File name:

netlimiter-5.3.23.0 (1).exe

Full analysis: https://app.any.run/tasks/7780f476-e837-497a-adb0-6b213d473331
Verdict: Malicious activity
Analysis date: April 23, 2025, 17:25:53
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
advancedinstaller
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

1C4E30C0277FFAF4B8D5BC23DD642BE9

SHA1:

702A0F59C8EF901FE900CA35CF8D50603FF9E9DB

SHA256:

DB894051FE03939EB04318DC763D58A480ECFE2527A76B388C89D7556303C594

SSDEEP:

98304:DpfE1CQOGlfuAfpLPlmmJUyI92/GIGWFyfywJ2ZOAT3ykK17qCDjyjs5Ynn0gWMt:nqrjrcMXzGnxHhEH

  • MALICIOUS

    • Changes the autorun value in the registry

      • msiexec.exe (PID: 6036)
  • SUSPICIOUS

    • Reads the Windows owner or organization settings

      • netlimiter-5.3.23.0 (1).exe (PID: 3100)
      • msiexec.exe (PID: 6036)
      • netlimiter-5.3.23.0 (1).exe (PID: 904)
    • ADVANCEDINSTALLER mutex has been found

      • netlimiter-5.3.23.0 (1).exe (PID: 3100)
    • Reads Internet Explorer settings

      • netlimiter-5.3.23.0 (1).exe (PID: 3100)
    • Application launched itself

      • netlimiter-5.3.23.0 (1).exe (PID: 3100)
    • Process drops legitimate windows executable

      • msiexec.exe (PID: 5132)
      • netlimiter-5.3.23.0 (1).exe (PID: 3100)
      • netlimiter-5.3.23.0 (1).exe (PID: 904)
      • msiexec.exe (PID: 856)
      • msiexec.exe (PID: 6036)
    • Executable content was dropped or overwritten

      • netlimiter-5.3.23.0 (1).exe (PID: 3100)
      • netlimiter-5.3.23.0 (1).exe (PID: 904)
    • Reads security settings of Internet Explorer

      • netlimiter-5.3.23.0 (1).exe (PID: 3100)
      • netlimiter-5.3.23.0 (1).exe (PID: 904)
      • NLSvc.exe (PID: 4620)
      • NLClientApp.exe (PID: 5868)
      • NLSvc.exe (PID: 5212)
      • NLClientApp.exe (PID: 7144)
    • The process drops C-runtime libraries

      • msiexec.exe (PID: 5132)
      • msiexec.exe (PID: 856)
    • Executes as Windows Service

      • VSSVC.exe (PID: 4724)
      • NLSvc.exe (PID: 4620)
    • There is functionality for taking screenshot (YARA)

      • netlimiter-5.3.23.0 (1).exe (PID: 3100)
    • Detects AdvancedInstaller (YARA)

      • netlimiter-5.3.23.0 (1).exe (PID: 3100)
      • msiexec.exe (PID: 6036)
    • Creates files in the driver directory

      • msiexec.exe (PID: 6036)
    • The process creates files with name similar to system file names

      • netlimiter-5.3.23.0 (1).exe (PID: 3100)
      • msiexec.exe (PID: 6036)
    • Drops a system driver (possible attempt to evade defenses)

      • netlimiter-5.3.23.0 (1).exe (PID: 3100)
      • msiexec.exe (PID: 6036)
    • Reads the date of Windows installation

      • NLClientApp.exe (PID: 7144)
  • INFO

    • The sample compiled with english language support

      • netlimiter-5.3.23.0 (1).exe (PID: 3100)
      • msiexec.exe (PID: 5132)
      • netlimiter-5.3.23.0 (1).exe (PID: 904)
      • msiexec.exe (PID: 6036)
      • msiexec.exe (PID: 856)
    • Reads the machine GUID from the registry

      • netlimiter-5.3.23.0 (1).exe (PID: 3100)
      • msiexec.exe (PID: 6036)
      • netlimiter-5.3.23.0 (1).exe (PID: 904)
      • NLSvc.exe (PID: 4620)
      • NLSvc.exe (PID: 5212)
      • NLClientApp.exe (PID: 5868)
      • NLClientApp.exe (PID: 7144)
    • Checks supported languages

      • netlimiter-5.3.23.0 (1).exe (PID: 3100)
      • msiexec.exe (PID: 6036)
      • netlimiter-5.3.23.0 (1).exe (PID: 904)
      • msiexec.exe (PID: 5132)
      • msiexec.exe (PID: 3896)
      • msiexec.exe (PID: 856)
      • NLClientApp.exe (PID: 5868)
      • NLSvc.exe (PID: 5212)
      • NLSvc.exe (PID: 4620)
      • NLClientApp.exe (PID: 7144)
      • NLSvcCliCnnCheck.exe (PID: 4108)
    • Reads Environment values

      • netlimiter-5.3.23.0 (1).exe (PID: 3100)
      • msiexec.exe (PID: 5132)
      • netlimiter-5.3.23.0 (1).exe (PID: 904)
      • msiexec.exe (PID: 856)
    • Reads the computer name

      • netlimiter-5.3.23.0 (1).exe (PID: 3100)
      • msiexec.exe (PID: 6036)
      • msiexec.exe (PID: 5132)
      • netlimiter-5.3.23.0 (1).exe (PID: 904)
      • msiexec.exe (PID: 856)
      • msiexec.exe (PID: 3896)
      • NLSvc.exe (PID: 5212)
      • NLSvc.exe (PID: 4620)
      • NLClientApp.exe (PID: 5868)
      • NLClientApp.exe (PID: 7144)
    • Reads the software policy settings

      • netlimiter-5.3.23.0 (1).exe (PID: 3100)
      • msiexec.exe (PID: 6036)
      • netlimiter-5.3.23.0 (1).exe (PID: 904)
      • NLSvc.exe (PID: 5212)
      • NLSvc.exe (PID: 4620)
      • NLClientApp.exe (PID: 5868)
      • NLClientApp.exe (PID: 7144)
    • Create files in a temporary directory

      • netlimiter-5.3.23.0 (1).exe (PID: 3100)
      • msiexec.exe (PID: 5132)
      • netlimiter-5.3.23.0 (1).exe (PID: 904)
      • msiexec.exe (PID: 3896)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 5132)
      • msiexec.exe (PID: 6036)
      • msiexec.exe (PID: 856)
    • Process checks computer location settings

      • netlimiter-5.3.23.0 (1).exe (PID: 3100)
      • NLClientApp.exe (PID: 7144)
    • Manages system restore points

      • SrTasks.exe (PID: 2852)
    • Creates files in the program directory

      • NLSvc.exe (PID: 5212)
      • NLSvc.exe (PID: 4620)
      • NLClientApp.exe (PID: 7144)
      • NLClientApp.exe (PID: 5868)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 6036)
    • Manual execution by a user

      • NLClientApp.exe (PID: 7144)
    • Creates files or folders in the user directory

      • NLClientApp.exe (PID: 7144)
    • Checks proxy server information

      • NLClientApp.exe (PID: 7144)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:12:14 13:40:00+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 14.34
CodeSize: 2450944
InitializedDataSize: 1032704
UninitializedDataSize: -
EntryPoint: 0x1d0974
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 5.3.23.0
ProductVersionNumber: 5.3.23.0
FileFlagsMask: 0x003f
FileFlags: Debug
FileOS: Win32
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Locktime Software
FileDescription: NetLimiter Installer
FileVersion: 5.3.23.0
InternalName: netlimiter-5.3.23.0
LegalCopyright: Copyright (C) 2025 Locktime Software
OriginalFileName: netlimiter-5.3.23.0.exe
ProductName: NetLimiter
ProductVersion: 5.3.23.0
No data.
Total processes
146
Monitored processes
17
Malicious processes
2
Suspicious processes
1

Behavior graph

start netlimiter-5.3.23.0 (1).exe msiexec.exe msiexec.exe netlimiter-5.3.23.0 (1).exe vssvc.exe no specs srtasks.exe no specs conhost.exe no specs msiexec.exe msiexec.exe no specs nlsvc.exe no specs conhost.exe no specs nlsvc.exe nlclientapp.exe no specs nlclientapp.exe nlsvcclicnncheck.exe no specs slui.exe no specs netlimiter-5.3.23.0 (1).exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID: 856
CMD: C:\Windows\syswow64\MsiExec.exe -Embedding 7F1616CBFC5FC7CD1113ACCBB7A23E9E
Path: C:\Windows\SysWOW64\msiexec.exe
Parent process: msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 904
CMD: "C:\Users\admin\AppData\Local\Temp\netlimiter-5.3.23.0 (1).exe" /i C:\Users\admin\AppData\Local\Temp\{99A7ADDA-C158-4120-943E-1AE60AC56D0C}\AC56D0C\netlimiter-5.3.23.0.x64.msi AI_EUIMSI=1 APPDIR="C:\Program Files\Locktime Software\NetLimiter" SECONDSEQUENCE="1" CLIENTPROCESSID="3100" AI_MORE_CMD_LINE=1
Path: C:\Users\admin\AppData\Local\Temp\netlimiter-5.3.23.0 (1).exe
Parent process: netlimiter-5.3.23.0 (1).exe
User:
admin
Company:
Locktime Software
Integrity Level:
HIGH
Description:
NetLimiter Installer
Exit code:
0
Version:
5.3.23.0
Modules
Images
c:\users\admin\appdata\local\temp\netlimiter-5.3.23.0 (1).exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 1812
CMD: "C:\Users\admin\AppData\Local\Temp\netlimiter-5.3.23.0 (1).exe"
Path: C:\Users\admin\AppData\Local\Temp\netlimiter-5.3.23.0 (1).exe
Parent process: explorer.exe
User:
admin
Company:
Locktime Software
Integrity Level:
MEDIUM
Description:
NetLimiter Installer
Exit code:
3221226540
Version:
5.3.23.0
Modules
Images
c:\users\admin\appdata\local\temp\netlimiter-5.3.23.0 (1).exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 2852
CMD: C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:11
Path: C:\Windows\System32\SrTasks.exe
Parent process: msiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Windows System Protection background tasks.
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\srtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 3100
CMD: "C:\Users\admin\AppData\Local\Temp\netlimiter-5.3.23.0 (1).exe"
Path: C:\Users\admin\AppData\Local\Temp\netlimiter-5.3.23.0 (1).exe
Parent process: explorer.exe
User:
admin
Company:
Locktime Software
Integrity Level:
HIGH
Description:
NetLimiter Installer
Exit code:
0
Version:
5.3.23.0
Modules
Images
c:\users\admin\appdata\local\temp\netlimiter-5.3.23.0 (1).exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 3896
CMD: C:\Windows\syswow64\MsiExec.exe -Embedding 8F44168FBB1CB8CBCE2F109800CE35AE E Global\MSI0000
Path: C:\Windows\SysWOW64\msiexec.exe
Parent process: msiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 4108
CMD: "C:\Program Files\Locktime Software\NetLimiter\NLSvcCliCnnCheck.exe" 10e66717ec914bbbbfb386bfcbe468ad
Path: C:\Program Files\Locktime Software\NetLimiter\NLSvcCliCnnCheck.exe
Parent process: NLClientApp.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
4294967295
Modules
Images
c:\program files\locktime software\netlimiter\nlsvcclicnncheck.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\vcruntime140.dll
PID: 4620
CMD: "C:\Program Files\Locktime Software\NetLimiter\NLSvc.exe"
Path: C:\Program Files\Locktime Software\NetLimiter\NLSvc.exe
Parent process: services.exe
User:
SYSTEM
Company:
Locktime Software
Integrity Level:
SYSTEM
Description:
NLSvc
Version:
5.3.23.0
Modules
Images
c:\program files\locktime software\netlimiter\nlsvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 4724
CMD: C:\WINDOWS\system32\vssvc.exe
Path: C:\Windows\System32\VSSVC.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4880
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
30 187
Read events
29 670
Write events
489
Delete events
28

Modification events

(PID) Process: (3100) netlimiter-5.3.23.0 (1).exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates
Operation: delete value
Name: 4EFC31460C619ECAE59C1BCE2C008036D94C84B8
Value:
(PID) Process: (3100) netlimiter-5.3.23.0 (1).exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8
Operation: write
Name: Blob
Value:
(PID) Process: (3100) netlimiter-5.3.23.0 (1).exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8
Operation: write
Name: Blob
Value:
(PID) Process: (6036) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Leave)
Value:
4800000000000000D0FE0AD174B4DB0194170000201B0000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (6036) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation: write
Name: SrCreateRp (Enter)
Value:
4800000000000000726CB0D074B4DB0194170000201B0000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (6036) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Enter)
Value:
48000000000000001810B3D074B4DB0194170000201B0000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (6036) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Leave)
Value:
4800000000000000FF9B08D174B4DB0194170000201B0000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (6036) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Enter)
Value:
4800000000000000FF9B08D174B4DB0194170000201B0000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (6036) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppCreate (Enter)
Value:
4800000000000000F0C70FD174B4DB0194170000201B0000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (6036) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation: write
Name: LastIndex
Value:
11
Executable files
504
Suspicious files
64
Text files
102
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 3100
Process: netlimiter-5.3.23.0 (1).exe
Filename: C:\Users\admin\AppData\Local\Temp\{99A7ADDA-C158-4120-943E-1AE60AC56D0C}\holder0.aiph
MD5:
SHA256:
PID: 3100
Process: netlimiter-5.3.23.0 (1).exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E
Type: binary
MD5:4330A06C0D3606CB9031F7CB611ED0A3
SHA256:CB0DE1DCA13A9F7DCB84050D5E59E0FEE34586B7DAC6D45BEEF76CE06B4B8888
PID: 3100
Process: netlimiter-5.3.23.0 (1).exe
Filename: C:\Users\admin\AppData\Local\Temp\{99A7ADDA-C158-4120-943E-1AE60AC56D0C}\AC56D0C\netlimiter-5.3.23.0.x64.msi
Type: executable
MD5:0FD447E7043F012F7CECB3C3F194BC62
SHA256:259F8E166C62E872AE1006BE3956D737555B8173E4FCB4C16175CB6FA97B5C41
PID: 3100
Process: netlimiter-5.3.23.0 (1).exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E
Type: binary
MD5:208E7542252AACBDEA98ECF5B4B489DC
SHA256:30DE539302DF99D4F05E1E0628728DBE9FE3D8F52FF587B625AD1DC19794BD21
PID: 3100
Process: netlimiter-5.3.23.0 (1).exe
Filename: C:\Users\admin\AppData\Local\Temp\{99A7ADDA-C158-4120-943E-1AE60AC56D0C}\AC56D0C\netlimiter-5.3.23.0.msi
Type: executable
MD5:755217DE39003A7C5F4B8BAE6174B770
SHA256:ECBC4778A5DF0FD62694F950C91CDA795CD3FC77B9F1D200469AB96712FB1C5A
PID: 3100
Process: netlimiter-5.3.23.0 (1).exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_E6F24C84455822F37E36BD9E2116AD33
Type: binary
MD5:9367C81E4F708FFCE953962AA18F1ECB
SHA256:3905F218077EAE7581483CE7ED0CCED978AA84CED2090837C79B3ADE338063BD
PID: 3100
Process: netlimiter-5.3.23.0 (1).exe
Filename: C:\Users\admin\AppData\Local\Temp\MSIDE1F.tmp
Type: executable
MD5:DB7612F0FD6408D664185CFC81BEF0CB
SHA256:E9E426B679B3EFB233F03C696E997E2DA3402F16A321E954B54454317FCEB240
PID: 3100
Process: netlimiter-5.3.23.0 (1).exe
