File name: HidHide_1.5.230_x64.exe

Full analysis: https://app.any.run/tasks/d38f4138-efc1-4675-98a1-79156cf0801c
Verdict: Malicious activity
Analysis date: July 31, 2024, 18:47:30
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 705173711090D36275D62CA7B111BFC3
SHA1: F7DE49272CBD8A8912F511C3A11471BE05B44E2A
SHA256: F4BBBCB82E6258641B887C74BC81C4C5F66E4AA811808DFC304347687B7605F6
SSDEEP: 98304:voLfIHceJw1fOHuwjNYGy+6YbCTWaWruYdL/Ck97Iu/ChQuWo229QAPB3EAXd6+Q:77l+zTykhE

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • HidHide_1.5.230_x64.exe (PID: 6452)
      • msiexec.exe (PID: 6792)
      • drvinst.exe (PID: 640)
      • nefconw.exe (PID: 7104)
      • nefarius_HidHide_Updater.exe (PID: 5464)
    • Changes the autorun value in the registry

      • nefarius_HidHide_Updater.exe (PID: 5464)
  • SUSPICIOUS

    • Checks Windows Trust Settings

      • HidHide_1.5.230_x64.exe (PID: 6452)
      • HidHide_1.5.230_x64.exe (PID: 5140)
      • msiexec.exe (PID: 6792)
      • drvinst.exe (PID: 640)
    • Reads security settings of Internet Explorer

      • HidHide_1.5.230_x64.exe (PID: 6452)
      • HidHide_1.5.230_x64.exe (PID: 5140)
    • Reads the Windows owner or organization settings

      • HidHide_1.5.230_x64.exe (PID: 6452)
      • HidHide_1.5.230_x64.exe (PID: 5140)
      • msiexec.exe (PID: 6792)
    • Reads the date of Windows installation

      • HidHide_1.5.230_x64.exe (PID: 6452)
    • Application launched itself

      • HidHide_1.5.230_x64.exe (PID: 6452)
    • Executable content was dropped or overwritten

      • HidHide_1.5.230_x64.exe (PID: 6452)
      • HidHide_1.5.230_x64.exe (PID: 5140)
      • nefconw.exe (PID: 7104)
      • drvinst.exe (PID: 640)
      • nefarius_HidHide_Updater.exe (PID: 5464)
    • Reads Internet Explorer settings

      • HidHide_1.5.230_x64.exe (PID: 6452)
    • Executes as Windows Service

      • HidHideWatchdog.exe (PID: 6928)
      • VSSVC.exe (PID: 6244)
    • Drops a system driver (possible attempt to evade defenses)

      • HidHide_1.5.230_x64.exe (PID: 6452)
      • msiexec.exe (PID: 6792)
      • nefconw.exe (PID: 7104)
      • drvinst.exe (PID: 640)
    • Creates files in the driver directory

      • drvinst.exe (PID: 640)
    • Creates or modifies Windows services

      • drvinst.exe (PID: 3032)
    • Detected use of alternative data streams (AltDS)

      • nefarius_HidHide_Updater.exe (PID: 5464)
      • nefarius_HidHide_Updater.exe (PID: 5868)
    • The process executes via Task Scheduler

      • PLUGScheduler.exe (PID: 2752)
  • INFO

    • Creates files in the program directory

      • HidHide_1.5.230_x64.exe (PID: 6452)
      • nefarius_HidHide_Updater.exe (PID: 5464)
      • PLUGScheduler.exe (PID: 2752)
    • Checks supported languages

      • HidHide_1.5.230_x64.exe (PID: 6452)
      • msiexec.exe (PID: 6792)
      • msiexec.exe (PID: 7000)
      • HidHide_1.5.230_x64.exe (PID: 5140)
      • msiexec.exe (PID: 6832)
      • HidHideWatchdog.exe (PID: 6928)
      • drvinst.exe (PID: 640)
      • drvinst.exe (PID: 3032)
      • nefconw.exe (PID: 7064)
      • nefconw.exe (PID: 7104)
      • nefconw.exe (PID: 6872)
      • nefconw.exe (PID: 3188)
      • nefconw.exe (PID: 4704)
      • nefarius_HidHide_Updater.exe (PID: 5464)
      • PLUGScheduler.exe (PID: 2752)
      • nefarius_HidHide_Updater.exe (PID: 5868)
    • Reads Environment values

      • HidHide_1.5.230_x64.exe (PID: 6452)
      • msiexec.exe (PID: 7000)
      • msiexec.exe (PID: 6832)
      • HidHide_1.5.230_x64.exe (PID: 5140)
    • Reads the computer name

      • HidHide_1.5.230_x64.exe (PID: 6452)
      • msiexec.exe (PID: 6792)
      • HidHide_1.5.230_x64.exe (PID: 5140)
      • msiexec.exe (PID: 7000)
      • msiexec.exe (PID: 6832)
      • nefconw.exe (PID: 7064)
      • HidHideWatchdog.exe (PID: 6928)
      • nefconw.exe (PID: 7104)
      • drvinst.exe (PID: 640)
      • nefconw.exe (PID: 6872)
      • drvinst.exe (PID: 3032)
      • PLUGScheduler.exe (PID: 2752)
      • nefconw.exe (PID: 4704)
      • nefconw.exe (PID: 3188)
      • nefarius_HidHide_Updater.exe (PID: 5464)
      • nefarius_HidHide_Updater.exe (PID: 5868)
    • Reads the software policy settings

      • HidHide_1.5.230_x64.exe (PID: 6452)
      • HidHide_1.5.230_x64.exe (PID: 5140)
      • msiexec.exe (PID: 6792)
      • drvinst.exe (PID: 640)
    • Checks proxy server information

      • HidHide_1.5.230_x64.exe (PID: 6452)
    • Reads the machine GUID from the registry

      • HidHide_1.5.230_x64.exe (PID: 6452)
      • HidHide_1.5.230_x64.exe (PID: 5140)
      • msiexec.exe (PID: 6792)
      • drvinst.exe (PID: 640)
    • Creates files or folders in the user directory

      • HidHide_1.5.230_x64.exe (PID: 6452)
    • Process checks computer location settings

      • HidHide_1.5.230_x64.exe (PID: 6452)
    • Create files in a temporary directory

      • HidHide_1.5.230_x64.exe (PID: 5140)
      • HidHide_1.5.230_x64.exe (PID: 6452)
      • nefconw.exe (PID: 7104)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 6792)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 6792)
    • Manual execution by a user

      • nefarius_HidHide_Updater.exe (PID: 5868)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:01:23 16:35:17+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 14.38
CodeSize: 2716672
InitializedDataSize: 1122816
UninitializedDataSize: -
EntryPoint: 0x20c1a0
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.5.230.0
ProductVersionNumber: 1.5.230.0
FileFlagsMask: 0x003f
FileFlags: Debug
FileOS: Win32
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Nefarius Software Solutions e.U.
FileDescription: HidHide Installer
FileVersion: 1.5.230
InternalName: HidHide_1.5.230_x64
LegalCopyright: Copyright (C) 2024 Nefarius Software Solutions e.U.
OriginalFileName: HidHide_1.5.230_x64.exe
ProductName: HidHide
ProductVersion: 1.5.230
No data.
All screenshots are available in the full report
Total processes: 239
Monitored processes: 19
Malicious processes: 4
Suspicious processes: 3

Behavior graph

Process nodes in graph order (the "no specs" label is the report's own):
  • start
  • hidhide_1.5.230_x64.exe
  • msiexec.exe
  • msiexec.exe (no specs)
  • hidhide_1.5.230_x64.exe
  • vssvc.exe (no specs)
  • srtasks.exe (no specs)
  • conhost.exe (no specs)
  • msiexec.exe (no specs)
  • hidhidewatchdog.exe (no specs)
  • nefconw.exe (no specs)
  • nefconw.exe
  • drvinst.exe
  • drvinst.exe (no specs)
  • nefconw.exe (no specs)
  • nefconw.exe (no specs)
  • nefconw.exe (no specs)
  • nefarius_hidhide_updater.exe
  • plugscheduler.exe (no specs)
  • nefarius_hidhide_updater.exe

Process information

(For each monitored process: PID, command line, image path, parent process, process details and loaded modules.)
PID: 640
CMD: DrvInst.exe "4" "0" "C:\Users\admin\AppData\Local\Temp\{57dc5e47-bec3-0c4e-b180-911f97590ca6}\HidHide.inf" "9" "49f2aa4cb" "00000000000001CC" "WinSta0\Default" "00000000000001D8" "208" "C:\Program Files\Nefarius Software Solutions\HidHide\x64\HidHide"
Path: C:\Windows\System32\drvinst.exe
Parent process: svchost.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Driver Installation Module
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules:
c:\windows\system32\drvinst.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\drvstore.dll

PID: 2752
CMD: "C:\Program Files\RUXIM\PLUGscheduler.exe"
Path: C:\Program Files\RUXIM\PLUGScheduler.exe
Parent process: svchost.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Update LifeCycle Component Scheduler
Exit code: 0
Version: 10.0.19041.3623 (WinBuild.160101.0800)
Modules:
c:\program files\ruxim\plugscheduler.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll

PID: 3032
CMD: DrvInst.exe "2" "201" "ROOT\SYSTEM\0001" "C:\WINDOWS\System32\DriverStore\FileRepository\hidhide.inf_amd64_7c068d69bd48dffd\hidhide.inf" "oem1.inf:*:*:1.4.181.0:root\HidHide," "49f2aa4cb" "0000000000000174"
Path: C:\Windows\System32\drvinst.exe
Parent process: svchost.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Driver Installation Module
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules:
c:\windows\system32\drvinst.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\drvstore.dll

PID: 3188
CMD: "C:\Program Files\Nefarius Software Solutions\HidHide\x64\nefconw.exe" --add-class-filter --position upper --service-name HidHide --class-guid 05f5cfe2-4733-4950-a6bb-07aad01a3a84
Path: C:\Program Files\Nefarius Software Solutions\HidHide\x64\nefconw.exe
Parent process: msiexec.exe
User: admin
Company: Nefarius Software Solutions e.U.
Integrity Level: HIGH
Description: Nefarius' Device Console Utility
Exit code: 0
Version: 1.2.0.0
Modules:
c:\program files\nefarius software solutions\hidhide\x64\nefconw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\bcrypt.dll

PID: 4704
CMD: "C:\Program Files\Nefarius Software Solutions\HidHide\x64\nefconw.exe" --add-class-filter --position upper --service-name HidHide --class-guid d61ca365-5af4-4486-998b-9db4734c6ca3
Path: C:\Program Files\Nefarius Software Solutions\HidHide\x64\nefconw.exe
Parent process: msiexec.exe
User: admin
Company: Nefarius Software Solutions e.U.
Integrity Level: HIGH
Description: Nefarius' Device Console Utility
Exit code: 0
Version: 1.2.0.0
Modules:
c:\program files\nefarius software solutions\hidhide\x64\nefconw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\version.dll
c:\windows\system32\ucrtbase.dll

PID: 5140
CMD: "C:\Users\admin\Desktop\HidHide_1.5.230_x64.exe" /i "C:\ProgramData\Nefarius Software Solutions\HidHide 1.5.230\install\4F26DAF\HidHide.msi" AI_EUIMSI=1 APPDIR="C:\Program Files\Nefarius Software Solutions\HidHide" SECONDSEQUENCE="1" CLIENTPROCESSID="6452" CHAINERUIPROCESSID="6452Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" ADDLOCAL="MainFeature,HidHide_1,C4FE6FD5B7C4D07B3A313E754A9A6A8,HidHide_HID,HidHide" PRIMARYFOLDER="APPDIR" ROOTDRIVE="C:\" AI_PREREQDIRS="C:\Users\admin\AppData\Roaming" AI_FOUND_PREREQS="Visual C++ Redistributable for Visual Studio 2015-2022 x64" AI_SETUPEXEPATH="C:\Users\admin\Desktop\HidHide_1.5.230_x64.exe" SETUPEXEDIR="C:\Users\admin\Desktop\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1722450724 " TARGETDIR="C:\" AI_SETUPEXEPATH_ORIGINAL="C:\Users\admin\Desktop\HidHide_1.5.230_x64.exe" AI_INSTALL="1"
Path: C:\Users\admin\Desktop\HidHide_1.5.230_x64.exe
Parent process: HidHide_1.5.230_x64.exe
User: admin
Company: Nefarius Software Solutions e.U.
Integrity Level: HIGH
Description: HidHide Installer
Exit code: 0
Version: 1.5.230
Modules:
c:\users\admin\desktop\hidhide_1.5.230_x64.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\imagehlp.dll

PID: 5300
CMD: C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:11
Path: C:\Windows\System32\SrTasks.exe
Parent process: msiexec.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft® Windows System Protection background tasks.
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules:
c:\windows\system32\srtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

PID: 5464
CMD: "C:\Program Files\Nefarius Software Solutions\HidHide\x64\nefarius_HidHide_Updater.exe" --install --override-success-code 0
Path: C:\Program Files\Nefarius Software Solutions\HidHide\x64\nefarius_HidHide_Updater.exe
Parent process: msiexec.exe
User: admin
Company: Nefarius Software Solutions e.U.
Integrity Level: HIGH
Description: Universal Updater Agent
Exit code: 0
Version: 1.0.546
Modules:
c:\program files\nefarius software solutions\hidhide\x64\nefarius_hidhide_updater.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

PID: 5868
CMD: "C:\Program Files\Nefarius Software Solutions\HidHide\x64\nefarius_HidHide_Updater.exe" --autostart
Path: C:\Program Files\Nefarius Software Solutions\HidHide\x64\nefarius_HidHide_Updater.exe
Parent process: explorer.exe
User: admin
Company: Nefarius Software Solutions e.U.
Integrity Level: MEDIUM
Description: Universal Updater Agent
Exit code: 104
Version: 1.0.546
Modules:
c:\program files\nefarius software solutions\hidhide\x64\nefarius_hidhide_updater.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll

PID: 6244
CMD: C:\WINDOWS\system32\vssvc.exe
Path: C:\Windows\System32\VSSVC.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft® Volume Shadow Copy Service
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules:
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Total events: 21 846
Read events: 21 493
Write events: 316
Delete events: 37

Modification events

Process: (6452) HidHide_1.5.230_x64.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: ProxyBypass | Value: 1
Process: (6452) HidHide_1.5.230_x64.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: IntranetName | Value: 1
Process: (6452) HidHide_1.5.230_x64.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: UNCAsIntranet | Value: 1
Process: (6452) HidHide_1.5.230_x64.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: AutoDetect | Value: 0
Process: (6792) msiexec.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore | Operation: write | Name: SrCreateRp (Enter) | Value: 48000000000000009DB5D7367AE3DA01881A0000AC070000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Process: (6792) msiexec.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP | Operation: write | Name: SppGetSnapshots (Enter) | Value: 48000000000000009DB5D7367AE3DA01881A0000AC070000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Process: (6792) msiexec.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP | Operation: write | Name: SppGetSnapshots (Leave) | Value: 48000000000000002CF523377AE3DA01881A0000AC070000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Process: (6792) msiexec.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP | Operation: write | Name: SppEnumGroups (Enter) | Value: 48000000000000002CF523377AE3DA01881A0000AC070000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Process: (6792) msiexec.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP | Operation: write | Name: SppEnumGroups (Leave) | Value: 4800000000000000E75A26377AE3DA01881A0000AC070000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
Process: (6792) msiexec.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP | Operation: write | Name: SppCreate (Enter) | Value: 48000000000000006CBF28377AE3DA01881A0000AC070000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
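The six VSS\Diag values written by msiexec.exe (PID 6792) are binary blobs that, once decoded, give a timestamped trace of the restore-point creation that the srtasks.exe and VSSVC.exe entries in the process list correspond to. The decoder below is an added example written for this page; it is not ANY.RUN or Microsoft code. The field layout it uses (uint32 record size, uint32 reserved, little-endian FILETIME, uint32 PID, uint32 TID, uint32 event code, uint32 enter/leave flag) is an assumption inferred from the values above rather than taken from Microsoft documentation. Two facts on the page support the guess: the PID field decodes to 6792, the msiexec.exe PID that wrote the keys, and the FILETIME lands at 18:48:20 UTC, under a minute after the 18:47:30 analysis start, with the flag reading 1 exactly on the values the report names "(Leave)". The hex strings are copied verbatim from the list above, so the script runs offline.

```python
"""Decode the VSS\\Diag registry values msiexec.exe wrote while creating a restore point.

Added example for this report; not ANY.RUN or Microsoft code. The record
layout below is an assumption inferred from the values on the page, not a
documented Microsoft structure. Sanity checks that support it: the PID field
decodes to 6792 (the msiexec.exe that wrote the keys) and the flag is 1 only
for the values the report labels "(Leave)".
"""
import struct
from datetime import datetime, timedelta, timezone

# (registry value name, hex data) pairs copied from the report's "Modification events", in page order.
VSS_DIAG_RECORDS = [
    ("SystemRestore\\SrCreateRp (Enter)",
     "48000000000000009DB5D7367AE3DA01881A0000AC070000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"),
    ("SPP\\SppGetSnapshots (Enter)",
     "48000000000000009DB5D7367AE3DA01881A0000AC070000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"),
    ("SPP\\SppGetSnapshots (Leave)",
     "48000000000000002CF523377AE3DA01881A0000AC070000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000"),
    ("SPP\\SppEnumGroups (Enter)",
     "48000000000000002CF523377AE3DA01881A0000AC070000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"),
    ("SPP\\SppEnumGroups (Leave)",
     "4800000000000000E75A26377AE3DA01881A0000AC070000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000"),
    ("SPP\\SppCreate (Enter)",
     "48000000000000006CBF28377AE3DA01881A0000AC070000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"),
]

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Assumed header: size, reserved, FILETIME, pid, tid, event code, enter/leave flag (all little-endian).
RECORD_HEADER = struct.Struct("<IIQIIII")


def filetime_to_datetime(filetime):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def decode_vss_diag(hex_data):
    """Decode one VSS\\Diag value under the assumed layout; returns the header fields as a dict."""
    # Hex copied out of a report can lose a trailing nibble; only the first 32
    # bytes are interpreted, so drop an odd final character instead of failing.
    raw = bytes.fromhex(hex_data[: len(hex_data) - (len(hex_data) % 2)])
    if len(raw) < RECORD_HEADER.size:
        raise ValueError("record shorter than the assumed 32-byte header")
    size, _reserved, filetime, pid, tid, event, flag = RECORD_HEADER.unpack_from(raw)
    return {
        "declared_size": size,            # 0x48 = 72 in every record on the page
        "actual_size": len(raw),
        "timestamp": filetime_to_datetime(filetime),
        "pid": pid,
        "tid": tid,
        "event": event,
        "phase": "leave" if flag == 1 else "enter",
    }


def timeline(records=VSS_DIAG_RECORDS):
    """Decode every record, keeping the value name, in the order the report lists them."""
    return [(name, decode_vss_diag(data)) for name, data in records]


if __name__ == "__main__":
    for name, rec in timeline():
        print(f"{rec['timestamp'].isoformat(timespec='milliseconds')}  pid={rec['pid']} "
              f"tid={rec['tid']} event={rec['event']} {rec['phase']:5}  {name}")
```

Running it prints the records in order; the timestamps increase monotonically within about half a second of each other, and the PID is 6792 for all six. The event codes (2005, 2002, 2001, 2000) are reported as raw integers, since the page gives no mapping for them.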
Executable files: 48
Suspicious files: 65
Text files: 32
Unknown types: 7

Dropped files

PID | Process | Filename | Type

6452 | HidHide_1.5.230_x64.exe | C:\ProgramData\Nefarius Software Solutions\HidHide 1.5.230\install\holder0.aiph | -
  MD5: -  SHA256: -
6452 | HidHide_1.5.230_x64.exe | C:\Users\admin\AppData\Local\Temp\MSI8164.tmp | executable
  MD5: 36CD2870D577FF917BA93C9F50F86374  SHA256: 8D3E94C47AF3DA706A9FE9E4428B2FEFD5E9E6C7145E96927FFFDF3DD5E472B8
6452 | HidHide_1.5.230_x64.exe | C:\Users\admin\AppData\Local\Temp\MSI80F5.tmp | executable
  MD5: 36CD2870D577FF917BA93C9F50F86374  SHA256: 8D3E94C47AF3DA706A9FE9E4428B2FEFD5E9E6C7145E96927FFFDF3DD5E472B8
6452 | HidHide_1.5.230_x64.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 | binary
  MD5: 091373A9DD4C6A83EB36D296C07D1796  SHA256: F0A594292DF82275EAAC4CB3EB32AE17A4612DF09D9C87F4E5D4B1D2535859C2
6452 | HidHide_1.5.230_x64.exe | C:\Users\admin\AppData\Local\Temp\MSI8048.tmp | executable
  MD5: 36CD2870D577FF917BA93C9F50F86374  SHA256: 8D3E94C47AF3DA706A9FE9E4428B2FEFD5E9E6C7145E96927FFFDF3DD5E472B8
6452 | HidHide_1.5.230_x64.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_35E9AC8BDBFF76B8DAD6DDAFD42E3BC2 | binary
  MD5: EA4C294F592B63E7CBB61EEEBEC249A1  SHA256: 6A4DC3B1C0B9AFE9107FD891CF51CE20D29839DDCE87B4C6E815EB6BBCDCBB55
6452 | HidHide_1.5.230_x64.exe | C:\Users\admin\AppData\Local\Temp\shi7FEA.tmp | executable
  MD5: 84A34BF3486F7B9B7035DB78D78BDD1E  SHA256: F85911C910B660E528D2CF291BAA40A92D09961996D6D84E7A53A7095C7CD96E
6452 | HidHide_1.5.230_x64.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 | binary
  MD5: D45E464F74563736227583E0B9EE3894  SHA256: E81791117F3BEE3DC45E0610B3642A267C177031174E4DC0ACB514EF6ADE239A
6452 | HidHide_1.5.230_x64.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB | binary
  MD5: 2D5B12AEA4AEDF4F5AD9EAAEF42D9CF5  SHA256: 48F7C8B408FE7E044C3999C130320B5753DC2B4A391035EB872DB7E68D800166
6452 | HidHide_1.5.230_x64.exe | C:\Users\admin\AppData\Local\Temp\MSI8193.tmp | executable
  MD5: 65B853552E16654C53AB4D16920A9182  SHA256: 80C5E769470BB98C5B1EC3BE0A9A51F0821C67E9ADC7E3E254BBC41183CEB76F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 60
TCP/UDP connections: 42
DNS requests: 12
Threats: 2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
Rows with no PID are not attributed by the report to any monitored process; only the first three requests are tied to the sample.

6452 | HidHide_1.5.230_x64.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D | unknown | - | - | whitelisted
6452 | HidHide_1.5.230_x64.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D | unknown | - | - | whitelisted
6452 | HidHide_1.5.230_x64.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEA4sR33wtnOE7yQZOQX4O%2F0%3D | unknown | - | - | whitelisted
- | - | GET | 304 | 2.23.209.179:443 | https://r.bing.com/rb/4N/jnc,nj/WHBHN5CD2X9iLHkLc7Ck-5t1mtg.js?bu=FpIs1Cr8AeQq5yrqKuwqkSuaLOAr5RH6K4Asniz8AfwBgyjDK-MR2hHXK8gr&or=w | unknown | - | - | -
- | - | POST | 204 | 92.123.104.59:443 | https://www.bing.com/threshold/xls.aspx | unknown | - | - | -
- | - | GET | 200 | 52.109.76.240:443 | https://officeclient.microsoft.com/config16/?syslcid=1033&build=16.0.16026&crev=3 | unknown | xml | 171 Kb | -
- | - | GET | 200 | 2.23.209.182:443 | https://th.bing.com/th?id=ODSWG.TravelIcon&w=16&h=16&c=1&rs=1&p=0 | unknown | image | 718 b | -
- | - | GET | 200 | 2.23.209.182:443 | https://r.bing.com/rp/-UAIppANYxiGpRWJy2NDph4qOEw.gz.js | unknown | text | 20.3 Kb | -
- | - | GET | 200 | 52.113.194.132:443 | https://ecs.office.com/config/v2/Office/officeclicktorun/16.0.16026.20140/Production/CC?&Clientid=%7b48BA7FDF-353C-4FE5-8D8F-9E31911A3891%7d&Application=officeclicktorun&Platform=win32&Version=16.0.16026.20140&MsoVersion=16.0.16026.20140&ProcessName=officeclicktorun.exe&Audience=Production&Build=ship&Architecture=x64&OsVersion=10.0&OsBuild=19045&Channel=CC&InstallType=C2R&SessionId=%7b47034569-9376-4296-9A37-41A034BFC829%7d&LabMachine=false | unknown | text | 334 Kb | -
- | - | POST | 200 | 20.42.65.93:443 | https://self.events.data.microsoft.com/OneCollector/1.0/ | unknown | binary | 9 b | -
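The three requests the report attributes to the installer (PID 6452) all go to ocsp.digicert.com, and the base64 blob in each URL path is a DER-encoded OCSPRequest (RFC 6960, Appendix A.1). Decoding it shows which certificate's revocation status was queried, which is how an analyst separates an Authenticode or timestamp-certificate check from a beacon that merely dresses itself up as an OCSP URL. The script below is an added example written for this page, not ANY.RUN or Nefarius code. It embeds the three URLs copied from the table, walks the DER by hand and needs only the Python standard library, so it runs offline. Which certificates the serial numbers belong to is not stated on the page, and the script does not claim it.

```python
"""Decode the OCSP GET requests the installer (PID 6452) sent to ocsp.digicert.com.

Added example for this report, not ANY.RUN or Nefarius code. An OCSP GET
carries a base64, URL-encoded DER OCSPRequest in the path (RFC 6960, A.1).
This walks that DER and pulls out each CertID so the analyst can see which
certificate's status was checked. Nothing is fetched from the network.
"""
import base64
from urllib.parse import unquote, urlsplit

# Copied verbatim from the report's HTTP requests table (all three from PID 6452).
OCSP_URLS = [
    "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D",
    "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D",
    "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEA4sR33wtnOE7yQZOQX4O%2F0%3D",
]

# Hash algorithms commonly seen in CertID.hashAlgorithm; others are reported as dotted OIDs.
HASH_OIDS = {"1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.1": "sha256"}

SEQUENCE = 0x30


def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                          # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split the body of a constructed type into a list of (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, inner, pos = _tlv(value, pos)
        out.append((tag, inner))
    return out


def _oid(body):
    """Decode an OBJECT IDENTIFIER body to dotted notation."""
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                       # a clear high bit ends a base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_ocsp_get(url):
    """Return one dict per CertID found in an OCSP GET URL."""
    der = base64.b64decode(unquote(urlsplit(url).path.lstrip("/")))
    tag, ocsp_request, _ = _tlv(der, 0)
    if tag != SEQUENCE:
        raise ValueError("OCSPRequest is not a SEQUENCE")
    tbs_tag, tbs = _children(ocsp_request)[0]  # tbsRequest; an optionalSignature may follow it
    if tbs_tag != SEQUENCE:
        raise ValueError("tbsRequest is not a SEQUENCE")
    # tbsRequest may begin with [0] version and [1] requestorName; requestList
    # is its first plain SEQUENCE child.
    request_list = next(v for t, v in _children(tbs) if t == SEQUENCE)
    results = []
    for _, request in _children(request_list):     # Request ::= SEQUENCE { reqCert CertID, ... }
        _, cert_id = _children(request)[0]
        alg, name_hash, key_hash, serial = _children(cert_id)
        hash_oid = _oid(_children(alg[1])[0][1])   # AlgorithmIdentifier.algorithm
        results.append({
            "hash_alg": HASH_OIDS.get(hash_oid, hash_oid),
            "issuer_name_hash": name_hash[1].hex(),
            "issuer_key_hash": key_hash[1].hex(),
            "serial": serial[1].hex(),             # raw INTEGER bytes; a leading 00 is the DER sign byte
        })
    return results


def decode_report_urls():
    """Decode every OCSP URL from the report; returns a list of (url, certids)."""
    return [(url, parse_ocsp_get(url)) for url in OCSP_URLS]


if __name__ == "__main__":
    for url, certids in decode_report_urls():
        for c in certids:
            print(f"{c['hash_alg']}  issuerKeyHash={c['issuer_key_hash']}  serial={c['serial']}")
```

Each of the three requests carries a single SHA-1 CertID with a 16-byte serial; the issuerKeyHash is the field to compare against the SubjectKeyIdentifier of the CA that signed the installer's Authenticode certificate when confirming the check is legitimate.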

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4100 | svchost.exe | 40.127.240.158:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
1076 | RUXIMICS.exe | 40.127.240.158:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
2120 | MoUsoCoreWorker.exe | 40.127.240.158:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
3888 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
2120 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6452 | HidHide_1.5.230_x64.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
4100 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4324 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 172.217.18.14
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
www.bing.com
  • 92.123.104.7
  • 92.123.104.32
  • 92.123.104.19
  • 92.123.104.17
  • 92.123.104.67
  • 92.123.104.33
  • 92.123.104.28
  • 92.123.104.60
  • 92.123.104.31
  • 2.23.209.185
  • 2.23.209.176
  • 2.23.209.187
  • 2.23.209.158
  • 2.23.209.182
  • 2.23.209.181
  • 2.23.209.189
  • 2.23.209.179
  • 2.23.209.177
whitelisted
self.events.data.microsoft.com
  • 104.208.16.88
  • 20.189.173.24
whitelisted
officeclient.microsoft.com
  • 52.109.89.18
whitelisted
ecs.office.com
  • 52.113.194.132
whitelisted
r.bing.com
  • 2.23.209.133
  • 2.23.209.189
  • 2.23.209.158
  • 2.23.209.130
  • 2.23.209.176
  • 2.23.209.135
  • 2.23.209.149
  • 2.23.209.150
  • 2.23.209.140
whitelisted
th.bing.com
  • 2.23.209.158
  • 2.23.209.176
  • 2.23.209.179
  • 2.23.209.149
  • 2.23.209.150
  • 2.23.209.182
  • 2.23.209.140
  • 2.23.209.181
  • 2.23.209.177
whitelisted
vicius.api.nefarius.systems
  • 38.242.217.201
unknown

Threats

PID | Process | Class | Message
- | - | Generic Protocol Command Decode | SURICATA HTTP Request abnormal Content-Encoding header
1 ETPRO signatures available at the full report

Process | Message
nefarius_HidHide_Updater.exe | [2024-07-31 18:48:44.752] [vicius-updater] [info] No local configuration found at C:\Program Files\Nefarius Software Solutions\HidHide\x64\nefarius_HidHide_Updater.json
nefarius_HidHide_Updater.exe | [2024-07-31 18:48:44.753] [vicius-updater] [info] Extracted manufacturer nefarius and product HidHide values
nefarius_HidHide_Updater.exe | [2024-07-31 18:48:44.789] [vicius-updater] [info] Installation tasks finished successfully