File name:

2025-03-24_ee5b391b5b179332e62ab55d609b6ff3_amadey_coinminer_hijackloader_rhadamanthys_smoke-loader

Full analysis: https://app.any.run/tasks/8ad65d94-1d92-4258-a83f-36ba9c00c4c1
Verdict: Malicious activity
Analysis date: March 24, 2025, 17:55:59
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 3 sections
MD5:

EE5B391B5B179332E62AB55D609B6FF3

SHA1:

A6CEB880A917585E03C068FC1CF1737FFB083699

SHA256:

211BA4FF2B8767310114EFB3BD0F861BDC078BA5DE02ECBC0EA407E46C53C236

SSDEEP:

98304:iefUuZuKAuf5jTF0kOefUuZuKAuf5jTFrkHVrGDYwOwjefUuZuKAuf5jTFPkOefY:B

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report may have been distorted by user actions and is provided as-is for the user's information. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Starts NET.EXE for service management

      • cmd.exe (PID: 5972)
      • net.exe (PID: 4188)
      • cmd.exe (PID: 4244)
      • net.exe (PID: 6752)
      • net.exe (PID: 208)
      • net.exe (PID: 7012)
      • net.exe (PID: 5324)
      • cmd.exe (PID: 6372)
      • cmd.exe (PID: 6800)
      • cmd.exe (PID: 4756)
    • Uses NET.EXE to stop Windows Update service (wuauserv)

      • net.exe (PID: 208)
      • cmd.exe (PID: 4244)
    • Uses NET.EXE to stop Windows Security Center service (wscsvc)

      • net.exe (PID: 6752)
      • cmd.exe (PID: 6800)
    • Starts NET.EXE to view/add/change user profiles

      • cmd.exe (PID: 5304)
      • net.exe (PID: 4112)
    • Starts NET.EXE to view/change users localgroup

      • cmd.exe (PID: 2908)
      • net.exe (PID: 6576)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • 2025-03-24_ee5b391b5b179332e62ab55d609b6ff3_amadey_coinminer_hijackloader_rhadamanthys_smoke-loader.exe (PID: 4488)
      • UpdatAuto.exe (PID: 6272)
    • Starts a Microsoft application from unusual location

      • 2025-03-24_ee5b391b5b179332e62ab55d609b6ff3_amadey_coinminer_hijackloader_rhadamanthys_smoke-loader.exe (PID: 4868)
      • 2025-03-24_ee5b391b5b179332e62ab55d609b6ff3_amadey_coinminer_hijackloader_rhadamanthys_smoke-loader.exe (PID: 4488)
    • Starts CMD.EXE for commands execution

      • 2025-03-24_ee5b391b5b179332e62ab55d609b6ff3_amadey_coinminer_hijackloader_rhadamanthys_smoke-loader.exe (PID: 4488)
      • UpdatAuto.exe (PID: 6272)
    • Executing commands from a ".bat" file

      • 2025-03-24_ee5b391b5b179332e62ab55d609b6ff3_amadey_coinminer_hijackloader_rhadamanthys_smoke-loader.exe (PID: 4488)
      • UpdatAuto.exe (PID: 6272)
    • Starts itself from another location

      • 2025-03-24_ee5b391b5b179332e62ab55d609b6ff3_amadey_coinminer_hijackloader_rhadamanthys_smoke-loader.exe (PID: 4488)
    • Windows service management via SC.EXE

      • sc.exe (PID: 5176)
      • sc.exe (PID: 6564)
      • sc.exe (PID: 5968)
      • sc.exe (PID: 1276)
      • sc.exe (PID: 616)
    • Executable content was dropped or overwritten

      • 2025-03-24_ee5b391b5b179332e62ab55d609b6ff3_amadey_coinminer_hijackloader_rhadamanthys_smoke-loader.exe (PID: 4488)
      • UpdatAuto.exe (PID: 6272)
    • Creates file in the systems drive root

      • UpdatAuto.exe (PID: 6272)
      • 2025-03-24_ee5b391b5b179332e62ab55d609b6ff3_amadey_coinminer_hijackloader_rhadamanthys_smoke-loader.exe (PID: 4488)
    • Drops 7-zip archiver for unpacking

      • 2025-03-24_ee5b391b5b179332e62ab55d609b6ff3_amadey_coinminer_hijackloader_rhadamanthys_smoke-loader.exe (PID: 4488)
  • INFO

    • The sample was compiled with Chinese language support

      • 2025-03-24_ee5b391b5b179332e62ab55d609b6ff3_amadey_coinminer_hijackloader_rhadamanthys_smoke-loader.exe (PID: 4488)
      • UpdatAuto.exe (PID: 6272)
    • Checks supported languages

      • 2025-03-24_ee5b391b5b179332e62ab55d609b6ff3_amadey_coinminer_hijackloader_rhadamanthys_smoke-loader.exe (PID: 4488)
      • UpdatAuto.exe (PID: 6272)
      • 2025-03-24_ee5b391b5b179332e62ab55d609b6ff3_amadey_coinminer_hijackloader_rhadamanthys_smoke-loader~4.exe (PID: 4868)
    • Creates files in a temporary directory

      • 2025-03-24_ee5b391b5b179332e62ab55d609b6ff3_amadey_coinminer_hijackloader_rhadamanthys_smoke-loader.exe (PID: 4488)
      • UpdatAuto.exe (PID: 6272)
    • The sample was compiled with English language support

      • 2025-03-24_ee5b391b5b179332e62ab55d609b6ff3_amadey_coinminer_hijackloader_rhadamanthys_smoke-loader.exe (PID: 4488)
    • Reads the computer name

      • 2025-03-24_ee5b391b5b179332e62ab55d609b6ff3_amadey_coinminer_hijackloader_rhadamanthys_smoke-loader~4.exe (PID: 4868)
      • UpdatAuto.exe (PID: 6272)
    • Creates files in the program directory

      • 2025-03-24_ee5b391b5b179332e62ab55d609b6ff3_amadey_coinminer_hijackloader_rhadamanthys_smoke-loader.exe (PID: 4488)
      • UpdatAuto.exe (PID: 6272)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No malware configuration was extracted.
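The net.exe and sc.exe indicators above, together with the command lines in the process table further down, are the telemetry a detection rule should key on. The following is an added example, not part of the ANY.RUN report or its tooling: a Python check over process-creation events constructed from this report's command lines and exit codes (plus two constructed benign controls), using an assumed Sysmon-like field schema (pid, image, cmdline, parent, exit_code). The watch-list extends the four services this sample touches with other common defence-evasion targets, and the exit code is read to say whether each attempt took effect, which the indicator list alone does not show.

```python
"""Flag service-tampering commands in process-creation telemetry.

Added example; it is not part of the ANY.RUN report or of ANY.RUN's tooling.
EVENTS is constructed from the command lines and exit codes shown in the
report's process table, plus two constructed benign controls. The field names
(pid, image, cmdline, parent, exit_code) are an assumed Sysmon-like schema,
not ANY.RUN's export format.
"""
import re
from dataclasses import dataclass

SAMPLE = ("2025-03-24_ee5b391b5b179332e62ab55d609b6ff3_amadey_coinminer_"
          "hijackloader_rhadamanthys_smoke-loader.exe")

# Services whose stop/disable is worth an alert. The first four are the ones
# this sample targets; the rest are other common defence-evasion targets.
WATCHED_SERVICES = {
    "wuauserv": "Windows Update",
    "wscsvc": "Security Center",
    "srservice": "System Restore (Windows XP-era service name)",
    "tlntsvr": "Telnet Server",
    "windefend": "Microsoft Defender Antivirus",
    "mpssvc": "Windows Defender Firewall",
    "sense": "Microsoft Defender for Endpoint",
}
# Win32 error sc.exe returns when the named service is not installed.
ERROR_SERVICE_DOES_NOT_EXIST = 1060

# "net[1] <stop|start> <service>" and "sc config <service> start= <mode>",
# with or without a leading path and ".exe" suffix.
NET_RE = re.compile(r"^(?:.*\\)?net1?(?:\.exe)?\s+(stop|start)\s+(\S+)", re.I)
SC_RE = re.compile(r"^(?:.*\\)?sc(?:\.exe)?\s+config\s+(\S+)\s+start=\s*(\S+)", re.I)


@dataclass
class Finding:
    pid: int
    rule: str
    service: str
    outcome: str


def outcome_for(exit_code):
    """Translate the process exit code into whether the tampering took effect."""
    if exit_code is None:
        return "unknown"
    if exit_code == 0:
        return "succeeded"
    if exit_code == ERROR_SERVICE_DOES_NOT_EXIST:
        return "service not installed"
    return f"failed (exit {exit_code})"


def detect(events):
    """Return one Finding per event that stops/disables a watched service or starts Telnet."""
    findings = []
    for ev in events:
        cmd = ev["cmdline"].replace('"', "").strip()
        m = NET_RE.match(cmd)
        if m:
            verb, svc = m.group(1).lower(), m.group(2).lower()
            if verb == "stop" and svc in WATCHED_SERVICES:
                findings.append(Finding(ev["pid"], "service-stop", svc, outcome_for(ev["exit_code"])))
            elif verb == "start" and svc == "tlntsvr":
                findings.append(Finding(ev["pid"], "remote-access-service-start", svc, outcome_for(ev["exit_code"])))
            continue
        m = SC_RE.match(cmd)
        if m:
            svc, mode = m.group(1).lower(), m.group(2).lower()
            if mode == "disabled" and svc in WATCHED_SERVICES:
                findings.append(Finding(ev["pid"], "service-disable", svc, outcome_for(ev["exit_code"])))
    return findings


def successful_tampering(findings):
    """Services whose stop/disable actually succeeded (exit code 0)."""
    return {f.service for f in findings if f.outcome == "succeeded"}


EVENTS = [
    # From the report's process table (PID, command line, parent, exit code).
    {"pid": 864, "image": "cmd.exe", "cmdline": r"C:\WINDOWS\system32\cmd.exe /c C:\WINDOWS\system32\Option.bat", "parent": SAMPLE, "exit_code": None},
    {"pid": 208, "image": "net.exe", "cmdline": "net stop wuauserv", "parent": "cmd.exe", "exit_code": 2},
    {"pid": 856, "image": "net1.exe", "cmdline": r"C:\WINDOWS\system32\net1 stop wscsvc", "parent": "net.exe", "exit_code": 2},
    {"pid": 1568, "image": "net1.exe", "cmdline": r"C:\WINDOWS\system32\net1 stop srservice", "parent": "net.exe", "exit_code": 2},
    {"pid": 2268, "image": "net1.exe", "cmdline": r"C:\WINDOWS\system32\net1 start TlntSvr", "parent": "net.exe", "exit_code": 2},
    {"pid": 616, "image": "sc.exe", "cmdline": "sc config srservice start= disabled", "parent": SAMPLE, "exit_code": 1060},
    {"pid": 1276, "image": "sc.exe", "cmdline": "sc config wuauserv start= disabled", "parent": SAMPLE, "exit_code": 0},
    # Constructed benign controls: a read-only query and a stop of an unwatched service.
    {"pid": 9001, "image": "sc.exe", "cmdline": "sc query wuauserv", "parent": "cmd.exe", "exit_code": 0},
    {"pid": 9002, "image": "net.exe", "cmdline": "net stop spooler", "parent": "cmd.exe", "exit_code": 0},
]

if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"PID {f.pid}: {f.rule} {f.service} ({WATCHED_SERVICES[f.service]}) -> {f.outcome}")
    print("effective:", successful_tampering(detect(EVENTS)))
```

Run as a script it prints one line per finding and then the set of services actually taken down. For this run that set is just wuauserv: only `sc config wuauserv start= disabled` returned 0, every `net stop`/`net start` attempt returned a non-zero code, and sc reported 1060 (service does not exist) for srservice. The two controls produce no finding: `sc query` is not a config change, and spooler is not on the watch-list.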

TRiD

.exe | Win32 Executable Microsoft Visual Basic 6 (63.9)
.exe | Win32 Executable MS Visual C++ (generic) (24.3)
.dll | Win32 Dynamic Link Library (generic) (5.1)
.exe | Win32 Executable (generic) (3.5)
.exe | Generic Win/DOS Executable (1.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2007:03:12 04:30:52+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 102400
InitializedDataSize: 16384
UninitializedDataSize: -
EntryPoint: 0x27dc
OSVersion: 4
ImageVersion: 6.1
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 6.1.0.0
ProductVersionNumber: 6.1.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
Comments: Windows Update Manager for NT
CompanyName: Microsoft Corporation
FileDescription: Windows Update Manager for NT
LegalCopyright: Copyright (C) Microsoft Corp. 1981-1999
ProductName: Microsoft(R) Windows (R) 2000 Operating System
FileVersion: 6.01
ProductVersion: 6.01
InternalName: INCUBUS
OriginalFileName: INCUBUS.exe
Note: the CompanyName, ProductName and Comments fields imitate a Microsoft component, but a Visual Basic 6-linked binary (TRiD's top match) with internal name INCUBUS is not a Microsoft file; treat the version resource as spoofed and do not whitelist on it.
All screenshots are available in the full report
Total processes: 171
Monitored processes: 47
Malicious processes: 4
Suspicious processes: 6

Behavior graph

(The interactive graph is only in the full report. Processes it shows, in graph order: the sample 2025-03-24_ee5b391b5b179332e62ab55d609b6ff3_amadey_coinminer_hijackloader_rhadamanthys_smoke-loader.exe, UpdatAuto.exe, the renamed copy 2025-03-24_ee5b391b5b179332e62ab55d609b6ff3_amadey_coinminer_hijackloader_rhadamanthys_smoke-loader~4.exe, nine cmd.exe and fourteen conhost.exe instances, five sc.exe, seven net.exe and seven net1.exe instances, slui.exe, and a second instance of the sample. All of these except the sample and UpdatAuto.exe are marked "no specs" in the graph, i.e. they triggered no signature of their own.)

Process information

(columns: PID | CMD | Path | Indicators | Parent process)
PID 208 | CMD: net stop wuauserv | Path: C:\Windows\SysWOW64\net.exe | Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Net Command
Exit code: 2
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID 616 | CMD: sc config srservice start= disabled | Path: C:\Windows\SysWOW64\sc.exe | Parent process: 2025-03-24_ee5b391b5b179332e62ab55d609b6ff3_amadey_coinminer_hijackloader_rhadamanthys_smoke-loader.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Service Control Manager Configuration Tool
Exit code: 1060 (ERROR_SERVICE_DOES_NOT_EXIST: no service named srservice is installed on this Windows 10 guest)
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID 856 | CMD: C:\WINDOWS\system32\net1 stop wscsvc | Path: C:\Windows\SysWOW64\net1.exe | Parent process: net.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Net Command
Exit code: 2
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
PID 864 | CMD: C:\WINDOWS\system32\cmd.exe /c C:\WINDOWS\system32\Option.bat | Path: C:\Windows\SysWOW64\cmd.exe | Parent process: 2025-03-24_ee5b391b5b179332e62ab55d609b6ff3_amadey_coinminer_hijackloader_rhadamanthys_smoke-loader.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
PID 1276 | CMD: sc config wuauserv start= disabled | Path: C:\Windows\SysWOW64\sc.exe | Parent process: 2025-03-24_ee5b391b5b179332e62ab55d609b6ff3_amadey_coinminer_hijackloader_rhadamanthys_smoke-loader.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Service Control Manager Configuration Tool
Exit code: 0 (succeeded: the Windows Update service start type is now Disabled)
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID 1568 | CMD: C:\WINDOWS\system32\net1 stop srservice | Path: C:\Windows\SysWOW64\net1.exe | Parent process: net.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Net Command
Exit code: 2
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
PID 1676 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 1764 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 2268 | CMD: C:\WINDOWS\system32\net1 start TlntSvr | Path: C:\Windows\SysWOW64\net1.exe | Parent process: net.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Net Command
Exit code: 2 (TlntSvr is the Telnet Server service; the start attempt did not succeed on this guest)
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
PID 2284 | CMD: C:\WINDOWS\system32\cmd.exe /c C:\WINDOWS\system32\Option.bat | Path: C:\Windows\SysWOW64\cmd.exe | Parent process: UpdatAuto.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
Total events: 688
Read events: 688
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 18
Suspicious files: 0
Text files: 1
Unknown types: 0

Dropped files

(columns: PID | Process | Filename | Type, followed by MD5 and SHA256 where the report lists them)

PID 4488 | Process: 2025-03-24_ee5b391b5b179332e62ab55d609b6ff3_amadey_coinminer_hijackloader_rhadamanthys_smoke-loader.exe | Filename: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
MD5:
SHA256:
PID 6272 | Process: UpdatAuto.exe | Filename: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe
MD5:
SHA256:
PID 4488 | Process: 2025-03-24_ee5b391b5b179332e62ab55d609b6ff3_amadey_coinminer_hijackloader_rhadamanthys_smoke-loader.exe | Filename: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
MD5:
SHA256:
PID 6272 | Process: UpdatAuto.exe | Filename: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe | Type: executable
MD5: 8EC887D552BC320581003E1AAD7D2386
SHA256: 3CD3B3EBA3F74F5BCF870857A087AE965D1306A9DDCE2869CF307D68DBC96DB9
PID 6272 | Process: UpdatAuto.exe | Filename: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe | Type: executable
MD5: AC2F8F39F2A96A2D3C799A0DF113561D
SHA256: 09ED9E835FFB033D78C29B399E15C829EBF28488C2D8C2C8C7A6AB223BC74B65
PID 4488 | Process: 2025-03-24_ee5b391b5b179332e62ab55d609b6ff3_amadey_coinminer_hijackloader_rhadamanthys_smoke-loader.exe | Filename: C:\ntldr~8 | Type: executable
MD5: 2E8A80680C91A2CC1615561F2B4D660B
SHA256: 71B81E9E808CA9BE513D4849F5965D77719A7CEFE7D540D1A080E531A303D473
PID 6272 | Process: UpdatAuto.exe | Filename: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe | Type: executable
MD5: D34A0E86096400F03520E03605151D13
SHA256: 2B6E95928A5A592C95ACB4235707C47730F11A1224867C134B9F7382BBFAB478
PID 4488 | Process: 2025-03-24_ee5b391b5b179332e62ab55d609b6ff3_amadey_coinminer_hijackloader_rhadamanthys_smoke-loader.exe | Filename: C:\ntldr~6 | Type: executable
MD5: 2E8A80680C91A2CC1615561F2B4D660B
SHA256: 71B81E9E808CA9BE513D4849F5965D77719A7CEFE7D540D1A080E531A303D473
PID 4488 | Process: 2025-03-24_ee5b391b5b179332e62ab55d609b6ff3_amadey_coinminer_hijackloader_rhadamanthys_smoke-loader.exe | Filename: C:\Users\admin\Desktop\2025-03-24_ee5b391b5b179332e62ab55d609b6ff3_amadey_coinminer_hijackloader_rhadamanthys_smoke-loader~4.exe | Type: executable
MD5: FA7FDFAD9004174AC70DE7EF32C92552
SHA256: 7D84473A340FF09A5E64E88020B5EA77D947D18F455987594912163CF7FD2618
PID 6272 | Process: UpdatAuto.exe | Filename: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe | Type: executable
MD5: 6B313D78B367E206A9D2C969813F3BF5
SHA256: 199385D33D53F5143438182D569D11B6F4FF4BDB1CC3D8363B62F76FC99CF469
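Dropped-file tables from this kind of report arrive with PID, process, path and type fused on one line, so before the hashes and paths can go into a hunt list they need to be pulled apart and de-duplicated. The following is an added example, not the report's or ANY.RUN's code: a Python parser whose input is this table's own rows, copied as they appear on the page, and whose only other knowledge is the two writer process names from the report's process table. It groups the records by SHA256 so that identical content written under several names (here C:\ntldr~6 and C:\ntldr~8) is visible, and tags each record with where it was written.

```python
"""Parse the fused 'Dropped files' rows of an ANY.RUN report into IOC records.

Added example; it is not part of the report or of ANY.RUN's tooling. RAW is
this page's own Dropped files table, copied as it appears (PID, process, path
and type run together on one line, then the MD5 and SHA256 lines);
KNOWN_PROCESSES lists the two writer processes named in the report's process
table. Nothing else is assumed about ANY.RUN's export format.
"""
import ntpath
from collections import defaultdict
from dataclasses import dataclass

SAMPLE = ("2025-03-24_ee5b391b5b179332e62ab55d609b6ff3_amadey_coinminer_"
          "hijackloader_rhadamanthys_smoke-loader.exe")
KNOWN_PROCESSES = [SAMPLE, "UpdatAuto.exe"]

RAW = r"""
44882025-03-24_ee5b391b5b179332e62ab55d609b6ff3_amadey_coinminer_hijackloader_rhadamanthys_smoke-loader.exeC:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
MD5:
SHA256:
6272UpdatAuto.exeC:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe
MD5:
SHA256:
44882025-03-24_ee5b391b5b179332e62ab55d609b6ff3_amadey_coinminer_hijackloader_rhadamanthys_smoke-loader.exeC:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
MD5:
SHA256:
6272UpdatAuto.exeC:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exeexecutable
MD5:8EC887D552BC320581003E1AAD7D2386
SHA256:3CD3B3EBA3F74F5BCF870857A087AE965D1306A9DDCE2869CF307D68DBC96DB9
6272UpdatAuto.exeC:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exeexecutable
MD5:AC2F8F39F2A96A2D3C799A0DF113561D
SHA256:09ED9E835FFB033D78C29B399E15C829EBF28488C2D8C2C8C7A6AB223BC74B65
44882025-03-24_ee5b391b5b179332e62ab55d609b6ff3_amadey_coinminer_hijackloader_rhadamanthys_smoke-loader.exeC:\ntldr~8executable
MD5:2E8A80680C91A2CC1615561F2B4D660B
SHA256:71B81E9E808CA9BE513D4849F5965D77719A7CEFE7D540D1A080E531A303D473
6272UpdatAuto.exeC:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exeexecutable
MD5:D34A0E86096400F03520E03605151D13
SHA256:2B6E95928A5A592C95ACB4235707C47730F11A1224867C134B9F7382BBFAB478
44882025-03-24_ee5b391b5b179332e62ab55d609b6ff3_amadey_coinminer_hijackloader_rhadamanthys_smoke-loader.exeC:\ntldr~6executable
MD5:2E8A80680C91A2CC1615561F2B4D660B
SHA256:71B81E9E808CA9BE513D4849F5965D77719A7CEFE7D540D1A080E531A303D473
44882025-03-24_ee5b391b5b179332e62ab55d609b6ff3_amadey_coinminer_hijackloader_rhadamanthys_smoke-loader.exeC:\Users\admin\Desktop\2025-03-24_ee5b391b5b179332e62ab55d609b6ff3_amadey_coinminer_hijackloader_rhadamanthys_smoke-loader~4.exeexecutable
MD5:FA7FDFAD9004174AC70DE7EF32C92552
SHA256:7D84473A340FF09A5E64E88020B5EA77D947D18F455987594912163CF7FD2618
6272UpdatAuto.exeC:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeexecutable
MD5:6B313D78B367E206A9D2C969813F3BF5
SHA256:199385D33D53F5143438182D569D11B6F4FF4BDB1CC3D8363B62F76FC99CF469
"""


@dataclass
class Dropped:
    pid: int
    process: str
    path: str
    ftype: str   # "executable", or "" when the report lists no type
    md5: str
    sha256: str


def split_row(row):
    """Split 'PID<process>C:\\<path>[executable]' using the known process names."""
    for proc in KNOWN_PROCESSES:
        idx = row.find(proc + "C:\\")
        if idx > 0 and row[:idx].isdigit():
            rest = row[idx + len(proc):]
            ftype = ""
            if rest.endswith("executable"):
                ftype, rest = "executable", rest[: -len("executable")]
            return int(row[:idx]), proc, rest, ftype
    raise ValueError(f"unrecognised row: {row!r}")


def parse(raw):
    """Turn the three-line row/MD5/SHA256 groups into Dropped records."""
    lines = [ln.strip() for ln in raw.strip().splitlines() if ln.strip()]
    records = []
    for row, md5_line, sha_line in zip(lines[0::3], lines[1::3], lines[2::3]):
        pid, proc, path, ftype = split_row(row)
        records.append(Dropped(pid, proc, path, ftype,
                               md5_line.split(":", 1)[1].strip().upper(),
                               sha_line.split(":", 1)[1].strip().upper()))
    return records


def by_sha256(records):
    """SHA256 -> sorted paths; identical content dropped under several names shows up here."""
    groups = defaultdict(set)
    for r in records:
        if r.sha256:
            groups[r.sha256].add(r.path)
    return {digest: sorted(paths) for digest, paths in groups.items()}


def flags(record):
    """Triage tags for one dropped file, based on where it was written."""
    tags = []
    parent = ntpath.dirname(record.path)
    if parent.rstrip("\\") == "C:":
        tags.append("written-to-drive-root")
    if parent.lower().startswith(r"c:\program files"):
        tags.append("written-to-program-files")
    if not record.sha256:
        tags.append("no-hash-recorded")
    if ntpath.basename(record.path).startswith(SAMPLE[:-4]):
        tags.append("sample-name-variant")
    return tags


if __name__ == "__main__":
    records = parse(RAW)
    for r in records:
        digest = r.sha256[:12] or "(no hash)"
        print(f"{r.pid:<5} {digest:<12} {r.path}  {flags(r)}")
    for digest, paths in by_sha256(records).items():
        if len(paths) > 1:
            print("same content:", digest, paths)
```

On this table the grouping yields six distinct SHA256 values for ten writes: the two C:\ntldr~N files are byte-identical, seven writes land under C:\Program Files\Adobe\Acrobat DC\Acrobat (three of them with no hash recorded in the report), and the Desktop copy carries the sample's name with a ~4 suffix but a different hash from the original file.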
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2
TCP/UDP connections: 19
DNS requests: 5
Threats: 0

HTTP requests

(columns: PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation; fields the report leaves blank are omitted)

PID 2104 | svchost.exe | GET | 200 | 88.221.110.122:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | CN: unknown | whitelisted
POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | CN: unknown | xml | 512 b | whitelisted

Connections

(columns: PID | Process | IP | Domain | ASN | CN | Reputation; fields the report leaves blank are omitted)

51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
PID 4 | System | 192.168.100.255:138 | whitelisted
PID 2104 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
PID 2104 | svchost.exe | 88.221.110.122:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
PID 4 | System | 192.168.100.255:137 | whitelisted
PID 2140 | slui.exe | 20.83.72.98:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

Every listed connection is whitelisted Windows background traffic (CRL download, product activation, telemetry, NetBIOS broadcasts); no traffic attributable to the sample or its child processes, and no command-and-control traffic, was recorded in this run.

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.78
whitelisted
crl.microsoft.com
  • 88.221.110.122
  • 88.221.110.114
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted

Threats

No threats detected
No debug info