SilentCryptoMiner

• Changed administrator "Startup" installation procedure from using the Task Scheduler to instead install as a Service
• Changed the Administrator "Startup" installation from installing into "Program Files" to instead install into "ProgramData"
• Removed the "Run as System" option due to Services always running as System
• Added MSRT removal to the "Add Defender Exclusions" feature
• Changed the C++ compiler to one with less detections and better features
• Improved external compiler starting procedure to bypass compiler bugs when the build path contains spaces or unicode characters
• Modified the compilation process to incorporate "strip" for the removal of all unnecessary symbols and relocation data
• Adjusted compiler optimization level to mitigate some antivirus detections
• Enabled LTO during compilation to remove a lot of compiler caused detections from unused sections
• Changed the compiler from using temporary files to instead use pipes in order to work better with some irregular environments
• Changed the compilation procedure to add a randomized creation date and last write date to the built miner files
• Reverted miner builder .NET Framework version back to .NET 4.5 from .NET 4.8 for better compatibility
• Changed the miner injection technique to both reduce complexity and antivirus detections
• Optimized the process creation code
• Remade miner injection loop code and watchdog mutex check loop code to bypass a new targeted Windows Defender detection
• Greatly improved the SysWhispersU syscall generator
• Switched over from static syscalls to randomized dynamic syscalls
• Changed the "Run as Administrator" feature to elevate programmatically instead of through a manifest file to avoid manifest caused detections
• Added obfuscation to all constants and literals
• Added base64 encoding to embedded files in order to bypass detections caused by high entropy data
• Changed the embedded resource format from hex to decimal in order to reduce memory usage and time during compilation
• Changed the default "Startup" tabs "Entry Name" and "File Name" to a randomized string due to Windows Defender targeting the current default names
• Added new "Randomize" button next to the "Startup" tabs "Entry Name" and "File Name" options to allow for fast randomization
• Added new "Advanced Option" that allows automatic UPX packing of the embedded miner resource files
• Changed the "Disable Windows Update" and "Disable Sleep" functions to directly call the programs instead of calling them through a command line
• Changed default "Inject Into" program to conhost.exe instead of explorer.exe due to explorer.exe now triggering detections when running under System
• Added ".exe" extension exclusion to "Add Defender Exclusions" feature in order to potentially prevent some future general memory detections
• Removed XMR "GPU Mining" option due to problems with CUDA and it being worse than the already existing dedicated GPU miner
• Removed XMR "CPU Mining" option due to it having no reason to exist now that the "GPU Mining" option is gone
• Rewrote XOR cipher function to bypass XOR obfuscation detection
• Remade the "Block Websites" feature code to bypass some detections caused by looping
• Greatly improved the overall code to reduce wasteful calls, handles and possible code signatures
• Changed "Start Delay" to only apply before installation in order to avoid timeouts
• Updated the uninstaller to properly remove all files
• Updated the miners

• Added OpenCL ICD loader statically into the GPU miner because some systems local loaders do not seem to work
• Added automatic CPU mining core restart when a prolonged period of zero hashrate is detected
• Fixed administrator "Startup" trigger to be "on login" when "Run as System" is disabled
• Reduced some antivirus detections by modifying the miner compilation command
• Changed some miner builder compiler commands to be absolute instead of relative
• Added "Assembly" tab "Version" number sanitization
• Fixed unnecessary log warning during compilation
• Removed many old unused debug strings inside the miners

• Added the KawPow (kawpow) algorithm directly into the GPU miner
• Added new FiroPow (firopow) algorithm
• Added new ProgPow (progpow) algorithm
• Added new ProgPowZ (progpowz) algorithm
• Added new EvrProgPow (evrprogpow) algorithm
• Implemented KawPow, FiroPow, EvrProgPow, ProgPow and ProgPowZ using only OpenCL for both Nvidia and AMD to bypass large CUDA NVRTC library requirement
• Rewrote most of the GPU miner to add support for multiple algorithm families and to greatly improve stability and reliability
• Added Sero-Proxy protocol to be able to mine Sero (ProgPow)
• Removed KawPow (kawpow) algorithm from the XMR miner and also the large CUDA NVRTC library to make sure no one accidentally uses it
• Re-added the Panthera (rx/xla) algorithm
• Added Zephyr coin (rx/0) solo mining support
• Moved the XMR miner "GPU Mining" option into the "Advanced" tab to discourage unprofitable XMR GPU mining
• Moved the "Use Rootkit" option into the "Advanced Options" for better clarity regarding its complexity
• Changed Task Scheduler Task creation from Powershell to only using the command line with a temporary XML file
• Changed MSR driver path from using a static library path to a dynamically generated path
• Modified embedded file encryption and decryption to reduce heuristic detections
• Changed the code compiler build to different one to greatly reduce the compiler-caused antivirus detections
• Improved the external compiler execution commands by better forcing absolute paths in commands
• Added a mutex into the miner installer/injector to make it checkable by the watchdog
• Reduced the watchdog checking interval for better persistance
• Removed unused helper functions
• Rewrote uninstallers miner killer function to work with Process IDs above the ushort limit
• Changed unicode string initialization from a macro to a function to reduce the final code size
• Changed string formatting from using the built-in Windows API to instead use a much smaller custom function
• Moved web panel reporting to happen before CPU idle usage change in order to help make the hashrate look less confusing
• Improved RandomX database regeneration speed when leaving "Stealth" on pools with infrequent new jobs
• Fixed weird default "Stealth on Fullscreen" configuration value when "Run as System" was disabled
• Fixed possible null terminator string length counting problem inside the GPU checking function
• Reduced unnecessary recursive directory creation function stack size
• Changed miners execution state to no longer always semi-block sleep mode on some computers
• Restructured the algorithm selection list to be easier to use
• Added semi-CLI functionality for building miners through the command line
• Updated the rootkit to a new version

