1952334b617bcfa62aef1bc4f7640674986cb6cd021c29f43e0a85912775b81a

Analysis

max time kernel
145s
max time network
147s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
13-09-2024 20:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pivot_v5-2.exe
Size

662KB
MD5

2c60a6deba7dbae94f76d94bd81a8dd7
SHA1

759c0d563cc7051627409715e8081f7e00d940a8
SHA256

1952334b617bcfa62aef1bc4f7640674986cb6cd021c29f43e0a85912775b81a
SHA512

e3165a1fe4af119b621c457e770be313394d7201c755b3be6622871db5da76444b5792eac4c3f24bdae0e62b39ea89cb8322869c0dcb2674485ad6efea05bff1
SSDEEP

12288:TymCz84Lnka4eec2ZZEhl3qgi4Bfig3bBiFPYp:TIz84Lnk5LEhl3qZ7pBYp

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
1144	pivotsetup.exe
2300	pivotsetup.tmp

Loads dropped DLL 5 IoCs

pid	Process
1144	pivotsetup.exe
2300	pivotsetup.tmp
2300	pivotsetup.tmp
2300	pivotsetup.tmp
2320	regsvr32.exe

Checks for any installed AV software in registry 1 TTPs 7 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	pivot_v5-2.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\Browser	pivot_v5-2.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Avira\Browser	pivot_v5-2.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Browser	pivot_v5-2.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV	pivot_v5-2.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVG\AV	pivot_v5-2.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	pivot_v5-2.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Pivot Animator v5\is-PDAJV.tmp	pivotsetup.tmp
File created	C:\Program Files (x86)\Pivot Animator v5\languages\is-E9IHK.tmp	pivotsetup.tmp
File created	C:\Program Files (x86)\Pivot Animator v5\Animations\is-MABNK.tmp	pivotsetup.tmp
File created	C:\Program Files (x86)\Pivot Animator v5\Animations\Legacy\is-2ML35.tmp	pivotsetup.tmp
File created	C:\Program Files (x86)\Pivot Animator v5\Figures\is-KL70H.tmp	pivotsetup.tmp
File created	C:\Program Files (x86)\Pivot Animator v5\Figures\is-ILEDE.tmp	pivotsetup.tmp
File created	C:\Program Files (x86)\Pivot Animator v5\Figures\Legacy\is-HH63I.tmp	pivotsetup.tmp
File created	C:\Program Files (x86)\Pivot Animator v5\languages\is-RG8RL.tmp	pivotsetup.tmp
File created	C:\Program Files (x86)\Pivot Animator v5\languages\is-OO31V.tmp	pivotsetup.tmp
File created	C:\Program Files (x86)\Pivot Animator v5\languages\is-NB4KH.tmp	pivotsetup.tmp
File created	C:\Program Files (x86)\Pivot Animator v5\Animations\is-1VU90.tmp	pivotsetup.tmp
File created	C:\Program Files (x86)\Pivot Animator v5\Figures\Legacy\is-6RKSD.tmp	pivotsetup.tmp
File opened for modification	C:\Program Files (x86)\Pivot Animator v5\LibAV\avcodec-58.dll	pivotsetup.tmp
File opened for modification	C:\Program Files (x86)\Pivot Animator v5\LibAV\swresample-3.dll	pivotsetup.tmp
File created	C:\Program Files (x86)\Pivot Animator v5\languages\is-SDEH8.tmp	pivotsetup.tmp
File created	C:\Program Files (x86)\Pivot Animator v5\languages\is-7T1B9.tmp	pivotsetup.tmp
File created	C:\Program Files (x86)\Pivot Animator v5\Animations\is-21C85.tmp	pivotsetup.tmp
File created	C:\Program Files (x86)\Pivot Animator v5\Animations\Legacy\is-OP5TB.tmp	pivotsetup.tmp
File created	C:\Program Files (x86)\Pivot Animator v5\Figures\Legacy\is-03PJ8.tmp	pivotsetup.tmp
File opened for modification	C:\Program Files (x86)\Pivot Animator v5\LibAV\avfilter-7.dll	pivotsetup.tmp
File created	C:\Program Files (x86)\Pivot Animator v5\Animations\is-P07ME.tmp	pivotsetup.tmp
File created	C:\Program Files (x86)\Pivot Animator v5\Animations\is-0AL6F.tmp	pivotsetup.tmp
File created	C:\Program Files (x86)\Pivot Animator v5\Animations\Legacy\is-GRU20.tmp	pivotsetup.tmp
File created	C:\Program Files (x86)\Pivot Animator v5\Animations\Legacy\is-JU6HD.tmp	pivotsetup.tmp
