Win64/CoinMiner.PR---6C5F504C7E35D29D0883C041B8F026DD3AEAB464

[baran 0]

hi

i have a problem ,

eset detects the infection on the memory and erases it, and then the reset warning comes,

But the pollution still exists and has not been eliminated

 

 

[Marcos 5,070]

Unfortunately you didn't select a SysInspector log to be collected. Please provide fresh ELC logs collected using the Threat detection template in ELC.

[baran 0]

here you are.

thank you for support.

eea_logs.zip

[Marcos 5,070]

ELC was not run as an administrator, hence an ESI log was not generated:

WARNING: Action skipped, because not running under administrator account.

[baran 0]

hi marcos

please help me ,

My servers and Clients resets regularly,its so bad 

esetlog.zip esetlogg.zip

[Marcos 5,070]

1, Make sure to enable LiveGrid and possibly also SSL filtering
2, Does the detection occur if you disconnect the server from LAN and reboot it?
3, Provide a Procmon boot log (send a download link via a personal message).

[itman 1,659]

Here's a VirusTotal link for Win64/CoinMiner.PR:https://www.virustotal.com/gui/file/a3b5713be5b0106513e293ffa57e81430c04ad53033dff2fc2a256abff188df5/details .

There's no way of knowing if this current infection is deploying using the same methods. In the posted VT link, it appears the coin miner was using PowerShell to start the coin miner. Also, it appears the coin miner is one of the following dropped execuable files: