File name: HidHide_1.5.230_x64.exe

Full analysis: https://app.any.run/tasks/36c3cd98-6a03-484b-b027-355401d8e2ef
Verdict: Malicious activity
Analysis date: July 31, 2024, 18:53:02
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 705173711090D36275D62CA7B111BFC3
SHA1: F7DE49272CBD8A8912F511C3A11471BE05B44E2A
SHA256: F4BBBCB82E6258641B887C74BC81C4C5F66E4AA811808DFC304347687B7605F6
SSDEEP: 98304:voLfIHceJw1fOHuwjNYGy+6YbCTWaWruYdL/Ck97Iu/ChQuWo229QAPB3EAXd6+Q:77l+zTykhE

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • HidHide_1.5.230_x64.exe (PID: 6456)
      • HidHide_1.5.230_x64.exe (PID: 5924)
      • msiexec.exe (PID: 6924)
      • nefconw.exe (PID: 6264)
      • drvinst.exe (PID: 6384)
      • nefarius_HidHide_Updater.exe (PID: 5372)
    • Changes the autorun value in the registry

      • nefarius_HidHide_Updater.exe (PID: 5372)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • HidHide_1.5.230_x64.exe (PID: 6456)
      • HidHide_1.5.230_x64.exe (PID: 5924)
    • Executable content was dropped or overwritten

      • HidHide_1.5.230_x64.exe (PID: 6456)
      • HidHide_1.5.230_x64.exe (PID: 5924)
      • nefconw.exe (PID: 6264)
      • drvinst.exe (PID: 6384)
      • nefarius_HidHide_Updater.exe (PID: 5372)
    • Checks Windows Trust Settings

      • HidHide_1.5.230_x64.exe (PID: 6456)
      • HidHide_1.5.230_x64.exe (PID: 5924)
      • msiexec.exe (PID: 6924)
      • drvinst.exe (PID: 6384)
    • Reads the Windows owner or organization settings

      • HidHide_1.5.230_x64.exe (PID: 6456)
      • HidHide_1.5.230_x64.exe (PID: 5924)
      • msiexec.exe (PID: 6924)
    • Process drops legitimate windows executable

      • HidHide_1.5.230_x64.exe (PID: 6456)
      • HidHide_1.5.230_x64.exe (PID: 5924)
    • Reads Internet Explorer settings

      • HidHide_1.5.230_x64.exe (PID: 6456)
    • Reads the date of Windows installation

      • HidHide_1.5.230_x64.exe (PID: 6456)
    • Executes as Windows Service

      • VSSVC.exe (PID: 3568)
      • HidHideWatchdog.exe (PID: 7096)
    • Application launched itself

      • HidHide_1.5.230_x64.exe (PID: 6456)
    • Drops a system driver (possible attempt to evade defenses)

      • msiexec.exe (PID: 6924)
      • HidHide_1.5.230_x64.exe (PID: 6456)
      • nefconw.exe (PID: 6264)
      • drvinst.exe (PID: 6384)
    • Creates files in the driver directory

      • drvinst.exe (PID: 6384)
    • Creates or modifies Windows services

      • drvinst.exe (PID: 4236)
    • Detected use of alternative data streams (AltDS)

      • nefarius_HidHide_Updater.exe (PID: 5372)
      • nefarius_HidHide_Updater.exe (PID: 5932)
    • The process executes via Task Scheduler

      • PLUGScheduler.exe (PID: 3284)
  • INFO

    • Reads the computer name

      • HidHide_1.5.230_x64.exe (PID: 6456)
      • msiexec.exe (PID: 7060)
      • HidHide_1.5.230_x64.exe (PID: 5924)
      • msiexec.exe (PID: 6536)
      • HidHideWatchdog.exe (PID: 7096)
      • nefconw.exe (PID: 2616)
      • nefconw.exe (PID: 6264)
      • drvinst.exe (PID: 6384)
      • drvinst.exe (PID: 4236)
      • nefconw.exe (PID: 2248)
      • nefconw.exe (PID: 640)
      • nefconw.exe (PID: 3144)
      • nefarius_HidHide_Updater.exe (PID: 5372)
      • PLUGScheduler.exe (PID: 3284)
      • nefarius_HidHide_Updater.exe (PID: 5932)
    • Reads the machine GUID from the registry

      • HidHide_1.5.230_x64.exe (PID: 6456)
      • HidHide_1.5.230_x64.exe (PID: 5924)
      • msiexec.exe (PID: 6924)
      • drvinst.exe (PID: 6384)
    • Checks supported languages

      • HidHide_1.5.230_x64.exe (PID: 6456)
      • msiexec.exe (PID: 7060)
      • HidHide_1.5.230_x64.exe (PID: 5924)
      • msiexec.exe (PID: 6924)
      • msiexec.exe (PID: 6536)
      • HidHideWatchdog.exe (PID: 7096)
      • nefconw.exe (PID: 2616)
      • nefconw.exe (PID: 6264)
      • drvinst.exe (PID: 4236)
      • drvinst.exe (PID: 6384)
      • nefconw.exe (PID: 2248)
      • nefconw.exe (PID: 640)
      • nefarius_HidHide_Updater.exe (PID: 5932)
      • nefconw.exe (PID: 3144)
      • nefarius_HidHide_Updater.exe (PID: 5372)
      • PLUGScheduler.exe (PID: 3284)
    • Creates files in the program directory

      • HidHide_1.5.230_x64.exe (PID: 6456)
      • PLUGScheduler.exe (PID: 3284)
      • nefarius_HidHide_Updater.exe (PID: 5372)
    • Reads Environment values

      • HidHide_1.5.230_x64.exe (PID: 6456)
      • msiexec.exe (PID: 7060)
      • HidHide_1.5.230_x64.exe (PID: 5924)
      • msiexec.exe (PID: 6536)
    • Reads the software policy settings

      • HidHide_1.5.230_x64.exe (PID: 6456)
      • HidHide_1.5.230_x64.exe (PID: 5924)
      • msiexec.exe (PID: 6924)
      • drvinst.exe (PID: 6384)
    • Creates files or folders in the user directory

      • HidHide_1.5.230_x64.exe (PID: 6456)
    • Checks proxy server information

      • HidHide_1.5.230_x64.exe (PID: 6456)
    • Create files in a temporary directory

      • HidHide_1.5.230_x64.exe (PID: 6456)
      • HidHide_1.5.230_x64.exe (PID: 5924)
      • nefconw.exe (PID: 6264)
    • Process checks computer location settings

      • HidHide_1.5.230_x64.exe (PID: 6456)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 6924)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 6924)
    • Manual execution by a user

      • nefarius_HidHide_Updater.exe (PID: 5932)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:01:23 16:35:17+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 14.38
CodeSize: 2716672
InitializedDataSize: 1122816
UninitializedDataSize: -
EntryPoint: 0x20c1a0
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.5.230.0
ProductVersionNumber: 1.5.230.0
FileFlagsMask: 0x003f
FileFlags: Debug
FileOS: Win32
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Nefarius Software Solutions e.U.
FileDescription: HidHide Installer
FileVersion: 1.5.230
InternalName: HidHide_1.5.230_x64
LegalCopyright: Copyright (C) 2024 Nefarius Software Solutions e.U.
OriginalFileName: HidHide_1.5.230_x64.exe
ProductName: HidHide
ProductVersion: 1.5.230
No data.
All screenshots are available in the full report
Total processes: 251
Monitored processes: 19
Malicious processes: 5
Suspicious processes: 2

Behavior graph

  • hidhide_1.5.230_x64.exe
  • msiexec.exe
  • msiexec.exe (no specs)
  • hidhide_1.5.230_x64.exe
  • vssvc.exe (no specs)
  • srtasks.exe (no specs)
  • conhost.exe (no specs)
  • msiexec.exe (no specs)
  • hidhidewatchdog.exe (no specs)
  • nefconw.exe (no specs)
  • nefconw.exe
  • drvinst.exe
  • drvinst.exe (no specs)
  • nefconw.exe (no specs)
  • nefconw.exe (no specs)
  • nefconw.exe (no specs)
  • nefarius_hidhide_updater.exe
  • plugscheduler.exe (no specs)
  • nefarius_hidhide_updater.exe

Process information

PID: 640
CMD: "C:\Program Files\Nefarius Software Solutions\HidHide\x64\nefconw.exe" --add-class-filter --position upper --service-name HidHide --class-guid 745a17a0-74d3-11d0-b6fe-00a0c90f57da
Path: C:\Program Files\Nefarius Software Solutions\HidHide\x64\nefconw.exe
Parent process: msiexec.exe
User: admin
Company: Nefarius Software Solutions e.U.
Integrity Level: HIGH
Description: Nefarius' Device Console Utility
Exit code: 0
Version: 1.2.0.0
Modules (images):
c:\program files\nefarius software solutions\hidhide\x64\nefconw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\bcrypt.dll

PID: 2248
CMD: "C:\Program Files\Nefarius Software Solutions\HidHide\x64\nefconw.exe" --add-class-filter --position upper --service-name HidHide --class-guid d61ca365-5af4-4486-998b-9db4734c6ca3
Path: C:\Program Files\Nefarius Software Solutions\HidHide\x64\nefconw.exe
Parent process: msiexec.exe
User: admin
Company: Nefarius Software Solutions e.U.
Integrity Level: HIGH
Description: Nefarius' Device Console Utility
Exit code: 0
Version: 1.2.0.0
Modules (images):
c:\program files\nefarius software solutions\hidhide\x64\nefconw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\bcrypt.dll

PID: 2616
CMD: "C:\Program Files\Nefarius Software Solutions\HidHide\x64\nefconw.exe" --create-device-node --hardware-id root\HidHide --class-name System --class-guid 4D36E97D-E325-11CE-BFC1-08002BE10318
Path: C:\Program Files\Nefarius Software Solutions\HidHide\x64\nefconw.exe
Parent process: msiexec.exe
User: admin
Company: Nefarius Software Solutions e.U.
Integrity Level: HIGH
Description: Nefarius' Device Console Utility
Exit code: 0
Version: 1.2.0.0
Modules (images):
c:\program files\nefarius software solutions\hidhide\x64\nefconw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll

PID: 3144
CMD: "C:\Program Files\Nefarius Software Solutions\HidHide\x64\nefconw.exe" --add-class-filter --position upper --service-name HidHide --class-guid 05f5cfe2-4733-4950-a6bb-07aad01a3a84
Path: C:\Program Files\Nefarius Software Solutions\HidHide\x64\nefconw.exe
Parent process: msiexec.exe
User: admin
Company: Nefarius Software Solutions e.U.
Integrity Level: HIGH
Description: Nefarius' Device Console Utility
Exit code: 0
Version: 1.2.0.0
Modules (images):
c:\program files\nefarius software solutions\hidhide\x64\nefconw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\version.dll

PID: 3284
CMD: "C:\Program Files\RUXIM\PLUGscheduler.exe"
Path: C:\Program Files\RUXIM\PLUGScheduler.exe
Parent process: svchost.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Update LifeCycle Component Scheduler
Exit code: 0
Version: 10.0.19041.3623 (WinBuild.160101.0800)
Modules (images):
c:\program files\ruxim\plugscheduler.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll

PID: 3568
CMD: C:\WINDOWS\system32\vssvc.exe
Path: C:\Windows\System32\VSSVC.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft® Volume Shadow Copy Service
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 4100
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: SrTasks.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 4236
CMD: DrvInst.exe "2" "201" "ROOT\SYSTEM\0001" "C:\WINDOWS\System32\DriverStore\FileRepository\hidhide.inf_amd64_7c068d69bd48dffd\hidhide.inf" "oem1.inf:*:*:1.4.181.0:root\HidHide," "49f2aa4cb" "000000000000018C"
Path: C:\Windows\System32\drvinst.exe
Parent process: svchost.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Driver Installation Module
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\drvinst.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\drvstore.dll

PID: 5372
CMD: "C:\Program Files\Nefarius Software Solutions\HidHide\x64\nefarius_HidHide_Updater.exe" --install --override-success-code 0
Path: C:\Program Files\Nefarius Software Solutions\HidHide\x64\nefarius_HidHide_Updater.exe
Parent process: msiexec.exe
User: admin
Company: Nefarius Software Solutions e.U.
Integrity Level: HIGH
Description: Universal Updater Agent
Exit code: 0
Version: 1.0.546
Modules (images):
c:\program files\nefarius software solutions\hidhide\x64\nefarius_hidhide_updater.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

PID: 5924
CMD: "C:\Users\admin\Desktop\HidHide_1.5.230_x64.exe" /i "C:\ProgramData\Nefarius Software Solutions\HidHide 1.5.230\install\4F26DAF\HidHide.msi" AI_EUIMSI=1 APPDIR="C:\Program Files\Nefarius Software Solutions\HidHide" SECONDSEQUENCE="1" CLIENTPROCESSID="6456" CHAINERUIPROCESSID="6456Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" ADDLOCAL="MainFeature,HidHide_1,C4FE6FD5B7C4D07B3A313E754A9A6A8,HidHide_HID,HidHide" PRIMARYFOLDER="APPDIR" ROOTDRIVE="C:\" AI_PREREQDIRS="C:\Users\admin\AppData\Roaming" AI_FOUND_PREREQS="Visual C++ Redistributable for Visual Studio 2015-2022 x64" AI_SETUPEXEPATH="C:\Users\admin\Desktop\HidHide_1.5.230_x64.exe" SETUPEXEDIR="C:\Users\admin\Desktop\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1722451047 " TARGETDIR="C:\" AI_SETUPEXEPATH_ORIGINAL="C:\Users\admin\Desktop\HidHide_1.5.230_x64.exe" AI_INSTALL="1"
Path: C:\Users\admin\Desktop\HidHide_1.5.230_x64.exe
Parent process: HidHide_1.5.230_x64.exe
User: admin
Company: Nefarius Software Solutions e.U.
Integrity Level: HIGH
Description: HidHide Installer
Exit code: 0
Version: 1.5.230
Modules (images):
c:\users\admin\desktop\hidhide_1.5.230_x64.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\imagehlp.dll
Total events: 21 716
Read events: 21 363
Write events: 316
Delete events: 37

Modification events

Process: HidHide_1.5.230_x64.exe (PID 6456)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

Process: HidHide_1.5.230_x64.exe (PID 6456)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

Process: HidHide_1.5.230_x64.exe (PID 6456)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

Process: HidHide_1.5.230_x64.exe (PID 6456)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

Process: msiexec.exe (PID 6924)
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation: write
Name: SrCreateRp (Enter)
Value: 48000000000000005E1EB5EF7AE3DA010C1B000020000000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Process: msiexec.exe (PID 6924)
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Enter)
Value: 48000000000000005E1EB5EF7AE3DA010C1B000020000000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Process: msiexec.exe (PID 6924)
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Leave)
Value: 4800000000000000C3B50FF07AE3DA010C1B000020000000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Process: msiexec.exe (PID 6924)
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Enter)
Value: 4800000000000000C3B50FF07AE3DA010C1B000020000000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Process: msiexec.exe (PID 6924)
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Leave)
Value: 4800000000000000701B12F07AE3DA010C1B000020000000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000

Process: msiexec.exe (PID 6924)
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppCreate (Enter)
Value: 4800000000000000187F14F07AE3DA010C1B000020000000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Executable files: 47
Suspicious files: 44
Text files: 33
Unknown types: 28

Dropped files

PID: 6456
Process: HidHide_1.5.230_x64.exe
Filename: C:\ProgramData\Nefarius Software Solutions\HidHide 1.5.230\install\holder0.aiph
MD5:
SHA256:

PID: 6456
Process: HidHide_1.5.230_x64.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Type: der
MD5: E85D3869FEE69C18BA705E6D2F24B5A5
SHA256: EC7C74909C1A2C5F0AC7F5C50C419ABA64A273402313C965D03AA8EC460F0E30

PID: 6456
Process: HidHide_1.5.230_x64.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Type: der
MD5: D45E464F74563736227583E0B9EE3894
SHA256: E81791117F3BEE3DC45E0610B3642A267C177031174E4DC0ACB514EF6ADE239A

PID: 6456
Process: HidHide_1.5.230_x64.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Type: binary
MD5: 0FFFDEA2313D84B8C91699746A6149FF
SHA256: 26CB2704A4CD6744DF29215E6B8C0DB8FBE04C1E78078A485761EAECBA825768

PID: 6456
Process: HidHide_1.5.230_x64.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_35E9AC8BDBFF76B8DAD6DDAFD42E3BC2
Type: der
MD5: DAEAC1F9B2E6D15AE725E423E48200CE
SHA256: EC0BCFA5DB59AFD279E4D3E586722A63ED458148AEDBDC83A965B8A29B8B0B3F

PID: 6456
Process: HidHide_1.5.230_x64.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_35E9AC8BDBFF76B8DAD6DDAFD42E3BC2
Type: binary
MD5: 0D9816DE1BFAE3C5AC407F2BEEBAAC9D
SHA256: FA6E9C254F809FA6228F953EF1DEDCC081E44BBB31D0066F4FC2C43B5C5D00CC

PID: 6456
Process: HidHide_1.5.230_x64.exe
Filename: C:\ProgramData\Nefarius Software Solutions\HidHide 1.5.230\install\4F26DAF\HidHide.msi
Type: executable
MD5: 9E5DBBDEE6CAC280E53C684E2D540697
SHA256: 974F2F56BB9D87E760FFDC757BBAA1AD94CEFB57431D73B1E5E209F262B8C9F7

PID: 6456
Process: HidHide_1.5.230_x64.exe
Filename: C:\Users\admin\AppData\Local\Temp\MSI83F9.tmp
Type: executable
MD5: 36CD2870D577FF917BA93C9F50F86374
SHA256: 8D3E94C47AF3DA706A9FE9E4428B2FEFD5E9E6C7145E96927FFFDF3DD5E472B8

PID: 6456
Process: HidHide_1.5.230_x64.exe
Filename: C:\Users\admin\AppData\Local\Temp\MSI820D.tmp
Type: executable
MD5: 36CD2870D577FF917BA93C9F50F86374
SHA256: 8D3E94C47AF3DA706A9FE9E4428B2FEFD5E9E6C7145E96927FFFDF3DD5E472B8

