File name: HidHide_1.5.230_x64.exe

Full analysis: https://app.any.run/tasks/36c3cd98-6a03-484b-b027-355401d8e2ef
Verdict: Malicious activity
Analysis date: July 31, 2024, 18:53:02
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 705173711090D36275D62CA7B111BFC3
SHA1: F7DE49272CBD8A8912F511C3A11471BE05B44E2A
SHA256: F4BBBCB82E6258641B887C74BC81C4C5F66E4AA811808DFC304347687B7605F6
SSDEEP: 98304:voLfIHceJw1fOHuwjNYGy+6YbCTWaWruYdL/Ck97Iu/ChQuWo229QAPB3EAXd6+Q:77l+zTykhE

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • HidHide_1.5.230_x64.exe (PID: 5924)
      • HidHide_1.5.230_x64.exe (PID: 6456)
      • msiexec.exe (PID: 6924)
      • nefconw.exe (PID: 6264)
      • drvinst.exe (PID: 6384)
      • nefarius_HidHide_Updater.exe (PID: 5372)
    • Changes the autorun value in the registry

      • nefarius_HidHide_Updater.exe (PID: 5372)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • HidHide_1.5.230_x64.exe (PID: 6456)
      • HidHide_1.5.230_x64.exe (PID: 5924)
    • Checks Windows Trust Settings

      • HidHide_1.5.230_x64.exe (PID: 6456)
      • HidHide_1.5.230_x64.exe (PID: 5924)
      • msiexec.exe (PID: 6924)
      • drvinst.exe (PID: 6384)
    • Executable content was dropped or overwritten

      • HidHide_1.5.230_x64.exe (PID: 6456)
      • HidHide_1.5.230_x64.exe (PID: 5924)
      • nefconw.exe (PID: 6264)
      • drvinst.exe (PID: 6384)
      • nefarius_HidHide_Updater.exe (PID: 5372)
    • Reads the Windows owner or organization settings

      • HidHide_1.5.230_x64.exe (PID: 6456)
      • HidHide_1.5.230_x64.exe (PID: 5924)
      • msiexec.exe (PID: 6924)
    • Process drops legitimate windows executable

      • HidHide_1.5.230_x64.exe (PID: 6456)
      • HidHide_1.5.230_x64.exe (PID: 5924)
    • Reads Internet Explorer settings

      • HidHide_1.5.230_x64.exe (PID: 6456)
    • Reads the date of Windows installation

      • HidHide_1.5.230_x64.exe (PID: 6456)
    • Application launched itself

      • HidHide_1.5.230_x64.exe (PID: 6456)
    • Executes as Windows Service

      • VSSVC.exe (PID: 3568)
      • HidHideWatchdog.exe (PID: 7096)
    • Drops a system driver (possible attempt to evade defenses)

      • HidHide_1.5.230_x64.exe (PID: 6456)
      • msiexec.exe (PID: 6924)
      • nefconw.exe (PID: 6264)
      • drvinst.exe (PID: 6384)
    • Creates files in the driver directory

      • drvinst.exe (PID: 6384)
    • Creates or modifies Windows services

      • drvinst.exe (PID: 4236)
    • Detected use of alternative data streams (AltDS)

      • nefarius_HidHide_Updater.exe (PID: 5372)
      • nefarius_HidHide_Updater.exe (PID: 5932)
    • The process executes via Task Scheduler

      • PLUGScheduler.exe (PID: 3284)
  • INFO

    • Reads Environment values

      • HidHide_1.5.230_x64.exe (PID: 6456)
      • msiexec.exe (PID: 7060)
      • HidHide_1.5.230_x64.exe (PID: 5924)
      • msiexec.exe (PID: 6536)
    • Reads the software policy settings

      • HidHide_1.5.230_x64.exe (PID: 6456)
      • HidHide_1.5.230_x64.exe (PID: 5924)
      • msiexec.exe (PID: 6924)
      • drvinst.exe (PID: 6384)
    • Checks supported languages

      • HidHide_1.5.230_x64.exe (PID: 6456)
      • msiexec.exe (PID: 7060)
      • HidHide_1.5.230_x64.exe (PID: 5924)
      • msiexec.exe (PID: 6924)
      • msiexec.exe (PID: 6536)
      • HidHideWatchdog.exe (PID: 7096)
      • nefconw.exe (PID: 2616)
      • nefconw.exe (PID: 6264)
      • drvinst.exe (PID: 6384)
      • drvinst.exe (PID: 4236)
      • nefconw.exe (PID: 3144)
      • nefconw.exe (PID: 640)
      • nefconw.exe (PID: 2248)
      • nefarius_HidHide_Updater.exe (PID: 5372)
      • PLUGScheduler.exe (PID: 3284)
      • nefarius_HidHide_Updater.exe (PID: 5932)
    • Reads the computer name

      • HidHide_1.5.230_x64.exe (PID: 6456)
      • msiexec.exe (PID: 7060)
      • HidHide_1.5.230_x64.exe (PID: 5924)
      • msiexec.exe (PID: 6536)
      • HidHideWatchdog.exe (PID: 7096)
      • nefconw.exe (PID: 2616)
      • nefconw.exe (PID: 6264)
      • nefconw.exe (PID: 640)
      • drvinst.exe (PID: 6384)
      • drvinst.exe (PID: 4236)
      • nefconw.exe (PID: 2248)
      • nefarius_HidHide_Updater.exe (PID: 5372)
      • PLUGScheduler.exe (PID: 3284)
      • nefarius_HidHide_Updater.exe (PID: 5932)
      • nefconw.exe (PID: 3144)
    • Creates files or folders in the user directory

      • HidHide_1.5.230_x64.exe (PID: 6456)
    • Create files in a temporary directory

      • HidHide_1.5.230_x64.exe (PID: 6456)
      • HidHide_1.5.230_x64.exe (PID: 5924)
      • nefconw.exe (PID: 6264)
    • Creates files in the program directory

      • HidHide_1.5.230_x64.exe (PID: 6456)
      • PLUGScheduler.exe (PID: 3284)
      • nefarius_HidHide_Updater.exe (PID: 5372)
    • Checks proxy server information

      • HidHide_1.5.230_x64.exe (PID: 6456)
    • Reads the machine GUID from the registry

      • HidHide_1.5.230_x64.exe (PID: 6456)
      • HidHide_1.5.230_x64.exe (PID: 5924)
      • msiexec.exe (PID: 6924)
      • drvinst.exe (PID: 6384)
    • Process checks computer location settings

      • HidHide_1.5.230_x64.exe (PID: 6456)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 6924)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 6924)
    • Manual execution by a user

      • nefarius_HidHide_Updater.exe (PID: 5932)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:01:23 16:35:17+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 14.38
CodeSize: 2716672
InitializedDataSize: 1122816
UninitializedDataSize: -
EntryPoint: 0x20c1a0
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.5.230.0
ProductVersionNumber: 1.5.230.0
FileFlagsMask: 0x003f
FileFlags: Debug
FileOS: Win32
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Nefarius Software Solutions e.U.
FileDescription: HidHide Installer
FileVersion: 1.5.230
InternalName: HidHide_1.5.230_x64
LegalCopyright: Copyright (C) 2024 Nefarius Software Solutions e.U.
OriginalFileName: HidHide_1.5.230_x64.exe
ProductName: HidHide
ProductVersion: 1.5.230
No data.
All screenshots are available in the full report
Total processes: 251
Monitored processes: 19
Malicious processes: 5
Suspicious processes: 2

Behavior graph

  • hidhide_1.5.230_x64.exe
  • msiexec.exe
  • msiexec.exe (no specs)
  • hidhide_1.5.230_x64.exe
  • vssvc.exe (no specs)
  • srtasks.exe (no specs)
  • conhost.exe (no specs)
  • msiexec.exe (no specs)
  • hidhidewatchdog.exe (no specs)
  • nefconw.exe (no specs)
  • nefconw.exe
  • drvinst.exe
  • drvinst.exe (no specs)
  • nefconw.exe (no specs)
  • nefconw.exe (no specs)
  • nefconw.exe (no specs)
  • nefarius_hidhide_updater.exe
  • plugscheduler.exe (no specs)
  • nefarius_hidhide_updater.exe

