File name: PowerPoint.exe

Full analysis: https://app.any.run/tasks/fae74a9b-732b-402e-a9f8-14a2e0c4e186
Verdict: Malicious activity
Analysis date: October 29, 2023, 19:15:53
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 70108103A53123201CEB2E921FCFE83C
SHA1: C71799A6A6D09EE758B04CDF90A4AB76FBD2A7E3
SHA256: 9C3F8DF80193C085912C9950C58051AE77C321975784CC069CEACD4F57D5861D
SSDEEP: 1536:3VrdxBvcGdDHHtWv8udA1JYREgJ/qEOpsChnU4V1lyqHv4vAmOG9HSDKRppppp5B:1H5D0dSgo7ppTV1lyqPOAmOG9HSOD

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • PowerPoint.exe (PID: 948)
    • Application was dropped or rewritten from another process

      • sys3.exe (PID: 3800)
      • PowerPoint.exe (PID: 948)
      • PowerPoint.exe (PID: 556)
  • SUSPICIOUS

    • Application launched itself

      • PowerPoint.exe (PID: 556)
    • Reads the Internet Settings

      • PowerPoint.exe (PID: 556)
    • Starts itself from another location

      • PowerPoint.exe (PID: 948)
  • INFO

    • Checks supported languages

      • PowerPoint.exe (PID: 556)
      • PowerPoint.exe (PID: 948)
      • sys3.exe (PID: 3800)
    • Reads the computer name

      • PowerPoint.exe (PID: 556)
      • sys3.exe (PID: 3800)
    • Create files in a temporary directory

      • PowerPoint.exe (PID: 948)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (43.5)
.exe | Win32 Executable (generic) (29.8)
.exe | Generic Win/DOS Executable (13.2)
.exe | DOS Executable Generic (13.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:05:23 12:56:07+02:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 7.1
CodeSize: 3072
InitializedDataSize: 135168
UninitializedDataSize: -
EntryPoint: 0x1671
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 45
Monitored processes: 3
Malicious processes: 3
Suspicious processes: 0

Behavior graph (image not included in this extract; nodes: start, powerpoint.exe (no specs), powerpoint.exe, "drop and start", sys3.exe (no specs))

Process information

PID: 556
CMD: "C:\Users\admin\AppData\Local\Temp\PowerPoint.exe"
Path: C:\Users\admin\AppData\Local\Temp\PowerPoint.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 1073807364
Modules (Images):
  c:\users\admin\appdata\local\temp\powerpoint.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll

PID: 948
CMD: "C:\Users\admin\AppData\Local\Temp\PowerPoint.exe"
Path: C:\Users\admin\AppData\Local\Temp\PowerPoint.exe
Parent process: PowerPoint.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (Images):
  c:\users\admin\appdata\local\temp\powerpoint.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\crtdll.dll
  c:\windows\system32\advapi32.dll

PID: 3800
CMD: C:\Users\admin\AppData\Local\Temp\\sys3.exe
Path: C:\Users\admin\AppData\Local\Temp\sys3.exe
Parent process: PowerPoint.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (Images):
  c:\users\admin\appdata\local\temp\sys3.exe
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\ntdll.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\crtdll.dll
Total events: 718
Read events: 710
Write events: 8
Delete events: 0

Modification events

(PID) Process: (556) PowerPoint.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (556) PowerPoint.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (556) PowerPoint.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (556) PowerPoint.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0
Executable files: 1
Suspicious files: 0
Text files: 1
Unknown types: 0

Dropped files

PID: 948
Process: PowerPoint.exe
Filename: C:\Users\admin\AppData\Local\Temp\systm.txt
Type: text
MD5: 2FCE40238CF82A7EEEE91CCEC899E60A
SHA256: 775A5746D370D2FA564524227FB2D1E790F82ADF9D30D4A7091F13F4E8282F5D

PID: 948
Process: PowerPoint.exe
Filename: C:\Users\admin\AppData\Local\Temp\sys3.exe
Type: executable
MD5: 70108103A53123201CEB2E921FCFE83C
SHA256: 9C3F8DF80193C085912C9950C58051AE77C321975784CC069CEACD4F57D5861D

Note: the MD5 and SHA256 of the dropped sys3.exe are identical to those of the submitted PowerPoint.exe, so the "dropped" executable is a byte-for-byte copy of the sample itself.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 5
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID   | Process     | IP                     | Domain | ASN | CN | Reputation
4     | System      | 192.168.100.255:137    | -      | -   | -  | whitelisted
1088  | svchost.exe | 224.0.0.252:5355       | -      | -   | -  | unknown
4     | System      | 192.168.100.255:138    | -      | -   | -  | whitelisted
2656  | svchost.exe | 239.255.255.250:1900   | -      | -   | -  | whitelisted

Note: none of these connections originate from the monitored processes (PIDs 556, 948, 3800); they are the guest OS's own local broadcast and multicast traffic (NetBIOS name and datagram service on 137/138, LLMNR on 5355, SSDP on 1900), not network activity attributable to the sample.

DNS requests

No data

Threats

No threats detected
No debug info