HitmanPro.Alert BETA

abbs · Nov 21, 2020

markloman said: ↑

HitmanPro.Alert 3.8.8 Build 887 Release Candidate
Click to expand...

Hi Mark,

Downloaded new version and installed over the old hen.
No problems encountered.

Windows 10 Pro 64bits versie 20H2 build 19042.630

XIII · Nov 21, 2020

Did not even have to uninstall the old version first this time!

HempOil · Nov 21, 2020

Hi Mark,

I downloaded and installed 3.8.8 Build 887 Release Candidate over 3.8.6 Build 875, as well. No issues to report.

I also run 8GadgetPack (I don't know how anyone can live without the Network Meter gadget). So far, no alerts have been generated.

Krusty · Nov 21, 2020

markloman said: ↑

ID: T1055.004
Tactics: Defense Evasion, Privilege Escalation
Adversaries may inject malicious code into processes via the asynchronous procedure call (APC) queue in order to evade process-based defenses as well as possibly elevate privileges. APC injection is a method of executing arbitrary code in the address space of a separate live process. APC injection is commonly performed by attaching malicious code to the APC Queue of a process's thread. Queued APC functions are executed when the thread enters an alterable state. A handle to an existing victim process is first created with native Windows API calls such as OpenThread. At this point QueueUserAPC can be used to invoke a function (such as LoadLibraryA pointing to a malicious DLL).
Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via APC injection may also evade detection from security products since the execution is masked under a legitimate process.

From the memory snippet in the alert details I can see that the APC is attempting to load this DLL into the SIDEBAR.EXE process: C:\Program Files (x86)\WiseVector\WiseVectorHelperOne_X64.dll. From another post here on WSF I've noticed it is legitimate software, even though their method is it not how you'd normally load code into other processes (I guess it's a good way to evade other product's defenses). I have published a new filter that allows WiseVector's specific code to run via APC. It may take a few hours for the new bloom to arrive.

Mark
Click to expand...

Thank you for taking the time to thoroughly explain what's happening, Mark. Greatly appreciated.

Cheers.

feerf56 · Nov 22, 2020

No problems upgrading from 875 to build 887 RC.

BoerenkoolMetWorst · Nov 22, 2020

markloman said: ↑

HitmanPro.Alert 3.8.8 Build 887 Release Candidate

Changes (compared to build 875)
Fixed:

CodeCave: coding error that could cause certain rare applications to crash

CodeCave: False alarms when application is packed with boxedApp packer

ACPProtection: False alarms when application is packed with boxedApp packer

ApiSetGuard: False alarms on a standard DLLMain implementation that does nothing but returning 0 or 1

CryptoGuard 5: False alarm in combination with Dropbox

CryptoGuard 5: False alarm when deleting many files on and endpoint protected by Bitdefender’s CryptoStore feature

HeapHeapProtect: Applications under attack could crash when the used shellcode caused an unaligned stack

Crash in Equation Editor when under attack, caused by Data Execution Prevention (DEP)

Italian string in Systray context menu

Improved:

Alert report now includes a list of services if a process runs as a service

CryptoGuard-only now also enables anti-malware

GUI: Added anti-malware menu item to settings menu

GUI: EULA on install dialog

Windows on ARM: Now offloads SHA-256 calculation to hardware via NEON instructions, resulting in 7 times performance boost

Windows on ARM: Fixed last scan timestamp

AmsiGuard: Now supports unloading of AMSI.DLL

ApplicationLockdown: Prevent execution of an Visual Basic file via EXPLORER.EXE from an Office application

CredGuardSAM: Prevent registry command line tool from dumping credentials

WipeGuard: Volume Boot Record (VBR) protection and alert details

Minifilter driver altitude, lowered from 345800 to 221600, to prevent third party minifilters from adversely affecting ransomware detection

Added:

HeapHeapProtect: Code running in dynamic memory, in RUNDLL32.EXE and REGSVR32.EXE, can no longer manipulate other dynamic memory. This proactively helps against many backdoor tools, trojans and ransomware families.

Tamper Protection by filtering process and thread handles against terminate, suspend and injection. Also added menu item to settings menu.

