File name:

netlimiter-5.3.23.0.zip

Full analysis: https://app.any.run/tasks/e4ac9183-e260-48e9-a94e-46fe10d9ec84
Verdict: Malicious activity
Analysis date: March 18, 2025, 19:27:30
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
arch-exec
arch-doc
advancedinstaller
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:

73DFB44B3CD426D607E2EE65902FA618

SHA1:

35856E9FA9A32D9A1321833AC7EB576CA3DDEDFF

SHA256:

630FBADDA2DD6580B330D87444BFCBDDC2852D272AD3E6E31F789DA10388DB61

SSDEEP:

98304:q8JU3GnIT5JH4Ou//Ctorw66UffK52/KHq/ZpysOwaSJvNYn8Xg6C+OSnd/4Fe1y:rkDgsGW+VT4q8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 4220)
    • Executing a file with an untrusted certificate

      • MADARA.exe (PID: 7012)
      • MADARA.exe (PID: 2432)
    • Starts NET.EXE for service management

      • MADARA.exe (PID: 2432)
      • net.exe (PID: 1116)
      • net.exe (PID: 496)
  • SUSPICIOUS

    • ADVANCEDINSTALLER mutex has been found

      • netlimiter-5.3.23.0.exe (PID: 7904)
    • Executable content was dropped or overwritten

      • netlimiter-5.3.23.0.exe (PID: 7904)
      • netlimiter-5.3.23.0.exe (PID: 4620)
      • MADARA.exe (PID: 2432)
    • Adds/modifies Windows certificates

      • netlimiter-5.3.23.0.exe (PID: 7904)
    • Process drops legitimate windows executable

      • netlimiter-5.3.23.0.exe (PID: 7904)
      • msiexec.exe (PID: 8180)
      • netlimiter-5.3.23.0.exe (PID: 4620)
      • msiexec.exe (PID: 7496)
      • msiexec.exe (PID: 8036)
    • The process drops C-runtime libraries

      • msiexec.exe (PID: 8180)
      • msiexec.exe (PID: 7496)
    • Reads Internet Explorer settings

      • netlimiter-5.3.23.0.exe (PID: 7904)
    • Application launched itself

      • netlimiter-5.3.23.0.exe (PID: 7904)
    • Reads security settings of Internet Explorer

      • netlimiter-5.3.23.0.exe (PID: 7904)
      • NLClientApp.exe (PID: 7292)
    • Detects AdvancedInstaller (YARA)

      • netlimiter-5.3.23.0.exe (PID: 7904)
    • There is functionality for taking screenshot (YARA)

      • netlimiter-5.3.23.0.exe (PID: 7904)
    • Executes as Windows Service

      • VSSVC.exe (PID: 680)
      • NLSvc.exe (PID: 7568)
      • NLSvc.exe (PID: 4112)
    • Creates file in the systems drive root

      • MADARA.exe (PID: 2432)
    • The process creates files with name similar to system file names

      • netlimiter-5.3.23.0.exe (PID: 7904)
    • Drops a system driver (possible attempt to evade defenses)

      • netlimiter-5.3.23.0.exe (PID: 7904)
      • msiexec.exe (PID: 8036)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 4220)
      • msiexec.exe (PID: 8180)
      • msiexec.exe (PID: 8036)
      • msiexec.exe (PID: 7496)
    • Manual execution by a user

      • netlimiter-5.3.23.0.exe (PID: 7848)
      • netlimiter-5.3.23.0.exe (PID: 7904)
      • MADARA.exe (PID: 2432)
      • MADARA.exe (PID: 7012)
      • NLClientApp.exe (PID: 7844)
      • NLClientApp.exe (PID: 4012)
    • Checks supported languages

      • netlimiter-5.3.23.0.exe (PID: 7904)
      • msiexec.exe (PID: 8180)
      • netlimiter-5.3.23.0.exe (PID: 4620)
      • msiexec.exe (PID: 8036)
      • msiexec.exe (PID: 6268)
      • NLSvc.exe (PID: 7568)
      • NLSvc.exe (PID: 4112)
    • The sample compiled with english language support

      • WinRAR.exe (PID: 4220)
      • netlimiter-5.3.23.0.exe (PID: 7904)
      • msiexec.exe (PID: 8180)
      • msiexec.exe (PID: 8036)
      • msiexec.exe (PID: 7496)
      • netlimiter-5.3.23.0.exe (PID: 4620)
    • Reads Environment values

      • netlimiter-5.3.23.0.exe (PID: 7904)
      • msiexec.exe (PID: 8180)
      • msiexec.exe (PID: 7496)
    • Reads the machine GUID from the registry

      • netlimiter-5.3.23.0.exe (PID: 7904)
      • MADARA.exe (PID: 2432)
      • NLSvc.exe (PID: 7568)
      • NLClientApp.exe (PID: 7292)
      • NLClientApp.exe (PID: 4012)
    • Reads the computer name

      • netlimiter-5.3.23.0.exe (PID: 7904)
      • msiexec.exe (PID: 8036)
      • netlimiter-5.3.23.0.exe (PID: 4620)
    • Creates files or folders in the user directory

      • netlimiter-5.3.23.0.exe (PID: 7904)
      • BackgroundTransferHost.exe (PID: 3240)
    • Checks proxy server information

      • netlimiter-5.3.23.0.exe (PID: 7904)
      • BackgroundTransferHost.exe (PID: 3240)
    • Reads the software policy settings

      • netlimiter-5.3.23.0.exe (PID: 7904)
      • BackgroundTransferHost.exe (PID: 3240)
      • netlimiter-5.3.23.0.exe (PID: 4620)
      • msiexec.exe (PID: 8036)
      • NLSvc.exe (PID: 7568)
      • NLClientApp.exe (PID: 7292)
      • NLClientApp.exe (PID: 4012)
    • Reads security settings of Internet Explorer

      • BackgroundTransferHost.exe (PID: 8120)
      • BackgroundTransferHost.exe (PID: 3240)
      • BackgroundTransferHost.exe (PID: 7240)
      • BackgroundTransferHost.exe (PID: 7632)
    • Create files in a temporary directory

      • netlimiter-5.3.23.0.exe (PID: 7904)
      • msiexec.exe (PID: 8180)
      • netlimiter-5.3.23.0.exe (PID: 4620)
    • Manages system restore points

      • SrTasks.exe (PID: 7640)
    • Creates files in the program directory

      • NLSvc.exe (PID: 7568)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0008
ZipCompression: Deflated
ZipModifyDate: 2025:03:14 03:42:20
ZipCRC: 0x1c0dd40f
ZipCompressedSize: 8542198
ZipUncompressedSize: 10771616
ZipFileName: netlimiter-5.3.23.0.exe
No data.
All screenshots are available in the full report
Total processes
179
Monitored processes
37
Malicious processes
3
Suspicious processes
1

Behavior graph

Processes in the behavior graph, in graph order ("no specs" marks processes for which the report holds no detailed information):
  • winrar.exe
  • sppextcomobj.exe (no specs)
  • slui.exe
  • netlimiter-5.3.23.0.exe (no specs)
  • netlimiter-5.3.23.0.exe
  • msiexec.exe
  • backgroundtransferhost.exe (no specs)
  • msiexec.exe
  • backgroundtransferhost.exe
  • backgroundtransferhost.exe (no specs)
  • backgroundtransferhost.exe (no specs)
  • backgroundtransferhost.exe (no specs)
  • netlimiter-5.3.23.0.exe
  • vssvc.exe (no specs)
  • rundll32.exe (no specs)
  • madara.exe (no specs)
  • madara.exe
  • srtasks.exe (no specs)
  • conhost.exe (no specs)
  • msiexec.exe
  • msiexec.exe (no specs)
  • nlsvc.exe (no specs)
  • conhost.exe (no specs)
  • nlsvc.exe
  • nlclientapp.exe (no specs)
  • slui.exe
  • net.exe (no specs)
  • conhost.exe (no specs)
  • net1.exe (no specs)
  • net.exe (no specs)
  • conhost.exe (no specs)
  • net1.exe (no specs)
  • nlsvc.exe (no specs)
  • shellexperiencehost.exe (no specs)
  • nlclientapp.exe (no specs)
  • nlclientapp.exe (no specs)
  • nlsvcclicnncheck.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID:
496
CMD:
"C:\Windows\System32\net.exe" start nlsvc
Path:
C:\Windows\SysWOW64\net.exe
Parent process:
MADARA.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
680
CMD:
C:\WINDOWS\system32\vssvc.exe
Path:
C:\Windows\System32\VSSVC.exe
Parent process:
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1116
CMD:
"C:\Windows\System32\net.exe" stop nlsvc
Path:
C:\Windows\SysWOW64\net.exe
Parent process:
MADARA.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
2432
CMD:
"C:\Users\admin\Desktop\Patch\MADARA.exe"
Path:
C:\Users\admin\Desktop\Patch\MADARA.exe
Parent process:
explorer.exe
User:
admin
Company:
Cracking the code 4 fun!
Integrity Level:
HIGH
Description:
Project X
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\patch\madara.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ole32.dll
PID:
3240
CMD:
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Path:
C:\Windows\System32\BackgroundTransferHost.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Download/Upload Host
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\backgroundtransferhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\bcryptprimitives.dll
PID:
4012
CMD:
"C:\Program Files\Locktime Software\NetLimiter\NLClientApp.exe"
Path:
C:\Program Files\Locktime Software\NetLimiter\NLClientApp.exe
Parent process:
explorer.exe
User:
admin
Company:
Locktime Software
Integrity Level:
MEDIUM
Description:
NetLimiter Client
Exit code:
0
Version:
5.3.23.0
Modules
Images
c:\program files\locktime software\netlimiter\nlclientapp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID:
4112
CMD:
"C:\Program Files\Locktime Software\NetLimiter\NLSvc.exe"
Path:
C:\Program Files\Locktime Software\NetLimiter\NLSvc.exe
Parent process:
services.exe
User:
SYSTEM
Company:
Locktime Software
Integrity Level:
SYSTEM
Description:
NLSvc
Version:
5.3.23.0
Modules
Images
c:\program files\locktime software\netlimiter\nlsvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID:
4172
CMD:
"C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
Path:
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Shell Experience Host
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\dxgi.dll
PID:
4220
CMD:
"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\netlimiter-5.3.23.0.zip
Path:
C:\Program Files\WinRAR\WinRAR.exe
Parent process:
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID:
4620
CMD:
"C:\Users\admin\Desktop\netlimiter-5.3.23.0.exe" /i C:\Users\admin\AppData\Local\Temp\{99A7ADDA-C158-4120-943E-1AE60AC56D0C}\AC56D0C\netlimiter-5.3.23.0.x64.msi AI_EUIMSI=1 APPDIR="C:\Program Files\Locktime Software\NetLimiter" SECONDSEQUENCE="1" CLIENTPROCESSID="7904" AI_MORE_CMD_LINE=1
Path:
C:\Users\admin\Desktop\netlimiter-5.3.23.0.exe
Parent process:
netlimiter-5.3.23.0.exe
User:
admin
Company:
Locktime Software
Integrity Level:
HIGH
Description:
NetLimiter Installer
Exit code:
0
Version:
5.3.23.0
Modules
Images
c:\users\admin\desktop\netlimiter-5.3.23.0.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events
45 450
Read events
44 890
Write events
532
Delete events
28

