Subject: My ANN thread keeps getting deleted — looking for guidance

[oxynaz]

My announcement thread for C64 Chain (an altcoin) in the Announcements (Altcoins) board has been deleted multiple times over the past week. Each time, I receive no notification or PM explaining which rule was violated.

I have reviewed the forum rules and guidelines and I believe the thread complies with them:
- Posted in Announcements (Altcoins)
- Written in English
- No referral links, no giveaways, no link shorteners
- Substantial content (specifications, technical details, source code links, FAQ)
- No duplicate posting across boards
- Only bumped once per 24 hours

I contacted a moderator who told me it was not them and suggested it might be a global moderator.

Could a staff member please let me know what rule I am breaking so I can correct it? I am happy to modify the thread to comply with the rules.

Thank you.

[logfiles]

It was probably because they suspected it to contain links to malicious files?

I found this report by @$crypto$ - https://bitcointalk.org/index.php?topic=5182222.msg66417277#msg66417277

If this is the case, then you are a bit lucky that your account has not been permanently banned. They usually ban accounts that are reported in that thread.

[FinneysTrueVision]

It was probably because they suspected it to contain links to malicious files?

I found this report by @$crypto$ - https://bitcointalk.org/index.php?topic=5182222.msg66417277#msg66417277

If this is the case, then you are a bit lucky that your account has not been permanently banned. They usually ban accounts that are reported in that thread.

Is it actually malware though? Only a small set of vendors on VirusTotal flagged it as malicious. He is promoting mining software for a fork of Monero. Even legitimate Monero software like Monero GUI get flagged by antivirus programs sometimes, especially older versions. This is what getmonero.org has to say:

Why is my antivirus/firewall flagging the Monero software i just downloaded as malware?

After you have downloaded the Monero software (GUI and CLI alike), your antivirus or firewall may flag the executables as malware. Some antiviruses only warn you about the possible menace, others go as far as silently removing your downloaded wallet / daemon. This likely happens because of the integrated miner, which is used for mining and for block verification. Some antiviruses may erroneously consider the miner as dangerous software and act to remove it.

The problem is being discussed and solutions are being elaborated. In the meantime, if you get a warning from your antivirus, make sure the software you downloaded is legitimate (see the guides linked below), then add an exception for it in your antivirus, so that it won't get removed or blocked. If you need assistance, feel free to contact the community.

[oxynaz]

Thank you for your reply, now it s clear, I have removed the premcompiled binaries from github, and will repost now.

The miner binary was flagged as malware. (false positive).

Best regards,

[philipma1957]

Thank you for your reply, now it s clear, I have removed the premcompiled binaries from github, and will repost now.

The miner binary was flagged as malware. (false positive).

Best regards,

I gave you a merit as you followed up.

Good luck with your software.

[albon]

I gave you a merit as you followed up.

Good luck with your software.

I decided to run a technical analysis on the C64 Chain Wallet within Windows Sandbox. I’ll just lay out the facts and the screenshots here, I'll let you guys be the final judge on this one.


As soon as I launched the "wallet, here is what I observed in Task Manager and System Informer:

As you can clearly see in these screenshots, the main process spawned sub-processes, and the Power Usage the second you launch it spiked to "Very High". c64chaind.exe alone consumed over 579 MB of RAM before I even touched a single button.






I caught the execution chain dropping files into into the system's Temp directory:



Another red flag, navigating to AppData\Local\Temp\3BTj5V0J4oKLCLRlexUwdotjTNQ\resources\bin\win, I discovered that the program is designed to run entirely from these temporary folders and delete itself upon closing to erase all evidence of its activity.



