File name: netlimiter-5.3.23.0.zip

Full analysis: https://app.any.run/tasks/e4ac9183-e260-48e9-a94e-46fe10d9ec84
Verdict: Malicious activity
Analysis date: March 18, 2025, 19:27:30
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
arch-exec
arch-doc
advancedinstaller
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5: 73DFB44B3CD426D607E2EE65902FA618
SHA1: 35856E9FA9A32D9A1321833AC7EB576CA3DDEDFF
SHA256: 630FBADDA2DD6580B330D87444BFCBDDC2852D272AD3E6E31F789DA10388DB61
SSDEEP: 98304:q8JU3GnIT5JH4Ou//Ctorw66UffK52/KHq/ZpysOwaSJvNYn8Xg6C+OSnd/4Fe1y:rkDgsGW+VT4q8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 4220)
    • Executing a file with an untrusted certificate

      • MADARA.exe (PID: 7012)
      • MADARA.exe (PID: 2432)
    • Starts NET.EXE for service management

      • net.exe (PID: 496)
      • MADARA.exe (PID: 2432)
      • net.exe (PID: 1116)
  • SUSPICIOUS

    • ADVANCEDINSTALLER mutex has been found

      • netlimiter-5.3.23.0.exe (PID: 7904)
    • Executable content was dropped or overwritten

      • netlimiter-5.3.23.0.exe (PID: 7904)
      • netlimiter-5.3.23.0.exe (PID: 4620)
      • MADARA.exe (PID: 2432)
    • Adds/modifies Windows certificates

      • netlimiter-5.3.23.0.exe (PID: 7904)
    • Process drops legitimate windows executable

      • netlimiter-5.3.23.0.exe (PID: 7904)
      • msiexec.exe (PID: 8180)
      • netlimiter-5.3.23.0.exe (PID: 4620)
      • msiexec.exe (PID: 7496)
      • msiexec.exe (PID: 8036)
    • Reads Internet Explorer settings

      • netlimiter-5.3.23.0.exe (PID: 7904)
    • Reads security settings of Internet Explorer

      • netlimiter-5.3.23.0.exe (PID: 7904)
      • NLClientApp.exe (PID: 7292)
    • Application launched itself

      • netlimiter-5.3.23.0.exe (PID: 7904)
    • The process drops C-runtime libraries

      • msiexec.exe (PID: 8180)
      • msiexec.exe (PID: 7496)
    • Executes as Windows Service

      • VSSVC.exe (PID: 680)
      • NLSvc.exe (PID: 7568)
      • NLSvc.exe (PID: 4112)
    • There is functionality for taking screenshot (YARA)

      • netlimiter-5.3.23.0.exe (PID: 7904)
    • Creates a file in the system drive root

      • MADARA.exe (PID: 2432)
    • Detects AdvancedInstaller (YARA)

      • netlimiter-5.3.23.0.exe (PID: 7904)
    • Drops a system driver (possible attempt to evade defenses)

      • msiexec.exe (PID: 8036)
      • netlimiter-5.3.23.0.exe (PID: 7904)
    • The process creates files with name similar to system file names

      • netlimiter-5.3.23.0.exe (PID: 7904)
  • INFO

    • Manual execution by a user

      • netlimiter-5.3.23.0.exe (PID: 7904)
      • netlimiter-5.3.23.0.exe (PID: 7848)
      • MADARA.exe (PID: 2432)
      • MADARA.exe (PID: 7012)
      • NLClientApp.exe (PID: 7844)
      • NLClientApp.exe (PID: 4012)
    • The sample was compiled with English language support

      • WinRAR.exe (PID: 4220)
      • netlimiter-5.3.23.0.exe (PID: 7904)
      • msiexec.exe (PID: 8180)
      • netlimiter-5.3.23.0.exe (PID: 4620)
      • msiexec.exe (PID: 8036)
      • msiexec.exe (PID: 7496)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 4220)
      • msiexec.exe (PID: 8180)
      • msiexec.exe (PID: 8036)
      • msiexec.exe (PID: 7496)
    • Checks supported languages

      • netlimiter-5.3.23.0.exe (PID: 7904)
      • msiexec.exe (PID: 8180)
      • netlimiter-5.3.23.0.exe (PID: 4620)
      • msiexec.exe (PID: 6268)
      • NLSvc.exe (PID: 7568)
      • msiexec.exe (PID: 8036)
      • NLSvc.exe (PID: 4112)
    • Reads Environment values

      • netlimiter-5.3.23.0.exe (PID: 7904)
      • msiexec.exe (PID: 8180)
      • msiexec.exe (PID: 7496)
    • Reads the computer name

      • netlimiter-5.3.23.0.exe (PID: 7904)
      • msiexec.exe (PID: 8036)
      • netlimiter-5.3.23.0.exe (PID: 4620)
    • Reads the machine GUID from the registry

