A North Korean Monero Cryptocurrency Miner

2018-01-08 AlienVault

https://www.alienvault.com/blogs/labs-research/a-north-korean-monero-cryptocurrency-miner

AlienVault analyzed a Windows installer dated Christmas Eve 2017 that deployed what was most likely the open-source xmrig miner configured for Monero. The installer copied intelservice.exe and updater.exe into C:\Windows\Sys64 (a directory that does not exist on a stock Windows install; the legitimate ones are System32 and SysWOW64), launched a randomly named executable from C:\SoftwaresInstall, and passed it mining arguments containing the wallet address 4JUdGzvrMFDWrUUwY3toJATSeNwjn54LkCnKBPRzDuhzi5vSepHfUckJNxRL2gjkNrSqtCoRUrEDAgRwsQvVCjZbRy5YeFCqgoUMnzumvS. The configured mining server, barjuok.ryongnamsan.edu.kp, is a hostname under the domain of Kim Il Sung University (ryongnamsan.edu.kp), but AlienVault noted that the hostname no longer resolved when they looked, so a miner running this configuration could not have reached that pool, and the report does not attribute the installer to Lazarus. It places the sample in the broader context of North Korean interest in cryptocurrency and prior reporting on Monero mining by Bluenoroff and Andariel, while emphasizing that the installer's amateurish Visual Basic implementation makes a Lazarus link unlikely.
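The behaviour above reduces to a handful of host-side observables: a process image under a look-alike system directory or under C:\SoftwaresInstall, and a command line carrying a pool hostname and a Monero wallet in xmrig-style arguments. The following is an added example, not code from the AlienVault report, that runs those checks over constructed Sysmon Event ID 1 style process-creation records. The pool hostname, wallet address and directories come from the write-up; the file name qzkfr.exe, the pool port 5555, the unrelated pool in the last record and the Image/CommandLine field layout are assumptions for illustration. The -o/-u/-p/-k flags are xmrig's own option names; the generic heuristic exists so that the same miner re-pointed at a different pool and wallet is still flagged.

```python
"""Process-creation triage for the miner deployment described above.

Added example, not code from the AlienVault report. Walks constructed
process-creation records (Sysmon Event ID 1 style Image and CommandLine
fields) and reports which indicators from the write-up fire, plus a
generic heuristic for xmrig-style command lines.
"""
import re

# Indicators taken directly from the report text.
POOL_HOST = "barjuok.ryongnamsan.edu.kp"
WALLET = ("4JUdGzvrMFDWrUUwY3toJATSeNwjn54LkCnKBPRzDuhzi5vSepHfUckJNxRL"
          "2gjkNrSqtCoRUrEDAgRwsQvVCjZbRy5YeFCqgoUMnzumvS")

# Directories the installer used. C:\Windows\Sys64 does not exist on a stock
# Windows install (the real ones are System32 and SysWOW64), so any process
# image under it is suspicious on its own.
SUSPICIOUS_DIRS = ("c:\\windows\\sys64\\", "c:\\softwaresinstall\\")

# Generic xmrig-style invocation: a pool URL (-o/--url) followed by a user
# (-u/--user), which for Monero pools is normally the wallet address.
XMRIG_ARGS = re.compile(
    r"(?:^|\s)(?:-o|--url)[ =]\S+.*(?:^|\s)(?:-u|--user)[ =]\S+", re.I)

# Monero mainnet address shape: '4' plus 94 base58 characters (standard
# address, 95 total), optionally followed by 11 more (integrated address,
# 106 total). The wallet above is 106 characters, i.e. an integrated address.
MONERO_ADDR = re.compile(
    r"\b4[1-9A-HJ-NP-Za-km-z]{94}(?:[1-9A-HJ-NP-Za-km-z]{11})?\b")


def classify(event):
    """Return the names of the indicators that fire for one process event."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")
    hits = []
    if POOL_HOST in cmd.lower():
        hits.append("pool_host")
    if WALLET in cmd:
        hits.append("known_wallet")
    if any(image.startswith(d) for d in SUSPICIOUS_DIRS):
        hits.append("install_dir")
    if XMRIG_ARGS.search(cmd):
        hits.append("xmrig_args")
    if MONERO_ADDR.search(cmd):
        hits.append("monero_address")
    return hits


def scan(events):
    """Return (image, hits) for every event that triggers at least one indicator."""
    return [(e["Image"], classify(e)) for e in events if classify(e)]


# Constructed sample records; the file name qzkfr.exe, the pool port and the
# unrelated pool in the last record are assumptions, not from the report.
SAMPLE_EVENTS = [
    # Benign: a real system directory, no mining arguments.
    {"Image": "C:\\Windows\\SysWOW64\\notepad.exe",
     "CommandLine": "\"C:\\Windows\\SysWOW64\\notepad.exe\" C:\\Users\\a\\notes.txt"},
    # The behaviour described in the write-up: a randomly named binary run
    # from C:\SoftwaresInstall with the pool and wallet on the command line.
    {"Image": "C:\\SoftwaresInstall\\qzkfr.exe",
     "CommandLine": "C:\\SoftwaresInstall\\qzkfr.exe -o " + POOL_HOST
                    + ":5555 -u " + WALLET + " -p x -k"},
    # The copied binary living under the look-alike system directory.
    {"Image": "C:\\Windows\\Sys64\\intelservice.exe",
     "CommandLine": "C:\\Windows\\Sys64\\intelservice.exe"},
    # A miner re-pointed elsewhere: none of the page's indicators match,
    # only the generic command-line heuristic does.
    {"Image": "C:\\Users\\a\\AppData\\Local\\Temp\\m.exe",
     "CommandLine": "m.exe --url=pool.example.invalid:3333 --user=44XYZ -p x"},
]

if __name__ == "__main__":
    for image, hits in scan(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(hits)}")
```

The exact-match indicators (pool host, wallet) will go stale as soon as the operator rotates them, which is why the directory and command-line heuristics are kept separate: an image under C:\Windows\Sys64 or a pool URL plus a 95- or 106-character base58 user string is worth a look regardless of which wallet is being paid.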

Indicators of Compromise

Type        Value                                   First Seen   Last Seen
DOMAIN      ryongnamsan.edu.kp                      2018-01-08   2026-01-27
DOMAIN      barjuok.ryongnamsan.edu.kp              2018-01-08   2018-01-09
YARA        nkminer_monero                          2018-01-08   2018-01-08
HASH (MD5)  6a261443299788af1467142d5f538b2c        2018-01-08   2018-01-08
HASH (MD5)  762c3249904a8bf76802effb54426655        2018-01-08   2018-01-08
HASH (MD5)  42344bb45f351757e8638656e12a0135        2018-01-08   2018-01-08
IPv4        175.45.178.19                           2017-05-30   2018-01-08

The domain indicators are listed with the full .edu.kp suffix used in the report text; the hashes are 32 hex characters, i.e. MD5. First Seen and Last Seen are the dates the indicator was observed in the source feed, not the dates the malware was active.
