Start::
CloseProcesses:
2026-05-23 18:22 - 2026-05-23 18:22 - 000000000 ____D C:\Users\Admin\AppData\Roaming\RenPy
AlternateDataStreams: C:\WINDOWS\tracing:? [16]
AlternateDataStreams: C:\Users\Admin\Downloads\FRST64.exe:MBAM.Zone.Identifier [450]
FirewallRules: [TCP Query User{5D92EFEF-27EE-45D5-A080-D73A76A87EBE}K:\sdi_rus\sdi_x64_r2503.exe] => (Allow) K:\sdi_rus\sdi_x64_r2503.exe => No File
FirewallRules: [UDP Query User{B0E3ADFA-90B1-4431-A80B-D131D553B200}K:\sdi_rus\sdi_x64_r2503.exe] => (Allow) K:\sdi_rus\sdi_x64_r2503.exe => No File
FirewallRules: [{B0725B1A-50AD-4421-998B-2FFD837B5A96}] => (Allow) G:\Program Files (x86)\Steam\steam.exe => No File
FirewallRules: [{185CEDF5-0528-4377-8C94-439EA26FAB9B}] => (Allow) G:\Program Files (x86)\Steam\steam.exe => No File
FirewallRules: [{4FE598FD-4E97-4DD0-9816-2D2A3C0D9BEA}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe => No File
FirewallRules: [{C983F9C3-F1E5-404B-96F7-CFF912D4F090}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe => No File
FirewallRules: [{E094B628-0DEC-4C9F-A739-46C7BBECA00D}] => (Allow) J:\SteamLibrary\steamapps\common\Starfield\Starfield.exe => No File
FirewallRules: [{D3F0E174-1D82-4280-84BA-09287D625BB9}] => (Allow) J:\SteamLibrary\steamapps\common\Starfield\Starfield.exe => No File
FirewallRules: [TCP Query User{4D66B01C-7DE6-4DFC-ACF0-69CBC8310302}J:\steamlibrary\steamapps\common\veindemo\vein\binaries\win64\veindemo-win64-test.exe] => (Allow) J:\steamlibrary\steamapps\common\veindemo\vein\binaries\win64\veindemo-win64-test.exe => No File
FirewallRules: [UDP Query User{C765782D-0845-4F06-AD14-8016D0EF5CBB}J:\steamlibrary\steamapps\common\veindemo\vein\binaries\win64\veindemo-win64-test.exe] => (Allow) J:\steamlibrary\steamapps\common\veindemo\vein\binaries\win64\veindemo-win64-test.exe => No File
FirewallRules: [TCP Query User{2E01EDCC-2076-4D96-A115-FE741011621F}C:\program files\gryphlink\games\endfield game\cefview\cefviewwing.exe] => (Allow) C:\program files\gryphlink\games\endfield game\cefview\cefviewwing.exe => No File
FirewallRules: [UDP Query User{765ED8C8-338E-44BC-BFF5-5CD908055056}C:\program files\gryphlink\games\endfield game\cefview\cefviewwing.exe] => (Allow) C:\program files\gryphlink\games\endfield game\cefview\cefviewwing.exe => No File
FirewallRules: [TCP Query User{490F6DB3-503F-4B1F-BD25-71A879FF99F2}J:\steamlibrary\steamapps\common\fallout new vegas\nvmp_storyserver.exe] => (Allow) J:\steamlibrary\steamapps\common\fallout new vegas\nvmp_storyserver.exe => No File
FirewallRules: [UDP Query User{D193B0D8-D2C5-42FD-A9DF-73D69261B444}J:\steamlibrary\steamapps\common\fallout new vegas\nvmp_storyserver.exe] => (Allow) J:\steamlibrary\steamapps\common\fallout new vegas\nvmp_storyserver.exe => No File
HKLM\...\Run: [] => [X]
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-891402112-2820932341-63748822-1001\...\Run: [] => [X]
Task: {13E0CC2D-E7B0-49B9-9372-D7A19617EAF3} - \McAfee\WPS\McAfee Anti-Tracker Scanner -> No File <==== ATTENTION
Task: {1401AF9F-C5B0-4BCA-B333-BA7C959C2C99} - \McAfee\WPS\McAfee Anti-tracker notification -> No File <==== ATTENTION
Task: {2205250E-3422-4139-8766-C666DE4A017A} - \Opera GX scheduled assistant Autoupdate 1760951507 -> No File <==== ATTENTION
Task: {45BE13E3-B8B3-40EE-B290-945DCAD1EC14} - \McAfee\WPS\McAfee Virus Definition Update -> No File <==== ATTENTION
Task: {50F79473-5F23-4603-8C3B-897A3C011B55} - \McAfee\WPS\McAfee Windows Notification Token -> No File <==== ATTENTION
Task: {6D59DDE7-F666-4F5C-A31A-CCEE5AF081D2} - \McAfee\WPS\McAfee Fake Alert Blocker -> No File <==== ATTENTION
Task: {7DFA0B17-F5E9-47D6-8047-B049781A61D1} - \McAfee\WPS\McAfee PC Optimizer Task -> No File <==== ATTENTION
Task: {891172FC-9F89-46A0-A18A-52B844C9869A} - \McAfee\WPS\McAfee Scheduled AV Scan -> No File <==== ATTENTION
Task: {AAA0F9A7-E9E5-4DE8-A556-E10D438AD2D6} - \McAfee\WPS\McAfee Scheduled Tracker Remover -> No File <==== ATTENTION
Task: {ADA7E190-55EA-44E4-A370-37D57FCD0CBA} - \McAfee\WPS\McAfee Message Check -> No File <==== ATTENTION
Task: {C8B2676E-826C-442F-B502-2631547BD874} - \McAfee\wps\McAfee Updater -> No File <==== ATTENTION
Task: {D106DE32-3550-4F86-9B53-30BA05C4C3C5} - \McAfee\WPS\McAfee restart of PC -> No File <==== ATTENTION
Task: {E569C0F8-5F09-4E6D-BD6B-A91B0C387CF8} - \McAfee\WPS\McAfee Health Check -> No File <==== ATTENTION
Task: {E9489E57-C6FE-4B35-A403-A7A76F70E69A} - \McAfee\WPS\McAfee Cloud Configuration Check -> No File <==== ATTENTION
Task: {F3C121A6-AEB4-452F-B9F3-DF60229928BF} - \McAfee\WPS\McAfee Hotfix -> No File <==== ATTENTION
Task: {F3E6E7ED-A196-4E44-8803-55FAB3AD4E29} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker => %systemroot%\system32\MusNotification.exe (No File)
S3 amduw23g-420422-ef8bcf8f; \SystemRoot\System32\DriverStore\FileRepository\u0420422.inf_amd64_cb23ea54e356fea3\B420106\amdkmdag.sys (No File)
S3 cpuz159; \??\C:\WINDOWS\temp\cpuz159\cpuz159_x64.sys (No File) <==== ATTENTION
S3 polarbear-split-tunneling; \??\C:\Program Files\McAfee\WPS\1.34.154.1\vpn\Drivers\x64\SplitTunnelingDriver.sys (No File)
2025-11-19 20:11 - 2025-11-19 20:11 - 000000048 ____R () C:\Users\Admin\AppData\Local\AEFABB7FBAAB663C2AB15D4E60ED2598
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiSpyware] Restriction <==== ATTENTION
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiVirus] Restriction <==== ATTENTION
Endpoint Protection SDK (HKLM\...\{68E1CCB4-4965-4713-BDEB-77F6D6C9BF9D}_is1) (Version: 1.0.2601.7834 - Avira Operations GmbH) Hidden
Folder: C:\Program Files\WindowsApps\PythonSoftwareFoundation.PythonManager_25.0.240.0_x64__3847v3x7pw1km
CHR StartupUrls: Default -> "hxxps://find-it.pro/?utm_source=distr_m"
StartPowershell:
# Replace /scanonly with /clean if you also want to delete items -- however, this will activate a trial license on the system, I do not recommend it
$hmpExe = "$env:TEMP\HitmanPro_x64.exe"
$logFile = "$env:TEMP\HitmanPro_ScanLog.txt"
Invoke-WebRequest -Uri "https://dl.surfright.nl/HitmanPro_x64.exe" -OutFile $hmpExe -UseBasicParsing
$proc = Start-Process $hmpExe -ArgumentList "/ews","/scanonly","/noinstall","/log=`"$logFile`"","/logtype=txt" -Wait -PassThru
if (!(Test-Path $logFile)) { Write-Host "Scan failed (exit $($proc.ExitCode))"; exit 1 }
Get-Content $logFile -Encoding Unicode
EndPowershell:
StartPowerShell:
# Downloads newest AdwCleaner version directly from Malwarebytes, performs an update, scans, cleans and writes the log in console
# Does not clean preinstalled objects, only PUP/Adware
# If you would like to delete preinstalled objects, add an argument /preinstalled to the /clean argument
# If you would like to only scan with it, change the argument from /clean to /scan
# NOTE: For the sake of users from Asia (primarily China), do not use the clean option. It will very likely remove a lot of their important software.
New-Item -ItemType Directory -Force -Path "$env:SystemDrive\AdwCleaner" | Out-Null
Invoke-WebRequest -Uri "https://adwcleaner.malwarebytes.com/adwcleaner?channel=release" -OutFile "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe"
Start-Process -FilePath "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe" -ArgumentList "/eula" -Wait -WindowStyle Hidden
$logFile = "$env:SystemDrive\AdwCleaner\AdwCleanerOutputFRST.txt"
Start-Process -FilePath "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe" -ArgumentList "/noreboot /clean" -Wait -WindowStyle Hidden -RedirectStandardOutput $logFile
Get-Content $logFile -Encoding Unicode
Remove-Item -Path $logFile -Force -ErrorAction SilentlyContinue
EndPowerShell:
Comment: Remove unwanted files from common folders using native removal power of Farbar to include remove on reboot if needed. Please double check the user does not have any applications incorrectly installed in the directories listed below.
C:\ProgramData\*.a3x
C:\ProgramData\*.ahk
C:\ProgramData\*.au3
C:\ProgramData\*.bat
C:\ProgramData\*.cab
C:\ProgramData\*.cmd
C:\ProgramData\*.com
C:\ProgramData\*.dll
C:\ProgramData\*.exe
C:\ProgramData\*.hta
C:\ProgramData\*.jar
C:\ProgramData\*.js
C:\ProgramData\*.jse
C:\ProgramData\*.lnk
C:\ProgramData\*.pif
C:\ProgramData\*.ps1
C:\ProgramData\*.py
C:\ProgramData\*.pyc
C:\ProgramData\*.pyd
C:\ProgramData\*.scr
C:\ProgramData\*.tmp
C:\ProgramData\*.vbe
C:\ProgramData\*.vbs
C:\ProgramData\*.wsf
C:\ProgramData\*.wsh
C:\ProgramData\*.zip
C:\ProgramData\*.rar
C:\ProgramData\*.7z
C:\Users\*\AppData\Roaming\*.au3
C:\Users\*\AppData\Roaming\*.bat
C:\Users\*\AppData\Roaming\*.cab
C:\Users\*\AppData\Roaming\*.cmd
C:\Users\*\AppData\Roaming\*.com
C:\Users\*\AppData\Roaming\*.dll
C:\Users\*\AppData\Roaming\*.exe
C:\Users\*\AppData\Roaming\*.hta
C:\Users\*\AppData\Roaming\*.jar
C:\Users\*\AppData\Roaming\*.js
C:\Users\*\AppData\Roaming\*.jse
C:\Users\*\AppData\Roaming\*.lnk
C:\Users\*\AppData\Roaming\*.pif
C:\Users\*\AppData\Roaming\*.ps1
C:\Users\*\AppData\Roaming\*.py
C:\Users\*\AppData\Roaming\*.pyc
C:\Users\*\AppData\Roaming\*.pyd
C:\Users\*\AppData\Roaming\*.scr
C:\Users\*\AppData\Roaming\*.tmp
C:\Users\*\AppData\Roaming\*.vbe
C:\Users\*\AppData\Roaming\*.vbs
C:\Users\*\AppData\Roaming\*.wsf
C:\Users\*\AppData\Roaming\*.wsh
C:\Users\*\AppData\Roaming\*.zip
C:\Users\*\AppData\Roaming\*.rar
C:\Users\*\AppData\Roaming\*.7z
C:\Users\CurrentUserName\AppData\Local\*.a3x
C:\Users\CurrentUserName\AppData\Local\*.ahk
C:\Users\CurrentUserName\AppData\Local\*.au3
C:\Users\CurrentUserName\AppData\Local\*.bat
C:\Users\CurrentUserName\AppData\Local\*.cab
C:\Users\CurrentUserName\AppData\Local\*.cmd
C:\Users\CurrentUserName\AppData\Local\*.com
C:\Users\CurrentUserName\AppData\Local\*.dll
C:\Users\CurrentUserName\AppData\Local\*.exe
C:\Users\CurrentUserName\AppData\Local\*.hta
