553a6176148be6cbfae4a21eca1ba7834e262cde39d3348d18196de8cfca4014

Analysis

max time kernel
150s
max time network
187s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

553a6176148be6cbfae4a21eca1ba7834e262cde39d3348d18196de8cfca4014.exe
Size

33KB
MD5

db606466315cbdca9122a74803a57a46
SHA1

11fdc13802204720964c313dc089c8e12ce6b88a
SHA256

553a6176148be6cbfae4a21eca1ba7834e262cde39d3348d18196de8cfca4014
SHA512

0fbf0a2bf40a502467f8930b1901357adc355970f83a2bb7b3487c2cc0907f8745d9b6deeca7705b839834d1d5f384e477d876cccf3e8cbb45fb47e5ca89314c
SSDEEP

768:6wiAQUHoJ6hHV5qt0RJGBJxcLoIPCCYR/9m:6w+ohO0RJnwL

Score

8^/10

discovery persistence

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

OfficeAssist.0195.80.1013.exeOfficeAssist.0195.80.1013.exeassistupdate.exenotify.exe

pid process

1948 OfficeAssist.0195.80.1013.exe
1728 OfficeAssist.0195.80.1013.exe
1504 assistupdate.exe
900 notify.exe

pid	process
1948	OfficeAssist.0195.80.1013.exe
1728	OfficeAssist.0195.80.1013.exe
1504	assistupdate.exe
900	notify.exe

Registers COM server for autorun 1 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\CLSID\{034DF736-A378-4292-ACAE-A561088999F5}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\CLSID\{034DF736-A378-4292-ACAE-A561088999F5}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{034DF736-A378-4292-ACAE-A561088999F5}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\PPTAssist\\pptassist.dll"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\CLSID\{034DF736-A378-4292-ACAE-A561088999F5}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\PPTAssist\\pptassist64.dll"	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{034DF736-A378-4292-ACAE-A561088999F5}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{034DF736-A378-4292-ACAE-A561088999F5}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\PPTAssist\\pptassist.dll"	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{034DF736-A378-4292-ACAE-A561088999F5}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\PPTAssist\\pptassist64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\CLSID\{034DF736-A378-4292-ACAE-A561088999F5}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Loads dropped DLL 23 IoCs

Processes:

553a6176148be6cbfae4a21eca1ba7834e262cde39d3348d18196de8cfca4014.exeOfficeAssist.0195.80.1013.exeOfficeAssist.0195.80.1013.exeregsvr32.exeregsvr32.exeregsvr32.exeassistupdate.exe

pid	process
1992	553a6176148be6cbfae4a21eca1ba7834e262cde39d3348d18196de8cfca4014.exe
1948	OfficeAssist.0195.80.1013.exe
1948	OfficeAssist.0195.80.1013.exe
1948	OfficeAssist.0195.80.1013.exe
1948	OfficeAssist.0195.80.1013.exe
1948	OfficeAssist.0195.80.1013.exe
1728	OfficeAssist.0195.80.1013.exe
1728	OfficeAssist.0195.80.1013.exe
1664	regsvr32.exe
1616	regsvr32.exe
1848	regsvr32.exe
1728	OfficeAssist.0195.80.1013.exe
1728	OfficeAssist.0195.80.1013.exe
1728	OfficeAssist.0195.80.1013.exe
1728	OfficeAssist.0195.80.1013.exe
1728	OfficeAssist.0195.80.1013.exe
1728	OfficeAssist.0195.80.1013.exe
1504	assistupdate.exe
1728	OfficeAssist.0195.80.1013.exe
1728	OfficeAssist.0195.80.1013.exe
1728	OfficeAssist.0195.80.1013.exe
1504	assistupdate.exe
1728	OfficeAssist.0195.80.1013.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Drops file in Program Files directory 1 IoCs

Processes:

553a6176148be6cbfae4a21eca1ba7834e262cde39d3348d18196de8cfca4014.exe

description ioc process

File created C:\Program Files (x86)\Common Files\open.ini 553a6176148be6cbfae4a21eca1ba7834e262cde39d3348d18196de8cfca4014.exe
Drops file in Windows directory 1 IoCs

Processes:

assistupdate.exe

description ioc process

File created C:\Windows\Tasks\PPTAssistantUpdateTask_Admin.job assistupdate.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Program Files (x86)\Common Files\open.ini	553a6176148be6cbfae4a21eca1ba7834e262cde39d3348d18196de8cfca4014.exe

description	ioc	process
File created	C:\Windows\Tasks\PPTAssistantUpdateTask_Admin.job	assistupdate.exe

NSIS installer 10 IoCs

installer

Processes:

resource	yara_rule
C:\ProgramData\OfficeAssist.0195.80.1013.exe	nsis_installer_1
C:\ProgramData\OfficeAssist.0195.80.1013.exe	nsis_installer_2
\ProgramData\OfficeAssist.0195.80.1013.exe	nsis_installer_1
\ProgramData\OfficeAssist.0195.80.1013.exe	nsis_installer_2
\ProgramData\OfficeAssist.0195.80.1013.exe	nsis_installer_1
\ProgramData\OfficeAssist.0195.80.1013.exe	nsis_installer_2
\ProgramData\OfficeAssist.0195.80.1013.exe	nsis_installer_1
\ProgramData\OfficeAssist.0195.80.1013.exe	nsis_installer_2
C:\ProgramData\OfficeAssist.0195.80.1013.exe	nsis_installer_1
C:\ProgramData\OfficeAssist.0195.80.1013.exe	nsis_installer_2

