Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	May 2, 2025, 1:13 a.m.	May 2, 2025, 1:15 a.m.

Size	20.4KB
Type	UTF-8 Unicode text, with very long lines
MD5	`bc5aeebc1c2e80a5abf1424a06504ee0`
SHA256	`9205ddd7bf3326d16cc3708f071e756eddc82ca4a77ff6a660cb14b8651bbbc0`
CRC32	`2A2228AE`
ssdeep	`192:Z+SURCKY60VXzWKTu/9MohwUWXpKv9p4vuTgGViSauvYGe4zJ97EBiQWdPLtUxaB:suVTs9M2DouTUSaG3+38+wx`
Yara	None matched

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "pVEVxBM" C:\Users\test22\AppData\Local\Temp\vendor-3dfac8a4.346d055a.js.pobrane
1280
- rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\test22\AppData\Local\Temp\vendor-3dfac8a4.346d055a.js.pobrane
  2080
  - editplus.exe "editplus.exe"
    2612
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 2, 2025, 12:59 a.m.			0	0
IsDebuggerPresent May 2, 2025, 12:59 a.m.			0	0

Tries to locate where the browsers are installed (1 event)

file	c:\program files\mozilla firefox\firefox.exe

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ May 2, 2025, 12:59 a.m.	stacktrace: RtlUnhandledExceptionFilter+0x2d2 LdrQueryModuleServiceTags-0x6e ntdll+0xc40f2 @ 0x777840f2 EtwEnumerateProcessRegGuids+0x216 RtlTraceDatabaseLock-0x2a ntdll+0xc4736 @ 0x77784736 RtlQueryProcessLockInformation+0x972 RtlTraceDatabaseEnumerate-0xe ntdll+0xc5942 @ 0x77785942 RtlLogStackBackTrace+0x444 RtlTraceDatabaseCreate-0x4ec ntdll+0xc75f4 @ 0x777875f4 RtlLogStackBackTrace+0x828 RtlTraceDatabaseCreate-0x108 ntdll+0xc79d8 @ 0x777879d8 MD5Final+0x9cb0 TpDbgSetLogRoutine-0x6920 ntdll+0x9c280 @ 0x7775c280 RtlSubAuthorityCountSid+0xcc8 RtlCompareUnicodeStrings-0x4b8 ntdll+0x31df8 @ 0x776f1df8 RtlSubAuthorityCountSid+0xb50 RtlCompareUnicodeStrings-0x630 ntdll+0x31c80 @ 0x776f1c80 RtlAllocateHeap+0x178 AlpcGetMessageAttribute-0x14e8 ntdll+0x53518 @ 0x77713518 RtlUpcaseUnicodeChar+0x342 EtwEventEnabled-0x12e ntdll+0x2bf82 @ 0x776ebf82 RtlQueryEnvironmentVariable+0x70c _wcsicmp-0x744 ntdll+0x2623c @ 0x776e623c RtlAllocateHeap+0xe8 AlpcGetMessageAttribute-0x1578 ntdll+0x53488 @ 0x77713488 SHGetDataFromIDListW+0x2671 SHGetFolderPathAndSubDirW-0x382f shell32+0x3c78d @ 0x7fefea8c78d SHGetDataFromIDListW+0x24f6 SHGetFolderPathAndSubDirW-0x39aa shell32+0x3c612 @ 0x7fefea8c612 SHGetDataFromIDListW+0x9c9 SHGetFolderPathAndSubDirW-0x54d7 shell32+0x3aae5 @ 0x7fefea8aae5 SHGetDataFromIDListW+0x1b67 SHGetFolderPathAndSubDirW-0x4339 shell32+0x3bc83 @ 0x7fefea8bc83 ILIsParent+0x54bcd SHCreateStdEnumFmtEtc-0x1be63 shell32+0x1fb03d @ 0x7fefec4b03d SHGetDataFromIDListW+0x3490 SHGetFolderPathAndSubDirW-0x2a10 shell32+0x3d5ac @ 0x7fefea8d5ac ILIsParent+0x54edb SHCreateStdEnumFmtEtc-0x1bb55 shell32+0x1fb34b @ 0x7fefec4b34b SHCreateShellItem+0x4654 StrStrIW-0xb494 shell32+0xfe1f8 @ 0x7fefeb4e1f8 SHGetSpecialFolderLocation+0x10d0 ShellExecuteExW-0x429c shell32+0x239d4 @ 0x7fefea739d4 ILSaveToStream+0x1009 SHGetItemFromDataObject-0x13f7 shell32+0x4cd59 @ 0x7fefea9cd59 TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x77259bd1 SetTimer+0x178 GetDC-0x28 user32+0x16aa8 @ 0x77256aa8 SendMessageW+0x5d GetClientRect-0x1b user32+0x16bad @ 0x77256bad SHChangeNotification_Lock+0xd3 SHChangeNotification_Unlock-0x15 shell32+0x9725b @ 0x7fefeae725b TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x77259bd1 SetWindowTextW+0x277 SetWindowLongPtrW-0x3f5 user32+0x172cb @ 0x772572cb IsDialogMessageW+0x169 SetTimer-0x107 user32+0x16829 @ 0x77256829 KiUserCallbackDispatcher+0x1f KiUserExceptionDispatcher-0x25 ntdll+0x51225 @ 0x77711225 PeekMessageW+0xba KillTimer-0x96 user32+0x1908a @ 0x7725908a PeekMessageW+0x85 KillTimer-0xcb user32+0x19055 @ 0x77259055 SHGetKnownFolderPath+0x1874 DAD_DragEnterEx-0x2b8 shell32+0xa6558 @ 0x7fefeaf6558 SHGetKnownFolderPath+0x18c0 DAD_DragEnterEx-0x26c shell32+0xa65a4 @ 0x7fefeaf65a4 FindExecutableW+0x66e5 SHQueryUserNotificationState-0x3bbb shell32+0x7765 @ 0x7fefea57765 explorer+0x20ac1 @ 0xffd30ac1 explorer+0x2b911 @ 0xffd3b911 BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76fd652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x776ec521 exception.instruction_r: eb 00 48 8b 9c 24 d0 00 00 00 48 81 c4 c0 00 00 exception.symbol: RtlUnhandledExceptionFilter+0x2d2 LdrQueryModuleServiceTags-0x6e ntdll+0xc40f2 exception.instruction: jmp 0x777840f4 exception.module: ntdll.dll exception.exception_code: 0xc0000374 exception.offset: 803058 exception.address: 0x777840f2 registers.r14: 0 registers.r15: 0 registers.rcx: 1956896 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 1965792 registers.r11: 646 registers.r8: 3668801806742034531 registers.r9: 1460712879 registers.rdx: 2004857936 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 2002942542 registers.r13: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

May 2, 2025, 12:59 a.m.

stacktrace:

RtlUnhandledExceptionFilter+0x2d2 LdrQueryModuleServiceTags-0x6e ntdll+0xc40f2 @ 0x777840f2
EtwEnumerateProcessRegGuids+0x216 RtlTraceDatabaseLock-0x2a ntdll+0xc4736 @ 0x77784736
RtlQueryProcessLockInformation+0x972 RtlTraceDatabaseEnumerate-0xe ntdll+0xc5942 @ 0x77785942
RtlLogStackBackTrace+0x444 RtlTraceDatabaseCreate-0x4ec ntdll+0xc75f4 @ 0x777875f4
RtlLogStackBackTrace+0x828 RtlTraceDatabaseCreate-0x108 ntdll+0xc79d8 @ 0x777879d8
MD5Final+0x9cb0 TpDbgSetLogRoutine-0x6920 ntdll+0x9c280 @ 0x7775c280
RtlSubAuthorityCountSid+0xcc8 RtlCompareUnicodeStrings-0x4b8 ntdll+0x31df8 @ 0x776f1df8
RtlSubAuthorityCountSid+0xb50 RtlCompareUnicodeStrings-0x630 ntdll+0x31c80 @ 0x776f1c80
RtlAllocateHeap+0x178 AlpcGetMessageAttribute-0x14e8 ntdll+0x53518 @ 0x77713518
RtlUpcaseUnicodeChar+0x342 EtwEventEnabled-0x12e ntdll+0x2bf82 @ 0x776ebf82
RtlQueryEnvironmentVariable+0x70c _wcsicmp-0x744 ntdll+0x2623c @ 0x776e623c
RtlAllocateHeap+0xe8 AlpcGetMessageAttribute-0x1578 ntdll+0x53488 @ 0x77713488
SHGetDataFromIDListW+0x2671 SHGetFolderPathAndSubDirW-0x382f shell32+0x3c78d @ 0x7fefea8c78d
SHGetDataFromIDListW+0x24f6 SHGetFolderPathAndSubDirW-0x39aa shell32+0x3c612 @ 0x7fefea8c612
SHGetDataFromIDListW+0x9c9 SHGetFolderPathAndSubDirW-0x54d7 shell32+0x3aae5 @ 0x7fefea8aae5
SHGetDataFromIDListW+0x1b67 SHGetFolderPathAndSubDirW-0x4339 shell32+0x3bc83 @ 0x7fefea8bc83
ILIsParent+0x54bcd SHCreateStdEnumFmtEtc-0x1be63 shell32+0x1fb03d @ 0x7fefec4b03d
SHGetDataFromIDListW+0x3490 SHGetFolderPathAndSubDirW-0x2a10 shell32+0x3d5ac @ 0x7fefea8d5ac
ILIsParent+0x54edb SHCreateStdEnumFmtEtc-0x1bb55 shell32+0x1fb34b @ 0x7fefec4b34b
SHCreateShellItem+0x4654 StrStrIW-0xb494 shell32+0xfe1f8 @ 0x7fefeb4e1f8
SHGetSpecialFolderLocation+0x10d0 ShellExecuteExW-0x429c shell32+0x239d4 @ 0x7fefea739d4
ILSaveToStream+0x1009 SHGetItemFromDataObject-0x13f7 shell32+0x4cd59 @ 0x7fefea9cd59
TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x77259bd1
SetTimer+0x178 GetDC-0x28 user32+0x16aa8 @ 0x77256aa8
SendMessageW+0x5d GetClientRect-0x1b user32+0x16bad @ 0x77256bad
SHChangeNotification_Lock+0xd3 SHChangeNotification_Unlock-0x15 shell32+0x9725b @ 0x7fefeae725b
TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x77259bd1
SetWindowTextW+0x277 SetWindowLongPtrW-0x3f5 user32+0x172cb @ 0x772572cb
IsDialogMessageW+0x169 SetTimer-0x107 user32+0x16829 @ 0x77256829
KiUserCallbackDispatcher+0x1f KiUserExceptionDispatcher-0x25 ntdll+0x51225 @ 0x77711225
PeekMessageW+0xba KillTimer-0x96 user32+0x1908a @ 0x7725908a
PeekMessageW+0x85 KillTimer-0xcb user32+0x19055 @ 0x77259055
SHGetKnownFolderPath+0x1874 DAD_DragEnterEx-0x2b8 shell32+0xa6558 @ 0x7fefeaf6558
SHGetKnownFolderPath+0x18c0 DAD_DragEnterEx-0x26c shell32+0xa65a4 @ 0x7fefeaf65a4
FindExecutableW+0x66e5 SHQueryUserNotificationState-0x3bbb shell32+0x7765 @ 0x7fefea57765
explorer+0x20ac1 @ 0xffd30ac1
explorer+0x2b911 @ 0xffd3b911
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76fd652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x776ec521

exception.instruction_r: eb 00 48 8b 9c 24 d0 00 00 00 48 81 c4 c0 00 00
exception.symbol: RtlUnhandledExceptionFilter+0x2d2 LdrQueryModuleServiceTags-0x6e ntdll+0xc40f2
exception.instruction: jmp 0x777840f4
exception.module: ntdll.dll
exception.exception_code: 0xc0000374
exception.offset: 803058
exception.address: 0x777840f2
registers.r14: 0
registers.r15: 0
registers.rcx: 1956896
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 1965792
registers.r11: 646
registers.r8: 3668801806742034531
registers.r9: 1460712879
registers.rdx: 2004857936
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 2002942542
registers.r13: 0

Allocates read-write-execute memory (usually to unpack itself) (8 events)

Time & API	Arguments	Status
NtProtectVirtualMemory May 2, 2025, 12:59 a.m.	process_identifier: 2080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x744b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 2, 2025, 12:59 a.m.	process_identifier: 2080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x741a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 2, 2025, 12:59 a.m.	process_identifier: 2080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x743a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 2, 2025, 12:59 a.m.	process_identifier: 2080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74521000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 2, 2025, 12:59 a.m.	process_identifier: 2080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x740a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 2, 2025, 12:59 a.m.	process_identifier: 2080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74371000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 2, 2025, 12:59 a.m.	process_identifier: 2080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75291000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 2, 2025, 12:59 a.m.	process_identifier: 2080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72711000 process_handle: 0xffffffff	1

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Attempts to modify browser security settings (1 event)

registry

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\EDITPLUS.EXE

Harvests credentials from local email clients (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\Mozilla Thunderbird\Capabilities\Hidden

vendor-3dfac8a4.346d055a.js.pobrane

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All