de672a44b62f7f4862b94d14c74956cf91346312f8227d6a5aa1b0d509fa07c1

Analysis

max time kernel
145s
max time network
134s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
05/03/2025, 20:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PlutoReaper/PlutoReaperV2/PROGRAMS/PHISHING/facebook/login.html
Size

398KB
MD5

dae741701bcfb2cf53f8a7f84b469c17
SHA1

af15ff21fc5b63ae5d2a7aaf37cea44fde111006
SHA256

1db4924a7408e2f5b755185a81bc3f181141e6767144089d9ece8a226ef78658
SHA512

985e18511085e06a0288b6b2dea54a064361b75884c70c2422549baa1e8be557d463ef5d28c1a3c6ec88069e90fdb45371fb54e33f2ea76e449e4f34c177d383
SSDEEP

3072:0T7LB+wkce0gcYSLyCw9riAw1RTDMgrA8GfLcmLdC+BC:0t1kc1LyRWL11MgkYqBC

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4928	msedge.exe
4928	msedge.exe
2520	msedge.exe
2520	msedge.exe
2468	msedge.exe
2468	msedge.exe
5076	identity_helper.exe
5076	identity_helper.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 6012	2520	msedge.exe	80
PID 2520 wrote to memory of 6012	2520	msedge.exe	80
PID 2520 wrote to memory of 1524	2520	msedge.exe	81
PID 2520 wrote to memory of 1524	2520	msedge.exe	81
PID 2520 wrote to memory of 1524	2520	msedge.exe	81
PID 2520 wrote to memory of 1524	2520	msedge.exe	81
PID 2520 wrote to memory of 1524	2520	msedge.exe	81
PID 2520 wrote to memory of 1524	2520	msedge.exe	81
PID 2520 wrote to memory of 1524	2520	msedge.exe	81
PID 2520 wrote to memory of 1524	2520	msedge.exe	81
PID 2520 wrote to memory of 1524	2520	msedge.exe	81
PID 2520 wrote to memory of 1524	2520	msedge.exe	81
PID 2520 wrote to memory of 1524	2520	msedge.exe	81
PID 2520 wrote to memory of 1524	2520	msedge.exe	81
PID 2520 wrote to memory of 1524	2520	msedge.exe	81
PID 2520 wrote to memory of 1524	2520	msedge.exe	81
PID 2520 wrote to memory of 1524	2520	msedge.exe	81
PID 2520 wrote to memory of 1524	2520	msedge.exe	81
PID 2520 wrote to memory of 1524	2520	msedge.exe	81
PID 2520 wrote to memory of 1524	2520	msedge.exe	81
PID 2520 wrote to memory of 1524	2520	msedge.exe	81
PID 2520 wrote to memory of 1524	2520	msedge.exe	81
PID 2520 wrote to memory of 1524	2520	msedge.exe	81
PID 2520 wrote to memory of 1524	2520	msedge.exe	81
PID 2520 wrote to memory of 1524	2520	msedge.exe	81
PID 2520 wrote to memory of 1524	2520	msedge.exe	81
PID 2520 wrote to memory of 1524	2520	msedge.exe	81
PID 2520 wrote to memory of 1524	2520	msedge.exe	81
PID 2520 wrote to memory of 1524	2520	msedge.exe	81
PID 2520 wrote to memory of 1524	2520	msedge.exe	81
PID 2520 wrote to memory of 1524	2520	msedge.exe	81
PID 2520 wrote to memory of 1524	2520	msedge.exe	81
PID 2520 wrote to memory of 1524	2520	msedge.exe	81
PID 2520 wrote to memory of 1524	2520	msedge.exe	81
PID 2520 wrote to memory of 1524	2520	msedge.exe	81
PID 2520 wrote to memory of 1524	2520	msedge.exe	81
PID 2520 wrote to memory of 1524	2520	msedge.exe	81
PID 2520 wrote to memory of 1524	2520	msedge.exe	81
PID 2520 wrote to memory of 1524	2520	msedge.exe	81
PID 2520 wrote to memory of 1524	2520	msedge.exe	81
PID 2520 wrote to memory of 1524	2520	msedge.exe	81
PID 2520 wrote to memory of 1524	2520	msedge.exe	81
PID 2520 wrote to memory of 4928	2520	msedge.exe	82
PID 2520 wrote to memory of 4928	2520	msedge.exe	82
PID 2520 wrote to memory of 1116	2520	msedge.exe	83
PID 2520 wrote to memory of 1116	2520	msedge.exe	83
PID 2520 wrote to memory of 1116	2520	msedge.exe	83
PID 2520 wrote to memory of 1116	2520	msedge.exe	83
PID 2520 wrote to memory of 1116	2520	msedge.exe	83
PID 2520 wrote to memory of 1116	2520	msedge.exe	83
PID 2520 wrote to memory of 1116	2520	msedge.exe	83
PID 2520 wrote to memory of 1116	2520	msedge.exe	83
PID 2520 wrote to memory of 1116	2520	msedge.exe	83
PID 2520 wrote to memory of 1116	2520	msedge.exe	83
PID 2520 wrote to memory of 1116	2520	msedge.exe	83
PID 2520 wrote to memory of 1116	2520	msedge.exe	83
PID 2520 wrote to memory of 1116	2520	msedge.exe	83
PID 2520 wrote to memory of 1116	2520	msedge.exe	83
PID 2520 wrote to memory of 1116	2520	msedge.exe	83
PID 2520 wrote to memory of 1116	2520	msedge.exe	83
PID 2520 wrote to memory of 1116	2520	msedge.exe	83
PID 2520 wrote to memory of 1116	2520	msedge.exe	83
PID 2520 wrote to memory of 1116	2520	msedge.exe	83
PID 2520 wrote to memory of 1116	2520	msedge.exe	83

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\PlutoReaper\PlutoReaperV2\PROGRAMS\PHISHING\facebook\login.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffbcc1b3cb8,0x7ffbcc1b3cc8,0x7ffbcc1b3cd8
  2⤵
  PID:6012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1992,10106778350837106259,15813427843197326099,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2076 /prefetch:2
  2⤵
  PID:1524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1992,10106778350837106259,15813427843197326099,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1992,10106778350837106259,15813427843197326099,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:8
  2⤵
  PID:1116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,10106778350837106259,15813427843197326099,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:72
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,10106778350837106259,15813427843197326099,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3164 /prefetch:1
  2⤵
  PID:1376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1992,10106778350837106259,15813427843197326099,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4596 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2468
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1992,10106778350837106259,15813427843197326099,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5312 /prefetch:8
  2⤵
  PID:4056
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1992,10106778350837106259,15813427843197326099,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5312 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,10106778350837106259,15813427843197326099,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4608 /prefetch:1
  2⤵
  PID:5000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,10106778350837106259,15813427843197326099,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
  2⤵
  PID:5336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,10106778350837106259,15813427843197326099,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1
  2⤵
  PID:3624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,10106778350837106259,15813427843197326099,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1
  2⤵
  PID:4732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1992,10106778350837106259,15813427843197326099,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4768 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4864

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4420

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aceef780c08301cd5b23ae05d0987aca

SHA1
d7dacb2528c70e3340a836da7666fcffd6f2a17b

SHA256
257d92d753dd7de9a01fb0c77c63f8c3ed01ea6d7c14d8c5e1fb2db50e0077aa

SHA512
95943d8b8db3450627559344429cb82c09fa2a61b35721f400a26378bafdb1d3243d52c7eecd3c2c355373de7f48d0bf290987e7064d80b9fa689f17475ae729

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e826770e88318fe8f2db3f380cc22916

SHA1
d4ebc1b80456022971bcbe046fbc95b821592eca

SHA256
39b58b21a085a32ab8c05a900f7865051b785bc0cf2b499a1cc8e26adc34165a

SHA512
c8f2f24e216db852c957bea9d5d3961b15d7274b02e72534ae496bbae0149c682155a6a24a0b74bdbda62374050e71e897d8010aeefd4c13d1290327b30708b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
324B

MD5
cd4dc48b31da2546e47cb462de5c8169

SHA1
85a1b0db8a604f55dabeea9917f40ba9451bc206

SHA256
2bcd3b8fdabd475e8610f6e4295084cf3b53655117b338dfbd8f6ce1b6bf3e22

SHA512
c41d83bee70f6d575580348fe96d8d5d23830069b7c522c294892c5b0e74f6dd3385096eadcbb81d71dcdceeebc7c7bad59b9c6eacebba9ad73b59f78e8e3887

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f8dc54fbf2a55c8bf195ec8e5a8a108d

SHA1
a6b6e3c26bcab0bef31004d30cdc0a386f1c3b80

SHA256
cd233104e89843fbdc733760566bbf787bdfddc3213a2d63e6be83157f876a8e

SHA512
53de01259eef43d9f0e5a329b25dc5ccede7d4fd3644f285393f45e56ce0aab51b30b0079274d40a93f20a6972e9ff0693a545013195361e1cdb499aba3de033

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8a0d088a637dea725ad1ae512fc3f51c

SHA1
38ccd062053c24c508d572f1018b5f451d7d4bb2

SHA256
a0e3301603c20c563d77b33e48580f8325479a4220e35433106a92edcbcfdee5

SHA512
ee334971c39ab466e5b6d4d9b22eb5385ce03e6820c9467c158bd66ec084d0909ddf7feb7766a3030b5734a2e81af5e2e1495e25e71ae143aeb202a3a3c49627

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b539aba96c39d90be5bc58110a47b3f0

SHA1
56838e4a2eaea33700ab3899e02c9b228ddde4e7

SHA256
8e3b0cefb65d93aef4b637c4fc8394cec0e1de226f76bf96f1ed1ea721b9e13b

SHA512
ab76f9df163b009145d511c05ed8b659606322bdc5a86895f1514e3d978ad44f698f6da21fac2bdd2a8a4aa9e1829e2491537e6a91bae69f40406369b2ac386a

Download Submit