5d2eb0daffb9b5b49ef89add1c9140a66acb2e354fdb97e7b46fdb92e7d63818

Change Default File Association

T1042

Processes:

OneDriveSetup.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000_CLASSES\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000_CLASSES\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000_CLASSES\lnkfile\shellex	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000_CLASSES\lnkfile\shellex\ContextMenuHandlers	OneDriveSetup.exe

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Blocklisted process makes network request 1 IoCs

Processes:

msiexec.exe

flow pid process

155 1624 msiexec.exe
Downloads MZ/PE file

flow	pid	process
155	1624	msiexec.exe

Executes dropped EXE 20 IoCs

Processes:

Office365.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeC2RClient.exeintegrator.exeOSE.EXEOSPPSVC.EXEintegrator.exeintegrator.exeintegrator.exeperfboost.exeAppVShNotify.exeAppVShNotify.exeintegrator.exeOneDriveSetup.exeOLicenseHeartbeat.exeOneDriveSetup.exeOneDriveSetup.exeFileSyncConfig.exe

pid	process
1684	Office365.exe
792	OfficeClickToRun.exe
988	OfficeClickToRun.exe
1220
1040	OfficeC2RClient.exe
2760	integrator.exe
2104	OSE.EXE
1568	OSPPSVC.EXE
2724	integrator.exe
2196	integrator.exe
1008	integrator.exe
1116	perfboost.exe
2360	AppVShNotify.exe
980	AppVShNotify.exe
2792	integrator.exe
2656	OneDriveSetup.exe
524	OLicenseHeartbeat.exe
2600	OneDriveSetup.exe
2812	OneDriveSetup.exe
1680	FileSyncConfig.exe

Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

Office365.exeOfficeClickToRun.exeOfficeC2RClient.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Control Panel\International\Geo\Nation	Office365.exe
Key value queried	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Control Panel\International\Geo\Nation	OfficeC2RClient.exe

Loads dropped DLL 64 IoCs

Processes:

AutoInstall_zNvtuIFmBw.exeOffice365.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeC2RClient.exe

pid	process
1052	AutoInstall_zNvtuIFmBw.exe
1684	Office365.exe
792	OfficeClickToRun.exe
792	OfficeClickToRun.exe
792	OfficeClickToRun.exe
792	OfficeClickToRun.exe
792	OfficeClickToRun.exe
792	OfficeClickToRun.exe
792	OfficeClickToRun.exe
792	OfficeClickToRun.exe
792	OfficeClickToRun.exe
792	OfficeClickToRun.exe
792	OfficeClickToRun.exe
792	OfficeClickToRun.exe
792	OfficeClickToRun.exe
792	OfficeClickToRun.exe
792	OfficeClickToRun.exe
792	OfficeClickToRun.exe
792	OfficeClickToRun.exe
792	OfficeClickToRun.exe
792	OfficeClickToRun.exe
792	OfficeClickToRun.exe
792	OfficeClickToRun.exe
792	OfficeClickToRun.exe
792	OfficeClickToRun.exe
792	OfficeClickToRun.exe
792	OfficeClickToRun.exe
988	OfficeClickToRun.exe
988	OfficeClickToRun.exe
988	OfficeClickToRun.exe
988	OfficeClickToRun.exe
988	OfficeClickToRun.exe
988	OfficeClickToRun.exe
988	OfficeClickToRun.exe
988	OfficeClickToRun.exe
988	OfficeClickToRun.exe
988	OfficeClickToRun.exe
988	OfficeClickToRun.exe
988	OfficeClickToRun.exe
988	OfficeClickToRun.exe
988	OfficeClickToRun.exe
988	OfficeClickToRun.exe
988	OfficeClickToRun.exe
988	OfficeClickToRun.exe
988	OfficeClickToRun.exe
988	OfficeClickToRun.exe
988	OfficeClickToRun.exe
988	OfficeClickToRun.exe
988	OfficeClickToRun.exe
988	OfficeClickToRun.exe
988	OfficeClickToRun.exe
988	OfficeClickToRun.exe
988	OfficeClickToRun.exe
1220
1040	OfficeC2RClient.exe
1040	OfficeC2RClient.exe
1040	OfficeC2RClient.exe
1040	OfficeC2RClient.exe
1040	OfficeC2RClient.exe
1040	OfficeC2RClient.exe
1040	OfficeC2RClient.exe
1040	OfficeC2RClient.exe
1040	OfficeC2RClient.exe
1040	OfficeC2RClient.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

msiexec.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TeamsMachineInstaller = "%ProgramFiles%\\Teams Installer\\Teams.exe --checkInstall --source=PROPLUS"	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 2 IoCs

Processes:

OfficeClickToRun.exeFileSyncConfig.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Updates\Download\PackageFiles\F3225E87-99E9-4623-BB85-4483E8E659C7\root\Office16\1033\DataServices\DESKTOP.INI	OfficeClickToRun.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	FileSyncConfig.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe

Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Drops file in System32 directory 64 IoCs

Processes:

OfficeClickToRun.exeDrvInst.exeintegrator.exeDrvInst.exeintegrator.exeintegrator.exeintegrator.exemsiexec.exemofcomp.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	OfficeClickToRun.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{496b9a29-b24c-3328-4a4d-bd46fa076446}\SendToOneNote.ini	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{496b9a29-b24c-3328-4a4d-bd46fa076446}\SET4080.tmp	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	integrator.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{72dc9a6a-dd8f-7b6f-7062-18451f90eb2a}\prnSendToOneNote.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{496b9a29-b24c-3328-4a4d-bd46fa076446}\SET405B.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{496b9a29-b24c-3328-4a4d-bd46fa076446}\SET405D.tmp	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	integrator.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{72dc9a6a-dd8f-7b6f-7062-18451f90eb2a}\SET3D7D.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{496b9a29-b24c-3328-4a4d-bd46fa076446}\SendToOneNote-pipelineconfig.xml	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Office\OTele\integrator.exe.db-shm	integrator.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	OfficeClickToRun.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	integrator.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{496b9a29-b24c-3328-4a4d-bd46fa076446}	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Office\OTele\integrator.exe.db-shm	integrator.exe
File created	C:\Windows\System32\DriverStore\Temp\{496b9a29-b24c-3328-4a4d-bd46fa076446}\SET405F.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms006.inf_amd64_neutral_c3bdcb6fc975b614\prnms006.PNF	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnsendtoonenote_win7.inf_amd64_neutral_051c91a57330a58b\prnsendtoonenote_win7.PNF	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-shm	OfficeClickToRun.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{72dc9a6a-dd8f-7b6f-7062-18451f90eb2a}\SET3D7E.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{72dc9a6a-dd8f-7b6f-7062-18451f90eb2a}\SET3D93.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{496b9a29-b24c-3328-4a4d-bd46fa076446}\SET405B.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnsendtoonenote_win7.inf_amd64_neutral_051c91a57330a58b\prnSendToOneNote_Win7.PNF	DrvInst.exe
File created	\??\c:\Windows\SysWOW64\vccorlib140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Office\OTele\integrator.exe.db-wal	integrator.exe
File created	C:\Windows\System32\DriverStore\Temp\{72dc9a6a-dd8f-7b6f-7062-18451f90eb2a}\SET3D80.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{72dc9a6a-dd8f-7b6f-7062-18451f90eb2a}\SET3D81.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC	integrator.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Office\OTele\integrator.exe.db	integrator.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Office\OTele\integrator.exe.db-shm	integrator.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC	OfficeClickToRun.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{72dc9a6a-dd8f-7b6f-7062-18451f90eb2a}\SendToOneNote.gpd	DrvInst.exe
File created	\??\c:\Windows\SysWOW64\msvcp140_1.dll	msiexec.exe
File created	C:\Windows\System32\DriverStore\INFCACHE.0	DrvInst.exe
File created	\??\c:\Windows\SysWOW64\msvcp100.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	integrator.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Office\OTele\integrator.exe.db-shm	integrator.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	integrator.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-wal	OfficeClickToRun.exe
File created	C:\Windows\System32\DriverStore\Temp\{72dc9a6a-dd8f-7b6f-7062-18451f90eb2a}\SET3D81.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{496b9a29-b24c-3328-4a4d-bd46fa076446}\prnSendToOneNote_Win7.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnsendtoonenote_win7.inf_amd64_neutral_051c91a57330a58b\prnsendtoonenote_win7.PNF	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Office\OTele\integrator.exe.db-journal	integrator.exe
File created	\??\c:\Windows\SysWOW64\msvcp140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	integrator.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{496b9a29-b24c-3328-4a4d-bd46fa076446}\SET405F.tmp	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Office\OTele\integrator.exe.db	integrator.exe
File opened for modification	C:\Windows\system32\wbem\AutoRecover\14C5A2A3C41254184B007011E5565E5B.mof	mofcomp.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{496b9a29-b24c-3328-4a4d-bd46fa076446}\SET405C.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{72dc9a6a-dd8f-7b6f-7062-18451f90eb2a}\SendToOneNote-manifest.ini	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{496b9a29-b24c-3328-4a4d-bd46fa076446}\SET405E.tmp	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Office\OTele\integrator.exe.db	integrator.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-journal	OfficeClickToRun.exe
File created	C:\Windows\System32\DriverStore\Temp\{72dc9a6a-dd8f-7b6f-7062-18451f90eb2a}\SET3D7D.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{72dc9a6a-dd8f-7b6f-7062-18451f90eb2a}\SendToOneNoteNames.gpd	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{72dc9a6a-dd8f-7b6f-7062-18451f90eb2a}	DrvInst.exe
File created	\??\c:\Windows\SysWOW64\concrt140.dll	msiexec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{72dc9a6a-dd8f-7b6f-7062-18451f90eb2a}\prnms006.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{496b9a29-b24c-3328-4a4d-bd46fa076446}\SET405D.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{496b9a29-b24c-3328-4a4d-bd46fa076446}\SendToOneNoteFilter.dll	DrvInst.exe

