Malware Log Analysis

shared / Fabulous-Gene8094

Start::
SystemRestore: On
CreateRestorePoint:
CloseProcesses:
2026-06-11 21:18 - 2026-06-11 21:18 - 000000000 ____D C:\Users\oscor\AppData\Roaming\ip_royal_paws
Task: {44AADB54-AB88-4D8E-89D2-A1072715B0C6} - System32\Tasks\AMDInstallUEP => C:\Program Files\AMD\InstallUEP\AMDInstallUEP.exe (No File)
Task: {077BA067-7C15-40F0-B22E-C9DC2A54B4A2} - System32\Tasks\Microsoft\Windows\Location\Notifications => %windir%\System32\LocationNotificationWindows.exe (No File)
Task: {F3E6E7ED-A196-4E44-8803-55FAB3AD4E29} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker => %systemroot%\system32\MusNotification.exe (No File)
Task: {B52BF612-627C-4FC7-92B9-917CD66D9066} - System32\Tasks\MSI LEDBar Controller => C:\Program Files\WMIHook\WMIHookBtnFn\LEDBarController.exe (No File)
FF Plugin HKU\S-1-5-21-1188054775-1645960902-671795726-1001: @wpspdf.com/nppdf -> C:\Users\oscor\AppData\Local\Kingsoft\WPS Office\12.1.0.26880\office6\addons\knppdfplugin\knppdfplugin.dll [No File]
S2 HPAppPrintScanDoctorService; "C:\Program Files\HPAppPrintScanDoctor\HPAppPrintScanDoctorService.exe" (No File)
S3 ACE-CORE201308; \??\C:\Program Files\AntiCheatExpert\ACE-CORE201308.sys (No File)
S3 ace-game-0; \SystemRoot\System32\drivers\ace-game-0.sys (No File)
U3 aswBcc; no ImagePath
U3 Avast Business Console Client Antivirus Service; no ImagePath
U2 DriverUpdSvc.exe; no ImagePath
U3 FamilySvc; no ImagePath
U1 IsRunSuccess; no ImagePath
U2 TuneupSvc.exe; no ImagePath
2026-06-11 22:34 - 2025-07-18 22:11 - 000000000 ____D C:\ProgramData\temp
CustomCLSID: HKU\S-1-5-21-1188054775-1645960902-671795726-1001_Classes\CLSID\{000209F0-0000-4b30-A977-D214852036FF}\InprocServer32 -> => No File
CustomCLSID: HKU\S-1-5-21-1188054775-1645960902-671795726-1001_Classes\CLSID\{28A80003-18FD-411D-B0A3-3C81F618E22B}\InprocServer32 -> C:\Users\oscor\AppData\Local\Kingsoft\WPS Office\12.2.0.23196\office6\kwpsmenushellext64.dll => No File
CustomCLSID: HKU\S-1-5-21-1188054775-1645960902-671795726-1001_Classes\CLSID\{45540086-5750-5300-4B49-4E47534F4655}\InprocServer32 -> => No File
CustomCLSID: HKU\S-1-5-21-1188054775-1645960902-671795726-1001_Classes\CLSID\{74B989DB-3E7F-425C-AF5A-F6BFBF5B747A}\InprocServer32 -> => No File
CustomCLSID: HKU\S-1-5-21-1188054775-1645960902-671795726-1001_Classes\CLSID\{91493443-94BF-4940-926D-4F38FECF2A48}\InprocServer32 -> => No File
CustomCLSID: HKU\S-1-5-21-1188054775-1645960902-671795726-1001_Classes\CLSID\{cd5e3452-846a-44e4-8307-49f82ba6c944}\localserver32 -> "C:\Users\oscor\Downloads\FanControl_197_net_4_8\FanControl.exe" -ToastActivated => No File
AlternateDataStreams: C:\WINDOWS\tracing:? [16]
AlternateDataStreams: C:\Users\oscor\Downloads\avast_one_free_antivirus.exe:MBAM.Zone.Identifier [704]
AlternateDataStreams: C:\Users\oscor\Downloads\FRST64.exe:MBAM.Zone.Identifier [450]
AlternateDataStreams: C:\Users\oscor\Downloads\FRST64English.exe:MBAM.Zone.Identifier [450]
AlternateDataStreams: C:\Users\oscor\Downloads\HP Installer.exe:MBAM.Zone.Identifier [470]
FirewallRules: [{CE7037B9-81E4-4097-8593-915CD6570CAE}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Enlisted\bpreport.exe => No File
FirewallRules: [{CF533E19-BAFD-4610-82CA-A77357BFC43D}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Enlisted\bpreport.exe => No File
FirewallRules: [{5EC0A340-6C4A-4D48-9A46-9E9503315571}] => (Allow) C:\Program Files (x86)\360\Total Security\360TsLiveUpd.exe => No File
FirewallRules: [{7B46DA98-D7AA-41BD-A2D9-A42DCE84A5D7}] => (Allow) C:\Program Files (x86)\360\Total Security\360TsLiveUpd.exe => No File
FirewallRules: [{5C9F4A76-D01B-4DA0-BEAA-46B40008C41F}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Enlisted\BattlEye\BEService_x64.exe => No File
FirewallRules: [{B98595E4-E1F7-4371-90A9-44EE2D8CEAC3}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Enlisted\BattlEye\BEService_x64.exe => No File
FirewallRules: [{C5E5DA4E-4809-4849-93D5-E71C40AA4773}] => (Allow) C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe => No File
FirewallRules: [{7D097C51-B8A3-40BF-BF1F-C25E331EB4CA}] => (Allow) C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe => No File
FirewallRules: [{994BA811-EEB6-4FF1-9694-C4571EE0FA4E}] => (Allow) C:\Windows\SysWOW64\wire\wire.exe => No File
FirewallRules: [{57A5853C-E073-4CF5-9CB8-BB65903F0EDA}] => (Allow) C:\Windows\SysWOW64\wire\wire.exe => No File
FirewallRules: [{18948F5D-6249-481A-9B7C-3DDACF84C742}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Mafia The Old Country\MafiaTheOldCountry\Binaries\Win64\MafiaTheOldCountry.exe => No File
FirewallRules: [{71F2E13B-63C7-4ABD-9D61-03B2C84FAB01}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Mafia The Old Country\MafiaTheOldCountry\Binaries\Win64\MafiaTheOldCountry.exe => No File
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiSpyware] Restriction <==== ATTENTION
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiVirus] Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
2026-06-11 21:17 - 2026-06-11 21:17 - 000000000 ____D C:\Users\oscor\AppData\Local\pip
Avast Update Helper (HKLM-x32\...\{19C3AB22-3718-4E4D-B203-242F5001565B}) (Version: 1.8.1995.6 - AVAST Software) Hidden
AVG Update Helper (HKLM-x32\...\{EDB7AEE7-E932-4836-AE50-D3B0B7766CB5}) (Version: 1.8.1992.6 - AVG Technologies) Hidden
StartPowershell:
# Replace /scanonly with /clean if you also want to delete items -- however, this will activate a trial license on the system, I do not recommend it
$hmpExe = "$env:TEMP\HitmanPro_x64.exe"
$logFile = "$env:TEMP\HitmanPro_ScanLog.txt"
Invoke-WebRequest -Uri "https://dl.surfright.nl/HitmanPro_x64.exe" -OutFile $hmpExe -UseBasicParsing
$proc = Start-Process $hmpExe -ArgumentList "/ews","/scanonly","/noinstall","/log=`"$logFile`"","/logtype=txt" -Wait -PassThru
if (!(Test-Path $logFile)) { Write-Host "Scan failed (exit $($proc.ExitCode))"; exit 1 }
Get-Content $logFile -Encoding Unicode
EndPowershell:
StartPowershell:
# Downloads the newest AdwCleaner version directly from Malwarebytes, performs an update, scans, cleans and writes the log to the console
# Does not clean preinstalled objects, only PUP/Adware
# If you would like to delete preinstalled objects, add the argument /preinstalled after the /clean argument
# If you would like to only scan with it, change the argument from /clean to /scan
# NOTE: For the sake of users from Asia (primarily China), do not use the clean option. It will very likely remove a lot of their important software.
New-Item -ItemType Directory -Force -Path "$env:SystemDrive\AdwCleaner" | Out-Null
Invoke-WebRequest -Uri "https://adwcleaner.malwarebytes.com/adwcleaner?channel=release" -OutFile "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe"
Start-Process -FilePath "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe" -ArgumentList "/eula" -Wait -WindowStyle Hidden
$logFile = "$env:SystemDrive\AdwCleaner\AdwCleanerOutputFRST.txt"
Start-Process -FilePath "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe" -ArgumentList "/noreboot /clean" -Wait -WindowStyle Hidden -RedirectStandardOutput $logFile
Get-Content $logFile -Encoding Unicode
Remove-Item -Path $logFile -Force -ErrorAction SilentlyContinue
EndPowershell:
Comment: Verify that Discord does not have any injected code to intercept personal data. If anything is printed here, it needs to be checked that it isn't malicious code.
Powershell: @("$env:APPDATA","$env:LOCALAPPDATA") | ForEach-Object { Get-ChildItem $_ -Recurse -Filter "index.js" -ErrorAction SilentlyContinue } | Where-Object { $_.FullName -match "discord_desktop_core" } | ForEach-Object { Write-Host "--- $($_.FullName) ---"; (Get-Content $_.FullName -Raw).Substring(0,[Math]::Min(2000,(Get-Content $_.FullName -Raw).Length)) }
Comment: Remove unwanted files from common folders using Farbar's native removal, which includes removal on reboot if needed. Please double check that the user does not have any applications incorrectly installed in the directories listed below.
C:\ProgramData\*.a3x
C:\ProgramData\*.ahk
C:\ProgramData\*.au3
C:\ProgramData\*.bat
C:\ProgramData\*.cab
C:\ProgramData\*.cmd
C:\ProgramData\*.com
C:\ProgramData\*.dll
C:\ProgramData\*.exe
C:\ProgramData\*.hta
C:\ProgramData\*.jar
C:\ProgramData\*.js
C:\ProgramData\*.jse
C:\ProgramData\*.lnk
C:\ProgramData\*.pif
C:\ProgramData\*.ps1
C:\ProgramData\*.py
C:\ProgramData\*.pyc
C:\ProgramData\*.pyd
C:\ProgramData\*.scr
C:\ProgramData\*.tmp
C:\ProgramData\*.vbe
C:\ProgramData\*.vbs
C:\ProgramData\*.wsf
C:\ProgramData\*.wsh
C:\ProgramData\*.zip
C:\ProgramData\*.rar
C:\ProgramData\*.7z
C:\Users\*\AppData\Roaming\*.au3
C:\Users\*\AppData\Roaming\*.bat
C:\Users\*\AppData\Roaming\*.cab
C:\Users\*\AppData\Roaming\*.cmd
C:\Users\*\AppData\Roaming\*.com
C:\Users\*\AppData\Roaming\*.dll
C:\Users\*\AppData\Roaming\*.exe
C:\Users\*\AppData\Roaming\*.hta
C:\Users\*\AppData\Roaming\*.jar
C:\Users\*\AppData\Roaming\*.js
C:\Users\*\AppData\Roaming\*.jse
C:\Users\*\AppData\Roaming\*.lnk
C:\Users\*\AppData\Roaming\*.pif
C:\Users\*\AppData\Roaming\*.ps1
C:\Users\*\AppData\Roaming\*.py
C:\Users\*\AppData\Roaming\*.pyc
C:\Users\*\AppData\Roaming\*.pyd
C:\Users\*\AppData\Roaming\*.scr
C:\Users\*\AppData\Roaming\*.tmp
C:\Users\*\AppData\Roaming\*.vbe
C:\Users\*\AppData\Roaming\*.vbs
C:\Users\*\AppData\Roaming\*.wsf
C:\Users\*\AppData\Roaming\*.wsh
C:\Users\*\AppData\Roaming\*.zip
C:\Users\*\AppData\Roaming\*.rar
C:\Users\*\AppData\Roaming\*.7z
C:\Users\CurrentUserName\AppData\Local\*.a3x
C:\Users\CurrentUserName\AppData\Local\*.ahk
C:\Users\CurrentUserName\AppData\Local\*.au3
C:\Users\CurrentUserName\AppData\Local\*.bat
C:\Users\CurrentUserName\AppData\Local\*.cab
C:\Users\CurrentUserName\AppData\Local\*.cmd
C:\Users\CurrentUserName\AppData\Local\*.com
C:\Users\CurrentUserName\AppData\Local\*.dll
C:\Users\CurrentUserName\AppData\Local\*.exe
C:\Users\CurrentUserName\AppData\Local\*.hta
C:\Users\CurrentUserName\AppData\Local\*.jar
C:\Users\CurrentUserName\AppData\Local\*.js
C:\Users\CurrentUserName\AppData\Local\*.jse
C:\Users\CurrentUserName\AppData\Local\*.lnk
C:\Users\CurrentUserName\AppData\Local\*.pif
C:\Users\CurrentUserName\AppData\Local\*.ps1
C:\Users\CurrentUserName\AppData\Local\*.py
C:\Users\CurrentUserName\AppData\Local\*.pyc
C:\Users\CurrentUserName\AppData\Local\*.pyd
C:\Users\CurrentUserName\AppData\Local\*.scr
C:\Users\CurrentUserName\AppData\Local\*.tmp
C:\Users\CurrentUserName\AppData\Local\*.vbe
C:\Users\CurrentUserName\AppData\Local\*.vbs
C:\Users\CurrentUserName\AppData\Local\*.wsf
C:\Users\CurrentUserName\AppData\Local\*.wsh
C:\Users\CurrentUserName\AppData\Local\*.zip
C:\Users\CurrentUserName\AppData\Local\*.rar
C:\Users\CurrentUserName\AppData\Local\*.7z
C:\Users\CurrentUserName\AppData\Roaming\*.a3x
C:\Users\CurrentUserName\AppData\Roaming\*.ahk
C:\Users\CurrentUserName\AppData\Roaming\*.au3
C:\Users\CurrentUserName\AppData\Roaming\*.bat
C:\Users\CurrentUserName\AppData\Roaming\*.cab
C:\Users\CurrentUserName\AppData\Roaming\*.cmd
C:\Users\CurrentUserName\AppData\Roaming\*.com
C:\Users\CurrentUserName\AppData\Roaming\*.dll
C:\Users\CurrentUserName\AppData\Roaming\*.exe
C:\Users\CurrentUserName\AppData\Roaming\*.hta
C:\Users\CurrentUserName\AppData\Roaming\*.jar
C:\Users\CurrentUserName\AppData\Roaming\*.js
C:\Users\CurrentUserName\AppData\Roaming\*.jse
C:\Users\CurrentUserName\AppData\Roaming\*.lnk
C:\Users\CurrentUserName\AppData\Roaming\*.pif
C:\Users\CurrentUserName\AppData\Roaming\*.ps1
C:\Users\CurrentUserName\AppData\Roaming\*.py
C:\Users\CurrentUserName\AppData\Roaming\*.pyc
C:\Users\CurrentUserName\AppData\Roaming\*.pyd
C:\Users\CurrentUserName\AppData\Roaming\*.scr
C:\Users\CurrentUserName\AppData\Roaming\*.tmp
C:\Users\CurrentUserName\AppData\Roaming\*.vbe
C:\Users\CurrentUserName\AppData\Roaming\*.vbs
C:\Users\CurrentUserName\AppData\Roaming\*.wsf
C:\Users\CurrentUserName\AppData\Roaming\*.wsh
C:\Users\CurrentUserName\AppData\Roaming\*.zip
C:\Users\CurrentUserName\AppData\Roaming\*.rar
C:\Users\CurrentUserName\AppData\Roaming\*.7z
Comment: Force policy removal
C:\Windows\System32\GroupPolicyUsers
C:\Windows\System32\GroupPolicy
Comment: System repair commands
CMD: DISM.exe /Online /Cleanup-image /Restorehealth
CMD: SFC.exe /scannow
Comment: Network reset commands
CMD: netsh int ip reset
CMD: netsh int ipv6 reset
CMD: ipconfig /flushDNS
CMD: netsh winsock reset catalog
Comment: Additional temp file removal
C:\Windows\System32\config\systemprofile\AppData\Local\*.tmp
C:\WINDOWS\system32\*.tmp
C:\WINDOWS\syswow64\*.tmp
C:\Users\CurrentUserName\AppData\Local\Temp\*
C:\Windows\Temp\*
C:\Windows\SystemTemp\*
EmptyTemp:
End::
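The fixlist's Discord step only prints the first 2000 bytes of every discord_desktop_core\index.js and leaves the verdict to the reader. The script below is an added example (not part of the shared fixlist and not Discord's or Farbar's code) that turns that manual read into a check: it compares each file against the stock one-line stub, hashes it, and reports heuristic strings that injected payloads commonly contain. The expected stub string and the marker list are assumptions chosen for this example; confirm the stub against a clean Discord install before relying on the verdict.

```powershell
# Added example: flag any discord_desktop_core\index.js that is not the stock stub.
# ASSUMPTION: a clean install ships index.js as exactly the line below; verify on a known-good machine.
$ExpectedStub = "module.exports = require('./core.asar');"

# Heuristic markers (assumption, chosen for this example): a stock stub contains none of these,
# so any hit is worth a manual look. Matching is case-insensitive and literal.
$SuspiciousMarkers = @('webhook', 'https://', 'child_process', 'eval(', 'Buffer.from', 'token')

function Test-DiscordCoreIndex {
    param([string[]]$Roots = @($env:APPDATA, $env:LOCALAPPDATA))

    $results = @()
    foreach ($root in $Roots) {
        if (-not $root -or -not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -Filter 'index.js' -ErrorAction SilentlyContinue |
            Where-Object { $_.FullName -match 'discord_desktop_core' } |
            ForEach-Object {
                $content = Get-Content -Path $_.FullName -Raw -ErrorAction SilentlyContinue
                $trimmed = if ($null -eq $content) { '' } else { $content.Trim() }
                $hits    = @($SuspiciousMarkers | Where-Object { $trimmed -match [regex]::Escape($_) })
                $results += [pscustomobject]@{
                    Path        = $_.FullName
                    SizeBytes   = $_.Length
                    LastWrite   = $_.LastWriteTime
                    Sha256      = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                    IsStockStub = ($trimmed -eq $ExpectedStub)
                    Markers     = ($hits -join ',')
                }
            }
    }
    return $results
}

$report = Test-DiscordCoreIndex
if (-not $report) { Write-Host 'No discord_desktop_core\index.js found under the current profile.'; return }
$report | Format-Table -AutoSize
$modified = @($report | Where-Object { -not $_.IsStockStub })
if ($modified.Count -gt 0) {
    Write-Warning ("{0} index.js file(s) differ from the stock stub; inspect them before continuing the fix." -f $modified.Count)
}
```

A stub that has been replaced is typically much larger than the one-line original, so SizeBytes alone is a quick tell; the hash lets you compare the file across machines or against a clean install without shipping the content around.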
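The "Remove unwanted files from common folders" comment asks the operator to double check the target directories before FRST deletes everything matching the extension list. The script below is an added example (not part of the shared fixlist and not Farbar's code) that does that check as a dry run: it lists, without deleting, every top-level file under the same roots whose extension is on the fixlist's list, together with its Authenticode status, signer and SHA-256, so a legitimately installed program can be spotted before the fix runs. The root set, the top-level-only scope and the output columns are choices made for this example; add -Recurse to Get-ChildItem if you also want subfolders.

```powershell
# Added example: dry-run inventory of loose script/executable files in the roots the fixlist targets.
# Nothing here deletes anything; it only reports.
$Extensions = @('a3x','ahk','au3','bat','cab','cmd','com','dll','exe','hta','jar','js','jse',
                'lnk','pif','ps1','py','pyc','pyd','scr','tmp','vbe','vbs','wsf','wsh','zip','rar','7z')

function Get-LooseFileInventory {
    param(
        # Assumption: same roots as the fixlist, with C:\Users\*\AppData\Roaming expanded per profile.
        [string[]]$Roots = @($env:ProgramData, $env:LOCALAPPDATA, $env:APPDATA) +
                           @(Get-ChildItem -Path "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
                             ForEach-Object { Join-Path $_.FullName 'AppData\Roaming' })
    )
    $seen = @{}
    foreach ($root in $Roots) {
        if (-not $root -or -not (Test-Path $root)) { continue }
        if ($seen.ContainsKey($root.ToLower())) { continue }   # skip duplicate roots
        $seen[$root.ToLower()] = $true
        # Top level only, matching how the single '*' patterns in the fixlist read.
        Get-ChildItem -Path $root -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $Extensions -contains $_.Extension.TrimStart('.').ToLower() } |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName -ErrorAction SilentlyContinue
                [pscustomobject]@{
                    Path      = $_.FullName
                    SizeBytes = $_.Length
                    Modified  = $_.LastWriteTime
                    Hidden    = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
                    Signature = if ($sig) { $sig.Status.ToString() } else { 'n/a' }
                    Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                    Sha256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
                }
            }
    }
}

Get-LooseFileInventory | Sort-Object Signature, Path | Format-Table -AutoSize
```

Files that are validly signed by a vendor the user recognises are candidates to exclude from the fixlist; unsigned, hidden or recently modified loaders in these roots are the ones the removal step is written for. Keep the output alongside the FRST logs so the hashes are available if a file has to be looked up later.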