File name:

pivot_v5-2.exe

Full analysis: https://app.any.run/tasks/71d30dd1-7458-459c-9408-7173f5a694c0
Verdict: Malicious activity
Threats:

Loader

A loader is malicious software that infiltrates devices to deliver malicious payloads. Once it infects a victim's computer, it profiles the system and installs further threats such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links, relying on social engineering to trick users into downloading and running the executable. Loaders employ evasion and persistence techniques to avoid detection.

Analysis date: August 31, 2024, 21:28:59
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
websocket
stealer
loader
netreactor
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:

65CB83AB2E76EECC85224492AB4D8313

SHA1:

8273BC4EA01E5616882F935D1DD4283E6AA24D4A

SHA256:

420CBD75AE73DDA39DFF185091BF478909255FD32C3F1167AE61DDFEF11B2130

SSDEEP:

24576:ohnEbPGRZyzvxuQ49949949IZyzvFUyzvKyB:ohnEbPGRZyzvxuQ49949949IZyzvFUyX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Actions looks like stealing of personal data

      • UnifiedStub-installer.exe (PID: 6996)
      • servicehost.exe (PID: 7888)
      • uihost.exe (PID: 6208)
    • Registers / Runs the DLL via REGSVR32.EXE

      • pivotsetup.tmp (PID: 7900)
      • installer.exe (PID: 7764)
    • Steals credentials from Web Browsers

      • servicehost.exe (PID: 7888)
    • Changes the autorun value in the registry

      • rundll32.exe (PID: 4080)
  • SUSPICIOUS

    • Checks Windows Trust Settings

      • pivot_v5-2.exe (PID: 3728)
      • installer.exe (PID: 7764)
      • servicehost.exe (PID: 7888)
      • uihost.exe (PID: 6208)
      • updater.exe (PID: 6792)
      • UnifiedStub-installer.exe (PID: 6996)
      • rsWSC.exe (PID: 7328)
    • Adds/modifies Windows certificates

      • pivot_v5-2.exe (PID: 3728)
      • servicehost.exe (PID: 7888)
      • UnifiedStub-installer.exe (PID: 6996)
      • rsWSC.exe (PID: 7328)
    • Executable content was dropped or overwritten

      • pivot_v5-2.exe (PID: 3728)
      • odw531nn.exe (PID: 2524)
      • UnifiedStub-installer.exe (PID: 6996)
      • installer.exe (PID: 7764)
      • installer.exe (PID: 7616)
      • pivotsetup.tmp (PID: 7900)
    • Drops the executable file immediately after the start

      • odw531nn.exe (PID: 2524)
      • UnifiedStub-installer.exe (PID: 6996)
      • installer.exe (PID: 7616)
      • pivotsetup.tmp (PID: 7900)
      • installer.exe (PID: 7764)
      • pivot_v5-2.exe (PID: 3728)
    • Process drops legitimate windows executable

      • odw531nn.exe (PID: 2524)
      • installer.exe (PID: 7764)
      • UnifiedStub-installer.exe (PID: 6996)
    • Executes as Windows Service

      • rsSyncSvc.exe (PID: 2148)
      • servicehost.exe (PID: 7888)
      • rsWSC.exe (PID: 7248)
    • Creates a software uninstall entry

      • UnifiedStub-installer.exe (PID: 6996)
      • installer.exe (PID: 7764)
      • servicehost.exe (PID: 7888)
    • Searches for installed software

      • UnifiedStub-installer.exe (PID: 6996)
      • updater.exe (PID: 6792)
    • Creates/Modifies COM task schedule object

      • regsvr32.exe (PID: 7940)
      • regsvr32.exe (PID: 3716)
      • regsvr32.exe (PID: 1568)
    • The process verifies whether the antivirus software is installed

      • installer.exe (PID: 7616)
      • regsvr32.exe (PID: 6492)
      • regsvr32.exe (PID: 3716)
      • installer.exe (PID: 7764)
      • uihost.exe (PID: 6208)
      • updater.exe (PID: 6792)
      • servicehost.exe (PID: 7888)
      • cmd.exe (PID: 7244)
      • cmd.exe (PID: 7716)
      • cmd.exe (PID: 3716)
      • cmd.exe (PID: 6900)
      • cmd.exe (PID: 1224)
      • regsvr32.exe (PID: 1568)
    • Reads the Windows owner or organization settings

      • pivotsetup.tmp (PID: 7900)
    • Reads security settings of Internet Explorer

      • installer.exe (PID: 7764)
      • pivot_v5-2.exe (PID: 3728)
      • uihost.exe (PID: 6208)
      • UnifiedStub-installer.exe (PID: 6996)
      • rsWSC.exe (PID: 7328)
    • The process creates files with name similar to system file names

      • installer.exe (PID: 7764)
      • UnifiedStub-installer.exe (PID: 6996)
    • Reads Mozilla Firefox installation path

      • servicehost.exe (PID: 7888)
      • uihost.exe (PID: 6208)
    • Hides command output

      • cmd.exe (PID: 7716)
      • cmd.exe (PID: 7244)
      • cmd.exe (PID: 3716)
    • Starts CMD.EXE for commands execution

      • updater.exe (PID: 6792)
      • servicehost.exe (PID: 7888)
    • The process drops C-runtime libraries

      • UnifiedStub-installer.exe (PID: 6996)
    • Creates or modifies Windows services

      • UnifiedStub-installer.exe (PID: 6996)
      • rundll32.exe (PID: 4080)
    • Creates files in the driver directory

      • UnifiedStub-installer.exe (PID: 6996)
    • Uses RUNDLL32.EXE to load library

      • UnifiedStub-installer.exe (PID: 6996)
    • Drops 7-zip archiver for unpacking

      • UnifiedStub-installer.exe (PID: 6996)
    • Drops a system driver (possible attempt to evade defenses)

      • UnifiedStub-installer.exe (PID: 6996)
    • Uses WEVTUTIL.EXE to install publishers and event logs from the manifest

      • UnifiedStub-installer.exe (PID: 6996)
  • INFO

    • Reads the computer name

      • pivot_v5-2.exe (PID: 3728)
      • UnifiedStub-installer.exe (PID: 6996)
      • rsSyncSvc.exe (PID: 6268)
      • identity_helper.exe (PID: 7536)
      • rsSyncSvc.exe (PID: 2148)
      • installer.exe (PID: 7764)
      • servicehost.exe (PID: 7888)
      • pivotsetup.tmp (PID: 7900)
      • uihost.exe (PID: 6208)
      • updater.exe (PID: 6792)
      • rsWSC.exe (PID: 7328)
      • rsWSC.exe (PID: 7248)
    • Checks supported languages

      • pivot_v5-2.exe (PID: 3728)
      • odw531nn.exe (PID: 2524)
      • UnifiedStub-installer.exe (PID: 6996)
      • rsSyncSvc.exe (PID: 6268)
      • identity_helper.exe (PID: 7536)
      • rsSyncSvc.exe (PID: 2148)
      • pivotsetup.tmp (PID: 7900)
      • installer.exe (PID: 7616)
      • installer.exe (PID: 7764)
      • servicehost.exe (PID: 7888)
      • uihost.exe (PID: 6208)
      • updater.exe (PID: 6792)
      • rsWSC.exe (PID: 7328)
      • rsWSC.exe (PID: 7248)
    • Disables trace logs

      • pivot_v5-2.exe (PID: 3728)
      • UnifiedStub-installer.exe (PID: 6996)
    • Reads the machine GUID from the registry

      • pivot_v5-2.exe (PID: 3728)
      • UnifiedStub-installer.exe (PID: 6996)
      • installer.exe (PID: 7764)
      • servicehost.exe (PID: 7888)
      • uihost.exe (PID: 6208)
      • updater.exe (PID: 6792)
      • rsWSC.exe (PID: 7248)
      • rsWSC.exe (PID: 7328)
    • Reads Environment values

      • pivot_v5-2.exe (PID: 3728)
      • UnifiedStub-installer.exe (PID: 6996)
      • identity_helper.exe (PID: 7536)
      • servicehost.exe (PID: 7888)
    • The process uses the downloaded file

      • pivot_v5-2.exe (PID: 3728)
      • UnifiedStub-installer.exe (PID: 6996)
      • runonce.exe (PID: 7892)
      • rsWSC.exe (PID: 7328)
    • Reads the software policy settings

      • pivot_v5-2.exe (PID: 3728)
      • UnifiedStub-installer.exe (PID: 6996)
      • installer.exe (PID: 7764)
      • uihost.exe (PID: 6208)
      • updater.exe (PID: 6792)
      • servicehost.exe (PID: 7888)
      • rsWSC.exe (PID: 7328)
    • Creates files or folders in the user directory

      • pivot_v5-2.exe (PID: 3728)
      • UnifiedStub-installer.exe (PID: 6996)
      • rsWSC.exe (PID: 7328)
    • Application launched itself

      • msedge.exe (PID: 2144)
      • msedge.exe (PID: 6500)
    • Reads Microsoft Office registry keys

      • msedge.exe (PID: 2144)
      • pivot_v5-2.exe (PID: 3728)
      • msedge.exe (PID: 6500)
    • Create files in a temporary directory

      • pivot_v5-2.exe (PID: 3728)
      • odw531nn.exe (PID: 2524)
      • pivotsetup.tmp (PID: 7900)
      • installer.exe (PID: 7764)
      • UnifiedStub-installer.exe (PID: 6996)
    • Creates files in the program directory

      • UnifiedStub-installer.exe (PID: 6996)
      • installer.exe (PID: 7616)
      • pivotsetup.tmp (PID: 7900)
      • installer.exe (PID: 7764)
      • servicehost.exe (PID: 7888)
      • uihost.exe (PID: 6208)
      • rsWSC.exe (PID: 7328)
    • Checks proxy server information

      • UnifiedStub-installer.exe (PID: 6996)
      • pivot_v5-2.exe (PID: 3728)
      • rsWSC.exe (PID: 7328)
    • Creates a software uninstall entry

      • pivotsetup.tmp (PID: 7900)
    • .NET Reactor protector has been detected

      • UnifiedStub-installer.exe (PID: 6996)
    • Manual execution by a user

      • msedge.exe (PID: 6500)
    • Process checks computer location settings

      • servicehost.exe (PID: 7888)
    • Reads product name

      • servicehost.exe (PID: 7888)
    • Reads the time zone

      • runonce.exe (PID: 7892)
    • Reads security settings of Internet Explorer

      • runonce.exe (PID: 7892)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (49.4)
.scr | Windows screen saver (23.4)
.dll | Win32 Dynamic Link Library (generic) (11.7)
.exe | Win32 Executable (generic) (8)
.exe | Generic Win/DOS Executable (3.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:05:21 14:18:40+00:00
ImageFileCharacteristics: Executable
PEType: PE32
LinkerVersion: 8
CodeSize: 613888
InitializedDataSize: 52224
UninitializedDataSize: -
EntryPoint: 0x97bf2
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.92.3.8643
ProductVersionNumber: 1.92.3.8643
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: Motus Software
CompanyName: -
FileDescription: Pivot Animator
FileVersion: 1.92.3.8643
InternalName: Pivot.exe
LegalCopyright: Copyright Pіvotstіck
LegalTrademarks: -
OriginalFileName: Pivot.exe
ProductName: Pіvotstіck
ProductVersion: 1.92.3.8643
AssemblyVersion: 1.92.3.8643
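Two things in the identification data above deserve a check rather than trust. TRiD's top guess ("Win64 Executable (generic)") contradicts the PE header fields exiftool reports (PEType PE32, MachineType Intel 386); TRiD works from byte patterns, while the header is what the Windows loader actually uses, so the header wins. Second, the ProductName and LegalCopyright strings read "Pіvotstіck" while FileDescription and InternalName spell "Pivot": the two "i" letters in the former appear to be non-Latin look-alikes (a Cyrillic і, U+0456, renders this way), which passes a visual check and defeats exact-string matching. The script below is an added example written for this report, not ANY.RUN's or the product's code. parse_pe() reads the COFF and optional headers, decides PE32 versus PE32+ from the optional-header magic, and treats a non-zero IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (directory 14) as the mark of a managed assembly; build_sample_header() constructs a header that carries the report's values (it is not the sample's bytes, and its section count, image base and DLL characteristics are invented fillers); the REPORTED table and the product-name constant are copied from the report.

```python
"""Re-derive the EXIF/TRiD fields above straight from the PE headers and flag
Unicode look-alikes in the version strings. Added example for this report, not
ANY.RUN's code. build_sample_header() constructs a header carrying the values
the report lists (NOT the sample's bytes); parse_pe() works on any real file
passed on the command line."""
import struct
import sys
import unicodedata
from datetime import datetime, timezone

MACHINE_NAMES = {0x14C: "Intel 386 or later, and compatibles", 0x8664: "AMD64", 0xAA64: "ARM64"}
SUBSYSTEM_NAMES = {2: "Windows GUI", 3: "Windows CUI"}
COM_DESCRIPTOR_DIR = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: CLR header, non-zero only on managed images

# What the report's EXIF section states for pivot_v5-2.exe, in parse_pe()'s key names
REPORTED = {"pe_type": "PE32", "machine": "Intel 386 or later, and compatibles",
            "timestamp": "2024:05:21 14:18:40+00:00", "linker_version": "8.0",
            "size_of_code": 613888, "size_of_initialized_data": 52224, "entry_point": 0x97BF2,
            "os_version": "4.0", "subsystem_version": "4.0", "subsystem": "Windows GUI", "is_dotnet": True}
REPORTED_PRODUCT_NAME = "Pіvotstіck"  # copied verbatim from the ProductName field above


def parse_pe(data: bytes) -> dict:
    """Parse DOS header -> PE signature -> COFF header -> optional header -> data directories."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, _nsect, tstamp, _, _, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:
        pe_type, dir_off = "PE32", 96      # data directories start at +96 in a PE32 optional header
    elif magic == 0x20B:
        pe_type, dir_off = "PE32+", 112    # ... and at +112 in PE32+ (64-bit ImageBase/stack/heap fields)
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    lnk_major, lnk_minor, size_of_code, size_of_init, _uninit, entry = struct.unpack_from("<BBIIII", data, opt + 2)
    os_major, os_minor, _, _, ss_major, ss_minor = struct.unpack_from("<6H", data, opt + 40)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    n_dirs = struct.unpack_from("<I", data, opt + dir_off - 4)[0]   # NumberOfRvaAndSizes precedes the table
    is_dotnet = False
    if n_dirs > COM_DESCRIPTOR_DIR and opt_size >= dir_off + 8 * (COM_DESCRIPTOR_DIR + 1):
        rva, size = struct.unpack_from("<II", data, opt + dir_off + 8 * COM_DESCRIPTOR_DIR)
        is_dotnet = rva != 0 and size != 0
    return {
        "pe_type": pe_type,
        "machine": MACHINE_NAMES.get(machine, f"{machine:#x}"),
        "timestamp": datetime.fromtimestamp(tstamp, timezone.utc).strftime("%Y:%m:%d %H:%M:%S+00:00"),
        "linker_version": f"{lnk_major}.{lnk_minor}",
        "size_of_code": size_of_code,
        "size_of_initialized_data": size_of_init,
        "entry_point": entry,
        "os_version": f"{os_major}.{os_minor}",
        "subsystem_version": f"{ss_major}.{ss_minor}",
        "subsystem": SUBSYSTEM_NAMES.get(subsystem, str(subsystem)),
        "is_dotnet": is_dotnet,
    }


def mismatches(parsed: dict, reported: dict = REPORTED) -> list:
    """Keys where the parsed header disagrees with what the report states."""
    return [k for k, v in reported.items() if parsed.get(k) != v]


def suspicious_chars(s: str) -> list:
    """Non-ASCII letters in a version-info string, with code point and Unicode name."""
    return [(ch, f"U+{ord(ch):04X}", unicodedata.name(ch, "?")) for ch in s if ch.isalpha() and not ch.isascii()]


def build_sample_header(dotnet: bool = True) -> bytes:
    """Constructed PE32 header (DOS stub + COFF + optional header, no sections) with the report's values."""
    ts = int(datetime(2024, 5, 21, 14, 18, 40, tzinfo=timezone.utc).timestamp())
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, 3, ts, 0, 0, 224, 0x0102)  # i386, 3 sections, EXECUTABLE|32BIT_MACHINE
    opt = struct.pack("<HBBIIIIII", 0x10B, 8, 0, 613888, 52224, 0, 0x97BF2, 0x2000, 0x98000)
    opt += struct.pack("<IIIHHHHHHIIII", 0x400000, 0x2000, 0x200, 4, 0, 0, 0, 4, 0, 0, 0x9E000, 0x200, 0)
    opt += struct.pack("<HHIIIIII", 2, 0x8540, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[COM_DESCRIPTOR_DIR] = (0x2008, 72) if dotnet else (0, 0)  # CLR header RVA/size (filler values)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    return dos + b"PE\0\0" + coff + opt


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_header()
    info = parse_pe(data)
    for key, value in info.items():
        print(f"{key}: {value:#x}" if key == "entry_point" else f"{key}: {value}")
    print("disagrees with report on:", mismatches(info) or "nothing")
    print("non-ASCII letters in ProductName:", suspicious_chars(REPORTED_PRODUCT_NAME))
```

Run it with the sample's path as the only argument to compare a real file against the REPORTED table; without an argument it parses the constructed header. A non-empty suspicious_chars() result on any version-info string is worth a YARA or hunting rule on its own, since the look-alike spelling is chosen, not accidental.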
No data.
All screenshots are available in the full report
Total processes
217
Monitored processes
88
Malicious processes
10
Suspicious processes
7

Behavior graph

Process-tree nodes in graph order ("no specs" is the report's own marker on that instance; THREAT marks the node flagged malicious):
start: pivot_v5-2.exe
msedge.exe (many instances; two with indicators, the rest no specs)
odw531nn.exe
unifiedstub-installer.exe (THREAT)
rssyncsvc.exe (2, no specs)
conhost.exe (9, no specs)
identity_helper.exe (2, no specs)
pivotsetup.tmp
regsvr32.exe (4, no specs)
installer.exe (2)
servicehost.exe
uihost.exe
cmd.exe (5, no specs)
updater.exe
rundll32.exe
runonce.exe (no specs)
grpconv.exe (no specs)
wevtutil.exe (2, no specs)
fltmc.exe (no specs)
rswsc.exe (2; one with indicators, one no specs)
pivot_v5-2.exe (second instance, no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID:
752
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3268 --field-trial-handle=2388,i,10781273971469661061,1778828677822202141,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
936
CMD:
"C:\WINDOWS\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngineEvents.xml
Path:
C:\Windows\System32\wevtutil.exe
Parent process:
UnifiedStub-installer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Eventing Command Line Utility
Exit code:
87
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wevtutil.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\combase.dll
c:\windows\system32\sechost.dll
PID:
1224
CMD:
C:\WINDOWS\system32\cmd.exe /c IF EXIST "C:\Program Files\McAfee\WebAdvisor\Download" ( DEL "C:\Program Files\McAfee\WebAdvisor\Download\*.bak" )
Path:
C:\Windows\System32\cmd.exe
Parent process:
updater.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID:
1568
CMD:
regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\WSSDep.dll"
Path:
C:\Windows\System32\regsvr32.exe
Parent process:
installer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID:
2040
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3412 --field-trial-handle=2388,i,10781273971469661061,1778828677822202141,262144 --variations-seed-version /prefetch:1
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
2080
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.59 --initial-client-data=0x28c,0x294,0x298,0x290,0x2a0,0x7fffcd5f5fd8,0x7fffcd5f5fe4,0x7fffcd5f5ff0
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
2144
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://reasonlabs.com/policies
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
pivot_v5-2.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Edge
Exit code:
1
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID:
2148
CMD:
"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -bn:ReasonLabs -dt:10
Path:
C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
Parent process:
services.exe
User:
SYSTEM
Company:
Reason Software Company Inc.
Integrity Level:
SYSTEM
Description:
Reason Security Synchronize Service
Version:
1.8.5.0
Modules
Images
c:\program files\reasonlabs\common\rssyncsvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\version.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID:
2524
CMD:
"C:\Users\admin\AppData\Local\Temp\odw531nn.exe" /silent
Path:
C:\Users\admin\AppData\Local\Temp\odw531nn.exe
Parent process:
rsStubActivator.exe
User:
admin
Company:
ReasonLabs
Integrity Level:
HIGH
Description:
ReasonLabs-setup-wizard.exe
Version:
6.0.6
Modules
Images
c:\users\admin\appdata\local\temp\odw531nn.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\syswow64\msvcp_win.dll
PID:
2640
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.59 --initial-client-data=0x328,0x32c,0x330,0x320,0x11c,0x7fffcd5f5fd8,0x7fffcd5f5fe4,0x7fffcd5f5ff0
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
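Read together, the rows above show the Pivot Animator-branded executable handing off to ReasonLabs components (rsStubActivator.exe, odw531nn.exe /silent, rsSyncSvc.exe started by services.exe as SYSTEM) and McAfee WebAdvisor components (installer.exe registering WSSDep.dll through regsvr32, updater.exe running cmd.exe as SYSTEM), and opening Edge on https://reasonlabs.com/policies. The same LOLBin and path patterns appear in any unattended bundled install, so the rules below report what happened and leave severity to the analyst. This is an added example written for this report, not ANY.RUN's code: the EVENTS records are copied from the process rows above, while the LOLBin, browser, trusted-parent and user-writable-path lists are my own choices for illustration. Exit code 87 is the Win32 ERROR_INVALID_PARAMETER; the wevtutil row reports it, and the rule that spots the unquoted "C:\Program Files\..." argument explains why the manifest import most likely never succeeded.

```python
"""Sigma-style triage rules run over the Process information rows above.
Added example for this report (not ANY.RUN's code); EVENTS is copied from the
rows, the rule lists are illustrative choices."""
import ntpath
import re
from collections import defaultdict

# (pid, image path, command line, user, parent image, exit code or None) - copied from the rows above
EVENTS = [
    (936, r"C:\Windows\System32\wevtutil.exe",
     r'"C:\WINDOWS\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngineEvents.xml',
     "admin", "UnifiedStub-installer.exe", 87),
    (1224, r"C:\Windows\System32\cmd.exe",
     r'C:\WINDOWS\system32\cmd.exe /c IF EXIST "C:\Program Files\McAfee\WebAdvisor\Download" ( DEL "C:\Program Files\McAfee\WebAdvisor\Download\*.bak" )',
     "SYSTEM", "updater.exe", 0),
    (1568, r"C:\Windows\System32\regsvr32.exe",
     r'regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\WSSDep.dll"', "admin", "installer.exe", 0),
    (2144, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://reasonlabs.com/policies',
     "admin", "pivot_v5-2.exe", 1),
    (2148, r"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe",
     r'"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -bn:ReasonLabs -dt:10',
     "SYSTEM", "services.exe", None),
    (2524, r"C:\Users\admin\AppData\Local\Temp\odw531nn.exe",
     r'"C:\Users\admin\AppData\Local\Temp\odw531nn.exe" /silent', "admin", "rsStubActivator.exe", None),
]

# Rule lists: illustrative, tune for your environment
LOLBINS = {"regsvr32.exe", "rundll32.exe", "wevtutil.exe", "cmd.exe", "runonce.exe", "fltmc.exe"}
BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe", "iexplore.exe"}
TRUSTED_PARENTS = {"services.exe", "svchost.exe", "explorer.exe", "winlogon.exe"}
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\", "\\programdata\\")
ERROR_INVALID_PARAMETER = 87  # Win32 error code; wevtutil exits with it when it rejects its arguments


def _unquoted_segments(cmdline: str) -> list:
    """With Windows quoting, every even-indexed piece of a split on '"' lies outside quotes."""
    return cmdline.split('"')[0::2]


def triage(events) -> dict:
    """Map pid -> list of findings; a pid with no findings is absent from the result."""
    findings = defaultdict(list)
    for pid, image, cmdline, user, parent, exit_code in events:
        name, parent_l = ntpath.basename(image).lower(), parent.lower()
        if name in LOLBINS and parent_l not in TRUSTED_PARENTS:
            findings[pid].append(f"LOLBin {name} spawned by {parent} as {user}")
        if name == "regsvr32.exe":
            for dll in re.findall(r'[a-z]:\\[^"]+?\.dll', cmdline, re.I):
                if not dll.lower().startswith("c:\\windows\\"):
                    findings[pid].append(f"regsvr32 registers DLL outside %SystemRoot%: {dll}")
        if name in BROWSERS and parent_l not in BROWSERS | TRUSTED_PARENTS:
            url = re.search(r"https?://\S+", cmdline)
            if url:
                findings[pid].append(f"{parent} opened browser to {url.group(0)}")
        if any(p in image.lower() for p in USER_WRITABLE):
            findings[pid].append(f"executable run from user-writable path by {parent}")
        if any("\\program files" in seg.lower() for seg in _unquoted_segments(cmdline)):
            note = f"unquoted path with spaces in arguments of {name}"
            if exit_code == ERROR_INVALID_PARAMETER:
                note += " (exit code 87 = ERROR_INVALID_PARAMETER: the command likely failed on the split path)"
            findings[pid].append(note)
    return dict(findings)


if __name__ == "__main__":
    for pid, notes in sorted(triage(EVENTS).items()):
        for note in notes:
            print(f"PID {pid}: {note}")
```

The service row (PID 2148, started by services.exe) produces no finding: a service binary under Program Files launched by the SCM is how every installed service starts, so the interesting record for it is the "Creates or modifies Windows services" signature on the installer, not the service's own start.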
Total events
60 833
Read events
60 250
Write events
520
Delete events
63

Modification events

Process | Operation | Key | Name = Value
(3728) pivot_v5-2.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\pivot_v5-2_RASAPI32 | EnableFileTracing = 0
(3728) pivot_v5-2.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\pivot_v5-2_RASAPI32 | EnableAutoFileTracing = 0
(3728) pivot_v5-2.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\pivot_v5-2_RASAPI32 | EnableConsoleTracing = 0
(3728) pivot_v5-2.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\pivot_v5-2_RASAPI32 | FileTracingMask = (value not captured in the report)
(3728) pivot_v5-2.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\pivot_v5-2_RASAPI32 | ConsoleTracingMask = (value not captured in the report)
(3728) pivot_v5-2.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\pivot_v5-2_RASAPI32 | MaxFileSize = 1048576
(3728) pivot_v5-2.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\pivot_v5-2_RASAPI32 | FileDirectory = %windir%\tracing
(3728) pivot_v5-2.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\pivot_v5-2_RASMANCS | EnableFileTracing = 0
(3728) pivot_v5-2.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\pivot_v5-2_RASMANCS | EnableAutoFileTracing = 0
(3728) pivot_v5-2.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\pivot_v5-2_RASMANCS | EnableConsoleTracing = 0

Note on the "Disables trace logs" signature: a Tracing\<image name>_RASAPI32 / _RASMANCS key with exactly these values (EnableFileTracing 0, MaxFileSize 1048576, FileDirectory %windir%\tracing) is what the RAS tracing library writes automatically the first time a process uses the RAS API, which WinINet does for its autodial checks. On its own it shows that the process used a Windows networking API, not that it deliberately turned logging off.
Executable files
434
Suspicious files
779
Text files
1 066
Unknown types
20

Dropped files

PID
Process
Filename
Type
6500 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF12fecb.TMP | -
MD5:
SHA256:
3728 | pivot_v5-2.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F | binary
MD5: 6F2AF5D64103C59FD55A2C245F180572
SHA256: 939E1DA30F2454FD40B3098B6F6FC78D44A65C1EA54D05D7802563684C38476C
6500 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old | -
MD5:
SHA256:
6500 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG.old~RF12febb.TMP | text
MD5: 1567A626174DB3083F52197567389C1D
SHA256: 7D3B499479DEDC115B162B88DDC7CD5E106FF2034A22D6FE64AEE447455E27D3
6500 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF12ff09.TMP | -
MD5:
SHA256:
6500 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old | -
MD5:
SHA256:
6500 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\LOG.old~RF12febb.TMP | text
MD5: 14B091DD8CB3D636D70A696F49E960EA
SHA256: E541B23B9E614A91E599ECFB0150D7BEA56DF139C4AA64736637FD3CA3135D4E
2144 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\94d9e914-fd96-4493-8db8-2d0ce2daf943.tmp | binary
MD5: 6C5FA7DCB6D5A0F803A7383B42912F98
SHA256: 0F344DC06862315E570D89FD46A5B5B38C813C9196ACE31ED0D153D26DACBA69
6500 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old~RF12ff09.TMP | -
MD5:
SHA256:
6500 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old | -
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
368
TCP/UDP connections
210
DNS requests
134
Threats
22

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3728 | pivot_v5-2.exe | GET | 200 | 172.64.149.23:80 | http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEEj8k7RgVZSNNqfJionWlBY%3D | unknown | - | - | whitelisted
3728 | pivot_v5-2.exe | GET | 200 | 104.18.38.233:80 | http://ocsp.sectigo.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSdE3gf41WAic8Uh9lF92%2BIJqh5qwQUMuuSmv81lkgvKEBCcCA2kVwXheYCEGIdbQxSAZ47kHkVIIkhHAo%3D | unknown | - | - | whitelisted
- | - | GET | 401 | 13.107.6.158:443 | https://business.bing.com/api/v1/user/token/microsoftgraph?&clienttype=edge-omnibox | unknown | - | - | -
- | - | OPTIONS | 200 | 23.48.23.46:443 | https://bzib.nelreports.net/api/report?cat=bingbusiness | unknown | - | - | -
- | - | GET | 200 | 108.138.2.13:443 | https://d368v9t61j6dts.cloudfront.net/assets/schema/1.0/schema.xsd | unknown | - | - | -
- | - | GET | 200 | 108.138.2.161:443 | https://d368v9t61j6dts.cloudfront.net/assets/WebAdvisor/images/943/darkBG/EN.png | unknown | - | - | -
- | - | GET | 200 | 94.245.104.56:443 | https://api.edgeoffer.microsoft.com/edgeoffer/pb/experiments?appId=edge-extensions&country=US | unknown | binary | 59 b | -
- | - | GET | 200 | 108.138.2.68:443 | https://d368v9t61j6dts.cloudfront.net/assets/RAV_Triple_CB/images/DOTPS-855/darkBG/EN.png | unknown | image | 68.8 Kb | -
- | - | GET | 200 | 76.76.21.21:443 | https://reasonlabs.com/_next/static/chunks/framework-f44ba79936f400b5.js | unknown | text | 127 Kb | -
- | - | GET | 200 | 13.107.42.16:443 | https://config.edge.skype.com/config/v1/Edge/122.0.2365.59?clientId=4489578223053569932&agents=Edge%2CEdgeConfig%2CEdgeServices%2CEdgeFirstRun%2CEdgeFirstRunConfig&osname=win&client=edge&channel=stable&scpfre=0&osarch=x86_64&osver=10.0.19045&wu=1&devicefamily=desktop&uma=0&sessionid=42&mngd=0&installdate=1661339457&edu=0&bphint=2&soobedate=1504771245&fg=1 | unknown | binary | 12.9 Kb | -
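The two OCSP requests at the top of the table are what CryptoAPI issues while WinVerifyTrust checks an Authenticode signature (the "Checks Windows Trust Settings" signature above, with the CryptnetUrlCache entry under Dropped files as the cached result). An OCSP GET carries the DER-encoded OCSPRequest as its URL path, base64- and then URL-encoded (RFC 6960, appendix A.1), so the request itself names the certificate being checked: the issuer's name and key hashes plus the serial number. That serial is a good hunting pivot for other samples signed with the same certificate, and here both requests go to the same CA operator (the report's DNS table resolves ocsp.comodoca.com and ocsp.sectigo.com to the same addresses). The decoder below is an added example written for this report, not ANY.RUN's code; the two URLs are copied from the table, the minimal DER reader handles only what an unsigned single-request OCSPRequest contains, and the OID-to-name table is mine.

```python
"""Decode the OCSP GET requests pivot_v5-2.exe (PID 3728) made to
ocsp.comodoca.com and ocsp.sectigo.com. Added example for this report, not
ANY.RUN's code. The URL path is base64(DER(OCSPRequest)), URL-encoded; the
CertID inside names the certificate whose status was queried."""
import base64
import urllib.parse

# Both URLs copied from the HTTP requests table above
OCSP_URLS = [
    "http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEEj8k7RgVZSNNqfJionWlBY%3D",
    "http://ocsp.sectigo.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSdE3gf41WAic8Uh9lF92%2BIJqh5qwQUMuuSmv81lkgvKEBCcCA2kVwXheYCEGIdbQxSAZ47kHkVIIkhHAo%3D",
]
HASH_OIDS = {"1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.1": "sha256"}


def _tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value; returns (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _oid(value: bytes) -> str:
    """Dotted form of a DER OBJECT IDENTIFIER body (first byte packs the first two arcs)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_ocsp_get(url: str) -> dict:
    """Walk OCSPRequest -> tbsRequest -> requestList -> Request -> CertID."""
    parts = urllib.parse.urlsplit(url)
    der = base64.b64decode(urllib.parse.unquote(parts.path.lstrip("/")))
    tag, ocsp_request, _ = _tlv(der, 0)          # OCSPRequest ::= SEQUENCE { tbsRequest, optionalSignature }
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs, _ = _tlv(ocsp_request, 0)            # TBSRequest
    pos = 0
    while tbs[pos] in (0xA0, 0xA1):              # skip optional [0] version and [1] requestorName
        _, _, pos = _tlv(tbs, pos)
    _, request_list, _ = _tlv(tbs, pos)          # requestList SEQUENCE OF Request
    _, request, _ = _tlv(request_list, 0)        # first (here the only) Request
    _, cert_id, _ = _tlv(request, 0)             # CertID
    _, hash_alg, pos = _tlv(cert_id, 0)          # AlgorithmIdentifier
    _, oid, _ = _tlv(hash_alg, 0)
    _, issuer_name_hash, pos = _tlv(cert_id, pos)
    _, issuer_key_hash, pos = _tlv(cert_id, pos)
    tag, serial, _ = _tlv(cert_id, pos)
    if tag != 0x02:
        raise ValueError("serialNumber is not an INTEGER")
    return {
        "responder": parts.hostname,
        "hash_algorithm": HASH_OIDS.get(_oid(oid), _oid(oid)),
        "issuer_name_hash": issuer_name_hash.hex(),
        "issuer_key_hash": issuer_key_hash.hex(),
        "serial": serial.hex(),
    }


if __name__ == "__main__":
    for url in OCSP_URLS:
        print(parse_ocsp_get(url))
```

The issuer key hash is the SHA-1 of the issuing CA's public key, so two requests with the same issuer_key_hash were checking certificates from the same CA; the serial then identifies the certificate itself (the code-signing certificate here, or an intermediate in its chain) and can be matched against the Authenticode signature on the file or searched for in other reports.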

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 192.168.100.255:138 | - | - | - | whitelisted
6404 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2120 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
7072 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3888 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
3728 | pivot_v5-2.exe | 108.138.2.13:443 | d368v9t61j6dts.cloudfront.net | AMAZON-02 | US | whitelisted
3728 | pivot_v5-2.exe | 172.64.149.23:80 | ocsp.comodoca.com | CLOUDFLARENET | US | whitelisted
3728 | pivot_v5-2.exe | 104.18.38.233:80 | ocsp.comodoca.com | CLOUDFLARENET | - | whitelisted
6500 | msedge.exe | 239.255.255.250:1900 | - | - | - | whitelisted
7132 | msedge.exe | 52.123.243.65:443 | config.edge.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | DE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
google.com
  • 142.250.185.206
whitelisted
d368v9t61j6dts.cloudfront.net
  • 108.138.2.13
  • 108.138.2.68
  • 108.138.2.161
  • 108.138.2.92
whitelisted
ocsp.comodoca.com
  • 172.64.149.23
  • 104.18.38.233
whitelisted
ocsp.sectigo.com
  • 104.18.38.233
  • 172.64.149.23
whitelisted
config.edge.skype.com
  • 52.123.243.65
  • 52.123.243.202
  • 52.123.243.213
whitelisted
reasonlabs.com
  • 76.76.21.21
unknown
edge.microsoft.com
  • 13.107.21.239
  • 204.79.197.239
whitelisted
api.edgeoffer.microsoft.com
  • 94.245.104.56
whitelisted
business.bing.com
  • 13.107.6.158
whitelisted

Threats

PID | Process | Class | Message
- | - | Generic Protocol Command Decode | SURICATA HTTP Request unrecognized authorization method
- | - | Generic Protocol Command Decode | SURICATA HTTP Request unrecognized authorization method
- | - | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
- | - | Misc activity | ET INFO EXE - Served Inline HTTP
- | - | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
- | - | Misc activity | ET INFO EXE - Served Attached HTTP
- | - | Potentially Bad Traffic | ET POLICY Executable served from Amazon S3
- | - | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
- | - | Not Suspicious Traffic | INFO [ANY.RUN] Websocket Upgrade Request
- | - | Generic Protocol Command Decode | SURICATA HTTP Request unrecognized authorization method
7 ETPRO signatures available at the full report
Process | Message
(80092003 in the messages below is CRYPT_E_FILE_ERROR, a file read/write error raised during the Authenticode check of mfeaaca.dll, so the signature was never actually verified on those attempts.)
installer.exe | NCPrivateLoadAndValidateMPTDll: Looking in current directory
installer.exe | NCPrivateLoadAndValidateMPTDll: Looking in EXE directory
installer.exe | NotComDllGetInterface: C:\Program Files\McAfee\Temp3031316143\installer.exe loading C:\Program Files\McAfee\Temp3031316143\mfeaaca.dll, WinVerifyTrust failed with 80092003
installer.exe | NCPrivateLoadAndValidateMPTDll: Looking in current directory
installer.exe | NCPrivateLoadAndValidateMPTDll: Looking in EXE directory
installer.exe | NotComDllGetInterface: C:\Program Files\McAfee\Temp3031316143\installer.exe loading C:\Program Files\McAfee\Temp3031316143\mfeaaca.dll, WinVerifyTrust failed with 80092003
installer.exe | NCPrivateLoadAndValidateMPTDll: Looking in current directory
installer.exe | NCPrivateLoadAndValidateMPTDll: Looking in EXE directory
installer.exe | NotComDllGetInterface: C:\Program Files\McAfee\Temp3031316143\installer.exe loading C:\Program Files\McAfee\Temp3031316143\mfeaaca.dll, WinVerifyTrust failed with 80092003
installer.exe | NCPrivateLoadAndValidateMPTDll: Looking in current directory