File name: | VM_0131_05_2018.pptx |
Full analysis: | https://app.any.run/tasks/b9925b66-754e-4038-8b27-6ed121ab4c19 |
Verdict: | Malicious activity |
Analysis date: | December 02, 2019, 20:43:53 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | CD2EB32A5BEC47E2CFA21F8F77CB531F |
SHA1: | 1562C6C0709D91B76F1C156E8CDC00EEF1C4F043 |
SHA256: | 43C0649A6428EBF5627285CEF451AE3235145E7FFF430368CD806998B59D3AC5 |
SSDEEP: | 3072:vEbWShumh6QYYw+TQSCatsSSKGBhJuaEvrJkAwc6J+NWe:nOuiG5+TFCats7Kah8Ng3e |
.pptx | | | PowerPoint Microsoft Office Open XML Format document (87) |
---|---|---|
.zip | | | Open Packaging Conventions container (10.5) |
.zip | | | ZIP compressed archive (2.4) |
AppVersion: | 16.0014 |
---|---|
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
TitlesOfParts: |
|
HeadingPairs: |
|
ScaleCrop: | No |
MMClips: | - |
HiddenSlides: | - |
Notes: | - |
Slides: | 1 |
Paragraphs: | 1 |
PresentationFormat: | On-screen Show (4:3) |
Application: | Microsoft Macintosh PowerPoint |
Words: | 7 |
TotalEditTime: | 33 minutes |
ModifyDate: | 2018:06:21 08:42:27Z |
CreateDate: | 2014:07:08 19:45:52Z |
RevisionNumber: | 7 |
LastModifiedBy: | KB4 |
Creator: | KnowBe4 |
---|---|
Title: | YOU MUST OPEN THIS FILE IN POWERPOINT AND ENABLE EDITING TO VIEW THIS PRESENTATION |
ZipFileName: | docProps/thumbnail.jpeg |
---|---|
ZipUncompressedSize: | 14282 |
ZipCompressedSize: | 11742 |
ZipCRC: | 0x27dbb79b |
ZipModifyDate: | 2019:11:29 18:32:01 |
ZipCompression: | Deflated |
ZipBitFlag: | - |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2108 | "C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\admin\AppData\Local\Temp\VM_0131_05_2018.pptx" | C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft PowerPoint Version: 14.0.6009.1000 |
(PID) Process: | (2108) POWERPNT.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\PowerPoint\Resiliency\StartupItems |
Operation: | write | Name: | 6=f |
Value: 363D66003C080000010000000000000000000000 | |||
(PID) Process: | (2108) POWERPNT.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1033 |
Value: Off | |||
(PID) Process: | (2108) POWERPNT.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1041 |
Value: Off | |||
(PID) Process: | (2108) POWERPNT.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1046 |
Value: Off | |||
(PID) Process: | (2108) POWERPNT.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1036 |
Value: Off | |||
(PID) Process: | (2108) POWERPNT.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1031 |
Value: Off | |||
(PID) Process: | (2108) POWERPNT.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1040 |
Value: Off | |||
(PID) Process: | (2108) POWERPNT.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1049 |
Value: Off | |||
(PID) Process: | (2108) POWERPNT.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 3082 |
Value: Off | |||
(PID) Process: | (2108) POWERPNT.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
Operation: | write | Name: | PPTFiles |
Value: 1333919768 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2108 | POWERPNT.EXE | C:\Users\admin\AppData\Local\Temp\CVRB2D0.tmp.cvr | — | |
MD5:— | SHA256:— |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2108 | POWERPNT.EXE | GET | 200 | 54.89.33.68:80 | http://na01.safelinks.protection.outlook.com.url.protected-forms.com/XYWNf0aW9uPWcF0dGFjaGb1lbnQmudcmVjoaXBpZW50kX2dlkPTUzODMwMTgwMSZjiYW1wYWlnbl9ydW5faWQ9MjU5MzcxMQ== | US | — | — | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2108 | POWERPNT.EXE | 54.89.33.68:80 | na01.safelinks.protection.outlook.com.url.protected-forms.com | Amazon.com, Inc. | US | malicious |
Domain | IP | Reputation |
---|---|---|
na01.safelinks.protection.outlook.com.url.protected-forms.com |
| whitelisted |