Drops file in Program Files directory 64 IoCs

Processes:

OfficeClickToRun.exemsiexec.exeOffice365.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Updates\Download\PackageFiles\F3225E87-99E9-4623-BB85-4483E8E659C7\root\CLIPART\PUB60COR\J0309904.WMF	OfficeClickToRun.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Updates\Download\PackageFiles\F3225E87-99E9-4623-BB85-4483E8E659C7\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	OfficeClickToRun.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Updates\Download\PackageFiles\F3225E87-99E9-4623-BB85-4483E8E659C7\root\Licenses16\HomeStudentR_OEM_Perp-pl.xrm-ms	OfficeClickToRun.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Updates\Download\PackageFiles\F3225E87-99E9-4623-BB85-4483E8E659C7\root\Licenses16\O365ProPlusEDUR_Subscription-ppd.xrm-ms	OfficeClickToRun.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\OMSMAIN.DLL	msiexec.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Updates\Download\PackageFiles\F3225E87-99E9-4623-BB85-4483E8E659C7\root\CLIPART\PUB60COR\SL01041_.WMF	OfficeClickToRun.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Updates\Download\PackageFiles\F3225E87-99E9-4623-BB85-4483E8E659C7\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\api-ms-win-crt-string-l1-1-0.dll	OfficeClickToRun.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Updates\Download\PackageFiles\F3225E87-99E9-4623-BB85-4483E8E659C7\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Help\hxds.dll	OfficeClickToRun.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Updates\Download\PackageFiles\F3225E87-99E9-4623-BB85-4483E8E659C7\root\Office16\MEDIA\SUCTION.WAV	OfficeClickToRun.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Updates\Download\PackageFiles\F3225E87-99E9-4623-BB85-4483E8E659C7\root\Office16\1033\PUBSPAPR\PDIR42F.GIF	OfficeClickToRun.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Updates\Download\PackageFiles\F3225E87-99E9-4623-BB85-4483E8E659C7\root\CLIPART\PUB60COR\J0099176.WMF	OfficeClickToRun.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Updates\Download\PackageFiles\F3225E87-99E9-4623-BB85-4483E8E659C7\root\CLIPART\PUB60COR\J0107658.WMF	OfficeClickToRun.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Updates\Download\PackageFiles\F3225E87-99E9-4623-BB85-4483E8E659C7\root\CLIPART\PUB60COR\J0086426.WMF	OfficeClickToRun.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2R26583F3B-2567-4180-84B2-FFAF92CFB38B\C2RINTL.hi-in.dll	Office365.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Updates\Download\PackageFiles\F3225E87-99E9-4623-BB85-4483E8E659C7\root\Document Themes 16\Theme Colors\Aspect.xml	OfficeClickToRun.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Updates\Download\PackageFiles\F3225E87-99E9-4623-BB85-4483E8E659C7\root\CLIPART\PUB60COR\FLAP.WMF	OfficeClickToRun.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Updates\Download\PackageFiles\F3225E87-99E9-4623-BB85-4483E8E659C7\root\Licenses16\HomeBusinessR_Trial-pl.xrm-ms	OfficeClickToRun.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Updates\Download\PackageFiles\F3225E87-99E9-4623-BB85-4483E8E659C7\root\vfs\Fonts\private\ARIALNB.TTF	OfficeClickToRun.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Updates\Download\PackageFiles\F3225E87-99E9-4623-BB85-4483E8E659C7\root\Licenses16\PowerPoint2019R_Grace-ppd.xrm-ms	OfficeClickToRun.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Updates\Download\PackageFiles\F3225E87-99E9-4623-BB85-4483E8E659C7\root\Office16\1033\PUBSPAPR\ZPDIR4B.GIF	OfficeClickToRun.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Updates\Download\PackageFiles\F3225E87-99E9-4623-BB85-4483E8E659C7\root\CLIPART\PUB60COR\J0105398.WMF	OfficeClickToRun.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Updates\Download\PackageFiles\F3225E87-99E9-4623-BB85-4483E8E659C7\root\CLIPART\PUB60COR\J0107516.WMF	OfficeClickToRun.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Updates\Download\PackageFiles\F3225E87-99E9-4623-BB85-4483E8E659C7\root\CLIPART\PUB60COR\BD09194_.WMF	OfficeClickToRun.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Updates\Download\PackageFiles\F3225E87-99E9-4623-BB85-4483E8E659C7\root\CLIPART\PUB60COR\BS00441_.WMF	OfficeClickToRun.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Updates\Download\PackageFiles\F3225E87-99E9-4623-BB85-4483E8E659C7\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\api-ms-win-crt-convert-l1-1-0.dll	OfficeClickToRun.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Updates\Download\PackageFiles\F3225E87-99E9-4623-BB85-4483E8E659C7\root\Office16\mscss7en.dll	OfficeClickToRun.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Root\rsodWoW6432\accessmuiset.msi.16.en-us.tree.dat	OfficeClickToRun.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Updates\Download\PackageFiles\F3225E87-99E9-4623-BB85-4483E8E659C7\root\Office16\LogoImages\MsAccessLogoSmall.contrast-white_scale-140.png	OfficeClickToRun.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Updates\Download\PackageFiles\F3225E87-99E9-4623-BB85-4483E8E659C7\root\Office16\CONVERT\1033\DELIMR.FAE	OfficeClickToRun.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Updates\Download\PackageFiles\F3225E87-99E9-4623-BB85-4483E8E659C7\root\CLIPART\PUB60COR\WB01297_.GIF	OfficeClickToRun.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Updates\Download\PackageFiles\F3225E87-99E9-4623-BB85-4483E8E659C7\root\Licenses16\O365HomePremR_Subscription4-pl.xrm-ms	OfficeClickToRun.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Updates\Download\PackageFiles\F3225E87-99E9-4623-BB85-4483E8E659C7\root\Office16\FORMS\1033\IPMS.ICO	OfficeClickToRun.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Updates\Download\PackageFiles\F3225E87-99E9-4623-BB85-4483E8E659C7\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-crt-private-l1-1-0.dll	OfficeClickToRun.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Updates\Download\PackageFiles\F3225E87-99E9-4623-BB85-4483E8E659C7\root\Office16\1033\SKYPEFB_COL.HXT	OfficeClickToRun.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Updates\Download\PackageFiles\F3225E87-99E9-4623-BB85-4483E8E659C7\root\Office16\OCSAEXT.dll	OfficeClickToRun.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Updates\Download\PackageFiles\F3225E87-99E9-4623-BB85-4483E8E659C7\root\CLIPART\PUB60COR\PE00272_.WMF	OfficeClickToRun.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Updates\Download\PackageFiles\F3225E87-99E9-4623-BB85-4483E8E659C7\root\Licenses16\HomeBusinessPipcR_OEM_Perp-pl.xrm-ms	OfficeClickToRun.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Updates\Download\PackageFiles\F3225E87-99E9-4623-BB85-4483E8E659C7\root\Licenses16\PowerPoint2019R_Retail-pl.xrm-ms	OfficeClickToRun.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Updates\Download\PackageFiles\F3225E87-99E9-4623-BB85-4483E8E659C7\root\Office16\Media\LYNC_ringtone5.wav	OfficeClickToRun.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Updates\Download\PackageFiles\F3225E87-99E9-4623-BB85-4483E8E659C7\root\Office16\PUBWIZ\POSTCARD.DPV	OfficeClickToRun.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Updates\Download\PackageFiles\F3225E87-99E9-4623-BB85-4483E8E659C7\root\vfs\Fonts\private\MAIAN.TTF	OfficeClickToRun.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Updates\Download\PackageFiles\F3225E87-99E9-4623-BB85-4483E8E659C7\root\Licenses16\HomeStudentR_Retail-ppd.xrm-ms	OfficeClickToRun.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Updates\Download\PackageFiles\F3225E87-99E9-4623-BB85-4483E8E659C7\root\Licenses16\SkypeforBusiness2019R_Retail-ul-phn.xrm-ms	OfficeClickToRun.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Updates\Download\PackageFiles\F3225E87-99E9-4623-BB85-4483E8E659C7\root\Client\api-ms-win-core-xstate-l2-1-0.dll	OfficeClickToRun.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Updates\Download\PackageFiles\F3225E87-99E9-4623-BB85-4483E8E659C7\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE	OfficeClickToRun.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Updates\Download\PackageFiles\F3225E87-99E9-4623-BB85-4483E8E659C7\root\Office16\OutlookAutoDiscover\YAHOO.PL.XML	OfficeClickToRun.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Updates\Download\PackageFiles\F3225E87-99E9-4623-BB85-4483E8E659C7\root\Office16\1033\MSOUC_F_COL.HXK	OfficeClickToRun.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Updates\Download\PackageFiles\F3225E87-99E9-4623-BB85-4483E8E659C7\root\Office16\mscss7es.dll	OfficeClickToRun.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Updates\Download\PackageFiles\F3225E87-99E9-4623-BB85-4483E8E659C7\root\CLIPART\PUB60COR\NA01468_.WMF	OfficeClickToRun.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Updates\Download\PackageFiles\F3225E87-99E9-4623-BB85-4483E8E659C7\root\Office16\OCHelper.dll	OfficeClickToRun.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Updates\Download\PackageFiles\F3225E87-99E9-4623-BB85-4483E8E659C7\root\vfs\SystemX86\mfc140enu.dll	OfficeClickToRun.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Updates\Download\PackageFiles\F3225E87-99E9-4623-BB85-4483E8E659C7\root\Office16\Media\LYNC_callended.wav	OfficeClickToRun.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Updates\Download\PackageFiles\F3225E87-99E9-4623-BB85-4483E8E659C7\root\CLIPART\Publisher\Backgrounds\WB00780L.GIF	OfficeClickToRun.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Updates\Download\PackageFiles\F3225E87-99E9-4623-BB85-4483E8E659C7\root\Licenses16\ProfessionalR_Trial-ppd.xrm-ms	OfficeClickToRun.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Updates\Download\PackageFiles\F3225E87-99E9-4623-BB85-4483E8E659C7\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\PlatformCapabilities\PowerPointCapabilities.json	OfficeClickToRun.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Updates\Download\PackageFiles\F3225E87-99E9-4623-BB85-4483E8E659C7\root\Licenses16\HomeStudent2019R_Trial-ul-oob.xrm-ms	OfficeClickToRun.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Updates\Download\PackageFiles\F3225E87-99E9-4623-BB85-4483E8E659C7\root\Document Themes 16\Theme Fonts\Calibri-Cambria.xml	OfficeClickToRun.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Updates\Download\PackageFiles\F3225E87-99E9-4623-BB85-4483E8E659C7\root\Office16\1033\PUBSPAPR\ZPDIR41F.GIF	OfficeClickToRun.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Updates\Download\PackageFiles\F3225E87-99E9-4623-BB85-4483E8E659C7\root\Office16\1033\PUBSPAPR\PDIR41F.GIF	OfficeClickToRun.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Updates\Download\PackageFiles\F3225E87-99E9-4623-BB85-4483E8E659C7\root\vfs\ProgramFilesCommonX86\Microsoft Shared\THEMES16\BREEZE\BREEZE.INF	OfficeClickToRun.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Updates\Download\PackageFiles\F3225E87-99E9-4623-BB85-4483E8E659C7\root\Office16\OutlookAutoDiscover\BTINTERNET.NET.XML	OfficeClickToRun.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Updates\Download\PackageFiles\F3225E87-99E9-4623-BB85-4483E8E659C7\root\Office16\PUBWIZ\SIDEBARBB.DPV	OfficeClickToRun.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Updates\Download\PackageFiles\F3225E87-99E9-4623-BB85-4483E8E659C7\root\Licenses16\VisioStdCO365R_SubTrial-pl.xrm-ms	OfficeClickToRun.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Updates\Download\PackageFiles\F3225E87-99E9-4623-BB85-4483E8E659C7\root\vfs\ProgramFilesCommonX86\System\MSMAPI\1033\MSMAPI32.DLL	OfficeClickToRun.exe

