Malware Log Analysis

shared / FreFilms

Start::
SystemRestore: On
CreateRestorePoint:
CloseProcesses:
StartPowerShell:
# This snippet uses Sysinternals Sigcheck to upload a file to VirusTotal.
# Change the line containing the string "INSERTFILEPATHHERE" to the desired file path.
# ---
# It displays the following: entropy, file hashes, catalog name & signing chain, VirusTotal scan results and a link to them.
# It is also able to traverse symbolic links and directory junctions.
# ---
# NOTE: If the file is not already known, it gets uploaded to VirusTotal and the result will be available in a few minutes.
# You can look up the report by visiting the URL "https://www.virustotal.com/gui/file/<SHA256>"
$TempDir = [System.IO.Path]::GetTempPath()
$ZipPath = Join-Path $TempDir "SigcheckFRST.zip"
$ExtractPath = Join-Path $TempDir "SigcheckFRST"
Invoke-WebRequest -Uri "https://download.sysinternals.com/files/Sigcheck.zip" -OutFile $ZipPath -UseBasicParsing
if (Test-Path $ExtractPath) { Remove-Item $ExtractPath -Recurse -Force }
Expand-Archive -Path $ZipPath -DestinationPath $ExtractPath -Force
$SigcheckExe = Join-Path $ExtractPath "sigcheck.exe"
if (Test-Path $SigcheckExe) {
    # Run sigcheck with redirected output so the result lands in the FRST fix log
    $psi = New-Object System.Diagnostics.ProcessStartInfo
    $psi.FileName = $SigcheckExe
    $psi.Arguments = '-accepteula -a -h -i -m -l -vt -vs -nobanner "C:\Users\vitek\AppData\Local\Temp\MicrosoftEdgeUpdate\python313.adml"'
    $psi.RedirectStandardOutput = $true
    $psi.StandardOutputEncoding = [System.Text.Encoding]::Unicode
    $psi.UseShellExecute = $false
    $psi.CreateNoWindow = $true
    $p = [System.Diagnostics.Process]::Start($psi)
    $output = $p.StandardOutput.ReadToEnd()
    $p.WaitForExit()
    Write-Output $output
} else {
    Write-Host "Error: Sigcheck does not exist"
}
Remove-Item $ZipPath -Force
EndPowerShell:
CustomCLSID: HKU\S-1-5-21-931096058-3825193417-906467393-1001_Classes\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\InprocServer32 -> C:\Users\vitek\AppData\Local\Microsoft\TeamsMeetingAdd-in\1.24.14501\x64\Microsoft.Teams.AddinLoader.dll => No File
AlternateDataStreams: C:\Users\vitek\Data aplikací:c15540c89c88cd704ccd25de5f07f873 [394]
AlternateDataStreams: C:\Users\vitek\AppData\Roaming:c15540c89c88cd704ccd25de5f07f873 [394]
FirewallRules: [{AEE27D1D-4E15-47E4-8C76-9A36210C4F56}] => (Allow) C:\AgeoftheRing\rotwk\game.dat => No File
FirewallRules: [{2D0D3495-5CBA-4FEC-8A36-439739021544}] => (Allow) C:\AgeoftheRing\rotwk\game.dat => No File
FirewallRules: [{09E0E1A7-5CCE-4C0C-8881-22F71A59EBD0}] => (Allow) C:\Users\vitek\AppData\Local\Temp\ACFL20251018183046\ACSetup\ACSetup.exe => No File
FirewallRules: [{252E97C7-07C0-4B51-95E8-8835365EBA9E}] => (Allow) C:\Users\vitek\AppData\Local\Temp\ACFL20251018183046\ACSetup\ACSetup.exe => No File
FirewallRules: [UDP Query User{9ED96FCA-9497-478A-ADCF-D8C88F606E90}C:\program files (x86)\electronic arts\the lord of the rings, the rise of the witch-king\lotrbfme2ep1.exe] => (Allow) C:\program files (x86)\electronic arts\the lord of the rings, the rise of the witch-king\lotrbfme2ep1.exe => No File
FirewallRules: [TCP Query User{06A0A115-9AD1-42A7-83B0-DCA17B723739}C:\program files (x86)\electronic arts\the lord of the rings, the rise of the witch-king\lotrbfme2ep1.exe] => (Allow) C:\program files (x86)\electronic arts\the lord of the rings, the rise of the witch-king\lotrbfme2ep1.exe => No File
FirewallRules: [{9017DDE6-2F42-4E75-B00F-CAD0785DE0D8}] => (Allow) C:\Program Files (x86)\Electronic Arts\The Lord of the Rings, The Rise of the Witch-king\lotrbfme2ep1.exe => No File
