Start::
CloseProcesses:
HKU\S-1-5-21-2483020318-1338836712-4241384903-1003\...\Run: [WindowsPowerShell_v1.0 CL_NCL] => conhost.exe --headless powershell.exe -NoP -ExecutionPolicy Bypass -WindowStyle Hidden -Command "" (No File) <==== ATTENTION
Startup: C:\Users\shawk\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CtrlServer_32_ent.lnk [2026-04-10]
2026-05-11 00:49 - 2025-05-12 02:56 - 000000000 ____D C:\Users\shawk\AppData\Roaming\RenPy
CustomCLSID: HKU\S-1-5-21-2483020318-1338836712-4241384903-1003_Classes\CLSID\{6221253f-758c-cb86-b783-b38510669e98}\localserver32 -> "C:\Users\shawk\Downloads\DeskFrame.exe" -ToastActivated => No File
CustomCLSID: HKU\S-1-5-21-2483020318-1338836712-4241384903-1003_Classes\CLSID\{6881D175-2B22-4526-80DB-1B417BBC68A0}\localserver32 -> "c:\program files\musehub\current\musehub.exe" ----AppNotificationActivated: => No File
CustomCLSID: HKU\S-1-5-21-2483020318-1338836712-4241384903-1003_Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}\InprocServer32 -> => No File
CustomCLSID: HKU\S-1-5-21-2483020318-1338836712-4241384903-1003_Classes\CLSID\{9BE266B4-A97C-486E-B993-EAEBAA798D69}\localserver32 -> "C:\Users\shawk\AppData\Local\Microsoft\OneDrive\26.026.0209.0004_1\FileCoAuth.exe" => No File
CustomCLSID: HKU\S-1-5-21-2483020318-1338836712-4241384903-1003_Classes\CLSID\{FB9F2279-E6A0-4475-B239-228423181ADA}\localserver32 -> "d:\steamlibrary\steamapps\common\vrcfacetracking\vrcfacetracking.exe" ----AppNotificationActivated: => No File
AlternateDataStreams: C:\Users\Public\Shared Files:VersionCache [8022]
FirewallRules: [{5307E094-A8A8-4725-9B57-8A1233C4888F}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe => No File
FirewallRules: [{091D8FF2-E067-4274-B9D7-433CB986F9CA}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe => No File
FirewallRules: [TCP Query User{798DAAF0-853A-4098-A740-B7FC39E4E66E}D:\games\call of duty\content\cod.exe] => (Allow) D:\games\call of duty\content\cod.exe => No File
FirewallRules: [UDP Query User{D67FEF44-0195-4872-806C-A18297D82F08}D:\games\call of duty\content\cod.exe] => (Allow) D:\games\call of duty\content\cod.exe => No File
FirewallRules: [TCP Query User{28A95A81-A47D-4EDA-9347-B78697AB400B}F:\downloads\inzoi-insaneramzes\blueclient\binaries\win64\inzoi-win64-shipping.exe] => (Allow) F:\downloads\inzoi-insaneramzes\blueclient\binaries\win64\inzoi-win64-shipping.exe => No File
FirewallRules: [UDP Query User{8DA99041-AAA6-4F11-A4B3-26E767862CE4}F:\downloads\inzoi-insaneramzes\blueclient\binaries\win64\inzoi-win64-shipping.exe] => (Allow) F:\downloads\inzoi-insaneramzes\blueclient\binaries\win64\inzoi-win64-shipping.exe => No File
FirewallRules: [TCP Query User{38FC6DC7-1811-41BF-9E2D-580F0D0356B5}F:\games\ue_5.5\engine\binaries\win64\unrealeditor.exe] => (Allow) F:\games\ue_5.5\engine\binaries\win64\unrealeditor.exe => No File
FirewallRules: [UDP Query User{00F6560D-0116-4693-BB98-FE9EC50087D4}F:\games\ue_5.5\engine\binaries\win64\unrealeditor.exe] => (Allow) F:\games\ue_5.5\engine\binaries\win64\unrealeditor.exe => No File
FirewallRules: [TCP Query User{8F8587BD-F368-4579-B92E-97253BDDC4CE}D:\games\call of duty\content\cod.exe] => (Allow) D:\games\call of duty\content\cod.exe => No File
FirewallRules: [UDP Query User{53BCF7B8-9A0A-477E-9D29-2326DC464BA8}D:\games\call of duty\content\cod.exe] => (Allow) D:\games\call of duty\content\cod.exe => No File
FirewallRules: [TCP Query User{68EAADEB-8777-41EF-AC55-07DF4BD77307}G:\xbox games\grand theft auto v enhanced\content\gta5_enhanced.exe] => (Allow) G:\xbox games\grand theft auto v enhanced\content\gta5_enhanced.exe => No File
FirewallRules: [UDP Query User{817ADEAE-16DA-4685-B444-3B10F3584D00}G:\xbox games\grand theft auto v enhanced\content\gta5_enhanced.exe] => (Allow) G:\xbox games\grand theft auto v enhanced\content\gta5_enhanced.exe => No File