Drops file in Windows directory 64 IoCs

Processes:

msiexec.exengen.exengen.exengen.exerundll32.exengen.exengen.exeOfficeClickToRun.exengen.exengen.exengen.exengen.exengen.exengen.exengen.exerundll32.exengen.exengen.exengen.exengen.exengen.exengen.exengen.exe

description	ioc	process
File opened for modification	\??\c:\Windows\Installer\$PatchCache$\Managed\00004109110000000000000000F01FEC\14.0.4763\CONTAB32.DLL	msiexec.exe
File created	\??\c:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\msouc.exe	msiexec.exe
File created	\??\c:\Windows\Installer\f7c6ed8.ipi	msiexec.exe
File opened for modification	C:\Windows\assembly\pubpol62.dat	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	ngen.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	ngen.exe
File opened for modification	C:\Windows\Installer\MSI2EBB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3664.tmp	msiexec.exe
File opened for modification	\??\c:\Windows\Installer\$PatchCache$\Managed\00004109110000000000000000F01FEC\14.0.4763\MAPIPH.DLL	msiexec.exe
File created	C:\Windows\assembly\tmp\FBF1840C\Microsoft.VisualStudio.Tools.Office.Runtime.Internal.dll	msiexec.exe
File opened for modification	C:\Windows\assembly\pubpol4.dat	msiexec.exe
File created	C:\Windows\Microsoft.NET\ngenserviceclientlock.dat	ngen.exe
File created	\??\c:\Windows\Installer\$PatchCache$\Managed\00004109110000000000000000F01FEC\14.0.4763\OMSMAIN.DLL	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7FF4.tmp-\Microsoft.Data.Edm.dll	rundll32.exe
File created	C:\Windows\assembly\tmp\A4VWGU3U\Q2497OUW	msiexec.exe
File opened for modification	\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log	ngen.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	ngen.exe
File created	C:\Windows\ARIALNI.tt2	OfficeClickToRun.exe
File created	C:\Windows\assembly\tmp\23MFFI5E\Microsoft.VisualStudio.Tools.Office.AppInfoDocument.v9.0.dll	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	ngen.exe
File opened for modification	C:\Windows\Installer\MSI1D3.tmp	msiexec.exe
File created	\??\c:\Windows\Installer\$PatchCache$\Managed\00004109110000000000000000F01FEC\14.0.4763\Microsoft.VisualStudio.Tools.Applications.Runtime.v10_GAC.x86.enu.452A3D81_F519_47A5_A9B2_7DEE71379BC4	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	ngen.exe
File created	C:\Windows\assembly\tmp\BCYWS2F9\Microsoft.Office.Tools.Word.v9.0.dll	msiexec.exe
File opened for modification	\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	ngen.exe
File created	\??\c:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\graph.ico	msiexec.exe
File created	C:\Windows\assembly\GACLock.dat	msiexec.exe
File created	C:\Windows\assembly\tmp\J4FPJASV\Policy.14.0.Microsoft.Office.Interop.Access.dll	msiexec.exe
File opened for modification	\??\c:\Windows\Installer\f7c6e98.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5924.tmp	msiexec.exe
File created	C:\Windows\assembly\tmp\GHDQUYCA\UETROZ69	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	ngen.exe
File opened for modification	C:\Windows\assembly\temp\BS45NYG8L7\Microsoft.Office.Tools.Excel.v9.0.dll	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC82C.tmp	msiexec.exe
File opened for modification	\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	ngen.exe
File created	C:\Windows\Microsoft.NET\ngenserviceclientlock.dat	ngen.exe
File created	\??\c:\Windows\Installer\$PatchCache$\Managed\00004109110000000000000000F01FEC\14.0.4763\FL_Microsoft.VisualStudio.Tools.Applications.ServerDocument.v10_GAC_x86.enu.452A3D81_F519_47A5_A9B2_7DEE71379BC4	msiexec.exe
File opened for modification	\??\c:\Windows\Installer\$PatchCache$\Managed\00004109110000000000000000F01FEC\14.0.4763\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10_GAC.x86.enu.452A3D81_F519_47A5_A9B2_7DEE71379BC4	msiexec.exe
File created	C:\Windows\assembly\tmp\XLJEP9CW\Policy.11.0.Microsoft.Office.Interop.Publisher.dll	msiexec.exe
File created	C:\Windows\assembly\tmp\37YNB8X9\FDS7IS7M	msiexec.exe
File opened for modification	\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log	ngen.exe
File created	\??\c:\Windows\Installer\$PatchCache$\Managed\00004109110000000000000000F01FEC\14.0.4763\PSTPRX32.DLL	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7798.tmp	msiexec.exe
File created	C:\Windows\fonts\NIRMALAB.TTF	OfficeClickToRun.exe
File created	\??\c:\Windows\Installer\$PatchCache$\Managed\00004109110000000000000000F01FEC\14.0.4763\FL_Microsoft_VisualStudio_Tools_Applications_Hosting_v10_x86.452A3D81_F519_47A5_A9B2_7DEE71379BC4	msiexec.exe
File created	C:\Windows\assembly\tmp\ZESZBH0K\Microsoft.Office.Tools.Common.Implementation.dll	msiexec.exe
File opened for modification	C:\Windows\Installer\f7c6ef2.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI75A5.tmp-\ICSharpCode.SharpZipLib.dll	rundll32.exe
File opened for modification	\??\c:\Windows\Installer\f7c6ea0.msp	msiexec.exe
File created	C:\Windows\assembly\tmp\P79LUEGB\Policy.12.0.Microsoft.Office.Interop.PowerPoint.dll	msiexec.exe
File opened for modification	\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log	ngen.exe
File opened for modification	\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	ngen.exe
File opened for modification	\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log	ngen.exe
File opened for modification	C:\Windows\assembly\temp\H4PRD7NOFY\Microsoft.VisualStudio.Tools.Office.AppInfoDocument.v9.0.dll	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	ngen.exe
File opened for modification	C:\Windows\assembly\temp\A8ANG3UO9D\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	ngen.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	ngen.exe
File created	C:\Windows\ALGER.tt2	OfficeClickToRun.exe
File created	\??\c:\Windows\Installer\f7c6e95.msi	msiexec.exe
File opened for modification	C:\Windows\assembly\temp\L612WO4UH4\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll	msiexec.exe
File created	C:\Windows\Microsoft.NET\ngenserviceclientlock.dat	ngen.exe
File created	\??\c:\Windows\Installer\$PatchCache$\Managed\00004109110000000000000000F01FEC\14.0.4763\FL_MSVSTORuntime_GAC_x86.enu.452A3D81_F519_47A5_A9B2_7DEE71379BC4	msiexec.exe
File opened for modification	C:\Windows\assembly\pubpol67.dat	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 27 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

integrator.exeOfficeClickToRun.exeOfficeClickToRun.exeintegrator.exeintegrator.exeOffice365.exeOLicenseHeartbeat.exeintegrator.exeintegrator.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	integrator.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	integrator.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	integrator.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	integrator.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Office365.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	integrator.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	OLicenseHeartbeat.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Office365.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	integrator.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Office365.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	OLicenseHeartbeat.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	integrator.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	integrator.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	integrator.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	integrator.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	integrator.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	integrator.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	integrator.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	integrator.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	integrator.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	OLicenseHeartbeat.exe

Creates scheduled task(s) 1 TTPs 8 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1168 schtasks.exe
2668 schtasks.exe
2768 schtasks.exe
2364 schtasks.exe
2992 schtasks.exe
3060 schtasks.exe
972 schtasks.exe
872 schtasks.exe

pid	process
1168	schtasks.exe
2668	schtasks.exe
2768	schtasks.exe
2364	schtasks.exe
2992	schtasks.exe
3060	schtasks.exe
972	schtasks.exe
872	schtasks.exe

Enumerates system info in registry 2 TTPs 27 IoCs

Query Registry

System Information Discovery

Processes:

Office365.exeintegrator.exeintegrator.exeintegrator.exeOLicenseHeartbeat.exeOfficeClickToRun.exeOfficeClickToRun.exeintegrator.exeintegrator.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Office365.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	integrator.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	integrator.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	integrator.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	OLicenseHeartbeat.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	OfficeClickToRun.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	integrator.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	integrator.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	integrator.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	Office365.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	integrator.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	integrator.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	integrator.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	OfficeClickToRun.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	integrator.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	integrator.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	integrator.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	integrator.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	OLicenseHeartbeat.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	OLicenseHeartbeat.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Office365.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	OfficeClickToRun.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	integrator.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	integrator.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

Processes:

integrator.exemsiexec.exemsohtmed.exeintegrator.exemsohtmed.exeOneDriveSetup.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MAXCONNECTIONSPERSERVER\powerpnt.exe = "13"	integrator.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\HotIcon = "C:\\Program Files (x86)\\Microsoft Office\\root\\Office16\\ONBttnIE.dll,103"	integrator.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN\VSTOInstaller.exe = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	msohtmed.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_OBJECT_CACHING\LICLUA.EXE = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{279D6C9A-652E-4833-BEFC-312CA8887857}	integrator.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE\OSPPSVC.EXE = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}	integrator.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\ClsidExtension = "{48E73304-E1D6-4330-914C-F5F514E3486C}"	integrator.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\HotIcon = "C:\\Program Files (x86)\\Microsoft Office\\root\\VFS\\ProgramFilesX64\\Microsoft Office\\Office16\\ONBttnIE.dll,103"	integrator.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{72C8AC02-75E8-4444-9422-02FB7B43EC45}	integrator.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\OSE.EXE = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	msohtmed.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT\OSPPREARM.EXE = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}	integrator.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5FBAF6E6-C64B-49DB-AB1B-F93C607EBC71}\Policy = "2"	integrator.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_SAFE_BINDTOOBJECT\OUTLOOK.EXE = "1"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	msohtmed.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MIME_HANDLING\LICLUA.EXE = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_OBJECT_CACHING\OSPPSVC.EXE = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\ = "Lync Click to Call"	integrator.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_SECURITYBAND\OUTLOOK.EXE = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL\OUTLOOK.EXE = "1"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	msohtmed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	msohtmed.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MAXCONNECTIONSPERSERVER\outlook.exe = "13"	integrator.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\MenuText = "Lync Click to Call"	integrator.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\ClsidExtension = "{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}"	integrator.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MIME_SNIFFING\OUTLOOK.EXE = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	msohtmed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5FBAF6E6-C64B-49DB-AB1B-F93C607EBC71}\AppName = "onenote.exe"	integrator.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\MenuText = "OneNote Lin&ked Notes"	integrator.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ZONE_ELEVATION\LICLUA.EXE = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT\LICLUA.EXE = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\msoasb.exe = "11000"	integrator.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5FBAF6E6-C64B-49DB-AB1B-F93C607EBC71}\Policy = "2"	integrator.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\Icon = "C:\\Program Files (x86)\\Microsoft Office\\root\\Office16\\ONBttnIELinkedNotes.dll,103"	integrator.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL\LICLUA.EXE = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5FBAF6E6-C64B-49DB-AB1B-F93C607EBC71}\Policy = "2"	integrator.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\ClsidExtension = "{FFFDC614-B694-4AE6-AB38-5D6374584B52}"	integrator.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\ClsidExtension = "{FFFDC614-B694-4AE6-AB38-5D6374584B52}"	integrator.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{279D6C9A-652E-4833-BEFC-312CA8887857}	integrator.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_UNC_SAVEDFILECHECK\VSTOInstaller.exe = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	msohtmed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\Default Visible = "Yes"	integrator.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	OneDriveSetup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8D13E03F-8289-4c15-A84F-7A8F655C830A}\Policy = "3"	integrator.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	msohtmed.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL\OSPPREARM.EXE = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5FBAF6E6-C64B-49DB-AB1B-F93C607EBC71}	integrator.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{72C8AC02-75E8-4444-9422-02FB7B43EC45}\AppName = "lync.exe"	integrator.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MIME_HANDLING\OSPPREARM.EXE = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{279D6C9A-652E-4833-BEFC-312CA8887857}\Compatibility Flags = "1024"	integrator.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\HotIcon = "C:\\Program Files (x86)\\Microsoft Office\\root\\VFS\\ProgramFilesX64\\Microsoft Office\\Office16\\lync.exe,1"	integrator.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT\OUTLOOK.EXE = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}	integrator.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\ButtonText = "Lync Click to Call"	integrator.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDriveSetup.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

msiexec.exeOfficeClickToRun.exeDrvInst.exeintegrator.exeintegrator.exeintegrator.exeintegrator.exeDrvInst.exeintegrator.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2F	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\integrator.exe	integrator.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun	integrator.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	integrator.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	integrator.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\PPTChangeInstallLanguage = "No"	OfficeClickToRun.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4a-64-0a-41-09-79\WpadDecisionTime = 50ce1666eee3d701	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	integrator.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	integrator.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	integrator.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0093000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	integrator.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	integrator.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	integrator.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\integrator.exe\ULSMonitor	integrator.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	integrator.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	integrator.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	integrator.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4a-64-0a-41-09-79\WpadDecisionTime = d0942d9eefe3d701	integrator.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	integrator.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9EECD2BE-42B4-4E16-B4A3-01C3330A8E41}\WpadNetworkName = "Network 3"	integrator.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun	integrator.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides	integrator.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides	integrator.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	integrator.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	integrator.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	integrator.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9EECD2BE-42B4-4E16-B4A3-01C3330A8E41}\WpadDecisionTime = f08e1290efe3d701	integrator.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	integrator.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	integrator.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\16.0\Common	integrator.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	integrator.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4a-64-0a-41-09-79\WpadDecisionTime = 50643b41efe3d701	integrator.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	integrator.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	integrator.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides	integrator.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\16.0\Common\TrustCenter	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	integrator.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\integrator.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=integrator.exe&Version=16.0.12527.21962&ClientId={3C52676B-F1E4-4AD3-BF29-BA5C3F0F94F9}&OSEnvironment=10&MsoAppId=37&AudienceName=DCWin7_CC_Production&AudienceGroup=Production&AppVersion=16.0.12527.21962&"	integrator.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	integrator.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides	integrator.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry	integrator.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	integrator.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	integrator.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	integrator.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\26	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	integrator.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun	integrator.exe

Modifies registry class 64 IoCs

Processes:

OfficeClickToRun.exemsiexec.exemsohtmed.exeOneDriveSetup.exeintegrator.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BD876261-4399-11D3-B65B-00C04F8EF32D}\ = "ParagraphFormat"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4265ED97-A922-4CA4-8CD8-99684CCA9CDB}\TypeLib\Version = "8.7"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F5AA-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{6A7167F1-2432-11CF-956F-00AA004B9DFA}\11.0.0.0\RuntimeVersion = "v2.0.50727"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vcs\OpenWithProgids\Outlook.File.vcs.14	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{10FDD9BA-0CBA-4958-B6C8-D0912BF2703F}\TypeLib	OfficeClickToRun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8B06E321-B23C-11CF-89A8-00A0C9054129}\InprocServer32\Class = "Microsoft.Office.Interop.Access.ClassClass"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{0006F053-0000-0000-C000-000000000046}\LocalServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000630C5-0000-0000-C000-000000000046}\TypeLib\Version = "9.6"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Access.Shortcut.Report.1\shell\	OfficeClickToRun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.Addin.12\shell\Open\ = "@C:\\Program Files (x86)\\Microsoft Office\\Root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\Office16\\oregres.dll,-3"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{978C9E23-D4B0-11CE-BF2D-00AA003F40D0}\Version\ = "2.0"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00024500-0000-0000-C000-000000000046}\ = "Microsoft Excel Application"	OfficeClickToRun.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Record\{DD79733B-5E46-49C9-8400-6BCF316EC79E}\15.0.0.0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{08F6C818-3CFD-11D1-98BC-006008197D41}\InprocServer32\Assembly = "Microsoft.Office.Interop.Access, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hxq\OpenWithProgids\MSHelp.hxq.2.5 = "0"	OfficeClickToRun.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Outlook.File.msg.15	OfficeClickToRun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DC020317-E6E2-4A62-B9FA-B3EFE16626F4}\Verb\1\ = "&Edit,0,2"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{92D41A50-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{4EAFEE76-D0A4-3E29-A16B-A600C4036497}\15.0.0.0\Assembly = "Microsoft.Office.Interop.Graph, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{02F92C80-8F8E-101B-AF4E-00AA003F0F07}\InprocServer32\15.0.0.0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Access.Shortcut.Table.1\shell\open\ddeexec\topic\ = "ShellSystem"	OfficeClickToRun.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{000209F0-0000-0000-C000-000000000046}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2E70526D-92D1-43CC-A57B-ED48BCCC711D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	msohtmed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.Addin.8\shell\Open\ = "@C:\\Program Files (x86)\\Microsoft Office\\Root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\Office16\\oregres.dll,-3"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000_CLASSES\Wow6432Node\Interface\{AF60000F-661D-472A-9588-F062F6DB7A0E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDriveSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000208B9-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000208C0-0000-0000-C000-000000000046}\ = "Corners"	OfficeClickToRun.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000244E1-0000-0000-C000-000000000046}\ProxyStubClsid32	OfficeClickToRun.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FF037274-455A-4E34-B5D1-D42DB866F9B7}	OfficeClickToRun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{5B9DA1C7-ED04-3544-B119-74CA6CF7B3A8}\15.0.0.0\RuntimeVersion = "v2.0.50727"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{37A02BE5-379A-3142-92CD-0E4C5EDC133D}\15.0.0.0\Assembly = "Microsoft.Office.Interop.Word, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\otkloadr.WRLoader\ = "CWRLoader Object"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F28C-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{74296637-F32E-356F-A03A-D1E4574613FC}\15.0.0.0\Assembly = "Microsoft.Office.Interop.Graph, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Access.ACCDTFile.16	OfficeClickToRun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ms-access\shell\open\command\ = "C:\\Program Files (x86)\\Microsoft Office\\Root\\Office16\\protocolhandler.exe \"%1\""	OfficeClickToRun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Excel.SheetMacroEnabled.12\shell\Edit\ = "@C:\\Program Files (x86)\\Microsoft Office\\Root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\Office16\\oregres.dll,-1"	OfficeClickToRun.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7931F65C-2564-4C19-AE71-E7DDFA008F6A}\MiscStatus	OfficeClickToRun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{071716C7-3D5F-4022-8C45-93F522DE7F5E}\ = "INameServerEvents"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020820-0000-0000-C000-000000000046}\InprocServer32\Class = "Microsoft.Office.Interop.Excel.WorksheetClass"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0006F04A-0000-0000-C000-000000000046}\Version\ = "9.4"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Outlook.OlkPageControl\CurVer\ = "Outlook.OlkPageControl.1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sip\URL Protocol	OfficeClickToRun.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6240EF28-7EAB-4dc7-A5E3-7CFB35EFB34D}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	OfficeClickToRun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000C03C9-0000-0000-C000-000000000046}\TypeLib\Version = "2.8"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E7339A62-0E31-4A5E-BA3D-F2FEDFBF8BE5}\VersionIndependentProgID\ = "PortalConnect14.PersonalSite"	integrator.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{9D06257A-DA0F-358F-9A15-4D1EFB87D61A}\15.0.0.0\RuntimeVersion = "v2.0.50727"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\conf\DefaultIcon\ = "C:\\Program Files (x86)\\Microsoft Office\\Root\\Office16\\lync.exe"	OfficeClickToRun.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{36CDC166-4F21-46AD-A60E-8551F26C1D41}	OfficeClickToRun.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{62A75516-C79B-42D7-8B49-3BA492C2B385}\TypeLib	OfficeClickToRun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5052A832-2C0F-46c7-B67C-1F1FEC37B280}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}\	OfficeClickToRun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00024427-0000-0000-C000-000000000046}\TypeLib\Version = "1.9"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{914934C7-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000630DF-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000209AA-0000-0000-C000-000000000046}\TypeLib\Version = "8.7"	OfficeClickToRun.exe
Key created	\REGISTRY\MACHINE\Software\Classes\mapifvbx.object	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000C1712-0000-0000-C000-000000000046}\TypeLib\Version = "2.8"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0002448F-0000-0000-C000-000000000046}\TypeLib\Version = "1.9"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0002097A-0000-0000-C000-000000000046}\TypeLib\Version = "8.7"	OfficeClickToRun.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{9E390D9E-7641-4819-BF38-8EEE08964681}\VersionIndependentProgID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.docx\PerceivedType = "document"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0002442C-0000-0000-C000-000000000046}\ = "ODBCError"	OfficeClickToRun.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

Processes:

AutoInstall_zNvtuIFmBw.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	AutoInstall_zNvtuIFmBw.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	AutoInstall_zNvtuIFmBw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	AutoInstall_zNvtuIFmBw.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	AutoInstall_zNvtuIFmBw.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	AutoInstall_zNvtuIFmBw.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

powershell.exepowershell.exemsiexec.exeOneDriveSetup.exe

pid	process
1616	powershell.exe
928	powershell.exe
1624	msiexec.exe
1624	msiexec.exe
2812	OneDriveSetup.exe
2812	OneDriveSetup.exe
2812	OneDriveSetup.exe
2812	OneDriveSetup.exe
2812	OneDriveSetup.exe
2812	OneDriveSetup.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AutoInstall_zNvtuIFmBw.exe

pid process

1052 AutoInstall_zNvtuIFmBw.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

AutoInstall_zNvtuIFmBw.exepowershell.exepowershell.exeOfficeClickToRun.exeintegrator.exeDrvInst.exeDrvInst.exewevtutil.exe

description	pid	process
Token: SeDebugPrivilege	1052	AutoInstall_zNvtuIFmBw.exe
Token: SeDebugPrivilege	1616	powershell.exe
Token: SeDebugPrivilege	928	powershell.exe
Token: 35	988	OfficeClickToRun.exe
Token: 35	988	OfficeClickToRun.exe
Token: 35	988	OfficeClickToRun.exe
Token: 35	988	OfficeClickToRun.exe
Token: 35	988	OfficeClickToRun.exe
Token: 35	988	OfficeClickToRun.exe
Token: 35	988	OfficeClickToRun.exe
Token: 35	988	OfficeClickToRun.exe
Token: 35	988	OfficeClickToRun.exe
Token: 35	988	OfficeClickToRun.exe
Token: SeRestorePrivilege	2760	integrator.exe
Token: SeRestorePrivilege	2760	integrator.exe
Token: SeRestorePrivilege	2760	integrator.exe
Token: SeRestorePrivilege	2760	integrator.exe
Token: SeRestorePrivilege	2760	integrator.exe
Token: SeRestorePrivilege	2760	integrator.exe
Token: SeRestorePrivilege	2760	integrator.exe
Token: SeRestorePrivilege	2760	integrator.exe
Token: SeRestorePrivilege	2760	integrator.exe
Token: SeRestorePrivilege	2760	integrator.exe
Token: SeRestorePrivilege	2760	integrator.exe
Token: SeRestorePrivilege	2760	integrator.exe
Token: SeRestorePrivilege	2760	integrator.exe
Token: SeRestorePrivilege	2760	integrator.exe
Token: SeRestorePrivilege	2208	DrvInst.exe
Token: SeRestorePrivilege	2208	DrvInst.exe
Token: SeRestorePrivilege	2208	DrvInst.exe
Token: SeRestorePrivilege	2208	DrvInst.exe
Token: SeRestorePrivilege	2208	DrvInst.exe
Token: SeRestorePrivilege	2208	DrvInst.exe
Token: SeRestorePrivilege	2208	DrvInst.exe
Token: SeRestorePrivilege	2208	DrvInst.exe
Token: SeRestorePrivilege	2208	DrvInst.exe
Token: SeRestorePrivilege	2208	DrvInst.exe
Token: SeRestorePrivilege	2208	DrvInst.exe
Token: SeRestorePrivilege	2208	DrvInst.exe
Token: SeRestorePrivilege	2208	DrvInst.exe
Token: SeRestorePrivilege	2208	DrvInst.exe
Token: SeRestorePrivilege	2760	integrator.exe
Token: SeRestorePrivilege	2760	integrator.exe
Token: SeRestorePrivilege	2760	integrator.exe
Token: SeRestorePrivilege	2760	integrator.exe
Token: SeRestorePrivilege	2760	integrator.exe
Token: SeRestorePrivilege	2760	integrator.exe
Token: SeRestorePrivilege	2760	integrator.exe
Token: SeRestorePrivilege	1408	DrvInst.exe
Token: SeRestorePrivilege	1408	DrvInst.exe
Token: SeRestorePrivilege	1408	DrvInst.exe
Token: SeRestorePrivilege	1408	DrvInst.exe
Token: SeRestorePrivilege	1408	DrvInst.exe
Token: SeRestorePrivilege	1408	DrvInst.exe
Token: SeRestorePrivilege	1408	DrvInst.exe
Token: SeRestorePrivilege	1408	DrvInst.exe
Token: SeRestorePrivilege	1408	DrvInst.exe
Token: SeRestorePrivilege	1408	DrvInst.exe
Token: SeRestorePrivilege	1408	DrvInst.exe
Token: SeRestorePrivilege	1408	DrvInst.exe
Token: SeRestorePrivilege	1408	DrvInst.exe
Token: SeRestorePrivilege	1408	DrvInst.exe
Token: SeSecurityPrivilege	1832	wevtutil.exe
Token: SeBackupPrivilege	1832	wevtutil.exe

Suspicious use of FindShellTrayWindow 9 IoCs

Processes:

OfficeClickToRun.exeOfficeC2RClient.exe

pid	process
792	OfficeClickToRun.exe
792	OfficeClickToRun.exe
792	OfficeClickToRun.exe
1040	OfficeC2RClient.exe
792	OfficeClickToRun.exe
792	OfficeClickToRun.exe
792	OfficeClickToRun.exe
792	OfficeClickToRun.exe
792	OfficeClickToRun.exe

Suspicious use of SendNotifyMessage 8 IoCs

Processes:

OfficeClickToRun.exe

pid	process
792	OfficeClickToRun.exe
792	OfficeClickToRun.exe
792	OfficeClickToRun.exe
792	OfficeClickToRun.exe
792	OfficeClickToRun.exe
792	OfficeClickToRun.exe
792	OfficeClickToRun.exe
792	OfficeClickToRun.exe

