Malware Log Analysis

Start CreateRestorePoint: CloseProcesses: HKU\S-1-5-21-3450520940-2535151017-1455022532-1001\...\Policies\Explorer: [] HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION HKLM\SOFTWARE\Policies\Microsoft\Edge: Restriction <==== ATTENTION Task: {0ebdab23-d4af-42e2-a93c-6cca7bdf181c} - no filepath. <==== ATTENTION Task: {A9EA4C5D-CA89-4DC0-A314-6837CFB2446D} - System32\Tasks\GoogleSystem\GoogleUpdater\GoogleUpdaterTaskSystem137.0.7129.6{2458B74C-719B-4088-835E-BAE85C2F775C} => "C:\Program Files (x86)\Google\GoogleUpdater\137.0.7129.6\updater.exe" --wake --system (No File) Task: {F5D47D8A-78DC-499E-B4B7-80591CE3A49D} - System32\Tasks\Lenovo\Vantage\Schedule\NotificationCenter => C:\Program Files (x86)\Lenovo\VantageService\3.13.72.0\ScheduleEventAction.exe NotificationCenter (No File) Task: {B4FB994A-295B-4210-AAF7-D33740F456DB} - System32\Tasks\Lenovo\Vantage\StartupFixPlan => C:\Program Files (x86)\Lenovo\VantageService\4.2.24.0\\uninstall.exe /repair (No File) Task: {9DD169AA-8F25-4627-8BE8-F5EDDB60FD22} - System32\Tasks\McAfee\DAD.Execute.Updates => C:\Program Files\Common Files\McAfee\DynamicAppDownloader\DADupdater.exe (No File) Task: {077BA067-7C15-40F0-B22E-C9DC2A54B4A2} - System32\Tasks\Microsoft\Windows\Location\Notifications => %windir%\System32\LocationNotificationWindows.exe (No File) Task: {CCDFC0B8-01A3-4E74-A820-4F13F51D269E} - System32\Tasks\Microsoft\Windows\Mobile Broadband Accounts\MNO Metadata Parser => %SystemRoot%\System32\MbaeParserTask.exe (No File) Task: {096569B6-985E-4D43-9C8F-8F2AF0819DB6} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\MusUx_LogonUpdateResults => %systemroot%\system32\MusNotification.exe LogonUpdateResults (No File) Task: {668472B1-C8E4-49EC-AF88-245D56300E59} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Reboot_AC => %systemroot%\system32\MusNotification.exe /RunOnAC ReadyToReboot (No File) Task: {86A2F359-62CA-4F54-8230-54F630137F0F} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Reboot_Battery => %systemroot%\system32\MusNotification.exe /RunOnBattery ReadyToReboot (No File) Task: {F3E6E7ED-A196-4E44-8803-55FAB3AD4E29} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker => %systemroot%\system32\MusNotification.exe (No File) 2026-06-05 16:21 - 2026-06-05 16:21 - 000000000 ____D C:\Users\ezra1\AppData\Local\Yandex Folder: C:\Users\ezra1\AppData\Roaming\processhost_v5_stable Folder: C:\ProgramData\processhost_v5_stable 2026-06-05 16:20 - 2026-06-05 16:20 - 000000000 ____D C:\Users\ezra1\AppData\Roaming\processhost_v5_stable 2026-06-05 16:20 - 2026-06-05 16:20 - 000000000 ____D C:\ProgramData\processhost_v5_stable 2026-06-05 16:18 - 2021-06-12 10:20 - 000000000 ____D C:\Users\ezra1\AppData\Roaming\RenPy 2026-04-22 21:26 - 2026-04-22 21:26 - 000000000 ____D C:\ProgramData\temp 2024-12-06 19:46 - 2024-12-06 19:46 - 000000048 ____R () C:\Users\ezra1\AppData\Local\F21F773A8C377E070CCEAAEA8B0A995D C:\Users\ezra1\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\jcpgbnbdnakoblgfkbgggankeidkfcdl Edge HKLM-x32\...