File created	C:\Program Files (x86)\Pivot Animator v5\languages\is-HE3NC.tmp	pivotsetup.tmp
File created	C:\Program Files (x86)\Pivot Animator v5\languages\is-KRUG6.tmp	pivotsetup.tmp
File created	C:\Program Files (x86)\Pivot Animator v5\is-HT89U.tmp	pivotsetup.tmp
File created	C:\Program Files (x86)\Pivot Animator v5\LibAV\is-44CVR.tmp	pivotsetup.tmp
File created	C:\Program Files (x86)\Pivot Animator v5\languages\is-OQNAE.tmp	pivotsetup.tmp
File created	C:\Program Files (x86)\Pivot Animator v5\languages\is-HCITD.tmp	pivotsetup.tmp
File created	C:\Program Files (x86)\Pivot Animator v5\Animations\is-758MF.tmp	pivotsetup.tmp
File created	C:\Program Files (x86)\Pivot Animator v5\Figures\Legacy\is-0GNF6.tmp	pivotsetup.tmp
File opened for modification	C:\Program Files (x86)\Pivot Animator v5\LibAV\avformat-58.dll	pivotsetup.tmp
File opened for modification	C:\Program Files (x86)\Pivot Animator v5\STKPreview.dll	pivotsetup.tmp
File created	C:\Program Files (x86)\Pivot Animator v5\LibAV\is-9G1UN.tmp	pivotsetup.tmp
File created	C:\Program Files (x86)\Pivot Animator v5\languages\is-ANE53.tmp	pivotsetup.tmp
File created	C:\Program Files (x86)\Pivot Animator v5\languages\is-GBV6V.tmp	pivotsetup.tmp
File created	C:\Program Files (x86)\Pivot Animator v5\languages\is-5M5D1.tmp	pivotsetup.tmp
File created	C:\Program Files (x86)\Pivot Animator v5\Animations\is-P14PQ.tmp	pivotsetup.tmp
File created	C:\Program Files (x86)\Pivot Animator v5\Figures\is-B1OHT.tmp	pivotsetup.tmp
File created	C:\Program Files (x86)\Pivot Animator v5\Figures\Legacy\is-09RFV.tmp	pivotsetup.tmp
File opened for modification	C:\Program Files (x86)\Pivot Animator v5\LibAV\swscale-5.dll	pivotsetup.tmp
File opened for modification	C:\Program Files (x86)\Pivot Animator v5\LibAV\avutil-56.dll	pivotsetup.tmp
File created	C:\Program Files (x86)\Pivot Animator v5\is-IA8JI.tmp	pivotsetup.tmp
File created	C:\Program Files (x86)\Pivot Animator v5\LibAV\is-OS2U6.tmp	pivotsetup.tmp
File created	C:\Program Files (x86)\Pivot Animator v5\LibAV\is-3K5OD.tmp	pivotsetup.tmp
File created	C:\Program Files (x86)\Pivot Animator v5\languages\is-METST.tmp	pivotsetup.tmp
File created	C:\Program Files (x86)\Pivot Animator v5\Animations\is-BNAKV.tmp	pivotsetup.tmp
File created	C:\Program Files (x86)\Pivot Animator v5\Figures\Legacy\is-05888.tmp	pivotsetup.tmp
File created	C:\Program Files (x86)\Pivot Animator v5\Figures\Legacy\is-8BF6Q.tmp	pivotsetup.tmp
File opened for modification	C:\Program Files (x86)\Pivot Animator v5\unins000.dat	pivotsetup.tmp
File created	C:\Program Files (x86)\Pivot Animator v5\languages\is-Q8KOB.tmp	pivotsetup.tmp
File created	C:\Program Files (x86)\Pivot Animator v5\languages\is-MBAEI.tmp	pivotsetup.tmp
File created	C:\Program Files (x86)\Pivot Animator v5\Figures\is-GROTB.tmp	pivotsetup.tmp
File opened for modification	C:\Program Files (x86)\Pivot Animator v5\LibAV\avdevice-58.dll	pivotsetup.tmp
File created	C:\Program Files (x86)\Pivot Animator v5\LibAV\is-JMSKD.tmp	pivotsetup.tmp
File created	C:\Program Files (x86)\Pivot Animator v5\languages\is-UMHVH.tmp	pivotsetup.tmp
File created	C:\Program Files (x86)\Pivot Animator v5\languages\is-RRIPO.tmp	pivotsetup.tmp
File created	C:\Program Files (x86)\Pivot Animator v5\Figures\Legacy\is-V3BBM.tmp	pivotsetup.tmp
File created	C:\Program Files (x86)\Pivot Animator v5\languages\is-TF6T5.tmp	pivotsetup.tmp
File created	C:\Program Files (x86)\Pivot Animator v5\Animations\is-B917F.tmp	pivotsetup.tmp
File created	C:\Program Files (x86)\Pivot Animator v5\Animations\Legacy\is-Q5PDT.tmp	pivotsetup.tmp
File opened for modification	C:\Program Files (x86)\Pivot Animator v5\pivot.exe	pivotsetup.tmp
File created	C:\Program Files (x86)\Pivot Animator v5\LibAV\is-AUV7A.tmp	pivotsetup.tmp