      • netlimiter-5.3.23.0.exe (PID: 7904)
      • MADARA.exe (PID: 2432)
      • NLSvc.exe (PID: 7568)
      • NLClientApp.exe (PID: 7292)
      • NLClientApp.exe (PID: 4012)
    • Creates files or folders in the user directory

      • netlimiter-5.3.23.0.exe (PID: 7904)
      • BackgroundTransferHost.exe (PID: 3240)
    • Reads the software policy settings

      • netlimiter-5.3.23.0.exe (PID: 7904)
      • BackgroundTransferHost.exe (PID: 3240)
      • netlimiter-5.3.23.0.exe (PID: 4620)
      • msiexec.exe (PID: 8036)
      • NLSvc.exe (PID: 7568)
      • NLClientApp.exe (PID: 7292)
      • NLClientApp.exe (PID: 4012)
    • Checks proxy server information

      • netlimiter-5.3.23.0.exe (PID: 7904)
      • BackgroundTransferHost.exe (PID: 3240)
    • Reads security settings of Internet Explorer

      • BackgroundTransferHost.exe (PID: 8120)
      • BackgroundTransferHost.exe (PID: 3240)
      • BackgroundTransferHost.exe (PID: 7632)
      • BackgroundTransferHost.exe (PID: 7240)
    • Creates files in a temporary directory

      • netlimiter-5.3.23.0.exe (PID: 7904)
      • msiexec.exe (PID: 8180)
      • netlimiter-5.3.23.0.exe (PID: 4620)
    • Manages system restore points

      • SrTasks.exe (PID: 7640)
    • Creates files in the program directory

      • NLSvc.exe (PID: 7568)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0008
ZipCompression: Deflated
ZipModifyDate: 2025:03:14 03:42:20
ZipCRC: 0x1c0dd40f
ZipCompressedSize: 8542198
ZipUncompressedSize: 10771616
ZipFileName: netlimiter-5.3.23.0.exe
No data.
All screenshots are available in the full report
Total processes
179
Monitored processes
37
Malicious processes
3
Suspicious processes
1

Behavior graph

start winrar.exe sppextcomobj.exe no specs slui.exe netlimiter-5.3.23.0.exe no specs netlimiter-5.3.23.0.exe msiexec.exe backgroundtransferhost.exe no specs msiexec.exe backgroundtransferhost.exe backgroundtransferhost.exe no specs backgroundtransferhost.exe no specs backgroundtransferhost.exe no specs netlimiter-5.3.23.0.exe vssvc.exe no specs rundll32.exe no specs madara.exe no specs madara.exe srtasks.exe no specs conhost.exe no specs msiexec.exe msiexec.exe no specs nlsvc.exe no specs conhost.exe no specs nlsvc.exe nlclientapp.exe no specs slui.exe net.exe no specs conhost.exe no specs net1.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs nlsvc.exe no specs shellexperiencehost.exe no specs nlclientapp.exe no specs nlclientapp.exe no specs nlsvcclicnncheck.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID:
496
CMD:
"C:\Windows\System32\net.exe" start nlsvc
Path:
C:\Windows\SysWOW64\net.exe
Parent process:
MADARA.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
680
CMD:
C:\WINDOWS\system32\vssvc.exe
Path:
C:\Windows\System32\VSSVC.exe
Parent process:
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1116
CMD:
"C:\Windows\System32\net.exe" stop nlsvc
Path:
C:\Windows\SysWOW64\net.exe
Parent process:
MADARA.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
2432
CMD:
"C:\Users\admin\Desktop\Patch\MADARA.exe"
Path:
C:\Users\admin\Desktop\Patch\MADARA.exe
Parent process:
explorer.exe
User:
admin
Company:
Cracking the code 4 fun!
Integrity Level:
HIGH
Description:
Project X
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\patch\madara.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ole32.dll
PID:
3240
CMD:
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Path:
C:\Windows\System32\BackgroundTransferHost.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Download/Upload Host
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\backgroundtransferhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\bcryptprimitives.dll
PID:
4012
CMD:
"C:\Program Files\Locktime Software\NetLimiter\NLClientApp.exe"
Path:
C:\Program Files\Locktime Software\NetLimiter\NLClientApp.exe
Parent process:
explorer.exe
User:
admin
Company:
Locktime Software
Integrity Level:
MEDIUM
Description:
NetLimiter Client
Exit code:
0
Version:
5.3.23.0
Modules
Images
c:\program files\locktime software\netlimiter\nlclientapp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID:
4112
CMD:
"C:\Program Files\Locktime Software\NetLimiter\NLSvc.exe"
Path:
C:\Program Files\Locktime Software\NetLimiter\NLSvc.exe
Parent process:
services.exe
User:
SYSTEM
Company:
Locktime Software
Integrity Level:
SYSTEM
Description:
NLSvc
Version:
5.3.23.0
Modules
Images
c:\program files\locktime software\netlimiter\nlsvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID:
4172
CMD:
"C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
Path:
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Shell Experience Host
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\dxgi.dll
PID:
4220
CMD:
"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\netlimiter-5.3.23.0.zip
Path:
C:\Program Files\WinRAR\WinRAR.exe
Parent process:
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID:
4620
CMD:
"C:\Users\admin\Desktop\netlimiter-5.3.23.0.exe" /i C:\Users\admin\AppData\Local\Temp\{99A7ADDA-C158-4120-943E-1AE60AC56D0C}\AC56D0C\netlimiter-5.3.23.0.x64.msi AI_EUIMSI=1 APPDIR="C:\Program Files\Locktime Software\NetLimiter" SECONDSEQUENCE="1" CLIENTPROCESSID="7904" AI_MORE_CMD_LINE=1
Path:
C:\Users\admin\Desktop\netlimiter-5.3.23.0.exe
Parent process:
netlimiter-5.3.23.0.exe
User:
admin
Company:
Locktime Software
Integrity Level:
HIGH
Description:
NetLimiter Installer
Exit code:
0
Version:
5.3.23.0
Modules
Images
c:\users\admin\desktop\netlimiter-5.3.23.0.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events
45 450
Read events
44 890
Write events
532
Delete events
28

