start::
closeprocesses:
createrestorepoint:
virustotal: C:\Users\renan\gsactwlt\llhvy.exe
virustotal: C:\Users\renan\gsactwlt\jgzkd.oii
HKLM\...\Policies\Explorer: [HideSCAHealth] 1
HKLM\...\Print\Monitors\Wondershare PDFelement Monitor: C:\Windows\system32\PEPrinterMonitor.dll [285216 2021-01-28] (Wondershare Technology Co.,Ltd -> Wondershare Software)
Task: {0ECE52D1-DBA5-4091-AC11-814EF3A72CCE} - System32\Tasks\gsactwlt => C:\Users\renan\gsactwlt\llhvy.exe -> C:\Users\renan\gsactwlt\jgzkd.oii
Task: {2E0FE424-9E69-4093-9AE1-A2DA02E1984F} - \Microsoft\Windows\UNP\RunCampaignManager -> Pas de fichier <==== ATTENTION
Task: {4EDCF912-2E53-4750-8961-D2413BC52E35} - System32\Tasks\Microsoft\Windows\Windows Error Reporting\winrmsrv => winrmsrv.exe <==== ATTENTION
Task: {60570C1E-8D42-489E-9136-F535A836938B} - System32\Tasks\Microsoft\Windows\Application Experience\StartupCheckLibrary => rundll32.exe StartupCheckLibrary.dll,DllMainRunLibrary <==== ATTENTION
Task: {7A9D26D8-D1E0-4F35-932C-DFFE8FF5CA30} - System32\Tasks\Microsoft\Windows\WDI\SrvHost => rundll32.exe winscomrssrv.dll,SrvMainHost <==== ATTENTION
Task: {A4392A45-2874-4548-9232-3B4707F34BE8} - System32\Tasks\Microsoft\Windows\Wininet\Winlogui => winlogui.exe <==== ATTENTION
FF Plugin: @java.com/DTPlugin,version=11.171.2 -> D:\Java\bin\dtplugin\npDeployJava1.dll [Pas de fichier]
FF Plugin: @java.com/JavaPlugin,version=11.171.2 -> D:\Java\bin\plugin2\npjp2.dll [Pas de fichier]
2021-02-28 22:55 - 2021-02-28 22:55 - 000002598 _____ C:\WINDOWS\system32\Tasks\gsactwlt
2021-02-02 10:25 - 2021-02-02 10:25 - 000000000 ____D C:\Users\renan\AppData\Roaming\Wondershare
2021-02-02 10:25 - 2021-02-02 10:25 - 000000000 ____D C:\Program Files\Common Files\Wondershare
2021-02-20 19:25 - 2017-09-10 10:01 - 000000000 ____D C:\Users\renan\AppData\Local\MSfree Inc
2021-02-02 10:27 - 2018-02-08 15:53 - 000000000 ____D C:\ProgramData\Documents\Wondershare
2021-02-02 10:25 - 2018-02-08 17:01 - 000000000 ____D C:\ProgramData\Wondershare
AlternateDataStreams: C:\ProgramData\Reprise:jhqduwvxlctbqqijsf`usjbm`bfjhiqhnhm [0]
BHO: Pas de nom -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> Pas de fichier
BHO: Pas de nom -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> Pas de fichier
IE trusted site: HKU\S-1-5-21-3424316942-2231806578-3703315171-1001\...\sharepoint.com -> hxxps://etuunistrafr-files.sharepoint.com
FirewallRules: [{594EF8CA-A396-4BC5-A237-EB8710A07217}] => (Allow) C:\WINDOWS\system32\winrmsrv.exe => Pas de fichier
C:\WINDOWS\system32\winlogui.exe
C:\WINDOWS\system32\winrmsrv.exe
cmd: cscript %windir%\System32\slmgr.vbs /dli
emptytemp:
end::