File name:

Setup_BrightSlide_1.0.7.exe

Full analysis: https://app.any.run/tasks/bd03b1c9-7f19-405e-8c7b-24c9bc8cf0f2
Verdict: Malicious activity
Analysis date: May 15, 2024, 14:22:20
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

90849C06198630E83768383B1127A403

SHA1:

42621592EA75245565020EAC04330E6DBD7EB51F

SHA256:

1A7F1B0561A5C25C57C05BF1862C1EBD03EEC6B0735ED28FDE163CDA73F56CA6

SSDEEP:

196608:hSZzjSDh2ongS2vljKdJ/wkdFGfQLu4z4:BDh2qyvFuzdc4L5k

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • Setup_BrightSlide_1.0.7.exe (PID: 3972)
      • Setup_BrightSlide_1.0.7.tmp (PID: 3988)
      • BrightSlide Assets.exe (PID: 4056)
      • msiexec.exe (PID: 1120)
    • Reads the value of a key from the registry (SCRIPT)

      • POWERPNT.EXE (PID: 2528)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Setup_BrightSlide_1.0.7.exe (PID: 3972)
      • Setup_BrightSlide_1.0.7.tmp (PID: 3988)
      • BrightSlide Assets.exe (PID: 4056)
    • Reads the Windows owner or organization settings

      • Setup_BrightSlide_1.0.7.tmp (PID: 3988)
      • BrightSlide Assets.exe (PID: 4056)
      • msiexec.exe (PID: 1120)
    • Reads security settings of Internet Explorer

      • BrightSlide Assets.exe (PID: 4056)
      • Setup_BrightSlide_1.0.7.tmp (PID: 3988)
    • Checks Windows Trust Settings

      • BrightSlide Assets.exe (PID: 4056)
      • msiexec.exe (PID: 1120)
    • Reads settings of System Certificates

      • BrightSlide Assets.exe (PID: 4056)
    • Reads the Internet Settings

      • Setup_BrightSlide_1.0.7.tmp (PID: 3988)
    • Executes as Windows Service

      • VSSVC.exe (PID: 2136)
    • Executes WMI query (SCRIPT)

      • POWERPNT.EXE (PID: 2528)
    • Accesses WMI object, sets custom ImpersonationLevel (SCRIPT)

      • POWERPNT.EXE (PID: 2528)
  • INFO

    • Checks supported languages

      • Setup_BrightSlide_1.0.7.exe (PID: 3972)
      • Setup_BrightSlide_1.0.7.tmp (PID: 3988)
      • BrightSlide Assets.exe (PID: 4056)
      • msiexec.exe (PID: 1120)
      • msiexec.exe (PID: 112)
      • msiexec.exe (PID: 1596)
      • wmpnscfg.exe (PID: 1976)
    • Reads the computer name

      • Setup_BrightSlide_1.0.7.tmp (PID: 3988)
      • msiexec.exe (PID: 1120)
      • msiexec.exe (PID: 112)
      • BrightSlide Assets.exe (PID: 4056)
      • msiexec.exe (PID: 1596)
      • wmpnscfg.exe (PID: 1976)
    • Create files in a temporary directory

      • Setup_BrightSlide_1.0.7.exe (PID: 3972)
      • Setup_BrightSlide_1.0.7.tmp (PID: 3988)
      • msiexec.exe (PID: 1120)
    • Reads the machine GUID from the registry

      • Setup_BrightSlide_1.0.7.tmp (PID: 3988)
      • msiexec.exe (PID: 1120)
      • BrightSlide Assets.exe (PID: 4056)
      • msiexec.exe (PID: 1596)
      • msiexec.exe (PID: 112)
    • Creates files or folders in the user directory

      • Setup_BrightSlide_1.0.7.tmp (PID: 3988)
      • BrightSlide Assets.exe (PID: 4056)
      • msiexec.exe (PID: 1120)
    • Creates a software uninstall entry

      • Setup_BrightSlide_1.0.7.tmp (PID: 3988)
      • msiexec.exe (PID: 1120)
    • Reads the software policy settings

