Malware analysis Imminent Monitor v3.9.zip Malicious activity

Add for printing

File name:	Imminent Monitor v3.9.zip
Full analysis:	https://app.any.run/tasks/d4afc61b-983c-446f-994e-01d8b401a7c0
Verdict:	Malicious activity
Threats:	Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Malware Trends Tracker >>>
Analysis date:	February 01, 2025, 22:48:21
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	arch-doc confuser rat imminent
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:	DFB2138BA9567F89ECC7EC2483E1DF0C
SHA1:	E848759964BBDE4E73028992CDC89527E1C318CE
SHA256:	6C7B6FAF5A493F036E6B69A0F4C9C7F1B86C068A56CE4D8D9A92C8EBDE0EAE99
SSDEEP:	98304:bkpqjhDeTRvEuXA1/pri9b4UhWl9WSykAPb4MN7O931gyLUyZgp/bPoP4ED:bPjhDeTR01/YF4Takw4MNPsZYDOD

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Starts Visual C# compiler
  - Imminent Monitor 3.9.exe (PID: 7028)
- Imminent RAT is detected
  - Imminent-Server.exe (PID: 5392)
SUSPICIOUS
- Generic archive extractor
  - WinRAR.exe (PID: 748)
- Uses .NET C# to load dll
  - Imminent Monitor 3.9.exe (PID: 7028)
- Executable content was dropped or overwritten
  - csc.exe (PID: 7092)
  - IMBuilder.exe (PID: 2456)
  - csc.exe (PID: 640)
- Reads security settings of Internet Explorer
  - Imminent Monitor 3.9.exe (PID: 7028)
- Reads Internet Explorer settings
  - Imminent Monitor 3.9.exe (PID: 7028)
- Connects to unusual port
  - Imminent Monitor 3.9.exe (PID: 7028)
- Write to the desktop.ini file (may be used to cloak folders)
  - Imminent-Server.exe (PID: 5392)
INFO
- Manual execution by a user
  - Imminent Monitor 3.9.exe (PID: 7028)
  - IMBuilder.exe (PID: 6664)
  - IMBuilder.exe (PID: 2456)
  - Imminent-Server.exe (PID: 5392)
  - IMBuilder.exe (PID: 4804)
- Reads the machine GUID from the registry
  - Imminent Monitor 3.9.exe (PID: 7028)
  - csc.exe (PID: 7092)
  - cvtres.exe (PID: 7152)
  - csc.exe (PID: 640)
  - cvtres.exe (PID: 4556)
  - IMBuilder.exe (PID: 6664)
  - IMBuilder.exe (PID: 2456)
  - Imminent-Server.exe (PID: 5392)
  - IMBuilder.exe (PID: 4804)
- Checks supported languages
  - csc.exe (PID: 7092)
  - Imminent Monitor 3.9.exe (PID: 7028)
  - cvtres.exe (PID: 7152)
  - csc.exe (PID: 640)
  - cvtres.exe (PID: 4556)
  - IMBuilder.exe (PID: 6664)
  - IMBuilder.exe (PID: 2456)
  - IMBuilder.exe (PID: 4804)
  - Imminent-Server.exe (PID: 5392)
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 748)
- Create files in a temporary directory
  - Imminent Monitor 3.9.exe (PID: 7028)
  - csc.exe (PID: 7092)
  - cvtres.exe (PID: 7152)
  - csc.exe (PID: 640)
  - cvtres.exe (PID: 4556)
- Reads the computer name
  - Imminent Monitor 3.9.exe (PID: 7028)
  - IMBuilder.exe (PID: 6664)
  - IMBuilder.exe (PID: 2456)
  - IMBuilder.exe (PID: 4804)
  - Imminent-Server.exe (PID: 5392)
- Confuser has been detected (YARA)
  - Imminent Monitor 3.9.exe (PID: 7028)
  - IMBuilder.exe (PID: 6664)
- Reads security settings of Internet Explorer
  - explorer.exe (PID: 6528)
- Process checks computer location settings
  - Imminent Monitor 3.9.exe (PID: 7028)
- Disables trace logs
  - Imminent-Server.exe (PID: 5392)
- Creates files or folders in the user directory
  - Imminent-Server.exe (PID: 5392)
- Checks proxy server information
  - Imminent-Server.exe (PID: 5392)
- Reads the software policy settings
  - Imminent-Server.exe (PID: 5392)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.xpi	\|	Mozilla Firefox browser extension (66.6)
.zip	\|	ZIP compressed archive (33.3)

EXIF

ZIP

ZipRequiredVersion:	20
ZipBitFlag:	-
ZipCompression:	Deflated
ZipModifyDate:	2017:07:25 23:26:48
ZipCRC:	0x4874fc6c
ZipCompressedSize:	62
ZipUncompressedSize:	84
ZipFileName:	Imminent Monitor v3.9/8C1A0000.log

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

145

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

640

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\_wlefsi4.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

Imminent Monitor 3.9.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Visual C# Command Line Compiler

Exit code:

Version:

8.0.50727.9149 (WinRelRS6.050727-9100)

Modules

Images
c:\windows\microsoft.net\framework\v2.0.50727\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ole32.dll

748

"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Imminent Monitor v3.9.zip"

C:\Program Files\WinRAR\WinRAR.exe

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Version:

5.91.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

1580

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

csc.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2456

"C:\Users\admin\Desktop\Imminent Monitor v3.9\Builder (Imminent Monitor 4.1.0.0)\IMBuilder.exe"

C:\Users\admin\Desktop\Imminent Monitor v3.9\Builder (Imminent Monitor 4.1.0.0)\IMBuilder.exe

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Description:

IMBuilder

Exit code:

Version:

1.0.0.0

Modules

Images
c:\users\admin\desktop\imminent monitor v3.9\builder (imminent monitor 4.1.0.0)\imbuilder.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll

3832

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

Imminent-Server.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

4556

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES3018.tmp" "c:\Users\admin\AppData\Local\Temp\CSC3017.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

—

csc.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft® Resource File To COFF Object Conversion Utility

Exit code:

Version:

8.00.50727.9672 (WinRelRS6.050727-9100)

Modules

Images
c:\windows\microsoft.net\framework\v2.0.50727\cvtres.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

4804

"C:\Users\admin\Desktop\Imminent Monitor v3.9\Builder (Imminent Monitor 4.1.0.0)\IMBuilder.exe"

C:\Users\admin\Desktop\Imminent Monitor v3.9\Builder (Imminent Monitor 4.1.0.0)\IMBuilder.exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Description:

IMBuilder

Exit code:

Version:

1.0.0.0

Modules

Images
c:\users\admin\desktop\imminent monitor v3.9\builder (imminent monitor 4.1.0.0)\imbuilder.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll

5392

"C:\Users\admin\Desktop\Imminent-Server.exe"

C:\Users\admin\Desktop\Imminent-Server.exe

explorer.exe

User:

admin

Company:

Imminent Solutions

Integrity Level:

MEDIUM

Description:

Imminent Monitor Server

Version:

1.0.0.0

Modules

Images
c:\users\admin\desktop\imminent-server.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

6412

"C:\Windows\System32\explorer.exe" /select, C:\Users\admin\Desktop\Imminent Monitor v3.9\hh.exe

C:\Windows\SysWOW64\explorer.exe

—

Imminent Monitor 3.9.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Explorer

Exit code:

Version:

10.0.19041.3758 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcp_win.dll

6528

C:\WINDOWS\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Windows\explorer.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Explorer

Version:

10.0.19041.3758 (WinBuild.160101.0800)

Modules

Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shcore.dll

Add for printing

Total events

17 054

Read events

16 945

Write events

106

Delete events

Modification events


(PID) Process:	(748) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(748) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(748) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(748) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\Imminent Monitor v3.9.zip
(PID) Process:	(748) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(748) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(748) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(748) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(7028) Imminent Monitor 3.9.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation:	write	Name:	NodeSlots
Value: 0202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202
(PID) Process:	(7028) Imminent Monitor 3.9.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation:	write	Name:	MRUListEx
Value: 04000000110000000E0000000300000000000000100000000F0000000C0000000D0000000B000000050000000A000000090000000800000001000000070000000600000002000000FFFFFFFF

