12a40f81e953c0440272a1373a7e1b80b917ea4e87860753aaeda35055b9134f

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12a40f81e953c0440272a1373a7e1b80b917ea4e87860753aaeda35055b9134f.exe
Size

33KB
MD5

126ca0f6aee60724aa934f1a4d83bd5c
SHA1

cacbbb0551798c9c2b936698827206306384101b
SHA256

12a40f81e953c0440272a1373a7e1b80b917ea4e87860753aaeda35055b9134f
SHA512

9be71205825de1a90dc72c753cc8e41b4dbaad178f2d3b0bc9953a1b4eb4678187f2501bd7d6e41c6bdae954f80b4cef27251a160920422efb76e3707c7ee47a
SSDEEP

768:XwiAQUHoJ6hHV5qt0RJGBJxcLoIPCCYR/9m:Xw+ohO0RJnwL

Score

8^/10

discovery persistence

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

OfficeAssist.0195.80.1013.exeOfficeAssist.0195.80.1013.exeassistupdate.exenotify.exe

pid process

1456 OfficeAssist.0195.80.1013.exe
572 OfficeAssist.0195.80.1013.exe
1252 assistupdate.exe
952 notify.exe

pid	process
1456	OfficeAssist.0195.80.1013.exe
572	OfficeAssist.0195.80.1013.exe
1252	assistupdate.exe
952	notify.exe

Registers COM server for autorun 1 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Wow6432Node\CLSID\{034DF736-A378-4292-ACAE-A561088999F5}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Wow6432Node\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{034DF736-A378-4292-ACAE-A561088999F5}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Wow6432Node\CLSID\{034DF736-A378-4292-ACAE-A561088999F5}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\PPTAssist\\pptassist.dll"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Wow6432Node\CLSID\{034DF736-A378-4292-ACAE-A561088999F5}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Wow6432Node\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Wow6432Node\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\PPTAssist\\pptassist.dll"	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Wow6432Node\CLSID\{034DF736-A378-4292-ACAE-A561088999F5}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{034DF736-A378-4292-ACAE-A561088999F5}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{034DF736-A378-4292-ACAE-A561088999F5}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\PPTAssist\\pptassist64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{034DF736-A378-4292-ACAE-A561088999F5}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Wow6432Node\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\PPTAssist\\pptassist64.dll"	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}\InprocServer32	regsvr32.exe

Loads dropped DLL 26 IoCs

Processes:

12a40f81e953c0440272a1373a7e1b80b917ea4e87860753aaeda35055b9134f.exeOfficeAssist.0195.80.1013.exeOfficeAssist.0195.80.1013.exeregsvr32.exeregsvr32.exeregsvr32.exeassistupdate.exenotify.exe

pid	process
1660	12a40f81e953c0440272a1373a7e1b80b917ea4e87860753aaeda35055b9134f.exe
1456	OfficeAssist.0195.80.1013.exe
1456	OfficeAssist.0195.80.1013.exe
1456	OfficeAssist.0195.80.1013.exe
1456	OfficeAssist.0195.80.1013.exe
1456	OfficeAssist.0195.80.1013.exe
572	OfficeAssist.0195.80.1013.exe
572	OfficeAssist.0195.80.1013.exe
1736	regsvr32.exe
1924	regsvr32.exe
1396	regsvr32.exe
572	OfficeAssist.0195.80.1013.exe
572	OfficeAssist.0195.80.1013.exe
572	OfficeAssist.0195.80.1013.exe
572	OfficeAssist.0195.80.1013.exe
572	OfficeAssist.0195.80.1013.exe
1252	assistupdate.exe
572	OfficeAssist.0195.80.1013.exe
1252	assistupdate.exe
572	OfficeAssist.0195.80.1013.exe
572	OfficeAssist.0195.80.1013.exe
572	OfficeAssist.0195.80.1013.exe
572	OfficeAssist.0195.80.1013.exe
952	notify.exe
952	notify.exe
1456	OfficeAssist.0195.80.1013.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Drops file in Program Files directory 1 IoCs

Processes:

12a40f81e953c0440272a1373a7e1b80b917ea4e87860753aaeda35055b9134f.exe

description ioc process

File created C:\Program Files (x86)\Common Files\open.ini 12a40f81e953c0440272a1373a7e1b80b917ea4e87860753aaeda35055b9134f.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\open.ini	12a40f81e953c0440272a1373a7e1b80b917ea4e87860753aaeda35055b9134f.exe

Drops file in Windows directory 2 IoCs

Processes:

assistupdate.exenotify.exe

description	ioc	process
File created	C:\Windows\Tasks\PPTAssistantUpdateTask_Admin.job	assistupdate.exe
File created	C:\Windows\Tasks\PPTAssistantNotifyTask_Admin.job	notify.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 10 IoCs

installer

Processes:

resource	yara_rule
C:\ProgramData\OfficeAssist.0195.80.1013.exe	nsis_installer_1
C:\ProgramData\OfficeAssist.0195.80.1013.exe	nsis_installer_2
\ProgramData\OfficeAssist.0195.80.1013.exe	nsis_installer_1
\ProgramData\OfficeAssist.0195.80.1013.exe	nsis_installer_2
\ProgramData\OfficeAssist.0195.80.1013.exe	nsis_installer_1
\ProgramData\OfficeAssist.0195.80.1013.exe	nsis_installer_2
C:\ProgramData\OfficeAssist.0195.80.1013.exe	nsis_installer_1
C:\ProgramData\OfficeAssist.0195.80.1013.exe	nsis_installer_2
\ProgramData\OfficeAssist.0195.80.1013.exe	nsis_installer_1
\ProgramData\OfficeAssist.0195.80.1013.exe	nsis_installer_2

Modifies registry class 64 IoCs

Processes:

regsvr32.exeOfficeAssist.0195.80.1013.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Wow6432Node\Interface	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Wow6432Node\CLSID\{034DF736-A378-4292-ACAE-A561088999F5}\ProgID\ = "PPTAssist.Addins.1"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Wow6432Node\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000CDB09-0000-0000-C000-000000000046}\ProxyStubClsid32	OfficeAssist.0195.80.1013.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C030C-0000-0000-C000-000000000046}	OfficeAssist.0195.80.1013.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C0311-0000-0000-C000-000000000046}\ProxyStubClsid32	OfficeAssist.0195.80.1013.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C0369-0000-0000-C000-000000000046}\ProxyStubClsid32	OfficeAssist.0195.80.1013.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C03D1-0000-0000-C000-000000000046}\TypeLib\Version = "2.5"	OfficeAssist.0195.80.1013.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C0341-0000-0000-C000-000000000046}\TypeLib	OfficeAssist.0195.80.1013.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C033A-0000-0000-C000-000000000046}\TypeLib	OfficeAssist.0195.80.1013.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C038C-0000-0000-C000-000000000046}	OfficeAssist.0195.80.1013.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C038C-0000-0000-C000-000000000046}\TypeLib\ = "{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}"	OfficeAssist.0195.80.1013.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C1718-0000-0000-C000-000000000046}\ = "ChartFont"	OfficeAssist.0195.80.1013.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C0352-0000-0000-C000-000000000046}\ProxyStubClsid32	OfficeAssist.0195.80.1013.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C0387-0000-0000-C000-000000000046}\ProxyStubClsid32	OfficeAssist.0195.80.1013.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C1717-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OfficeAssist.0195.80.1013.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C0371-0000-0000-C000-000000000046}	OfficeAssist.0195.80.1013.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000CDB05-0000-0000-C000-000000000046}	OfficeAssist.0195.80.1013.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C170F-0000-0000-C000-000000000046}	OfficeAssist.0195.80.1013.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C0314-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OfficeAssist.0195.80.1013.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C0393-0000-0000-C000-000000000046}\TypeLib	OfficeAssist.0195.80.1013.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C0370-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OfficeAssist.0195.80.1013.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C037C-0000-0000-C000-000000000046}\TypeLib	OfficeAssist.0195.80.1013.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C170F-0000-0000-C000-000000000046}\ = "IMsoChartTitle"	OfficeAssist.0195.80.1013.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C0322-0000-0000-C000-000000000046}\TypeLib	OfficeAssist.0195.80.1013.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C0365-0000-0000-C000-000000000046}\TypeLib\Version = "2.5"	OfficeAssist.0195.80.1013.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C0330-0000-0000-C000-000000000046}\ = "BalloonLabel"	OfficeAssist.0195.80.1013.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C0380-0000-0000-C000-000000000046}\ProxyStubClsid32	OfficeAssist.0195.80.1013.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\TypeLib\{D68E2E9E-75B9-4D1A-99DB-5C83A17D5518}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\PPTAssist\\pptassist.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C0308-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OfficeAssist.0195.80.1013.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000CDB05-0000-0000-C000-000000000046}\TypeLib\ = "{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}"	OfficeAssist.0195.80.1013.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C1718-0000-0000-C000-000000000046}\TypeLib	OfficeAssist.0195.80.1013.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C1713-0000-0000-C000-000000000046}\TypeLib	OfficeAssist.0195.80.1013.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C0330-0000-0000-C000-000000000046}	OfficeAssist.0195.80.1013.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000C036F-0000-0000-C000-000000000046}\TypeLib\Version = "2.5"	OfficeAssist.0195.80.1013.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C0390-0000-0000-C000-000000000046}\TypeLib\ = "{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}"	OfficeAssist.0195.80.1013.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C033D-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OfficeAssist.0195.80.1013.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Wow6432Node\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\PPTAssist.Control\ = "PPTAssistControl Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C0357-0000-0000-C000-000000000046}	OfficeAssist.0195.80.1013.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C0356-0000-0000-C000-000000000046}\TypeLib\Version = "2.5"	OfficeAssist.0195.80.1013.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C03A7-0000-0000-C000-000000000046}\TypeLib	OfficeAssist.0195.80.1013.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C03D4-0000-0000-C000-000000000046}\TypeLib\Version = "2.5"	OfficeAssist.0195.80.1013.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C0339-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OfficeAssist.0195.80.1013.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C0358-0000-0000-C000-000000000046}\ProxyStubClsid32	OfficeAssist.0195.80.1013.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C1533-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OfficeAssist.0195.80.1013.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000CDB10-0000-0000-C000-000000000046}\ProxyStubClsid32	OfficeAssist.0195.80.1013.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\PPTAssist.Control\CLSID\ = "{1077138E-896C-445E-BD31-CFCFFA4636C4}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C031C-0000-0000-C000-000000000046}\ = "Shape"	OfficeAssist.0195.80.1013.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C0337-0000-0000-C000-000000000046}\TypeLib\Version = "2.5"	OfficeAssist.0195.80.1013.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C0356-0000-0000-C000-000000000046}\ProxyStubClsid32	OfficeAssist.0195.80.1013.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C0388-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OfficeAssist.0195.80.1013.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000CDB07-0000-0000-C000-000000000046}\TypeLib\Version = "2.5"	OfficeAssist.0195.80.1013.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C1715-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OfficeAssist.0195.80.1013.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C0311-0000-0000-C000-000000000046}\TypeLib	OfficeAssist.0195.80.1013.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000C0321-0000-0000-C000-000000000046}\TypeLib\Version = "2.5"	OfficeAssist.0195.80.1013.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C03CC-0000-0000-C000-000000000046}\TypeLib\Version = "2.5"	OfficeAssist.0195.80.1013.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000CDB02-0000-0000-C000-000000000046}\ = "_CustomXMLSchemaCollection"	OfficeAssist.0195.80.1013.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C03D5-0000-0000-C000-000000000046}	OfficeAssist.0195.80.1013.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C031C-0000-0000-C000-000000000046}\ProxyStubClsid32	OfficeAssist.0195.80.1013.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C03C2-0000-0000-C000-000000000046}\ = "RulerLevels2"	OfficeAssist.0195.80.1013.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C0351-0000-0000-C000-000000000046}\TypeLib\Version = "2.5"	OfficeAssist.0195.80.1013.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C0369-0000-0000-C000-000000000046}	OfficeAssist.0195.80.1013.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000CD100-0000-0000-C000-000000000046}\TypeLib	OfficeAssist.0195.80.1013.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

OfficeAssist.0195.80.1013.exeassistupdate.exenotify.exeOfficeAssist.0195.80.1013.exe

pid process

572 OfficeAssist.0195.80.1013.exe
1252 assistupdate.exe
952 notify.exe
1456 OfficeAssist.0195.80.1013.exe
1456 OfficeAssist.0195.80.1013.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

OfficeAssist.0195.80.1013.exe

description pid process

Token: SeDebugPrivilege 572 OfficeAssist.0195.80.1013.exe

pid	process
572	OfficeAssist.0195.80.1013.exe
1252	assistupdate.exe
952	notify.exe
1456	OfficeAssist.0195.80.1013.exe
1456	OfficeAssist.0195.80.1013.exe

description	pid	process
Token: SeDebugPrivilege	572	OfficeAssist.0195.80.1013.exe

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

12a40f81e953c0440272a1373a7e1b80b917ea4e87860753aaeda35055b9134f.exeOfficeAssist.0195.80.1013.exeOfficeAssist.0195.80.1013.exeregsvr32.exe

description	pid	process	target process
PID 1660 wrote to memory of 1456	1660	12a40f81e953c0440272a1373a7e1b80b917ea4e87860753aaeda35055b9134f.exe	OfficeAssist.0195.80.1013.exe
PID 1660 wrote to memory of 1456	1660	12a40f81e953c0440272a1373a7e1b80b917ea4e87860753aaeda35055b9134f.exe	OfficeAssist.0195.80.1013.exe
PID 1660 wrote to memory of 1456	1660	12a40f81e953c0440272a1373a7e1b80b917ea4e87860753aaeda35055b9134f.exe	OfficeAssist.0195.80.1013.exe
PID 1660 wrote to memory of 1456	1660	12a40f81e953c0440272a1373a7e1b80b917ea4e87860753aaeda35055b9134f.exe	OfficeAssist.0195.80.1013.exe
PID 1660 wrote to memory of 1456	1660	12a40f81e953c0440272a1373a7e1b80b917ea4e87860753aaeda35055b9134f.exe	OfficeAssist.0195.80.1013.exe
PID 1660 wrote to memory of 1456	1660	12a40f81e953c0440272a1373a7e1b80b917ea4e87860753aaeda35055b9134f.exe	OfficeAssist.0195.80.1013.exe
PID 1660 wrote to memory of 1456	1660	12a40f81e953c0440272a1373a7e1b80b917ea4e87860753aaeda35055b9134f.exe	OfficeAssist.0195.80.1013.exe
PID 1456 wrote to memory of 572	1456	OfficeAssist.0195.80.1013.exe	OfficeAssist.0195.80.1013.exe
PID 1456 wrote to memory of 572	1456	OfficeAssist.0195.80.1013.exe	OfficeAssist.0195.80.1013.exe
PID 1456 wrote to memory of 572	1456	OfficeAssist.0195.80.1013.exe	OfficeAssist.0195.80.1013.exe
PID 1456 wrote to memory of 572	1456	OfficeAssist.0195.80.1013.exe	OfficeAssist.0195.80.1013.exe
PID 1456 wrote to memory of 572	1456	OfficeAssist.0195.80.1013.exe	OfficeAssist.0195.80.1013.exe
PID 1456 wrote to memory of 572	1456	OfficeAssist.0195.80.1013.exe	OfficeAssist.0195.80.1013.exe
PID 1456 wrote to memory of 572	1456	OfficeAssist.0195.80.1013.exe	OfficeAssist.0195.80.1013.exe
PID 572 wrote to memory of 1736	572	OfficeAssist.0195.80.1013.exe	regsvr32.exe
PID 572 wrote to memory of 1736	572	OfficeAssist.0195.80.1013.exe	regsvr32.exe
PID 572 wrote to memory of 1736	572	OfficeAssist.0195.80.1013.exe	regsvr32.exe
PID 572 wrote to memory of 1736	572	OfficeAssist.0195.80.1013.exe	regsvr32.exe
PID 572 wrote to memory of 1736	572	OfficeAssist.0195.80.1013.exe	regsvr32.exe
PID 572 wrote to memory of 1736	572	OfficeAssist.0195.80.1013.exe	regsvr32.exe
PID 572 wrote to memory of 1736	572	OfficeAssist.0195.80.1013.exe	regsvr32.exe
PID 572 wrote to memory of 1924	572	OfficeAssist.0195.80.1013.exe	regsvr32.exe
PID 572 wrote to memory of 1924	572	OfficeAssist.0195.80.1013.exe	regsvr32.exe
PID 572 wrote to memory of 1924	572	OfficeAssist.0195.80.1013.exe	regsvr32.exe
PID 572 wrote to memory of 1924	572	OfficeAssist.0195.80.1013.exe	regsvr32.exe
PID 572 wrote to memory of 1924	572	OfficeAssist.0195.80.1013.exe	regsvr32.exe
PID 572 wrote to memory of 1924	572	OfficeAssist.0195.80.1013.exe	regsvr32.exe
PID 572 wrote to memory of 1924	572	OfficeAssist.0195.80.1013.exe	regsvr32.exe
PID 1924 wrote to memory of 1396	1924	regsvr32.exe	regsvr32.exe
PID 1924 wrote to memory of 1396	1924	regsvr32.exe	regsvr32.exe
PID 1924 wrote to memory of 1396	1924	regsvr32.exe	regsvr32.exe
PID 1924 wrote to memory of 1396	1924	regsvr32.exe	regsvr32.exe
PID 1924 wrote to memory of 1396	1924	regsvr32.exe	regsvr32.exe
PID 1924 wrote to memory of 1396	1924	regsvr32.exe	regsvr32.exe
PID 1924 wrote to memory of 1396	1924	regsvr32.exe	regsvr32.exe
PID 572 wrote to memory of 1252	572	OfficeAssist.0195.80.1013.exe	assistupdate.exe
PID 572 wrote to memory of 1252	572	OfficeAssist.0195.80.1013.exe	assistupdate.exe
PID 572 wrote to memory of 1252	572	OfficeAssist.0195.80.1013.exe	assistupdate.exe
PID 572 wrote to memory of 1252	572	OfficeAssist.0195.80.1013.exe	assistupdate.exe
PID 572 wrote to memory of 1252	572	OfficeAssist.0195.80.1013.exe	assistupdate.exe
PID 572 wrote to memory of 1252	572	OfficeAssist.0195.80.1013.exe	assistupdate.exe
PID 572 wrote to memory of 1252	572	OfficeAssist.0195.80.1013.exe	assistupdate.exe
PID 572 wrote to memory of 952	572	OfficeAssist.0195.80.1013.exe	notify.exe
PID 572 wrote to memory of 952	572	OfficeAssist.0195.80.1013.exe	notify.exe
PID 572 wrote to memory of 952	572	OfficeAssist.0195.80.1013.exe	notify.exe
PID 572 wrote to memory of 952	572	OfficeAssist.0195.80.1013.exe	notify.exe
PID 572 wrote to memory of 952	572	OfficeAssist.0195.80.1013.exe	notify.exe
PID 572 wrote to memory of 952	572	OfficeAssist.0195.80.1013.exe	notify.exe
PID 572 wrote to memory of 952	572	OfficeAssist.0195.80.1013.exe	notify.exe

C:\Users\Admin\AppData\Local\Temp\12a40f81e953c0440272a1373a7e1b80b917ea4e87860753aaeda35055b9134f.exe
"C:\Users\Admin\AppData\Local\Temp\12a40f81e953c0440272a1373a7e1b80b917ea4e87860753aaeda35055b9134f.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1660

C:\ProgramData\OfficeAssist.0195.80.1013.exe
"C:\ProgramData\OfficeAssist.0195.80.1013.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1456

C:\ProgramData\kingsoft\20221123_112000\OfficeAssist.0195.80.1013.exe
"C:\ProgramData\kingsoft\20221123_112000\OfficeAssist.0195.80.1013.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:572

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\PPTAssist\pptassist.dll"
4⤵
- Registers COM server for autorun
- Loads dropped DLL
- Modifies registry class
PID:1736

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\PPTAssist\pptassist64.dll"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1924

C:\Windows\system32\regsvr32.exe
/s "C:\Users\Admin\AppData\Local\PPTAssist\pptassist64.dll"
5⤵
- Registers COM server for autorun
- Loads dropped DLL
- Modifies registry class
PID:1396

C:\Users\Admin\AppData\Local\PPTAssist\assistupdate.exe
"C:\Users\Admin\AppData\Local\PPTAssist\assistupdate.exe" -createtask
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1252

C:\Users\Admin\AppData\Local\PPTAssist\notify.exe
"C:\Users\Admin\AppData\Local\PPTAssist\notify.exe" /from:ksostart
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:952

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\OfficeAssist.0195.80.1013.exe

Filesize
3.0MB

MD5
81c7a19ff9623e1e8c7bfa1a117cfc10

SHA1
1e8a361582ca815961e2d026c50db8da110c8cc5

SHA256
2deb899567fb6e855c70d676c6bf96f197e16af70fc2da4b06f1e517d7ae27a2

SHA512
6edd9b86d7f5652bc1afe3a7ccc8645f79c2754475100b682f42089f5b5ff926b1c0a041c83f2ee2a89bc43df7deca6c63cbd124c9116ba6b436676c5766264f

Download Submit
C:\ProgramData\OfficeAssist.0195.80.1013.exe

Filesize
3.0MB

MD5
81c7a19ff9623e1e8c7bfa1a117cfc10

SHA1
1e8a361582ca815961e2d026c50db8da110c8cc5

SHA256
2deb899567fb6e855c70d676c6bf96f197e16af70fc2da4b06f1e517d7ae27a2

SHA512
6edd9b86d7f5652bc1afe3a7ccc8645f79c2754475100b682f42089f5b5ff926b1c0a041c83f2ee2a89bc43df7deca6c63cbd124c9116ba6b436676c5766264f

Download Submit
C:\ProgramData\kingsoft\20221123_112000\OfficeAssist.0195.80.1013.exe

Filesize
3.1MB

MD5
603fd71b5c8538e53cc46a68dbd34f02

SHA1
0ae8fbd74e8cabfc15e824ac1aba25935f00f375

SHA256
f2d56d90dbe873ef0b67294792f9b26eeee4269d3e013e26710eaffb46c49d7a

SHA512
613c058d4f7a38f0ba23f4529f3a10c6a7c95fe0c0155fe30490091b689e53723d5e49d90b8de15247d723d1cddc715700683ab3b286de592ae88e48191aebb9

Download Submit
C:\ProgramData\kingsoft\20221123_112000\OfficeAssist.0195.80.1013.exe

Filesize
3.1MB

MD5
603fd71b5c8538e53cc46a68dbd34f02

SHA1
0ae8fbd74e8cabfc15e824ac1aba25935f00f375

SHA256
f2d56d90dbe873ef0b67294792f9b26eeee4269d3e013e26710eaffb46c49d7a

SHA512
613c058d4f7a38f0ba23f4529f3a10c6a7c95fe0c0155fe30490091b689e53723d5e49d90b8de15247d723d1cddc715700683ab3b286de592ae88e48191aebb9

Download Submit
C:\ProgramData\kingsoft\20221123_112000\oem.ini

Filesize
762B

MD5
f9bcdb444a67e5aaffa2e32d09e85d10

SHA1
5919a691bd375087d64ad29cf2ba6e2e6d8d8b62

SHA256
1923561dec04957575156ab895dbceafc9b197234002fde737d71dbf1632e6f2

SHA512
fd0e26e7357c135a2eca1cf1aef93a9ae0f8bbf3e807bc1138d97c2ec9d18d98386283e07e9f0334059eff3f49046b09286430403e38c80eb11c0b7724892250

Download Submit
C:\Users\Admin\AppData\Local\PPTAssist\assistupdate.exe

Filesize
1.2MB

MD5
ab3ee176619ae937950f2fa7734aa337

SHA1
1c825f9729090985505cb24b5d59481b141613ad

SHA256
5a3cbaa59c11829f8f6dedb9847522458f9f59f8ec707c043fe473721eeabdcd

SHA512
669a88717ddc1675ff55494a61cfd3485a4ff7b32bdb17a370ec5522fca78b11d94b848f0e410e60e96216d43590e8350e33c06409114a713a8707c42c37ea99

Download Submit
C:\Users\Admin\AppData\Local\PPTAssist\assistupdate.exe

Filesize
1.2MB

MD5
ab3ee176619ae937950f2fa7734aa337

SHA1
1c825f9729090985505cb24b5d59481b141613ad

SHA256
5a3cbaa59c11829f8f6dedb9847522458f9f59f8ec707c043fe473721eeabdcd

SHA512
669a88717ddc1675ff55494a61cfd3485a4ff7b32bdb17a370ec5522fca78b11d94b848f0e410e60e96216d43590e8350e33c06409114a713a8707c42c37ea99

Download Submit
C:\Users\Admin\AppData\Local\PPTAssist\cfgs\setup.cfg

Filesize
643B

MD5
7deb2d27233b729498ecaf17a5896223

SHA1
54eee1b3f531398ce0e40f58a78d3bb9a67772b1

SHA256
5ca8019b880ed348fcdddca6fa4ddfb40ee590be438bb342d59510af8811ee3c

SHA512
93ae6a1624e9de8f9a1e49d7f096a3ce5af9565ea2276272432b2c1c629c822be15a1239e4748c1f7836457fd8fee072ce3c5e1dbc4f46759834b5408aeb3f56

Download Submit
C:\Users\Admin\AppData\Local\PPTAssist\notify.exe

Filesize
1.2MB

MD5
39535a80b3515bc833c38d96fdfd9a94

SHA1
cb4391b05365ec4df13ffba3894382572f8cdd71

SHA256
c177255ffa28afc94d5e53fe0e4776aee9b581bc53d4dc6fb80b3bbcbb47307c

SHA512
53424fdeecf8fdc606162b155077ce2bd913f47b93f71a6dc845e83e13d1d9eade6b72d4228cb547e9e7a12c882a1c34b949723fdd05ff7fe5ce872ba6098af9

Download Submit
C:\Users\Admin\AppData\Local\PPTAssist\notify.exe

Filesize
1.2MB

MD5
39535a80b3515bc833c38d96fdfd9a94

SHA1
cb4391b05365ec4df13ffba3894382572f8cdd71

SHA256
c177255ffa28afc94d5e53fe0e4776aee9b581bc53d4dc6fb80b3bbcbb47307c

SHA512
53424fdeecf8fdc606162b155077ce2bd913f47b93f71a6dc845e83e13d1d9eade6b72d4228cb547e9e7a12c882a1c34b949723fdd05ff7fe5ce872ba6098af9

Download Submit
C:\Users\Admin\AppData\Local\PPTAssist\pptassist.dll

Filesize
639KB

MD5
2754d99d7927550b013213036decc593

SHA1
01959b2949b7538f6a4760b8ff952bbf227ecb0d

SHA256
d34aa7df1092145c85174a6088a236c5955dd61b2a7ce9b3da412e745015a4b9

SHA512
c415af14a6e5cd73df0ca98e70bd3dda73431857eb3102a40c7e973a4956892b9d33d3dfa5cce90c4bc05d2dd72ba2042cd64b397f76dc05218806fd98828ad4

Download Submit
C:\Users\Admin\AppData\Local\PPTAssist\pptassist64.dll

Filesize
608KB

MD5
92748e3b118a684c28c760f48bd7edc7

SHA1
44b3dddb6c3273fd7b78fbdf505195306ea68c75

SHA256
9e860c3f984d27c2efa14dbdf322df9fef919a008d36f428c0d9cb1acc96d896

SHA512
f601b6249405856192cbc035e6dc8d5314be86ed666690cbea640ae40b6d695e7d4f273fced25b457355255edbe9c209841a1c2ac53191616dc2b5734f896e24

Download Submit
\ProgramData\OfficeAssist.0195.80.1013.exe

Filesize
3.0MB

MD5
81c7a19ff9623e1e8c7bfa1a117cfc10

SHA1
1e8a361582ca815961e2d026c50db8da110c8cc5

SHA256
2deb899567fb6e855c70d676c6bf96f197e16af70fc2da4b06f1e517d7ae27a2

SHA512
6edd9b86d7f5652bc1afe3a7ccc8645f79c2754475100b682f42089f5b5ff926b1c0a041c83f2ee2a89bc43df7deca6c63cbd124c9116ba6b436676c5766264f

Download Submit
\ProgramData\OfficeAssist.0195.80.1013.exe

Filesize
3.0MB

MD5
81c7a19ff9623e1e8c7bfa1a117cfc10

SHA1
1e8a361582ca815961e2d026c50db8da110c8cc5

SHA256
2deb899567fb6e855c70d676c6bf96f197e16af70fc2da4b06f1e517d7ae27a2

SHA512
6edd9b86d7f5652bc1afe3a7ccc8645f79c2754475100b682f42089f5b5ff926b1c0a041c83f2ee2a89bc43df7deca6c63cbd124c9116ba6b436676c5766264f

Download Submit
\ProgramData\OfficeAssist.0195.80.1013.exe

Filesize
3.0MB

MD5
81c7a19ff9623e1e8c7bfa1a117cfc10

SHA1
1e8a361582ca815961e2d026c50db8da110c8cc5

SHA256
2deb899567fb6e855c70d676c6bf96f197e16af70fc2da4b06f1e517d7ae27a2

SHA512
6edd9b86d7f5652bc1afe3a7ccc8645f79c2754475100b682f42089f5b5ff926b1c0a041c83f2ee2a89bc43df7deca6c63cbd124c9116ba6b436676c5766264f

Download Submit
\ProgramData\kingsoft\20221123_112000\OfficeAssist.0195.80.1013.exe

Filesize
3.1MB

MD5
603fd71b5c8538e53cc46a68dbd34f02

SHA1
0ae8fbd74e8cabfc15e824ac1aba25935f00f375

SHA256
f2d56d90dbe873ef0b67294792f9b26eeee4269d3e013e26710eaffb46c49d7a

SHA512
613c058d4f7a38f0ba23f4529f3a10c6a7c95fe0c0155fe30490091b689e53723d5e49d90b8de15247d723d1cddc715700683ab3b286de592ae88e48191aebb9

Download Submit
\ProgramData\kingsoft\20221123_112000\OfficeAssist.0195.80.1013.exe

Filesize
3.1MB

MD5
603fd71b5c8538e53cc46a68dbd34f02

SHA1
0ae8fbd74e8cabfc15e824ac1aba25935f00f375

SHA256
f2d56d90dbe873ef0b67294792f9b26eeee4269d3e013e26710eaffb46c49d7a

SHA512
613c058d4f7a38f0ba23f4529f3a10c6a7c95fe0c0155fe30490091b689e53723d5e49d90b8de15247d723d1cddc715700683ab3b286de592ae88e48191aebb9

Download Submit
\ProgramData\kingsoft\20221123_112000\OfficeAssist.0195.80.1013.exe

Filesize
3.1MB

MD5
603fd71b5c8538e53cc46a68dbd34f02

SHA1
0ae8fbd74e8cabfc15e824ac1aba25935f00f375

SHA256
f2d56d90dbe873ef0b67294792f9b26eeee4269d3e013e26710eaffb46c49d7a

SHA512
613c058d4f7a38f0ba23f4529f3a10c6a7c95fe0c0155fe30490091b689e53723d5e49d90b8de15247d723d1cddc715700683ab3b286de592ae88e48191aebb9

Download Submit
\Users\Admin\AppData\Local\PPTAssist\assistupdate.exe

Filesize
1.2MB

MD5
ab3ee176619ae937950f2fa7734aa337

SHA1
1c825f9729090985505cb24b5d59481b141613ad

SHA256
5a3cbaa59c11829f8f6dedb9847522458f9f59f8ec707c043fe473721eeabdcd

SHA512
669a88717ddc1675ff55494a61cfd3485a4ff7b32bdb17a370ec5522fca78b11d94b848f0e410e60e96216d43590e8350e33c06409114a713a8707c42c37ea99

Download Submit
\Users\Admin\AppData\Local\PPTAssist\assistupdate.exe

Filesize
1.2MB

MD5
ab3ee176619ae937950f2fa7734aa337

SHA1
1c825f9729090985505cb24b5d59481b141613ad

SHA256
5a3cbaa59c11829f8f6dedb9847522458f9f59f8ec707c043fe473721eeabdcd

SHA512
669a88717ddc1675ff55494a61cfd3485a4ff7b32bdb17a370ec5522fca78b11d94b848f0e410e60e96216d43590e8350e33c06409114a713a8707c42c37ea99

Download Submit
\Users\Admin\AppData\Local\PPTAssist\assistupdate.exe

Filesize
1.2MB

MD5
ab3ee176619ae937950f2fa7734aa337

SHA1
1c825f9729090985505cb24b5d59481b141613ad

SHA256
5a3cbaa59c11829f8f6dedb9847522458f9f59f8ec707c043fe473721eeabdcd

SHA512
669a88717ddc1675ff55494a61cfd3485a4ff7b32bdb17a370ec5522fca78b11d94b848f0e410e60e96216d43590e8350e33c06409114a713a8707c42c37ea99

Download Submit
\Users\Admin\AppData\Local\PPTAssist\assistupdate.exe

Filesize
1.2MB

MD5
ab3ee176619ae937950f2fa7734aa337

SHA1
1c825f9729090985505cb24b5d59481b141613ad

SHA256
5a3cbaa59c11829f8f6dedb9847522458f9f59f8ec707c043fe473721eeabdcd

SHA512
669a88717ddc1675ff55494a61cfd3485a4ff7b32bdb17a370ec5522fca78b11d94b848f0e410e60e96216d43590e8350e33c06409114a713a8707c42c37ea99

Download Submit
\Users\Admin\AppData\Local\PPTAssist\assistupdate.exe

Filesize
1.2MB

MD5
ab3ee176619ae937950f2fa7734aa337

SHA1
1c825f9729090985505cb24b5d59481b141613ad

SHA256
5a3cbaa59c11829f8f6dedb9847522458f9f59f8ec707c043fe473721eeabdcd

SHA512
669a88717ddc1675ff55494a61cfd3485a4ff7b32bdb17a370ec5522fca78b11d94b848f0e410e60e96216d43590e8350e33c06409114a713a8707c42c37ea99

Download Submit
\Users\Admin\AppData\Local\PPTAssist\assistupdate.exe

Filesize
1.2MB

MD5
ab3ee176619ae937950f2fa7734aa337

SHA1
1c825f9729090985505cb24b5d59481b141613ad

SHA256
5a3cbaa59c11829f8f6dedb9847522458f9f59f8ec707c043fe473721eeabdcd

SHA512
669a88717ddc1675ff55494a61cfd3485a4ff7b32bdb17a370ec5522fca78b11d94b848f0e410e60e96216d43590e8350e33c06409114a713a8707c42c37ea99

Download Submit
\Users\Admin\AppData\Local\PPTAssist\meihua.exe

Filesize
315KB

MD5
dcac7d1b0fb5c7aaacbe473268970d1b

SHA1
9f05031dd3368b257be9a93f1b5c6507b397377e

SHA256
8524633082fa4a393d9093c5834293bec0a1822a0fc7042732e79bc30be86f03

SHA512
65a1c87140f69625424b9dcd2c5811044e10ffdf18ae10337aaafa7842656fe37c5b79b57b3f44ab2129dfad6104f762735b7566bbb523637fb9e8655449fce2

Download Submit
\Users\Admin\AppData\Local\PPTAssist\notify.exe

Filesize
1.2MB

MD5
39535a80b3515bc833c38d96fdfd9a94

SHA1
cb4391b05365ec4df13ffba3894382572f8cdd71

SHA256
c177255ffa28afc94d5e53fe0e4776aee9b581bc53d4dc6fb80b3bbcbb47307c

SHA512
53424fdeecf8fdc606162b155077ce2bd913f47b93f71a6dc845e83e13d1d9eade6b72d4228cb547e9e7a12c882a1c34b949723fdd05ff7fe5ce872ba6098af9

Download Submit
\Users\Admin\AppData\Local\PPTAssist\notify.exe

Filesize
1.2MB

MD5
39535a80b3515bc833c38d96fdfd9a94

SHA1
cb4391b05365ec4df13ffba3894382572f8cdd71

SHA256
c177255ffa28afc94d5e53fe0e4776aee9b581bc53d4dc6fb80b3bbcbb47307c

SHA512
53424fdeecf8fdc606162b155077ce2bd913f47b93f71a6dc845e83e13d1d9eade6b72d4228cb547e9e7a12c882a1c34b949723fdd05ff7fe5ce872ba6098af9

Download Submit
\Users\Admin\AppData\Local\PPTAssist\notify.exe

Filesize
1.2MB

MD5
39535a80b3515bc833c38d96fdfd9a94

SHA1
cb4391b05365ec4df13ffba3894382572f8cdd71

SHA256
c177255ffa28afc94d5e53fe0e4776aee9b581bc53d4dc6fb80b3bbcbb47307c

SHA512
53424fdeecf8fdc606162b155077ce2bd913f47b93f71a6dc845e83e13d1d9eade6b72d4228cb547e9e7a12c882a1c34b949723fdd05ff7fe5ce872ba6098af9

Download Submit
\Users\Admin\AppData\Local\PPTAssist\notify.exe

Filesize
1.2MB

MD5
39535a80b3515bc833c38d96fdfd9a94

SHA1
cb4391b05365ec4df13ffba3894382572f8cdd71

SHA256
c177255ffa28afc94d5e53fe0e4776aee9b581bc53d4dc6fb80b3bbcbb47307c

SHA512
53424fdeecf8fdc606162b155077ce2bd913f47b93f71a6dc845e83e13d1d9eade6b72d4228cb547e9e7a12c882a1c34b949723fdd05ff7fe5ce872ba6098af9

Download Submit
\Users\Admin\AppData\Local\PPTAssist\notify.exe

Filesize
1.2MB

MD5
39535a80b3515bc833c38d96fdfd9a94

SHA1
cb4391b05365ec4df13ffba3894382572f8cdd71

SHA256
c177255ffa28afc94d5e53fe0e4776aee9b581bc53d4dc6fb80b3bbcbb47307c

SHA512
53424fdeecf8fdc606162b155077ce2bd913f47b93f71a6dc845e83e13d1d9eade6b72d4228cb547e9e7a12c882a1c34b949723fdd05ff7fe5ce872ba6098af9

Download Submit
\Users\Admin\AppData\Local\PPTAssist\notify.exe

Filesize
1.2MB

MD5
39535a80b3515bc833c38d96fdfd9a94

SHA1
cb4391b05365ec4df13ffba3894382572f8cdd71

SHA256
c177255ffa28afc94d5e53fe0e4776aee9b581bc53d4dc6fb80b3bbcbb47307c

SHA512
53424fdeecf8fdc606162b155077ce2bd913f47b93f71a6dc845e83e13d1d9eade6b72d4228cb547e9e7a12c882a1c34b949723fdd05ff7fe5ce872ba6098af9

Download Submit
\Users\Admin\AppData\Local\PPTAssist\pptassist.dll

Filesize
639KB

MD5
2754d99d7927550b013213036decc593

SHA1
01959b2949b7538f6a4760b8ff952bbf227ecb0d

SHA256
d34aa7df1092145c85174a6088a236c5955dd61b2a7ce9b3da412e745015a4b9

SHA512
c415af14a6e5cd73df0ca98e70bd3dda73431857eb3102a40c7e973a4956892b9d33d3dfa5cce90c4bc05d2dd72ba2042cd64b397f76dc05218806fd98828ad4

Download Submit
\Users\Admin\AppData\Local\PPTAssist\pptassist.dll

Filesize
639KB

MD5
2754d99d7927550b013213036decc593

SHA1
01959b2949b7538f6a4760b8ff952bbf227ecb0d

SHA256
d34aa7df1092145c85174a6088a236c5955dd61b2a7ce9b3da412e745015a4b9

SHA512
c415af14a6e5cd73df0ca98e70bd3dda73431857eb3102a40c7e973a4956892b9d33d3dfa5cce90c4bc05d2dd72ba2042cd64b397f76dc05218806fd98828ad4

Download Submit
\Users\Admin\AppData\Local\PPTAssist\pptassist64.dll

Filesize
608KB

MD5
92748e3b118a684c28c760f48bd7edc7

SHA1
44b3dddb6c3273fd7b78fbdf505195306ea68c75

SHA256
9e860c3f984d27c2efa14dbdf322df9fef919a008d36f428c0d9cb1acc96d896

SHA512
f601b6249405856192cbc035e6dc8d5314be86ed666690cbea640ae40b6d695e7d4f273fced25b457355255edbe9c209841a1c2ac53191616dc2b5734f896e24

Download Submit
\Users\Admin\AppData\Local\PPTAssist\pptassist64.dll

Filesize
608KB

MD5
92748e3b118a684c28c760f48bd7edc7

SHA1
44b3dddb6c3273fd7b78fbdf505195306ea68c75

SHA256
9e860c3f984d27c2efa14dbdf322df9fef919a008d36f428c0d9cb1acc96d896

SHA512
f601b6249405856192cbc035e6dc8d5314be86ed666690cbea640ae40b6d695e7d4f273fced25b457355255edbe9c209841a1c2ac53191616dc2b5734f896e24

Download Submit
\Users\Admin\AppData\Local\Temp\nseD9ED.tmp\FindProcDLL.dll

Filesize
31KB

MD5
83cd62eab980e3d64c131799608c8371

SHA1
5b57a6842a154997e31fab573c5754b358f5dd1c

SHA256
a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294

SHA512
91cfbcc125600ec341f5571dcf1e4a814cf7673f82cf42f32155bd54791bbf32619f2bb14ae871d7996e9ddecdfcc5db40caa0979d6dfba3e73cfe8e69c163c9

Download Submit
\Users\Admin\AppData\Local\Temp\nseD9ED.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nseD9ED.tmp\v6svc.dll

Filesize
152KB

MD5
55f61ea711be0b779e04b7892a22dd8a

SHA1
cdc284ca7033555a750fdd01e059dd1d0b0ce723

SHA256
edc56b07eea86ceac8222504236702a8f63de3bc8260cb49d25e78702b82a71a

SHA512
369e225f8c99f9959d2c4363810cd53831cfa61509f4cf625f134a309f927f92f649330c9db2a583ab97927743a26a75239520dd787cbf6db6d97edbb60eddd9

Download Submit
memory/572-69-0x0000000000000000-mapping.dmp

Download
memory/952-103-0x0000000000000000-mapping.dmp

Download
memory/1252-92-0x0000000000000000-mapping.dmp

Download
memory/1396-85-0x000007FEFBCE1000-0x000007FEFBCE3000-memory.dmp

Filesize
8KB

Download
memory/1396-84-0x0000000000000000-mapping.dmp

Download
memory/1456-60-0x0000000000000000-mapping.dmp

Download
memory/1456-111-0x0000000001E20000-0x0000000001E2B000-memory.dmp

Filesize
44KB

Download
memory/1660-54-0x0000000075FB1000-0x0000000075FB3000-memory.dmp

Filesize
8KB

Download
memory/1660-56-0x0000000000020000-0x0000000000034000-memory.dmp

Filesize
80KB

Download
memory/1660-55-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1660-57-0x0000000000020000-0x0000000000034000-memory.dmp

Filesize
80KB

Download
memory/1660-58-0x0000000000020000-0x0000000000034000-memory.dmp

Filesize
80KB

Download
memory/1660-112-0x0000000000020000-0x0000000000034000-memory.dmp

Filesize
80KB

Download
memory/1736-76-0x0000000000000000-mapping.dmp

Download
memory/1924-80-0x0000000000000000-mapping.dmp

Download