File name: 06a66efa39b3258602d8d6f6742452f2efb8befce6320b58e6ea5e8b9e30d86f

Full analysis: https://app.any.run/tasks/2950df29-b769-465d-ab03-fe4ab8a37c6b
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish partial to complete control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionality for conducting illicit activities on compromised systems. Some of the most common RAT features include access to the user's data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Analysis date: January 23, 2025, 19:33:26
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: rat, imminent
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
MD5: 4D70C4F7594371493E4372F4C5CC2C49
SHA1: 019F726FC46D6CE1A73CD87A46E2D565BF8271EB
SHA256: 06A66EFA39B3258602D8D6F6742452F2EFB8BEFCE6320B58E6EA5E8B9E30D86F
SSDEEP: 24576:wL7yAv240nwDRn87JAKQD7/yJ5fvke8mWwr6zxEi66K1NbctFzrL9o9UGseoRShE:g7yEenwDRn87ynD7/yJ5fvk/mWwr69E4

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Uses Task Scheduler to run other applications

      • 06a66efa39b3258602d8d6f6742452f2efb8befce6320b58e6ea5e8b9e30d86f.exe (PID: 4628)
      • refsutil.exe (PID: 6296)
      • refsutil.exe (PID: 6504)
      • refsutil.exe (PID: 6796)
    • Imminent RAT is detected

      • RegAsm.exe (PID: 6092)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 06a66efa39b3258602d8d6f6742452f2efb8befce6320b58e6ea5e8b9e30d86f.exe (PID: 4628)
      • refsutil.exe (PID: 6296)
      • refsutil.exe (PID: 6504)
      • refsutil.exe (PID: 6796)
    • Executable content was dropped or overwritten

      • 06a66efa39b3258602d8d6f6742452f2efb8befce6320b58e6ea5e8b9e30d86f.exe (PID: 4628)
    • The process executes via Task Scheduler

      • refsutil.exe (PID: 6504)
      • refsutil.exe (PID: 6296)
      • refsutil.exe (PID: 6796)
    • Executes as Windows Service

      • WmiApSrv.exe (PID: 5540)
    • There is functionality for taking screenshots (YARA)

      • RegAsm.exe (PID: 6092)
    • Connects to unusual port

      • RegAsm.exe (PID: 6092)
  • INFO

    • Reads mouse settings

      • 06a66efa39b3258602d8d6f6742452f2efb8befce6320b58e6ea5e8b9e30d86f.exe (PID: 4628)
      • refsutil.exe (PID: 6296)
      • refsutil.exe (PID: 6504)
      • refsutil.exe (PID: 6796)
    • Checks supported languages

      • RegAsm.exe (PID: 6092)
      • 06a66efa39b3258602d8d6f6742452f2efb8befce6320b58e6ea5e8b9e30d86f.exe (PID: 4628)
      • RegAsm.exe (PID: 6316)
      • refsutil.exe (PID: 6504)
      • refsutil.exe (PID: 6296)
      • refsutil.exe (PID: 6796)
      • RegAsm.exe (PID: 6820)
      • RegAsm.exe (PID: 6528)
    • The sample was compiled with English language support

      • 06a66efa39b3258602d8d6f6742452f2efb8befce6320b58e6ea5e8b9e30d86f.exe (PID: 4628)
    • Reads the computer name

      • 06a66efa39b3258602d8d6f6742452f2efb8befce6320b58e6ea5e8b9e30d86f.exe (PID: 4628)
      • RegAsm.exe (PID: 6092)
      • refsutil.exe (PID: 6296)
      • RegAsm.exe (PID: 6528)
      • refsutil.exe (PID: 6796)
      • refsutil.exe (PID: 6504)
      • RegAsm.exe (PID: 6820)
    • The process uses the downloaded file

      • 06a66efa39b3258602d8d6f6742452f2efb8befce6320b58e6ea5e8b9e30d86f.exe (PID: 4628)
      • RegAsm.exe (PID: 6092)
      • refsutil.exe (PID: 6296)
      • refsutil.exe (PID: 6796)
      • refsutil.exe (PID: 6504)
    • Reads the machine GUID from the registry

      • 06a66efa39b3258602d8d6f6742452f2efb8befce6320b58e6ea5e8b9e30d86f.exe (PID: 4628)
      • RegAsm.exe (PID: 6092)
      • RegAsm.exe (PID: 6316)
      • refsutil.exe (PID: 6504)
      • refsutil.exe (PID: 6796)
      • RegAsm.exe (PID: 6528)
      • RegAsm.exe (PID: 6820)
    • Process checks computer location settings

      • 06a66efa39b3258602d8d6f6742452f2efb8befce6320b58e6ea5e8b9e30d86f.exe (PID: 4628)
      • refsutil.exe (PID: 6296)
      • refsutil.exe (PID: 6504)
      • refsutil.exe (PID: 6796)
    • Creates files or folders in the user directory

      • RegAsm.exe (PID: 6092)
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (64.2)
.dll | Win32 Dynamic Link Library (generic) (15.6)
.exe | Win32 Executable (generic) (10.6)
.exe | Generic Win/DOS Executable (4.7)
.exe | DOS Executable Generic (4.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:03:09 21:49:25+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 12
CodeSize: 802816
InitializedDataSize: 20480
UninitializedDataSize: 778240
EntryPoint: 0x182860
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileDescription: NetHost
OriginalFileName: autoconv.exe
CompanyName: AppVClientPS
FileVersion: 801.532.303.334
LegalCopyright: wpr
ProductName: SpeechRuntime
ProductVersion: 79.264.31.984
Total processes: 138
Monitored processes: 17
Malicious processes: 2
Suspicious processes: 3

Behavior graph

Process nodes in launch order ("no specs" marks a node with no signatures attached): start, 06a66efa39b3258602d8d6f6742452f2efb8befce6320b58e6ea5e8b9e30d86f.exe (#IMMINENT), regasm.exe, schtasks.exe (no specs), conhost.exe (no specs), wmiapsrv.exe (no specs), refsutil.exe (no specs), regasm.exe (no specs), schtasks.exe (no specs), conhost.exe (no specs), refsutil.exe (no specs), regasm.exe (no specs), schtasks.exe (no specs), conhost.exe (no specs), refsutil.exe (no specs), regasm.exe (no specs), schtasks.exe (no specs), conhost.exe (no specs)

Process information

Columns: PID, CMD, Path, Indicators, Parent process
PID: 1412
CMD: "C:\Windows\SysWOW64\schtasks.exe" /create /tn NgcIso /tr "C:\Users\admin\advpack\refsutil.exe" /sc minute /mo 1 /F
Path: C:\Windows\SysWOW64\schtasks.exe
Parent process: 06a66efa39b3258602d8d6f6742452f2efb8befce6320b58e6ea5e8b9e30d86f.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Task Scheduler Configuration Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 2456
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: schtasks.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4628
CMD: "C:\Users\admin\Desktop\06a66efa39b3258602d8d6f6742452f2efb8befce6320b58e6ea5e8b9e30d86f.exe"
Path: C:\Users\admin\Desktop\06a66efa39b3258602d8d6f6742452f2efb8befce6320b58e6ea5e8b9e30d86f.exe
Parent process: explorer.exe
User: admin
Company: AppVClientPS
Integrity Level: MEDIUM
Description: NetHost
Exit code: 0
Version: 801.532.303.334
Modules (images):
c:\users\admin\desktop\06a66efa39b3258602d8d6f6742452f2efb8befce6320b58e6ea5e8b9e30d86f.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 5540
CMD: C:\WINDOWS\system32\wbem\WmiApSrv.exe
Path: C:\Windows\System32\wbem\WmiApSrv.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: WMI Performance Reverse Adapter
Exit code: 0
Version: 10.0.19041.3758 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\psapi.dll
PID: 6092
CMD: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Parent process: 06a66efa39b3258602d8d6f6742452f2efb8befce6320b58e6ea5e8b9e30d86f.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft .NET Assembly Registration Utility
Version: 2.0.50727.9149 (WinRelRS6.050727-9100)
Modules (images):
c:\windows\microsoft.net\framework\v2.0.50727\regasm.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 6296
CMD: "C:\Users\admin\advpack\refsutil.exe"
Path: C:\Users\admin\advpack\refsutil.exe
Parent process: svchost.exe
User: admin
Company: AppVClientPS
Integrity Level: MEDIUM
Description: NetHost
Exit code: 0
Version: 801.532.303.334
Modules (images):
c:\users\admin\advpack\refsutil.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 6316
CMD: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Parent process: refsutil.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft .NET Assembly Registration Utility
Exit code: 0
Version: 2.0.50727.9149 (WinRelRS6.050727-9100)
Modules (images):
c:\windows\microsoft.net\framework\v2.0.50727\regasm.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 6368
CMD: "C:\Windows\SysWOW64\schtasks.exe" /create /tn NgcIso /tr "C:\Users\admin\advpack\refsutil.exe" /sc minute /mo 1 /F
Path: C:\Windows\SysWOW64\schtasks.exe
Parent process: refsutil.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Task Scheduler Configuration Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
PID: 6376
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: schtasks.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6504
CMD: "C:\Users\admin\advpack\refsutil.exe"
Path: C:\Users\admin\advpack\refsutil.exe
Parent process: svchost.exe
User: admin
Company: AppVClientPS
Integrity Level: MEDIUM
Description: NetHost
Exit code: 0
Version: 801.532.303.334
Modules (images):
c:\users\admin\advpack\refsutil.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
Total events: 5 663
Read events: 5 662
Write events: 1
Delete events: 0

