06661b993960db5564e908e925100252af536866ed911d6af581925e118c2520

Processes:

msiexec.exeintegrator.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onenotem.exe	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Winword.exe	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vpreview.exe\MitigationOptions = "256"	integrator.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoxmled.exe	integrator.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sdxhelper.exe	integrator.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sdxhelper.exe\MitigationOptions = "256"	integrator.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\projimpt.exe\MitigationOptions = "256"	integrator.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msqry32.exe\MitigationOptions = "256"	integrator.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoasb.exe\MitigationOptions = "256"	integrator.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\outlook.exe\MitigationOptions = "256"	integrator.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mstordb.exe	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\accicons.exe	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vpreview.exe	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mspub.exe	integrator.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dw20.exe	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wxp.exe	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\infopath.exe	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\visio.exe\MitigationOptions = "256"	integrator.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\orgwiz.exe\MitigationOptions = "256"	integrator.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\excelcnv.exe	integrator.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\orgchart.exe\MitigationOptions = "256"	integrator.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powerpnt.exe	integrator.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cnfnot32.exe\MitigationOptions = "256"	integrator.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msohtmed.exe	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\selfcert.exe	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msqry32.exe	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onelev.exe	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scanpst.exe	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\projimpt.exe	integrator.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setlang.exe	integrator.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msosync.exe\MitigationOptions = "256"	integrator.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cnfnot32.exe	integrator.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scanost.exe	integrator.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\excel.exe	integrator.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setlang.exe	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\excel.exe	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\outlook.exe	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\graph.exe\MitigationOptions = "256"	integrator.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\selfcert.exe\MitigationOptions = "256"	integrator.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoadfsb.exe\MitigationOptions = "256"	integrator.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onenotem.exe	integrator.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\graph.exe	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\visio.exe	integrator.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\excelcnv.exe\MitigationOptions = "256"	integrator.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wordconv.exe	integrator.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winproj.exe\MitigationOptions = "256"	integrator.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onenote.exe\MitigationOptions = "256"	integrator.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wordconv .exe	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powerpnt.exe	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tlimpt.exe	integrator.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\clview.exe	integrator.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\graph.exe	integrator.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoxmled.exe\MitigationOptions = "256"	integrator.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scanpst.exe	integrator.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onenote.exe	integrator.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onenotem.exe\MitigationOptions = "256"	integrator.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ois.exe	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msaccess.exe	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mspub.exe	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vpreview.exe	integrator.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msosync.exe	integrator.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoasb.exe	integrator.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoadfsb.exe	integrator.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\orgchart.exe	integrator.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

UPX packed file 21 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\Downloads\AppNee.com.Office.2013-2021.C2R.Install.v7.4.8.Full.x64\OInstall_x64.exe	upx
\Users\Admin\Downloads\AppNee.com.Office.2013-2021.C2R.Install.v7.4.8.Full.x64\OInstall_x64.exe	upx
\Users\Admin\Downloads\AppNee.com.Office.2013-2021.C2R.Install.v7.4.8.Full.x64\OInstall_x64.exe	upx
\Users\Admin\Downloads\AppNee.com.Office.2013-2021.C2R.Install.v7.4.8.Full.x64\OInstall_x64.exe	upx
\Users\Admin\Downloads\AppNee.com.Office.2013-2021.C2R.Install.v7.4.8.Full.x64\OInstall_x64.exe	upx
\Users\Admin\Downloads\AppNee.com.Office.2013-2021.C2R.Install.v7.4.8.Full.x64\OInstall_x64.exe	upx
\Users\Admin\Downloads\AppNee.com.Office.2013-2021.C2R.Install.v7.4.8.Full.x64\OInstall_x64.exe	upx
\Users\Admin\Downloads\AppNee.com.Office.2013-2021.C2R.Install.v7.4.8.Full.x64\OInstall_x64.exe	upx
\Users\Admin\Downloads\AppNee.com.Office.2013-2021.C2R.Install.v7.4.8.Full.x64\OInstall_x64.exe	upx
\Users\Admin\Downloads\AppNee.com.Office.2013-2021.C2R.Install.v7.4.8.Full.x64\OInstall_x64.exe	upx
\Users\Admin\Downloads\AppNee.com.Office.2013-2021.C2R.Install.v7.4.8.Full.x64\OInstall_x64.exe	upx
\Users\Admin\Downloads\AppNee.com.Office.2013-2021.C2R.Install.v7.4.8.Full.x64\OInstall_x64.exe	upx
\Users\Admin\Downloads\AppNee.com.Office.2013-2021.C2R.Install.v7.4.8.Full.x64\OInstall_x64.exe	upx
\Users\Admin\Downloads\AppNee.com.Office.2013-2021.C2R.Install.v7.4.8.Full.x64\OInstall_x64.exe	upx
\Users\Admin\Downloads\AppNee.com.Office.2013-2021.C2R.Install.v7.4.8.Full.x64\OInstall_x64.exe	upx
\Users\Admin\Downloads\AppNee.com.Office.2013-2021.C2R.Install.v7.4.8.Full.x64\OInstall_x64.exe	upx
\Users\Admin\Downloads\AppNee.com.Office.2013-2021.C2R.Install.v7.4.8.Full.x64\OInstall_x64.exe	upx
\Users\Admin\Downloads\AppNee.com.Office.2013-2021.C2R.Install.v7.4.8.Full.x64\OInstall_x64.exe	upx
\Users\Admin\Downloads\AppNee.com.Office.2013-2021.C2R.Install.v7.4.8.Full.x64\OInstall_x64.exe	upx
behavioral1/memory/612-139-0x0000000140000000-0x0000000141F10000-memory.dmp	upx
behavioral1/memory/612-148-0x0000000140000000-0x0000000141F10000-memory.dmp	upx

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

setup.exesetup.exeOfficeClickToRun.exeOfficeC2RClient.exesetup.exesetup.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\Geo\Nation	setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\Geo\Nation	setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\Geo\Nation	OfficeC2RClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\Geo\Nation	setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\Geo\Nation	setup.exe

Loads dropped DLL 64 IoCs

Processes:

setup.exeMsiExec.exeMsiExec.exeOSPPSVC.EXEmsiexec.execonhost.exeMsiExec.exeMsiExec.exeMsiExec.exeose.exe

pid	process
2764	setup.exe
2764	setup.exe
968	MsiExec.exe
968	MsiExec.exe
968	MsiExec.exe
968	MsiExec.exe
968	MsiExec.exe
968	MsiExec.exe
968	MsiExec.exe
1200	MsiExec.exe
1200	MsiExec.exe
392	OSPPSVC.EXE
1192
1192
1192
1192
1192
1192
1192
1192
1192
1720	msiexec.exe
1876	conhost.exe
1876	conhost.exe
1200	MsiExec.exe
1200	MsiExec.exe
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1876	conhost.exe
1876	conhost.exe
1876	conhost.exe
968	MsiExec.exe
968	MsiExec.exe
548	MsiExec.exe
1192
1192
1192
1192
548	MsiExec.exe
548	MsiExec.exe
548	MsiExec.exe
548	MsiExec.exe
548	MsiExec.exe
2364	MsiExec.exe
2364	MsiExec.exe
2364	MsiExec.exe
2364	MsiExec.exe
2364	MsiExec.exe
2364	MsiExec.exe
2364	MsiExec.exe
1268	ose.exe
2364	MsiExec.exe
2364	MsiExec.exe
2364	MsiExec.exe
2364	MsiExec.exe
2364	MsiExec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 5 IoCs

Processes:

msiexec.exeOfficeClickToRun.exe

description	ioc	process
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SharePoint\desktop.ini	msiexec.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B7FAF540-1582-42EA-B617-C992ADEEE4F8\root\Office16\1029\DataServices\DESKTOP.INI	OfficeClickToRun.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	msiexec.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office\Microsoft Office 2010 Tools\desktop.ini	msiexec.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office\desktop.ini	msiexec.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

Installs/modifies Browser Helper Object 2 TTPs 13 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

Browser Extensions

T1176

Processes:

integrator.exemsiexec.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\NoExplorer = "1"	integrator.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\ = "URLRedirectionBHO"	integrator.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	integrator.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\ = "URLRedirectionBHO"	integrator.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	integrator.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\NoExplorer = "1"	integrator.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	integrator.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\ = "Lync Click to Call BHO"	integrator.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\NoExplorer = "1"	integrator.exe

Drops file in System32 directory 64 IoCs

Processes:

OfficeClickToRun.exeintegrator.exeDrvInst.exeDrvInst.exeintegrator.exeintegrator.exeintegrator.exemsiexec.exemofcomp.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	integrator.exe
File created	C:\Windows\System32\DriverStore\Temp\{4c9bb66e-1217-5690-cd5d-4b691d47e85e}\SET476E.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4c32f795-2ba1-2386-0873-c36cd0924904}\SendToOneNoteFilter.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4c9bb66e-1217-5690-cd5d-4b691d47e85e}\SendToOneNote-manifest.ini	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4c9bb66e-1217-5690-cd5d-4b691d47e85e}\SendToOneNote.gpd	DrvInst.exe
File created	C:\Windows\System32\DriverStore\INFCACHE.0	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{4c32f795-2ba1-2386-0873-c36cd0924904}\SET4A8D.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\integrator.exe.db-wal	integrator.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4c32f795-2ba1-2386-0873-c36cd0924904}\SET4A8E.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4c32f795-2ba1-2386-0873-c36cd0924904}\SET4A8F.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\integrator.exe.db	integrator.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	OfficeClickToRun.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	integrator.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4c32f795-2ba1-2386-0873-c36cd0924904}\SET4A8C.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	integrator.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\integrator.exe.db-shm	integrator.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnsendtoonenote_win7.inf_amd64_neutral_051c91a57330a58b\prnsendtoonenote_win7.PNF	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	integrator.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\integrator.exe.db	integrator.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4c9bb66e-1217-5690-cd5d-4b691d47e85e}\SET476F.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnms006.inf_amd64_neutral_c3bdcb6fc975b614\prnms006.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4c32f795-2ba1-2386-0873-c36cd0924904}\SET4A79.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4c32f795-2ba1-2386-0873-c36cd0924904}\SendToOneNote.gpd	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	integrator.exe
File opened for modification	C:\Windows\SysWOW64\VEN2232.OLB	msiexec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4c32f795-2ba1-2386-0873-c36cd0924904}\SET4A8D.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4c32f795-2ba1-2386-0873-c36cd0924904}\SendToOneNote-pipelineconfig.xml	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4c32f795-2ba1-2386-0873-c36cd0924904}\prnSendToOneNote_Win7.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{4c32f795-2ba1-2386-0873-c36cd0924904}\SET4A8C.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnsendtoonenote_win7.inf_amd64_neutral_051c91a57330a58b\prnsendtoonenote_win7.PNF	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	OfficeClickToRun.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4c9bb66e-1217-5690-cd5d-4b691d47e85e}\prnSendToOneNote.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4c9bb66e-1217-5690-cd5d-4b691d47e85e}\SET4782.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4c32f795-2ba1-2386-0873-c36cd0924904}\SET4A7A.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\INFCACHE.0	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4c9bb66e-1217-5690-cd5d-4b691d47e85e}\SET4783.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\integrator.exe.db	integrator.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\integrator.exe.db-shm	integrator.exe
File opened for modification	C:\Windows\SysWOW64\VBAME.DLL	msiexec.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC	OfficeClickToRun.exe
File created	C:\Windows\System32\DriverStore\Temp\{4c32f795-2ba1-2386-0873-c36cd0924904}\SET4A7A.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4c32f795-2ba1-2386-0873-c36cd0924904}\SendToOneNoteNames.gpd	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\integrator.exe.db-shm	integrator.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	integrator.exe
File created	C:\Windows\System32\DriverStore\Temp\{4c9bb66e-1217-5690-cd5d-4b691d47e85e}\SET476F.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4c9bb66e-1217-5690-cd5d-4b691d47e85e}\SET4770.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4c9bb66e-1217-5690-cd5d-4b691d47e85e}\SendToOneNoteNames.gpd	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{4c32f795-2ba1-2386-0873-c36cd0924904}\SET4A79.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4c9bb66e-1217-5690-cd5d-4b691d47e85e}\SET476E.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4c9bb66e-1217-5690-cd5d-4b691d47e85e}\SET4781.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\integrator.exe.db-wal	integrator.exe
File created	C:\Windows\System32\DriverStore\Temp\{4c9bb66e-1217-5690-cd5d-4b691d47e85e}\SET4770.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{4c9bb66e-1217-5690-cd5d-4b691d47e85e}\SET4781.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{4c32f795-2ba1-2386-0873-c36cd0924904}\SET4A8E.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\integrator.exe.db-journal	integrator.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4c32f795-2ba1-2386-0873-c36cd0924904}\prnSendToOneNote_Win7.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4c32f795-2ba1-2386-0873-c36cd0924904}	DrvInst.exe
File opened for modification	C:\Windows\system32\wbem\AutoRecover\14C5A2A3C41254184B007011E5565E5B.mof	mofcomp.exe

Drops file in Program Files directory 64 IoCs

Processes:

msiexec.exeOfficeClickToRun.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0301480.WMF	msiexec.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B7FAF540-1582-42EA-B617-C992ADEEE4F8\root\Office16\Visio Content\1029\BASIC_GANTTCHART_M.VSTX	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B7FAF540-1582-42EA-B617-C992ADEEE4F8\root\Office16\Visio Content\1029\INTANN_M.VSSX	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B7FAF540-1582-42EA-B617-C992ADEEE4F8\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\1029\PowerPivotExcelClientAddIn.rll	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B7FAF540-1582-42EA-B617-C992ADEEE4F8\root\CLIPART\PUB60COR\DD01152_.WMF	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B7FAF540-1582-42EA-B617-C992ADEEE4F8\root\vreg\projectmui.msi.16.cs-cz.vreg.dat	OfficeClickToRun.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21300_.GIF	msiexec.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B7FAF540-1582-42EA-B617-C992ADEEE4F8\root\Licenses16\O365BusinessR_Grace-ul-oob.xrm-ms	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B7FAF540-1582-42EA-B617-C992ADEEE4F8\root\Office16\ODBC Drivers\salesforce.ini	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B7FAF540-1582-42EA-B617-C992ADEEE4F8\root\Office16\BORDERS\MSART14.BDR	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B7FAF540-1582-42EA-B617-C992ADEEE4F8\root\CLIPART\PUB60COR\J0400001.PNG	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B7FAF540-1582-42EA-B617-C992ADEEE4F8\root\CLIPART\PUB60COR\BL00923_.WMF	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B7FAF540-1582-42EA-B617-C992ADEEE4F8\root\Licenses16\Access2019R_Trial-pl.xrm-ms	OfficeClickToRun.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif	msiexec.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00256_.WMF	msiexec.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187893.WMF	msiexec.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B7FAF540-1582-42EA-B617-C992ADEEE4F8\root\CLIPART\PUB60COR\J0089945.WMF	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B7FAF540-1582-42EA-B617-C992ADEEE4F8\root\Office16\PE.DLL	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B7FAF540-1582-42EA-B617-C992ADEEE4F8\root\Office16\sdxs\FA000000027\assets\Icons\Unlock.White@3x.png	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B7FAF540-1582-42EA-B617-C992ADEEE4F8\root\Licenses16\O365SmallBusPremR_Grace-ul-oob.xrm-ms	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B7FAF540-1582-42EA-B617-C992ADEEE4F8\root\CLIPART\PUB60COR\SO02094_.WMF	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B7FAF540-1582-42EA-B617-C992ADEEE4F8\root\CLIPART\PUB60COR\NA00068_.WMF	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B7FAF540-1582-42EA-B617-C992ADEEE4F8\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\mfc140u.dll	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Root\rsod\onenote.x-none.msi.16.x-none.boot.tree.dat	OfficeClickToRun.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SECURS.ICO	msiexec.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\SIDEBARBB.POC	msiexec.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00898_.WMF	msiexec.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B7FAF540-1582-42EA-B617-C992ADEEE4F8\root\CLIPART\PUB60COR\J0198447.WMF	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B7FAF540-1582-42EA-B617-C992ADEEE4F8\root\Office16\MEDIA\CHIMES.WAV	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B7FAF540-1582-42EA-B617-C992ADEEE4F8\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AFTRNOON\THMBNAIL.PNG	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B7FAF540-1582-42EA-B617-C992ADEEE4F8\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CASCADE\CASCADE.INF	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B7FAF540-1582-42EA-B617-C992ADEEE4F8\root\CLIPART\PUB60COR\NA01354_.WMF	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B7FAF540-1582-42EA-B617-C992ADEEE4F8\root\CLIPART\PUB60COR\AG00011_.GIF	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B7FAF540-1582-42EA-B617-C992ADEEE4F8\root\CLIPART\PUB60COR\FD00382_.WMF	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B7FAF540-1582-42EA-B617-C992ADEEE4F8\root\CLIPART\PUB60COR\HH01058_.WMF	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B7FAF540-1582-42EA-B617-C992ADEEE4F8\root\Licenses16\ProPlus2019XC2RVL_KMS_ClientC2R-ul-oob.xrm-ms	OfficeClickToRun.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE	msiexec.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\STSUPLD.DLL	msiexec.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21330_.GIF	msiexec.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01301_.GIF	msiexec.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B7FAF540-1582-42EA-B617-C992ADEEE4F8\root\Licenses16\Access2019VL_MAK_AE-ul-phn.xrm-ms	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B7FAF540-1582-42EA-B617-C992ADEEE4F8\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLENDS\BLENDS.INF	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B7FAF540-1582-42EA-B617-C992ADEEE4F8\root\Office16\Visio Content\1029\SPWC_M.VSSX	OfficeClickToRun.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR45B.GIF	msiexec.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsMacroTemplate.html	msiexec.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01838_.GIF	msiexec.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B7FAF540-1582-42EA-B617-C992ADEEE4F8\root\vfs\Fonts\private\COLONNA.TTF	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B7FAF540-1582-42EA-B617-C992ADEEE4F8\root\Office16\Visio Content\1029\DBIDEF1X_M.VSSX	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B7FAF540-1582-42EA-B617-C992ADEEE4F8\root\Office16\1029\PUBFTSCM\SCHEME28.CSS	OfficeClickToRun.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21413_.GIF	msiexec.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\THEMES14\QUAD\QUAD.ELM	msiexec.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\validation.js	msiexec.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\GRIPMASK.BMP	msiexec.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH00780U.BMP	msiexec.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B7FAF540-1582-42EA-B617-C992ADEEE4F8\root\Office16\1029\MSACCESS_K_COL.HXK	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B7FAF540-1582-42EA-B617-C992ADEEE4F8\root\Office16\1029\PUBSPAPR\PDIR35F.GIF	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B7FAF540-1582-42EA-B617-C992ADEEE4F8\root\CLIPART\PUB60COR\WB01244_.GIF	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B7FAF540-1582-42EA-B617-C992ADEEE4F8\root\CLIPART\PUB60COR\J0215718.WMF	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B7FAF540-1582-42EA-B617-C992ADEEE4F8\root\Office16\PUBWIZ\DGWEBSBR.XML	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B7FAF540-1582-42EA-B617-C992ADEEE4F8\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TEXTCONV\MSCONV97.DLL	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B7FAF540-1582-42EA-B617-C992ADEEE4F8\root\Office16\PUBWIZ\ENV98.POC	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B7FAF540-1582-42EA-B617-C992ADEEE4F8\root\CLIPART\PUB60COR\HH00236_.WMF	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B7FAF540-1582-42EA-B617-C992ADEEE4F8\root\rsod\dcf.x-none.msi.16.x-none.tree.dat	OfficeClickToRun.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\FAX\MedianFax.Dotx	msiexec.exe