Here is the the dropped executables and their VirusTotal analysis results:

c64chaind.exe: -> [VirusTotal Result - 39/71 detections]



c64chain-wallet-rpc.exe: -> [VirusTotal Result - 36/68 detections]



c64chain-wallet-rpc.txt: (Configuration file)



c64miner.exe: (Hidden Miner) -> [VirusTotal Result - 46/71 detections, identifying as XMRig]

Is it actually malware though? Only a small set of vendors on VirusTotal flagged it as malicious. He is promoting mining software for a fork of Monero. Even legitimate Monero software like Monero GUI get flagged by antivirus programs sometimes, especially older versions. This is what getmonero.org has to say:

Note: As with most cryptocurrency miners, antivirus software may flag compiled binaries as false positives. This is common to all mining software based on RandomX/XMRig and is not specific to this project. Users are encouraged to review the source code and build from source.

The red flags are hitting us in the face here.. A legit wallet does not silently drop hidden executables into Temp folders and peg the CPU at 100 % the second you open it without asking for permission. It's a Cryptojacking and not a false positive. That’s not a mining feature either it's a hidden backdoored miner.

No need for a separate miner — just open your wallet, go to the Mining tab, enter your wallet address and hit Start.

This is not true. It's pretty obvious... that c64miner.exe initiates high-load mining activity immediately upon launching the wallet, before the user even interacts with the UI.
------------------------------
NOTE: Stay far away from this. It's a blatant malware/miner case and I've got the proof above.

[oxynaz]

Thank you for taking the time to do a technical analysis. I will address each point factually.
1. Files dropped into %AppData%\Local\Temp
This is standard behavior for every Electron-based application. Electron extracts its bundled resources into a temporary directory at launch. This is not specific to C64 Chain — you will observe identical behavior with VS Code, Discord, Exodus, and virtually every other Electron app. It is not "hiding" anything.
2. Files deleted on close
Again, standard Electron cleanup. The app removes its extracted temp files when it exits. This is documented Electron behavior, not evidence of anti-forensic activity.
3. c64chaind.exe — 579 MB RAM, 39/71 VirusTotal detections
c64chaind is a full CryptoNote node daemon. It loads the entire blockchain into memory on startup. 500+ MB is expected and normal for this type of software. The VirusTotal detections are false positives — CryptoNote/Monero-derived daemons are flagged by heuristic rules across all major AV vendors. This is documented and acknowledged by the Monero project itself.
4. c64miner.exe — 46/71 VirusTotal detections
c64miner is based on XMRig, the most widely used open-source CPU miner. XMRig is flagged by virtually every antivirus because the same binary is sometimes embedded in malware. The source code is fully public: github.com/oxynaz/c64chain-mainnet. The detection rate is identical to the official XMRig binary.
5. The central claim: "c64miner.exe initiates high-load mining immediately upon launching the wallet, before the user interacts with the UI"
This is factually incorrect. The miner binary is bundled with the wallet but does not execute until the user navigates to the Mining tab, enters a valid wallet address, and explicitly clicks the Start button. Both steps are required — if no wallet address is configured in the Mining tab, clicking Start does nothing. If you observed an immediate CPU spike at wallet launch, it came from c64chaind syncing the blockchain, not from the miner. I invite you to repeat the test with Process Monitor filtering specifically on c64miner.exe process creation — you will find it does not spawn at wallet launch.
The wallet is open source. The behavior is exactly as documented. I understand the concern — XMRig detections look alarming — but this is a known and documented false positive that affects all RandomX-based mining software including the official Monero GUI wallet.


I want to add one more point. When the user clicks Start in the Mining tab, a process explicitly named "XMRig miner" appears in Windows Task Manager at the expected CPU usage. When the user clicks Stop, the process terminates immediately.
A hidden cryptojacker does not label itself "XMRig miner" in Task Manager. A hidden cryptojacker does not stop when the user clicks a button. This is a miner that runs when you ask it to run, and stops when you ask it to stop. Anyone can verify this in 30 seconds by running the wallet and checking Task Manager themselves.