Modification events

PID: 4220
Process: WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 3
Value:
C:\Users\admin\Desktop\preferences.zip

PID: 4220
Process: WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 2
Value:
C:\Users\admin\Desktop\chromium_ext.zip

PID: 4220
Process: WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip

PID: 4220
Process: WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value:
C:\Users\admin\AppData\Local\Temp\netlimiter-5.3.23.0.zip

PID: 4220
Process: WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value:
120

PID: 4220
Process: WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value:
80

PID: 4220
Process: WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value:
120

PID: 4220
Process: WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value:
100

PID: 7904
Process: netlimiter-5.3.23.0.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates
Operation: delete value
Name: 4EFC31460C619ECAE59C1BCE2C008036D94C84B8
Value:

PID: 7904
Process: netlimiter-5.3.23.0.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8
Operation: write
Name: Blob
Value:
Executable files
505
Suspicious files
73
Text files
110
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 7904
Process: netlimiter-5.3.23.0.exe
Filename: C:\Users\admin\AppData\Local\Temp\{99A7ADDA-C158-4120-943E-1AE60AC56D0C}\holder0.aiph
Type:
MD5:
SHA256:

PID: 4220
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa4220.38297\Patch\MADARA.exe
Type: executable
MD5: 09216B5463A1E0BDAEF49C69EA7DB162
SHA256: 8F3E0D26DD7D92DB2F404996A080721977FFDD458526348414C75867A8615E3C

PID: 7904
Process: netlimiter-5.3.23.0.exe
Filename: C:\Users\admin\AppData\Local\Temp\{99A7ADDA-C158-4120-943E-1AE60AC56D0C}\AC56D0C\netlimiter-5.3.23.0.x64.msi
Type: executable
MD5: 0FD447E7043F012F7CECB3C3F194BC62
SHA256: 259F8E166C62E872AE1006BE3956D737555B8173E4FCB4C16175CB6FA97B5C41

PID: 7904
Process: netlimiter-5.3.23.0.exe
Filename: C:\Users\admin\AppData\Local\Temp\{99A7ADDA-C158-4120-943E-1AE60AC56D0C}\AC56D0C\netlimiter-5.3.23.0.msi
Type: executable
MD5: 755217DE39003A7C5F4B8BAE6174B770
SHA256: ECBC4778A5DF0FD62694F950C91CDA795CD3FC77B9F1D200469AB96712FB1C5A

PID: 7904
Process: netlimiter-5.3.23.0.exe
Filename: C:\Users\admin\AppData\Local\Temp\MSI104B.tmp
Type: executable
MD5: DB7612F0FD6408D664185CFC81BEF0CB
SHA256: E9E426B679B3EFB233F03C696E997E2DA3402F16A321E954B54454317FCEB240

PID: 7904
Process: netlimiter-5.3.23.0.exe
Filename: C:\Users\admin\AppData\Local\Temp\AI_EXTUI_BIN_7904\remove.png
Type: image
MD5: 897B1844BCA99F42FA3D527FF2091133
SHA256: 3A05E6DECEA8E68C1946E82AB0F9197715D579B6B199F3A69BD958B7327D0BFE

PID: 7904
Process: netlimiter-5.3.23.0.exe
Filename: C:\Users\admin\AppData\Local\Temp\AI_EXTUI_BIN_7904\whitebackground
Type: image
MD5: EB93C0ABAE8A7DE7AE6DC3755B12C802
SHA256: EDA260871BBA09273B71A165DC8B4F254B186046AB383722DC2D8803FA698725

PID: 7904
Process: netlimiter-5.3.23.0.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_E6F24C84455822F37E36BD9E2116AD33
Type: binary
MD5: 93A0D84CE2535A4DAE6E2F994760B8D1
SHA256: 7AD22CA6EBC6B2D488E4889E6820D08335F9709FA7DBCBCDE1C15946952CA08B

PID: 7904
Process: netlimiter-5.3.23.0.exe
Filename: C:\Users\admin\AppData\Local\Temp\AI_EXTUI_BIN_7904\frame_bottom_left.bmp
Type: image
MD5: 1FB3755FE9676FCA35B8D3C6A8E80B45
SHA256: 384EBD5800BECADF3BD9014686E6CC09344F75CE426E966D788EB5473B28AA21

PID: 7904
Process: netlimiter-5.3.23.0.exe
Filename: C:\Users\admin\AppData\Local\Temp\AI_EXTUI_BIN_7904\repair.png
Type: image
MD5: CE23E801FACF4DC9980692913ECC5FB3
SHA256: A8856BD3783A5FC30504FD8AFCFABAA8295ECEFC0D91E5CDD00453F2137495D3
Download the PCAP, analyze network streams, HTTP content and more in the full report
HTTP(S) requests
10
TCP/UDP connections
35
DNS requests
20
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
3676
backgroundTaskHost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
7904
netlimiter-5.3.23.0.exe
GET
200
104.18.21.226:80
http://ocsp.globalsign.com/codesigningrootr45/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQVFZP5vqhCrtRN5SWf40Rn6NM1IAQUHwC%2FRoAK%2FHg5t6W0Q9lWULvOljsCEHe9DgW3WQu2HUdhUx4%2Fde0%3D
unknown
whitelisted
7904
netlimiter-5.3.23.0.exe
GET
200
104.18.21.226:80
http://ocsp.globalsign.com/gsgccr45evcodesignca2020/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQaCbVYh07WONuW4e63Ydlu4AlbDAQUJZ3Q%2FFkJhmPF7POxEztXHAOSNhECDEX685ZejurnNJyDZQ%3D%3D
unknown
whitelisted
3240
BackgroundTransferHost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
7976
SIHClient.exe
GET
200
69.192.161.161:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
7976
SIHClient.exe
GET
200
69.192.161.161:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
GET
200
23.48.23.141:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
7568
NLSvc.exe
GET
200
104.18.21.226:80
http://ocsp.globalsign.com/gsgccr45evcodesignca2020/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQaCbVYh07WONuW4e63Ydlu4AlbDAQUJZ3Q%2FFkJhmPF7POxEztXHAOSNhECDEX685ZejurnNJyDZQ%3D%3D
unknown
whitelisted
7568
NLSvc.exe
GET
200
104.18.21.226:80
http://ocsp.globalsign.com/codesigningrootr45/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQVFZP5vqhCrtRN5SWf40Rn6NM1IAQUHwC%2FRoAK%2FHg5t6W0Q9lWULvOljsCEHe9DgW3WQu2HUdhUx4%2Fde0%3D
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.255:138
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
23.48.23.141:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4
System
192.168.100.255:137
whitelisted
3216
svchost.exe
40.113.103.199:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
20.190.159.0:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6544
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
2104
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3676
backgroundTaskHost.exe
20.223.35.26:443
arc.msn.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3676
backgroundTaskHost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.184.206
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
  • 51.104.136.2
whitelisted
crl.microsoft.com
  • 23.48.23.141
  • 23.48.23.147
  • 23.48.23.150
  • 23.48.23.140
  • 23.48.23.161
  • 23.48.23.145
  • 23.48.23.158
  • 23.48.23.146
  • 23.48.23.143
whitelisted
client.wns.windows.com
  • 40.113.103.199
  • 20.197.71.89
whitelisted
login.live.com
  • 20.190.159.0
  • 40.126.31.73
  • 40.126.31.1
  • 40.126.31.0
  • 20.190.159.23
  • 20.190.159.71
  • 40.126.31.129
  • 40.126.31.71
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
arc.msn.com
  • 20.223.35.26
whitelisted
ocsp.globalsign.com
  • 104.18.21.226
  • 104.18.20.226
whitelisted
www.bing.com
  • 92.123.104.33
  • 92.123.104.6
  • 92.123.104.62
  • 92.123.104.46
  • 92.123.104.67
  • 92.123.104.7
  • 92.123.104.43
  • 92.123.104.64
  • 92.123.104.47
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted

Threats

No threats detected
No debug info