de672a44b62f7f4862b94d14c74956cf91346312f8227d6a5aa1b0d509fa07c1

Analysis

max time kernel
145s
max time network
136s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
05/03/2025, 20:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PlutoReaper/PlutoReaperV2/PROGRAMS/PHISHING/messenger/login.html
Size

634KB
MD5

d03f449ddafd99f4096392f0e13269bb
SHA1

dc80afc9b309f6aa4f6520eecc9696e5fee68b9e
SHA256

5709c7aa3267c15e198d9bc8d3512d9eced777f5896a1e01d9748fe43d026163
SHA512

6e5eae35e892994c666308c2609bec8945ae1f00b2df1fa75a2f78a1aad13ca9cae25f4bc1e5ed50da1a6f05b68d80fdf03aa536fc5ed3e9a8f16265af2ee6d2
SSDEEP

6144:dGwlGOHlhelwA/HRo/lfEsZBdMlyJxZSdxRQhVJ:dGwzrelwA/KRVBd7Z

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4484	msedge.exe
4484	msedge.exe
784	msedge.exe
784	msedge.exe
3636	msedge.exe
3636	msedge.exe
4384	identity_helper.exe
4384	identity_helper.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
784	msedge.exe
784	msedge.exe
784	msedge.exe
784	msedge.exe
784	msedge.exe
784	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
784	msedge.exe
784	msedge.exe
784	msedge.exe
784	msedge.exe
784	msedge.exe
784	msedge.exe
784	msedge.exe
784	msedge.exe
784	msedge.exe
784	msedge.exe
784	msedge.exe
784	msedge.exe
784	msedge.exe
784	msedge.exe
784	msedge.exe
784	msedge.exe
784	msedge.exe
784	msedge.exe
784	msedge.exe
784	msedge.exe
784	msedge.exe
784	msedge.exe
784	msedge.exe
784	msedge.exe
784	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
784	msedge.exe
784	msedge.exe
784	msedge.exe
784	msedge.exe
784	msedge.exe
784	msedge.exe
784	msedge.exe
784	msedge.exe
784	msedge.exe
784	msedge.exe
784	msedge.exe
784	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 784 wrote to memory of 3712	784	msedge.exe	80
PID 784 wrote to memory of 3712	784	msedge.exe	80
PID 784 wrote to memory of 1652	784	msedge.exe	81
PID 784 wrote to memory of 1652	784	msedge.exe	81
PID 784 wrote to memory of 1652	784	msedge.exe	81
PID 784 wrote to memory of 1652	784	msedge.exe	81
PID 784 wrote to memory of 1652	784	msedge.exe	81
PID 784 wrote to memory of 1652	784	msedge.exe	81
PID 784 wrote to memory of 1652	784	msedge.exe	81
PID 784 wrote to memory of 1652	784	msedge.exe	81
PID 784 wrote to memory of 1652	784	msedge.exe	81
PID 784 wrote to memory of 1652	784	msedge.exe	81
PID 784 wrote to memory of 1652	784	msedge.exe	81
PID 784 wrote to memory of 1652	784	msedge.exe	81
PID 784 wrote to memory of 1652	784	msedge.exe	81
PID 784 wrote to memory of 1652	784	msedge.exe	81
PID 784 wrote to memory of 1652	784	msedge.exe	81
PID 784 wrote to memory of 1652	784	msedge.exe	81
PID 784 wrote to memory of 1652	784	msedge.exe	81
PID 784 wrote to memory of 1652	784	msedge.exe	81
PID 784 wrote to memory of 1652	784	msedge.exe	81
PID 784 wrote to memory of 1652	784	msedge.exe	81
PID 784 wrote to memory of 1652	784	msedge.exe	81
PID 784 wrote to memory of 1652	784	msedge.exe	81
PID 784 wrote to memory of 1652	784	msedge.exe	81
PID 784 wrote to memory of 1652	784	msedge.exe	81
PID 784 wrote to memory of 1652	784	msedge.exe	81
PID 784 wrote to memory of 1652	784	msedge.exe	81
PID 784 wrote to memory of 1652	784	msedge.exe	81
PID 784 wrote to memory of 1652	784	msedge.exe	81
PID 784 wrote to memory of 1652	784	msedge.exe	81
PID 784 wrote to memory of 1652	784	msedge.exe	81
PID 784 wrote to memory of 1652	784	msedge.exe	81
PID 784 wrote to memory of 1652	784	msedge.exe	81
PID 784 wrote to memory of 1652	784	msedge.exe	81
PID 784 wrote to memory of 1652	784	msedge.exe	81
PID 784 wrote to memory of 1652	784	msedge.exe	81
PID 784 wrote to memory of 1652	784	msedge.exe	81
PID 784 wrote to memory of 1652	784	msedge.exe	81
PID 784 wrote to memory of 1652	784	msedge.exe	81
PID 784 wrote to memory of 1652	784	msedge.exe	81
PID 784 wrote to memory of 1652	784	msedge.exe	81
PID 784 wrote to memory of 4484	784	msedge.exe	82
PID 784 wrote to memory of 4484	784	msedge.exe	82
PID 784 wrote to memory of 3076	784	msedge.exe	83
PID 784 wrote to memory of 3076	784	msedge.exe	83
PID 784 wrote to memory of 3076	784	msedge.exe	83
PID 784 wrote to memory of 3076	784	msedge.exe	83
PID 784 wrote to memory of 3076	784	msedge.exe	83
PID 784 wrote to memory of 3076	784	msedge.exe	83
PID 784 wrote to memory of 3076	784	msedge.exe	83
PID 784 wrote to memory of 3076	784	msedge.exe	83
PID 784 wrote to memory of 3076	784	msedge.exe	83
PID 784 wrote to memory of 3076	784	msedge.exe	83
PID 784 wrote to memory of 3076	784	msedge.exe	83
PID 784 wrote to memory of 3076	784	msedge.exe	83
PID 784 wrote to memory of 3076	784	msedge.exe	83
PID 784 wrote to memory of 3076	784	msedge.exe	83
PID 784 wrote to memory of 3076	784	msedge.exe	83
PID 784 wrote to memory of 3076	784	msedge.exe	83
PID 784 wrote to memory of 3076	784	msedge.exe	83
PID 784 wrote to memory of 3076	784	msedge.exe	83
PID 784 wrote to memory of 3076	784	msedge.exe	83
PID 784 wrote to memory of 3076	784	msedge.exe	83

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\PlutoReaper\PlutoReaperV2\PROGRAMS\PHISHING\messenger\login.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffff42c3cb8,0x7ffff42c3cc8,0x7ffff42c3cd8
  2⤵
  PID:3712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1860,10272370192151957360,344364421178293238,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1892 /prefetch:2
  2⤵
  PID:1652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1860,10272370192151957360,344364421178293238,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1860,10272370192151957360,344364421178293238,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8
  2⤵
  PID:3076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,10272370192151957360,344364421178293238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:4260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,10272370192151957360,344364421178293238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:3288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,10272370192151957360,344364421178293238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4600 /prefetch:1
  2⤵
  PID:992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,10272370192151957360,344364421178293238,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4660 /prefetch:1
  2⤵
  PID:2448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1860,10272370192151957360,344364421178293238,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2956 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,10272370192151957360,344364421178293238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:2860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,10272370192151957360,344364421178293238,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:3628
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1860,10272370192151957360,344364421178293238,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5920 /prefetch:8
  2⤵
  PID:3484
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1860,10272370192151957360,344364421178293238,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5920 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1860,10272370192151957360,344364421178293238,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4824 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4872

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:568

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aceef780c08301cd5b23ae05d0987aca

SHA1
d7dacb2528c70e3340a836da7666fcffd6f2a17b

SHA256
257d92d753dd7de9a01fb0c77c63f8c3ed01ea6d7c14d8c5e1fb2db50e0077aa

SHA512
95943d8b8db3450627559344429cb82c09fa2a61b35721f400a26378bafdb1d3243d52c7eecd3c2c355373de7f48d0bf290987e7064d80b9fa689f17475ae729

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e826770e88318fe8f2db3f380cc22916

SHA1
d4ebc1b80456022971bcbe046fbc95b821592eca

SHA256
39b58b21a085a32ab8c05a900f7865051b785bc0cf2b499a1cc8e26adc34165a

SHA512
c8f2f24e216db852c957bea9d5d3961b15d7274b02e72534ae496bbae0149c682155a6a24a0b74bdbda62374050e71e897d8010aeefd4c13d1290327b30708b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
353B

MD5
312f86c683fc3a9ae5959db24c9bc6db

SHA1
464160c75bf3f43312f093a8e1774e4d3132805d

SHA256
7a523d024124d5faba7e6278c7315c6210288fdfa7b9f24242373374f949b52b

SHA512
219147adf2df0bab30c308a84c6310610c6e54683f5b7775b81ee4a2f85d277e7160ac61ae7c663e89abf7d85fc9264219d9576e1f3c0d3263c14dad5e72e3b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6849f6ece820f428a816b51f4f76c7f4

SHA1
e9e2434811cb60fb8cd3159068864f6b01bf8346

SHA256
18261086b98cfc0fa7627754610875cfe7dc96343b353e4e4d241fbe7ebefe4f

SHA512
c8d2d80f241798f45cc4865e6246a6fff6385f85137387b0a9fe4cb995edd987a5184e483d36838d64b7ce828f9b8c50480d0009ecc2e5681d65c82b9ef27058

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
838bfa768d52cd3d063acf4452a07db3

SHA1
1aa0e3cac0452ffd709c33bc890f0e169f040813

SHA256
21f3654964ade2c11f08a8b1d4ba08f800b88ed8312655203e4f3a20d4734e38

SHA512
3288051afbb6023e904a0098b52da1a27d62480ba62bf62cf250e687bf95ed6753fe62f769b910fd181037d428875a9d99836a33dd3a8a1e472deded5d5ddcfc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
025975c0159df8ab5366abf5e79979ec

SHA1
5eade67a0ca59071aeed58222e99b1929bc116ce

SHA256
aac5da87b24fadbab4fee18168e32360e6e8f2538938323e6f545c845b919b71

SHA512
0d770d3124ae623462accabadc64e14e6c963cf93a9239eb09b49814c9c3112cea4c664ec6192ff814c31932e3d8dd417e76d76eae9d8c0ab28e5dfdd49973eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
46cfa6257bd942d38789423fc599b9e5

SHA1
fc9363d91dd2a4ed8bc3817843d491b926908991

SHA256
8714a5429aee5c6693a67d1493b0bc207dedf50489762b5e56759acffcad6367

SHA512
868f3d68da7af12e985fc1d2d0fb018d3668f52c05cce61a63aaa9f5674a0c7bb33f67894e8214e137098ce654f4a44ec4dac742ec41cdefcd21945443e814d9

Download Submit