de672a44b62f7f4862b94d14c74956cf91346312f8227d6a5aa1b0d509fa07c1

Analysis

max time kernel
146s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
05/03/2025, 20:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PlutoReaper/PlutoReaperV2/PROGRAMS/PHISHING/microsoft/index_files/prefetch.html
Size

3KB
MD5

d582503354aeb7527da0e2c23cf6a87b
SHA1

218f73a8a88c7719a493bc8bcd97d2260f4b7612
SHA256

0f2176dcd91136cd67d92842d2d3db73bf8380e4eaeaae74c5709f18983297be
SHA512

144926531d77e298b2a75bfd914430f98ef18293fc2847fb26ba9f1111bf6c8b7680ed16febe088dcb64bae0fdf148e273920aa70a2bc21b140580f2411db5bd

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1540	msedge.exe
1540	msedge.exe
1536	msedge.exe
1536	msedge.exe
4052	msedge.exe
4052	msedge.exe
2756	identity_helper.exe
2756	identity_helper.exe
2468	msedge.exe
2468	msedge.exe
2468	msedge.exe
2468	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1536 wrote to memory of 6064	1536	msedge.exe	82
PID 1536 wrote to memory of 6064	1536	msedge.exe	82
PID 1536 wrote to memory of 1612	1536	msedge.exe	83
PID 1536 wrote to memory of 1612	1536	msedge.exe	83
PID 1536 wrote to memory of 1612	1536	msedge.exe	83
PID 1536 wrote to memory of 1612	1536	msedge.exe	83
PID 1536 wrote to memory of 1612	1536	msedge.exe	83
PID 1536 wrote to memory of 1612	1536	msedge.exe	83
PID 1536 wrote to memory of 1612	1536	msedge.exe	83
PID 1536 wrote to memory of 1612	1536	msedge.exe	83
PID 1536 wrote to memory of 1612	1536	msedge.exe	83
PID 1536 wrote to memory of 1612	1536	msedge.exe	83
PID 1536 wrote to memory of 1612	1536	msedge.exe	83
PID 1536 wrote to memory of 1612	1536	msedge.exe	83
PID 1536 wrote to memory of 1612	1536	msedge.exe	83
PID 1536 wrote to memory of 1612	1536	msedge.exe	83
PID 1536 wrote to memory of 1612	1536	msedge.exe	83
PID 1536 wrote to memory of 1612	1536	msedge.exe	83
PID 1536 wrote to memory of 1612	1536	msedge.exe	83
PID 1536 wrote to memory of 1612	1536	msedge.exe	83
PID 1536 wrote to memory of 1612	1536	msedge.exe	83
PID 1536 wrote to memory of 1612	1536	msedge.exe	83
PID 1536 wrote to memory of 1612	1536	msedge.exe	83
PID 1536 wrote to memory of 1612	1536	msedge.exe	83
PID 1536 wrote to memory of 1612	1536	msedge.exe	83
PID 1536 wrote to memory of 1612	1536	msedge.exe	83
PID 1536 wrote to memory of 1612	1536	msedge.exe	83
PID 1536 wrote to memory of 1612	1536	msedge.exe	83
PID 1536 wrote to memory of 1612	1536	msedge.exe	83
PID 1536 wrote to memory of 1612	1536	msedge.exe	83
PID 1536 wrote to memory of 1612	1536	msedge.exe	83
PID 1536 wrote to memory of 1612	1536	msedge.exe	83
PID 1536 wrote to memory of 1612	1536	msedge.exe	83
PID 1536 wrote to memory of 1612	1536	msedge.exe	83
PID 1536 wrote to memory of 1612	1536	msedge.exe	83
PID 1536 wrote to memory of 1612	1536	msedge.exe	83
PID 1536 wrote to memory of 1612	1536	msedge.exe	83
PID 1536 wrote to memory of 1612	1536	msedge.exe	83
PID 1536 wrote to memory of 1612	1536	msedge.exe	83
PID 1536 wrote to memory of 1612	1536	msedge.exe	83
PID 1536 wrote to memory of 1612	1536	msedge.exe	83
PID 1536 wrote to memory of 1612	1536	msedge.exe	83
PID 1536 wrote to memory of 1540	1536	msedge.exe	84
PID 1536 wrote to memory of 1540	1536	msedge.exe	84
PID 1536 wrote to memory of 4848	1536	msedge.exe	85
PID 1536 wrote to memory of 4848	1536	msedge.exe	85
PID 1536 wrote to memory of 4848	1536	msedge.exe	85
PID 1536 wrote to memory of 4848	1536	msedge.exe	85
PID 1536 wrote to memory of 4848	1536	msedge.exe	85
PID 1536 wrote to memory of 4848	1536	msedge.exe	85
PID 1536 wrote to memory of 4848	1536	msedge.exe	85
PID 1536 wrote to memory of 4848	1536	msedge.exe	85
PID 1536 wrote to memory of 4848	1536	msedge.exe	85
PID 1536 wrote to memory of 4848	1536	msedge.exe	85
PID 1536 wrote to memory of 4848	1536	msedge.exe	85
PID 1536 wrote to memory of 4848	1536	msedge.exe	85
PID 1536 wrote to memory of 4848	1536	msedge.exe	85
PID 1536 wrote to memory of 4848	1536	msedge.exe	85
PID 1536 wrote to memory of 4848	1536	msedge.exe	85
PID 1536 wrote to memory of 4848	1536	msedge.exe	85
PID 1536 wrote to memory of 4848	1536	msedge.exe	85
PID 1536 wrote to memory of 4848	1536	msedge.exe	85
PID 1536 wrote to memory of 4848	1536	msedge.exe	85
PID 1536 wrote to memory of 4848	1536	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\PlutoReaper\PlutoReaperV2\PROGRAMS\PHISHING\microsoft\index_files\prefetch.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff914b83cb8,0x7ff914b83cc8,0x7ff914b83cd8
  2⤵
  PID:6064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,15515723346192108883,4418805647090031319,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1816 /prefetch:2
  2⤵
  PID:1612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,15515723346192108883,4418805647090031319,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1904,15515723346192108883,4418805647090031319,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8
  2⤵
  PID:4848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15515723346192108883,4418805647090031319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3144 /prefetch:1
  2⤵
  PID:5560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15515723346192108883,4418805647090031319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:5992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15515723346192108883,4418805647090031319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:1
  2⤵
  PID:3204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15515723346192108883,4418805647090031319,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1
  2⤵
  PID:1360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15515723346192108883,4418805647090031319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
  2⤵
  PID:3252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15515723346192108883,4418805647090031319,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4556 /prefetch:1
  2⤵
  PID:2192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1904,15515723346192108883,4418805647090031319,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5660 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4052
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1904,15515723346192108883,4418805647090031319,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5956 /prefetch:8
  2⤵
  PID:1152
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1904,15515723346192108883,4418805647090031319,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5956 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,15515723346192108883,4418805647090031319,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5368 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2468

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2248

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
825fb95a70bf7b56cfcda1f118800f98

SHA1
15f1e212c1fb567c70ff4f716a4bba81f2857e0a

SHA256
2280c42f8ca4302a1d37d63532e3e981e33b596e3b2e930ce40b390dc0f09104

SHA512
987189b84f58e5d64b662f80f47ae797bcf46aeba86584cc17afabd2f25885a4cf48d80400154ba22eeee1131b84f882cd1998d1686ee12013218f52049bc6d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e45a14e89fdf82756edc65c97e606e63

SHA1
42ce594393a4ce3b4e1c79dbe424841bd3f434c8

SHA256
49af9d716c69fb93ebee18e708f4ceaab99abf505abcbad1bd46c60ace03da9f

SHA512
6af0cabb253026d7613065e7274f8be114fc2cbd0134e8d518a417bf4b2b94ffc8b9c05be4e47685ac6d7246e28c11a86852ee4b6e934bf6c6d56b6c97428425

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
188B

MD5
c66c2764a01a01f27d70f83c102bbe18

SHA1
52a72b53a72b69b28d7c02ac81b81920b9dee5f9

SHA256
d3e0d3be5bfff1f93133c8085b20a39d50408d4f1beedd1d0428a3906e14f5e4

SHA512
a5b25a531dacf68600ad13c71d3211f3647ca57b1033b65463726b7b808b3c5cdfe9320162bcc81d4bd682a94c5320afd56806d51b87a34aaf06523c4c685cef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b91702a8def163e693744471514102f5

SHA1
ffabb1be70ca611992a22a6aa51dc7f916c05561

SHA256
889f0860a01c7191f1de99e6848040b70d5c2fbef627836a8a946084ecb55294

SHA512
f26be2d8571b1bcf03d814da1ade9c4f6242a1854b0d7d9c54aba94f3a66bdc50483fa7eaee785631a8db94ed05be2e9ed882da4c44a94bf15858a93ec4e0b1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6f6eabf1d0f31bb14251dad68cec2d7a

SHA1
e8d7d1fb27f7d6861209c9df3180e8420a5862fd

SHA256
2ea69ee00beaedbdd622ee2ac317638e72d237e7d67018689424feaeb657d17a

SHA512
50570549bf8f909051bc2bb8b11f04ec00bf7cc55f2f3c8208c3f282a344c4d061f6de87aad6ffbbb97244f6f84ae714c1360549721ab914ded8764ff12ad58b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
850c653eefb467de839816c89d13b881

SHA1
3374d4e6fdab8855611c94a0c9fb14af4d9d2d37

SHA256
8c15f4f40c8128ebbc3eecb5b24e386cb124bb2f7e39869e6b9490cbf67750ac

SHA512
153be9a5378551498789210b5a854ffee8f2ad08b03ebb1472e74766f5c60a83c765fe4c5c9e16bca1fee16a5bd549d3c34f7dea4664cb3088c5a1796e6169ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a5ab0fe826f55581c531db7198776ca9

SHA1
35e58b14e909b7de0dd3f547b707e334b8f528b3

SHA256
96c35ad687172ecb76354d12b95b768ddeb7dfa83253d2563fda26cca7d7171f

SHA512
0466f864c624d8b13bec2f79b8fc89e5ef2a88bc4e9bf4f422f1638414b5e7a6b89fdef0e4c13989f4de47fb7a88884992f591c7fd78e52c362130f35715e90d

Download Submit