      • BrightSlide Assets.exe (PID: 4056)
      • msiexec.exe (PID: 1120)
      • msiexec.exe (PID: 1872)
    • Application launched itself

      • msiexec.exe (PID: 1120)
    • Reads Environment values

      • BrightSlide Assets.exe (PID: 4056)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 1120)
    • Reads mouse settings

      • POWERPNT.EXE (PID: 2528)
    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 1872)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 1976)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (67.7)
.exe | Win32 EXE PECompact compressed (generic) (25.6)
.exe | Win32 Executable (generic) (2.7)
.exe | Win16/32 Executable Delphi generic (1.2)
.exe | Generic Win/DOS Executable (1.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:06:03 08:09:11+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 741376
InitializedDataSize: 131584
UninitializedDataSize: -
EntryPoint: 0xb5eec
OSVersion: 6.1
ImageVersion: 6
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: BrightCarbon
FileDescription: BrightSlide Setup
FileVersion:
LegalCopyright: Copyright (c) 2019-2022 BrightCarbon Ltd. and 2011-2018 YOUpresent Ltd.
OriginalFileName:
ProductName: BrightSlide
ProductVersion: 1.0.7
No data.
All screenshots are available in the full report
Total processes: 45
Monitored processes: 10
Malicious processes: 5
Suspicious processes: 0

Behavior graph

Process chain as shown in the graph (entries marked "no specs" carry no specific signatures in the report):
  • start
  • setup_brightslide_1.0.7.exe
  • setup_brightslide_1.0.7.tmp
  • brightslide assets.exe
  • msiexec.exe
  • msiexec.exe (no specs)
  • msiexec.exe (no specs)
  • vssvc.exe (no specs)
  • msiexec.exe (no specs)
  • powerpnt.exe (no specs)
  • wmpnscfg.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 112
CMD: C:\Windows\system32\MsiExec.exe -Embedding 0EC1DF8E86DB6EA474A751B13376F422 C
Path: C:\Windows\System32\msiexec.exe
Parent process: msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 1120
CMD: C:\Windows\system32\msiexec.exe /V
Path: C:\Windows\System32\msiexec.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 1596
CMD: C:\Windows\system32\MsiExec.exe -Embedding B6FC24C74D189931274827D39F0E6D1C
Path: C:\Windows\System32\msiexec.exe
Parent process: msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 1872
CMD: "C:\Windows\system32\msiexec.exe" /i "C:\Users\admin\AppData\Roaming\BrightCarbon\BrightSlide Assets 1.0.1\install\BrightSlide Assets.msi" AI_SETUPEXEPATH="C:\Users\admin\AppData\Local\Temp\is-JTDIA.tmp\BrightSlide Assets.exe" SETUPEXEDIR=C:\Users\admin\AppData\Local\Temp\is-JTDIA.tmp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1715781885 "
Path: C:\Windows\System32\msiexec.exe
Parent process: BrightSlide Assets.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 1976
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 2136
CMD: C:\Windows\system32\vssvc.exe
Path: C:\Windows\System32\VSSVC.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 2528
CMD: "C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE"
Path: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE
Parent process: Setup_BrightSlide_1.0.7.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft PowerPoint
Version:
14.0.6009.1000
Modules
Images
c:\program files\microsoft office\office14\powerpnt.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\program files\microsoft office\office14\ppcore.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 3972
CMD: "C:\Users\admin\AppData\Local\Temp\Setup_BrightSlide_1.0.7.exe"
Path: C:\Users\admin\AppData\Local\Temp\Setup_BrightSlide_1.0.7.exe
Parent process: explorer.exe
User:
admin
Company:
BrightCarbon
Integrity Level:
MEDIUM
Description:
BrightSlide Setup
Exit code:
0
Version:
Modules
Images
c:\users\admin\appdata\local\temp\setup_brightslide_1.0.7.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 3988
CMD: "C:\Users\admin\AppData\Local\Temp\is-EQIP3.tmp\Setup_BrightSlide_1.0.7.tmp" /SL5="$20138,12269787,873984,C:\Users\admin\AppData\Local\Temp\Setup_BrightSlide_1.0.7.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-EQIP3.tmp\Setup_BrightSlide_1.0.7.tmp
Parent process: Setup_BrightSlide_1.0.7.exe
User:
admin
Company:
BrightCarbon
Integrity Level:
MEDIUM
Description:
Setup/Uninstall
Exit code:
0
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-eqip3.tmp\setup_brightslide_1.0.7.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\mpr.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 4056
CMD: "C:\Users\admin\AppData\Local\Temp\is-JTDIA.tmp\BrightSlide Assets.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-JTDIA.tmp\BrightSlide Assets.exe
Parent process: Setup_BrightSlide_1.0.7.tmp
User:
admin
Company:
BrightCarbon
Integrity Level:
MEDIUM
Description:
BrightSlide Assets Installer
Exit code:
0
Version:
1.0.1
Modules
Images
c:\users\admin\appdata\local\temp\is-jtdia.tmp\brightslide assets.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
Total events: 20 423
Read events: 20 040
Write events: 360
Delete events: 23

Modification events

(PID) Process: (3988) Setup_BrightSlide_1.0.7.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: Owner
Value:
940F0000ACF15952D3A6DA01

(PID) Process: (3988) Setup_BrightSlide_1.0.7.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: SessionHash
Value:
416807EA5E8B734642EBEA00927E785E7E02379FC896BFC6E45625AEFBFC3625

(PID) Process: (3988) Setup_BrightSlide_1.0.7.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: Sequence
Value:
1

(PID) Process: (3988) Setup_BrightSlide_1.0.7.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: RegFiles0000
Value:
C:\Users\admin\AppData\Local\Temp\is-JTDIA.tmp\BrightSlide Assets.exe

(PID) Process: (3988) Setup_BrightSlide_1.0.7.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: RegFilesHash
Value:
02B19BDADD14E7E692BE1FCC19DE920C76508CDBC6E28ED1B6A5EAF4E22390DC

(PID) Process: (3988) Setup_BrightSlide_1.0.7.tmp
Key: HKEY_CURRENT_USER\Software\VB and VBA Program Settings\BrightSlide\Configuration
Operation: write
Name: Install Folder
Value:
C:\Users\admin\AppData\Roaming\Microsoft\AddIns\BrightCarbon\BrightSlide

(PID) Process: (3988) Setup_BrightSlide_1.0.7.tmp
Key: HKEY_CURRENT_USER\Software\VB and VBA Program Settings\BrightSlide\Configuration
Operation: write
Name: Version
Value:
1.0.7

(PID) Process: (3988) Setup_BrightSlide_1.0.7.tmp
Key: HKEY_CURRENT_USER\Software\VB and VBA Program Settings\BrightSlide\Configuration
Operation: write
Name: Build
Value:
09NOV2023 11:17

(PID) Process: (3988) Setup_BrightSlide_1.0.7.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\PowerPoint\AddIns\BrightSlide
Operation: write
Name: AutoLoad
Value:
1

(PID) Process: (3988) Setup_BrightSlide_1.0.7.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\PowerPoint\AddIns\BrightSlide
Operation: write
Name: Path
Value:
C:\Users\admin\AppData\Roaming\Microsoft\AddIns\BrightCarbon\BrightSlide\BrightSlide.ppam
Executable files: 14
Suspicious files: 24
Text files: 58
Unknown types: 0

Dropped files

PID
Process
Filename
Type
PID: 3972 | Process: Setup_BrightSlide_1.0.7.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\is-EQIP3.tmp\Setup_BrightSlide_1.0.7.tmp
MD5: D20887D1DC979D16588BD1DBF80E5B33
SHA256: 0576A0D61750C2DD195B85F4281D108048B4581A2314626517E8BD8258E70434

PID: 3988 | Process: Setup_BrightSlide_1.0.7.tmp | Type: executable
Filename: C:\Users\admin\AppData\Roaming\Microsoft\AddIns\BrightCarbon\BrightSlide\is-ND5FA.tmp
MD5: 2B9696BCCC56757D75CE956D8E0A9405
SHA256: 60071042B047F3B9C4F849BFA9FECC4439B5B09B936F150EC17E4A86901F08B5

PID: 3988 | Process: Setup_BrightSlide_1.0.7.tmp | Type: binary
Filename: C:\Users\admin\AppData\Roaming\Microsoft\AddIns\BrightCarbon\BrightSlide\painter.cur
MD5: 7C2AA873AD45DAFB7489AAB897697E01
SHA256: 93C2C200688FC46B12CC33033CBE451064BDB4B8D8D838FA6F7B0492FC1D44AB

PID: 3988 | Process: Setup_BrightSlide_1.0.7.tmp | Type: document
Filename: C:\Users\admin\AppData\Roaming\Microsoft\AddIns\BrightCarbon\BrightSlide\is-01OKI.tmp
MD5: 9A5D4F819C30B26E19E9D819AD6984C0
SHA256: C92764ED8F5D1196688A6486D89FFA9A68C812081A6380DFE81F6BA3EF6D8251

PID: 3988 | Process: Setup_BrightSlide_1.0.7.tmp | Type: document
Filename: C:\Users\admin\AppData\Roaming\Microsoft\AddIns\BrightCarbon\BrightSlide\is-AFVNF.tmp
MD5: C7773094D9C3B9174EDEF5AEFA0B420B
SHA256: 134F555EB8A6A8EAF1FFE2F1FFCFCB64E7EFDF395D4F5D27DF755E17A95158C6

PID: 3988 | Process: Setup_BrightSlide_1.0.7.tmp | Type: document
Filename: C:\Users\admin\AppData\Roaming\Microsoft\AddIns\BrightCarbon\BrightSlide\BrightSlide.ppam
MD5: C7773094D9C3B9174EDEF5AEFA0B420B
SHA256: 134F555EB8A6A8EAF1FFE2F1FFCFCB64E7EFDF395D4F5D27DF755E17A95158C6

PID: 3988 | Process: Setup_BrightSlide_1.0.7.tmp | Type: binary
Filename: C:\Users\admin\AppData\Roaming\Microsoft\AddIns\BrightCarbon\BrightSlide\is-899B9.tmp
MD5: 7C2AA873AD45DAFB7489AAB897697E01
SHA256: 93C2C200688FC46B12CC33033CBE451064BDB4B8D8D838FA6F7B0492FC1D44AB

PID: 3988 | Process: Setup_BrightSlide_1.0.7.tmp | Type: document
Filename: C:\Users\admin\AppData\Roaming\Microsoft\AddIns\BrightCarbon\BrightSlide\BrightSlide Helper.ppam
MD5: 9A5D4F819C30B26E19E9D819AD6984C0
SHA256: C92764ED8F5D1196688A6486D89FFA9A68C812081A6380DFE81F6BA3EF6D8251

PID: 3988 | Process: Setup_BrightSlide_1.0.7.tmp | Type: executable
Filename: C:\Users\admin\AppData\Roaming\Microsoft\AddIns\BrightCarbon\BrightSlide\unins000.exe
MD5: 2B9696BCCC56757D75CE956D8E0A9405
SHA256: 60071042B047F3B9C4F849BFA9FECC4439B5B09B936F150EC17E4A86901F08B5

PID: 3988 | Process: Setup_BrightSlide_1.0.7.tmp | Type: document
Filename: C:\Users\admin\AppData\Roaming\BrightSlide\MyAnimations.pptx
MD5: A2C2EDDFFE9F7AFFD850FAD93778A60C
SHA256: E2E7A5C919BA28D24E156CADF0AAB796144824DC7503F428FF009FDB9403164A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 2
Threats: 0

HTTP requests

No HTTP requests

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation (Domain, ASN and CN are empty for every row in this report)

PID: (not present in the extracted report) | Process: (not present in the extracted report) | IP: 224.0.0.252:5355 | Reputation: unknown
PID: 4 | Process: System | IP: 192.168.100.255:138 | Reputation: unknown
PID: 4 | Process: System | IP: 192.168.100.255:137 | Reputation: whitelisted

DNS requests

Columns: Domain | IP | Reputation

Domain: brightcarbon.com | IP: 67.205.165.18 | Reputation: whitelisted

Threats

No threats detected
No debug info