Modification events

PID: 5540 (WmiApSrv.exe)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\PROVIDERS\Performance
Operation: write
Name: Performance Refreshed
Value: 0
Executable files: 1
Suspicious files: 2
Text files: 1
Unknown types: 0

Dropped files

PID | Process | Filename | Type
4628 | 06a66efa39b3258602d8d6f6742452f2efb8befce6320b58e6ea5e8b9e30d86f.exe | C:\Users\admin\advpack\refsutil.exe | executable
MD5: 6E8F215C7416EC14EE823BE6EAAAFF82
SHA256: B5633BF6925FC7CE83633CBAC46E7BC53C39CE0417E176AFCC190071826CD3D6
6092 | RegAsm.exe | C:\Users\admin\AppData\Roaming\Imminent\Monitoring\network.dat | binary
MD5: 3E3182ADD0FB1A6BB9B0AC3F96E3F2C4
SHA256: 22DC6FFF6F2FF58D30FB76C7CAAC92A7B0B90FA0B1BD4807A4542BA99CB63447
6092 | RegAsm.exe | C:\Users\admin\AppData\Roaming\Imminent\Monitoring\system.dat | binary
MD5: B2665BC5EEFECB494B179072143F960A
SHA256: DAC6749C89AD597BFA95BADAB85B1E8EECB450FDD339908051A1AE153409B96A
6092 | RegAsm.exe | C:\Users\admin\AppData\Roaming\Imminent\Logs\23-01-2025 | text
MD5: 33BE604F8044D5984E8E3E3B694D710A
SHA256: 3F785F1CC535B0987139623200C7910B2B28F92DFE3309E8E071C091D0CE7313
HTTP(S) requests: 4
TCP/UDP connections: 27
DNS requests: 6
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | Type | Reputation
(the CN and Size columns of the original table are not present in the export)
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.141:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.141:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
5848 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
5848 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5848 | svchost.exe | 40.127.240.158:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
5848 | svchost.exe | 40.127.240.158:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
5848 | svchost.exe | 104.126.37.146:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 40.127.240.158:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 23.48.23.141:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5848 | svchost.exe | 23.48.23.141:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5848 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
6092 | RegAsm.exe | 107.173.207.168:389 | - | AS-COLOCROSSING | US | unknown

DNS requests

Domain | IP | Reputation
www.bing.com | 104.126.37.146, 104.126.37.130, 104.126.37.137, 104.126.37.185, 104.126.37.162, 104.126.37.160, 104.126.37.123, 104.126.37.171, 104.126.37.178 | whitelisted
google.com | 216.58.206.78 | whitelisted
crl.microsoft.com | 23.48.23.141, 23.48.23.167, 23.48.23.194, 23.48.23.180, 23.48.23.193, 23.48.23.169, 23.48.23.177, 23.48.23.143, 23.48.23.176 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted
settings-win.data.microsoft.com | 51.104.136.2 | whitelisted
self.events.data.microsoft.com | 40.79.189.58 | whitelisted

Threats

No threats detected
No debug info