Start::
SystemRestore: On
CreateRestorePoint:
CloseProcesses:
Startup: C:\Users\INFINIX\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\firewall_db.lnk [2026-05-05] <==== ATTENTION
Startup: C:\Users\INFINIX\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\srvvpn.lnk [2026-05-05] <==== ATTENTION
ShortcutTarget: srvvpn.lnk -> C:\Users\INFINIX\AppData\Local\Temp\tmp-66500-xv6I6UdoXX3x\u0RBYRWf7.exe (Beijing Duyou Science and Technology Co.,Ltd. -> Baidu.com, Inc.) <==== ATTENTION
C:\Users\INFINIX\AppData\Local\Temp\tmp-66500-xv6I6UdoXX3x
ShortcutTarget: firewall_db.lnk -> C:\Users\INFINIX\AppData\Local\Temp\tmp-84344-ADuRrVc1V5ju\XDVpbW9qg.exe (Beijing Duyou Science and Technology Co.,Ltd. -> Baidu.com, Inc.) <==== ATTENTION
C:\Users\INFINIX\AppData\Local\Temp\tmp-84344-ADuRrVc1V5ju
Task: {CF93A261-EED8-44C3-8BCB-4AED75E9F566} - System32\Tasks\GoogleSystem\GoogleUpdater\GoogleUpdaterTaskSystem47.0.7703.CL_NCL_35d4220d8b8adc80{47263A17-2D66-43B9-9692-56314D0C1AEC} => C:\WINDOWS\system32\conhost.exe [1003520 2026-04-18] (Microsoft Windows -> Microsoft Corporation) -> --headless C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -NoP -ExecutionPolicy Bypass -WindowStyle Hidden -EncodedCommand aQBmACgAIQAoAEcAZQB0AC0AUAByAG8AYwBlAHMAcwAgAG0AYwBiAHUAaQBsAGQAZQByACwAbQBmAHAAbQBwACAALQBFAEEAIAAwACkAKQB7AEkAbgB2AG8AawBlAC0AUgBlAHMAdABNAGUAdABoAG8AZAAgADEAOQAzAC (the data entry has 150 more characters). <==== ATTENTION
Task: {F3E6E7ED-A196-4E44-8803-55FAB3AD4E29} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker => %systemroot%\system32\MusNotification.exe (No File)
Task: {B0C13B1E-F043-49D4-9CF9-35B181534A7B} - System32\Tasks\Google Compatibility Appraiser CL_NCL_35d4220d8b8adc80 => C:\WINDOWS\system32\conhost.exe [1003520 2026-04-18] (Microsoft Windows -> Microsoft Corporation) -> --headless C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -NoP -ExecutionPolicy Bypass -WindowStyle Hidden -EncodedCommand aQBmACgAIQAoAEcAZQB0AC0AUAByAG8AYwBlAHMAcwAgAG0AYwBiAHUAaQBsAGQAZQByACwAbQBmAHAAbQBwACAALQBFAEEAIAAwACkAKQB7AEkAbgB2AG8AawBlAC0AUgBlAHMAdABNAGUAdABoAG8AZAAgADEAOQAzAC (the data entry has 150 more characters). <==== ATTENTION
2026-05-05 17:08 - 2026-05-06 03:30 - 000004750 _____ C:\WINDOWS\system32\Tasks\Google Compatibility Appraiser CL_NCL_35d4220d8b8adc80
2026-05-05 17:07 - 2026-05-05 17:07 - 000148552 _____ (360.cn) C:\ProgramData\AxisVerifie.exe
2026-05-05 17:07 - 2026-05-06 16:04 - 000000000 ____D C:\ProgramData\AuthenticateControl
2026-05-05 17:07 - 2026-05-05 17:07 - 000000000 ____D C:\Users\INFINIX\AppData\Roaming\AuthenticateControl
2026-05-05 16:58 - 2026-02-17 17:27 - 000104448 ____N C:\Users\INFINIX\Downloads\Setup.exe
2026-05-05 16:58 - 2026-02-17 17:27 - 000008944 ____N C:\Users\INFINIX\Downloads\Setup.py
2026-05-05 17:07 - 2026-05-05 17:07 - 000148552 _____ (360.cn) C:\ProgramData\AxisVerifie.exe
2026-05-03 12:18 - 2026-05-03 12:18 - 000000000 ____D C:\Users\INFINIX\AppData\LocalLow\SKS
2026-04-24 04:50 - 2026-04-24 15:36 - 000000000 ___HD C:\WINDOWS\msdownld.tmp
2026-05-05 18:22 - 2026-05-06 16:04 - 000000000 ____D C:\ProgramData\resthost
2026-05-05 18:22 - 2026-05-05 18:22 - 000000000 ____D C:\Users\INFINIX\AppData\Roaming\resthost
2026-05-05 17:07 - 2026-05-05 17:07 - 000000000 ____D C:\Users\INFINIX\AppData\Roaming\RenPy
FirewallRules: [TCP Query User{3B465492-36FA-4EFF-8757-06E6C6BA91AE}C:\games\the forest (m4ckd0ge repack)\theforest.exe] => (Allow) C:\games\the forest (m4ckd0ge repack)\theforest.exe => No File
FirewallRules: [UDP Query User{D3ABFD79-76EA-44B7-89C6-13B07A54D99A}C:\games\the forest (m4ckd0ge repack)\theforest.exe] => (Allow) C:\games\the forest (m4ckd0ge repack)\theforest.exe => No File
StartPowerShell:
# Downloads newest AdwCleaner version directly from Malwarebytes, performs an update, scans, cleans and writes the log in console
# Does not clean preinstalled objects, only PUP/Adware
# If you would like to delete preinstalled objects, add an argument /preinstalled to the /clean argument
# If you would like to only scan with it, change the argument from /clean to /scan
New-Item -ItemType Directory -Force -Path "$env:SystemDrive\AdwCleaner" | Out-Null
Invoke-WebRequest -Uri "https://adwcleaner.malwarebytes.com/adwcleaner?channel=release" -OutFile "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe"
Start-Process -FilePath "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe" -ArgumentList "/eula" -Wait -WindowStyle Hidden
$logFile = "$env:SystemDrive\AdwCleaner\AdwCleanerOutputFRST.txt"
Start-Process -FilePath "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe" -ArgumentList "/noreboot /clean" -Wait -WindowStyle Hidden -RedirectStandardOutput $logFile
Get-Content $logFile -Encoding Unicode
Remove-Item -Path $logFile -Force -ErrorAction SilentlyContinue
EndPowerShell:
StartPowershell:
# Replace /scanonly with /clean if you also want to delete items -- however, this will activate a trial license on the system, I do not recommend it
$hmpExe = "$env:TEMP\HitmanPro_x64.exe"
$logFile = "$env:TEMP\HitmanPro_ScanLog.txt"
Invoke-WebRequest -Uri "https://dl.surfright.nl/HitmanPro_x64.exe" -OutFile $hmpExe -UseBasicParsing
$proc = Start-Process $hmpExe -ArgumentList "/ews","/scanonly","/noinstall","/log=`"$logFile`"","/logtype=txt" -Wait -PassThru
if (!(Test-Path $logFile)) { Write-Host "Scan failed (exit $($proc.ExitCode))"; exit 1 }
Get-Content $logFile -Encoding Unicode
EndPowershell:
CMD: netsh int ip reset
CMD: netsh int ipv6 reset
CMD: ipconfig /flushDNS
CMD: netsh winsock reset catalog
C:\Users\CurrentUserName\AppData\Local\Temp\*
C:\Windows\Temp\*
EmptyTemp:
End::
Warning
Executing a Fixlist on the wrong system may permanently damage it. Continue only if this link was meant for you.