Start::
SystemRestore: On
CreateRestorePoint:
CloseProcesses:
2026-05-09 17:36 - 2026-05-09 17:36 - 000000000 ____D C:\Users\JustinB\rr.exe
2026-05-10 07:03 - 2024-05-28 17:35 - 000000000 ____D C:\Users\JustinB\AppData\Roaming\RenPy
Task: {5754025A-01B8-4DED-8FEC-CA32DAFBAE4E} - System32\Tasks\Microsoft\Windows\Location\Notifications => %windir%\System32\LocationNotificationWindows.exe (No File)
Task: {F3E6E7ED-A196-4E44-8803-55FAB3AD4E29} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker => %systemroot%\system32\MusNotification.exe (No File)
2025-01-03 16:14 - 2025-01-03 16:14 - 000000048 ____R () C:\Users\JustinB\AppData\Local\7429A8E9E9FA6C3A32861A3E7483D741
CustomCLSID: HKU\S-1-5-21-3516550663-2093197974-1224288554-1002_Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}\InprocServer32 -> => No File
FirewallRules: [{826552AC-05E9-44F5-91BE-AFFA4F4F0E3B}] => (Allow) C:\Program Files (x86)\Call of Duty\_retail_\cod.exe => No File
FirewallRules: [{A4D0F2F8-00E1-41D1-A3BC-B3BD931BA233}] => (Allow) C:\Program Files (x86)\Call of Duty\_retail_\codCrashHandler.exe => No File
FirewallRules: [{09175E61-260B-44B2-A239-2726BE4599A9}] => (Allow) C:\Program Files (x86)\Call of Duty\_retail_\bootstrapper.exe => No File
FirewallRules: [{2112201C-D20D-45F9-8C20-8CDDF5B4C353}] => (Allow) C:\Program Files (x86)\Call of Duty\_retail_\cod23\codCrashHandler.exe => No File
FirewallRules: [{4E525810-D6A0-4A14-B6B0-63F69DC77786}] => (Allow) C:\Program Files (x86)\Call of Duty\_retail_\cod23\cod23-cod.exe => No File
FirewallRules: [{50D49AFF-8F56-48BD-A2F2-B82C8CF98EE5}] => (Allow) C:\Program Files (x86)\Call of Duty\_retail_\cod22\codCrashHandler.exe => No File
FirewallRules: [{26957501-D28E-4DD1-B606-0C9BE19A9797}] => (Allow) C:\Program Files (x86)\Call of Duty\_retail_\cod22\cod22-cod.exe => No File
FirewallRules: [{8D74E7D7-C29E-40F2-821F-E2DBEF5AADAC}] => (Allow) C:\Program Files (x86)\Call of Duty\_retail_\sp24\codCrashHandler.exe => No File
FirewallRules: [{BE415285-2215-4F6D-96FA-17E6B39C4F5B}] => (Allow) C:\Program Files (x86)\Call of Duty\_retail_\sp24\sp24-cod.exe => No File
FirewallRules: [UDP Query User{ABE5E2A2-BB03-4D81-9CBA-0189B1A81E38}C:\users\justinb\downloads\rise of a porn star\rise of a porn star.exe] => (Block) C:\users\justinb\downloads\rise of a porn star\rise of a porn star.exe => No File
FirewallRules: [TCP Query User{57167369-A5B8-4416-BEF4-39F1AC331E78}C:\users\justinb\downloads\rise of a porn star\rise of a porn star.exe] => (Block) C:\users\justinb\downloads\rise of a porn star\rise of a porn star.exe => No File
FirewallRules: [UDP Query User{19BEBD85-E156-4EF7-89EE-CF3BAB49BC6F}C:\program files (x86)\call of duty\_retail_\cod22\cod22-cod.exe] => (Allow) C:\program files (x86)\call of duty\_retail_\cod22\cod22-cod.exe => No File
FirewallRules: [TCP Query User{A5E6D10F-B127-4165-8A0A-E52FB9156448}C:\program files (x86)\call of duty\_retail_\cod22\cod22-cod.exe] => (Allow) C:\program files (x86)\call of duty\_retail_\cod22\cod22-cod.exe => No File
FirewallRules: [UDP Query User{59A18B05-67CB-4EBE-9757-0D6AF6A2ED3A}C:\program files (x86)\call of duty\_retail_\cod.exe] => (Allow) C:\program files (x86)\call of duty\_retail_\cod.exe => No File
FirewallRules: [TCP Query User{327B5223-DA0F-439C-94D0-92D63763E17B}C:\program files (x86)\call of duty\_retail_\cod.exe] => (Allow) C:\program files (x86)\call of duty\_retail_\cod.exe => No File
FirewallRules: [UDP Query User{06B5B8E8-74AF-41D7-9F34-F434E25998AF}C:\users\justinb\downloads\hot & lewd miami\hot & lewd miami.exe] => (Block) C:\users\justinb\downloads\hot & lewd miami\hot & lewd miami.exe => No File
FirewallRules: [TCP Query User{ABB90AAC-F79D-4D16-9955-3DC532911C11}C:\users\justinb\downloads\hot & lewd miami\hot & lewd miami.exe] => (Block) C:\users\justinb\downloads\hot & lewd miami\hot & lewd miami.exe => No File
FirewallRules: [UDP Query User{58E03078-4DD4-4430-A208-9734307345BF}C:\users\justinb\downloads\summerclover v1.09\summerclover.exe] => (Block) C:\users\justinb\downloads\summerclover v1.09\summerclover.exe => No File
FirewallRules: [TCP Query User{452DB69C-17BB-4C9E-B293-2C243D9F921E}C:\users\justinb\downloads\summerclover v1.09\summerclover.exe] => (Block) C:\users\justinb\downloads\summerclover v1.09\summerclover.exe => No File
FirewallRules: [UDP Query User{CA72FA8E-1858-4AC3-AEB0-8798F2D82697}C:\program files (x86)\overwatch\_retail_\overwatch.exe] => (Allow) C:\program files (x86)\overwatch\_retail_\overwatch.exe => No File
FirewallRules: [TCP Query User{72589705-9491-4639-B7C5-86A23DBFB6D7}C:\program files (x86)\overwatch\_retail_\overwatch.exe] => (Allow) C:\program files (x86)\overwatch\_retail_\overwatch.exe => No File
FirewallRules: [UDP Query User{E94A631C-E82B-4D60-B136-DF2613211A35}C:\users\justinb\downloads\love_n_war_warlord_by_chance_v2.1.1_r18\warlordbychance.exe] => (Block) C:\users\justinb\downloads\love_n_war_warlord_by_chance_v2.1.1_r18\warlordbychance.exe => No File
FirewallRules: [TCP Query User{08E3C003-E7CA-4DCE-A42C-FC80DD06BFD1}C:\users\justinb\downloads\love_n_war_warlord_by_chance_v2.1.1_r18\warlordbychance.exe] => (Block) C:\users\justinb\downloads\love_n_war_warlord_by_chance_v2.1.1_r18\warlordbychance.exe => No File
FirewallRules: [{CFC57F07-E95F-4106-8E33-021F6E2BEFA1}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe => No File
FirewallRules: [{BDE6931A-1171-45B1-9728-271C8D4D8231}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe => No File
FirewallRules: [TCP Query User{B7D34F72-5CA7-409C-830E-6D132340DD14}C:\program files (x86)\steam\steamapps\common\marvelrivals\marvelgame\marvel\binaries\win64\marvel-win64-shipping.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\marvelrivals\marvelgame\marvel\binaries\win64\marvel-win64-shipping.exe => No File
FirewallRules: [UDP Query User{C3160794-B81E-4D09-84B5-897116406F83}C:\program files (x86)\steam\steamapps\common\marvelrivals\marvelgame\marvel\binaries\win64\marvel-win64-shipping.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\marvelrivals\marvelgame\marvel\binaries\win64\marvel-win64-shipping.exe => No File
FirewallRules: [{E334CF73-A583-4421-BCA5-727AFA187DA2}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Cities Skylines II\Launcher\dowser.exe => No File
FirewallRules: [{3BD35421-D2C1-41DF-BA58-A778EB7F0B73}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Cities Skylines II\Launcher\dowser.exe => No File
FirewallRules: [TCP Query User{BFB8A57B-0B5F-4F27-93B9-7D5CA3DD831A}C:\users\justinb\downloads\quickie a love hotel story-v1.0-cracked\quickie a love hotel story.exe] => (Allow) C:\users\justinb\downloads\quickie a love hotel story-v1.0-cracked\quickie a love hotel story.exe => No File
FirewallRules: [UDP Query User{C7869B63-8AF8-4C97-BA54-04C87C4C16AF}C:\users\justinb\downloads\quickie a love hotel story-v1.0-cracked\quickie a love hotel story.exe] => (Allow) C:\users\justinb\downloads\quickie a love hotel story-v1.0-cracked\quickie a love hotel story.exe => No File
FirewallRules: [TCP Query User{D5471431-1893-4E56-B560-19424A5FE290}C:\users\justinb\downloads\love n life lucky teacher v3.3.0 fulldlc\lucky teacher.exe] => (Allow) C:\users\justinb\downloads\love n life lucky teacher v3.3.0 fulldlc\lucky teacher.exe => No File
FirewallRules: [UDP Query User{04016FB9-5D95-4554-AA89-26221521BBB2}C:\users\justinb\downloads\love n life lucky teacher v3.3.0 fulldlc\lucky teacher.exe] => (Allow) C:\users\justinb\downloads\love n life lucky teacher v3.3.0 fulldlc\lucky teacher.exe => No File
FirewallRules: [TCP Query User{2FBC1B0E-FA76-48E1-A3C5-4FC78DCFCEEB}C:\gitrepos\handyman fantasy 2025-06-24\handymanfantasy.exe] => (Block) C:\gitrepos\handyman fantasy 2025-06-24\handymanfantasy.exe => No File
FirewallRules: [UDP Query User{D9A8589A-9AF5-454F-8D39-DDAA1AB652E7}C:\gitrepos\handyman fantasy 2025-06-24\handymanfantasy.exe] => (Block) C:\gitrepos\handyman fantasy 2025-06-24\handymanfantasy.exe => No File
FirewallRules: [TCP Query User{16F3DA06-2C42-45D3-8049-6D7CA0CA290C}C:\users\justinb\downloads\futanari_coffeeshop\cs.exe] => (Allow) C:\users\justinb\downloads\futanari_coffeeshop\cs.exe => No File
FirewallRules: [UDP Query User{67F9AA83-C48C-49BB-8A16-572018546BCE}C:\users\justinb\downloads\futanari_coffeeshop\cs.exe] => (Allow) C:\users\justinb\downloads\futanari_coffeeshop\cs.exe => No File
FirewallRules: [TCP Query User{E38DBE52-BFE7-40E9-91B0-F8AC77BB814C}C:\users\justinb\downloads\become a vtuber!\v-lover.exe] => (Allow) C:\users\justinb\downloads\become a vtuber!\v-lover.exe => No File
FirewallRules: [UDP Query User{0FB48035-90C2-46E3-BFA7-B065CCA4ED7C}C:\users\justinb\downloads\become a vtuber!\v-lover.exe] => (Allow) C:\users\justinb\downloads\become a vtuber!\v-lover.exe => No File
FirewallRules: [TCP Query User{3EDE38C1-455B-40C5-9C0E-6102C31085F6}C:\users\justinb\downloads\jerezarena iii 1.0.23\jerezarena_3.exe] => (Allow) C:\users\justinb\downloads\jerezarena iii 1.0.23\jerezarena_3.exe => No File
FirewallRules: [UDP Query User{CA09A459-8665-4F6B-AEBF-F55E889465E2}C:\users\justinb\downloads\jerezarena iii 1.0.23\jerezarena_3.exe] => (Allow) C:\users\justinb\downloads\jerezarena iii 1.0.23\jerezarena_3.exe => No File
FirewallRules: [TCP Query User{BFDB3469-2F0E-48AE-B221-C7FD1AB9D71A}C:\program files\epic games\xcom2\binaries\win64\xcom2.exe] => (Allow) C:\program files\epic games\xcom2\binaries\win64\xcom2.exe => No File
FirewallRules: [UDP Query User{E8E18AC7-5A1F-45F4-BA78-3C0A8CB8832C}C:\program files\epic games\xcom2\binaries\win64\xcom2.exe] => (Allow) C:\program files\epic games\xcom2\binaries\win64\xcom2.exe => No File
FirewallRules: [TCP Query User{AF6CFA9B-E540-40C2-B268-B5622170F0CE}C:\program files (x86)\steam\steamapps\common\grounded2\augusta\binaries\wingrts\grounded2-wingrts-shipping.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\grounded2\augusta\binaries\wingrts\grounded2-wingrts-shipping.exe => No File
FirewallRules: [UDP Query User{2C3B9A01-B522-4AE1-905E-057CD7D9F26A}C:\program files (x86)\steam\steamapps\common\grounded2\augusta\binaries\wingrts\grounded2-wingrts-shipping.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\grounded2\augusta\binaries\wingrts\grounded2-wingrts-shipping.exe => No File
FirewallRules: [TCP Query User{69232AD3-5C9F-4ACD-88AC-DD379BD9C28D}C:\program files (x86)\steam\steamapps\common\glacier events\bf6event.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\glacier events\bf6event.exe => No File
FirewallRules: [UDP Query User{81DE6C68-CF46-45F4-8B43-87764089E418}C:\program files (x86)\steam\steamapps\common\glacier events\bf6event.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\glacier events\bf6event.exe => No File
FirewallRules: [TCP Query User{4338DEDC-5D88-425D-A8F7-6F64E6F52565}C:\users\justinb\downloads\immoral-bathhouse\immoral-bathhouse.exe] => (Allow) C:\users\justinb\downloads\immoral-bathhouse\immoral-bathhouse.exe => No File
FirewallRules: [UDP Query User{10272282-808B-4545-B9E4-BDFCBF51D982}C:\users\justinb\downloads\immoral-bathhouse\immoral-bathhouse.exe] => (Allow) C:\users\justinb\downloads\immoral-bathhouse\immoral-bathhouse.exe => No File
Folder: C:\Users\JustinB\AppData\Roaming\WinRAR
StartPowerShell:
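# Re-enable and harden Microsoft Defender Antivirus via Set-MpPreference.
# NOTE(review): these settings are only enforced while Defender is the active AV. If a
# third-party AV is registered, Defender runs in passive mode and the values are stored but
# not applied - confirm with Get-MpComputerStatus. Tamper Protection can also cause some
# of these calls to be rejected; check the FRST fixlog for error text after the fix.
try {
    $amMode = (Get-MpComputerStatus -ErrorAction Stop).AMRunningMode
    if ($amMode -and $amMode -ne 'Normal') {
        Write-Warning "Defender AMRunningMode is '$amMode' - the preferences below may not be enforced."
    }
} catch {
    Write-Warning "Get-MpComputerStatus failed: $($_.Exception.Message)"
}
# Enable real-time protection
Set-MpPreference -DisableRealtimeMonitoring $false
# Enable behavioural protection
Set-MpPreference -DisableBehaviorMonitoring $false
# Enable PUP detection
Set-MpPreference -PUAProtection Enabled
# Cloud block level 4 (High+) aggressively blocks unknown files and applies extra checks.
# 0 = default, 1 = moderate, 2 = high, 4 = high+, 6 = zero tolerance (blocks all unknown executables).
Set-MpPreference -CloudBlockLevel 4
# MAPS reporting 2 = Advanced: send detailed information about malicious/unwanted software found on this device
Set-MpPreference -MAPSReporting 2
# Sample submission 1 = send safe samples automatically (files unlikely to contain personal data;
# anything else prompts). 0 = always prompt, 2 = never send, 3 = send all samples.
# Block-at-first-sight below depends on MAPS + sample submission being on.
Set-MpPreference -SubmitSamplesConsent 1
# Network Protection blocks outbound connections from any process to domains/IPs that
# SmartScreen rates as low reputation. It is reputation-based blocking, not HTTP content inspection.
Set-MpPreference -EnableNetworkProtection Enabled
# Block at first sight: hold unknown files for a cloud verdict before they are allowed to run
Set-MpPreference -DisableBlockAtFirstSeen $false
# Scan inside archive files (.zip, .cab, ...) for malware/PUP
Set-MpPreference -DisableArchiveScanning $false
# Include USB and other removable drives in full scans
Set-MpPreference -DisableRemovableDriveScanning $false
# Scan files on network shares
Set-MpPreference -DisableScanningNetworkFiles $false
# Check for new signatures before every scan
Set-MpPreference -CheckForSignaturesBeforeRunningScan $true
# Add 30 s on top of the default 10 s block-at-first-sight cloud wait (40 s total; the
# parameter is an extension, 0-50 s, not an absolute timeout)
Set-MpPreference -CloudExtendedTimeout 30
# IOAV: scan downloaded files and attachments
Set-MpPreference -DisableIOAVProtection $false
# Enable script scanning
Set-MpPreference -DisableScriptScanning $false
# Turn off the automatic server-role exclusions. Fine on a client workstation; on a server
# running SQL/Exchange/Hyper-V/AD DS this removes the vendor-recommended exclusions and can
# hurt performance or stability, so confirm the machine's role before keeping this.
Set-MpPreference -DisableAutoExclusions $true
# Include mapped network drives in full scans
Set-MpPreference -DisableScanningMappedNetworkDrivesForFullScan $false
# Scan email message stores
Set-MpPreference -DisableEmailScanning $false
# Enable the Defender DNS sinkhole (blocking of malicious domains at the DNS level)
Set-MpPreference -EnableDnsSinkhole $true
# Check for signature updates every 12 hours
Set-MpPreference -SignatureUpdateInterval 12
# Automatically quarantine threats rated High and Severe
Set-MpPreference -HighThreatDefaultAction Quarantine
Set-MpPreference -SevereThreatDefaultAction Quarantine
# Pull the latest signatures now
Update-MpSignature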
EndPowerShell:
StartPowerShell:
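# This snippet downloads Emsisoft Emergency Kit (EEK) from Emsisoft's official site, verifies the
# download's Authenticode signature, extracts it, updates it and scans with it.
# Do note that the executable is 300MB and may take some time to download.
# ---
# This will scan for malware and PUP's in 1) system memory 2) important folders as documentation says
# It will scan in compressed archives, in mail archives, in NTFS alternate data streams and use cloud requests
# ---
# You can use argument "/delete" to delete found objects including references but this is permanent and irreversible.
# You can remove the "/quick" argument to do a full scan but that may take longer than what FRST can handle.
# You can use argument "/quarantine="[folder]"" to put found malware into quarantine, but I personally prefer first verifying the detections.
$downloadUrl = "https://dl.emsisoft.com/EmsisoftEmergencyKit.exe"
$systemDrive = $env:SystemDrive
$frstPath = "$systemDrive\FRST"
$savePath = "$frstPath\EEK.exe"
$extractPath = "$frstPath\EEK"
$logPath = "$frstPath\EEK_scan.log"
# Upper bound on the wait for the self-extractor. The previous loop had no bound and would
# hang the FRST fix forever if the download was truncated or the extractor failed.
$extractTimeoutSec = 600
foreach ($dir in @($frstPath, $extractPath)) {
    if (-not (Test-Path $dir)) {
        New-Item -Path $dir -ItemType Directory -Force | Out-Null
    }
}
# Windows PowerShell 5.1 on older builds may not offer TLS 1.2 by default; opt in so the
# HTTPS download does not fail on handshake. No-op where 1.2 is already enabled.
try {
    [Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12
} catch { }
Invoke-WebRequest -Uri $downloadUrl -OutFile $savePath -UseBasicParsing -ErrorAction Stop
# Supply-chain check: TLS only proves we spoke to the host we asked for, not that the file is
# the one the vendor published. Refuse to execute the download unless its Authenticode
# signature chains to a trusted root. (On a machine whose root store has been tampered with
# this will also fail - that is a reason to stop and look, not to skip the check.)
$sig = Get-AuthenticodeSignature -FilePath $savePath
if ($sig.Status -ne 'Valid') {
    Write-Warning "EEK.exe Authenticode status is '$($sig.Status)' - refusing to run an unverified binary."
    exit
}
Write-Output "EEK.exe signer: $($sig.SignerCertificate.Subject)"
# Pick the scanner binary for this OS first so the extraction wait polls for the right file.
if ([Environment]::Is64BitOperatingSystem) {
    $a2cmdPath = Join-Path $extractPath "bin64\a2cmd.exe"
} else {
    $a2cmdPath = Join-Path $extractPath "bin32\a2cmd.exe"
}
# Silent extraction into $extractPath. The extractor stub does not necessarily exit on its
# own (it may open the EEK launcher), so poll for the scanner binary with a deadline.
$proc = Start-Process -FilePath $savePath -ArgumentList "-s -d`"$extractPath`"" -PassThru
$deadline = (Get-Date).AddSeconds($extractTimeoutSec)
while (-not (Test-Path $a2cmdPath)) {
    if ($proc.HasExited -or (Get-Date) -gt $deadline) { break }
    Start-Sleep -Seconds 1
}
if (-not (Test-Path $a2cmdPath)) {
    Stop-Process -Id $proc.Id -Force -ErrorAction SilentlyContinue
    Write-Warning "EEK did not extract $a2cmdPath within $extractTimeoutSec s - aborting scan."
    exit
}
# a2cmd.exe appearing does not mean every file has been written. Give the extractor a short
# grace period to finish and exit on its own; only kill it if it is still around after that.
if (-not $proc.WaitForExit(30000)) {
    Stop-Process -Id $proc.Id -Force -ErrorAction SilentlyContinue
}
Start-Process -FilePath $a2cmdPath -ArgumentList "/update" -Wait -NoNewWindow
Start-Process -FilePath $a2cmdPath -ArgumentList "/malware /quick /m /t /pup /a /am /cloud=1 /la=`"$logPath`"" -Wait -NoNewWindow
# Echo the scan log into the FRST fixlog; warn instead of erroring if the scan produced none.
if (Test-Path $logPath) {
    Get-Content $logPath
} else {
    Write-Warning "EEK scan log not found at $logPath - check that a2cmd ran."
}
exit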
EndPowerShell:
StartPowerShell:
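# Downloads the newest AdwCleaner version directly from Malwarebytes, verifies the download's
# Authenticode signature, accepts the EULA, performs an update, scans, cleans and writes the log to the console
# Does not clean preinstalled objects, only PUP/Adware
# If you would like to delete preinstalled objects, add an argument /preinstalled to the /clean argument
# If you would like to only scan with it, change the argument from /clean to /scan
# NOTE(review): /clean removes everything it detects with no chance to review first. On a
# first pass prefer /scan and read the output before cleaning.
$workDir = "$env:SystemDrive\AdwCleaner"
$exePath = "$workDir\AdwCleanerFRST.exe"
$logFile = "$workDir\AdwCleanerOutputFRST.txt"
New-Item -ItemType Directory -Force -Path $workDir | Out-Null
# Opt in to TLS 1.2 for Windows PowerShell 5.1 on older builds; no-op where already enabled.
try {
    [Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12
} catch { }
# -UseBasicParsing avoids the IE-engine dependency that can make Invoke-WebRequest fail on a
# profile where Internet Explorer first-run setup never completed.
Invoke-WebRequest -Uri "https://adwcleaner.malwarebytes.com/adwcleaner?channel=release" -OutFile $exePath -UseBasicParsing -ErrorAction Stop
# Supply-chain check: do not execute the download unless its Authenticode signature chains to
# a trusted root. HTTPS alone does not prove the file is the one the vendor published.
$sig = Get-AuthenticodeSignature -FilePath $exePath
if ($sig.Status -ne 'Valid') {
    Write-Warning "AdwCleaner Authenticode status is '$($sig.Status)' - refusing to run an unverified binary."
    exit
}
Write-Output "AdwCleaner signer: $($sig.SignerCertificate.Subject)"
# Accept the EULA non-interactively, then run the clean; /noreboot keeps control with FRST.
Start-Process -FilePath $exePath -ArgumentList "/eula" -Wait -WindowStyle Hidden
Start-Process -FilePath $exePath -ArgumentList "/noreboot /clean" -Wait -WindowStyle Hidden -RedirectStandardOutput $logFile
if (Test-Path $logFile) {
    Get-Content $logFile -Encoding Unicode
    Remove-Item -Path $logFile -Force -ErrorAction SilentlyContinue
} else {
    Write-Warning "AdwCleaner produced no output at $logFile"
}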
EndPowerShell:
CMD: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Warn" /f
CMD: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d 1 /f
CMD: netsh int ip reset
CMD: netsh int ipv6 reset
CMD: ipconfig /flushDNS
CMD: netsh winsock reset catalog
C:\Users\CurrentUserName\AppData\Local\Temp\*
C:\Windows\Temp\*
C:\Windows\SystemTemp\*
EmptyTemp:
End::