hw64.exe

The executable hw64.exe has been detected as malware by 23 anti-virus scanners. It is a malicious Bitcoin miner. Bitcoin-mining malware is designed to make infected computers generate Bitcoins for cybercriminals, consuming the victim's computing power in the process. While running, it connects to the Internet address xmr.crypto-pool.fr on port 80 using the HTTP protocol.
MD5:
d31d88cdb413f3751f2c47efcdb71bfd

SHA-1:
937b5065b396c19a06ee700c74925735916d4b19

SHA-256:
caeb65367a8d7fa5a07986845036b7dcd4b631787ac3932fe2dd08c3ff427111

Scanner detections:
23 / 68

Status:
Malware

Explanation:
The program mines for Bitcoins in the background using the computer's GPU, and may be installed and run without the user's knowledge.

Analysis date:
4/22/2025 12:12:08 AM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Trojan.Generic.11477218 | 843
Agnitum Outpost | Trojan.BitMin | 7.1.1
AhnLab V3 Security | Trojan/Win64.ADH | 2014.10.13
Baidu Antivirus | Trojan.Win64.BitCoinMiner | 4.0.3.141015
Bitdefender | Trojan.Generic.11477218 | 1.0.20.1440
Emsisoft Anti-Malware | Trojan.Generic.11477218 | 8.14.10.15.06
ESET NOD32 | Win64/BitCoinMiner.AH (variant) | 8.10551
F-Secure | Trojan.Generic.11477218 | 11.2014-15-10_4
G Data | Trojan.Generic.11477218 | 14.10.24
IKARUS anti.virus | Trojan.Win64.BitMin | t3scan.1.7.8.0
Kaspersky | Trojan.Win64.BitMin | 14.0.0.3099
McAfee | Artemis!D31D88CDB413 | 5600.6977
MicroWorld eScan | Trojan.Generic.11477218 | 15.0.0.864
NANO AntiVirus | Trojan.Win64.BitCoinMiner.devhlj | 0.28.2.62483
Norman | BitMin.A | 11.20141015
nProtect | Trojan.Generic.11477218 | 14.10.12.01
Quick Heal | Trojan.Win64.g9 | 10.14.14.00
Reason Heuristics | Threat.Win.Reputation.IMP | 15.3.13.1
Rising Antivirus | PE:Trojan.Win32.Generic.17075C88!386358408 | 23.00.65.141013
Trend Micro | TROJ_GEN.R0CBC0EH414 | 10.465.15
Vba32 AntiVirus | Trojan.Win64.BitMin | 3.12.26.3
VIPRE Antivirus | Trojan.Win32.Generic | 33862
ViRobot | Trojan.Win64.A.BitMin.4550144 | 2011.4.7.4223

File size:
4.3 MB (4,550,144 bytes)

File type:
Executable application (Win64 EXE)

Common path:
C:\users\{user}\appdata\roaming\hw64\hw64.exe

File PE Metadata
Compilation timestamp:
6/28/2014 1:18:48 AM

OS version:
4.0

OS bitness:
Win64

Subsystem:
Windows Console

Linker version:
2.23

CTPH (ssdeep):
49152:MddcUaEj6mo+mmmj9S4s+uTTy5zil0jcz2MA4GjQUsiVJ7/fmulpMH+95wLsgEki:lUP8U+K6PhIEBfpaapR

Entry address:
0x14C0

Entry point:
48, 83, EC, 28, C7, 05, 62, 9B, 45, 00, 00, 00, 00, 00, E8, 6D, 20, 28, 00, E8, A8, FC, FF, FF, 90, 90, 48, 83, C4, 28, C3, 90, C3, 66, 66, 66, 66, 66, 66, 2E, 0F, 1F, 84, 00, 00, 00, 00, 00, 48, 83, EC, 38, 48, 8B, 05, CD, 5B, 45, 00, 48, 8D, 48, E8, 48, 8D, 54, 24, 2F, E8, B7, EF, 31, 00, 90, 48, 83, C4, 38, C3, 90, 48, 83, EC, 38, 48, 8B, 05, A5, 5B, 45, 00, 48, 8D, 48, E8, 48, 8D, 54, 24, 2F, E8, 97, EF, 31, 00, 90, 48, 83, C4, 38, C3, 90, 48, 83, EC, 38, 48, 8B, 05, 7D, 5B, 45, 00, 48, 8D, 48, E8, 48...

Entropy:
6.4571

Code size:
3.4 MB (3,582,976 bytes)

While executing, the file has been observed making the following network connections in live environments.

TCP (HTTP):
Connects to bbr.crypto-pool.fr  (212.83.168.39:80)

TCP (HTTP):
Connects to xmr4.crypto-pool.fr  (212.129.44.154:80)

TCP (HTTP):
Connects to xmr.crypto-pool.fr  (212.129.46.76:80)