Process information

PID | CMD | Path | Indicators | Parent process
PID: 640
CMD: "C:\Program Files\Nefarius Software Solutions\HidHide\x64\nefconw.exe" --add-class-filter --position upper --service-name HidHide --class-guid 745a17a0-74d3-11d0-b6fe-00a0c90f57da
Path: C:\Program Files\Nefarius Software Solutions\HidHide\x64\nefconw.exe
Parent process: msiexec.exe
User: admin
Company: Nefarius Software Solutions e.U.
Integrity Level: HIGH
Description: Nefarius' Device Console Utility
Exit code: 0
Version: 1.2.0.0
Modules
Images
c:\program files\nefarius software solutions\hidhide\x64\nefconw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\bcrypt.dll
PID: 2248
CMD: "C:\Program Files\Nefarius Software Solutions\HidHide\x64\nefconw.exe" --add-class-filter --position upper --service-name HidHide --class-guid d61ca365-5af4-4486-998b-9db4734c6ca3
Path: C:\Program Files\Nefarius Software Solutions\HidHide\x64\nefconw.exe
Parent process: msiexec.exe
User: admin
Company: Nefarius Software Solutions e.U.
Integrity Level: HIGH
Description: Nefarius' Device Console Utility
Exit code: 0
Version: 1.2.0.0
Modules
Images
c:\program files\nefarius software solutions\hidhide\x64\nefconw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\bcrypt.dll
PID: 2616
CMD: "C:\Program Files\Nefarius Software Solutions\HidHide\x64\nefconw.exe" --create-device-node --hardware-id root\HidHide --class-name System --class-guid 4D36E97D-E325-11CE-BFC1-08002BE10318
Path: C:\Program Files\Nefarius Software Solutions\HidHide\x64\nefconw.exe
Parent process: msiexec.exe
User: admin
Company: Nefarius Software Solutions e.U.
Integrity Level: HIGH
Description: Nefarius' Device Console Utility
Exit code: 0
Version: 1.2.0.0
Modules
Images
c:\program files\nefarius software solutions\hidhide\x64\nefconw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
PID: 3144
CMD: "C:\Program Files\Nefarius Software Solutions\HidHide\x64\nefconw.exe" --add-class-filter --position upper --service-name HidHide --class-guid 05f5cfe2-4733-4950-a6bb-07aad01a3a84
Path: C:\Program Files\Nefarius Software Solutions\HidHide\x64\nefconw.exe
Parent process: msiexec.exe
User: admin
Company: Nefarius Software Solutions e.U.
Integrity Level: HIGH
Description: Nefarius' Device Console Utility
Exit code: 0
Version: 1.2.0.0
Modules
Images
c:\program files\nefarius software solutions\hidhide\x64\nefconw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\version.dll
PID: 3284
CMD: "C:\Program Files\RUXIM\PLUGscheduler.exe"
Path: C:\Program Files\RUXIM\PLUGScheduler.exe
Parent process: svchost.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Update LifeCycle Component Scheduler
Exit code: 0
Version: 10.0.19041.3623 (WinBuild.160101.0800)
Modules
Images
c:\program files\ruxim\plugscheduler.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
PID: 3568
CMD: C:\WINDOWS\system32\vssvc.exe
Path: C:\Windows\System32\VSSVC.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft® Volume Shadow Copy Service
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4100
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: SrTasks.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4236
CMD: DrvInst.exe "2" "201" "ROOT\SYSTEM\0001" "C:\WINDOWS\System32\DriverStore\FileRepository\hidhide.inf_amd64_7c068d69bd48dffd\hidhide.inf" "oem1.inf:*:*:1.4.181.0:root\HidHide," "49f2aa4cb" "000000000000018C"
Path: C:\Windows\System32\drvinst.exe
Parent process: svchost.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Driver Installation Module
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\drvinst.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\drvstore.dll
PID: 5372
CMD: "C:\Program Files\Nefarius Software Solutions\HidHide\x64\nefarius_HidHide_Updater.exe" --install --override-success-code 0
Path: C:\Program Files\Nefarius Software Solutions\HidHide\x64\nefarius_HidHide_Updater.exe
Parent process: msiexec.exe
User: admin
Company: Nefarius Software Solutions e.U.
Integrity Level: HIGH
Description: Universal Updater Agent
Exit code: 0
Version: 1.0.546
Modules
Images
c:\program files\nefarius software solutions\hidhide\x64\nefarius_hidhide_updater.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 5924
CMD: "C:\Users\admin\Desktop\HidHide_1.5.230_x64.exe" /i "C:\ProgramData\Nefarius Software Solutions\HidHide 1.5.230\install\4F26DAF\HidHide.msi" AI_EUIMSI=1 APPDIR="C:\Program Files\Nefarius Software Solutions\HidHide" SECONDSEQUENCE="1" CLIENTPROCESSID="6456" CHAINERUIPROCESSID="6456Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" ADDLOCAL="MainFeature,HidHide_1,C4FE6FD5B7C4D07B3A313E754A9A6A8,HidHide_HID,HidHide" PRIMARYFOLDER="APPDIR" ROOTDRIVE="C:\" AI_PREREQDIRS="C:\Users\admin\AppData\Roaming" AI_FOUND_PREREQS="Visual C++ Redistributable for Visual Studio 2015-2022 x64" AI_SETUPEXEPATH="C:\Users\admin\Desktop\HidHide_1.5.230_x64.exe" SETUPEXEDIR="C:\Users\admin\Desktop\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1722451047 " TARGETDIR="C:\" AI_SETUPEXEPATH_ORIGINAL="C:\Users\admin\Desktop\HidHide_1.5.230_x64.exe" AI_INSTALL="1"
Path: C:\Users\admin\Desktop\HidHide_1.5.230_x64.exe
Parent process: HidHide_1.5.230_x64.exe
User: admin
Company: Nefarius Software Solutions e.U.
Integrity Level: HIGH
Description: HidHide Installer
Exit code: 0
Version: 1.5.230
Modules
Images
c:\users\admin\desktop\hidhide_1.5.230_x64.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\imagehlp.dll
Total events: 21 716
Read events: 21 363
Write events: 316
Delete events: 37

