File name: plutonium.exe

Full analysis: https://app.any.run/tasks/f49d72f3-b7a2-4eaf-80c6-ecbafedc4e34
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: August 06, 2024, 19:00:39
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: 72CB7C6D98E9E47274733825C9176679
SHA1: 8681469349254C5203A7F9A189833D22A14F5CD9
SHA256: 85D1D1CA4D5881D9B98928C2006FB0EEC9655E2705FE74088E6F974A19703F0F
SSDEEP: 98304:zUaMwIBAoUcmmxVA5/xDnLx0yu+5TeRXExXYAxZ:Ia+AobhATd0yH0RXUo2Z

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • plutonium.exe (PID: 6380)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • plutonium.exe (PID: 6380)
    • Reads security settings of Internet Explorer

      • plutonium.exe (PID: 6380)
  • INFO

    • Checks supported languages

      • plutonium.exe (PID: 6380)
    • Creates files in the program directory

      • plutonium.exe (PID: 6380)
    • Reads the computer name

      • plutonium.exe (PID: 6380)
    • Reads Environment values

      • plutonium.exe (PID: 6380)
    • Reads the machine GUID from the registry

      • plutonium.exe (PID: 6380)
    • Reads the software policy settings

      • plutonium.exe (PID: 6380)
    • Disables trace logs

      • plutonium.exe (PID: 6380)
    • Checks proxy server information

      • plutonium.exe (PID: 6380)
    • Creates files or folders in the user directory

      • plutonium.exe (PID: 6380)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2097:01:09 15:42:18+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 48
CodeSize: 4820480
InitializedDataSize: 34816
UninitializedDataSize: -
EntryPoint: 0x49adde
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.0.221.0
ProductVersionNumber: 1.0.221.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
CompanyName: Plutonium.Updater.App
FileDescription: Plutonium.Updater.App
FileVersion: 1.0.221.0
InternalName: Plutonium.Updater.App.exe
LegalCopyright:
OriginalFileName: Plutonium.Updater.App.exe
ProductName: Plutonium.Updater.App
ProductVersion: 1.0.221-25b01eea
AssemblyVersion: 1.0.221.0
Total processes: 119
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Processes shown: start, plutonium.exe, svchost.exe

Process information

PID | CMD | Path | Indicators | Parent process
2256 | C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | C:\Windows\System32\svchost.exe | - | services.exe
  User: NETWORK SERVICE
  Company: Microsoft Corporation
  Integrity Level: SYSTEM
  Description: Host Process for Windows Services
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules (Images):
    c:\windows\system32\svchost.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\bcrypt.dll
    c:\windows\system32\ucrtbase.dll
    c:\windows\system32\combase.dll
    c:\windows\system32\kernel.appcore.dll
6380 | "C:\Users\admin\Desktop\plutonium.exe" | C:\Users\admin\Desktop\plutonium.exe | - | explorer.exe
  User: admin
  Company: Plutonium.Updater.App
  Integrity Level: MEDIUM
  Description: Plutonium.Updater.App
  Version: 1.0.221.0
  Modules (Images):
    c:\users\admin\desktop\plutonium.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\mscoree.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\apphelp.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
Total events: 4 835
Read events: 4 821
Write events: 14
Delete events: 0

Modification events

(PID) Process | Key | Operation | Name | Value
(6380) plutonium.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\plutonium_RASAPI32 | write | EnableFileTracing | 0
(6380) plutonium.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\plutonium_RASAPI32 | write | EnableAutoFileTracing | 0
(6380) plutonium.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\plutonium_RASAPI32 | write | EnableConsoleTracing | 0
(6380) plutonium.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\plutonium_RASAPI32 | write | FileTracingMask | -
(6380) plutonium.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\plutonium_RASAPI32 | write | ConsoleTracingMask | -
(6380) plutonium.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\plutonium_RASAPI32 | write | MaxFileSize | 1048576
(6380) plutonium.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\plutonium_RASAPI32 | write | FileDirectory | %windir%\tracing
(6380) plutonium.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\plutonium_RASMANCS | write | EnableFileTracing | 0
(6380) plutonium.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\plutonium_RASMANCS | write | EnableAutoFileTracing | 0
(6380) plutonium.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\plutonium_RASMANCS | write | EnableConsoleTracing | 0
Executable files: 17
Suspicious files: 21
Text files: 48
Unknown types: 0

Dropped files

PID | Process | Filename | Type
6380 | plutonium.exe | C:\Users\admin\AppData\Local\Plutonium\bin\AppCore.dll | executable
  MD5: 80C3806A12959987AC012E28F63AD150
  SHA256: B5338B858E5C65F9C36BBC817673BA5E1A05EED8F4DCF007B6BC4FF6140FC8F8
6380 | plutonium.exe | C:\Users\admin\AppData\Local\Plutonium\bin\discord_game_sdk.dll | executable
  MD5: 955AF9BE4A97316D73AFAE1E7365E97E
  SHA256: D8E7D9FEB3DE8482B186AE44FD1C9ABB41FE2B3B3D2C7CD3A4D742EBBAD30CDF
6380 | plutonium.exe | C:\Users\admin\AppData\Local\Plutonium\bin\plutonium-bootstrapper-win32.exe | executable
  MD5: 332D838CCB3D90EDB349758EBFBE7529
  SHA256: 322021311F86DED0F7D27A4CB7997595A02C9CD2957CE69B979DF0552963BE54
6380 | plutonium.exe | C:\Users\admin\AppData\Local\Plutonium\bin\steam_api64.dll | executable
  MD5: F3DB5801DC9B75DA671B39041E2E8BCF
  SHA256: A44E5537939AE4EEBC69000589AA9B2437A667813A1657CC779198BAE9B815A9
6380 | plutonium.exe | C:\Users\admin\AppData\Local\Plutonium\bin\VibeCheck.exe | executable
  MD5: BE1EE42858B55352E0FB154D76F31562
  SHA256: 4B053F45887ED35E584B3DDC4C44BAA1533372161B96DEAAA2C3C1EA6FCE7F2B
6380 | plutonium.exe | C:\Users\admin\AppData\Local\Plutonium\games\t4sp.exe | executable
  MD5: 04D5620ACF68F0A9A067DF532EA23B96
  SHA256: F26D45524BFFF7E44C8EBAB4D758CA524EDFB0FB7D52352B6C95E1E908799361
6380 | plutonium.exe | C:\Users\admin\AppData\Local\Plutonium\bin\plutonium-launcher-win32.exe | executable
  MD5: 3B4855CA60126444EB2B4A8C1B864DAE
  SHA256: 4FBFB4DF1A2DB548CBB15213350509C638A156E072B0856019FA6DB03B033DFA
6380 | plutonium.exe | C:\Users\admin\AppData\Local\Plutonium\games\t6zm.exe | executable
  MD5: 837C6AE7DC13412FB4DD346CD7C987FF
  SHA256: 2AFF340F22F0C68BF46511C7BBC6167E4BB84524817F54CAE08E8F60E6F9AFC3
6380 | plutonium.exe | C:\Users\admin\AppData\Local\Plutonium\bin\WebCore.dll | executable
  MD5: 90B16ABE7F82DCAE822174B4503F4E1B
  SHA256: B4D361BF13F98C96C21C3DEC94D14914FF80C3515A48CD3DF974378CD6052082
6380 | plutonium.exe | C:\Users\admin\AppData\Local\Plutonium\games\t5mp.exe | executable
  MD5: 5F078CB9FDAE3B960D616B969AF72C48
  SHA256: 6A544494722AAF90AE241D687FCA0AEBD73F97F0D79412D0F8C311F6C369C3FB
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 89
TCP/UDP connections: 16
DNS requests: 2
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 200 | 104.21.235.12:443 | https://cdn.plutonium.pw/updater/prod/files/34dd74dc967addb4b84deb3585ed3151dc33c762 | unknown | executable | 6.50 Mb | unknown
- | - | GET | 200 | 104.21.235.12:443 | https://cdn.plutonium.pw/updater/prod/files/01cd853173dca709c6a9c3ec8c68e5cb1ce7802a | unknown | executable | 126 Kb | unknown
- | - | GET | 200 | 104.21.235.11:443 | https://cdn.plutonium.pw/updater/prod.json | unknown | binary | 465 b | unknown
- | - | GET | 200 | 104.21.235.12:443 | https://cdn.plutonium.pw/updater/prod/files/58a31e648b2f7232025aa009b1ea3112ac85a3d2 | unknown | executable | 4.93 Mb | unknown
- | - | GET | 200 | 104.21.235.11:443 | https://cdn.plutonium.pw/updater/prod/files/405be77c308b4aeb678dd9235ceee201da8babb8 | unknown | executable | 578 Kb | unknown
- | - | GET | 200 | 104.21.235.12:443 | https://cdn.plutonium.pw/updater/prod/files/62cd6f527be6c82e1c1669fde807a4b34774691b | unknown | executable | 3.01 Mb | unknown
- | - | GET | 200 | 104.21.235.11:443 | https://cdn.plutonium.pw/updater/prod/files/ce78cfc85ae77e91480a443866d8d4b964c9559d | unknown | executable | 11.9 Mb | unknown
- | - | GET | 200 | 104.21.235.12:443 | https://cdn.plutonium.pw/updater/prod/files/17c3c8a1dbfb6c4cc2c1368d8ede5318b0783290 | unknown | executable | 2.92 Mb | unknown
- | - | GET | 200 | 104.21.235.11:443 | https://cdn.plutonium.pw/updater/prod/files/07a8fc31fb150a34084986498c560193ac0c8006 | unknown | executable | 5.29 Mb | unknown
- | - | GET | 200 | 104.21.235.11:443 | https://cdn.plutonium.pw/updater/prod/files/417beb0835a2fe2334d7a1a0771a6a8aef285c60 | unknown | executable | 5.39 Mb | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1184 | RUXIMICS.exe | 4.231.128.59:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3888 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
2120 | MoUsoCoreWorker.exe | 4.231.128.59:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1224 | svchost.exe | 4.231.128.59:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
6380 | plutonium.exe | 104.21.235.12:443 | cdn.plutonium.pw | CLOUDFLARENET | - | unknown
4324 | svchost.exe | 4.231.128.59:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain | IP | Reputation
google.com | 172.217.16.142 | whitelisted
cdn.plutonium.pw | 104.21.235.12, 104.21.235.11 | unknown

Threats

PID | Process | Class | Message
2256 | svchost.exe | Potentially Bad Traffic | ET DNS Query to a *.pw domain - Likely Hostile
No debug info