File name: Setup_BrightSlide_1.0.7.exe
Full analysis: https://app.any.run/tasks/c9103bfd-5db5-4d0e-ad78-68c9e52658ab
Verdict: Malicious activity
Analysis date: June 19, 2024, 12:46:19
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: raw-disk-access
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 90849C06198630E83768383B1127A403
SHA1: 42621592EA75245565020EAC04330E6DBD7EB51F
SHA256: 1A7F1B0561A5C25C57C05BF1862C1EBD03EEC6B0735ED28FDE163CDA73F56CA6
SSDEEP: 196608:hSZzjSDh2ongS2vljKdJ/wkdFGfQLu4z4:BDh2qyvFuzdc4L5k

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for the user's acknowledgement. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • Setup_BrightSlide_1.0.7.exe (PID: 3400)
      • Setup_BrightSlide_1.0.7.tmp (PID: 3332)
      • BrightSlide Assets.exe (PID: 2732)
      • msiexec.exe (PID: 2108)
    • Reads the value of a key from the registry (SCRIPT)

      • POWERPNT.EXE (PID: 4012)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Setup_BrightSlide_1.0.7.exe (PID: 3400)
      • Setup_BrightSlide_1.0.7.tmp (PID: 3332)
      • BrightSlide Assets.exe (PID: 2732)
    • Reads the Windows owner or organization settings

      • Setup_BrightSlide_1.0.7.tmp (PID: 3332)
      • BrightSlide Assets.exe (PID: 2732)
      • msiexec.exe (PID: 2108)
    • Checks Windows Trust Settings

      • BrightSlide Assets.exe (PID: 2732)
      • msiexec.exe (PID: 2108)
    • Reads security settings of Internet Explorer

      • BrightSlide Assets.exe (PID: 2732)
      • Setup_BrightSlide_1.0.7.tmp (PID: 3332)
    • Reads settings of System Certificates

      • BrightSlide Assets.exe (PID: 2732)
    • Reads the Internet Settings

      • Setup_BrightSlide_1.0.7.tmp (PID: 3332)
    • Accesses WMI object, sets custom ImpersonationLevel (SCRIPT)

      • POWERPNT.EXE (PID: 4012)
    • Executes as Windows Service

      • VSSVC.exe (PID: 940)
    • Raw disk access

      • VSSVC.exe (PID: 940)
    • Executes WMI query (SCRIPT)

      • POWERPNT.EXE (PID: 4012)
  • INFO

    • Create files in a temporary directory

      • Setup_BrightSlide_1.0.7.exe (PID: 3400)
      • Setup_BrightSlide_1.0.7.tmp (PID: 3332)
      • msiexec.exe (PID: 2108)
    • Checks supported languages

      • Setup_BrightSlide_1.0.7.exe (PID: 3400)
      • Setup_BrightSlide_1.0.7.tmp (PID: 3332)
      • wmpnscfg.exe (PID: 3428)
      • BrightSlide Assets.exe (PID: 2732)
      • msiexec.exe (PID: 3144)
      • msiexec.exe (PID: 2108)
      • msiexec.exe (PID: 3920)
    • Reads the computer name

      • Setup_BrightSlide_1.0.7.tmp (PID: 3332)
      • wmpnscfg.exe (PID: 3428)
      • BrightSlide Assets.exe (PID: 2732)
      • msiexec.exe (PID: 2108)
      • msiexec.exe (PID: 3144)
      • msiexec.exe (PID: 3920)
    • Reads the machine GUID from the registry

      • Setup_BrightSlide_1.0.7.tmp (PID: 3332)
      • BrightSlide Assets.exe (PID: 2732)
      • msiexec.exe (PID: 2108)
      • msiexec.exe (PID: 3144)
      • msiexec.exe (PID: 3920)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 3428)
    • Creates files or folders in the user directory

      • Setup_BrightSlide_1.0.7.tmp (PID: 3332)
      • BrightSlide Assets.exe (PID: 2732)
      • msiexec.exe (PID: 2108)
    • Creates a software uninstall entry

      • Setup_BrightSlide_1.0.7.tmp (PID: 3332)
      • msiexec.exe (PID: 2108)
    • Reads Environment values

      • BrightSlide Assets.exe (PID: 2732)
    • Reads the software policy settings

      • BrightSlide Assets.exe (PID: 2732)
      • msiexec.exe (PID: 2948)
      • msiexec.exe (PID: 2108)
    • Application launched itself

      • msiexec.exe (PID: 2108)
    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 2948)
    • Reads mouse settings

      • POWERPNT.EXE (PID: 4012)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 2108)
No Malware configuration.

TRiD

.exe | Inno Setup installer (67.7)
.exe | Win32 EXE PECompact compressed (generic) (25.6)
.exe | Win32 Executable (generic) (2.7)
.exe | Win16/32 Executable Delphi generic (1.2)
.exe | Generic Win/DOS Executable (1.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:06:03 08:09:11+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 741376
InitializedDataSize: 131584
UninitializedDataSize: -
EntryPoint: 0xb5eec
OSVersion: 6.1
ImageVersion: 6
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: BrightCarbon
FileDescription: BrightSlide Setup
FileVersion:
LegalCopyright: Copyright (c) 2019-2022 BrightCarbon Ltd. and 2011-2018 YOUpresent Ltd.
OriginalFileName:
ProductName: BrightSlide
ProductVersion: 1.0.7
Total processes: 49
Monitored processes: 10
Malicious processes: 5
Suspicious processes: 0


Process information

PID: 940
CMD: C:\Windows\system32\vssvc.exe
Path: C:\Windows\System32\VSSVC.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 2108
CMD: C:\Windows\system32\msiexec.exe /V
Path: C:\Windows\System32\msiexec.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 2732
CMD: "C:\Users\admin\AppData\Local\Temp\is-4J18P.tmp\BrightSlide Assets.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-4J18P.tmp\BrightSlide Assets.exe
Parent process: Setup_BrightSlide_1.0.7.tmp
User:
admin
Company:
BrightCarbon
Integrity Level:
MEDIUM
Description:
BrightSlide Assets Installer
Exit code:
0
Version:
1.0.1
Modules
Images
c:\users\admin\appdata\local\temp\is-4j18p.tmp\brightslide assets.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
PID: 2948
CMD: "C:\Windows\system32\msiexec.exe" /i "C:\Users\admin\AppData\Roaming\BrightCarbon\BrightSlide Assets 1.0.1\install\BrightSlide Assets.msi" AI_SETUPEXEPATH="C:\Users\admin\AppData\Local\Temp\is-4J18P.tmp\BrightSlide Assets.exe" SETUPEXEDIR=C:\Users\admin\AppData\Local\Temp\is-4J18P.tmp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1718800865 "
Path: C:\Windows\System32\msiexec.exe
Parent process: BrightSlide Assets.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 3144
CMD: C:\Windows\system32\MsiExec.exe -Embedding 15DFA591B2A3F5D096E9D04232595CAD C
Path: C:\Windows\System32\msiexec.exe
Parent process: msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 3332
CMD: "C:\Users\admin\AppData\Local\Temp\is-PV85T.tmp\Setup_BrightSlide_1.0.7.tmp" /SL5="$6015A,12269787,873984,C:\Users\admin\AppData\Local\Temp\Setup_BrightSlide_1.0.7.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-PV85T.tmp\Setup_BrightSlide_1.0.7.tmp
Parent process: Setup_BrightSlide_1.0.7.exe
User:
admin
Company:
BrightCarbon
Integrity Level:
MEDIUM
Description:
Setup/Uninstall
Exit code:
0
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-pv85t.tmp\setup_brightslide_1.0.7.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\mpr.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 3400
CMD: "C:\Users\admin\AppData\Local\Temp\Setup_BrightSlide_1.0.7.exe"
Path: C:\Users\admin\AppData\Local\Temp\Setup_BrightSlide_1.0.7.exe
Parent process: explorer.exe
User:
admin
Company:
BrightCarbon
Integrity Level:
MEDIUM
Description:
BrightSlide Setup
Exit code:
0
Version:
Modules
Images
c:\users\admin\appdata\local\temp\setup_brightslide_1.0.7.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 3428
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 3920
CMD: C:\Windows\system32\MsiExec.exe -Embedding A01905177D1747272729D933033FC04D
Path: C:\Windows\System32\msiexec.exe
Parent process: msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 4012
CMD: "C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE"
Path: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE
Parent process: Setup_BrightSlide_1.0.7.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft PowerPoint
Version:
14.0.6009.1000
Modules
Images
c:\program files\microsoft office\office14\powerpnt.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\program files\microsoft office\office14\ppcore.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events: 24 802
Read events: 24 366
Write events: 413
Delete events: 23

Modification events

Process: (3332) Setup_BrightSlide_1.0.7.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: Owner
Value: 040D0000D8D734B346C2DA01

Process: (3332) Setup_BrightSlide_1.0.7.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: SessionHash
Value: 7FEC9109E67BF34C2D4105BE1BCF5C67635BF36A481944CF2947FD1D18224D67

Process: (3332) Setup_BrightSlide_1.0.7.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: Sequence
Value: 1

Process: (3332) Setup_BrightSlide_1.0.7.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: RegFiles0000
Value: C:\Users\admin\AppData\Local\Temp\is-4J18P.tmp\BrightSlide Assets.exe

Process: (3332) Setup_BrightSlide_1.0.7.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: RegFilesHash
Value: 98BD080C207D5186EDFF9D0870486471A73DDDC1F221F5F613268B7708A338C9

Process: (3332) Setup_BrightSlide_1.0.7.tmp
Key: HKEY_CURRENT_USER\Software\VB and VBA Program Settings\BrightSlide\Configuration
Operation: write
Name: Install Folder
Value: C:\Users\admin\AppData\Roaming\Microsoft\AddIns\BrightCarbon\BrightSlide

Process: (3332) Setup_BrightSlide_1.0.7.tmp
Key: HKEY_CURRENT_USER\Software\VB and VBA Program Settings\BrightSlide\Configuration
Operation: write
Name: Version
Value: 1.0.7

Process: (3332) Setup_BrightSlide_1.0.7.tmp
Key: HKEY_CURRENT_USER\Software\VB and VBA Program Settings\BrightSlide\Configuration
Operation: write
Name: Build
Value: 09NOV2023 11:17

Process: (3332) Setup_BrightSlide_1.0.7.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\PowerPoint\AddIns\BrightSlide
Operation: write
Name: AutoLoad
Value: 1

Process: (3332) Setup_BrightSlide_1.0.7.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\PowerPoint\AddIns\BrightSlide
Operation: write
Name: Path
Value: C:\Users\admin\AppData\Roaming\Microsoft\AddIns\BrightCarbon\BrightSlide\BrightSlide.ppam
Executable files: 14
Suspicious files: 25
Text files: 83
Unknown types: 0

Dropped files

PID: 3400 | Process: Setup_BrightSlide_1.0.7.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\is-PV85T.tmp\Setup_BrightSlide_1.0.7.tmp
MD5: D20887D1DC979D16588BD1DBF80E5B33
SHA256: 0576A0D61750C2DD195B85F4281D108048B4581A2314626517E8BD8258E70434

PID: 3332 | Process: Setup_BrightSlide_1.0.7.tmp | Type: document
Filename: C:\Users\admin\AppData\Roaming\Microsoft\AddIns\BrightCarbon\BrightSlide\is-957GH.tmp
MD5: C7773094D9C3B9174EDEF5AEFA0B420B
SHA256: 134F555EB8A6A8EAF1FFE2F1FFCFCB64E7EFDF395D4F5D27DF755E17A95158C6

PID: 3332 | Process: Setup_BrightSlide_1.0.7.tmp | Type: document
Filename: C:\Users\admin\AppData\Roaming\Microsoft\AddIns\BrightCarbon\BrightSlide\is-LRNKH.tmp
MD5: 9A5D4F819C30B26E19E9D819AD6984C0
SHA256: C92764ED8F5D1196688A6486D89FFA9A68C812081A6380DFE81F6BA3EF6D8251

PID: 3332 | Process: Setup_BrightSlide_1.0.7.tmp | Type: binary
Filename: C:\Users\admin\AppData\Roaming\Microsoft\AddIns\BrightCarbon\BrightSlide\is-AKKOQ.tmp
MD5: 7C2AA873AD45DAFB7489AAB897697E01
SHA256: 93C2C200688FC46B12CC33033CBE451064BDB4B8D8D838FA6F7B0492FC1D44AB

PID: 3332 | Process: Setup_BrightSlide_1.0.7.tmp | Type: binary
Filename: C:\Users\admin\AppData\Roaming\Microsoft\AddIns\BrightCarbon\BrightSlide\painter.cur
MD5: 7C2AA873AD45DAFB7489AAB897697E01
SHA256: 93C2C200688FC46B12CC33033CBE451064BDB4B8D8D838FA6F7B0492FC1D44AB

PID: 3332 | Process: Setup_BrightSlide_1.0.7.tmp | Type: executable
Filename: C:\Users\admin\AppData\Roaming\Microsoft\AddIns\BrightCarbon\BrightSlide\unins000.exe
MD5: 2B9696BCCC56757D75CE956D8E0A9405
SHA256: 60071042B047F3B9C4F849BFA9FECC4439B5B09B936F150EC17E4A86901F08B5

PID: 3332 | Process: Setup_BrightSlide_1.0.7.tmp | Type: executable
Filename: C:\Users\admin\AppData\Roaming\Microsoft\AddIns\BrightCarbon\BrightSlide\is-VARGC.tmp
MD5: 2B9696BCCC56757D75CE956D8E0A9405
SHA256: 60071042B047F3B9C4F849BFA9FECC4439B5B09B936F150EC17E4A86901F08B5

PID: 3332 | Process: Setup_BrightSlide_1.0.7.tmp | Type: image
Filename: C:\Users\admin\AppData\Roaming\Microsoft\AddIns\BrightCarbon\BrightSlide\alignToGuidesL.png
MD5: 196659E2912FD5E77331B3D8AC1F2125
SHA256: EDACE35A84228FC6AC89E0EFD3AC813F7E0148786E03D770F5759E63605A031A

PID: 3332 | Process: Setup_BrightSlide_1.0.7.tmp | Type: image
Filename: C:\Users\admin\AppData\Roaming\Microsoft\AddIns\BrightCarbon\BrightSlide\is-RRATA.tmp
MD5: 196659E2912FD5E77331B3D8AC1F2125
SHA256: EDACE35A84228FC6AC89E0EFD3AC813F7E0148786E03D770F5759E63605A031A

PID: 3332 | Process: Setup_BrightSlide_1.0.7.tmp | Type: image
Filename: C:\Users\admin\AppData\Roaming\Microsoft\AddIns\BrightCarbon\BrightSlide\is-VHEN9.tmp
MD5: 91E734D1E5BBA909C4901CA4D8D4D7AD
SHA256: 9DAE491F1C6651DC230A44F2112DAEDB8DBC17956CC7351A93F90AA5F493F589
HTTP(S) requests: 0
TCP/UDP connections: 7
DNS requests: 2
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1372 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
2564 | svchost.exe | 239.255.255.250:3702 | - | - | - | unknown
1060 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.104.136.2 | whitelisted
brightcarbon.com | 67.205.165.18 | whitelisted

Threats

No threats detected
No debug info