File name:

plutonium.exe

Full analysis: https://app.any.run/tasks/fa3552ac-3e50-43ec-8696-03603864b03a
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: June 14, 2024, 08:10:01
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:

72CB7C6D98E9E47274733825C9176679

SHA1:

8681469349254C5203A7F9A189833D22A14F5CD9

SHA256:

85D1D1CA4D5881D9B98928C2006FB0EEC9655E2705FE74088E6F974A19703F0F

SSDEEP:

98304:zUaMwIBAoUcmmxVA5/xDnLx0yu+5TeRXExXYAxZ:Ia+AobhATd0yH0RXUo2Z

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • plutonium.exe (PID: 6264)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • plutonium.exe (PID: 6264)

    • Executable content was dropped or overwritten

      • plutonium.exe (PID: 6264)

  • INFO

    • Checks supported languages

      • plutonium.exe (PID: 6264)

    • Reads the computer name

      • plutonium.exe (PID: 6264)

    • Disables trace logs

      • plutonium.exe (PID: 6264)

    • Checks proxy server information

      • plutonium.exe (PID: 6264)

    • Reads Environment values

      • plutonium.exe (PID: 6264)

    • Creates files in the program directory

      • plutonium.exe (PID: 6264)

    • Reads the machine GUID from the registry

      • plutonium.exe (PID: 6264)

    • Reads the software policy settings

      • plutonium.exe (PID: 6264)

    • Creates files or folders in the user directory

      • plutonium.exe (PID: 6264)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2097:01:09 15:42:18+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 48
CodeSize: 4820480
InitializedDataSize: 34816
UninitializedDataSize: -
EntryPoint: 0x49adde
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.0.221.0
ProductVersionNumber: 1.0.221.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
CompanyName: Plutonium.Updater.App
FileDescription: Plutonium.Updater.App
FileVersion: 1.0.221.0
InternalName: Plutonium.Updater.App.exe
LegalCopyright:
OriginalFileName: Plutonium.Updater.App.exe
ProductName: Plutonium.Updater.App
ProductVersion: 1.0.221-25b01eea
AssemblyVersion: 1.0.221.0
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
115
Monitored processes
1
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start plutonium.exe

Process information

PID
CMD
Path
Indicators
Parent process
6264"C:\Users\admin\Desktop\plutonium.exe" C:\Users\admin\Desktop\plutonium.exe
explorer.exe
User:
admin
Company:
Plutonium.Updater.App
Integrity Level:
MEDIUM
Description:
Plutonium.Updater.App
Version:
1.0.221.0
Modules
Images
c:\users\admin\desktop\plutonium.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events
4 655
Read events
4 641
Write events
14
Delete events
0

Modification events

(PID) Process:(6264) plutonium.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\plutonium_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(6264) plutonium.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\plutonium_RASAPI32
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(6264) plutonium.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\plutonium_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(6264) plutonium.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\plutonium_RASAPI32
Operation:writeName:FileTracingMask
Value:
(PID) Process:(6264) plutonium.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\plutonium_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
(PID) Process:(6264) plutonium.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\plutonium_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(6264) plutonium.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\plutonium_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(6264) plutonium.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\plutonium_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(6264) plutonium.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\plutonium_RASMANCS
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(6264) plutonium.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\plutonium_RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
Executable files
4
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
6264plutonium.exeC:\Users\admin\AppData\Local\Plutonium\bin\UltralightCore.dllexecutable
MD5:CD3768E013636A12E6CE7937A7F69365
SHA256:9ED2701BA7C3349ECBBCF276C280A09262B4DA72BE9FDCDDD81A8BAC9C9B3D69
6264plutonium.exeC:\Users\admin\AppData\Local\Plutonium\bin\Ultralight.dllexecutable
MD5:6C2949787D48F3B0C0CBD4A872253F12
SHA256:758CA54BAC8288487CFA6EA276C724FC4AD29C6D6A4294D74EA34E0726CE8661
6264plutonium.exeC:\Users\admin\AppData\Local\Plutonium\bin\VibeCheck.exeexecutable
MD5:BE1EE42858B55352E0FB154D76F31562
SHA256:4B053F45887ED35E584B3DDC4C44BAA1533372161B96DEAAA2C3C1EA6FCE7F2B
6264plutonium.exeC:\Users\admin\AppData\Local\Plutonium\bin\AppCore.dllexecutable
MD5:80C3806A12959987AC012E28F63AD150
SHA256:B5338B858E5C65F9C36BBC817673BA5E1A05EED8F4DCF007B6BC4FF6140FC8F8
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
14
TCP/UDP connections
24
DNS requests
7
Threats
13

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5380
RUXIMICS.exe
GET
200
2.19.172.196:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
unknown
5140
MoUsoCoreWorker.exe
GET
200
2.19.172.196:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
unknown
4232
svchost.exe
GET
200
2.19.172.196:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
unknown
5380
RUXIMICS.exe
GET
200
184.29.138.50:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
unknown
5140
MoUsoCoreWorker.exe
GET
200
184.29.138.50:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
unknown
4232
svchost.exe
GET
200
184.29.138.50:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
unknown
GET
104.21.235.11:443
https://cdn.plutonium.pw/updater/prod/files/ebd5792c38e598e09de2e87f435c809927400e25
unknown
GET
200
104.21.235.12:443
https://cdn.plutonium.pw/updater/prod/info.json
unknown
binary
27.5 Kb
POST
200
20.42.73.24:443
https://self.events.data.microsoft.com/OneCollector/1.0/
unknown
9 b
GET
200
104.21.235.11:443
https://cdn.plutonium.pw/updater/prod/files/3a43f2989903bede21c4f599c86f3e10403e4bf1
unknown
executable
230 Kb
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
239.255.255.250:1900
unknown
4232
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5380
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5140
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5140
MoUsoCoreWorker.exe
2.19.172.196:80
crl.microsoft.com
Akamai International B.V.
NL
unknown
5380
RUXIMICS.exe
2.19.172.196:80
crl.microsoft.com
Akamai International B.V.
NL
unknown
4232
svchost.exe
2.19.172.196:80
crl.microsoft.com
Akamai International B.V.
NL
unknown
5380
RUXIMICS.exe
184.29.138.50:80
www.microsoft.com
AKAMAI-AS
US
unknown
5140
MoUsoCoreWorker.exe
184.29.138.50:80
www.microsoft.com
AKAMAI-AS
US
unknown
4232
svchost.exe
184.29.138.50:80
www.microsoft.com
AKAMAI-AS
US
unknown

DNS requests

Domain
IP
Reputation
crl.microsoft.com
  • 2.19.172.196
  • 2.19.172.207
whitelisted
www.microsoft.com
  • 184.29.138.50
whitelisted
cdn.plutonium.pw
  • 104.21.235.12
  • 104.21.235.11
unknown
settings-win.data.microsoft.com
  • 51.104.136.2
  • 40.127.240.158
whitelisted
self.events.data.microsoft.com
  • 13.89.179.14
whitelisted

Threats

PID
Process
Class
Message
2184
svchost.exe
Potentially Bad Traffic
ET DNS Query to a *.pw domain - Likely Hostile
Misc activity
ET INFO HTTP Request to a *.pw domain
Misc activity
ET INFO HTTP Request to a *.pw domain
Misc activity
ET INFO HTTP Request to a *.pw domain
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
Misc activity
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
Misc activity
ET INFO HTTP Request to a *.pw domain
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
Misc activity
ET INFO HTTP Request to a *.pw domain
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
plutonium.exe