Start::
CloseProcesses:
CMD: type C:\Users\admin\install.bat
File: C:\Users\admin\install.bat
Folder: C:\Users\Public\Documents\OnlineFix
C:\WINDOWS\system32\Tasks\InteractiveServices
HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\BraveSoftware\Brave: Restriction <==== ATTENTION
HKLM\...\Run: [] => [X]
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-1797156640-925654250-277916169-1001\...\Run: [] => [X]
HKU\S-1-5-21-1797156640-925654250-277916169-1001\...\Run: [SignalRgb] => "C:\Users\admin\AppData\Local\VortxEngine\SignalRgbLauncher.exe" --silent (No File)
HKU\S-1-5-21-1797156640-925654250-277916169-1001\...\Run: [MasterHUB] => "C:\Program Files\Cooler Master\MasterHUB\MasterHUB.exe" --openAsHidden (No File)
Task: {F3E6E7ED-A196-4E44-8803-55FAB3AD4E29} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker => %systemroot%\system32\MusNotification.exe (No File)
S3 MSI_Center_Service; "C:\Program Files (x86)\MSI\MSI Center\MSI_Central_Service.exe" (No File)
S3 cpuz159; \??\C:\WINDOWS\temp\cpuz159\cpuz159_x64.sys (No File) <==== ATTENTION
S3 EAAntiCheat; system32\drivers\eaanticheat.sys (No File)
S3 HWiNFO_214; \??\C:\Users\admin\AppData\Local\Temp\HWiNFO_x64_214.sys (No File) <==== ATTENTION
S3 MpKsl643b01c8; \??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{4A724E2F-8416-4918-9C8C-9524D285472F}\MpKslDrv.sys (No File)
S3 mshield; \??\C:\Program Files\NordVPN\NordSec ThreatProtection\1.39.59.2\mshield.sys (No File)
S3 travis; \??\C:\Program Files\NordVPN\NordSec ThreatProtection\1.39.59.2\travis.sys (No File)
ContextMenuHandlers2: [ContextMenu] -> {ee10d625-cc60-30a4-b3df-4b349785be6b} => C:\Program Files (x86)\Avira\Security\Antivirus.ContextMenu\Antivirus.ContextMenu.DLL -> No File
ContextMenuHandlers3: [ContextMenu] -> {ee10d625-cc60-30a4-b3df-4b349785be6b} => C:\Program Files (x86)\Avira\Security\Antivirus.ContextMenu\Antivirus.ContextMenu.DLL -> No File
AlternateDataStreams: C:\Users\admin\AppData\Local\Temp:$DATA [16]
StartPowershell:
$hmpExe = "$env:TEMP\HitmanPro_x64.exe"
$logFile = "$env:TEMP\HitmanPro_ScanLog.txt"
Invoke-WebRequest -Uri "https://dl.surfright.nl/HitmanPro_x64.exe" -OutFile $hmpExe -UseBasicParsing
$proc = Start-Process $hmpExe -ArgumentList "/ews","/scanonly","/noinstall","/log=`"$logFile`"","/logtype=txt" -Wait -PassThru
if (!(Test-Path $logFile)) { Write-Host "Scan failed (exit $($proc.ExitCode))"; exit 1 }
Get-Content $logFile -Encoding Unicode
EndPowershell:
StartPowerShell:
# Downloads newest AdwCleaner version directly from Malwarebytes, performs an update, scans, cleans and writes the log in console
# Does not clean preinstalled objects, only PUP/Adware
# If you would like to delete preinstalled objects, add an argument /preinstalled to the /clean argument
# If you would like to only scan with it, change the argument from /clean to /scan
# NOTE: For the sake of users from Asia (primarily China), do not use the clean option. It will very likely remove a lot of their important software.
New-Item -ItemType Directory -Force -Path "$env:SystemDrive\AdwCleaner" | Out-Null
Invoke-WebRequest -Uri "https://adwcleaner.malwarebytes.com/adwcleaner?channel=release" -OutFile "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe"
Start-Process -FilePath "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe" -ArgumentList "/eula" -Wait -WindowStyle Hidden
$logFile = "$env:SystemDrive\AdwCleaner\AdwCleanerOutputFRST.txt"
Start-Process -FilePath "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe" -ArgumentList "/noreboot /clean" -Wait -WindowStyle Hidden -RedirectStandardOutput $logFile
Get-Content $logFile -Encoding Unicode
Remove-Item -Path $logFile -Force -ErrorAction SilentlyContinue
EndPowerShell:
CMD: netsh int ip reset
CMD: netsh int ipv6 reset
CMD: ipconfig /flushDNS
CMD: netsh winsock reset catalog
Hosts:
C:\Users\CurrentUserName\AppData\Local\Temp\*
C:\Windows\Temp\*
C:\Windows\SystemTemp\*
EmptyTemp:
End::
Warning
Executing a Fixlist on the wrong system may permanently damage it. Continue only if this link was meant for you.