FacexWorm Chrome Browser Extension Audit
Find Computers With the Cryptojacking Filled Extensions
Lansweeper’s performance scanning lets you scan detailed performance data from assets, such as CPU, memory, disk and network usage. These performance details can be vital in many scenarios, like preventing bottlenecks in your environment, migrating from physical hardware to a virtual environment, or migrating to the cloud. Additionally, you can keep an eye on the performance data of machines, which might indicate that cryptojacking software is present on a machine. You can find more ways to detect possible cryptojacking software in our cryptojacking blog post.
The report below is specifically crafted to closely monitor CPU usage over a 2-week period. It includes metrics such as the average CPU usage in the past 7 days, the average CPU usage in the previous week, and the average CPU usage during the day and during the night in the last 14 days.
FacexWorm Chrome Extension Audit Query
Select Top 1000000 tsysOS.Image As icon,
  tblAssets.AssetID,
  tblAssets.AssetName,
  tblAssets.Domain,
  tblAssets.Username,
  tblAssets.Userdomain,
  tblAssets.IPAddress,
  Case
    When SubQuery1.Valuename Is Not Null And SubQuery1.Valuename <> '' Then 'Yes'
    Else 'No'
  End As ExtensionsFound,
  Case
    When TsysLastscan.Lasttime < GetDate() - 1 Then 'Last registry scan more than 24 hours ago! Scanned registry information may not be up-to-date. Try rescanning this machine.'
  End As Comment,
  tblAssets.Lastseen,
  tblAssets.Lasttried,
  TsysLastscan.Lasttime As LastRegistryScan
From tblAssets
  Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
  Inner Join tsysOS On tsysOS.OScode = tblAssets.OScode
  Inner Join TsysLastscan On tblAssets.AssetID = TsysLastscan.AssetID
  Inner Join TsysWaittime On TsysWaittime.CFGCode = TsysLastscan.CFGcode
  Left Join (Select Top 1000000 tblRegistry.AssetID,
      tblRegistry.Regkey,
      tblRegistry.Valuename,
      tblRegistry.Value,
      tblRegistry.Lastchanged
    From tblRegistry
    Where tblRegistry.Regkey Like '%Software\Google\Chrome\PreferenceMACs\Default\extensions.settings'
      And (tblRegistry.Valuename = 'akoefpoebeaikfcpoghppjcnhklffcjm' Or
        tblRegistry.Valuename = 'ecfpnbgianoaiocjciahnkfognimimhf' Or
        tblRegistry.Valuename = 'fanjaialdpcmadoodgppaaaldpccaedc' Or
        tblRegistry.Valuename = 'jolmnflkapibjdpmiiofkopkdgklckll' Or
        tblRegistry.Valuename = 'kojocamkjcbpcnibahfhomfjnliglfeo')) SubQuery1 On SubQuery1.AssetID = tblAssets.AssetID
Where tblAssetCustom.State = 1
  And TsysWaittime.CFGname = 'registry'
Order By tblAssets.Domain,
  tblAssets.AssetName
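To confirm a result from the report on a single machine, the same registry check can be run locally. The PowerShell below is an added example, not part of the Lansweeper report: the function name Find-ListedChromeExtension is hypothetical, the extension IDs and registry path are taken from the query, and checking profiles other than Default assumes Chrome keeps one PreferenceMACs subkey per profile.

```powershell
# Extension IDs copied from the report query on this page.
$ListedIds = @(
    'akoefpoebeaikfcpoghppjcnhklffcjm',
    'ecfpnbgianoaiocjciahnkfognimimhf',
    'fanjaialdpcmadoodgppaaaldpccaedc',
    'jolmnflkapibjdpmiiofkopkdgklckll',
    'kojocamkjcbpcnibahfhomfjnliglfeo'
)

# Hypothetical helper: lists every listed extension ID found in the loaded user hives.
function Find-ListedChromeExtension {
    [CmdletBinding()]
    param([string[]]$ExtensionId = $ListedIds)

    # Each loaded user hive appears as HKEY_USERS\<SID>. Hives of users who are
    # not logged on are not loaded, so they are not inspected here.
    foreach ($hive in Get-ChildItem -LiteralPath 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
        $macs = "Registry::$($hive.Name)\Software\Google\Chrome\PreferenceMACs"
        if (-not (Test-Path -LiteralPath $macs)) { continue }

        # Assumption: one subkey per Chrome profile (Default, Profile 1, ...).
        foreach ($profileKey in Get-ChildItem -LiteralPath $macs -ErrorAction SilentlyContinue) {
            $settings = "Registry::$($profileKey.Name)\extensions.settings"
            if (-not (Test-Path -LiteralPath $settings)) { continue }

            # The report matches on value names, which are the extension IDs.
            $names = (Get-Item -LiteralPath $settings).GetValueNames()
            foreach ($id in ($names | Where-Object { $ExtensionId -contains $_ })) {
                [pscustomobject]@{
                    Computer    = $env:COMPUTERNAME
                    UserSid     = $hive.PSChildName
                    Profile     = $profileKey.PSChildName
                    ExtensionId = $id
                }
            }
        }
    }
}

# No output means none of the listed IDs were found in the loaded hives.
Find-ListedChromeExtension | Format-Table -AutoSize
```

Run it in the context of an account that can read the other users' hives; otherwise only the current user's hive is readable and the result is incomplete.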