Filename: C:\Users\admin\AppData\Local\Temp\shiDD13.tmp
Type: executable
MD5:84A34BF3486F7B9B7035DB78D78BDD1E
SHA256:F85911C910B660E528D2CF291BAA40A92D09961996D6D84E7A53A7095C7CD96E
PID: 3100
Process: netlimiter-5.3.23.0 (1).exe
Filename: C:\Users\admin\AppData\Local\Temp\MSIDD72.tmp
Type: executable
MD5:DB7612F0FD6408D664185CFC81BEF0CB
SHA256:E9E426B679B3EFB233F03C696E997E2DA3402F16A321E954B54454317FCEB240
PID: 3100
Process: netlimiter-5.3.23.0 (1).exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_E6F24C84455822F37E36BD9E2116AD33
Type: binary
MD5:DB92A4F6BFD16CD0D7441CEE786DAE94
SHA256:BB8E537F42E475E3926F1E1F68BECB20805585A96518AA30ABC17E14A95CAC7A
HTTP(S) requests
11
TCP/UDP connections
31
DNS requests
18
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
23.48.23.168:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
3100
netlimiter-5.3.23.0 (1).exe
GET
200
104.18.21.226:80
http://ocsp.globalsign.com/codesigningrootr45/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQVFZP5vqhCrtRN5SWf40Rn6NM1IAQUHwC%2FRoAK%2FHg5t6W0Q9lWULvOljsCEHe9DgW3WQu2HUdhUx4%2Fde0%3D
unknown
whitelisted
GET
200
2.16.253.202:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
3100
netlimiter-5.3.23.0 (1).exe
GET
200
104.18.21.226:80
http://ocsp.globalsign.com/gsgccr45evcodesignca2020/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQaCbVYh07WONuW4e63Ydlu4AlbDAQUJZ3Q%2FFkJhmPF7POxEztXHAOSNhECDEX685ZejurnNJyDZQ%3D%3D
unknown
whitelisted
6544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
4920
SIHClient.exe
GET
200
2.16.253.202:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
4920
SIHClient.exe
GET
200
2.16.253.202:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
7144
NLClientApp.exe
GET
200
23.48.23.180:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
4620
NLSvc.exe
GET
200
104.18.21.226:80
http://ocsp.globalsign.com/codesigningrootr45/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQVFZP5vqhCrtRN5SWf40Rn6NM1IAQUHwC%2FRoAK%2FHg5t6W0Q9lWULvOljsCEHe9DgW3WQu2HUdhUx4%2Fde0%3D
unknown
whitelisted
7144
NLClientApp.exe
GET
200
2.16.253.202:80
http://www.microsoft.com/pkiops/crl/MicWinProPCA2011_2011-10-19.crl%20
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
23.48.23.168:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2.16.253.202:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
2104
svchost.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
3216
svchost.exe
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
3100
netlimiter-5.3.23.0 (1).exe
104.18.21.226:80
ocsp.globalsign.com
CLOUDFLARENET
whitelisted
6544
svchost.exe
20.190.160.64:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
2104
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
crl.microsoft.com
  • 23.48.23.168
  • 23.48.23.147
  • 23.48.23.156
  • 23.48.23.161
  • 23.48.23.150
  • 23.48.23.164
  • 23.48.23.153
  • 23.48.23.166
  • 23.48.23.158
  • 23.48.23.180
  • 23.48.23.173
  • 23.48.23.183
  • 23.48.23.169
  • 23.48.23.179
  • 23.48.23.185
  • 23.48.23.176
  • 23.48.23.178
whitelisted
www.microsoft.com
  • 2.16.253.202
whitelisted
google.com
  • 142.250.185.110
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
ocsp.globalsign.com
  • 104.18.21.226
  • 104.18.20.226
whitelisted
login.live.com
  • 20.190.160.64
  • 20.190.160.131
  • 20.190.160.20
  • 20.190.160.132
  • 40.126.32.72
  • 40.126.32.74
  • 20.190.160.65
  • 20.190.160.14
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted

Threats

No threats detected
No debug info