Start::
SystemRestore: On
CreateRestorePoint:
CloseProcesses:
FirewallRules: [{70D016E6-FF8A-4732-B99A-EE0023334401}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer.exe (TeamViewer Germany GmbH -> TeamViewer Germany GmbH)
FirewallRules: [{04CBDCA7-09B0-4606-8499-FDFF2588F587}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer.exe (TeamViewer Germany GmbH -> TeamViewer Germany GmbH)
FirewallRules: [{3B9FF542-1041-42DB-B430-4C450BD52964}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe (TeamViewer Germany GmbH -> TeamViewer Germany GmbH)
FirewallRules: [{9586AE9E-16CA-4DBE-AAC2-00BEBD31C9F3}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe (TeamViewer Germany GmbH -> TeamViewer Germany GmbH)
CustomCLSID: HKU\S-1-5-21-1787771925-2575633184-3858954954-1001_Classes\CLSID\{89b2b650-c4dd-d68b-46e7-3176f1973c8b}\localserver32 -> "C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe" -ToastActivated => No File
AlternateDataStreams: C:\Users\Public\Shared Files:VersionCache [6792]
AlternateDataStreams: C:\Users\user\Application Data:18adeef6ac3a2efac06bdc700a16e9d6 [394]
AlternateDataStreams: C:\Users\user\Application Data:5a7a7919109c97d615ad7581cd492710 [394]
AlternateDataStreams: C:\Users\user\AppData\Roaming:18adeef6ac3a2efac06bdc700a16e9d6 [394]
AlternateDataStreams: C:\Users\user\AppData\Roaming:5a7a7919109c97d615ad7581cd492710 [394]
AlternateDataStreams: C:\Users\user\AppData\Local\Temp:{67AD6FA5-2A7D-47de-A0C4-F04C8F26F841} [0]
FirewallRules: [{448E4009-591C-4AC0-B288-AA1F7C31FEF6}] => (Allow) C:\Program Files\FlashIntegro\VideoEditor\VideoEditor.exe => No File
FirewallRules: [{9F3F59CC-170C-4E90-8509-147A2B4AA83D}] => (Allow) C:\Program Files\FlashIntegro\VideoEditor\VideoEditor.exe => No File
FirewallRules: [{A0D51CE9-0516-4F82-9338-62C385730946}] => (Allow) C:\Program Files\FlashIntegro\VideoEditor\Activation.exe => No File
FirewallRules: [{46E56BAF-A1CA-4E52-A6CC-06BDC6C5EB1B}] => (Allow) C:\Program Files\FlashIntegro\VideoEditor\Activation.exe => No File
FirewallRules: [{05A91701-ECBD-4E3C-A50C-0B42DD4B0B74}] => (Allow) C:\Program Files\FlashIntegro\VideoEditor\Updater.exe => No File
FirewallRules: [{4BC746EE-51F9-4EC4-8905-9EBBDE26822D}] => (Allow) C:\Program Files\FlashIntegro\VideoEditor\Updater.exe => No File
FirewallRules: [{3899BF75-D05C-45BA-9B8D-766D74B9E5A9}] => (Allow) C:\ProgramData\Nexon\NGM\NGM.exe => No File
FirewallRules: [{5B4868AB-B2B5-41E5-BF0E-4D2B5840A6BF}] => (Allow) C:\ProgramData\Nexon\NGM\NGM.exe => No File
FirewallRules: [{E37DA2C6-F594-41BD-98D4-C1C4D0649107}] => (Allow) C:\ProgramData\Nexon\Common\NMService.exe => No File
FirewallRules: [{F360093E-C681-4A96-BC20-A30219D95AAB}] => (Allow) C:\ProgramData\Nexon\Common\NMService.exe => No File
FirewallRules: [{1B125845-A5A6-4241-8BDF-AA876B2E3E61}] => (Allow) C:\ProgramData\Nexon\NGM\NGM64.exe => No File
FirewallRules: [{A076646B-DE1B-47D5-855C-51747584D4D3}] => (Allow) C:\ProgramData\Nexon\NGM\NGM64.exe => No File
FirewallRules: [{69A30F48-1E28-485C-8B16-7DEBEBEC0544}] => (Allow) C:\ProgramData\Nexon\Common\NexonMessenger.exe => No File
FirewallRules: [{6FA3BDF5-A63B-4297-945B-0057D85E222A}] => (Allow) C:\ProgramData\Nexon\Common\NexonMessenger.exe => No File
FirewallRules: [{F6CB8A58-AD28-4DD9-B85D-30F5626173EC}] => (Allow) C:\ProgramData\Nexon\Common\NexonMessenger.exe => No File
FirewallRules: [{4B21A418-4ACF-4112-B877-D6614A552AC4}] => (Allow) C:\ProgramData\Nexon\Common\NexonMessenger.exe => No File
FirewallRules: [{1EBB2C9D-9AC5-4D60-A147-C70E5AC0CB4B}] => (Allow) C:\Program Files (x86)\LetsView\LetsView\LetsView.exe => No File
FirewallRules: [{2028F3A3-07FC-4843-98F0-8AA768B52EEB}] => (Allow) C:\Program Files (x86)\LetsView\LetsView\LetsView.exe => No File
FirewallRules: [{FF3A2F20-8D6B-4A1B-A1AE-929449CC5FB3}] => (Allow) C:\Users\user\AppData\Roaming\Streamlabs\Streamlabs Chatbot\Streamlabs Chatbot.exe => No File
FirewallRules: [{DA97E8F9-9220-49A3-927D-2ACF3EDD68C7}] => (Allow) C:\Users\user\AppData\Roaming\Streamlabs\Streamlabs Chatbot\Streamlabs Chatbot.exe => No File
FirewallRules: [{4BB23042-3CAA-47C2-8B88-442031F8EF7C}] => (Allow) C:\Users\user\AppData\Roaming\Streamlabs\Streamlabs Chatbot\Streamlabs Chatbot.exe => No File
FirewallRules: [{DB9D0388-756C-40DC-901D-B149A91A2C44}] => (Allow) C:\Users\user\AppData\Roaming\Streamlabs\Streamlabs Chatbot\Streamlabs Chatbot.exe => No File
FirewallRules: [TCP Query User{3506F224-D33A-4079-B235-6C1842EEC118}C:\users\user\appdata\local\vysor\app-3.1.4\vysor.exe] => (Allow) C:\users\user\appdata\local\vysor\app-3.1.4\vysor.exe => No File
FirewallRules: [UDP Query User{89A5643D-F9A2-4C3E-A10A-40425DF4E311}C:\users\user\appdata\local\vysor\app-3.1.4\vysor.exe] => (Allow) C:\users\user\appdata\local\vysor\app-3.1.4\vysor.exe => No File
FirewallRules: [TCP Query User{783A3185-D7CF-4D00-9B04-9AF3BFFAF36D}C:\users\user\appdata\local\roblox\versions\version-0ffd0cc0630345e3\robloxstudiobeta.exe] => (Allow) C:\users\user\appdata\local\roblox\versions\version-0ffd0cc0630345e3\robloxstudiobeta.exe => No File
FirewallRules: [UDP Query User{C325DAA9-D9AD-46F0-8833-578BF049A0CE}C:\users\user\appdata\local\roblox\versions\version-0ffd0cc0630345e3\robloxstudiobeta.exe] => (Allow) C:\users\user\appdata\local\roblox\versions\version-0ffd0cc0630345e3\robloxstudiobeta.exe => No File
FirewallRules: [TCP Query User{A8A0FEE7-7A15-4F7B-8DEE-367BB672B583}C:\users\user\desktop\a.dance.of.fire.and.ice.build.5305294\a dance of fire and ice\a dance of fire and ice.exe] => (Allow) C:\users\user\desktop\a.dance.of.fire.and.ice.build.5305294\a dance of fire and ice\a dance of fire and ice.exe => No File
FirewallRules: [UDP Query User{EBBDEE00-F5CD-4904-B8F1-6CAB27379787}C:\users\user\desktop\a.dance.of.fire.and.ice.build.5305294\a dance of fire and ice\a dance of fire and ice.exe] => (Allow) C:\users\user\desktop\a.dance.of.fire.and.ice.build.5305294\a dance of fire and ice\a dance of fire and ice.exe => No File
FirewallRules: [{0087C332-E36B-4E62-A5FA-50AE998D7DE2}] => (Allow) C:\Program Files\BlueStacks_nxt\HD-Player.exe => No File
FirewallRules: [{821D8043-57D8-40E6-9E3B-224720F307FB}] => (Allow) C:\Program Files\Nox\bin\Nox.exe => No File
FirewallRules: [{F77963B8-533C-4258-859B-574A1611BF1A}] => (Allow) C:\Program Files (x86)\Bignox\BigNoxVM\RT\NoxVMHandle.exe => No File
FirewallRules: [{3E125C33-80EF-4AAA-8EE2-38B4069C0E1F}] => (Allow) C:\Users\user\AppData\Local\Temp\EpInsNav\DL\3013\Network\EpsonNetSetup\Data\ENEasyApp.exe => No File
FirewallRules: [{B88BFC90-8928-4F1B-B042-83AE9CF61DA6}] => (Allow) C:\Users\user\AppData\Local\Temp\EpInsNav\DL\3013\Network\EpsonNetSetup\Data\ENEasyApp.exe => No File
FirewallRules: [TCP Query User{8B930EFA-D244-46DB-82F6-7FBEBCE78C3A}C:\users\user\appdata\roaming\salad\plugin-bin\phoenixminer-5.7b\phoenixminer.exe] => (Allow) C:\users\user\appdata\roaming\salad\plugin-bin\phoenixminer-5.7b\phoenixminer.exe => No File
FirewallRules: [UDP Query User{1246DE25-0733-467F-9B0C-8B96CA49B2E3}C:\users\user\appdata\roaming\salad\plugin-bin\phoenixminer-5.7b\phoenixminer.exe] => (Allow) C:\users\user\appdata\roaming\salad\plugin-bin\phoenixminer-5.7b\phoenixminer.exe => No File
FirewallRules: [{20950B18-6F6D-439D-A658-B721533B8812}] => (Block) C:\users\user\appdata\roaming\salad\plugin-bin\phoenixminer-5.7b\phoenixminer.exe => No File
FirewallRules: [{9583D16A-7183-4724-BD85-E23DF684A6A1}] => (Block) C:\users\user\appdata\roaming\salad\plugin-bin\phoenixminer-5.7b\phoenixminer.exe => No File
FirewallRules: [TCP Query User{854B7A37-A4BF-4901-B4F4-4A726A06BC5D}C:\users\user\appdata\roaming\salad\plugin-bin\phoenixminer-5.5c\phoenixminer.exe] => (Block) C:\users\user\appdata\roaming\salad\plugin-bin\phoenixminer-5.5c\phoenixminer.exe => No File
FirewallRules: [UDP Query User{CFACFC40-6198-4DD5-B48B-DCAF70D61EE6}C:\users\user\appdata\roaming\salad\plugin-bin\phoenixminer-5.5c\phoenixminer.exe] => (Block) C:\users\user\appdata\roaming\salad\plugin-bin\phoenixminer-5.5c\phoenixminer.exe => No File
FirewallRules: [TCP Query User{6331F8DF-C350-4386-8AE4-74AAAFC3DFA3}C:\users\user\appdata\local\discord\app-1.0.9003\discord.exe] => (Allow) C:\users\user\appdata\local\discord\app-1.0.9003\discord.exe => No File
FirewallRules: [UDP Query User{C3B5F52C-15FA-4FB2-8CEF-C2C087087F47}C:\users\user\appdata\local\discord\app-1.0.9003\discord.exe] => (Allow) C:\users\user\appdata\local\discord\app-1.0.9003\discord.exe => No File
FirewallRules: [{92DAB8A9-3471-4F98-A149-568F3CA4028C}] => (Block) C:\users\user\appdata\local\discord\app-1.0.9003\discord.exe => No File
FirewallRules: [{03E12D17-D98A-4A63-A416-B44FA7364DDF}] => (Block) C:\users\user\appdata\local\discord\app-1.0.9003\discord.exe => No File
FirewallRules: [TCP Query User{876E58DC-2C95-4914-8698-F8BB60EFD15B}C:\users\user\appdata\local\discord\app-1.0.9004\discord.exe] => (Allow) C:\users\user\appdata\local\discord\app-1.0.9004\discord.exe => No File
FirewallRules: [UDP Query User{79831B38-CB36-485C-AF60-F62D03B32AE1}C:\users\user\appdata\local\discord\app-1.0.9004\discord.exe] => (Allow) C:\users\user\appdata\local\discord\app-1.0.9004\discord.exe => No File
FirewallRules: [{EA934A59-6AE2-432C-9C49-DE0C595C6478}] => (Block) C:\users\user\appdata\local\discord\app-1.0.9004\discord.exe => No File
FirewallRules: [{63CA374D-D503-4B4C-81AD-973F0B08D4CC}] => (Block) C:\users\user\appdata\local\discord\app-1.0.9004\discord.exe => No File
FirewallRules: [TCP Query User{84FC750E-190F-4549-8EAD-73CBFA6F1EA7}C:\users\user\appdata\local\programs\badpanda-react\gif your game.exe] => (Allow) C:\users\user\appdata\local\programs\badpanda-react\gif your game.exe => No File
FirewallRules: [UDP Query User{22970947-5181-4A93-82F6-C37818A97F61}C:\users\user\appdata\local\programs\badpanda-react\gif your game.exe] => (Allow) C:\users\user\appdata\local\programs\badpanda-react\gif your game.exe => No File
FirewallRules: [TCP Query User{3607BF65-893B-47FE-8532-072EE15F6C45}C:\users\user\appdata\local\vortxengine\app-2.2.25\signal-x64\signalrgb.exe] => (Allow) C:\users\user\appdata\local\vortxengine\app-2.2.25\signal-x64\signalrgb.exe => No File
FirewallRules: [UDP Query User{929D1BB3-D1B2-4B48-9F42-F674F3304DE8}C:\users\user\appdata\local\vortxengine\app-2.2.25\signal-x64\signalrgb.exe] => (Allow) C:\users\user\appdata\local\vortxengine\app-2.2.25\signal-x64\signalrgb.exe => No File
FirewallRules: [{FF3AF3B5-512E-4E5D-8D09-324D403B48B6}] => (Block) C:\users\user\appdata\local\vortxengine\app-2.2.25\signal-x64\signalrgb.exe => No File
FirewallRules: [{22613985-72FD-4AC9-BEF7-C5CFB992495E}] => (Block) C:\users\user\appdata\local\vortxengine\app-2.2.25\signal-x64\signalrgb.exe => No File
FirewallRules: [TCP Query User{D30E2F00-4477-4D38-B70B-B0255B17352B}C:\users\user\appdata\local\discord\app-1.0.9007\discord.exe] => (Allow) C:\users\user\appdata\local\discord\app-1.0.9007\discord.exe => No File
FirewallRules: [UDP Query User{956928CA-4401-4440-AF3B-4AECC9DC7B11}C:\users\user\appdata\local\discord\app-1.0.9007\discord.exe] => (Allow) C:\users\user\appdata\local\discord\app-1.0.9007\discord.exe => No File
FirewallRules: [TCP Query User{B37EC87D-A4BC-40B2-8CB1-69776452877D}C:\program files (x86)\steam\steamapps\common\fps chess\fpschess\binaries\win64\fpschess-win64-shipping.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\fps chess\fpschess\binaries\win64\fpschess-win64-shipping.exe => No File
FirewallRules: [UDP Query User{ECF7FFEC-D809-46B3-901C-4579D8D641D0}C:\program files (x86)\steam\steamapps\common\fps chess\fpschess\binaries\win64\fpschess-win64-shipping.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\fps chess\fpschess\binaries\win64\fpschess-win64-shipping.exe => No File
FirewallRules: [{430BBA79-EC96-40C6-844C-479B942D6521}] => (Allow) C:\Users\user\AppData\Roaming\BitTorrent Web\btweb.exe => No File
FirewallRules: [{B93379A9-B596-474C-821C-A229DFC46C49}] => (Allow) C:\Users\user\AppData\Roaming\BitTorrent Web\btweb.exe => No File
FirewallRules: [{90C71C44-2E4F-4232-ABDB-73ECDF79E15E}] => (Allow) C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe => No File
FirewallRules: [TCP Query User{9ABDFBCA-3785-43D9-BB8A-2DEA2410A6E6}C:\program files\resanance\resanance.exe] => (Allow) C:\program files\resanance\resanance.exe => No File
FirewallRules: [UDP Query User{9818F4A7-1FFA-4F39-95B1-797384E90AD4}C:\program files\resanance\resanance.exe] => (Allow) C:\program files\resanance\resanance.exe => No File
FirewallRules: [TCP Query User{81E4E657-31D9-416B-8E3E-962072BC95CC}C:\program files (x86)\overwatch\_retail_\overwatch.exe] => (Allow) C:\program files (x86)\overwatch\_retail_\overwatch.exe => No File
FirewallRules: [UDP Query User{149D707A-147F-4526-BB7E-2DFC6B88FFC9}C:\program files (x86)\overwatch\_retail_\overwatch.exe] => (Allow) C:\program files (x86)\overwatch\_retail_\overwatch.exe => No File
FirewallRules: [TCP Query User{D467E720-8004-4D7B-A6BD-97839DE89DB4}C:\users\user\desktop\geometry.dash.v07.24.2021\geometry.dash.v07.24.2021\geometrydash.exe] => (Allow) C:\users\user\desktop\geometry.dash.v07.24.2021\geometry.dash.v07.24.2021\geometrydash.exe => No File
FirewallRules: [UDP Query User{FCAF6829-1922-42F9-B23A-0E4834E1273F}C:\users\user\desktop\geometry.dash.v07.24.2021\geometry.dash.v07.24.2021\geometrydash.exe] => (Allow) C:\users\user\desktop\geometry.dash.v07.24.2021\geometry.dash.v07.24.2021\geometrydash.exe => No File
FirewallRules: [{6F06D4A9-95EA-49DF-9F78-7EA87E8A638A}] => (Block) C:\users\user\desktop\geometry.dash.v07.24.2021\geometry.dash.v07.24.2021\geometrydash.exe => No File
FirewallRules: [{BBBBA662-1A0B-44CF-BBEC-6E362143DE8A}] => (Block) C:\users\user\desktop\geometry.dash.v07.24.2021\geometry.dash.v07.24.2021\geometrydash.exe => No File
FirewallRules: [TCP Query User{2CA1C211-3144-4CCA-A579-20A01472AD7A}C:\program files\epic games\fallguys\fallguys_client_game.exe] => (Allow) C:\program files\epic games\fallguys\fallguys_client_game.exe => No File
FirewallRules: [UDP Query User{D714AB96-0CEF-4D9B-B011-B016928108DD}C:\program files\epic games\fallguys\fallguys_client_game.exe] => (Allow) C:\program files\epic games\fallguys\fallguys_client_game.exe => No File
FirewallRules: [TCP Query User{370F5786-B8FD-4512-8F97-E0947ACD5128}C:\program files (x86)\steam\steamapps\common\fps chess\fpschess\binaries\win64\fpschess-win64-shipping.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\fps chess\fpschess\binaries\win64\fpschess-win64-shipping.exe => No File
FirewallRules: [UDP Query User{3527A6CC-0E0B-49E9-B655-0D2B7B97B77D}C:\program files (x86)\steam\steamapps\common\fps chess\fpschess\binaries\win64\fpschess-win64-shipping.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\fps chess\fpschess\binaries\win64\fpschess-win64-shipping.exe => No File
FirewallRules: [{AE2CD2E2-417F-47DB-896B-FF2748278139}] => (Allow) C:\Windows\System32\DriverStore\FileRepository\asussci2.inf_amd64_4fc38a913e0f2ea5\ASUSLinkRemote\AsusLinkRemoteAgent.exe => No File
FirewallRules: [{B3B33CDD-FDD5-427E-AA29-B66558D1CA48}] => (Allow) C:\Windows\System32\DriverStore\FileRepository\asussci2.inf_amd64_4fc38a913e0f2ea5\ASUSLinkRemote\AsusLinkRemoteAgent.exe => No File
FirewallRules: [TCP Query User{0C228A05-BA19-46FA-AEEE-33B0995D6D56}C:\users\user\appdata\local\programs\nicehash miner\miner_plugins\eb75e920-94eb-11ea-a64d-17be303ea466\bins\22.0\1.76a\lolminer.exe] => (Allow) C:\users\user\appdata\local\programs\nicehash miner\miner_plugins\eb75e920-94eb-11ea-a64d-17be303ea466\bins\22.0\1.76a\lolminer.exe => No File
FirewallRules: [UDP Query User{A4CCCDA9-3521-485E-AC2B-3B7D11D62977}C:\users\user\appdata\local\programs\nicehash miner\miner_plugins\eb75e920-94eb-11ea-a64d-17be303ea466\bins\22.0\1.76a\lolminer.exe] => (Allow) C:\users\user\appdata\local\programs\nicehash miner\miner_plugins\eb75e920-94eb-11ea-a64d-17be303ea466\bins\22.0\1.76a\lolminer.exe => No File
FirewallRules: [TCP Query User{BD46852E-676F-450F-B348-66C5BB10F34A}C:\program files\epic games\fortnite\fortnitegame\binaries\win64\fortniteclient-win64-shipping.exe] => (Allow) C:\program files\epic games\fortnite\fortnitegame\binaries\win64\fortniteclient-win64-shipping.exe => No File
FirewallRules: [UDP Query User{20DFE1B2-720B-477F-AEF7-9AA09CB41748}C:\program files\epic games\fortnite\fortnitegame\binaries\win64\fortniteclient-win64-shipping.exe] => (Allow) C:\program files\epic games\fortnite\fortnitegame\binaries\win64\fortniteclient-win64-shipping.exe => No File
HKLM\...\Run: [Wondershare Helper Compact.exe] => C:\Program Files\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe (No File)
HKLM\...\Run: [UniConverterUpdateHelper] => C:\Program Files (x86)\Wondershare\Wondershare UniConverter 14 for Windows (CPC)\WSVCUUpdateHelper.exe (No File)
HKU\S-1-5-21-1787771925-2575633184-3858954954-1001\...\Run: [SignalRgb] => "C:\Users\user\AppData\Local\VortxEngine\SignalRgbLauncher.exe" --silent (No File)
HKU\S-1-5-21-1787771925-2575633184-3858954954-1001\...\Run: [btweb] => "C:\Users\user\AppData\Roaming\BitTorrent Web\btweb.exe" /MINIMIZED (No File)
Task: {F14FAF03-0C17-4DED-89D9-A9B4F1D9DDE5} - System32\Tasks\ASUS\P508PowerAgent_sdk => C:\Program Files (x86)\ASUS\ArmouryDevice\dll\ShareFromArmouryIII\Mouse\ROG STRIX CARRY\P508PowerAgent.exe (No File)
FF Plugin: @videolan.org/vlc,version=3.0.16 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [No File]
FF Plugin-x32: @nexon.com/NxGame -> C:\ProgramData\Nexon\NGM\npNxGame.dll [No File]
U3 aswbdisk; no ImagePath
S2 speedfan; \??\C:\Windows\SysWOW64\speedfan.sys (No File)
S3 VOICEMOD_Driver; \SystemRoot\system32\drivers\mvvad.sys (No File)
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiSpyware] Restriction <==== ATTENTION
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiVirus] Restriction <==== ATTENTION
GroupPolicy: Restriction ? <==== ATTENTION
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION
StartPowerShell:
# This snippet uses Sysinternals Sigcheck to check a file against VirusTotal (and upload it if it is not known yet).
# The file to check is set in the $psi.Arguments line below (here C:\Windows\SysWOW64\TUCTLSystem.exe).
# ---
# It displays the following: entropy, file hashes, catalog name & signing chain, VirusTotal scan results and a link to the report.
# It is also able to traverse symbolic links and directory junctions.
# ---
# NOTE: If the file is not known prior, it gets uploaded to VirusTotal and the result will be available in a few minutes.
# You can look up the report by visiting the URL "https://www.virustotal.com/gui/file/<SHA256>"
$TempDir = [System.IO.Path]::GetTempPath()
$ZipPath = Join-Path $TempDir "SigcheckFRST.zip"
$ExtractPath = Join-Path $TempDir "SigcheckFRST"
# Download the official Sigcheck archive and unpack it into a clean temp folder
Invoke-WebRequest -Uri "https://download.sysinternals.com/files/Sigcheck.zip" -OutFile $ZipPath -UseBasicParsing
if (Test-Path $ExtractPath) { Remove-Item $ExtractPath -Recurse -Force }
Expand-Archive -Path $ZipPath -DestinationPath $ExtractPath -Force
$SigcheckExe = Join-Path $ExtractPath "sigcheck.exe"
if (Test-Path $SigcheckExe) {
    # Run sigcheck with redirected stdout so its report ends up in the FRST fix log
    $psi = New-Object System.Diagnostics.ProcessStartInfo
    $psi.FileName = $SigcheckExe
    $psi.Arguments = '-accepteula -a -h -i -m -l -vt -vs -nobanner "C:\Windows\SysWOW64\TUCTLSystem.exe"'
    $psi.RedirectStandardOutput = $true
    $psi.StandardOutputEncoding = [System.Text.Encoding]::Unicode
    $psi.UseShellExecute = $false
    $psi.CreateNoWindow = $true
    $p = [System.Diagnostics.Process]::Start($psi)
    $output = $p.StandardOutput.ReadToEnd()
    $p.WaitForExit()
    Write-Output $output
} else {
    Write-Host "Error: Sigcheck does not exist"
}
Remove-Item $ZipPath -Force
EndPowerShell:
R2 TUCtlSystem; C:\Windows\SysWOW64\TUCTLSystem.exe [383856 2021-10-27] (Teruten, Inc. -> Teruten.inc) <==== ATTENTION
C:\Windows\SysWOW64\TUCTLSystem.exe
StartPowershell:
# This snippet removes all Windows Defender exclusions (paths, extensions and processes)
Try {
    $Paths = (Get-MpPreference).ExclusionPath
    $Extensions = (Get-MpPreference).ExclusionExtension
    $Processes = (Get-MpPreference).ExclusionProcess
    foreach ($Path in $Paths) {
        Remove-MpPreference -ExclusionPath $Path -Force -ErrorAction Stop
    }
    foreach ($Extension in $Extensions) {
        Remove-MpPreference -ExclusionExtension $Extension -Force -ErrorAction Stop
    }
    foreach ($Process in $Processes) {
        Remove-MpPreference -ExclusionProcess $Process -Force -ErrorAction Stop
    }
}
Catch {
    Write-Error "Error occurred while removing Windows Defender exclusions: $_"
}
EndPowershell:
Comment: This snippet reverts User Account Control to default
StartRegedit:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:00000005
"ConsentPromptBehaviorUser"=dword:00000003
"EnableLUA"=dword:00000001
EndRegedit:
Folder: C:\Users\user\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62
IFEO\WINDOWS10UPGRADERAPP.EXE: [Debugger] *
IFEO\Windows10Upgrade.exe: [Debugger] *
IFEO\WaasMedicAgent.exe: [Debugger] *
IFEO\WaaSMedic.exe: [Debugger] *
IFEO\UsoClient.exe: [Debugger] *
IFEO\UPFC.EXE: [Debugger] *
IFEO\UpdateAssistant.exe: [Debugger] *
IFEO\SIHClient.exe: [Debugger] *
IFEO\remsh.exe: [Debugger] *
IFEO\MUSNOTIFICATIONUX.EXE: [Debugger] *
IFEO\MusNotification.exe: [Debugger] *
IFEO\InstallAgent.exe: [Debugger] *
IFEO\EOSNOTIFY.EXE: [Debugger] *
IFEO\dismHost.exe: [Debugger] *
2021-10-03 03:57 - 2019-12-07 11:10 - 000065440 _____ (Microsoft Corporation) C:\Users\user\AppData\Roaming\RegAsm.exe
2021-10-03 03:56 - 2021-10-03 03:56 - 000893608 _____ (AutoIt Team) C:\Users\user\AppData\Roaming\Irrequieto.exe.com
2021-10-03 02:56 - 2021-10-03 09:01 - 000000203 _____ () C:\Users\user\AppData\Roaming\jjv5conf.json
StartPowerShell:
# This snippet downloads Emsisoft Emergency Kit (EEK) from Emsisoft's official site, updates it and scans with it.
# Do note that the executable is 300MB and may take some time to download.
# ---
# This will scan for malware and PUPs in 1) system memory 2) important folders, as the documentation says.
# It will scan inside compressed archives, mail archives and NTFS alternate data streams, and use cloud requests.
# ---
# You can use the argument "/delete" to delete found objects including references, but this is permanent and irreversible.
# You can remove the "/quick" argument to do a full scan, but that may take longer than what FRST can handle.
# You can use the argument "/quarantine="[folder]"" to put found malware into quarantine, but I personally prefer verifying the detections first.
$downloadUrl = "https://dl.emsisoft.com/EmsisoftEmergencyKit.exe"
$systemDrive = $env:SystemDrive
$frstPath = "$systemDrive\FRST"
$savePath = "$frstPath\EEK.exe"
$extractPath = "$frstPath\EEK"
