File name:

HidHide_1.5.230_x64.exe

Full analysis: https://app.any.run/tasks/36c3cd98-6a03-484b-b027-355401d8e2ef
Verdict: Malicious activity
Analysis date: July 31, 2024, 18:53:02
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

705173711090D36275D62CA7B111BFC3

SHA1:

F7DE49272CBD8A8912F511C3A11471BE05B44E2A

SHA256:

F4BBBCB82E6258641B887C74BC81C4C5F66E4AA811808DFC304347687B7605F6

SSDEEP:

98304:voLfIHceJw1fOHuwjNYGy+6YbCTWaWruYdL/Ck97Iu/ChQuWo229QAPB3EAXd6+Q:77l+zTykhE

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • HidHide_1.5.230_x64.exe (PID: 6456)
      • HidHide_1.5.230_x64.exe (PID: 5924)
      • msiexec.exe (PID: 6924)
      • nefconw.exe (PID: 6264)
      • drvinst.exe (PID: 6384)
      • nefarius_HidHide_Updater.exe (PID: 5372)
    • Changes the autorun value in the registry

      • nefarius_HidHide_Updater.exe (PID: 5372)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • HidHide_1.5.230_x64.exe (PID: 6456)
      • HidHide_1.5.230_x64.exe (PID: 5924)
    • Reads the Windows owner or organization settings

      • HidHide_1.5.230_x64.exe (PID: 6456)
      • HidHide_1.5.230_x64.exe (PID: 5924)
      • msiexec.exe (PID: 6924)
    • Checks Windows Trust Settings

      • HidHide_1.5.230_x64.exe (PID: 6456)
      • HidHide_1.5.230_x64.exe (PID: 5924)
      • msiexec.exe (PID: 6924)
      • drvinst.exe (PID: 6384)
    • Reads security settings of Internet Explorer

      • HidHide_1.5.230_x64.exe (PID: 6456)
      • HidHide_1.5.230_x64.exe (PID: 5924)
    • Executable content was dropped or overwritten

      • HidHide_1.5.230_x64.exe (PID: 6456)
      • HidHide_1.5.230_x64.exe (PID: 5924)
      • nefconw.exe (PID: 6264)
      • drvinst.exe (PID: 6384)
      • nefarius_HidHide_Updater.exe (PID: 5372)
    • Reads Internet Explorer settings

      • HidHide_1.5.230_x64.exe (PID: 6456)
    • Application launched itself

      • HidHide_1.5.230_x64.exe (PID: 6456)
    • Executes as Windows Service

      • VSSVC.exe (PID: 3568)
      • HidHideWatchdog.exe (PID: 7096)
    • Reads the date of Windows installation

      • HidHide_1.5.230_x64.exe (PID: 6456)
    • Drops a system driver (possible attempt to evade defenses)

      • HidHide_1.5.230_x64.exe (PID: 6456)
      • msiexec.exe (PID: 6924)
      • nefconw.exe (PID: 6264)
      • drvinst.exe (PID: 6384)
    • Creates files in the driver directory

      • drvinst.exe (PID: 6384)
    • Creates or modifies Windows services

      • drvinst.exe (PID: 4236)
    • Detected use of alternative data streams (AltDS)

      • nefarius_HidHide_Updater.exe (PID: 5372)
      • nefarius_HidHide_Updater.exe (PID: 5932)
    • The process executes via Task Scheduler

      • PLUGScheduler.exe (PID: 3284)
  • INFO

    • Checks supported languages

      • msiexec.exe (PID: 7060)
      • HidHide_1.5.230_x64.exe (PID: 6456)
      • HidHide_1.5.230_x64.exe (PID: 5924)
      • msiexec.exe (PID: 6924)
      • msiexec.exe (PID: 6536)
      • HidHideWatchdog.exe (PID: 7096)
      • nefconw.exe (PID: 2616)
      • nefconw.exe (PID: 6264)
      • drvinst.exe (PID: 6384)
      • drvinst.exe (PID: 4236)
      • nefconw.exe (PID: 640)
      • nefconw.exe (PID: 2248)
      • nefconw.exe (PID: 3144)
      • nefarius_HidHide_Updater.exe (PID: 5372)
      • nefarius_HidHide_Updater.exe (PID: 5932)
      • PLUGScheduler.exe (PID: 3284)
    • Reads the computer name