Modifies registry class 64 IoCs

Processes:

regsvr32.exeOfficeAssist.0195.80.1013.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\PPTAssist.Addins\CLSID\ = "{034DF736-A378-4292-ACAE-A561088999F5}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C0302-0000-0000-C000-000000000046}\ProxyStubClsid32	OfficeAssist.0195.80.1013.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C031B-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OfficeAssist.0195.80.1013.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C0359-0000-0000-C000-000000000046}\ = "IMsoDispCagNotifySink"	OfficeAssist.0195.80.1013.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C033A-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OfficeAssist.0195.80.1013.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C0356-0000-0000-C000-000000000046}\ProxyStubClsid32	OfficeAssist.0195.80.1013.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{034DF736-A378-4292-ACAE-A561088999F5}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C0330-0000-0000-C000-000000000046}\TypeLib\ = "{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}"	OfficeAssist.0195.80.1013.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55F88890-7708-11D1-ACEB-006008961DA5}\ProxyStubClsid32	OfficeAssist.0195.80.1013.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C0362-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OfficeAssist.0195.80.1013.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C0313-0000-0000-C000-000000000046}\TypeLib	OfficeAssist.0195.80.1013.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000C0319-0000-0000-C000-000000000046}\TypeLib\Version = "2.5"	OfficeAssist.0195.80.1013.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{034DF736-A378-4292-ACAE-A561088999F5}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\TypeLib\{D68E2E9E-75B9-4D1A-99DB-5C83A17D5518}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\TypeLib\{D68E2E9E-75B9-4D1A-99DB-5C83A17D5518}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\PPTAssist"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\Interface\{CE895442-9981-4315-AA85-4B9A5C7739D8}\TypeLib	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C030C-0000-0000-C000-000000000046}\ProxyStubClsid32	OfficeAssist.0195.80.1013.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C0319-0000-0000-C000-000000000046}	OfficeAssist.0195.80.1013.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C031C-0000-0000-C000-000000000046}	OfficeAssist.0195.80.1013.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C0330-0000-0000-C000-000000000046}\TypeLib	OfficeAssist.0195.80.1013.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C0338-0000-0000-C000-000000000046}\TypeLib\ = "{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}"	OfficeAssist.0195.80.1013.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C0339-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OfficeAssist.0195.80.1013.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55F88890-7708-11D1-ACEB-006008961DA5}\TypeLib	OfficeAssist.0195.80.1013.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Interface\{CE895442-9981-4315-AA85-4B9A5C7739D8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C0321-0000-0000-C000-000000000046}\TypeLib\ = "{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}"	OfficeAssist.0195.80.1013.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C0322-0000-0000-C000-000000000046}	OfficeAssist.0195.80.1013.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C0332-0000-0000-C000-000000000046}\TypeLib	OfficeAssist.0195.80.1013.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C0351-0000-0000-C000-000000000046}	OfficeAssist.0195.80.1013.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C035A-0000-0000-C000-000000000046}\TypeLib\ = "{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}"	OfficeAssist.0195.80.1013.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\PPTAssist.Addins.1\CLSID\ = "{034DF736-A378-4292-ACAE-A561088999F5}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C0317-0000-0000-C000-000000000046}\TypeLib\Version = "2.5"	OfficeAssist.0195.80.1013.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C0411-0000-0000-C000-000000000046}\TypeLib\ = "{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}"	OfficeAssist.0195.80.1013.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\PPTAssist.Control\CLSID\ = "{1077138E-896C-445E-BD31-CFCFFA4636C4}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C030C-0000-0000-C000-000000000046}\TypeLib	OfficeAssist.0195.80.1013.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C0332-0000-0000-C000-000000000046}\TypeLib\Version = "2.5"	OfficeAssist.0195.80.1013.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C036C-0000-0000-C000-000000000046}\TypeLib	OfficeAssist.0195.80.1013.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\PPTAssist.Control\CurVer\ = "PPTAssist.Control.1"	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{034DF736-A378-4292-ACAE-A561088999F5}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C0312-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OfficeAssist.0195.80.1013.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C0339-0000-0000-C000-000000000046}\ = "COMAddIns"	OfficeAssist.0195.80.1013.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C0353-0000-0000-C000-000000000046}\ = "LanguageSettings"	OfficeAssist.0195.80.1013.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C0356-0000-0000-C000-000000000046}\TypeLib\Version = "2.5"	OfficeAssist.0195.80.1013.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C0334-0000-0000-C000-000000000046}\ProxyStubClsid32	OfficeAssist.0195.80.1013.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672AC-0000-0000-C000-000000000046}\TypeLib\ = "{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}"	OfficeAssist.0195.80.1013.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C031E-0000-0000-C000-000000000046}	OfficeAssist.0195.80.1013.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C0331-0000-0000-C000-000000000046}\ProxyStubClsid32	OfficeAssist.0195.80.1013.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}\VersionIndependentProgID\ = "PPTAssist.Control"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C0308-0000-0000-C000-000000000046}\ = "CommandBarControl"	OfficeAssist.0195.80.1013.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C030E-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OfficeAssist.0195.80.1013.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000C0310-0000-0000-C000-000000000046}\TypeLib\Version = "2.5"	OfficeAssist.0195.80.1013.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000C0311-0000-0000-C000-000000000046}\TypeLib\ = "{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}"	OfficeAssist.0195.80.1013.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C031A-0000-0000-C000-000000000046}\TypeLib\Version = "2.5"	OfficeAssist.0195.80.1013.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C0339-0000-0000-C000-000000000046}\TypeLib	OfficeAssist.0195.80.1013.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C0365-0000-0000-C000-000000000046}\ProxyStubClsid32	OfficeAssist.0195.80.1013.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C0368-0000-0000-C000-000000000046}\TypeLib	OfficeAssist.0195.80.1013.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}\PROGRAMMABLE	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Wow6432Node\Interface\{D5D8E0B6-F42F-43B2-BE45-7A065242F6EE}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C0300-0000-0000-C000-000000000046}\ = "_IMsoDispObj"	OfficeAssist.0195.80.1013.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C030C-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OfficeAssist.0195.80.1013.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C0337-0000-0000-C000-000000000046}\TypeLib	OfficeAssist.0195.80.1013.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C036A-0000-0000-C000-000000000046}\TypeLib\ = "{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}"	OfficeAssist.0195.80.1013.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\CLSID\{034DF736-A378-4292-ACAE-A561088999F5}\VersionIndependentProgID	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

OfficeAssist.0195.80.1013.exeassistupdate.exe

pid process

1728 OfficeAssist.0195.80.1013.exe
1504 assistupdate.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

OfficeAssist.0195.80.1013.exe

description pid process

Token: SeDebugPrivilege 1728 OfficeAssist.0195.80.1013.exe

pid	process
1728	OfficeAssist.0195.80.1013.exe
1504	assistupdate.exe

description	pid	process
Token: SeDebugPrivilege	1728	OfficeAssist.0195.80.1013.exe

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

553a6176148be6cbfae4a21eca1ba7834e262cde39d3348d18196de8cfca4014.exeOfficeAssist.0195.80.1013.exeOfficeAssist.0195.80.1013.exeregsvr32.exe

description	pid	process	target process
PID 1992 wrote to memory of 1948	1992	553a6176148be6cbfae4a21eca1ba7834e262cde39d3348d18196de8cfca4014.exe	OfficeAssist.0195.80.1013.exe
PID 1992 wrote to memory of 1948	1992	553a6176148be6cbfae4a21eca1ba7834e262cde39d3348d18196de8cfca4014.exe	OfficeAssist.0195.80.1013.exe
PID 1992 wrote to memory of 1948	1992	553a6176148be6cbfae4a21eca1ba7834e262cde39d3348d18196de8cfca4014.exe	OfficeAssist.0195.80.1013.exe
PID 1992 wrote to memory of 1948	1992	553a6176148be6cbfae4a21eca1ba7834e262cde39d3348d18196de8cfca4014.exe	OfficeAssist.0195.80.1013.exe
PID 1992 wrote to memory of 1948	1992	553a6176148be6cbfae4a21eca1ba7834e262cde39d3348d18196de8cfca4014.exe	OfficeAssist.0195.80.1013.exe
PID 1992 wrote to memory of 1948	1992	553a6176148be6cbfae4a21eca1ba7834e262cde39d3348d18196de8cfca4014.exe	OfficeAssist.0195.80.1013.exe
PID 1992 wrote to memory of 1948	1992	553a6176148be6cbfae4a21eca1ba7834e262cde39d3348d18196de8cfca4014.exe	OfficeAssist.0195.80.1013.exe
PID 1948 wrote to memory of 1728	1948	OfficeAssist.0195.80.1013.exe	OfficeAssist.0195.80.1013.exe
PID 1948 wrote to memory of 1728	1948	OfficeAssist.0195.80.1013.exe	OfficeAssist.0195.80.1013.exe
PID 1948 wrote to memory of 1728	1948	OfficeAssist.0195.80.1013.exe	OfficeAssist.0195.80.1013.exe
PID 1948 wrote to memory of 1728	1948	OfficeAssist.0195.80.1013.exe	OfficeAssist.0195.80.1013.exe
PID 1948 wrote to memory of 1728	1948	OfficeAssist.0195.80.1013.exe	OfficeAssist.0195.80.1013.exe
PID 1948 wrote to memory of 1728	1948	OfficeAssist.0195.80.1013.exe	OfficeAssist.0195.80.1013.exe
PID 1948 wrote to memory of 1728	1948	OfficeAssist.0195.80.1013.exe	OfficeAssist.0195.80.1013.exe
PID 1728 wrote to memory of 1664	1728	OfficeAssist.0195.80.1013.exe	regsvr32.exe
PID 1728 wrote to memory of 1664	1728	OfficeAssist.0195.80.1013.exe	regsvr32.exe
PID 1728 wrote to memory of 1664	1728	OfficeAssist.0195.80.1013.exe	regsvr32.exe
PID 1728 wrote to memory of 1664	1728	OfficeAssist.0195.80.1013.exe	regsvr32.exe
PID 1728 wrote to memory of 1664	1728	OfficeAssist.0195.80.1013.exe	regsvr32.exe
PID 1728 wrote to memory of 1664	1728	OfficeAssist.0195.80.1013.exe	regsvr32.exe
PID 1728 wrote to memory of 1664	1728	OfficeAssist.0195.80.1013.exe	regsvr32.exe
PID 1728 wrote to memory of 1616	1728	OfficeAssist.0195.80.1013.exe	regsvr32.exe
PID 1728 wrote to memory of 1616	1728	OfficeAssist.0195.80.1013.exe	regsvr32.exe
PID 1728 wrote to memory of 1616	1728	OfficeAssist.0195.80.1013.exe	regsvr32.exe
PID 1728 wrote to memory of 1616	1728	OfficeAssist.0195.80.1013.exe	regsvr32.exe
PID 1728 wrote to memory of 1616	1728	OfficeAssist.0195.80.1013.exe	regsvr32.exe
