Summary | ZeroBOX

647-b3e4f9fea21da5c1.js.pobrane

AntiVM AntiDebug
Category FILE
Machine s1_win7_x6402
Started April 27, 2025, 5:30 a.m.
Completed April 27, 2025, 5:33 a.m.
Size 19.8KB
Type UTF-8 Unicode text, with very long lines, with no line terminators
MD5 50250accabdb2fac94029c4f93c49d53
SHA256 a27bfa54a23d11c2512da20ceba2ac5382d0becbe76bc12a863e2ce86a9a832d
CRC32 1E2A9F4F
ssdeep 384:8ob+Qijlf9kXhmXRryzvBi67q9JFuRBuTGtsXl7CxgdNl0tEl+YLCxvfVLvYdmwA:8ob+Qijlf9kXhmhWzpi67q9JFuRBuTGd
Yara None matched

Hosts (Name / Response / Post-Analysis Lookup): No hosts contacted.

IP Address      Status   Action
164.124.101.2   Active   Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API           Arguments   Status Return Repeated
IsDebuggerPresent                0 0
IsDebuggerPresent                0 0
file c:\program files\mozilla firefox\firefox.exe
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
RtlUnhandledExceptionFilter+0x2d2 LdrQueryModuleServiceTags-0x6e ntdll+0xc40f2 @ 0x773540f2
EtwEnumerateProcessRegGuids+0x216 RtlTraceDatabaseLock-0x2a ntdll+0xc4736 @ 0x77354736
RtlQueryProcessLockInformation+0x972 RtlTraceDatabaseEnumerate-0xe ntdll+0xc5942 @ 0x77355942
RtlLogStackBackTrace+0x444 RtlTraceDatabaseCreate-0x4ec ntdll+0xc75f4 @ 0x773575f4
RtlLogStackBackTrace+0x828 RtlTraceDatabaseCreate-0x108 ntdll+0xc79d8 @ 0x773579d8
MD5Final+0x9cb0 TpDbgSetLogRoutine-0x6920 ntdll+0x9c280 @ 0x7732c280
RtlSubAuthorityCountSid+0xcc8 RtlCompareUnicodeStrings-0x4b8 ntdll+0x31df8 @ 0x772c1df8
RtlSubAuthorityCountSid+0xb50 RtlCompareUnicodeStrings-0x630 ntdll+0x31c80 @ 0x772c1c80
RtlAllocateHeap+0x178 AlpcGetMessageAttribute-0x14e8 ntdll+0x53518 @ 0x772e3518
RtlUpcaseUnicodeChar+0x342 EtwEventEnabled-0x12e ntdll+0x2bf82 @ 0x772bbf82
RtlQueryEnvironmentVariable+0x70c _wcsicmp-0x744 ntdll+0x2623c @ 0x772b623c
RtlAllocateHeap+0xe8 AlpcGetMessageAttribute-0x1578 ntdll+0x53488 @ 0x772e3488
SHParseDisplayName+0x1682 AssocGetDetailsOfPropKey-0xbfe shell32+0x85bf2 @ 0x7fefe465bf2
ILClone+0x1ea ILGetSize-0xad6 shell32+0x9abca @ 0x7fefe47abca
ILClone+0x17e ILGetSize-0xb42 shell32+0x9ab5e @ 0x7fefe47ab5e
SHBindToObject+0x4f ILFindLastID-0x91 shell32+0x9ba3f @ 0x7fefe47ba3f
SHBindToFolderIDListParentEx+0x8a SHCreateItemFromIDList-0x1d5a shell32+0x9d8d6 @ 0x7fefe47d8d6
DriveType+0x1522 SHLoadInProc-0x5212 shell32+0x729fa @ 0x7fefe4529fa
SHDefExtractIconW+0x1a08 SHGetSetSettings-0xb10 shell32+0x6c684 @ 0x7fefe44c684
SHBindToFolderIDListParentEx+0x189f SHCreateItemFromIDList-0x545 shell32+0x9f0eb @ 0x7fefe47f0eb
SHGetPropertyStoreForWindow+0x160a DllGetClassObject-0x35e shell32+0xa2c8a @ 0x7fefe482c8a
SHGetPropertyStoreForWindow+0x1762 DllGetClassObject-0x206 shell32+0xa2de2 @ 0x7fefe482de2
IUnknown_GetWindow+0x68f PathFindFileNameW-0xdd shlwapi+0x13843 @ 0x7fefdf53843
TpCallbackMayRunLong+0x32b RtlQueueWorkItem-0x9c5 ntdll+0x215ab @ 0x772b15ab
RtlRealSuccessor+0x136 TpCallbackMayRunLong-0x65a ntdll+0x20c26 @ 0x772b0c26
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x7718652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x772bc521

exception.instruction_r: eb 00 48 8b 9c 24 d0 00 00 00 48 81 c4 c0 00 00
exception.symbol: RtlUnhandledExceptionFilter+0x2d2 LdrQueryModuleServiceTags-0x6e ntdll+0xc40f2
exception.instruction: jmp 0x773540f4
exception.module: ntdll.dll
exception.exception_code: 0xc0000374 (STATUS_HEAP_CORRUPTION)
exception.offset: 803058
exception.address: 0x773540f2
registers.r14: 0
registers.r15: 0
registers.rcx: 73524048
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 73530656
registers.r11: 646
registers.r8: 4260079324062961881
registers.r9: 799649237
registers.rdx: 2000467024
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 1935491088
registers.r13: 0
1 0 0
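The symbols in the trace above are nearest-export labels, not real function names: "MD5Final+0x9cb0" is 0x9cb0 bytes past the last export the sandbox could see and says nothing about the routine actually executing. What the trace can be trusted for is the arithmetic: every frame carries both a module RVA and an absolute address, so address minus RVA must give one image base per module, and the exception record's own offset/address pair must give the same base. The following Python is an added triage helper, not code from ZeroBOX or from the sample; it embeds a seven-frame subset of the trace and the exception fields copied from the record above, and the NTSTATUS table and the 0x1000 "trust" threshold are assumptions of the example.

```python
import re

# Frames copied from the exception record above (sandbox format:
# "<export below>+0x<off> <export above>-0x<off> <module>+0x<rva> @ 0x<addr>").
STACK = """
RtlUnhandledExceptionFilter+0x2d2 LdrQueryModuleServiceTags-0x6e ntdll+0xc40f2 @ 0x773540f2
EtwEnumerateProcessRegGuids+0x216 RtlTraceDatabaseLock-0x2a ntdll+0xc4736 @ 0x77354736
MD5Final+0x9cb0 TpDbgSetLogRoutine-0x6920 ntdll+0x9c280 @ 0x7732c280
SHParseDisplayName+0x1682 AssocGetDetailsOfPropKey-0xbfe shell32+0x85bf2 @ 0x7fefe465bf2
IUnknown_GetWindow+0x68f PathFindFileNameW-0xdd shlwapi+0x13843 @ 0x7fefdf53843
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x7718652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x772bc521
"""

# Exception fields copied from the same record.
EXCEPTION = {"exception_code": 0xC0000374, "offset": 803058,
             "address": 0x773540F2, "module": "ntdll.dll"}

# Assumed NTSTATUS table: only the codes worth naming in sandbox triage.
NTSTATUS_NAMES = {
    0x80000003: "STATUS_BREAKPOINT",
    0x80000004: "STATUS_SINGLE_STEP",
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC0000374: "STATUS_HEAP_CORRUPTION",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
}

FRAME_RE = re.compile(
    r"^(?P<below>\S+)\+0x(?P<below_off>[0-9a-f]+)\s+"
    r"(?P<above>\S+)-0x(?P<above_off>[0-9a-f]+)\s+"
    r"(?P<module>\w+)\+0x(?P<rva>[0-9a-f]+)\s+@\s+0x(?P<addr>[0-9a-f]+)$")

# Assumed threshold: a nearest export more than this far below the address
# is not evidence of which function is running.
MAX_TRUSTED_SYMBOL_OFF = 0x1000


def parse_frames(text):
    frames = []
    for line in text.strip().splitlines():
        m = FRAME_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsable frame: {line!r}")
        d = m.groupdict()
        frames.append({
            "symbol": d["below"], "symbol_off": int(d["below_off"], 16),
            "module": d["module"], "rva": int(d["rva"], 16),
            "addr": int(d["addr"], 16),
        })
    return frames


def module_bases(frames):
    """Map module -> set of image bases implied by addr - rva per frame.
    A consistent trace yields exactly one base per module."""
    bases = {}
    for f in frames:
        bases.setdefault(f["module"], set()).add(f["addr"] - f["rva"])
    return bases


def untrusted_symbols(frames):
    """Export labels too far from the address to name the real routine."""
    return [f["symbol"] for f in frames if f["symbol_off"] > MAX_TRUSTED_SYMBOL_OFF]


def check_exception(exc, frames):
    """Cross-check the exception record against the trace it belongs to."""
    bases = module_bases(frames)
    mod = exc["module"].rsplit(".", 1)[0].lower()
    base_from_exc = exc["address"] - exc["offset"]   # offset is the RVA into the module
    return {
        "code_name": NTSTATUS_NAMES.get(exc["exception_code"], "unknown"),
        "base_from_exception": base_from_exc,
        "offset_matches_trace": bases.get(mod) == {base_from_exc},
        "top_frame_is_fault": frames[0]["addr"] == exc["address"],
    }


if __name__ == "__main__":
    frames = parse_frames(STACK)
    for mod, b in sorted(module_bases(frames).items()):
        print(f"{mod:9s} base(s): {', '.join(hex(x) for x in sorted(b))}")
    print("unreliable symbols:", untrusted_symbols(frames))
    print(check_exception(EXCEPTION, frames))
```

Run against the full 27-frame trace the same way; every ntdll frame resolves to base 0x77290000, shell32 to 0x7fefe3e0000, shlwapi to 0x7fefdf40000 and kernel32 to 0x77170000, and the exception offset 803058 (0xc40f2) reproduces the ntdll base from the faulting address, which is the check that tells you the record is internally consistent before you spend time on the symbol names.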
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x742f0000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73f41000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73eb1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73e01000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73f42000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74001000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x741e1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74361000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73c71000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x741b1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75231000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x723a1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x723a3000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1652
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73f42000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1652
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x723a3000
process_handle: 0xffffffff
1 0 0
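The NtProtectVirtualMemory calls above are what trips the "disable_dep" signature: every one of them sets a single 4096-byte page to PAGE_EXECUTE_READWRITE in the calling process (process_handle 0xffffffff is the current-process pseudo-handle). Three things are worth pulling out of the list before reading anything into it: 0x742f0000 is 64 KiB-aligned, i.e. it sits on the allocation-granularity boundary where an image base (the PE header page) lives, all other targets are interior pages, and 0x73f42000 and 0x723a3000 are touched in both PID 2212 and PID 1652. The script below is an added triage helper, not code from ZeroBOX or from the sample: it parses the report's own record layout and produces that per-process and cross-process summary. The embedded excerpt is constructed for the example: its first three records are copied from the list above, the fourth (PAGE_EXECUTE_READ in PID 1652) is invented as a control case and does not appear on the page, and the three zero-valued bypass/pivot fields are omitted since the parser takes any "key: value" lines.

```python
import re
from collections import defaultdict

# Constructed excerpt in the report's own record format (see lead-in).
SAMPLE = """
NtProtectVirtualMemory
process_identifier: 2212
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x742f0000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory
process_identifier: 2212
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73f42000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory
process_identifier: 1652
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73f42000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory
process_identifier: 1652
length: 4096
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x723a3000
process_handle: 0xffffffff
1 0 0
"""

# Win32 page protections that leave a page both writable and executable.
WRITABLE_EXEC = {0x40, 0x80}   # PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY
ALLOC_GRANULARITY = 0x10000    # 64 KiB: image bases sit on this boundary


def _num(value):
    # "64 (PAGE_EXECUTE_READWRITE)" -> 64, "0x742f0000" -> 1949433856, "2212" -> 2212
    return int(value.split()[0], 0)


def parse_records(text):
    """Turn 'API / key: value ... / status return repeated' blocks into dicts."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if re.fullmatch(r"[A-Za-z_]\w*", line):             # API name opens a record
            cur = {"api": line}
            records.append(cur)
        elif (m := re.fullmatch(r"(\w+): (.+)", line)) and cur is not None:
            key, val = m.groups()
            cur[key] = _num(val) if re.match(r"(0x[0-9a-fA-F]+|\d+)\b", val) else val
        elif (m := re.fullmatch(r"(\d+) (\d+) (\d+)", line)) and cur is not None:
            cur["status"], cur["return"], cur["repeated"] = map(int, m.groups())
            cur = None                                       # status line closes the record
    return records


def summarize_rwx(records):
    """Pages made writable+executable per PID, plus the cross-process view."""
    per_pid = defaultdict(list)
    for r in records:
        if r.get("api") != "NtProtectVirtualMemory" or r.get("status") != 1:
            continue
        if r.get("protection") in WRITABLE_EXEC:
            per_pid[r["process_identifier"]].append(r["base_address"])
    shared = set.intersection(*(set(v) for v in per_pid.values())) if len(per_pid) > 1 else set()
    all_pages = {a for v in per_pid.values() for a in v}
    return {
        "rwx_by_pid": {pid: sorted(v) for pid, v in per_pid.items()},
        "shared_pages": sorted(shared),   # same page changed in more than one PID
        "image_base_pages": sorted(a for a in all_pages if a % ALLOC_GRANULARITY == 0),
    }


if __name__ == "__main__":
    summary = summarize_rwx(parse_records(SAMPLE))
    for pid, pages in summary["rwx_by_pid"].items():
        print(pid, [hex(p) for p in pages])
    print("shared across PIDs:", [hex(p) for p in summary["shared_pages"]])
    print("on an image base:  ", [hex(p) for p in summary["image_base_pages"]])
```

Paste the full call list from this page into SAMPLE and the summary reports 13 RWX pages for PID 2212, 2 for PID 1652, the two shared pages, and 0x742f0000 as the only image-base page. The signature itself only counts PAGE_EXECUTE_READWRITE changes; which module each address belongs to is not in the report, so the script deliberately stops at the page geometry rather than guessing at module names.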
rule                         description
DebuggerCheck__GlobalFlags   (no description)
DebuggerCheck__QueryInfo     (no description)
DebuggerHiding__Thread       (no description)
DebuggerHiding__Active       (no description)
ThreadControl__Context       (no description)
SEH__vectored                (no description)
anti_dbg                     Checks if being debugged
disable_dep                  Bypass DEP
registry HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\EDITPLUS.EXE
registry HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\Mozilla Thunderbird\Capabilities\Hidden