September 22, 2021
People used to say that Linux was free from malware. Well, not only was it not true for the past 25 years, but we now live in an age where Linux is as promising a target for threat actors as some Windows endpoints due to its widespread usage as an operating system (OS) across many organizations. And, even more importantly, it serves as the OS for popular Internet-of-Things (IoT) devices. This article deals with the evolution of the Sysrv malware that infects Linux devices.
This blog post takes a deep dive into the Sysrv botnet, which first made headlines at the end of December 2020 and has continued to evolve since then. As of the time of writing, Sysrv is still active and has gone through several iterations, meaning its developers continued to enhance its capabilities. Our analysis shows how it evolved, gained new features, and changed its behavior up until today.
Overview of the Sysrv Botnet
The Sysrv botnet was first mentioned in a blog post by Intezer at the end of December 2020. It stood out due to its use of Golang (Go) – a relatively new programming language that a growing number of malware developers have picked up since early 2020.
Learn more about reverse engineering Golang binaries with Ghidra.
There are several reasons why a malware developer might choose Golang:
- Most importantly, Go has cross-compilation capabilities that make it a popular choice. It allows malware developers to maintain only a single codebase and then quickly build executables for various architectures.
- Golang binaries are considered harder to reverse-engineer due to their file size (many functions to go through). Also, few decompilers and disassemblers support Golang.
- Go is popular among developers thanks to its low barrier to entry, performance benefits, and flexibility.
- Leaked botnet source codes are available in Golang, such as the C&C (command and control) module for Mirai.
What is Sysrv
At its core, Sysrv is a worm and a cryptocurrency miner. The two modules were in separate files in its early versions, but its developers have since combined the two. The worm module simply initiates port scans against random IPs to find vulnerable Tomcat, WebLogic, and MySQL services and tries to infiltrate the servers with a hardcoded password dictionary attack.
As Sysrv continued to evolve, it gradually introduced more exploits into its arsenal to enhance its worm capabilities. The malware propagation starts with a simple loader script file, which pulls down those modules upon successful execution.
The botnet is distributed for both Linux and Windows environments, but in this blog post, we will detail the inner workings of the Linux variant.
A Brief Timeline of Sysrv
Sysrv’s Technical Details and Analysis
The Loader Scripts
Two Sysrv loader scripts are circling for Linux and Windows: ldr.sh and ldr.ps1, respectively. Both achieve the same thing, even though they are written in different languages: the former in Bash and the latter in Powershell.
The first version of the Linux loader script had a few interesting functions like:
- Distribution server and ID were hardcoded
- 64-bit check (getconf LONG_BIT)
- Kill existing sysrv process (pkill -9)
- Enumerate processlist to see if sysrv process is running (ps -fe)
- Get function to download binary (curl, get, php -r)
As the development progressed, these features underwent significant revisions, and new, improved functions can be seen in the latest loader scripts. These new, enhanced features include:
- curl with a timeout parameter and five retries
- Exit if a 32-bit system is detected
- Kill running mining process (network01, kthreaddi)
- Edit crontab file to achieve persistence
- User-Agent changed to _ldr$bit and _cron
- If crontab command is not available install cron via apt, crontabs via yum and start the appropriate services
- Filtering for high CPU consuming processes and kill them if not sysrv or network01 (mining process)
- The loader script includes the Miner dropper XMR32/XMR64 and an XMR configuration file for the mining pool and crypto address
- Bash history cleanup
- Another mining pool in a config.json file
- Changing DNS resolvers to 126.96.36.199
- Hardcoded SSH key for persistence
- /tmp/ folder cleanup
- Kill processes listening on TCP ports 52018 and 52019
- Removing and renaming the iptables binary
- Aliyun AV software uninstaller
- Docker xmr image removal
- Checking for the presence of nvidia-smi tool, listing GPUs for cryptomining
Newer versions also include a reference to the IoT botnet operator group #keksec.
Ever since the first appearance of the Sysrv botnet, new scripts have been released every month. March and April were the most active months for Sysrv development, as new scripts were released almost every two days. The newest samples we examined appeared in the middle of September.
The number of new Sysrv Linux scripts per month:
Main Sysrv Binaries
In total, we collected 61 Linux binaries. All these files, except for one, are 64-bit executables.
We see a recent slowdown in the number of new Sysrv samples appearing every month; the latest ELF binary appeared on 20th September. After the initial samples were released, the most extensive binary development happened during March and April, just like for the scripts. Since then, only a few new samples appeared every month.
The number of new Sysrv binary samples per month:
Grouping the binaries
To aid our analysis, we first tried to branch out the investigation into smaller parts. A fundamental part was to try and group the observed samples by specific characteristics to see:
- How different the Sysrv samples are,
- How many variants there are.
As every Sysrv binary we discovered was written in Golang, we grouped the malicious binaries based on their package structures.
A package in Golang is a collection of source files in the same directory that are compiled together. All constants, variables, functions, and types defined in one of the source files are visible to every other source file within the same package.
Based on this, we grouped Sysrv samples into eight groups. There can be minor differences between samples in the same group, but their main functionalities and structure are the same.
To examine the package structures, we used Redress, a tool for analyzing stripped Go binaries compiled with the Go compiler.
Most malicious samples were packed with vanilla UPX, and during our analysis, we have not discovered any other packers being used by Sysrv. The malware authors didn’t use any kind of obfuscation for the earliest samples.
Reading the code of the binaries was relatively easy thanks to the tools that help reverse engineer stripped Golang binaries. We’ve already mentioned using Redress, and we also used Ghidra for static analysis and several Ghidra scripts that our research team wrote to aid Golang analysis.
Our write-up about how to reverse engineer Go binaries can be found here.
The first obfuscated sample appeared in April 2021, the only one that belongs to Group 8.
This sample also had obfuscated Go packages and some function names.
The obfuscation tool used is gobfuscate, a known utility for Go binaries:
Currently, gobfuscate can manipulate package names, global variable and function names, type names, method names, and strings.
Binaries released after that sample belong to Group 7. In these, some function names were obfuscated, but not the package names. Obfuscated names are used for the functions that are responsible for executing the various exploits.
Mutex is a synchronization primitive. In malware, mutexes are mostly used to ensure that the malware is not deployed to the target system already. This ensures that only a single malware instance is running at a time, as multiple instances might hinder each other, leaving the initially deployed malicious process to wreak havoc all by itself.
In Sysrv’s case, a check is implemented to see whether a hardcoded TCP port is open on the infected system. If it is open, the malware will not re-infect the system.
The appropriate functions are within the nu (network utility) package in all samples. A function called IsPortOpen is responsible for checking whether a specific port is open, and this is called from one of the following four functions, based on the version of the binary:
We have observed the following TCP port numbers being leveraged as Mutex ports:
- 52013 (0xcb2d)
- 52014 (0xcb2e)
- 52015 (0xcb2f)
- 52016 (0xcb30)
- 52017 (0xcb31)
- 52018 (0xcb32)
- 52020 (0xcb34)
- 52021 (0xcb35)
Exploits in Sysrv
Sysrv included a small set of exploits in its initial campaigns. Over time, as it was developed and transformed, Sysrv continually incorporated new exploits to spread more effectively.
Sysrv is primarily targeting Linux and Windows servers, not IoT devices.
Interestingly, we not only saw exploits being added to the code, but also some specific exploits undergoing several development stages. Sysrv’s developers updated some functions in multiple samples until they either reached a satisfying result or simply got rid of them. Some exploits were used only in one or two samples, while others proved useful and stuck around.
The Ignition Remote Code Execution (RCE) exploit has the newest CVE number; it was published in January 2021 and was already used by Sysrv at the beginning of March.
A list of Sysrv exploits
Exploits with the corresponding CVE number:
- CVE-2019-7238 – Nexus Repository Manager RCE
- CVE-2015-8562 – Joomla! RCE
- CVE-2017-11610 – Supervisor XML-RPC server RCE
- CVE-2017-12149 – Jboss RCE
- CVE-2017-5638 – Apache Struts RCE
- CVE-2017-9841 – PHPUnit RCE
- CVE-2017-3066 – Adobe ColdFusion RCE
- CVE-2018-7600 – Drupal RCE
- CVE-2018-1000861 – Jenkins RCE
- CVE-2019-10758 – Mongo Express RCE
- CVE-2019-3396 – Atlassian Confluence RCE
- CVE-2019-15107 – Webmin RCE
- CVE-2019-11581 – Atlassian Jira RCE
- CVE-2019-0193 – Apache Solr RCE
- CVE-2020-16846 – Saltstack RCE
- CVE-2020-13942 – Apache Unomi RCE
- CVE-2020-9496 – Apache OFBiz RCE
- CVE-2020-14882 – Oracle WebLogic RCE
- CVE-2021-3129 – Ignition RCE
- CVE-2019-9193 – PostgreSQL RCE
Exploits without a CVE number:
- Apache Flink RCE
- Apache NiFi Api RCE
- Apache Hadoop YARN ResourceManager Unauthenticated RCE
- Jupyter Notebook RCE
- MySQL RCE
- Redis RCE
- ThinkPHP RCE
- Apache Tomcat RCE
- WordPress brute-force
- XXL-JOB Unauth RCE
- SSH brute-force
Detailed Timeline of Exploits Used in Sysrv
Sysrv’s Mining Operation
The main goal of the Sysrv botnet is to mine the Monero cryptocurrency.
Monero is getting more popular among malicious actors. There are several reasons why Monero is a popular choice for attackers. Most importantly, its transactions are more difficult to trace and it can be mined using the CPUs of ordinary computers (whereas other cryptocurrencies require special hardware, such as application-specific integrated circuits – ASICs).
Even though Sysrv uses the open-source XMRig project to mine Monero, each group for Sysrv samples slightly differs in its crypto mining configuration. To see these differences, we extracted all miner modules and grouped them by their configuration.
Case 1 – Embedded miner, command execution
For the first sample, the miner was embedded in the binary using the go-bindata package. According to its documentation, “this package converts any file into manageable Go source code. Useful for embedding binary data into a go program. The file data is optionally gzip compressed before being converted to a raw byte slice.” The miner is embedded as a gzip file.
Once the embedded miner is extracted, it will be saved to the /tmp folder as network01. It will be executed with the following command:
/tmp/network01 -B --donate-level 1 -o pool.minexmr.com:5555 -u 49dnvYkWkZNPrDj3KF8fR1BHLBfiVArU6Hu61N9gtrZWgbRptntwht5JUrXX1ZeofwPwC6fXNxPZfGjNEChXttwWE3WGURa.linux
Mining pool: pool.minexmr.com:5555
Case 2 – Miner in a separate binary, script execution
For the samples in Groups 2, 3, and 4, the miner is in a separate binary and executed by the script files.
Case 3 – Embedded miners, configuration file input
From Group 5 until now, the miners are always embedded within the malicious binaries either in gzip or later directly as ELF files, using the same bin-data package we saw in Case 1. In total, three different mining binaries were used in these cases. All of them are executed with a configuration file as an input.
We extracted the configuration files from all samples and found the following.
Case 4 – WatchDog mining address
For one specific sample (SHA-256: 1c91ed47c3c0baa74fa15c9b02330701dd02fc1e9b44963e1fe9a650ef7b78ef) the mining address is different from the one that all the others used. This address is
, which was observed in WatchDog campaigns.
Case 5 – Proxying traffic to mining pools?
In recent samples attackers use a unique IP:port combination as the pool URL: 188.8.131.52:5443. The IP is the one from which they distribute the malicious files, and probably they use this specific port to proxy the traffic to the appropriate mining pools.
The Monetization of Sysrv
As one of Sysrv’s main objectives is to mine cryptocurrency on its infected targets, we peeked inside its monetization scheme.
Across the Sysrv malicious sample, Monero was the main cryptocurrency mined with a dedicated address:
We can check the account’s balance by browsing various mining pool sites:
At the current exchange rate of XMR-USD, the total XMR amount equals 4,060 USD. At a certain time, as many as four workers were mining cryptocurrency for this specific wallet at the rate of 30.31 KH/s.
We could also peek into some of the workers’ (victim) names:
This Monero mining operation started in November 2020 and is still active today.
Here the account was suspended due to botnet activity.
The total amount paid from the account was over 76 XMR, which is around 20,000 USD. The first payment happened on 28 February, just a few days after the release of the first malware sample to use xmr.nanopool.org (25 February). The last payment occurred on 2 July. The last sample using xmr.nanopool.org was seen at the end of June. From July, all the samples connect to the mining pool through a proxy.
Let’s take a quick look at the other account as well:
At the current exchange rate of XMR-USD, the total XMR amount equals 10,187 USD. At a certain time, as many as five workers were mining cryptocurrency for this specific wallet at the rate of 225.93 KH/s.
We can also see into some of the workers’ (victim) names:
This Monero mining operation started in November 2020 and is still active today.
The total amount paid is over 15 XMR, which is over 4,000 USD. The first payment happened in October 2020. It is still active as of September 2021.
Protecting Devices from Sysrv
CUJO AI Sentry, the multi-layer security solution for large network service providers, already prevents devices on over 40 million end-user networks from participating in the Sysrv botnet.
Tools Used in the Research
- VirusTotal – https://virustotal.com
- Ghidra – https://ghidra-sre.org
- Redress – https://github.com/goretk/redress
References and Further Reading
Sysrv Indicators of Compromise
We have shared the Sysrv indicators of compromise on GitHub: https://github.com/getCUJO/ThreatIntel/blob/master/IoC/sysrv_ioc
Distribution servers: 185[.]239.242.71 45[.]145.185.85 finalshell[.]nl 31[.]210.20.181 31[.]210.20.120 31[.]42.177.123 194[.]40.243.98 194[.]145.227.21
Monero addresses: 49dnvYkWkZNPrDj3KF8fR1BHLBfiVArU6Hu61N9gtrZWgbRptntwht5JUrXX1ZeofwPwC6fXNxPZfGjNEChXttwWE3WGURa 82etS8QzVhqdiL6LMbb85BdEC3KgJeRGT3X1F3DQBnJa2tzgBJ54bn4aNDjuWDtpygBsRqcfGRK4gbbw3xUy3oJv7TwpUG4
Pool URLs: pool.minexmr.com:5555 xmr.f2pool.com:13531 xmr-eu1.nanopool.org:14444 xmr-eu2.nanopool.org:14444 194[.]145.227.21:5443
Packed ELF binaries: 1a63f7a38c7f5a5cc770246c958aea70ea95bcafac1bad92d2d524f4fe24c1ca 67f03f3065ec012cd8853e9d1b11cb441741910a24cb23ea652fb63d7219ebaa 720341984c842070dcc925cb47127aba35e16971cf7d532cc2efb24b98d56c93 82db3a4201e287cc31d029c0a514f23278723c3ed4836c70cd08e3239a5dec8a d0bb0cb6f1cce7605527989e589033256bfb6b7903832ff3ea1b3e8752ea9f78 8353823b0dc71e1feec1a2ba5e509966d5dae7f5105489c1e628baa73b314d76 9d85b4e7202521d435a871b7de5f8affd30603687cf6e6f39f1420e9223b2bea dd5b4de5a1c68aad5a2efb08db55cb3e09f8ddffc19c95c1ecf9d06c6edf2d40 1384790107a5f200cab9593a39d1c80136762b58d22d9b3f081c91d99e5d0376 bcb02047374196acdf0285a656a8d378cecd6115c403d0bc9f743b4e3ffd6fed dd31b774397c6e22375d4f2fe26e38e82ae164bc73cf58314b18b8eed26802f0 0c13b3528088c308ac28971fba93939c66da2eabef66a4d3790c0b1817221535 beaa0639a67f7fc7937a100f01a550ecb8c8b608251f4d02a97d9a0a15de1304 9c9b7da616239290db831a9305e1a46d45c112c761deaea5ed4c36aea7433891 72483800c412e2204731b12c9d8fff1bc84f7af8f0b258299bb4f091a57ab23a 5f5d599d4d0f9149440a6f813c6db3759d4fdbf7abe991c3af3aa59dc8c4027f 7a546057a47ee02f6436e51d6d61f1b63c525307f9b5076a8edfe2cf4ae68769 