Automatic protection of Microsoft Access against exploitation

DLL Hijacking protection on HitmanPro malware scanner to prevent privilege escalation

Download
https://dl.surfright.nl/hmpalert3b887.exe

Please let us know how this build runs on your machine. Thanks!
Click to expand...

Good to see you back here!
No problems with upgrade on top on Win10 x64 1909.
AMD's Zen 3 now has Control-Flow Enforcement Technology, any chance HMP.A will do hardware supported migitation like with Intel?

markloman · Nov 24, 2020

BoerenkoolMetWorst said: ↑

Good to see you back here!
No problems with upgrade on top on Win10 x64 1909.
AMD's Zen 3 now has Control-Flow Enforcement Technology, any chance HMP.A will do hardware supported migitation like with Intel?
Click to expand...

CET is a different implementation of control flow integrity compared to ours. We've noticed the new features and we're diving into the details to see if we can leverage hardware features of AMD processor to enhance or mitigations. Thanks!

BoerenkoolMetWorst · Nov 25, 2020

markloman said: ↑

CET is a different implementation of control flow integrity compared to ours. We've noticed the new features and we're diving into the details to see if we can leverage hardware features of AMD processor to enhance or mitigations. Thanks!
Click to expand...

Good to hear!

Valdez · Dec 3, 2020

HitmanPro.Alert 3.8.8 Build 887 Release Candidate
In my opinion, this is the best release ever.
Thanks!

jmonge · Dec 3, 2020

Valdez said: ↑

HitmanPro.Alert 3.8.8 Build 887 Release Candidate
In my opinion, this is the best release ever.
Thanks!
Click to expand...

Do we need licence to try beta? Thanks for info

Krusty · Dec 4, 2020

jmonge said: ↑

Do we need licence to try beta? Thanks for info
Click to expand...

Yes, if you want the full features available.

jmonge · Dec 4, 2020

Krusty said: ↑

Yes, if you want the full features available.
Click to expand...

Thanks buddy

jmonge · Dec 4, 2020

I am ready to Rumbleeeee

RonnyT · Dec 8, 2020

HitmanPro.Alert 3.8.8 Build 889 Release Candidate

Changes (compared to build 887)
Fixed:

Stackpivot: FP on Chrome 88 and higher

Improved:

Heap Heap Protect shellcode detection

https://dl.surfright.nl/hmpalert3b889.exe

Please let us know how this build runs on your machine. Thanks!

deugniet · Dec 8, 2020

No problems upgrading to build 889.

paulderdash · Dec 8, 2020

deugniet said: ↑

No problems upgrading to build 889.
Click to expand...

+1. Windows as per sig.

jmonge · Dec 8, 2020

RonnyT said: ↑

HitmanPro.Alert 3.8.8 Build 889 Release Candidate

Changes (compared to build 887)
Fixed:

Stackpivot: FP on Chrome 88 and higher

Improved:

Heap Heap Protect shellcode detection

https://dl.surfright.nl/hmpalert3b889.exe

Please let us know how this build runs on your machine. Thanks!
Click to expand...

Thanks

abbs · Dec 9, 2020

RonnyT said: ↑

HitmanPro.Alert 3.8.8 Build 889 Release Candidate
Click to expand...

Downloaded new version and installed over the old hen.
No problems encountered.

Windows 10 Pro 64bits versie 20H2 build 19042.630[/QUOTE]

HempOil · Dec 9, 2020

abbs said: ↑

Downloaded new version and installed over the old one.
No problems encountered.
Click to expand...

Same for me!

L10090 · Dec 9, 2020

RonnyT said: ↑

HitmanPro.Alert 3.8.8 Build 889 Release Candidate
Please let us know how this build runs on your machine. Thanks!
Click to expand...

W7x64 prof. upgraded to build 889 from build 887, without a problem.

HempOil · Dec 9, 2020

I may have spoken too soon. I don't recall getting any pop-ups about this yesterday. However, today, I was perusing the Event Viewer and found them. They were generated when I uninstalled CrystalDiskInfo.

Code:

Mitigation   CodeCave
Timestamp    2020-12-08T17:38:25

Platform     10.0.19042/x64 v889 06_2a
PID          7948
WoW          x86
Feature      003D0A30000001A2
Application  C:\Program Files\CrystalDiskInfo\unins000.exe
Created      2020-09-30T13:16:38
Description  Setup/Uninstall 8.8.9

Extra data appended to file!