Add for printing

Executable files

Suspicious files

Text files

412

Unknown types

Dropped files

PID	Process	Filename		Type
748	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa748.43539\Imminent Monitor v3.9\Builder (Imminent Monitor 3.9.0.0)\ImminentBuilder.exe		executable
		MD5:1B04AC944849488AD543636E1FD02DE7	SHA256:FEE4CE020777D27BF561A3C914619FCF77A4B7E1EC9202AD93461CED38C91C5B
748	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa748.43539\Imminent Monitor v3.9\ClientPlugin.dll		executable
		MD5:2B02DE4647260361B18DE39DF5AF1AC6	SHA256:94E757AAF2F333D53EB0DD4F941FBD445D36FC27383201D60B3C1073CAC20EC1
748	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa748.43539\Imminent Monitor v3.9\8C1A0000.log		text
		MD5:1163D1A6F35590B0DD53D66D949D9D7B	SHA256:78D8EA61E188FFB6F82064713895B2C4A056D41468EDE27178AC53DC1C218461
748	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa748.43539\Imminent Monitor v3.9\Builder (Imminent Monitor 4.1.0.0)\IMBuilder.exe		executable
		MD5:E65CE31A56C1E6E691E0A6F8E2C46002	SHA256:D1A67435A7CFB6A06026EA515D8D5DFB25051D91E3F5BA2BDB80F2AD6D84400B
748	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa748.43539\Imminent Monitor v3.9\Imminent Monitor 3.9.exe		executable
		MD5:67EB6B75152046AEA39083F45D4E9492	SHA256:9078149DC6EE62AEA91749BA2DB9ABA15C9518F92BFE709B3BBA8523F92CD2E8
748	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa748.43539\Imminent Monitor v3.9\Builder (Imminent Monitor 3.9.0.0)\dnlib.dll		executable
		MD5:FB1EF0C4EBDCC61C23C809B01B8AE6C8	SHA256:51B88F4042F301204D5E6C31A822A53C69918C82B1604DF67D97D879E95C1268
748	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa748.43539\Imminent Monitor v3.9\Builder (Imminent Monitor 3.9.0.0)\Vestris.ResourceLib.dll		executable
		MD5:3048628799C10059424491E174851F91	SHA256:FADCF9B9F02B540B33C31817445456DC36E8AB2A066DFC3E63256B9706638399
748	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa748.43539\Imminent Monitor v3.9\Builder (Imminent Monitor 4.1.0.0)\dnlib.dll		executable
		MD5:0AB0C1BF5F465F5793E984B03303DE67	SHA256:D9085E523927AAF38D78C998AF8743AB59EE7AEFEE01A5ACB380E9E7F96864D3
748	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa748.43539\Imminent Monitor v3.9\CRACK INFO.txt		text
		MD5:1A804E8D3B4F6334E7D0F25371F3E582	SHA256:95C233833E84BF7A2E357D05ABF5B018BBE1D4ADA63E0A17C564CB08ED266B87
748	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa748.43539\Imminent Monitor v3.9\loader.log		text
		MD5:8BCF05365B0B48E11F694F89BCF413F2	SHA256:6AE863196E1AE95B6219882F75FDE8EA4DCB1D8EF4124F20D1E0B9B85A2831CF

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1176	svchost.exe	GET	200	184.30.131.245:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
5400	backgroundTaskHost.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D	unknown	—	—	whitelisted
6840	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
6840	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
5392	Imminent-Server.exe	GET	301	104.26.1.222:80	http://www.iptrackeronline.com/	unknown	—	—	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4712	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
1076	svchost.exe	184.28.89.167:443	go.microsoft.com	AKAMAI-AS	US	whitelisted
1176	svchost.exe	20.190.159.23:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1176	svchost.exe	184.30.131.245:80	ocsp.digicert.com	AKAMAI-AS	US	whitelisted
4712	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5496	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5400	backgroundTaskHost.exe	20.223.35.26:443	arc.msn.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

DNS requests

Domain	IP	Reputation
go.microsoft.com	184.28.89.167	whitelisted
login.live.com	20.190.159.23 40.126.31.128 20.190.159.130 40.126.31.1 20.190.159.129 20.190.159.71 20.190.159.131 20.190.159.2	whitelisted
ocsp.digicert.com	184.30.131.245 2.17.190.73	whitelisted
settings-win.data.microsoft.com	51.124.78.146 40.127.240.158	whitelisted
arc.msn.com	20.223.35.26	whitelisted
fd.api.iris.microsoft.com	20.31.169.57	whitelisted
slscr.update.microsoft.com	20.12.23.50	whitelisted
www.microsoft.com	23.35.229.160	whitelisted
fe3cr.delivery.mp.microsoft.com	13.85.23.206	whitelisted
nexusrules.officeapps.live.com	52.111.227.11	whitelisted

Threats

PID	Process	Class	Message
5392	Imminent-Server.exe	Misc activity	ET INFO Observed IP Tracker Domain in TLS SNI

Add for printing

No debug info

General Info

Imminent Monitor v3.9.zip

DFB2138BA9567F89ECC7EC2483E1DF0C

E848759964BBDE4E73028992CDC89527E1C318CE

6C7B6FAF5A493F036E6B69A0F4C9C7F1B86C068A56CE4D8D9A92C8EBDE0EAE99

98304:bkpqjhDeTRvEuXA1/pri9b4UhWl9WSykAPb4MN7O931gyLUyZgp/bPoP4ED:bPjhDeTR01/YF4Takw4MNPsZYDOD

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Starts Visual C# compiler

Imminent RAT is detected

SUSPICIOUS

Generic archive extractor

Uses .NET C# to load dll

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Reads Internet Explorer settings

Connects to unusual port

Write to the desktop.ini file (may be used to cloak folders)

INFO

Manual execution by a user

Reads the machine GUID from the registry

Checks supported languages

Executable content was dropped or overwritten

Create files in a temporary directory

Reads the computer name

Confuser has been detected (YARA)

Reads security settings of Internet Explorer

Process checks computer location settings

Disables trace logs

Creates files or folders in the user directory

Checks proxy server information

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings