File name: plutonium.exe

Full analysis: https://app.any.run/tasks/fb5fc71f-e42f-45e9-a6a6-74c0abc71964
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: June 03, 2024, 16:26:34
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: 72CB7C6D98E9E47274733825C9176679
SHA1: 8681469349254C5203A7F9A189833D22A14F5CD9
SHA256: 85D1D1CA4D5881D9B98928C2006FB0EEC9655E2705FE74088E6F974A19703F0F
SSDEEP: 98304:zUaMwIBAoUcmmxVA5/xDnLx0yu+5TeRXExXYAxZ:Ia+AobhATd0yH0RXUo2Z

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • plutonium.exe (PID: 6368)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • plutonium.exe (PID: 6368)
    • Executable content was dropped or overwritten

      • plutonium.exe (PID: 6368)
  • INFO

    • Checks supported languages

      • plutonium.exe (PID: 6368)
    • Creates files in the program directory

      • plutonium.exe (PID: 6368)
    • Disables trace logs

      • plutonium.exe (PID: 6368)
    • Reads Environment values

      • plutonium.exe (PID: 6368)
    • Reads the machine GUID from the registry

      • plutonium.exe (PID: 6368)
    • Reads the computer name

      • plutonium.exe (PID: 6368)
    • Reads the software policy settings

      • plutonium.exe (PID: 6368)
    • Checks proxy server information

      • plutonium.exe (PID: 6368)
    • Creates files or folders in the user directory

      • plutonium.exe (PID: 6368)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2097:01:09 15:42:18+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 48
CodeSize: 4820480
InitializedDataSize: 34816
UninitializedDataSize: -
EntryPoint: 0x49adde
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.0.221.0
ProductVersionNumber: 1.0.221.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
CompanyName: Plutonium.Updater.App
FileDescription: Plutonium.Updater.App
FileVersion: 1.0.221.0
InternalName: Plutonium.Updater.App.exe
LegalCopyright:
OriginalFileName: Plutonium.Updater.App.exe
ProductName: Plutonium.Updater.App
ProductVersion: 1.0.221-25b01eea
AssemblyVersion: 1.0.221.0
No data.
All screenshots are available in the full report
Total processes: 115
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start plutonium.exe

Process information

PID: 6368
CMD: "C:\Users\admin\Desktop\plutonium.exe"
Path: C:\Users\admin\Desktop\plutonium.exe
Parent process: explorer.exe
User: admin
Company: Plutonium.Updater.App
Integrity Level: MEDIUM
Description: Plutonium.Updater.App
Version: 1.0.221.0
Modules
Images
c:\users\admin\desktop\plutonium.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events: 4 655
Read events: 4 641
Write events: 14
Delete events: 0

