URL: https://hide.me/en/

Full analysis: https://app.any.run/tasks/cc93984c-1ae9-4d74-93d6-5b0b6a8c20bc
Verdict: Malicious activity
Analysis date: June 10, 2025, 19:00:38
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: arch-scr, delphi, inno, installer
Indicators:
MD5: C6C27CD6E83155BE6BD915E15A17942C
SHA1: 4945A2B395DBF247564F153CEDFFFA00185D5DC7
SHA256: B3F89EF353A956126E5ED7BDD2866C1E1F7B5CA478C43E0D40FB548314A2D477
SSDEEP: 3:N8w28AvKn:2wp9n

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • windowsdesktop-runtime-6.0.36-win-x64.exe (PID: 6356)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • Hide.me-Setup-4.3.1.tmp (PID: 2320)
      • Hide.me-Setup-4.3.1.tmp (PID: 7996)
      • NetRuntimeInstaller.exe (PID: 8164)
    • Executable content was dropped or overwritten

      • Hide.me-Setup-4.3.1.exe (PID: 3588)
      • Hide.me-Setup-4.3.1.exe (PID: 7980)
      • NetRuntimeInstaller.exe (PID: 8064)
      • windowsdesktop-runtime-6.0.36-win-x64.exe (PID: 6356)
      • NetRuntimeInstaller.exe (PID: 8164)
      • NetRuntimeInstaller86.exe (PID: 2468)
      • NetRuntimeInstaller86.exe (PID: 6128)
      • windowsdesktop-runtime-6.0.36-win-x86.exe (PID: 7224)
      • Hide.me-Setup-4.3.1.tmp (PID: 7996)
      • drvinst.exe (PID: 3576)
      • drvinst.exe (PID: 6308)
      • hidemesvc.exe (PID: 7820)
    • Reads the Windows owner or organization settings

      • Hide.me-Setup-4.3.1.tmp (PID: 7996)
      • msiexec.exe (PID: 6672)
    • Starts a Microsoft application from unusual location

      • NetRuntimeInstaller.exe (PID: 8064)
      • NetRuntimeInstaller.exe (PID: 8164)
      • windowsdesktop-runtime-6.0.36-win-x64.exe (PID: 6356)
      • NetRuntimeInstaller86.exe (PID: 6128)
      • windowsdesktop-runtime-6.0.36-win-x86.exe (PID: 7224)
      • NetRuntimeInstaller86.exe (PID: 2468)
    • Process drops legitimate windows executable

      • NetRuntimeInstaller.exe (PID: 8064)
      • NetRuntimeInstaller.exe (PID: 8164)
      • windowsdesktop-runtime-6.0.36-win-x64.exe (PID: 6356)
      • msiexec.exe (PID: 6672)
      • NetRuntimeInstaller86.exe (PID: 2468)
      • NetRuntimeInstaller86.exe (PID: 6128)
      • Hide.me-Setup-4.3.1.tmp (PID: 7996)
      • windowsdesktop-runtime-6.0.36-win-x86.exe (PID: 7224)
    • Starts itself from another location

      • NetRuntimeInstaller.exe (PID: 8164)
      • NetRuntimeInstaller86.exe (PID: 6128)
    • Creates a software uninstall entry

      • windowsdesktop-runtime-6.0.36-win-x64.exe (PID: 6356)
    • Searches for installed software

      • NetRuntimeInstaller.exe (PID: 8164)
    • There is functionality for taking screenshot (YARA)

      • Hide.me-Setup-4.3.1.tmp (PID: 7996)
    • The process creates files with name similar to system file names

      • msiexec.exe (PID: 6672)
    • The process drops C-runtime libraries

      • msiexec.exe (PID: 6672)
      • Hide.me-Setup-4.3.1.tmp (PID: 7996)
    • Drops a system driver (possible attempt to evade defenses)

      • Hide.me-Setup-4.3.1.tmp (PID: 7996)
      • msiexec.exe (PID: 7876)
      • msiexec.exe (PID: 6672)
      • drvinst.exe (PID: 3576)
      • drvinst.exe (PID: 6308)
      • hidemesvc.exe (PID: 7820)
    • Executes as Windows Service

      • VSSVC.exe (PID: 7480)
      • hidemesvc.exe (PID: 7820)
    • Application launched itself

      • msiexec.exe (PID: 6672)
    • Creates a new Windows service

      • sc.exe (PID: 4312)
    • Windows service management via SC.EXE

      • sc.exe (PID: 4808)
    • Uses powercfg.exe to modify the power settings

      • hidemesvc.exe (PID: 7820)
  • INFO

    • Launching a file from the Downloads directory

      • firefox.exe (PID: 6004)
    • Application launched itself

      • firefox.exe (PID: 6612)
      • firefox.exe (PID: 6004)
    • Checks supported languages

      • Hide.me-Setup-4.3.1.exe (PID: 3588)
      • Hide.me-Setup-4.3.1.tmp (PID: 2320)
      • Hide.me-Setup-4.3.1.exe (PID: 7980)
      • Hide.me-Setup-4.3.1.tmp (PID: 7996)
      • NetRuntimeInstaller.exe (PID: 8064)
      • NetRuntimeInstaller.exe (PID: 8164)
      • windowsdesktop-runtime-6.0.36-win-x64.exe (PID: 6356)
      • msiexec.exe (PID: 6672)
      • msiexec.exe (PID: 7568)
      • msiexec.exe (PID: 4216)
      • msiexec.exe (PID: 5060)
      • msiexec.exe (PID: 4752)
    • Create files in a temporary directory

      • Hide.me-Setup-4.3.1.exe (PID: 3588)
      • Hide.me-Setup-4.3.1.exe (PID: 7980)
      • Hide.me-Setup-4.3.1.tmp (PID: 7996)
      • NetRuntimeInstaller.exe (PID: 8164)
      • windowsdesktop-runtime-6.0.36-win-x64.exe (PID: 6356)
    • Process checks computer location settings

      • Hide.me-Setup-4.3.1.tmp (PID: 2320)
      • NetRuntimeInstaller.exe (PID: 8164)
    • Executable content was dropped or overwritten

      • firefox.exe (PID: 6004)
      • msiexec.exe (PID: 6672)
      • msiexec.exe (PID: 7876)
    • Reads the computer name

      • Hide.me-Setup-4.3.1.tmp (PID: 2320)
      • Hide.me-Setup-4.3.1.exe (PID: 7980)
      • Hide.me-Setup-4.3.1.tmp (PID: 7996)
      • NetRuntimeInstaller.exe (PID: 8164)
      • NetRuntimeInstaller.exe (PID: 8064)
      • windowsdesktop-runtime-6.0.36-win-x64.exe (PID: 6356)
      • msiexec.exe (PID: 6672)
      • msiexec.exe (PID: 7568)
      • msiexec.exe (PID: 4216)
      • msiexec.exe (PID: 4752)
      • msiexec.exe (PID: 5060)
    • Checks proxy server information

      • Hide.me-Setup-4.3.1.tmp (PID: 7996)
    • Reads the machine GUID from the registry

      • Hide.me-Setup-4.3.1.tmp (PID: 7996)
      • windowsdesktop-runtime-6.0.36-win-x64.exe (PID: 6356)
      • msiexec.exe (PID: 6672)
    • Detects InnoSetup installer (YARA)

      • Hide.me-Setup-4.3.1.tmp (PID: 2320)
      • Hide.me-Setup-4.3.1.exe (PID: 3588)
      • Hide.me-Setup-4.3.1.exe (PID: 7980)
      • Hide.me-Setup-4.3.1.tmp (PID: 7996)
    • Reads the software policy settings

      • Hide.me-Setup-4.3.1.tmp (PID: 7996)
      • msiexec.exe (PID: 6672)
    • Compiled with Borland Delphi (YARA)

      • Hide.me-Setup-4.3.1.exe (PID: 3588)
      • Hide.me-Setup-4.3.1.tmp (PID: 2320)
      • Hide.me-Setup-4.3.1.exe (PID: 7980)
      • Hide.me-Setup-4.3.1.tmp (PID: 7996)
    • The sample compiled with english language support

      • NetRuntimeInstaller.exe (PID: 8064)
      • NetRuntimeInstaller.exe (PID: 8164)
      • windowsdesktop-runtime-6.0.36-win-x64.exe (PID: 6356)
      • msiexec.exe (PID: 6672)
      • NetRuntimeInstaller86.exe (PID: 2468)
      • NetRuntimeInstaller86.exe (PID: 6128)
      • Hide.me-Setup-4.3.1.tmp (PID: 7996)
      • windowsdesktop-runtime-6.0.36-win-x86.exe (PID: 7224)
      • msiexec.exe (PID: 7876)
      • drvinst.exe (PID: 3576)
      • drvinst.exe (PID: 6308)
      • hidemesvc.exe (PID: 7820)
    • Creates files in the program directory

      • windowsdesktop-runtime-6.0.36-win-x64.exe (PID: 6356)
    • Launching a file from a Registry key

      • windowsdesktop-runtime-6.0.36-win-x64.exe (PID: 6356)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 6672)
    • Manages system restore points

      • SrTasks.exe (PID: 3900)
      • SrTasks.exe (PID: 1564)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
202
Monitored processes
55
Malicious processes
6
Suspicious processes
4

Behavior graph

Process nodes shown in the graph (the interactive graph itself is not included): start, firefox.exe, hide.me-setup-4.3.1.exe, hide.me-setup-4.3.1.tmp, slui.exe, netruntimeinstaller.exe, windowsdesktop-runtime-6.0.36-win-x64.exe, msiexec.exe, netruntimeinstaller86.exe, windowsdesktop-runtime-6.0.36-win-x86.exe, vssvc.exe, srtasks.exe, conhost.exe, drvinst.exe, hidemesvc.exe, sc.exe, hide.me.exe, powercfg.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 424
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: SrTasks.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1132
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250227124745 -sandboxingKind 0 -prefsHandle 4584 -prefsLen 44905 -prefMapHandle 4580 -prefMapSize 272997 -ipcHandle 4600 -initialChannelId {d6b60c69-24c8-420a-be84-6a097e94e8d5} -parentPid 6004 -crashReporter "\\.\pipe\gecko-crash-server-pipe.6004" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
1
Version:
136.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\vcruntime140_1.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\bcrypt.dll
PID: 1564
CMD: C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:12
Path: C:\Windows\System32\SrTasks.exe
Parent process: msiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Windows System Protection background tasks.
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\srtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 2216
CMD: C:\Windows\System32\MsiExec.exe -Embedding 8FD975C5E0D709AD80875C5C8EBAB173
Path: C:\Windows\System32\msiexec.exe
Parent process: msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 2320
CMD: "C:\Users\admin\AppData\Local\Temp\is-IPPG0.tmp\Hide.me-Setup-4.3.1.tmp" /SL5="$50310,17959630,856064,C:\Users\admin\Downloads\Hide.me-Setup-4.3.1.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-IPPG0.tmp\Hide.me-Setup-4.3.1.tmp
Parent process: Hide.me-Setup-4.3.1.exe
User:
admin
Company:
eVenture Limited
Integrity Level:
MEDIUM
Description:
Setup/Uninstall
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-ippg0.tmp\hide.me-setup-4.3.1.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comdlg32.dll
PID: 2460
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250227124745 -prefsHandle 2116 -prefsLen 36520 -prefMapHandle 2120 -prefMapSize 272997 -ipcHandle 2128 -initialChannelId {bdf12d9e-f8b7-44df-9f35-565ba5a660f2} -parentPid 6004 -crashReporter "\\.\pipe\gecko-crash-server-pipe.6004" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
136.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140_1.dll
PID: 2468
CMD: "C:\Users\admin\AppData\Local\Temp\is-BQ0VU.tmp\NetRuntimeInstaller86.exe" /passive /norestart /showrmui /showfinalerror
Path: C:\Users\admin\AppData\Local\Temp\is-BQ0VU.tmp\NetRuntimeInstaller86.exe
Parent process: Hide.me-Setup-4.3.1.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Windows Desktop Runtime - 6.0.36 (x86)
Exit code:
0
Version:
6.0.36.34217
Modules
Images
c:\users\admin\appdata\local\temp\is-bq0vu.tmp\netruntimeinstaller86.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 2876
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: sc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3576
CMD: DrvInst.exe "4" "1" "C:\Program Files\Common Files\ovpn-dco\Win10\ovpn-dco.inf" "9" "4e1f3ffd3" "00000000000001C4" "WinSta0\Default" "00000000000001E4" "208" "C:\Program Files\Common Files\ovpn-dco\Win10"
Path: C:\Windows\System32\drvinst.exe
Parent process: svchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Driver Installation Module
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\drvinst.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\drvstore.dll
PID: 3588
CMD: "C:\Users\admin\Downloads\Hide.me-Setup-4.3.1.exe"
Path: C:\Users\admin\Downloads\Hide.me-Setup-4.3.1.exe
Parent process: firefox.exe
User:
admin
Company:
eVenture Limited
Integrity Level:
MEDIUM
Description:
hide.me VPN Setup
Version:
4.3.1
Modules
Images
c:\users\admin\downloads\hide.me-setup-4.3.1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comctl32.dll
Total events
71 141
Read events
68 626
Write events
2 385
Delete events
130

Modification events

Process: (6004) firefox.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\DllPrefetchExperiment
Operation: write
Name: C:\Program Files\Mozilla Firefox\firefox.exe
Value: 0

Process: (6004) firefox.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000

Process: (6356) windowsdesktop-runtime-6.0.36-win-x64.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{0532b8f2-12d7-43de-95fc-7b87006758a8}
Operation: write
Name: EstimatedSize
Value: 215968

Process: (6356) windowsdesktop-runtime-6.0.36-win-x64.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Dependencies\{0532b8f2-12d7-43de-95fc-7b87006758a8}
Operation: write
Name: Version
Value: 6.0.36.34217

Process: (6356) windowsdesktop-runtime-6.0.36-win-x64.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Dependencies\{0532b8f2-12d7-43de-95fc-7b87006758a8}
Operation: write
Name: DisplayName
Value: Microsoft Windows Desktop Runtime - 6.0.36 (x64)

Process: (6356) windowsdesktop-runtime-6.0.36-win-x64.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{0532b8f2-12d7-43de-95fc-7b87006758a8}
Operation: write
Name: Resume
Value: 1

Process: (6356) windowsdesktop-runtime-6.0.36-win-x64.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: {0532b8f2-12d7-43de-95fc-7b87006758a8}
Value: "C:\ProgramData\Package Cache\{0532b8f2-12d7-43de-95fc-7b87006758a8}\windowsdesktop-runtime-6.0.36-win-x64.exe" /burn.runonce

Process: (6356) windowsdesktop-runtime-6.0.36-win-x64.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{0532b8f2-12d7-43de-95fc-7b87006758a8}
Operation: write
Name: BundleResumeCommandLine
Value: /passive /norestart /burn.log.append "C:\Users\admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.36_(x64)_20250610190138.log" /showrmui /showfinalerror

Process: (6356) windowsdesktop-runtime-6.0.36-win-x64.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Dependencies\{0532b8f2-12d7-43de-95fc-7b87006758a8}\Dependents\{0532b8f2-12d7-43de-95fc-7b87006758a8}
Operation: delete value
Name: MinVersion
Value:

Process: (6356) windowsdesktop-runtime-6.0.36-win-x64.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Dependencies\{0532b8f2-12d7-43de-95fc-7b87006758a8}\Dependents\{0532b8f2-12d7-43de-95fc-7b87006758a8}
Operation: delete value
Name: MaxVersion
Value:
Executable files
1 256
Suspicious files
350
Text files
100
Unknown types
214

Dropped files

PID
Process
Filename
Type
PID: 6004 Process: firefox.exe Type: text
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\prefs-1.js
MD5: 2FD670934FEF0C60E2119BD874AAF470
SHA256: 771A7C83CA015BDBC6AB86A7BD9B1D54E40062E28942D311A9178A0FE6433CF2

PID: 6004 Process: firefox.exe Type:
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
MD5:
SHA256:

PID: 6004 Process: firefox.exe Type: binary
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shm
MD5: B7C14EC6110FA820CA6B65F5AEC85911
SHA256: FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB

PID: 6004 Process: firefox.exe Type: binary
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\cookies.sqlite-shm
MD5: B7C14EC6110FA820CA6B65F5AEC85911
SHA256: FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB

PID: 6004 Process: firefox.exe Type: binary
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\sessionCheckpoints.json.tmp
MD5: EA8B62857DFDBD3D0BE7D7E4A954EC9A
SHA256: 792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA

PID: 6004 Process: firefox.exe Type: binary
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shm
MD5: B7C14EC6110FA820CA6B65F5AEC85911
SHA256: FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB

PID: 6004 Process: firefox.exe Type: binary
Filename: C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\urlCache-current.bin
MD5: 3134ED3F12E4F4F8643DB90043B0FD7B
SHA256: 26E4F122034D7A03F6DA0E707799B09CBEEBDAF8D7A3133A1F7BD894AC72EEA1

PID: 6004 Process: firefox.exe Type: text
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\prefs.js
MD5: 2FD670934FEF0C60E2119BD874AAF470
SHA256: 771A7C83CA015BDBC6AB86A7BD9B1D54E40062E28942D311A9178A0FE6433CF2

