Hi chris m
Thanks for posting in the Microsoft Q&A Forum!
I’m really sorry you’re dealing with all this. Sudden Event Viewer activity paired with a Trojan alert can be stressful, so you’re on track to double‑check everything. I’ll try to break things down as clearly as possible.
1) BranchIO is safe and not related to your security events
The BranchIO registry key you found is not malware and not a Windows system component. It comes from the Branch.io SDK, which is used by many legitimate apps (games, installers, mobile‑linked apps, analytics tools, etc.).
Here is the Microsoft Learn thread confirming that the BranchIO registry key is harmless: https://learn.microsoft.com/en-us/answers/questions/4023467/registry-related?page=2#answers
In that thread, DaveM121 (Microsoft Independent Advisor) states:
“That BranchIO registry key is doing no harm on your PC, you should not touch that registry key.”
So yes, BranchIO is safe and not related to the Event Viewer logs you’re seeing.
Those events occur at a much deeper system level. BranchIO does not have that kind of access or functionality.
2) What do these Event IDs mean?
- 4624 – Successful logon
- 4672 – Special admin privileges used
- 4798 – Group membership enumeration (often used by malware to check privileges)
- 5058 / 5061 – Key/cryptographic operations
- 5379 – Credential Manager access (repeated entries can indicate password harvesting)
Especially when they appear back‑to‑back or in large batches, they can be signs of:
- leftover malware components
- credential‑stealing tools
- malicious scheduled tasks
- unauthorized background services
- a Trojan that wasn’t fully removed
3) What you can do about the other suspicious registry/system behavior
Here are safe steps you can take next:
A. Run Microsoft Defender offline scan
Windows Security → Virus & threat protection → Scan options → Microsoft Defender Offline scan
B. Check for persistence methods
Malware often stays alive using:
- Task Scheduler
- Startup items (Run keys)
- Services
You can safely inspect these:
Task Scheduler: taskschd.msc. Look for newly created tasks or tasks with random names.
Startup registry keys:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Services: services.msc. Look for services with:
- random names
- no description
- recent installation
If you want, you can list suspicious entries by name and someone can help identify them.
C. Reset your passwords
Because Event ID 5379 suggests something accessed Credential Manager.
D. As a last resort, consider a clean reinstall
If suspicious activity continues even after cleaning, a fresh install guarantees the system is safe.
Hope this helps provide additional information. Feel free to update here if anything comes up!
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
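The persistence review in step B, as an added example that is not part of the original answer: a read-only PowerShell pass over the Run keys, scheduled tasks and services, flagging the signs the answer lists (new tasks, random-looking names, services with no description, recently written service binaries). It assumes an elevated PowerShell on the affected PC; the 30-day window and the "random name" regex are assumed heuristics to tune.

```powershell
# Added triage example, not code from the original answer. Run elevated on the affected PC.
# $RecentDays and Test-RandomName are assumed heuristics; adjust them to your situation.
$RecentDays = 30
$Cutoff     = (Get-Date).AddDays(-$RecentDays)
$Findings   = [System.Collections.Generic.List[object]]::new()

function Add-Finding($Area, $Name, $Detail, $Reason) {
    $Findings.Add([PSCustomObject]@{ Area = $Area; Name = $Name; Detail = $Detail; Reason = $Reason })
}
# Heuristic for "random" names: 12+ characters, letters and digits only, at least one digit
function Test-RandomName($n) { ($n -match '^[A-Za-z0-9]{12,}$') -and ($n -match '\d') }

# B1. Startup (Run) keys: every value here is launched at logon, so list all of them
$PsMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
foreach ($Key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') {
    if (-not (Test-Path $Key)) { continue }
    (Get-ItemProperty -Path $Key).PSObject.Properties |
        Where-Object { $_.Name -notin $PsMeta } |            # skip PowerShell's own metadata properties
        ForEach-Object { Add-Finding 'Run key' $_.Name $_.Value "autostart in $Key" }
}

# B2. Scheduled tasks: registered after the cutoff, or carrying a random-looking name
foreach ($Task in Get-ScheduledTask) {
    $Registered = $null
    try { if ($Task.Date) { $Registered = [datetime]$Task.Date } } catch { }
    $Action = ($Task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    $Full   = "$($Task.TaskPath)$($Task.TaskName)"
    if ($Registered -and $Registered -gt $Cutoff) {
        Add-Finding 'Task' $Full $Action "registered $($Registered.ToString('u'))"
    } elseif (Test-RandomName $Task.TaskName) {
        Add-Finding 'Task' $Full $Action 'random-looking name'
    }
}

# B3. Services: no description, random-looking name, or a binary written after the cutoff
foreach ($Svc in Get-CimInstance -ClassName Win32_Service) {
    $Reasons = @()
    if (-not $Svc.Description)     { $Reasons += 'no description' }
    if (Test-RandomName $Svc.Name) { $Reasons += 'random-looking name' }
    # PathName may be quoted and carry arguments; keep only the executable (unquoted paths with spaces get truncated)
    $Exe = if ($Svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($Svc.PathName -split ' ')[0] }
    if ($Exe -and (Test-Path $Exe) -and (Get-Item $Exe).CreationTime -gt $Cutoff) {
        $Reasons += "binary created $((Get-Item $Exe).CreationTime.ToString('u'))"
    }
    if ($Reasons) { Add-Finding 'Service' $Svc.Name $Svc.PathName ($Reasons -join ', ') }
}

$Findings | Sort-Object Area, Name | Format-Table -AutoSize -Wrap
```

Entries in the output are leads to look up, not verdicts; many legitimate vendors also register tasks and services with no description, so check each binary's publisher signature before acting on it.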