Start::
CloseProcesses:
2023-12-05 20:09 - 2023-12-05 20:09 - 000004398 _____ () C:\Users\enzom\AppData\Local\91503071769
2026-05-25 22:18 - 2026-05-25 22:18 - 000000000 ____D C:\Users\enzom\AppData\Roaming\RenPy
CustomCLSID: HKU\S-1-5-21-2875475434-3243608219-2956671516-1001_Classes\CLSID\{227C9E8F-71A1-4B23-9076-682A1A8EAAED}\localserver32 -> "c:\program files\macrium\common\reflectmonitor.exe" -ToastActivated => No File
CustomCLSID: HKU\S-1-5-21-2875475434-3243608219-2956671516-1001_Classes\CLSID\{9652f312-d16a-252c-2a90-115fc703b61f}\localserver32 -> "C:\Users\enzom\AppData\Local\Grammarly\DesktopIntegrations\Grammarly.Desktop.exe" -ToastActivated => No File
AlternateDataStreams: C:\ProgramData\sldh.dat:136096DD5B [4290]
AlternateDataStreams: C:\ProgramData\sldh.dat:F3D162C601 [4290]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\HidHide Configuration Client.lnk:B7B9C8BD2D [4290]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Epic Games Launcher.lnk:BE32D07BC5 [4290]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Excel.lnk:B96E9B8455 [4290]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk:4E42ED6D31 [4290]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Outlook.lnk:5465085A2F [4290]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PowerPoint.lnk:1DC1525F34 [4290]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Publisher.lnk:104946E0EA [4290]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Word.lnk:7AD7FA8AB1 [4290]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Zotero.lnk:3FAA705B12 [4290]
AlternateDataStreams: C:\Users\Public\Shared Files:VersionCache [8356]
FirewallRules: [UDP Query User{FED4DDCC-AA4B-4C2D-A9F7-9AABF4A4EF06}C:\users\enzom\appdata\local\viber\viber.exe] => (Allow) C:\users\enzom\appdata\local\viber\viber.exe => No File
FirewallRules: [TCP Query User{67B4E342-D738-4B92-A8C7-D0FDF7F95516}C:\users\enzom\appdata\local\viber\viber.exe] => (Allow) C:\users\enzom\appdata\local\viber\viber.exe => No File
FirewallRules: [UDP Query User{8149EBBA-42C8-4E87-B5CA-DAB6C5714E0E}C:\games\cyberpunk 2077\bin\x64\cyberpunk 2077.exe] => (Allow) C:\games\cyberpunk 2077\bin\x64\cyberpunk 2077.exe => No File
FirewallRules: [TCP Query User{F1929274-33C2-428E-8A37-93335724D45F}C:\games\cyberpunk 2077\bin\x64\cyberpunk 2077.exe] => (Allow) C:\games\cyberpunk 2077\bin\x64\cyberpunk 2077.exe => No File
FirewallRules: [{A5F291CF-9F97-48DF-998A-0DE54E62C986}] => (Allow) C:\Program Files\MiniTool ShadowMaker\AgentService.exe => No File
FirewallRules: [{378F702C-CFB7-48E9-B381-D05A26E208BF}] => (Allow) C:\Program Files\MiniTool ShadowMaker\AgentService.exe => No File
FirewallRules: [{A6E58478-AFD0-4665-8767-127F3E227364}] => (Allow) C:\Program Files\MiniTool ShadowMaker\AgentService.exe => No File
FirewallRules: [{A59DAB01-B94C-425D-A2F4-A0841587EAE3}] => (Allow) C:\Program Files\MiniTool ShadowMaker\AgentService.exe => No File
FirewallRules: [UDP Query User{92A19DE0-A1E9-4687-9507-7A369F5E1C79}C:\users\enzom\downloads\sdi_r2408\sdi_x64_r2408.exe] => (Allow) C:\users\enzom\downloads\sdi_r2408\sdi_x64_r2408.exe => No File
FirewallRules: [TCP Query User{578AF4D3-8FC5-4103-9D8C-4DF9899A6E35}C:\users\enzom\downloads\sdi_r2408\sdi_x64_r2408.exe] => (Allow) C:\users\enzom\downloads\sdi_r2408\sdi_x64_r2408.exe => No File
FirewallRules: [UDP Query User{0B2DAD1C-AD97-4EC5-9493-E31599107FDE}C:\users\enzom\downloads\sdi_r2408\sdi_r2408.exe] => (Allow) C:\users\enzom\downloads\sdi_r2408\sdi_r2408.exe => No File
FirewallRules: [TCP Query User{5D83E1A9-060E-45DB-8462-8B6D818163C0}C:\users\enzom\downloads\sdi_r2408\sdi_r2408.exe] => (Allow) C:\users\enzom\downloads\sdi_r2408\sdi_r2408.exe => No File
FirewallRules: [UDP Query User{1C350053-53F8-4387-86B9-B5564BD3CB02}C:\users\enzom\appdata\local\programs\vgn hub\vgn hub.exe] => (Allow) C:\users\enzom\appdata\local\programs\vgn hub\vgn hub.exe => No File
