File name: pivotAnimator_v4-2.exe

Full analysis: https://app.any.run/tasks/79f6d958-f734-4b5f-8804-82c4be81c563
Verdict: Malicious activity
Analysis date: May 12, 2021, 13:17:01
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: D83C1EF007189DED236D1080A4041E3B
SHA1: 7ED0835B3E09F9F7F823DD44A15B91BEFA41313D
SHA256: 034D7DAF285BD02CBCF85362A1DFC0B20034B09A16F6148CFE9D5A6620F9F3A7
SSDEEP: 6144:IzQoaJ0VKUy5uMZJmxZmmmmmmmm+vfRvXjq47g9FU3aJLU2bdfD94:g7/Y9uJQXVXjVEJJLbl94

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes settings of System certificates

      • pivotAnimator_v4-2.exe (PID: 3844)
      • cookie_mmm_irs_ppi_005_888_d.exe (PID: 3096)
    • Drops executable file immediately after starts

      • pivot_v4-2.exe (PID: 3736)
    • Application was dropped or rewritten from another process

      • cookie_mmm_irs_ppi_005_888_d.exe (PID: 3096)
      • saBSI.exe (PID: 3060)
      • pivot.exe (PID: 1728)
      • pivot_v4-2.exe (PID: 3736)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • pivotAnimator_v4-2.exe (PID: 3844)
      • pivot_v4-2.exe (PID: 3736)
      • pivot_v4-2.tmp (PID: 1724)
    • Low-level read access rights to disk partition

      • cookie_mmm_irs_ppi_005_888_d.exe (PID: 3096)
    • Drops a file that was compiled in debug mode

      • pivotAnimator_v4-2.exe (PID: 3844)
    • Adds / modifies Windows certificates

      • pivotAnimator_v4-2.exe (PID: 3844)
      • cookie_mmm_irs_ppi_005_888_d.exe (PID: 3096)
    • Creates files in the Windows directory

      • cookie_mmm_irs_ppi_005_888_d.exe (PID: 3096)
    • Drops a file with too old compile date

      • pivot_v4-2.exe (PID: 3736)
      • pivot_v4-2.tmp (PID: 1724)
    • Creates a directory in Program Files

      • pivot_v4-2.tmp (PID: 1724)
    • Changes default file association

      • pivot_v4-2.tmp (PID: 1724)
  • INFO

    • Reads settings of System Certificates

      • pivotAnimator_v4-2.exe (PID: 3844)
    • Creates files in the program directory

      • pivot_v4-2.tmp (PID: 1724)
    • Application was dropped or rewritten from another process

      • pivot_v4-2.tmp (PID: 1724)
    • Creates a software uninstall entry

      • pivot_v4-2.tmp (PID: 1724)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (49.4)
.scr | Windows screen saver (23.4)
.dll | Win32 Dynamic Link Library (generic) (11.7)
.exe | Win32 Executable (generic) (8)
.exe | Generic Win/DOS Executable (3.5)

EXIF

EXE

AssemblyVersion: 1.89.4.7796
ProductVersion: 1.89.4.7796
ProductName: Pivotstick Installer
OriginalFileName: pivotstick.exe
LegalTrademarks: -
LegalCopyright: Copyright dotSetup.io Open Source Project
InternalName: pivotstick.exe
FileVersion: 1.89.4.7796
FileDescription: Pivotstick Installer
CompanyName: -
Comments: Pivotstick Installer
CharacterSet: Unicode
LanguageCode: Neutral
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 1.89.4.7796
FileVersionNumber: 1.89.4.7796
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0x73b4a
UninitializedDataSize: -
InitializedDataSize: 56320
CodeSize: 465920
LinkerVersion: 8
PEType: PE32
TimeStamp: 2021:05:09 11:10:47+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 09-May-2021 09:10:47
Comments: Pivotstick Installer
CompanyName: -
FileDescription: Pivotstick Installer
FileVersion: 1.89.4.7796
InternalName: pivotstick.exe
LegalCopyright: Copyright dotSetup.io Open Source Project
LegalTrademarks: -
OriginalFilename: pivotstick.exe
ProductName: Pivotstick Installer
ProductVersion: 1.89.4.7796
Assembly Version: 1.89.4.7796

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000080

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 3
Time date stamp: 09-May-2021 09:10:47
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 0x00002000 | 0x00071B60 | 0x00071C00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.44414
.rsrc | 0x00074000 | 0x0000D96C | 0x0000DA00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.90068
.reloc | 0x00082000 | 0x0000000C | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.10191

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 4.99436 | 3132 | UNKNOWN | UNKNOWN | RT_MANIFEST
2 | 4.29753 | 2440 | UNKNOWN | UNKNOWN | RT_ICON
3 | 4.14977 | 4264 | UNKNOWN | UNKNOWN | RT_ICON
4 | 3.87985 | 9640 | UNKNOWN | UNKNOWN | RT_ICON
5 | 3.16489 | 33520 | UNKNOWN | UNKNOWN | RT_ICON
32512 | 2.79808 | 76 | UNKNOWN | UNKNOWN | RT_GROUP_ICON

Imports

mscoree.dll
No data.
All screenshots are available in the full report
Total processes: 47
Monitored processes: 7
Malicious processes: 3
Suspicious processes: 1

Behavior graph

Processes shown in the graph: pivotanimator_v4-2.exe, sabsi.exe, cookie_mmm_irs_ppi_005_888_d.exe, pivot_v4-2.exe, pivot_v4-2.tmp, pivot.exe (no specs), pivotanimator_v4-2.exe (no specs)

Process information

PID: 1724
CMD: "C:\Users\admin\AppData\Local\Temp\is-UD3QN.tmp\pivot_v4-2.tmp" /SL5="$201E8,860197,58368,C:\Users\admin\AppData\Local\Temp\Pivot_Animator_files\pivot_v4-2.exe" /VERYSILENT
Path: C:\Users\admin\AppData\Local\Temp\is-UD3QN.tmp\pivot_v4-2.tmp
Parent process: pivot_v4-2.exe
User: admin
Integrity Level: HIGH
Description: Setup/Uninstall
Exit code: 0
Version: 51.52.0.0
Modules (Images):
  • c:\users\admin\appdata\local\temp\is-ud3qn.tmp\pivot_v4-2.tmp
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\oleaut32.dll

PID: 1728
CMD: "C:\Program Files\Pivot Animator\pivot.exe"
Path: C:\Program Files\Pivot Animator\pivot.exe
Parent process: pivotAnimator_v4-2.exe
User: admin
Company: Motus Software Ltd
Integrity Level: HIGH
Description: Pivot Animator Executable
Exit code: 0
Version: 4.2.8.0
Modules (Images):
  • c:\program files\pivot animator\pivot.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\usp10.dll
  • c:\windows\system32\advapi32.dll

PID: 2536
CMD: "C:\Users\admin\AppData\Local\Temp\pivotAnimator_v4-2.exe"
Path: C:\Users\admin\AppData\Local\Temp\pivotAnimator_v4-2.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: Pivotstick Installer
Exit code: 3221226540
Version: 1.89.4.7796
Modules (Images):
  • c:\systemroot\system32\ntdll.dll

PID: 3060
CMD: "C:\Users\admin\AppData\Local\Temp\Pivot_Animator_files\saBSI.exe" /affid 91082 PaidDistribution=true
Path: C:\Users\admin\AppData\Local\Temp\Pivot_Animator_files\saBSI.exe
Parent process: svchost.exe
User: admin
Company: McAfee, Inc.
Integrity Level: HIGH
Description: McAfee WebAdvisor
Exit code: 0
Version: 4,1,0,48
Modules (Images):
  • c:\users\admin\appdata\local\temp\pivot_animator_files\sabsi.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\advapi32.dll

PID: 3096
CMD: "C:\Users\admin\AppData\Local\Temp\Pivot_Animator_files\cookie_mmm_irs_ppi_005_888_d.exe" /psh:bEsXBLaiPNRSbCcMpxmAxo2loQn5fCKPVGpcIyewEEj3U0pfLxXFF2S6V5poHtH7UvGOtpFqWiX9pwJdsXPn2Q /silent /ws
Path: C:\Users\admin\AppData\Local\Temp\Pivot_Animator_files\cookie_mmm_irs_ppi_005_888_d.exe
Parent process: svchost.exe
User: admin
Company: AVAST Software
Integrity Level: HIGH
Description: Avast MicroInstaller Installer
Exit code: 0
Version: 2.1.45.0
Modules (Images):
  • c:\users\admin\appdata\local\temp\pivot_animator_files\cookie_mmm_irs_ppi_005_888_d.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\advapi32.dll

PID: 3736
CMD: "C:\Users\admin\AppData\Local\Temp\Pivot_Animator_files\pivot_v4-2.exe" /VERYSILENT
Path: C:\Users\admin\AppData\Local\Temp\Pivot_Animator_files\pivot_v4-2.exe
Parent process: svchost.exe
User: admin
Company: Motus Software Ltd
Integrity Level: HIGH
Description: Pivot Animator Setup
Exit code: 0
Version: -
Modules (Images):
  • c:\users\admin\appdata\local\temp\pivot_animator_files\pivot_v4-2.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\oleaut32.dll

PID: 3844
CMD: "C:\Users\admin\AppData\Local\Temp\pivotAnimator_v4-2.exe"
Path: C:\Users\admin\AppData\Local\Temp\pivotAnimator_v4-2.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Description: Pivotstick Installer
Exit code: 0
Version: 1.89.4.7796
Modules (Images):
  • c:\users\admin\appdata\local\temp\pivotanimator_v4-2.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\mscoree.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
Total events: 819
Read events: 708
Write events: 105
Delete events: 6

Modification events

PID 3844 (pivotAnimator_v4-2.exe) | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ASP.NET_4.0.30319\Names | Operation: write | Name: 4yDkXcLoQDWxmlJhxiHGpEGzWCcju68e0NulPLwBvWrEPUuYtAtb4rbQGNymGo5VpeFkhu44JTTAyXVeVROm6kyqCJ2b3r9KLWbNzo7PdqEWdHlM5Sqto6 | Value: 3844
PID 3844 (pivotAnimator_v4-2.exe) | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\pivotAnimator_v4-2_RASAPI32 | Operation: write | Name: EnableFileTracing | Value: 0
PID 3844 (pivotAnimator_v4-2.exe) | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\pivotAnimator_v4-2_RASAPI32 | Operation: write | Name: EnableConsoleTracing | Value: 0
PID 3844 (pivotAnimator_v4-2.exe) | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\pivotAnimator_v4-2_RASAPI32 | Operation: write | Name: FileTracingMask | Value: 4294901760
PID 3844 (pivotAnimator_v4-2.exe) | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\pivotAnimator_v4-2_RASAPI32 | Operation: write | Name: ConsoleTracingMask | Value: 4294901760
PID 3844 (pivotAnimator_v4-2.exe) | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\pivotAnimator_v4-2_RASAPI32 | Operation: write | Name: MaxFileSize | Value: 1048576
PID 3844 (pivotAnimator_v4-2.exe) | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\pivotAnimator_v4-2_RASAPI32 | Operation: write | Name: FileDirectory | Value: %windir%\tracing
PID 3844 (pivotAnimator_v4-2.exe) | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\pivotAnimator_v4-2_RASMANCS | Operation: write | Name: EnableFileTracing | Value: 0
PID 3844 (pivotAnimator_v4-2.exe) | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\pivotAnimator_v4-2_RASMANCS | Operation: write | Name: EnableConsoleTracing | Value: 0
PID 3844 (pivotAnimator_v4-2.exe) | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\pivotAnimator_v4-2_RASMANCS | Operation: write | Name: FileTracingMask | Value: 4294901760

