File name:

HidHide_1.5.212_x64.exe

Full analysis: https://app.any.run/tasks/4ba6cc15-4a2d-4622-842f-22de29340447
Verdict: Malicious activity
Analysis date: August 03, 2025, 21:00:36
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
advancedinstaller
auto-reg
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:

BDBA9D05FC40BCAE71D344802C6CC2F7

SHA1:

9757F9ABB56E1ACF24128046910441BCF903CEAD

SHA256:

2093D5422C2C009911098E2B03101A349FAE2BE834A7F972BA3EF40C781EDE38

SSDEEP:

98304:loLfIHceJw1fOHuwjNYGy+6YBBm9we6+hyxk8Ud+EhQvkcFJmELMQ8VHp8b3iAog:lSGjo7RHO0e

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • nefarius_HidHide_Updater.exe (PID: 4308)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • HidHide_1.5.212_x64.exe (PID: 1096)
      • HidHide_1.5.212_x64.exe (PID: 6176)

    • ADVANCEDINSTALLER mutex has been found

      • HidHide_1.5.212_x64.exe (PID: 1096)

    • Reads the Windows owner or organization settings

      • HidHide_1.5.212_x64.exe (PID: 1096)
      • HidHide_1.5.212_x64.exe (PID: 6176)
      • msiexec.exe (PID: 6224)

    • Process drops legitimate windows executable

      • HidHide_1.5.212_x64.exe (PID: 1096)
      • HidHide_1.5.212_x64.exe (PID: 6176)

    • Executable content was dropped or overwritten

      • HidHide_1.5.212_x64.exe (PID: 1096)
      • HidHide_1.5.212_x64.exe (PID: 6176)
      • nefconw.exe (PID: 2384)
      • drvinst.exe (PID: 4084)
      • nefarius_HidHide_Updater.exe (PID: 4308)

    • Detects AdvancedInstaller (YARA)

      • HidHide_1.5.212_x64.exe (PID: 1096)
      • HidHide_1.5.212_x64.exe (PID: 6176)

    • Application launched itself

      • HidHide_1.5.212_x64.exe (PID: 1096)
      • updater.exe (PID: 4156)

    • There is functionality for taking screenshot (YARA)

      • HidHide_1.5.212_x64.exe (PID: 1096)
      • HidHide_1.5.212_x64.exe (PID: 6176)

    • Executes as Windows Service

      • VSSVC.exe (PID: 5496)
      • HidHideWatchdog.exe (PID: 5432)

    • Reads Internet Explorer settings

      • HidHide_1.5.212_x64.exe (PID: 1096)

    • Drops a system driver (possible attempt to evade defenses)

      • HidHide_1.5.212_x64.exe (PID: 1096)
      • msiexec.exe (PID: 6224)
      • drvinst.exe (PID: 4084)
      • nefconw.exe (PID: 2384)

    • Creates files in the driver directory

      • drvinst.exe (PID: 4084)

    • Creates or modifies Windows services

      • drvinst.exe (PID: 4512)

    • Detected use of alternative data streams (AltDS)

      • nefarius_HidHide_Updater.exe (PID: 4308)

    • The process executes via Task Scheduler

      • PLUGScheduler.exe (PID: 4132)
      • updater.exe (PID: 4156)

  • INFO

    • Checks supported languages

      • HidHide_1.5.212_x64.exe (PID: 1096)
      • msiexec.exe (PID: 6224)
      • msiexec.exe (PID: 1636)
      • HidHide_1.5.212_x64.exe (PID: 6176)
      • HidHideWatchdog.exe (PID: 5432)
      • nefconw.exe (PID: 2384)
      • nefconw.exe (PID: 5252)
      • msiexec.exe (PID: 3636)
      • drvinst.exe (PID: 4084)
      • drvinst.exe (PID: 4512)
      • nefconw.exe (PID: 6636)
      • nefarius_HidHide_Updater.exe (PID: 4308)
      • nefarius_HidHide_Updater.exe (PID: 4684)
      • PLUGScheduler.exe (PID: 4132)
      • updater.exe (PID: 4156)
      • nefconw.exe (PID: 6268)
      • nefconw.exe (PID: 3956)
      • updater.exe (PID: 4324)
      • nefarius_HidHide_Updater.exe (PID: 6028)

    • The sample compiled with english language support

      • HidHide_1.5.212_x64.exe (PID: 1096)
      • HidHide_1.5.212_x64.exe (PID: 6176)
      • msiexec.exe (PID: 6224)
      • drvinst.exe (PID: 4084)
      • nefconw.exe (PID: 2384)

    • Creates files in the program directory

      • HidHide_1.5.212_x64.exe (PID: 1096)
      • nefarius_HidHide_Updater.exe (PID: 4308)
      • PLUGScheduler.exe (PID: 4132)

    • Reads the machine GUID from the registry

      • HidHide_1.5.212_x64.exe (PID: 1096)
      • HidHide_1.5.212_x64.exe (PID: 6176)
      • msiexec.exe (PID: 6224)
      • drvinst.exe (PID: 4084)

    • Reads the software policy settings

      • HidHide_1.5.212_x64.exe (PID: 1096)
      • HidHide_1.5.212_x64.exe (PID: 6176)
      • msiexec.exe (PID: 6224)
      • drvinst.exe (PID: 4084)

    • Reads the computer name

      • HidHide_1.5.212_x64.exe (PID: 1096)
      • msiexec.exe (PID: 6224)
      • msiexec.exe (PID: 1636)
      • HidHide_1.5.212_x64.exe (PID: 6176)
      • msiexec.exe (PID: 3636)
      • HidHideWatchdog.exe (PID: 5432)
      • nefconw.exe (PID: 5252)
      • nefconw.exe (PID: 2384)
      • drvinst.exe (PID: 4084)
      • drvinst.exe (PID: 4512)
      • nefconw.exe (PID: 6636)
      • nefconw.exe (PID: 3956)
      • nefconw.exe (PID: 6268)
      • nefarius_HidHide_Updater.exe (PID: 4308)
      • nefarius_HidHide_Updater.exe (PID: 4684)
      • PLUGScheduler.exe (PID: 4132)
      • updater.exe (PID: 4156)
      • nefarius_HidHide_Updater.exe (PID: 6028)

    • Checks proxy server information

      • HidHide_1.5.212_x64.exe (PID: 1096)

    • Reads Environment values

      • HidHide_1.5.212_x64.exe (PID: 1096)
      • msiexec.exe (PID: 1636)
      • HidHide_1.5.212_x64.exe (PID: 6176)
      • msiexec.exe (PID: 3636)

    • Creates files or folders in the user directory

      • HidHide_1.5.212_x64.exe (PID: 1096)

    • Create files in a temporary directory

      • HidHide_1.5.212_x64.exe (PID: 1096)
      • HidHide_1.5.212_x64.exe (PID: 6176)
      • nefconw.exe (PID: 2384)

    • Process checks computer location settings

      • HidHide_1.5.212_x64.exe (PID: 1096)

    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 6224)

    • Creates a software uninstall entry

      • msiexec.exe (PID: 6224)

    • Manages system restore points

      • SrTasks.exe (PID: 1520)

    • Manual execution by a user

      • nefarius_HidHide_Updater.exe (PID: 4684)
      • nefarius_HidHide_Updater.exe (PID: 6028)

    • Launching a file from a Registry key

      • nefarius_HidHide_Updater.exe (PID: 4308)

    • Process checks whether UAC notifications are on

      • updater.exe (PID: 4156)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:01:23 16:35:17+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 14.38
CodeSize: 2716672
InitializedDataSize: 1122816
UninitializedDataSize: -
EntryPoint: 0x20c1a0
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.5.212.0
ProductVersionNumber: 1.5.212.0
FileFlagsMask: 0x003f
FileFlags: Debug
FileOS: Win32
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Nefarius Software Solutions e.U.
FileDescription: HidHide Installer
FileVersion: 1.5.212
InternalName: HidHide_1.5.212_x64
LegalCopyright: Copyright (C) 2024 Nefarius Software Solutions e.U.
OriginalFileName: HidHide_1.5.212_x64.exe
ProductName: HidHide
ProductVersion: 1.5.212
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
294
Monitored processes
23
Malicious processes
4
Suspicious processes
1

