josh_bdn

Members
  • Posts: 5

Kudos

  1. Upvote
    josh_bdn gave kudos to itman in ESET protection fluctuating?   
    Below is the vulnerable driver being used. It's ancient, circa 2008, and appears not to be on Microsoft's vulnerable driver list. Or, as I suspect, it's a device driver.

  2. Upvote
    josh_bdn gave kudos to itman in ESET protection fluctuating?   
    According to the VT analysis, it's deploying and using a vulnerable driver, WinRing0.sys, that only three vendors are flagging as such. My suspicion is this driver is what is deploying the coin miner at system startup time.
  3. Upvote
    josh_bdn gave kudos to itman in malware hashes   
    The solution here, as mentioned in a previous thread, is for Eset to establish a web-based threat submission and detection portal such as Kaspersky has: https://opentip.kaspersky.com/.