File name:	2025-07-06_3e689e6f97d9a9f93a8f1a2088229ebd_amadey_coinminer_elex_gcleaner_smoke-loader
Full analysis:	https://app.any.run/tasks/92165dd3-2317-447b-a176-27fd0672fe68
Verdict:	Malicious activity
Analysis date:	July 06, 2025, 02:32:33
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	auto-reg
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 7 sections
MD5:	3E689E6F97D9A9F93A8F1A2088229EBD
SHA1:	1157C0F29154C16E2179CD9865E0718A76A16028
SHA256:	93CC5F6D6FC673CECE73C773779D7EBA6E9529AC2FD78C620D7F7546A6D373B6
SSDEEP:	98304:usR/sQUKg9QZbJVNKLGI+NwfqRtmV0IGafd6INejeBdpxAB0XVM/MGrKfQS8y/c8:JvwuCiM3

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2012:12:24 21:43:11+00:00
ImageFileCharacteristics:	No relocs, Executable, 32-bit
PEType:	PE32
LinkerVersion:	10
CodeSize:	223232
InitializedDataSize:	135680
UninitializedDataSize:	-
EntryPoint:	0x25d1c
OSVersion:	5.1
ImageVersion:	-
SubsystemVersion:	5.1
Subsystem:	Windows GUI
FileVersionNumber:	10.1.1.35
ProductVersionNumber:	10.1.1.35
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Windows, Latin1
CompanyName:	Intel(R) Corporation
FileDescription:	Intel(R) Chipset Device Software
FileVersion:	10.1.1.35
InternalName:	setup
LegalCopyright:	Copyright (c) Intel(R) Corporation. All rights reserved.
OriginalFileName:	SetupChipset.exe
ProductName:	Intel(R) Chipset Device Software
ProductVersion:	10.1.1.35


(PID) Process:	(3844) SetupChipset.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Dependencies\{3A86092C-3E9F-4184-821F-FBDED23A917F}
Operation:	write	Name:	Version
Value: 10.1.1.35
(PID) Process:	(3844) SetupChipset.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Dependencies\{3A86092C-3E9F-4184-821F-FBDED23A917F}
Operation:	write	Name:	DisplayName
Value: Intel(R) Chipset Device Software
(PID) Process:	(3844) SetupChipset.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{5f5c7829-a6ba-4fc6-9f47-d068f51ed99b}
Operation:	write	Name:	BundleCachePath
Value: C:\ProgramData\Package Cache\{5f5c7829-a6ba-4fc6-9f47-d068f51ed99b}\SetupChipset.exe
(PID) Process:	(3844) SetupChipset.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{5f5c7829-a6ba-4fc6-9f47-d068f51ed99b}
Operation:	write	Name:	BundleUpgradeCode
Value: {D8CA2E7A-5763-4161-82B8-F870F2BD4F2F}
(PID) Process:	(3844) SetupChipset.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{5f5c7829-a6ba-4fc6-9f47-d068f51ed99b}
Operation:	write	Name:	BundleAddonCode
Value:
(PID) Process:	(3844) SetupChipset.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{5f5c7829-a6ba-4fc6-9f47-d068f51ed99b}
Operation:	write	Name:	BundleDetectCode
Value:
(PID) Process:	(3844) SetupChipset.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{5f5c7829-a6ba-4fc6-9f47-d068f51ed99b}
Operation:	write	Name:	BundlePatchCode
Value:
(PID) Process:	(3844) SetupChipset.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{5f5c7829-a6ba-4fc6-9f47-d068f51ed99b}
Operation:	write	Name:	BundleVersion
Value: 10.1.1.35
(PID) Process:	(3844) SetupChipset.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{5f5c7829-a6ba-4fc6-9f47-d068f51ed99b}
Operation:	write	Name:	BundleProviderKey
Value: {5f5c7829-a6ba-4fc6-9f47-d068f51ed99b}
(PID) Process:	(3844) SetupChipset.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{5f5c7829-a6ba-4fc6-9f47-d068f51ed99b}
Operation:	write	Name:	BundleTag
Value:

PID	Process	Filename		Type
2120	2025-07-06_3e689e6f97d9a9f93a8f1a2088229ebd_amadey_coinminer_elex_gcleaner_smoke-loader.exe	C:\Users\admin\AppData\Local\Temp\{5f5c7829-a6ba-4fc6-9f47-d068f51ed99b}\.ba1\1043\mbapreq.wxl		xml
		MD5:D82150BEE4CC7CEBFFA96CDF3762E320	SHA256:41D9D9363935702730A09FA9FEDF730CEBC51DB962E05FA4B05841840895C92C
2120	2025-07-06_3e689e6f97d9a9f93a8f1a2088229ebd_amadey_coinminer_elex_gcleaner_smoke-loader.exe	C:\Users\admin\AppData\Local\Temp\{5f5c7829-a6ba-4fc6-9f47-d068f51ed99b}\.ba1\1030\mbapreq.wxl		xml
		MD5:AA3E13A2DAA064E8DA8CF2F4ACC25900	SHA256:90680E9500A2014137D92EA0988B92EC34648D6826F18C9646A318E26BD1A511
2120	2025-07-06_3e689e6f97d9a9f93a8f1a2088229ebd_amadey_coinminer_elex_gcleaner_smoke-loader.exe	C:\Users\admin\AppData\Local\Temp\{5f5c7829-a6ba-4fc6-9f47-d068f51ed99b}\.ba1\BootstrapperCore.dll		executable
		MD5:86C4274A0E33EA0A53AF47E59D6F0840	SHA256:CFF83831665331462CC05DB5903F6ABC1EBF3532639A08A75A7BAFB184C8DF25
2120	2025-07-06_3e689e6f97d9a9f93a8f1a2088229ebd_amadey_coinminer_elex_gcleaner_smoke-loader.exe	C:\Users\admin\AppData\Local\Temp\{5f5c7829-a6ba-4fc6-9f47-d068f51ed99b}\.ba1\mbahost.dll		executable
		MD5:88235CC836ABA29A0704D87401083A3D	SHA256:8DAA7598A32917F6BDD34E00C5CFC0CDF81361BFFBF5CDE5F97F33F4DE0A9598
2120	2025-07-06_3e689e6f97d9a9f93a8f1a2088229ebd_amadey_coinminer_elex_gcleaner_smoke-loader.exe	C:\Users\admin\AppData\Local\Temp\{5f5c7829-a6ba-4fc6-9f47-d068f51ed99b}\.ba1\1042\mbapreq.wxl		xml
		MD5:4D530FBCD8A7CF63A60D2D2E79C7880E	SHA256:00A5F823904E2D6849BB82F2170E798EB33898317FEC7C39E2AAC2452B900667
2120	2025-07-06_3e689e6f97d9a9f93a8f1a2088229ebd_amadey_coinminer_elex_gcleaner_smoke-loader.exe	C:\Users\admin\AppData\Local\Temp\{5f5c7829-a6ba-4fc6-9f47-d068f51ed99b}\.ba1\1044\mbapreq.wxl		xml
		MD5:DE3ACE5CD8E4CE57B6D3379AE9E66540	SHA256:AE7AA89299F00E43364D2627B46B78DC04F80279D8A0D905A8517C322115D21F
2120	2025-07-06_3e689e6f97d9a9f93a8f1a2088229ebd_amadey_coinminer_elex_gcleaner_smoke-loader.exe	C:\Users\admin\AppData\Local\Temp\{5f5c7829-a6ba-4fc6-9f47-d068f51ed99b}\.ba1\1032\mbapreq.wxl		xml
		MD5:9C21E76357218D33613174538EEA4120	SHA256:166801EFF4A826BF1B50CD24C0BE4B51717CC2B00F793FBC8CD8AB4B9AD6730B
2120	2025-07-06_3e689e6f97d9a9f93a8f1a2088229ebd_amadey_coinminer_elex_gcleaner_smoke-loader.exe	C:\Users\admin\AppData\Local\Temp\{5f5c7829-a6ba-4fc6-9f47-d068f51ed99b}\.ba1\1038\mbapreq.wxl		xml
		MD5:F40A084C4B41D752A5C518D62ABD12E2	SHA256:43E00163C060A09C66AE65BDABD5A9943C55BBE8D11F8DDF95BA20008A605075
2120	2025-07-06_3e689e6f97d9a9f93a8f1a2088229ebd_amadey_coinminer_elex_gcleaner_smoke-loader.exe	C:\Users\admin\AppData\Local\Temp\{5f5c7829-a6ba-4fc6-9f47-d068f51ed99b}\.ba1\mbapreq.wxl		xml
		MD5:16D2BD521AC2ACD7BD590A9B35F843DF	SHA256:84D8C544A8E320BD4EB3472A582326142D7CA86794B930FE983C3822A6ACF263
2120	2025-07-06_3e689e6f97d9a9f93a8f1a2088229ebd_amadey_coinminer_elex_gcleaner_smoke-loader.exe	C:\Users\admin\AppData\Local\Temp\{5f5c7829-a6ba-4fc6-9f47-d068f51ed99b}\.ba1\sk-SK\Bootstrapper.resources.dll		executable
		MD5:D41EE6024FDF4B4CF028D143AED6ACA0	SHA256:7D3BEA2AF483A87D2E2832CE2BE8564E76C266EDE6489AEDD781AE244869C6D0

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	POST	200	20.190.160.5:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	text	16.7 Kb	whitelisted
—	—	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	23.216.77.28:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	23.216.77.28:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	23.216.77.28:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	POST	200	40.126.32.76:443	https://login.live.com/RST2.srf	unknown	xml	1.24 Kb	whitelisted
—	—	POST	200	20.190.160.5:443	https://login.live.com/RST2.srf	unknown	xml	11.1 Kb	whitelisted
—	—	GET	304	20.12.23.50:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	—

PID	Process	IP	Domain	ASN	CN	Reputation
5944	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
1268	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5944	MoUsoCoreWorker.exe	23.216.77.28:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
1268	svchost.exe	23.216.77.28:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
—	—	23.216.77.28:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5944	MoUsoCoreWorker.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
1268	svchost.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2	whitelisted
google.com	142.250.186.174	whitelisted
crl.microsoft.com	23.216.77.28 23.216.77.6 2.20.245.139 2.20.245.137	whitelisted
www.microsoft.com	184.30.21.171 95.101.149.131	whitelisted
login.live.com	20.190.160.130 40.126.32.134 20.190.160.64 20.190.160.131 40.126.32.68 20.190.160.20 20.190.160.3 20.190.160.22	whitelisted
client.wns.windows.com	172.211.123.250 172.211.123.249	whitelisted
nexusrules.officeapps.live.com	52.111.236.21	whitelisted
slscr.update.microsoft.com	172.202.163.200	whitelisted
fe3cr.delivery.mp.microsoft.com	20.242.39.171	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted

General Info

2025-07-06_3e689e6f97d9a9f93a8f1a2088229ebd_amadey_coinminer_elex_gcleaner_smoke-loader

3E689E6F97D9A9F93A8F1A2088229EBD

1157C0F29154C16E2179CD9865E0718A76A16028

93CC5F6D6FC673CECE73C773779D7EBA6E9529AC2FD78C620D7F7546A6D373B6

98304:usR/sQUKg9QZbJVNKLGI+NwfqRtmV0IGafd6INejeBdpxAB0XVM/MGrKfQS8y/c8:JvwuCiM3

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Executing a file with an untrusted certificate

Changes the autorun value in the registry

SUSPICIOUS

Process drops legitimate windows executable

The process creates files with name similar to system file names

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Creates a software uninstall entry

Reads the Windows owner or organization settings

Uses RUNDLL32.EXE to load library

Starts a Microsoft application from unusual location

Application launched itself

Searches for installed software

INFO

The sample compiled with english language support

Create files in a temporary directory

Checks supported languages

Reads the computer name

Reads the machine GUID from the registry

Process checks computer location settings

Creates files in the program directory

Launching a file from a Registry key

Executable content was dropped or overwritten

Manual execution by a user

Creates a software uninstall entry

Checks proxy server information

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings