File name:

HidHide_1.5.212_x64.exe

Full analysis: https://app.any.run/tasks/4ba6cc15-4a2d-4622-842f-22de29340447
Verdict: Malicious activity
Analysis date: August 03, 2025, 21:00:36
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
advancedinstaller
auto-reg
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:

BDBA9D05FC40BCAE71D344802C6CC2F7

SHA1:

9757F9ABB56E1ACF24128046910441BCF903CEAD

SHA256:

2093D5422C2C009911098E2B03101A349FAE2BE834A7F972BA3EF40C781EDE38

SSDEEP:

98304:loLfIHceJw1fOHuwjNYGy+6YBBm9we6+hyxk8Ud+EhQvkcFJmELMQ8VHp8b3iAog:lSGjo7RHO0e

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • nefarius_HidHide_Updater.exe (PID: 4308)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • HidHide_1.5.212_x64.exe (PID: 1096)
      • HidHide_1.5.212_x64.exe (PID: 6176)

    • Reads security settings of Internet Explorer

      • HidHide_1.5.212_x64.exe (PID: 1096)
      • HidHide_1.5.212_x64.exe (PID: 6176)

    • ADVANCEDINSTALLER mutex has been found

      • HidHide_1.5.212_x64.exe (PID: 1096)

    • Reads the Windows owner or organization settings

      • HidHide_1.5.212_x64.exe (PID: 1096)
      • HidHide_1.5.212_x64.exe (PID: 6176)
      • msiexec.exe (PID: 6224)

    • Executable content was dropped or overwritten

      • HidHide_1.5.212_x64.exe (PID: 1096)
      • HidHide_1.5.212_x64.exe (PID: 6176)
      • nefconw.exe (PID: 2384)
      • drvinst.exe (PID: 4084)
      • nefarius_HidHide_Updater.exe (PID: 4308)

    • Detects AdvancedInstaller (YARA)

      • HidHide_1.5.212_x64.exe (PID: 1096)
      • HidHide_1.5.212_x64.exe (PID: 6176)

    • Reads Internet Explorer settings

      • HidHide_1.5.212_x64.exe (PID: 1096)

    • There is functionality for taking screenshot (YARA)

      • HidHide_1.5.212_x64.exe (PID: 1096)
      • HidHide_1.5.212_x64.exe (PID: 6176)

    • Application launched itself

      • HidHide_1.5.212_x64.exe (PID: 1096)
      • updater.exe (PID: 4156)

    • Executes as Windows Service

      • VSSVC.exe (PID: 5496)
      • HidHideWatchdog.exe (PID: 5432)

    • Drops a system driver (possible attempt to evade defenses)

      • HidHide_1.5.212_x64.exe (PID: 1096)
      • msiexec.exe (PID: 6224)
      • nefconw.exe (PID: 2384)
      • drvinst.exe (PID: 4084)

    • Creates files in the driver directory

      • drvinst.exe (PID: 4084)

    • Creates or modifies Windows services

      • drvinst.exe (PID: 4512)

    • Detected use of alternative data streams (AltDS)

      • nefarius_HidHide_Updater.exe (PID: 4308)

    • The process executes via Task Scheduler

      • PLUGScheduler.exe (PID: 4132)
      • updater.exe (PID: 4156)

  • INFO

    • The sample compiled with english language support

      • HidHide_1.5.212_x64.exe (PID: 1096)
      • HidHide_1.5.212_x64.exe (PID: 6176)
      • msiexec.exe (PID: 6224)
      • nefconw.exe (PID: 2384)
      • drvinst.exe (PID: 4084)

    • Reads the computer name

      • HidHide_1.5.212_x64.exe (PID: 1096)
      • msiexec.exe (PID: 1636)
      • msiexec.exe (PID: 6224)
      • HidHide_1.5.212_x64.exe (PID: 6176)
      • msiexec.exe (PID: 3636)
      • HidHideWatchdog.exe (PID: 5432)
      • nefconw.exe (PID: 5252)
      • nefconw.exe (PID: 2384)
      • drvinst.exe (PID: 4084)
      • nefconw.exe (PID: 6636)
      • drvinst.exe (PID: 4512)
      • nefconw.exe (PID: 3956)
      • nefconw.exe (PID: 6268)
      • nefarius_HidHide_Updater.exe (PID: 4308)
      • nefarius_HidHide_Updater.exe (PID: 4684)
      • PLUGScheduler.exe (PID: 4132)
      • updater.exe (PID: 4156)
      • nefarius_HidHide_Updater.exe (PID: 6028)

    • Checks supported languages

      • HidHide_1.5.212_x64.exe (PID: 1096)
      • msiexec.exe (PID: 6224)
      • msiexec.exe (PID: 1636)
      • HidHide_1.5.212_x64.exe (PID: 6176)
      • msiexec.exe (PID: 3636)
      • HidHideWatchdog.exe (PID: 5432)
      • nefconw.exe (PID: 5252)
      • nefconw.exe (PID: 2384)
      • drvinst.exe (PID: 4084)
      • drvinst.exe (PID: 4512)
      • nefconw.exe (PID: 6636)
      • nefconw.exe (PID: 3956)
      • nefarius_HidHide_Updater.exe (PID: 4308)
      • nefarius_HidHide_Updater.exe (PID: 4684)
      • PLUGScheduler.exe (PID: 4132)
      • updater.exe (PID: 4156)
      • nefconw.exe (PID: 6268)
      • nefarius_HidHide_Updater.exe (PID: 6028)
      • updater.exe (PID: 4324)

    • Creates files in the program directory

      • HidHide_1.5.212_x64.exe (PID: 1096)
      • PLUGScheduler.exe (PID: 4132)
      • nefarius_HidHide_Updater.exe (PID: 4308)

    • Reads Environment values

      • HidHide_1.5.212_x64.exe (PID: 1096)
      • msiexec.exe (PID: 1636)
      • HidHide_1.5.212_x64.exe (PID: 6176)
      • msiexec.exe (PID: 3636)

    • Reads the software policy settings

      • HidHide_1.5.212_x64.exe (PID: 1096)
      • HidHide_1.5.212_x64.exe (PID: 6176)
      • msiexec.exe (PID: 6224)
      • drvinst.exe (PID: 4084)

    • Creates files or folders in the user directory

      • HidHide_1.5.212_x64.exe (PID: 1096)

    • Reads the machine GUID from the registry

      • HidHide_1.5.212_x64.exe (PID: 1096)
      • HidHide_1.5.212_x64.exe (PID: 6176)
      • msiexec.exe (PID: 6224)
      • drvinst.exe (PID: 4084)

    • Create files in a temporary directory

      • HidHide_1.5.212_x64.exe (PID: 1096)
      • HidHide_1.5.212_x64.exe (PID: 6176)
      • nefconw.exe (PID: 2384)

    • Checks proxy server information

      • HidHide_1.5.212_x64.exe (PID: 1096)

    • Process checks computer location settings

      • HidHide_1.5.212_x64.exe (PID: 1096)

    • Manages system restore points

      • SrTasks.exe (PID: 1520)

    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 6224)

    • Creates a software uninstall entry

      • msiexec.exe (PID: 6224)

    • Launching a file from a Registry key

      • nefarius_HidHide_Updater.exe (PID: 4308)

    • Manual execution by a user

      • nefarius_HidHide_Updater.exe (PID: 4684)
      • nefarius_HidHide_Updater.exe (PID: 6028)

    • Process checks whether UAC notifications are on

      • updater.exe (PID: 4156)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:01:23 16:35:17+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 14.38
CodeSize: 2716672
InitializedDataSize: 1122816
UninitializedDataSize: -
EntryPoint: 0x20c1a0
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.5.212.0
ProductVersionNumber: 1.5.212.0
FileFlagsMask: 0x003f
FileFlags: Debug
FileOS: Win32
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Nefarius Software Solutions e.U.
FileDescription: HidHide Installer
FileVersion: 1.5.212
InternalName: HidHide_1.5.212_x64
LegalCopyright: Copyright (C) 2024 Nefarius Software Solutions e.U.
OriginalFileName: HidHide_1.5.212_x64.exe
ProductName: HidHide
ProductVersion: 1.5.212
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
294
Monitored processes
23
Malicious processes
4
Suspicious processes
1

Behavior graph

Click at the process to see the details
start hidhide_1.5.212_x64.exe msiexec.exe msiexec.exe no specs hidhide_1.5.212_x64.exe vssvc.exe no specs srtasks.exe no specs conhost.exe no specs msiexec.exe no specs hidhidewatchdog.exe no specs nefconw.exe no specs nefconw.exe drvinst.exe drvinst.exe no specs nefconw.exe no specs nefconw.exe no specs nefconw.exe no specs nefarius_hidhide_updater.exe nefarius_hidhide_updater.exe hidhidewatchdog.exe no specs plugscheduler.exe no specs updater.exe no specs updater.exe no specs nefarius_hidhide_updater.exe

Process information

PID
CMD
Path
Indicators
Parent process
1096"C:\Users\admin\Desktop\HidHide_1.5.212_x64.exe" C:\Users\admin\Desktop\HidHide_1.5.212_x64.exe
explorer.exe
User:
admin
Company:
Nefarius Software Solutions e.U.
Integrity Level:
MEDIUM
Description:
HidHide Installer
Exit code:
0
Version:
1.5.212
Modules
Images
c:\users\admin\desktop\hidhide_1.5.212_x64.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\imagehlp.dll
1520C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:11C:\Windows\System32\SrTasks.exemsiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Windows System Protection background tasks.
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\srtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
1636C:\Windows\syswow64\MsiExec.exe -Embedding 6A4F328402752BBF7D0CD238B7185C0F CC:\Windows\SysWOW64\msiexec.exemsiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
2292\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeSrTasks.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2384"C:\Program Files\Nefarius Software Solutions\HidHide\x64\nefconw.exe" --install-driver --inf-path "C:\Program Files\Nefarius Software Solutions\HidHide\x64\HidHide\HidHide.inf"C:\Program Files\Nefarius Software Solutions\HidHide\x64\nefconw.exe
msiexec.exe
User:
admin
Company:
Nefarius Software Solutions e.U.
Integrity Level:
HIGH
Description:
Nefarius' Device Console Utility
Exit code:
0
Version:
1.2.0.0
Modules
Images
c:\program files\nefarius software solutions\hidhide\x64\nefconw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\bcrypt.dll
3000"C:\Program Files\Nefarius Software Solutions\HidHide\x64\HidHideWatchdog.exe"C:\Program Files\Nefarius Software Solutions\HidHide\x64\HidHideWatchdog.exeservices.exe
User:
SYSTEM
Company:
Nefarius Software Solutions e.U.
Integrity Level:
SYSTEM
Description:
HidHide Watchdog service for configuration integrity
Version:
1.5.212.0
Modules
Images
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\devobj.dll
3636C:\Windows\syswow64\MsiExec.exe -Embedding 87B187729EA3531A3DD2CE5ED8103972C:\Windows\SysWOW64\msiexec.exemsiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
3956"C:\Program Files\Nefarius Software Solutions\HidHide\x64\nefconw.exe" --add-class-filter --position upper --service-name HidHide --class-guid d61ca365-5af4-4486-998b-9db4734c6ca3C:\Program Files\Nefarius Software Solutions\HidHide\x64\nefconw.exemsiexec.exe
User:
admin
Company:
Nefarius Software Solutions e.U.
Integrity Level:
HIGH
Description:
Nefarius' Device Console Utility
Exit code:
0
Version:
1.2.0.0
Modules
Images
c:\program files\nefarius software solutions\hidhide\x64\nefconw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\bcrypt.dll
4084DrvInst.exe "4" "0" "C:\Users\admin\AppData\Local\Temp\{b1f7c6e1-8103-834b-82d4-cf5894b53b09}\HidHide.inf" "9" "49f2aa4cb" "00000000000001C0" "WinSta0\Default" "00000000000001E4" "208" "C:\Program Files\Nefarius Software Solutions\HidHide\x64\HidHide"C:\Windows\System32\drvinst.exe
svchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Driver Installation Module
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\drvinst.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\drvstore.dll
4132"C:\Program Files\RUXIM\PLUGscheduler.exe"C:\Program Files\RUXIM\PLUGScheduler.exesvchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Update LifeCycle Component Scheduler
Exit code:
0
Version:
10.0.19041.3623 (WinBuild.160101.0800)
Modules
Images
c:\program files\ruxim\plugscheduler.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
Total events
17 043
Read events
16 713
Write events
295
Delete events
35

Modification events

(PID) Process:(6224) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppGetSnapshots (Leave)
Value:
4800000000000000DE7FA7B7B904DC0150180000EC120000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(6224) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppEnumGroups (Enter)
Value:
4800000000000000DE7FA7B7B904DC0150180000EC120000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(6224) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppEnumGroups (Leave)
Value:
480000000000000011E3A9B7B904DC0150180000EC120000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(6224) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppCreate (Enter)
Value:
4800000000000000ADAAAEB7B904DC0150180000EC120000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(6224) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppGatherWriterMetadata (Enter)
Value:
480000000000000035B0E0B7B904DC0150180000EC120000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(5496) VSSVC.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
Operation:writeName:IDENTIFY (Leave)
Value:
4800000000000000CE69F1B7B904DC0178150000440D0000E80300000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(5496) VSSVC.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
Operation:writeName:IDENTIFY (Leave)
Value:
480000000000000022CDF3B7B904DC017815000038050000E80300000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(5496) VSSVC.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
Operation:writeName:IDENTIFY (Leave)
Value:
480000000000000022CDF3B7B904DC0178150000BC000000E80300000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(6224) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation:writeName:SrCreateRp (Enter)
Value:
4800000000000000D6E48AB7B904DC0150180000EC120000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(6224) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppGetSnapshots (Enter)
Value:
4800000000000000D6E48AB7B904DC0150180000EC120000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Executable files
48
Suspicious files
84
Text files
33
Unknown types
0