\Edge\Extension: [jcpgbnbdnakoblgfkbgggankeidkfcdl] C:\Users\ezra1\AppData\Local\Google\Chrome\User Data\Default\Extensions\fheoggkfdfchfphceeifdbepaooicaho C:\Users\ezra1\AppData\Local\Google\Chrome\User Data\Default\Extensions\llbcnfanfmjhpedaedhbcnpgeepdnnok C:\Users\ezra1\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\fheoggkfdfchfphceeifdbepaooicaho C:\Users\ezra1\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\fheoggkfdfchfphceeifdbepaooicaho C:\Users\ezra1\AppData\Local\Google\Chrome\User Data\Profile 3\Extensions\fheoggkfdfchfphceeifdbepaooicaho C:\Users\ezra1\AppData\Local\Google\Chrome\User Data\Profile 3\Extensions\llbcnfanfmjhpedaedhbcnpgeepdnnok C:\Users\ezra1\AppData\Local\Google\Chrome\User Data\Profile 3\Extensions\majdfhpaihoncoakbjgbdhglocklcgno C:\Users\ezra1\AppData\Local\Google\Chrome\User Data\Profile 4\Extensions\fheoggkfdfchfphceeifdbepaooicaho C:\Users\ezra1\AppData\Local\Google\Chrome\User Data\Profile 5\Extensions\fheoggkfdfchfphceeifdbepaooicaho CHR HKLM-x32\...\Chrome\Extension: [llbcnfanfmjhpedaedhbcnpgeepdnnok] R2 McAfee WebAdvisor; C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe [856472 2023-05-21] (McAfee, LLC -> McAfee, LLC) C:\Program Files\McAfee Folder: C:\Users\ezra1\OneDrive\Documents\data Folder: C:\Users\ezra1\AppData\LocalLow\MyAss Folder: C:\Users\ezra1\OneDrive\Documents\renpy Folder: C:\Users\ezra1\OneDrive\Documents\lib Folder: C:\Users\ezra1\OneDrive\Documents\tfmng Folder: C:\Users\ezra1\AppData\Roaming\TeamSamoyed Folder: C:\Users\ezra1\OneDrive\Documents\game Folder: C:\Users\ezra1\OneDrive\Documents\common Folder: C:\ProgramData\boost_interprocess File: C:\Program Files (x86)\Microsoft Visual Studio\Installer\VSInstallerElevationService.exe;C:\Users\ezra1\OneDrive\Desktop\TeamfightManager2.exe.lnk;C:\Users\ezra1\OneDrive\Desktop\Setup.exe.lnk;C:\Users\ezra1\OneDrive\Documents\Uninstall Katawa Shoujo.exe;C:\Users\ezra1\OneDrive\Documents\Katawa Shoujo.exe Powershell: Get-ScheduledTask | select -first 30 | Get-ScheduledTaskInfo Powershell: @("$env:APPDATA","$env:LOCALAPPDATA") | ForEach-Object { Get-ChildItem $_ -Recurse -Filter "index.js" -ErrorAction SilentlyContinue } | Where-Object { $_.FullName -match "discord_desktop_core" } | ForEach-Object { Write-Host "--- $($_.FullName) ---"; (Get-Content $_.FullName -Raw).Substring(0,[Math]::Min(2000,(Get-Content $_.FullName -Raw).Length)) } Powershell: (Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" -ErrorAction SilentlyContinue).PSObject.Properties | Where-Object { $_.Name -match "^[a-z]$" } | ForEach-Object { Write-Host "$($_.Name): $($_.Value)" } C:\WINDOWS\Temp\* C:\WINDOWS\SystemTemp\* C:\Users\ezra1\AppData\Local\Temp\* StartPowerShell: # Downloads newest AdwCleaner version directly from Malwarebytes, performs an update, scans, cleans and writes the log in console # Does not clean preinstalled objects, only PUP/Adware # If you would like to delete preinstalled objects, add an argument /preinstalled to the /clean argument # If you would like to only scan with it, change the argument from /clean to /scan New-Item -ItemType Directory -Force -Path "$env:SystemDrive\AdwCleaner" | Out-Null Invoke-WebRequest -Uri "https://adwcleaner.malwarebytes.com/adwcleaner?channel=release" -OutFile "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe" Start-Process -FilePath "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe" -ArgumentList "/eula" -Wait -WindowStyle Hidden $logFile = "$env:SystemDrive\AdwCleaner\AdwCleanerOutputFRST.txt" Start-Process -FilePath "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe" -ArgumentList "/noreboot /clean" -Wait -WindowStyle Hidden -RedirectStandardOutput $logFile Get-Content $logFile -Encoding Unicode Remove-Item -Path $logFile -Force -ErrorAction SilentlyContinue EndPowerShell: StartPowershell: # Replace /scanonly with /clean if you also want to delete items -- however, this will activate a trial license on the system, I do not recommend it $hmpExe = "$env:TEMP\HitmanPro_x64.exe" $logFile = "$env:TEMP\HitmanPro_ScanLog.txt" Invoke-WebRequest -Uri "https://dl.surfright.nl/HitmanPro_x64.exe" -OutFile $hmpExe -UseBasicParsing $proc = Start-Process $hmpExe -ArgumentList "/ews","/scanonly","/noinstall","/log=`"$logFile`"","/logtype=txt" -Wait -PassThru if (!(Test-Path $logFile)) { Write-Host "Scan failed (exit $($proc.ExitCode))"; exit 1 } Get-Content $logFile -Encoding Unicode EndPowershell: StartPowerShell: # This snippet downloads Emsisoft Emergency Kit (EEK) from the Emsisoft's official site, updates it, scans with it. # Do note that the executable is 300MB and may take some time to download. # --- # This will scan for malware and PUP's in 1) system memory 2) important folders as documentation says # It will scan in compressed archives, in mail archives, in NTFS alternate data streams and use cloud requests # --- # You can use argument "/delete" to delete found objects including references but this is permanent and irreversible. # You can remove the "/quick" argument to do a full scan but that may take longer than what FRST can handle. # You can use argument "/quarantine="[folder]"" to put found malware into quarantine, but I personally prefer first verifying the detections. $downloadUrl = "https://dl.emsisoft.com/EmsisoftEmergencyKit.exe" $systemDrive = $env:SystemDrive $frstPath = "$systemDrive\FRST" $savePath = "$frstPath\EEK.exe" $extractPath = "$frstPath\EEK" if (-not (Test-Path $frstPath)) { New-Item -Path $frstPath -ItemType Directory -Force | Out-Null } if (-not (Test-Path $extractPath)) { New-Item -Path $extractPath -ItemType Directory -Force | Out-Null } Invoke-WebRequest -Uri $downloadUrl -OutFile $savePath -UseBasicParsing $proc = Start-Process -FilePath $savePath -ArgumentList "-s -d`"$extractPath`"" -PassThru while (-not (Test-Path "$extractPath\bin64\a2cmd.exe")) { Start-Sleep -Milliseconds 1000 } Stop-Process -Id $proc.Id -Force -ErrorAction SilentlyContinue if ([Environment]::Is64BitOperatingSystem) { $a2cmdPath = Join-Path $extractPath "bin64\a2cmd.exe" } else { $a2cmdPath = Join-Path $extractPath "bin32\a2cmd.exe" } Start-Process -FilePath $a2cmdPath -ArgumentList "/update" -Wait -NoNewWindow Start-Process -FilePath $a2cmdPath -ArgumentList "/malware /quick /m /t /pup /a /am /cloud=1 /la=`"$frstPath\EEK_scan.log`"" -Wait -NoNewWindow Get-Content "$frstPath\EEK_scan.log" exit EndPowerShell: cmd: del %temp%\*.* /f /s /q cmd: rd /s /q %temp% cmd: bitsadmin /reset /allusers cmd: netsh winsock reset catalog cmd: ipconfig /flushdns RemoveProxy: EmptyTemp: End