Drops file in Windows directory 64 IoCs

Processes:

ngen.exemsiexec.exengen.exengen.execonhost.exengen.exengen.exeexpand.exengen.exengen.exengen.exengen.exeOfficeClickToRun.exengen.exemscorsvw.exeDllHost.execonhost.exengen.exeDrvInst.exengen.exeexpand.execonhost.exengen.exengen.exengen.exengen.exengen.exengen.exengen.exengen.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log	ngen.exe
File opened for modification	C:\Windows\Installer\MSI4671.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	ngen.exe
File opened for modification	\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	ngen.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	conhost.exe
File created	C:\Windows\Microsoft.NET\ngenserviceclientlock.dat	ngen.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	ngen.exe
File opened for modification	C:\Windows\Installer\MSIC96.tmp	msiexec.exe
File opened for modification	C:\Windows\assembly\temp\8ZCC3R0G1L\Policy.11.0.Microsoft.Office.Interop.Excel.config	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBCB.tmp	msiexec.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	expand.exe
File opened for modification	C:\Windows\assembly\temp\IX6TWXUZ1D\Microsoft.VisualStudio.Tools.Applications.ComRPCChannel.dll	msiexec.exe
File created	C:\Windows\Microsoft.NET\ngenserviceclientlock.dat	ngen.exe
File opened for modification	\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	ngen.exe
File opened for modification	C:\Windows\Installer\MSI32BE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9D68.tmp	msiexec.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	ngen.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	ngen.exe
File created	C:\Windows\assembly\tmp\38RHLEN8\OFFICE.DLL	msiexec.exe
File created	C:\Windows\fonts\GADUGI.TTF	OfficeClickToRun.exe
File opened for modification	C:\Windows\Installer\MSI97F3.tmp	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	ngen.exe
File opened for modification	C:\Windows\Installer\MSI8219.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4B0D.tmp	msiexec.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\Installer\MSI86CA.tmp	msiexec.exe
File created	C:\Windows\Installer\712176.ipi	msiexec.exe
File created	C:\Windows\assembly\tmp\B1TG9G5R\H163TBMU	msiexec.exe
File opened for modification	C:\Windows\assembly\pubpol72.dat	msiexec.exe
File opened for modification	\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	DllHost.exe
File created	\??\c:\Windows\Installer\7133bf.msi	msiexec.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	conhost.exe
File created	C:\Windows\Microsoft.NET\ngenserviceclientlock.dat	ngen.exe
File opened for modification	C:\Windows\INF\oem3.inf	DrvInst.exe
File created	C:\Windows\assembly\tmp\BLH3JG5W\Policy.11.0.Microsoft.Office.Interop.Word.dll	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8380.tmp	msiexec.exe
File opened for modification	C:\Windows\assembly\temp\ZV8ZV9S7N0\Microsoft.VisualStudio.Tools.Office.ContainerControl.v10.0.dll	msiexec.exe
File opened for modification	C:\Windows\assembly\pubpol111.dat	msiexec.exe
File created	C:\Windows\Microsoft.NET\ngenserviceclientlock.dat	ngen.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	expand.exe
File created	C:\Windows\Installer\7121aa.ipi	msiexec.exe
File created	C:\Windows\assembly\tmp\R6NKEEHZ\SVNWZ4SO	msiexec.exe
File opened for modification	C:\Windows\assembly\pubpol59.dat	msiexec.exe
File created	C:\Windows\assembly\tmp\J4XP1UYQ\Microsoft.VisualStudio.Tools.Applications.Hosting.dll	msiexec.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	conhost.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	ngen.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log	OfficeClickToRun.exe
File opened for modification	C:\Windows\assembly\pubpol87.dat	msiexec.exe
File created	C:\Windows\assembly\pubpol97.dat	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	ngen.exe
File opened for modification	C:\Windows\Installer\MSI9466.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA706.tmp	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	ngen.exe
File opened for modification	C:\Windows\Installer\MSI57E6.tmp	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	ngen.exe
File opened for modification	\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log	ngen.exe
File opened for modification	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\pubs.exe	msiexec.exe
File created	C:\Windows\assembly\tmp\S1K46VRH\Policy.14.0.Microsoft.Office.Interop.OneNote.dll	msiexec.exe
File created	C:\Windows\assembly\pubpol74.dat	msiexec.exe
File opened for modification	C:\Windows\assembly\temp\YT00N9XOB2\Policy.11.0.Microsoft.Office.Interop.SmartTag.dll	msiexec.exe
File opened for modification	C:\Windows\assembly\temp\LSRQ3O7QIH\Policy.11.0.Microsoft.Office.Interop.Outlook.dll	msiexec.exe
File created	C:\Windows\Microsoft.NET\ngenserviceclientlock.dat	ngen.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	ngen.exe
File opened for modification	\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	ngen.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

3944 sc.exe
3232 sc.exe
936 sc.exe
2864 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
3944	sc.exe
3232	sc.exe
936	sc.exe
2864	sc.exe

Checks processor information in registry 2 TTPs 46 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

OfficeClickToRun.exefirefox.exeintegrator.exesetup.exefirefox.exeintegrator.exeintegrator.exesetup.exefirefox.exesetup.exeintegrator.exefirefox.exesetup.exefirefox.exeOfficeClickToRun.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	OfficeClickToRun.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	integrator.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	setup.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	setup.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	OfficeClickToRun.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	integrator.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	integrator.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	setup.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	integrator.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	integrator.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	OfficeClickToRun.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	integrator.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	integrator.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	setup.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	integrator.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	integrator.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	integrator.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	integrator.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	integrator.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Creates scheduled task(s) 1 TTPs 8 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

2928 schtasks.exe
144 schtasks.exe
3100 schtasks.exe
2476 schtasks.exe
2976 schtasks.exe
2276 schtasks.exe
2132 schtasks.exe
3100 schtasks.exe

pid	process
2928	schtasks.exe
144	schtasks.exe
3100	schtasks.exe
2476	schtasks.exe
2976	schtasks.exe
2276	schtasks.exe
2132	schtasks.exe
3100	schtasks.exe

Enumerates system info in registry 2 TTPs 30 IoCs

Query Registry

System Information Discovery

Processes:

setup.exeOfficeClickToRun.exeintegrator.exeintegrator.exesetup.exeOfficeClickToRun.exeintegrator.exeintegrator.exesetup.exesetup.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	setup.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	OfficeClickToRun.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	integrator.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	integrator.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	integrator.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	integrator.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	integrator.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	setup.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	integrator.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	setup.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	OfficeClickToRun.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	integrator.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	integrator.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	integrator.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	OfficeClickToRun.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	integrator.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	integrator.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	integrator.exe

Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

1260 taskkill.exe
4044 taskkill.exe
4008 taskkill.exe

pid	process
1260	taskkill.exe
4044	taskkill.exe
4008	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

Processes:

msiexec.exeintegrator.exeMSOHTMED.EXE

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE\OSPPREARM.EXE = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL\OSPPSVC.EXE = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5FBAF6E6-C64B-49DB-AB1B-F93C607EBC71}	integrator.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ADDON_MANAGEMENT\VSTOInstaller.exe = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD\OSE.EXE = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD\LICLUA.EXE = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_OBJECT_CACHING\OSPPSVC.EXE = "1"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	MSOHTMED.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_USE_WINDOWEDSELECTCONTROL\excel.exe = "0"	integrator.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN\OSPPSVC.EXE = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MAXCONNECTIONSPERSERVER	integrator.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DD993BDC-06E0-4131-B889-DD3B9AEBE253}	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DD993BDC-06E0-4131-B889-DD3B9AEBE253}	integrator.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ZONE_ELEVATION\OSPPSVC.EXE = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\Default Visible = "Yes"	integrator.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_SAFE_BINDTOOBJECT\VSTOInstaller.exe = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{03288CB3-3893-46D1-8D58-B2F8BB6FF5BF}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\Icon = "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\ONBttnIE.dll,103"	integrator.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT\VSTOInstaller.exe = "1"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	MSOHTMED.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{35053A22-8589-11D1-B16A-00C0F0283628}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{279D6C9A-652E-4833-BEFC-312CA8887857}\AlternateCLSID = "{F8CF7A98-2C45-4c8d-9151-2D716989DDAB}"	integrator.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\HotIcon = "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\ONBttnIE.dll,103"	integrator.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5FBAF6E6-C64B-49DB-AB1B-F93C607EBC71}	integrator.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DD993BDC-06E0-4131-B889-DD3B9AEBE253}\AppName = "IEContentService.exe"	integrator.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ZONE_ELEVATION\VSTOInstaller.exe = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5FBAF6E6-C64B-49DB-AB1B-F93C607EBC71}\AppPath = "C:\\Program Files\\Microsoft Office\\root\\Office16\\"	integrator.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MIME_SNIFFING\OSPPSVC.EXE = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MAXCONNECTIONSPERSERVER\mspub.exe = "13"	integrator.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\Icon = "C:\\Program Files\\Microsoft Office\\root\\Office16\\ONBttnIELinkedNotes.dll,103"	integrator.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD\VSTOInstaller.exe = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_OBJECT_CACHING\VSTOInstaller.exe = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_OBJECT_CACHING\LICLUA.EXE = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL\LICLUA.EXE = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\LICLUA.EXE = "1"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	MSOHTMED.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F6A6CA96-B08E-4429-BA30-39232494F292}	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions	integrator.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_OBJECT_CACHING\VSTOInstaller.exe = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\VSTOInstaller.exe = "1"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8E3867A3-8586-11D1-B16A-00C0F0283628}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\ = "Lync Click to Call"	integrator.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT\LICLUA.EXE = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\ToolTip = "Send to OneNote"	integrator.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5FBAF6E6-C64B-49DB-AB1B-F93C607EBC71}\AppPath = "C:\\Program Files\\Microsoft Office\\root\\Office16\\"	integrator.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DD993BDC-06E0-4131-B889-DD3B9AEBE253}\AppPath = "C:\\Program Files\\Microsoft Office\\root\\Office16\\"	integrator.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5054EC7-B9CB-4ad5-9F95-D8171A6D6BFA}	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ZONE_ELEVATION\OSE.EXE = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL\OSPPREARM.EXE = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_UNC_SAVEDFILECHECK\LICLUA.EXE = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}	integrator.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\MenuText = "Lync Click to Call"	integrator.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_WINDOW_RESTRICTIONS\VSTOInstaller.exe = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD\OSPPSVC.EXE = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MIME_HANDLING\LICLUA.EXE = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{279D6C9A-652E-4833-BEFC-312CA8887857}	integrator.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_SAFE_BINDTOOBJECT\LICLUA.EXE = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK	msiexec.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

OfficeClickToRun.exeDrvInst.exeintegrator.exeintegrator.exeintegrator.exeintegrator.exemsiexec.exeDrvInst.exeMsiExec.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\55\52C64B7E\@%SystemRoot%\system32\qagentrt.dll,-10 = "System Health Authentication"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Tue, 29 Nov 2022 13:18:32 GMT"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\TrustCenter\Experimentation	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides	integrator.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A5510846-8129-4530-A78C-0B7107208614}\WpadDecision = "0"	integrator.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\UIFallbackLanguages = "x-none"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	integrator.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A5510846-8129-4530-A78C-0B7107208614}\WpadDecisionTime = 60099273fd03d901	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs	integrator.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\56	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	integrator.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000005000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0088000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	integrator.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun	integrator.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	integrator.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e2-78-ca-a5-13-6b\WpadDecisionReason = "1"	integrator.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	integrator.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	integrator.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	integrator.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e2-78-ca-a5-13-6b	integrator.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	integrator.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	integrator.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\16.0\Common	integrator.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	integrator.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\3C	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	integrator.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	integrator.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	integrator.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	integrator.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\36	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A5510846-8129-4530-A78C-0B7107208614}	integrator.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\OfficeSoftwareProtectionPlatform\Policies\59a52881-a989-479d-af46-f275c6370663	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	integrator.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	integrator.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\54	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	integrator.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	integrator.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A5510846-8129-4530-A78C-0B7107208614}	integrator.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\34	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\51	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.22250&ClientId={B7D8ECD5-D773-4B33-8926-7E5A7995023A}&OSEnvironment=10&MsoAppId=37&AudienceName=DCWin7_CC_Production&AudienceGroup=Production&AppVersion=16.0.12527.22250&"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	integrator.exe

Modifies registry class 64 IoCs

Processes:

msiexec.exeintegrator.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFC20920-DA4E-11CE-B943-00AA006887B4}\InprocServer32\11.0.0.0\Assembly = "Microsoft.Vbe.Interop.Forms, Version=11.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{80757359-5146-11D5-A672-00B0D022E945}	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MediaCatalogMML\DefaultIcon	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{55B0E0C9-C75D-4F42-AD20-6939C1D05B70}\ProxyStubClsid	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{16B5BDED-61AD-4229-B0AF-9AE01E5FCAC4}\ProxyStubClsid	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{53658FB5-BA9B-4699-9B6F-72A8543C0F8F}\TypeLib	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.sldm\PowerPoint.SlideMacroEnabled.12\ShellNew	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{9EE93855-A897-37D7-A1FA-ED80D0C72A27}\15.0.0.0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3050F1C5-98B5-11CF-BB82-00AA00BDCE0B}\4.0\PrimaryInteropAssemblyName = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{3758C9A3-42A6-3679-8793-3FFE50B1AA6B}\14.0.0.0	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{34CEAC8D-CBC0-4f77-B7B1-8A60CB6DA0F7}\PersistentAddinsRegistered	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Access.BlankDatabaseTemplate\CurVer	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8119316F-C58D-4B1D-87A2-7C46E38CA966}\TypeLib	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F4C38321-AEA9-11D5-B90B-0050DACD1F75}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{95DD2E3B-4A92-31FE-B75F-8AD5878D3923}\15.0.0.0\Assembly = "Microsoft.Office.Interop.Outlook, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6CE9F948-C178-11D5-B90F-0050DACD1F75}	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C932DE62-9BB8-48D1-BD8E-2B4D2F820735}\ProxyStubClsid32	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000672E4-0000-0000-C000-000000000046}\ProxyStubClsid32	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{92D41A72-F07E-4CA4-AF6F-BEF486AA4E6F}	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00020926-0000-0000-C000-000000000046}\TypeLib	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{B2762291-75F1-39D6-9297-6B8F6DD6A271}\14.0.0.0	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\HTMLHelp\2.0\LocalReg\CLSID\{314111db-a502-11d2-bbca-00c04f8ec294}\ProgID	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{226B115D-80AF-48D4-9F9D-189406BF29DD}\TypeLib	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3B06E963-E47C-11CD-8701-00AA003F0F07}	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\shell\Printto	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8357BB53-95A2-4043-A040-2825FACEF50D}\InprocServer32\RuntimeVersion = "v2.0.50727"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0006F03A-0000-0000-C000-000000000046}\InprocServer32\15.0.0.0\RuntimeVersion = "v2.0.50727"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{096CD559-0786-11D1-95FA-0080C78EE3BB}\TypeLib	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{4927EA82-23FB-4F6F-9C8B-4204CEB23D21}\15.0.0.0	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Publisher.Document.14\shell\Edit\command	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FBB61240-7BB8-11D1-9FE8-0060978EB34A}\ProxyStubClsid32	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000C03E0-0000-0000-C000-000000000046}\TypeLib	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31411192-A502-11D2-BBCA-00C04F8EC294}	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00024452-0000-0000-C000-000000000046}\ProxyStubClsid	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.Template.12\shell\ViewProtected\command	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xlsx\ShellEx\{8895b1c6-b41f-4c1c-a562-0d564250836f}\ = "{00020827-0000-0000-C000-000000000046}"	integrator.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{64654B35-A024-4807-89D3-C6FDB5A260C7}\InprocServer32	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3D5D02E7-1147-4CBD-96BE-8CEB73F1220C}\ProxyStubClsid32	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18A06B6B-2F3F-4E2B-A611-52BE631B2D22}\DataFormats	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000208FB-0000-0000-C000-000000000046}\ProxyStubClsid32	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\LR.LexRefServiceManager.1.0.1	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Record\{409FCE29-2640-3D59-90C8-8A808092DE16}\15.0.0.0	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A249E9F6-5B28-4ED1-8AF0-C9B9C5195486}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{B06693E3-385D-4E70-923E-4FAB6D14EE15}\InprocServer32\15.0.0.0	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{2F291805-EABF-4F68-801D-A2CC04340F2B}	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{7F9B36C7-48CC-335E-B058-49658FD8CECE}	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3ACFEF20-F5BB-47ff-86C8-43D08B5227DF}\ProgID	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{10EF4AB3-4FAA-46C3-8832-B6247F0CF15C}	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{07B06096-5687-4D13-9E32-12B4259C9813}\1.0\FLAGS	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\InprocServer32\ThreadingModel = "Apartment"	integrator.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{0006F050-0000-0000-C000-000000000046}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\Outlook.EXE\FriendlyAppName = "@C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\oregres.dll,-202"	integrator.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{01BE4CFB-129A-452B-A209-F9D40B3B84A5}\NoOpLock = "1"	integrator.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{6E7B71EC-A786-3DE8-BE95-F16CC8511094}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{08F6C81B-3CFD-11D1-98BC-006008197D41}\InprocServer32\15.0.0.0\Assembly = "Microsoft.Office.Interop.Access, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B355005D-B196-4C28-A7D2-BEC04C083BDA}\TypeLib	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000630EB-0000-0000-C000-000000000046}	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{92D41A69-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A1BAD901-C899-4286-A389-2DB16DF9B6F3}\ProxyStubClsid	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1757BAF1-1632-11D5-80DD-0050DA1C04B5}\1.0\FLAGS	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\InfoPath.SolutionManifest.3\shell\Design\Command	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00020884-0000-0000-C000-000000000046}\ProxyStubClsid32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3B06E94B-E47C-11CD-8701-00AA003F0F07}\InprocServer32\15.0.0.0\Class = "Microsoft.Office.Interop.Access.LineClass"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{8DDB11D5-5F0C-305E-90B3-59A5B077F132}\14.0.0.0	msiexec.exe

Modifies registry key 1 TTPs 25 IoCs

Modify Registry

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
3788	reg.exe
3240	reg.exe
3636	reg.exe
3436	reg.exe
1948	reg.exe
2772	reg.exe
3876	reg.exe
1688	reg.exe
3292	reg.exe
3580	reg.exe
2252	reg.exe
1148	reg.exe
3508	reg.exe
1696	reg.exe
3060	reg.exe
3488	reg.exe
2520	reg.exe
3892	reg.exe
972	reg.exe
3152	reg.exe
3896	reg.exe
1680	reg.exe
1168	reg.exe
1184	reg.exe
1784	reg.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

Processes:

setup.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	setup.exe

NTFS ADS 2 IoCs

Processes:

firefox.exefirefox.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\AppNee.com.Office.2013-2021.C2R.Install.v7.4.8.Full.x64.7z:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\office-C2R-to-VOL-master.zip:Zone.Identifier	firefox.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

2000 NOTEPAD.EXE
Runs net.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam 5 IoCs

Processes:

files.datsetup.exesetup.exesetup.exesetup.exe

pid process

2432 files.dat
2896 setup.exe
2760 setup.exe
1756 setup.exe
832 setup.exe

pid	process
2000	NOTEPAD.EXE

pid	process
2432	files.dat
2896	setup.exe
2760	setup.exe
1756	setup.exe
832	setup.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msiexec.exepowershell.exeMsiExec.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execonhost.exepowershell.exepowershell.execonhost.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exesetup.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execonhost.exepowershell.exepowershell.exepowershell.exepowershell.exetaskmgr.exe

pid	process
1720	msiexec.exe
1720	msiexec.exe
1236	powershell.exe
2296	MsiExec.exe
1460	powershell.exe
2552	powershell.exe
2384	powershell.exe
1804	powershell.exe
2544	powershell.exe
2404	powershell.exe
2780	conhost.exe
2264	powershell.exe
2912	powershell.exe
2848	conhost.exe
1580	powershell.exe
1720	msiexec.exe
1720	msiexec.exe
2136	powershell.exe
2440	powershell.exe
2884	powershell.exe
2436	powershell.exe
1700	powershell.exe
2716	powershell.exe
2276	powershell.exe
2404	powershell.exe
1720	msiexec.exe
1720	msiexec.exe
2764	setup.exe
2764	setup.exe
1776	powershell.exe
1084	powershell.exe
1460	powershell.exe
1288	powershell.exe
2480	powershell.exe
1680	powershell.exe
2468	conhost.exe
1692	powershell.exe
1864	powershell.exe
1740	powershell.exe
1088	powershell.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

OInstall_x64.exetaskmgr.exe

pid process

612 OInstall_x64.exe
1740 taskmgr.exe

pid	process
612	OInstall_x64.exe
1740	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

firefox.exeAUDIODG.EXEvssvc.exeDrvInst.exesetup.exemsiexec.exe7zG.exe

description	pid	process
Token: SeDebugPrivilege	1952	firefox.exe
Token: SeDebugPrivilege	1952	firefox.exe
Token: 33	2576	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2576	AUDIODG.EXE
Token: 33	2576	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2576	AUDIODG.EXE
Token: SeBackupPrivilege	2108	vssvc.exe
Token: SeRestorePrivilege	2108	vssvc.exe
Token: SeAuditPrivilege	2108	vssvc.exe
Token: SeDebugPrivilege	1952	firefox.exe
Token: SeRestorePrivilege	812	DrvInst.exe
Token: SeRestorePrivilege	812	DrvInst.exe
Token: SeRestorePrivilege	812	DrvInst.exe
Token: SeRestorePrivilege	812	DrvInst.exe
Token: SeRestorePrivilege	812	DrvInst.exe
Token: SeRestorePrivilege	812	DrvInst.exe
Token: SeRestorePrivilege	812	DrvInst.exe
Token: SeLoadDriverPrivilege	812	DrvInst.exe
Token: SeLoadDriverPrivilege	812	DrvInst.exe
Token: SeLoadDriverPrivilege	812	DrvInst.exe
Token: SeShutdownPrivilege	2764	setup.exe
Token: SeIncreaseQuotaPrivilege	2764	setup.exe
Token: SeRestorePrivilege	1720	msiexec.exe
Token: SeTakeOwnershipPrivilege	1720	msiexec.exe
Token: SeSecurityPrivilege	1720	msiexec.exe
Token: SeCreateTokenPrivilege	2764	setup.exe
Token: SeAssignPrimaryTokenPrivilege	2764	setup.exe
Token: SeLockMemoryPrivilege	2764	setup.exe
Token: SeIncreaseQuotaPrivilege	2764	setup.exe
Token: SeMachineAccountPrivilege	2764	setup.exe
Token: SeTcbPrivilege	2764	setup.exe
Token: SeSecurityPrivilege	2764	setup.exe
Token: SeTakeOwnershipPrivilege	2764	setup.exe
Token: SeLoadDriverPrivilege	2764	setup.exe
Token: SeSystemProfilePrivilege	2764	setup.exe
Token: SeSystemtimePrivilege	2764	setup.exe
Token: SeProfSingleProcessPrivilege	2764	setup.exe
Token: SeIncBasePriorityPrivilege	2764	setup.exe
Token: SeCreatePagefilePrivilege	2764	setup.exe
Token: SeCreatePermanentPrivilege	2764	setup.exe
Token: SeBackupPrivilege	2764	setup.exe
Token: SeRestorePrivilege	2764	setup.exe
Token: SeShutdownPrivilege	2764	setup.exe
Token: SeDebugPrivilege	2764	setup.exe
Token: SeAuditPrivilege	2764	setup.exe
Token: SeSystemEnvironmentPrivilege	2764	setup.exe
Token: SeChangeNotifyPrivilege	2764	setup.exe
Token: SeRemoteShutdownPrivilege	2764	setup.exe
Token: SeUndockPrivilege	2764	setup.exe
Token: SeSyncAgentPrivilege	2764	setup.exe
Token: SeEnableDelegationPrivilege	2764	setup.exe
Token: SeManageVolumePrivilege	2764	setup.exe
Token: SeImpersonatePrivilege	2764	setup.exe
Token: SeCreateGlobalPrivilege	2764	setup.exe
Token: SeRestorePrivilege	1304	7zG.exe
Token: 35	1304	7zG.exe
Token: SeSecurityPrivilege	1304	7zG.exe
Token: SeRestorePrivilege	1720	msiexec.exe
Token: SeTakeOwnershipPrivilege	1720	msiexec.exe
Token: SeRestorePrivilege	1720	msiexec.exe
Token: SeTakeOwnershipPrivilege	1720	msiexec.exe
Token: SeRestorePrivilege	1720	msiexec.exe
Token: SeTakeOwnershipPrivilege	1720	msiexec.exe
Token: SeRestorePrivilege	1720	msiexec.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

firefox.exe7zG.exefirefox.exeOfficeClickToRun.exeOfficeC2RClient.exetaskmgr.exefirefox.exe

pid	process
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1304	7zG.exe
1636	firefox.exe
1636	firefox.exe
1636	firefox.exe
1636	firefox.exe
1636	firefox.exe
3060	OfficeClickToRun.exe
3060	OfficeClickToRun.exe
3060	OfficeClickToRun.exe
3060	OfficeClickToRun.exe
3060	OfficeClickToRun.exe
1620	OfficeC2RClient.exe
1636	firefox.exe
1636	firefox.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1436	firefox.exe
1436	firefox.exe
1740	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

firefox.exefirefox.exeOfficeClickToRun.exetaskmgr.exefirefox.exe

pid	process
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1636	firefox.exe
1636	firefox.exe
1636	firefox.exe
1636	firefox.exe
3060	OfficeClickToRun.exe
3060	OfficeClickToRun.exe
3060	OfficeClickToRun.exe
3060	OfficeClickToRun.exe
3060	OfficeClickToRun.exe
1636	firefox.exe
1636	firefox.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe
1436	firefox.exe
1436	firefox.exe
1740	taskmgr.exe
1436	firefox.exe
1740	taskmgr.exe
1740	taskmgr.exe
1740	taskmgr.exe

Suspicious use of SetWindowsHookEx 43 IoCs

Processes:

firefox.exesetup.exesetup.exesetup.exeOInstall_x64.exesetup.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeC2RClient.exeintegrator.exeintegrator.exeintegrator.exefirefox.exeintegrator.exe

pid	process
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
2896	setup.exe
2760	setup.exe
1756	setup.exe
612	OInstall_x64.exe
832	setup.exe
3060	OfficeClickToRun.exe
1336	OfficeClickToRun.exe
1620	OfficeC2RClient.exe
1620	OfficeC2RClient.exe
2828	integrator.exe
2664	integrator.exe
3792	integrator.exe
2180	firefox.exe
2180	firefox.exe
2180	firefox.exe
3928	integrator.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 336 wrote to memory of 1552	336	firefox.exe	firefox.exe
PID 336 wrote to memory of 1552	336	firefox.exe	firefox.exe
PID 336 wrote to memory of 1552	336	firefox.exe	firefox.exe
PID 336 wrote to memory of 1552	336	firefox.exe	firefox.exe
PID 336 wrote to memory of 1552	336	firefox.exe	firefox.exe
PID 336 wrote to memory of 1552	336	firefox.exe	firefox.exe
PID 336 wrote to memory of 1552	336	firefox.exe	firefox.exe
PID 336 wrote to memory of 1552	336	firefox.exe	firefox.exe
PID 336 wrote to memory of 1552	336	firefox.exe	firefox.exe
PID 336 wrote to memory of 1552	336	firefox.exe	firefox.exe
PID 1952 wrote to memory of 728	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 728	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 728	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 336	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 336	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 336	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 336	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 336	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 336	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 336	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 336	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 336	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 336	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 336	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 336	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 336	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 336	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 336	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 336	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 336	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 336	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 336	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 336	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 336	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 336	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 336	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 336	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 336	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 336	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 336	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 336	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 336	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 336	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 336	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 336	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 336	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 336	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 336	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 336	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 336	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 336	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 336	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 336	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 336	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 336	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 336	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 336	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 1848	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 1848	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 1848	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 1848	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 1848	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 1848	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 1848	1952	firefox.exe	firefox.exe

C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\sus.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2000

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Checks processor information in registry
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1952

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1952.0.499593703\1527785992" -parentBuildID 20200403170909 -prefsHandle 1180 -prefMapHandle 1172 -prefsLen 1 -prefMapSize 219796 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1952 "\\.\pipe\gecko-crash-server-pipe.1952" 1260 gpu
2⤵
PID:728

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1952.3.1336764524\1475835781" -childID 1 -isForBrowser -prefsHandle 1760 -prefMapHandle 1712 -prefsLen 156 -prefMapSize 219796 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1952 "\\.\pipe\gecko-crash-server-pipe.1952" 1936 tab
2⤵
PID:336

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1952.13.447670187\399562445" -childID 2 -isForBrowser -prefsHandle 2652 -prefMapHandle 2572 -prefsLen 6938 -prefMapSize 219796 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1952 "\\.\pipe\gecko-crash-server-pipe.1952" 2688 tab
2⤵
PID:1848

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1952.20.112653706\2052135163" -childID 3 -isForBrowser -prefsHandle 2912 -prefMapHandle 3416 -prefsLen 8669 -prefMapSize 219796 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1952 "\\.\pipe\gecko-crash-server-pipe.1952" 3408 tab
2⤵
PID:2336

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:336

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
PID:1552

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:584

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:1996

C:\Windows\System32\control.exe
"C:\Windows\System32\control.exe" SYSTEM
1⤵
PID:956

C:\Windows\system32\systempropertiesadvanced.exe
"C:\Windows\system32\systempropertiesadvanced.exe"
1⤵
PID:1020

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:2508

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x494
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2576

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{FCC74B77-EC3E-4DD8-A80B-008A702075A9}
1⤵
PID:2724

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\setup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\setup.exe" /uninstall PROPLUS /dll OSETUP.DLL
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2764

C:\Users\Admin\AppData\Local\Temp\Setup00000acc\ose00000.exe
"C:\Users\Admin\AppData\Local\Temp\Setup00000acc\ose00000.exe" -standalone
3⤵
- Executes dropped EXE
PID:2128

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2108

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000004AC" "00000000000005B0"
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:812

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Registers COM server for autorun
- Sets file execution options in registry
- Loads dropped DLL
- Drops desktop.ini file(s)
- Enumerates connected drives
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1720

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 27C033C15E4E4924B6158131850EE9A8
2⤵
- Loads dropped DLL
PID:968

C:\Windows\system32\MsiExec.exe
C:\Windows\system32\MsiExec.exe -Embedding 32DFA5DB862E86D776AA5274436317E0 M Global\MSI0000
2⤵
- Loads dropped DLL
PID:1200

C:\Program Files\Microsoft Office\Office14\MSOHTMED.EXE
"C:\Program Files\Microsoft Office\Office14\MSOHTMED.EXE" /unregserver
2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
PID:2436

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 53B6131B31D4DE42BAC0DD18C7E13C52 M Global\MSI0000
2⤵
PID:1876

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding CE0A15037DBB63DFD0F329424DFAD9DB
2⤵
- Loads dropped DLL
PID:548

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 5FEDD3D95CC0DC24A781B129FCAD8C33 M Global\MSI0000
2⤵
- Loads dropped DLL
PID:2364

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\ose.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\ose.exe" -standalone:temp
3⤵
- Loads dropped DLL
PID:1268

C:\Users\Admin\AppData\Local\Temp\ose00001.exe
"C:\Users\Admin\AppData\Local\Temp\ose00001.exe" -standalone
4⤵
- Executes dropped EXE
PID:2584

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 46B7302230E1F86F8EE71DA7151C3B91
2⤵
PID:2420

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 519147B2CFD054A48D1CB2F8B2824E9B M Global\MSI0000
2⤵
PID:2356

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding F12968AD51B5A0609456732402DA7FC1
2⤵
PID:2996

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding DC2E179FAED0E06F968154E75C50F7AB M Global\MSI0000
2⤵
PID:3064

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 248D9964A3BC05DFF7097D8562643ACA
2⤵
PID:1640

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 2A29C1AB5E00FCC61CF138D82C5C27A8 M Global\MSI0000
2⤵
PID:2124

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 07DEDE34D310120FA1D307B09708A4AF
2⤵
PID:2856