Behavior graph

Click at the process to see the details
start hidhide_1.5.212_x64.exe msiexec.exe msiexec.exe no specs hidhide_1.5.212_x64.exe vssvc.exe no specs srtasks.exe no specs conhost.exe no specs msiexec.exe no specs hidhidewatchdog.exe no specs nefconw.exe no specs nefconw.exe drvinst.exe drvinst.exe no specs nefconw.exe no specs nefconw.exe no specs nefconw.exe no specs nefarius_hidhide_updater.exe nefarius_hidhide_updater.exe hidhidewatchdog.exe no specs plugscheduler.exe no specs updater.exe no specs updater.exe no specs nefarius_hidhide_updater.exe

Process information

PID
CMD
Path
Indicators
Parent process
1096"C:\Users\admin\Desktop\HidHide_1.5.212_x64.exe" C:\Users\admin\Desktop\HidHide_1.5.212_x64.exe
explorer.exe
User:
admin
Company:
Nefarius Software Solutions e.U.
Integrity Level:
MEDIUM
Description:
HidHide Installer
Exit code:
0
Version:
1.5.212
Modules
Images
c:\users\admin\desktop\hidhide_1.5.212_x64.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\imagehlp.dll
1520C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:11C:\Windows\System32\SrTasks.exemsiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Windows System Protection background tasks.
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\srtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
1636C:\Windows\syswow64\MsiExec.exe -Embedding 6A4F328402752BBF7D0CD238B7185C0F CC:\Windows\SysWOW64\msiexec.exemsiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
2292\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeSrTasks.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2384"C:\Program Files\Nefarius Software Solutions\HidHide\x64\nefconw.exe" --install-driver --inf-path "C:\Program Files\Nefarius Software Solutions\HidHide\x64\HidHide\HidHide.inf"C:\Program Files\Nefarius Software Solutions\HidHide\x64\nefconw.exe
msiexec.exe
User:
admin
Company:
Nefarius Software Solutions e.U.
Integrity Level:
HIGH
Description:
Nefarius' Device Console Utility
Exit code:
0
Version:
1.2.0.0
Modules
Images
c:\program files\nefarius software solutions\hidhide\x64\nefconw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\bcrypt.dll
3000"C:\Program Files\Nefarius Software Solutions\HidHide\x64\HidHideWatchdog.exe"C:\Program Files\Nefarius Software Solutions\HidHide\x64\HidHideWatchdog.exeservices.exe
User:
SYSTEM
Company:
Nefarius Software Solutions e.U.
Integrity Level:
SYSTEM
Description:
HidHide Watchdog service for configuration integrity
Version:
1.5.212.0
Modules
Images
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\devobj.dll
3636C:\Windows\syswow64\MsiExec.exe -Embedding 87B187729EA3531A3DD2CE5ED8103972C:\Windows\SysWOW64\msiexec.exemsiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
3956"C:\Program Files\Nefarius Software Solutions\HidHide\x64\nefconw.exe" --add-class-filter --position upper --service-name HidHide --class-guid d61ca365-5af4-4486-998b-9db4734c6ca3C:\Program Files\Nefarius Software Solutions\HidHide\x64\nefconw.exemsiexec.exe
User:
admin
Company:
Nefarius Software Solutions e.U.
Integrity Level:
HIGH
Description:
Nefarius' Device Console Utility
Exit code:
0
Version:
1.2.0.0
Modules
Images
c:\program files\nefarius software solutions\hidhide\x64\nefconw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\bcrypt.dll
4084DrvInst.exe "4" "0" "C:\Users\admin\AppData\Local\Temp\{b1f7c6e1-8103-834b-82d4-cf5894b53b09}\HidHide.inf" "9" "49f2aa4cb" "00000000000001C0" "WinSta0\Default" "00000000000001E4" "208" "C:\Program Files\Nefarius Software Solutions\HidHide\x64\HidHide"C:\Windows\System32\drvinst.exe
svchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Driver Installation Module
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\drvinst.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\drvstore.dll
4132"C:\Program Files\RUXIM\PLUGscheduler.exe"C:\Program Files\RUXIM\PLUGScheduler.exesvchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Update LifeCycle Component Scheduler
Exit code:
0
Version:
10.0.19041.3623 (WinBuild.160101.0800)
Modules
Images
c:\program files\ruxim\plugscheduler.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
Total events
17 043
Read events
16 713
Write events
295
Delete events
35

Modification events

(PID) Process:(6224) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppGetSnapshots (Leave)
Value:
4800000000000000DE7FA7B7B904DC0150180000EC120000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(6224) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppEnumGroups (Enter)
Value:
4800000000000000DE7FA7B7B904DC0150180000EC120000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(6224) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppEnumGroups (Leave)
Value:
480000000000000011E3A9B7B904DC0150180000EC120000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(6224) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppCreate (Enter)
Value:
4800000000000000ADAAAEB7B904DC0150180000EC120000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(6224) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppGatherWriterMetadata (Enter)
Value:
480000000000000035B0E0B7B904DC0150180000EC120000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(5496) VSSVC.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
Operation:writeName:IDENTIFY (Leave)
Value:
4800000000000000CE69F1B7B904DC0178150000440D0000E80300000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(5496) VSSVC.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
Operation:writeName:IDENTIFY (Leave)
Value:
480000000000000022CDF3B7B904DC017815000038050000E80300000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(5496) VSSVC.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
Operation:writeName:IDENTIFY (Leave)
Value:
480000000000000022CDF3B7B904DC0178150000BC000000E80300000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(6224) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation:writeName:SrCreateRp (Enter)
Value:
4800000000000000D6E48AB7B904DC0150180000EC120000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(6224) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppGetSnapshots (Enter)
Value:
4800000000000000D6E48AB7B904DC0150180000EC120000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Executable files
48
Suspicious files
84
Text files
33
Unknown types
0

Dropped files

PID
Process
Filename
Type
1096HidHide_1.5.212_x64.exeC:\ProgramData\Nefarius Software Solutions\HidHide 1.5.212\install\holder0.aiph
MD5:
SHA256:
1096HidHide_1.5.212_x64.exeC:\Users\admin\AppData\Local\Temp\AI_EXTUI_BIN_1096\dialog.jpgimage
MD5:5F6253CFF5A8B031BFB3B161079D0D86
SHA256:36D9BAB35D1E4B50045BF902F5D42B6F865488C75F6E60FC00A6CD6F69034AB0
1096HidHide_1.5.212_x64.exeC:\Users\admin\AppData\Local\Temp\MSIDE9B.tmpexecutable
MD5:36CD2870D577FF917BA93C9F50F86374
SHA256:8D3E94C47AF3DA706A9FE9E4428B2FEFD5E9E6C7145E96927FFFDF3DD5E472B8
1096HidHide_1.5.212_x64.exeC:\Users\admin\AppData\Local\Temp\shiDD1C.tmpexecutable
MD5:84A34BF3486F7B9B7035DB78D78BDD1E
SHA256:F85911C910B660E528D2CF291BAA40A92D09961996D6D84E7A53A7095C7CD96E
1096HidHide_1.5.212_x64.exeC:\Users\admin\AppData\Local\Temp\MSIDE1A.tmpexecutable
MD5:65B853552E16654C53AB4D16920A9182
SHA256:80C5E769470BB98C5B1EC3BE0A9A51F0821C67E9ADC7E3E254BBC41183CEB76F
1096HidHide_1.5.212_x64.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_35E9AC8BDBFF76B8DAD6DDAFD42E3BC2binary
MD5:AB2344B473400705D482092336C2D36E
SHA256:E225DC1F0A80B6B692B0F39138115718715924599FB7B58266CFEDC09B2D66EC
1096HidHide_1.5.212_x64.exeC:\Users\admin\AppData\Local\Temp\AI_EXTUI_BIN_1096\completiimage
MD5:C23AF89757665BC0386FD798A61B2112
SHA256:031ED0378F819926D7B5B2C6C9367A0FB1CBAE40E1A3959E2652FE30A47D52F2
1096HidHide_1.5.212_x64.exeC:\Users\admin\AppData\Local\Temp\MSIDE2B.tmpexecutable
MD5:36CD2870D577FF917BA93C9F50F86374
SHA256:8D3E94C47AF3DA706A9FE9E4428B2FEFD5E9E6C7145E96927FFFDF3DD5E472B8
1096HidHide_1.5.212_x64.exeC:\Users\admin\AppData\Local\Temp\MSIDDAB.tmpexecutable
MD5:36CD2870D577FF917BA93C9F50F86374
SHA256:8D3E94C47AF3DA706A9FE9E4428B2FEFD5E9E6C7145E96927FFFDF3DD5E472B8
1096HidHide_1.5.212_x64.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEBbinary
MD5:C5DC100838A8EBE3DE161002626F620F
SHA256:07E6B0704BBEC0B2E9815A720D6A3148C05DDFC0E4A3DDB0F7B513A583C9074E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
53
TCP/UDP connections
39
DNS requests
26
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1096
HidHide_1.5.212_x64.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D
unknown
whitelisted
1096
HidHide_1.5.212_x64.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
23.48.23.157:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
23.48.23.157:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1096
HidHide_1.5.212_x64.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEA4sR33wtnOE7yQZOQX4O%2F0%3D
unknown
whitelisted
3768
RUXIMICS.exe
GET
200
23.48.23.157:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1268
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
3768
RUXIMICS.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
52.109.76.240:443
https://officeclient.microsoft.com/config16/?syslcid=1033&build=16.0.16026&crev=3
unknown
xml
182 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5944
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
1268
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3768
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
1096
HidHide_1.5.212_x64.exe
184.30.131.245:80
ocsp.digicert.com
AKAMAI-AS
US
whitelisted
5944
MoUsoCoreWorker.exe
23.48.23.157:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1268
svchost.exe
23.48.23.157:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
3768
RUXIMICS.exe
23.48.23.157:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5944
MoUsoCoreWorker.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
google.com
  • 142.250.186.110
whitelisted
ocsp.digicert.com
  • 184.30.131.245
whitelisted
crl.microsoft.com
  • 23.48.23.157
  • 23.48.23.153
  • 23.48.23.158
  • 23.48.23.148
  • 23.48.23.155
  • 23.48.23.146
  • 23.48.23.156
  • 23.48.23.149
  • 23.48.23.147
  • 23.48.23.137
  • 23.48.23.140
  • 23.48.23.145
  • 23.48.23.134
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
vicius.api.nefarius.systems
  • 38.242.217.201
unknown
watson.events.data.microsoft.com
  • 135.233.45.223
whitelisted
self.events.data.microsoft.com
  • 20.189.173.10
  • 52.168.117.171
whitelisted
officeclient.microsoft.com
  • 52.109.76.240
whitelisted
ecs.office.com
  • 52.123.128.14
  • 52.123.129.14
whitelisted