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

Office365.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeC2RClient.exeintegrator.exeintegrator.exeintegrator.exeintegrator.exeintegrator.exeOLicenseHeartbeat.exe

pid	process
1684	Office365.exe
792	OfficeClickToRun.exe
988	OfficeClickToRun.exe
1040	OfficeC2RClient.exe
1040	OfficeC2RClient.exe
2760	integrator.exe
2724	integrator.exe
2196	integrator.exe
1008	integrator.exe
2792	integrator.exe
524	OLicenseHeartbeat.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AutoInstall_zNvtuIFmBw.exeOffice365.exeOfficeClickToRun.exeintegrator.exewevtutil.exe

description	pid	process	target process
PID 1052 wrote to memory of 1684	1052	AutoInstall_zNvtuIFmBw.exe	Office365.exe
PID 1052 wrote to memory of 1684	1052	AutoInstall_zNvtuIFmBw.exe	Office365.exe
PID 1052 wrote to memory of 1684	1052	AutoInstall_zNvtuIFmBw.exe	Office365.exe
PID 1052 wrote to memory of 1684	1052	AutoInstall_zNvtuIFmBw.exe	Office365.exe
PID 1684 wrote to memory of 1616	1684	Office365.exe	powershell.exe
PID 1684 wrote to memory of 1616	1684	Office365.exe	powershell.exe
PID 1684 wrote to memory of 1616	1684	Office365.exe	powershell.exe
PID 1684 wrote to memory of 1616	1684	Office365.exe	powershell.exe
PID 1684 wrote to memory of 928	1684	Office365.exe	powershell.exe
PID 1684 wrote to memory of 928	1684	Office365.exe	powershell.exe
PID 1684 wrote to memory of 928	1684	Office365.exe	powershell.exe
PID 1684 wrote to memory of 928	1684	Office365.exe	powershell.exe
PID 1684 wrote to memory of 792	1684	Office365.exe	OfficeClickToRun.exe
PID 1684 wrote to memory of 792	1684	Office365.exe	OfficeClickToRun.exe
PID 1684 wrote to memory of 792	1684	Office365.exe	OfficeClickToRun.exe
PID 1684 wrote to memory of 792	1684	Office365.exe	OfficeClickToRun.exe
PID 988 wrote to memory of 2760	988	OfficeClickToRun.exe	integrator.exe
PID 988 wrote to memory of 2760	988	OfficeClickToRun.exe	integrator.exe
PID 988 wrote to memory of 2760	988	OfficeClickToRun.exe	integrator.exe
PID 988 wrote to memory of 2760	988	OfficeClickToRun.exe	integrator.exe
PID 2760 wrote to memory of 2940	2760	integrator.exe	schtasks.exe
PID 2760 wrote to memory of 2940	2760	integrator.exe	schtasks.exe
PID 2760 wrote to memory of 2940	2760	integrator.exe	schtasks.exe
PID 2760 wrote to memory of 2940	2760	integrator.exe	schtasks.exe
PID 2760 wrote to memory of 2992	2760	integrator.exe	schtasks.exe
PID 2760 wrote to memory of 2992	2760	integrator.exe	schtasks.exe
PID 2760 wrote to memory of 2992	2760	integrator.exe	schtasks.exe
PID 2760 wrote to memory of 2992	2760	integrator.exe	schtasks.exe
PID 2760 wrote to memory of 3032	2760	integrator.exe	schtasks.exe
PID 2760 wrote to memory of 3032	2760	integrator.exe	schtasks.exe
PID 2760 wrote to memory of 3032	2760	integrator.exe	schtasks.exe
PID 2760 wrote to memory of 3032	2760	integrator.exe	schtasks.exe
PID 2760 wrote to memory of 3060	2760	integrator.exe	schtasks.exe
PID 2760 wrote to memory of 3060	2760	integrator.exe	schtasks.exe
PID 2760 wrote to memory of 3060	2760	integrator.exe	schtasks.exe
PID 2760 wrote to memory of 3060	2760	integrator.exe	schtasks.exe
PID 2760 wrote to memory of 2132	2760	integrator.exe	schtasks.exe
PID 2760 wrote to memory of 2132	2760	integrator.exe	schtasks.exe
PID 2760 wrote to memory of 2132	2760	integrator.exe	schtasks.exe
PID 2760 wrote to memory of 2132	2760	integrator.exe	schtasks.exe
PID 2760 wrote to memory of 972	2760	integrator.exe	schtasks.exe
PID 2760 wrote to memory of 972	2760	integrator.exe	schtasks.exe
PID 2760 wrote to memory of 972	2760	integrator.exe	schtasks.exe
PID 2760 wrote to memory of 972	2760	integrator.exe	schtasks.exe
PID 2760 wrote to memory of 2084	2760	integrator.exe	schtasks.exe
PID 2760 wrote to memory of 2084	2760	integrator.exe	schtasks.exe
PID 2760 wrote to memory of 2084	2760	integrator.exe	schtasks.exe
PID 2760 wrote to memory of 2084	2760	integrator.exe	schtasks.exe
PID 2760 wrote to memory of 872	2760	integrator.exe	schtasks.exe
PID 2760 wrote to memory of 872	2760	integrator.exe	schtasks.exe
PID 2760 wrote to memory of 872	2760	integrator.exe	schtasks.exe
PID 2760 wrote to memory of 872	2760	integrator.exe	schtasks.exe
PID 2760 wrote to memory of 1832	2760	integrator.exe	wevtutil.exe
PID 2760 wrote to memory of 1832	2760	integrator.exe	wevtutil.exe
PID 2760 wrote to memory of 1832	2760	integrator.exe	wevtutil.exe
PID 2760 wrote to memory of 1832	2760	integrator.exe	wevtutil.exe
PID 1832 wrote to memory of 1492	1832	wevtutil.exe	wevtutil.exe
PID 1832 wrote to memory of 1492	1832	wevtutil.exe	wevtutil.exe
PID 1832 wrote to memory of 1492	1832	wevtutil.exe	wevtutil.exe
PID 1832 wrote to memory of 1492	1832	wevtutil.exe	wevtutil.exe
PID 2760 wrote to memory of 2296	2760	integrator.exe	wevtutil.exe
PID 2760 wrote to memory of 2296	2760	integrator.exe	wevtutil.exe
PID 2760 wrote to memory of 2296	2760	integrator.exe	wevtutil.exe
PID 2760 wrote to memory of 2296	2760	integrator.exe	wevtutil.exe

C:\Users\Admin\AppData\Local\Temp\AutoInstall_zNvtuIFmBw.exe
"C:\Users\Admin\AppData\Local\Temp\AutoInstall_zNvtuIFmBw.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1052

C:\Test\Office365.exe
"C:\Test\Office365.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Drops file in Program Files directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile "$package = Get-AppxPackage Microsoft.Office.Desktop -allUsers; if (!$package) { $Error.Add(\"Package is not installed\")}; if ($error.Count -eq 0) { Out-File -FilePath 'C:\Users\Admin\AppData\Local\Temp\Office.ValidateResult.scratch' -InputObject '1' -Encoding ascii; } else { Out-File -FilePath 'C:\Users\Admin\AppData\Local\Temp\Office.ValidateResult.scratch' -InputObject '0' -Encoding ascii; Out-File -FilePath 'C:\Users\Admin\AppData\Local\Temp\Office.ValidateError.scratch' -InputObject $error -Encoding ascii;} "
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1616

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile "$package = Get-AppxPackage Microsoft.Office.Desktop -allUsers; if (!$package) { $Error.Add(\"Package is not installed\")}; if ($error.Count -eq 0) { Out-File -FilePath 'C:\Users\Admin\AppData\Local\Temp\Office.ValidateResult.scratch' -InputObject '1' -Encoding ascii; } else { Out-File -FilePath 'C:\Users\Admin\AppData\Local\Temp\Office.ValidateResult.scratch' -InputObject '0' -Encoding ascii; Out-File -FilePath 'C:\Users\Admin\AppData\Local\Temp\Office.ValidateError.scratch' -InputObject $error -Encoding ascii;} "
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:928

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
OfficeClickToRun.exe platform=x86 culture=en-us productstoadd=O365ProPlusRetail.16_en-us_x-none cdnbaseurl.16=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 baseurl.16=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 version.16=16.0.12527.22060 mediatype.16=CDN sourcetype.16=CDN O365ProPlusRetail.excludedapps.16=groove bitnessmigration=False deliverymechanism=492350f6-3a01-4f97-b9c0-c7c6ddf67d60 flt.useoutlookshareaddon=unknown flt.useofficehelperaddon=unknown flt.UseTeamsOnInstallConsumer=unknown flt.UseTeamsOnUpdateConsumer=unknown
3⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:792

C:\Program Files (x86)\Microsoft Office\root\integration\Addons\OneDriveSetup.exe
"C:\Program Files (x86)\Microsoft Office\root\integration\Addons\OneDriveSetup.exe" /silent
4⤵
- Executes dropped EXE
PID:2656

C:\Program Files (x86)\Microsoft Office\root\integration\Addons\OneDriveSetup.exe
"C:\Program Files (x86)\Microsoft Office\root\integration\Addons\OneDriveSetup.exe" C:\Program Files (x86)\Microsoft Office\root\integration\Addons\OneDriveSetup.exe /silent /permachine /silent /childprocess /cusid:S-1-5-21-103686315-404690609-2047157615-1000
5⤵
- Executes dropped EXE
PID:2600

C:\Program Files (x86)\Microsoft Office\root\integration\Addons\OneDriveSetup.exe
C:\Program Files (x86)\Microsoft Office\root\integration\Addons\OneDriveSetup.exe /silent /peruser /childprocess
5⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2812

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe"
6⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
PID:1680

C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonx86\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exe
OLicenseHeartbeat.exe tokenactivate
4⤵
- Executes dropped EXE
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:524

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:988

C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe
integrator.exe /U /Extension /Msi /License PRIDName= PackageGUID="9AC08E99-230B-47e8-9721-4577B7F124EA" PackageRoot="C:\Program Files (x86)\Microsoft Office\root"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2760

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /F /tn "Microsoft\Office\Office Feature Updates"
3⤵
PID:2940

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /tn "Microsoft\Office\Office Feature Updates" /XML "C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_Office Feature Updates.xml"
3⤵
- Creates scheduled task(s)
PID:2992

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /F /tn "Microsoft\Office\Office Feature Updates Logon"
3⤵
PID:3032

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /tn "Microsoft\Office\Office Feature Updates Logon" /XML "C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_Office Feature Updates Logon.xml"
3⤵
- Creates scheduled task(s)
PID:3060

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /F /tn "Microsoft\Office\OfficeTelemetryAgentLogOn2016"
3⤵
PID:2132

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /tn "Microsoft\Office\OfficeTelemetryAgentLogOn2016" /XML "C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml"
3⤵
- Creates scheduled task(s)
PID:972

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /F /tn "Microsoft\Office\OfficeTelemetryAgentFallBack2016"
3⤵
PID:2084

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /tn "Microsoft\Office\OfficeTelemetryAgentFallBack2016" /XML "C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml"
3⤵
- Creates scheduled task(s)
PID:872

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe im "C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\wordEtw.man" /rf:"C:\Program Files (x86)\Microsoft Office\root\Office16\wwlib.dll" /mf:"C:\Program Files (x86)\Microsoft Office\root\Office16\wwlib.dll"
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1832

C:\Windows\System32\wevtutil.exe
wevtutil.exe im "C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\wordEtw.man" /rf:"C:\Program Files (x86)\Microsoft Office\root\Office16\wwlib.dll" /mf:"C:\Program Files (x86)\Microsoft Office\root\Office16\wwlib.dll" /fromwow64
4⤵
PID:1492

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe im "C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\msoutilstat.etw.man" /rf:"C:\Program Files (x86)\Microsoft Office\root\Office16\msoetwres.dll" /mf:"C:\Program Files (x86)\Microsoft Office\root\Office16\msoetwres.dll"
3⤵
PID:2296

C:\Windows\System32\wevtutil.exe
wevtutil.exe im "C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\msoutilstat.etw.man" /rf:"C:\Program Files (x86)\Microsoft Office\root\Office16\msoetwres.dll" /mf:"C:\Program Files (x86)\Microsoft Office\root\Office16\msoetwres.dll" /fromwow64
4⤵
PID:1116

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe im "C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\AirSpace.Etw.man" /rf:"C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\mso.dll" /mf:"C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\mso.dll"
3⤵
PID:1756

C:\Windows\System32\wevtutil.exe
wevtutil.exe im "C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\AirSpace.Etw.man" /rf:"C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\mso.dll" /mf:"C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\mso.dll" /fromwow64
4⤵
PID:2336

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe im "C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\wordEtw.man" /rf:"C:\Program Files (x86)\Microsoft Office\root\Office16\wwlib.dll" /mf:"C:\Program Files (x86)\Microsoft Office\root\Office16\wwlib.dll"
3⤵
PID:2344

C:\Windows\System32\wevtutil.exe
wevtutil.exe im "C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\wordEtw.man" /rf:"C:\Program Files (x86)\Microsoft Office\root\Office16\wwlib.dll" /mf:"C:\Program Files (x86)\Microsoft Office\root\Office16\wwlib.dll" /fromwow64
4⤵
PID:980

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe im "C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\AirSpace.Etw.man" /rf:"C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\mso.dll" /mf:"C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\mso.dll"
3⤵
PID:784

C:\Windows\System32\wevtutil.exe
wevtutil.exe im "C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\AirSpace.Etw.man" /rf:"C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\mso.dll" /mf:"C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\mso.dll" /fromwow64
4⤵
PID:820

C:\Windows\system32\schtasks.exe
schtasks.exe /Delete /F /tn "Microsoft\Office\Office ClickToRun Service Monitor"
2⤵
PID:2212

C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe
integrator.exe /I /Msi MsiName=SPPRedist.msi,SPPRedist64.msi PackageGUID="9AC08E99-230B-47e8-9721-4577B7F124EA" PackageRoot="C:\Program Files (x86)\Microsoft Office\root"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /change /tn "Microsoft\Office\Office ClickToRun Service Monitor" /enable
2⤵
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /Create /tn "Microsoft\Office\Office ClickToRun Service Monitor" /XML "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\ServiceWatcherSchedule.xml"
2⤵
- Creates scheduled task(s)
PID:1168

C:\Windows\system32\schtasks.exe
schtasks.exe /change /tn "Microsoft\Office\Office ClickToRun Service Monitor" /enable
2⤵
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /change /tn "Microsoft\Office\Office Automatic Updates" /enable
2⤵
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /Delete /F /tn "Microsoft\Office\Office Automatic Updates 2.0"
2⤵
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /change /tn "Microsoft\Office\Office Automatic Updates 2.0" /enable
2⤵
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /Create /tn "Microsoft\Office\Office Automatic Updates 2.0" /XML "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\FrequentOfficeUpdateSchedule.xml"
2⤵
- Creates scheduled task(s)
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /change /tn "Microsoft\Office\Office Automatic Updates 2.0" /enable
2⤵
PID:3020

C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe
integrator.exe /I /License PRIDName=O365ProPlusRetail.16 PackageGUID="9AC08E99-230B-47e8-9721-4577B7F124EA" PackageRoot="C:\Program Files (x86)\Microsoft Office\root"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2196

C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe
integrator.exe /I /Extension /Sunrise PackageGUID="9AC08E99-230B-47e8-9721-4577B7F124EA" PackageRoot="C:\Program Files (x86)\Microsoft Office\root"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1008

C:\Program Files (x86)\Microsoft Office\root\Office16\perfboost.exe
perfboost.exe EnsureVE
2⤵
- Executes dropped EXE
PID:1116

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe"
2⤵
- Executes dropped EXE
PID:2360

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe"
2⤵
- Executes dropped EXE
PID:980

C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe
integrator.exe /I /Extension /Msi /StreamFull MsiName=C2RInt.16.msi,C2RInt64.16.msi,C2RIntLoc.en-us.16.msi,* PackageGUID="9AC08E99-230B-47e8-9721-4577B7F124EA" PackageRoot="C:\Program Files (x86)\Microsoft Office\root"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2792

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /F /tn "Microsoft\Office\Office Feature Updates"
3⤵
PID:2540

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /tn "Microsoft\Office\Office Feature Updates" /XML "C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_Office Feature Updates.xml"
3⤵
- Creates scheduled task(s)
PID:2768

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /F /tn "Microsoft\Office\Office Feature Updates Logon"
3⤵
PID:2316

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /tn "Microsoft\Office\Office Feature Updates Logon" /XML "C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_Office Feature Updates Logon.xml"
3⤵
- Creates scheduled task(s)
PID:2364

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe im "C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\msoutilstat.etw.man" /rf:"C:\Program Files (x86)\Microsoft Office\root\Office16\msoetwres.dll" /mf:"C:\Program Files (x86)\Microsoft Office\root\Office16\msoetwres.dll"
3⤵
PID:3000

C:\Windows\System32\wevtutil.exe
wevtutil.exe im "C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\msoutilstat.etw.man" /rf:"C:\Program Files (x86)\Microsoft Office\root\Office16\msoetwres.dll" /mf:"C:\Program Files (x86)\Microsoft Office\root\Office16\msoetwres.dll" /fromwow64
4⤵
PID:2516

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe im "C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\AirSpace.Etw.man" /rf:"C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\mso.dll" /mf:"C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\mso.dll"
3⤵
PID:2984

C:\Windows\System32\wevtutil.exe
wevtutil.exe im "C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\AirSpace.Etw.man" /rf:"C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\mso.dll" /mf:"C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\mso.dll" /fromwow64
4⤵
PID:1800

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe" /progressandlaunch AppTargets="root\office16\excel.exe|root\office16\lync.exe|root\office16\msaccess.exe|root\office16\mspub.exe|root\office16\onenote.exe|root\office16\outlook.exe|root\office16\powerpnt.exe|root\office16\teams.exe|root\office16\winword.exe" ManualUpgrade=False ScenarioToTrack="Scenario:{FB9843BB-0D8A-4347-A227-C759C3FC9103}@INSTALL"
1⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1040

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "8" "C:\Windows\TEMP\{566965a4-e065-5285-9f4e-175ade09de59}\prnms006.inf" "9" "6c684210b" "000000000000005C" "Service-0x0-3e7$\Default" "00000000000005AC" "208" "C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\OneNote"
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2208

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "8" "C:\Windows\TEMP\{07c8c364-ab32-39d4-35ee-ec5adc9f2842}\prnSendToOneNote_Win7.inf" "9" "60e91ee2f" "00000000000005AC" "Service-0x0-3e7$\Default" "00000000000003DC" "208" "C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\OneNote"
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1408

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1624

\??\c:\Windows\syswow64\MsiExec.exe
c:\Windows\syswow64\MsiExec.exe -Embedding 99D9C93CB65443094703E9BBA731DC4E M Global\MSI0000
2⤵
PID:2396

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:1100

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:2320

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:1040

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
- Drops file in Windows directory
PID:2060

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll" /queue:3 /NoDependencies
3⤵
- Drops file in Windows directory
PID:564

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll" /queue:3 /NoDependencies
3⤵
PID:1564

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
- Drops file in Windows directory
PID:1800

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:2212

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll" /queue:3 /NoDependencies
3⤵
PID:1812

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll" /queue:3 /NoDependencies
3⤵
- Drops file in Windows directory
PID:672

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:2724

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:2708

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll" /queue:3 /NoDependencies
3⤵
PID:2512

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll" /queue:3 /NoDependencies
3⤵
PID:2540

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
- Drops file in Windows directory
PID:2568

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
- Drops file in Windows directory
PID:2596

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll" /queue:3 /NoDependencies
3⤵
PID:2624

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll" /queue:3 /NoDependencies
3⤵
PID:2652

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.Contract.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:2744

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.Contract.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:1416

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll" /queue:3 /NoDependencies
3⤵
PID:2960

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll" /queue:3 /NoDependencies
3⤵
PID:2980

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.Contract.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:2996

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.Contract.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:3052

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll" /queue:3 /NoDependencies
3⤵
PID:2268

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll" /queue:3 /NoDependencies
3⤵
PID:2088

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.Adapter.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:2148

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.Adapter.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
- Drops file in Windows directory
PID:2168

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.ServerDocument.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:1008

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.ServerDocument.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
- Drops file in Windows directory
PID:2260

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.Hosting.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
- Drops file in Windows directory
PID:2436

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.Hosting.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:1404

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.Hosting.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:1704

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.Hosting.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:1716

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.ServerDocument.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:1044

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.ServerDocument.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:2300

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.Outlook.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
- Drops file in Windows directory
PID:2140

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.Outlook.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:2320

