File name:

netlimiter-5.3.23.0 (1).exe

Full analysis: https://app.any.run/tasks/7780f476-e837-497a-adb0-6b213d473331
Verdict: Malicious activity
Analysis date: April 23, 2025, 17:25:53
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
advancedinstaller
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

1C4E30C0277FFAF4B8D5BC23DD642BE9

SHA1:

702A0F59C8EF901FE900CA35CF8D50603FF9E9DB

SHA256:

DB894051FE03939EB04318DC763D58A480ECFE2527A76B388C89D7556303C594

SSDEEP:

98304:DpfE1CQOGlfuAfpLPlmmJUyI92/GIGWFyfywJ2ZOAT3ykK17qCDjyjs5Ynn0gWMt:nqrjrcMXzGnxHhEH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • msiexec.exe (PID: 6036)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • netlimiter-5.3.23.0 (1).exe (PID: 3100)
      • msiexec.exe (PID: 5132)
      • netlimiter-5.3.23.0 (1).exe (PID: 904)
      • msiexec.exe (PID: 856)
      • msiexec.exe (PID: 6036)
    • Reads security settings of Internet Explorer

      • netlimiter-5.3.23.0 (1).exe (PID: 3100)
      • netlimiter-5.3.23.0 (1).exe (PID: 904)
      • NLSvc.exe (PID: 5212)
      • NLSvc.exe (PID: 4620)
      • NLClientApp.exe (PID: 5868)
      • NLClientApp.exe (PID: 7144)
    • Reads the Windows owner or organization settings

      • netlimiter-5.3.23.0 (1).exe (PID: 3100)
      • netlimiter-5.3.23.0 (1).exe (PID: 904)
      • msiexec.exe (PID: 6036)
    • The process drops C-runtime libraries

      • msiexec.exe (PID: 5132)
      • msiexec.exe (PID: 856)
    • ADVANCEDINSTALLER mutex has been found

      • netlimiter-5.3.23.0 (1).exe (PID: 3100)
    • Executable content was dropped or overwritten

      • netlimiter-5.3.23.0 (1).exe (PID: 3100)
      • netlimiter-5.3.23.0 (1).exe (PID: 904)
    • Reads Internet Explorer settings

      • netlimiter-5.3.23.0 (1).exe (PID: 3100)
    • Application launched itself

      • netlimiter-5.3.23.0 (1).exe (PID: 3100)
    • Executes as Windows Service

      • VSSVC.exe (PID: 4724)
      • NLSvc.exe (PID: 4620)
    • Detects AdvancedInstaller (YARA)

      • netlimiter-5.3.23.0 (1).exe (PID: 3100)
      • msiexec.exe (PID: 6036)
    • There is functionality for taking screenshot (YARA)

      • netlimiter-5.3.23.0 (1).exe (PID: 3100)
    • The process creates files with name similar to system file names

      • netlimiter-5.3.23.0 (1).exe (PID: 3100)
      • msiexec.exe (PID: 6036)
    • Drops a system driver (possible attempt to evade defenses)

      • netlimiter-5.3.23.0 (1).exe (PID: 3100)
      • msiexec.exe (PID: 6036)
    • Creates files in the driver directory

      • msiexec.exe (PID: 6036)
    • Reads the date of Windows installation

      • NLClientApp.exe (PID: 7144)
  • INFO

    • The sample compiled with english language support

      • netlimiter-5.3.23.0 (1).exe (PID: 3100)
      • netlimiter-5.3.23.0 (1).exe (PID: 904)
      • msiexec.exe (PID: 5132)
      • msiexec.exe (PID: 6036)
      • msiexec.exe (PID: 856)
    • Reads the computer name

      • netlimiter-5.3.23.0 (1).exe (PID: 3100)
      • msiexec.exe (PID: 5132)
      • msiexec.exe (PID: 6036)
      • netlimiter-5.3.23.0 (1).exe (PID: 904)
      • msiexec.exe (PID: 856)
      • msiexec.exe (PID: 3896)
      • NLSvc.exe (PID: 5212)
      • NLSvc.exe (PID: 4620)
      • NLClientApp.exe (PID: 5868)
      • NLClientApp.exe (PID: 7144)
    • Reads the software policy settings

      • netlimiter-5.3.23.0 (1).exe (PID: 3100)
      • netlimiter-5.3.23.0 (1).exe (PID: 904)
      • msiexec.exe (PID: 6036)
      • NLSvc.exe (PID: 5212)
      • NLSvc.exe (PID: 4620)
      • NLClientApp.exe (PID: 7144)
      • NLClientApp.exe (PID: 5868)
    • Checks supported languages

      • msiexec.exe (PID: 6036)
      • msiexec.exe (PID: 5132)
      • netlimiter-5.3.23.0 (1).exe (PID: 3100)
      • netlimiter-5.3.23.0 (1).exe (PID: 904)
      • msiexec.exe (PID: 856)
      • msiexec.exe (PID: 3896)
      • NLSvc.exe (PID: 4620)
      • NLSvc.exe (PID: 5212)
      • NLClientApp.exe (PID: 7144)
      • NLSvcCliCnnCheck.exe (PID: 4108)
      • NLClientApp.exe (PID: 5868)
    • Create files in a temporary directory

      • msiexec.exe (PID: 5132)
      • netlimiter-5.3.23.0 (1).exe (PID: 3100)
      • netlimiter-5.3.23.0 (1).exe (PID: 904)
      • msiexec.exe (PID: 3896)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 5132)
      • msiexec.exe (PID: 6036)
      • msiexec.exe (PID: 856)
    • Reads Environment values

      • msiexec.exe (PID: 5132)
      • netlimiter-5.3.23.0 (1).exe (PID: 3100)
      • netlimiter-5.3.23.0 (1).exe (PID: 904)
      • msiexec.exe (PID: 856)
    • Reads the machine GUID from the registry

      • netlimiter-5.3.23.0 (1).exe (PID: 3100)
      • netlimiter-5.3.23.0 (1).exe (PID: 904)
      • msiexec.exe (PID: 6036)
      • NLSvc.exe (PID: 5212)
      • NLSvc.exe (PID: 4620)
      • NLClientApp.exe (PID: 5868)
      • NLClientApp.exe (PID: 7144)
    • Process checks computer location settings

      • netlimiter-5.3.23.0 (1).exe (PID: 3100)
      • NLClientApp.exe (PID: 7144)
    • Manages system restore points

      • SrTasks.exe (PID: 2852)
    • Creates files in the program directory

      • NLSvc.exe (PID: 5212)
      • NLSvc.exe (PID: 4620)
      • NLClientApp.exe (PID: 5868)
      • NLClientApp.exe (PID: 7144)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 6036)
    • Manual execution by a user

      • NLClientApp.exe (PID: 7144)
    • Creates files or folders in the user directory

      • NLClientApp.exe (PID: 7144)
    • Checks proxy server information

      • NLClientApp.exe (PID: 7144)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:12:14 13:40:00+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 14.34
CodeSize: 2450944
InitializedDataSize: 1032704
UninitializedDataSize: -
EntryPoint: 0x1d0974
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 5.3.23.0
ProductVersionNumber: 5.3.23.0
FileFlagsMask: 0x003f
FileFlags: Debug
FileOS: Win32
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Locktime Software
FileDescription: NetLimiter Installer
FileVersion: 5.3.23.0
InternalName: netlimiter-5.3.23.0
LegalCopyright: Copyright (C) 2025 Locktime Software
OriginalFileName: netlimiter-5.3.23.0.exe
ProductName: NetLimiter
ProductVersion: 5.3.23.0
No data.
All screenshots are available in the full report
Total processes
146
Monitored processes
17
Malicious processes
2
Suspicious processes
1

Behavior graph

start netlimiter-5.3.23.0 (1).exe msiexec.exe msiexec.exe netlimiter-5.3.23.0 (1).exe vssvc.exe no specs srtasks.exe no specs conhost.exe no specs msiexec.exe msiexec.exe no specs nlsvc.exe no specs conhost.exe no specs nlsvc.exe nlclientapp.exe no specs nlclientapp.exe nlsvcclicnncheck.exe no specs slui.exe no specs netlimiter-5.3.23.0 (1).exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID: 856
CMD: C:\Windows\syswow64\MsiExec.exe -Embedding 7F1616CBFC5FC7CD1113ACCBB7A23E9E
Path: C:\Windows\SysWOW64\msiexec.exe
Parent process: msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 904
CMD: "C:\Users\admin\AppData\Local\Temp\netlimiter-5.3.23.0 (1).exe" /i C:\Users\admin\AppData\Local\Temp\{99A7ADDA-C158-4120-943E-1AE60AC56D0C}\AC56D0C\netlimiter-5.3.23.0.x64.msi AI_EUIMSI=1 APPDIR="C:\Program Files\Locktime Software\NetLimiter" SECONDSEQUENCE="1" CLIENTPROCESSID="3100" AI_MORE_CMD_LINE=1
Path: C:\Users\admin\AppData\Local\Temp\netlimiter-5.3.23.0 (1).exe
Parent process: netlimiter-5.3.23.0 (1).exe
User:
admin
Company:
Locktime Software
Integrity Level:
HIGH
Description:
NetLimiter Installer
Exit code:
0
Version:
5.3.23.0
Modules
Images
c:\users\admin\appdata\local\temp\netlimiter-5.3.23.0 (1).exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 1812
CMD: "C:\Users\admin\AppData\Local\Temp\netlimiter-5.3.23.0 (1).exe"
Path: C:\Users\admin\AppData\Local\Temp\netlimiter-5.3.23.0 (1).exe
Parent process: explorer.exe
User:
admin
Company:
Locktime Software
Integrity Level:
MEDIUM
Description:
NetLimiter Installer
Exit code:
3221226540
Version:
5.3.23.0
Modules
Images
c:\users\admin\appdata\local\temp\netlimiter-5.3.23.0 (1).exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 2852
CMD: C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:11
Path: C:\Windows\System32\SrTasks.exe
Parent process: msiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Windows System Protection background tasks.
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\srtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 3100
CMD: "C:\Users\admin\AppData\Local\Temp\netlimiter-5.3.23.0 (1).exe"
Path: C:\Users\admin\AppData\Local\Temp\netlimiter-5.3.23.0 (1).exe
Parent process: explorer.exe
User:
admin
Company:
Locktime Software
Integrity Level:
HIGH
Description:
NetLimiter Installer
Exit code:
0
Version:
5.3.23.0
Modules
Images
c:\users\admin\appdata\local\temp\netlimiter-5.3.23.0 (1).exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 3896
CMD: C:\Windows\syswow64\MsiExec.exe -Embedding 8F44168FBB1CB8CBCE2F109800CE35AE E Global\MSI0000
Path: C:\Windows\SysWOW64\msiexec.exe
Parent process: msiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 4108
CMD: "C:\Program Files\Locktime Software\NetLimiter\NLSvcCliCnnCheck.exe" 10e66717ec914bbbbfb386bfcbe468ad
Path: C:\Program Files\Locktime Software\NetLimiter\NLSvcCliCnnCheck.exe
Parent process: NLClientApp.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
4294967295
Modules
Images
c:\program files\locktime software\netlimiter\nlsvcclicnncheck.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\vcruntime140.dll
PID: 4620
CMD: "C:\Program Files\Locktime Software\NetLimiter\NLSvc.exe"
Path: C:\Program Files\Locktime Software\NetLimiter\NLSvc.exe
Parent process: services.exe
User:
SYSTEM
Company:
Locktime Software
Integrity Level:
SYSTEM
Description:
NLSvc
Version:
5.3.23.0
Modules
Images
c:\program files\locktime software\netlimiter\nlsvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 4724
CMD: C:\WINDOWS\system32\vssvc.exe
Path: C:\Windows\System32\VSSVC.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4880
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
30 187
Read events
29 670
Write events
489
Delete events
28

Modification events

(PID) Process: (3100) netlimiter-5.3.23.0 (1).exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates
Operation: delete value
Name: 4EFC31460C619ECAE59C1BCE2C008036D94C84B8
Value:
(PID) Process: (3100) netlimiter-5.3.23.0 (1).exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8
Operation: write
Name: Blob
Value:
(PID) Process: (3100) netlimiter-5.3.23.0 (1).exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8
Operation: write
Name: Blob
Value:
(PID) Process: (6036) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Leave)
Value:
4800000000000000D0FE0AD174B4DB0194170000201B0000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (6036) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation: write
Name: SrCreateRp (Enter)
Value:
4800000000000000726CB0D074B4DB0194170000201B0000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (6036) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Enter)
Value:
48000000000000001810B3D074B4DB0194170000201B0000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (6036) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Leave)
Value:
4800000000000000FF9B08D174B4DB0194170000201B0000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (6036) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Enter)
Value:
4800000000000000FF9B08D174B4DB0194170000201B0000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (6036) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppCreate (Enter)
Value:
4800000000000000F0C70FD174B4DB0194170000201B0000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (6036) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation: write
Name: LastIndex
Value:
11
Executable files
504
Suspicious files
64
Text files
102
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 3100
Process: netlimiter-5.3.23.0 (1).exe
Filename: C:\Users\admin\AppData\Local\Temp\{99A7ADDA-C158-4120-943E-1AE60AC56D0C}\holder0.aiph
MD5:
SHA256:
PID: 3100
Process: netlimiter-5.3.23.0 (1).exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E
Type: binary
MD5:208E7542252AACBDEA98ECF5B4B489DC
SHA256:30DE539302DF99D4F05E1E0628728DBE9FE3D8F52FF587B625AD1DC19794BD21
PID: 3100
Process: netlimiter-5.3.23.0 (1).exe
Filename: C:\Users\admin\AppData\Local\Temp\AI_EXTUI_BIN_3100\repair.png
Type: image
MD5:CE23E801FACF4DC9980692913ECC5FB3
SHA256:A8856BD3783A5FC30504FD8AFCFABAA8295ECEFC0D91E5CDD00453F2137495D3
PID: 3100
Process: netlimiter-5.3.23.0 (1).exe
Filename: C:\Users\admin\AppData\Local\Temp\MSIDD72.tmp
Type: executable
MD5:DB7612F0FD6408D664185CFC81BEF0CB
SHA256:E9E426B679B3EFB233F03C696E997E2DA3402F16A321E954B54454317FCEB240
PID: 3100
Process: netlimiter-5.3.23.0 (1).exe
Filename: C:\Users\admin\AppData\Local\Temp\{99A7ADDA-C158-4120-943E-1AE60AC56D0C}\AC56D0C\netlimiter-5.3.23.0.x64.msi
Type: executable
MD5:0FD447E7043F012F7CECB3C3F194BC62
SHA256:259F8E166C62E872AE1006BE3956D737555B8173E4FCB4C16175CB6FA97B5C41
PID: 3100
Process: netlimiter-5.3.23.0 (1).exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_E6F24C84455822F37E36BD9E2116AD33
Type: binary
MD5:9367C81E4F708FFCE953962AA18F1ECB
SHA256:3905F218077EAE7581483CE7ED0CCED978AA84CED2090837C79B3ADE338063BD
PID: 3100
Process: netlimiter-5.3.23.0 (1).exe
Filename: C:\Users\admin\AppData\Local\Temp\MSIDE1F.tmp
Type: executable
MD5:DB7612F0FD6408D664185CFC81BEF0CB
SHA256:E9E426B679B3EFB233F03C696E997E2DA3402F16A321E954B54454317FCEB240
PID: 3100
Process: netlimiter-5.3.23.0 (1).exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_E6F24C84455822F37E36BD9E2116AD33
Type: binary
MD5:DB92A4F6BFD16CD0D7441CEE786DAE94
SHA256:BB8E537F42E475E3926F1E1F68BECB20805585A96518AA30ABC17E14A95CAC7A
PID: 3100
Process: netlimiter-5.3.23.0 (1).exe
Filename: C:\Users\admin\AppData\Local\Temp\AI_EXTUI_BIN_3100\background
Type: image
MD5:A0EFB0E7B9CEE25B09E09A1A64E96BA6
SHA256:F044F542BC46464054084C63596877F06C6E2C215C0E954C4ACE9787CED82787
PID: 3100
Process: netlimiter-5.3.23.0 (1).exe
Filename: C:\Users\admin\AppData\Local\Temp\AI_EXTUI_BIN_3100\frame_bottom_right.bmp
Type: image
MD5:1FB3755FE9676FCA35B8D3C6A8E80B45
SHA256:384EBD5800BECADF3BD9014686E6CC09344F75CE426E966D788EB5473B28AA21
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
11
TCP/UDP connections
31
DNS requests
18
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
23.48.23.168:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
2.16.253.202:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
3100
netlimiter-5.3.23.0 (1).exe
GET
200
104.18.21.226:80
http://ocsp.globalsign.com/codesigningrootr45/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQVFZP5vqhCrtRN5SWf40Rn6NM1IAQUHwC%2FRoAK%2FHg5t6W0Q9lWULvOljsCEHe9DgW3WQu2HUdhUx4%2Fde0%3D
unknown
whitelisted
3100
netlimiter-5.3.23.0 (1).exe
GET
200
104.18.21.226:80
http://ocsp.globalsign.com/gsgccr45evcodesignca2020/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQaCbVYh07WONuW4e63Ydlu4AlbDAQUJZ3Q%2FFkJhmPF7POxEztXHAOSNhECDEX685ZejurnNJyDZQ%3D%3D
unknown
whitelisted
4920
SIHClient.exe
GET
200
2.16.253.202:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
6544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
4920
SIHClient.exe
GET
200
2.16.253.202:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
4620
NLSvc.exe
GET
200
104.18.21.226:80
http://ocsp.globalsign.com/codesigningrootr45/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQVFZP5vqhCrtRN5SWf40Rn6NM1IAQUHwC%2FRoAK%2FHg5t6W0Q9lWULvOljsCEHe9DgW3WQu2HUdhUx4%2Fde0%3D
unknown
whitelisted
4620
NLSvc.exe
GET
200
104.18.21.226:80
http://ocsp.globalsign.com/gsgccr45evcodesignca2020/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQaCbVYh07WONuW4e63Ydlu4AlbDAQUJZ3Q%2FFkJhmPF7POxEztXHAOSNhECDEX685ZejurnNJyDZQ%3D%3D
unknown
whitelisted
7144
NLClientApp.exe
GET
200
23.48.23.180:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
23.48.23.168:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2.16.253.202:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
2104
svchost.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
3216
svchost.exe
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
3100
netlimiter-5.3.23.0 (1).exe
104.18.21.226:80
ocsp.globalsign.com
CLOUDFLARENET
whitelisted
6544
svchost.exe
20.190.160.64:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
2104
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
crl.microsoft.com
whitelisted
www.microsoft.com
  • 2.16.253.202
whitelisted
google.com
  • 142.250.185.110
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
ocsp.globalsign.com
  • 104.18.21.226
  • 104.18.20.226
whitelisted
login.live.com
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted

Threats

No threats detected
No debug info