Modification events

(PID) Process:
(4220) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:
write
Name:
3
Value:
C:\Users\admin\Desktop\preferences.zip
(PID) Process:
(4220) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:
write
Name:
2
Value:
C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:
(4220) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:
write
Name:
1
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:
(4220) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:
write
Name:
0
Value:
C:\Users\admin\AppData\Local\Temp\netlimiter-5.3.23.0.zip
(PID) Process:
(4220) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:
write
Name:
name
Value:
120
(PID) Process:
(4220) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:
write
Name:
size
Value:
80
(PID) Process:
(4220) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:
write
Name:
type
Value:
120
(PID) Process:
(4220) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:
write
Name:
mtime
Value:
100
(PID) Process:
(7904) netlimiter-5.3.23.0.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates
Operation:
delete value
Name:
4EFC31460C619ECAE59C1BCE2C008036D94C84B8
Value:
(PID) Process:
(7904) netlimiter-5.3.23.0.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8
Operation:
write
Name:
Blob
Value:
Executable files
505
Suspicious files
73
Text files
110
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID:
7904
Process:
netlimiter-5.3.23.0.exe
Filename:
C:\Users\admin\AppData\Local\Temp\{99A7ADDA-C158-4120-943E-1AE60AC56D0C}\holder0.aiph
Type:
MD5:
SHA256:
PID:
4220
Process:
WinRAR.exe
Filename:
C:\Users\admin\AppData\Local\Temp\Rar$DRa4220.38297\Patch\Patch-MADARA.rar
Type:
compressed
MD5:
2FD2F9E4AE73749C38F6931C0BA3FA2C
SHA256:
E1D796F236EAD8121724677852D856387C10E21ABAD60A5FC97E760CEBF42CEF
PID:
4220
Process:
WinRAR.exe
Filename:
C:\Users\admin\AppData\Local\Temp\Rar$DRa4220.38297\netlimiter-5.3.23.0.exe
Type:
executable
MD5:
1C4E30C0277FFAF4B8D5BC23DD642BE9
SHA256:
DB894051FE03939EB04318DC763D58A480ECFE2527A76B388C89D7556303C594
PID:
7904
Process:
netlimiter-5.3.23.0.exe
Filename:
C:\Users\admin\AppData\Local\Temp\{99A7ADDA-C158-4120-943E-1AE60AC56D0C}\AC56D0C\netlimiter-5.3.23.0.x64.msi
Type:
executable
MD5:
0FD447E7043F012F7CECB3C3F194BC62
SHA256:
259F8E166C62E872AE1006BE3956D737555B8173E4FCB4C16175CB6FA97B5C41
PID:
4220
Process:
WinRAR.exe
Filename:
C:\Users\admin\AppData\Local\Temp\Rar$DRa4220.38297\Patch\MADARA.exe
Type:
executable
MD5:
09216B5463A1E0BDAEF49C69EA7DB162
SHA256:
8F3E0D26DD7D92DB2F404996A080721977FFDD458526348414C75867A8615E3C
PID:
7904
Process:
netlimiter-5.3.23.0.exe
Filename:
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E
Type:
binary
MD5:
07011C5C5506EC5A9714099BBEAF3963
SHA256:
D48A7B4863026FF84FE51AF8DC76EA0E3C300F99761D4A3FA8CAFAAA0BABB8B4
PID:
7904
Process:
netlimiter-5.3.23.0.exe
Filename:
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E
Type:
binary
MD5:
63EDB52F717658CDA31EFF493EB6F4C2
SHA256:
A82EE7965750D8262EA4DFF2C6135116F072BB7BFA572EC8B509AA96E4E116D4
PID:
7904
Process:
netlimiter-5.3.23.0.exe
Filename:
C:\Users\admin\AppData\Local\Temp\AI_EXTUI_BIN_7904\backgroundimage
Type:
MD5:
A0EFB0E7B9CEE25B09E09A1A64E96BA6
SHA256:
F044F542BC46464054084C63596877F06C6E2C215C0E954C4ACE9787CED82787
PID:
7904
Process:
netlimiter-5.3.23.0.exe
Filename:
C:\Users\admin\AppData\Local\Temp\MSI104B.tmp
Type:
executable
MD5:
DB7612F0FD6408D664185CFC81BEF0CB
SHA256:
E9E426B679B3EFB233F03C696E997E2DA3402F16A321E954B54454317FCEB240