FirewallRules: [TCP Query User{67C804C9-17F3-4833-A08D-5C3E6F8958D1}C:\users\enzom\appdata\local\programs\vgn hub\vgn hub.exe] => (Allow) C:\users\enzom\appdata\local\programs\vgn hub\vgn hub.exe => No File
FirewallRules: [{B43D5392-2375-457D-9C34-92546F00A384}] => (Allow) D:\P5XSEA\client\pc\P5X.exe => No File
FirewallRules: [{B6D3BCC1-9C6F-4EEE-A649-669B49CFB6C5}] => (Allow) D:\P5XSEA\client\pc\P5X.exe => No File
FirewallRules: [{E728FB25-5076-4346-B7EC-D6BB6EA099C2}] => (Allow) D:\P5XSEA\P5XLaunch\P5XWebBooster.exe => No File
FirewallRules: [{91D95B33-A872-49AE-876D-54DB2E833AF6}] => (Allow) D:\P5XSEA\P5XLaunch\P5XWebBooster.exe => No File
FirewallRules: [{FD05C414-2471-471F-AF79-A018AE0DBE12}] => (Allow) D:\P5XSEA\P5XLaunch\P5XBrowser.exe => No File
FirewallRules: [{C07E62B7-1702-4BA7-93A5-51049C136110}] => (Allow) D:\P5XSEA\P5XLaunch\P5XBrowser.exe => No File
FirewallRules: [{8ACF7BAE-349B-4239-8D71-AA0E534A5E28}] => (Allow) D:\P5XSEA\P5XLaunch\P5XUpdate.exe => No File
FirewallRules: [{1D1EADAC-65F8-4BDB-8D32-3E0FAD93C6A9}] => (Allow) D:\P5XSEA\P5XLaunch\P5XUpdate.exe => No File
FirewallRules: [{C68DFE21-6A62-4072-8551-85F7B59741DA}] => (Allow) D:\P5XSEA\P5XLaunch\P5XGame.exe => No File
FirewallRules: [{A231AD2B-5B53-4CA1-BFA2-291E40CFEFD0}] => (Allow) D:\P5XSEA\P5XLaunch\P5XGame.exe => No File
FirewallRules: [{8C4BD9EA-8F57-40C5-B018-3558768F7B10}] => (Allow) D:\SteamLibrary\steamapps\common\Devil May Cry 5\DevilMayCry5.exe => No File
FirewallRules: [{9331A615-DEEF-45A4-BB2C-C502C2576428}] => (Allow) D:\SteamLibrary\steamapps\common\Devil May Cry 5\DevilMayCry5.exe => No File
FirewallRules: [UDP Query User{01284AA1-9C07-462F-BBE6-DF3DA86AC6B5}C:\program files\atk v hub\atk v hub.exe] => (Allow) C:\program files\atk v hub\atk v hub.exe => No File
FirewallRules: [TCP Query User{16C39BD2-9A7D-42D8-958A-EB5B7979CC70}C:\program files\atk v hub\atk v hub.exe] => (Allow) C:\program files\atk v hub\atk v hub.exe => No File
FirewallRules: [UDP Query User{04C0D52C-8A37-4E75-A63B-5BDF53063474}C:\users\enzom\downloads\vgn-hub_2.4.4\vgn hub.exe] => (Allow) C:\users\enzom\downloads\vgn-hub_2.4.4\vgn hub.exe => No File
FirewallRules: [TCP Query User{313035A4-B4D5-49FC-8749-34BE4AF4A5ED}C:\users\enzom\downloads\vgn-hub_2.4.4\vgn hub.exe] => (Allow) C:\users\enzom\downloads\vgn-hub_2.4.4\vgn hub.exe => No File
FirewallRules: [UDP Query User{076E5141-7399-40F2-8AC0-6F94842739B1}C:\users\enzom\appdata\local\temp\rar$exa14792.4002\vgn hub.exe] => (Block) C:\users\enzom\appdata\local\temp\rar$exa14792.4002\vgn hub.exe => No File
FirewallRules: [TCP Query User{19FE38DB-FA6C-4E59-8393-906293EB3BE0}C:\users\enzom\appdata\local\temp\rar$exa14792.4002\vgn hub.exe] => (Block) C:\users\enzom\appdata\local\temp\rar$exa14792.4002\vgn hub.exe => No File
FirewallRules: [UDP Query User{618F5885-688C-4ABF-805A-44C92DC72674}C:\program files (x86)\steam\steamapps\common\marvelrivals\marvelgame\marvel\binaries\win64\marvel-win64-shipping.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\marvelrivals\marvelgame\marvel\binaries\win64\marvel-win64-shipping.exe => No File
FirewallRules: [TCP Query User{127D65C3-3613-4DFF-9D59-ACA14A78F1EB}C:\program files (x86)\steam\steamapps\common\marvelrivals\marvelgame\marvel\binaries\win64\marvel-win64-shipping.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\marvelrivals\marvelgame\marvel\binaries\win64\marvel-win64-shipping.exe => No File
FirewallRules: [UDP Query User{99F03B4F-271C-4E56-BE1D-F045163A8869}D:\steamlibrary\steamapps\common\marvelrivals\marvelgame\marvel\binaries\win64\marvel-win64-shipping.exe] => (Allow) D:\steamlibrary\steamapps\common\marvelrivals\marvelgame\marvel\binaries\win64\marvel-win64-shipping.exe => No File
FirewallRules: [TCP Query User{F137C13F-050D-4F04-8921-106DE29DCC2C}D:\steamlibrary\steamapps\common\marvelrivals\marvelgame\marvel\binaries\win64\marvel-win64-shipping.exe] => (Allow) D:\steamlibrary\steamapps\common\marvelrivals\marvelgame\marvel\binaries\win64\marvel-win64-shipping.exe => No File
FirewallRules: [{FA59F162-6765-4A9D-9B7A-16BEE2598A9C}] => (Allow) D:\SteamLibrary\steamapps\common\MarvelRivals\MarvelRivals_Launcher.exe => No File
FirewallRules: [{22DBE584-6AF2-491B-8DB0-71D31D28E8D2}] => (Allow) D:\SteamLibrary\steamapps\common\MarvelRivals\MarvelRivals_Launcher.exe => No File
FirewallRules: [UDP Query User{56B44C77-5B27-456E-8EA4-2585E94E3817}D:\fortnite\engine\binaries\win64\epicwebhelper.exe] => (Block) D:\fortnite\engine\binaries\win64\epicwebhelper.exe => No File
FirewallRules: [TCP Query User{4F0C038C-A2D2-4CCF-B18E-1C0779CC2F42}D:\fortnite\engine\binaries\win64\epicwebhelper.exe] => (Block) D:\fortnite\engine\binaries\win64\epicwebhelper.exe => No File
FirewallRules: [UDP Query User{B80618A5-0C01-407C-BE77-4A57BF45B267}D:\fortnite\fortnitegame\binaries\win64\fortniteclient-win64-shipping.exe] => (Allow) D:\fortnite\fortnitegame\binaries\win64\fortniteclient-win64-shipping.exe => No File
FirewallRules: [TCP Query User{6D33D272-1B15-43AE-B4A4-CB9705688077}D:\fortnite\fortnitegame\binaries\win64\fortniteclient-win64-shipping.exe] => (Allow) D:\fortnite\fortnitegame\binaries\win64\fortniteclient-win64-shipping.exe => No File
FirewallRules: [UDP Query User{7757A152-D554-4D42-9825-96114FE787E7}C:\wuthering waves game\client\binaries\win64\client-win64-shipping.exe] => (Allow) C:\wuthering waves game\client\binaries\win64\client-win64-shipping.exe => No File
FirewallRules: [TCP Query User{52C15621-1C40-451C-A1FB-6958FCCA9909}C:\wuthering waves game\client\binaries\win64\client-win64-shipping.exe] => (Allow) C:\wuthering waves game\client\binaries\win64\client-win64-shipping.exe => No File
FirewallRules: [UDP Query User{74716C28-F3E8-4256-A447-33F041170846}D:\wuthering waves\wuthering waves game\client\binaries\win64\client-win64-shipping.exe] => (Allow) D:\wuthering waves\wuthering waves game\client\binaries\win64\client-win64-shipping.exe => No File
FirewallRules: [TCP Query User{6E1219C7-7FFF-452A-8647-7B16F715DF3F}D:\wuthering waves\wuthering waves game\client\binaries\win64\client-win64-shipping.exe] => (Allow) D:\wuthering waves\wuthering waves game\client\binaries\win64\client-win64-shipping.exe => No File
FirewallRules: [UDP Query User{4C7EFF75-E7E6-4A42-855B-140076387AF6}D:\games\assassin's creed 3 - remastered\acliberation.exe] => (Block) D:\games\assassin's creed 3 - remastered\acliberation.exe => No File
FirewallRules: [TCP Query User{3F239DB1-1B14-4E14-94AE-F24A4C3C3E9E}D:\games\assassin's creed 3 - remastered\acliberation.exe] => (Block) D:\games\assassin's creed 3 - remastered\acliberation.exe => No File
FirewallRules: [UDP Query User{C3C60CAC-CD07-4E3F-AC0F-6119B6848B5D}C:\games\elden ring\advguide\elden ring adventure guide.exe] => (Allow) C:\games\elden ring\advguide\elden ring adventure guide.exe => No File
FirewallRules: [TCP Query User{319400EB-4B51-44A2-A341-1ECABA7F084E}C:\games\elden ring\advguide\elden ring adventure guide.exe] => (Allow) C:\games\elden ring\advguide\elden ring adventure guide.exe => No File
FirewallRules: [UDP Query User{D56265CE-117A-4E51-B325-23B16D86B194}D:\games\assassins creed iii\ac3sp.exe] => (Allow) D:\games\assassins creed iii\ac3sp.exe => No File
FirewallRules: [TCP Query User{F761CB71-1B8C-49A4-957E-F4657CF0774D}D:\games\assassins creed iii\ac3sp.exe] => (Allow) D:\games\assassins creed iii\ac3sp.exe => No File
FirewallRules: [UDP Query User{672BB134-7BAE-492E-B764-240F00F8D424}D:\games\assassin's creed 3 - remastered\aciii.exe] => (Allow) D:\games\assassin's creed 3 - remastered\aciii.exe => No File
FirewallRules: [TCP Query User{D54018E0-9F9F-4BD2-B8B0-992FC5B5F0CA}D:\games\assassin's creed 3 - remastered\aciii.exe] => (Allow) D:\games\assassin's creed 3 - remastered\aciii.exe => No File
FirewallRules: [UDP Query User{8A5D0F9B-DB9E-443E-877D-CB5546A5F3A3}C:\riot games\riot client\riotclientelectron\riot client.exe] => (Allow) C:\riot games\riot client\riotclientelectron\riot client.exe => No File
FirewallRules: [TCP Query User{FBCB28FD-AC6B-4499-A823-4095C97657A5}C:\riot games\riot client\riotclientelectron\riot client.exe] => (Allow) C:\riot games\riot client\riotclientelectron\riot client.exe => No File
FirewallRules: [{B6C7D129-04FC-4C1B-92CA-EE0402D42886}] => (Allow) C:\Program Files\Microsoft Office\root\Office16\UcMapi.exe => No File
FirewallRules: [{E0536D9C-E5A4-4713-B307-D59BB1441CC3}] => (Allow) C:\Program Files\Microsoft Office\root\Office16\Lync.exe => No File
FirewallRules: [UDP Query User{39CCAB36-1B8A-4AA2-B2FD-2C53F902AD2E}C:\program files (x86)\steam\steamapps\common\tekken 8 demo\polaris\binaries\win64\polaris-win64-shipping.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\tekken 8 demo\polaris\binaries\win64\polaris-win64-shipping.exe => No File
FirewallRules: [TCP Query User{4274A7E4-4479-4D04-AB98-7C03DCD2C74A}C:\program files (x86)\steam\steamapps\common\tekken 8 demo\polaris\binaries\win64\polaris-win64-shipping.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\tekken 8 demo\polaris\binaries\win64\polaris-win64-shipping.exe => No File
FirewallRules: [UDP Query User{637A9923-A09C-4AC1-AD7B-220BB56D5C9B}D:\games\forza horizon 5\forzahorizon5.exe] => (Allow) D:\games\forza horizon 5\forzahorizon5.exe => No File
FirewallRules: [TCP Query User{5CA9EA09-7726-4116-8604-314CCFC5D96C}D:\games\forza horizon 5\forzahorizon5.exe] => (Allow) D:\games\forza horizon 5\forzahorizon5.exe => No File
FirewallRules: [UDP Query User{C11E7868-9F6C-498B-8C74-8E3F1771F22A}C:\riot games\valorant\live\shootergame\binaries\win64\valorant-win64-shipping.exe] => (Allow) C:\riot games\valorant\live\shootergame\binaries\win64\valorant-win64-shipping.exe => No File
FirewallRules: [TCP Query User{46A42D47-A6F7-4209-8E57-3A38C4F73832}C:\riot games\valorant\live\shootergame\binaries\win64\valorant-win64-shipping.exe] => (Allow) C:\riot games\valorant\live\shootergame\binaries\win64\valorant-win64-shipping.exe => No File
FirewallRules: [UDP Query User{CC06108F-B63B-4D34-A869-E516C6782A5B}C:\games\red dead redemption 2\rdr2.exe] => (Allow) C:\games\red dead redemption 2\rdr2.exe => No File
FirewallRules: [TCP Query User{EE0612CD-D75D-44BC-9FE7-2DB22B6ABC08}C:\games\red dead redemption 2\rdr2.exe] => (Allow) C:\games\red dead redemption 2\rdr2.exe => No File
FirewallRules: [{373B2D33-6C52-4EDD-9727-C68AA74B033C}] => (Allow) D:\Games\Red Dead Redemption 2\RDR2.exe => No File
FirewallRules: [{83A69087-6323-42E7-B157-32200A16BBCC}] => (Allow) D:\Games\Red Dead Redemption 2\RDR2.exe => No File
FirewallRules: [UDP Query User{ED20F72D-7453-47DB-9988-00AEFFB3CE71}C:\users\enzom\appdata\roaming\.minecraft\runtime\java-runtime-gamma\windows\java-runtime-gamma\bin\javaw.exe] => (Allow) C:\users\enzom\appdata\roaming\.minecraft\runtime\java-runtime-gamma\windows\java-runtime-gamma\bin\javaw.exe => No File
FirewallRules: [TCP Query User{3DA0BFB1-400D-4044-8963-13004BF85F31}C:\users\enzom\appdata\roaming\.minecraft\runtime\java-runtime-gamma\windows\java-runtime-gamma\bin\javaw.exe] => (Allow) C:\users\enzom\appdata\roaming\.minecraft\runtime\java-runtime-gamma\windows\java-runtime-gamma\bin\javaw.exe => No File
FirewallRules: [UDP Query User{45A1D740-2455-40F0-9D63-A0C8C324F6B7}C:\program files\epic games\fortnite\engine\binaries\win64\epicwebhelper.exe] => (Allow) C:\program files\epic games\fortnite\engine\binaries\win64\epicwebhelper.exe => No File
FirewallRules: [TCP Query User{4BE2929F-4A65-4A22-8B51-9E101821ED21}C:\program files\epic games\fortnite\engine\binaries\win64\epicwebhelper.exe] => (Allow) C:\program files\epic games\fortnite\engine\binaries\win64\epicwebhelper.exe => No File
FirewallRules: [UDP Query User{3D19A75F-5526-4588-B861-947936B8C19D}C:\users\enzom\appdata\roaming\.tlauncher\jvms\jre1.8.0_281\bin\javaw.exe] => (Allow) C:\users\enzom\appdata\roaming\.tlauncher\jvms\jre1.8.0_281\bin\javaw.exe => No File
FirewallRules: [TCP Query User{75FC4E42-9486-45D6-BB93-A1C3AA4E0DA3}C:\users\enzom\appdata\roaming\.tlauncher\jvms\jre1.8.0_281\bin\javaw.exe] => (Allow) C:\users\enzom\appdata\roaming\.tlauncher\jvms\jre1.8.0_281\bin\javaw.exe => No File
FirewallRules: [UDP Query User{9284C5E3-6229-4908-A488-DD17251B066A}C:\program files\epic games\fortnite\fortnitegame\binaries\win64\fortniteclient-win64-shipping.exe] => (Allow) C:\program files\epic games\fortnite\fortnitegame\binaries\win64\fortniteclient-win64-shipping.exe => No File
FirewallRules: [TCP Query User{160F01C6-2E37-4D46-8563-1EF90CDD54D0}C:\program files\epic games\fortnite\fortnitegame\binaries\win64\fortniteclient-win64-shipping.exe] => (Allow) C:\program files\epic games\fortnite\fortnitegame\binaries\win64\fortniteclient-win64-shipping.exe => No File
FirewallRules: [UDP Query User{2C1CAF17-0C84-42A7-B66E-949752936926}C:\users\enzom\appdata\local\packages\microsoft.4297127d64ec6_8wekyb3d8bbwe\localcache\local\runtime\java-runtime-gamma\windows-x64\java-runtime-gamma\bin\javaw.exe] => (Allow) C:\users\enzom\appdata\local\packages\microsoft.4297127d64ec6_8wekyb3d8bbwe\localcache\local\runtime\java-runtime-gamma\windows-x64\java-runtime-gamma\bin\javaw.exe => No File
FirewallRules: [TCP Query User{B71EA0E2-023B-40EC-B950-74478B7C0FFB}C:\users\enzom\appdata\local\packages\microsoft.4297127d64ec6_8wekyb3d8bbwe\localcache\local\runtime\java-runtime-gamma\windows-x64\java-runtime-gamma\bin\javaw.exe] => (Allow) C:\users\enzom\appdata\local\packages\microsoft.4297127d64ec6_8wekyb3d8bbwe\localcache\local\runtime\java-runtime-gamma\windows-x64\java-runtime-gamma\bin\javaw.exe => No File
FirewallRules: [UDP Query User{013D4D81-DD0B-4CAE-B9BD-C238663483EC}C:\games\cyberpunk 2077\bin\x64\cyberpunk2077.exe] => (Allow) C:\games\cyberpunk 2077\bin\x64\cyberpunk2077.exe => No File
FirewallRules: [TCP Query User{390213C8-F00D-4A3F-A067-8810E6545F31}C:\games\cyberpunk 2077\bin\x64\cyberpunk2077.exe] => (Allow) C:\games\cyberpunk 2077\bin\x64\cyberpunk2077.exe => No File
FirewallRules: [UDP Query User{B86938E0-97E1-4E10-82EA-FCF6ED7C35E9}D:\marvels spiderman remastered\spider-man.exe] => (Allow) D:\marvels spiderman remastered\spider-man.exe => No File
FirewallRules: [TCP Query User{F1C48355-3D22-4EBD-B29C-D39B0C8B5841}D:\marvels spiderman remastered\spider-man.exe] => (Allow) D:\marvels spiderman remastered\spider-man.exe => No File
FirewallRules: [UDP Query User{48C24BAC-9FE4-4863-A2FC-2460ECD9170B}C:\riot games\riot client\riotclientservices.exe] => (Allow) C:\riot games\riot client\riotclientservices.exe => No File
FirewallRules: [TCP Query User{5A4D14B2-328C-4C9E-BDE0-EE3AF48A5C9B}C:\riot games\riot client\riotclientservices.exe] => (Allow) C:\riot games\riot client\riotclientservices.exe => No File
FirewallRules: [{A2CDB7B3-3059-4545-8DD8-1DB92F8EA398}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe => No File
FirewallRules: [{86DE6201-FAAC-4D4A-813F-D14B9E7A7430}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe => No File
FirewallRules: [TCP Query User{4B8D03DB-6CB3-4CDD-BD26-63C634D9484E}C:\users\enzom\downloads\persona-5-royal-steamrip.com\p5r\p5r.exe] => (Allow) C:\users\enzom\downloads\persona-5-royal-steamrip.com\p5r\p5r.exe => No File
FirewallRules: [UDP Query User{E3B08675-242A-4791-B25B-38A00F82C962}C:\users\enzom\downloads\persona-5-royal-steamrip.com\p5r\p5r.exe] => (Allow) C:\users\enzom\downloads\persona-5-royal-steamrip.com\p5r\p5r.exe => No File
HKU\S-1-5-21-2875475434-3243608219-2956671516-1001\...\Run: [RiotClient] => C:\Riot Games\Riot Client\RiotClientServices.exe --launch-background-mode (No File)
ShortcutTarget: DS4Windows.lnk -> C:\Users\enzom\Downloads\Compressed\DS4Windows\DS4Windows.exe (No File)
Task: {135B757D-CB04-4C9F-8F3A-462B6B7691FE} - System32\Tasks\AMDRyzenMasterSDKTask => "C:\Program Files\AMD\CNext\CNext\cpumetricsserver.exe" (No File)
Task: {25FB6987-7D71-4858-952D-D05A852BA347} - System32\Tasks\Microsoft\Windows\Clip\ClipESU => %SystemRoot%\system32\clipesu.exe (No File)
Task: {4E93BF22-4817-45EE-9480-BB5C0B9F23C9} - System32\Tasks\Microsoft\Windows\Clip\ClipESUConsumer => %SystemRoot%\system32\ClipESUConsumer.exe -evaluateEligibility (No File)
Task: {21127C1E-DD50-4C9C-8521-AF16CBA5082D} - System32\Tasks\Microsoft\Windows\Clip\ClipESUConsumerProcessECUpdate => %SystemRoot%\system32\ClipESUConsumer.exe -persistEligibilityStatus (No File)
Task: {0D98F582-717E-4F91-89F7-A652BF82C767} - System32\Tasks\Microsoft\Windows\Clip\ClipEsuConsumerProcessPreOrder => %SystemRoot%\system32\ClipESUConsumer.exe -postProcessPreOrder (No File)
Task: {14791A29-D6FB-4313-A3B3-7246BD2FDA87} - System32\Tasks\Microsoft\Windows\Clip\ClipEsuConsumerProcessRefund => %SystemRoot%\system32\ClipESUConsumer.exe -processRefund (No File)
Task: {9F39E070-FD22-4DFA-8EC8-D343DE372A04} - System32\Tasks\Microsoft\Windows\Clip\EnableClipESU => %SystemRoot%\system32\clipesu.exe -e (No File)
Task: {E88D9B2C-DDEA-47B2-9582-085153004DB5} - System32\Tasks\Microsoft\Windows\Location\Notifications => %windir%\System32\LocationNotificationWindows.exe (No File)
Task: {CCDFC0B8-01A3-4E74-A820-4F13F51D269E} - System32\Tasks\Microsoft\Windows\Mobile Broadband Accounts\MNO Metadata Parser => %SystemRoot%\System32\MbaeParserTask.exe (No File)
Task: {CAB76809-EDC0-40D2-A888-AD9BEDF4E88A} - System32\Tasks\Microsoft\Windows\UNP\RunUpdateNotificationMgr => %windir%\System32\UNP\UpdateNotificationMgr.exe (No File)
Task: {81E49996-EA7E-4A98-AD32-498045DC2BFD} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Reboot_AC => %systemroot%\system32\MusNotification.exe /RunOnAC RebootDialog (No File)
Task: {9ED2E3BE-F946-4D69-8B36-506B521149FA} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Reboot_Battery => %systemroot%\system32\MusNotification.exe /RunOnBattery RebootDialog (No File)
Task: {F3E6E7ED-A196-4E44-8803-55FAB3AD4E29} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker => %systemroot%\system32\MusNotification.exe (No File)
FF Plugin: @wanmei.com/npArcPlayNowPlugin -> [No File]
2024-05-31 20:22 - 2024-06-28 12:47 - 000006366 _____ () C:\Users\enzom\AppData\Local\91089552503
2024-03-17 00:12 - 2024-03-17 00:12 - 000006366 _____ () C:\Users\enzom\AppData\Local\91477623837
2024-04-05 22:35 - 2024-04-13 00:03 - 000006366 _____ () C:\Users\enzom\AppData\Local\91810373224
2024-05-04 15:28 - 2024-05-16 00:30 - 000006366 _____ () C:\Users\enzom\AppData\Local\93292989270
2023-11-22 17:50 - 2023-11-22 17:50 - 000003998 _____ () C:\Users\enzom\AppData\Local\9630024665
2025-11-25 01:39 - 2025-11-25 01:39 - 000000048 ____R () C:\Users\enzom\AppData\Local\AC3F4554E3AA77A2488472F7BA146D2A
2024-12-09 17:33 - 2024-12-09 17:33 - 000000048 ____R () C:\Users\enzom\AppData\Local\BC0A7E8C3F4C0A792A1C2E9229F3DF3C
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiSpyware] Restriction <==== ATTENTION
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiVirus] Restriction <==== ATTENTION
GroupPolicy: Restriction ? <==== ATTENTION
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
HKU\S-1-5-21-2875475434-3243608219-2956671516-1001\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
Task: {3C379660-87B3-41E1-96E4-0088E40F96EF} - System32\Tasks\Brook Divided 43394-516-1001 => C:\Users\enzom\AppData\Local\Advance\8BitDo_Ultimate_Software._Url_152wjlsgtksukab43d2hfrx0qeky3nfz\22f4895c101931b224531583bbebcaf0\pythonw.exe [104280 2026-05-25] (Python Software Foundation -> Python Software Foundation) -> "C:\Users\enzom\AppData\Local\Advance\8BitDo_Ultimate_Software._Url_152wjlsgtksukab43d2hfrx0qeky3nfz\22f4895c101931b224531583bbebcaf0\gamelan.py" <==== ATTENTION
File: C:\Program Files (x86)\IObit\Driver Booster\Pub\sumen.exe
C:\Users\enzom\AppData\Local\Advance\8BitDo_Ultimate_Software._Url_152wjlsgtksukab43d2hfrx0qeky3nfz\22f4895c101931b224531583bbebcaf0
Comment: This snippet reverts SmartScreen settings to default
StartRegedit:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
"SmartScreenEnabled"="Warn"
[HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter]
"EnabledV9"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\AppHost]
"EnableWebContentEvaluation"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\AppHost]
"EnableWebContentEvaluation"=dword:00000001
EndRegedit:
Comment: This snippet reverts User Account Control to default
StartRegedit:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:00000005
"ConsentPromptBehaviorUser"=dword:00000003
"EnableLUA"=dword:00000001
EndRegedit:
IFEO\SppExtComObj.exe: [VerifierDlls] SppExtComObjHook.dll
IFEO\osppsvc.exe: [VerifierDlls] SppExtComObjHook.dll
2026-05-25 22:22 - 2026-05-25 22:22 - 000003652 _____ C:\WINDOWS\system32\Tasks\Brook Divided 43394-516-1001
StartPowershell:
# Replace /scanonly with /clean if you also want to delete items -- however, this will activate a trial license on the system, I do not recommend it
$hmpExe = "$env:TEMP\HitmanPro_x64.exe"
$logFile = "$env:TEMP\HitmanPro_ScanLog.txt"
Invoke-WebRequest -Uri "https://dl.surfright.nl/HitmanPro_x64.exe" -OutFile $hmpExe -UseBasicParsing
$proc = Start-Process $hmpExe -ArgumentList "/ews","/scanonly","/noinstall","/log=`"$logFile`"","/logtype=txt" -Wait -PassThru
if (!(Test-Path $logFile)) { Write-Host "Scan failed (exit $($proc.ExitCode))"; exit 1 }
Get-Content $logFile -Encoding Unicode
EndPowershell:
StartPowerShell:
# Downloads newest AdwCleaner version directly from Malwarebytes, performs an update, scans, cleans and writes the log in console
# Does not clean preinstalled objects, only PUP/Adware
# If you would like to delete preinstalled objects, add an argument /preinstalled to the /clean argument
# If you would like to only scan with it, change the argument from /clean to /scan
# NOTE: For the sake of users from Asia (primarily China), do not use the clean option. It will very likely remove a lot of their important software.
New-Item -ItemType Directory -Force -Path "$env:SystemDrive\AdwCleaner" | Out-Null
Invoke-WebRequest -Uri "https://adwcleaner.malwarebytes.com/adwcleaner?channel=release" -OutFile "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe"
Start-Process -FilePath "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe" -ArgumentList "/eula" -Wait -WindowStyle Hidden
$logFile = "$env:SystemDrive\AdwCleaner\AdwCleanerOutputFRST.txt"
Start-Process -FilePath "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe" -ArgumentList "/noreboot /clean" -Wait -WindowStyle Hidden -RedirectStandardOutput $logFile
Get-Content $logFile -Encoding Unicode
Remove-Item -Path $logFile -Force -ErrorAction SilentlyContinue
EndPowerShell:
Comment: Verify that Discord does not have any injected code to intercept personal data. If anything is prompted here, it needs to be checked that it isn't malicious code.
Powershell: @("$env:APPDATA","$env:LOCALAPPDATA") | ForEach-Object { Get-ChildItem $_ -Recurse -Filter "index.js" -ErrorAction SilentlyContinue } | Where-Object { $_.FullName -match "discord_desktop_core" } | ForEach-Object { Write-Host "--- $($_.FullName) ---"; (Get-Content $_.FullName -Raw).Substring(0,[Math]::Min(2000,(Get-Content $_.FullName -Raw).Length)) }
Comment: Remove unwanted files from common folders using native removal power of Farbar to include remove on reboot if needed. Please double check the user does not have any applications incorrectly installed in the directories listed below.
C:\ProgramData\*.a3x
C:\ProgramData\*.ahk
C:\ProgramData\*.au3
C:\ProgramData\*.bat
C:\ProgramData\*.cab
C:\ProgramData\*.cmd
C:\ProgramData\*.com
C:\ProgramData\*.dll
C:\ProgramData\*.exe
C:\ProgramData\*.hta
C:\ProgramData\*.jar
C:\ProgramData\*.js
C:\ProgramData\*.jse
C:\ProgramData\*.lnk
C:\ProgramData\*.pif
C:\ProgramData\*.ps1
C:\ProgramData\*.py
C:\ProgramData\*.pyc
C:\ProgramData\*.pyd
C:\ProgramData\*.scr
C:\ProgramData\*.tmp
C:\ProgramData\*.vbe
C:\ProgramData\*.vbs
C:\ProgramData\*.wsf
C:\ProgramData\*.wsh
C:\ProgramData\*.zip
C:\ProgramData\*.rar
C:\ProgramData\*.7z
C:\Users\*\AppData\Roaming\*.au3
C:\Users\*\AppData\Roaming\*.bat
C:\Users\*\AppData\Roaming\*.cab
C:\Users\*\AppData\Roaming\*.cmd
C:\Users\*\AppData\Roaming\*.com
C:\Users\*\AppData\Roaming\*.dll
C:\Users\*\AppData\Roaming\*.exe
C:\Users\*\AppData\Roaming\*.hta
C:\Users\*\AppData\Roaming\*.jar
C:\Users\*\AppData\Roaming\*.js
C:\Users\*\AppData\Roaming\*.jse
C:\Users\*\AppData\Roaming\*.lnk
C:\Users\*\AppData\Roaming\*.pif
C:\Users\*\AppData\Roaming\*.ps1
C:\Users\*\AppData\Roaming\*.py
C:\Users\*\AppData\Roaming\*.pyc
C:\Users\*\AppData\Roaming\*.pyd
C:\Users\*\AppData\Roaming\*.scr
C:\Users\*\AppData\Roaming\*.tmp
C:\Users\*\AppData\Roaming\*.vbe
C:\Users\*\AppData\Roaming\*.vbs
C:\Users\*\AppData\Roaming\*.wsf
C:\Users\*\AppData\Roaming\*.wsh
C:\Users\*\AppData\Roaming\*.zip
C:\Users\*\AppData\Roaming\*.rar
C:\Users\*\AppData\Roaming\*.7z
C:\Users\CurrentUserName\AppData\Local\*.a3x
C:\Users\CurrentUserName\AppData\Local\*.ahk
C:\Users\CurrentUserName\AppData\Local\*.au3
C:\Users\CurrentUserName\AppData\Local\*.bat
C:\Users\CurrentUserName\AppData\Local\*.cab
C:\Users\CurrentUserName\AppData\Local\*.cmd
C:\Users\CurrentUserName\AppData\Local\*.com
C:\Users\CurrentUserName\AppData\Local\*.dll
C:\Users\CurrentUserName\AppData\Local\*.exe
C:\Users\CurrentUserName\AppData\Local\*.hta
C:\Users\CurrentUserName\AppData\Local\*.jar
C:\Users\CurrentUserName\AppData\Local\*.js
C:\Users\CurrentUserName\AppData\Local\*.jse
C:\Users\CurrentUserName\AppData\Local\*.lnk
C:\Users\CurrentUserName\AppData\Local\*.pif
C:\Users\CurrentUserName\AppData\Local\*.ps1
C:\Users\CurrentUserName\AppData\Local\*.py
C:\Users\CurrentUserName\AppData\Local\*.pyc
C:\Users\CurrentUserName\AppData\Local\*.pyd
C:\Users\CurrentUserName\AppData\Local\*.scr
C:\Users\CurrentUserName\AppData\Local\*.tmp
C:\Users\CurrentUserName\AppData\Local\*.vbe
C:\Users\CurrentUserName\AppData\Local\*.vbs
C:\Users\CurrentUserName\AppData\Local\*.wsf
C:\Users\CurrentUserName\AppData\Local\*.wsh
C:\Users\CurrentUserName\AppData\Local\*.zip
C:\Users\CurrentUserName\AppData\Local\*.rar
C:\Users\CurrentUserName\AppData\Local\*.7z
C:\Users\CurrentUserName\AppData\Roaming\*.a3x
C:\Users\CurrentUserName\AppData\Roaming\*.ahk
C:\Users\CurrentUserName\AppData\Roaming\*.au3
C:\Users\CurrentUserName\AppData\Roaming\*.bat
C:\Users\CurrentUserName\AppData\Roaming\*.cab
C:\Users\CurrentUserName\AppData\Roaming\*.cmd
C:\Users\CurrentUserName\AppData\Roaming\*.com
C:\Users\CurrentUserName\AppData\Roaming\*.dll
C:\Users\CurrentUserName\AppData\Roaming\*.exe
C:\Users\CurrentUserName\AppData\Roaming\*.hta
C:\Users\CurrentUserName\AppData\Roaming\*.jar
C:\Users\CurrentUserName\AppData\Roaming\*.js
C:\Users\CurrentUserName\AppData\Roaming\*.jse
C:\Users\CurrentUserName\AppData\Roaming\*.lnk
C:\Users\CurrentUserName\AppData\Roaming\*.pif
C:\Users\CurrentUserName\AppData\Roaming\*.ps1
C:\Users\CurrentUserName\AppData\Roaming\*.py
C:\Users\CurrentUserName\AppData\Roaming\*.pyc
C:\Users\CurrentUserName\AppData\Roaming\*.pyd
C:\Users\CurrentUserName\AppData\Roaming\*.scr
C:\Users\CurrentUserName\AppData\Roaming\*.tmp
C:\Users\CurrentUserName\AppData\Roaming\*.vbe
C:\Users\CurrentUserName\AppData\Roaming\*.vbs
C:\Users\CurrentUserName\AppData\Roaming\*.wsf
C:\Users\CurrentUserName\AppData\Roaming\*.wsh
C:\Users\CurrentUserName\AppData\Roaming\*.zip
C:\Users\CurrentUserName\AppData\Roaming\*.rar
C:\Users\CurrentUserName\AppData\Roaming\*.7z
Comment: Force policy removal
C:\Windows\System32\GroupPolicyUsers
C:\Windows\System32\GroupPolicy
Comment: System repair commands
CMD: DISM.exe /Online /Cleanup-image /Restorehealth
CMD: SFC.exe /scannow
Comment: Network reset commands
CMD: netsh int ip reset
CMD: netsh int ipv6 reset
CMD: ipconfig /flushDNS
CMD: netsh winsock reset catalog
Comment: Additional temp file removal
C:\Windows\System32\config\systemprofile\AppData\Local\*.tmp
C:\WINDOWS\system32\*.tmp
C:\WINDOWS\syswow64\*.tmp
C:\Users\CurrentUserName\AppData\Local\Temp\*
C:\Windows\Temp\*
C:\Windows\SystemTemp\*
EmptyTemp:
End::
Warning
Executing a Fixlist on the wrong system may permanently damage it. Continue only if this link was meant for you.