microsoft-powerpoint.exe

Ronen Kvurt

This is the installer for the WebPick InstalleRex download manager, which bundles applications with offers for additional third-party software, mostly unwanted adware, that may be installed without consent. The application microsoft-powerpoint.exe by Ronen Kvurt has been detected as adware by 1 anti-malware scanner, with very strong indications that the file is a potential threat. The file has been seen being downloaded from profficer.org.
Publisher:
Ronen Kvurt (signed and verified)

MD5:
50c5b09b5b98d17bf1c9ad590f516679

SHA-1:
6f398b1d63257ed0a0a86639676e6aefad3a2e15

SHA-256:
4a765f3f11cdffbb7f04c58f2fc498fbc3522c3cf541d9e73e185843ab1d7e08

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines has not detected this file; however, based on our own detection heuristics we consider this file unwanted.

Analysis date:
11/24/2024 3:58:22 PM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.WebPick (M)

Engine version:
16.10.20.22

File size:
1.1 MB (1,126,248 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\ProgramData\{4fce85e8-e529-1b7d-4fce-e85e8e5217a3}\microsoft-powerpoint.exe

Digital Signature
Signed by:

Authority:
Unizeto Technologies S.A.

Valid from:
5/14/2014 12:13:06 AM

Valid to:
5/14/2015 12:13:06 AM

Subject:
E=ronenkvurt@yahoo.com, CN=Ronen Kvurt, O=Ronen Kvurt, C=IL

Issuer:
CN=Certum Code Signing CA, OU=Certum Certification Authority, O=Unizeto Technologies S.A., C=PL

Serial number:
2FCC7E9A4043746064F138856B04DABB

File PE Metadata
Compilation timestamp:
11/20/2012 9:20:34 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
24576:EbrN5bUAj1HGMa2N7JOqqwKzbhLf03AWTsg70w:EbrNGYHASJOvlzlLizJ7

Entry address:
0xB69A9

Entry point:
E8, FE, 13, 00, 00, E9, 00, 00, 00, 00, 6A, 14, 68, 00, C7, 4F, 00, E8, 11, 19, 00, 00, E8, CB, 15, 00, 00, 0F, B7, F0, 6A, 02, E8, 91, 13, 00, 00, 59, B8, 4D, 5A, 00, 00, 66, 39, 05, 00, 00, 40, 00, 74, 04, 33, DB, EB, 33, A1, 3C, 00, 40, 00, 81, B8, 00, 00, 40, 00, 50, 45, 00, 00, 75, EB, B9, 0B, 01, 00, 00, 66, 39, 88, 18, 00, 40, 00, 75, DD, 33, DB, 83, B8, 74, 00, 40, 00, 0E, 76, 09, 39, 98, E8, 00, 40, 00, 0F, 95, C3, 89, 5D, E4, E8, 40, 03, 00, 00, 85, C0, 75, 08, 6A, 1C, E8, DC, 00, 00, 00, 59, E8...

Entropy:
7.4095

Code size:
751 KB (769,024 bytes)

User Start Menu Item
Name:
microsoft-powerpoint.exe


The file microsoft-powerpoint.exe has been seen being distributed by the following URL.

http://profficer.org/hp/?q=G54TNU7SqKmecEG xziW8 ABYAM8NBPZrXgjG2xdGqaya8XVMcXIYZ3AcgL 0dEO/0ME9HdPYZ8sCdNyxVmWtqbEiK9ee8KTAGvmPDJek8q61vfxc1N 4kqB6irZC9eDzuYP8O t3lrGUp2l5gQ1mQNpfGAWk6e8nYnODjn0JRfoi4oDSSv5H 8Q tPoLC8mPxRadWyEwLcbhzU55P7UZrAPT5M R6LNNsf24ZyopllUSHm2Z9aeqjArkBAuW0j9Xl3kRFTynOn2Llvzhx9dD1/lNS0TI8SqviIwUzmbyMi3I2YQ5OzlrBhUrs7wqz7NIuFSZaJa5RGQvTri WeOoxhQNZx0q9zs4ZWk9jvlat4KrNxfnFccxKt26FOBDVTq1sz6gxOsrua6bG/L5ICspMeOG9HF9rjYKlitAlO92tzhxNRT8S6PbqhHouVBi1CbeDtkMJSv1PoEmLwHCr9hKQmvaBxPctI7ITs1o7T2uD6Z9zgHverL6gdVCRc4qT5OrO4T7OvxfNRkveOEAn8S3av3SGo0Kl2AHtFU5KRHngs4BoNJ5ggNvLKS/bZsTlfp/2 2TNhb9yNRO0g/KjDDUuAwnbwFmQU9b4Y1AAS9AAZnFEzsHy6QfVGKegDgeB/kfysS7SuThMkxOQ6XcZkpbployARt/u6JAUydG04oPGKR8tlv7c4Cypx1KQoUIqqbaNNdawT3HaOd9e3yaa1j2iFtlFFVVFpSxYYzOTLPzBmSsQPIEBUzlYb Djon HJh3sXZsT62wp1Kmf9WtUe9nucAivp5r41 xveTOZVkKROR/C0LG2Lpx4KT4fnQaFOVfK7Y/h51bNoBwQZVDLcBksNlJ5qIUG8 Rja2uROPOuXGkhBZvngk12nGAKkJx8ovIV2la0O6Cve Q xfpLIbN4 /wO1ib8viGjik6JkF58XpQqO6APuhfKiXVTpnhE/.../DzSh

Remove microsoft-powerpoint.exe - Powered by Reason Core Security