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\is-PJCT9.tmp	pivotsetup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pivotsetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pivotsetup.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Modifies registry class 53 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.stk\OpenWithProgids	pivotsetup.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\.stk\OpenWithProgids	pivotsetup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64644512-C345-469F-B5FB-EB351E20129D}\InprocServer32\VersionIndependentProgID = "STKPreview.stkfile"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.stk	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\PivotFile.piv	pivotsetup.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\Applications\pivot.exe\SupportedTypes	pivotsetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\pivot.exe	pivotsetup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64644512-C345-469F-B5FB-EB351E20129D}\InprocServer32\ProgID = "STKPreview.stkfile"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PivotFile.piv\shell\open	pivotsetup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\pivot.exe\SupportedTypes\.piv	pivotsetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.stk	pivotsetup.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\PivotFigure.stk	pivotsetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\STKPreview.stkfile	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\STKPreview.stkfile\ = "STK Pivot Figure Preview Handler"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.piv\OpenWithProgids	pivotsetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.piv\OpenWithProgids	pivotsetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PivotFile.piv\shell	pivotsetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64644512-C345-469F-B5FB-EB351E20129D}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PivotFile.piv\ = "Pivot Animator File"	pivotsetup.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\PivotFile.piv\shell\open\command	pivotsetup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PivotFile.piv\shell\open\command\ = "\"C:\\Program Files (x86)\\Pivot Animator v5\\pivot.exe\" \"%1\""	pivotsetup.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\PivotFigure.stk\DefaultIcon	pivotsetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PivotFigure.stk\shell\open	pivotsetup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64644512-C345-469F-B5FB-EB351E20129D}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64644512-C345-469F-B5FB-EB351E20129D}\AppID = "{534A1E02-D58F-44f0-B58B-36CBED287C7C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.stk\shellex	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64644512-C345-469F-B5FB-EB351E20129D}\InprocServer32\ = "C:\\PROGRA~2\\PIVOTA~1\\STKPRE~1.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64644512-C345-469F-B5FB-EB351E20129D}\ProgID\ = "STKPreview.stkfile"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\pivot.exe\SupportedTypes	pivotsetup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PivotFigure.stk\DefaultIcon\ = "C:\\Program Files (x86)\\Pivot Animator v5\\pivot.exe,2"	pivotsetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PivotFigure.stk\shell\open\command	pivotsetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PivotFile.piv\shell\open\command	pivotsetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64644512-C345-469F-B5FB-EB351E20129D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64644512-C345-469F-B5FB-EB351E20129D}\ = "STK Pivot Figure Preview Handler"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\STKPreview.stkfile\Clsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.stk\shellex\{8895B1C6-B41F-4C1C-A562-0D564250836F}\ = "{64644512-C345-469F-B5FB-EB351E20129D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PivotFile.piv	pivotsetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications	pivotsetup.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\PivotFigure.stk\shell\open\command	pivotsetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PivotFigure.stk	pivotsetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64644512-C345-469F-B5FB-EB351E20129D}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\STKPreview.stkfile\Clsid\ = "{64644512-C345-469F-B5FB-EB351E20129D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PivotFile.piv\DefaultIcon\ = "C:\\Program Files (x86)\\Pivot Animator v5\\pivot.exe,1"	pivotsetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PivotFigure.stk\shell	pivotsetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.stk\shellex\{8895B1C6-B41F-4C1C-A562-0D564250836F}	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\PivotFile.piv\DefaultIcon	pivotsetup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.stk\OpenWithProgids\PivotFigure.stk	pivotsetup.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64644512-C345-469F-B5FB-EB351E20129D}\DisableLowILProcessIsolation = "1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.piv\OpenWithProgids\PivotFile.piv	pivotsetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.piv	pivotsetup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PivotFigure.stk\shell\open\command\ = "\"C:\\Program Files (x86)\\Pivot Animator v5\\pivot.exe\" \"%1\""	pivotsetup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\pivot.exe\SupportedTypes\.stk	pivotsetup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PivotFigure.stk\ = "Pivot Animator Figure"	pivotsetup.tmp