      • msiexec.exe (PID: 7060)
      • HidHide_1.5.230_x64.exe (PID: 6456)
      • HidHide_1.5.230_x64.exe (PID: 5924)
      • msiexec.exe (PID: 6536)
      • HidHideWatchdog.exe (PID: 7096)
      • nefconw.exe (PID: 2616)
      • nefconw.exe (PID: 6264)
      • drvinst.exe (PID: 6384)
      • drvinst.exe (PID: 4236)
      • nefconw.exe (PID: 640)
      • nefconw.exe (PID: 2248)
      • nefconw.exe (PID: 3144)
      • nefarius_HidHide_Updater.exe (PID: 5372)
      • PLUGScheduler.exe (PID: 3284)
      • nefarius_HidHide_Updater.exe (PID: 5932)
    • Checks proxy server information

      • HidHide_1.5.230_x64.exe (PID: 6456)
    • Reads the software policy settings

      • HidHide_1.5.230_x64.exe (PID: 6456)
      • HidHide_1.5.230_x64.exe (PID: 5924)
      • msiexec.exe (PID: 6924)
      • drvinst.exe (PID: 6384)
    • Reads the machine GUID from the registry

      • HidHide_1.5.230_x64.exe (PID: 6456)
      • HidHide_1.5.230_x64.exe (PID: 5924)
      • msiexec.exe (PID: 6924)
      • drvinst.exe (PID: 6384)
    • Create files in a temporary directory

      • HidHide_1.5.230_x64.exe (PID: 6456)
      • HidHide_1.5.230_x64.exe (PID: 5924)
      • nefconw.exe (PID: 6264)
    • Creates files or folders in the user directory

      • HidHide_1.5.230_x64.exe (PID: 6456)
    • Creates files in the program directory

      • HidHide_1.5.230_x64.exe (PID: 6456)
      • nefarius_HidHide_Updater.exe (PID: 5372)
      • PLUGScheduler.exe (PID: 3284)
    • Reads Environment values

      • HidHide_1.5.230_x64.exe (PID: 6456)
      • msiexec.exe (PID: 7060)
      • HidHide_1.5.230_x64.exe (PID: 5924)
      • msiexec.exe (PID: 6536)
    • Process checks computer location settings

      • HidHide_1.5.230_x64.exe (PID: 6456)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 6924)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 6924)
    • Manual execution by a user

      • nefarius_HidHide_Updater.exe (PID: 5932)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:01:23 16:35:17+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 14.38
CodeSize: 2716672
InitializedDataSize: 1122816
UninitializedDataSize: -
EntryPoint: 0x20c1a0
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.5.230.0
ProductVersionNumber: 1.5.230.0
FileFlagsMask: 0x003f
FileFlags: Debug
FileOS: Win32
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Nefarius Software Solutions e.U.
FileDescription: HidHide Installer
FileVersion: 1.5.230
InternalName: HidHide_1.5.230_x64
LegalCopyright: Copyright (C) 2024 Nefarius Software Solutions e.U.
OriginalFileName: HidHide_1.5.230_x64.exe
ProductName: HidHide
ProductVersion: 1.5.230
No data.
All screenshots are available in the full report
Total processes
251
Monitored processes
19
Malicious processes
5
Suspicious processes
2

Behavior graph

start
  • hidhide_1.5.230_x64.exe
  • msiexec.exe
  • msiexec.exe (no specs)
  • hidhide_1.5.230_x64.exe
  • vssvc.exe (no specs)
  • srtasks.exe (no specs)
  • conhost.exe (no specs)
  • msiexec.exe (no specs)
  • hidhidewatchdog.exe (no specs)
  • nefconw.exe (no specs)
  • nefconw.exe
  • drvinst.exe
  • drvinst.exe (no specs)
  • nefconw.exe (no specs)
  • nefconw.exe (no specs)
  • nefconw.exe (no specs)
  • nefarius_hidhide_updater.exe
  • plugscheduler.exe (no specs)
  • nefarius_hidhide_updater.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID:
640
CMD:
"C:\Program Files\Nefarius Software Solutions\HidHide\x64\nefconw.exe" --add-class-filter --position upper --service-name HidHide --class-guid 745a17a0-74d3-11d0-b6fe-00a0c90f57da
Path:
C:\Program Files\Nefarius Software Solutions\HidHide\x64\nefconw.exe
Parent process:
msiexec.exe
User:
admin
Company:
Nefarius Software Solutions e.U.
Integrity Level:
HIGH
Description:
Nefarius' Device Console Utility
Exit code:
0
Version:
1.2.0.0
Modules
Images
c:\program files\nefarius software solutions\hidhide\x64\nefconw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\bcrypt.dll
PID:
2248
CMD:
"C:\Program Files\Nefarius Software Solutions\HidHide\x64\nefconw.exe" --add-class-filter --position upper --service-name HidHide --class-guid d61ca365-5af4-4486-998b-9db4734c6ca3
Path:
C:\Program Files\Nefarius Software Solutions\HidHide\x64\nefconw.exe
Parent process:
msiexec.exe
User:
admin
Company:
Nefarius Software Solutions e.U.
Integrity Level:
HIGH
Description:
Nefarius' Device Console Utility
Exit code:
0
Version:
1.2.0.0
Modules
Images
c:\program files\nefarius software solutions\hidhide\x64\nefconw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\bcrypt.dll
PID:
2616
CMD:
"C:\Program Files\Nefarius Software Solutions\HidHide\x64\nefconw.exe" --create-device-node --hardware-id root\HidHide --class-name System --class-guid 4D36E97D-E325-11CE-BFC1-08002BE10318
Path:
C:\Program Files\Nefarius Software Solutions\HidHide\x64\nefconw.exe
Parent process:
msiexec.exe
User:
admin
Company:
Nefarius Software Solutions e.U.
Integrity Level:
HIGH
Description:
Nefarius' Device Console Utility
Exit code:
0
Version:
1.2.0.0
Modules
Images
c:\program files\nefarius software solutions\hidhide\x64\nefconw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
PID:
3144
CMD:
"C:\Program Files\Nefarius Software Solutions\HidHide\x64\nefconw.exe" --add-class-filter --position upper --service-name HidHide --class-guid 05f5cfe2-4733-4950-a6bb-07aad01a3a84
Path:
C:\Program Files\Nefarius Software Solutions\HidHide\x64\nefconw.exe
Parent process:
msiexec.exe
User:
admin
Company:
Nefarius Software Solutions e.U.
Integrity Level:
HIGH
Description:
Nefarius' Device Console Utility
Exit code:
0
Version:
1.2.0.0
Modules
Images
c:\program files\nefarius software solutions\hidhide\x64\nefconw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\version.dll
PID:
3284
CMD:
"C:\Program Files\RUXIM\PLUGscheduler.exe"
Path:
C:\Program Files\RUXIM\PLUGScheduler.exe
Parent process:
svchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Update LifeCycle Component Scheduler
Exit code:
0
Version:
10.0.19041.3623 (WinBuild.160101.0800)
Modules
Images
c:\program files\ruxim\plugscheduler.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
PID:
3568
CMD:
C:\WINDOWS\system32\vssvc.exe
Path:
C:\Windows\System32\VSSVC.exe
Parent process:
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
4100
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
SrTasks.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
4236
CMD:
DrvInst.exe "2" "201" "ROOT\SYSTEM\0001" "C:\WINDOWS\System32\DriverStore\FileRepository\hidhide.inf_amd64_7c068d69bd48dffd\hidhide.inf" "oem1.inf:*:*:1.4.181.0:root\HidHide," "49f2aa4cb" "000000000000018C"
Path:
C:\Windows\System32\drvinst.exe
Parent process:
svchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Driver Installation Module
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\drvinst.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\drvstore.dll
PID:
5372
CMD:
"C:\Program Files\Nefarius Software Solutions\HidHide\x64\nefarius_HidHide_Updater.exe" --install --override-success-code 0
Path:
C:\Program Files\Nefarius Software Solutions\HidHide\x64\nefarius_HidHide_Updater.exe
Parent process:
msiexec.exe
User:
admin
Company:
Nefarius Software Solutions e.U.
Integrity Level:
HIGH
Description:
Universal Updater Agent
Exit code:
0
Version:
1.0.546
Modules
Images
c:\program files\nefarius software solutions\hidhide\x64\nefarius_hidhide_updater.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID:
5924
CMD:
"C:\Users\admin\Desktop\HidHide_1.5.230_x64.exe" /i "C:\ProgramData\Nefarius Software Solutions\HidHide 1.5.230\install\4F26DAF\HidHide.msi" AI_EUIMSI=1 APPDIR="C:\Program Files\Nefarius Software Solutions\HidHide" SECONDSEQUENCE="1" CLIENTPROCESSID="6456" CHAINERUIPROCESSID="6456Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" ADDLOCAL="MainFeature,HidHide_1,C4FE6FD5B7C4D07B3A313E754A9A6A8,HidHide_HID,HidHide" PRIMARYFOLDER="APPDIR" ROOTDRIVE="C:\" AI_PREREQDIRS="C:\Users\admin\AppData\Roaming" AI_FOUND_PREREQS="Visual C++ Redistributable for Visual Studio 2015-2022 x64" AI_SETUPEXEPATH="C:\Users\admin\Desktop\HidHide_1.5.230_x64.exe" SETUPEXEDIR="C:\Users\admin\Desktop\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1722451047 " TARGETDIR="C:\" AI_SETUPEXEPATH_ORIGINAL="C:\Users\admin\Desktop\HidHide_1.5.230_x64.exe" AI_INSTALL="1"
Path:
C:\Users\admin\Desktop\HidHide_1.5.230_x64.exe
Parent process:
HidHide_1.5.230_x64.exe
User:
admin
Company:
Nefarius Software Solutions e.U.
Integrity Level:
HIGH
Description:
HidHide Installer
Exit code:
0
Version:
1.5.230
Modules
Images
c:\users\admin\desktop\hidhide_1.5.230_x64.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\imagehlp.dll
Total events
21 716
Read events
21 363
Write events
316
Delete events
37

Modification events

(PID) Process: (6456) HidHide_1.5.230_x64.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (6456) HidHide_1.5.230_x64.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (6456) HidHide_1.5.230_x64.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (6456) HidHide_1.5.230_x64.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (6924) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation: write
Name: SrCreateRp (Enter)
Value: 48000000000000005E1EB5EF7AE3DA010C1B000020000000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (6924) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Enter)
Value: 48000000000000005E1EB5EF7AE3DA010C1B000020000000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (6924) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Leave)
Value: 4800000000000000C3B50FF07AE3DA010C1B000020000000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (6924) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Enter)
Value: 4800000000000000C3B50FF07AE3DA010C1B000020000000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (6924) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Leave)
Value: 4800000000000000701B12F07AE3DA010C1B000020000000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (6924) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppCreate (Enter)
Value: 4800000000000000187F14F07AE3DA010C1B000020000000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Executable files
47
Suspicious files
44
Text files
33
Unknown types
28

Dropped files

PID
Process
Filename
Type
PID: 6456
Process: HidHide_1.5.230_x64.exe
Filename: C:\ProgramData\Nefarius Software Solutions\HidHide 1.5.230\install\holder0.aiph
Type:
MD5:
SHA256:

PID: 6456
Process: HidHide_1.5.230_x64.exe
Filename: C:\Users\admin\AppData\Local\Temp\MSI83F9.tmp
Type: executable
MD5: 36CD2870D577FF917BA93C9F50F86374
SHA256: 8D3E94C47AF3DA706A9FE9E4428B2FEFD5E9E6C7145E96927FFFDF3DD5E472B8

PID: 6456
Process: HidHide_1.5.230_x64.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Type: binary
MD5: 800066565CB3A16FF41B8B478B57B0C3
SHA256: 7B5E9B307A98B56F38DD62E7898D63214EC35784C4C0F3DE0E6BCB6B90B13975

PID: 6456
Process: HidHide_1.5.230_x64.exe
Filename: C:\ProgramData\Nefarius Software Solutions\HidHide 1.5.230\install\4F26DAF\HidHide.msi
Type: executable
MD5: 9E5DBBDEE6CAC280E53C684E2D540697
SHA256: 974F2F56BB9D87E760FFDC757BBAA1AD94CEFB57431D73B1E5E209F262B8C9F7

PID: 6456
Process: HidHide_1.5.230_x64.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Type: der
MD5: E85D3869FEE69C18BA705E6D2F24B5A5
SHA256: EC7C74909C1A2C5F0AC7F5C50C419ABA64A273402313C965D03AA8EC460F0E30

PID: 6456
Process: HidHide_1.5.230_x64.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Type: binary
MD5: 0FFFDEA2313D84B8C91699746A6149FF
SHA256: 26CB2704A4CD6744DF29215E6B8C0DB8FBE04C1E78078A485761EAECBA825768

PID: 6456
Process: HidHide_1.5.230_x64.exe
Filename: C:\Users\admin\AppData\Local\Temp\shi81AF.tmp
Type: executable
MD5: 84A34BF3486F7B9B7035DB78D78BDD1E
SHA256: F85911C910B660E528D2CF291BAA40A92D09961996D6D84E7A53A7095C7CD96E

PID: 6456
Process: HidHide_1.5.230_x64.exe
Filename: C:\Users\admin\AppData\Local\Temp\MSI820D.tmp
Type: executable
MD5: 36CD2870D577FF917BA93C9F50F86374
SHA256: 8D3E94C47AF3DA706A9FE9E4428B2FEFD5E9E6C7145E96927FFFDF3DD5E472B8

PID: 6456
Process: HidHide_1.5.230_x64.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_35E9AC8BDBFF76B8DAD6DDAFD42E3BC2
Type: der
MD5: DAEAC1F9B2E6D15AE725E423E48200CE
SHA256: EC0BCFA5DB59AFD279E4D3E586722A63ED458148AEDBDC83A965B8A29B8B0B3F

PID: 6456
Process: HidHide_1.5.230_x64.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_35E9AC8BDBFF76B8DAD6DDAFD42E3BC2
Type: binary
MD5: 0D9816DE1BFAE3C5AC407F2BEEBAAC9D
SHA256: FA6E9C254F809FA6228F953EF1DEDCC081E44BBB31D0066F4FC2C43B5C5D00CC
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
27
TCP/UDP connections
32
DNS requests
14
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6456
HidHide_1.5.230_x64.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D
US
binary
471 b
whitelisted
6456
HidHide_1.5.230_x64.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D
US
binary
727 b
whitelisted
6456
HidHide_1.5.230_x64.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEA4sR33wtnOE7yQZOQX4O%2F0%3D
US
binary
727 b
whitelisted
POST
204
2.23.209.140:443
https://www.bing.com/threshold/xls.aspx
unknown
unknown
GET
200
52.109.32.97:443
https://officeclient.microsoft.com/config16/?syslcid=1033&build=16.0.16026&crev=3
GB
xml
171 Kb
unknown
POST
204
2.23.209.176:443
https://www.bing.com/threshold/xls.aspx
unknown
unknown
POST
204
2.23.209.150:443
https://www.bing.com/threshold/xls.aspx
unknown
unknown
GET
200
2.23.209.176:443
https://www.bing.com/manifest/threshold.appcache
unknown
text
3.36 Kb
unknown
POST
204
2.23.209.140:443
https://www.bing.com/threshold/xls.aspx
unknown
unknown
GET
304
2.23.209.140:443
https://r.bing.com/rb/4N/jnc,nj/WHBHN5CD2X9iLHkLc7Ck-5t1mtg.js?bu=FpIs1Cr8AeQq5yrqKuwqkSuaLOAr5RH6K4Asniz8AfwBgyjDK-MR2hHXK8gr&or=w
unknown
unknown

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4576
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4208
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2120
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
239.255.255.250:1900
whitelisted
4
System
192.168.100.255:137
whitelisted
6456
HidHide_1.5.230_x64.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
2120
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
4576
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4324
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 40.127.240.158
  • 4.231.128.59
whitelisted
google.com
  • 172.217.18.110
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
www.bing.com
  • 2.23.209.179
  • 2.23.209.189
  • 2.23.209.130
  • 2.23.209.187
  • 2.23.209.181
  • 2.23.209.182
  • 2.23.209.133
  • 2.23.209.135
  • 2.23.209.185
  • 2.16.100.49
  • 2.16.100.66
  • 2.16.100.51
  • 2.16.100.59
  • 2.16.100.43
  • 2.16.100.50
  • 2.16.100.58
  • 2.16.100.128
  • 2.16.100.64
whitelisted
self.events.data.microsoft.com
  • 20.189.173.11
  • 20.189.173.27
whitelisted
officeclient.microsoft.com
  • 52.109.76.240
whitelisted
ecs.office.com
  • 52.113.194.132
whitelisted
th.bing.com
  • 2.23.209.149
  • 2.23.209.135
  • 2.23.209.185
  • 2.23.209.189
  • 2.23.209.150
  • 2.23.209.181
  • 2.23.209.133
  • 2.23.209.182
  • 2.23.209.140
whitelisted
r.bing.com
  • 2.23.209.176
  • 2.23.209.185
  • 2.23.209.189
  • 2.23.209.149
  • 2.23.209.135
  • 2.23.209.150
  • 2.23.209.158
  • 2.23.209.133
  • 2.23.209.140
whitelisted
vicius.api.nefarius.systems
  • 38.242.217.201
unknown

Threats

PID
Process
Class
Message
Generic Protocol Command Decode
SURICATA HTTP Request abnormal Content-Encoding header
1 ETPRO signatures available at the full report
Process
Message
nefarius_HidHide_Updater.exe
[2024-07-31 18:53:54.805] [vicius-updater] [info] No local configuration found at C:\Program Files\Nefarius Software Solutions\HidHide\x64\nefarius_HidHide_Updater.json
nefarius_HidHide_Updater.exe
[2024-07-31 18:53:54.806] [vicius-updater] [info] Extracted manufacturer nefarius and product HidHide values
nefarius_HidHide_Updater.exe
[2024-07-31 18:53:54.838] [vicius-updater] [info] Installation tasks finished successfully