PID 1728 wrote to memory of 1616	1728	OfficeAssist.0195.80.1013.exe	regsvr32.exe
PID 1728 wrote to memory of 1616	1728	OfficeAssist.0195.80.1013.exe	regsvr32.exe
PID 1616 wrote to memory of 1848	1616	regsvr32.exe	regsvr32.exe
PID 1616 wrote to memory of 1848	1616	regsvr32.exe	regsvr32.exe
PID 1616 wrote to memory of 1848	1616	regsvr32.exe	regsvr32.exe
PID 1616 wrote to memory of 1848	1616	regsvr32.exe	regsvr32.exe
PID 1616 wrote to memory of 1848	1616	regsvr32.exe	regsvr32.exe
PID 1616 wrote to memory of 1848	1616	regsvr32.exe	regsvr32.exe
PID 1616 wrote to memory of 1848	1616	regsvr32.exe	regsvr32.exe
PID 1728 wrote to memory of 1504	1728	OfficeAssist.0195.80.1013.exe	assistupdate.exe
PID 1728 wrote to memory of 1504	1728	OfficeAssist.0195.80.1013.exe	assistupdate.exe
PID 1728 wrote to memory of 1504	1728	OfficeAssist.0195.80.1013.exe	assistupdate.exe
PID 1728 wrote to memory of 1504	1728	OfficeAssist.0195.80.1013.exe	assistupdate.exe
PID 1728 wrote to memory of 1504	1728	OfficeAssist.0195.80.1013.exe	assistupdate.exe
PID 1728 wrote to memory of 1504	1728	OfficeAssist.0195.80.1013.exe	assistupdate.exe
PID 1728 wrote to memory of 1504	1728	OfficeAssist.0195.80.1013.exe	assistupdate.exe
PID 1728 wrote to memory of 900	1728	OfficeAssist.0195.80.1013.exe	notify.exe
PID 1728 wrote to memory of 900	1728	OfficeAssist.0195.80.1013.exe	notify.exe
PID 1728 wrote to memory of 900	1728	OfficeAssist.0195.80.1013.exe	notify.exe
PID 1728 wrote to memory of 900	1728	OfficeAssist.0195.80.1013.exe	notify.exe
PID 1728 wrote to memory of 900	1728	OfficeAssist.0195.80.1013.exe	notify.exe
PID 1728 wrote to memory of 900	1728	OfficeAssist.0195.80.1013.exe	notify.exe
PID 1728 wrote to memory of 900	1728	OfficeAssist.0195.80.1013.exe	notify.exe

C:\Users\Admin\AppData\Local\Temp\553a6176148be6cbfae4a21eca1ba7834e262cde39d3348d18196de8cfca4014.exe
"C:\Users\Admin\AppData\Local\Temp\553a6176148be6cbfae4a21eca1ba7834e262cde39d3348d18196de8cfca4014.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1992

C:\ProgramData\OfficeAssist.0195.80.1013.exe
"C:\ProgramData\OfficeAssist.0195.80.1013.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1948

C:\ProgramData\kingsoft\20221123_112153\OfficeAssist.0195.80.1013.exe
"C:\ProgramData\kingsoft\20221123_112153\OfficeAssist.0195.80.1013.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\PPTAssist\pptassist.dll"
4⤵
- Registers COM server for autorun
- Loads dropped DLL
- Modifies registry class
PID:1664

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\PPTAssist\pptassist64.dll"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1616

C:\Windows\system32\regsvr32.exe
/s "C:\Users\Admin\AppData\Local\PPTAssist\pptassist64.dll"
5⤵
- Registers COM server for autorun
- Loads dropped DLL
- Modifies registry class
PID:1848

C:\Users\Admin\AppData\Local\PPTAssist\assistupdate.exe
"C:\Users\Admin\AppData\Local\PPTAssist\assistupdate.exe" -createtask
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1504

C:\Users\Admin\AppData\Local\PPTAssist\notify.exe
"C:\Users\Admin\AppData\Local\PPTAssist\notify.exe" /from:ksostart
4⤵
- Executes dropped EXE
PID:900

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\OfficeAssist.0195.80.1013.exe
Filesize
3.0MB

MD5
81c7a19ff9623e1e8c7bfa1a117cfc10

SHA1
1e8a361582ca815961e2d026c50db8da110c8cc5

SHA256
2deb899567fb6e855c70d676c6bf96f197e16af70fc2da4b06f1e517d7ae27a2

SHA512
6edd9b86d7f5652bc1afe3a7ccc8645f79c2754475100b682f42089f5b5ff926b1c0a041c83f2ee2a89bc43df7deca6c63cbd124c9116ba6b436676c5766264f

Download Submit
C:\ProgramData\OfficeAssist.0195.80.1013.exe
Filesize
3.0MB

MD5
81c7a19ff9623e1e8c7bfa1a117cfc10

SHA1
1e8a361582ca815961e2d026c50db8da110c8cc5

SHA256
2deb899567fb6e855c70d676c6bf96f197e16af70fc2da4b06f1e517d7ae27a2

SHA512
6edd9b86d7f5652bc1afe3a7ccc8645f79c2754475100b682f42089f5b5ff926b1c0a041c83f2ee2a89bc43df7deca6c63cbd124c9116ba6b436676c5766264f

Download Submit
C:\ProgramData\kingsoft\20221123_112153\OfficeAssist.0195.80.1013.exe
Filesize
3.1MB

MD5
603fd71b5c8538e53cc46a68dbd34f02

SHA1
0ae8fbd74e8cabfc15e824ac1aba25935f00f375

SHA256
f2d56d90dbe873ef0b67294792f9b26eeee4269d3e013e26710eaffb46c49d7a

SHA512
613c058d4f7a38f0ba23f4529f3a10c6a7c95fe0c0155fe30490091b689e53723d5e49d90b8de15247d723d1cddc715700683ab3b286de592ae88e48191aebb9

Download Submit
C:\ProgramData\kingsoft\20221123_112153\OfficeAssist.0195.80.1013.exe
Filesize
3.1MB

MD5
603fd71b5c8538e53cc46a68dbd34f02

SHA1
0ae8fbd74e8cabfc15e824ac1aba25935f00f375

SHA256
f2d56d90dbe873ef0b67294792f9b26eeee4269d3e013e26710eaffb46c49d7a

SHA512
613c058d4f7a38f0ba23f4529f3a10c6a7c95fe0c0155fe30490091b689e53723d5e49d90b8de15247d723d1cddc715700683ab3b286de592ae88e48191aebb9

Download Submit
C:\ProgramData\kingsoft\20221123_112153\oem.ini
Filesize
762B

MD5
f9bcdb444a67e5aaffa2e32d09e85d10

SHA1
5919a691bd375087d64ad29cf2ba6e2e6d8d8b62

SHA256
1923561dec04957575156ab895dbceafc9b197234002fde737d71dbf1632e6f2

SHA512
fd0e26e7357c135a2eca1cf1aef93a9ae0f8bbf3e807bc1138d97c2ec9d18d98386283e07e9f0334059eff3f49046b09286430403e38c80eb11c0b7724892250

Download Submit
C:\Users\Admin\AppData\Local\PPTAssist\assistupdate.exe
Filesize
1.2MB

MD5
ab3ee176619ae937950f2fa7734aa337

SHA1
1c825f9729090985505cb24b5d59481b141613ad

SHA256
5a3cbaa59c11829f8f6dedb9847522458f9f59f8ec707c043fe473721eeabdcd

SHA512
669a88717ddc1675ff55494a61cfd3485a4ff7b32bdb17a370ec5522fca78b11d94b848f0e410e60e96216d43590e8350e33c06409114a713a8707c42c37ea99

Download Submit
C:\Users\Admin\AppData\Local\PPTAssist\assistupdate.exe
Filesize
1.2MB

MD5
ab3ee176619ae937950f2fa7734aa337

SHA1
1c825f9729090985505cb24b5d59481b141613ad

SHA256
5a3cbaa59c11829f8f6dedb9847522458f9f59f8ec707c043fe473721eeabdcd

SHA512
669a88717ddc1675ff55494a61cfd3485a4ff7b32bdb17a370ec5522fca78b11d94b848f0e410e60e96216d43590e8350e33c06409114a713a8707c42c37ea99

Download Submit
C:\Users\Admin\AppData\Local\PPTAssist\cfgs\setup.cfg
Filesize
643B

MD5
7deb2d27233b729498ecaf17a5896223

SHA1
54eee1b3f531398ce0e40f58a78d3bb9a67772b1

SHA256
5ca8019b880ed348fcdddca6fa4ddfb40ee590be438bb342d59510af8811ee3c

SHA512
93ae6a1624e9de8f9a1e49d7f096a3ce5af9565ea2276272432b2c1c629c822be15a1239e4748c1f7836457fd8fee072ce3c5e1dbc4f46759834b5408aeb3f56

Download Submit
C:\Users\Admin\AppData\Local\PPTAssist\notify.exe
Filesize
1.2MB

MD5
39535a80b3515bc833c38d96fdfd9a94

SHA1
cb4391b05365ec4df13ffba3894382572f8cdd71

SHA256
c177255ffa28afc94d5e53fe0e4776aee9b581bc53d4dc6fb80b3bbcbb47307c

SHA512
53424fdeecf8fdc606162b155077ce2bd913f47b93f71a6dc845e83e13d1d9eade6b72d4228cb547e9e7a12c882a1c34b949723fdd05ff7fe5ce872ba6098af9