Modifies system certificate store 2 TTPs 15 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	pivot_v5-2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	pivot_v5-2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	pivot_v5-2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	pivot_v5-2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	pivot_v5-2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	pivot_v5-2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	pivot_v5-2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	pivot_v5-2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	pivot_v5-2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	pivot_v5-2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	pivot_v5-2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	pivot_v5-2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	pivot_v5-2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	pivot_v5-2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	pivot_v5-2.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
1232	pivot_v5-2.exe
1232	pivot_v5-2.exe
1232	pivot_v5-2.exe
1232	pivot_v5-2.exe
1232	pivot_v5-2.exe
1232	pivot_v5-2.exe
1232	pivot_v5-2.exe
1232	pivot_v5-2.exe
1232	pivot_v5-2.exe
1232	pivot_v5-2.exe
1232	pivot_v5-2.exe
1232	pivot_v5-2.exe
1232	pivot_v5-2.exe
1232	pivot_v5-2.exe
1232	pivot_v5-2.exe
1232	pivot_v5-2.exe
1232	pivot_v5-2.exe
1232	pivot_v5-2.exe
1232	pivot_v5-2.exe
2300	pivotsetup.tmp
2300	pivotsetup.tmp

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1232	pivot_v5-2.exe
Token: SeShutdownPrivilege	1232	pivot_v5-2.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2300	pivotsetup.tmp

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1144 wrote to memory of 2300	1144	pivotsetup.exe	32
PID 1144 wrote to memory of 2300	1144	pivotsetup.exe	32
PID 1144 wrote to memory of 2300	1144	pivotsetup.exe	32
PID 1144 wrote to memory of 2300	1144	pivotsetup.exe	32
PID 1144 wrote to memory of 2300	1144	pivotsetup.exe	32
PID 1144 wrote to memory of 2300	1144	pivotsetup.exe	32
PID 1144 wrote to memory of 2300	1144	pivotsetup.exe	32
PID 2300 wrote to memory of 2320	2300	pivotsetup.tmp	33
PID 2300 wrote to memory of 2320	2300	pivotsetup.tmp	33
PID 2300 wrote to memory of 2320	2300	pivotsetup.tmp	33
PID 2300 wrote to memory of 2320	2300	pivotsetup.tmp	33
PID 2300 wrote to memory of 2320	2300	pivotsetup.tmp	33
PID 2300 wrote to memory of 2320	2300	pivotsetup.tmp	33
PID 2300 wrote to memory of 2320	2300	pivotsetup.tmp	33

C:\Users\Admin\AppData\Local\Temp\pivot_v5-2.exe
"C:\Users\Admin\AppData\Local\Temp\pivot_v5-2.exe"
1⤵
- Checks for any installed AV software in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1232

C:\Users\Admin\AppData\Local\Temp\Pivot_Animator_files\pivotsetup.exe
"C:\Users\Admin\AppData\Local\Temp\Pivot_Animator_files\pivotsetup.exe" /VERYSILENT
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1144
- C:\Users\Admin\AppData\Local\Temp\is-7B7I7.tmp\pivotsetup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-7B7I7.tmp\pivotsetup.tmp" /SL5="$30210,18433013,58368,C:\Users\Admin\AppData\Local\Temp\Pivot_Animator_files\pivotsetup.exe" /VERYSILENT
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Pivot Animator v5\STKPreview.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:2320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ce82b89c326cdf24a9ce117869377018

SHA1
bb16880be41d9c049bb1f76bd272167513ccef1c

SHA256
62539a18b8298ec8d2eb150b08d7c077a7b283029200a01afd9970bea113bf4f

SHA512
0de161ebf3f8b2e1578c698a773b3c71a7daf227fd5014f7528d4d48d9565918d4af97f9f0a07d61451c70a58662814a698d006b24b4d0676a43a38cb8110d8b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ff357af3611f1ccee1b0ff7aa916a6ed

SHA1
4fd7e86462c7cf46a2e71e6bb3f7ac8c7771bdca

SHA256
a8b92ff1d6660622b177ec74e596a1f20d1267576f611fe61dfce32073a4d7c4

SHA512
3e4f381859516505f2c35b9bd574dc77fd7b2c6fc5780e63ccee3877a59dc00c2a11c98f3471b4323ec832f101c06659fdf363db39451a42fe712b922ad6d6e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab717A.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pivot_Animator_files\pivotsetup.exe

Filesize
17.8MB

MD5
a52c104395773710fab7f6264aced388

SHA1
87bf5c40fbac501bc272cb5343e7ae09b13bfdb1

SHA256
2852267832c4338f9ab2488add87c71be9e9b6fac50f3395915e7b9b6ab5cd11

SHA512
47eb7a1bd1c78961a8ab5a90896df6be0d57e253798033ba6caafaef6826414a08f6f8fe085faee7601d06acc00bec26c8c9e8da0da97168370e69fa27cf829f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar71AC.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Program Files (x86)\Pivot Animator v5\STKPreview.dll

Filesize
2.5MB

MD5
2c639820b502df57891e7c4ee805f4b7

SHA1
d90ecab78c86152c31f6963096107fbb115f7bae

SHA256
dcdaf630b7a42bb9d6b1693e159175d68569f20f3ab034af4124d3c775436458

SHA512
afd96af844d30256e9fe1983e82317ace56d6741bf3f2647fee6ef6870b610a4b71560aca95a62ed5b54a2e1ab0ef1487a536124328f4ac327a0b86b1c1900a4

Download Submit
\Program Files (x86)\Pivot Animator v5\pivot.exe

Filesize
13.1MB

MD5
ab3c884e603de1d2d9d4bb9edeac8762

SHA1
123e87c326a39d641571c5f5d54e9b1f42926cc3

SHA256
af38da271a7fb34617b094b3832af8f016168d0923dabbfb297633fb22e49036

SHA512
ecf3474372d1af6f4e93fe655b188b03744f07166fe2ae3947650fec8afabd2bb721270d8e3ef97d52cd4071e6a94ca1c1f5ecf304ed0711bb932bfce133982f

Download Submit
\Program Files (x86)\Pivot Animator v5\unins000.exe

Filesize
713KB

MD5
6341d7c8365a68edfa370476a6de9262

SHA1
08ca9e3631bc815b7c3afd4fe461385f4667710d

SHA256
5cc26edaa9445ff84e9d118245f07e4ff740ca72788a7b8d2c32d52d68f36afb

SHA512
51ab8057a974fa227084756311d5fe8d3e9bb6d5ac785d405a3f9914a0066adb5cd753a0e844109ccf711c2b34ccfa001f2ab3b05587848519ec5b74f71861eb

Download Submit
\Users\Admin\AppData\Local\Temp\is-7B7I7.tmp\pivotsetup.tmp

Filesize
702KB

MD5
1afbd25db5c9a90fe05309f7c4fbcf09

SHA1
baf330b5c249ca925b4ea19a52fe8b2c27e547fa

SHA256
3bb0ee5569fe5453c6b3fa25aa517b925d4f8d1f7ba3475e58fa09c46290658c

SHA512
3a448f06862c6d163fd58b68b836d866ae513e04a69774abf5a0c5b7df74f5b9ee37240083760185618c5068bf93e7fd812e76b3e530639111fb1d74f4d28419

Download Submit
memory/1144-427-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1144-241-0x0000000000401000-0x000000000040C000-memory.dmp

Filesize
44KB

Download
memory/1144-239-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1232-9-0x000007FEF51E0000-0x000007FEF5BCC000-memory.dmp

Filesize
9.9MB

Download
memory/1232-0-0x000007FEF51E3000-0x000007FEF51E4000-memory.dmp

Filesize
4KB

Download
memory/1232-13-0x000007FEF51E0000-0x000007FEF5BCC000-memory.dmp

Filesize
9.9MB

Download
memory/1232-16-0x000007FEF51E0000-0x000007FEF5BCC000-memory.dmp

Filesize
9.9MB

Download
memory/1232-15-0x000007FEF51E0000-0x000007FEF5BCC000-memory.dmp

Filesize
9.9MB

Download
memory/1232-17-0x000007FEF51E0000-0x000007FEF5BCC000-memory.dmp

Filesize
9.9MB

Download
memory/1232-18-0x000007FEF51E0000-0x000007FEF5BCC000-memory.dmp

Filesize
9.9MB

Download
memory/1232-19-0x000007FEF51E0000-0x000007FEF5BCC000-memory.dmp

Filesize
9.9MB

Download
memory/1232-20-0x000007FEF51E0000-0x000007FEF5BCC000-memory.dmp

Filesize
9.9MB

Download
memory/1232-21-0x000007FEF51E0000-0x000007FEF5BCC000-memory.dmp

Filesize
9.9MB

Download
memory/1232-12-0x000007FEF51E3000-0x000007FEF51E4000-memory.dmp

Filesize
4KB

Download
memory/1232-11-0x000007FEF51E0000-0x000007FEF5BCC000-memory.dmp

Filesize
9.9MB

Download
memory/1232-10-0x000007FEF51E0000-0x000007FEF5BCC000-memory.dmp

Filesize
9.9MB

Download
memory/1232-14-0x000007FEF51E0000-0x000007FEF5BCC000-memory.dmp

Filesize
9.9MB

Download
memory/1232-237-0x000007FEF51E0000-0x000007FEF5BCC000-memory.dmp

Filesize
9.9MB

Download
memory/1232-8-0x000007FEF51E0000-0x000007FEF5BCC000-memory.dmp

Filesize
9.9MB

Download
memory/1232-7-0x000007FEF51E0000-0x000007FEF5BCC000-memory.dmp

Filesize
9.9MB

Download
memory/1232-6-0x000007FEF51E0000-0x000007FEF5BCC000-memory.dmp

Filesize
9.9MB

Download
memory/1232-5-0x000007FEF51E0000-0x000007FEF5BCC000-memory.dmp

Filesize
9.9MB

Download
memory/1232-428-0x000007FEF51E0000-0x000007FEF5BCC000-memory.dmp

Filesize
9.9MB

Download
memory/1232-4-0x000007FEF51E0000-0x000007FEF5BCC000-memory.dmp

Filesize
9.9MB

Download
memory/1232-1-0x0000000000920000-0x00000000009C8000-memory.dmp

Filesize
672KB

Download
memory/1232-3-0x000000001A760000-0x000000001A77A000-memory.dmp

Filesize
104KB

Download
memory/1232-2-0x000007FEF51E0000-0x000007FEF5BCC000-memory.dmp

Filesize
9.9MB

Download
memory/2300-426-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2300-247-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2320-422-0x0000000002290000-0x000000000251C000-memory.dmp

Filesize
2.5MB

Download