I want to add a few more points.
On the architecture of the wallet:
The Electron wallet bundles three components that all launch together: the node daemon (c64chaind.exe), the wallet RPC server (c64chain-wallet-rpc.exe), and the miner (c64miner.exe). This is not suspicious — it is the standard architecture for a self-contained CryptoNote wallet:

c64chaind.exe is the full node. It syncs the blockchain on startup, which explains the high RAM usage and CPU activity immediately upon launch.
c64chain-wallet-rpc.exe is the wallet RPC server. Without it, the wallet UI has no way to create transactions, check balances, or do anything wallet-related. It binds on 127.0.0.1:19740 — localhost only, not exposed to the network.
c64miner.exe is bundled but does not start automatically. It only executes when the user navigates to the Mining tab, enters a valid wallet address, and clicks Start.

The fact that everything communicates over 127.0.0.1 (localhost) is visible in the logs and confirms there is no external communication happening without user knowledge.
On the XMRig process:
When the user clicks Start in the Mining tab, a process explicitly named "XMRig miner" appears in Windows Task Manager. When the user clicks Stop, it terminates immediately. A hidden cryptojacker does not label itself "XMRig miner" in Task Manager. A hidden cryptojacker does not stop when the user clicks a button. Anyone can verify this in 30 seconds by running the wallet and checking Task Manager themselves.

[LoyceV]

As you can clearly see in these screenshots, the main process spawned sub-processes, and the Power Usage the second you launch it spiked to "Very High". c64chaind.exe alone consumed over 579 MB of RAM before I even touched a single button.

What does "very high power usage" mean in Windows? It's using 3.8% CPU, that doesn't look like it's running a miner. And 579 MB is unfortunately nothing special for the smallest thing with shitty coding. About the sub-processes: isn't that normal for anything that's multi-threaded?

I discovered that the program is designed to run entirely from these temporary folders and delete itself upon closing to erase all evidence of its activity.

How bad is that? Electrum AppImage for instance does the same.

Here is the the dropped executables and their VirusTotal analysis results:

I see a lot of lines about being a miner. But that's what the software is supposed to do. Would VirusTotal say the same about for instance monero-wallet-gui?

The red flags are hitting us in the face here.. A legit wallet does not silently drop hidden executables into Temp folders and peg the CPU at 100 % the second you open it without asking for permission.

Feather wallet also consumes high CPU at the start, Bitcoin Core does the same.

It's a Cryptojacking and not a false positive. That’s not a mining feature either it's a hidden backdoored miner.

In that case: how do you explain the 3.8% CPU consumption on your screenshot? I'd expect a miner to use all available resources continuously.

It loads the entire blockchain into memory on startup.

That's not very future-proof.

@albon: I'm no expert on malware, but oxynaz' explanation sounds plausible to me.

[albon]

Honestly, I wasn’t even planning to respond to you again @oxynaz, but since you’re using AI-style arguments to try to brush off the evidence I already showed and now that LoyceV replied here, I’ll address your claims one last time

1. Files dropped into %AppData%\Local\Temp
This is standard behavior for every Electron-based application......

Nice try, but Electron apps use Temp for cache and session stuff, they don't randomly extract and run binaries from there. That’s not normal behavior at all. .

3. c64chaind.exe — 579 MB RAM, 39/71 VirusTotal detections
c64chaind is a full CryptoNote node daemon. It loads the entire blockchain into memory on startup.

Loading the whole blockchain into memory? That just doesn’t make sense as no legit node especially Bitcoin-based loads everything into RAM. They use disk-based databases. This honestly just sounds like you’re trying to explain it away.

The miner binary is bundled with the wallet but does not execute until the user navigates to the Mining tab, enters a valid wallet address, and explicitly clicks the Start button.

Well, my ProcMon logs say otherwise. and the processes spawned the second I opened the wallet. no clicks, no input, nothing.

Check the video evidence for yourself: -> https://streamable.com/wh7ohc

Command Line: C:\Users\WDAGUtilityAccount\AppData\Local\Temp\3BTj5V0J4oKLCLRIexUwdotjTNQ\resources\bin\win\c64chaind.exe --rpc-bind-port=19641 --data-dir=C:\Users\WDAGUtilityAccount\AppData\Roaming\c64chain-wallet\c64chain --non-interactive --log-level=1 --no-zmq

The video at 04:33, you can clearly see the --non-interactive flag in the command line of c64chaind.exe. It literally tells the program to run in the background without asking for anything.





It shows the wallet instantly launching hidden processes and the miner from the Temp folder. No buttons clicked, no consent given. It’s all right there.

In that case: how do you explain the 3.8% CPU consumption on your screenshot? I'd expect a miner to use all available resources continuously.

@LoyceV, yeah that’s actually a fair point.. More advanced miners don’t just go 100% right away.. They often start low to avoid detection, then gradually increase usage over time. In this case, seeing Power Usage -> Very High while CPU usage is only -> 3.8% suggests there’s background activity that isn’t immediately visible. BTW, a lot of miners are designed to avoid detection. They keep CPU usage low at the start, then ramp it up later when the system is idle.

I see a lot of lines about being a miner. But that's what the software is supposed to do. Would VirusTotal say the same about for instance monero-wallet-gui?

Look closely at the "Threat Categories" in the VirusTotal sandbox analysis for C64



A clean miner like Monero GUI gets flagged as Miner or PUA (Riskware). But C64? It’s explicitly tagged as a Trojan. Three major sandboxes, Zenbox, CAPE, and C2AE, didn't just find a miner, they flagged the whole thing as MALWARE. These systems monitor behavior in real time, and what they saw lines up exactly with what I saw in ProcMon.

-----------------------------------------------------------------------
At the end, I’ll let the community and @LoyceV look at the facts and decide for themselves. The data is right there, and it doesn't lie.

[oxynaz]

Before anything else, I have a simple and direct question: can you indicate the exact timestamp in your video where c64miner.exe activates and pegs the CPU, without any mining action being triggered by the user? I watched the video carefully, multiple times, and I cannot see it. No miner process appears. No mining starts. The CPU does not spike to 100%. The user does not even create a wallet or navigate to the Mining tab. If your claim is accurate, pointing to the exact timestamp should take you 10 seconds.

Regarding --non-interactive: this flag is standard for daemon mode in all CryptoNote/Monero-derived software. It means the process does not prompt for keyboard input because it is managed programmatically by the Electron parent process. This is precisely the point of a GUI wallet — the user should never have to type commands or confirm anything in a terminal. Syncing a node requires no user input whatsoever. --non-interactive simply reflects that reality. It has nothing to do with hiding activity.

Regarding the VirusTotal detections: the official XMRig project itself is flagged by 40 antivirus engines on VirusTotal — this is documented in their own GitHub issue tracker: https://github.com/xmrig/xmrig/issues/1945. The Monero project officially acknowledges the same problem with their own wallet and miner on their FAQ page: https://www.getmonero.org/get-started/faq/#antivirus — they explicitly state this is because of the integrated miner being flagged by antivirus software as a false positive.

If you want a simple, reproducible, and factual test: open the wallet, create a wallet address, paste it into the Mining tab, and click Start. You will then see c64miner.exe spawn in Task Manager under the name "XMRig miner", and CPU usage will climb. Then click Stop — the process terminates immediately. That is the only way the miner starts. It does not start by itself. Ever.

As for the broader picture: C64 Chain currently has ~400 active miners across 5 pools, is listed on 2 exchanges, and has a Discord community of 380 members. These are people who have run the software, inspected it, and chosen to use it. Are they all wrong? The source code is fully public on GitHub for anyone to audit independently: https://github.com/oxynaz/c64chain-mainnet

I would also welcome the opinion of other technical members of this community who have reviewed the video and the evidence presented. If anyone can identify the exact timestamp where c64miner.exe activates and consumes 100% CPU without any user action, please point it out. The facts should speak for themselves.

[oxynaz]

Regarding the Temp folder behavior: this is the standard and documented behavior of portable Electron apps built with electron-builder. When a portable Electron app launches on Windows, it extracts its entire content — including all bundled binaries — into a temporary folder under %AppData%\Local\Temp, runs from there, and cleans up on exit. This is not specific to C64 Chain. It is a known and documented behavior discussed in the official electron-builder GitHub repository, where other developers report the exact same thing happening with their own apps: https://github.com/electron-userland/electron-builder/issues/3841 and https://github.com/electron-userland/electron-builder/issues/8739. The claim that "Electron apps don't randomly extract and run binaries from Temp" is factually incorrect for portable builds — this is precisely how portable Electron apps work by design.

[albon]

The source code is fully public on GitHub for anyone to audit independently: https://github.com/oxynaz/c64chain-mainnet

I have the archived version of the files you posted earlier. The SHA-256 hashes don't match your new 'clean' versions.




My video and ProcMon logs were recorded using the files YOU provided at the start of this [archived thread].

Re-uploading files to hide your tracks is the ultimate admission of guilt. If the software was clean as you claimed, you wouldn't have felt the need to swap the binaries the second you were caught.

Original File Archived here -> https://archive.ph/KxE8l

C64.Chain.Wallet.1.1.1.exe | sha256:b655ff2cf8720aa7e08a91979f296392e9c1c78d65b5fc633b4108849c9da157

C64.Chain.Wallet.Setup.1.1.1.exe | sha256:097bc93c7c82e8d7d1e760c3b7da708b2ebf014ba00571f71217ee05dce461ea

Why change the binaries exactly after I posted the ProcMon logs? If the software was 'clean,' the hashes would remain identical. This is a clear attempt to hide the Trojan behavior I documented in my video.

[oxynaz]

The binaries were updated because a legitimate bug fix was applied to the wallet — specifically a correction to the UTXO consolidation and gamma picker logic, which affected sweep_all behavior. This is normal software development. The commit and the changes are fully visible in the public GitHub repository for anyone to inspect. There is nothing hidden.

If you want to compare with the exact version you tested, I keep backups before every non-incremental update. I can provide the original binary so you can verify the SHA-256 hash yourself.

But let's be clear: none of this is relevant to your central claim. Whether the binary was updated or not does not change the core question I have been asking since the beginning, and which you have still not answered:

At what exact timestamp in your video does c64miner.exe start by itself and peg the CPU to 100%, without the user navigating to the Mining tab, entering a wallet address, and clicking Start?

That is the only thing that matters. Everything else is noise.

[oxynaz]

The difference between the two versions is straightforward and visible to anyone who runs both: the new version adds a UTXO consolidation button in the Send tab. This feature was added because sending large amounts required consolidating UTXOs first — a well-known and common requirement in CryptoNote/Monero-based wallets. That is the update. Nothing else changed.

Anyone can verify this by simply running both versions side by side.

And once again — this is still not the point. The point remains the same:

At what exact timestamp in your video does c64miner.exe start by itself and peg the CPU to 100%, without the user navigating to the Mining tab, entering a wallet address, and clicking Start?

You posted the video here yourself. I watched it multiple times. I do not see it. Point to the timestamp. That is the only thing that matters.

[(BTC)]

The difference between the two versions is straightforward and visible to anyone who runs both: the new version adds a UTXO consolidation button in the Send tab. This feature was added because sending large amounts required consolidating UTXOs first — a well-known and common requirement in CryptoNote/Monero-based wallets. That is the update. Nothing else changed.

Anyone can verify this by simply running both versions side by side.

And once again — this is still not the point. The point remains the same:

At what exact timestamp in your video does c64miner.exe start by itself and peg the CPU to 100%, without the user navigating to the Mining tab, entering a wallet address, and clicking Start?

You posted the video here yourself. I watched it multiple times. I do not see it. Point to the timestamp. That is the only thing that matters.

Look man, tomorrow is April Fools. You have a chance to play this scam off as a joke and possibly save face.