a999d7f95af4084b1e4276ee329e9b466c4d88a14cfc87007587d18a4a6c9f8a 1dd2c66843fcf5512b4dda518c2d5010edf06ab701f0380777b1b305ce9c98b0 bf2c450d4d3519de51fbd31def04a0e6786e13a568ddefcaa62d812cc72ffc4c e627aff93c1e095786b5a5248425ec62c1ea8b049d487cfa6e9cfdf2a0ddbd7b d42090b274d285e759de296239bd7b8e5d97270b2d2ae189aed80e68ba82b591 3ea2df69b99f78fc0768ecf8190293f2b277b6de6e7b8e668f40b8a4910df17c ba46915f06d99c4dbb9d07767a86e979893f46333a8a93fce6e040452dfc1155 9b2023a0e22f22860a7a46a67c9eba2c4831db66244603fd961fbb5c38b55272 8223164dd8e2c7d6b2f0da63639186564335ba6a1bfc11cf31493d5c48f3abaf f487b23309808e468889baf10c852284b7833b8ac06fd405d1b19abafc8e17fb 18a877f11f2ba2d7ae05ee8644a5cbd687282df4010dd0cb7680aec2e00d98ce 5208cda8463eee0ac2cf0273dcd4036aa1e2be0de2c45b4ffd71e4c92bac3f2b 22ef90a2b3c23d3c890358fff4ec1210e4ceaaf46d8bef525294151b0e88ce15 4fd37fa6ccf027e11409e3ca3b8109b2830cb3d7842303e67e6d0c087ae1b419 848ed7e90c767e7ab2b1a93f9b8ca9c41eb02c3c76bf8b7dfd806fe26c1f431e 296d3d3ed5feeda7f6d99adc9da2566cb6c460194066acccac941a7b09bedfc3 1c91ed47c3c0baa74fa15c9b02330701dd02fc1e9b44963e1fe9a650ef7b78ef 7ff5f2b3145d1e54a84f5bcc13ae6838baac2d6c20951d19608166833753d96f 544d20fc286d0803dee86a9c34b4c348333e320a4e33fd2730079701cb6e108f c55706ddbfdcecf77f225e711463f50d7da127818ee93a6be10836e4c1662393 95f9faf8a4ef5db4a3e60d577287e18fbbe32336a3b98c256da601645b674c74 89bc80a0bca059535741063ea882c1602cb369af7deea0e45e982b33faa10a68 4d6e5c861f04ed4a14195e29e60f6efba03c05bc213c3a6cffe0f0116a013e5b 798d1292b97eddc2b92a017f2599cf3f3e26e0695e2c2a27b897a483b32d9753 97106c8ca7af1cce73527e8cee2db6a923b257dc8b741ef3e05ecc52468413cc dec628d38b1cece3a980e56813cc3000bdc4d92a08bdf7892961655f1e2e91dd 945cd9e2d05e525417d48c3b18f8b2b953f468ff2f26ddeec4f456812719922a 04c1fe3bf04ebf65d38987f3d1a728684970e88503fa075e2d0b8bbbe98a14cb 0b6037eadb03feed5eb6c67ef4a68e80c64cf619670c6e3187ba076a017c4c85 81e5beaf5683b92b1a238a909805bd02298830dc90d383facdebdb170230ec34 1b2909eda77c14b559b06a68a794868989b7e38c9ca185a3180c63e5c38622b5 c7e136001338f2921fc6bbd67e1de8d4a5098b02eab55a47aa3bff2fa7ad8b77 3a6b7ee9503a90c5c5735c2867586b0dfc38e1e148d7f6d902f13e298362fc45 5f1d1141da3fe3261edf03c6be1625fe8c8443bdb5381252658100b4f296df6e 2fa5832e8b73a6f585f937f396d7b430d35d23ea607d10649a40989068c6c923 163ef20a1c69bcb29f436ebf1e8a8a2b6ab6887fc48bfacd843a77b7144948b9 03e3859f2109215e347b93c4df95bb1a2d402280a5ec870c4c74422db83d7ffb 41dbb7871093a6be9acc7327bc7a7757df2f157912ff5649b01390307283bb53 7d1e2685b0971497d75cbc4d4dac7dc104e83b20c2df8615cf5b008dd37caee0 af7c5617a89c40aac9eb2e573a37a2d496a5bcaa9f702fa919f86485e857cb74 5fc4c90fae41a53ef41cac0ef2c0c7f4076d8ac3e49bf71daaebe584eb03ea91
Embedded ELF miners: 3144e5eb401f51f957f6821c201d5135f8627bbf2dab054d962fceaca45b3a04 d3e72cdce785505117cf6599513344faffec3400099c47725991498e2f06d2eb 67e38438759f34eaf50d8b38b6c8f18155bcc08a2e79066d9a367ea65e89aa3d 31ebd33606ee9d58cf2c641d583bebe2d8bd5c374d1f988510c953bfa24a05c0
Embedded GZip miners: 9b1a79cf787e04ce8a017ca547e1a53431ddb77259982d36f7ebf3d2d6b20c16 19314b1c99da65ed22534a2e059fcdcc30a495247dc76eed79e583fd2df97735 a01eb03f5cb206bb27574952725a56a5552b8826603aaf6fea1a4be6ecb187b4
Separate XMRig ELF binaries: d1e4fb661716aa79351fdb86c6a364a4a52a86d85ecf91afff052abdfc168b5b 2ca7ac7c1884004ea3ce310e2ed8bc23ecb0e26826aff48e4662809cc4299350 d3e72cdce785505117cf6599513344faffec3400099c47725991498e2f06d2eb
Linux Bash (sh) loader scripts: 752f181073449404df442a56b067951a8ed5a5419129ca5a416e80c376295b54 8f421d90d2697cc38d24858ab894a119719a217157c151eaf9fe9ff55f6387a5 1d42661ed8ee86d6329d27158ba9d1cf6291b1d3c6554ba50b683643f0b89959 0703482c9cfd573924c028db0a2563b7e936993a345ad6d92e9cff73030cebc5 f674e83e44bbb3ddf76c3622b9b8b0be16edf60f4021a91b5959e528684c481f f36b692e27631a5cc96f705ad06fa4496b70fc59c4ed3b6f9a2efffff503975c 472fa4d13d8d71762af7fe5d574ad0d7c7c2983d228fd0944f0ee706e5b9d551 774fad3fd2c7add5842b58c1127b9061d38027debcd3917910a8ec6b6aec9d08 b480b65704fb998bafa8893221e691daa906a80206196eda1ac3c0cdcc5c1c49 03e1806272242fae788c8728bc5796482890601839c0c5012855424ce253c95d 30c3965452d35eab07243e2b193a3de678c1be6719753ed00b164785ae57ea98 0783a9793100e6a32b21183239f955989c8901d18260092309efae91ccc075da 2d1b6deaccca69f67a6a207ecebb0010e62cd4d87298374c957236c78606f62e 6a77d927c3e749c92b3f8847804c0de509050ad24aaf72519314df9226c3acb0 6cab9f43cf738ba5ca9fb519f898f6ae10b11391d76191c395fe2c5bcbe5c100 58d96898ae28a806c8056799d703cad8a5bac95772458512395f77b8b6f73585 af279402867f3ef8d9e8bacde3aff359b1c6f3f2d581b914f12cb9d914199a0d b7e06689bde2614505a70cd0b4be24688be78d05057a134cc3f16919763bf65f c07838598435a26f658654db4ce816914e6cfe70056382471362407d6093e1fa a41f2f0d431e750e911fc8f70c8b764f141f19fef2e6b0b70192d502d59ae39a 41abb26f7c6dbc59ed4fc9f323211b4d422937700d866a7c5d12625f85fe6be6 0015ff5fdce5e2523780350b60481c5c77e567425ef6b3be7569f557b4b70539 4e485aa3bd66a62976b664af7d1060141610d91d0b2a24069db3835b35a3288b 6464434e5040b6bab0dd8b55b906dc1d068a21de5684e75e5eb51aa2608ef0ad 1f9fe85cb54c42dd41936ba0dc0772181ea9568cba13ccf68192e1de61abb5e8 ac0d8aceb01077b5ff3de02c6c63971054104bedabf3732ed169646a3f7e10e9 54419989e90f0281068a8b5e23715180682b61b70efb4aebc18562bd34cdd2a8 0352699e6b5fdaf7e88a862947bd8a764b3cad0e4d2e9388fd26f4316eb98d9a ac229564c2027f2a941f91e2cd69e92d83ae11fdf855e22959366614ae8f2300 f8b3ee42481fa87a1f2cd671abbe02ae246b8f60cacc0b69530d2f83a8f7c645 3cb6ffb62188958e4fbecdc082c344c8c40cabc76d3d9da60f4a2d28f9a297bd