
I recently had a seemingly random Run as Administrator request unrelated to my current actions (I was browsing Discord). The file originated from a temp folder, and before I could inspect the file the folder had disappeared. Should I be concerned? I am familiar with obviously scummy files and malicious code; however, this is not obvious to me just yet.


Log Name:      Windows PowerShell
Source:        PowerShell
Date:          2/28/2024 4:58:00 PM
Event ID:      400
Task Category: Engine Lifecycle
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      DESKTOP-LH7RC0M
Description:
Engine state is changed from None to Available. 

Details: 
	NewEngineState=Available
	PreviousEngineState=None

	SequenceNumber=13

	HostName=ConsoleHost
	HostVersion=5.1.19041.4046
	HostId=cdca8e4a-1e68-4b84-8349-fefbf523be1d
	HostApplication=powershell.exe Start-Process -FilePath 'C:\Users\Volk\AppData\Local\Temp\c31505e3a96357be5f6864f1325e67fb\execute.bat' -WindowStyle hidden -Verb runAs
	EngineVersion=5.1.19041.4046
	RunspaceId=4b820d32-4127-4324-97e2-2f25a29d9593
	PipelineId=
	CommandName=
	CommandType=
	ScriptName=
	CommandPath=
	CommandLine=
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="PowerShell" />
    <EventID Qualifiers="0">400</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>4</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2024-02-28T21:58:00.0667758Z" />
    <EventRecordID>10019</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>Windows PowerShell</Channel>
    <Computer>DESKTOP-LH7RC0M</Computer>
    <Security />
  </System>
  <EventData>
    <Data>Available</Data>
    <Data>None</Data>
    <Data>	NewEngineState=Available
	PreviousEngineState=None

	SequenceNumber=13

	HostName=ConsoleHost
	HostVersion=5.1.19041.4046
	HostId=cdca8e4a-1e68-4b84-8349-fefbf523be1d
	HostApplication=powershell.exe Start-Process -FilePath 'C:\Users\Volk\AppData\Local\Temp\c31505e3a96357be5f6864f1325e67fb\execute.bat' -WindowStyle hidden -Verb runAs
	EngineVersion=5.1.19041.4046
	RunspaceId=4b820d32-4127-4324-97e2-2f25a29d9593
	PipelineId=
	CommandName=
	CommandType=
	ScriptName=
	CommandPath=
	CommandLine=</Data>
  </EventData>
</Event>

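The part of the log worth reading is the HostApplication field: it records the exact command the PowerShell host was started with. The following script is an added example (not from the original post, and not part of any Malwarebytes tool) that parses the Event ID 400 XML shown above, pulls the key=value fields out of the third Data element, and reports which of the traits a defender would normally flag are present: a target under the user's Temp directory, a batch/script file rather than an executable, an elevation request (-Verb runAs), and a hidden window. The sample XML is taken from the post; the heuristic list and function names are this example's own assumptions, and a plain "powershell.exe" host line is included as a constructed benign contrast.

```python
import re
import xml.etree.ElementTree as ET

# Windows event-schema namespace used by the Event XML in the post.
NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Event XML copied from the post above (Event ID 400, Windows PowerShell log),
# trimmed to the elements this example reads.
SAMPLE_EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="PowerShell" />
    <EventID Qualifiers="0">400</EventID>
    <Channel>Windows PowerShell</Channel>
    <Computer>DESKTOP-LH7RC0M</Computer>
  </System>
  <EventData>
    <Data>Available</Data>
    <Data>None</Data>
    <Data>NewEngineState=Available
PreviousEngineState=None
HostName=ConsoleHost
HostVersion=5.1.19041.4046
HostApplication=powershell.exe Start-Process -FilePath 'C:\\Users\\Volk\\AppData\\Local\\Temp\\c31505e3a96357be5f6864f1325e67fb\\execute.bat' -WindowStyle hidden -Verb runAs
EngineVersion=5.1.19041.4046
CommandLine=</Data>
  </EventData>
</Event>"""


def parse_engine_event(xml_text):
    """Return the EventID and the key=value fields embedded in the Data elements."""
    root = ET.fromstring(xml_text)
    event_id = root.findtext(f"{NS}System/{NS}EventID")
    fields = {}
    for data in root.iter(f"{NS}Data"):
        for line in (data.text or "").splitlines():
            line = line.strip()
            if "=" in line:
                key, value = line.split("=", 1)
                fields[key] = value
    return {"event_id": int(event_id) if event_id else None, "fields": fields}


def assess_host_application(host_app):
    """Apply simple, assumption-labelled heuristics to a HostApplication string.

    Returns (target_path_or_None, list_of_findings).  These checks are this
    example's own; they are indicators to investigate, not a verdict.
    """
    findings = []
    match = re.search(r"-FilePath\s+'([^']+)'", host_app, re.IGNORECASE)
    path = match.group(1) if match else None
    if path and re.search(r"\\AppData\\Local\\Temp\\", path, re.IGNORECASE):
        findings.append("launched from user Temp directory")
    if path and path.lower().endswith((".bat", ".cmd", ".vbs", ".js", ".ps1")):
        findings.append("target is a batch/script file")
    if re.search(r"-Verb\s+runAs", host_app, re.IGNORECASE):
        findings.append("requests elevation (UAC prompt)")
    if re.search(r"-WindowStyle\s+hidden", host_app, re.IGNORECASE):
        findings.append("hidden window")
    return path, findings


def triage(xml_text):
    """Parse one Event ID 400 record and summarise what a responder should look at."""
    event = parse_engine_event(xml_text)
    host_app = event["fields"].get("HostApplication", "")
    path, findings = assess_host_application(host_app)
    return {
        "event_id": event["event_id"],
        "host": event["fields"].get("HostName"),
        "path": path,
        "findings": findings,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_EVENT_XML)
    print(f"Event {result['event_id']} from {result['host']}: target={result['path']}")
    for finding in result["findings"]:
        print(" -", finding)
    # Constructed benign contrast: an interactive console with no launch arguments.
    print("benign host line findings:", assess_host_application("powershell.exe")[1])
```

Run against the post's event this reports all four indicators, which is why the helper's next step is to collect full logs rather than rely on this one record: the folder is gone, so the remaining evidence (what created it, and what execute.bat did while elevated) has to come from other event channels and the FRST output.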

@vivalavolk 

Please do the following so that we may take a closer look at your system.

Do these two steps FIRST so that hidden files and folders are set to SHOW, and also turn OFF Windows Fast Start.

Show-Hidden-Folders-Files-Extensions
https://forums.malwarebytes.com/topic/299345-show-hidden-folders-files-extensions/

Disable-Fast-Startup
https://forums.malwarebytes.com/topic/299350-disable-fast-startup/

Then please restart the computer and then do the following.

WARNING: Do Not click the Repair option under Advanced unless requested by a Malwarebytes support agent or authorized helper

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool. The tool also downloads and runs a file called FRSTEnglish. Please allow it to run.
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine 

  • A zip file named mbst-grab-results.zip will be saved to the Desktop or to the hidden Public desktop (usually C:\Users\Public\Desktop); please upload that file in your next reply


Thank you


  • Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks
