
explorer.exe high cpu usage - crypto mining suspect

Anonymous
2021-11-25T12:54:47+00:00

Hello, I'm running Windows 11 (latest update). Last night I noticed (via a Rainmeter skin that checks CPU and top process usage) that my CPU was at 100% on 2 cores (of 6, on my i5 9400F) while the system was idle. As soon as I opened Task Manager, the explorer.exe usage went down to "normal" (1-4% in idle).

Also, I saw two explorer.exe in the running processes; when I opened Task Manager, "the suspected one" remained there but with no % usage, so I tried to kill that one and... guess what... explorer didn't restart as it usually does when you kill it, and "the issue" went away (so, closing Task Manager again, CPU and explorer.exe went back to "normal function"). Of course, if I restart the PC the issue comes back (with that explorer.exe process hogging my CPU until I kill it again, and then it stays closed, fortunately I must say!)

Windows Defender and Malwarebytes don't detect anything.

Searching online I started to believe that it is some crypto-mining malware that "uses" the original explorer.exe (because there is no "fake" explorer.exe anywhere on the system) to "add malicious mining code". But I haven't found any solution at the moment.

Now, I checked "the odd" explorer.exe process with Process Hacker 2 and found in an info tab the following "launch parameters" on the original explorer.exe (so all my suspicions are now a fact!). But, even with my good knowledge of systems, I can't find a solution here, i.e. where or what is executing those launch parameters.

MALICIOUS LAUNCH PARAMETERS:

C:\WINDOWS\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=randomxmonero.eu-west.nicehash.com:3380 --user=3D8RFKShXUnEygTvd3ZMabw4ARhLu74KZq.Lakys --pass= --cpu-max-threads-hint=30 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --nicehash --cinit-stealth

I hope someone can help me, but OVERALL, I hope that Microsoft analyzes this issue, which can affect too many other users, and updates Windows Defender as needed.

Thanks to everyone!

R.

[Screenshot: explorer.exe at right is the "original one"; at left is the "bad one"]

[Screenshot: process command line opened]

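The post above finds the miner by eye in Process Hacker: a second explorer.exe whose CPU usage drops the moment Task Manager opens, and whose command line carries XMRig-style options. Sampling CPU is therefore unreliable; enumerating every explorer.exe by command line and parent is not. The following PowerShell is an added example written for this page, not code from the thread or from any tool it names. It assumes the posted command line is representative (the flag list is an assumption drawn from it) and that it runs in an elevated PowerShell on the affected machine. Because the miner runs inside the genuine, Microsoft-signed explorer.exe, the image path, hash and Authenticode status all look legitimate; only the arguments and the parent give it away.

```powershell
# Added example for live triage of explorer.exe instances; not code from the thread.
# Assumption: miner-style arguments look like the ones posted above. The real shell
# is started as "C:\WINDOWS\Explorer.EXE" (no "--" options) by userinit.exe, which
# has already exited by the time you look.
$MinerFlagPatterns = @('--algo=', '--url=', '--user=', '--pass=', 'stratum', 'nicehash',
                       '--randomx', '--cpu-max-threads-hint', '--cinit-')

function Get-SuspiciousExplorer {
    [CmdletBinding()]
    param()
    $all = Get-CimInstance Win32_Process
    foreach ($p in $all | Where-Object { $_.Name -ieq 'explorer.exe' }) {
        $cmd  = [string]$p.CommandLine
        $hits = @($MinerFlagPatterns | Where-Object {
            $cmd.IndexOf($_, [System.StringComparison]::OrdinalIgnoreCase) -ge 0 })
        $parent = $all | Where-Object { $_.ProcessId -eq $p.ParentProcessId } | Select-Object -First 1
        # ExecutablePath is $null for processes we cannot open; do not crash on it.
        $sig = if ($p.ExecutablePath) {
            (Get-AuthenticodeSignature -FilePath $p.ExecutablePath).Status
        } else { 'n/a' }

        [pscustomobject]@{
            ProcessId   = $p.ProcessId
            Image       = $p.ExecutablePath
            Signature   = $sig                       # expected to read Valid for BOTH instances
            ParentId    = $p.ParentProcessId
            ParentImage = if ($parent) { $parent.ExecutablePath } else { '<parent exited>' }
            MinerFlags  = ($hits -join ' ')
            Suspicious  = ($hits.Count -gt 0) -or ($cmd -match '\s--')
            CommandLine = $cmd
        }
    }
}

# Show both instances side by side; the shell has no flags and an exited parent.
Get-SuspiciousExplorer | Format-List
# Stop only the flagged instance (the shell keeps running, as the post observed):
# Get-SuspiciousExplorer | Where-Object Suspicious | Stop-Process -Force
```

Stopping the flagged process only removes the symptom; it returns after a reboot until whatever launches it is found, which is what the answers below go on to do.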

Answer accepted by question author

Anonymous
2021-11-25T19:19:03+00:00

UPDATE (fixed!)

Got it!...<Removed> :P

By scanning the PC with HitmanPro I saw that one of the "suggested files" was somewhat odd: WR64.SYS. Researching it online I read that it is often the cause of these crypto-mining script injections, so I decided to remove it. After restarting the machine (as HitmanPro asked in order to delete it) the issue is finally gone!

Now my CPU in idle is at 1% :))) and no more "double explorer" with the malicious code.

Thanks for the attention, with the hope that this will serve someone else ;)


10+ people found this answer helpful.

7 additional answers

  1. Anonymous
    2022-02-19T18:52:59+00:00

    Thanks for your post, this really helped me with a similar issue.

    I found the same gamelauncher.exe, the same WR64.sys and of course the malicious explorer.exe using my CPU, GPU and over 2 GB of RAM. I also found and removed the scheduled task that initiated it, but upon restarting my computer I still had the same issue.

    So I headed to this site, The void miner (in Chinese, translated), and installed Sysmon to figure out how my new explorer.exe was created.

    It turns out I had another culprit, this time called "C:\WINDOWS\system32\Microsoft Malware Protection.exe", also launching via the scheduler and creating the same explorer.exe and WR64.sys... Once all this was removed, my computer was back to normal...

    I hope this can help someone else...


    Here is the Sysmon thread leading to the creation of "explorer.exe":

    C:\WINDOWS\explorer.exe
        --cinit-find-x -B
        --algo="rx/0"
        --asm=auto
        --cpu-memory-pool=1
        --randomx-mode=auto
        --randomx-no-rdmsr
        --cuda-bfactor-hint=12
        --cuda-bsleep-hint=100
        --url=stratum.usa-west.nicehash.com:33380
        --user=3D8RFKShXUnEygTvd3ZMabw4ARhLu74KZq.14
        --pass=
        --cpu-max-threads-hint=20
        --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4="
        --nicehash
        --tls
        --cinit-stealth
    
    Process Create:
    RuleName: -
    UtcTime: 2022-02-19 17:16:15.836
    ProcessGuid: {0b960279-25df-6211-2f02-000000001000}
    ProcessId: 2696
    Image: C:\Windows\explorer.exe
    FileVersion: 10.0.22000.527 (WinBuild.160101.0800)
    Description: Windows Explorer
    Product: Microsoft® Windows® Operating System
    Company: Microsoft Corporation
    OriginalFileName: EXPLORER.EXE
    CommandLine: C:\WINDOWS\explorer.exe  --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr  --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=stratum.usa-west.nicehash.com:33380 --user=3D8RFKShXUnEygTvd3ZMabw4ARhLu74KZq.14 --pass= --cpu-max-threads-hint=20  --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4="  --nicehash  --tls  --cinit-stealth
    CurrentDirectory: C:\WINDOWS\
    User:
    LogonGuid: {0b960279-2548-6211-e26a-040000000000}
    LogonId: 0x46AE2
    TerminalSessionId: 1
    IntegrityLevel: High
    Hashes: SHA256=85A296F9F4B5F7A7C656A43585B1D8FDD9DFF84528CC7832C42EBA6488791301
    ParentProcessGuid: {0b960279-25df-6211-2402-000000001000}
    ParentProcessId: 2480
    ParentImage: C:\Users\Alex\AppData\Local\Temp\svchost64.exe
    ParentCommandLine: C:\Users\Alex\AppData\Local\Temp\svchost64.exe  "C:\WINDOWS\system32\Microsoft Malware Protection.exe"
    ParentUser:

    Process Create:
    RuleName: -
    UtcTime: 2022-02-19 17:16:15.254
    ProcessGuid: {0b960279-25df-6211-2402-000000001000}
    ProcessId: 2480
    Image: C:\Users\Alex\AppData\Local\Temp\svchost64.exe
    FileVersion: 4.13.17134.1 (WinBuild
    Description: MpCmdRun
    Product: Microsoft Corporation
    Company: Microsoft® Windows® Operating System
    OriginalFileName: Microsoft Malware Protection-miner.dll
    CommandLine: C:\Users\Alex\AppData\Local\Temp\svchost64.exe  "C:\WINDOWS\system32\Microsoft Malware Protection.exe"
    CurrentDirectory: C:\Users\Alex\AppData\Local\Temp\
    User:
    LogonGuid: {0b960279-2548-6211-e26a-040000000000}
    LogonId: 0x46AE2
    TerminalSessionId: 1
    IntegrityLevel: High
    Hashes: SHA256=7989E864A50D47B7F072BDF5E9060F7472ECBDCC1C69E8FF2947A1C5BC940FF6
    ParentProcessGuid: {0b960279-25df-6211-2202-000000001000}
    ParentProcessId: 18636
    ParentImage: C:\Windows\System32\cmd.exe
    ParentCommandLine: "C:\Windows\System32\cmd.exe" /c C:\Users\Alex\AppData\Local\Temp\svchost64.exe "C:\WINDOWS\system32\Microsoft Malware Protection.exe"
    ParentUser:

    Process Create:
    RuleName: -
    UtcTime: 2022-02-19 17:16:15.219
    ProcessGuid: {0b960279-25df-6211-2202-000000001000}
    ProcessId: 18636
    Image: C:\Windows\System32\cmd.exe
    FileVersion: 10.0.22000.1 (WinBuild.160101.0800)
    Description: Windows Command Processor
    Product: Microsoft® Windows® Operating System
    Company: Microsoft Corporation
    OriginalFileName: Cmd.Exe
    CommandLine: "C:\Windows\System32\cmd.exe" /c C:\Users\Alex\AppData\Local\Temp\svchost64.exe "C:\WINDOWS\system32\Microsoft Malware Protection.exe"
    CurrentDirectory: C:\Users\Alex\AppData\Local\Temp\
    User:
    LogonGuid: {0b960279-2548-6211-e26a-040000000000}
    LogonId: 0x46AE2
    TerminalSessionId: 1
    IntegrityLevel: High
    Hashes: SHA256=F6C9532E1F4B66BE96F0F56BD7C3A3C1997EA8066B91BFCC984E41F072C347BA
    ParentProcessGuid: {0b960279-254a-6211-ab00-000000001000}
    ParentProcessId: 11480
    ParentImage: C:\Windows\System32\Microsoft Malware Protection.exe
    ParentCommandLine: "C:\WINDOWS\system32\Microsoft Malware Protection.exe"
    ParentUser:

    Process Create:
    RuleName: -
    UtcTime: 2022-02-19 17:13:46.383
    ProcessGuid: {0b960279-254a-6211-ab00-000000001000}
    ProcessId: 11480
    Image: C:\Windows\System32\Microsoft Malware Protection.exe
    FileVersion: -
    Description: -
    Product: -
    Company: -
    OriginalFileName: -
    CommandLine: "C:\WINDOWS\system32\Microsoft Malware Protection.exe"
    CurrentDirectory: C:\WINDOWS\system32\
    User:
    LogonGuid: {0b960279-2548-6211-e26a-040000000000}
    LogonId: 0x46AE2
    TerminalSessionId: 1
    IntegrityLevel: High
    Hashes: SHA256=F6D376C19E515B741C78323CA2667EEFBD8DB95DF3BD85F350416E905A710ECB
    ParentProcessGuid: {0b960279-2544-6211-1800-000000001000}
    ParentProcessId: 1928
    ParentImage: C:\Windows\System32\svchost.exe
    ParentCommandLine: C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s Schedule
    ParentUser: NT AUTHORITY\SYSTEM
    


    5 people found this answer helpful.
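The answer above reconstructs the launch chain by reading four Sysmon Event ID 1 records by hand: the Task Scheduler service host starts an unsigned, version-less "Microsoft Malware Protection.exe" in System32, which runs cmd.exe, which runs a svchost64.exe from %TEMP% whose version resource claims to be MpCmdRun but whose OriginalFileName is a .dll, and that in turn creates the explorer.exe miner. The following PowerShell is an added example, not the answer's own commands or any part of Sysmon, that does the same walk automatically: it pulls all process-creation events, finds explorer.exe instances started with miner-style arguments (the regex is an assumption taken from the posted command line), and follows each one's ParentProcessGuid back to the scheduler. It assumes Sysmon is installed with process-creation logging enabled and that the shell is elevated, since the Sysmon operational log is not readable by standard users.

```powershell
# Added example; not from the thread. Walks the Sysmon parent chain the answer
# traced manually. Assumes Sysmon Event ID 1 logging and an elevated shell.

function Get-SysmonProcessCreates {
    # One hashtable of EventData fields per Event ID 1 record, newest first.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -ErrorAction Stop |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $xml.Event.EventData.Data) { $d[$n.GetAttribute('Name')] = $n.'#text' }
            $d
        }
}

function Get-ProcessAncestry {
    param(
        [Parameter(Mandatory)][hashtable[]]$Events,
        [Parameter(Mandatory)][string]$ProcessGuid,
        [int]$MaxDepth = 12
    )
    # Index by ProcessGuid (stable across PID reuse, unlike ProcessId).
    $byGuid = @{}
    foreach ($e in $Events) { if ($e.ProcessGuid) { $byGuid[$e.ProcessGuid] = $e } }

    $guid = $ProcessGuid
    for ($depth = 0; $depth -lt $MaxDepth -and $byGuid.ContainsKey($guid); $depth++) {
        $e = $byGuid[$guid]
        [pscustomobject]@{
            Depth            = $depth
            UtcTime          = $e.UtcTime
            Image            = $e.Image
            Company          = $e.Company           # '-' on a System32 binary is a red flag
            OriginalFileName = $e.OriginalFileName  # a .dll name on an .exe is another
            ParentImage      = $e.ParentImage
            CommandLine      = $e.CommandLine
        }
        $guid = $e.ParentProcessGuid   # stops when the parent predates Sysmon or the log rolled over
    }
}

$events = Get-SysmonProcessCreates
# Assumed indicator: explorer.exe created with XMRig-style options as in the post.
$minerStarts = $events | Where-Object {
    $_.Image -like '*\explorer.exe' -and $_.CommandLine -match '--algo=|--url=|stratum|nicehash'
}
foreach ($m in $minerStarts) {
    "`n=== miner instance PID $($m.ProcessId) created $($m.UtcTime) ==="
    Get-ProcessAncestry -Events $events -ProcessGuid $m.ProcessGuid | Format-Table -AutoSize -Wrap
}
```

Read the chain from the highest Depth downwards: the root whose ParentImage is svchost.exe with `-s Schedule` is the persistence entry to remove, and every image between it and explorer.exe is a file to collect before deleting. The answer's point that removing one scheduled task was not enough shows why the walk should be repeated after cleanup: a second task that recreates the same chain will reappear here.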
  2. Anonymous
    2021-11-30T12:42:05+00:00

    I had the same issue.

    Deleting WR64.SYS did not help for me; it just reappeared after a restart.

    After some investigation I found a scheduled task called \diskparts that ran C:\Windows\system32\diskparts.exe at log on of any user.

    Disabling this startup task appears to have stopped it. What is strange is that I can't find any exe file like that in that folder.

    Here is a link to a zip containing the WR64.SYS file <Link Removed>


    3 people found this answer helpful.
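Between them, the answers describe three shapes of bad scheduled-task action: one whose target no longer exists on disk (\diskparts pointing at a C:\Windows\system32\diskparts.exe the poster could not find), one whose target is a Microsoft-sounding but unsigned binary planted in System32 ("Microsoft Malware Protection.exe"), and one whose target sits in a user-writable directory (the svchost64.exe in %TEMP%). The PowerShell below is an added example, written for this page rather than taken from any answer, that audits every task action for those three conditions. It assumes an elevated shell so tasks registered by SYSTEM are visible; the list of user-writable directories is an assumption and can be extended.

```powershell
# Added example; not from the thread. Flags scheduled-task actions whose
# executable is missing, unsigned, or in a user-writable directory.
# Assumptions: elevated shell; the directory list below.

function Get-SuspiciousTaskAction {
    [CmdletBinding()]
    param()
    $userWritable = @($env:TEMP, $env:LOCALAPPDATA, $env:APPDATA, $env:ProgramData, $env:PUBLIC) |
        Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            $exe = $action.Execute
            if (-not $exe) { continue }   # COM-handler actions carry a ClassId, not a path
            $exe  = [Environment]::ExpandEnvironmentVariables($exe.Trim('"'))
            $path = if ([IO.Path]::IsPathRooted($exe)) { $exe }
                    else { (Get-Command -Name $exe -CommandType Application -ErrorAction SilentlyContinue |
                            Select-Object -First 1).Source }   # bare names resolve via PATH

            $reasons = [System.Collections.Generic.List[string]]::new()
            if (-not $path -or -not (Test-Path -LiteralPath $path -PathType Leaf)) {
                $reasons.Add('target executable missing')      # the \diskparts case
            } else {
                if ($userWritable | Where-Object { $path.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) }) {
                    $reasons.Add('target in user-writable directory')
                }
                $status = (Get-AuthenticodeSignature -FilePath $path).Status
                if ($status -ne 'Valid') { $reasons.Add("signature $status") }   # NotSigned for the System32 fake
            }
            if ($reasons.Count -eq 0) { continue }

            [pscustomobject]@{
                Task      = $task.TaskPath + $task.TaskName
                State     = $task.State
                Triggers  = ($task.Triggers | ForEach-Object { $_.CimClass.CimClassName -replace '^MSFT_Task', '' }) -join ','
                Execute   = $action.Execute
                Arguments = $action.Arguments
                Reasons   = $reasons -join '; '
            }
        }
    }
}

Get-SuspiciousTaskAction | Format-Table -AutoSize -Wrap

# Keep the evidence, then disable (rather than delete) until the whole chain is mapped:
#   Export-ScheduledTask -TaskPath '\' -TaskName 'diskparts' | Out-File .\diskparts.xml
#   Disable-ScheduledTask -TaskPath '\' -TaskName 'diskparts'
```

Expect some noise: legitimate third-party updaters are sometimes unsigned, and a task whose binary was already quarantined by an AV scan will show as missing. A LogonTrigger on a task whose target is missing or unsigned, with a Microsoft-looking name that Microsoft does not ship, matches what both answers found and is worth exporting before it is disabled. As the answer above notes, deleting the driver file alone did not help because the task simply dropped it again on the next logon.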
  3. Anonymous
    2021-12-02T22:19:10+00:00

    Hey hi, sorry for the late reply... No, unfortunately I don't have any sample (it was deleted as I restarted).


    2 people found this answer helpful.
  4. Reza-Ameri 45,816 Reputation points Volunteer Moderator
    2021-11-25T15:13:44+00:00

    Do you know how the malware got onto your device?

    Was it a website or an application?

    You shared a script; do you have a file or sample containing this script?

    Is it inside a file?

    Do you know the location for "Process Hacker 2"?


    1 person found this answer helpful.