Modification events

PID | Process | Key | Operation | Name | Value
6368 | plutonium.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\plutonium_RASAPI32 | write | EnableFileTracing | 0
6368 | plutonium.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\plutonium_RASAPI32 | write | EnableAutoFileTracing | 0
6368 | plutonium.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\plutonium_RASAPI32 | write | EnableConsoleTracing | 0
6368 | plutonium.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\plutonium_RASAPI32 | write | FileTracingMask |
6368 | plutonium.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\plutonium_RASAPI32 | write | ConsoleTracingMask |
6368 | plutonium.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\plutonium_RASAPI32 | write | MaxFileSize | 1048576
6368 | plutonium.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\plutonium_RASAPI32 | write | FileDirectory | %windir%\tracing
6368 | plutonium.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\plutonium_RASMANCS | write | EnableFileTracing | 0
6368 | plutonium.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\plutonium_RASMANCS | write | EnableAutoFileTracing | 0
6368 | plutonium.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\plutonium_RASMANCS | write | EnableConsoleTracing | 0
Executable files: 16
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
6368 | plutonium.exe | C:\Users\admin\AppData\Local\Plutonium\bin\AppCore.dll | executable
  MD5: 80C3806A12959987AC012E28F63AD150
  SHA256: B5338B858E5C65F9C36BBC817673BA5E1A05EED8F4DCF007B6BC4FF6140FC8F8
6368 | plutonium.exe | C:\Users\admin\AppData\Local\Plutonium\bin\VibeCheck.exe | executable
  MD5: BE1EE42858B55352E0FB154D76F31562
  SHA256: 4B053F45887ED35E584B3DDC4C44BAA1533372161B96DEAAA2C3C1EA6FCE7F2B
6368 | plutonium.exe | C:\Users\admin\AppData\Local\Plutonium\bin\steam_api64.dll | executable
  MD5: F3DB5801DC9B75DA671B39041E2E8BCF
  SHA256: A44E5537939AE4EEBC69000589AA9B2437A667813A1657CC779198BAE9B815A9
6368 | plutonium.exe | C:\Users\admin\AppData\Local\Plutonium\bin\WebCore.dll | executable
  MD5: 90B16ABE7F82DCAE822174B4503F4E1B
  SHA256: B4D361BF13F98C96C21C3DEC94D14914FF80C3515A48CD3DF974378CD6052082
6368 | plutonium.exe | C:\Users\admin\AppData\Local\Plutonium\bin\Ultralight.dll | executable
  MD5: 6C2949787D48F3B0C0CBD4A872253F12
  SHA256: 758CA54BAC8288487CFA6EA276C724FC4AD29C6D6A4294D74EA34E0726CE8661
6368 | plutonium.exe | C:\Users\admin\AppData\Local\Plutonium\games\iw5sp.exe | executable
  MD5: 6199A36AC2928AC23AC495CC2B528477
  SHA256: 0EAD93EB151F1FFFE4EDD3EE3C29DB4209C951506AB44BE05735F1687123B4F0
6368 | plutonium.exe | C:\Users\admin\AppData\Local\Plutonium\bin\discord_game_sdk.dll | executable
  MD5: 955AF9BE4A97316D73AFAE1E7365E97E
  SHA256: D8E7D9FEB3DE8482B186AE44FD1C9ABB41FE2B3B3D2C7CD3A4D742EBBAD30CDF
6368 | plutonium.exe | C:\Users\admin\AppData\Local\Plutonium\games\t5mp.exe | executable
  MD5: 5F078CB9FDAE3B960D616B969AF72C48
  SHA256: 6A544494722AAF90AE241D687FCA0AEBD73F97F0D79412D0F8C311F6C369C3FB
6368 | plutonium.exe | C:\Users\admin\AppData\Local\Plutonium\bin\UltralightCore.dll | executable
  MD5: CD3768E013636A12E6CE7937A7F69365
  SHA256: 9ED2701BA7C3349ECBBCF276C280A09262B4DA72BE9FDCDDD81A8BAC9C9B3D69
6368 | plutonium.exe | C:\Users\admin\AppData\Local\Plutonium\games\t4mp.exe | executable
  MD5: 5FABA8AF039CCC3513D904AEEEA34FF7
  SHA256: 943BB93001AD2ED465B6652C27FB649B5F0C5B24097E18A27A588AC35B3457A0
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 24
TCP/UDP connections: 22
DNS requests: 6
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5448 | RUXIMICS.exe | GET | 200 | 23.204.115.171:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | unknown
2392 | svchost.exe | GET | 200 | 23.204.115.171:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | unknown
5448 | RUXIMICS.exe | GET | 200 | 23.215.41.150:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | unknown
2392 | svchost.exe | GET | 200 | 23.215.41.150:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | unknown
| | GET | 200 | 104.21.235.11:443 | https://cdn.plutonium.pw/updater/prod/info.json | unknown | binary | 27.5 Kb | unknown
| | POST | | 20.189.173.6:443 | https://self.events.data.microsoft.com/OneCollector/1.0/ | unknown | | | unknown
| | GET | 200 | 104.21.235.11:443 | https://cdn.plutonium.pw/updater/prod/files/2ebf3ce0b81c19b63a9dd1cdf0d66fee5439b2f4 | unknown | executable | 2.92 Mb | unknown
| | GET | 200 | 104.21.235.12:443 | https://cdn.plutonium.pw/updater/prod/files/405be77c308b4aeb678dd9235ceee201da8babb8 | unknown | executable | 578 Kb | unknown
| | GET | 200 | 104.21.235.12:443 | https://cdn.plutonium.pw/updater/prod/files/07a8fc31fb150a34084986498c560193ac0c8006 | unknown | executable | 5.29 Mb | unknown
| | GET | 200 | 104.21.235.12:443 | https://cdn.plutonium.pw/updater/prod.json | unknown | binary | 465 b | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | | | | whitelisted
2392 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5140 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5448 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2392 | svchost.exe | 23.204.115.171:80 | crl.microsoft.com | AKAMAI-AS | US | unknown
| | 239.255.255.250:1900 | | | | unknown
5448 | RUXIMICS.exe | 23.204.115.171:80 | crl.microsoft.com | AKAMAI-AS | US | unknown
5448 | RUXIMICS.exe | 23.215.41.150:80 | www.microsoft.com | AKAMAI-AS | US | unknown
2392 | svchost.exe | 23.215.41.150:80 | www.microsoft.com | AKAMAI-AS | US | unknown
6368 | plutonium.exe | 104.21.235.12:443 | cdn.plutonium.pw | CLOUDFLARENET | | unknown

DNS requests

Domain
IP
Reputation
crl.microsoft.com
  • 23.204.115.171
  • 23.204.115.179
whitelisted
www.microsoft.com
  • 23.215.41.150
whitelisted
cdn.plutonium.pw
  • 104.21.235.12
  • 104.21.235.11
unknown
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.124.78.146
whitelisted
self.events.data.microsoft.com
  • 20.42.65.88
whitelisted

Threats

PID | Process | Class | Message
2184 | svchost.exe | Potentially Bad Traffic | ET DNS Query to a *.pw domain - Likely Hostile
No debug info