Modification events

(PID) Process: (6456) HidHide_1.5.230_x64.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (6456) HidHide_1.5.230_x64.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (6456) HidHide_1.5.230_x64.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (6456) HidHide_1.5.230_x64.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (6924) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation: write
Name: SrCreateRp (Enter)
Value: 48000000000000005E1EB5EF7AE3DA010C1B000020000000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (6924) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Enter)
Value: 48000000000000005E1EB5EF7AE3DA010C1B000020000000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (6924) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Leave)
Value: 4800000000000000C3B50FF07AE3DA010C1B000020000000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (6924) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Enter)
Value: 4800000000000000C3B50FF07AE3DA010C1B000020000000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (6924) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Leave)
Value: 4800000000000000701B12F07AE3DA010C1B000020000000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (6924) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppCreate (Enter)
Value: 4800000000000000187F14F07AE3DA010C1B000020000000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Executable files: 47
Suspicious files: 44
Text files: 33
Unknown types: 28

Dropped files

PID | Process | Filename | Type
6456 | HidHide_1.5.230_x64.exe | C:\ProgramData\Nefarius Software Solutions\HidHide 1.5.230\install\holder0.aiph | -
MD5: -
SHA256: -
6456 | HidHide_1.5.230_x64.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB | der
MD5: E85D3869FEE69C18BA705E6D2F24B5A5
SHA256: EC7C74909C1A2C5F0AC7F5C50C419ABA64A273402313C965D03AA8EC460F0E30
6456 | HidHide_1.5.230_x64.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_35E9AC8BDBFF76B8DAD6DDAFD42E3BC2 | binary
MD5: 0D9816DE1BFAE3C5AC407F2BEEBAAC9D
SHA256: FA6E9C254F809FA6228F953EF1DEDCC081E44BBB31D0066F4FC2C43B5C5D00CC
6456 | HidHide_1.5.230_x64.exe | C:\Users\admin\AppData\Local\Temp\MSI8359.tmp | executable
MD5: 65B853552E16654C53AB4D16920A9182
SHA256: 80C5E769470BB98C5B1EC3BE0A9A51F0821C67E9ADC7E3E254BBC41183CEB76F
6456 | HidHide_1.5.230_x64.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 | binary
MD5: 800066565CB3A16FF41B8B478B57B0C3
SHA256: 7B5E9B307A98B56F38DD62E7898D63214EC35784C4C0F3DE0E6BCB6B90B13975
6456 | HidHide_1.5.230_x64.exe | C:\Users\admin\AppData\Local\Temp\MSI820D.tmp | executable
MD5: 36CD2870D577FF917BA93C9F50F86374
SHA256: 8D3E94C47AF3DA706A9FE9E4428B2FEFD5E9E6C7145E96927FFFDF3DD5E472B8
6456 | HidHide_1.5.230_x64.exe | C:\Users\admin\AppData\Local\Temp\MSI8388.tmp | executable
MD5: 36CD2870D577FF917BA93C9F50F86374
SHA256: 8D3E94C47AF3DA706A9FE9E4428B2FEFD5E9E6C7145E96927FFFDF3DD5E472B8
6456 | HidHide_1.5.230_x64.exe | C:\Users\admin\AppData\Local\Temp\MSI83F9.tmp | executable
MD5: 36CD2870D577FF917BA93C9F50F86374
SHA256: 8D3E94C47AF3DA706A9FE9E4428B2FEFD5E9E6C7145E96927FFFDF3DD5E472B8
6456 | HidHide_1.5.230_x64.exe | C:\Users\admin\AppData\Local\Temp\AI_EXTUI_BIN_6456\custicon | image
MD5: BE6D2F48AA6634FB2101C273C798D4D9
SHA256: 0E22BC2BF7184DFDB55223A11439304A453FB3574E3C9034A6497AF405C628EF
6456 | HidHide_1.5.230_x64.exe | C:\Users\admin\AppData\Local\Temp\MSI83D9.tmp | executable
MD5: 36CD2870D577FF917BA93C9F50F86374
SHA256: 8D3E94C47AF3DA706A9FE9E4428B2FEFD5E9E6C7145E96927FFFDF3DD5E472B8
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 27
TCP/UDP connections: 32
DNS requests: 14
Threats: 2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
6456 | HidHide_1.5.230_x64.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D | unknown | whitelisted
6456 | HidHide_1.5.230_x64.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D | unknown | whitelisted
6456 | HidHide_1.5.230_x64.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEA4sR33wtnOE7yQZOQX4O%2F0%3D | unknown | whitelisted
- | - | GET | 304 | 2.23.209.133:443 | https://r.bing.com/rb/16/jnc,nj/8is6HLWQOmmjdhp0hh0w6MjZScI.js?bu=DygxcoQBiQGMAYEBe36_AcIBMbIBMcUB&or=w | unknown | unknown
- | - | GET | 304 | 2.23.209.177:443 | https://r.bing.com/rb/19/cir3,ortl,cc,nc/CYGXBN1kkA_ojDY5vKbCoG4Zy0E.css?bu=C-QIiwOKBL4JpQiPCL0GWVlZWQ&or=w | unknown | unknown
- | - | GET | 304 | 2.23.209.150:443 | https://r.bing.com/rb/6j/cir3,ortl,cc,nc/1UB5YvNFrfbb4cLqddqK_32ePXU.css?bu=McEKuwrHCrsKqwu7CrELuwq5C7sKwAu7CsYLuwrMC7sK0gu7CtkKuwrfCrsK0wq7CrsKogu7Cu4Kuwr0CrsK6Aq7CvoKhAuHC7sKuwqfC40LuwqTC5YLuwr7C7sK2Au7CqkM&or=w | unknown | unknown
- | - | GET | 304 | 2.23.209.130:443 | https://r.bing.com/rb/3E/ortl,cc,nc/4-xJy3tX6bM2BGl5zKioiEcQ1TU.css?bu=A4gCjAKPAg&or=w | unknown | unknown
- | - | GET | 304 | 2.23.209.176:443 | https://r.bing.com/rb/6j/ortl,cc,nc/QNBBNqWD9F_Blep-UqQSqnMp-FI.css?bu=AbsK&or=w | unknown | unknown
- | - | GET | 304 | 2.23.209.140:443 | https://r.bing.com/rb/6j/ortl,cc,nc/_BjeFNPDJ-N9umMValublyrbq4Y.css?bu=CZYMuwqbDLsKnwy7CrsKuwq7Cg&or=w | unknown | unknown
- | - | GET | 304 | 2.23.209.140:443 | https://r.bing.com/rb/4N/jnc,nj/WHBHN5CD2X9iLHkLc7Ck-5t1mtg.js?bu=FpIs1Cr8AeQq5yrqKuwqkSuaLOAr5RH6K4Asniz8AfwBgyjDK-MR2hHXK8gr&or=w | unknown | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4576 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4208 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2120 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 239.255.255.250:1900 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
6456 | HidHide_1.5.230_x64.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
2120 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4576 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4324 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 40.127.240.158
  • 4.231.128.59
whitelisted
google.com
  • 172.217.18.110
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
www.bing.com
  • 2.23.209.179
  • 2.23.209.189
  • 2.23.209.130
  • 2.23.209.187
  • 2.23.209.181
  • 2.23.209.182
  • 2.23.209.133
  • 2.23.209.135
  • 2.23.209.185
  • 2.16.100.49
  • 2.16.100.66
  • 2.16.100.51
  • 2.16.100.59
  • 2.16.100.43
  • 2.16.100.50
  • 2.16.100.58
  • 2.16.100.128
  • 2.16.100.64
whitelisted
self.events.data.microsoft.com
  • 20.189.173.11
  • 20.189.173.27
whitelisted
officeclient.microsoft.com
  • 52.109.76.240
whitelisted
ecs.office.com
  • 52.113.194.132
whitelisted
th.bing.com
  • 2.23.209.149
  • 2.23.209.135
  • 2.23.209.185
  • 2.23.209.189
  • 2.23.209.150
  • 2.23.209.181
  • 2.23.209.133
  • 2.23.209.182
  • 2.23.209.140
whitelisted
r.bing.com
  • 2.23.209.176
  • 2.23.209.185
  • 2.23.209.189
  • 2.23.209.149
  • 2.23.209.135
  • 2.23.209.150
  • 2.23.209.158
  • 2.23.209.133
  • 2.23.209.140
whitelisted
vicius.api.nefarius.systems
  • 38.242.217.201
unknown

Threats

PID | Process | Class | Message
- | - | Generic Protocol Command Decode | SURICATA HTTP Request abnormal Content-Encoding header
1 ETPRO signatures available at the full report
Process | Message
nefarius_HidHide_Updater.exe | [2024-07-31 18:53:54.805] [vicius-updater] [info] No local configuration found at C:\Program Files\Nefarius Software Solutions\HidHide\x64\nefarius_HidHide_Updater.json
nefarius_HidHide_Updater.exe | [2024-07-31 18:53:54.806] [vicius-updater] [info] Extracted manufacturer nefarius and product HidHide values
nefarius_HidHide_Updater.exe | [2024-07-31 18:53:54.838] [vicius-updater] [info] Installation tasks finished successfully