Download Submit
C:\Users\Admin\AppData\Local\PPTAssist\pptassist.dll
Filesize
639KB

MD5
2754d99d7927550b013213036decc593

SHA1
01959b2949b7538f6a4760b8ff952bbf227ecb0d

SHA256
d34aa7df1092145c85174a6088a236c5955dd61b2a7ce9b3da412e745015a4b9

SHA512
c415af14a6e5cd73df0ca98e70bd3dda73431857eb3102a40c7e973a4956892b9d33d3dfa5cce90c4bc05d2dd72ba2042cd64b397f76dc05218806fd98828ad4

Download Submit
C:\Users\Admin\AppData\Local\PPTAssist\pptassist64.dll
Filesize
608KB

MD5
92748e3b118a684c28c760f48bd7edc7

SHA1
44b3dddb6c3273fd7b78fbdf505195306ea68c75

SHA256
9e860c3f984d27c2efa14dbdf322df9fef919a008d36f428c0d9cb1acc96d896

SHA512
f601b6249405856192cbc035e6dc8d5314be86ed666690cbea640ae40b6d695e7d4f273fced25b457355255edbe9c209841a1c2ac53191616dc2b5734f896e24

Download Submit
\ProgramData\OfficeAssist.0195.80.1013.exe
Filesize
3.0MB

MD5
81c7a19ff9623e1e8c7bfa1a117cfc10

SHA1
1e8a361582ca815961e2d026c50db8da110c8cc5

SHA256
2deb899567fb6e855c70d676c6bf96f197e16af70fc2da4b06f1e517d7ae27a2

SHA512
6edd9b86d7f5652bc1afe3a7ccc8645f79c2754475100b682f42089f5b5ff926b1c0a041c83f2ee2a89bc43df7deca6c63cbd124c9116ba6b436676c5766264f

Download Submit
\ProgramData\OfficeAssist.0195.80.1013.exe
Filesize
3.0MB

MD5
81c7a19ff9623e1e8c7bfa1a117cfc10

SHA1
1e8a361582ca815961e2d026c50db8da110c8cc5

SHA256
2deb899567fb6e855c70d676c6bf96f197e16af70fc2da4b06f1e517d7ae27a2

SHA512
6edd9b86d7f5652bc1afe3a7ccc8645f79c2754475100b682f42089f5b5ff926b1c0a041c83f2ee2a89bc43df7deca6c63cbd124c9116ba6b436676c5766264f

Download Submit
\ProgramData\OfficeAssist.0195.80.1013.exe
Filesize
3.0MB

MD5
81c7a19ff9623e1e8c7bfa1a117cfc10

SHA1
1e8a361582ca815961e2d026c50db8da110c8cc5

SHA256
2deb899567fb6e855c70d676c6bf96f197e16af70fc2da4b06f1e517d7ae27a2

SHA512
6edd9b86d7f5652bc1afe3a7ccc8645f79c2754475100b682f42089f5b5ff926b1c0a041c83f2ee2a89bc43df7deca6c63cbd124c9116ba6b436676c5766264f

Download Submit
\ProgramData\kingsoft\20221123_112153\OfficeAssist.0195.80.1013.exe
Filesize
3.1MB

MD5
603fd71b5c8538e53cc46a68dbd34f02

SHA1
0ae8fbd74e8cabfc15e824ac1aba25935f00f375

SHA256
f2d56d90dbe873ef0b67294792f9b26eeee4269d3e013e26710eaffb46c49d7a

SHA512
613c058d4f7a38f0ba23f4529f3a10c6a7c95fe0c0155fe30490091b689e53723d5e49d90b8de15247d723d1cddc715700683ab3b286de592ae88e48191aebb9

Download Submit
\ProgramData\kingsoft\20221123_112153\OfficeAssist.0195.80.1013.exe
Filesize
3.1MB

MD5
603fd71b5c8538e53cc46a68dbd34f02

SHA1
0ae8fbd74e8cabfc15e824ac1aba25935f00f375

SHA256
f2d56d90dbe873ef0b67294792f9b26eeee4269d3e013e26710eaffb46c49d7a

SHA512
613c058d4f7a38f0ba23f4529f3a10c6a7c95fe0c0155fe30490091b689e53723d5e49d90b8de15247d723d1cddc715700683ab3b286de592ae88e48191aebb9

Download Submit
\ProgramData\kingsoft\20221123_112153\OfficeAssist.0195.80.1013.exe
Filesize
3.1MB

MD5
603fd71b5c8538e53cc46a68dbd34f02

SHA1
0ae8fbd74e8cabfc15e824ac1aba25935f00f375

SHA256
f2d56d90dbe873ef0b67294792f9b26eeee4269d3e013e26710eaffb46c49d7a

SHA512
613c058d4f7a38f0ba23f4529f3a10c6a7c95fe0c0155fe30490091b689e53723d5e49d90b8de15247d723d1cddc715700683ab3b286de592ae88e48191aebb9

Download Submit
\Users\Admin\AppData\Local\PPTAssist\assistupdate.exe
Filesize
1.2MB

MD5
ab3ee176619ae937950f2fa7734aa337

SHA1
1c825f9729090985505cb24b5d59481b141613ad

SHA256
5a3cbaa59c11829f8f6dedb9847522458f9f59f8ec707c043fe473721eeabdcd

SHA512
669a88717ddc1675ff55494a61cfd3485a4ff7b32bdb17a370ec5522fca78b11d94b848f0e410e60e96216d43590e8350e33c06409114a713a8707c42c37ea99

Download Submit
\Users\Admin\AppData\Local\PPTAssist\assistupdate.exe
Filesize
1.2MB

MD5
ab3ee176619ae937950f2fa7734aa337

SHA1
1c825f9729090985505cb24b5d59481b141613ad

SHA256
5a3cbaa59c11829f8f6dedb9847522458f9f59f8ec707c043fe473721eeabdcd

SHA512
669a88717ddc1675ff55494a61cfd3485a4ff7b32bdb17a370ec5522fca78b11d94b848f0e410e60e96216d43590e8350e33c06409114a713a8707c42c37ea99

Download Submit
\Users\Admin\AppData\Local\PPTAssist\assistupdate.exe
Filesize
1.2MB

MD5
ab3ee176619ae937950f2fa7734aa337

SHA1
1c825f9729090985505cb24b5d59481b141613ad

SHA256
5a3cbaa59c11829f8f6dedb9847522458f9f59f8ec707c043fe473721eeabdcd

SHA512
669a88717ddc1675ff55494a61cfd3485a4ff7b32bdb17a370ec5522fca78b11d94b848f0e410e60e96216d43590e8350e33c06409114a713a8707c42c37ea99

Download Submit
\Users\Admin\AppData\Local\PPTAssist\assistupdate.exe
Filesize
1.2MB

MD5
ab3ee176619ae937950f2fa7734aa337

SHA1
1c825f9729090985505cb24b5d59481b141613ad

SHA256
5a3cbaa59c11829f8f6dedb9847522458f9f59f8ec707c043fe473721eeabdcd

SHA512
669a88717ddc1675ff55494a61cfd3485a4ff7b32bdb17a370ec5522fca78b11d94b848f0e410e60e96216d43590e8350e33c06409114a713a8707c42c37ea99

Download Submit
\Users\Admin\AppData\Local\PPTAssist\assistupdate.exe
Filesize
1.2MB

MD5
ab3ee176619ae937950f2fa7734aa337

SHA1
1c825f9729090985505cb24b5d59481b141613ad

SHA256
5a3cbaa59c11829f8f6dedb9847522458f9f59f8ec707c043fe473721eeabdcd

SHA512
669a88717ddc1675ff55494a61cfd3485a4ff7b32bdb17a370ec5522fca78b11d94b848f0e410e60e96216d43590e8350e33c06409114a713a8707c42c37ea99

Download Submit
\Users\Admin\AppData\Local\PPTAssist\assistupdate.exe
Filesize
1.2MB

MD5
ab3ee176619ae937950f2fa7734aa337

SHA1
1c825f9729090985505cb24b5d59481b141613ad

SHA256
5a3cbaa59c11829f8f6dedb9847522458f9f59f8ec707c043fe473721eeabdcd

SHA512
669a88717ddc1675ff55494a61cfd3485a4ff7b32bdb17a370ec5522fca78b11d94b848f0e410e60e96216d43590e8350e33c06409114a713a8707c42c37ea99

Download Submit
\Users\Admin\AppData\Local\PPTAssist\meihua.exe
Filesize
315KB

MD5
dcac7d1b0fb5c7aaacbe473268970d1b

SHA1
9f05031dd3368b257be9a93f1b5c6507b397377e

SHA256
8524633082fa4a393d9093c5834293bec0a1822a0fc7042732e79bc30be86f03

SHA512
65a1c87140f69625424b9dcd2c5811044e10ffdf18ae10337aaafa7842656fe37c5b79b57b3f44ab2129dfad6104f762735b7566bbb523637fb9e8655449fce2

Download Submit
\Users\Admin\AppData\Local\PPTAssist\notify.exe
Filesize
1.2MB

MD5
39535a80b3515bc833c38d96fdfd9a94

SHA1
cb4391b05365ec4df13ffba3894382572f8cdd71

SHA256
c177255ffa28afc94d5e53fe0e4776aee9b581bc53d4dc6fb80b3bbcbb47307c

SHA512
53424fdeecf8fdc606162b155077ce2bd913f47b93f71a6dc845e83e13d1d9eade6b72d4228cb547e9e7a12c882a1c34b949723fdd05ff7fe5ce872ba6098af9

Download Submit
\Users\Admin\AppData\Local\PPTAssist\notify.exe
Filesize
1.2MB

MD5
39535a80b3515bc833c38d96fdfd9a94

SHA1
cb4391b05365ec4df13ffba3894382572f8cdd71

SHA256
c177255ffa28afc94d5e53fe0e4776aee9b581bc53d4dc6fb80b3bbcbb47307c

SHA512
53424fdeecf8fdc606162b155077ce2bd913f47b93f71a6dc845e83e13d1d9eade6b72d4228cb547e9e7a12c882a1c34b949723fdd05ff7fe5ce872ba6098af9