• Changed miner settings from being passed through the command line to instead be passed directly through the PEB
• Changed XMR miner to clear RAM during "Stealth" when possible
• Changed PEB calls to be more obfuscated due to new detections
• Changed miner to read the current executable path for installation directly from the PEB instead of a Windows API call
• Changed miner and watchdog to read the environmental variables directly by traversing the PEB
• Included rootkit directly inside the miner instead of using the rootkit installer to avoid the new AMSI detections and for more flexibility
• Changed rootkit to now run outside of the "Startup" installation flow to allow for it to run when "Startup" is disabled
• Moved "Install Rootkit" out from "Advanced Options" and renamed it to "Use Rootkit (Hide Miner)" since the rootkit should now be stable
• Updated compiler command options to reduce detections
• Added system call registry access functions to allow registry manipulation without using the Windows API or CMD
• Changed GPU checking to directly read the registry instead of using a WMI command with a file buffer
• Added signature cloning tab where you can clone the digital certificate of another program into the miner
• Moved administrator checks from powershell directly into the C++ code
• Added Task Scheduler "Startup" entry checking into the Watchdog
• Merged obfuscate.h library and obfuscatew.h library into a custom-made unified version called obfuscateu.h
• Added a custom-made SysWhispersU direct system call generator and removed the previous SysWhispers2
• Modified SysWhispersU and obfuscateu.h to use different encryptions in order to avoid XOR detections
• Added simple obfuscation to well-known SysWhispers constants and offsets to avoid static detections
• Readded explorer.exe as injection option
• Made explorer.exe the default injection option again
• Updated uninstaller to instead find the watchdog and miner processes by enumerating system mutex handles to find the owner process
• Added "Disable Windows Update" rollback into the uninstaller to allow the uninstaller to fix Windows Update during uninstallation
• Updated checker to instead check if the mutex is active to ascertain whether the miner and watchdog is running or not
• Merged many C++ files together to be able to store them unzipped in the project in order to make all code changes directly visible in commits
• Optimized and shortened many functions such as the previously verbose process creation function
• Increased delete pending injection temporary file name length to further decrease collision chance
• Fixed possible parent spoofing failure if required buffer size changes between system calls
• Change installation to call reg.exe and schtasks.exe directly when possible instead of through cmd.exe
• Fixed "Startup" installation bug on some systems when "Entry Name" contained a space
• Fixed support for Unicode characters inside the "Assembly" settings
• Updated both miners
• Added Portuguese (Brazil) translation (MatheusOliveira-dev)

03-04-2023 Hotfix:

• Fixed possible null terminator string length counting problem inside the GPU checking function

• Changed process creation from undocumented API calls to direct system calls
• Added process parent spoofing with token impersonation when creating processes
• Created custom process parameter creation to avoid API calls
• Added system call process enumeration for parent spoofing
• Updated SysWhispers2 with custom process creation definitions and more
• Modified SysWhispers2 assembler instructions to bypass new detection
• Changed all indirect API calls to direct system calls
• Changed compiler binaries to reduce some compiler caused detections
• Fixed known XMR "GPU Mining" compilation error with new compiler
• Fixed XMR GPU library location checking on some systems
• Changed GPU memory checking from CUDA API to NVML for much better accuracy
• Updated ethminer CUDA and OpenCL mining implementations
• Updated ethash, etchash and ubqhash algorithm implementation
• Added improved CUDA and OpenCL automatic restart on error or crash
• Improved GPU limit sleep time accuracy for powerful GPU cards
• Removed ETH from the preset list due to the ETH merge from PoW to PoS
• Added EthereumPoW (ETHW) fork of ETH to the preset list
• Rewrote website blocking to avoid using string to reduce dependencies
• Updated rootkit and fixed some rootkit bugs
• Fixed many miscellaneous bugs
• Updated xmrig

• Added GPU check support for some Radeon RX GPUs
• Added more API function bypasses for lower possible future detections
• Changed compiler paths from relative to absolute paths

• Fixed GPU checking when running as the System user
• Future-proofed some possible future detections

• Rewrote entire miner and watchdog in C++ to replace the C# miner and watchdog
• Rewrote much of the builder for the rewritten miner and watchdog
• Added custom C++ compiler package
• Added custom compiled version of SysWhispers2 to randomize syscalls seed on every build
• Changed default injection target to conhost.exe
• Removed injection target "explorer.exe" due to new protections and inconvenience
• Added new injection target "dwm.exe"
• Removed now unnecessary options "Shellcode Loader", "In-memory watchdog" and "Do built-in obfuscations" because of the rewrite
• Removed now unnecessary DLL modules because of direct implementations
• Temporarily removed the "DEBUG" and "Overwrite old miners" options
• Updated both miners
• Added Spanish translation (Xeneht)
• Added Russian translation (BITIW)

There might not be many entries in the changelog but that is mainly because everything was rewritten so it's hard to write down specific changes. There's also an issue on some computers to compile with XMR "GPU Mining" enabled which I'm aware of, it's due to the large filesize of the XMR CUDA libraries and will be "fixed" in a future version"

• Fixed mysterious reported ETH stratum disconnection
• Further improved ETH miner web panel status reporting from feedback
• Reduced minimum minor CUDA version for more driver compatibility
• Reduced ETH VRAM CUDA overhead slightly
• Reduced critical process protection delay
• Fixed missing builder admin shield images

Sorry for the quick update, thought it was necessary instead of waiting until the next release. Mostly due to the ETH stratum disconnection that someone has reported was happening for them. Seems to have been fixed automatically after rebuilding the binary a few times.

• Bypassed new Windows Defender exclusion detection and removal
• Added new improved process hollowing module ProcessInject which replaces the old process hollowing
• Added new "Critical Processes (BSoD)" option to mark the miners and watchdog as critical processes, thus causing a BSoD when killed
• Added new in-memory native DLL loader for the new modules, ProcessInject and ProcessProtect
• Greatly improved dynamic DAG/VRAM management, including better regeneration when enough VRAM becomes available to mine
• Changed startup flow to be more dynamic and persistent
• Improved the watchdogs persistence
• Greatly improved ETH miners web panel status reporting logic
• Improved ETH miners failover connection logic and default timing parameters
• Removed AstroBWT algorithms due to constant forking and instabilities
• Updated XMR miner
• Added Polish translation (Werlrlivx)

• Added language localizer to allow translations of all controls through XML
• Added Swedish translation
• Changed "Save Path" to show "Program Files" for clarity when "Run as System" and "Run as Administrator" are both enabled
• Moved AMSI bypass from the RunPE module into the miner to bypass Assembly.Load detections
• Obfuscated all remaining strings inside all files
• Remade manifest to reduce detections
• Added new advanced option to disable built-in obfuscations
• Updated rootkit to reduce detections and improve compatibility and reliability
• Improved process hollowing implementation

• Removed Panthera (Panthera) algorithm due to reported collateral issues
• Updated ETH miner CUDA and OpenCL implementations
• Added ETH miner OpenCL fallback for Nvidia cards if CUDA is unavailable
• Fixed connections to some ghostrider pools
• Fixed ETH first web panel configuration and first "Remote Configuration" pool switching
• Fixed Clover platform support
• Fixed non-intended administrator permission request during normal user first installation start
• Fixed brief powershell window popup on administrator installation startups with "Run as System" disabled

Hotfix 08-06-2022:

• Added bypass for new RunPE AMSI detection

Hotfix 15-06-2022:

• Fixed AMSI bypass for some versions of the .NET framework

• Added new Ubqhash (ubqhash) algorithm
• Added new CryptoNight-GPU (cn/gpu) algorithm
• Added new Panthera (panthera) algorithm
• Added new AstroBWT V2 (astrobwt/v2) algorithm
• Added new option "Stealth on Fullscreen" to pause the miner when Windows reports a fullscreen program to be open on the user running the miner
• Added executable name to the web panel "Active Window" reporting
• Added executable name reporting of the found "Stealth Targets" during "Stealth" to the web panel
• Added UTF8 encoding to GPU and CPU name web panel reporting
• Added C# shellcode injector for in-memory watchdog injection without an intermediary "Shellcode Loader"
• Changed Task Scheduler task creation from schtasks command to powershell to greatly increase customizability of the task
• Changed Task Scheduler task conditions and settings to the most optimal for the miner
• Changed Task Scheduler task to start at system startup instead of any user login when "Run as System" is enabled
• Fixed Task Scheduler task on some systems when install path contains spaces
• Replaced many commands with obfuscated powershell versions
• Reworked miner installation code and methods
• Reworked miner checking loops to ensure correct web panel status reporting and better performance
• Added support for reporting to the web panel when running at least two miners of the same miner type
• Improved watchdog miner restoration
• Updated the rootkit

• Changed miner to install into Program Files if installed with "Run as System" enabled
• Changed miner to instead start from the Task Scheduler instead of CMD immediately after install if running as administrator
• Changed Icon preview to reload after loading a save
• Reworked "Remote Configuration" and web panel API calls for better performance, flexibility and less overhead
• Changed miner to immediately start reporting to the web panel on start
• Added new "Starting" miner status when first reporting to the web panel
• Added new miner version reporting to the web panel
• Added new currently active window reporting to the web panel
• Added new miner run time reporting to the web panel
• Inverted some advanced options for better clarity

• Changed ETH miner to force desired CUDA settings, can increase hashrate on newer drivers/GPUs
• Changed ETH miner to not mine on integrated Intel GPUs, meaning CPUs with a GPU in them since they are not profitable and can cause lag
• Reworked manifest system to reduce overall detections
• Reduced C# detections greatly, especially helpful for those with "Shellcode Loader" disabled
• Changed "Entry Name" check to reallow backslashes for Task Scheduler subsections
• Improved "Disable Windows Update" function with better persistence and effectiveness
• Added advanced option to disable the miner from running after install so that it will only run on startup

• Added option to disable Windows Update which stops updates from being found and installed
• Changed Watchdog to now run only in memory with no file dropped
• Added new Advanced Options form to make space for more options
• Added advanced option to use old Watchdog behaviour and start as a dropped file instead of only in memory
• Added advanced option to not overwrite old installed miners if desired
• Changed HTTP library to always follow redirects
• Decreased miner stealth and idle check loop timer for faster checks
• Moved process hollowing code back into DLL
• Added custom user level manifest
• Reduced some antivirus detections, mainly in C# code
• Cleaned up builder and miner code
• Fixed uninstaller
• Removed duplicate disable sleep command
• Updated miner

Update was too big to be a minor update (2.2.2) so it became a major update (2.3.0)

Hotfix 14-04-2022:

• Changed ETH miner to force desired CUDA settings, increase hashrate on newer drivers/GPUs

• Added morphing to Windows Defender exclusion command to avoid static detection
• Added option to run/install the miner as System instead of always doing so by default
• Changed rootkit target program from nslookup.exe to dialer.exe and modified rootkit workflow
• Fixed XMR difficulty negotiation
• Fixed XMR worker name variable replacement
• Fixed XMR CUDA library locator for unicode characters
• Fixed missing builder events

• Added custom system-wide idle detection that replaces the previous dedicated Windows API idle detection, this allows the miner to be run as "System"
• Changed miner to be installed with the "System" user when run as administrator which means that it will now run when the computer is started with any user
• Added field to customize the entry name displayed in the startup registry and Task Scheduler
• Added option to automatically delete the original miner file after installation finishes
• Added option to disable sleep and hibernation on the computer
• Added option to block websites/domains from being able to be accessed by using the hosts file
• Fixed computer name and username convertions when containing non-ASCII characters
• Changed default library and installation locations to avoid path access restrictions by some programs
• Fixed XMR miner GPU CUDA libraries
• Fixed missing Watchdog Loader obfuscation step when using "Pause for Obfuscation"
• Improved GhostRider algorithm implementation
• Changed ETH miner idle sleeping
• Fixed minor builder bugs
• Cleaned up form elements
• Added icon file error checking
• Updated compilers
• Updated miners

• Added the Ghost Rider algorithm, mainly used for the coin Raptoreum
• Added JSON generator inside builder for easier "Remote Configuration" and web panel configuration creation
• Added rootkit helper signatures to relevant files to ensure that files and processes are not hidden from the miner processes
• Added new "Out of free VRAM" status for the web panel if no GPU has enough current free VRAM to mine the selected coin
• Added "remote-config" and "api-endpoint" configuration options for the "Remote Configuration" and web panel configurations
• Changed save/load form serialization to also save checkbox and toggle text states
• Changed default "Startup" "Filename" due to certain anticheats blocking default "Startup" folder access
• Changed "Shellcode Loader" code and overall flow
• Improved rootkit stability and stealth
• Cleaned up messy and unclear form control names, breaks old save compatibility

• Removed Hide File option due to it restricting the file from being written to, thus enabling it to cause unwanted behaviour and bugs
• Fixed possible bug where the random encryption keys could be generated with illegal characters
• Fixed builder bug where it didn't clear the miner set for the Watchdog between builds
• Fixed Monero icon