FirewallRules: [TCP Query User{E16C1424-5C02-4746-8C19-1563408EC67B}G:\xbox games\the elder scrolls iv- oblivion remastered\content\oblivionremastered\binaries\wingdk\oblivionremastered-wingdk-shipping.exe] => (Allow) G:\xbox games\the elder scrolls iv- oblivion remastered\content\oblivionremastered\binaries\wingdk\oblivionremastered-wingdk-shipping.exe => No File
FirewallRules: [UDP Query User{7A78F01C-3185-418A-9D38-5E97BA66A7D4}G:\xbox games\the elder scrolls iv- oblivion remastered\content\oblivionremastered\binaries\wingdk\oblivionremastered-wingdk-shipping.exe] => (Allow) G:\xbox games\the elder scrolls iv- oblivion remastered\content\oblivionremastered\binaries\wingdk\oblivionremastered-wingdk-shipping.exe => No File
FirewallRules: [TCP Query User{6B1AD8D7-C3EA-4784-8F19-77813A7FC63D}F:\games\cyberpunk 2077\bin\x64\cyberpunk2077.exe] => (Allow) F:\games\cyberpunk 2077\bin\x64\cyberpunk2077.exe => No File
FirewallRules: [UDP Query User{28369660-0D16-45F2-A1F4-017AD54EAF5B}F:\games\cyberpunk 2077\bin\x64\cyberpunk2077.exe] => (Allow) F:\games\cyberpunk 2077\bin\x64\cyberpunk2077.exe => No File
FirewallRules: [TCP Query User{A75039C0-5D12-44F4-9A7E-3E8112F44F60}G:\xbox games\clair obscur- expedition 33\content\sandfall\binaries\wingdk\sandfall-wingdk-shipping.exe] => (Allow) G:\xbox games\clair obscur- expedition 33\content\sandfall\binaries\wingdk\sandfall-wingdk-shipping.exe => No File
FirewallRules: [UDP Query User{BFEC1AB8-23BE-426E-84E4-FD8B266EE5AC}G:\xbox games\clair obscur- expedition 33\content\sandfall\binaries\wingdk\sandfall-wingdk-shipping.exe] => (Allow) G:\xbox games\clair obscur- expedition 33\content\sandfall\binaries\wingdk\sandfall-wingdk-shipping.exe => No File
FirewallRules: [TCP Query User{62D1A5BD-F728-4B09-AD10-B153A5EB7E71}D:\steamlibrary\steamapps\common\star wars battlefront ii\starwarsbattlefrontii.exe] => (Allow) D:\steamlibrary\steamapps\common\star wars battlefront ii\starwarsbattlefrontii.exe => No File
FirewallRules: [UDP Query User{8F3711ED-E756-4508-AFF6-BDD2D7BB785E}D:\steamlibrary\steamapps\common\star wars battlefront ii\starwarsbattlefrontii.exe] => (Allow) D:\steamlibrary\steamapps\common\star wars battlefront ii\starwarsbattlefrontii.exe => No File
FirewallRules: [TCP Query User{D53B7EB5-7910-4B95-8428-2E752A792ED9}C:\program files (x86)\steam\steamapps\common\marvelrivals\marvelgame\marvel\binaries\win64\webviewsupport.cef904430\render.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\marvelrivals\marvelgame\marvel\binaries\win64\webviewsupport.cef904430\render.exe => No File
FirewallRules: [UDP Query User{9234B9F2-DED5-4D30-8530-89B59A2839DC}C:\program files (x86)\steam\steamapps\common\marvelrivals\marvelgame\marvel\binaries\win64\webviewsupport.cef904430\render.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\marvelrivals\marvelgame\marvel\binaries\win64\webviewsupport.cef904430\render.exe => No File
FirewallRules: [{DE54EEF4-9316-487D-9BE9-8FABE3726C53}] => (Allow) C:\Program Files\Blackmagic Design\DaVinci Resolve\ElementsPanelDaemon.exe => No File
FirewallRules: [TCP Query User{96022117-7909-4D8F-8BCA-6B6D94F9859F}C:\xboxgames\retro classics\content\retroclassics.exe] => (Block) C:\xboxgames\retro classics\content\retroclassics.exe => No File
FirewallRules: [UDP Query User{E93D46B4-B58F-4C28-81D3-DF323F1190AD}C:\xboxgames\retro classics\content\retroclassics.exe] => (Block) C:\xboxgames\retro classics\content\retroclassics.exe => No File
FirewallRules: [{6B50C3AF-34E2-4868-8174-FCBCFABD8B97}] => (Allow) D:\Games\Splitgate 2\Content\PortalWars2\Binaries\WinGDK\PortalWars2Client-WinGDK-Shipping.exe => No File
FirewallRules: [{3B58BFAC-0D69-461B-84BB-EC98DA6C95A4}] => (Allow) D:\Games\Splitgate 2\Content\PortalWars2\Binaries\WinGDK\PortalWars2Client-WinGDK-Shipping.exe => No File
FirewallRules: [TCP Query User{EA97E902-FD51-4C65-9AF9-43AB1E7CF789}D:\steamlibrary\steamapps\common\baldurs gate 3\bin\bg3_dx11.exe] => (Allow) D:\steamlibrary\steamapps\common\baldurs gate 3\bin\bg3_dx11.exe => No File
FirewallRules: [UDP Query User{D5E98DDD-D8C6-4C8D-8F3F-65993E564601}D:\steamlibrary\steamapps\common\baldurs gate 3\bin\bg3_dx11.exe] => (Allow) D:\steamlibrary\steamapps\common\baldurs gate 3\bin\bg3_dx11.exe => No File
FirewallRules: [TCP Query User{4C3F8207-3AD3-4D86-B4F2-4B7714D02005}D:\steamlibrary\steamapps\common\glacier events\bf6event.exe] => (Allow) D:\steamlibrary\steamapps\common\glacier events\bf6event.exe => No File
FirewallRules: [UDP Query User{B7010FA9-B374-4957-AB36-8B003312A43B}D:\steamlibrary\steamapps\common\glacier events\bf6event.exe] => (Allow) D:\steamlibrary\steamapps\common\glacier events\bf6event.exe => No File
FirewallRules: [TCP Query User{FF46E3A3-9785-4F86-8FBF-22E45B1927FA}C:\program files\ea games\battlefield 2042\bf2042.exe] => (Allow) C:\program files\ea games\battlefield 2042\bf2042.exe => No File
FirewallRules: [UDP Query User{20329D5B-65A6-4FC3-858F-966828A2BC19}C:\program files\ea games\battlefield 2042\bf2042.exe] => (Allow) C:\program files\ea games\battlefield 2042\bf2042.exe => No File
FirewallRules: [TCP Query User{CD1C39FF-BD6E-42A1-9BD4-9EB97D422B3F}F:\games\fortnite\fortnitegame\binaries\win64\fortniteclient-win64-shipping.exe] => (Block) F:\games\fortnite\fortnitegame\binaries\win64\fortniteclient-win64-shipping.exe => No File
FirewallRules: [UDP Query User{FAADB6E3-9191-42EF-AAFE-A21415F61334}F:\games\fortnite\fortnitegame\binaries\win64\fortniteclient-win64-shipping.exe] => (Block) F:\games\fortnite\fortnitegame\binaries\win64\fortniteclient-win64-shipping.exe => No File
FirewallRules: [TCP Query User{7D51E070-2332-4639-B0AC-3F629695B513}C:\users\shawk\onedrive\desktop\driver4vr\driver4vr-5.14\driver4vr_osc.exe] => (Allow) C:\users\shawk\onedrive\desktop\driver4vr\driver4vr-5.14\driver4vr_osc.exe => No File
FirewallRules: [UDP Query User{34B2052B-E348-415A-8462-157AFE888966}C:\users\shawk\onedrive\desktop\driver4vr\driver4vr-5.14\driver4vr_osc.exe] => (Allow) C:\users\shawk\onedrive\desktop\driver4vr\driver4vr-5.14\driver4vr_osc.exe => No File
FirewallRules: [TCP Query User{D5B7F239-6111-4554-8963-B90E18C0F179}F:\games\hogwarts legacy\content\phoenix\binaries\wingdk\hogwartslegacy.exe] => (Allow) F:\games\hogwarts legacy\content\phoenix\binaries\wingdk\hogwartslegacy.exe => No File
FirewallRules: [UDP Query User{09E5B991-CCB6-4A3F-9BB8-8D60AA919C3B}F:\games\hogwarts legacy\content\phoenix\binaries\wingdk\hogwartslegacy.exe] => (Allow) F:\games\hogwarts legacy\content\phoenix\binaries\wingdk\hogwartslegacy.exe => No File
FirewallRules: [{76AEDA25-DDFB-4872-ADFE-81EF278359FC}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\SteamVR\bin\win32\vrserver.exe => No File
FirewallRules: [TCP Query User{863DAF4A-64E0-4CF7-9933-55A45F387EDB}C:\xboxgames\kill it with fire 2\content\kani\binaries\wingdk\kani-wingdk-shipping.exe] => (Allow) C:\xboxgames\kill it with fire 2\content\kani\binaries\wingdk\kani-wingdk-shipping.exe => No File
FirewallRules: [UDP Query User{C8933F93-7478-464F-878E-1A59852C8BE9}C:\xboxgames\kill it with fire 2\content\kani\binaries\wingdk\kani-wingdk-shipping.exe] => (Allow) C:\xboxgames\kill it with fire 2\content\kani\binaries\wingdk\kani-wingdk-shipping.exe => No File
FirewallRules: [TCP Query User{64837A7C-9C9A-41EC-81CA-A652815CBE17}C:\users\shawk\appdata\local\tikfinity\app-1.0.4\tikfinity.exe] => (Allow) C:\users\shawk\appdata\local\tikfinity\app-1.0.4\tikfinity.exe => No File
FirewallRules: [UDP Query User{C23C091C-6115-4F32-B35E-20B38B9F7E73}C:\users\shawk\appdata\local\tikfinity\app-1.0.4\tikfinity.exe] => (Allow) C:\users\shawk\appdata\local\tikfinity\app-1.0.4\tikfinity.exe => No File
FirewallRules: [TCP Query User{684E1D22-A03C-4696-92F2-EFCE720CC904}D:\steamlibrary\steamapps\common\arc raiders\pioneergame\binaries\win64\pioneergame.exe] => (Allow) D:\steamlibrary\steamapps\common\arc raiders\pioneergame\binaries\win64\pioneergame.exe => No File
FirewallRules: [UDP Query User{3D0A465C-1367-4FED-B6BE-6241397BE34C}D:\steamlibrary\steamapps\common\arc raiders\pioneergame\binaries\win64\pioneergame.exe] => (Allow) D:\steamlibrary\steamapps\common\arc raiders\pioneergame\binaries\win64\pioneergame.exe => No File
FirewallRules: [{68E7100D-63C9-4CA8-A885-5080FC49DD24}] => (Allow) C:\Program Files (x86)\EaseUS\VoiceWave\bin\easeus.voicewave.exe => No File
FirewallRules: [{49083BC5-6FF5-4F6C-AA59-2AACD5F0F387}] => (Allow) C:\Program Files (x86)\EaseUS\VoiceWave\bin\easeus.evw.vchanger.exe => No File
FirewallRules: [TCP Query User{D56B9135-A3EA-4523-B7BA-E1873B3B3A8D}C:\users\shawk\onedrive\desktop\vrc avatar files\driver4vr\driver4vr-5.14\driver4vr_osc.exe] => (Allow) C:\users\shawk\onedrive\desktop\vrc avatar files\driver4vr\driver4vr-5.14\driver4vr_osc.exe => No File
FirewallRules: [UDP Query User{1A3232CF-85FA-4C67-A61B-617101ACC440}C:\users\shawk\onedrive\desktop\vrc avatar files\driver4vr\driver4vr-5.14\driver4vr_osc.exe] => (Allow) C:\users\shawk\onedrive\desktop\vrc avatar files\driver4vr\driver4vr-5.14\driver4vr_osc.exe => No File
FirewallRules: [TCP Query User{CA816196-C723-4B70-B4AC-85DB7ACCF24D}C:\users\shawk\onedrive\desktop\vcc client\dist\main\main.exe] => (Allow) C:\users\shawk\onedrive\desktop\vcc client\dist\main\main.exe => No File
FirewallRules: [UDP Query User{B448B553-B76A-4A82-A328-2A5B3076515C}C:\users\shawk\onedrive\desktop\vcc client\dist\main\main.exe] => (Allow) C:\users\shawk\onedrive\desktop\vcc client\dist\main\main.exe => No File
FirewallRules: [TCP Query User{77E36800-6A44-467C-9E43-422ECC159499}C:\users\shawk\onedrive\desktop\vcc client\mmvcserversio\mmvcserversio.exe] => (Allow) C:\users\shawk\onedrive\desktop\vcc client\mmvcserversio\mmvcserversio.exe => No File
FirewallRules: [UDP Query User{EE46A9B6-26DB-4BC9-93F8-7D1C568AC009}C:\users\shawk\onedrive\desktop\vcc client\mmvcserversio\mmvcserversio.exe] => (Allow) C:\users\shawk\onedrive\desktop\vcc client\mmvcserversio\mmvcserversio.exe => No File
FirewallRules: [TCP Query User{1A0DDA3C-96B6-4D18-9375-7B43EF255AA7}C:\users\shawk\onedrive\desktop\hytale\package\game\latest\client\hytaleclient.exe] => (Allow) C:\users\shawk\onedrive\desktop\hytale\package\game\latest\client\hytaleclient.exe => No File
FirewallRules: [UDP Query User{85C550CE-73A9-4685-9053-C1378DC369FE}C:\users\shawk\onedrive\desktop\hytale\package\game\latest\client\hytaleclient.exe] => (Allow) C:\users\shawk\onedrive\desktop\hytale\package\game\latest\client\hytaleclient.exe => No File
FirewallRules: [{29b420c6-39ae-4761-8001-662b2227af89}] => (Allow) C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe => No File
FirewallRules: [{6130a4e2-e7b6-44d8-9b03-6322d539c607}] => (Allow) C:\Program Files\ldplayer9box\VBoxNetNAT.exe => No File
FirewallRules: [{2E1D40DA-3E39-42E4-81E4-C94B4543498D}] => (Allow) C:\Program Files\TikTok LIVE Studio\1.12.0\TikTok LIVE Studio.exe => No File
FirewallRules: [{BDD6294F-683C-4672-8AD5-C2888F9253B6}] => (Allow) C:\Program Files\TikTok LIVE Studio\1.12.0\TikTok LIVE Studio.exe => No File
FirewallRules: [{92D11577-D819-4C9C-B9C8-3D35E6CC70A2}] => (Allow) C:\Program Files\TikTok LIVE Studio\1.19.8\TikTok LIVE Studio.exe => No File
FirewallRules: [{0CB0FBB2-DCE6-4400-86D0-50C7A050ED02}] => (Allow) C:\Program Files\TikTok LIVE Studio\1.19.8\TikTok LIVE Studio.exe => No File
FirewallRules: [{A8205BD6-BDD7-4803-A9BC-E7FC0027A824}] => (Allow) C:\Program Files\TikTok LIVE Studio\1.18.6\TikTok LIVE Studio.exe => No File
FirewallRules: [{B8A4B26D-662A-4A04-8C09-6C00E692B8E5}] => (Allow) C:\Program Files\TikTok LIVE Studio\1.18.6\TikTok LIVE Studio.exe => No File
FirewallRules: [{FB0CFDEB-780F-40A0-A659-CF8A2485A0D4}] => (Allow) C:\Program Files\TikTok LIVE Studio\1.18.8\TikTok LIVE Studio.exe => No File
FirewallRules: [{B9AB7F00-9E9C-46FD-92FE-C658F322EC89}] => (Allow) C:\Program Files\TikTok LIVE Studio\1.18.8\TikTok LIVE Studio.exe => No File
FirewallRules: [{1072279C-1BE7-49D3-A815-945A13C62041}] => (Allow) C:\Program Files\TikTok LIVE Studio\1.19.9\TikTok LIVE Studio.exe => No File
FirewallRules: [{161F7625-82E0-4395-B1E6-911CB2F89F2C}] => (Allow) C:\Program Files\TikTok LIVE Studio\1.19.9\TikTok LIVE Studio.exe => No File
FirewallRules: [{68C45901-5818-4F34-AEC2-9B4125123F58}] => (Allow) C:\Program Files\TikTok LIVE Studio\1.22.2\TikTok LIVE Studio.exe => No File
FirewallRules: [{5DC0B289-5907-42D1-8D7B-7817FD679EE9}] => (Allow) C:\Program Files\TikTok LIVE Studio\1.22.2\TikTok LIVE Studio.exe => No File
FirewallRules: [{49031852-7960-4CB5-8A66-4EF6D841BA84}] => (Allow) C:\Program Files\TikTok LIVE Studio\1.21.4\TikTok LIVE Studio.exe => No File
FirewallRules: [{24D68F70-5EF3-4958-A1A5-C24DEB4AFDA6}] => (Allow) C:\Program Files\TikTok LIVE Studio\1.21.4\TikTok LIVE Studio.exe => No File
FirewallRules: [TCP Query User{8480874C-054F-45BF-9646-5A6203BCE138}F:\games\resident evil requiem\re9.exe] => (Block) F:\games\resident evil requiem\re9.exe => No File
FirewallRules: [UDP Query User{8FE212BA-6748-485B-AFB2-25EBE1FF1979}F:\games\resident evil requiem\re9.exe] => (Block) F:\games\resident evil requiem\re9.exe => No File
FirewallRules: [{5CC5FC19-E77A-46B5-9883-BC462F3A660E}] => (Allow) C:\Program Files\TikTok LIVE Studio\1.23.2\TikTok LIVE Studio.exe => No File
FirewallRules: [{217F019D-A8C4-487E-9FEA-63843FA631A6}] => (Allow) C:\Program Files\TikTok LIVE Studio\1.23.2\TikTok LIVE Studio.exe => No File
FirewallRules: [{275506C5-CD04-4893-A70A-9AA243663A0E}] => (Allow) C:\Program Files\TikTok LIVE Studio\1.25.4\TikTok LIVE Studio.exe => No File
FirewallRules: [{ACAB7DB4-D2A1-4514-A811-17CEC3C10958}] => (Allow) C:\Program Files\TikTok LIVE Studio\1.25.4\TikTok LIVE Studio.exe => No File
FirewallRules: [TCP Query User{1053D64D-77F2-492B-8B92-06520D748DDB}C:\users\shawk\appdata\local\discord\app-1.0.9234\discord.exe] => (Allow) C:\users\shawk\appdata\local\discord\app-1.0.9234\discord.exe => No File
FirewallRules: [UDP Query User{5A663D0B-08DE-4235-BCFD-0C1082A6A876}C:\users\shawk\appdata\local\discord\app-1.0.9234\discord.exe] => (Allow) C:\users\shawk\appdata\local\discord\app-1.0.9234\discord.exe => No File
FirewallRules: [TCP Query User{92911CE9-C14F-499D-B4FC-A64721A91457}C:\program files\streamlabs obs\resources\app.asar.unpacked\node_modules\obs-studio-node\obs64.exe] => (Allow) C:\program files\streamlabs obs\resources\app.asar.unpacked\node_modules\obs-studio-node\obs64.exe => No File
FirewallRules: [UDP Query User{74462141-6C40-43BD-853E-67B2D3FDFA09}C:\program files\streamlabs obs\resources\app.asar.unpacked\node_modules\obs-studio-node\obs64.exe] => (Allow) C:\program files\streamlabs obs\resources\app.asar.unpacked\node_modules\obs-studio-node\obs64.exe => No File
FirewallRules: [{9FC163B8-8521-464D-A62C-E96B459711E2}] => (Allow) C:\Program Files\TikTok LIVE Studio\1.26.0\TikTok LIVE Studio.exe => No File
FirewallRules: [{8998868C-62D7-4566-A1CB-629661B86892}] => (Allow) C:\Program Files\TikTok LIVE Studio\1.26.0\TikTok LIVE Studio.exe => No File
FirewallRules: [TCP Query User{BC6039E9-53BF-48C8-9378-AD2D08DC8239}C:\users\shawk\appdata\local\discord\app-1.0.9235\discord.exe] => (Block) C:\users\shawk\appdata\local\discord\app-1.0.9235\discord.exe => No File
FirewallRules: [UDP Query User{C0A870EC-0824-4D30-BD29-7AB8F10E36CF}C:\users\shawk\appdata\local\discord\app-1.0.9235\discord.exe] => (Block) C:\users\shawk\appdata\local\discord\app-1.0.9235\discord.exe => No File
FirewallRules: [TCP Query User{BA3965E3-8DAD-45D4-B7A6-C029CD91BA65}C:\users\shawk\onedrive\desktop\vmt\vmt_manager\vmt_manager.exe] => (Allow) C:\users\shawk\onedrive\desktop\vmt\vmt_manager\vmt_manager.exe => No File
FirewallRules: [UDP Query User{3FBBA871-29D1-4FDE-B2BB-DFC68E9FA388}C:\users\shawk\onedrive\desktop\vmt\vmt_manager\vmt_manager.exe] => (Allow) C:\users\shawk\onedrive\desktop\vmt\vmt_manager\vmt_manager.exe => No File
FirewallRules: [TCP Query User{1E856DD1-7295-4DD5-BF48-09C7EE5A0234}C:\users\shawk\onedrive\desktop\speakerbot\speaker.bot.exe] => (Allow) C:\users\shawk\onedrive\desktop\speakerbot\speaker.bot.exe => No File
FirewallRules: [UDP Query User{D009BC9E-82E3-411D-93A5-8B432555F3B7}C:\users\shawk\onedrive\desktop\speakerbot\speaker.bot.exe] => (Allow) C:\users\shawk\onedrive\desktop\speakerbot\speaker.bot.exe => No File
FirewallRules: [{198B524B-F302-478D-835C-980E4912D134}] => (Allow) C:\Program Files (x86)\Overwolf\0.296.3.3\OverwolfBrowser.exe => No File
FirewallRules: [{5F842A1A-253A-4FF4-B98A-EF174C0F55F8}] => (Allow) C:\Program Files (x86)\Overwolf\0.296.3.3\OverwolfBrowser.exe => No File
FirewallRules: [{7D2A3EDF-857E-4BE7-902D-0ED0E26C5830}] => (Block) C:\Program Files (x86)\Overwolf\0.296.3.3\OverwolfBrowser.exe => No File
FirewallRules: [{544DAA68-858E-4622-B7C0-DC35590BAF3C}] => (Block) C:\Program Files (x86)\Overwolf\0.296.3.3\OverwolfBrowser.exe => No File
FirewallRules: [TCP Query User{A8BD0016-71BD-4822-A307-8D4996A2D7A2}C:\users\shawk\appdata\local\discord\app-1.0.9237\discord.exe] => (Block) C:\users\shawk\appdata\local\discord\app-1.0.9237\discord.exe => No File
FirewallRules: [UDP Query User{7B400A18-5736-4FB7-9E2D-4D464FD29FF0}C:\users\shawk\appdata\local\discord\app-1.0.9237\discord.exe] => (Block) C:\users\shawk\appdata\local\discord\app-1.0.9237\discord.exe => No File
FirewallRules: [TCP Query User{DB062400-A953-4D44-8900-49B27E835BE8}D:\games\subnautica 2\subnautica2\binaries\win64\subnautica2-win64-shipping.exe] => (Block) D:\games\subnautica 2\subnautica2\binaries\win64\subnautica2-win64-shipping.exe => No File
FirewallRules: [UDP Query User{6ED222D6-9123-42CD-82F6-AE5274610129}D:\games\subnautica 2\subnautica2\binaries\win64\subnautica2-win64-shipping.exe] => (Block) D:\games\subnautica 2\subnautica2\binaries\win64\subnautica2-win64-shipping.exe => No File
FirewallRules: [{CC4ECA1D-7B44-4783-8EA7-92B28A419336}] => (Allow) C:\Program Files\TikTok LIVE Studio\1.27.0\TikTok LIVE Studio.exe => No File
FirewallRules: [{079BA4D2-FAA8-41EC-A81A-8058265CA3F1}] => (Allow) C:\Program Files\TikTok LIVE Studio\1.27.0\TikTok LIVE Studio.exe => No File
HKLM\...\Run: [Cortana] => [X]
HKLM\...\Run: [DubbingAI] => "C:\Program Files\DubbingAI\DubbingAI.exe" -AutoStart (No File)
HKLM-x32\...\RunOnce: [usbfltrb] => [X]
HKU\S-1-5-21-2483020318-1338836712-4241384903-1003\...\MountPoints2: {279799d1-572e-11f1-8671-e8473aeb86c0} - "H:\Autoplay.exe" -auto
ShortcutTarget: CtrlServer_32_ent.lnk -> C:\ProgramData\webshield\InfoAggregator.exe (No File)
Task: {8C747574-0CBB-4E21-A87F-CFC4903D9417} - System32\Tasks\Login Auto Start Dubbing Task => C:\Program Files\DubbingAI\DubbingAI.exe -AutoStart (No File)
Task: {F3E6E7ED-A196-4E44-8803-55FAB3AD4E29} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker => %systemroot%\system32\MusNotification.exe (No File)
FF Plugin: @videolan.org/vlc,version=3.0.21 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [No File]
S3 AppShellElevationService; "C:\Program Files\TikTok LIVE Studio\1.12.0\elevation_service.exe" (No File)
S3 cpuz159; \??\C:\Windows\temp\cpuz159\cpuz159_x64.sys (No File) <==== ATTENTION
S3 EAAntiCheat; system32\drivers\eaanticheat.sys (No File)
U4 npcap_wifi; no ImagePath
2026-05-16 02:29 - 2026-05-16 02:29 - 000000000 ____D C:\Users\shawk\AppData\Local\22bfc34d90b64054809542014fc9eb32
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate: Restriction <==== ATTENTION
Folder: C:\Users\shawk\AppData\Local\app_shell_cache_8311
2026-05-26 21:39 - 2026-05-26 21:39 - 000000000 ____D C:\Users\shawk\AppData\Local\app_shell_cache_8311
StartPowershell:
# Replace /scanonly with /clean if you also want to delete items. However, this will activate a trial license on the system; I do not recommend it.
$hmpExe = "$env:TEMP\HitmanPro_x64.exe"
$logFile = "$env:TEMP\HitmanPro_ScanLog.txt"
Invoke-WebRequest -Uri "https://dl.surfright.nl/HitmanPro_x64.exe" -OutFile $hmpExe -UseBasicParsing
$proc = Start-Process $hmpExe -ArgumentList "/ews","/scanonly","/noinstall","/log=`"$logFile`"","/logtype=txt" -Wait -PassThru
if (!(Test-Path $logFile)) { Write-Host "Scan failed (exit $($proc.ExitCode))"; exit 1 }
Get-Content $logFile -Encoding Unicode
EndPowershell:
StartPowerShell:
# Downloads newest AdwCleaner version directly from Malwarebytes, performs an update, scans, cleans and writes the log in console
# Does not clean preinstalled objects, only PUP/Adware
# If you would like to delete preinstalled objects, add an argument /preinstalled to the /clean argument
# If you would like to only scan with it, change the argument from /clean to /scan
# NOTE: For the sake of users from Asia (primarily China), do not use the clean option. It will very likely remove a lot of their important software.
New-Item -ItemType Directory -Force -Path "$env:SystemDrive\AdwCleaner" | Out-Null
Invoke-WebRequest -Uri "https://adwcleaner.malwarebytes.com/adwcleaner?channel=release" -OutFile "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe"
Start-Process -FilePath "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe" -ArgumentList "/eula" -Wait -WindowStyle Hidden
$logFile = "$env:SystemDrive\AdwCleaner\AdwCleanerOutputFRST.txt"
Start-Process -FilePath "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe" -ArgumentList "/noreboot /clean" -Wait -WindowStyle Hidden -RedirectStandardOutput $logFile
Get-Content $logFile -Encoding Unicode
Remove-Item -Path $logFile -Force -ErrorAction SilentlyContinue
EndPowerShell:
Comment: Verify that Discord does not have any injected code to intercept personal data. If anything is output here, check that it is not malicious code.
Powershell: @("$env:APPDATA","$env:LOCALAPPDATA") | ForEach-Object { Get-ChildItem $_ -Recurse -Filter "index.js" -ErrorAction SilentlyContinue } | Where-Object { $_.FullName -match "discord_desktop_core" } | ForEach-Object { Write-Host "--- $($_.FullName) ---"; (Get-Content $_.FullName -Raw).Substring(0,[Math]::Min(2000,(Get-Content $_.FullName -Raw).Length)) }
Comment: Remove unwanted files from common folders using Farbar's native removal, which includes removal on reboot if needed. Please double-check that the user does not have any applications incorrectly installed in the directories listed below.
C:\ProgramData\*.a3x
C:\ProgramData\*.ahk
C:\ProgramData\*.au3
C:\ProgramData\*.bat
C:\ProgramData\*.cab
C:\ProgramData\*.cmd
C:\ProgramData\*.com
C:\ProgramData\*.dll
C:\ProgramData\*.exe
C:\ProgramData\*.hta
C:\ProgramData\*.jar
C:\ProgramData\*.js
C:\ProgramData\*.jse
C:\ProgramData\*.lnk
C:\ProgramData\*.pif
C:\ProgramData\*.ps1
C:\ProgramData\*.py
C:\ProgramData\*.pyc
C:\ProgramData\*.pyd
C:\ProgramData\*.scr
C:\ProgramData\*.tmp
C:\ProgramData\*.vbe
C:\ProgramData\*.vbs
C:\ProgramData\*.wsf
C:\ProgramData\*.wsh
C:\ProgramData\*.zip
C:\ProgramData\*.rar
C:\ProgramData\*.7z
C:\Users\*\AppData\Roaming\*.au3
C:\Users\*\AppData\Roaming\*.bat
C:\Users\*\AppData\Roaming\*.cab
C:\Users\*\AppData\Roaming\*.cmd
C:\Users\*\AppData\Roaming\*.com
C:\Users\*\AppData\Roaming\*.dll
C:\Users\*\AppData\Roaming\*.exe
C:\Users\*\AppData\Roaming\*.hta
C:\Users\*\AppData\Roaming\*.jar
C:\Users\*\AppData\Roaming\*.js
C:\Users\*\AppData\Roaming\*.jse
C:\Users\*\AppData\Roaming\*.lnk
C:\Users\*\AppData\Roaming\*.pif
C:\Users\*\AppData\Roaming\*.ps1
C:\Users\*\AppData\Roaming\*.py
C:\Users\*\AppData\Roaming\*.pyc
C:\Users\*\AppData\Roaming\*.pyd
C:\Users\*\AppData\Roaming\*.scr
C:\Users\*\AppData\Roaming\*.tmp
C:\Users\*\AppData\Roaming\*.vbe
C:\Users\*\AppData\Roaming\*.vbs
C:\Users\*\AppData\Roaming\*.wsf
C:\Users\*\AppData\Roaming\*.wsh
C:\Users\*\AppData\Roaming\*.zip
C:\Users\*\AppData\Roaming\*.rar
C:\Users\*\AppData\Roaming\*.7z
C:\Users\CurrentUserName\AppData\Local\*.a3x
C:\Users\CurrentUserName\AppData\Local\*.ahk
C:\Users\CurrentUserName\AppData\Local\*.au3
C:\Users\CurrentUserName\AppData\Local\*.bat
C:\Users\CurrentUserName\AppData\Local\*.cab
C:\Users\CurrentUserName\AppData\Local\*.cmd
C:\Users\CurrentUserName\AppData\Local\*.com
C:\Users\CurrentUserName\AppData\Local\*.dll
C:\Users\CurrentUserName\AppData\Local\*.exe
C:\Users\CurrentUserName\AppData\Local\*.hta
C:\Users\CurrentUserName\AppData\Local\*.jar
C:\Users\CurrentUserName\AppData\Local\*.js
C:\Users\CurrentUserName\AppData\Local\*.jse
C:\Users\CurrentUserName\AppData\Local\*.lnk
C:\Users\CurrentUserName\AppData\Local\*.pif
C:\Users\CurrentUserName\AppData\Local\*.ps1
C:\Users\CurrentUserName\AppData\Local\*.py
C:\Users\CurrentUserName\AppData\Local\*.pyc
C:\Users\CurrentUserName\AppData\Local\*.pyd
C:\Users\CurrentUserName\AppData\Local\*.scr
C:\Users\CurrentUserName\AppData\Local\*.tmp
C:\Users\CurrentUserName\AppData\Local\*.vbe
C:\Users\CurrentUserName\AppData\Local\*.vbs
C:\Users\CurrentUserName\AppData\Local\*.wsf
C:\Users\CurrentUserName\AppData\Local\*.wsh
C:\Users\CurrentUserName\AppData\Local\*.zip
C:\Users\CurrentUserName\AppData\Local\*.rar
C:\Users\CurrentUserName\AppData\Local\*.7z
C:\Users\CurrentUserName\AppData\Roaming\*.a3x
C:\Users\CurrentUserName\AppData\Roaming\*.ahk
C:\Users\CurrentUserName\AppData\Roaming\*.au3
C:\Users\CurrentUserName\AppData\Roaming\*.bat
C:\Users\CurrentUserName\AppData\Roaming\*.cab
C:\Users\CurrentUserName\AppData\Roaming\*.cmd
C:\Users\CurrentUserName\AppData\Roaming\*.com
C:\Users\CurrentUserName\AppData\Roaming\*.dll
C:\Users\CurrentUserName\AppData\Roaming\*.exe
C:\Users\CurrentUserName\AppData\Roaming\*.hta
C:\Users\CurrentUserName\AppData\Roaming\*.jar
C:\Users\CurrentUserName\AppData\Roaming\*.js
C:\Users\CurrentUserName\AppData\Roaming\*.jse
C:\Users\CurrentUserName\AppData\Roaming\*.lnk
C:\Users\CurrentUserName\AppData\Roaming\*.pif
C:\Users\CurrentUserName\AppData\Roaming\*.ps1
C:\Users\CurrentUserName\AppData\Roaming\*.py
C:\Users\CurrentUserName\AppData\Roaming\*.pyc
C:\Users\CurrentUserName\AppData\Roaming\*.pyd
C:\Users\CurrentUserName\AppData\Roaming\*.scr
C:\Users\CurrentUserName\AppData\Roaming\*.tmp
C:\Users\CurrentUserName\AppData\Roaming\*.vbe
C:\Users\CurrentUserName\AppData\Roaming\*.vbs
C:\Users\CurrentUserName\AppData\Roaming\*.wsf
C:\Users\CurrentUserName\AppData\Roaming\*.wsh
C:\Users\CurrentUserName\AppData\Roaming\*.zip
C:\Users\CurrentUserName\AppData\Roaming\*.rar
C:\Users\CurrentUserName\AppData\Roaming\*.7z
Comment: Force policy removal
C:\Windows\System32\GroupPolicyUsers
C:\Windows\System32\GroupPolicy
Comment: System repair commands
CMD: DISM.exe /Online /Cleanup-image /Restorehealth
CMD: SFC.exe /scannow
Comment: Network reset commands
CMD: netsh int ip reset
CMD: netsh int ipv6 reset
CMD: ipconfig /flushDNS
CMD: netsh winsock reset catalog
Comment: Additional temp file removal
C:\Windows\System32\config\systemprofile\AppData\Local\*.tmp
C:\WINDOWS\system32\*.tmp
C:\WINDOWS\syswow64\*.tmp
C:\Users\CurrentUserName\AppData\Local\Temp\*
C:\Windows\Temp\*
C:\Windows\SystemTemp\*
EmptyTemp:
End::
Warning
Executing a Fixlist on the wrong system may permanently damage it. Continue only if this link was meant for you.