Summary | ZeroBOX

cmsh.hta

Antivirus
Category Machine Started Completed
FILE s1_win7_x6402 July 14, 2023, 5:03 p.m. July 14, 2023, 5:05 p.m.
Size 9.2KB
Type HTML document, ASCII text, with very long lines, with CRLF line terminators
MD5 3c38f1318767a3b84a619187e7e78646
SHA256 00a839c372daf84ff8442364bbc491e55e3d3003b6bda3e776367ac4e216ecf3
CRC32 2BFE7E7E
ssdeep 96:rnLI/OcBQVASCmOlH+cSgm2zHj0+KY9DHGOsWkm/81DPg4WrT+:rLImpVASCDQZgT8Tqc1DPg4WrC
Yara
  • Antivirus - Contains references to security software

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
164.124.101.2 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

__exception__

stacktrace:
CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x75d2d08c
TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x75d2964b
TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x75d14d6b
TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x75d16f7c
CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x75d1e825
TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x75d16002
TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x75d15fe8
TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x75d149e3
TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x75d15a20
RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x774a9a91
LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x774c8f10
RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x774c8e5c
ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x74e87a25
wscript+0x2fbd @ 0x8b2fbd
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5

exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25
exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4
exception.instruction: call dword ptr [ecx + 0xc]
exception.module: MSCTF.dll
exception.exception_code: 0xc0000005
exception.offset: 278260
exception.address: 0x75d43ef4
registers.esp: 2751356
registers.edi: 0
registers.eax: 42006152
registers.ebp: 2751384
registers.edx: 1
registers.ebx: 0
registers.esi: 7053584
registers.ecx: 1945974484
1 0 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 3040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73fa3000
process_handle: 0xffffffff
1 0 0
Symantec ISB.Downloader!gen80
Kaspersky HEUR:Trojan-Downloader.Script.Generic
NANO-Antivirus Trojan.Script.Vbs-heuristic.druvzi
ZoneAlarm HEUR:Trojan-Downloader.Script.Generic
Rising Downloader.Agent/PS!8.1250D (TOPIS:E0:Yf0HoGX0oaL)