C:\Users\CurrentUserName\AppData\Local\*.jar
C:\Users\CurrentUserName\AppData\Local\*.js
C:\Users\CurrentUserName\AppData\Local\*.jse
C:\Users\CurrentUserName\AppData\Local\*.lnk
C:\Users\CurrentUserName\AppData\Local\*.pif
C:\Users\CurrentUserName\AppData\Local\*.ps1
C:\Users\CurrentUserName\AppData\Local\*.py
C:\Users\CurrentUserName\AppData\Local\*.pyc
C:\Users\CurrentUserName\AppData\Local\*.pyd
C:\Users\CurrentUserName\AppData\Local\*.scr
C:\Users\CurrentUserName\AppData\Local\*.tmp
C:\Users\CurrentUserName\AppData\Local\*.vbe
C:\Users\CurrentUserName\AppData\Local\*.vbs
C:\Users\CurrentUserName\AppData\Local\*.wsf
C:\Users\CurrentUserName\AppData\Local\*.wsh
C:\Users\CurrentUserName\AppData\Local\*.zip
C:\Users\CurrentUserName\AppData\Local\*.rar
C:\Users\CurrentUserName\AppData\Local\*.7z
C:\Users\CurrentUserName\AppData\Roaming\*.a3x
C:\Users\CurrentUserName\AppData\Roaming\*.ahk
C:\Users\CurrentUserName\AppData\Roaming\*.au3
C:\Users\CurrentUserName\AppData\Roaming\*.bat
C:\Users\CurrentUserName\AppData\Roaming\*.cab
C:\Users\CurrentUserName\AppData\Roaming\*.cmd
C:\Users\CurrentUserName\AppData\Roaming\*.com
C:\Users\CurrentUserName\AppData\Roaming\*.dll
C:\Users\CurrentUserName\AppData\Roaming\*.exe
C:\Users\CurrentUserName\AppData\Roaming\*.hta
C:\Users\CurrentUserName\AppData\Roaming\*.jar
C:\Users\CurrentUserName\AppData\Roaming\*.js
C:\Users\CurrentUserName\AppData\Roaming\*.jse
C:\Users\CurrentUserName\AppData\Roaming\*.lnk
C:\Users\CurrentUserName\AppData\Roaming\*.pif
C:\Users\CurrentUserName\AppData\Roaming\*.ps1
C:\Users\CurrentUserName\AppData\Roaming\*.py
C:\Users\CurrentUserName\AppData\Roaming\*.pyc
C:\Users\CurrentUserName\AppData\Roaming\*.pyd
C:\Users\CurrentUserName\AppData\Roaming\*.scr
C:\Users\CurrentUserName\AppData\Roaming\*.tmp
C:\Users\CurrentUserName\AppData\Roaming\*.vbe
C:\Users\CurrentUserName\AppData\Roaming\*.vbs
C:\Users\CurrentUserName\AppData\Roaming\*.wsf
C:\Users\CurrentUserName\AppData\Roaming\*.wsh
C:\Users\CurrentUserName\AppData\Roaming\*.zip
C:\Users\CurrentUserName\AppData\Roaming\*.rar
C:\Users\CurrentUserName\AppData\Roaming\*.7z
Comment: Force policy removal
C:\Windows\System32\GroupPolicyUsers
C:\Windows\System32\GroupPolicy
Comment: System repair commands
CMD: DISM.exe /Online /Cleanup-image /Restorehealth
CMD: SFC.exe /scannow
Comment: Network reset commands
CMD: netsh int ip reset
CMD: netsh int ipv6 reset
CMD: ipconfig /flushDNS
CMD: netsh winsock reset catalog
Comment: Additional temp file removal
C:\Windows\System32\config\systemprofile\AppData\Local\*.tmp
C:\WINDOWS\system32\*.tmp
C:\WINDOWS\syswow64\*.tmp
C:\Users\CurrentUserName\AppData\Local\Temp\*
C:\Windows\Temp\*
C:\Windows\SystemTemp\*
EmptyTemp:
End::
Warning
Executing a Fixlist on the wrong system may permanently damage it. Continue only if this link was meant for you.