| Field | Value |
|---|---|
| File name | Driftsrapport KL - september 2021.pptx |
| Full analysis | https://app.any.run/tasks/01471bc3-b04c-4bc6-afe4-bf81449676a4 |
| Verdict | Malicious activity |
| Analysis date | June 27, 2022, 10:37:55 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| MIME | application/vnd.openxmlformats-officedocument.presentationml.presentation |
| File info | Microsoft PowerPoint 2007+ |
| MD5 | B720DC5AF8BC6D4F82C6FCA44854DADA |
| SHA1 | 4B82A881BCBE4B406CF00E48570747AA7B48222A |
| SHA256 | BAE884D479B35C3D4B4E8B6CBF7CF5A08A8339C29EDFAD66B8FFEE9B9407BAE6 |
| SSDEEP | 196608:Z1YM7o/LxmXyCz+rh/jujwGn4FHpfXp9yOcAuwSyQ7eO3mam:Z1YcGxRCUZGMBX7wpVPm |
| Extension | Description |
|---|---|
| .pptx | PowerPoint Microsoft Office Open XML Format document (87) |
| .zip | Open Packaging Conventions container (10.5) |
| .zip | ZIP compressed archive (2.4) |
| Document property | Value |
|---|---|
| PBCListName | Mellombalanse 300921 |
| ContentTypeId | 0x010100CB7F4755ACEDBD4DBFFE8B13F8E00C64 |
| AppVersion | 16 |
| HyperlinksChanged | No |
| SharedDoc | No |
| LinksUpToDate | No |
| TitlesOfParts | |
| HeadingPairs | |
| ScaleCrop | No |
| MMClips | - |
| HiddenSlides | 1 |
| Notes | - |
| Slides | 16 |
| Paragraphs | 44 |
| PresentationFormat | Widescreen |
| Application | Microsoft Office PowerPoint |
| Words | 280 |
| TotalEditTime | 2.8 hours |
| Template | SB1 Mal.OLD |
| ModifyDate | 2021:10:21 15:17:19Z |
| CreateDate | 2021:08:04 07:27:40Z |
| RevisionNumber | 2 |
| LastModifiedBy | Ørjan Larsen |
| Creator | Ola Kjetil Siqveland |
| Title | Driftsrapport september 2021 |
| ZIP entry property | Value |
|---|---|
| ZipFileName | [Content_Types].xml |
| ZipUncompressedSize | 14441 |
| ZipCompressedSize | 927 |
| ZipCRC | 0x1c69c232 |
| ZipModifyDate | 1980:01:01 00:00:00 |
| ZipCompression | Deflated |
| ZipBitFlag | 0x0006 |
| ZipRequiredVersion | 20 |
| PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 3132 | "C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\admin\AppData\Local\Temp\Driftsrapport KL - september 2021.pptx" | C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE | | Explorer.EXE |

Process details: User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft PowerPoint; Version: 14.0.6009.1000
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3132 | POWERPNT.EXE | C:\Users\admin\AppData\Local\Temp\CVRE71B.tmp.cvr | — | — | — |
| 3132 | POWERPNT.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\52F7CCDC.emf | emf | AD4D9A3B739F43E644966321DE8FC61E | 1EDBA89A4483938D1141E8211E0B841F81D408710A8BD8EEEDF2C01736511D83 |
| 3132 | POWERPNT.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\593B2.emf | emf | B3DC9D22CA5655D8C00968EACC00E0CC | 7442B15CEAA282ACBE8DA9A03E86E0546026C2F14F7A3C49FA9DE9B2753CE8E2 |
| 3132 | POWERPNT.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1E17AD51.emf | emf | 78BC6AAD14308A805DDADB42FE40CAEB | 479064EB63A893A9B0F98ABF33D89EB3165338F6C1DA305808A1B420F2C5A6E1 |
| 3132 | POWERPNT.EXE | C:\Users\admin\AppData\Local\Temp\{6DC75594-E187-4289-A8E6-4B8C579C5708} | binary | 2ABDD6C34B236976D029AE1CE182F1E2 | DD5D1621EA1401E1519BA5BB14B332154835247A79CEC3A6DCB6B1AD97D61BA1 |
| 3132 | POWERPNT.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2F23D0F5E4D72862517E1CB26A329742_F6FACC49395CFA949BCE851E73323C49 | der | 146D41CD6125622138EBAC996AA72EDD | E0D600F9C6B9745C7208513B5679676ADD60855CE4EC03B3A65E57E27F08448E |
| 3132 | POWERPNT.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E32B131E.emf | emf | 0C03D4DCAFB8D1B6D2FB33202538AA36 | E960206BED4DC07FF8715E073DF7CBDB7A43CCEDA8BBA84256335DE0FBE91B40 |
| 3132 | POWERPNT.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A5836C0B.emf | emf | 6DC8280B866A8D52A9FD70F775BC5F03 | 0DC50AEF17D57248E68AF483388004274AEFDC70552CB93F7B5C4508448340FD |
| 3132 | POWERPNT.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\676EB34A.emf | emf | E475756C48EEA82084361A2DAC543CDF | 45539093B6C96269EEA5B4E6024B786A36B7F40683253C03FF293342C869B431 |
| 3132 | POWERPNT.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\51CBDE90.emf | emf | F4C990188BE106AC123D9F6C2F46FE5C | 60E0E65A42D0E10D6289E7A9EB2DAB3B8AEE9164BFA28AF7DE98BB6FDA6C6CFE |
| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 3132 | POWERPNT.EXE | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAGewca9P1l7sgwzOOVR2Hc%3D | US | der | 471 b | whitelisted |
| 3132 | POWERPNT.EXE | GET | 200 | 209.197.3.8:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?1cc94ab2054b3f32 | US | compressed | 4.70 Kb | whitelisted |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 3132 | POWERPNT.EXE | 209.197.3.8:80 | ctldl.windowsupdate.com | Highwinds Network Group, Inc. | US | whitelisted |
| 3132 | POWERPNT.EXE | 13.107.136.9:443 | sb1bv.sharepoint.com | Microsoft Corporation | US | whitelisted |
| 3132 | POWERPNT.EXE | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
| Domain | IP | Reputation |
|---|---|---|
| sb1bv.sharepoint.com | | suspicious |
| ctldl.windowsupdate.com | | whitelisted |
| ocsp.digicert.com | | whitelisted |