File name:

_8eecc9f79b03b29a6853441a08fd6ac28b77a509aa2ffe3b10174328cd9e7068.exe

Full analysis: https://app.any.run/tasks/416d43a4-4993-4a01-a510-23ecd7e312ed
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: March 06, 2026, 15:57:50
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
etherhiding
stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5:

7B3A1C044988D30719204F60C325617B

SHA1:

60A1DBFA7BE60508AAFCE69E6CEDAEA6FDC67E44

SHA256:

8EECC9F79B03B29A6853441A08FD6AC28B77A509AA2FFE3B10174328CD9E7068

SSDEEP:

196608:gyw74ta7japxN4nIIDRwVhbjDUNOOhX6pEWCvzyxC:gyESHwRUhPDUNOOhKpEWCbGC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • ETHERHIDING has been detected (SURICATA)

      • _8eecc9f79b03b29a6853441a08fd6ac28b77a509aa2ffe3b10174328cd9e7068.exe (PID: 8624)

    • Actions looks like stealing of personal data

      • _8eecc9f79b03b29a6853441a08fd6ac28b77a509aa2ffe3b10174328cd9e7068.exe (PID: 8624)

    • Steals credentials from Web Browsers

      • _8eecc9f79b03b29a6853441a08fd6ac28b77a509aa2ffe3b10174328cd9e7068.exe (PID: 8624)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • _8eecc9f79b03b29a6853441a08fd6ac28b77a509aa2ffe3b10174328cd9e7068.exe (PID: 8624)

    • Possible stealing of VPN data

      • _8eecc9f79b03b29a6853441a08fd6ac28b77a509aa2ffe3b10174328cd9e7068.exe (PID: 8624)

    • Searches for installed software

      • _8eecc9f79b03b29a6853441a08fd6ac28b77a509aa2ffe3b10174328cd9e7068.exe (PID: 8624)

    • Possible stealing from password managers

      • _8eecc9f79b03b29a6853441a08fd6ac28b77a509aa2ffe3b10174328cd9e7068.exe (PID: 8624)

    • Possible stealing from crypto wallets

      • _8eecc9f79b03b29a6853441a08fd6ac28b77a509aa2ffe3b10174328cd9e7068.exe (PID: 8624)

    • Possible stealing of messenger data

      • _8eecc9f79b03b29a6853441a08fd6ac28b77a509aa2ffe3b10174328cd9e7068.exe (PID: 8624)

    • Possible stealing of FTP data

      • _8eecc9f79b03b29a6853441a08fd6ac28b77a509aa2ffe3b10174328cd9e7068.exe (PID: 8624)

  • INFO

    • The sample compiled with english language support

      • _8eecc9f79b03b29a6853441a08fd6ac28b77a509aa2ffe3b10174328cd9e7068.exe (PID: 8624)

    • Checks supported languages

      • _8eecc9f79b03b29a6853441a08fd6ac28b77a509aa2ffe3b10174328cd9e7068.exe (PID: 8624)

    • Reads the machine GUID from the registry

      • _8eecc9f79b03b29a6853441a08fd6ac28b77a509aa2ffe3b10174328cd9e7068.exe (PID: 8624)

    • Create files in a temporary directory

      • _8eecc9f79b03b29a6853441a08fd6ac28b77a509aa2ffe3b10174328cd9e7068.exe (PID: 8624)

    • Checks proxy server information

      • _8eecc9f79b03b29a6853441a08fd6ac28b77a509aa2ffe3b10174328cd9e7068.exe (PID: 8624)
      • slui.exe (PID: 2428)

    • Reads product name

      • _8eecc9f79b03b29a6853441a08fd6ac28b77a509aa2ffe3b10174328cd9e7068.exe (PID: 8624)

    • Reads Environment values

      • _8eecc9f79b03b29a6853441a08fd6ac28b77a509aa2ffe3b10174328cd9e7068.exe (PID: 8624)

    • Reads CPU info

      • _8eecc9f79b03b29a6853441a08fd6ac28b77a509aa2ffe3b10174328cd9e7068.exe (PID: 8624)

    • Reads security settings of Internet Explorer

      • _8eecc9f79b03b29a6853441a08fd6ac28b77a509aa2ffe3b10174328cd9e7068.exe (PID: 8624)

    • Creates files or folders in the user directory

      • _8eecc9f79b03b29a6853441a08fd6ac28b77a509aa2ffe3b10174328cd9e7068.exe (PID: 8624)

    • Reads the computer name

      • _8eecc9f79b03b29a6853441a08fd6ac28b77a509aa2ffe3b10174328cd9e7068.exe (PID: 8624)

    • There is functionality for taking screenshot (YARA)

      • _8eecc9f79b03b29a6853441a08fd6ac28b77a509aa2ffe3b10174328cd9e7068.exe (PID: 8624)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2023:09:28 21:40:25+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.29
CodeSize: 22160384
InitializedDataSize: 50414592
UninitializedDataSize: -
EntryPoint: 0x14d207c
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 4.5.4273.278
ProductVersionNumber: 4.5.4273.278
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileDescription: WiFi Manager Standard Driver
LegalTrademarks: Konica Minolta. All rights reserved.
CompanyName: Konica Minolta
ProductVersion: 4.5.4273.278
ProductName: WiFi Manager Standard
LegalCopyright: (C) Konica Minolta 2021
InternalName: vid9625
FileVersion: 4.5.4273.278
OriginalFileName: vid9625.exe
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
131
Monitored processes
5
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #ETHERHIDING _8eecc9f79b03b29a6853441a08fd6ac28b77a509aa2ffe3b10174328cd9e7068.exe chrome.exe no specs msedge.exe no specs slui.exe svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
2292C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2428C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
3352"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe_8eecc9f79b03b29a6853441a08fd6ac28b77a509aa2ffe3b10174328cd9e7068.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
8624"C:\Users\admin\Desktop\_8eecc9f79b03b29a6853441a08fd6ac28b77a509aa2ffe3b10174328cd9e7068.exe" C:\Users\admin\Desktop\_8eecc9f79b03b29a6853441a08fd6ac28b77a509aa2ffe3b10174328cd9e7068.exe
explorer.exe
User:
admin
Company:
Konica Minolta
Integrity Level:
MEDIUM
Description:
WiFi Manager Standard Driver
Exit code:
2147483651
Version:
4.5.4273.278
Modules
Images
c:\users\admin\desktop\_8eecc9f79b03b29a6853441a08fd6ac28b77a509aa2ffe3b10174328cd9e7068.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\dbghelp.dll
9044"C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe_8eecc9f79b03b29a6853441a08fd6ac28b77a509aa2ffe3b10174328cd9e7068.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
Total events
7 232
Read events
7 229
Write events
3
Delete events
0

Modification events

(PID) Process:(8624) _8eecc9f79b03b29a6853441a08fd6ac28b77a509aa2ffe3b10174328cd9e7068.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(8624) _8eecc9f79b03b29a6853441a08fd6ac28b77a509aa2ffe3b10174328cd9e7068.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(8624) _8eecc9f79b03b29a6853441a08fd6ac28b77a509aa2ffe3b10174328cd9e7068.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
Executable files
1
Suspicious files
1
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
8624_8eecc9f79b03b29a6853441a08fd6ac28b77a509aa2ffe3b10174328cd9e7068.exeC:\Users\admin\Desktop\_8eecc9f79b03b29a6853441a08fd6ac28b77a509aa2ffe3b10174328cd9e7068.exe:x
MD5:
SHA256:
8624_8eecc9f79b03b29a6853441a08fd6ac28b77a509aa2ffe3b10174328cd9e7068.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\health[1].txtbinary
MD5:C76A5E84E4BDEE527E274EA30C680D79
SHA256:96879611650F80A81392A52E0DB9B0237669087C4518E1C130E541A505E0EEEF
8624_8eecc9f79b03b29a6853441a08fd6ac28b77a509aa2ffe3b10174328cd9e7068.exeC:\Users\admin\AppData\Local\Temp\aac55z69ex1ibrs3.nodeexecutable
MD5:629F0517B58E26A3DF5E01888C39AD1B
SHA256:D5FD3CF3690865685814A77FC82524CF7FC5DA288D8AC119283ECBEAE4B8E00B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
50
TCP/UDP connections
43
DNS requests
14
Threats
36

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
23.216.77.28:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
NL
binary
825 b
whitelisted
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
US
binary
814 b
whitelisted
6768
MoUsoCoreWorker.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
US
binary
814 b
whitelisted
POST
200
104.18.10.59:443
https://polygon.drpc.org/
US
binary
358 b
unknown
GET
200
188.114.97.3:443
https://bapesta.akjqdf.xyz/health
US
binary
6 b
unknown
8624
_8eecc9f79b03b29a6853441a08fd6ac28b77a509aa2ffe3b10174328cd9e7068.exe
POST
200
104.18.10.59:443
https://polygon.drpc.org/
US
binary
358 b
malicious
8624
_8eecc9f79b03b29a6853441a08fd6ac28b77a509aa2ffe3b10174328cd9e7068.exe
GET
200
188.114.97.3:443
https://bapesta.akjqdf.xyz/health
US
binary
6 b
unknown
POST
200
188.114.97.3:443
https://bapesta.akjqdf.xyz/adb8a56294dadf33644cb54a090cb9f6/ybzel.avju
US
binary
4 b
unknown
8624
_8eecc9f79b03b29a6853441a08fd6ac28b77a509aa2ffe3b10174328cd9e7068.exe
POST
200
188.114.97.3:443
https://bapesta.akjqdf.xyz/adb8a56294dadf33644cb54a090cb9f6/ybzel.avju
US
binary
4 b
unknown
6320
svchost.exe
GET
200
23.216.77.28:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
NL
binary
825 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:137
Not routed
whitelisted
184.86.251.22:443
www.bing.com
AKAMAI-ASN1
NL
whitelisted
4
System
192.168.100.255:138
Not routed
whitelisted
23.216.77.28:80
crl.microsoft.com
AKAMAI-ASN1
NL
whitelisted
6320
svchost.exe
23.216.77.28:80
crl.microsoft.com
AKAMAI-ASN1
NL
whitelisted
6768
MoUsoCoreWorker.exe
23.216.77.28:80
crl.microsoft.com
AKAMAI-ASN1
NL
whitelisted
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
US
whitelisted
6320
svchost.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
US
whitelisted
6768
MoUsoCoreWorker.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
self.events.data.microsoft.com
  • 20.189.173.11
  • 20.189.173.17
whitelisted
www.bing.com
  • 184.86.251.22
  • 184.86.251.17
  • 184.86.251.27
  • 184.86.251.7
  • 184.86.251.9
whitelisted
google.com
  • 142.251.36.110
whitelisted
crl.microsoft.com
  • 23.216.77.28
  • 23.216.77.6
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted
polygon.drpc.org
  • 104.18.10.59
  • 104.18.11.59
malicious
bapesta.akjqdf.xyz
  • 188.114.97.3
  • 188.114.96.3
unknown
activation-v2.sls.microsoft.com
  • 48.192.1.64
  • 48.192.1.65
whitelisted

Threats

PID
Process
Class
Message
2292
svchost.exe
Misc activity
ET INFO Observed DNS Query to Blockchain RPC Domain (polygon .drpc .org)
8624
_8eecc9f79b03b29a6853441a08fd6ac28b77a509aa2ffe3b10174328cd9e7068.exe
Misc activity
ET INFO Observed Blockchain RPC Domain (polygon .drpc .org in TLS SNI)
Misc activity
INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
A Network Trojan was detected
ET MALWARE EtherHiding Exfil M2
8624
_8eecc9f79b03b29a6853441a08fd6ac28b77a509aa2ffe3b10174328cd9e7068.exe
Misc activity
INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
8624
_8eecc9f79b03b29a6853441a08fd6ac28b77a509aa2ffe3b10174328cd9e7068.exe
A Network Trojan was detected
ET MALWARE EtherHiding Exfil M2
Misc activity
INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
8624
_8eecc9f79b03b29a6853441a08fd6ac28b77a509aa2ffe3b10174328cd9e7068.exe
Misc activity
INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
Misc activity
INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
8624
_8eecc9f79b03b29a6853441a08fd6ac28b77a509aa2ffe3b10174328cd9e7068.exe
Misc activity
INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
_8eecc9f79b03b29a6853441a08fd6ac28b77a509aa2ffe3b10174328cd9e7068.exe