File name:	2025-07-06_3e689e6f97d9a9f93a8f1a2088229ebd_amadey_coinminer_elex_gcleaner_smoke-loader
Full analysis:	https://app.any.run/tasks/92165dd3-2317-447b-a176-27fd0672fe68
Verdict:	Malicious activity
Analysis date:	July 06, 2025, 02:32:33
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	auto-reg
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 7 sections
MD5:	3E689E6F97D9A9F93A8F1A2088229EBD
SHA1:	1157C0F29154C16E2179CD9865E0718A76A16028
SHA256:	93CC5F6D6FC673CECE73C773779D7EBA6E9529AC2FD78C620D7F7546A6D373B6
SSDEEP:	98304:usR/sQUKg9QZbJVNKLGI+NwfqRtmV0IGafd6INejeBdpxAB0XVM/MGrKfQS8y/c8:JvwuCiM3

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2012:12:24 21:43:11+00:00
ImageFileCharacteristics:	No relocs, Executable, 32-bit
PEType:	PE32
LinkerVersion:	10
CodeSize:	223232
InitializedDataSize:	135680
UninitializedDataSize:	-
EntryPoint:	0x25d1c
OSVersion:	5.1
ImageVersion:	-
SubsystemVersion:	5.1
Subsystem:	Windows GUI
FileVersionNumber:	10.1.1.35
ProductVersionNumber:	10.1.1.35
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Windows, Latin1
CompanyName:	Intel(R) Corporation
FileDescription:	Intel(R) Chipset Device Software
FileVersion:	10.1.1.35
InternalName:	setup
LegalCopyright:	Copyright (c) Intel(R) Corporation. All rights reserved.
OriginalFileName:	SetupChipset.exe
ProductName:	Intel(R) Chipset Device Software
ProductVersion:	10.1.1.35


(PID) Process:	(3844) SetupChipset.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Dependencies\{3A86092C-3E9F-4184-821F-FBDED23A917F}
Operation:	write	Name:	Version
Value: 10.1.1.35
(PID) Process:	(3844) SetupChipset.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Dependencies\{3A86092C-3E9F-4184-821F-FBDED23A917F}
Operation:	write	Name:	DisplayName
Value: Intel(R) Chipset Device Software
(PID) Process:	(3844) SetupChipset.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{5f5c7829-a6ba-4fc6-9f47-d068f51ed99b}
Operation:	write	Name:	BundleCachePath
Value: C:\ProgramData\Package Cache\{5f5c7829-a6ba-4fc6-9f47-d068f51ed99b}\SetupChipset.exe
(PID) Process:	(3844) SetupChipset.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{5f5c7829-a6ba-4fc6-9f47-d068f51ed99b}
Operation:	write	Name:	BundleUpgradeCode
Value: {D8CA2E7A-5763-4161-82B8-F870F2BD4F2F}
(PID) Process:	(3844) SetupChipset.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{5f5c7829-a6ba-4fc6-9f47-d068f51ed99b}
Operation:	write	Name:	BundleAddonCode
Value:
(PID) Process:	(3844) SetupChipset.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{5f5c7829-a6ba-4fc6-9f47-d068f51ed99b}
Operation:	write	Name:	BundleDetectCode
Value:
(PID) Process:	(3844) SetupChipset.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{5f5c7829-a6ba-4fc6-9f47-d068f51ed99b}
Operation:	write	Name:	BundlePatchCode
Value:
(PID) Process:	(3844) SetupChipset.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{5f5c7829-a6ba-4fc6-9f47-d068f51ed99b}
Operation:	write	Name:	BundleVersion
Value: 10.1.1.35
(PID) Process:	(3844) SetupChipset.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{5f5c7829-a6ba-4fc6-9f47-d068f51ed99b}
Operation:	write	Name:	BundleProviderKey
Value: {5f5c7829-a6ba-4fc6-9f47-d068f51ed99b}
(PID) Process:	(3844) SetupChipset.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{5f5c7829-a6ba-4fc6-9f47-d068f51ed99b}
Operation:	write	Name:	BundleTag
Value:

PID	Process	Filename		Type
2120	2025-07-06_3e689e6f97d9a9f93a8f1a2088229ebd_amadey_coinminer_elex_gcleaner_smoke-loader.exe	C:\Users\admin\AppData\Local\Temp\{5f5c7829-a6ba-4fc6-9f47-d068f51ed99b}\.ba1\mbapreq.wxl		xml
		MD5:16D2BD521AC2ACD7BD590A9B35F843DF	SHA256:84D8C544A8E320BD4EB3472A582326142D7CA86794B930FE983C3822A6ACF263
2120	2025-07-06_3e689e6f97d9a9f93a8f1a2088229ebd_amadey_coinminer_elex_gcleaner_smoke-loader.exe	C:\Users\admin\AppData\Local\Temp\{5f5c7829-a6ba-4fc6-9f47-d068f51ed99b}\.ba1\1032\mbapreq.wxl		xml
		MD5:9C21E76357218D33613174538EEA4120	SHA256:166801EFF4A826BF1B50CD24C0BE4B51717CC2B00F793FBC8CD8AB4B9AD6730B
2120	2025-07-06_3e689e6f97d9a9f93a8f1a2088229ebd_amadey_coinminer_elex_gcleaner_smoke-loader.exe	C:\Users\admin\AppData\Local\Temp\{5f5c7829-a6ba-4fc6-9f47-d068f51ed99b}\.ba1\BootstrapperCore.dll		executable
		MD5:86C4274A0E33EA0A53AF47E59D6F0840	SHA256:CFF83831665331462CC05DB5903F6ABC1EBF3532639A08A75A7BAFB184C8DF25
2120	2025-07-06_3e689e6f97d9a9f93a8f1a2088229ebd_amadey_coinminer_elex_gcleaner_smoke-loader.exe	C:\Users\admin\AppData\Local\Temp\{5f5c7829-a6ba-4fc6-9f47-d068f51ed99b}\.ba1\mbahost.dll		executable
		MD5:88235CC836ABA29A0704D87401083A3D	SHA256:8DAA7598A32917F6BDD34E00C5CFC0CDF81361BFFBF5CDE5F97F33F4DE0A9598
2120	2025-07-06_3e689e6f97d9a9f93a8f1a2088229ebd_amadey_coinminer_elex_gcleaner_smoke-loader.exe	C:\Users\admin\AppData\Local\Temp\{5f5c7829-a6ba-4fc6-9f47-d068f51ed99b}\.ba1\pl-PL\Bootstrapper.resources.dll		executable
		MD5:0F08412B93980060844FD6335D01B3A3	SHA256:00F23A1913974B24509E2920E8999F9C5B5DB1744071C34E0C0ECFDB130574BC
2120	2025-07-06_3e689e6f97d9a9f93a8f1a2088229ebd_amadey_coinminer_elex_gcleaner_smoke-loader.exe	C:\Users\admin\AppData\Local\Temp\{5f5c7829-a6ba-4fc6-9f47-d068f51ed99b}\.ba1\fi-FI\Bootstrapper.resources.dll		executable
		MD5:438BC7AD454F32CDC297840AFEC71A0F	SHA256:70DE0DB50694AB1FF9F5FC0BDE8A7F89148895D4A3C0A68AA37ECAD69D89DCFF
2120	2025-07-06_3e689e6f97d9a9f93a8f1a2088229ebd_amadey_coinminer_elex_gcleaner_smoke-loader.exe	C:\Users\admin\AppData\Local\Temp\{5f5c7829-a6ba-4fc6-9f47-d068f51ed99b}\.ba1\es-ES\Bootstrapper.resources.dll		executable
		MD5:EE1993324A6BFDB3F7BA55E8F312F5A2	SHA256:C001A8F3269FC2BA040AA3188FF27EF8043E1845B5D0F8A321BB0470F0CC76E2
2120	2025-07-06_3e689e6f97d9a9f93a8f1a2088229ebd_amadey_coinminer_elex_gcleaner_smoke-loader.exe	C:\Users\admin\AppData\Local\Temp\{5f5c7829-a6ba-4fc6-9f47-d068f51ed99b}\.ba1\Bootstrapper.dll		executable
		MD5:A1E19F047D9F44ECC574FBFD2E6EBD07	SHA256:C3A95995DC8B573AE933C42FC0469201FCE49B8FC5FB12DB6873319E35427A84
2120	2025-07-06_3e689e6f97d9a9f93a8f1a2088229ebd_amadey_coinminer_elex_gcleaner_smoke-loader.exe	C:\Users\admin\AppData\Local\Temp\{5f5c7829-a6ba-4fc6-9f47-d068f51ed99b}\.ba1\1042\mbapreq.wxl		xml
		MD5:4D530FBCD8A7CF63A60D2D2E79C7880E	SHA256:00A5F823904E2D6849BB82F2170E798EB33898317FEC7C39E2AAC2452B900667
2120	2025-07-06_3e689e6f97d9a9f93a8f1a2088229ebd_amadey_coinminer_elex_gcleaner_smoke-loader.exe	C:\Users\admin\AppData\Local\Temp\{5f5c7829-a6ba-4fc6-9f47-d068f51ed99b}\.ba1\Intel.Tools.dll		executable
		MD5:7445473F73F50BD781AC5A9A544AD0B1	SHA256:F464394AF6815B133D9F8AE51078A33F44AD92C350E426DAF5E2C2395B307A09

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1268	svchost.exe	GET	200	23.216.77.28:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	23.216.77.28:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	200	23.216.77.28:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	POST	200	40.126.32.76:443	https://login.live.com/RST2.srf	unknown	xml	1.24 Kb	whitelisted
—	—	POST	200	20.190.160.5:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	text	16.7 Kb	whitelisted
—	—	POST	200	20.190.160.5:443	https://login.live.com/RST2.srf	unknown	xml	11.1 Kb	whitelisted
—	—	GET	304	20.12.23.50:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	—

PID	Process	IP	Domain	ASN	CN	Reputation
5944	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
1268	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5944	MoUsoCoreWorker.exe	23.216.77.28:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
1268	svchost.exe	23.216.77.28:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
—	—	23.216.77.28:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5944	MoUsoCoreWorker.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
1268	svchost.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2	whitelisted
google.com	142.250.186.174	whitelisted
crl.microsoft.com	23.216.77.28 23.216.77.6 2.20.245.139 2.20.245.137	whitelisted
www.microsoft.com	184.30.21.171 95.101.149.131	whitelisted
login.live.com	20.190.160.130 40.126.32.134 20.190.160.64 20.190.160.131 40.126.32.68 20.190.160.20 20.190.160.3 20.190.160.22	whitelisted
client.wns.windows.com	172.211.123.250 172.211.123.249	whitelisted
nexusrules.officeapps.live.com	52.111.236.21	whitelisted
slscr.update.microsoft.com	172.202.163.200	whitelisted
fe3cr.delivery.mp.microsoft.com	20.242.39.171	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted

General Info

2025-07-06_3e689e6f97d9a9f93a8f1a2088229ebd_amadey_coinminer_elex_gcleaner_smoke-loader

3E689E6F97D9A9F93A8F1A2088229EBD

1157C0F29154C16E2179CD9865E0718A76A16028

93CC5F6D6FC673CECE73C773779D7EBA6E9529AC2FD78C620D7F7546A6D373B6

98304:usR/sQUKg9QZbJVNKLGI+NwfqRtmV0IGafd6INejeBdpxAB0XVM/MGrKfQS8y/c8:JvwuCiM3

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Executing a file with an untrusted certificate

Changes the autorun value in the registry

SUSPICIOUS

Process drops legitimate windows executable

Executable content was dropped or overwritten

The process creates files with name similar to system file names

Reads security settings of Internet Explorer

Reads the Windows owner or organization settings

Application launched itself

Creates a software uninstall entry

Uses RUNDLL32.EXE to load library

Starts a Microsoft application from unusual location

Searches for installed software

INFO

The sample compiled with english language support

Create files in a temporary directory

Checks supported languages

Reads the machine GUID from the registry

Reads the computer name

Process checks computer location settings

Creates files in the program directory

Executable content was dropped or overwritten

Launching a file from a Registry key

Creates a software uninstall entry

Manual execution by a user

Reads the software policy settings

Checks proxy server information

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings