See: https://docs.google.com/spreadsheets/d/14TWw0lf2x6y8ji5Zd7zv9sIIVixU33irCM-i9CIrmo4/edit#gid=0
Attackers used a so-called coinhive-script
Troy Mursch detected this script: https://badpackets.net/large-cryptojacking-campaign-targeting-vulnerable-drupal-websites/
Is this being blocked by avast?
polonus