f8cd3952a3f077530ecd2e4095de19e98c34b90e5843214e8c209db508b4661e 6df1ade14e31ad4a97f25b4fd17402f77d55e7e1ebd8c8ee49d637cf4201787d 70573eb2a3533f82147f340a574f94dfdb8612a1d4c0c0a4b41ff7100b4cf2a1 5196c1a9a8f5a954762fac2d29700ca7ac919cdcd4ee18dd59d8b68923186742 ae397202fd8b593c41825d484ab93abe2af6327dda1618cf6f1f636a5f5b14e6 b5dd691f864fb3d81e83fcad6a2d449e88cdfa11885e3e03b6c666be4a6f1588 28e9b06e5a4606c9d806092a8ad78ce2ea7aa1077a08bcf3ec1d8e3d19714f08 dfbe48ade0b70bd999abaf68469438f528b0e108e767ef3a99249a4a8cfa0176 11fb436d9ae73760b8c94dda494acb532b3df0508ab6bf8d705509d3222e590b bf4eee2369e975873900ba8c647877e0a906fc3ef05dac8cbe102d89b08efcf9
Windows binaries: 15e0b4302902a425dcd0476a60a0d96a17c5a6cdd9fe13c2d09c5055e48178e4 24a84889f53b65b6738dd0194ff6d15f6ae227e37a91a4589ba51ce1f019a4f8 e51e35ce9737838d1a26be7285ba78a137d11c6725382944f34bde86f16cc893 be8d067e762c5da8e616f62e882881b82c8627943bdf006e304fd9a4f784763f 588b0838cc4c0fc64bfc1e5eeab2c9a59248e4e28a859ecbbac6bfe88bda703d 5c902be344f9e089e60c36bbe3345fb5bd9c3c0b4cec349a6bb18da7faef0908 98e10d9c5bfd7a26ff3eb68d232109b6fbe0b0ec39f763f574301fb55e52a067 0f02a4180528a850cf24310f2e88c365695e35adbe6ba023288283599348b16d d8336694afc213433470e9481de2f5d3f57dbeaf5763f62d137be103f63c45dc 9fd4fbab33dbedf48706096ab4ae19e25648f33d2e9fba62118fea726c918848 8d0585970d1f6996ee8a034ee1f482bb0df32599e618312c0830e2fb04b6af5a 064869b60b9cdb2b39daa30280770e63d9151fe3cc9f6db3813953cd71bdba8f 4a588b7f30c91dd5603ffb0ea48cbd9f589f44b7fcb980b9bb9959d87dd344ad f115f7826b7857be4522b84a17077a49d0ec0835010da31060acf85bab87778c 80bc76202b75201c740793ea9cd33b31cc262ef01738b053e335ee5d07a5ba96 fb5b082b6074064ff95d8501d568f3bbbd161218b170a273aeeb27e8ed44cb74 3db5b68b127a07ec6465b706efb640acc8e6303f9a17a763caacdde9116ec825 41d0b9107fb81d3101e5d54598e5a55d363e2b99128759e51e029ed29e17af2b 881f85d17b6f4e1f403804bbba413b4246ec7fba1724e4852ea517c19641fb8c
XMRig Windows binaries: b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09 bac8a452547ae6690c56c2fc5274d55d13e8c063e615f2f964cc8413ba5c640c
Windows Powershell (ps1) loader scripts: 934b422f0b8d26bd1c094bd532ddd947a702262c27991d757a9a6e3672014e98 73366b91ed479f3394fe2f211edac36df0e90d6be41b7ee0559582a324484e40 28dcdabaab2837b944a260048792ee4141ab0b3061637d7b9097706292c76877 d8a0ad2486c9662c8ac8c4370c7986bdc02dc6bdb8155dcc537f10dd00252d1d c60efd92c248739daacab90eb5d9e00326986b0396ddbfce845ae47cab85e30f c68673f97007712f90d727d0ac2b0e2bb9077f2f4cf1c3c68d0b74253fccb59f 322e0f41c42a08fcd6ff0400388bd577affd545196da597ce7c11869ed2fe059 4b3127cf8e3f2ba1726d3d4ceb61b6899c76c2fdfdd7a8f1cc8fcfa0a6d243f7 093b72e9b4efcc30c1644a763697a235c9c3e496c421eceaac97d4babeba7108