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 50854395B072DE73B23A44EE9C588EFC M Global\MSI0000
2⤵
PID:1992

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding DAB259ECA26190A7B036C76E85DF2014
2⤵
- Loads dropped DLL
PID:1200

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding B712F4AE461E9CA80E470C962807BE83 M Global\MSI0000
2⤵
PID:2456

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding CEFCFB91BB0FABD406D0949F6609FC9C
2⤵
PID:3004

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 26D70033F22785D728028F10393F6CEE M Global\MSI0000
2⤵
PID:524

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding E8D5C58A8800F9D9A3F399091344B157
2⤵
PID:2968

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 6F421B873424C4C68A27F9043CF9CA06 M Global\MSI0000
2⤵
PID:3048

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 1FEDBC46DF79782AEFEA67912309F6E8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2296

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding CCC4D0E9133E3BA5FDE777547F7A7E75 M Global\MSI0000
2⤵
PID:2748

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding DF07AA5B07CC2BE2CF0EB3A67F9CA5AC
2⤵
PID:2692

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding F7956BD00770C6F5002A808F55A760E3 M Global\MSI0000
2⤵
PID:1260

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding CC60887F76877BC8F7E438B7D60A01C9
2⤵
PID:1324

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding E818205A8284FA850271283D359DA4C2 M Global\MSI0000
2⤵
PID:2976

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding A812710A9011BA6B82AC45EAA061706F
2⤵
PID:1920

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 324D2D6D95797A0E316FA2EBD2091303 M Global\MSI0000
2⤵
PID:1848

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding B7AEB28CDC5E5EEA6CA27661665CC92B
2⤵
PID:1468

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 8E3FE3683FDD9FD433E6AC64BFAE6DFB M Global\MSI0000
2⤵
PID:2152

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 9815E27B013E55267D85EDCFCD6D7161
2⤵
PID:2456

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 00B478234AEE1201935BEA432836AC15 M Global\MSI0000
2⤵
PID:1724

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding BB89688129684D92D33FC24D245D23F0
2⤵
PID:2356

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 8EF9F1FD72C1D1A496091E6D22409E44 M Global\MSI0000
2⤵
PID:2824

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding D5D1098BD5200A5651B77A896D382D5F
2⤵
PID:2788

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 8015EA10C58304E55BCE2B71C89389D9 M Global\MSI0000
2⤵
PID:2152

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 389A96F1D86BD511EF75D07E3DA30C05
2⤵
PID:452

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 74EB8A31A4E82B1F5A821C1374332A19 M Global\MSI0000
2⤵
PID:3024

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 17CFA12C9F94376B567BB6BB74B72AF6
2⤵
PID:1304

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 559F6585F1CAAD4DB15B2975AB2AEFDB M Global\MSI0000
2⤵
PID:1736

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding DC15F21DE9CED73911A1F5FBD7532461
2⤵
PID:2124

C:\Program Files (x86)\Microsoft Office\Office14\bcssync.exe
"C:\Program Files (x86)\Microsoft Office\Office14\bcssync.exe" /shutdown
3⤵
PID:2460

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 89DC9566FC7E8900BF84DA9AC1604F3B M Global\MSI0000
2⤵
PID:2496

C:\Windows\syswow64\wevtutil.exe
"wevtutil.exe" um "C:\Program Files (x86)\Microsoft Office\Office14\BCSEvents.man"
3⤵
PID:268

C:\Windows\System32\wevtutil.exe
"wevtutil.exe" um "C:\Program Files (x86)\Microsoft Office\Office14\BCSEvents.man" /fromwow64
4⤵
PID:3044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "Microsoft.BusinessData, Version=14.0.0.0000000, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
3⤵
PID:2672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 114 -Pipe 11c -Comment "NGen Worker Process"
4⤵
PID:2700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "Microsoft.Office.BusinessApplications.Runtime, Version=14.0.0.0000000, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
3⤵
PID:2160

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 110 -Pipe 11c -Comment "NGen Worker Process"
4⤵
PID:2132

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "Microsoft.Office.BusinessApplications.RuntimeUi, Version=14.0.0.0000000, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
3⤵
PID:2820

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 114 -Pipe 11c -Comment "NGen Worker Process"
4⤵
PID:2456

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "Microsoft.Office.BusinessApplications.Diagnostics, Version=14.0.0.0000000, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
3⤵
PID:1132

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 110 -Pipe 11c -Comment "NGen Worker Process"
4⤵
- Drops file in Windows directory
PID:1772

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "Microsoft.Office.BusinessData, Version=14.0.0.0000000, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
3⤵
PID:2080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 114 -Pipe 11c -Comment "NGen Worker Process"
4⤵
PID:1548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "Microsoft.Office.BusinessApplications.SyncServices, Version=14.0.0.0000000, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
3⤵
PID:1724

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 110 -Pipe 11c -Comment "NGen Worker Process"
4⤵
PID:2288

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "Microsoft.Office.InfoPath.Client.Internal.Host, Version=14.0.0.0000000, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
3⤵
PID:2924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 114 -Pipe 11c -Comment "NGen Worker Process"
4⤵
PID:1376

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "Microsoft.Office.InfoPath.Client.Internal.Host.Interop, Version=14.0.0.0000000, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
3⤵
PID:2772

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 110 -Pipe 11c -Comment "NGen Worker Process"
4⤵
PID:3064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "Microsoft.Office.InfoPath, Version=14.0.0.0000000, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
3⤵
PID:2776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 114 -Pipe 11c -Comment "NGen Worker Process"
4⤵
PID:2964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "ipdmctrl, Version=11.0.0.0000000, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
3⤵
PID:2232

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 110 -Pipe 11c -Comment "NGen Worker Process"
4⤵
PID:1616

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "Microsoft.Office.InfoPath.Permission, Version=14.0.0.0000000, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
3⤵
PID:2500

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 114 -Pipe 11c -Comment "NGen Worker Process"
4⤵
PID:1324

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "Microsoft.Office.Interop.InfoPath.SemiTrust, Version=11.0.0.0000000, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
3⤵
PID:2452

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 110 -Pipe 11c -Comment "NGen Worker Process"
4⤵
PID:308

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "Microsoft.Office.Interop.InfoPath, Version=14.0.0.0000000, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
3⤵
PID:2404

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 114 -Pipe 11c -Comment "NGen Worker Process"
4⤵
PID:616

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"
3⤵
PID:1016

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"
3⤵
PID:1964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"
3⤵
PID:2268

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"
3⤵
PID:2716

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll"
3⤵
PID:1748

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll"
3⤵
PID:2516

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"
3⤵
PID:2168

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"
3⤵
PID:2264

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll"
3⤵
PID:1800

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll"
3⤵
PID:1784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"
3⤵
PID:1492

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"
3⤵
PID:788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll"
3⤵
PID:892

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll"
3⤵
PID:2860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"
3⤵
PID:2160

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"
3⤵
PID:2628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll"
3⤵
PID:1876

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll"
3⤵
PID:1168

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "Microsoft.VisualStudio.Tools.Applications.Contract.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"
3⤵
PID:2996

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "Microsoft.VisualStudio.Tools.Applications.Contract.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"
3⤵
PID:2096

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll"
3⤵
PID:2588

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll"
3⤵
- Drops file in Windows directory
PID:3020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "Microsoft.VisualStudio.Tools.Applications.Contract.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"
3⤵
PID:2212

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "Microsoft.VisualStudio.Tools.Applications.Contract.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"
3⤵
PID:2444

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll"
3⤵
PID:2976

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll"
3⤵
- Drops file in Windows directory
PID:2420

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "Microsoft.VisualStudio.Tools.Applications.Adapter.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"
3⤵
PID:1304

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "Microsoft.VisualStudio.Tools.Applications.Adapter.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"
3⤵
PID:1972

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "Microsoft.VisualStudio.Tools.Applications.ServerDocument.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"
3⤵
PID:564

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "Microsoft.VisualStudio.Tools.Applications.ServerDocument.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"
3⤵
PID:2928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "Microsoft.VisualStudio.Tools.Applications.Hosting.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"
3⤵
- Drops file in Windows directory
PID:2016

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "Microsoft.VisualStudio.Tools.Applications.Hosting.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"
3⤵
PID:1604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "Microsoft.VisualStudio.Tools.Applications.Hosting.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"
3⤵
- Drops file in Windows directory
PID:1212

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "Microsoft.VisualStudio.Tools.Applications.Hosting.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"
3⤵
PID:2548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "Microsoft.VisualStudio.Tools.Applications.ServerDocument.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"
3⤵
PID:2520

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "Microsoft.VisualStudio.Tools.Applications.ServerDocument.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"
3⤵
PID:920

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "Microsoft.Office.Tools.Outlook.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"
3⤵
PID:2524

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "Microsoft.Office.Tools.Outlook.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"
3⤵
PID:2408

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "Microsoft.Office.Tools.Excel.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"
3⤵
PID:2788

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "Microsoft.Office.Tools.Excel.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"
3⤵
PID:2512

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "Microsoft.Office.Tools.Word.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"
3⤵
PID:2932

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "Microsoft.Office.Tools.Word.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"
3⤵
PID:2092

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "Microsoft.VisualStudio.Tools.Office.AppInfoDocument.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"
3⤵
PID:2500

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "Microsoft.VisualStudio.Tools.Office.AppInfoDocument.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"
3⤵
- Drops file in Windows directory
PID:2644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "Microsoft.Office.Tools.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"
3⤵
PID:336

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "Microsoft.Office.Tools.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"
3⤵
PID:1760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "Microsoft.VisualStudio.Tools.Office.Runtime.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"
3⤵
PID:2248

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "Microsoft.VisualStudio.Tools.Office.Runtime.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"
3⤵
PID:2260

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "Microsoft.Office.Tools.Common.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"
3⤵
PID:2596

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "Microsoft.Office.Tools.Common.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"
3⤵
- Drops file in Windows directory
PID:1148

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"
3⤵
PID:2384

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"
3⤵
PID:2432

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"
3⤵
PID:1964

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"
3⤵
PID:1848

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"
3⤵
PID:652

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"
3⤵
PID:1748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"
3⤵
PID:2516

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"
3⤵
PID:2168

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll"
3⤵
PID:2264

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll"
3⤵
PID:1800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "Microsoft.VisualStudio.Tools.Office.Contract.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"
3⤵
PID:2700

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "Microsoft.VisualStudio.Tools.Office.Contract.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"
3⤵
PID:2164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll"
3⤵
PID:2132

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll"
3⤵
PID:3036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "Microsoft.VisualStudio.Tools.Office.Contract.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"
3⤵
PID:1644

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "Microsoft.VisualStudio.Tools.Office.Contract.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"
3⤵
PID:1712

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll"
3⤵
PID:2668

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll"
3⤵
PID:2304

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"
3⤵
PID:3000

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"
3⤵
PID:2272

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll"
3⤵
PID:3060

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll"
3⤵
PID:1636

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "Microsoft.VisualStudio.Tools.Office.Excel.AddInProxy.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"
3⤵
PID:1776

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "Microsoft.VisualStudio.Tools.Office.Excel.AddInProxy.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"
3⤵
PID:2332

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"
3⤵
PID:1588

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"
3⤵
PID:1736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll"
3⤵
PID:2676

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll"
3⤵
PID:1340

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "Microsoft.VisualStudio.Tools.Office.Word.AddInProxy.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"
3⤵
- Drops file in Windows directory
PID:1916

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "Microsoft.VisualStudio.Tools.Office.Word.AddInProxy.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"
3⤵
PID:784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.Office.Tools.v9.0.dll"
3⤵
PID:1936

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.Office.Tools.v9.0.dll"
3⤵
PID:1664

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll"
3⤵
PID:2528

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll"
3⤵
PID:2940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll"
3⤵
PID:1480

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll"
3⤵
PID:2776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll"
3⤵
PID:2152

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll"
3⤵
PID:1616

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"
3⤵
PID:808

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"
3⤵
PID:108

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll"
3⤵
PID:1324

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll"
3⤵
- Drops file in Windows directory
PID:1232

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "Microsoft.VisualStudio.Tools.Office.ContainerControl.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"
3⤵
PID:1300

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "Microsoft.VisualStudio.Tools.Office.ContainerControl.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"
3⤵
PID:2236

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe update /queue
3⤵
PID:2784

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe update /queue
3⤵
PID:1476

C:\Windows\Microsoft.NET\Framework\v3.5\addinutil.exe
"C:\Windows\Microsoft.NET\Framework\v3.5\addinutil.exe" -PipelineRoot:"C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\." -Rebuild
3⤵
PID:2292

C:\Windows\Microsoft.NET\Framework\v3.5\addinutil.exe
"C:\Windows\Microsoft.NET\Framework\v3.5\addinutil.exe" -AddInRoot:"C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\." -Rebuild
3⤵
PID:2860

C:\Program Files (x86)\Microsoft Office\Office14\MSOHTMED.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\MSOHTMED.EXE" /unregserver
2⤵
- Executes dropped EXE
PID:1664

\??\c:\Windows\syswow64\MsiExec.exe
c:\Windows\syswow64\MsiExec.exe -Embedding 63762637748DEF419B1CA62FB70F60FA M Global\MSI0000
2⤵
PID:2808

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:2648

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
- Drops file in Windows directory
PID:2532

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:556

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:2780

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll" /queue:3 /NoDependencies
3⤵
- Drops file in Windows directory
PID:2816

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll" /queue:3 /NoDependencies
3⤵
- Drops file in Windows directory
PID:108

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
- Drops file in Windows directory
PID:2608

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:1732

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll" /queue:3 /NoDependencies
3⤵
PID:2300

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll" /queue:3 /NoDependencies
3⤵
PID:2856

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:2732

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:1876

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll" /queue:3 /NoDependencies
3⤵
PID:1920

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll" /queue:3 /NoDependencies
3⤵
PID:1436

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:2480

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:3100

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll" /queue:3 /NoDependencies
3⤵
PID:3124

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll" /queue:3 /NoDependencies
3⤵
PID:3148

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.Contract.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:3172

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.Contract.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:3196

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll" /queue:3 /NoDependencies
3⤵
PID:2660

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll" /queue:3 /NoDependencies
3⤵
PID:3240

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.Contract.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:3260

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.Contract.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:3280

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll" /queue:3 /NoDependencies
3⤵
PID:3300

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll" /queue:3 /NoDependencies
3⤵
PID:1324

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.Adapter.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:3524

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.Adapter.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:3576

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.ServerDocument.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:3676

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.ServerDocument.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:3796

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.Hosting.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:3812

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.Hosting.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:3860

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.Hosting.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:3892

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.Hosting.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:3916

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.ServerDocument.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:2196

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.ServerDocument.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:3516

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.Outlook.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:2676

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.Outlook.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:3500

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.Excel.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:3456

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.Excel.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:4020

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.Word.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:3868

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.Word.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:4064

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.AppInfoDocument.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:812

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.AppInfoDocument.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:1696

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:1784

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:1380

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.Runtime.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:3996

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.Runtime.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:2332

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.Common.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:956

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.Common.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:1944

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:1776

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:1480

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:1080

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:836

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:336

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:964

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:968

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:972

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll" /queue:3 /NoDependencies
3⤵
PID:2516

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll" /queue:3 /NoDependencies
3⤵
PID:2096

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.Contract.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:2244

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.Contract.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:1680

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll" /queue:3 /NoDependencies
3⤵
PID:2700

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll" /queue:3 /NoDependencies
3⤵
- Drops file in Windows directory
PID:2624

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.Contract.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:3000

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.Contract.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:3088

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll" /queue:3 /NoDependencies
3⤵
PID:3112

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll" /queue:3 /NoDependencies
3⤵
PID:4008

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:3124

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:3148

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll" /queue:3 /NoDependencies
3⤵
PID:3172

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll" /queue:3 /NoDependencies
3⤵
PID:3196

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.Excel.AddInProxy.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:2660

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.Excel.AddInProxy.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:3240

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:3272

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:3280

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll" /queue:3 /NoDependencies
3⤵
PID:3300

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll" /queue:3 /NoDependencies
3⤵
PID:1324

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.Word.AddInProxy.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:3524

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.Word.AddInProxy.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
- Drops file in Windows directory
PID:3576

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.Office.Tools.v9.0.dll" /queue:3 /NoDependencies
3⤵
PID:3676

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.Office.Tools.v9.0.dll" /queue:3 /NoDependencies
3⤵
PID:3796

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll" /queue:3 /NoDependencies
3⤵
PID:3812

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll" /queue:3 /NoDependencies
3⤵
PID:3860

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll" /queue:3 /NoDependencies
3⤵
PID:3892

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll" /queue:3 /NoDependencies
3⤵
PID:3916

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll" /queue:3 /NoDependencies
3⤵
PID:2768

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll" /queue:3 /NoDependencies
3⤵
PID:3516

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:3956

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
- Drops file in Windows directory
PID:3500

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll" /queue:3 /NoDependencies
3⤵
PID:3456

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll" /queue:3 /NoDependencies
3⤵
PID:4036

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.ContainerControl.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:3868

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.ContainerControl.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:4064

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.Runtime, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:812

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.Runtime, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:1696

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.Hosting, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:1784

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.Hosting, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:1380

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.ServerDocument, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:2884

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Applications.ServerDocument, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:2548