PID: 6456
Process: HidHide_1.5.230_x64.exe
Filename: C:\Users\admin\AppData\Local\Temp\shi81AF.tmp
Type: executable
MD5: 84A34BF3486F7B9B7035DB78D78BDD1E
SHA256: F85911C910B660E528D2CF291BAA40A92D09961996D6D84E7A53A7095C7CD96E
HTTP(S) requests: 27
TCP/UDP connections: 32
DNS requests: 14
Threats: 2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6456
HidHide_1.5.230_x64.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D
unknown
whitelisted
6456
HidHide_1.5.230_x64.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D
unknown
whitelisted
6456
HidHide_1.5.230_x64.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEA4sR33wtnOE7yQZOQX4O%2F0%3D
unknown
whitelisted
GET
304
2.23.209.140:443
https://r.bing.com/rb/4N/jnc,nj/WHBHN5CD2X9iLHkLc7Ck-5t1mtg.js?bu=FpIs1Cr8AeQq5yrqKuwqkSuaLOAr5RH6K4Asniz8AfwBgyjDK-MR2hHXK8gr&or=w
unknown
GET
304
2.23.209.133:443
https://r.bing.com/rb/16/jnc,nj/8is6HLWQOmmjdhp0hh0w6MjZScI.js?bu=DygxcoQBiQGMAYEBe36_AcIBMbIBMcUB&or=w
unknown
GET
304
2.23.209.177:443
https://r.bing.com/rb/19/cir3,ortl,cc,nc/CYGXBN1kkA_ojDY5vKbCoG4Zy0E.css?bu=C-QIiwOKBL4JpQiPCL0GWVlZWQ&or=w
unknown
GET
304
2.23.209.150:443
https://r.bing.com/rb/6j/cir3,ortl,cc,nc/1UB5YvNFrfbb4cLqddqK_32ePXU.css?bu=McEKuwrHCrsKqwu7CrELuwq5C7sKwAu7CsYLuwrMC7sK0gu7CtkKuwrfCrsK0wq7CrsKogu7Cu4Kuwr0CrsK6Aq7CvoKhAuHC7sKuwqfC40LuwqTC5YLuwr7C7sK2Au7CqkM&or=w
unknown
GET
304
2.23.209.130:443
https://r.bing.com/rb/3E/ortl,cc,nc/4-xJy3tX6bM2BGl5zKioiEcQ1TU.css?bu=A4gCjAKPAg&or=w
unknown
GET
304
2.23.209.176:443
https://r.bing.com/rb/6j/ortl,cc,nc/QNBBNqWD9F_Blep-UqQSqnMp-FI.css?bu=AbsK&or=w
unknown
GET
304
2.23.209.140:443
https://r.bing.com/rb/6j/ortl,cc,nc/_BjeFNPDJ-N9umMValublyrbq4Y.css?bu=CZYMuwqbDLsKnwy7CrsKuwq7Cg&or=w
unknown

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4576
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4208
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2120
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
239.255.255.250:1900
whitelisted
4
System
192.168.100.255:137
whitelisted
6456
HidHide_1.5.230_x64.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
2120
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
4576
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4324
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 40.127.240.158
  • 4.231.128.59
whitelisted
google.com
  • 172.217.18.110
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
www.bing.com
  • 2.23.209.179
  • 2.23.209.189
  • 2.23.209.130
  • 2.23.209.187
  • 2.23.209.181
  • 2.23.209.182
  • 2.23.209.133
  • 2.23.209.135
  • 2.23.209.185
  • 2.16.100.49
  • 2.16.100.66
  • 2.16.100.51
  • 2.16.100.59
  • 2.16.100.43
  • 2.16.100.50
  • 2.16.100.58
  • 2.16.100.128
  • 2.16.100.64
whitelisted
self.events.data.microsoft.com
  • 20.189.173.11
  • 20.189.173.27
whitelisted
officeclient.microsoft.com
  • 52.109.76.240
whitelisted
ecs.office.com
  • 52.113.194.132
whitelisted
th.bing.com
  • 2.23.209.149
  • 2.23.209.135
  • 2.23.209.185
  • 2.23.209.189
  • 2.23.209.150
  • 2.23.209.181
  • 2.23.209.133
  • 2.23.209.182
  • 2.23.209.140
whitelisted
r.bing.com
  • 2.23.209.176
  • 2.23.209.185
  • 2.23.209.189
  • 2.23.209.149
  • 2.23.209.135
  • 2.23.209.150
  • 2.23.209.158
  • 2.23.209.133
  • 2.23.209.140
whitelisted
vicius.api.nefarius.systems
  • 38.242.217.201
unknown

Threats

Class: Generic Protocol Command Decode
Message: SURICATA HTTP Request abnormal Content-Encoding header
1 ETPRO signatures available at the full report

Process: nefarius_HidHide_Updater.exe
Message: [2024-07-31 18:53:54.805] [vicius-updater] [info] No local configuration found at C:\Program Files\Nefarius Software Solutions\HidHide\x64\nefarius_HidHide_Updater.json

Process: nefarius_HidHide_Updater.exe
Message: [2024-07-31 18:53:54.806] [vicius-updater] [info] Extracted manufacturer nefarius and product HidHide values

Process: nefarius_HidHide_Updater.exe
Message: [2024-07-31 18:53:54.838] [vicius-updater] [info] Installation tasks finished successfully