Start::
CreateRestorePoint:
CloseProcesses:
(svchost.exe ->) (combit Software GmbH -> combit GmbH) C:\Users\Ian\uu.exe\cxMP21.exe
HKU\S-1-5-21-3825509930-1980851130-96655764-1001\...\Run: [combit MX Cross-Bitness Broker] => C:\Users\Ian\uu.exe\cxMP21.exe [265880 2026-05-04] (combit Software GmbH -> combit GmbH) <==== ATTENTION
Task: {BBE7B4FE-BA70-46A3-9934-966446A578D9} - System32\Tasks\combit MX Cross-Bitness Broker => C:\Users\Ian\uu.exe\cxMP21.exe [265880 2026-05-04] (combit Software GmbH -> combit GmbH) <==== ATTENTION
2026-05-04 02:07 - 2026-05-04 02:07 - 000000000 ____D C:\Users\Ian\AppData\Local\Yandex
2026-05-04 02:06 - 2026-05-05 16:30 - 000000000 ____D C:\Users\Ian\uu.exe
2026-05-04 02:31 - 2026-03-24 17:19 - 000000000 ____D C:\Users\Ian\AppData\Roaming\RenPy
HKU\S-1-5-21-3825509930-1980851130-96655764-1001\...\MountPoints2: {c098b86a-3e2e-11f1-9d81-502e91093a8d} - "D:\Autorun.exe"
Task: {4A93D443-6054-49D1-B155-767134440098} - System32\Tasks\ASUS\P508PowerAgent_sdk => C:\Program Files (x86)\ASUS\ArmouryDevice\dll\ShareFromArmouryIII\Mouse\ROG STRIX CARRY\P508PowerAgent.exe (No File)
Task: {F3E6E7ED-A196-4E44-8803-55FAB3AD4E29} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker => %systemroot%\system32\MusNotification.exe (No File)
S0 WinSetupMon; system32\DRIVERS\WinSetupMon.sys (No File)
CustomCLSID: HKU\S-1-5-21-3825509930-1980851130-96655764-1001_Classes\CLSID\{3E89DB6D-F5E8-4B01-B65D-3B292B200003}\localserver32 -> "c:\program files\alienware\alienware command center\utilities\aw.notificationutility\aw.notificationutility.exe" ----AppNotificationActivated: => No File
AlternateDataStreams: C:\Users\Ian\Downloads\EpicInstaller-19.2.3-d4a7ccb3fb4f4861adb166392ddbef21.exe:MBAM.Zone.Identifier [564]
AlternateDataStreams: C:\Users\Ian\Downloads\FRST64.exe:MBAM.Zone.Identifier [450]
AlternateDataStreams: C:\Users\Ian\Downloads\HitmanPro_x64.exe:MBAM.Zone.Identifier [234]
FirewallRules: [{963EE0C5-1D10-4150-9FE1-2BD11D5A4721}] => (Allow) C:\Users\Ian\AppData\Local\Temp\ACFL20260131225751\ACSetup\ACSetup.exe => No File
FirewallRules: [{65D97516-917A-46AE-8117-13036F05245F}] => (Allow) C:\Users\Ian\AppData\Local\Temp\ACFL20260131225751\ACSetup\ACSetup.exe => No File
FirewallRules: [TCP Query User{6C50A995-242E-4B98-9EEF-EC4B6224E4CA}C:\users\ian\appdata\local\discord\app-1.0.9229\discord.exe] => (Block) C:\users\ian\appdata\local\discord\app-1.0.9229\discord.exe => No File
FirewallRules: [UDP Query User{E4316997-9A2D-490E-8271-E2581CB9A43E}C:\users\ian\appdata\local\discord\app-1.0.9229\discord.exe] => (Block) C:\users\ian\appdata\local\discord\app-1.0.9229\discord.exe => No File
FirewallRules: [{150E2557-B9D5-44EC-95B6-312C0B9291E1}] => (Allow) C:\Users\Ian\AppData\Local\Temp\ACFL\ACSetup\ACSetup.exe => No File
FirewallRules: [{868D7323-E0AD-4A00-96D7-E568C40C8E12}] => (Allow) C:\Users\Ian\AppData\Local\Temp\ACFL\ACSetup\ACSetup.exe => No File
2026-05-04 02:22 - 2026-05-04 02:22 - 000003404 _____ C:\WINDOWS\system32\Tasks\combit MX Cross-Bitness Broker
2026-05-04 02:05 - 2026-05-04 02:05 - 000000000 ____D C:\Users\Ian\AppData\Roaming\iot_core
2026-05-04 02:05 - 2026-05-04 02:05 - 000249168 _____ (PortableApps.com) C:\ProgramData\PulseC128.exe
2026-05-04 02:05 - 2026-05-05 15:54 - 000000000 ____D C:\ProgramData\iot_core
StartPowerShell:
# This snippet downloads Emsisoft Emergency Kit (EEK) from Emsisoft's official site, updates it, and scans with it.
# Note that the executable is 300MB and may take some time to download.
# ---
# This will scan for malware and PUPs in 1) system memory and 2) important folders, as the documentation says.
# It will scan inside compressed archives, mail archives and NTFS alternate data streams, and use cloud requests.
# ---
# You can use the argument "/delete" to delete found objects, including references, but this is permanent and irreversible.
# You can remove the "/quick" argument to do a full scan, but that may take longer than what FRST can handle.
# You can use the argument /quarantine="[folder]" to put found malware into quarantine, but I personally prefer first verifying the detections.
$downloadUrl = "https://dl.emsisoft.com/EmsisoftEmergencyKit.exe"
$systemDrive = $env:SystemDrive
$frstPath = "$systemDrive\FRST"
$savePath = "$frstPath\EEK.exe"
$extractPath = "$frstPath\EEK"
if (-not (Test-Path $frstPath)) {
    New-Item -Path $frstPath -ItemType Directory -Force | Out-Null
}
if (-not (Test-Path $extractPath)) {
    New-Item -Path $extractPath -ItemType Directory -Force | Out-Null
}
Invoke-WebRequest -Uri $downloadUrl -OutFile $savePath -UseBasicParsing
$proc = Start-Process -FilePath $savePath -ArgumentList "-s -d`"$extractPath`"" -PassThru
while (-not (Test-Path "$extractPath\bin64\a2cmd.exe")) { Start-Sleep -Milliseconds 1000 }
Stop-Process -Id $proc.Id -Force -ErrorAction SilentlyContinue
if ([Environment]::Is64BitOperatingSystem) {
    $a2cmdPath = Join-Path $extractPath "bin64\a2cmd.exe"
} else {
    $a2cmdPath = Join-Path $extractPath "bin32\a2cmd.exe"
}
Start-Process -FilePath $a2cmdPath -ArgumentList "/update" -Wait -NoNewWindow
Start-Process -FilePath $a2cmdPath -ArgumentList "/malware /quick /m /t /pup /a /am /cloud=1 /la=`"$frstPath\EEK_scan.log`"" -Wait -NoNewWindow
Get-Content "$frstPath\EEK_scan.log"
exit
EndPowerShell:
StartPowerShell:
# Downloads the newest AdwCleaner version directly from Malwarebytes, performs an update, scans, cleans and writes the log to the console.
# Does not clean preinstalled objects, only PUP/adware.
# If you would like to delete preinstalled objects, add the /preinstalled argument alongside the /clean argument.
# If you would like to only scan with it, change the argument from /clean to /scan.
New-Item -ItemType Directory -Force -Path "$env:SystemDrive\AdwCleaner" | Out-Null
Invoke-WebRequest -Uri "https://adwcleaner.malwarebytes.com/adwcleaner?channel=release" -OutFile "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe"
Start-Process -FilePath "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe" -ArgumentList "/eula" -Wait -WindowStyle Hidden
$logFile = "$env:SystemDrive\AdwCleaner\AdwCleanerOutputFRST.txt"
Start-Process -FilePath "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe" -ArgumentList "/noreboot /clean" -Wait -WindowStyle Hidden -RedirectStandardOutput $logFile
Get-Content $logFile -Encoding Unicode
Remove-Item -Path $logFile -Force -ErrorAction SilentlyContinue
EndPowerShell:
CMD: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Warn" /f
CMD: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d 1 /f
CMD: netsh int ip reset
CMD: netsh int ipv6 reset
CMD: ipconfig /flushDNS
CMD: netsh winsock reset catalog
C:\Users\CurrentUserName\AppData\Local\Temp\*
C:\Windows\Temp\*
C:\Windows\SystemTemp\*
EmptyTemp:
End::
Warning
Executing a Fixlist on the wrong system may permanently damage it. Continue only if this link was meant for you.