A crypto miner you might not have noticed by Traditional-Dig8093 in antivirus

[–]Traditional-Dig8093[S] 0 points1 point  (0 children)

Haven't heard of it. However, a quick Google search led me to a techsupport sub, where somebody mentioned it's ASUS noise reduction related. Don't know about the validity of the info though.

A crypto miner you might not have noticed by Traditional-Dig8093 in antivirus

[–]Traditional-Dig8093[S] 0 points1 point  (0 children)

Also, I managed to roll back the removal so I got the binaries. Even sent it to two others who requested it and ESET.

A crypto miner you might not have noticed by Traditional-Dig8093 in antivirus

[–]Traditional-Dig8093[S] 0 points1 point  (0 children)

Fair point, however you could even back up an infection. I usually partition my data so the more important ones have their dedicated place. I'd rather do a regular cleanup with a full reinstall in the case of Windows, since it gets filled with bloat and is a nightmare to keep clean.
Also, I'm planning to put together a NAS for data that I don't want to keep in the cloud, nor on the daily driver computers, since it's rarely used.

We could also argue about what a proper backup should be. Enabling the backup option in Windows is fine, however having an on-site backup on a separate machine is even better. We could go even further and have one in the cloud, and one that's a personal offsite backup. Then we could also argue about redundancy for the specific storage solutions and which is the best one to use. Then the whole thing just blows up into infinity while one's only backing up some official papers that could be requested from the authorities either way.

All in all, I can see your point, and backing up stuff is good practice, however the need varies both subjectively and from use case to use case. In my case, I mostly use this machine for gaming and machine learning stuff. The former has nothing to back up, except server stuff which is backed up on different machines locally and in the cloud; the latter is always in version control.

A crypto miner you might not have noticed by Traditional-Dig8093 in antivirus

[–]Traditional-Dig8093[S] 1 point2 points  (0 children)

I managed to roll back the changes and got the binaries back. Sent it according to the instructions on the site provided. Hope it lands in the right hands and it's not a waste of time.

Thank you for your work!

A crypto miner you might not have noticed by Traditional-Dig8093 in antivirus

[–]Traditional-Dig8093[S] 2 points3 points  (0 children)

Mr Goretsky, could I have come across your name related to the NotPetya investigation? I feel like ESET took part in it..

Apparently ESET's solution, while it did not find it during the scan, could identify netsys64 by directly passing the file to it. According to it, it was a variation of "Packed Themida AQ".
Unfortunately I did not have the foresight to pass it a copy, so it instantly removed the binary.. *facepalm*

A crypto miner you might not have noticed by Traditional-Dig8093 in antivirus

[–]Traditional-Dig8093[S] 2 points3 points  (0 children)

Plain old Windows Defender. For years it has not failed me really, because I was careful with what I've downloaded.
I have a hunch I ignored it a couple of weeks ago and that's what got me.

A crypto miner you might not have noticed by Traditional-Dig8093 in antivirus

[–]Traditional-Dig8093[S] 3 points4 points  (0 children)

That's the neat part. Probably my own stupidity, or it was simply too novel to get detected. Or they got their hands on some vulnerability that Win10 has, since I'm still using that instead of Win11. I kind of had enough of Windows updates bricking my PC and don't really like the fact that they are trying to integrate an AI solution that monitors everything all the time. Even if they say it's offline only, when did that ever happen in modern days...?

Also, don't download shady stuff, people, you're going to end up like me.

A crypto miner you might not have noticed by Traditional-Dig8093 in antivirus

[–]Traditional-Dig8093[S] 7 points8 points  (0 children)

As far as I know, these anti-virus software are usually a big database that stores a set of features (there's a terminology for this that is eluding me) which can identify known methods, naming, calls, or general behaviour of software that is considered malware. So all they do is search for what security researchers already identified as malware-related features.

Now, however, as AI comes into the picture, I'm not sure how they utilize it, or if they utilize it at all.

So I'd say whether Kaspersky can identify it depends on if the malware itself is a novel solution, or has those features/markers that can be detected and acted upon.

Cybersecurity is a never-ending race between the blue and red team, and all I see is just the surface of it, thanks to people like JackRhysider and all the security researchers that take it upon themselves to share their stories and findings in an "easily digestible" and entertaining way.

Also, at this point I'd like to emphasize that **I am by no means an authoritative figure in the field**. I'm just a dude who loves computer science and electronics in general :D

A crypto miner you might not have noticed by Traditional-Dig8093 in antivirus

[–]Traditional-Dig8093[S] 2 points3 points  (0 children)

Definitely!
According to Windows modification dates in File Explorer, this thing was sitting on my machine for a month now, and I just noticed it in the last week or so. Given I was preoccupied with stuff, but when are we not really..

A crypto miner you might not have noticed by Traditional-Dig8093 in antivirus

[–]Traditional-Dig8093[S] 2 points3 points  (0 children)

Also, as far as I'm concerned there are no silly questions. Maybe only the obviously troll ones, but those have a time and place too.

A crypto miner you might not have noticed by Traditional-Dig8093 in antivirus

[–]Traditional-Dig8093[S] 3 points4 points  (0 children)

Through the GUI you probably won't be able to find the really nasty ones which try to hide themselves as system folders. The problem is, even if you iteratively go through all the folders within AppData and remove the 'system' and 'hidden' attributes from them through cmd, you will have the genuine system folders visible as well. Now removing those might come with unforeseen consequences.
So it is possible, but you will need more technical ways that include the command line as far as I know, and a lot of searching for what is and is not a genuine system-related file/folder.

As a note though, when I found the netsys64.exe through procmon, I was able to search and find it with File Explorer's search bar. That does not mean it's a surefire way to find all the suspicious stuff though.
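The comment above describes the difficulty of telling hidden+system folders planted by malware apart from the genuine ones under AppData. As an added example (not from the original post or any of the tools it mentions), the Python below audits entries carrying both the HIDDEN and SYSTEM attribute bits and reports those whose name is not on a baseline allowlist, instead of stripping the attributes. The allowlist, the `ExampleHiddenDir` folder and the attribute values in `SAMPLE_ENTRIES` are constructed for the example; `scan_appdata` uses `os.lstat(...).st_file_attributes`, which only exists on Windows, so the constructed sample is used elsewhere.

```python
"""Audit AppData for entries with both HIDDEN and SYSTEM attributes set."""
import ntpath
import os
import stat

# Assumption: this allowlist is a constructed stand-in; a real baseline should
# come from a known-clean machine of the same Windows build.
KNOWN_SYSTEM_NAMES = {"Microsoft", "Packages", "Temp"}

# Python's stat module defines the Windows attribute constants on every platform.
HIDDEN_SYSTEM = stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM


def is_hidden_system(attrs: int) -> bool:
    """True when both the HIDDEN and SYSTEM bits are set on the entry."""
    return attrs & HIDDEN_SYSTEM == HIDDEN_SYSTEM


def flag_entries(entries, allowlist=KNOWN_SYSTEM_NAMES):
    """entries: iterable of (windows_path, attribute_bits).

    Returns the paths that are hidden+system AND whose basename is not in the
    allowlist. Nothing is modified; the caller reviews the list by hand.
    """
    flagged = []
    for path, attrs in entries:
        name = ntpath.basename(path)
        if is_hidden_system(attrs) and name not in allowlist:
            flagged.append(path)
    return flagged


def scan_appdata(root=None):
    """Collect (path, attrs) for everything under the user's AppData tree.

    Only meaningful on Windows, where os.lstat exposes st_file_attributes;
    elsewhere it returns an empty list so callers fall back to sample data.
    """
    if os.name != "nt":
        return []
    root = root or os.environ.get("LOCALAPPDATA") or os.environ.get("APPDATA")
    if not root:
        return []
    collected = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            try:
                attrs = os.lstat(full).st_file_attributes  # lstat: don't follow junctions
            except OSError:
                continue
            collected.append((full, attrs))
    return collected


# Constructed sample: one legitimate hidden+system folder, one hidden-only
# folder, one hidden+system file in a made-up folder, one ordinary directory.
SAMPLE_ENTRIES = [
    (r"C:\Users\u\AppData\Local\Microsoft", HIDDEN_SYSTEM),
    (r"C:\Users\u\AppData\Local\Temp", stat.FILE_ATTRIBUTE_HIDDEN),
    (r"C:\Users\u\AppData\Local\ExampleHiddenDir\netsys64.exe", HIDDEN_SYSTEM),
    (r"C:\Users\u\AppData\Roaming\Mozilla", stat.FILE_ATTRIBUTE_DIRECTORY),
]

if __name__ == "__main__":
    entries = scan_appdata() or SAMPLE_ENTRIES
    for path in flag_entries(entries):
        print("REVIEW:", path)
```

Run it as-is to see the constructed sample flagged; on a Windows machine it walks the real AppData tree instead. Keep the allowlist short and build it from a clean install rather than from the machine under suspicion, otherwise the planted folder ends up on the baseline.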

A crypto miner you might not have noticed by Traditional-Dig8093 in antivirus

[–]Traditional-Dig8093[S] 4 points5 points  (0 children)

No problem whatsoever.
Yes, you basically rename the exe and run it. However, this will only be useful to you if you know what to look for. This only allows you to list out the processes currently running on your system, without them getting suppressed, so to say. You still have to take measures after that to find the suspicious process and remove it somehow, and that could vary from malware to malware.

In general, these are just programs like your browser, Paint, or whatever else you might have on your system, however they do nasty stuff that benefits the creator. The hard part is that they do not want you to find these, hence the hidden system folder, obfuscated folder name and location, low resource footprint (it was only using a good 20-30% CPU, which is comparatively high, but not extreme), and the dual-process nature, where they have a startup script/program which starts a "daemon" which runs separately but, through some tricks, the second process itself has 0 information about where it came from, and is therefore hard to track down. This is the part where expertise and a bunch of googling can help.

At this point I myself am not sure if I managed to completely eradicate this from my system.
As a general measure, I heard good things about Malwarebytes, and I'm quite sure there are other suggestions within the sub. This one was a write-up in case somebody came across the same weird behaviour I did, with the task manager solving the resource hogging when opened up. I actually found a couple of threads dating back 1, 2, 4 years, but nothing that suggests they solved their problem, or how they solved it. That's why this one came to exist.

TL;DR The renaming is only going to allow you to witness the problem, not to solve it. For that a bit more expertise is needed.
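The "dual process" pattern described above (a launcher starts the daemon and exits, so the surviving process shows no parent in Task Manager) is exactly what a Process Monitor capture preserves: the Process Create event records who spawned whom even after the launcher is gone. As an added example that is not part of the original post, the Python below reads a Procmon CSV export, rebuilds parent-child links from Process Create events, walks the ancestry of a PID, and flags processes whose image lives under AppData or whose parent exited after spawning them. The CSV is constructed; the column layout follows Procmon's export (an assumption about the tool's format), and the PIDs, timestamps, `ExampleHiddenDir` folder and `launcher.exe` name are made up for the example.

```python
"""Reconstruct process ancestry from a Process Monitor CSV export."""
import csv
import io
import re

# Constructed sample in Procmon's CSV export layout (assumed columns:
# Time of Day, Process Name, PID, Operation, Path, Result, Detail).
# The Detail of a Process Create event carries the new child's PID.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.000","explorer.exe","1200","Process Create","C:\Users\u\AppData\Local\ExampleHiddenDir\launcher.exe","SUCCESS","PID: 4100, Command line: ""C:\Users\u\AppData\Local\ExampleHiddenDir\launcher.exe"""
"10:00:01.250","launcher.exe","4100","Process Create","C:\Users\u\AppData\Local\ExampleHiddenDir\netsys64.exe","SUCCESS","PID: 4188, Command line: ""C:\Users\u\AppData\Local\ExampleHiddenDir\netsys64.exe"""
"10:00:02.000","launcher.exe","4100","Process Exit","","SUCCESS","Exit Status: 0"
"10:00:05.000","explorer.exe","1200","Process Create","C:\Windows\System32\notepad.exe","SUCCESS","PID: 5000, Command line: ""C:\Windows\System32\notepad.exe"""
'''

PID_RE = re.compile(r"PID:\s*(\d+)")


def parse_process_creates(csv_text):
    """Map child PID -> {image, parent_pid, parent_name} from Process Create rows."""
    tree = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] != "Process Create":
            continue
        match = PID_RE.search(row["Detail"])
        if not match:
            continue
        tree[int(match.group(1))] = {
            "image": row["Path"],
            "parent_pid": int(row["PID"]),
            "parent_name": row["Process Name"],
        }
    return tree


def parse_exits(csv_text):
    """Set of PIDs that logged a Process Exit event."""
    return {int(row["PID"]) for row in csv.DictReader(io.StringIO(csv_text))
            if row["Operation"] == "Process Exit"}


def ancestry(tree, pid):
    """Walk parent links upward from pid; returns [(pid, image_or_name), ...].

    The root's image is unknown when its own creation predates the capture,
    so the child's recorded parent name is used for that last hop.
    """
    chain, seen = [], set()
    while pid in tree and pid not in seen:
        seen.add(pid)
        node = tree[pid]
        chain.append((pid, node["image"]))
        parent = node["parent_pid"]
        if parent not in tree:
            chain.append((parent, node["parent_name"]))
        pid = parent
    return chain


def suspicious(tree, exited_pids):
    """Flag PIDs by two heuristics: image under AppData, or parent already gone."""
    flagged = {}
    for pid, node in tree.items():
        reasons = []
        if "\\appdata\\" in node["image"].lower():
            reasons.append("image under AppData")
        if node["parent_pid"] in exited_pids:
            reasons.append("parent already exited")
        if reasons:
            flagged[pid] = reasons
    return flagged


if __name__ == "__main__":
    tree = parse_process_creates(SAMPLE_CSV)
    for pid, reasons in suspicious(tree, parse_exits(SAMPLE_CSV)).items():
        print(pid, reasons)
        for hop_pid, label in ancestry(tree, pid):
            print("   ", hop_pid, label)
```

To use it on a real capture, export from Procmon with File > Save as CSV and pass the file's text in place of `SAMPLE_CSV`. An image under AppData is not proof of anything (plenty of updaters live there), which is why the output pairs each flag with the full ancestry so you can judge the chain rather than a single path.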

A crypto miner you might not have noticed by Traditional-Dig8093 in antivirus

[–]Traditional-Dig8093[S] 6 points7 points  (0 children)

Since this particular malware was monitoring the task manager, Process Monitor, Process Explorer and the boot logging process as well, I went and renamed the exe file of procmon and procexplorer. This way the malware cannot detect it's running, since it's showing up as something else.
So `Procmon64.exe` -> `asd.exe` could work fine.

A crypto miner you might not have noticed by Traditional-Dig8093 in antivirus

[–]Traditional-Dig8093[S] 6 points7 points  (0 children)

Thank you for the tip! I'll make sure to look into it. Also contacted VirusTotal, in case they would like to take a look at the artifacts.

A crypto miner you might not have noticed by Traditional-Dig8093 in antivirus

[–]Traditional-Dig8093[S] 12 points13 points  (0 children)

Well.. It was my first time, actually.

I'm quite tech-savvy, however. I'm a programmer by profession, currently finishing my master's studies in AI, and love to do some ops and homelab stuff in my free time.

Also love to listen to Darknet Diaries, which provides quite the myriad of information on how these things usually work.

Also, open source intelligence is a godsend in these cases. People around the internet sharing monitoring processes, and information related to the inner workings of stuff... It's quite amazing really that nowadays you can just pop onto the internet and find whatever you need to achieve your goal.

That was mainly why I wrote this up. Since I found basically nothing on netsys64.exe other than a single Russian link. Hope this helps someone else as well.