File name:

a332be0b7ff7a111.exe

Full analysis: https://app.any.run/tasks/8b7e59ba-6cb2-4c95-9eae-f94d4c7ff8b7
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: April 30, 2026, 20:27:47
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
etherhiding
stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 8 sections
MD5:

4C2DB021EFF66F12D52EC0C15BE48795

SHA1:

35514E9510FB0ACE33EFF2DB89CB8F0408DBE729

SHA256:

5F2E0D2D327403257DC6233E6BF1B5A7225E472E80D139D8C2BD5EBC99DCC20B

SSDEEP:

98304:XwycG0wAnteK5qVKXYJdk/vKcP3bAFao6AGk4EY704Nt4Dz94aYTDu9OwokqZlkb:sSK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • ETHERHIDING has been detected (SURICATA)

      • a332be0b7ff7a111.exe (PID: 1684)

    • Actions looks like stealing of personal data

      • a332be0b7ff7a111.exe (PID: 1684)

    • Steals credentials from Web Browsers

      • a332be0b7ff7a111.exe (PID: 1684)

  • SUSPICIOUS

    • Reads the BIOS version

      • a332be0b7ff7a111.exe (PID: 1684)

    • Searches for installed software

      • a332be0b7ff7a111.exe (PID: 1684)

    • Possible stealing from crypto wallets

      • a332be0b7ff7a111.exe (PID: 1684)

    • Possible stealing of FTP data

      • a332be0b7ff7a111.exe (PID: 1684)

    • Possible stealing of VPN data

      • a332be0b7ff7a111.exe (PID: 1684)

    • Possible stealing of messenger data

      • a332be0b7ff7a111.exe (PID: 1684)

    • Possible stealing from password managers

      • a332be0b7ff7a111.exe (PID: 1684)

    • Executable content was dropped or overwritten

      • a332be0b7ff7a111.exe (PID: 1684)

  • INFO

    • The sample compiled with english language support

      • a332be0b7ff7a111.exe (PID: 1684)

    • Checks supported languages

      • a332be0b7ff7a111.exe (PID: 1684)

    • Reads the computer name

      • a332be0b7ff7a111.exe (PID: 1684)

    • Reads security settings of Internet Explorer

      • a332be0b7ff7a111.exe (PID: 1684)

    • Creates files or folders in the user directory

      • a332be0b7ff7a111.exe (PID: 1684)

    • Reads the machine GUID from the registry

      • a332be0b7ff7a111.exe (PID: 1684)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2021:06:12 20:08:18+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.29
CodeSize: 229376
InitializedDataSize: 175104
UninitializedDataSize: -
EntryPoint: 0x481058
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 24.4.684.9
ProductVersionNumber: 24.4.684.9
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Wireshark Foundation
FileDescription: Wireshark Network Protocol Analyzer
FileVersion: 24.4.684.9
InternalName: Wireshark.exe
OriginalFileName: Wireshark.exe
ProductName: Wireshark
ProductVersion: Version 24.4.684
LegalCopyright: © Wireshark Foundation 2025. All rights reserved.
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
137
Monitored processes
4
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #ETHERHIDING a332be0b7ff7a111.exe chrome.exe no specs msedge.exe no specs chrome.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1684"C:\Users\admin\AppData\Local\Temp\a332be0b7ff7a111.exe" C:\Users\admin\AppData\Local\Temp\a332be0b7ff7a111.exe
explorer.exe
User:
admin
Company:
Wireshark Foundation
Integrity Level:
MEDIUM
Description:
Wireshark Network Protocol Analyzer
Exit code:
0
Version:
24.4.684.9
Modules
Images
c:\users\admin\appdata\local\temp\a332be0b7ff7a111.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
2436C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeC:\Program Files (x86)\Microsoft\Edge\Application\msedge.exea332be0b7ff7a111.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
8128C:\Program Files\Google\Chrome\Application\chrome.exeC:\Program Files\Google\Chrome\Application\chrome.exea332be0b7ff7a111.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\ole32.dll
c:\windows\system32\ucrtbase.dll
8156C:\Program Files\Google\Chrome\Application\chrome.exeC:\Program Files\Google\Chrome\Application\chrome.exea332be0b7ff7a111.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\ole32.dll
c:\windows\system32\ucrtbase.dll
Total events
797
Read events
794
Write events
3
Delete events
0

Modification events

(PID) Process:(1684) a332be0b7ff7a111.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(1684) a332be0b7ff7a111.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(1684) a332be0b7ff7a111.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
Executable files
1
Suspicious files
7
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
1684a332be0b7ff7a111.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12binary
MD5:2595E903FCB3B99996ADB2CC2BF504C8
SHA256:71CCD39DE69EC147AFD8AD4337A36829DCABABBF40897250380C7770DE551242
1684a332be0b7ff7a111.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12binary
MD5:4DDE684C7A4CC05C8501B5BBF5073B05
SHA256:50ABD362234D9B279B5D60AFB52EBF0F4BE69A107E333E2CA78E707915E5F439
1684a332be0b7ff7a111.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\48F7E54A916FE508125367A9BF86349Cbinary
MD5:41E9EFB6C2E6B75CDE28727FEE46CFB7
SHA256:B9CCCAD1543628F73B7A00695C4909E6D54A65594CFA25ECC234A0F71B3BEBE2
1684a332be0b7ff7a111.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8binary
MD5:047F3E9D21D6B325D592B1959E4362E6
SHA256:D2BB091268ADE68AD8121D2184D0FBCE128070156304BD4DE312E6FBD267409C
1684a332be0b7ff7a111.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\48F7E54A916FE508125367A9BF86349Cbinary
MD5:43D8E26D60C50D2B3594BFB90066B902
SHA256:FB6671914274B2F8AE9E4D352D3B97359ED9A8301CAC2059FEC75E2C627E0100
1684a332be0b7ff7a111.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751binary
MD5:7F924EAEA21BB91214FF7B4525F3BD29
SHA256:E718475014C8F51A8F2746FBE90A7BFF516B65BEF36EE6340A5FC746BC5DFC32
1684a332be0b7ff7a111.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8binary
MD5:6DE08FDA34A350EBA9435D348380DA29
SHA256:FE3B8A7284EFDCD6E1659F8967AF5410B1EB8C0044B2C6E9150A193E49C4E81B
1684a332be0b7ff7a111.exeC:\Users\admin\AppData\Local\Temp\a332be0b7ff7a111.exe:lexecutable
MD5:4C2DB021EFF66F12D52EC0C15BE48795
SHA256:5F2E0D2D327403257DC6233E6BF1B5A7225E472E80D139D8C2BD5EBC99DCC20B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
39
TCP/UDP connections
26
DNS requests
21
Threats
4

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1684
a332be0b7ff7a111.exe
GET
200
142.251.20.94:80
http://c.pki.goog/r/r4.crl
US
binary
528 b
whitelisted
1684
a332be0b7ff7a111.exe
POST
200
104.18.10.59:443
https://polygon.drpc.org/
US
text
358 b
malicious
1684
a332be0b7ff7a111.exe
POST
200
188.114.96.3:443
https://proxy.oneterrace.one/app/metrics/gduib.oozr
US
text
4 b
unknown
1684
a332be0b7ff7a111.exe
GET
200
188.114.96.3:443
https://proxy.oneterrace.one/app/status
US
text
54 b
unknown
1684
a332be0b7ff7a111.exe
POST
200
188.114.96.3:443
https://proxy.oneterrace.one/app/metrics/gduib.oozr
US
text
4 b
unknown
1684
a332be0b7ff7a111.exe
POST
200
188.114.96.3:443
https://proxy.oneterrace.one/app/metrics/gduib.oozr
US
text
4 b
unknown
5276
MoUsoCoreWorker.exe
GET
304
40.127.240.158:443
https://settings-win.data.microsoft.com/settings/v3.0/wsd/muse?ProcessorClockSpeed=3094&FlightIds=&UpdateOfferedDays=4294967295&BranchReadinessLevel=CB&OEMManufacturerName=DELL&IsCloudDomainJoined=0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&sku=48&ActivationChannel=Retail&AttrDataVer=186&IsMDMEnrolled=0&ProcessorCores=6&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&TotalPhysicalRAM=6144&PrimaryDiskType=4294967295&FlightingBranchName=&ChassisTypeId=1&OEMModelNumber=DELL&SystemVolumeTotalCapacity=260281&sampleId=95271487&deviceClass=Windows.Desktop&App=muse&DisableDualScan=0&AppVer=10.0&OEMSubModel=J5CR&locale=en-US&IsAlwaysOnAlwaysConnectedCapable=0&ms=0&DefaultUserRegion=244&UpdateServiceUrl=http%3A%2F%2Fneverupdatewindows10.com&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&os=windows&deviceId=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&DeferQualityUpdatePeriodInDays=0&ring=Retail&DeferFeatureUpdatePeriodInDays=30
US
whitelisted
7336
SIHClient.exe
GET
304
74.178.76.128:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
US
whitelisted
1684
a332be0b7ff7a111.exe
POST
200
188.114.96.3:443
https://proxy.oneterrace.one/app/metrics/gduib.oozr
US
text
4 b
unknown
1684
a332be0b7ff7a111.exe
GET
200
142.251.20.94:80
http://c.pki.goog/r/gsr1.crl
US
binary
1.70 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
8000
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:137
Not routed
whitelisted
5276
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
48.192.1.64:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:138
Not routed
whitelisted
1684
a332be0b7ff7a111.exe
104.18.10.59:443
polygon.drpc.org
CLOUDFLARENET
US
malicious
1684
a332be0b7ff7a111.exe
142.251.20.94:80
c.pki.goog
GOOGLE
US
whitelisted
1684
a332be0b7ff7a111.exe
188.114.96.3:443
proxy.oneterrace.one
CLOUDFLARENET
US
whitelisted
1684
a332be0b7ff7a111.exe
104.18.21.213:80
e7.c.lencr.org
CLOUDFLARENET
US
whitelisted
8000
svchost.exe
23.216.77.25:80
crl.microsoft.com
AKAMAI-ASN1
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 40.127.240.158
  • 51.104.136.2
whitelisted
activation-v2.sls.microsoft.com
  • 48.192.1.64
whitelisted
google.com
  • 142.251.14.139
  • 142.251.14.102
  • 142.251.14.100
  • 142.251.14.113
  • 142.251.14.101
  • 142.251.14.138
whitelisted
polygon.drpc.org
  • 104.18.10.59
  • 104.18.11.59
unknown
c.pki.goog
  • 142.251.20.94
whitelisted
proxy.oneterrace.one
  • 188.114.96.3
  • 188.114.97.3
unknown
e7.c.lencr.org
  • 104.18.21.213
  • 104.18.20.213
whitelisted
crl.microsoft.com
  • 23.216.77.25
  • 23.216.77.30
  • 23.216.77.9
  • 23.216.77.10
  • 23.216.77.33
  • 23.216.77.18
  • 23.216.77.38
  • 23.216.77.34
  • 23.216.77.36
whitelisted
www.microsoft.com
  • 23.52.181.212
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted

Threats

PID
Process
Class
Message
2232
svchost.exe
Misc activity
ET INFO Observed DNS Query to Blockchain RPC Domain (polygon .drpc .org)
1684
a332be0b7ff7a111.exe
Misc activity
ET INFO Observed Blockchain RPC Domain (polygon .drpc .org in TLS SNI)
1684
a332be0b7ff7a111.exe
A Network Trojan was detected
ET MALWARE EtherHiding Exfil M2
8000
svchost.exe
Unknown Traffic
ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
a332be0b7ff7a111.exe