Executable files: 5
Suspicious files: 50
Text files: 46
Unknown types: 22

Dropped files

PID | Process | Filename | MD5 | SHA256
1724 | pivot_v4-2.tmp | C:\Program Files\Pivot Animator\is-JOC71.tmp | - | -
1724 | pivot_v4-2.tmp | C:\Program Files\Pivot Animator\is-14G1Q.tmp | - | -
1724 | pivot_v4-2.tmp | C:\Program Files\Pivot Animator\is-S2BAU.tmp | - | -
1724 | pivot_v4-2.tmp | C:\Program Files\Pivot Animator\languages\is-Q948R.tmp | - | -
1724 | pivot_v4-2.tmp | C:\Program Files\Pivot Animator\languages\is-BQRFM.tmp | - | -
1724 | pivot_v4-2.tmp | C:\Program Files\Pivot Animator\languages\is-7RS82.tmp | - | -
1724 | pivot_v4-2.tmp | C:\Program Files\Pivot Animator\languages\is-G97H7.tmp | - | -
1724 | pivot_v4-2.tmp | C:\Program Files\Pivot Animator\languages\is-ICDB9.tmp | - | -
1724 | pivot_v4-2.tmp | C:\Program Files\Pivot Animator\languages\is-IILAP.tmp | - | -
1724 | pivot_v4-2.tmp | C:\Program Files\Pivot Animator\languages\is-S6RQJ.tmp | - | -
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

HTTP(S) requests: 3
TCP/UDP connections: 15
DNS requests: 7
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3096 | cookie_mmm_irs_ppi_005_888_d.exe | GET | - | 92.122.244.17:80 | http://iavs9x.u.avast.com/iavs9x/avast_free_antivirus_setup_online.exe | FR | - | - | whitelisted
3096 | cookie_mmm_irs_ppi_005_888_d.exe | POST | 204 | 5.62.40.214:80 | http://v7event.stats.avast.com/cgi-bin/iavsevents.cgi | DE | - | - | whitelisted
3096 | cookie_mmm_irs_ppi_005_888_d.exe | POST | 200 | 142.250.185.238:80 | http://www.google-analytics.com/collect | US | image | 35 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3844 | pivotAnimator_v4-2.exe | 13.225.84.221:443 | d11yiezpmoyd9g.cloudfront.net | - | US | malicious
- | - | 13.225.84.221:443 | d11yiezpmoyd9g.cloudfront.net | - | US | malicious
3096 | cookie_mmm_irs_ppi_005_888_d.exe | 5.62.40.214:80 | v7event.stats.avast.com | AVAST Software s.r.o. | DE | unknown
3096 | cookie_mmm_irs_ppi_005_888_d.exe | 142.250.185.238:80 | www.google-analytics.com | Google Inc. | US | whitelisted
3096 | cookie_mmm_irs_ppi_005_888_d.exe | 92.122.244.17:443 | iavs9x.u.avast.com | GTT Communications Inc. | FR | suspicious
- | - | 92.122.244.17:443 | iavs9x.u.avast.com | GTT Communications Inc. | FR | suspicious
3060 | saBSI.exe | 104.95.252.226:443 | sadownload.mcafee.com | Akamai Technologies, Inc. | US | unknown
3096 | cookie_mmm_irs_ppi_005_888_d.exe | 92.122.244.17:80 | iavs9x.u.avast.com | GTT Communications Inc. | FR | suspicious
3060 | saBSI.exe | 104.208.16.0:443 | cu1pehnswad01.servicebus.windows.net | Microsoft Corporation | US | unknown

DNS requests

Domain
IP
Reputation
d11yiezpmoyd9g.cloudfront.net
  • 13.225.84.221
  • 13.225.84.226
  • 13.225.84.86
  • 13.225.84.143
whitelisted
iavs9x.u.avast.com
  • 92.122.244.17
  • 92.122.244.18
whitelisted
www.google-analytics.com
  • 142.250.185.238
whitelisted
v7event.stats.avast.com
  • 5.62.40.214
  • 5.62.40.213
whitelisted
cu1pehnswad01.servicebus.windows.net
  • 104.208.16.0
whitelisted
sadownload.mcafee.com
  • 104.95.252.226
whitelisted

Threats

PID | Process | Class | Message
3096 | cookie_mmm_irs_ppi_005_888_d.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP

Debug info

No debug info.