Data at offset: 00286600

00286600  A4 86 5F A5 94 BC CF 1E 73 76 91 4F 5A 59 29 8D  .._.....sv.OZY).
00286610  89 0C 66 16 49 6E 6E 6F 20 53 65 74 75 70 20 4D  ..f.Inno Setup M
00286620  65 73 73 61 67 65 73 20 28 36 2E 30 2E 30 29 20  essages (6.0.0)
00286630  28 75 29 00 00 00 00 00 00 00 00 00 00 00 00 00  (u).............
00286640  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00286650  00 00 00 00 F3 00 00 00 22 5B 00 00 DD A4 FF FF  ........"[......
00286660  E7 A4 CE 19 43 00 61 00 6E 00 63 00 65 00 6C 00  ....C.a.n.c.e.l.
00286670  20 00 69 00 6E 00 73 00 74 00 61 00 6C 00 6C 00   .i.n.s.t.a.l.l.
00286680  61 00 74 00 69 00 6F 00 6E 00 00 00 53 00 65 00  a.t.i.o.n...S.e.
00286690  6C 00 65 00 63 00 74 00 20 00 61 00 63 00 74 00  l.e.c.t. .a.c.t.
002866A0  69 00 6F 00 6E 00 00 00 26 00 49 00 67 00 6E 00  i.o.n...&.I.g.n.
002866B0  6F 00 72 00 65 00 20 00 74 00 68 00 65 00 20 00  o.r.e. .t.h.e. .
002866C0  65 00 72 00 72 00 6F 00 72 00 20 00 61 00 6E 00  e.r.r.o.r. .a.n.
002866D0  64 00 20 00 63 00 6F 00 6E 00 74 00 69 00 6E 00  d. .c.o.n.t.i.n.
002866E0  75 00 65 00 00 00 26 00 54 00 72 00 79 00 20 00  u.e...&.T.r.y. .
002866F0  61 00 67 00 61 00 69 00 6E 00 00 00 26 00 41 00  a.g.a.i.n...&.A.
00286700  62 00 6F 00 75 00 74 00 20 00 53 00 65 00 74 00  b.o.u.t. .S.e.t.
00286710  75 00 70 00 2E 00 2E 00 2E 00 00 00 25 00 31 00  u.p.........%.1.
00286720  20 00 76 00 65 00 72 00 73 00 69 00 6F 00 6E 00   .v.e.r.s.i.o.n.
00286730  20 00 25 00 32 00 0D 00 0A 00 25 00 33 00 0D 00   .%.2.....%.3...
00286740  0A 00 0D 00 0A 00 25 00 31 00 20 00 68 00 6F 00  ......%.1. .h.o.
00286750  6D 00 65 00 20 00 70 00 61 00 67 00 65 00 3A 00  m.e. .p.a.g.e.:.
00286760  0D 00 0A 00 25 00 34 00 00 00 00 00 41 00 62 00  ....%.4.....A.b.
00286770  6F 00 75 00 74 00 20 00 53 00 65 00 74 00 75 00  o.u.t. .S.e.t.u.

Loaded Modules (28)
-----------------------------------------------------------------------------
00400000-00695000 unins000.exe (Crystal Dew World       ),
                  version: 51.1052.0.0
77E50000-77FF3000 ntdll.dll (Microsoft Corporation),
                  version: 10.0.19041.610 (WinBuild.160101.0800)
74F70000-75070000 hmpalert.dll (SurfRight B.V.),
                  version: 3.8.8.889
75FD0000-760C0000 KERNEL32.dll (Microsoft Corporation),
                  version: 10.0.19041.546 (WinBuild.160101.0800)
76FD0000-771E4000 KERNELBASE.dll (Microsoft Corporation),
                  version: 10.0.19041.572 (WinBuild.160101.0800)
769F0000-76A9F000 comdlg32.dll (Microsoft Corporation),
                  version: 10.0.19041.546 (WinBuild.160101.0800)
76870000-7692F000 msvcrt.dll (Microsoft Corporation),
                  version: 7.0.19041.546 (WinBuild.160101.0800)
76440000-766C1000 combase.dll (Microsoft Corporation),
                  version: 10.0.19041.572 (WinBuild.160101.0800)
77350000-77470000 ucrtbase.dll (Microsoft Corporation),
                  version: 10.0.19041.546 (WinBuild.160101.0800)
76930000-769EA000 RPCRT4.dll (Microsoft Corporation),
                  version: 10.0.19041.630 (WinBuild.160101.0800)
761A0000-76227000 shcore.dll (Microsoft Corporation),
                  version: 10.0.19041.610 (WinBuild.160101.0800)
75D10000-75EA6000 USER32.dll (Microsoft Corporation),
                  version: 10.0.19041.610 (WinBuild.160101.0800)
75FA0000-75FB8000 win32u.dll (Microsoft Corporation),
                  version: 10.0.19041.630 (WinBuild.160101.0800)
77B60000-77B83000 GDI32.dll (Microsoft Corporation),
                  version: 10.0.19041.546 (WinBuild.160101.0800)
77270000-7734A000 gdi32full.dll (Microsoft Corporation),
                  version: 10.0.19041.572 (WinBuild.160101.0800)
76AA0000-76B1B000 msvcp_win.dll (Microsoft Corporation),
                  version: 10.0.19041.546 (WinBuild.160101.0800)
76B20000-76B65000 SHLWAPI.dll (Microsoft Corporation),
                  version: 10.0.19041.546 (WinBuild.160101.0800)
77540000-77AF3000 SHELL32.dll (Microsoft Corporation),
                  version: 10.0.19041.610 (WinBuild.160101.0800)
76230000-762C6000 oleaut32.dll (Microsoft Corporation),
                  version: 10.0.19041.546 (WinBuild.160101.0800)
771F0000-7726A000 advapi32.dll (Microsoft Corporation),
                  version: 10.0.19041.610 (WinBuild.160101.0800)
77D50000-77DC5000 sechost.dll (Microsoft Corporation),
                  version: 10.0.19041.546 (WinBuild.160101.0800)
75EB0000-75F93000 ole32.dll (Microsoft Corporation),
                  version: 10.0.19041.546 (WinBuild.160101.0800)
75CE0000-75CF9000 mpr.dll (Microsoft Corporation),
                  version: 10.0.19041.546 (WinBuild.160101.0800)
741D0000-743E2000 COMCTL32.dll (Microsoft Corporation),
                  version: 6.10 (WinBuild.160101.0800)
75BC0000-75BC8000 version.dll (Microsoft Corporation),
                  version: 10.0.19041.546 (WinBuild.160101.0800)
75CC0000-75CD3000 netapi32.dll (Microsoft Corporation),
                  version: 10.0.19041.546 (WinBuild.160101.0800)
75C90000-75C9B000 NETUTILS.DLL (Microsoft Corporation),
                  version: 10.0.19041.546 (WinBuild.160101.0800)
767B0000-767D5000 IMM32.DLL (Microsoft Corporation),
                  version: 10.0.19041.546 (WinBuild.160101.0800)

SHA256: 
7e95c173b7b6cda0627a9c15ab6288aa026bc9481657817935242ebb42b0cbf8

Process Trace
1  C:\Program Files\CrystalDiskInfo\unins000.exe [7948] 2020-12-08T17:38:08
2  C:\Windows\ImmersiveControlPanel\SystemSettings.exe [9788] 2020-12-08T17:37:35
   "C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel
3  C:\Windows\System32\svchost.exe [748] 2020-12-08T17:35:17
   C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p
4  C:\Windows\System32\services.exe [884] 2020-12-08T17:35:12
5  C:\Windows\System32\wininit.exe [804] 2020-12-08T17:35:12
   wininit.exe
6  C:\Windows\System32\smss.exe [548] 2020-12-08T17:35:06 5.8s
   \SystemRoot\System32\smss.exe 000000c0 00000084
7  C:\Windows\System32\smss.exe [468] 2020-12-08T17:35:04
   \SystemRoot\System32\smss.exe

Services
748  BrokerInfrastructure
748  DcomLaunch
748  Power
748  SystemEventsBroker

Dropped Files
1  C:\Users\XXX\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LHRX104THTKRUQZ2P7LJ.temp
     Dropped by \Device\HarddiskVolume2\Windows\ImmersiveControlPanel\SystemSettings.exe [9788]
2  C:\Users\XXX\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\f18460fded109990.customDestinations-ms~RF26ce9.TMP
     Dropped by \Device\HarddiskVolume2\Windows\ImmersiveControlPanel\SystemSettings.exe [9788]

Thumbprints
31d3b45cddb6d22b11ccd8d251f45e90496beb9aa918bd2e23eaa1dbb8927bff

Code:

Mitigation   CodeCave
Timestamp    2020-12-08T17:38:26

Platform     10.0.19042/x64 v889 06_2a
PID          7468
WoW          x86
Feature      003D0B30000003A2
Application  D:\TMP\_iu14D2N.tmp
Created      2020-12-08T17:38:25
Description  Setup/Uninstall 8.8.9

Extra data appended to file!

Data at offset: 00286600

00286600  A4 86 5F A5 94 BC CF 1E 73 76 91 4F 5A 59 29 8D  .._.....sv.OZY).
00286610  89 0C 66 16 49 6E 6E 6F 20 53 65 74 75 70 20 4D  ..f.Inno Setup M
00286620  65 73 73 61 67 65 73 20 28 36 2E 30 2E 30 29 20  essages (6.0.0)
00286630  28 75 29 00 00 00 00 00 00 00 00 00 00 00 00 00  (u).............
00286640  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00286650  00 00 00 00 F3 00 00 00 22 5B 00 00 DD A4 FF FF  ........"[......
00286660  E7 A4 CE 19 43 00 61 00 6E 00 63 00 65 00 6C 00  ....C.a.n.c.e.l.
00286670  20 00 69 00 6E 00 73 00 74 00 61 00 6C 00 6C 00   .i.n.s.t.a.l.l.
00286680  61 00 74 00 69 00 6F 00 6E 00 00 00 53 00 65 00  a.t.i.o.n...S.e.
00286690  6C 00 65 00 63 00 74 00 20 00 61 00 63 00 74 00  l.e.c.t. .a.c.t.
002866A0  69 00 6F 00 6E 00 00 00 26 00 49 00 67 00 6E 00  i.o.n...&.I.g.n.
002866B0  6F 00 72 00 65 00 20 00 74 00 68 00 65 00 20 00  o.r.e. .t.h.e. .
002866C0  65 00 72 00 72 00 6F 00 72 00 20 00 61 00 6E 00  e.r.r.o.r. .a.n.
002866D0  64 00 20 00 63 00 6F 00 6E 00 74 00 69 00 6E 00  d. .c.o.n.t.i.n.
002866E0  75 00 65 00 00 00 26 00 54 00 72 00 79 00 20 00  u.e...&.T.r.y. .
002866F0  61 00 67 00 61 00 69 00 6E 00 00 00 26 00 41 00  a.g.a.i.n...&.A.
00286700  62 00 6F 00 75 00 74 00 20 00 53 00 65 00 74 00  b.o.u.t. .S.e.t.
00286710  75 00 70 00 2E 00 2E 00 2E 00 00 00 25 00 31 00  u.p.........%.1.
00286720  20 00 76 00 65 00 72 00 73 00 69 00 6F 00 6E 00   .v.e.r.s.i.o.n.
00286730  20 00 25 00 32 00 0D 00 0A 00 25 00 33 00 0D 00   .%.2.....%.3...
00286740  0A 00 0D 00 0A 00 25 00 31 00 20 00 68 00 6F 00  ......%.1. .h.o.
00286750  6D 00 65 00 20 00 70 00 61 00 67 00 65 00 3A 00  m.e. .p.a.g.e.:.
00286760  0D 00 0A 00 25 00 34 00 00 00 00 00 41 00 62 00  ....%.4.....A.b.
00286770  6F 00 75 00 74 00 20 00 53 00 65 00 74 00 75 00  o.u.t. .S.e.t.u.

Loaded Modules (28)
-----------------------------------------------------------------------------
00400000-00695000 _iu14D2N.tmp (Crystal Dew World       ),
                  version: 51.1052.0.0
77E50000-77FF3000 ntdll.dll (Microsoft Corporation),
                  version: 10.0.19041.610 (WinBuild.160101.0800)
74F70000-75070000 hmpalert.dll (SurfRight B.V.),
                  version: 3.8.8.889
75FD0000-760C0000 KERNEL32.dll (Microsoft Corporation),
                  version: 10.0.19041.546 (WinBuild.160101.0800)
76FD0000-771E4000 KERNELBASE.dll (Microsoft Corporation),
                  version: 10.0.19041.572 (WinBuild.160101.0800)
769F0000-76A9F000 comdlg32.dll (Microsoft Corporation),
                  version: 10.0.19041.546 (WinBuild.160101.0800)
76870000-7692F000 msvcrt.dll (Microsoft Corporation),
                  version: 7.0.19041.546 (WinBuild.160101.0800)
76440000-766C1000 combase.dll (Microsoft Corporation),
                  version: 10.0.19041.572 (WinBuild.160101.0800)
77350000-77470000 ucrtbase.dll (Microsoft Corporation),
                  version: 10.0.19041.546 (WinBuild.160101.0800)
76930000-769EA000 RPCRT4.dll (Microsoft Corporation),
                  version: 10.0.19041.630 (WinBuild.160101.0800)
761A0000-76227000 shcore.dll (Microsoft Corporation),
                  version: 10.0.19041.610 (WinBuild.160101.0800)
75D10000-75EA6000 USER32.dll (Microsoft Corporation),
                  version: 10.0.19041.610 (WinBuild.160101.0800)
75FA0000-75FB8000 win32u.dll (Microsoft Corporation),
                  version: 10.0.19041.630 (WinBuild.160101.0800)
77B60000-77B83000 GDI32.dll (Microsoft Corporation),
                  version: 10.0.19041.546 (WinBuild.160101.0800)
77270000-7734A000 gdi32full.dll (Microsoft Corporation),
                  version: 10.0.19041.572 (WinBuild.160101.0800)
76AA0000-76B1B000 msvcp_win.dll (Microsoft Corporation),
                  version: 10.0.19041.546 (WinBuild.160101.0800)
76B20000-76B65000 SHLWAPI.dll (Microsoft Corporation),
                  version: 10.0.19041.546 (WinBuild.160101.0800)
77540000-77AF3000 SHELL32.dll (Microsoft Corporation),
                  version: 10.0.19041.610 (WinBuild.160101.0800)
76230000-762C6000 oleaut32.dll (Microsoft Corporation),
                  version: 10.0.19041.546 (WinBuild.160101.0800)
771F0000-7726A000 advapi32.dll (Microsoft Corporation),
                  version: 10.0.19041.610 (WinBuild.160101.0800)
77D50000-77DC5000 sechost.dll (Microsoft Corporation),
                  version: 10.0.19041.546 (WinBuild.160101.0800)
75EB0000-75F93000 ole32.dll (Microsoft Corporation),
                  version: 10.0.19041.546 (WinBuild.160101.0800)
75CE0000-75CF9000 mpr.dll (Microsoft Corporation),
                  version: 10.0.19041.546 (WinBuild.160101.0800)
741D0000-743E2000 COMCTL32.dll (Microsoft Corporation),
                  version: 6.10 (WinBuild.160101.0800)
75BC0000-75BC8000 version.dll (Microsoft Corporation),
                  version: 10.0.19041.546 (WinBuild.160101.0800)
75CC0000-75CD3000 netapi32.dll (Microsoft Corporation),
                  version: 10.0.19041.546 (WinBuild.160101.0800)
75C90000-75C9B000 NETUTILS.DLL (Microsoft Corporation),
                  version: 10.0.19041.546 (WinBuild.160101.0800)
767B0000-767D5000 IMM32.DLL (Microsoft Corporation),
                  version: 10.0.19041.546 (WinBuild.160101.0800)

SHA256: 
7e95c173b7b6cda0627a9c15ab6288aa026bc9481657817935242ebb42b0cbf8

Process Trace
1  D:\TMP\_iu14D2N.tmp [7468] 2020-12-08T17:38:25
   "D:\TMP\_iu14D2N.tmp" /SECONDPHASE="C:\Program Files\CrystalDiskInfo\unins000.exe" /FIRSTPHASEWND=$107A8
2  C:\Program Files\CrystalDiskInfo\unins000.exe [7948] 2020-12-08T17:38:08
3  C:\Windows\ImmersiveControlPanel\SystemSettings.exe [9788] 2020-12-08T17:37:35
   "C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel
4  C:\Windows\System32\svchost.exe [748] 2020-12-08T17:35:17
   C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p
5  C:\Windows\System32\services.exe [884] 2020-12-08T17:35:12
6  C:\Windows\System32\wininit.exe [804] 2020-12-08T17:35:12
   wininit.exe
7  C:\Windows\System32\smss.exe [548] 2020-12-08T17:35:06 5.8s
   \SystemRoot\System32\smss.exe 000000c0 00000084
8  C:\Windows\System32\smss.exe [468] 2020-12-08T17:35:04
   \SystemRoot\System32\smss.exe