Threats

No threats detected
Process
Message
nefarius_HidHide_Updater.exe
[2025-08-03 21:01:15.463] [vicius-updater] [info] No local configuration found at C:\Program Files\Nefarius Software Solutions\HidHide\x64\nefarius_HidHide_Updater.json
nefarius_HidHide_Updater.exe
[2025-08-03 21:01:15.464] [vicius-updater] [info] Extracted manufacturer nefarius and product HidHide values
nefarius_HidHide_Updater.exe
[2025-08-03 21:01:15.485] [vicius-updater] [info] Installation tasks finished successfully
nefarius_HidHide_Updater.exe
[2025-08-03 21:01:17.520] [vicius-updater] [info] No local configuration found at C:\Program Files\Nefarius Software Solutions\HidHide\x64\nefarius_HidHide_Updater.json
nefarius_HidHide_Updater.exe
[2025-08-03 21:01:17.520] [vicius-updater] [info] Extracted manufacturer nefarius and product HidHide values
nefarius_HidHide_Updater.exe
[2025-08-03 21:01:17.532] [vicius-updater] [error] RegisterTaskDefinition failed with Access is denied.
nefarius_HidHide_Updater.exe
[2025-08-03 21:01:17.533] [vicius-updater] [error] Failed to (re-)create Scheduled Task, error: Error saving the Task, HRESULT: Access is denied.
nefarius_HidHide_Updater.exe
[2025-08-03 21:01:17.575] [vicius-updater] [error] GET request failed with code 35
nefarius_HidHide_Updater.exe
[2025-08-03 21:01:17.575] [vicius-updater] [critical] Failed to get server response
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
HidHide_1.5.212_x64.exe