Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	April 20, 2025, 6:12 a.m.	April 20, 2025, 6:14 a.m.

Size	84.6KB
Type	ASCII text, with very long lines
MD5	`c9f5aeeca3ad37bf2aa006139b935f0a`
SHA256	`87083882cc6015984eb0411a99d3981817f5dc5c90ba24f0940420c5548d82de`
CRC32	`1413FF29`
ssdeep	`1536:YNhEyjjTikEJO4edXXe9J578go6MWX2xkj8e4c4j2ll2AckaXEP6n15HZ+FhFcQ7:uxc2yjx4j2uX/kcQDU8Cu9`
Yara	None matched

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "vdDd" C:\Users\test22\AppData\Local\Temp\jquery-3.2.1.min.js.pobrane
1608
- rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\test22\AppData\Local\Temp\jquery-3.2.1.min.js.pobrane
  2168
  - editplus.exe "editplus.exe"
    2676
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 20, 2025, 6:09 a.m.			0	0
IsDebuggerPresent April 20, 2025, 6:10 a.m.			0	0

Tries to locate where the browsers are installed (1 event)

file	c:\program files\mozilla firefox\firefox.exe

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ April 20, 2025, 6:10 a.m.	stacktrace: RtlUnhandledExceptionFilter+0x2d2 LdrQueryModuleServiceTags-0x6e ntdll+0xc40f2 @ 0x777840f2 EtwEnumerateProcessRegGuids+0x216 RtlTraceDatabaseLock-0x2a ntdll+0xc4736 @ 0x77784736 RtlQueryProcessLockInformation+0x972 RtlTraceDatabaseEnumerate-0xe ntdll+0xc5942 @ 0x77785942 RtlLogStackBackTrace+0x444 RtlTraceDatabaseCreate-0x4ec ntdll+0xc75f4 @ 0x777875f4 RtlLogStackBackTrace+0x828 RtlTraceDatabaseCreate-0x108 ntdll+0xc79d8 @ 0x777879d8 MD5Final+0x9cb0 TpDbgSetLogRoutine-0x6920 ntdll+0x9c280 @ 0x7775c280 RtlSubAuthorityCountSid+0xcc8 RtlCompareUnicodeStrings-0x4b8 ntdll+0x31df8 @ 0x776f1df8 RtlSubAuthorityCountSid+0xb50 RtlCompareUnicodeStrings-0x630 ntdll+0x31c80 @ 0x776f1c80 RtlAllocateHeap+0x178 AlpcGetMessageAttribute-0x14e8 ntdll+0x53518 @ 0x77713518 RtlUpcaseUnicodeChar+0x342 EtwEventEnabled-0x12e ntdll+0x2bf82 @ 0x776ebf82 RtlQueryEnvironmentVariable+0x70c _wcsicmp-0x744 ntdll+0x2623c @ 0x776e623c RtlAllocateHeap+0xe8 AlpcGetMessageAttribute-0x1578 ntdll+0x53488 @ 0x77713488 CreateBindCtx+0x505 CoGetApartmentType-0xbb ole32+0x26c35 @ 0x7fefe076c35 CreateBindCtx+0x3c6 CoGetApartmentType-0x1fa ole32+0x26af6 @ 0x7fefe076af6 DAD_AutoScroll+0x545 ILFree-0x63f shell32+0x99901 @ 0x7fefeae9901 DAD_AutoScroll+0x5af ILFree-0x5d5 shell32+0x9996b @ 0x7fefeae996b SHChangeNotifySuspendResume+0x63b4 ILLoadFromStreamEx-0x1d4c shell32+0x627d4 @ 0x7fefeab27d4 SHChangeNotifySuspendResume+0x6e16 ILLoadFromStreamEx-0x12ea shell32+0x63236 @ 0x7fefeab3236 SHChangeNotifySuspendResume+0x6d10 ILLoadFromStreamEx-0x13f0 shell32+0x63130 @ 0x7fefeab3130 SHDefExtractIconW+0x1e08 SHGetSetSettings-0x710 shell32+0x6ca84 @ 0x7fefeabca84 SignalFileOpen+0x1a1e2 SHGetTemporaryPropertyForItem-0x168e6 shell32+0x16bdce @ 0x7fefebbbdce SignalFileOpen+0x1ee17 SHGetTemporaryPropertyForItem-0x11cb1 shell32+0x170a03 @ 0x7fefebc0a03 SignalFileOpen+0x1ed09 SHGetTemporaryPropertyForItem-0x11dbf shell32+0x1708f5 @ 0x7fefebc08f5 SHDefExtractIconW+0x1a08 SHGetSetSettings-0xb10 shell32+0x6c684 @ 0x7fefeabc684 SHBindToFolderIDListParentEx+0x189f SHCreateItemFromIDList-0x545 shell32+0x9f0eb @ 0x7fefeaef0eb SHGetPropertyStoreForWindow+0x160a DllGetClassObject-0x35e shell32+0xa2c8a @ 0x7fefeaf2c8a SHGetPropertyStoreForWindow+0x1762 DllGetClassObject-0x206 shell32+0xa2de2 @ 0x7fefeaf2de2 IUnknown_GetWindow+0x68f PathFindFileNameW-0xdd shlwapi+0x13843 @ 0x7fefe9c3843 TpCallbackMayRunLong+0x32b RtlQueueWorkItem-0x9c5 ntdll+0x215ab @ 0x776e15ab RtlRealSuccessor+0x136 TpCallbackMayRunLong-0x65a ntdll+0x20c26 @ 0x776e0c26 BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76fd652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x776ec521 exception.instruction_r: eb 00 48 8b 9c 24 d0 00 00 00 48 81 c4 c0 00 00 exception.symbol: RtlUnhandledExceptionFilter+0x2d2 LdrQueryModuleServiceTags-0x6e ntdll+0xc40f2 exception.instruction: jmp 0x777840f4 exception.module: ntdll.dll exception.exception_code: 0xc0000374 exception.offset: 803058 exception.address: 0x777840f2 registers.r14: 0 registers.r15: 0 registers.rcx: 77979472 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 77986800 registers.r11: 646 registers.r8: 3668801806742034531 registers.r9: 1460712879 registers.rdx: 2004857936 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 1943697694 registers.r13: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

