persmodulecpu.exe

The application persmodulecpu.exe has been detected as a potentially unwanted program by 33 anti-malware scanners. This is a malicious Bitcoin miner. Bitcoin-mining malware is designed to force computers to generate Bitcoins for cybercriminals' use and consumes computing power. While running, it connects to the Internet address fr.stratum.theblocksfactory.com on port 3333.
MD5:
bf50189c9412b033090e4f2d5cdc974e

SHA-1:
ae1a6eea286af097626b15b28ec800f658487dea

SHA-256:
23fc10f184573bff8e3a218d59a89a24f1cfa0289743fbd47d5bbd8251af2d01

Scanner detections:
33 / 68

Status:
Potentially unwanted

Explanation:
The program will mine for Bitcoins using the computer's GPU in the background and may be installed and run without the user's knowledge.

Analysis date:
7/10/2025 3:53:51 AM UTC

Scan engine             Detection                                           Engine version
Lavasoft Ad-Aware       Gen:Variant.Graftor.162151                          550
Agnitum Outpost         Riskware.Agent                                      7.1.1
AhnLab V3 Security      Unwanted/Win32.BitCoinMiner                         2015.07.29
Avira AntiVirus         TR/Rogue.11672419.3                                 8.3.1.6
Arcabit                 Trojan.Graftor.D27967                               1.0.0.425
avast!                  Win32:BitCoinMiner-FA [PUP]                         2014.9-150803
AVG                     BitCoin                                             2016.0.3028
Baidu Antivirus         Hacktool.Win32.BitCoinMiner                         4.0.3.1583
Bitdefender             Gen:Variant.Graftor.162151                          1.0.20.1075
Comodo Security         UnclassifiedMalware                                 22883
Dr.Web                  Tool.BtcMine.480                                    9.0.1.0215
Emsisoft Anti-Malware   Gen:Variant.Graftor.162151                          8.15.08.03.03
ESET NOD32              Win32/BitCoinMiner.CK potentially unsafe (variant)  9.12008
Fortinet FortiGate      Riskware/BitCoinMiner                               8/3/2015
F-Secure                Gen:Variant.Graftor.162151                          11.2015-03-08_2
G Data                  Gen:Variant.Graftor.162151                          15.8.25
herdProtect (fuzzy)                                                         2015.9.8.16
IKARUS anti.virus       not-a-virus:RiskTool.BitCoinMiner                   t3scan.1.9.5.0
K7 AntiVirus            Trojan                                              13.186.14174
Kaspersky               not-a-virus:RiskTool.Win32.BitCoinMiner             14.0.0.1637
Malwarebytes            PUP.Optional.BitcoinMiner                           v2015.08.03.03
McAfee                  RDN/Generic PUP.x                                   5600.6684
MicroWorld eScan        Gen:Variant.Graftor.162151                          16.0.0.645
NANO AntiVirus          Riskware.Win32.BitCoinMiner.dfavcb                  0.30.24.2668
Norman                  BitCoinMiner.STR                                    11.20150908
Panda Antivirus         Trj/Chgt.G                                          15.08.03.03
Quick Heal              RiskTool.BitCoinMiner.r8 (Not a Virus)              8.15.14.00
Rising Antivirus        PE:Trojan.Win32.Generic.18E4B18A!417640842          23.00.65.15801
Sophos                  Generic PUA KO                                      4.98
Trend Micro House Call  TROJ_GEN.R08NB01K314                                7.2.251
Trend Micro             TROJ_GEN.R0C1C0EFA15                                10.465.03
VIPRE Antivirus         Trojan.Win32.Generic                                42414
Zillya! Antivirus       Backdoor.PePatch.Win32.51965                        2.0.0.1995

File size:
541 KB (553,984 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\microsoft\internet\stalin\persmodulecpu.exe

File PE Metadata
Compilation timestamp:
8/14/2014 9:05:38 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows Console

Linker version:
2.23

CTPH (ssdeep):
12288:PokEV/gNoFsGQWxd5yaSkyJep+QdGceBDkL:PoJ/gNoFsGQm5yWtp+QgcWW

Entry address:
0x1280

Entry point:
83, EC, 1C, C7, 04, 24, 01, 00, 00, 00, FF, 15, BC, 94, 48, 00, E8, 6B, FD, FF, FF, 8D, 74, 26, 00, 8D, BC, 27, 00, 00, 00, 00, 83, EC, 1C, C7, 04, 24, 02, 00, 00, 00, FF, 15, BC, 94, 48, 00, E8, 4B, FD, FF, FF, 8D, 74, 26, 00, 8D, BC, 27, 00, 00, 00, 00, A1, 0C, 95, 48, 00, FF, E0, 89, F6, 8D, BC, 27, 00, 00, 00, 00, A1, E8, 94, 48, 00, FF, E0, 90, 90, 90, 90, 90, 90, 90, 90, 90, 55, 89, E5, 83, EC, 18, C7, 04, 24, 00, E0, 46, 00, E8, BA, A6, 06, 00, 52, 85, C0, 74, 65, C7, 44, 24, 04, 13, E0, 46, 00, 89...
 

Code size:
431.5 KB (441,856 bytes)

The executing file has been seen to make the following network communication in live environments.

TCP:
Connects to fr.stratum.theblocksfactory.com  (188.165.223.132:3333)
