Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
05.05 11:05
University of Alberta....
05.05 07:05
no-login.b3167651.svg
05.05 06:05
a-gif.4d7662a.png
05.05 12:05
Synaptics.exe
05.05 12:05
Synaptics.exe
05.05 12:05
Synaptics.exe
05.05 12:05
Synaptics.exe
05.05 12:05
Synaptics.exe
05.04 10:05
mediacje.png
05.04 10:05
Portal orzeczeń - Sąd ...

Latest News
05.06 03:05
Round Displays Make Ne...
05.06 03:05
OpenAI’s Nonprofit Wil...
05.06 03:05
IT Sicherheitsnews tae...
05.06 03:05
Windows 11 24H2 lässt ...
05.06 03:05
Warum ein Janet-Jackso...
05.06 03:05
Vibe-Coding: Wie KI da...
05.06 03:05
Neue Nutzer bekommen k...
05.06 03:05
Blinde KI-Gläubigkeit?...
05.06 03:05
Arctic Wolf Observes E...
05.06 03:05
Federal prosecutors in...

Summary | ZeroBOX

SkXyKtfH.txt

ScreenShot AntiVM AntiDebug

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Nov. 27, 2024, 10:37 a.m.	Nov. 27, 2024, 10:39 a.m.

Size	711.0B
Type	PHP script, ASCII text, with CRLF line terminators
MD5	`cc9c30f64dc341f3326e0ba75934eb81`
SHA256	`5603b4272979a6b034d5c6b8100166df496411bb5d4cc7aa216febb0f2440976`
CRC32	`EBEA593F`
ssdeep	`12:xjWp2D4XpRi5aHZMchldmZNF7NYLw3JFNADLlZ3PeYL4kZzxVUKlaol2ktH5e:xj14XpYwMchOdNYLw0+O4kNjUKla452`
Yara	None matched

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "JlhTEaYr" C:\Users\test22\AppData\Local\Temp\SkXyKtfH.txt
2572
- notepad.exe "C:\Windows\system32\NOTEPAD.EXE" C:\Users\test22\AppData\Local\Temp\SkXyKtfH.txt
  2680

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 27, 2024, 12:41 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Nov. 27, 2024, 12:41 a.m.	process_identifier: 2680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x733c2000 process_handle: 0xffffffff	1	0	0

File has been identified by 7 AntiVirus engines on VirusTotal as malicious (7 events)

ESET-NOD32	PHP/Webshell.NJN
Kaspersky	HEUR:Trojan.PHP.Kryptik.gen
Sophos	Troj/PHPShel-BW
Google	Detected
AhnLab-V3	WebShell/PHP.Generic.S1580
huorong	Backdoor/PHP.TinyShell.g
Fortinet	PHP/Webshell.NJN!tr

Yara rule detected in process memory (9 events)

description	Take ScreenShot				rule	ScreenShot
description	(no description)				rule	DebuggerCheck__GlobalFlags
description	(no description)				rule	DebuggerCheck__QueryInfo
description	(no description)				rule	DebuggerHiding__Thread
description	(no description)				rule	DebuggerHiding__Active
description	(no description)				rule	ThreadControl__Context
description	(no description)				rule	SEH__vectored
description	Checks if being debugged				rule	anti_dbg
description	Bypass DEP				rule	disable_dep