April 20, 2025, 6:10 a.m.

stacktrace:

RtlUnhandledExceptionFilter+0x2d2 LdrQueryModuleServiceTags-0x6e ntdll+0xc40f2 @ 0x777840f2
EtwEnumerateProcessRegGuids+0x216 RtlTraceDatabaseLock-0x2a ntdll+0xc4736 @ 0x77784736
RtlQueryProcessLockInformation+0x972 RtlTraceDatabaseEnumerate-0xe ntdll+0xc5942 @ 0x77785942
RtlLogStackBackTrace+0x444 RtlTraceDatabaseCreate-0x4ec ntdll+0xc75f4 @ 0x777875f4
RtlLogStackBackTrace+0x828 RtlTraceDatabaseCreate-0x108 ntdll+0xc79d8 @ 0x777879d8
MD5Final+0x9cb0 TpDbgSetLogRoutine-0x6920 ntdll+0x9c280 @ 0x7775c280
RtlSubAuthorityCountSid+0xcc8 RtlCompareUnicodeStrings-0x4b8 ntdll+0x31df8 @ 0x776f1df8
RtlSubAuthorityCountSid+0xb50 RtlCompareUnicodeStrings-0x630 ntdll+0x31c80 @ 0x776f1c80
RtlAllocateHeap+0x178 AlpcGetMessageAttribute-0x14e8 ntdll+0x53518 @ 0x77713518
RtlUpcaseUnicodeChar+0x342 EtwEventEnabled-0x12e ntdll+0x2bf82 @ 0x776ebf82
RtlQueryEnvironmentVariable+0x70c _wcsicmp-0x744 ntdll+0x2623c @ 0x776e623c
RtlAllocateHeap+0xe8 AlpcGetMessageAttribute-0x1578 ntdll+0x53488 @ 0x77713488
CreateBindCtx+0x505 CoGetApartmentType-0xbb ole32+0x26c35 @ 0x7fefe076c35
CreateBindCtx+0x3c6 CoGetApartmentType-0x1fa ole32+0x26af6 @ 0x7fefe076af6
DAD_AutoScroll+0x545 ILFree-0x63f shell32+0x99901 @ 0x7fefeae9901
DAD_AutoScroll+0x5af ILFree-0x5d5 shell32+0x9996b @ 0x7fefeae996b
SHChangeNotifySuspendResume+0x63b4 ILLoadFromStreamEx-0x1d4c shell32+0x627d4 @ 0x7fefeab27d4
SHChangeNotifySuspendResume+0x6e16 ILLoadFromStreamEx-0x12ea shell32+0x63236 @ 0x7fefeab3236
SHChangeNotifySuspendResume+0x6d10 ILLoadFromStreamEx-0x13f0 shell32+0x63130 @ 0x7fefeab3130
SHDefExtractIconW+0x1e08 SHGetSetSettings-0x710 shell32+0x6ca84 @ 0x7fefeabca84
SignalFileOpen+0x1a1e2 SHGetTemporaryPropertyForItem-0x168e6 shell32+0x16bdce @ 0x7fefebbbdce
SignalFileOpen+0x1ee17 SHGetTemporaryPropertyForItem-0x11cb1 shell32+0x170a03 @ 0x7fefebc0a03
SignalFileOpen+0x1ed09 SHGetTemporaryPropertyForItem-0x11dbf shell32+0x1708f5 @ 0x7fefebc08f5
SHDefExtractIconW+0x1a08 SHGetSetSettings-0xb10 shell32+0x6c684 @ 0x7fefeabc684
SHBindToFolderIDListParentEx+0x189f SHCreateItemFromIDList-0x545 shell32+0x9f0eb @ 0x7fefeaef0eb
SHGetPropertyStoreForWindow+0x160a DllGetClassObject-0x35e shell32+0xa2c8a @ 0x7fefeaf2c8a
SHGetPropertyStoreForWindow+0x1762 DllGetClassObject-0x206 shell32+0xa2de2 @ 0x7fefeaf2de2
IUnknown_GetWindow+0x68f PathFindFileNameW-0xdd shlwapi+0x13843 @ 0x7fefe9c3843
TpCallbackMayRunLong+0x32b RtlQueueWorkItem-0x9c5 ntdll+0x215ab @ 0x776e15ab
RtlRealSuccessor+0x136 TpCallbackMayRunLong-0x65a ntdll+0x20c26 @ 0x776e0c26
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76fd652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x776ec521

exception.instruction_r: eb 00 48 8b 9c 24 d0 00 00 00 48 81 c4 c0 00 00
exception.symbol: RtlUnhandledExceptionFilter+0x2d2 LdrQueryModuleServiceTags-0x6e ntdll+0xc40f2
exception.instruction: jmp 0x777840f4
exception.module: ntdll.dll
exception.exception_code: 0xc0000374
exception.offset: 803058
exception.address: 0x777840f2
registers.r14: 0
registers.r15: 0
registers.rcx: 77979472
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 77986800
registers.r11: 646
registers.r8: 3668801806742034531
registers.r9: 1460712879
registers.rdx: 2004857936
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 1943697694
registers.r13: 0

Allocates read-write-execute memory (usually to unpack itself) (8 events)

Time & API	Arguments	Status
NtProtectVirtualMemory April 20, 2025, 6:09 a.m.	process_identifier: 2168 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74430000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2025, 6:09 a.m.	process_identifier: 2168 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x741a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2025, 6:09 a.m.	process_identifier: 2168 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74321000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2025, 6:09 a.m.	process_identifier: 2168 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x744a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2025, 6:09 a.m.	process_identifier: 2168 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x740a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2025, 6:09 a.m.	process_identifier: 2168 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x748e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2025, 6:09 a.m.	process_identifier: 2168 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75291000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2025, 6:09 a.m.	process_identifier: 2168 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x726e1000 process_handle: 0xffffffff	1

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Attempts to modify browser security settings (1 event)

registry

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\EDITPLUS.EXE

Harvests credentials from local email clients (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\Mozilla Thunderbird\Capabilities\Hidden

jquery-3.2.1.min.js.pobrane

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All