Download Submit
\Users\Admin\AppData\Local\PPTAssist\notify.exe
Filesize
1.2MB

MD5
39535a80b3515bc833c38d96fdfd9a94

SHA1
cb4391b05365ec4df13ffba3894382572f8cdd71

SHA256
c177255ffa28afc94d5e53fe0e4776aee9b581bc53d4dc6fb80b3bbcbb47307c

SHA512
53424fdeecf8fdc606162b155077ce2bd913f47b93f71a6dc845e83e13d1d9eade6b72d4228cb547e9e7a12c882a1c34b949723fdd05ff7fe5ce872ba6098af9

Download Submit
\Users\Admin\AppData\Local\PPTAssist\notify.exe
Filesize
1.2MB

MD5
39535a80b3515bc833c38d96fdfd9a94

SHA1
cb4391b05365ec4df13ffba3894382572f8cdd71

SHA256
c177255ffa28afc94d5e53fe0e4776aee9b581bc53d4dc6fb80b3bbcbb47307c

SHA512
53424fdeecf8fdc606162b155077ce2bd913f47b93f71a6dc845e83e13d1d9eade6b72d4228cb547e9e7a12c882a1c34b949723fdd05ff7fe5ce872ba6098af9

Download Submit
\Users\Admin\AppData\Local\PPTAssist\pptassist.dll
Filesize
639KB

MD5
2754d99d7927550b013213036decc593

SHA1
01959b2949b7538f6a4760b8ff952bbf227ecb0d

SHA256
d34aa7df1092145c85174a6088a236c5955dd61b2a7ce9b3da412e745015a4b9

SHA512
c415af14a6e5cd73df0ca98e70bd3dda73431857eb3102a40c7e973a4956892b9d33d3dfa5cce90c4bc05d2dd72ba2042cd64b397f76dc05218806fd98828ad4

Download Submit
\Users\Admin\AppData\Local\PPTAssist\pptassist.dll
Filesize
639KB

MD5
2754d99d7927550b013213036decc593

SHA1
01959b2949b7538f6a4760b8ff952bbf227ecb0d

SHA256
d34aa7df1092145c85174a6088a236c5955dd61b2a7ce9b3da412e745015a4b9

SHA512
c415af14a6e5cd73df0ca98e70bd3dda73431857eb3102a40c7e973a4956892b9d33d3dfa5cce90c4bc05d2dd72ba2042cd64b397f76dc05218806fd98828ad4

Download Submit
\Users\Admin\AppData\Local\PPTAssist\pptassist64.dll
Filesize
608KB

MD5
92748e3b118a684c28c760f48bd7edc7

SHA1
44b3dddb6c3273fd7b78fbdf505195306ea68c75

SHA256
9e860c3f984d27c2efa14dbdf322df9fef919a008d36f428c0d9cb1acc96d896

SHA512
f601b6249405856192cbc035e6dc8d5314be86ed666690cbea640ae40b6d695e7d4f273fced25b457355255edbe9c209841a1c2ac53191616dc2b5734f896e24

Download Submit
\Users\Admin\AppData\Local\PPTAssist\pptassist64.dll
Filesize
608KB

MD5
92748e3b118a684c28c760f48bd7edc7

SHA1
44b3dddb6c3273fd7b78fbdf505195306ea68c75

SHA256
9e860c3f984d27c2efa14dbdf322df9fef919a008d36f428c0d9cb1acc96d896

SHA512
f601b6249405856192cbc035e6dc8d5314be86ed666690cbea640ae40b6d695e7d4f273fced25b457355255edbe9c209841a1c2ac53191616dc2b5734f896e24

Download Submit
\Users\Admin\AppData\Local\Temp\nszC238.tmp\System.dll
Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nszC238.tmp\v6svc.dll
Filesize
152KB

MD5
55f61ea711be0b779e04b7892a22dd8a

SHA1
cdc284ca7033555a750fdd01e059dd1d0b0ce723

SHA256
edc56b07eea86ceac8222504236702a8f63de3bc8260cb49d25e78702b82a71a

SHA512
369e225f8c99f9959d2c4363810cd53831cfa61509f4cf625f134a309f927f92f649330c9db2a583ab97927743a26a75239520dd787cbf6db6d97edbb60eddd9

Download Submit
memory/900-104-0x0000000000000000-mapping.dmp

Download
memory/1504-93-0x0000000000000000-mapping.dmp

Download
memory/1616-81-0x0000000000000000-mapping.dmp

Download
memory/1664-77-0x0000000000000000-mapping.dmp

Download
memory/1728-70-0x0000000000000000-mapping.dmp

Download
memory/1848-86-0x000007FEFC4E1000-0x000007FEFC4E3000-memory.dmp

Filesize
8KB

Download
memory/1848-85-0x0000000000000000-mapping.dmp

Download
memory/1948-61-0x0000000000000000-mapping.dmp

Download
memory/1992-54-0x0000000076411000-0x0000000076413000-memory.dmp

Filesize
8KB

Download
memory/1992-59-0x0000000000020000-0x0000000000034000-memory.dmp

Filesize
80KB

Download
memory/1992-58-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1992-57-0x0000000000020000-0x0000000000034000-memory.dmp

Filesize
80KB

Download
memory/1992-56-0x0000000000020000-0x0000000000034000-memory.dmp

Filesize
80KB

Download
memory/1992-55-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download