PID: 6004 Process: firefox.exe Type: binary
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm
MD5: B7C14EC6110FA820CA6B65F5AEC85911
SHA256: FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB

PID: 6004 Process: firefox.exe Type: binary
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm
MD5: B7C14EC6110FA820CA6B65F5AEC85911
SHA256: FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
31
TCP/UDP connections
91
DNS requests
113
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6004
firefox.exe
GET
200
34.107.221.82:80
http://detectportal.firefox.com/canonical.html
unknown
whitelisted
6004
firefox.exe
GET
200
34.107.221.82:80
http://detectportal.firefox.com/success.txt?ipv4
unknown
whitelisted
6004
firefox.exe
POST
200
142.250.186.131:80
http://o.pki.goog/s/wr3/FIY
unknown
whitelisted
6004
firefox.exe
POST
200
2.16.206.143:80
http://r10.o.lencr.org/
unknown
whitelisted
6004
firefox.exe
POST
200
142.250.186.131:80
http://o.pki.goog/we2
unknown
whitelisted
6004
firefox.exe
POST
200
2.16.206.143:80
http://r11.o.lencr.org/
unknown
whitelisted
6004
firefox.exe
GET
200
34.107.221.82:80
http://detectportal.firefox.com/success.txt?ipv4
unknown
whitelisted
6004
firefox.exe
POST
200
2.16.206.143:80
http://r11.o.lencr.org/
unknown
whitelisted
6004
firefox.exe
POST
200
142.250.186.131:80
http://o.pki.goog/s/wr3/3H4
unknown
whitelisted
6004
firefox.exe
POST
200
2.16.206.143:80
http://r11.o.lencr.org/
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
5944
MoUsoCoreWorker.exe
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1268
svchost.exe
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2664
RUXIMICS.exe
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
6004
firefox.exe
34.160.144.191:443
content-signature-2.cdn.mozilla.net
GOOGLE
US
whitelisted
6004
firefox.exe
51.195.100.161:443
hide.me
OVH SAS
FR
unknown
6004
firefox.exe
34.107.221.82:80
detectportal.firefox.com
GOOGLE
US
whitelisted
6004
firefox.exe
2.16.206.143:80
r11.o.lencr.org
Akamai International B.V.
DE
whitelisted
6004
firefox.exe
34.36.137.203:443
contile.services.mozilla.com
GOOGLE-CLOUD-PLATFORM
US
whitelisted

DNS requests

Domain
IP
Reputation
content-signature-2.cdn.mozilla.net
  • 34.160.144.191
whitelisted
content-signature-chains.prod.autograph.services.mozaws.net
  • 34.160.144.191
  • 2600:1901:0:92a9::
whitelisted
hide.me
  • 51.195.100.161
unknown
detectportal.firefox.com
  • 34.107.221.82
whitelisted
prod.detectportal.prod.cloudops.mozgcp.net
  • 34.107.221.82
  • 2600:1901:0:38d7::
whitelisted
r11.o.lencr.org
  • 2.16.206.143
  • 2.16.206.148
whitelisted
contile.services.mozilla.com
  • 34.36.137.203
whitelisted
a1887.dscq.akamai.net
  • 2.16.206.143
  • 2.16.206.148
  • 2a02:26f0:3500:e::1732:8353
  • 2a02:26f0:3500:e::1732:835c
whitelisted
spocs.getpocket.com
  • 34.36.137.203
whitelisted
mc.prod.ads.prod.webservices.mozgcp.net
  • 34.36.137.203
whitelisted

Threats

No threats detected
Process
Message
hidemesvc.exe
Profiler was prevented from loading notification profiler due to app settings. Process ID (decimal): 5552. Message ID: [0x2509].
hidemesvc.exe
Profiler was prevented from loading notification profiler due to app settings. Process ID (decimal): 7820. Message ID: [0x2509].
Hide.me.exe
Profiler was prevented from loading notification profiler due to app settings. Process ID (decimal): 7320. Message ID: [0x2509].
hidemesvc.exe
Corrected RASENTRY size -> Prev: 5680. New: 6724
hidemesvc.exe
Corrected RASENTRY size -> Prev: 5680. New: 6724
hidemesvc.exe
Corrected RASENTRY size -> Prev: 5680. New: 6724
hidemesvc.exe
Corrected RASENTRY size -> Prev: 5680. New: 6724
hidemesvc.exe
Corrected RASENTRY size -> Prev: 5680. New: 6724
hidemesvc.exe
Corrected RASENTRY size -> Prev: 5680. New: 6724