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.Excel.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:1040

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.Excel.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:364

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.Word.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:764

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.Word.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:2312

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.AppInfoDocument.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:2340

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.AppInfoDocument.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:1664

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:2352

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:1284

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.Runtime.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:1700

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.Runtime.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
- Drops file in Windows directory
PID:976

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.Common.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:2488

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.Common.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
- Drops file in Windows directory
PID:2512

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:2544

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:2592

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:2612

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:2632

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:2624

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:2664

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:2768

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:3044

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll" /queue:3 /NoDependencies
3⤵
PID:2944

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll" /queue:3 /NoDependencies
3⤵
PID:2960

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.Contract.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:2984

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.Contract.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:3056

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll" /queue:3 /NoDependencies
3⤵
PID:2232

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll" /queue:3 /NoDependencies
3⤵
PID:2100

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.Contract.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:1680

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.Contract.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:2116

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll" /queue:3 /NoDependencies
3⤵
PID:2148

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll" /queue:3 /NoDependencies
3⤵
PID:2172

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:2264

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:2056

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll" /queue:3 /NoDependencies
3⤵
PID:1828

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll" /queue:3 /NoDependencies
3⤵
PID:768

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.Excel.AddInProxy.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:2052

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.Excel.AddInProxy.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
- Drops file in Windows directory
PID:2304

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:1716

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:600

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll" /queue:3 /NoDependencies
3⤵
PID:2328

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll" /queue:3 /NoDependencies
3⤵
PID:1608

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.Word.AddInProxy.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:980

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.Word.AddInProxy.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:2344

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.Office.Tools.v9.0.dll" /queue:3 /NoDependencies
3⤵
- Drops file in Windows directory
PID:1276

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.Office.Tools.v9.0.dll" /queue:3 /NoDependencies
3⤵
PID:784

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll" /queue:3 /NoDependencies
3⤵
PID:1308

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll" /queue:3 /NoDependencies
3⤵
PID:2412

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll" /queue:3 /NoDependencies
3⤵
PID:2212

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll" /queue:3 /NoDependencies
3⤵
PID:2276

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll" /queue:3 /NoDependencies
3⤵
PID:672

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll" /queue:3 /NoDependencies
3⤵
PID:2444

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:2504

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:2516

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll" /queue:3 /NoDependencies
3⤵
PID:2564

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll" /queue:3 /NoDependencies
3⤵
PID:2584

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.ContainerControl.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:2604

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.ContainerControl.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:2616

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.Runtime, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:2644

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.Runtime, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:2656

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.Hosting, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:2652

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.Hosting, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:2768

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.ServerDocument, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:2956

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.ServerDocument, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:2976

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.v4.0.Framework, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:3024

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.v4.0.Framework, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:3040

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.Office.Tools, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:2996

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.Office.Tools, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:2132

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.Common, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:2348

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.Common, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:1680

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.Excel, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:872

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.Excel, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:2148

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.Outlook, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:1528

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.Outlook, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:1408

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.Word, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
- Drops file in Windows directory
PID:2056

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.Word, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:108

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.Common.Implementation, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:1124

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.Common.Implementation, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:1492

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.Excel.Implementation, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
- Drops file in Windows directory
PID:2884

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.Excel.Implementation, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:1676

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.Outlook.Implementation, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:868

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.Outlook.Implementation, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
- Drops file in Windows directory
PID:2300

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.Word.Implementation, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
- Drops file in Windows directory
PID:1956

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.Word.Implementation, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:2320

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.ContainerControl, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:1708

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.ContainerControl, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:1276

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.Runtime, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:1164

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.Runtime, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:1308

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.Runtime.Internal, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
- Drops file in Windows directory
PID:1392

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.Runtime.Internal, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:2212

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe update /queue
3⤵
PID:1812

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe update /queue
3⤵
PID:1284

\??\c:\Windows\Microsoft.NET\Framework\v3.5\addinutil.exe
"c:\Windows\Microsoft.NET\Framework\v3.5\addinutil.exe" -PipelineRoot:"c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\." -Rebuild
3⤵
PID:2704

\??\c:\Windows\Microsoft.NET\Framework\v3.5\addinutil.exe
"c:\Windows\Microsoft.NET\Framework\v3.5\addinutil.exe" -AddInRoot:"c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\." -Rebuild
3⤵
PID:2556

\??\c:\Windows\syswow64\MsiExec.exe
c:\Windows\syswow64\MsiExec.exe -Embedding 96B28CE174F3A74D2ED7BC12B6861752 M Global\MSI0000
2⤵
PID:2572

\??\c:\Windows\syswow64\MsiExec.exe
c:\Windows\syswow64\MsiExec.exe -Embedding AD0F03A1D0451C9176E9FC179FF424B8 M Global\MSI0000
2⤵
PID:1440

\??\c:\Program Files (x86)\Microsoft Office\Office14\bcssync.exe
"c:\Program Files (x86)\Microsoft Office\Office14\bcssync.exe" /shutdown
3⤵
PID:3052

\??\c:\Windows\Microsoft.NET\Framework\v3.5\addinutil.exe
"c:\Windows\Microsoft.NET\Framework\v3.5\addinutil.exe" -PipelineRoot:"c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\." -Rebuild
3⤵
PID:1772

\??\c:\Windows\Microsoft.NET\Framework\v3.5\addinutil.exe
"c:\Windows\Microsoft.NET\Framework\v3.5\addinutil.exe" -AddInRoot:"c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\." -Rebuild
3⤵
PID:2360

\??\c:\Program Files (x86)\Microsoft Office\Office14\msohtmed.exe
"c:\Program Files (x86)\Microsoft Office\Office14\msohtmed.exe" /regserverfp
2⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2884

\??\c:\Windows\syswow64\MsiExec.exe
c:\Windows\syswow64\MsiExec.exe -Embedding 15C1D4DC8985138E0E817129DDFC5E51 M Global\MSI0000
2⤵
PID:784

\??\c:\Program Files (x86)\Microsoft Office\Office14\bcssync.exe
"c:\Program Files (x86)\Microsoft Office\Office14\bcssync.exe" /shutdown
3⤵
PID:2548

\??\c:\Windows\Microsoft.NET\Framework\v3.5\addinutil.exe
"c:\Windows\Microsoft.NET\Framework\v3.5\addinutil.exe" -PipelineRoot:"c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\." -Rebuild
3⤵
PID:1560

\??\c:\Windows\Microsoft.NET\Framework\v3.5\addinutil.exe
"c:\Windows\Microsoft.NET\Framework\v3.5\addinutil.exe" -AddInRoot:"c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\." -Rebuild
3⤵
PID:524

\??\c:\Program Files (x86)\Microsoft Office\Office14\msohtmed.exe
"c:\Program Files (x86)\Microsoft Office\Office14\msohtmed.exe" /regserverfp
2⤵
- Modifies Internet Explorer settings
PID:2968

\??\c:\Windows\system32\MsiExec.exe
c:\Windows\system32\MsiExec.exe -Embedding D0A333DDA8DE81E3DB0EC1DB5C00DFC8 M Global\MSI0000
2⤵
PID:2228

\??\c:\Windows\syswow64\MsiExec.exe
c:\Windows\syswow64\MsiExec.exe -Embedding 5E24DFA88136496BFC974294F8AD26A4 M Global\MSI0000
2⤵
PID:948

\??\c:\Windows\system32\WBEM\mofcomp.exe
"c:\Windows\system32\WBEM\mofcomp.exe" "c:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI.MOF"
3⤵
- Drops file in System32 directory
PID:1376

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding B1560E1C6FDDC0C1BF69E6BAEE7F4818 M Global\MSI0000
2⤵
PID:2176

C:\Windows\Microsoft.NET\Framework\v3.5\addinutil.exe
"C:\Windows\Microsoft.NET\Framework\v3.5\addinutil.exe" -PipelineRoot:"C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\." -Rebuild
3⤵
PID:592

C:\Windows\Microsoft.NET\Framework\v3.5\addinutil.exe
"C:\Windows\Microsoft.NET\Framework\v3.5\addinutil.exe" -AddInRoot:"C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\." -Rebuild
3⤵
PID:1408

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 715D34FE81DCF54E3C90AA1FDB20D94B M Global\MSI0000
2⤵
PID:2288

\??\c:\Windows\syswow64\MsiExec.exe
c:\Windows\syswow64\MsiExec.exe -Embedding D70BA4277D0A9229895957C7DDC46796 M Global\MSI0000
2⤵
PID:2860

\??\c:\Windows\Microsoft.NET\Framework\v3.5\addinutil.exe
"c:\Windows\Microsoft.NET\Framework\v3.5\addinutil.exe" -PipelineRoot:"c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\." -Rebuild
3⤵
PID:1740

\??\c:\Windows\Microsoft.NET\Framework\v3.5\addinutil.exe
"c:\Windows\Microsoft.NET\Framework\v3.5\addinutil.exe" -AddInRoot:"c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\." -Rebuild
3⤵
PID:2292

\??\c:\Windows\syswow64\MsiExec.exe
c:\Windows\syswow64\MsiExec.exe -Embedding DB0BAF3DCF77D0632C2D41B7E1770E2C M Global\MSI0000
2⤵
PID:2976

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding C2535E3BCC1BB118488543B585F64F40 M Global\MSI0000
2⤵
PID:2312

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSI75A5.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_260076988 9394 SetupConfigCustomAction!Squirrel.SetupConfigCustomAction.SettingsCustomActions.RemoveRegKeyFromPreviousInstall
3⤵
- Drops file in Windows directory
PID:2072

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 5DBA910BA6F13F9D7EAE15A2F251D532
2⤵
PID:1472

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSI7FF4.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_260079687 9400 SetupConfigCustomAction!Squirrel.SetupConfigCustomAction.SettingsCustomActions.CopyConfig
3⤵
- Drops file in Windows directory
PID:2336

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2104

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:1568

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

System Information Discovery