Services
748  BrokerInfrastructure
748  DcomLaunch
748  Power
748  SystemEventsBroker

Dropped Files
1  D:\TMP\_iu14D2N.tmp
     Dropped by \Device\HarddiskVolume2\Program Files\CrystalDiskInfo\unins000.exe [7948]
        Read by \Device\HarddiskVolume2\Program Files (x86)\HitmanPro.Alert\hmpalert.exe [1600]
                \Device\HarddiskVolume2\Program Files\VoodooShield\VoodooShieldService.exe [3564]
                \Device\HarddiskVolume2\ProgramData\Microsoft\Windows Defender\Platform\4.18.2011.6-0\MsMpEng.exe [3596]
                \Device\HarddiskVolume2\Program Files\VoodooShield\VoodooShield.exe [5596]
                \Device\HarddiskVolume4\TMP\_iu14D2N.tmp [7468]
1  C:\Users\XXX\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LHRX104THTKRUQZ2P7LJ.temp
     Dropped by \Device\HarddiskVolume2\Windows\ImmersiveControlPanel\SystemSettings.exe [9788]
2  C:\Users\XXX\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\f18460fded109990.customDestinations-ms~RF26ce9.TMP
     Dropped by \Device\HarddiskVolume2\Windows\ImmersiveControlPanel\SystemSettings.exe [9788]

Thumbprints
bcd9a359b02cb7dba87ca402b5f95b7576d098975d641993836ef4dc3dbaadd2

L10090 · Dec 11, 2020

Running W7-x64 professional hitmanpro.alert 3.8.8.build 889.

Starting November 30th ( probably the day I was automatically upgraded from build 797 to build 887) I got 950 events (up till now).
The events are all identical and related to file screensv.scr. VirusTotal reports no issues at all on this file.

What to do? Can I ignore/suppress this event?

paulderdash · Dec 12, 2020

Should have posted this here: https://www.wilderssecurity.com/thr...iscussion-thread.324841/page-651#post-2973301

Tinstaafl · Mar 13, 2021

No posts here in 3 months? What's up folks?

jmonge · Mar 13, 2021

Tinstaafl said: ↑

No posts here in 3 months? What's up folks?
Click to expand...

I send them a msg and nothing

Log in or Sign up

HitmanPro.Alert BETA

abbs Registered Member

XIII Registered Member

HempOil Registered Member

Krusty Registered Member

feerf56 Registered Member

BoerenkoolMetWorst Registered Member

markloman Developer

BoerenkoolMetWorst Registered Member

Valdez Registered Member

jmonge Registered Member

Krusty Registered Member

jmonge Registered Member

jmonge Registered Member

RonnyT QA Engineer

deugniet Registered Member

paulderdash Registered Member

jmonge Registered Member

abbs Registered Member

HempOil Registered Member

L10090 Registered Member

HempOil Registered Member

L10090 Registered Member

paulderdash Registered Member

Tinstaafl Registered Member

jmonge Registered Member

Log in or Sign up

HitmanPro.Alert BETA

abbs Registered Member

XIII Registered Member

HempOil Registered Member

Krusty Registered Member

feerf56 Registered Member

BoerenkoolMetWorst Registered Member

markloman Developer

BoerenkoolMetWorst Registered Member

Valdez Registered Member

jmonge Registered Member

Krusty Registered Member

jmonge Registered Member

jmonge Registered Member

RonnyT QA Engineer

deugniet Registered Member

paulderdash Registered Member

jmonge Registered Member

abbs Registered Member

HempOil Registered Member

L10090 Registered Member

HempOil Registered Member

L10090 Registered Member

paulderdash Registered Member

Tinstaafl Registered Member

jmonge Registered Member

Useful Searches