minerd.exe - CPU Cryptocurrency Miner (Cryptominer) [2026]
minerd.exe is a CPU-based cryptocurrency miner. Almost always indicates unauthorized cryptomining activity when found on enterprise systems. High-priority indicator of compromise.
Risk Summary
| Factor | Assessment |
|---|---|
| Detection Difficulty | Low |
| Abuse Potential | Critical |
| Prevalence | Common in attacks |
| Risk Score | 95/100 |

minerd.exe is a cryptocurrency miner that is almost never legitimate in enterprise environments.
Overview
What is minerd.exe?
minerd.exe is a CPU-based cryptocurrency mining application, part of the cpuminer project. It mines cryptocurrencies like Monero, Bitcoin, and others using CPU resources.
Key Characteristics
| Attribute | Value |
|---|---|
| File Name | minerd.exe |
| Type | Cryptocurrency Miner |
| Category | Cryptojacking Tool |
| Typical Size | 500KB - 2MB |
| Origin | Open-source cpuminer project |
Technical Details
| Property | Description |
|---|---|
| Process Type | User Application |
| CPU Usage | Very High (near 100%) |
| Network Activity | Mining pool connections |
| Legitimate Use | Personal mining (rare) |
minerd.exe is the classic CPU miner and its presence on enterprise systems is almost always malicious.
Normal Behavior
When Legitimately Used
```text
# Legitimate mining (rare in enterprise)
minerd.exe -a scrypt -o stratum+tcp://pool.example.com:3333 -u wallet -p x

# Common arguments
-a [algorithm]   Algorithm (sha256d, scrypt, etc.)
-o [url]         Mining pool URL
-u [user]        Pool username/wallet
-t [threads]     Number of CPU threads
```
Expected Characteristics (If Legitimate)
| Aspect | Expected Behavior |
|---|---|
| User Context | Deliberate user installation |
| CPU Usage | 90-100% (by design) |
| Network | Mining pool connections |
| Location | User-controlled directory |
Important: Legitimate use in enterprise environments is extremely rare.
Common Locations
```text
C:\Users\<user>\Downloads\minerd.exe
C:\Temp\minerd.exe
C:\ProgramData\minerd.exe
C:\Windows\Temp\minerd.exe
```
Suspicious Indicators
Red Flags (Almost Always Malicious)
| Indicator | Concern Level | Description |
|---|---|---|
| Presence on system | Critical | Almost always unauthorized |
| Enterprise environment | Critical | Never legitimate in corporate environments |
| Hidden location | Critical | Attempting to evade detection |
| Running as service | Critical | Persistence mechanism |
| Renamed binary | Critical | Evasion attempt |
Cryptojacking Indicators
Cryptojacking Signs:
- High sustained CPU usage
- Fan noise/system slowdown
- Network to mining pools
- Unknown scheduled tasks
- Process with mining arguments
Common Mining Pools
| Pool Domain | Cryptocurrency |
|---|---|
| pool.minexmr.com | Monero |
| xmrpool.eu | Monero |
| pool.supportxmr.com | Monero |
| stratum.* | Various |
Abuse Techniques
Cryptojacking Attack
Typical Attack Flow:
1. Initial compromise (phishing, exploit)
2. Download minerd.exe
3. Configure for attacker wallet
4. Establish persistence
5. Mine cryptocurrency continuously
6. Resources stolen from victim
Deployment Methods
| Method | Implementation |
|---|---|
| Dropper | Malware downloads miner |
| Exploit Kit | Auto-downloads after exploit |
| Supply Chain | Bundled with compromised software |
| Insider | Intentional installation |
Evasion Techniques
:: Common evasion methods
rename minerd.exe svchost.exe
minerd.exe --cpu-priority 1 (Lower priority to avoid detection)
taskkill when user active, restart when idle
Persistence Methods
Persistence Mechanisms:
- Scheduled task
- Registry Run key
- Service installation
- Startup folder
- WMI subscription
Detection Guidance
Sysmon Configuration
```xml
<!-- Fragment: place inside the <EventFiltering> element of a full Sysmon configuration -->
<RuleGroup name="Cryptominer Detection" groupRelation="or">
  <ProcessCreate onmatch="include">
    <Image condition="contains">minerd</Image>
    <CommandLine condition="contains">stratum+tcp</CommandLine>
    <CommandLine condition="contains">-o pool</CommandLine>
  </ProcessCreate>
  <NetworkConnect onmatch="include">
    <DestinationPort condition="is">3333</DestinationPort>
    <DestinationPort condition="is">14444</DestinationPort>
  </NetworkConnect>
</RuleGroup>
```
Sigma Rule
```yaml
title: Cryptocurrency Miner Execution
status: stable
logsource:
  product: windows
  category: process_creation
detection:
  selection_name:
    Image|endswith:
      - '\minerd.exe'
      - '\xmrig.exe'
      - '\cpuminer.exe'
  selection_args:
    CommandLine|contains:
      - 'stratum+tcp'
      - '-o pool'
      - '--donate-level'
      - '-a cryptonight'
  condition: selection_name or selection_args
falsepositives:
  - Legitimate mining (verify with IT)
level: critical
```
KQL Query
```kusto
// Detect cryptominer processes
DeviceProcessEvents
| where FileName in~ ("minerd.exe", "xmrig.exe", "cpuminer.exe") or
    ProcessCommandLine has_any ("stratum+tcp", "pool.", "-a cryptonight", "--donate-level")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName

// Mining pool connections
DeviceNetworkEvents
| where RemotePort in (3333, 14444, 45560) or
    RemoteUrl has_any ("pool.", "xmr.", "mining.")
| project Timestamp, DeviceName, RemoteIP, RemoteUrl, InitiatingProcessFileName
```
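The Sigma and KQL logic above is easy to state but worth seeing applied to concrete events, and the Scope Assessment checklist further down asks for the wallet address, which the raw alert does not give you. The following is an added example, not code from the original page or from the cpuminer project: it applies the same selections (miner image names, mining arguments, well-known pool ports, staging directories from the Common Locations list) to constructed process-creation events and parses cpuminer-style `-a`/`-o`/`-u`/`-t` arguments to recover pool host, port and wallet. The event field names (`Image`, `CommandLine`), the sample paths and the wallet strings are constructed assumptions.

```python
"""Added example (not part of the original page or the cpuminer project):
Sigma-style triage of process-creation events plus cpuminer argument parsing."""
from urllib.parse import urlparse

# Selections taken from the Sigma rule on this page; compared case-insensitively.
MINER_IMAGES = ("\\minerd.exe", "\\xmrig.exe", "\\cpuminer.exe")
MINER_ARGS = ("stratum+tcp", "-o pool", "--donate-level", "-a cryptonight")
MINING_PORTS = {3333, 14444, 45560}
# Staging directories from the "Common Locations" list on this page.
STAGING_DIRS = ("\\downloads\\", "\\temp\\", "\\programdata\\")

# Constructed sample events (assumed field names mirror the Sysmon/KQL fields used above).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\Temp\minerd.exe",
     "CommandLine": "minerd.exe -a scrypt -o stratum+tcp://pool.example.com:3333 -u WALLET_PLACEHOLDER_4ABC -p x -t 4"},
    {"Image": r"C:\ProgramData\svchost.exe",
     "CommandLine": "svchost.exe -o stratum+tcp://xmrpool.eu:14444 -u WALLET_PLACEHOLDER_48XX --donate-level 1"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
    {"Image": r"C:\Program Files\Git\usr\bin\ssh.exe",
     "CommandLine": "ssh -o ProxyCommand=none user@host.example"},
]


def matches_sigma(event):
    """Same logic as the Sigma rule: selection_name OR selection_args."""
    image = event["Image"].lower()
    cmd = event["CommandLine"].lower()
    return image.endswith(MINER_IMAGES) or any(a in cmd for a in MINER_ARGS)


def parse_miner_args(cmdline):
    """Extract algorithm, pool URL/host/port, wallet and thread count from a
    cpuminer-style command line (assumes no quoted arguments containing spaces)."""
    tokens = cmdline.split()
    info = {"algorithm": None, "pool_url": None, "pool_host": None,
            "pool_port": None, "wallet": None, "threads": None}
    short = {"-a": "algorithm", "-o": "pool_url", "-u": "wallet", "-t": "threads"}
    long_ = {"--algo": "algorithm", "--url": "pool_url", "--user": "wallet", "--threads": "threads"}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        key = value = None
        if tok in short and i + 1 < len(tokens):          # -o URL
            key, value = short[tok], tokens[i + 1]
            i += 1
        elif "=" in tok and tok.split("=", 1)[0] in long_:  # --url=URL
            name, value = tok.split("=", 1)
            key = long_[name]
        elif tok in long_ and i + 1 < len(tokens):        # --url URL
            key, value = long_[tok], tokens[i + 1]
            i += 1
        if key:
            info[key] = value
        i += 1
    if info["pool_url"]:
        parsed = urlparse(info["pool_url"])  # handles the stratum+tcp:// scheme
        info["pool_host"] = parsed.hostname
        info["pool_port"] = parsed.port
    if info["threads"] and info["threads"].isdigit():
        info["threads"] = int(info["threads"])
    return info


def triage(events):
    """One finding per suspicious event, with reasons and the scoping data
    (pool, wallet) the Scope Assessment checklist asks for."""
    findings = []
    for ev in events:
        image = ev["Image"].lower()
        reasons = []
        if matches_sigma(ev):
            reasons.append("matches Sigma selection (image name or mining arguments)")
        args = parse_miner_args(ev["CommandLine"])
        if args["pool_host"]:
            reasons.append("pool URL passed via -o/--url")
        if args["pool_port"] in MINING_PORTS:
            reasons.append("well-known mining pool port %d" % args["pool_port"])
        if reasons and any(d in image for d in STAGING_DIRS):
            reasons.append("binary runs from a staging directory")
        if reasons and not image.endswith(MINER_IMAGES):
            reasons.append("mining behaviour under a non-miner name (possible renamed binary)")
        if reasons:
            findings.append({"image": ev["Image"], "reasons": reasons,
                             "pool": args["pool_host"], "wallet": args["wallet"]})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["image"], "->", f["pool"], f["wallet"], "; ".join(f["reasons"]))
```

The renamed-binary reason is what catches the second sample: the image is `svchost.exe`, so the Sigma name selection misses it, but the pool argument and the port 14444 still fire and the `ProgramData` path adds weight. The `ssh -o ProxyCommand=…` sample shows why the rule uses `-o pool` rather than a bare `-o`. Pool host and wallet are the two values to carry into the scoping questions below (wallet reuse across hosts ties separate infections to one campaign).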
Remediation Steps
Immediate Actions
```powershell
# Kill miner processes
Get-Process | Where-Object { $_.Name -match "minerd|xmrig|miner" } | Stop-Process -Force
# Find and remove (run elevated; -Force includes hidden files)
Get-ChildItem -Path C:\ -Recurse -File -Force -Filter "minerd.exe" -ErrorAction SilentlyContinue | Remove-Item -Force
# Check scheduled tasks (the pool URL usually sits in Arguments, not Execute, so check both)
Get-ScheduledTask | Where-Object { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -match "miner|stratum" }
# Check services (Get-Service objects have no PathName property; Win32_Service does)
Get-CimInstance Win32_Service | Where-Object { $_.PathName -match "miner" }
```
Remove Persistence
```powershell
# Remove scheduled tasks whose action or arguments reference a miner or a stratum pool
Get-ScheduledTask | Where-Object { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -match "miner|stratum" } | Unregister-ScheduledTask -Confirm:$false
# Check Run keys (per-user and machine-wide); match on each value, not on the whole object
foreach ($key in "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run", "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run") {
    (Get-ItemProperty $key).PSObject.Properties | Where-Object { $_.Value -match "miner|stratum" } |
        Select-Object @{n='Key';e={$key}}, Name, Value
}
# Remove services whose binary path references a miner
Get-CimInstance Win32_Service | Where-Object { $_.PathName -match "miner" } | ForEach-Object {
    Stop-Service -Name $_.Name -Force -ErrorAction SilentlyContinue
    sc.exe delete $_.Name
}
```
Full Remediation
| Step | Action |
|---|---|
| 1 | Kill all miner processes |
| 2 | Remove miner files |
| 3 | Remove persistence |
| 4 | Block mining pools |
| 5 | Investigate initial access |
| 6 | Full malware scan |
Investigation Checklist
Initial Triage
- Confirm minerd.exe presence
- Identify all miner processes
- Check CPU usage patterns
- Network connections to pools?
Scope Assessment
- How many systems affected?
- When did mining start?
- What is the wallet address?
- How much was mined?
Persistence Check
- Scheduled tasks?
- Registry Run keys?
- Services created?
- Startup folder entries?
Root Cause
- Initial access vector?
- Related malware?
- User responsible?
- Vulnerability exploited?
Evidence Collection
```powershell
# Collect evidence (Get-Process .CPU is total processor seconds, not a percentage, so rank by it)
Get-Process | Sort-Object CPU -Descending | Select-Object -First 20 Name, Id, CPU, Path | Export-Csv miners.csv -NoTypeInformation
# -o adds the owning PID; findstr treats space-separated patterns as alternatives
netstat -ano | findstr ":3333 :14444 :45560" > connections.txt
# Flatten task actions so the CSV keeps the command and its arguments
Get-ScheduledTask | Select-Object TaskName, TaskPath, State, @{n='Execute';e={$_.Actions.Execute -join ';'}}, @{n='Arguments';e={$_.Actions.Arguments -join ';'}} | Export-Csv tasks.csv -NoTypeInformation
```
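The `netstat | findstr ":3333 :14444"` line above is a quick filter, but it matches the substring anywhere on the line, so a local ephemeral port such as 33330 or a remote port 14444x would also match, and it does not tell you which process owns the socket. The following is an added example, not code from the original page: it parses `netstat -ano` output field by field (local and foreign endpoints, state, PID), handles IPv4, IPv6 and UDP rows, and reports only connections whose foreign port is one of the pool ports listed on this page, grouped by PID so the owning process can be pulled from the process CSV. The netstat text is constructed sample output, not a capture from a real host.

```python
"""Added example (not part of the original page): parse `netstat -ano` output and
group connections to well-known mining pool ports by owning PID."""
from collections import defaultdict

# Pool ports from the KQL query on this page.
MINING_PORTS = {3333, 14444, 45560}

# Constructed sample of `netstat -ano` output (documentation addresses, not a real host).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    10.0.0.5:49812         203.0.113.10:3333      ESTABLISHED     4120
  TCP    10.0.0.5:49820         198.51.100.7:443       ESTABLISHED     2210
  TCP    10.0.0.5:33330         198.51.100.9:443       ESTABLISHED     2210
  TCP    10.0.0.5:49833         203.0.113.22:14444     ESTABLISHED     4120
  TCP    [fe80::1%12]:49840     [2001:db8::9]:3333     SYN_SENT        5001
  UDP    0.0.0.0:5353           *:*                                    1180
"""


def split_endpoint(endpoint):
    """'203.0.113.10:3333' -> ('203.0.113.10', 3333); '[2001:db8::9]:3333' -> ('2001:db8::9', 3333);
    '*:*' -> ('*', None). Splitting on the last colon keeps IPv6 addresses intact."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return one dict per connection row; header and blank lines are skipped.
    UDP rows have no State column, so the PID is always taken from the last field."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        state = parts[3] if proto == "TCP" else ""
        lhost, lport = split_endpoint(local)
        rhost, rport = split_endpoint(foreign)
        rows.append({"proto": proto, "local_host": lhost, "local_port": lport,
                     "remote_host": rhost, "remote_port": rport,
                     "state": state, "pid": int(parts[-1])})
    return rows


def find_pool_connections(text, ports=MINING_PORTS):
    """Only the foreign (remote) port is compared, so a local port like 33330 never matches."""
    return [r for r in parse_netstat(text) if r["remote_port"] in ports]


def connections_by_pid(text, ports=MINING_PORTS):
    """{pid: [(remote_host, remote_port, state), ...]} for the Scope Assessment step."""
    grouped = defaultdict(list)
    for r in find_pool_connections(text, ports):
        grouped[r["pid"]].append((r["remote_host"], r["remote_port"], r["state"]))
    return dict(grouped)


if __name__ == "__main__":
    for pid, conns in sorted(connections_by_pid(SAMPLE_NETSTAT).items()):
        print(pid, conns)
```

Run it against a saved `netstat -ano > connections.txt` (`parse_netstat(open("connections.txt").read())`) and join the PIDs with the `Id` column of `miners.csv`; a PID that holds a pool connection and sits near the top of the CPU ranking is the process to image and preserve before killing it. The `SYN_SENT` row shows a miner still trying to reach a pool that has already been blocked, which is itself worth recording.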