@oct0xor that's what caused v1 to be detected. In v2 I tried my best to refactor it until it stopped detecting and have never used it for a PoC since. Still, something must have decided to use it, or Defender is just detecting the use of a native API which happens to be used by malware somewhere.
T