PID:
7904
Process:
netlimiter-5.3.23.0.exe
Filename:
C:\Users\admin\AppData\Local\Temp\{99A7ADDA-C158-4120-943E-1AE60AC56D0C}\AC56D0C\netlimiter-5.3.23.0.msi
Type:
executable
MD5:
755217DE39003A7C5F4B8BAE6174B770
SHA256:
ECBC4778A5DF0FD62694F950C91CDA795CD3FC77B9F1D200469AB96712FB1C5A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
35
DNS requests
20
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
7904
netlimiter-5.3.23.0.exe
GET
200
104.18.21.226:80
http://ocsp.globalsign.com/codesigningrootr45/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQVFZP5vqhCrtRN5SWf40Rn6NM1IAQUHwC%2FRoAK%2FHg5t6W0Q9lWULvOljsCEHe9DgW3WQu2HUdhUx4%2Fde0%3D
unknown
whitelisted
7904
netlimiter-5.3.23.0.exe
GET
200
104.18.21.226:80
http://ocsp.globalsign.com/gsgccr45evcodesignca2020/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQaCbVYh07WONuW4e63Ydlu4AlbDAQUJZ3Q%2FFkJhmPF7POxEztXHAOSNhECDEX685ZejurnNJyDZQ%3D%3D
unknown
whitelisted
3676
backgroundTaskHost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
GET
200
23.48.23.141:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
3240
BackgroundTransferHost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
7976
SIHClient.exe
GET
200
69.192.161.161:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
7976
SIHClient.exe
GET
200
69.192.161.161:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
7568
NLSvc.exe
GET
200
104.18.21.226:80
http://ocsp.globalsign.com/codesigningrootr45/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQVFZP5vqhCrtRN5SWf40Rn6NM1IAQUHwC%2FRoAK%2FHg5t6W0Q9lWULvOljsCEHe9DgW3WQu2HUdhUx4%2Fde0%3D
unknown
whitelisted
7568
NLSvc.exe
GET
200
104.18.21.226:80
http://ocsp.globalsign.com/gsgccr45evcodesignca2020/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQaCbVYh07WONuW4e63Ydlu4AlbDAQUJZ3Q%2FFkJhmPF7POxEztXHAOSNhECDEX685ZejurnNJyDZQ%3D%3D
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.255:138
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
23.48.23.141:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4
System
192.168.100.255:137
whitelisted
3216
svchost.exe
40.113.103.199:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
20.190.159.0:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6544
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
2104
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3676
backgroundTaskHost.exe
20.223.35.26:443
arc.msn.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3676
backgroundTaskHost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.184.206
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
  • 51.104.136.2
whitelisted
crl.microsoft.com
  • 23.48.23.141
  • 23.48.23.147
  • 23.48.23.150
  • 23.48.23.140
  • 23.48.23.161
  • 23.48.23.145
  • 23.48.23.158
  • 23.48.23.146
  • 23.48.23.143
whitelisted
client.wns.windows.com
  • 40.113.103.199
  • 20.197.71.89
whitelisted
login.live.com
  • 20.190.159.0
  • 40.126.31.73
  • 40.126.31.1
  • 40.126.31.0
  • 20.190.159.23
  • 20.190.159.71
  • 40.126.31.129
  • 40.126.31.71
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
arc.msn.com
  • 20.223.35.26
whitelisted
ocsp.globalsign.com
  • 104.18.21.226
  • 104.18.20.226
whitelisted
www.bing.com
  • 92.123.104.33
  • 92.123.104.6
  • 92.123.104.62
  • 92.123.104.46
  • 92.123.104.67
  • 92.123.104.7
  • 92.123.104.43
  • 92.123.104.64
  • 92.123.104.47
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted

Threats

No threats detected
No debug info