Malware Log Analysis

shared / iku_kidochan

Start::
CloseProcesses:
Folder: C:\Users\petch\AppData\LocalLow\OneUp
Folder: C:\Users\petch\AppData\Local\Homu
File: C:\Users\petch\AppData\Roaming\ECX.ecx
C:\Users\petch\AppData\Roaming\2f050d00-f4b7-471e-a2bf-f2dee7b60e8b.tmp
C:\Users\petch\AppData\Roaming\e0a424b3-12d7-4b29-a4bb-8720aa1acd9e.tmp
HKLM\...\Run: [RZSurroundHelper] => C:\WINDOWS\system32\RZSurroundHelper.exe (No File)
HKU\S-1-5-21-516243441-1516239599-2232960906-1001\...\Run: [com.blitz.app] => "C:\Users\petch\AppData\Local\Programs\Blitz\Blitz.exe" --autostart (No File)
HKU\S-1-5-21-516243441-1516239599-2232960906-1001\...\Run: [ASRock A-Tuning] => [X]
HKU\S-1-5-21-516243441-1516239599-2232960906-1001\...\MountPoints2: {cbbb573f-1dd5-11f0-a72d-7085c2cf4dbf} - "E:\Setup.exe"
S3 cpuz158; \??\C:\WINDOWS\temp\cpuz158\cpuz158_x64.sys (No File) <==== ATTENTION
S1 dtytruvq; \??\C:\WINDOWS\system32\drivers\dtytruvq.sys (No File)
U4 npcap_wifi; no ImagePath
S4 NvModuleTracker; \SystemRoot\System32\DriverStore\FileRepository\nvmoduletracker.inf_amd64_ea6cec41fc5b2a8b\NvModuleTracker.sys (No File)
S3 SIUSBXP; \??\C:\Windows\system32\drivers\SiUSBXp.sys (No File)
2026-01-16 19:39 - 2026-01-16 19:39 - 000000048 ____R () C:\Users\petch\AppData\Local\0119AC2FC90D95AC063B177717B7B3B6
2025-02-28 22:41 - 2025-02-28 22:41 - 000000048 ___RH () C:\Users\petch\AppData\Local\13D1B6CB387E85040654D943206492DD
2025-02-28 22:46 - 2025-02-28 22:46 - 000000048 ___RH () C:\Users\petch\AppData\Local\2496A805DFEF1415DC09E8B53868CA9D
2024-01-19 19:27 - 2024-01-19 19:27 - 000006008 ____H () C:\Users\petch\AppData\Local\9560874769
2024-01-28 17:42 - 2024-01-28 17:42 - 000005350 ____H () C:\Users\petch\AppData\Local\9696189605
2024-12-20 23:05 - 2024-12-20 23:05 - 000000048 ___RH () C:\Users\petch\AppData\Local\EC25B210E0C8CCC17AB89C9061E9CAFD
CustomCLSID: HKU\S-1-5-21-516243441-1516239599-2232960906-1001_Classes\CLSID\{52146D8E-DB34-4318-BD40-D061EE9C05C5}\localserver32 -> "NAVER.WIN32_LINEwin8_8ptj331gd3tyt!LINE" -ToastActivated => No File
CustomCLSID: HKU\S-1-5-21-516243441-1516239599-2232960906-1001_Classes\CLSID\{CB965DF1-B8EA-49C7-BDAD-5457FDC1BF92}\InprocServer32 -> C:\Users\petch\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.20130.1\x64\Microsoft.Teams.AddinLoader.dll => No File
CustomCLSID: HKU\S-1-5-21-516243441-1516239599-2232960906-1001_Classes\CLSID\{d1b22d3d-8585-53a6-acb3-0e803c7e8d2a}\localserver32 -> "C:\Users\petch\AppData\Local\Microsoft\Teams\current\Teams.exe" --toast => No File
AlternateDataStreams: C:\WINDOWS\tracing:? [12]
AlternateDataStreams: C:\ProgramData\DisplaySessionContainer1.log:F107EE40EF [4298]
AlternateDataStreams: C:\ProgramData\DisplaySessionContainer1.log_backup1:2DD1EC5C91 [4298]
AlternateDataStreams: C:\ProgramData\DisplaySessionContainer10.log:CCC93B07B0 [4298]
AlternateDataStreams: C:\ProgramData\DisplaySessionContainer11.log:72C8986B20 [4298]
AlternateDataStreams: C:\ProgramData\DisplaySessionContainer12.log:C40F6B9209 [4298]
AlternateDataStreams: C:\ProgramData\DisplaySessionContainer13.log:AE3C879266 [4298]
AlternateDataStreams: C:\ProgramData\DisplaySessionContainer13.log_backup1:AF8AA3CDC1 [4298]
AlternateDataStreams: C:\ProgramData\DisplaySessionContainer14.log:DE1448F4D7 [4298]
AlternateDataStreams: C:\ProgramData\DisplaySessionContainer15.log:16B67B15CB [4298]
AlternateDataStreams: C:\ProgramData\DisplaySessionContainer2.log:CCB2353F35 [4298]
AlternateDataStreams: C:\ProgramData\DisplaySessionContainer2.log_backup1:0544EFE2DB [4298]
AlternateDataStreams: C:\ProgramData\DisplaySessionContainer3.log:8A1F56CED6 [4298]
AlternateDataStreams: C:\ProgramData\DisplaySessionContainer3.log_backup1:A473474DD2 [4298]
AlternateDataStreams: C:\ProgramData\DisplaySessionContainer4.log:3B2EC2BDEF [4298]
AlternateDataStreams: C:\ProgramData\DisplaySessionContainer4.log_backup1:DC5D04D24A [4298]
AlternateDataStreams: C:\ProgramData\DisplaySessionContainer5.log:84BD5AAA09 [4298]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini:B1DA6C571C [4298]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Access.lnk:A1B76439FE [4298]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Photoshop 2020.lnk:1A5FAF1E4E [4298]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Premiere Pro 2019.lnk:773C8C4528 [4298]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Apple Software Update.lnk:B026C77744 [4298]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Audacity.lnk:09A0A90EF3 [4298]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Epic Games Launcher.lnk:BE32D07BC5 [4298]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Excel.lnk:B96E9B8455 [4298]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GIMP 2.10.22.lnk:963589C917 [4298]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HUMANKIND™.lnk:5BC4153DEF [4298]
Comment: This snippet reverts User Account Control to default
StartRegedit:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:00000005
"ConsentPromptBehaviorUser"=dword:00000003
"EnableLUA"=dword:00000001
EndRegedit:
StartPowerShell:
# Downloads newest AdwCleaner version directly from Malwarebytes, performs an update, scans, cleans and writes the log in console
# Does not clean preinstalled objects, only PUP/Adware
# If you would like to delete preinstalled objects, add an argument /preinstalled to the /clean argument
# If you would like to only scan with it, change the argument from /clean to /scan
# NOTE: For the sake of users from Asia (primarily China), do not use the clean option. It will very likely remove a lot of their important software.
New-Item -ItemType Directory -Force -Path "$env:SystemDrive\AdwCleaner" | Out-Null
Invoke-WebRequest -Uri "https://adwcleaner.malwarebytes.com/adwcleaner?channel=release" -OutFile "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe"
Start-Process -FilePath "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe" -ArgumentList "/eula" -Wait -WindowStyle Hidden
$logFile = "$env:SystemDrive\AdwCleaner\AdwCleanerOutputFRST.txt"
Start-Process -FilePath "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe" -ArgumentList "/noreboot /clean" -Wait -WindowStyle Hidden -RedirectStandardOutput $logFile
Get-Content $logFile -Encoding Unicode
Remove-Item -Path $logFile -Force -ErrorAction SilentlyContinue
EndPowerShell:
StartPowershell:
# Replace /scanonly with /clean if you also want to delete items -- however, this will activate a trial license on the system, I do not recommend it
$hmpExe = "$env:TEMP\HitmanPro_x64.exe"
$logFile = "$env:TEMP\HitmanPro_ScanLog.txt"
Invoke-WebRequest -Uri "https://dl.surfright.nl/HitmanPro_x64.exe" -OutFile $hmpExe -UseBasicParsing
$proc = Start-Process $hmpExe -ArgumentList "/ews","/scanonly","/noinstall","/log=`"$logFile`"","/logtype=txt" -Wait -PassThru
if (!(Test-Path $logFile)) { Write-Host "Scan failed (exit $($proc.ExitCode))"; exit 1 }
Get-Content $logFile -Encoding Unicode
EndPowershell:
CMD: netsh int ip reset
CMD: netsh int ipv6 reset
CMD: ipconfig /flushDNS
CMD: netsh winsock reset catalog
C:\Users\CurrentUserName\AppData\Local\Temp\*
C:\Windows\Temp\*
C:\Windows\SystemTemp\*
EmptyTemp:
End::