HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. Dragon1952

    Dragon1952 Registered Member

    Thanks @Krusty for helping me out with the post about removing the programdata before going back to 3.7...
     
  2. Krusty

    Krusty Registered Member

    No worries. Hopefully you won't have any problems from here on.
     
  3. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    1 machine was successfully autoupdated from build 871 to 875 (Win10x64)
     
  4. RonnyT

    RonnyT QA Engineer

    Hi Dragon,

    If that is the reason to go back to 3.7, I would suggest going to 3.8 again; in that version you can now allow this locally.
    Not that it's needed for this alert, as it's only logging an access denied for avp.exe trying to read the SAM registry key. There is nothing wrong; loads of applications do this because of how the API queries the complete registry.
    You can safely ignore this, but if you don't want this to show up, do the following.

    Open HitmanPro.Alert and click on "Last event", find the offending alert -> Action -> Suppress Alert.
    This is effectively whitelisting the alert.
     
  5. Krusty

    Krusty Registered Member

    Code:
    Mitigation   CryptoGuard
    Timestamp    2020-07-04T22:45:48
    
    Platform     10.0.19041/x64 v875 06_5e
    PID          4628
    Application  C:\Windows\System32\Dism.exe
    Created      2020-06-10T04:13:20
    Description  Dism Image Servicing Utility 10
    
    Filename     C:\Windows\System32\Dism.exe
    
    Detection    Generic.Ransom.C
    
     1*C:\Users\David\AppData\Local\Temp\94626554-180c-4d5e-94e5-a1cba66c6aeb
       Overwritten L0, Read T14848 H14530|^273, Write T14848 H14530|^273 #1,2
    
     2*C:\boot\macrium\WinREFiles\mount\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Security-SPP-Component-SKU-IoTEnterprise-License-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat
       Opened L12545, Read T12800|100% H12545 #2,1
    
     3 C:\Users\David\AppData\Local\Temp\c9690f8b-dcab-4077-a645-32e532e084d4
       Overwritten L0, Read T6144 H5766|^290, Write T6144 H5766|^290 #3
    
     4 C:\boot\macrium\WinREFiles\mount\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Security-SPP-Component-SKU-Enterprise-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat
       Opened L9138, Read T9216|100% H9138|^16228 #4
    
     5*C:\Users\David\AppData\Local\Temp\189f7630-b65a-4b53-975a-1cc029991607
       Overwritten L0, Read T8192 H7978|^274, Write T8192 H7978|^274 #5,8
    
     6 C:\Users\David\AppData\Local\Temp\61641c8c-f841-4c90-867f-1abb92fb2d54
       Overwritten L0, Read T14848 H10552|^335, Write T14848 H10552|^335 #6
    
     7 C:\boot\macrium\WinREFiles\mount\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Security-SPP-Component-SKU-Enterprise-License-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat
       Opened L37355, Read T37376|100% H32768 #7
    
     8*C:\boot\macrium\WinREFiles\mount\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Security-SPP-Component-SKU-Enterprise-Default-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat
       Opened L9554, Read T9728|100% H9554|^17251 #8,5
    
     9*C:\Users\David\AppData\Local\Temp\20603325-fdfb-4390-8bc9-1333b2ed7baf
       Overwritten L0, Read T8704 H4124|^266, Write T8704 H4124|^266 #9,15
    
    10 C:\Users\David\AppData\Local\Temp\94626554-180c-4d5e-94e5-a1cba66c6aeb
       Overwritten L0, Read T5632 H5426|^265, Write T5632 H5426|^265 #10
    
    11 C:\boot\macrium\WinREFiles\mount\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Security-SPP-Component-SKU-Education-License-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat
       Opened L38105, Read T38400|100% H32768|^124509 #11
    
    12 C:\Users\David\AppData\Local\Temp\4ef6fbfd-2485-4671-9f5e-1fdb893ca44e
       Overwritten L0, Read T5632 H5556|^303, Write T5632 H5556|^303 #12
    
    13 C:\boot\macrium\WinREFiles\mount\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Security-SPP-Component-SKU-CoreSingleLanguage-License-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat
       Opened L17233, Read T17408|100% H17233|^42350 #13
    
    14*C:\Users\David\AppData\Local\Temp\816a29f2-8ba0-4268-add2-a29322210c1e
       Overwritten L0, Read T16384 H12288|^240, Write T16384 H12288|^240 #14,33
    
    15*C:\boot\macrium\WinREFiles\mount\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Security-SPP-Component-SKU-Core-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat
       Opened L8915, Read T9216|100% H8915|^15727 #15,9
    
    16*C:\Users\David\AppData\Local\Temp\61641c8c-f841-4c90-867f-1abb92fb2d54
       Overwritten L0, Read T16896 H8392|^281, Write T16896 H8392|^281 #16,17
    
    17*C:\boot\macrium\WinREFiles\mount\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Security-SPP-Component-SKU-Core-License-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat
       Opened L17957, Read T18432|100% H17957|^45649 #17,16
    
    33*C:\boot\macrium\WinREFiles\mount\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat
       Opened L15852, Read T15872|100% H15852|^37143 #33,14
    
    
    
    Loaded Modules (45)
    -----------------------------------------------------------------------------
    
    Process Trace
    1  C:\Windows\System32\Dism.exe [4628] 2020-07-04T22:45:25
       "C:\WINDOWS\system32\dism.exe" /English /unmount-wim /mountdir:"c:\boot\macrium\WinREFiles\mount" /commit
    2  C:\Program Files\Macrium\Reflect\RMBuilder.exe [9416] 2020-07-04T22:42:07
       "C:\Program Files\Macrium\Reflect\rmbuilder.exe" *00000000000404DC
    3  C:\Program Files\Macrium\Reflect\reflectbin.exe [9868] 2020-07-04T22:41:54
    4  C:\Windows\explorer.exe [7828] 2020-07-04T22:41:16
    5  C:\Windows\System32\userinit.exe [7524] 2020-07-04T22:41:15 24.3s
    6  C:\Windows\System32\winlogon.exe [872] 2020-07-04T22:40:20
       winlogon.exe
    7  C:\Windows\System32\smss.exe [752] 2020-07-04T22:40:20 108ms
       \SystemRoot\System32\smss.exe 0000011c 00000084
    8  C:\Windows\System32\smss.exe [396] 2020-07-04T22:39:48
       \SystemRoot\System32\smss.exe
    
    Dropped Files
    1  C:\Users\David\AppData\Local\Temp\835be2de-b3a7-4983-bb28-f5f4adbb9484
         Dropped by \Device\HarddiskVolume4\Windows\System32\Dism.exe [4628]
    2  C:\Users\David\AppData\Local\Temp\20603325-fdfb-4390-8bc9-1333b2ed7baf
         Dropped by \Device\HarddiskVolume4\Windows\System32\Dism.exe [4628]
    3  C:\Users\David\AppData\Local\Temp\94626554-180c-4d5e-94e5-a1cba66c6aeb
         Dropped by \Device\HarddiskVolume4\Windows\System32\Dism.exe [4628]
    4  C:\Users\David\AppData\Local\Temp\4ef6fbfd-2485-4671-9f5e-1fdb893ca44e
         Dropped by \Device\HarddiskVolume4\Windows\System32\Dism.exe [4628]
    5  C:\Users\David\AppData\Local\Temp\61641c8c-f841-4c90-867f-1abb92fb2d54
         Dropped by \Device\HarddiskVolume4\Windows\System32\Dism.exe [4628]
    6  C:\Users\David\AppData\Local\Temp\189f7630-b65a-4b53-975a-1cc029991607
         Dropped by \Device\HarddiskVolume4\Windows\System32\Dism.exe [4628]
    7  C:\Users\David\AppData\Local\Temp\c9690f8b-dcab-4077-a645-32e532e084d4
         Dropped by \Device\HarddiskVolume4\Windows\System32\Dism.exe [4628]
    8  C:\Users\David\AppData\Local\Temp\816a29f2-8ba0-4268-add2-a29322210c1e
         Dropped by \Device\HarddiskVolume4\Windows\System32\Dism.exe [4628]
    9  C:\Users\David\AppData\Local\Temp\a7a557a8-8522-4555-b707-ae1bd35d36bf
         Dropped by \Device\HarddiskVolume4\Windows\System32\Dism.exe [4628]
    1  C:\boot\macrium\WinREFiles\mount\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_6_for_KB4552925~31bf3856ad364e35~amd64~~10.0.1.3176.cat
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    2  C:\boot\macrium\WinREFiles\mount\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_6_for_KB4560366~31bf3856ad364e35~amd64~~19041.329.1.2.cat
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    3  C:\boot\macrium\WinREFiles\mount\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_7_for_KB4552925~31bf3856ad364e35~amd64~~10.0.1.3176.cat
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    4  C:\boot\macrium\WinREFiles\mount\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_7_for_KB4560366~31bf3856ad364e35~amd64~~19041.329.1.2.cat
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    5  C:\boot\macrium\WinREFiles\mount\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_8_for_KB4560366~31bf3856ad364e35~amd64~~19041.329.1.2.cat
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    6  C:\boot\macrium\WinREFiles\mount\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_9_for_KB4560366~31bf3856ad364e35~amd64~~19041.329.1.2.cat
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    7  C:\boot\macrium\WinREFiles\mount\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_for_DotNetRollup~31bf3856ad364e35~amd64~~10.0.1.3176.cat
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    8  C:\boot\macrium\WinREFiles\mount\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_for_KB4560366~31bf3856ad364e35~amd64~~19041.329.1.2.cat
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    9  C:\boot\macrium\WinREFiles\mount\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_for_KB4561600~31bf3856ad364e35~amd64~~10.0.1.0.cat
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    10 C:\boot\macrium\WinREFiles\mount\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.329.1.7.cat
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    11 C:\boot\macrium\WinREFiles\mount\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnge001.cat
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    12 C:\boot\macrium\WinREFiles\mount\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnms002.cat
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    13 C:\boot\macrium\WinREFiles\mount\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnms003.cat
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    14 C:\boot\macrium\WinREFiles\mount\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnms004.cat
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    15 C:\boot\macrium\WinREFiles\mount\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnms005.cat
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    16 C:\boot\macrium\WinREFiles\mount\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnms007.cat
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    17 C:\boot\macrium\WinREFiles\mount\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnms008.cat
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    18 C:\boot\macrium\WinREFiles\mount\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnms010.cat
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    19 C:\boot\macrium\WinREFiles\mount\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnms011.cat
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    20 C:\boot\macrium\WinREFiles\mount\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnms012.cat
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    21 C:\boot\macrium\WinREFiles\mount\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnms014.cat
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    22 C:\boot\macrium\WinREFiles\mount\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\RemoteDesktopServices-Base-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    23 C:\boot\macrium\WinREFiles\mount\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\RemoteDesktopServices-Base-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    24 C:\boot\macrium\WinREFiles\mount\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\RemoteDesktopServices-Base-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    25 C:\boot\macrium\WinREFiles\mount\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\RemoteDesktopServices-Base-Package~31bf3856ad364e35~amd64~~10.0.19041.84.cat
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    26 C:\boot\macrium\WinREFiles\mount\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Server-Help-Package.ClientEnterprise~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    27 C:\boot\macrium\WinREFiles\mount\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Server-Help-Package.ClientEnterprise~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    28 C:\boot\macrium\WinREFiles\mount\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Server-Help-Package.ClientEnterprise~31bf3856ad364e35~amd64~~10.0.19041.1.cat
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    29 C:\boot\macrium\WinREFiles\mount\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Server-Help-Package.ClientHomePremium~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    30 C:\boot\macrium\WinREFiles\mount\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Server-Help-Package.ClientHomePremium~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    31 C:\boot\macrium\WinREFiles\mount\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Server-Help-Package.ClientHomePremium~31bf3856ad364e35~amd64~~10.0.19041.1.cat
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    32 C:\boot\macrium\WinREFiles\mount\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\SYMEVENT64x86.CAT
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    33 C:\boot\macrium\WinREFiles\mount\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\SymEvnt.cat
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    34 C:\boot\macrium\WinREFiles\mount\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-AppLayer-Group-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    35 C:\boot\macrium\WinREFiles\mount\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-AppLayer-Group-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    36 C:\boot\macrium\WinREFiles\mount\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-AppLayer-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    37 C:\boot\macrium\WinREFiles\mount\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-ApplicationGuard-Inbox-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    38 C:\boot\macrium\WinREFiles\mount\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-ApplicationGuard-Inbox-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    39 C:\boot\macrium\WinREFiles\mount\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-ApplicationGuard-Inbox-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    40 C:\boot\macrium\WinREFiles\mount\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-ApplicationGuard-Inbox-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    41 C:\boot\macrium\WinREFiles\mount\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-ApplicationGuard-Inbox-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    42 C:\boot\macrium\WinREFiles\mount\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-ApplicationGuard-Inbox-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    43 C:\boot\macrium\WinREFiles\mount\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Client-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    44 C:\boot\macrium\WinREFiles\mount\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Client-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    45 C:\boot\macrium\WinREFiles\mount\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Client-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    46 C:\boot\macrium\WinREFiles\mount\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Client-Package~31bf3856ad364e35~amd64~~10.0.19041.329.cat
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    47 C:\boot\macrium\WinREFiles\mount\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Core-Group-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    48 C:\boot\macrium\WinREFiles\mount\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Core-Group-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    49 C:\boot\macrium\WinREFiles\mount\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Core-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    50 C:\boot\macrium\WinREFiles\mount\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Core-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.329.cat
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    51 C:\boot\macrium\WinREFiles\mount\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Group-Policy-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    52 C:\boot\macrium\WinREFiles\mount\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Group-Policy-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    53 C:\boot\macrium\WinREFiles\mount\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Group-Policy-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    54 C:\boot\macrium\WinREFiles\mount\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Group-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    55 C:\boot\macrium\WinREFiles\mount\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Group-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    56 C:\boot\macrium\WinREFiles\mount\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    57 C:\boot\macrium\WinREFiles\mount\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-MDM-Group-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    58 C:\boot\macrium\WinREFiles\mount\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-MDM-Group-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    59 C:\boot\macrium\WinREFiles\mount\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-MDM-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    60 C:\boot\macrium\WinREFiles\mount\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    61 C:\boot\macrium\WinREFiles\mount\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    62 C:\boot\macrium\WinREFiles\mount\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    63 C:\boot\macrium\WinREFiles\mount\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Nis-Group-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    64 C:\boot\macrium\WinREFiles\mount\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Nis-Group-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    65 C:\boot\macrium\WinREFiles\mount\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Nis-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    66 C:\boot\macrium\WinREFiles\mount\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\WindowsSearchEngineSKU-Group-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    67 C:\boot\macrium\WinREFiles\mount\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\WindowsSearchEngineSKU-Group-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    68 C:\boot\macrium\WinREFiles\mount\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\WindowsSearchEngineSKU-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    69 C:\boot\macrium\WinREFiles\mount\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\{57ADB770-4D9B-4EDC-95F4-731D25B21D10}.cat
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    70 C:\boot\macrium\WinREFiles\mount\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\{AD1B200E-C919-4A60-AD8D-E292BD00778A}.cat
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    71 C:\boot\macrium\WinREFiles\media\bootmgfw.efi
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    72 C:\boot\macrium\WinREFiles\media\boot\bcdedit.exe
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    73 C:\boot\macrium\WinREFiles\media\Drivers\Macrium.oem
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    74 C:\boot\macrium\WinREFiles\media\Drivers\USB\VEN_8086_DEV_A12F\usbxhci.inf
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
            Read by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    75 C:\boot\macrium\WinREFiles\media\Drivers\USB\VEN_8086_DEV_A12F\USBXHCI.SYS
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
            Read by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    76 C:\boot\macrium\WinREFiles\media\Drivers\USB\VEN_8086_DEV_A12F\UsbXhciCompanion.dll
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
            Read by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    77 C:\boot\macrium\WinREFiles\media\Drivers\Wifi\VEN_8086_DEV_24FB\Driver.msi
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
            Read by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    78 C:\boot\macrium\WinREFiles\media\Drivers\Wifi\VEN_8086_DEV_24FB\IntelWifiIhv04.dll
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
            Read by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    79 C:\boot\macrium\WinREFiles\media\Drivers\Wifi\VEN_8086_DEV_24FB\netvwifibus.inf
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
            Read by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    80 C:\boot\macrium\WinREFiles\media\Drivers\Wifi\VEN_8086_DEV_24FB\Netwfw04.dat
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
            Read by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    81 C:\boot\macrium\WinREFiles\media\Drivers\Wifi\VEN_8086_DEV_24FB\Netwtw04.cat
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
            Read by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    82 C:\boot\macrium\WinREFiles\media\Drivers\Wifi\VEN_8086_DEV_24FB\Netwtw04.INF
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
            Read by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    83 C:\boot\macrium\WinREFiles\media\Drivers\Wifi\VEN_8086_DEV_24FB\netwtw04.PNF
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
            Read by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    84 C:\boot\macrium\WinREFiles\media\Drivers\Wifi\VEN_8086_DEV_24FB\Netwtw04.sys
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
            Read by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    85 C:\boot\macrium\WinREFiles\media\Drivers\Wifi\VEN_8086_DEV_24FB\Netwuw05.dll
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
            Read by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    86 C:\boot\macrium\WinREFiles\media\Drivers\Wifi\VEN_8086_DEV_24FB\Setup.exe
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
            Read by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    87 C:\boot\macrium\WinREFiles\media\Drivers\Wifi\VEN_8086_DEV_24FB\setup.xml
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    88 C:\boot\macrium\WinREFiles\media\Drivers\Wifi\VEN_8086_DEV_24FB\WiFi.msi
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
            Read by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    89 C:\boot\macrium\WinREFiles\media\Drivers\Wifi\VEN_8086_DEV_24FB\WUSetupLauncher.exe
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
            Read by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    90 C:\boot\macrium\WinREFiles\mount\Drivers\Macrium.oem
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    91 C:\boot\macrium\WinREFiles\mount\Drivers\USB\VEN_8086_DEV_A12F\usbxhci.inf
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    92 C:\boot\macrium\WinREFiles\mount\Drivers\USB\VEN_8086_DEV_A12F\USBXHCI.SYS
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    93 C:\boot\macrium\WinREFiles\mount\Drivers\USB\VEN_8086_DEV_A12F\UsbXhciCompanion.dll
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    94 C:\boot\macrium\WinREFiles\mount\Drivers\Wifi\VEN_8086_DEV_24FB\Driver.msi
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    95 C:\boot\macrium\WinREFiles\mount\Drivers\Wifi\VEN_8086_DEV_24FB\IntelWifiIhv04.dll
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    96 C:\boot\macrium\WinREFiles\mount\Drivers\Wifi\VEN_8086_DEV_24FB\netvwifibus.inf
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    97 C:\boot\macrium\WinREFiles\mount\Drivers\Wifi\VEN_8086_DEV_24FB\Netwfw04.dat
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    98 C:\boot\macrium\WinREFiles\mount\Drivers\Wifi\VEN_8086_DEV_24FB\Netwtw04.cat
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    99 C:\boot\macrium\WinREFiles\mount\Drivers\Wifi\VEN_8086_DEV_24FB\Netwtw04.INF
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    100 C:\boot\macrium\WinREFiles\mount\Drivers\Wifi\VEN_8086_DEV_24FB\netwtw04.PNF
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    101 C:\boot\macrium\WinREFiles\mount\Drivers\Wifi\VEN_8086_DEV_24FB\Netwtw04.sys
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    102 C:\boot\macrium\WinREFiles\mount\Drivers\Wifi\VEN_8086_DEV_24FB\Netwuw05.dll
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    103 C:\boot\macrium\WinREFiles\mount\Drivers\Wifi\VEN_8086_DEV_24FB\Setup.exe
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    104 C:\boot\macrium\WinREFiles\mount\Drivers\Wifi\VEN_8086_DEV_24FB\setup.xml
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    105 C:\boot\macrium\WinREFiles\mount\Drivers\Wifi\VEN_8086_DEV_24FB\WiFi.msi
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    106 C:\boot\macrium\WinREFiles\mount\Drivers\Wifi\VEN_8086_DEV_24FB\WUSetupLauncher.exe
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    107 C:\boot\macrium\WinREFiles\mount\Drivers\SearchPaths.txt
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    108 C:\ProgramData\Macrium\RMBuilder\BuildDevices.log
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    109 C:\boot\macrium\WinREFiles\mount\boot\reflect.cfg
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    110 C:\boot\macrium\WinREFiles\DriversHash.bin
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    111 C:\boot\macrium\WinREFiles\media\Version
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    112 C:\boot\macrium\WinREFiles\media\PEVersion
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    113 C:\boot\macrium\WinREFiles\media\x64
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\RMBuilder.exe [9416]
    1  C:\PROGRAMDATA\MACRIUM\REFLECT\XMLFILES.DAT
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\reflectbin.exe [9868]
    2  C:\Users\David\AppData\Local\Temp\~DFDD889FF46384BA66.TMP
         Dropped by \Device\HarddiskVolume4\Program Files\Macrium\Reflect\reflectbin.exe [9868]
    1  C:\Users\David\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete\icn7A4A.tmp
         Dropped by \Device\HarddiskVolume4\Windows\explorer.exe [7828]
    2  C:\Users\David\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete\icn7A5B.tmp
         Dropped by \Device\HarddiskVolume4\Windows\explorer.exe [7828]
    3  C:\Users\David\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete\icn7A5C.tmp
         Dropped by \Device\HarddiskVolume4\Windows\explorer.exe [7828]
    4  C:\Users\David\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete\icn7A6C.tmp
         Dropped by \Device\HarddiskVolume4\Windows\explorer.exe [7828]
    5  C:\Users\David\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete\icn7A7D.tmp
         Dropped by \Device\HarddiskVolume4\Windows\explorer.exe [7828]
    6  C:\Users\David\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete\icn7A7E.tmp
         Dropped by \Device\HarddiskVolume4\Windows\explorer.exe [7828]
    7  C:\Users\David\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete\icn7A8F.tmp
         Dropped by \Device\HarddiskVolume4\Windows\explorer.exe [7828]
    8  C:\Users\David\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete\icn7A9F.tmp
         Dropped by \Device\HarddiskVolume4\Windows\explorer.exe [7828]
    9  C:\Users\David\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete\icn7AB0.tmp
         Dropped by \Device\HarddiskVolume4\Windows\explorer.exe [7828]
    10 C:\Users\David\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete\icn7AC0.tmp
         Dropped by \Device\HarddiskVolume4\Windows\explorer.exe [7828]
    11 C:\Users\David\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete\icn7AC1.tmp
         Dropped by \Device\HarddiskVolume4\Windows\explorer.exe [7828]
    12 C:\Users\David\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete\icn7AD2.tmp
         Dropped by \Device\HarddiskVolume4\Windows\explorer.exe [7828]
    13 C:\Users\David\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete\icn7AD3.tmp
         Dropped by \Device\HarddiskVolume4\Windows\explorer.exe [7828]
    14 C:\Users\David\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete\icn7AD4.tmp
         Dropped by \Device\HarddiskVolume4\Windows\explorer.exe [7828]
    15 C:\Users\David\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete\icn7AE5.tmp
         Dropped by \Device\HarddiskVolume4\Windows\explorer.exe [7828]
    16 C:\Users\David\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
         Dropped by \Device\HarddiskVolume4\Windows\explorer.exe [7828]
    17 C:\Users\David\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db
         Dropped by \Device\HarddiskVolume4\Windows\explorer.exe [7828]
    18 C:\Users\David\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db
         Dropped by \Device\HarddiskVolume4\Windows\explorer.exe [7828]
    19 C:\Users\David\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db
         Dropped by \Device\HarddiskVolume4\Windows\explorer.exe [7828]
    20 C:\Users\David\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db
         Dropped by \Device\HarddiskVolume4\Windows\explorer.exe [7828]
    21 C:\Users\David\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db
         Dropped by \Device\HarddiskVolume4\Windows\explorer.exe [7828]
    22 C:\Users\David\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db
         Dropped by \Device\HarddiskVolume4\Windows\explorer.exe [7828]
    23 C:\Users\David\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db
         Dropped by \Device\HarddiskVolume4\Windows\explorer.exe [7828]
    24 C:\Users\David\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db
         Dropped by \Device\HarddiskVolume4\Windows\explorer.exe [7828]
    25 C:\Users\David\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db
         Dropped by \Device\HarddiskVolume4\Windows\explorer.exe [7828]
    26 C:\Users\David\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db
         Dropped by \Device\HarddiskVolume4\Windows\explorer.exe [7828]
    27 C:\Users\David\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db
         Dropped by \Device\HarddiskVolume4\Windows\explorer.exe [7828]
    28 C:\Users\David\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db
         Dropped by \Device\HarddiskVolume4\Windows\explorer.exe [7828]
    29 C:\Users\David\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db
         Dropped by \Device\HarddiskVolume4\Windows\explorer.exe [7828]
    30 C:\Users\David\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db
         Dropped by \Device\HarddiskVolume4\Windows\explorer.exe [7828]
    31 C:\Users\David\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1920_1080_POS4.jpg
         Dropped by \Device\HarddiskVolume4\Windows\explorer.exe [7828]
    32 C:\Users\David\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000082.db
         Dropped by \Device\HarddiskVolume4\Windows\explorer.exe [7828]
    33 C:\Users\David\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000083.db
         Dropped by \Device\HarddiskVolume4\Windows\explorer.exe [7828]
    
    Thumbprints
    1234cb96f13b12fb8569b71710a0903b73466391fe298e0fd06bba3c0e6bcba8
    
    Not at all helpful when trying to create Macrium Reflect rescue media!
     
  6. feerf56

    feerf56 Registered Member

    Joined:
    Feb 24, 2015
    Posts:
    324
    HitmanPro.Alert 3.8.6 Build 875 RC

    2020-07-05_103338.jpg

    I did not detect any of these, Kaspersky Virus Removal Tool.exe was running properly, HitmanPro.Alert did not inhibit Kaspersky from running, no signaling, I only saw an indication of the Microsoft Defender SmartScreen program. I do not understand.

    2020-07-04_123128.jpg
    I did not notice any of these; Kaspersky Virus Removal Tool.exe ran properly, HitmanPro.Alert did not stop it, only Microsoft Defender SmartScreen flagged it. I do not understand.
     
  7. hayc59

    hayc59 Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,841
    Location:
    KEEP USA GREAT
    Is this worth the cash?? thanks
     
  8. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,220
    Location:
    USA
    I like the feature set. I also like the fact that it is being constantly improved and has responsive support reps. What are your criteria for worthwhile security software?
     
  9. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
    Hey all, just switched my antivirus to Bitdefender Antivirus Plus 2020. Are there any recommended setting adjustments that I need to make to HMPA to ensure compatibility?

    Right now I have Advanced Threat Defense and Safe Files protected folders enabled in BD, but not Ransomware Remediation.
     
  10. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    +1
     
  11. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    636
    Location:
    Planet Earth
    Please use the Suppress Alert feature to prevent this from happening, we'll be looking into improving things, but for now I would whitelist this locally.
     
  12. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    636
    Location:
    Planet Earth
    This is completely by design, this is a mitigation that does +Block +Log but does not show an "Attack Intercepted" as that would be too intrusive for the user.
    Let me explain this again: CredGuard SAM.

    Program XYZ, tries to get access to the SAM registry, the part where your credentials are stored by Windows.
    We deny the application access, and log the attempt.
    The application continues to do its job (instead of getting killed if we would raise the Attack Intercepted) and all is fine.

    As a lot of legit applications do this because they use the Windows API to do a full registry scan.
    If for example an attacker would try this, it would also be logged.

    So if coming from stuff installed on your machine and initiated by the user (e.g. regscanner from NirSoft) then there is nothing to worry about.
    If there are entries that you cannot relate back to either Antivirus products or manual triggers then you might need to investigate.
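
    The triage rule described in the post above, as an added example (not HitmanPro.Alert's own code and not part of any post): parse alert headers in the layout shown in this thread and mark each CredGuard entry as expected or worth investigating. The "CredGuard" mitigation label, the sample log and the directory list are assumptions constructed for illustration; matching is done on the normalized full path rather than the bare file name, so a binary that merely shares a name with an installed product is still surfaced.

```python
import ntpath  # Windows path rules, usable on any OS
import re

# Constructed sample in the header layout of the alerts posted in this thread.
# Paths, PIDs and timestamps are invented; "CredGuard" as the Mitigation value
# is an assumption based on the name used in the post.
SAMPLE_LOG = r"""
Mitigation   CredGuard
Timestamp    2020-07-06T09:12:44
PID          5120
Application  C:\Program Files (x86)\Kaspersky Lab\KTS\avp.exe

Mitigation   CredGuard
Timestamp    2020-07-06T10:03:10
PID          7344
Application  C:\Tools\NirSoft\RegScanner.exe

Mitigation   ROP
Timestamp    2020-07-06T10:30:00
PID          8416
Application  C:\Program Files (x86)\Enpass\Enpass.exe

Mitigation   CredGuard
Timestamp    2020-07-06T11:47:02
PID          9920
Application  C:\Users\Example\AppData\Local\Temp\avp.exe
"""

# Hypothetical local list: install directories of the antivirus products and
# manually started tools the user knows about.
EXPECTED_DIRS = [
    r"C:\Program Files (x86)\Kaspersky Lab",
    r"C:\Tools\NirSoft",
]

# "Key   value" header line: a letters-only key, at least two spaces, a value.
FIELD = re.compile(r"^([A-Za-z][A-Za-z ]*?)\s{2,}(\S.*)$")


def parse_alerts(text):
    """Split a log into alert records; a 'Mitigation' line starts a new one."""
    records, current = [], None
    for raw in text.splitlines():
        m = FIELD.match(raw.strip())
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "Mitigation":
            current = {}
            records.append(current)
        if current is not None:
            current.setdefault(key, value)  # keep the first value per key
    return records


def _norm(path):
    """Collapse '..' segments, unify slashes and case (Windows semantics)."""
    return ntpath.normcase(ntpath.normpath(path))


def is_expected(app_path, expected_dirs):
    """True only if the full path lies inside one of the listed directories."""
    app = _norm(app_path)
    return any(app.startswith(_norm(d) + "\\") for d in expected_dirs)


def triage(text, expected_dirs):
    """Return (timestamp, pid, application, verdict) for each CredGuard alert."""
    rows = []
    for rec in parse_alerts(text):
        if rec.get("Mitigation") != "CredGuard" or "Application" not in rec:
            continue
        app = rec["Application"]
        verdict = "expected" if is_expected(app, expected_dirs) else "investigate"
        rows.append((rec.get("Timestamp"), rec.get("PID"), app, verdict))
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG, EXPECTED_DIRS):
        print(*row, sep="  ")
```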
     
  13. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
    I just got this after, or as I was opening Enpass.
    Code:
    Mitigation   ROP
    Timestamp    2020-07-15T01:51:29
    
    Platform     10.0.19041/x64 v875 06_25
    PID          8416
    WoW          x86
    Feature      003D1A361FBF01B6
    Application  C:\Program Files (x86)\Enpass\Enpass.exe
    Created      2020-05-20T00:22:12
    Description  Enpass Password Manager 6.4.2
    
    Callee Type  LoadLibrary
                 sspicli.dll
    
    Branch Trace                      Opcode  To                             
    -------------------------------- -------- --------------------------------
    MsgWaitForMultipleObjectsEx +0x4e   ~ RET* 0x00BE2D5F Enpass.exe           
    0x76658E6E user32.dll                                                     
                0083fbff752b             ADD          [EBX+0x2b75fffb], AL
                8b5e04                   MOV          EBX, [ESI+0x4]
                8b16                     MOV          EDX, [ESI]
                8b8fd8000000             MOV          ECX, [EDI+0xd8]
                8d041a                   LEA          EAX, [EDX+EBX]
                3bc8                     CMP          ECX, EAX
                0f8cce000000             JL           0xbe2e49
                2bcb                     SUB          ECX, EBX
                c644240f01               MOV          BYTE [ESP+0xf], 0x1
                898fd8000000             MOV          [EDI+0xd8], ECX
                8b5c2410                 MOV          EBX, [ESP+0x10]
                8b542414                 MOV          EDX, [ESP+0x14]
                8b06                     MOV          EAX, [ESI]
                3b87d8000000             CMP          EAX, [EDI+0xd8]
                7e3f                     JLE          0xbe2dd9
                660f6e4604               MOVD         XMM0, [ESI+0x4]
                                     (E76B576E7B2F7035)
    
    
    MsgWaitForMultipleObjectsEx +0x128   ~ RET  MsgWaitForMultipleObjectsEx +0x4c
    0x76658F48 user32.dll                     0x76658E6C user32.dll           
    
    GetOpenClipboardWindow +0x4d         RET  MsgWaitForMultipleObjectsEx +0x127
    0x7665DAB5 user32.dll                     0x76658F47 user32.dll           
    
    NtUserMsgWaitForMultipleObjectsEx +0xc   ~ RET  MsgWaitForMultipleObjectsEx +0x11a
    0x76E8586C win32u.dll                     0x76658F3A user32.dll           
    
    Stack Trace
    #  Address  Module                   Location
    -- -------- ------------------------ ----------------------------------------
    1  776DEB56 KernelBase.dll           LoadLibraryExW +0x156
    
    2  74AED0D6 sspicli.dll             
                810d60a6af7400000040     OR           DWORD [0x74afa660], 0x40000000
                833d54a6af7400           CMP          DWORD [0x74afa654], 0x0
                740e                     JZ           0x74aed0f7
                68801eae74               PUSH         DWORD 0x74ae1e80
                6a04                     PUSH         0x4
                e853f8ffff               CALL         0x74aec948
                59                       POP          ECX
                59                       POP          ECX
                85f6                     TEST         ESI, ESI
                7923                     JNS          0x74aed11e
                8b4de4                   MOV          ECX, [EBP-0x1c]
                85c9                     TEST         ECX, ECX
                7405                     JZ           0x74aed107
                e8f89dffff               CALL         0x74ae6eff
                a1b8a6af74               MOV          EAX, [0x74afa6b8]
                85c0                     TEST         EAX, EAX
    
    3  74AED1CF sspicli.dll             
    4  74AED219 sspicli.dll             
    5  74AE8AD3 sspicli.dll             
    6  74AEDC15 sspicli.dll              GetUserNameExW +0x45
    7  76D3E816 advapi32.dll             GetUserNameW +0x16
    8  01154785 Enpass.exe             
    9  0034FDEB Enpass.exe             
    10 0C5CF378 (anonymous)             
    
    Loaded Modules (98)
    -----------------------------------------------------------------------------
    00140000-030C6000 Enpass.exe (Sinew Software Systems P),
                      version: 6.4.2.0
    77800000-779A2000 ntdll.dll (Microsoft Corporation),
                      version: 10.0.19041.207 (WinBuild.160101.0800)
    76AF0000-76BE0000 KERNEL32.dll (Microsoft Corporation),
                      version: 10.0.19041.292 (WinBuild.160101.0800)
    755E0000-756DD000 hmpalert.dll (SurfRight B.V.),
                      version: 3.8.6.875
    775D0000-777E3000 KERNELBASE.dll (Microsoft Corporation),
                      version: 10.0.19041.388 (WinBuild.160101.0800)
    75D50000-75E4F000 CRYPT32.dll (Microsoft Corporation),
                      version: 10.0.19041.21 (WinBuild.160101.0800)
    761B0000-762D0000 ucrtbase.dll (Microsoft Corporation),
                      version: 10.0.19041.1 (WinBuild.160101.0800)
    77460000-77485000 IMM32.dll (Microsoft Corporation),
                      version: 10.0.19041.1 (WinBuild.160101.0800)
    76620000-767B3000 USER32.dll (Microsoft Corporation),
                      version: 10.0.19041.388 (WinBuild.160101.0800)
    76E80000-76E98000 win32u.dll (Microsoft Corporation),
                      version: 10.0.19041.388 (WinBuild.160101.0800)
    75F50000-75F73000 GDI32.dll (Microsoft Corporation),
                      version: 10.0.19041.1 (WinBuild.160101.0800)
    75E70000-75F4A000 gdi32full.dll (Microsoft Corporation),
                      version: 10.0.19041.388 (WinBuild.160101.0800)
    760D0000-7614B000 msvcp_win.dll (Microsoft Corporation),
                      version: 10.0.19041.1 (WinBuild.160101.0800)
    75F80000-76016000 OLEAUT32.dll (Microsoft Corporation),
                      version: 10.0.19041.388 (WinBuild.160101.0800)
    76870000-76AF0000 combase.dll (Microsoft Corporation),
                      version: 10.0.19041.329 (WinBuild.160101.0800)
    75C90000-75D4A000 RPCRT4.dll (Microsoft Corporation),
                      version: 10.0.19041.1 (WinBuild.160101.0800)
    767C0000-7686F000 COMDLG32.dll (Microsoft Corporation),
                      version: 10.0.19041.329 (WinBuild.160101.0800)
    76360000-7641F000 msvcrt.dll (Microsoft Corporation),
                      version: 7.0.19041.1 (WinBuild.160101.0800)
    76DF0000-76E77000 shcore.dll (Microsoft Corporation),
                      version: 10.0.19041.388 (WinBuild.160101.0800)
    76080000-760C5000 SHLWAPI.dll (Microsoft Corporation),
                      version: 10.0.19041.1 (WinBuild.160101.0800)
    756E0000-75C89000 SHELL32.dll (Microsoft Corporation),
                      version: 10.0.19041.388 (WinBuild.160101.0800)
    76EA0000-76F83000 ole32.dll (Microsoft Corporation),
                      version: 10.0.19041.84 (WinBuild.160101.0800)
    76D20000-76D99000 ADVAPI32.dll (Microsoft Corporation),
                      version: 10.0.19041.1 (WinBuild.160101.0800)
    773D0000-77445000 sechost.dll (Microsoft Corporation),
                      version: 10.0.19041.388 (WinBuild.160101.0800)
    762F0000-76353000 WS2_32.dll (Microsoft Corporation),
                      version: 10.0.19041.1 (WinBuild.160101.0800)
    75E50000-75E69000 bcrypt.dll (Microsoft Corporation),
                      version: 10.0.19041.1 (WinBuild.160101.0800)
    77490000-774E7000 WLDAP32.dll (Microsoft Corporation),
                      version: 10.0.19041.1 (WinBuild.160101.0800)
    77450000-77457000 Normaliz.dll (Microsoft Corporation),
                      version: 10.0.19041.1 (WinBuild.160101.0800)
    74D60000-74D6F000 WTSAPI32.dll (Microsoft Corporation),
                      version: 10.0.19041.1 (WinBuild.160101.0800)
    73F30000-73F9D000 WINSPOOL.DRV (Microsoft Corporation),
                      version: 10.0.19041.1 (WinBuild.160101.0800)
    73D20000-73F30000 COMCTL32.dll (Microsoft Corporation),
                      version: 6.10 (WinBuild.160101.0800)
    73930000-739A4000 UxTheme.dll (Microsoft Corporation),
                      version: 10.0.19041.1 (WinBuild.160101.0800)
    739B0000-739D4000 dwmapi.dll (Microsoft Corporation),
                      version: 10.0.19041.1 (WinBuild.160101.0800)
    74DF0000-74E22000 IPHLPAPI.DLL (Microsoft Corporation),
                      version: 10.0.19041.1 (WinBuild.160101.0800)
    755B0000-755C9000 MPR.dll (Microsoft Corporation),
                      version: 10.0.19041.1 (WinBuild.160101.0800)
    75590000-755A3000 NETAPI32.dll (Microsoft Corporation),
                      version: 10.0.19041.1 (WinBuild.160101.0800)
    74ED0000-74EF5000 USERENV.dll (Microsoft Corporation),
                      version: 10.0.19041.1 (WinBuild.160101.0800)
    74EC0000-74EC8000 VERSION.dll (Microsoft Corporation),
                      version: 10.0.19041.1 (WinBuild.160101.0800)
    73CB0000-73D1E000 MSVCP140.dll (Microsoft Corporation),
                      version: 14.22.27821.0 built by: vcwrkspc
    73C90000-73CA3000 VCRUNTIME140.dll (Microsoft Corporation),
                      version: 14.22.27821.0 built by: vcwrkspc
    73C60000-73C88000 WINMM.dll (Microsoft Corporation),
                      version: 10.0.19041.1 (WinBuild.160101.0800)
    74D90000-74D9A000 CRYPTBASE.DLL (Microsoft Corporation),
                      version: 10.0.19041.1 (WinBuild.160101.0800)
    75560000-7556B000 NETUTILS.DLL (Microsoft Corporation),
                      version: 10.0.19041.1 (WinBuild.160101.0800)
    75570000-7558D000 SRVCLI.DLL (Microsoft Corporation),
                      version: 10.0.19041.1 (WinBuild.160101.0800)
    774F0000-7754C000 bcryptPrimitives.dll (Microsoft Corporation),
                      version: 10.0.19041.264 (WinBuild.160101.0800)
    73C50000-73C5A000 secur32.dll (Microsoft Corporation),
                      version: 10.0.19041.1 (WinBuild.160101.0800)
    74AE0000-74B01000 SSPICLI.DLL (Microsoft Corporation),
                      version: 10.0.19041.1 (WinBuild.160101.0800)
    74B20000-74B72000 mswsock.dll (Microsoft Corporation),
                      version: 10.0.19041.1 (WinBuild.160101.0800)
    74EA0000-74EAF000 kernel.appcore.dll (Microsoft Corporation),
                      version: 10.0.19041.1 (WinBuild.160101.0800)
    74F50000-75557000 windows.storage.dll (Microsoft Corporation),
                      version: 10.0.19041.388 (WinBuild.160101.0800)
    74F20000-74F43000 Wldp.dll (Microsoft Corporation),
                      version: 10.0.19041.1 (WinBuild.160101.0800)
    74F00000-74F18000 profapi.dll (Microsoft Corporation),
                      version: 10.0.19041.1 (WinBuild.160101.0800)
    73AC0000-73C48000 dbghelp.dll (Microsoft Corporation),
                      version: 10.0.19041.1 (WinBuild.160101.0800)
    73A90000-73AB6000 dbgcore.DLL (Microsoft Corporation),
                      version: 10.0.19041.1 (WinBuild.160101.0800)
    73A30000-73A89000 UWPComponents.dll (),
                      version:
    739E0000-73A21000 vccorlib140.DLL (Microsoft Corporation),
                      version: 14.22.27821.0 built by: vcwrkspc
    77550000-775CE000 clbcatq.dll (Microsoft Corporation),
                      version: 2001.12.10941.16384 (WinBuild.160101.080
    738E0000-73928000 CryptoWinRT.dll (Microsoft Corporation),
                      version: 10.0.19041.1 (WinBuild.160101.0800)
    73800000-738DE000 wintypes.dll (Microsoft Corporation),
                      version: 10.0.19041.329 (WinBuild.160101.0800)
    737A0000-737F6000 cryptngc.dll (Microsoft Corporation),
                      version: 10.0.19041.1 (WinBuild.160101.0800)
    748F0000-74911000 ncrypt.dll (Microsoft Corporation),
                      version: 10.0.19041.1 (WinBuild.160101.0800)
    74920000-74948000 NTASN1.dll (Microsoft Corporation),
                      version: 10.0.19041.1 (WinBuild.160101.0800)
    73780000-73799000 ngcksp.dll (Microsoft Corporation),
                      version: 10.0.19041.1 (WinBuild.160101.0800)
    73550000-7375C000 dwrite.dll (Microsoft Corporation),
                      version: 10.0.19041.388 (WinBuild.160101.0800)
    73340000-734CE000 d3d9.dll (Microsoft Corporation),
                      version: 10.0.19041.1 (WinBuild.160101.0800)
    76C40000-76D13000 MSCTF.dll (Microsoft Corporation),
                      version: 10.0.19041.388 (WinBuild.160101.0800)
    73300000-73332000 dataexchange.dll (Microsoft Corporation),
                      version: 10.0.19041.264 (WinBuild.160101.0800)
    73120000-73300000 d3d11.dll (Microsoft Corporation),
                      version: 10.0.19041.1 (WinBuild.160101.0800)
    72FB0000-73115000 dcomp.dll (Microsoft Corporation),
                      version: 10.0.19041.388 (WinBuild.160101.0800)
    72EE0000-72FA2000 dxgi.dll (Microsoft Corporation),
                      version: 10.0.19041.1 (WinBuild.160101.0800)
    72D50000-72EE0000 twinapi.appcore.dll (Microsoft Corporation),
                      version: 10.0.19041.388 (WinBuild.160101.0800)
    72C90000-72D49000 textinputframework.dll (Microsoft Corporation),
                      version: 10.0.19041.1 (WinBuild.160101.0800)
    72A10000-72C8E000 CoreUIComponents.dll (Microsoft Corporation),
                      version: 10.0.19041.1
    72970000-72A0B000 CoreMessaging.dll (Microsoft Corporation),
                      version: 10.0.19041.264
    72940000-72969000 ntmarta.dll (Microsoft Corporation),
                      version: 10.0.19041.1 (WinBuild.160101.0800)
    72790000-72938000 explorerframe.dll (Microsoft Corporation),
                      version: 10.0.19041.329 (WinBuild.160101.0800)
    74D10000-74D57000 WINSTA.dll (Microsoft Corporation),
                      version: 10.0.19041.1 (WinBuild.160101.0800)
    72770000-72781000 napinsp.dll (Microsoft Corporation),
                      version: 10.0.19041.1 (WinBuild.160101.0800)
    72750000-72766000 pnrpnsp.dll (Microsoft Corporation),
                      version: 10.0.19041.1 (WinBuild.160101.0800)
    72740000-72750000 wshbth.dll (Microsoft Corporation),
                      version: 10.0.19041.1 (WinBuild.160101.0800)
    74E30000-74E46000 NLAapi.dll (Microsoft Corporation),
                      version: 10.0.19041.1 (WinBuild.160101.0800)
    74A50000-74AE0000 DNSAPI.dll (Microsoft Corporation),
                      version: 10.0.19041.1 (WinBuild.160101.0800)
    762E0000-762E7000 NSI.dll (Microsoft Corporation),
                      version: 10.0.19041.1 (WinBuild.160101.0800)
    72730000-7273E000 winrnr.dll (Microsoft Corporation),
                      version: 10.0.19041.1 (WinBuild.160101.0800)
    72710000-7272B000 edputil.dll (Microsoft Corporation),
                      version: 10.0.19041.1 (WinBuild.160101.0800)
    76DA0000-76DE7000 WINTRUST.DLL (Microsoft Corporation),
                      version: 10.0.19041.1 (WinBuild.160101.0800)
    74EB0000-74EBE000 MSASN1.dll (Microsoft Corporation),
                      version: 10.0.19041.1 (WinBuild.160101.0800)
    76C20000-76C39000 imagehlp.dll (Microsoft Corporation),
                      version: 10.0.19041.1 (WinBuild.160101.0800)
    74DD0000-74DE3000 CRYPTSP.dll (Microsoft Corporation),
                      version: 10.0.19041.1 (WinBuild.160101.0800)
    74DA0000-74DCF000 rsaenh.dll (Microsoft Corporation),
                      version: 10.0.19041.1 (WinBuild.160101.0800)
    72670000-72703000 mscms.dll (Microsoft Corporation),
                      version: 10.0.19041.264 (WinBuild.160101.0800)
    73770000-7377C000 ColorAdapterClient.dll (Microsoft Corporation),
                      version: 10.0.19041.264 (WinBuild.160101.0800)
    73510000-7354E000 icm32.dll (Microsoft Corporation),
                      version: 10.0.19041.264 (WinBuild.160101.0800)
    73760000-73766000 msimg32.dll (Microsoft Corporation),
                      version: 10.0.19041.388 (WinBuild.160101.0800)
    72500000-72594000 TextShaping.dll (),
                      version:
    74C40000-74D02000 winhttp.dll (Microsoft Corporation),
                      version: 10.0.19041.264 (WinBuild.160101.0800)
    74C20000-74C34000 dhcpcsvc6.DLL (Microsoft Corporation),
                      version: 10.0.19041.1 (WinBuild.160101.0800)
    74C00000-74C16000 dhcpcsvc.DLL (Microsoft Corporation),
                      version: 10.0.19041.1 (WinBuild.160101.0800)
    
    Process Trace
    1  C:\Program Files (x86)\Enpass\Enpass.exe [8416] 2020-07-14T22:22:04
       "C:\Program Files (x86)\Enpass\Enpass.exe" -minimize
    2  C:\Windows\explorer.exe [6704] 2020-07-14T22:21:16
    3  C:\Windows\System32\userinit.exe [6628] 2020-07-14T22:21:15 37.3s
    4  C:\Windows\System32\winlogon.exe [780] 2020-07-14T22:20:07
       winlogon.exe
    5  C:\Windows\System32\smss.exe [660] 2020-07-14T22:20:07 157ms
       \SystemRoot\System32\smss.exe 00000080 00000084
    6  C:\Windows\System32\smss.exe [416] 2020-07-14T22:20:02
       \SystemRoot\System32\smss.exe
    
    Dropped Files
    1  C:\Users\Dave\Documents\Enpass\Vaults\primary\vault.enpassdb-journal
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Enpass\Enpass.exe [8416]
    2  C:\Users\Dave\Documents\Enpass\.settings\enpasssettings.db-journal
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Enpass\Enpass.exe [8416]
    1  C:\Users\Dave\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x00000000000000a3.db
         Dropped by \Device\HarddiskVolume2\Windows\explorer.exe [6704]
    2  C:\Users\Dave\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x00000000000000a4.db
         Dropped by \Device\HarddiskVolume2\Windows\explorer.exe [6704]
    3  C:\Users\Dave\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat
         Dropped by \Device\HarddiskVolume2\Windows\explorer.exe [6704]
    4  C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Themes\Transcoded_000
         Dropped by \Device\HarddiskVolume2\Windows\explorer.exe [6704]
    5  C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper
         Dropped by \Device\HarddiskVolume2\Windows\explorer.exe [6704]
    6  C:\Users\Dave\AppData\Local\Temp\{6AAF7231-5EF0-4792-9CA1-AD1A659A316D}.png
         Dropped by \Device\HarddiskVolume2\Windows\explorer.exe [6704]
    7  C:\Users\Dave\AppData\Local\Microsoft\Windows\Explorer\NotifyIcon\Microsoft.Explorer.Notification.{3F1A511F-9B5A-29B5-228D-9EE19933451F}.png
         Dropped by \Device\HarddiskVolume2\Windows\explorer.exe [6704]
    8  C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1366_768_POS4.jpg
         Dropped by \Device\HarddiskVolume2\Windows\explorer.exe [6704]
    
    Thumbprints
    2eef393e38f2d70f374005abe2d1ccb3204c64676f3b6ec4b63aaebfcafe5ca4
    
     
  14. feerf56

    feerf56 Registered Member

    Joined:
    Feb 24, 2015
    Posts:
    324
    Thank you for the answer!
     
  15. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,244
    Logboeknaam: Application
    Bron: Application Error
    Datum: 11-8-2020 20:24:13
    Gebeurtenis-id:1000
    Taakcategorie: (100)
    Niveau: Fout
    Trefwoorden: Klassiek
    Gebruiker: n.v.t.
    Computer: xxxxx
    Beschrijving:
    Naam van toepassing met fout: hmpalert.exe, versie: 3.8.6.875, tijdstempel: 0x5efc9868
    Naam van module met fout: hmpalert.dll, versie: 3.8.6.875, tijdstempel: 0x5efc919f
    Uitzonderingscode: 0xc0000005
    Foutmarge: 0x00016e56
    Id van proces met fout: 0x12cc
    Starttijd van toepassing met fout: 0x01d670084eecc61e
    Pad naar toepassing met fout: C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe
    Pad naar module met fout: C:\Windows\System32\hmpalert.dll
    Rapport-id: 8bdf07d0-9f57-4913-b8d5-88abc79da6b1
    Volledige pakketnaam met fout:
    Relatieve toepassings-id van pakket met fout:
     
  16. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    I wish HMP.A had a pause feature, but it looks to me like the only way to accomplish that is via Services. Otherwise, disabling the program appears to involve manually disabling Anti-Malware, Safe browsing, Exploit mitigation, and each individual Risk reduction category. Quite cumbersome. ESET NOD32, for example, allows users to pause protection for multiple incremental time periods or until reboot. Very convenient, and user-friendly. Again, it would be very helpful if HMP.A had this capability.
     
  17. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    4,208
    +1. kaspersky has it too.
     
  18. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
    I usually just temporarily uninstall HMPA, but that is quite cumbersome as it requires a reboot.
     
  19. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    Yes. Probably all major AVs have a pause feature. Betcha HMP.A will say they don't do it because it makes it too easy for malware to disable the security program, but if that was the case, all of these AV companies are putting us at risk? Doubt it.
    I agree that uninstalling/installing is quite cumbersome. I'd go you one better and call it a PITA. I haven't yet tried disabling HitmanPro.Alert service, but that does seem to me to be the most efficient way to go about it. Anyone done that? I'll be doing it in a few days anyway, so I'll find out.
     
  20. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    I think stopping, or disabling the service to survive reboot, does the trick. I'm pretty sure I've done that before.

    They advised me to stop the service before, when troubleshooting under their guidance.
     
  21. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    4,208
    yeah, i doubt it too. that's not an excuse.
     
  22. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    4,208
    what pause does is it stops/restarts its service to make things easier.
     
  23. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    636
    Location:
    Planet Earth
    Can you explain the "why" of this? For Internet security suites I can understand some form of "do not disturb/block all" during game mode or "disable AV for x minutes".
    But why do you want to "pause" an anti-exploit/ransomware solution? Just curious, as there seems to be an underlying "why" here.
     
  24. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    Well, it does seem a bit presumptuous of me to think I can explain such matters to a QA Engineer. So let me ask you, when a software program installation instruction advises a user to temporarily turn off security programs, why are they advising users to do that? Is it because they anticipate that the already-installed security might interfere with the process?
     
  25. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
    "Why" for me is that's a normal routine here when something on my computer is acting up, to first want to rule out any possible interference by security software. Troubleshooting 101. That, followed by a clean boot, and related troubleshooting steps.

    And I ALWAYS uninstall my 3rd party security software, and revert to Windows Defender prior to any Windows 10 Feature Update. Things go much more smoothly after the update that way, simply reinstall 3rd party security and done. Defender quietly slips into the background, as it should. It hasn't always worked that way for me when I left 3rd party security active during a major update.
     
    Last edited: Aug 19, 2020