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.v4.0.Framework, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:2348

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.v4.0.Framework, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
- Drops file in Windows directory
PID:1644

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.Office.Tools, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:2172

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.Office.Tools, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:3064

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.Common, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:1708

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.Common, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:2256

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.Excel, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:3068

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.Excel, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:968

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.Outlook, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:564

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.Outlook, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:1732

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.Word, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:2244

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.Word, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
- Drops file in Windows directory
PID:1680

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.Common.Implementation, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:1876

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.Common.Implementation, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:392

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.Excel.Implementation, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:1612

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.Excel.Implementation, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:3096

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.Outlook.Implementation, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
- Drops file in Windows directory
PID:3120

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.Outlook.Implementation, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:3136

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.Word.Implementation, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
- Drops file in Windows directory
PID:3160

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.Office.Tools.Word.Implementation, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:3192

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.ContainerControl, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:3204

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.ContainerControl, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:3228

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.Runtime, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:3252

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.Runtime, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:3260

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.Runtime.Internal, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
PID:3304

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Microsoft.VisualStudio.Tools.Office.Runtime.Internal, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /queue:3 /NoDependencies
3⤵
- Drops file in Windows directory
PID:2148

\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe update /queue
3⤵
PID:3544

\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe update /queue
3⤵
PID:3552

\??\c:\Windows\system32\MsiExec.exe
c:\Windows\system32\MsiExec.exe -Embedding 665F61F343FD3DBB74953B072C4BE7E6 M Global\MSI0000
2⤵
PID:2588

\??\c:\Windows\Microsoft.NET\Framework64\v3.5\addinutil.exe
"c:\Windows\Microsoft.NET\Framework64\v3.5\addinutil.exe" -PipelineRoot:"c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\." -Rebuild
3⤵
PID:3768

\??\c:\Windows\Microsoft.NET\Framework64\v3.5\addinutil.exe
"c:\Windows\Microsoft.NET\Framework64\v3.5\addinutil.exe" -AddInRoot:"c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\." -Rebuild
3⤵
PID:3796

\??\c:\Windows\system32\MsiExec.exe
c:\Windows\system32\MsiExec.exe -Embedding 58E8BF6E068FDDD5556DC55F958E3C0A M Global\MSI0000
2⤵
- Modifies data under HKEY_USERS
PID:3892

\??\c:\Windows\syswow64\MsiExec.exe
c:\Windows\syswow64\MsiExec.exe -Embedding 01F0EF610BB5F5CB478485176211B85E M Global\MSI0000
2⤵
PID:1308

\??\c:\Windows\system32\WBEM\mofcomp.exe
"c:\Windows\system32\WBEM\mofcomp.exe" "c:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI.MOF"
3⤵
- Drops file in System32 directory
PID:1996

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 464009258802F3F9BDE84F29C53DADA9 M Global\MSI0000
2⤵
PID:3508

C:\Windows\system32\MsiExec.exe
C:\Windows\system32\MsiExec.exe -Embedding 9F457CC433D1F67B7995C21C72EC1880 M Global\MSI0000
2⤵
PID:2488

C:\Windows\Microsoft.NET\Framework64\v3.5\addinutil.exe
"C:\Windows\Microsoft.NET\Framework64\v3.5\addinutil.exe" -PipelineRoot:"C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\." -Rebuild
3⤵
PID:1592

C:\Windows\Microsoft.NET\Framework64\v3.5\addinutil.exe
"C:\Windows\Microsoft.NET\Framework64\v3.5\addinutil.exe" -AddInRoot:"C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\." -Rebuild
3⤵
PID:1380

\??\c:\Windows\syswow64\MsiExec.exe
c:\Windows\syswow64\MsiExec.exe -Embedding FD896AEC7623597C3E9516F7399E7031 M Global\MSI0000
2⤵
PID:3916

\??\c:\Windows\system32\MsiExec.exe
c:\Windows\system32\MsiExec.exe -Embedding 2C63EA79EDE8236A58E1D3D111A6E1C3 M Global\MSI0000
2⤵
PID:1320

\??\c:\Windows\Microsoft.NET\Framework64\v3.5\addinutil.exe
"c:\Windows\Microsoft.NET\Framework64\v3.5\addinutil.exe" -PipelineRoot:"c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\." -Rebuild
3⤵
PID:2996

\??\c:\Windows\Microsoft.NET\Framework64\v3.5\addinutil.exe
"c:\Windows\Microsoft.NET\Framework64\v3.5\addinutil.exe" -AddInRoot:"c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\." -Rebuild
3⤵
PID:468

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding CE4100BF27169C64AD18BE9B881EB0A2 M Global\MSI0000
2⤵
PID:3552

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSI84AC.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_8423695 9357 SetupConfigCustomAction!Squirrel.SetupConfigCustomAction.SettingsCustomActions.RemoveRegKeyFromPreviousInstall
3⤵
PID:3876

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 5841ED959D39B1BD6678627C58425B02
2⤵
PID:3588

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSIA039.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_8429295 9363 SetupConfigCustomAction!Squirrel.SetupConfigCustomAction.SettingsCustomActions.CopyConfig
3⤵
PID:1936

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\AppNee.com.Office.2013-2021.C2R.Install.v7.4.8.Full.x64\" -ad -an -ai#7zMap19324:170:7zEvent14891
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1304

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:392

C:\Users\Admin\Downloads\AppNee.com.Office.2013-2021.C2R.Install.v7.4.8.Full.x64\OInstall_x64.exe
"C:\Users\Admin\Downloads\AppNee.com.Office.2013-2021.C2R.Install.v7.4.8.Full.x64\OInstall_x64.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:612

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled /t REG_DWORD /d 1 /f
2⤵
PID:564

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /D /c files.dat -y -pkmsauto
2⤵
PID:2012

C:\Users\Admin\Downloads\AppNee.com.Office.2013-2021.C2R.Install.v7.4.8.Full.x64\files\files.dat
files.dat -y -pkmsauto
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2432

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab', 'C:\Users\Admin\AppData\Local\Temp\over175850\v32.cab') }"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:1236

C:\Windows\system32\expand.exe
"expand" v32.cab -F:VersionDescriptor.xml C:\Users\Admin\AppData\Local\Temp\over175850
2⤵
PID:2760

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -command "& { Get-Content C:\Users\Admin\AppData\Local\Temp\over175850\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }
2⤵
PID:2296

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab', 'C:\Users\Admin\AppData\Local\Temp\over929821\v32.cab') }"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:1460

C:\Windows\system32\expand.exe
"expand" v32.cab -F:VersionDescriptor.xml C:\Users\Admin\AppData\Local\Temp\over929821
2⤵
PID:956

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -command "& { Get-Content C:\Users\Admin\AppData\Local\Temp\over929821\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2552

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab', 'C:\Users\Admin\AppData\Local\Temp\over355210\v32.cab') }"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:2384

C:\Windows\system32\expand.exe
"expand" v32.cab -F:VersionDescriptor.xml C:\Users\Admin\AppData\Local\Temp\over355210
2⤵
PID:336

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -command "& { Get-Content C:\Users\Admin\AppData\Local\Temp\over355210\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1804

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab', 'C:\Users\Admin\AppData\Local\Temp\over546346\v32.cab') }"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:2544

C:\Windows\system32\expand.exe
"expand" v32.cab -F:VersionDescriptor.xml C:\Users\Admin\AppData\Local\Temp\over546346
2⤵
PID:2160

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -command "& { Get-Content C:\Users\Admin\AppData\Local\Temp\over546346\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2404

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab', 'C:\Users\Admin\AppData\Local\Temp\over756042\v32.cab') }"
2⤵
PID:2780

C:\Windows\system32\expand.exe
"expand" v32.cab -F:VersionDescriptor.xml C:\Users\Admin\AppData\Local\Temp\over756042
2⤵
PID:2380

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -command "& { Get-Content C:\Users\Admin\AppData\Local\Temp\over756042\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2264

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/b61285dd-d9f7-41f2-9757-8f61cba4e9c8/Office/Data/v32.cab', 'C:\Users\Admin\AppData\Local\Temp\over903162\v32.cab') }"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:2912

C:\Windows\system32\expand.exe
"expand" v32.cab -F:VersionDescriptor.xml C:\Users\Admin\AppData\Local\Temp\over903162
2⤵
PID:3040

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -command "& { Get-Content C:\Users\Admin\AppData\Local\Temp\over903162\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }
2⤵
PID:2848

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/834504cc-dc55-4c6d-9e71-e024d0253f6d/Office/Data/v32.cab', 'C:\Users\Admin\AppData\Local\Temp\over553939\v32.cab') }"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:1580

C:\Windows\system32\expand.exe
"expand" v32.cab -F:VersionDescriptor.xml C:\Users\Admin\AppData\Local\Temp\over553939
2⤵
PID:2432

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -command "& { Get-Content C:\Users\Admin\AppData\Local\Temp\over553939\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2136

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/5462eee5-1e97-495b-9370-853cd873bb07/Office/Data/v32.cab', 'C:\Users\Admin\AppData\Local\Temp\over567290\v32.cab') }"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:2440

C:\Windows\system32\expand.exe
"expand" v32.cab -F:VersionDescriptor.xml C:\Users\Admin\AppData\Local\Temp\over567290
2⤵
- Drops file in Windows directory
PID:2380

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -command "& { Get-Content C:\Users\Admin\AppData\Local\Temp\over567290\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2884

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/5440fd1f-7ecb-4221-8110-145efaa6372f/Office/Data/v32.cab', 'C:\Users\Admin\AppData\Local\Temp\over532925\v32.cab') }"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:2436

C:\Windows\system32\expand.exe
"expand" v32.cab -F:VersionDescriptor.xml C:\Users\Admin\AppData\Local\Temp\over532925
2⤵
PID:2124

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -command "& { Get-Content C:\Users\Admin\AppData\Local\Temp\over532925\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1700

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/64256afe-f5d9-4f86-8936-8840a6a4f5be/Office/Data/v32.cab', 'C:\Users\Admin\AppData\Local\Temp\over426768\v32.cab') }"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:2716

C:\Windows\system32\expand.exe
"expand" v32.cab -F:VersionDescriptor.xml C:\Users\Admin\AppData\Local\Temp\over426768
2⤵
PID:2012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -command "& { Get-Content C:\Users\Admin\AppData\Local\Temp\over426768\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2276

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /D /c C:\Users\Admin\DOWNLO~1\APPNEE~1.X64\files\Setup.exe /configure Configure.xml
2⤵
PID:2672

C:\Users\Admin\DOWNLO~1\APPNEE~1.X64\files\setup.exe
C:\Users\Admin\DOWNLO~1\APPNEE~1.X64\files\Setup.exe /configure Configure.xml
3⤵
- Executes dropped EXE
- Checks computer location settings
- Checks processor information in registry
- Enumerates system info in registry
- Modifies system certificate store
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of SetWindowsHookEx
PID:2896

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile "$package = Get-AppxPackage Microsoft.Office.Desktop -allUsers; if (!$package) { $Error.Add(\"Package is not installed\")}; if ($error.Count -eq 0) { Out-File -FilePath 'C:\Users\Admin\AppData\Local\Temp\Office.ValidateResult.scratch' -InputObject '1' -Encoding ascii; } else { Out-File -FilePath 'C:\Users\Admin\AppData\Local\Temp\Office.ValidateResult.scratch' -InputObject '0' -Encoding ascii; Out-File -FilePath 'C:\Users\Admin\AppData\Local\Temp\Office.ValidateError.scratch' -InputObject $error -Encoding ascii;} "
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2404

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile "$package = Get-AppxPackage Microsoft.Office.Desktop -allUsers; if (!$package) { $Error.Add(\"Package is not installed\")}; if ($error.Count -eq 0) { Out-File -FilePath 'C:\Users\Admin\AppData\Local\Temp\Office.ValidateResult.scratch' -InputObject '1' -Encoding ascii; } else { Out-File -FilePath 'C:\Users\Admin\AppData\Local\Temp\Office.ValidateResult.scratch' -InputObject '0' -Encoding ascii; Out-File -FilePath 'C:\Users\Admin\AppData\Local\Temp\Office.ValidateError.scratch' -InputObject $error -Encoding ascii;} "
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1776

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /D /c reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f /v "AudienceId" /t REG_SZ /d 64256afe-f5d9-4f86-8936-8840a6a4f5be
2⤵
PID:2196

C:\Windows\system32\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f /v "AudienceId" /t REG_SZ /d 64256afe-f5d9-4f86-8936-8840a6a4f5be
3⤵
PID:1532

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /D /c reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f /v "CDNBaseUrl" /t REG_SZ /d http://officecdn.microsoft.com/pr/64256afe-f5d9-4f86-8936-8840a6a4f5be
2⤵
PID:2820

C:\Windows\system32\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f /v "CDNBaseUrl" /t REG_SZ /d http://officecdn.microsoft.com/pr/64256afe-f5d9-4f86-8936-8840a6a4f5be
3⤵
PID:1920

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /D /c reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f /v "UpdateChannel" /t REG_SZ /d http://officecdn.microsoft.com/pr/64256afe-f5d9-4f86-8936-8840a6a4f5be
2⤵
PID:2236

C:\Windows\system32\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f /v "UpdateChannel" /t REG_SZ /d http://officecdn.microsoft.com/pr/64256afe-f5d9-4f86-8936-8840a6a4f5be
3⤵
PID:2376

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /D /c reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f /v "UpdateChannelChanged" /t REG_SZ /d True
2⤵
PID:2072

C:\Windows\system32\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f /v "UpdateChannelChanged" /t REG_SZ /d True
3⤵
PID:1096

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /D /c reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f /v "UpdateUrl" /t REG_SZ /d http://officecdn.microsoft.com/pr/64256afe-f5d9-4f86-8936-8840a6a4f5be
2⤵
PID:2944

C:\Windows\system32\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f /v "UpdateUrl" /t REG_SZ /d http://officecdn.microsoft.com/pr/64256afe-f5d9-4f86-8936-8840a6a4f5be
3⤵
PID:2880

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /D /c C:\Users\Admin\DOWNLO~1\APPNEE~1.X64\files\Setup.exe /configure Configure.xml
2⤵
PID:2152

C:\Users\Admin\DOWNLO~1\APPNEE~1.X64\files\setup.exe
C:\Users\Admin\DOWNLO~1\APPNEE~1.X64\files\Setup.exe /configure Configure.xml
3⤵
- Executes dropped EXE
- Checks computer location settings
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of SetWindowsHookEx
PID:2760

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile "$package = Get-AppxPackage Microsoft.Office.Desktop -allUsers; if (!$package) { $Error.Add(\"Package is not installed\")}; if ($error.Count -eq 0) { Out-File -FilePath 'C:\Users\Admin\AppData\Local\Temp\Office.ValidateResult.scratch' -InputObject '1' -Encoding ascii; } else { Out-File -FilePath 'C:\Users\Admin\AppData\Local\Temp\Office.ValidateResult.scratch' -InputObject '0' -Encoding ascii; Out-File -FilePath 'C:\Users\Admin\AppData\Local\Temp\Office.ValidateError.scratch' -InputObject $error -Encoding ascii;} "
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1084

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile "$package = Get-AppxPackage Microsoft.Office.Desktop -allUsers; if (!$package) { $Error.Add(\"Package is not installed\")}; if ($error.Count -eq 0) { Out-File -FilePath 'C:\Users\Admin\AppData\Local\Temp\Office.ValidateResult.scratch' -InputObject '1' -Encoding ascii; } else { Out-File -FilePath 'C:\Users\Admin\AppData\Local\Temp\Office.ValidateResult.scratch' -InputObject '0' -Encoding ascii; Out-File -FilePath 'C:\Users\Admin\AppData\Local\Temp\Office.ValidateError.scratch' -InputObject $error -Encoding ascii;} "
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1460

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /D /c reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f /v "AudienceId" /t REG_SZ /d 492350f6-3a01-4f97-b9c0-c7c6ddf67d60
2⤵
PID:2500

C:\Windows\system32\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f /v "AudienceId" /t REG_SZ /d 492350f6-3a01-4f97-b9c0-c7c6ddf67d60
3⤵
PID:2020

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /D /c reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f /v "CDNBaseUrl" /t REG_SZ /d http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60
2⤵
PID:1584

C:\Windows\system32\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f /v "CDNBaseUrl" /t REG_SZ /d http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60
3⤵
PID:2616

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /D /c reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f /v "UpdateChannel" /t REG_SZ /d http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60
2⤵
PID:1960

C:\Windows\system32\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f /v "UpdateChannel" /t REG_SZ /d http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60
3⤵
PID:1476

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /D /c reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f /v "UpdateChannelChanged" /t REG_SZ /d True
2⤵
PID:1580

C:\Windows\system32\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f /v "UpdateChannelChanged" /t REG_SZ /d True
3⤵
PID:2024

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /D /c reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f /v "UpdateUrl" /t REG_SZ /d http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60
2⤵
PID:1016

C:\Windows\system32\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f /v "UpdateUrl" /t REG_SZ /d http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60
3⤵
PID:1740

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /D /c C:\Users\Admin\DOWNLO~1\APPNEE~1.X64\files\Setup.exe /configure Configure.xml
2⤵
PID:2824

C:\Users\Admin\DOWNLO~1\APPNEE~1.X64\files\setup.exe
C:\Users\Admin\DOWNLO~1\APPNEE~1.X64\files\Setup.exe /configure Configure.xml
3⤵
- Executes dropped EXE
- Checks computer location settings
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of SetWindowsHookEx
PID:1756

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile "$package = Get-AppxPackage Microsoft.Office.Desktop -allUsers; if (!$package) { $Error.Add(\"Package is not installed\")}; if ($error.Count -eq 0) { Out-File -FilePath 'C:\Users\Admin\AppData\Local\Temp\Office.ValidateResult.scratch' -InputObject '1' -Encoding ascii; } else { Out-File -FilePath 'C:\Users\Admin\AppData\Local\Temp\Office.ValidateResult.scratch' -InputObject '0' -Encoding ascii; Out-File -FilePath 'C:\Users\Admin\AppData\Local\Temp\Office.ValidateError.scratch' -InputObject $error -Encoding ascii;} "
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1288

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile "$package = Get-AppxPackage Microsoft.Office.Desktop -allUsers; if (!$package) { $Error.Add(\"Package is not installed\")}; if ($error.Count -eq 0) { Out-File -FilePath 'C:\Users\Admin\AppData\Local\Temp\Office.ValidateResult.scratch' -InputObject '1' -Encoding ascii; } else { Out-File -FilePath 'C:\Users\Admin\AppData\Local\Temp\Office.ValidateResult.scratch' -InputObject '0' -Encoding ascii; Out-File -FilePath 'C:\Users\Admin\AppData\Local\Temp\Office.ValidateError.scratch' -InputObject $error -Encoding ascii;} "
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2480

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /D /c reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f /v "AudienceId" /t REG_SZ /d 64256afe-f5d9-4f86-8936-8840a6a4f5be
2⤵
PID:1636

C:\Windows\system32\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f /v "AudienceId" /t REG_SZ /d 64256afe-f5d9-4f86-8936-8840a6a4f5be
3⤵
PID:676

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /D /c reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f /v "CDNBaseUrl" /t REG_SZ /d http://officecdn.microsoft.com/pr/64256afe-f5d9-4f86-8936-8840a6a4f5be
2⤵
PID:2572

C:\Windows\system32\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f /v "CDNBaseUrl" /t REG_SZ /d http://officecdn.microsoft.com/pr/64256afe-f5d9-4f86-8936-8840a6a4f5be
3⤵
PID:2288

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /D /c reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f /v "UpdateChannel" /t REG_SZ /d http://officecdn.microsoft.com/pr/64256afe-f5d9-4f86-8936-8840a6a4f5be
2⤵
PID:1956

C:\Windows\system32\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f /v "UpdateChannel" /t REG_SZ /d http://officecdn.microsoft.com/pr/64256afe-f5d9-4f86-8936-8840a6a4f5be
3⤵
PID:1736

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /D /c reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f /v "UpdateChannelChanged" /t REG_SZ /d True
2⤵
PID:1916

C:\Windows\system32\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f /v "UpdateChannelChanged" /t REG_SZ /d True
3⤵
PID:972

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /D /c reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f /v "UpdateUrl" /t REG_SZ /d http://officecdn.microsoft.com/pr/64256afe-f5d9-4f86-8936-8840a6a4f5be
2⤵
PID:784

C:\Windows\system32\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f /v "UpdateUrl" /t REG_SZ /d http://officecdn.microsoft.com/pr/64256afe-f5d9-4f86-8936-8840a6a4f5be
3⤵
PID:316

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/f4f024c8-d611-4748-a7e0-02b6e754c0fe/Office/Data/v32.cab', 'C:\Users\Admin\AppData\Local\Temp\over708745\v32.cab') }"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:1680

C:\Windows\system32\expand.exe
"expand" v32.cab -F:VersionDescriptor.xml C:\Users\Admin\AppData\Local\Temp\over708745
2⤵
PID:1472

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -command "& { Get-Content C:\Users\Admin\AppData\Local\Temp\over708745\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }
2⤵
PID:2468

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/2e148de9-61c8-4051-b103-4af54baffbb4/Office/Data/v32.cab', 'C:\Users\Admin\AppData\Local\Temp\over902361\v32.cab') }"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:1692

C:\Windows\system32\expand.exe
"expand" v32.cab -F:VersionDescriptor.xml C:\Users\Admin\AppData\Local\Temp\over902361
2⤵
- Drops file in Windows directory
PID:896

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -command "& { Get-Content C:\Users\Admin\AppData\Local\Temp\over902361\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1864

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /D /c C:\Users\Admin\DOWNLO~1\APPNEE~1.X64\files\Setup.exe /configure Configure.xml
2⤵
PID:1568

C:\Users\Admin\DOWNLO~1\APPNEE~1.X64\files\setup.exe
C:\Users\Admin\DOWNLO~1\APPNEE~1.X64\files\Setup.exe /configure Configure.xml
3⤵
- Executes dropped EXE
- Checks computer location settings
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of SetWindowsHookEx
PID:832

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile "$package = Get-AppxPackage Microsoft.Office.Desktop -allUsers; if (!$package) { $Error.Add(\"Package is not installed\")}; if ($error.Count -eq 0) { Out-File -FilePath 'C:\Users\Admin\AppData\Local\Temp\Office.ValidateResult.scratch' -InputObject '1' -Encoding ascii; } else { Out-File -FilePath 'C:\Users\Admin\AppData\Local\Temp\Office.ValidateResult.scratch' -InputObject '0' -Encoding ascii; Out-File -FilePath 'C:\Users\Admin\AppData\Local\Temp\Office.ValidateError.scratch' -InputObject $error -Encoding ascii;} "
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1740

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile "$package = Get-AppxPackage Microsoft.Office.Desktop -allUsers; if (!$package) { $Error.Add(\"Package is not installed\")}; if ($error.Count -eq 0) { Out-File -FilePath 'C:\Users\Admin\AppData\Local\Temp\Office.ValidateResult.scratch' -InputObject '1' -Encoding ascii; } else { Out-File -FilePath 'C:\Users\Admin\AppData\Local\Temp\Office.ValidateResult.scratch' -InputObject '0' -Encoding ascii; Out-File -FilePath 'C:\Users\Admin\AppData\Local\Temp\Office.ValidateError.scratch' -InputObject $error -Encoding ascii;} "
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1088

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
OfficeClickToRun.exe platform=x64 culture=cs-cz productstoadd=O365ProPlusRetail.16_cs-cz_x-none|ProjectProRetail.16_cs-cz_x-none|VisioProRetail.16_cs-cz_x-none cdnbaseurl.16=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 baseurl.16=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 version.16=16.0.12527.22253 mediatype.16=CDN sourcetype.16=CDN O365ProPlusRetail.excludedapps.16=groove,lync updatesenabled.16=True updatebaseurl.16=http://officecdn.microsoft.com/pr/64256afe-f5d9-4f86-8936-8840a6a4f5be acceptalleulas.16=True displaylevel=True bitnessmigration=False deliverymechanism=492350f6-3a01-4f97-b9c0-c7c6ddf67d60 flt.useoutlookshareaddon=unknown flt.useofficehelperaddon=unknown flt.UseTeamsOnInstallConsumer=unknown flt.UseTeamsOnUpdateConsumer=unknown
4⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3060

C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe
"C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe" /silent
5⤵
PID:3164

C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe
"C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe" C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe /silent /permachine /silent /childprocess /cusid:S-1-5-21-999675638-2867687379-27515722-1000
6⤵
PID:1360

C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe
C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe /silent /peruser /childprocess
6⤵
PID:1324

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe"
7⤵
PID:1248

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonx64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exe
OLicenseHeartbeat.exe tokenactivate
5⤵
PID:1548

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /D /c reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f /v "AudienceId" /t REG_SZ /d 492350f6-3a01-4f97-b9c0-c7c6ddf67d60
2⤵
PID:3012

C:\Windows\system32\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f /v "AudienceId" /t REG_SZ /d 492350f6-3a01-4f97-b9c0-c7c6ddf67d60
3⤵
PID:3084

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /D /c reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f /v "CDNBaseUrl" /t REG_SZ /d http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60
2⤵
PID:1284

C:\Windows\system32\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f /v "CDNBaseUrl" /t REG_SZ /d http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60
3⤵
PID:1048

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /D /c reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f /v "UpdateChannel" /t REG_SZ /d http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60
2⤵
PID:3724

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /D /c reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f /v "UpdateChannelChanged" /t REG_SZ /d True
2⤵
PID:2748

C:\Windows\system32\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f /v "UpdateChannelChanged" /t REG_SZ /d True
3⤵
PID:3248

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /D /c reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f /v "UpdateUrl" /t REG_SZ /d http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60
2⤵
PID:2944

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc.exe stop sppsvc
2⤵
PID:3900

C:\Windows\System32\sc.exe
sc.exe stop sppsvc
3⤵
- Launches sc.exe
PID:936

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c net.exe stop sppsvc /y
2⤵
PID:1516

C:\Windows\System32\net.exe
net.exe stop sppsvc /y
3⤵
PID:676

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sppsvc /y
4⤵
PID:2476

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc.exe stop osppsvc
2⤵
PID:2932

C:\Windows\System32\sc.exe
sc.exe stop osppsvc
3⤵
- Launches sc.exe
PID:2864

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c net.exe stop osppsvc /y
2⤵
PID:3060

C:\Windows\System32\net.exe
net.exe stop osppsvc /y
3⤵
PID:3196

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop osppsvc /y
4⤵
PID:2832

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill.exe /t /f /IM sppsvc.exe
2⤵
PID:1468

C:\Windows\System32\taskkill.exe
taskkill.exe /t /f /IM sppsvc.exe
3⤵
- Kills process with taskkill
PID:4044

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill.exe /t /f /IM osppsvc.exe
2⤵
PID:2084

C:\Windows\System32\taskkill.exe
taskkill.exe /t /f /IM osppsvc.exe
3⤵
- Kills process with taskkill
PID:4008

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill.exe /t /f /IM SppExtComObj.exe
2⤵
PID:3128

C:\Windows\System32\taskkill.exe
taskkill.exe /t /f /IM SppExtComObj.exe
3⤵
- Kills process with taskkill
PID:1260

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /D /c reg.exe delete "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform" /v "NoGenTicket" /f
2⤵
PID:2284

C:\Windows\System32\reg.exe
reg.exe delete "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform" /v "NoGenTicket" /f
3⤵
PID:2724

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /D /c schtasks.exe /delete /f /tn "\Microsoft\Windows\SoftwareProtectionPlatform\SvcTrigger"
2⤵
PID:3448

C:\Windows\System32\schtasks.exe
schtasks.exe /delete /f /tn "\Microsoft\Windows\SoftwareProtectionPlatform\SvcTrigger"
3⤵
PID:1232

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /D /c reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe" /f /v Debugger
2⤵
PID:1736

C:\Windows\System32\reg.exe
reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe" /f /v Debugger
3⤵
PID:784

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /D /c reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe" /f /v "KMS_Emulation" /t REG_DWORD /d 1
2⤵
PID:1472

C:\Windows\System32\reg.exe
reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe" /f /v "KMS_Emulation" /t REG_DWORD /d 1
3⤵
PID:3864

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /D /c reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe" /f /v "GlobalFlag" /t REG_DWORD /d 256
2⤵
PID:1236

C:\Windows\System32\reg.exe
reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe" /f /v "GlobalFlag" /t REG_DWORD /d 256
3⤵
PID:3000

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /D /c reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe" /f /v "KMS_ActivationInterval" /t REG_DWORD /d 120
2⤵
PID:972

C:\Windows\System32\reg.exe
reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe" /f /v "KMS_ActivationInterval" /t REG_DWORD /d 120
3⤵
PID:1936

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /D /c reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe" /f /v "KMS_RenewalInterval" /t REG_DWORD /d 10080
2⤵
PID:3756

C:\Windows\System32\reg.exe
reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe" /f /v "KMS_RenewalInterval" /t REG_DWORD /d 10080
3⤵
PID:468

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /D /c reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe" /f /v "VerifierDlls" /t REG_SZ /d "SppExtComObjHook.dll"
2⤵
PID:2840

C:\Windows\System32\reg.exe
reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe" /f /v "VerifierDlls" /t REG_SZ /d "SppExtComObjHook.dll"
3⤵
PID:3616

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /D /c reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v Debugger
2⤵
PID:3484

C:\Windows\System32\reg.exe
reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v Debugger
3⤵
PID:1684

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /D /c reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "KMS_Emulation" /t REG_DWORD /d 1
2⤵
PID:3620

C:\Windows\System32\reg.exe
reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "KMS_Emulation" /t REG_DWORD /d 1
3⤵
PID:1404

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /D /c reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "GlobalFlag" /t REG_DWORD /d 256
2⤵
PID:3956

C:\Windows\System32\reg.exe
reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "GlobalFlag" /t REG_DWORD /d 256
3⤵
PID:1992

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /D /c reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "KMS_ActivationInterval" /t REG_DWORD /d 120
2⤵
PID:452

C:\Windows\System32\reg.exe
reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "KMS_ActivationInterval" /t REG_DWORD /d 120
3⤵
PID:3320

C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
2⤵
PID:2944

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /D /c reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "KMS_RenewalInterval" /t REG_DWORD /d 10080
2⤵
PID:968

C:\Windows\System32\reg.exe
reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "KMS_RenewalInterval" /t REG_DWORD /d 10080
3⤵
PID:3016

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /D /c reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "VerifierDlls" /t REG_SZ /d "SppExtComObjHook.dll"
2⤵
PID:3936

C:\Windows\System32\reg.exe
reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "VerifierDlls" /t REG_SZ /d "SppExtComObjHook.dll"
3⤵
PID:3356

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /D /c reg.exe add "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v "KeyManagementServiceName" /t REG_SZ /d 10.3.0.20
2⤵
PID:3988

C:\Windows\System32\reg.exe
reg.exe add "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v "KeyManagementServiceName" /t REG_SZ /d 10.3.0.20
3⤵
PID:2648

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /D /c reg.exe add "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v "KeyManagementServicePort" /t REG_SZ /d 1688
2⤵
PID:3408

C:\Windows\System32\reg.exe
reg.exe add "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v "KeyManagementServicePort" /t REG_SZ /d 1688
3⤵
PID:2308

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /D /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
2⤵
PID:2740

C:\Windows\System32\netsh.exe
Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
3⤵
- Modifies Windows Firewall
PID:1360

C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
2⤵
PID:3924

C:\Program Files\Microsoft Office\root\Office16\MSPUB.EXE
"C:\Program Files\Microsoft Office\root\Office16\MSPUB.EXE"
2⤵
PID:3332

C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
2⤵
PID:2932

C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE"
2⤵
PID:3156

C:\Program Files\Microsoft Office\Root\Office16\ONENOTEM.EXE
/tsr
3⤵
PID:3340

C:\Program Files\Microsoft Office\root\Office16\MSACCESS.EXE
"C:\Program Files\Microsoft Office\root\Office16\MSACCESS.EXE"
2⤵
PID:3168

C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE"
2⤵
PID:1968

C:\Program Files\Microsoft Office\root\Office16\VISIO.EXE
"C:\Program Files\Microsoft Office\root\Office16\VISIO.EXE"
2⤵
PID:3888

C:\Program Files\Microsoft Office\root\Office16\WINPROJ.EXE
"C:\Program Files\Microsoft Office\root\Office16\WINPROJ.EXE"
2⤵
PID:2196

C:\Program Files\Microsoft Office\root\Office16\VISIO.EXE
"C:\Program Files\Microsoft Office\root\Office16\VISIO.EXE"
2⤵
PID:2296

C:\Program Files\Microsoft Office\root\Office16\WINPROJ.EXE
"C:\Program Files\Microsoft Office\root\Office16\WINPROJ.EXE"
2⤵
PID:2864

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1259760091-1879297275-12733375021282170083-615200200117703956314596522541537780420"
1⤵
- Loads dropped DLL
PID:1876

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1225887380-5516479701156123782-114367784719676086871335378533652208030679906293"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2848

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-6200054081867081044-656337162-6443156041662299344-307503853-592978870-757417833"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2780

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1517859016-12942232061621502808-10922072753819847662051574044-532682123392033170"
1⤵
- Drops file in Windows directory
PID:2080

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "10710323971167658746-12057947811433402592-17297083671409147526-1884564928-2074683707"
1⤵
PID:2672

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-197498485-606126068-519059227-1988568009-24192970459866801484797716119435953"
1⤵
PID:2456

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1108314659876591525-5418481711773806741961137279-12493336121779044260-1112582445"
1⤵
PID:1132

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "8397747052059493098278570918-1998730712029074052-13714938414462685261324809842"
1⤵
PID:2288

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1792269949-1655995893-55506412-679898819-230265977-1241649662-1161400942-29411468"
1⤵
PID:2924

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "3603221821336412055-1083272042656085328-998308042849912707-14538364431379025279"
1⤵
PID:2964

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2001715812304073966-1184321845-1582927623603585675-753744034-16681488-921611969"
1⤵
PID:2232

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "122690634212429449051111621539-17855593612093685086-1771018615-838302356-1262066920"
1⤵
PID:1472

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1504099085-1320924608758789562-399570658168095216010858271162004222800-988120057"
1⤵
- Drops file in Windows directory
PID:308

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "734533339-1457742713876543079-1544695208-2237447029336577072055413302529185407"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2468

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-382399477-352041038-508627419637578609-1930415831-650255553-1438417370944231554"
1⤵
PID:2716

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "7900851291359339395-74554735178435861119977940781736979525-14068011061194746962"
1⤵
PID:2516

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1740051284-665851903-379950926385120243-98661345-862083488-282869287-1635625652"
1⤵
- Drops file in Windows directory
PID:3036

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2436

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1636

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1636.0.708570335\1259927006" -parentBuildID 20200403170909 -prefsHandle 1108 -prefMapHandle 1100 -prefsLen 1 -prefMapSize 220729 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1636 "\\.\pipe\gecko-crash-server-pipe.1636" 1172 gpu
3⤵
PID:2856

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1636.3.1157591521\163841905" -childID 1 -isForBrowser -prefsHandle 1688 -prefMapHandle 1684 -prefsLen 446 -prefMapSize 220729 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1636 "\\.\pipe\gecko-crash-server-pipe.1636" 1692 tab
3⤵
PID:3064

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1636.13.1017960308\783387000" -childID 2 -isForBrowser -prefsHandle 2692 -prefMapHandle 2688 -prefsLen 6602 -prefMapSize 220729 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1636 "\\.\pipe\gecko-crash-server-pipe.1636" 2704 tab
3⤵
PID:336

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1336

C:\Program Files\Microsoft Office\root\integration\integrator.exe
integrator.exe /U /Extension /Msi /License PRIDName= PackageGUID="9AC08E99-230B-47e8-9721-4577B7F124EA" PackageRoot="C:\Program Files\Microsoft Office\root"
2⤵
- Executes dropped EXE
- Registers COM server for autorun
- Sets file execution options in registry
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /Delete /F /tn "Microsoft\Office\Office Feature Updates"
3⤵
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /Create /tn "Microsoft\Office\Office Feature Updates" /XML "C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_Office Feature Updates.xml"
3⤵
- Creates scheduled task(s)
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /Delete /F /tn "Microsoft\Office\Office Feature Updates Logon"
3⤵
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /Create /tn "Microsoft\Office\Office Feature Updates Logon" /XML "C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_Office Feature Updates Logon.xml"
3⤵
- Creates scheduled task(s)
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /Delete /F /tn "Microsoft\Office\OfficeTelemetryAgentLogOn2016"
3⤵
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /Create /tn "Microsoft\Office\OfficeTelemetryAgentLogOn2016" /XML "C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml"
3⤵
- Creates scheduled task(s)
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /Delete /F /tn "Microsoft\Office\OfficeTelemetryAgentFallBack2016"
3⤵
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /Create /tn "Microsoft\Office\OfficeTelemetryAgentFallBack2016" /XML "C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml"
3⤵
- Creates scheduled task(s)
PID:2132

C:\Windows\System32\wevtutil.exe
wevtutil.exe im "C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\wordEtw.man" /rf:"C:\Program Files\Microsoft Office\root\Office16\wwlib.dll" /mf:"C:\Program Files\Microsoft Office\root\Office16\wwlib.dll"
3⤵
PID:2172

C:\Windows\System32\wevtutil.exe
wevtutil.exe im "C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\msoutilstat.etw.man" /rf:"C:\Program Files\Microsoft Office\root\Office16\msoetwres.dll" /mf:"C:\Program Files\Microsoft Office\root\Office16\msoetwres.dll"
3⤵
PID:3064

C:\Windows\System32\wevtutil.exe
wevtutil.exe im "C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\AirSpace.Etw.man" /rf:"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\mso.dll" /mf:"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\mso.dll"
3⤵
PID:2488

C:\Windows\System32\wevtutil.exe
wevtutil.exe im "C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\wordEtw.man" /rf:"C:\Program Files\Microsoft Office\root\Office16\wwlib.dll" /mf:"C:\Program Files\Microsoft Office\root\Office16\wwlib.dll"
3⤵
PID:2400

C:\Windows\System32\wevtutil.exe
wevtutil.exe im "C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\AirSpace.Etw.man" /rf:"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\mso.dll" /mf:"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\mso.dll"
3⤵
PID:556

C:\Windows\system32\schtasks.exe
schtasks.exe /Delete /F /tn "Microsoft\Office\Office ClickToRun Service Monitor"
2⤵
PID:1792

C:\Program Files\Microsoft Office\root\integration\integrator.exe
integrator.exe /I /Msi MsiName=SPPRedist.msi,SPPRedist64.msi PackageGUID="9AC08E99-230B-47e8-9721-4577B7F124EA" PackageRoot="C:\Program Files\Microsoft Office\root"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /change /tn "Microsoft\Office\Office ClickToRun Service Monitor" /enable
2⤵
PID:3080

C:\Windows\system32\schtasks.exe
schtasks.exe /Create /tn "Microsoft\Office\Office ClickToRun Service Monitor" /XML "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\ServiceWatcherSchedule.xml"
2⤵
- Creates scheduled task(s)
PID:3100

C:\Windows\system32\schtasks.exe
schtasks.exe /change /tn "Microsoft\Office\Office ClickToRun Service Monitor" /enable
2⤵
PID:3144

C:\Windows\system32\schtasks.exe
schtasks.exe /change /tn "Microsoft\Office\Office Automatic Updates" /enable
2⤵
PID:3160

C:\Windows\system32\schtasks.exe
schtasks.exe /Delete /F /tn "Microsoft\Office\Office Automatic Updates 2.0"
2⤵
PID:3224

C:\Windows\system32\schtasks.exe
schtasks.exe /change /tn "Microsoft\Office\Office Automatic Updates 2.0" /enable
2⤵
PID:3248

C:\Windows\system32\schtasks.exe
schtasks.exe /Create /tn "Microsoft\Office\Office Automatic Updates 2.0" /XML "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\FrequentOfficeUpdateSchedule.xml"
2⤵
- Creates scheduled task(s)
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /change /tn "Microsoft\Office\Office Automatic Updates 2.0" /enable
2⤵
PID:3272

C:\Program Files\Microsoft Office\root\integration\integrator.exe
integrator.exe /I /License PRIDName=O365ProPlusRetail.16,ProjectProRetail.16,VisioProRetail.16 PackageGUID="9AC08E99-230B-47e8-9721-4577B7F124EA" PackageRoot="C:\Program Files\Microsoft Office\root"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3792

C:\Program Files\Microsoft Office\root\integration\integrator.exe
integrator.exe /I /Extension /Sunrise PackageGUID="9AC08E99-230B-47e8-9721-4577B7F124EA" PackageRoot="C:\Program Files\Microsoft Office\root"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3928

C:\Program Files\Microsoft Office\root\Office16\perfboost.exe
perfboost.exe EnsureVE
2⤵
PID:2460

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe"
2⤵
PID:308

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe"
2⤵
PID:2272

C:\Program Files\Microsoft Office\root\integration\integrator.exe
integrator.exe /I /Extension /Msi /StreamFull MsiName=C2RInt.16.msi,C2RIntLoc.cs-cz.16.msi,* PackageGUID="9AC08E99-230B-47e8-9721-4577B7F124EA" PackageRoot="C:\Program Files\Microsoft Office\root"
2⤵
PID:108

C:\Windows\system32\schtasks.exe
schtasks.exe /Delete /F /tn "Microsoft\Office\Office Feature Updates"
3⤵
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /Create /tn "Microsoft\Office\Office Feature Updates" /XML "C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_Office Feature Updates.xml"
3⤵
- Creates scheduled task(s)
PID:144

C:\Windows\system32\schtasks.exe
schtasks.exe /Delete /F /tn "Microsoft\Office\Office Feature Updates Logon"
3⤵
PID:3888

C:\Windows\system32\schtasks.exe
schtasks.exe /Create /tn "Microsoft\Office\Office Feature Updates Logon" /XML "C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_Office Feature Updates Logon.xml"
3⤵
- Creates scheduled task(s)
PID:3100

C:\Windows\System32\wevtutil.exe
wevtutil.exe im "C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\msoutilstat.etw.man" /rf:"C:\Program Files\Microsoft Office\root\Office16\msoetwres.dll" /mf:"C:\Program Files\Microsoft Office\root\Office16\msoetwres.dll"
3⤵
PID:3160

C:\Windows\System32\wevtutil.exe
wevtutil.exe im "C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\AirSpace.Etw.man" /rf:"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\mso.dll" /mf:"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\mso.dll"
3⤵
PID:3288

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe" /progressandlaunch AppTargets="root\office16\excel.exe|root\office16\msaccess.exe|root\office16\mspub.exe|root\office16\onenote.exe|root\office16\outlook.exe|root\office16\powerpnt.exe|root\office16\teams.exe|root\office16\visio.exe|root\office16\winproj.exe|root\office16\winword.exe" ManualUpgrade=False ScenarioToTrack="Scenario:{FB9843BB-0D8A-4347-A227-C759C3FC9103}@INSTALL"
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1620

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2968

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1436

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1436.0.366404065\961478065" -parentBuildID 20200403170909 -prefsHandle 1100 -prefMapHandle 904 -prefsLen 1 -prefMapSize 220788 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1436 "\\.\pipe\gecko-crash-server-pipe.1436" 1196 gpu
3⤵
PID:2120

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1436.3.411792879\1546935355" -childID 1 -isForBrowser -prefsHandle 1720 -prefMapHandle 1752 -prefsLen 397 -prefMapSize 220788 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1436 "\\.\pipe\gecko-crash-server-pipe.1436" 1628 tab
3⤵
PID:1380

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:1976

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
PID:1728

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1740

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "8" "C:\Windows\TEMP\{304a2dc0-15dd-4225-8ec4-3436fa8e6559}\prnms006.inf" "9" "6d118fdab" "00000000000005D0" "Service-0x0-3e7$\Default" "00000000000004D4" "208" "C:\Program Files\Microsoft Office\root\Office16\OneNote"
1⤵
- Drops file in System32 directory
PID:2772

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "8" "C:\Windows\TEMP\{3d5b80f0-0ffe-48a9-f6f8-9f5699574729}\prnSendToOneNote_Win7.inf" "9" "68aebaa27" "00000000000004D4" "Service-0x0-3e7$\Default" "00000000000005B8" "208" "C:\Program Files\Microsoft Office\root\Office16\OneNote"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2524

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:1356

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:2180

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2180.0.1338419809\1566231657" -parentBuildID 20200403170909 -prefsHandle 1080 -prefMapHandle 1072 -prefsLen 1 -prefMapSize 220788 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2180 "\\.\pipe\gecko-crash-server-pipe.2180" 1160 gpu
3⤵
PID:1972

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2180.3.1477511895\311439171" -childID 1 -isForBrowser -prefsHandle 4972 -prefMapHandle 4968 -prefsLen 437 -prefMapSize 220788 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2180 "\\.\pipe\gecko-crash-server-pipe.2180" 4984 tab
3⤵
PID:3308

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2180.13.1399023769\1394354199" -childID 2 -isForBrowser -prefsHandle 1652 -prefMapHandle 3604 -prefsLen 6593 -prefMapSize 220788 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2180 "\\.\pipe\gecko-crash-server-pipe.2180" 3540 tab
3⤵
PID:3604

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2180.20.1873973319\974600604" -parentBuildID 20200403170909 -prefsHandle 1684 -prefMapHandle 1804 -prefsLen 8506 -prefMapSize 220788 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2180 "\\.\pipe\gecko-crash-server-pipe.2180" 1704 rdd
3⤵
PID:4052

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2180.24.697769625\1911398808" -childID 3 -isForBrowser -prefsHandle 2816 -prefMapHandle 3632 -prefsLen 8584 -prefMapSize 220788 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2180 "\\.\pipe\gecko-crash-server-pipe.2180" 4072 tab
3⤵
PID:4020

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4080

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1090235862-20356404201010668606-737832483221423589-53209113620705077191257465223"
1⤵
PID:1944

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1624067237-2790875642145356933-1439646006706512215158753856020738306901535444434"
1⤵
PID:1776

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1730025932262764018-1629725149-1603317633140620503111792242446441246341869074041"
1⤵
PID:1480

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "210956460966324481885930182-214474879814229629411103187216511806529666467589"
1⤵
PID:1080

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1024437080-3268975446740342611040237710-203182818312793734901428951966908834162"
1⤵
PID:836

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
- Drops file in Windows directory
PID:972

\??\c:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"c:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:2276

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:2548

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Downloads\office-C2R-to-VOL-master\office-C2R-to-VOL-master\Convert-C2R.cmd
1⤵
PID:1776

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:3900

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\office-C2R-to-VOL-master\office-C2R-to-VOL-master\Convert-C2R.cmd"
1⤵
PID:3496

C:\Windows\System32\fsutil.exe
fsutil dirty query C:
2⤵
PID:2992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ver
2⤵
PID:3292

C:\Windows\System32\sc.exe
sc query ClickToRunSvc
2⤵
- Launches sc.exe
PID:3944

C:\Windows\System32\sc.exe
sc query OfficeSvc
2⤵
- Launches sc.exe
PID:3232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath" 2>nul
2⤵
PID:3204

C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath
3⤵
- Modifies registry key
PID:3508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath" 2>nul
2⤵
PID:4028

C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath
3⤵
- Modifies registry key
PID:1696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v PackageGUID" 2>nul
2⤵
PID:2212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds" 2>nul
2⤵
PID:1008

C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds
3⤵
- Modifies registry key
PID:3788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\ProductReleaseIDs /v ActiveConfiguration" 2>nul
2⤵
PID:3920

C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\ProductReleaseIDs /v ActiveConfiguration
3⤵
- Modifies registry key
PID:2772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path OfficeSoftwareProtectionService get version /value" 2>nul
2⤵
PID:2880

C:\Windows\System32\Wbem\WMIC.exe
wmic path OfficeSoftwareProtectionService get version /value
3⤵
PID:2016

C:\Windows\System32\Wbem\WMIC.exe
wmic path OfficeSoftwareProtectionProduct where (Description like '%KMSCLIENT%' AND not LicenseFamily='Office16MondoR_KMS_Automation') get LicenseFamily
2⤵
PID:3980

C:\Windows\System32\findstr.exe
findstr /i /C:"Office"
2⤵
PID:3752

C:\Windows\System32\findstr.exe
findstr /i /C:"Office"
2⤵
PID:3972

C:\Windows\System32\Wbem\WMIC.exe
wmic path OfficeSoftwareProtectionProduct where (Description like '%TIMEBASED%') get LicenseFamily
2⤵
PID:3176

C:\Windows\System32\findstr.exe
findstr /i /C:"Office"
2⤵
PID:3404

C:\Windows\System32\Wbem\WMIC.exe
wmic path OfficeSoftwareProtectionProduct where (Description like '%Grace%') get LicenseFamily
2⤵
PID:3828

C:\Users\Admin\Downloads\office-C2R-to-VOL-master\office-C2R-to-VOL-master\x64\cleanospp.exe
"C:\Users\Admin\Downloads\office-C2R-to-VOL-master\office-C2R-to-VOL-master\x64\cleanospp.exe" -Licenses
2⤵
PID:3560

C:\Windows\System32\findstr.exe
findstr /I /C:"MondoRetail" "C:\Windows\Temp\ProductIds.txt"
2⤵
PID:3788

C:\Windows\System32\findstr.exe
findstr /I /C:"ProjectPro2019Retail" "C:\Windows\Temp\ProductIds.txt"
2⤵
PID:2724

C:\Windows\System32\findstr.exe
findstr /I /C:"Standard2019Retail" "C:\Windows\Temp\ProductIds.txt"
2⤵
PID:2664

C:\Windows\System32\findstr.exe
findstr /I /C:"VisioStd2019Retail" "C:\Windows\Temp\ProductIds.txt"
2⤵
PID:3172

C:\Windows\System32\findstr.exe
findstr /I /C:"ProjectStd2019Retail" "C:\Windows\Temp\ProductIds.txt"
2⤵
PID:1472

C:\Windows\System32\findstr.exe
findstr /I /C:"Excel2019Retail" "C:\Windows\Temp\ProductIds.txt"
2⤵
PID:3940

C:\Windows\System32\findstr.exe
findstr /I /C:"PowerPoint2019Retail" "C:\Windows\Temp\ProductIds.txt"
2⤵
PID:2052

C:\Windows\System32\findstr.exe
findstr /I /C:"Publisher2019Retail" "C:\Windows\Temp\ProductIds.txt"
2⤵
PID:1736

C:\Windows\System32\findstr.exe
findstr /I /C:"Access2019Retail" "C:\Windows\Temp\ProductIds.txt"
2⤵
PID:3412

C:\Windows\System32\findstr.exe
findstr /I /C:"Professional2019Retail" "C:\Windows\Temp\ProductIds.txt"
2⤵
PID:1404

C:\Windows\System32\findstr.exe
findstr /I /C:"HomeStudent2019Retail" "C:\Windows\Temp\ProductIds.txt"
2⤵
PID:3668

C:\Windows\System32\findstr.exe
findstr /I /C:"O365SmallBusPremRetail" "C:\Windows\Temp\ProductIds.txt"
2⤵
PID:3488

C:\Windows\System32\findstr.exe
findstr /I /C:"O365EduCloudRetail" "C:\Windows\Temp\ProductIds.txt"
2⤵
PID:2948

C:\Windows\System32\findstr.exe
findstr /I /C:"HomeBusinessRetail" "C:\Windows\Temp\ProductIds.txt"
2⤵
PID:3636

C:\Windows\System32\findstr.exe
findstr /I /C:"HomeStudentRetail" "C:\Windows\Temp\ProductIds.txt"
2⤵
PID:3580

C:\Windows\System32\findstr.exe
findstr /I /C:"ProjectProRetail" "C:\Windows\Temp\ProductIds.txt"
2⤵
PID:3692

C:\Windows\System32\findstr.exe
findstr /I /C:"StandardRetail" "C:\Windows\Temp\ProductIds.txt"
2⤵
PID:4060

C:\Windows\System32\findstr.exe
findstr /I /C:"ProjectStdRetail" "C:\Windows\Temp\ProductIds.txt"
2⤵
- Executes dropped EXE
PID:2460

C:\Windows\System32\findstr.exe
findstr /I /C:"VisioStdRetail" "C:\Windows\Temp\ProductIds.txt"
2⤵
PID:3428

C:\Windows\System32\findstr.exe
findstr /I /C:"ExcelRetail" "C:\Windows\Temp\ProductIds.txt"
2⤵
PID:2408

C:\Windows\System32\findstr.exe
findstr /I /C:"OutlookRetail" "C:\Windows\Temp\ProductIds.txt"
2⤵
PID:3688

C:\Windows\System32\findstr.exe
findstr /I /C:"PowerPointRetail" "C:\Windows\Temp\ProductIds.txt"
2⤵
PID:3116

C:\Windows\System32\findstr.exe
findstr /I /C:"WordRetail" "C:\Windows\Temp\ProductIds.txt"
2⤵
PID:2792

C:\Windows\System32\findstr.exe
findstr /I /C:"SkypeforBusinessRetail" "C:\Windows\Temp\ProductIds.txt"
2⤵
PID:3796

C:\Windows\System32\Wbem\WMIC.exe
wmic path OfficeSoftwareProtectionProduct get LicenseFamily
2⤵
PID:2236

C:\Windows\System32\findstr.exe
findstr /I /C:"AccessRetail" "C:\Windows\Temp\ProductIds.txt"
2⤵
PID:3464

C:\Windows\System32\findstr.exe
findstr /I /C:"PublisherRetail" "C:\Windows\Temp\ProductIds.txt"
2⤵
PID:4004

C:\Windows\System32\findstr.exe
findstr /I /C:"OneNoteRetail" "C:\Windows\Temp\ProductIds.txt"
2⤵
PID:3420

C:\Windows\System32\findstr.exe
findstr /I /C:"VisioProRetail" "C:\Windows\Temp\ProductIds.txt"
2⤵
PID:452

C:\Windows\System32\findstr.exe
findstr /I /C:"ProfessionalRetail" "C:\Windows\Temp\ProductIds.txt"
2⤵
PID:3896

C:\Windows\System32\findstr.exe
findstr /I /C:"O365HomePremRetail" "C:\Windows\Temp\ProductIds.txt"
2⤵
PID:3480

C:\Windows\System32\findstr.exe
findstr /I /C:"O365BusinessRetail" "C:\Windows\Temp\ProductIds.txt"
2⤵
PID:2520

C:\Windows\System32\findstr.exe
findstr /I /C:"O365ProPlusRetail" "C:\Windows\Temp\ProductIds.txt"
2⤵
PID:2148

C:\Windows\System32\findstr.exe
findstr /I /C:"HomeBusiness2019Retail" "C:\Windows\Temp\ProductIds.txt"
2⤵
PID:3632

C:\Windows\System32\findstr.exe
findstr /I /C:"SkypeforBusiness2019Retail" "C:\Windows\Temp\ProductIds.txt"
2⤵
PID:3328

C:\Windows\System32\findstr.exe
findstr /I /C:"MondoVolume" "C:\Windows\Temp\ProductIds.txt"
2⤵
PID:1484

C:\Windows\System32\findstr.exe
findstr /I /C:"ProjectPro2019Volume" "C:\Windows\Temp\ProductIds.txt"
2⤵
PID:1464

C:\Windows\System32\findstr.exe
findstr /I /C:"VisioPro2019Volume" "C:\Windows\Temp\ProductIds.txt"
2⤵
PID:2908

C:\Windows\System32\findstr.exe
findstr /I /C:"VisioStd2019Volume" "C:\Windows\Temp\ProductIds.txt"
2⤵
PID:1480

C:\Windows\System32\findstr.exe
findstr /I /C:"Outlook2019Volume" "C:\Windows\Temp\ProductIds.txt"
2⤵
PID:3512

C:\Windows\System32\findstr.exe
findstr /I /C:"PowerPoint2019Volume" "C:\Windows\Temp\ProductIds.txt"
2⤵
PID:1168

C:\Windows\System32\findstr.exe
findstr /I /C:"Publisher2019Volume" "C:\Windows\Temp\ProductIds.txt"
2⤵
PID:1868

C:\Windows\System32\findstr.exe
findstr /I /C:"Word2019Volume" "C:\Windows\Temp\ProductIds.txt"
2⤵
PID:524

C:\Windows\System32\findstr.exe
findstr /I /C:"SkypeforBusiness2019Volume" "C:\Windows\Temp\ProductIds.txt"
2⤵
PID:1744

C:\Windows\System32\findstr.exe
findstr /I /C:"StandardVolume" "C:\Windows\Temp\ProductIds.txt"
2⤵
PID:912

C:\Windows\System32\findstr.exe
findstr /I /C:"VisioStdVolume" "C:\Windows\Temp\ProductIds.txt"
2⤵
PID:3400

C:\Windows\System32\findstr.exe
findstr /I /C:"OneNoteVolume" "C:\Windows\Temp\ProductIds.txt"
2⤵
PID:2808

C:\Windows\System32\findstr.exe
findstr /I /C:"PowerPointVolume" "C:\Windows\Temp\ProductIds.txt"
2⤵
PID:3396

C:\Windows\System32\findstr.exe
findstr /I /C:"WordVolume" "C:\Windows\Temp\ProductIds.txt"
2⤵
PID:1540

C:\Windows\System32\findstr.exe
findstr /I /C:"SkypeforBusinessVolume" "C:\Windows\Temp\ProductIds.txt"
2⤵
PID:2872

C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\ProductReleaseIDs\B7FAF540-1582-42EA-B617-C992ADEEE4F8\ProPlusVolume.16
2⤵
- Modifies registry key
PID:3876

C:\Program Files\Microsoft Office\root\integration\Integrator.exe
"C:\Program Files\Microsoft Office\root\integration\integrator.exe" /I /License PRIDName=O365ProPlusRetail.16 PidKey=DRNV7-VGMM2-B3G9T-4BF84-VMFTK PackageGUID="9AC08E99-230B-47e8-9721-4577B7F124EA" PackageRoot="C:\Program Files\Microsoft Office\root"
2⤵
PID:2864

C:\Windows\System32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /f /v O365ProPlusRetail.OSPPReady
2⤵
- Modifies registry key
PID:3240

C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\ProductReleaseIDs\B7FAF540-1582-42EA-B617-C992ADEEE4F8\ProPlusRetail.16
2⤵
- Modifies registry key
PID:3152

C:\Windows\System32\findstr.exe
findstr /I /C:"AccessVolume" "C:\Windows\Temp\ProductIds.txt"
2⤵
PID:1128

C:\Windows\System32\findstr.exe
findstr /I /C:"PublisherVolume" "C:\Windows\Temp\ProductIds.txt"
2⤵
PID:2140

C:\Windows\System32\findstr.exe
findstr /I /C:"OutlookVolume" "C:\Windows\Temp\ProductIds.txt"
2⤵
PID:3444

C:\Windows\System32\findstr.exe
findstr /I /C:"ExcelVolume" "C:\Windows\Temp\ProductIds.txt"
2⤵
PID:836

C:\Windows\System32\findstr.exe
findstr /I /C:"ProjectStdVolume" "C:\Windows\Temp\ProductIds.txt"
2⤵
PID:1476

C:\Windows\System32\findstr.exe
findstr /I /C:"VisioProVolume" "C:\Windows\Temp\ProductIds.txt"
2⤵
PID:3944

C:\Windows\System32\findstr.exe
findstr /I /C:"ProjectProVolume" "C:\Windows\Temp\ProductIds.txt"
2⤵
PID:3744

C:\Windows\System32\findstr.exe
findstr /I /C:"Access2019Volume" "C:\Windows\Temp\ProductIds.txt"
2⤵
PID:2336

C:\Windows\System32\findstr.exe
findstr /I /C:"Excel2019Volume" "C:\Windows\Temp\ProductIds.txt"
2⤵
PID:4048

C:\Windows\System32\findstr.exe
findstr /I /C:"ProjectStd2019Volume" "C:\Windows\Temp\ProductIds.txt"
2⤵
PID:2248

C:\Windows\System32\findstr.exe
findstr /I /C:"Standard2019Volume" "C:\Windows\Temp\ProductIds.txt"
2⤵
PID:1752

C:\Windows\System32\findstr.exe
findstr /I /C:"ProPlus2019Volume" "C:\Windows\Temp\ProductIds.txt"
2⤵
PID:2740

C:\Windows\System32\findstr.exe
findstr /I /C:"Word2019Retail" "C:\Windows\Temp\ProductIds.txt"
2⤵
PID:848

C:\Windows\System32\findstr.exe
findstr /I /C:"Outlook2019Retail" "C:\Windows\Temp\ProductIds.txt"
2⤵
PID:2952

C:\Windows\System32\findstr.exe
findstr /I /C:"VisioPro2019Retail" "C:\Windows\Temp\ProductIds.txt"
2⤵
PID:3920

C:\Windows\System32\findstr.exe
findstr /I /C:"ProPlus2019Retail" "C:\Windows\Temp\ProductIds.txt"
2⤵
PID:2544

C:\Windows\System32\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /f /v O365ProPlusRetail.OSPPReady /t REG_SZ /d 1
2⤵
- Modifies registry key
PID:1688

C:\Program Files\Microsoft Office\root\integration\Integrator.exe
"C:\Program Files\Microsoft Office\root\integration\integrator.exe" /I /License PRIDName=MondoVolume.16 PackageGUID="9AC08E99-230B-47e8-9721-4577B7F124EA" PackageRoot="C:\Program Files\Microsoft Office\root"
2⤵
PID:3872

C:\Windows\System32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /f /v MondoVolume.OSPPReady
2⤵
- Modifies registry key
PID:3292

C:\Windows\System32\findstr.exe
findstr /I "O365ProPlusRetail"
2⤵
PID:3964

C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds
2⤵
- Modifies registry key
PID:3060

C:\Windows\System32\findstr.exe
findstr /I "MondoVolume"
2⤵
PID:3480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds
2⤵
PID:2948

C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds
3⤵
- Modifies registry key
PID:3896

C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds
2⤵
- Modifies registry key
PID:3488

C:\Windows\System32\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /f /v MondoVolume.OSPPReady /t REG_SZ /d 1
2⤵
- Modifies registry key
PID:2520

C:\Windows\System32\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /f /v ProductReleaseIds /t REG_SZ /d "ProjectProRetail,O365ProPlusRetail,VisioProRetail,MondoVolume"
2⤵
- Modifies registry key
PID:3636

C:\Windows\System32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /f /v ProjectPro2019Volume.OSPPReady
2⤵
- Modifies registry key
PID:3580

C:\Program Files\Microsoft Office\root\integration\Integrator.exe
"C:\Program Files\Microsoft Office\root\integration\integrator.exe" /I /License PRIDName=ProjectPro2019Volume.16 PackageGUID="9AC08E99-230B-47e8-9721-4577B7F124EA" PackageRoot="C:\Program Files\Microsoft Office\root"
2⤵
PID:3692

C:\Windows\System32\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /f /v ProjectPro2019Volume.OSPPReady /t REG_SZ /d 1
2⤵
- Modifies registry key
PID:2252

C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds
2⤵
- Modifies registry key
PID:1148

C:\Windows\System32\findstr.exe
findstr /I "ProjectPro2019Volume"
2⤵
PID:1480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds
2⤵
PID:4048

C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds
3⤵
- Modifies registry key
PID:1680

C:\Windows\System32\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /f /v ProductReleaseIds /t REG_SZ /d "ProjectProRetail,O365ProPlusRetail,VisioProRetail,MondoVolume,ProjectPro2019Volume"
2⤵
- Modifies registry key
PID:3436

C:\Windows\System32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /f /v VisioPro2019Volume.OSPPReady
2⤵
- Modifies registry key
PID:1168

C:\Program Files\Microsoft Office\root\integration\Integrator.exe
"C:\Program Files\Microsoft Office\root\integration\integrator.exe" /I /License PRIDName=VisioPro2019Volume.16 PackageGUID="9AC08E99-230B-47e8-9721-4577B7F124EA" PackageRoot="C:\Program Files\Microsoft Office\root"
2⤵
PID:4028

C:\Windows\System32\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /f /v VisioPro2019Volume.OSPPReady /t REG_SZ /d 1
2⤵
- Modifies registry key
PID:1184

C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds
2⤵
- Modifies registry key
PID:1784

C:\Windows\System32\findstr.exe
findstr /I "VisioPro2019Volume"
2⤵
PID:2216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds
2⤵
PID:652

C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds
3⤵
- Modifies registry key
PID:3892

C:\Windows\System32\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /f /v ProductReleaseIds /t REG_SZ /d "ProjectProRetail,O365ProPlusRetail,VisioProRetail,MondoVolume,ProjectPro2019Volume,VisioPro2019Volume"
2⤵
- Modifies registry key
PID:1948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path OfficeSoftwareProtectionProduct where (Description like '%KMSCLIENT%' AND LicenseFamily like 'Office%' AND PartialProductKey=NULL) get ID /value" 2>nul
2⤵
PID:1564

C:\Windows\System32\Wbem\WMIC.exe
wmic path OfficeSoftwareProtectionProduct where (Description like '%KMSCLIENT%' AND LicenseFamily like 'Office%' AND PartialProductKey=NULL) get ID /value
3⤵
PID:3232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path OfficeSoftwareProtectionProduct where ID='2ca2bf3f-949e-446a-82c7-e25a15ec78c4' get LicenseFamily /value"
2⤵
PID:3824

C:\Windows\System32\Wbem\WMIC.exe
wmic path OfficeSoftwareProtectionProduct where ID='2ca2bf3f-949e-446a-82c7-e25a15ec78c4' get LicenseFamily /value
3⤵
PID:2624

C:\Windows\System32\Wbem\WMIC.exe
wmic path OfficeSoftwareProtectionService where version='15.0.169.500' call InstallProductKey ProductKey="B4NPR-3FKK7-T2MBV-FRQ4W-PKD2B"
2⤵
PID:3468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path OfficeSoftwareProtectionProduct where ID='5b5cf08f-b81a-431d-b080-3450d8620565' get LicenseFamily /value"
2⤵
PID:3252

C:\Windows\System32\Wbem\WMIC.exe
wmic path OfficeSoftwareProtectionProduct where ID='5b5cf08f-b81a-431d-b080-3450d8620565' get LicenseFamily /value
3⤵
PID:1532

C:\Windows\System32\Wbem\WMIC.exe
wmic path OfficeSoftwareProtectionService where version='15.0.169.500' call InstallProductKey ProductKey="9BGNQ-K37YR-RQHF2-38RQ3-7VCBB"
2⤵
PID:2720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path OfficeSoftwareProtectionProduct where ID='9caabccb-61b1-4b4b-8bec-d10a3c3ac2ce' get LicenseFamily /value"
2⤵
PID:1584

C:\Windows\System32\Wbem\WMIC.exe
wmic path OfficeSoftwareProtectionProduct where ID='9caabccb-61b1-4b4b-8bec-d10a3c3ac2ce' get LicenseFamily /value
3⤵
PID:3308

C:\Windows\System32\Wbem\WMIC.exe
wmic path OfficeSoftwareProtectionService where version='15.0.169.500' call InstallProductKey ProductKey="HFTND-W9MK4-8B7MJ-B6C4G-XQBR2"
2⤵
PID:1748

C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v PackageGUID
1⤵
- Modifies registry key
PID:972

\??\c:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"c:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
PID:1636

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Windows 7 activator.txt
1⤵
PID:3300

C:\Windows\system32\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f /v "UpdateChannel" /t REG_SZ /d http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60
1⤵
PID:3292

C:\Windows\system32\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f /v "UpdateUrl" /t REG_SZ /d http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60
1⤵
PID:3680

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\Windows 7 activator.bat"
1⤵
PID:2924

C:\Windows\system32\cscript.exe
cscript //nologo c:\windows\system32\slmgr.vbs /ipk FJ82H-XT6CR-J8D7P-XQJJ2-GPDD4
2⤵
PID:2996

C:\Windows\system32\cscript.exe
cscript //nologo c:\windows\system32\slmgr.vbs /skms kms.digiboy.ir
2⤵
PID:1188

C:\Windows\system32\find.exe
find /i "successfully"
2⤵
PID:3884

C:\Windows\system32\cscript.exe
cscript //nologo c:\windows\system32\slmgr.vbs /ato
2⤵
PID:2276

C:\Windows\system32\cscript.exe
cscript //nologo c:\windows\system32\slmgr.vbs /skms kms8.MSGuides.com
2⤵
PID:3176

C:\Windows\system32\find.exe
find /i "successfully"
2⤵
PID:3664

C:\Windows\system32\cscript.exe
cscript //nologo c:\windows\system32\slmgr.vbs /ato
2⤵
PID:2012

\??\c:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"c:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
PID:2756

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

Impair Defenses

T1562

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

System Information Discovery