FirewallRules: [{018847D4-3ACB-4FD9-85BA-4398C3CC0C23}] => (Allow) C:\Program Files (x86)\Electronic Arts\The Lord of the Rings, The Rise of the Witch-king\lotrbfme2ep1.exe => No File
FirewallRules: [UDP Query User{C6FB3387-C67B-4C83-9056-DA7D4628BD7E}C:\program files (x86)\steam\steamapps\common\total war rome ii\rome2.exe] => (Block) C:\program files (x86)\steam\steamapps\common\total war rome ii\rome2.exe => No File
FirewallRules: [TCP Query User{EB8B7311-C14B-4F80-A9F0-55740BB0A969}C:\program files (x86)\steam\steamapps\common\total war rome ii\rome2.exe] => (Block) C:\program files (x86)\steam\steamapps\common\total war rome ii\rome2.exe => No File
FirewallRules: [UDP Query User{8A2EDAD2-A2F7-4D8D-9155-E4A2A506B4AC}C:\program files\creality slicer 4.8.2\crealityslicer.exe] => (Allow) C:\program files\creality slicer 4.8.2\crealityslicer.exe => No File
FirewallRules: [TCP Query User{5332A4C6-FDAB-4928-87B8-B05B1CC1875D}C:\program files\creality slicer 4.8.2\crealityslicer.exe] => (Allow) C:\program files\creality slicer 4.8.2\crealityslicer.exe => No File
FirewallRules: [{03A92297-2348-4D0D-BC11-70CC4CA96F9C}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe => No File
FirewallRules: [{168298C7-E335-4452-BE59-480434D893E4}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe => No File
FirewallRules: [{1955F582-6535-44D3-9EFA-A1A5F317E9C1}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Total War Rome II\launcher\launcher.exe => No File
FirewallRules: [{6732748C-0492-4610-A546-969230972EB4}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Total War Rome II\launcher\launcher.exe => No File
FirewallRules: [TCP Query User{FAD2A417-3B3D-416D-881D-4CF4AA64ECF0}C:\program files (x86)\steam\steamapps\common\total war rome ii\rome2.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\total war rome ii\rome2.exe => No File
FirewallRules: [UDP Query User{6C861075-3A44-402E-825A-EFE9B5BB4CBA}C:\program files (x86)\steam\steamapps\common\total war rome ii\rome2.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\total war rome ii\rome2.exe => No File
FirewallRules: [{00DF1C1A-80F0-4E6A-995E-1A08875B6BF0}] => (Allow) C:\Program Files (x86)\Electronic Arts\The Battle for Middle-earth (tm) II\game.dat => No File
FirewallRules: [{AADB5AA9-9EC4-47E7-9419-DC8616DA2CCB}] => (Allow) C:\Program Files (x86)\Electronic Arts\The Battle for Middle-earth (tm) II\game.dat => No File
FirewallRules: [{CF18D813-BAE0-44CE-B075-F1073485BA95}] => (Allow) C:\Program Files (x86)\Electronic Arts\The Lord of the Rings, The Rise of the Witch-king\game.dat => No File
FirewallRules: [{BFC0938B-A468-4D4F-823E-82A4C2B1CC9B}] => (Allow) C:\Program Files (x86)\Electronic Arts\The Lord of the Rings, The Rise of the Witch-king\game.dat => No File
FirewallRules: [TCP Query User{9DD6B7CC-4FA9-4E26-88ED-688F24FC270F}C:\program files (x86)\electronic arts\the lord of the rings, the rise of the witch-king\game.dat] => (Allow) C:\program files (x86)\electronic arts\the lord of the rings, the rise of the witch-king\game.dat => No File
FirewallRules: [UDP Query User{B8F9F8B9-57FA-4FFD-B59A-1E4A926C0EDD}C:\program files (x86)\electronic arts\the lord of the rings, the rise of the witch-king\game.dat] => (Allow) C:\program files (x86)\electronic arts\the lord of the rings, the rise of the witch-king\game.dat => No File
FirewallRules: [{F43310F2-7A2F-4377-A1E4-D852BECAA434}] => (Allow) C:\Program Files (x86)\Electronic Arts\The Battle for Middle-earth (tm) II\game.dat => No File
FirewallRules: [{42005C77-2003-4179-9E7C-30DA9113970B}] => (Allow) C:\Program Files (x86)\Electronic Arts\The Battle for Middle-earth (tm) II\game.dat => No File
FirewallRules: [{32E42B4A-907C-4D0F-8936-E98695412618}] => (Allow) C:\Users\vitek\AppData\Local\Temp\ACFL20260226121228\ACSetup\ACSetup.exe => No File
FirewallRules: [{1677CFE1-C5EA-4094-B2C8-D081291A2821}] => (Allow) C:\Users\vitek\AppData\Local\Temp\ACFL20260226121228\ACSetup\ACSetup.exe => No File
FirewallRules: [{7AB2C48A-3130-485D-B48D-B917DA47C6EA}] => (Allow) C:\Users\vitek\AppData\Local\Temp\ACFL\ACSetup\ACSetup.exe => No File
FirewallRules: [{21070558-6433-4777-9226-5DE2A1D637D8}] => (Allow) C:\Users\vitek\AppData\Local\Temp\ACFL\ACSetup\ACSetup.exe => No File
FirewallRules: [{C4E21341-DE49-43F7-8EC8-857680180AE1}] => (Allow) D:\program files\asus\aacambienthal\aacambientlighting.exe => No File
FirewallRules: [{1305ABB3-AA0B-4CE9-8324-CBF459615B8A}] => (Allow) C:\Users\vitek\AppData\Local\Temp\ACFL\ACSetup\ACSetup.exe => No File
FirewallRules: [{F1CBF8E5-C207-4FCB-8040-59A13DA5943C}] => (Allow) C:\Users\vitek\AppData\Local\Temp\ACFL\ACSetup\ACSetup.exe => No File
FirewallRules: [{A181687B-9777-4F12-9340-4FE97A485439}] => (Allow) C:\PROGRA~2\ELECTR~1\THELOR~1\game.dat => No File
FirewallRules: [{F73AFDF1-C3F9-4998-BE9E-33B419D0C040}] => (Allow) C:\PROGRA~2\ELECTR~1\THELOR~1\game.dat => No File
FirewallRules: [{BB502E0E-3CB5-4B2F-9104-2DCB963DFADC}] => (Allow) C:\PROGRA~2\ELECTR~1\THELOR~1\lotrbfme2ep1.exe => No File
FirewallRules: [{721314B8-C231-44A1-9D58-DA74B330ED3B}] => (Allow) C:\PROGRA~2\ELECTR~1\THELOR~1\lotrbfme2ep1.exe => No File
Task: {019E87B7-FBE1-400C-A5A8-75C263AF0039} - System32\Tasks\ASUS\P508PowerAgent_sdk => C:\Program Files (x86)\ASUS\ArmouryDevice\dll\ShareFromArmouryIII\Mouse\ROG STRIX CARRY\P508PowerAgent.exe (No File)
Task: {0A1A12FA-B0F4-43FD-88CA-E927B14D9E0D} - System32\Tasks\G5-GmTaskPlan => "%ProgramFiles%\Trust\GXT 160\GXT160GamingMouse.exe" (No File)
Task: {86FF72A3-6CC8-49FE-9D93-E3DF8C27F69D} - System32\Tasks\Meta\Messenger-SL-Helper-S-1-5-21-931096058-3825193417-906467393-1001 => C:\Users\vitek\AppData\Local\Programs\Messenger\MessengerHelper.exe --lassie (No File)
Task: {077BA067-7C15-40F0-B22E-C9DC2A54B4A2} - System32\Tasks\Microsoft\Windows\Location\Notifications => %windir%\System32\LocationNotificationWindows.exe (No File)
Task: {F3E6E7ED-A196-4E44-8803-55FAB3AD4E29} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker => %systemroot%\system32\MusNotification.exe (No File)
S2 EMP_UDSA; C:\Program Files (x86)\EPSON Projector\EPSON USB Display V1.1\EMP_UDSA.exe (No File)
S2 NovaPdfServer; "C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe" (No File)
U3 aswArDisk; no ImagePath
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiSpyware] Restriction <==== ATTENTION
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiVirus] Restriction <==== ATTENTION
GroupPolicy: Restriction ? <==== ATTENTION
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Edge: Restriction <==== ATTENTION
Task: {337053D1-21E2-4934-9416-716381A59E6B} - System32\Tasks\Windows scheduled assistant Autoupdate 393-1001 => C:\Users\vitek\AppData\Local\Temp\MicrosoftEdgeUpdate\pythonw.exe [102744 2026-05-13] (Python Software Foundation -> Python Software Foundation) -> C:\Users\vitek\AppData\Local\Temp\MicrosoftEdgeUpdate\python313.adml <==== ATTENTION
File: C:\WINDOWS\system32\novamn8.dll
Comment: This snippet reverts User Account Control to its default settings
StartRegedit:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:00000005
"ConsentPromptBehaviorUser"=dword:00000003
"EnableLUA"=dword:00000001
EndRegedit:
StartPowerShell:
# Downloads the newest AdwCleaner version directly from Malwarebytes, performs an update, scans, cleans and writes the log to the console.
# Does not clean preinstalled objects, only PUP/Adware.
# If you would like to delete preinstalled objects, add the argument /preinstalled after the /clean argument.
# If you would like to only scan with it, change the argument from /clean to /scan.
# NOTE: For the sake of users from Asia (primarily China), do not use the clean option. It will very likely remove a lot of their important software.
New-Item -ItemType Directory -Force -Path "$env:SystemDrive\AdwCleaner" | Out-Null
Invoke-WebRequest -Uri "https://adwcleaner.malwarebytes.com/adwcleaner?channel=release" -OutFile "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe"
# Accept the EULA first, then run the clean pass with its console output captured to a log file
Start-Process -FilePath "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe" -ArgumentList "/eula" -Wait -WindowStyle Hidden
$logFile = "$env:SystemDrive\AdwCleaner\AdwCleanerOutputFRST.txt"
Start-Process -FilePath "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe" -ArgumentList "/noreboot /clean" -Wait -WindowStyle Hidden -RedirectStandardOutput $logFile
Get-Content $logFile -Encoding Unicode
Remove-Item -Path $logFile -Force -ErrorAction SilentlyContinue
EndPowerShell:
Comment: Remove unwanted files from common folders using Farbar's native removal, including removal on reboot if needed. Please double check that the user does not have any applications incorrectly installed in the directories listed below.
C:\ProgramData\*.a3x
C:\ProgramData\*.ahk
C:\ProgramData\*.au3
C:\ProgramData\*.bat
C:\ProgramData\*.cab
C:\ProgramData\*.cmd
C:\ProgramData\*.com
C:\ProgramData\*.dll
C:\ProgramData\*.exe
C:\ProgramData\*.hta
C:\ProgramData\*.jar
C:\ProgramData\*.js
C:\ProgramData\*.jse
C:\ProgramData\*.lnk
C:\ProgramData\*.pif
C:\ProgramData\*.ps1
C:\ProgramData\*.py
C:\ProgramData\*.pyc
C:\ProgramData\*.pyd
C:\ProgramData\*.scr
C:\ProgramData\*.tmp
C:\ProgramData\*.vbe
C:\ProgramData\*.vbs
C:\ProgramData\*.wsf
C:\ProgramData\*.wsh
C:\ProgramData\*.zip
C:\ProgramData\*.rar
C:\ProgramData\*.7z
C:\Users\*\AppData\Roaming\*.au3
C:\Users\*\AppData\Roaming\*.bat
C:\Users\*\AppData\Roaming\*.cab
C:\Users\*\AppData\Roaming\*.cmd
C:\Users\*\AppData\Roaming\*.com
C:\Users\*\AppData\Roaming\*.dll
C:\Users\*\AppData\Roaming\*.exe
C:\Users\*\AppData\Roaming\*.hta
C:\Users\*\AppData\Roaming\*.jar
C:\Users\*\AppData\Roaming\*.js
C:\Users\*\AppData\Roaming\*.jse
C:\Users\*\AppData\Roaming\*.lnk
C:\Users\*\AppData\Roaming\*.pif
C:\Users\*\AppData\Roaming\*.ps1
C:\Users\*\AppData\Roaming\*.py
C:\Users\*\AppData\Roaming\*.pyc
C:\Users\*\AppData\Roaming\*.pyd
C:\Users\*\AppData\Roaming\*.scr
C:\Users\*\AppData\Roaming\*.tmp
C:\Users\*\AppData\Roaming\*.vbe
C:\Users\*\AppData\Roaming\*.vbs
C:\Users\*\AppData\Roaming\*.wsf
C:\Users\*\AppData\Roaming\*.wsh
C:\Users\*\AppData\Roaming\*.zip
C:\Users\*\AppData\Roaming\*.rar
C:\Users\*\AppData\Roaming\*.7z
C:\Users\CurrentUserName\AppData\Local\*.a3x
C:\Users\CurrentUserName\AppData\Local\*.ahk
C:\Users\CurrentUserName\AppData\Local\*.au3
C:\Users\CurrentUserName\AppData\Local\*.bat
C:\Users\CurrentUserName\AppData\Local\*.cab
C:\Users\CurrentUserName\AppData\Local\*.cmd
C:\Users\CurrentUserName\AppData\Local\*.com
C:\Users\CurrentUserName\AppData\Local\*.dll
C:\Users\CurrentUserName\AppData\Local\*.exe
C:\Users\CurrentUserName\AppData\Local\*.hta
C:\Users\CurrentUserName\AppData\Local\*.jar
C:\Users\CurrentUserName\AppData\Local\*.js
C:\Users\CurrentUserName\AppData\Local\*.jse
C:\Users\CurrentUserName\AppData\Local\*.lnk
C:\Users\CurrentUserName\AppData\Local\*.pif
C:\Users\CurrentUserName\AppData\Local\*.ps1
C:\Users\CurrentUserName\AppData\Local\*.py
C:\Users\CurrentUserName\AppData\Local\*.pyc
C:\Users\CurrentUserName\AppData\Local\*.pyd
C:\Users\CurrentUserName\AppData\Local\*.scr
C:\Users\CurrentUserName\AppData\Local\*.tmp
C:\Users\CurrentUserName\AppData\Local\*.vbe
C:\Users\CurrentUserName\AppData\Local\*.vbs
C:\Users\CurrentUserName\AppData\Local\*.wsf
C:\Users\CurrentUserName\AppData\Local\*.wsh
C:\Users\CurrentUserName\AppData\Local\*.zip
C:\Users\CurrentUserName\AppData\Local\*.rar
C:\Users\CurrentUserName\AppData\Local\*.7z
C:\Users\CurrentUserName\AppData\Roaming\*.a3x
C:\Users\CurrentUserName\AppData\Roaming\*.ahk
C:\Users\CurrentUserName\AppData\Roaming\*.au3
C:\Users\CurrentUserName\AppData\Roaming\*.bat
C:\Users\CurrentUserName\AppData\Roaming\*.cab
C:\Users\CurrentUserName\AppData\Roaming\*.cmd
C:\Users\CurrentUserName\AppData\Roaming\*.com
C:\Users\CurrentUserName\AppData\Roaming\*.dll
C:\Users\CurrentUserName\AppData\Roaming\*.exe
C:\Users\CurrentUserName\AppData\Roaming\*.hta
C:\Users\CurrentUserName\AppData\Roaming\*.jar
C:\Users\CurrentUserName\AppData\Roaming\*.js
C:\Users\CurrentUserName\AppData\Roaming\*.jse
C:\Users\CurrentUserName\AppData\Roaming\*.lnk
C:\Users\CurrentUserName\AppData\Roaming\*.pif
C:\Users\CurrentUserName\AppData\Roaming\*.ps1
C:\Users\CurrentUserName\AppData\Roaming\*.py
C:\Users\CurrentUserName\AppData\Roaming\*.pyc
C:\Users\CurrentUserName\AppData\Roaming\*.pyd
C:\Users\CurrentUserName\AppData\Roaming\*.scr
C:\Users\CurrentUserName\AppData\Roaming\*.tmp
C:\Users\CurrentUserName\AppData\Roaming\*.vbe
C:\Users\CurrentUserName\AppData\Roaming\*.vbs
C:\Users\CurrentUserName\AppData\Roaming\*.wsf
C:\Users\CurrentUserName\AppData\Roaming\*.wsh
C:\Users\CurrentUserName\AppData\Roaming\*.zip
C:\Users\CurrentUserName\AppData\Roaming\*.rar
C:\Users\CurrentUserName\AppData\Roaming\*.7z
Comment: Force policy removal
C:\Windows\System32\GroupPolicyUsers
C:\Windows\System32\GroupPolicy
Comment: System repair commands
CMD: DISM.exe /Online /Cleanup-image /Restorehealth
CMD: SFC.exe /scannow
Comment: Network reset commands
CMD: netsh int ip reset
CMD: netsh int ipv6 reset
CMD: ipconfig /flushDNS
CMD: netsh winsock reset catalog
Comment: Additional temp file removal
C:\Windows\System32\config\systemprofile\AppData\Local\*.tmp
C:\WINDOWS\system32\*.tmp
C:\WINDOWS\syswow64\*.tmp
C:\Users\CurrentUserName\AppData\Local\Temp\*
C:\Windows\Temp\*
C:\Windows\SystemTemp\*
EmptyTemp:
End::