if (-not (Test-Path $frstPath)) {
    New-Item -Path $frstPath -ItemType Directory -Force | Out-Null
}
if (-not (Test-Path $extractPath)) {
    New-Item -Path $extractPath -ItemType Directory -Force | Out-Null
}
Invoke-WebRequest -Uri $downloadUrl -OutFile $savePath -UseBasicParsing
# Silent extraction into $extractPath. Wait for a2cmd.exe to appear, but give up after a timeout
# (600 seconds chosen here) instead of hanging the FRST fix forever if the extraction fails.
$proc = Start-Process -FilePath $savePath -ArgumentList "-s -d`"$extractPath`"" -PassThru
$a2cmd64 = "$extractPath\bin64\a2cmd.exe"
$waitedSeconds = 0
while (-not (Test-Path $a2cmd64) -and $waitedSeconds -lt 600) { Start-Sleep -Seconds 1; $waitedSeconds++ }
Stop-Process -Id $proc.Id -Force -ErrorAction SilentlyContinue
if (-not (Test-Path $a2cmd64)) { Write-Host "Error: EEK extraction did not complete within $waitedSeconds seconds"; exit 1 }
if ([Environment]::Is64BitOperatingSystem) {
    $a2cmdPath = Join-Path $extractPath "bin64\a2cmd.exe"
} else {
    $a2cmdPath = Join-Path $extractPath "bin32\a2cmd.exe"
}
# Update signatures first, then scan and write the log next to the other FRST files
Start-Process -FilePath $a2cmdPath -ArgumentList "/update" -Wait -NoNewWindow
Start-Process -FilePath $a2cmdPath -ArgumentList "/malware /quick /m /t /pup /a /am /cloud=1 /la=`"$frstPath\EEK_scan.log`"" -Wait -NoNewWindow
Get-Content "$frstPath\EEK_scan.log"
exit
EndPowerShell:
StartPowershell:
# Replace /scanonly with /clean if you also want to delete items; however, this activates a trial license on the system, so I do not recommend it
$hmpExe = "$env:TEMP\HitmanPro_x64.exe"
$logFile = "$env:TEMP\HitmanPro_ScanLog.txt"
Invoke-WebRequest -Uri "https://dl.surfright.nl/HitmanPro_x64.exe" -OutFile $hmpExe -UseBasicParsing
$proc = Start-Process $hmpExe -ArgumentList "/ews","/scanonly","/noinstall","/log=`"$logFile`"","/logtype=txt" -Wait -PassThru
if (!(Test-Path $logFile)) { Write-Host "Scan failed (exit $($proc.ExitCode))"; exit 1 }
Get-Content $logFile -Encoding Unicode
EndPowershell:
StartPowerShell:
# Downloads the newest AdwCleaner version directly from Malwarebytes, performs an update, scans, cleans and writes the log to the console
# Does not clean preinstalled objects, only PUP/Adware
# If you would like to delete preinstalled objects too, add the /preinstalled argument after /clean
# If you would like to only scan with it, change the argument from /clean to /scan
# NOTE: For the sake of users from Asia (primarily China), do not use the clean option. It will very likely remove a lot of their important software.
New-Item -ItemType Directory -Force -Path "$env:SystemDrive\AdwCleaner" | Out-Null
Invoke-WebRequest -Uri "https://adwcleaner.malwarebytes.com/adwcleaner?channel=release" -OutFile "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe"
Start-Process -FilePath "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe" -ArgumentList "/eula" -Wait -WindowStyle Hidden
$logFile = "$env:SystemDrive\AdwCleaner\AdwCleanerOutputFRST.txt"
Start-Process -FilePath "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe" -ArgumentList "/noreboot /clean" -Wait -WindowStyle Hidden -RedirectStandardOutput $logFile
Get-Content $logFile -Encoding Unicode
Remove-Item -Path $logFile -Force -ErrorAction SilentlyContinue
EndPowerShell:
Comment: Remove unwanted files from common folders using Farbar's native removal, including removal on reboot if needed. Please double-check that the user does not have any applications incorrectly installed in the directories listed below.
C:\ProgramData\*.a3x
C:\ProgramData\*.ahk
C:\ProgramData\*.au3
C:\ProgramData\*.bat
C:\ProgramData\*.cab
C:\ProgramData\*.cmd
C:\ProgramData\*.com
C:\ProgramData\*.dll
C:\ProgramData\*.exe
C:\ProgramData\*.hta
C:\ProgramData\*.jar
C:\ProgramData\*.js
C:\ProgramData\*.jse
C:\ProgramData\*.lnk
C:\ProgramData\*.pif
C:\ProgramData\*.ps1
C:\ProgramData\*.py
C:\ProgramData\*.pyc
C:\ProgramData\*.pyd
C:\ProgramData\*.scr
C:\ProgramData\*.tmp
C:\ProgramData\*.vbe
C:\ProgramData\*.vbs
C:\ProgramData\*.wsf
C:\ProgramData\*.wsh
C:\ProgramData\*.zip
C:\ProgramData\*.rar
C:\ProgramData\*.7z
C:\Users\*\AppData\Roaming\*.au3
C:\Users\*\AppData\Roaming\*.bat
C:\Users\*\AppData\Roaming\*.cab
C:\Users\*\AppData\Roaming\*.cmd
C:\Users\*\AppData\Roaming\*.com
C:\Users\*\AppData\Roaming\*.dll
C:\Users\*\AppData\Roaming\*.exe
C:\Users\*\AppData\Roaming\*.hta
C:\Users\*\AppData\Roaming\*.jar
C:\Users\*\AppData\Roaming\*.js
C:\Users\*\AppData\Roaming\*.jse
C:\Users\*\AppData\Roaming\*.lnk
C:\Users\*\AppData\Roaming\*.pif
C:\Users\*\AppData\Roaming\*.ps1
C:\Users\*\AppData\Roaming\*.py
C:\Users\*\AppData\Roaming\*.pyc
C:\Users\*\AppData\Roaming\*.pyd
C:\Users\*\AppData\Roaming\*.scr
C:\Users\*\AppData\Roaming\*.tmp
C:\Users\*\AppData\Roaming\*.vbe
C:\Users\*\AppData\Roaming\*.vbs
C:\Users\*\AppData\Roaming\*.wsf
C:\Users\*\AppData\Roaming\*.wsh
C:\Users\*\AppData\Roaming\*.zip
C:\Users\*\AppData\Roaming\*.rar
C:\Users\*\AppData\Roaming\*.7z
C:\Users\CurrentUserName\AppData\Local\*.a3x
C:\Users\CurrentUserName\AppData\Local\*.ahk
C:\Users\CurrentUserName\AppData\Local\*.au3
C:\Users\CurrentUserName\AppData\Local\*.bat
C:\Users\CurrentUserName\AppData\Local\*.cab
C:\Users\CurrentUserName\AppData\Local\*.cmd
C:\Users\CurrentUserName\AppData\Local\*.com
C:\Users\CurrentUserName\AppData\Local\*.dll
C:\Users\CurrentUserName\AppData\Local\*.exe
C:\Users\CurrentUserName\AppData\Local\*.hta
C:\Users\CurrentUserName\AppData\Local\*.jar
C:\Users\CurrentUserName\AppData\Local\*.js
C:\Users\CurrentUserName\AppData\Local\*.jse
C:\Users\CurrentUserName\AppData\Local\*.lnk
C:\Users\CurrentUserName\AppData\Local\*.pif
C:\Users\CurrentUserName\AppData\Local\*.ps1
C:\Users\CurrentUserName\AppData\Local\*.py
C:\Users\CurrentUserName\AppData\Local\*.pyc
C:\Users\CurrentUserName\AppData\Local\*.pyd
C:\Users\CurrentUserName\AppData\Local\*.scr
C:\Users\CurrentUserName\AppData\Local\*.tmp
C:\Users\CurrentUserName\AppData\Local\*.vbe
C:\Users\CurrentUserName\AppData\Local\*.vbs
C:\Users\CurrentUserName\AppData\Local\*.wsf
C:\Users\CurrentUserName\AppData\Local\*.wsh
C:\Users\CurrentUserName\AppData\Local\*.zip
C:\Users\CurrentUserName\AppData\Local\*.rar
C:\Users\CurrentUserName\AppData\Local\*.7z
C:\Users\CurrentUserName\AppData\Roaming\*.a3x
C:\Users\CurrentUserName\AppData\Roaming\*.ahk
C:\Users\CurrentUserName\AppData\Roaming\*.au3
C:\Users\CurrentUserName\AppData\Roaming\*.bat
C:\Users\CurrentUserName\AppData\Roaming\*.cab
C:\Users\CurrentUserName\AppData\Roaming\*.cmd
C:\Users\CurrentUserName\AppData\Roaming\*.com
C:\Users\CurrentUserName\AppData\Roaming\*.dll
C:\Users\CurrentUserName\AppData\Roaming\*.exe
C:\Users\CurrentUserName\AppData\Roaming\*.hta
C:\Users\CurrentUserName\AppData\Roaming\*.jar
C:\Users\CurrentUserName\AppData\Roaming\*.js
C:\Users\CurrentUserName\AppData\Roaming\*.jse
C:\Users\CurrentUserName\AppData\Roaming\*.lnk
C:\Users\CurrentUserName\AppData\Roaming\*.pif
C:\Users\CurrentUserName\AppData\Roaming\*.ps1
C:\Users\CurrentUserName\AppData\Roaming\*.py
C:\Users\CurrentUserName\AppData\Roaming\*.pyc
C:\Users\CurrentUserName\AppData\Roaming\*.pyd
C:\Users\CurrentUserName\AppData\Roaming\*.scr
C:\Users\CurrentUserName\AppData\Roaming\*.tmp
C:\Users\CurrentUserName\AppData\Roaming\*.vbe
C:\Users\CurrentUserName\AppData\Roaming\*.vbs
C:\Users\CurrentUserName\AppData\Roaming\*.wsf
C:\Users\CurrentUserName\AppData\Roaming\*.wsh
C:\Users\CurrentUserName\AppData\Roaming\*.zip
C:\Users\CurrentUserName\AppData\Roaming\*.rar
C:\Users\CurrentUserName\AppData\Roaming\*.7z
Comment: Force policy removal
C:\Windows\System32\GroupPolicyUsers
C:\Windows\System32\GroupPolicy
Comment: Network reset commands
CMD: netsh int ip reset
CMD: netsh int ipv6 reset
CMD: ipconfig /flushDNS
CMD: netsh winsock reset catalog
Comment: Additional temp file removal
C:\Windows\System32\config\systemprofile\AppData\Local\*.tmp
C:\WINDOWS\system32\*.tmp
C:\WINDOWS\syswow64\*.tmp
C:\Users\CurrentUserName\AppData\Local\Temp\*
C:\Windows\Temp\*
C:\Windows\SystemTemp\*
EmptyTemp:
End::