start::
CreateRestorePoint:
CloseProcesses:
Hosts:
Task: C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job => C:\Windows\explorer.exe 
HKU\S-1-5-21-783667411-3380226618-4027535197-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://fr.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wsg_dbgpsszvwu2cegikmoxb_20_15_ssg00鄉1=1鄉2=f%3D1%26b%3DIE%26cc%3Dfr%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzuyD0EzztD0ByCzzyCyByCtD0DyC0BtA0CtN0D0Tzu0StAtDtBtBtN1L2XzuyEtFyCtCtFtDtFtCzyzztN1L1Czu1BtCtN1L1G1B1V1N2Y1L1Qzu2SyEyEzz0CtByD0C0EtGyBtCyCtDtGtBtB0EzztGyE0BzyzytGyE0C0DtDyBzztByCzzyCtCyB2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyB1QyB1RyBtB1OzztGzzyByCzztGyEzytC1StGzzyCyBtCtGtDtA1P1S1P1TyEyBzy1OtBzz2QtN0A0LzuyEtN1B2Z1V1T1S1NzutByCtAzzyEtN1Q2Z1B1P1RzutCyDzzyCyDtAtByBtBtA%26cr%3D480508394%26a%3Dwsg_dbgpsszvwu2cegikmoxb_20_15_ssg00%26os_ver%3D10.0%26os%3DWindows%2B10%2BEnterprise
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://fr.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wsg_dbgpsszvwu2cegikmoxb_20_15_ssg00鄉1=1鄉2=f%3D4%26b%3DIE%26cc%3Dfr%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzuyD0EzztD0ByCzzyCyByCtD0DyC0BtA0CtN0D0Tzu0StAtDtBtBtN1L2XzuyEtFyCtCtFtDtFtCzyzztN1L1Czu1BtCtN1L1G1B1V1N2Y1L1Qzu2SyEyEzz0CtByD0C0EtGyBtCyCtDtGtBtB0EzztGyE0BzyzytGyE0C0DtDyBzztByCzzyCtCyB2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyB1QyB1RyBtB1OzztGzzyByCzztGyEzytC1StGzzyCyBtCtGtDtA1P1S1P1TyEyBzy1OtBzz2QtN0A0LzuyEtN1B2Z1V1T1S1NzutByCtAzzyEtN1Q2Z1B1P1RzutCyDzzyCyDtAtByBtBtA%26cr%3D480508394%26a%3Dwsg_dbgpsszvwu2cegikmoxb_20_15_ssg00%26os_ver%3D10.0%26os%3DWindows%2B10%2BEnterprise&p={searchTerms}
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://fr.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wsg_dbgpsszvwu2cegikmoxb_20_15_ssg00鄉1=1鄉2=f%3D4%26b%3DIE%26cc%3Dfr%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzuyD0EzztD0ByCzzyCyByCtD0DyC0BtA0CtN0D0Tzu0StAtDtBtBtN1L2XzuyEtFyCtCtFtDtFtCzyzztN1L1Czu1BtCtN1L1G1B1V1N2Y1L1Qzu2SyEyEzz0CtByD0C0EtGyBtCyCtDtGtBtB0EzztGyE0BzyzytGyE0C0DtDyBzztByCzzyCtCyB2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyB1QyB1RyBtB1OzztGzzyByCzztGyEzytC1StGzzyCyBtCtGtDtA1P1S1P1TyEyBzy1OtBzz2QtN0A0LzuyEtN1B2Z1V1T1S1NzutByCtAzzyEtN1Q2Z1B1P1RzutCyDzzyCyDtAtByBtBtA%26cr%3D480508394%26a%3Dwsg_dbgpsszvwu2cegikmoxb_20_15_ssg00%26os_ver%3D10.0%26os%3DWindows%2B10%2BEnterprise&p={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://fr.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wsg_dbgpsszvwu2cegikmoxb_20_15_ssg00鄉1=1鄉2=f%3D4%26b%3DIE%26cc%3Dfr%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzuyD0EzztD0ByCzzyCyByCtD0DyC0BtA0CtN0D0Tzu0StAtDtBtBtN1L2XzuyEtFyCtCtFtDtFtCzyzztN1L1Czu1BtCtN1L1G1B1V1N2Y1L1Qzu2SyEyEzz0CtByD0C0EtGyBtCyCtDtGtBtB0EzztGyE0BzyzytGyE0C0DtDyBzztByCzzyCtCyB2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyB1QyB1RyBtB1OzztGzzyByCzztGyEzytC1StGzzyCyBtCtGtDtA1P1S1P1TyEyBzy1OtBzz2QtN0A0LzuyEtN1B2Z1V1T1S1NzutByCtAzzyEtN1Q2Z1B1P1RzutCyDzzyCyDtAtByBtBtA%26cr%3D480508394%26a%3Dwsg_dbgpsszvwu2cegikmoxb_20_15_ssg00%26os_ver%3D10.0%26os%3DWindows%2B10%2BEnterprise&p={searchTerms}
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://fr.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wsg_dbgpsszvwu2cegikmoxb_20_15_ssg00鄉1=1鄉2=f%3D4%26b%3DIE%26cc%3Dfr%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzuyD0EzztD0ByCzzyCyByCtD0DyC0BtA0CtN0D0Tzu0StAtDtBtBtN1L2XzuyEtFyCtCtFtDtFtCzyzztN1L1Czu1BtCtN1L1G1B1V1N2Y1L1Qzu2SyEyEzz0CtByD0C0EtGyBtCyCtDtGtBtB0EzztGyE0BzyzytGyE0C0DtDyBzztByCzzyCtCyB2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyB1QyB1RyBtB1OzztGzzyByCzztGyEzytC1StGzzyCyBtCtGtDtA1P1S1P1TyEyBzy1OtBzz2QtN0A0LzuyEtN1B2Z1V1T1S1NzutByCtAzzyEtN1Q2Z1B1P1RzutCyDzzyCyDtAtByBtBtA%26cr%3D480508394%26a%3Dwsg_dbgpsszvwu2cegikmoxb_20_15_ssg00%26os_ver%3D10.0%26os%3DWindows%2B10%2BEnterprise&p={searchTerms}
SearchScopes: HKU\S-1-5-21-783667411-3380226618-4027535197-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-783667411-3380226618-4027535197-1001 -> {2f23ab71-4ac6-41f2-a955-ea576e553146} URL = hxxps://fr.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wsg_dbgpsszvwu2cegikmoxb_20_15_ssg00鄉1=1鄉2=f%3D4%26b%3DIE%26cc%3Dfr%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzuyD0EzztD0ByCzzyCyByCtD0DyC0BtA0CtN0D0Tzu0StAtDtBtBtN1L2XzuyEtFyCtCtFtDtFtCzyzztN1L1Czu1BtCtN1L1G1B1V1N2Y1L1Qzu2SyEyEzz0CtByD0C0EtGyBtCyCtDtGtBtB0EzztGyE0BzyzytGyE0C0DtDyBzztByCzzyCtCyB2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyB1QyB1RyBtB1OzztGzzyByCzztGyEzytC1StGzzyCyBtCtGtDtA1P1S1P1TyEyBzy1OtBzz2QtN0A0LzuyEtN1B2Z1V1T1S1NzutByCtAzzyEtN1Q2Z1B1P1RzutCyDzzyCyDtAtByBtBtA%26cr%3D480508394%26a%3Dwsg_dbgpsszvwu2cegikmoxb_20_15_ssg00%26os_ver%3D10.0%26os%3DWindows%2B10%2BEnterprise&p={searchTerms} 
Edge DefaultSearchURL: Default -> hxxps://manageyoursearch.com/?q={searchTerms}
Edge DefaultSuggestURL: Default -> hxxps://manageyoursearch.com/suggest?q={searchTerms}
Edge Extension: (Search Manager) - C:\Users\adria\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\meckckfjnfnimlomkemnhcoonjfpbcoh [2020-07-06]
Edge HKLM\...\Edge\Extension: [meckckfjnfnimlomkemnhcoonjfpbcoh]
Edge HKU\S-1-5-21-783667411-3380226618-4027535197-1001\SOFTWARE\Microsoft\Edge\Extensions\...\Edge\Extension: [meckckfjnfnimlomkemnhcoonjfpbcoh]
Edge HKLM-x32\...\Edge\Extension: [meckckfjnfnimlomkemnhcoonjfpbcoh] 
CHR Notifications: Default -> hxxps://checkandgo.info; hxxps://gopro.com; hxxps://www.cowcotland.com
CHR HKLM\...\Chrome\Extension: [bnlfgalbnliphjafcnhjnnnfijekbnod]
CHR HKLM\...\Chrome\Extension: [coikafgfajmocjfjomdmagifpeehhohh]
CHR HKU\S-1-5-21-783667411-3380226618-4027535197-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [bnlfgalbnliphjafcnhjnnnfijekbnod]
CHR HKU\S-1-5-21-783667411-3380226618-4027535197-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [coikafgfajmocjfjomdmagifpeehhohh]
CHR HKLM-x32\...\Chrome\Extension: [bnlfgalbnliphjafcnhjnnnfijekbnod]
CHR HKLM-x32\...\Chrome\Extension: [coikafgfajmocjfjomdmagifpeehhohh] 
2020-07-28 17:10 - 2020-07-28 17:23 - 000000000 ____D C:\Users\adria\AppData\Roaming\ZHP
2020-07-28 17:10 - 2020-07-28 17:10 - 000000000 ____D C:\Users\adria\AppData\Local\ZHP
2020-07-28 17:09 - 2020-07-28 17:09 - 003454848 _____ (Nicolas Coolman) C:\Users\adria\Downloads\ZHPSuite.exe 
2020-07-28 00:58 - 2020-07-28 01:04 - 000000000 ____D C:\WINDOWS\LastGood 
C:\Windows\Temp\*.*
C:\Users\CurrentUserName\AppData\Local\Temp\*.*
cmd: ipconfig /flushdns
end::