File name: plutonium.exe

Full analysis: https://app.any.run/tasks/f49d72f3-b7a2-4eaf-80c6-ecbafedc4e34
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: August 06, 2024, 19:00:39
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: 72CB7C6D98E9E47274733825C9176679
SHA1: 8681469349254C5203A7F9A189833D22A14F5CD9
SHA256: 85D1D1CA4D5881D9B98928C2006FB0EEC9655E2705FE74088E6F974A19703F0F
SSDEEP: 98304:zUaMwIBAoUcmmxVA5/xDnLx0yu+5TeRXExXYAxZ:Ia+AobhATd0yH0RXUo2Z

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • plutonium.exe (PID: 6380)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • plutonium.exe (PID: 6380)
    • Executable content was dropped or overwritten

      • plutonium.exe (PID: 6380)
  • INFO

    • Checks supported languages

      • plutonium.exe (PID: 6380)
    • Creates files in the program directory

      • plutonium.exe (PID: 6380)
    • Reads the machine GUID from the registry

      • plutonium.exe (PID: 6380)
    • Reads the computer name

      • plutonium.exe (PID: 6380)
    • Checks proxy server information

      • plutonium.exe (PID: 6380)
    • Reads Environment values

      • plutonium.exe (PID: 6380)
    • Reads the software policy settings

      • plutonium.exe (PID: 6380)
    • Disables trace logs

      • plutonium.exe (PID: 6380)
    • Creates files or folders in the user directory

      • plutonium.exe (PID: 6380)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2097:01:09 15:42:18+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 48
CodeSize: 4820480
InitializedDataSize: 34816
UninitializedDataSize: -
EntryPoint: 0x49adde
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.0.221.0
ProductVersionNumber: 1.0.221.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
CompanyName: Plutonium.Updater.App
FileDescription: Plutonium.Updater.App
FileVersion: 1.0.221.0
InternalName: Plutonium.Updater.App.exe
LegalCopyright:
OriginalFileName: Plutonium.Updater.App.exe
ProductName: Plutonium.Updater.App
ProductVersion: 1.0.221-25b01eea
AssemblyVersion: 1.0.221.0
No data.
All screenshots are available in the full report
Total processes: 119
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start plutonium.exe svchost.exe

Process information

PID: 2256
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Indicators: (none)
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 6380
CMD: "C:\Users\admin\Desktop\plutonium.exe"
Path: C:\Users\admin\Desktop\plutonium.exe
Parent process: explorer.exe
User:
admin
Company:
Plutonium.Updater.App
Integrity Level:
MEDIUM
Description:
Plutonium.Updater.App
Version:
1.0.221.0
Modules
Images
c:\users\admin\desktop\plutonium.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events: 4 835
Read events: 4 821
Write events: 14
Delete events: 0

Modification events

(PID) Process: (6380) plutonium.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\plutonium_RASAPI32
Operation: write; Name: EnableFileTracing; Value: 0

(PID) Process: (6380) plutonium.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\plutonium_RASAPI32
Operation: write; Name: EnableAutoFileTracing; Value: 0

(PID) Process: (6380) plutonium.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\plutonium_RASAPI32
Operation: write; Name: EnableConsoleTracing; Value: 0

(PID) Process: (6380) plutonium.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\plutonium_RASAPI32
Operation: write; Name: FileTracingMask; Value:

(PID) Process: (6380) plutonium.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\plutonium_RASAPI32
Operation: write; Name: ConsoleTracingMask; Value:

(PID) Process: (6380) plutonium.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\plutonium_RASAPI32
Operation: write; Name: MaxFileSize; Value: 1048576

(PID) Process: (6380) plutonium.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\plutonium_RASAPI32
Operation: write; Name: FileDirectory; Value: %windir%\tracing

(PID) Process: (6380) plutonium.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\plutonium_RASMANCS
Operation: write; Name: EnableFileTracing; Value: 0

(PID) Process: (6380) plutonium.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\plutonium_RASMANCS
Operation: write; Name: EnableAutoFileTracing; Value: 0

(PID) Process: (6380) plutonium.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\plutonium_RASMANCS
Operation: write; Name: EnableConsoleTracing; Value: 0
Executable files: 17
Suspicious files: 21
Text files: 48
Unknown types: 0

Dropped files

PID | Process | Filename | Type

6380 | plutonium.exe | C:\Users\admin\AppData\Local\Plutonium\bin\UltralightCore.dll | executable
MD5: CD3768E013636A12E6CE7937A7F69365
SHA256: 9ED2701BA7C3349ECBBCF276C280A09262B4DA72BE9FDCDDD81A8BAC9C9B3D69

6380 | plutonium.exe | C:\Users\admin\AppData\Local\Plutonium\bin\plutonium-bootstrapper-win32.exe | executable
MD5: 332D838CCB3D90EDB349758EBFBE7529
SHA256: 322021311F86DED0F7D27A4CB7997595A02C9CD2957CE69B979DF0552963BE54

6380 | plutonium.exe | C:\Users\admin\AppData\Local\Plutonium\bin\Ultralight.dll | executable
MD5: 6C2949787D48F3B0C0CBD4A872253F12
SHA256: 758CA54BAC8288487CFA6EA276C724FC4AD29C6D6A4294D74EA34E0726CE8661

6380 | plutonium.exe | C:\Users\admin\AppData\Local\Plutonium\games\iw5sp.exe | executable
MD5: 6199A36AC2928AC23AC495CC2B528477
SHA256: 0EAD93EB151F1FFFE4EDD3EE3C29DB4209C951506AB44BE05735F1687123B4F0

6380 | plutonium.exe | C:\Users\admin\AppData\Local\Plutonium\bin\AppCore.dll | executable
MD5: 80C3806A12959987AC012E28F63AD150
SHA256: B5338B858E5C65F9C36BBC817673BA5E1A05EED8F4DCF007B6BC4FF6140FC8F8

6380 | plutonium.exe | C:\Users\admin\AppData\Local\Plutonium\bin\VibeCheck.exe | executable
MD5: BE1EE42858B55352E0FB154D76F31562
SHA256: 4B053F45887ED35E584B3DDC4C44BAA1533372161B96DEAAA2C3C1EA6FCE7F2B

6380 | plutonium.exe | C:\Users\admin\AppData\Local\Plutonium\bin\discord_game_sdk.dll | executable
MD5: 955AF9BE4A97316D73AFAE1E7365E97E
SHA256: D8E7D9FEB3DE8482B186AE44FD1C9ABB41FE2B3B3D2C7CD3A4D742EBBAD30CDF

6380 | plutonium.exe | C:\Users\admin\AppData\Local\Plutonium\bin\plutonium-launcher-win32.exe | executable
MD5: 3B4855CA60126444EB2B4A8C1B864DAE
SHA256: 4FBFB4DF1A2DB548CBB15213350509C638A156E072B0856019FA6DB03B033DFA

6380 | plutonium.exe | C:\Users\admin\AppData\Local\Plutonium\bin\steam_api64.dll | executable
MD5: F3DB5801DC9B75DA671B39041E2E8BCF
SHA256: A44E5537939AE4EEBC69000589AA9B2437A667813A1657CC779198BAE9B815A9

6380 | plutonium.exe | C:\Users\admin\AppData\Local\Plutonium\bin\WebCore.dll | executable
MD5: 90B16ABE7F82DCAE822174B4503F4E1B
SHA256: B4D361BF13F98C96C21C3DEC94D14914FF80C3515A48CD3DF974378CD6052082
HTTP(S) requests: 89
TCP/UDP connections: 16
DNS requests: 2
Threats: 1

HTTP requests

Columns: PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
(PID and Process are not shown in the extracted rows below; the remaining values are given in column order.)

GET | 200 | 104.21.235.12:443 | https://cdn.plutonium.pw/updater/prod/files/01cd853173dca709c6a9c3ec8c68e5cb1ce7802a | unknown | executable | 126 Kb
GET | 200 | 104.21.235.12:443 | https://cdn.plutonium.pw/updater/prod/files/62cd6f527be6c82e1c1669fde807a4b34774691b | unknown | executable | 3.01 Mb
GET | 200 | 104.21.235.12:443 | https://cdn.plutonium.pw/updater/prod/info.json | unknown | binary | 27.5 Kb
GET | 200 | 104.21.235.11:443 | https://cdn.plutonium.pw/updater/prod/files/3a43f2989903bede21c4f599c86f3e10403e4bf1 | unknown | executable | 230 Kb
GET | 200 | 104.21.235.11:443 | https://cdn.plutonium.pw/updater/prod/files/405be77c308b4aeb678dd9235ceee201da8babb8 | unknown | executable | 578 Kb
GET | 200 | 104.21.235.12:443 | https://cdn.plutonium.pw/updater/prod/files/34dd74dc967addb4b84deb3585ed3151dc33c762 | unknown | executable | 6.50 Mb
GET | 200 | 104.21.235.11:443 | https://cdn.plutonium.pw/updater/prod/files/ebd5792c38e598e09de2e87f435c809927400e25 | unknown | executable | 22.0 Mb
GET | 200 | 104.21.235.11:443 | https://cdn.plutonium.pw/updater/prod/files/ce78cfc85ae77e91480a443866d8d4b964c9559d | unknown | executable | 11.9 Mb
GET | 200 | 104.21.235.11:443 | https://cdn.plutonium.pw/updater/prod/files/40d0ae44e090db49b2309fb152fbd3e11124a376 | unknown | executable | 291 Kb
GET | 200 | 104.21.235.12:443 | https://cdn.plutonium.pw/updater/prod/files/17c3c8a1dbfb6c4cc2c1368d8ede5318b0783290 | unknown | executable | 2.92 Mb

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation
(Empty columns are omitted in the extracted rows below; the remaining values are given in column order.)

1184 | RUXIMICS.exe | 4.231.128.59:443 | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3888 | svchost.exe | 239.255.255.250:1900 | whitelisted
2120 | MoUsoCoreWorker.exe | 4.231.128.59:443 | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1224 | svchost.exe | 4.231.128.59:443 | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | whitelisted
4 | System | 192.168.100.255:137 | whitelisted
6380 | plutonium.exe | 104.21.235.12:443 | cdn.plutonium.pw | CLOUDFLARENET | unknown
4324 | svchost.exe | 4.231.128.59:443 | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain | IP | Reputation

google.com | 172.217.16.142 | whitelisted
cdn.plutonium.pw | 104.21.235.12, 104.21.235.11 | unknown

Threats

PID | Process | Class | Message

2256 | svchost.exe | Potentially Bad Traffic | ET DNS Query to a *.pw domain - Likely Hostile
No debug info