Mostly ramblings of me poking at a CPU miner with a stick. Making a thread because someone might like it. Will sound a bit rambly because it is. Sorry.
So my Windows install has been running fairly hot and loud lately, but whenever I end up opening Task Manager it reveals that the CPU usage is at what would be normal for idle.
The dip is me opening task manager
Copying taskmgr to the desktop and renaming it tricks whatever is running into thinking it's now open. This means I can see the true culprit.
So time to rename a random binary. Let's go with Rufus.
And that works. So I now know what it's looking for when it comes to deciding when it should and shouldn't mine.
Let's poke at it with Task Manager some.
Well. It's at least nice enough to set itself to below normal priority.
Hmmm. Something fishy is going on with notepad for sure.
Was last modified in 2015 but was created on 5/30/2018. And no, notepad is not signed by Microsoft.
A few notes so far.
- Killed the process and removed notepad with a bit of good timing (process respawns). Notepad no longer runs outside of the Windows folder. Putting something else called notepad does not cause it to be run. Placing the OG notepad file back into the folder causes it to be immediately run. So some kind of fingerprinting must be going on here.
- Dumping the strings of the file doesn't reveal anything of interest. Mostly random garbage it thinks is strings and some product info from Microsoft.
- Notepad.exe process just simply disappears whenever something is run with the filename “taskmgr.exe”.
That's about the extent of my knowledge/willingness to poke at it. I've uploaded both the binary and a process dump in case anyone else wants to take a look at it. Maybe @catsay would be interested =P
I'm nuking my install from orbit so won't be able to provide much info to you (OK, a backup from a fresh install, but close enough).
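
A triage check built from the observations in the post (a notepad.exe running from outside the Windows folder, not signed by Microsoft, with a creation date later than its last-modified date), as an added PowerShell example that is not part of the original post. The names in `$systemNames` are an assumption; the process list is read through CIM rather than through Task Manager.

```powershell
# Added example, not from the original post.
# Flags running processes that carry the name of a stock Windows binary
# but whose image lives outside %WINDIR%, then reports the same details
# the post checked by hand: signature, timestamps, priority.

$winDir = $env:windir.TrimEnd('\') + '\'

# Assumption: names worth checking; extend for your environment.
$systemNames = 'notepad.exe', 'svchost.exe', 'explorer.exe'

Get-CimInstance Win32_Process |
    # ExecutablePath is empty for processes the current user cannot inspect.
    Where-Object { $_.ExecutablePath -and ($systemNames -contains $_.Name) } |
    Where-Object {
        -not $_.ExecutablePath.StartsWith(
            $winDir, [StringComparison]::OrdinalIgnoreCase)
    } |
    ForEach-Object {
        $path = $_.ExecutablePath
        $file = Get-Item -LiteralPath $path -Force
        $sig  = Get-AuthenticodeSignature -LiteralPath $path

        [pscustomobject]@{
            ProcessId            = $_.ProcessId
            Name                 = $_.Name
            Path                 = $path
            BasePriority         = $_.Priority
            SignatureStatus      = $sig.Status
            Signer               = $sig.SignerCertificate.Subject
            Created              = $file.CreationTime
            Modified             = $file.LastWriteTime
            # Created later than modified usually means the file was copied
            # or dropped onto this machine after it was built.
            CreatedAfterModified = $file.CreationTime -gt $file.LastWriteTime
            SHA256               = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }
    } |
    Format-List
```

Run it from an elevated prompt so `ExecutablePath` is populated for processes owned by other users.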