File name:

pivot_v5-2.exe

Full analysis: https://app.any.run/tasks/71d30dd1-7458-459c-9408-7173f5a694c0
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: August 31, 2024, 21:28:59
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
websocket
stealer
loader
netreactor
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:

65CB83AB2E76EECC85224492AB4D8313

SHA1:

8273BC4EA01E5616882F935D1DD4283E6AA24D4A

SHA256:

420CBD75AE73DDA39DFF185091BF478909255FD32C3F1167AE61DDFEF11B2130

SSDEEP:

24576:ohnEbPGRZyzvxuQ49949949IZyzvFUyzvKyB:ohnEbPGRZyzvxuQ49949949IZyzvFUyX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Actions looks like stealing of personal data

      • UnifiedStub-installer.exe (PID: 6996)
      • servicehost.exe (PID: 7888)
      • uihost.exe (PID: 6208)
    • Registers / Runs the DLL via REGSVR32.EXE

      • pivotsetup.tmp (PID: 7900)
      • installer.exe (PID: 7764)
    • Steals credentials from Web Browsers

      • servicehost.exe (PID: 7888)
    • Changes the autorun value in the registry

      • rundll32.exe (PID: 4080)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • pivot_v5-2.exe (PID: 3728)
      • installer.exe (PID: 7764)
      • uihost.exe (PID: 6208)
      • UnifiedStub-installer.exe (PID: 6996)
      • rsWSC.exe (PID: 7328)
    • Checks Windows Trust Settings

      • pivot_v5-2.exe (PID: 3728)
      • servicehost.exe (PID: 7888)
      • installer.exe (PID: 7764)
      • uihost.exe (PID: 6208)
      • updater.exe (PID: 6792)
      • UnifiedStub-installer.exe (PID: 6996)
      • rsWSC.exe (PID: 7328)
    • Adds/modifies Windows certificates

      • pivot_v5-2.exe (PID: 3728)
      • servicehost.exe (PID: 7888)
      • UnifiedStub-installer.exe (PID: 6996)
      • rsWSC.exe (PID: 7328)
    • Executable content was dropped or overwritten

      • pivot_v5-2.exe (PID: 3728)
      • odw531nn.exe (PID: 2524)
      • UnifiedStub-installer.exe (PID: 6996)
      • pivotsetup.tmp (PID: 7900)
      • installer.exe (PID: 7616)
      • installer.exe (PID: 7764)
    • Process drops legitimate windows executable

      • odw531nn.exe (PID: 2524)
      • installer.exe (PID: 7764)
      • UnifiedStub-installer.exe (PID: 6996)
    • Drops the executable file immediately after the start

      • UnifiedStub-installer.exe (PID: 6996)
      • pivot_v5-2.exe (PID: 3728)
      • odw531nn.exe (PID: 2524)
      • pivotsetup.tmp (PID: 7900)
      • installer.exe (PID: 7616)
      • installer.exe (PID: 7764)
    • Executes as Windows Service

      • rsSyncSvc.exe (PID: 2148)
      • servicehost.exe (PID: 7888)
      • rsWSC.exe (PID: 7248)
    • Reads the Windows owner or organization settings

      • pivotsetup.tmp (PID: 7900)
    • Searches for installed software

      • UnifiedStub-installer.exe (PID: 6996)
      • updater.exe (PID: 6792)
    • Creates a software uninstall entry

      • UnifiedStub-installer.exe (PID: 6996)
      • installer.exe (PID: 7764)
      • servicehost.exe (PID: 7888)
    • Creates/Modifies COM task schedule object

      • regsvr32.exe (PID: 7940)
      • regsvr32.exe (PID: 3716)
      • regsvr32.exe (PID: 1568)
    • The process verifies whether the antivirus software is installed

      • installer.exe (PID: 7616)
      • regsvr32.exe (PID: 1568)
      • regsvr32.exe (PID: 6492)
      • regsvr32.exe (PID: 3716)
      • installer.exe (PID: 7764)
      • uihost.exe (PID: 6208)
      • cmd.exe (PID: 7244)
      • updater.exe (PID: 6792)
      • cmd.exe (PID: 3716)
      • cmd.exe (PID: 7716)
      • cmd.exe (PID: 1224)
      • servicehost.exe (PID: 7888)
      • cmd.exe (PID: 6900)
    • The process creates files with name similar to system file names

      • installer.exe (PID: 7764)
      • UnifiedStub-installer.exe (PID: 6996)
    • Reads Mozilla Firefox installation path

      • servicehost.exe (PID: 7888)
      • uihost.exe (PID: 6208)
    • Hides command output

      • cmd.exe (PID: 7244)
      • cmd.exe (PID: 3716)
      • cmd.exe (PID: 7716)
    • Starts CMD.EXE for commands execution

      • servicehost.exe (PID: 7888)
      • updater.exe (PID: 6792)
    • Drops a system driver (possible attempt to evade defenses)

      • UnifiedStub-installer.exe (PID: 6996)
    • Drops 7-zip archiver for unpacking

      • UnifiedStub-installer.exe (PID: 6996)
    • The process drops C-runtime libraries

      • UnifiedStub-installer.exe (PID: 6996)
    • Creates or modifies Windows services

      • UnifiedStub-installer.exe (PID: 6996)
      • rundll32.exe (PID: 4080)
    • Creates files in the driver directory

      • UnifiedStub-installer.exe (PID: 6996)
    • Uses RUNDLL32.EXE to load library

      • UnifiedStub-installer.exe (PID: 6996)
    • Uses WEVTUTIL.EXE to install publishers and event logs from the manifest

      • UnifiedStub-installer.exe (PID: 6996)
  • INFO

    • Checks supported languages

      • pivot_v5-2.exe (PID: 3728)
      • odw531nn.exe (PID: 2524)
      • UnifiedStub-installer.exe (PID: 6996)
      • rsSyncSvc.exe (PID: 6268)
      • identity_helper.exe (PID: 7536)
      • pivotsetup.tmp (PID: 7900)
      • rsSyncSvc.exe (PID: 2148)
      • installer.exe (PID: 7616)
      • installer.exe (PID: 7764)
      • servicehost.exe (PID: 7888)
      • uihost.exe (PID: 6208)
      • updater.exe (PID: 6792)
      • rsWSC.exe (PID: 7328)
      • rsWSC.exe (PID: 7248)
    • Disables trace logs

      • pivot_v5-2.exe (PID: 3728)
      • UnifiedStub-installer.exe (PID: 6996)
    • Checks proxy server information

      • pivot_v5-2.exe (PID: 3728)
      • UnifiedStub-installer.exe (PID: 6996)
      • rsWSC.exe (PID: 7328)
    • Reads the computer name

      • pivot_v5-2.exe (PID: 3728)
      • UnifiedStub-installer.exe (PID: 6996)
      • rsSyncSvc.exe (PID: 2148)
      • pivotsetup.tmp (PID: 7900)
      • rsSyncSvc.exe (PID: 6268)
      • identity_helper.exe (PID: 7536)
      • installer.exe (PID: 7764)
      • servicehost.exe (PID: 7888)
      • uihost.exe (PID: 6208)
      • updater.exe (PID: 6792)
      • rsWSC.exe (PID: 7328)
      • rsWSC.exe (PID: 7248)
    • Reads the machine GUID from the registry

      • pivot_v5-2.exe (PID: 3728)
      • UnifiedStub-installer.exe (PID: 6996)
      • installer.exe (PID: 7764)
      • servicehost.exe (PID: 7888)
      • uihost.exe (PID: 6208)
      • updater.exe (PID: 6792)
      • rsWSC.exe (PID: 7328)
      • rsWSC.exe (PID: 7248)
    • Reads Environment values

      • pivot_v5-2.exe (PID: 3728)
      • UnifiedStub-installer.exe (PID: 6996)
      • identity_helper.exe (PID: 7536)
      • servicehost.exe (PID: 7888)
    • Reads the software policy settings

      • pivot_v5-2.exe (PID: 3728)
      • UnifiedStub-installer.exe (PID: 6996)
      • installer.exe (PID: 7764)
      • servicehost.exe (PID: 7888)
      • uihost.exe (PID: 6208)
      • updater.exe (PID: 6792)
      • rsWSC.exe (PID: 7328)
    • Creates files or folders in the user directory

      • pivot_v5-2.exe (PID: 3728)
      • UnifiedStub-installer.exe (PID: 6996)
      • rsWSC.exe (PID: 7328)
    • Reads Microsoft Office registry keys

      • pivot_v5-2.exe (PID: 3728)
      • msedge.exe (PID: 2144)
      • msedge.exe (PID: 6500)
    • Application launched itself

      • msedge.exe (PID: 2144)
      • msedge.exe (PID: 6500)
    • The process uses the downloaded file

      • pivot_v5-2.exe (PID: 3728)
      • UnifiedStub-installer.exe (PID: 6996)
      • runonce.exe (PID: 7892)
      • rsWSC.exe (PID: 7328)
    • Manual execution by a user

      • msedge.exe (PID: 6500)
    • Create files in a temporary directory

      • pivot_v5-2.exe (PID: 3728)
      • odw531nn.exe (PID: 2524)
      • pivotsetup.tmp (PID: 7900)
      • installer.exe (PID: 7764)
      • UnifiedStub-installer.exe (PID: 6996)
    • Creates files in the program directory

      • UnifiedStub-installer.exe (PID: 6996)
      • pivotsetup.tmp (PID: 7900)
      • installer.exe (PID: 7616)
      • installer.exe (PID: 7764)
      • servicehost.exe (PID: 7888)
      • uihost.exe (PID: 6208)
      • rsWSC.exe (PID: 7328)
    • Creates a software uninstall entry

      • pivotsetup.tmp (PID: 7900)
    • .NET Reactor protector has been detected

      • UnifiedStub-installer.exe (PID: 6996)
    • Process checks computer location settings

      • servicehost.exe (PID: 7888)
    • Reads product name

      • servicehost.exe (PID: 7888)
    • Reads the time zone

      • runonce.exe (PID: 7892)
    • Reads security settings of Internet Explorer

      • runonce.exe (PID: 7892)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (49.4)
.scr | Windows screen saver (23.4)
.dll | Win32 Dynamic Link Library (generic) (11.7)
.exe | Win32 Executable (generic) (8)
.exe | Generic Win/DOS Executable (3.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:05:21 14:18:40+00:00
ImageFileCharacteristics: Executable
PEType: PE32
LinkerVersion: 8
CodeSize: 613888
InitializedDataSize: 52224
UninitializedDataSize: -
EntryPoint: 0x97bf2
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.92.3.8643
ProductVersionNumber: 1.92.3.8643
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: Motus Software
CompanyName: -
FileDescription: Pivot Animator
FileVersion: 1.92.3.8643
InternalName: Pivot.exe
LegalCopyright: Copyright Pіvotstіck
LegalTrademarks: -
OriginalFileName: Pivot.exe
ProductName: Pіvotstіck
ProductVersion: 1.92.3.8643
AssemblyVersion: 1.92.3.8643
No data.
All screenshots are available in the full report
Total processes
217
Monitored processes
88
Malicious processes
10
Suspicious processes
7

Behavior graph

start pivot_v5-2.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs odw531nn.exe THREAT unifiedstub-installer.exe rssyncsvc.exe no specs conhost.exe no specs rssyncsvc.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs pivotsetup.tmp regsvr32.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs installer.exe msedge.exe no specs installer.exe regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs msedge.exe no specs msedge.exe no specs servicehost.exe msedge.exe no specs msedge.exe no specs uihost.exe cmd.exe no specs conhost.exe no specs msedge.exe no specs updater.exe cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs rundll32.exe runonce.exe no specs grpconv.exe no specs wevtutil.exe no specs conhost.exe no specs fltmc.exe no specs conhost.exe no specs wevtutil.exe no specs conhost.exe no specs rswsc.exe rswsc.exe no specs pivot_v5-2.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID:
752
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3268 --field-trial-handle=2388,i,10781273971469661061,1778828677822202141,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
936
CMD:
"C:\WINDOWS\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngineEvents.xml
Path:
C:\Windows\System32\wevtutil.exe
Parent process:
UnifiedStub-installer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Eventing Command Line Utility
Exit code:
87
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wevtutil.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\combase.dll
c:\windows\system32\sechost.dll
PID:
1224
CMD:
C:\WINDOWS\system32\cmd.exe /c IF EXIST "C:\Program Files\McAfee\WebAdvisor\Download" ( DEL "C:\Program Files\McAfee\WebAdvisor\Download\*.bak" )
Path:
C:\Windows\System32\cmd.exe
Parent process:
updater.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID:
1568
CMD:
regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\WSSDep.dll"
Path:
C:\Windows\System32\regsvr32.exe
Parent process:
installer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID:
2040
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3412 --field-trial-handle=2388,i,10781273971469661061,1778828677822202141,262144 --variations-seed-version /prefetch:1
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
2080
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.59 --initial-client-data=0x28c,0x294,0x298,0x290,0x2a0,0x7fffcd5f5fd8,0x7fffcd5f5fe4,0x7fffcd5f5ff0
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
2144
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://reasonlabs.com/policies
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
pivot_v5-2.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Edge
Exit code:
1
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID:
2148
CMD:
"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -bn:ReasonLabs -dt:10
Path:
C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
Parent process:
services.exe
User:
SYSTEM
Company:
Reason Software Company Inc.
Integrity Level:
SYSTEM
Description:
Reason Security Synchronize Service
Version:
1.8.5.0
Modules
Images
c:\program files\reasonlabs\common\rssyncsvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\version.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID:
2524
CMD:
"C:\Users\admin\AppData\Local\Temp\odw531nn.exe" /silent
Path:
C:\Users\admin\AppData\Local\Temp\odw531nn.exe
Parent process:
rsStubActivator.exe
User:
admin
Company:
ReasonLabs
Integrity Level:
HIGH
Description:
ReasonLabs-setup-wizard.exe
Version:
6.0.6
Modules
Images
c:\users\admin\appdata\local\temp\odw531nn.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\syswow64\msvcp_win.dll
PID:
2640
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.59 --initial-client-data=0x328,0x32c,0x330,0x320,0x11c,0x7fffcd5f5fd8,0x7fffcd5f5fe4,0x7fffcd5f5ff0
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
Total events
60 833
Read events
60 250
Write events
520
Delete events
63

Modification events

(PID) Process: (3728) pivot_v5-2.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\pivot_v5-2_RASAPI32
Operation: write
Name: EnableFileTracing
Value: 0

(PID) Process: (3728) pivot_v5-2.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\pivot_v5-2_RASAPI32
Operation: write
Name: EnableAutoFileTracing
Value: 0

(PID) Process: (3728) pivot_v5-2.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\pivot_v5-2_RASAPI32
Operation: write
Name: EnableConsoleTracing
Value: 0

(PID) Process: (3728) pivot_v5-2.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\pivot_v5-2_RASAPI32
Operation: write
Name: FileTracingMask
Value:

(PID) Process: (3728) pivot_v5-2.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\pivot_v5-2_RASAPI32
Operation: write
Name: ConsoleTracingMask
Value:

(PID) Process: (3728) pivot_v5-2.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\pivot_v5-2_RASAPI32
Operation: write
Name: MaxFileSize
Value: 1048576

(PID) Process: (3728) pivot_v5-2.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\pivot_v5-2_RASAPI32
Operation: write
Name: FileDirectory
Value: %windir%\tracing

(PID) Process: (3728) pivot_v5-2.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\pivot_v5-2_RASMANCS
Operation: write
Name: EnableFileTracing
Value: 0

(PID) Process: (3728) pivot_v5-2.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\pivot_v5-2_RASMANCS
Operation: write
Name: EnableAutoFileTracing
Value: 0

(PID) Process: (3728) pivot_v5-2.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\pivot_v5-2_RASMANCS
Operation: write
Name: EnableConsoleTracing
Value: 0
Executable files
434
Suspicious files
779
Text files
1 066
Unknown types
20

Dropped files

PID
Process
Filename
Type
PID: 6500
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF12fecb.TMP
Type:
MD5:
SHA256:

PID: 3728
Process: pivot_v5-2.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F
Type: binary
MD5: 6F2AF5D64103C59FD55A2C245F180572
SHA256: 939E1DA30F2454FD40B3098B6F6FC78D44A65C1EA54D05D7802563684C38476C

PID: 6500
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old
Type:
MD5:
SHA256:

PID: 3728
Process: pivot_v5-2.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB
Type: der
MD5: 43A1D0D850704021F208640A55B59F84
SHA256: A164509D3B71CD6507412F20B960D422A9965E19805483A1F03B997FFB945984

PID: 6500
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF12ff09.TMP
Type:
MD5:
SHA256:

PID: 6500
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old
Type:
MD5:
SHA256:

PID: 3728
Process: pivot_v5-2.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB
Type: binary
MD5: 35DD3A25C4ADEE785846E62DD5DDEF3B
SHA256: 37ADBC858BF9972B1928276BF8A7EBD62D7107559AE2F67DADA5833C13B3DA9D

PID: 3728
Process: pivot_v5-2.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F
Type: binary
MD5: 93D660CB5EDF8360DA73B3CA187E82C2
SHA256: DA41601BD53FF85D7BFE149273F57CAD8B85A31DE4F9C8C48EF00C3C818D07F3

PID: 6500
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old~RF12ff09.TMP
Type:
MD5:
SHA256:

PID: 6500
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old
Type:
MD5:
SHA256:
HTTP(S) requests
368
TCP/UDP connections
210
DNS requests
134
Threats
22

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3728
pivot_v5-2.exe
GET
200
104.18.38.233:80
http://ocsp.sectigo.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQVD%2BnGf79Hpedv3mhy6uKMVZkPCQQUDyrLIIcouOxvSK4rVKYpqhekzQwCEAMvN2M%2FIWBTkO4a1QxfpHk%3D
unknown
whitelisted
GET
401
13.107.6.158:443
https://business.bing.com/api/v1/user/token/microsoftgraph?&clienttype=edge-omnibox
unknown
GET
200
108.138.2.13:443
https://d368v9t61j6dts.cloudfront.net/assets/schema/1.0/schema.xsd
unknown
OPTIONS
200
23.48.23.46:443
https://bzib.nelreports.net/api/report?cat=bingbusiness
unknown
POST
200
108.138.2.92:443
https://d368v9t61j6dts.cloudfront.net/sec
unknown
xml
78.6 Kb
GET
200
13.107.42.16:443
https://config.edge.skype.com/config/v1/Edge/122.0.2365.59?clientId=4489578223053569932&agents=Edge%2CEdgeConfig%2CEdgeServices%2CEdgeFirstRun%2CEdgeFirstRunConfig&osname=win&client=edge&channel=stable&scpfre=0&osarch=x86_64&osver=10.0.19045&wu=1&devicefamily=desktop&uma=0&sessionid=42&mngd=0&installdate=1661339457&edu=0&bphint=2&soobedate=1504771245&fg=1
unknown
binary
12.9 Kb
GET
200
204.79.197.239:443
https://edge.microsoft.com/serviceexperimentation/v3/?osname=win&channel=stable&osver=10.0.19045&devicefamily=desktop&installdate=1661339457&clientversion=122.0.2365.59&experimentationmode=2&scpguard=0&scpfull=0&scpver=0
unknown
binary
2.37 Kb
GET
200
94.245.104.56:443
https://api.edgeoffer.microsoft.com/edgeoffer/pb/experiments?appId=edge-extensions&country=US
unknown
binary
59 b
GET
200
76.76.21.21:443
https://reasonlabs.com/_next/static/css/6222fb196c350005.css
unknown
text
40.3 Kb
GET
200
76.76.21.21:443
https://reasonlabs.com/policies
unknown
html
49.4 Kb

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.255:138
whitelisted
6404
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2120
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
7072
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3888
svchost.exe
239.255.255.250:1900
whitelisted
3728
pivot_v5-2.exe
108.138.2.13:443
d368v9t61j6dts.cloudfront.net
AMAZON-02
US
whitelisted
3728
pivot_v5-2.exe
172.64.149.23:80
ocsp.comodoca.com
CLOUDFLARENET
US
whitelisted
3728
pivot_v5-2.exe
104.18.38.233:80
ocsp.comodoca.com
CLOUDFLARENET
whitelisted
6500
msedge.exe
239.255.255.250:1900
whitelisted
7132
msedge.exe
52.123.243.65:443
config.edge.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
google.com
  • 142.250.185.206
whitelisted
d368v9t61j6dts.cloudfront.net
  • 108.138.2.13
  • 108.138.2.68
  • 108.138.2.161
  • 108.138.2.92
whitelisted
ocsp.comodoca.com
  • 172.64.149.23
  • 104.18.38.233
whitelisted
ocsp.sectigo.com
  • 104.18.38.233
  • 172.64.149.23
whitelisted
config.edge.skype.com
  • 52.123.243.65
  • 52.123.243.202
  • 52.123.243.213
whitelisted
reasonlabs.com
  • 76.76.21.21
unknown
edge.microsoft.com
  • 13.107.21.239
  • 204.79.197.239
whitelisted
api.edgeoffer.microsoft.com
  • 94.245.104.56
whitelisted
business.bing.com
  • 13.107.6.158
whitelisted

Threats

PID
Process
Class
Message
Generic Protocol Command Decode
SURICATA HTTP Request unrecognized authorization method
Generic Protocol Command Decode
SURICATA HTTP Request unrecognized authorization method
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
Misc activity
ET INFO EXE - Served Inline HTTP
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
Misc activity
ET INFO EXE - Served Attached HTTP
Potentially Bad Traffic
ET POLICY Executable served from Amazon S3
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
Not Suspicious Traffic
INFO [ANY.RUN] Websocket Upgrade Request
Generic Protocol Command Decode
SURICATA HTTP Request unrecognized authorization method
7 ETPRO signatures available at the full report
Process
Message
installer.exe
NCPrivateLoadAndValidateMPTDll: Looking in current directory
installer.exe
NCPrivateLoadAndValidateMPTDll: Looking in EXE directory
installer.exe
NotComDllGetInterface: C:\Program Files\McAfee\Temp3031316143\installer.exe loading C:\Program Files\McAfee\Temp3031316143\mfeaaca.dll, WinVerifyTrust failed with 80092003
installer.exe
NCPrivateLoadAndValidateMPTDll: Looking in current directory
installer.exe
NCPrivateLoadAndValidateMPTDll: Looking in EXE directory
installer.exe
NotComDllGetInterface: C:\Program Files\McAfee\Temp3031316143\installer.exe loading C:\Program Files\McAfee\Temp3031316143\mfeaaca.dll, WinVerifyTrust failed with 80092003
installer.exe
NCPrivateLoadAndValidateMPTDll: Looking in current directory
installer.exe
NCPrivateLoadAndValidateMPTDll: Looking in EXE directory
installer.exe
NotComDllGetInterface: C:\Program Files\McAfee\Temp3031316143\installer.exe loading C:\Program Files\McAfee\Temp3031316143\mfeaaca.dll, WinVerifyTrust failed with 80092003
installer.exe
NCPrivateLoadAndValidateMPTDll: Looking in current directory