Dropped files

PID
Process
Filename
Type
1096HidHide_1.5.212_x64.exeC:\ProgramData\Nefarius Software Solutions\HidHide 1.5.212\install\holder0.aiph
MD5:
SHA256:
1096HidHide_1.5.212_x64.exeC:\ProgramData\Nefarius Software Solutions\HidHide 1.5.212\install\FD6A45B\HidHide.msiexecutable
MD5:8B51A36E4DD2AB392B360572833C9751
SHA256:EF367FAD8E300D87E0D440228C6DD328E5E8EF7D9B14EB96C6D8BE520C610E79
1096HidHide_1.5.212_x64.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEBbinary
MD5:C5DC100838A8EBE3DE161002626F620F
SHA256:07E6B0704BBEC0B2E9815A720D6A3148C05DDFC0E4A3DDB0F7B513A583C9074E
1096HidHide_1.5.212_x64.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_35E9AC8BDBFF76B8DAD6DDAFD42E3BC2binary
MD5:854DAEEB1EA0E1DCA38A404BE081EE52
SHA256:D192BAC854162E4A800836FFA395D08737759DDF3BEE3316B496140A3442C5D8
1096HidHide_1.5.212_x64.exeC:\Users\admin\AppData\Local\Temp\shiDD1C.tmpexecutable
MD5:84A34BF3486F7B9B7035DB78D78BDD1E
SHA256:F85911C910B660E528D2CF291BAA40A92D09961996D6D84E7A53A7095C7CD96E
1096HidHide_1.5.212_x64.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141binary
MD5:533D6E2FA878DA79FE229015B7E1E1CF
SHA256:8BA2AB74ED30EF2B6592959849A21299D71D594375A0C1592C0BBEC7E860124D
1096HidHide_1.5.212_x64.exeC:\Users\admin\AppData\Local\Temp\MSIDD4C.tmpexecutable
MD5:36CD2870D577FF917BA93C9F50F86374
SHA256:8D3E94C47AF3DA706A9FE9E4428B2FEFD5E9E6C7145E96927FFFDF3DD5E472B8
1096HidHide_1.5.212_x64.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141binary
MD5:DD88CDB88485A0A80A90DB14DCA3AD60
SHA256:487F5EDA03F7EC023F982264BDFB394D6C6B3D7D40970961D1A92D27C4BE419B
1096HidHide_1.5.212_x64.exeC:\Users\admin\AppData\Local\Temp\MSIDE1A.tmpexecutable
MD5:65B853552E16654C53AB4D16920A9182
SHA256:80C5E769470BB98C5B1EC3BE0A9A51F0821C67E9ADC7E3E254BBC41183CEB76F
1096HidHide_1.5.212_x64.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_35E9AC8BDBFF76B8DAD6DDAFD42E3BC2binary
MD5:AB2344B473400705D482092336C2D36E
SHA256:E225DC1F0A80B6B692B0F39138115718715924599FB7B58266CFEDC09B2D66EC
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
53
TCP/UDP connections
39
DNS requests
26
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1096
HidHide_1.5.212_x64.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D
unknown
whitelisted
1268
svchost.exe
GET
200
23.48.23.157:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
23.48.23.157:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1096
HidHide_1.5.212_x64.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D
unknown
whitelisted
3768
RUXIMICS.exe
GET
200
23.48.23.157:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1096
HidHide_1.5.212_x64.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEA4sR33wtnOE7yQZOQX4O%2F0%3D
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1268
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
3768
RUXIMICS.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
52.109.76.240:443
https://officeclient.microsoft.com/config16/?syslcid=1033&build=16.0.16026&crev=3
unknown
xml
182 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5944
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
1268
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3768
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
1096
HidHide_1.5.212_x64.exe
184.30.131.245:80
ocsp.digicert.com
AKAMAI-AS
US
whitelisted
5944
MoUsoCoreWorker.exe
23.48.23.157:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1268
svchost.exe
23.48.23.157:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
3768
RUXIMICS.exe
23.48.23.157:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5944
MoUsoCoreWorker.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
google.com
  • 142.250.186.110
whitelisted
ocsp.digicert.com
  • 184.30.131.245
whitelisted
crl.microsoft.com
  • 23.48.23.157
  • 23.48.23.153
  • 23.48.23.158
  • 23.48.23.148
  • 23.48.23.155
  • 23.48.23.146
  • 23.48.23.156
  • 23.48.23.149
  • 23.48.23.147
  • 23.48.23.137
  • 23.48.23.140
  • 23.48.23.145
  • 23.48.23.134
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
vicius.api.nefarius.systems
  • 38.242.217.201
unknown
watson.events.data.microsoft.com
  • 135.233.45.223
whitelisted
self.events.data.microsoft.com
  • 20.189.173.10
  • 52.168.117.171
whitelisted
officeclient.microsoft.com
  • 52.109.76.240
whitelisted
ecs.office.com
  • 52.123.128.14
  • 52.123.129.14
whitelisted

Threats

No threats detected
Process
Message
nefarius_HidHide_Updater.exe
[2025-08-03 21:01:15.463] [vicius-updater] [info] No local configuration found at C:\Program Files\Nefarius Software Solutions\HidHide\x64\nefarius_HidHide_Updater.json
nefarius_HidHide_Updater.exe
[2025-08-03 21:01:15.464] [vicius-updater] [info] Extracted manufacturer nefarius and product HidHide values
nefarius_HidHide_Updater.exe
[2025-08-03 21:01:15.485] [vicius-updater] [info] Installation tasks finished successfully
nefarius_HidHide_Updater.exe
[2025-08-03 21:01:17.520] [vicius-updater] [info] No local configuration found at C:\Program Files\Nefarius Software Solutions\HidHide\x64\nefarius_HidHide_Updater.json
nefarius_HidHide_Updater.exe
[2025-08-03 21:01:17.520] [vicius-updater] [info] Extracted manufacturer nefarius and product HidHide values
nefarius_HidHide_Updater.exe
[2025-08-03 21:01:17.532] [vicius-updater] [error] RegisterTaskDefinition failed with Access is denied.
nefarius_HidHide_Updater.exe
[2025-08-03 21:01:17.533] [vicius-updater] [error] Failed to (re-)create Scheduled Task, error: Error saving the Task, HRESULT: Access is denied.
nefarius_HidHide_Updater.exe
[2025-08-03 21:01:17.575] [vicius-updater] [error] GET request failed with code 35
nefarius_HidHide_Updater.exe
[2025-08-03 21:01:17.575] [vicius-updater] [critical] Failed to get server response
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
HidHide_1.5.212_x64.exe