File name:

2025-03-24_03af5c4c381160615e3f0152f0dbfb7a_amadey_coinminer_hijackloader_rhadamanthys_smoke-loader

Full analysis: https://app.any.run/tasks/2278ef96-6d1d-4966-adac-82d3d00dec91
Verdict: Malicious activity
Analysis date: March 24, 2025, 15:06:34
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 3 sections
MD5:

03AF5C4C381160615E3F0152F0DBFB7A

SHA1:

39CC79E446A63CEF50FCA06B791B2A34EC5128D6

SHA256:

BA9975D7B959933CA46C85FDE8DCFCC7E594950C4B87F05A5195C639866532FF

SSDEEP:

98304:iefUuZuKAuf5jTF0kOefUuZuKAuf5jTFrkHVrGDYwOwjefUuZuKAuf5jTFPkOefX:BD

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • 2025-03-24_03af5c4c381160615e3f0152f0dbfb7a_amadey_coinminer_hijackloader_rhadamanthys_smoke-loader~4.exe (PID: 7876)
    • Starts NET.EXE for service management

      • cmd.exe (PID: 7948)
      • cmd.exe (PID: 8024)
      • net.exe (PID: 6392)
      • net.exe (PID: 6724)
      • net.exe (PID: 3620)
      • cmd.exe (PID: 7968)
      • cmd.exe (PID: 8008)
      • cmd.exe (PID: 7992)
      • net.exe (PID: 6072)
      • net.exe (PID: 7036)
    • Starts NET.EXE to view/add/change user profiles

      • cmd.exe (PID: 8052)
      • net.exe (PID: 5008)
    • Uses NET.EXE to stop Windows Update service

      • cmd.exe (PID: 7968)
      • net.exe (PID: 3620)
    • Uses NET.EXE to stop Windows Security Center service

      • cmd.exe (PID: 7992)
      • net.exe (PID: 7036)
    • Starts NET.EXE to view/change users localgroup

      • net.exe (PID: 4620)
      • cmd.exe (PID: 8060)
  • SUSPICIOUS

    • Starts a Microsoft application from unusual location

      • 2025-03-24_03af5c4c381160615e3f0152f0dbfb7a_amadey_coinminer_hijackloader_rhadamanthys_smoke-loader.exe (PID: 7692)
      • 2025-03-24_03af5c4c381160615e3f0152f0dbfb7a_amadey_coinminer_hijackloader_rhadamanthys_smoke-loader.exe (PID: 7584)
    • Starts itself from another location

      • 2025-03-24_03af5c4c381160615e3f0152f0dbfb7a_amadey_coinminer_hijackloader_rhadamanthys_smoke-loader.exe (PID: 7692)
    • Starts CMD.EXE for commands execution

      • 2025-03-24_03af5c4c381160615e3f0152f0dbfb7a_amadey_coinminer_hijackloader_rhadamanthys_smoke-loader.exe (PID: 7692)
      • UpdatAuto.exe (PID: 7800)
    • Executing commands from a ".bat" file

      • 2025-03-24_03af5c4c381160615e3f0152f0dbfb7a_amadey_coinminer_hijackloader_rhadamanthys_smoke-loader.exe (PID: 7692)
      • UpdatAuto.exe (PID: 7800)
    • Process drops legitimate windows executable

      • 2025-03-24_03af5c4c381160615e3f0152f0dbfb7a_amadey_coinminer_hijackloader_rhadamanthys_smoke-loader.exe (PID: 7692)
      • UpdatAuto.exe (PID: 7800)
    • Executable content was dropped or overwritten

      • 2025-03-24_03af5c4c381160615e3f0152f0dbfb7a_amadey_coinminer_hijackloader_rhadamanthys_smoke-loader.exe (PID: 7692)
      • UpdatAuto.exe (PID: 7800)
    • Windows service management via SC.EXE

      • sc.exe (PID: 960)
      • sc.exe (PID: 472)
      • sc.exe (PID: 7316)
      • sc.exe (PID: 7272)
      • sc.exe (PID: 7288)
    • Creates file in the systems drive root

      • UpdatAuto.exe (PID: 7800)
      • 2025-03-24_03af5c4c381160615e3f0152f0dbfb7a_amadey_coinminer_hijackloader_rhadamanthys_smoke-loader.exe (PID: 7692)
  • INFO

    • Checks supported languages

      • 2025-03-24_03af5c4c381160615e3f0152f0dbfb7a_amadey_coinminer_hijackloader_rhadamanthys_smoke-loader.exe (PID: 7692)
      • UpdatAuto.exe (PID: 7800)
      • 2025-03-24_03af5c4c381160615e3f0152f0dbfb7a_amadey_coinminer_hijackloader_rhadamanthys_smoke-loader~4.exe (PID: 7876)
    • Create files in a temporary directory

      • 2025-03-24_03af5c4c381160615e3f0152f0dbfb7a_amadey_coinminer_hijackloader_rhadamanthys_smoke-loader.exe (PID: 7692)
      • UpdatAuto.exe (PID: 7800)
    • The sample compiled with english language support

      • 2025-03-24_03af5c4c381160615e3f0152f0dbfb7a_amadey_coinminer_hijackloader_rhadamanthys_smoke-loader.exe (PID: 7692)
    • Reads the computer name

      • UpdatAuto.exe (PID: 7800)
    • Creates files in the program directory

      • 2025-03-24_03af5c4c381160615e3f0152f0dbfb7a_amadey_coinminer_hijackloader_rhadamanthys_smoke-loader.exe (PID: 7692)
      • UpdatAuto.exe (PID: 7800)
    • The sample compiled with chinese language support

      • 2025-03-24_03af5c4c381160615e3f0152f0dbfb7a_amadey_coinminer_hijackloader_rhadamanthys_smoke-loader.exe (PID: 7692)
      • UpdatAuto.exe (PID: 7800)
    • Checks proxy server information

      • slui.exe (PID: 4464)
    • Reads the software policy settings

      • slui.exe (PID: 4464)
No Malware configuration.

TRiD

.exe | Win32 Executable Microsoft Visual Basic 6 (63.9)
.exe | Win32 Executable MS Visual C++ (generic) (24.3)
.dll | Win32 Dynamic Link Library (generic) (5.1)
.exe | Win32 Executable (generic) (3.5)
.exe | Generic Win/DOS Executable (1.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2007:03:12 04:30:52+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 102400
InitializedDataSize: 16384
UninitializedDataSize: -
EntryPoint: 0x27dc
OSVersion: 4
ImageVersion: 6.1
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 6.1.0.0
ProductVersionNumber: 6.1.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
Comments: Windows Update Manager for NT
CompanyName: Microsoft Corporation
FileDescription: Windows Update Manager for NT
LegalCopyright: Copyright (C) Microsoft Corp. 1981-1999
ProductName: Microsoft(R) Windows (R) 2000 Operating System
FileVersion: 6.01
ProductVersion: 6.01
InternalName: INCUBUS
OriginalFileName: INCUBUS.exe
Total processes: 165
Monitored processes: 48
Malicious processes: 4
Suspicious processes: 7

Behavior graph

Flattened from the interactive graph; entries marked "no specs" carry that marker in the original. The 48 monitored processes are:
  • 2025-03-24_03af5c4c381160615e3f0152f0dbfb7a_amadey_coinminer_hijackloader_rhadamanthys_smoke-loader.exe (2 instances, the second marked "no specs")
  • UpdatAuto.exe
  • 2025-03-24_03af5c4c381160615e3f0152f0dbfb7a_amadey_coinminer_hijackloader_rhadamanthys_smoke-loader~4.exe (no specs)
  • slui.exe
  • cmd.exe (9), conhost.exe (15), sc.exe (5), net.exe (7), net1.exe (7), all marked "no specs"

Process information

Each entry lists the PID, command line, image path and parent process, followed by the process details and loaded modules (the original table's empty "Indicators" column is omitted). net.exe, net1.exe and sc.exe return 0 on success; every net and sc command below except PID 472 (sc config SharedAccess start= disabled) returned a non-zero exit code, i.e. the attempt failed on this Windows 10 guest.
PID: 472
CMD: sc config SharedAccess start= disabled
Path: C:\Windows\SysWOW64\sc.exe
Parent process: 2025-03-24_03af5c4c381160615e3f0152f0dbfb7a_amadey_coinminer_hijackloader_rhadamanthys_smoke-loader.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Service Control Manager Configuration Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\syswow64\sc.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\msvcrt.dll

PID: 960
CMD: sc config srservice start= disabled
Path: C:\Windows\SysWOW64\sc.exe
Parent process: 2025-03-24_03af5c4c381160615e3f0152f0dbfb7a_amadey_coinminer_hijackloader_rhadamanthys_smoke-loader.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Service Control Manager Configuration Tool
Exit code: 1060 (ERROR_SERVICE_DOES_NOT_EXIST: srservice is the Windows XP System Restore service and is not present on Windows 10)
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\syswow64\sc.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\msvcrt.dll

PID: 1760
CMD: C:\WINDOWS\system32\net1 start TlntSvr
Path: C:\Windows\SysWOW64\net1.exe
Parent process: net.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Net Command
Exit code: 2
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
  c:\windows\syswow64\net1.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\msvcrt.dll
  c:\windows\syswow64\sechost.dll

PID: 2140
CMD: C:\WINDOWS\system32\net1 user helpassistant 123456
Path: C:\Windows\SysWOW64\net1.exe
Parent process: net.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Net Command
Exit code: 2
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
  c:\windows\syswow64\net1.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\msvcrt.dll
  c:\windows\syswow64\sechost.dll

PID: 2420
CMD: C:\WINDOWS\system32\net1 stop wscsvc
Path: C:\Windows\SysWOW64\net1.exe
Parent process: net.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Net Command
Exit code: 2
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
  c:\windows\syswow64\net1.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\msvcrt.dll
  c:\windows\syswow64\sechost.dll

PID: 3620
CMD: net stop wuauserv
Path: C:\Windows\SysWOW64\net.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Net Command
Exit code: 2
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\syswow64\net.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\msvcrt.dll

PID: 4464
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\system32\slui.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\bcrypt.dll
  c:\windows\system32\user32.dll

PID: 4620
CMD: net localgroup administrators helpassistant /add
Path: C:\Windows\SysWOW64\net.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Net Command
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\syswow64\net.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\msvcrt.dll

PID: 4696
CMD: C:\WINDOWS\system32\net1 localgroup administrators helpassistant /add
Path: C:\Windows\SysWOW64\net1.exe
Parent process: net.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Net Command
Exit code: 1
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
  c:\windows\syswow64\net1.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\msvcrt.dll
  c:\windows\syswow64\sechost.dll

PID: 4976
CMD: C:\WINDOWS\system32\net1 stop srservice
Path: C:\Windows\SysWOW64\net1.exe
Parent process: net.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Net Command
Exit code: 2
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
  c:\windows\syswow64\net1.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\msvcrt.dll
  c:\windows\syswow64\sechost.dll

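The command lines above form one recognisable chain: disable protective services (Security Center, Windows Update, Firewall/ICS, System Restore), start Telnet, set a password on the built-in HelpAssistant account and put it in Administrators. The script below is an added example, not part of the ANY.RUN report or of the sample: it maps process-creation events of that shape onto ATT&CK behaviours and keeps the exit code, because a failed attempt (all of the net and sc commands here except PID 472) is still a detection. The event records are constructed from the PID / CMD / parent / exit-code fields of the table, plus one constructed benign control; the record layout, the technique mapping and the service lists are this example's own assumptions.

```python
"""Map the process-creation events in this report onto ATT&CK behaviours.

Added example; it is not part of the ANY.RUN report or of the sample. EVENTS is
constructed from the PID / CMD / parent / exit-code fields of the 'Process
information' table plus one constructed benign control; the Event record
layout and the technique mapping are this example's own assumptions.
"""
from dataclasses import dataclass

# Services the sample tried to stop or disable. Windows service names are
# case-insensitive, so the keys are lower-case.
PROTECTIVE_SERVICES = {
    "wscsvc": "Windows Security Center",
    "wuauserv": "Windows Update",
    "sharedaccess": "Windows Firewall / Internet Connection Sharing",
    "srservice": "System Restore (Windows XP; not present on Windows 10)",
}
REMOTE_ACCESS_SERVICES = {"tlntsvr": "Telnet Server"}

# Win32 error sc.exe returns when the named service is not installed
# (the exit code of PID 960 in the report).
ERROR_SERVICE_DOES_NOT_EXIST = 1060


@dataclass(frozen=True)
class Event:
    pid: int
    parent_image: str
    image: str
    cmdline: str
    exit_code: int


@dataclass(frozen=True)
class Finding:
    pid: int
    technique: str   # ATT&CK technique ID (this example's mapping)
    summary: str
    succeeded: bool  # exit code 0; failed attempts are still worth alerting on


def _basename(path: str) -> str:
    return path.lower().replace("/", "\\").rsplit("\\", 1)[-1]


def classify(ev: Event) -> list[Finding]:
    """Return the behaviours expressed by one process-creation event."""
    toks = ev.cmdline.lower().split()
    if len(toks) < 2:
        return []
    image = _basename(ev.image)
    verb, rest = toks[1], toks[2:]     # toks[0] is argv[0], possibly a full path
    ok = ev.exit_code == 0
    out: list[Finding] = []

    # net.exe hands every command to net1.exe with the same arguments, so match
    # both images and expect each action to show up twice (parent net.exe,
    # child net1.exe) in process telemetry.
    if image in ("net.exe", "net1.exe"):
        if verb == "stop" and rest and rest[0] in PROTECTIVE_SERVICES:
            out.append(Finding(ev.pid, "T1562.001",
                               f"stop {PROTECTIVE_SERVICES[rest[0]]} ({rest[0]})", ok))
        elif verb == "start" and rest and rest[0] in REMOTE_ACCESS_SERVICES:
            out.append(Finding(ev.pid, "T1021",
                               f"start {REMOTE_ACCESS_SERVICES[rest[0]]} ({rest[0]})", ok))
        elif verb == "user" and len(rest) >= 2 and not rest[0].startswith("/"):
            # 'net user NAME PASSWORD' resets a password; with /add it creates NAME.
            if "/add" in rest:
                out.append(Finding(ev.pid, "T1136.001", f"create local account {rest[0]}", ok))
            else:
                out.append(Finding(ev.pid, "T1098", f"set password of {rest[0]}", ok))
        elif verb == "localgroup" and len(rest) >= 3 and "/add" in rest:
            out.append(Finding(ev.pid, "T1098",
                               f"add {rest[1]} to local group {rest[0]}", ok))

    elif image == "sc.exe":
        # sc.exe accepts 'start= disabled' (documented form) and 'start=disabled'.
        disabled = "start=disabled" in rest or ("start=" in rest and "disabled" in rest)
        if verb == "config" and rest and rest[0] in PROTECTIVE_SERVICES and disabled:
            note = " [service does not exist]" if ev.exit_code == ERROR_SERVICE_DOES_NOT_EXIST else ""
            out.append(Finding(ev.pid, "T1562.001",
                               f"disable {PROTECTIVE_SERVICES[rest[0]]} ({rest[0]}){note}", ok))
        elif verb in ("stop", "delete") and rest and rest[0] in PROTECTIVE_SERVICES:
            out.append(Finding(ev.pid, "T1562.001",
                               f"{verb} {PROTECTIVE_SERVICES[rest[0]]} ({rest[0]})", ok))
    return out


def triage(events) -> dict[str, list[Finding]]:
    """Group the findings of all events by technique ID."""
    by_tech: dict[str, list[Finding]] = {}
    for ev in events:
        for f in classify(ev):
            by_tech.setdefault(f.technique, []).append(f)
    return by_tech


SAMPLE = ("2025-03-24_03af5c4c381160615e3f0152f0dbfb7a_amadey_coinminer_"
          "hijackloader_rhadamanthys_smoke-loader.exe")
SC, NET, NET1 = (r"C:\Windows\SysWOW64\sc.exe", r"C:\Windows\SysWOW64\net.exe",
                 r"C:\Windows\SysWOW64\net1.exe")

# Constructed from the 'Process information' table; the last event is a
# constructed benign control that must produce no finding.
EVENTS = [
    Event(472, SAMPLE, SC, "sc config SharedAccess start= disabled", 0),
    Event(960, SAMPLE, SC, "sc config srservice start= disabled", 1060),
    Event(1760, "net.exe", NET1, r"C:\WINDOWS\system32\net1 start TlntSvr", 2),
    Event(2140, "net.exe", NET1, r"C:\WINDOWS\system32\net1 user helpassistant 123456", 2),
    Event(2420, "net.exe", NET1, r"C:\WINDOWS\system32\net1 stop wscsvc", 2),
    Event(3620, "cmd.exe", NET, "net stop wuauserv", 2),
    Event(4620, "cmd.exe", NET, "net localgroup administrators helpassistant /add", 1),
    Event(4696, "net.exe", NET1, r"C:\WINDOWS\system32\net1 localgroup administrators helpassistant /add", 1),
    Event(4976, "net.exe", NET1, r"C:\WINDOWS\system32\net1 stop srservice", 2),
    Event(9999, "cmd.exe", SC, "sc query wuauserv", 0),
]

if __name__ == "__main__":
    for tech, findings in sorted(triage(EVENTS).items()):
        for f in findings:
            print(f"{tech}  pid={f.pid:<5} {'ok ' if f.succeeded else 'FAIL'}  {f.summary}")
```

Run against the constructed events it reports five T1562.001 attempts (only PID 472 succeeded), three T1098 account manipulations and one T1021 Telnet start; the `sc query` control yields nothing. The net.exe / net1.exe pair (PIDs 4620 and 4696) is reported twice on purpose: de-duplicate on the parent-child link downstream rather than by dropping one image from the rule, or a direct net1.exe launch slips through.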
Total events: 3 976 (read 3 976, write 0, delete 0)

Modification events

No data
Executable files: 20
Suspicious files: 0
Text files: 1
Unknown types: 0

Dropped files

Each entry lists the writing process (PID), the file written, its type as reported, and the MD5/SHA256 where the report gives them.

PID 7692 (2025-03-24_03af5c4c381160615e3f0152f0dbfb7a_amadey_coinminer_hijackloader_rhadamanthys_smoke-loader.exe) wrote C:\Windows\SysWOW64\UpdatAuto.exe (executable)
  MD5: A96169AA3B3224C240EE44157EA03609
  SHA256: 88CA0A089F0A3ECE0A9537C88E86079FCA9F7A3D95D269C956A1CD7E26646C9F
PID 7692 (2025-03-24_03af5c4c381160615e3f0152f0dbfb7a_amadey_coinminer_hijackloader_rhadamanthys_smoke-loader.exe) wrote C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe (executable)
  MD5: D34A0E86096400F03520E03605151D13
  SHA256: 2B6E95928A5A592C95ACB4235707C47730F11A1224867C134B9F7382BBFAB478
PID 7692 (2025-03-24_03af5c4c381160615e3f0152f0dbfb7a_amadey_coinminer_hijackloader_rhadamanthys_smoke-loader.exe) wrote C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe (type not reported)
  MD5: (not reported)
  SHA256: (not reported)
PID 7800 (UpdatAuto.exe) wrote C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe (type not reported)
  MD5: (not reported)
  SHA256: (not reported)
PID 7692 (2025-03-24_03af5c4c381160615e3f0152f0dbfb7a_amadey_coinminer_hijackloader_rhadamanthys_smoke-loader.exe) wrote C:\ntldr~6 (executable)
  MD5: A96169AA3B3224C240EE44157EA03609
  SHA256: 88CA0A089F0A3ECE0A9537C88E86079FCA9F7A3D95D269C956A1CD7E26646C9F
PID 7692 (2025-03-24_03af5c4c381160615e3f0152f0dbfb7a_amadey_coinminer_hijackloader_rhadamanthys_smoke-loader.exe) wrote C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe (executable)
  MD5: 8EC887D552BC320581003E1AAD7D2386
  SHA256: 3CD3B3EBA3F74F5BCF870857A087AE965D1306A9DDCE2869CF307D68DBC96DB9
PID 7692 (2025-03-24_03af5c4c381160615e3f0152f0dbfb7a_amadey_coinminer_hijackloader_rhadamanthys_smoke-loader.exe) wrote C:\Users\admin\Desktop\2025-03-24_03af5c4c381160615e3f0152f0dbfb7a_amadey_coinminer_hijackloader_rhadamanthys_smoke-loader~4.exe (executable)
  MD5: BAEDE5E132F93DC1924680C9BB406BA9
  SHA256: 5ED8881E4E0008D53E6F86232BE898A2D7A165EF351D78F3F98A8DDF40538D71
PID 7692 (2025-03-24_03af5c4c381160615e3f0152f0dbfb7a_amadey_coinminer_hijackloader_rhadamanthys_smoke-loader.exe) wrote C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe (executable)
  MD5: AC2F8F39F2A96A2D3C799A0DF113561D
  SHA256: 09ED9E835FFB033D78C29B399E15C829EBF28488C2D8C2C8C7A6AB223BC74B65
PID 7692 (2025-03-24_03af5c4c381160615e3f0152f0dbfb7a_amadey_coinminer_hijackloader_rhadamanthys_smoke-loader.exe) wrote C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe (executable)
  MD5: DD94299EF9D488F825CE55C936EE77BE
  SHA256: 98A36689280081596E2057A2522FF53DB478F8BC5837D4A32CCF776ABEA1816C
PID 7800 (UpdatAuto.exe) wrote C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe (executable)
  MD5: 2BB62DBFEB6C7A4BF98A744464CCC807
  SHA256: D36D041FD1F38871A6E8843F35E41064A11E665DE073EFFF3DC3A179A9ED62D7
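Three things in this table are easy to miss when reading it by hand: the same SHA256 (88CA0A08...) lands both as C:\Windows\SysWOW64\UpdatAuto.exe and as C:\ntldr~6 at the drive root, acrobat_sl.exe is written twice by two different processes with two different hashes (an overwrite), and most drops go under Program Files by processes that are not installers. The script below is an added example, not part of the ANY.RUN report: it triages a list of dropped-file records for exactly those patterns. The records are constructed from the table above (hash left empty where the report shows none); the location buckets and the boot-file name check (ntldr is the legacy NT boot loader's filename) are this example's own heuristics, not ANY.RUN signatures.

```python
"""Triage the 'Dropped files' table: where the executables landed, which drops
share one payload, and which path was overwritten.

Added example; not part of the ANY.RUN report. DROPPED is constructed from the
table above (hash left empty where the report shows none). The location
buckets and the boot-file name check are this example's own heuristics.
"""
from collections import defaultdict
from dataclasses import dataclass

SAMPLE = ("2025-03-24_03af5c4c381160615e3f0152f0dbfb7a_amadey_coinminer_"
          "hijackloader_rhadamanthys_smoke-loader.exe")
ACROBAT = r"C:\Program Files\Adobe\Acrobat DC\Acrobat"

# Legacy NT boot-file names; a drop at the drive root named like one of these
# (with or without a '~N' suffix) is treated as name masquerading.
BOOT_FILE_NAMES = {"ntldr", "ntdetect.com", "boot.ini", "bootmgr"}


@dataclass(frozen=True)
class Drop:
    pid: int
    process: str
    path: str
    sha256: str = ""     # "" where the report shows no hash


def location_class(path: str) -> str:
    p = path.lower().replace("/", "\\")
    if p.startswith("c:\\windows\\"):
        return "system"
    if p.startswith("c:\\program files"):
        return "program_files"
    if "\\users\\" in p and "\\desktop\\" in p:
        return "user_desktop"
    if p.count("\\") == 1:           # e.g. C:\ntldr~6: directly in the drive root
        return "drive_root"
    return "other"


def triage(drops) -> list[tuple[str, str]]:
    """Return (kind, detail) findings for a list of Drop records."""
    findings: list[tuple[str, str]] = []
    by_hash: dict[str, list[str]] = defaultdict(list)   # payload -> paths
    by_path: dict[str, set[str]] = defaultdict(set)     # path -> distinct hashes

    for d in drops:
        loc = location_class(d.path)
        if loc == "system":
            findings.append(("system_dir_write", f"{d.process} wrote {d.path}"))
        elif loc == "program_files":
            findings.append(("program_files_write", f"{d.process} wrote {d.path}"))
        elif loc == "drive_root":
            findings.append(("drive_root_write", f"{d.process} wrote {d.path}"))
        name = d.path.rsplit("\\", 1)[-1].lower()
        if loc == "drive_root" and name.split("~")[0] in BOOT_FILE_NAMES:
            findings.append(("boot_name_masquerade", d.path))
        if d.sha256:
            by_hash[d.sha256.upper()].append(d.path)
            by_path[d.path.lower()].add(d.sha256.upper())

    for digest, paths in by_hash.items():
        if len(paths) > 1:
            findings.append(("shared_payload", f"{digest[:12]}... at {', '.join(paths)}"))
    for path, digests in by_path.items():
        if len(digests) > 1:
            findings.append(("overwrite", f"{path} written with {len(digests)} different hashes"))
    return findings


def kind_counts(drops) -> dict[str, int]:
    counts: dict[str, int] = {}
    for kind, _ in triage(drops):
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed from the 'Dropped files' table above.
DROPPED = [
    Drop(7692, SAMPLE, r"C:\Windows\SysWOW64\UpdatAuto.exe",
         "88CA0A089F0A3ECE0A9537C88E86079FCA9F7A3D95D269C956A1CD7E26646C9F"),
    Drop(7692, SAMPLE, ACROBAT + r"\AcrobatInfo.exe",
         "2B6E95928A5A592C95ACB4235707C47730F11A1224867C134B9F7382BBFAB478"),
    Drop(7692, SAMPLE, ACROBAT + r"\CRLogTransport.exe"),
    Drop(7800, "UpdatAuto.exe", ACROBAT + r"\Eula.exe"),
    Drop(7692, SAMPLE, r"C:\ntldr~6",
         "88CA0A089F0A3ECE0A9537C88E86079FCA9F7A3D95D269C956A1CD7E26646C9F"),
    Drop(7692, SAMPLE, ACROBAT + r"\acrobat_sl.exe",
         "3CD3B3EBA3F74F5BCF870857A087AE965D1306A9DDCE2869CF307D68DBC96DB9"),
    Drop(7692, SAMPLE, r"C:\Users\admin\Desktop\2025-03-24_03af5c4c381160615e3f0152f0dbfb7a_amadey_coinminer_hijackloader_rhadamanthys_smoke-loader~4.exe",
         "5ED8881E4E0008D53E6F86232BE898A2D7A165EF351D78F3F98A8DDF40538D71"),
    Drop(7692, SAMPLE, ACROBAT + r"\AcroBroker.exe",
         "09ED9E835FFB033D78C29B399E15C829EBF28488C2D8C2C8C7A6AB223BC74B65"),
    Drop(7692, SAMPLE, ACROBAT + r"\AcroTextExtractor.exe",
         "98A36689280081596E2057A2522FF53DB478F8BC5837D4A32CCF776ABEA1816C"),
    Drop(7800, "UpdatAuto.exe", ACROBAT + r"\acrobat_sl.exe",
         "D36D041FD1F38871A6E8843F35E41064A11E665DE073EFFF3DC3A179A9ED62D7"),
]

if __name__ == "__main__":
    for kind, detail in triage(DROPPED):
        print(f"{kind:<22} {detail}")
```

On the constructed records this yields one write into the system directory, seven under Program Files, one at the drive root (also flagged as a boot-file name), one shared payload (UpdatAuto.exe and ntldr~6) and one overwrite (acrobat_sl.exe). The two entries without hashes are counted by location only; whether the Acrobat binaries are genuine vendor files or trojanised copies cannot be decided from this table and would need the hashes checked against the vendor's signed releases.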
HTTP(S) requests: 3
TCP/UDP connections: 17
DNS requests: 8
Threats: 0

HTTP requests

Columns: PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation ("-" where the report shows no value)

2920 | svchost.exe | GET | 200 | 23.48.23.144:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation ("-" where the report shows no value)

- | - | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5496 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2112 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5084 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
2920 | svchost.exe | 23.48.23.144:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4464 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests (domain, resolved IPs, reputation)

settings-win.data.microsoft.com (whitelisted)
  • 51.124.78.146
  • 51.104.136.2
  • 20.73.194.208
  • 40.127.240.158
google.com (whitelisted)
  • 142.250.185.142
activation-v2.sls.microsoft.com (whitelisted)
  • 40.91.76.224
crl.microsoft.com (whitelisted)
  • 23.48.23.144
  • 23.48.23.151
  • 23.48.23.147
  • 23.48.23.154
  • 23.48.23.155
  • 23.48.23.153
  • 23.48.23.161
  • 23.48.23.139
  • 23.48.23.156

Threats

No threats detected
No debug info