HitmanPro.Alert BETA

Krusty · Mar 16, 2022

RonnyT said: ↑

Ok final try can you disable all options under orange?
Click to expand...

Nope, that didn't work either, Ronny.

RonnyT · Mar 16, 2022

Krusty said: ↑

Nope, that didn't work either, Ronny.
Click to expand...

Ok on exclude it is for now then, which version is it and where can I download for reproduction? default settings or tweaked?

Krusty · Mar 16, 2022

RonnyT said: ↑

Ok on exclude it is for now then, which version is it and where can I download for reproduction? default settings or tweaked?
Click to expand...

The free version from here:

https://www.brightfort.com/sbdownload_free.html

https://www.brightfort.net/downloads/spywareblastersetup60.exe

Version 6.0

Default, all protection enabled.

TheBear · Mar 16, 2022

RonnyT said: ↑

Try the Suppress Alert option on the event log please
Click to expand...

Did not work. Still getting the same error

RonnyT · Mar 16, 2022

TheBear said: ↑

Did not work. Still getting the same error
Click to expand...

The same? or similar? you might need to suppress a couple of attempts in some cases.

TheBear · Mar 16, 2022

RonnyT said: ↑

Please try the same, disable all options on process protection of the Orange button, see if it works, and if so enable the options on-by-one so we know which one causes the issue.

If that doesn't work you'll probably need to add Virtual box to exclusions for now.
Click to expand...

Disabled "unexpected system calls" and that did the trick.
thanks. Is that something that can be fixed?

RonnyT · Mar 16, 2022

TheBear said: ↑

Disabled "unexpected system calls" and that did the trick.
thanks. Is that something that can be fixed?
Click to expand...

Thanks for narrowing that down.
I'll be looking in to that tomorrow, but it needs a new build.

If it works by adding Virtual Box to exclusions then I'd go for that and enable Unexpected system calls again to have maximum protection.

TheBear · Mar 16, 2022

RonnyT said: ↑

Thanks for narrowing that down.
I'll be looking in to that tomorrow, but it needs a new build.

If it works by adding Virtual Box to exclusions then I'd go for that and enable Unexpected system calls again to have maximum protection.
Click to expand...

could you walk me though how to do that exclusion? thanks

RonnyT · Mar 16, 2022

TheBear said: ↑

could you walk me though how to do that exclusion? thanks
Click to expand...

you'll need to add one ore more vbox executables

https://hitmanpro.zendesk.com/hc/en...nPro-Alert-is-installed-how-can-I-solve-this-

TheBear · Mar 16, 2022

RonnyT said: ↑

you'll need to add one ore more vbox executables

https://hitmanpro.zendesk.com/hc/en...nPro-Alert-is-installed-how-can-I-solve-this-
Click to expand...

thanks I got it done.

deugniet · Mar 17, 2022

HollowProcess with Sandboxie Plus.

Code:

Mitigation   HollowProcess
Timestamp    2022-03-17T07:15:42

Platform     10.0.19044/x64 v935 06_4e
PID          10104
Service      SbieSvc
Feature      007D0A30000001AE
Application  C:\Program Files\Sandboxie-Plus\SbieSvc.exe
Created      2022-03-09T08:18:36
Description  Sandboxie Service 5.55.13

Target PID       6476
Target           C:\Program Files\Sandboxie-Plus\Start.exe
Target imagebase: 00007FF766150000
Attempt to write at: 00007FFACF584B00

Loaded Modules (27)
-----------------------------------------------------------------------------
00007FF77EA70000-00007FF77EACD000 SbieSvc.exe (Sandboxie-Plus.com),
                                  version: 5.55.13
00007FFACF510000-00007FFACF705000 ntdll.dll (Microsoft Corporation),
                                  version: 10.0.19041.1566 (WinBuild.160101.0800)
00007FFACD980000-00007FFACDA3E000 KERNEL32.dll (Microsoft Corporation),
                                  version: 10.0.19041.1566 (WinBuild.160101.0800)
00007FFACC9D0000-00007FFACCAEA000 hmpalert.dll (SurfRight B.V.),
                                  version: 3.8.20.935
00007FFACCC30000-00007FFACCEF8000 KERNELBASE.dll (Microsoft Corporation),
                                  version: 10.0.19041.1566 (WinBuild.160101.0800)
00007FFACDCA0000-00007FFACDE40000 USER32.dll (Microsoft Corporation),
                                  version: 10.0.19041.1503 (WinBuild.160101.0800)
00007FFACD3B0000-00007FFACD3D2000 win32u.dll (Microsoft Corporation),
                                  version: 10.0.19041.1586 (WinBuild.160101.0800)
00007FFACD620000-00007FFACD64B000 GDI32.dll (Microsoft Corporation),
                                  version: 10.0.19041.1202 (WinBuild.160101.0800)
00007FFACD100000-00007FFACD20B000 gdi32full.dll (Microsoft Corporation),
                                  version: 10.0.19041.1566 (WinBuild.160101.0800)
00007FFACD210000-00007FFACD2AD000 msvcp_win.dll (Microsoft Corporation),
                                  version: 10.0.19041.789 (WinBuild.160101.0800)
00007FFACD2B0000-00007FFACD3B0000 ucrtbase.dll (Microsoft Corporation),
                                  version: 10.0.19041.789 (WinBuild.160101.0800)
00007FFACEB50000-00007FFACEBFE000 ADVAPI32.dll (Microsoft Corporation),
                                  version: 10.0.19041.1466 (WinBuild.160101.0800)
00007FFACD660000-00007FFACD6FE000 msvcrt.dll (Microsoft Corporation),
                                  version: 7.0.19041.546 (WinBuild.160101.0800)
00007FFACD8E0000-00007FFACD97C000 sechost.dll (Microsoft Corporation),
                                  version: 10.0.19041.1586 (WinBuild.160101.0800)
00007FFACDA40000-00007FFACDB65000 RPCRT4.dll (Microsoft Corporation),
                                  version: 10.0.19041.1466 (WinBuild.160101.0800)
00007FFACD650000-00007FFACD658000 PSAPI.DLL (Microsoft Corporation),
                                  version: 10.0.19041.546 (WinBuild.160101.0800)
00007FFACDB70000-00007FFACDC9A000 ole32.dll (Microsoft Corporation),
                                  version: 10.0.19041.1202 (WinBuild.160101.0800)
00007FFACE3C0000-00007FFACE714000 combase.dll (Microsoft Corporation),
                                  version: 10.0.19041.1566 (WinBuild.160101.0800)
00007FFACD410000-00007FFACD566000 CRYPT32.dll (Microsoft Corporation),
                                  version: 10.0.19041.1320 (WinBuild.160101.0800)
0000000056B10000-0000000056BD2000 SbieDll.dll (Sandboxie-Plus.com),
                                  version: 5.55.13
00007FFACCB30000-00007FFACCB5E000 USERENV.dll (Microsoft Corporation),
                                  version: 10.0.19041.572 (WinBuild.160101.0800)
00007FFABAD40000-00007FFABAD5A000 NETAPI32.dll (Microsoft Corporation),
                                  version: 10.0.19041.1586 (WinBuild.160101.0800)
00007FFAC9790000-00007FFAC97A4000 WTSAPI32.dll (Microsoft Corporation),
                                  version: 10.0.19041.546 (WinBuild.160101.0800)
00007FFACBC60000-00007FFACBC79000 WKSCLI.DLL (Microsoft Corporation),
                                  version: 10.0.19041.1466 (WinBuild.160101.0800)
00007FFACC850000-00007FFACC8AA000 winsta.dll (Microsoft Corporation),
                                  version: 10.0.19041.546 (WinBuild.160101.0800)
00007FFACBEC0000-00007FFACBEFB000 iphlpapi.dll (Microsoft Corporation),
                                  version: 10.0.19041.546 (WinBuild.160101.0800)
00007FFABB590000-00007FFABB599000 pstorec.dll (Microsoft Corporation),
                                  version: 10.0.19041.1 (WinBuild.160101.0800)

Process Trace
1  C:\Program Files\Sandboxie-Plus\SbieSvc.exe [10104]
2  C:\Windows\System32\services.exe [900]
3  C:\Windows\System32\wininit.exe [796]
   wininit.exe

Services
10104  SbieSvc

Dropped Files

Thumbprints
1e0cbc1af7953b88254309128678689ef3455a5215250f9c040fa41782d4ffbc (pfn-wri)
c686921c949b09a7f4a4f80bca973df1761a2395d25629b00975ff5e22805cb5 (crt-wri)

deugniet · Mar 17, 2022

Disabling Hollow Process Mitigation: Sandboxie Plus works again.

paulderdash · Mar 17, 2022

RonnyT said: ↑

Ok on exclude it is for now then, which version is it and where can I download for reproduction? default settings or tweaked?
Click to expand...

I have SpywareBlaster installed, but no issue because already excluded (I exclude other security softs in HMPA).

RonnyT · Mar 17, 2022

deugniet said: ↑

Disabling Hollow Process Mitigation: Sandboxie Plus works again.
Click to expand...

Can you try just using Suppress Alert and see if that works

RonnyT · Mar 17, 2022

Krusty said: ↑

I cannot open SpywareBlaster . It is NOT a protected application.

I get the UAC prompt, then nothing x2 machines.

Edit: Added as an Excluded Application and SpywareBlaster opens.
Click to expand...

Confirmed reproduction, for now needs to be added to Excluded Application pending code fix.

RonnyT · Mar 17, 2022

TheBear said: ↑

Installed Hitmanpro.alert 3.8.20 build 935. Now when starting Virtual Box I get the virtual box exxor
Failed to open a session for the virtual machine me18avb3.

The virtual machine 'me18avb3' has terminated unexpectedly during startup with exit code -1073740768 (0xc0000420).

Result Code: E_FAIL (0x80004005)
Component: MachineWrap
Interface: IMachine {85632c68-b5bb-4316-a900-5eb28d3413df}

From Hitmanpro.alert error:

Code:

The application is using a direct system call to evade inspection by AV/EDR defenses. The use of a direct syscall is highly unusual and an indication that the application is attempting to execute code without raising suspicion.

MITRE ATT&CK

Native API - ID: T1106, Tactic: Execution, Defense Evasion
Mitigation   SysCall
Timestamp    2022-03-16T22:32:44

Platform     10.0.22000/x64 v935 8f_71
PID          9176
Feature      007D0A30000000A6
Application  C:\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
Created      2022-01-24T22:03:29
Description  VirtualBox Virtual Machine 6.1.32

SecLvl: 1
Direct Syscall originating from: 00007FF6F1BFC7A4
*** ImageBasedCaller ***
OwnerModuleName: C:\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
OwnerModule is signed
Current process is signed

0x00007FF6F1BFC7A4  c3                       RET       

----- SNIP HERE -----
AAINAQDAv/H2fwAApMe/8fZ/AAAAwL/x9n8AAADABgBIi1XoTItF4EyLTdhMi1XQTItdyMnDDQTM/yXgXwsAiwXiXwsASYnKDwXDDQTMiwXSXwsA9gQlCAP+fwFJicp1Aw8Fw80uww0EzP8lvV8LAIsFv18LAEmJyg8Fww0EzIsFr18LAPYEJQgD/n8BSYnKdQMPBcPNLsMNBMz/JZpfCwCLBZxfCwBJicoPBcMNBMyLBYxfCwD2BCUIA/5/AUmJynUDDwXDzS7DDQTM/yV3XwsAiwV5XwsASYnKDwXDDQTMiwVpXwsA9gQlCAP+fwFJicp1Aw8Fw80uww0EzP8lVF8LAIsFVl8LAEmJyg8Fww0EzIsFRl8LAPYEJQgD/n8BSYnKdQMPBcPNLsMNBMz/JTFfCwCLBTNfCwBJicoPBcMNBMyLBSNfCwD2BCUIA/5/AUmJynUDDwXDzS7DDQTM/yUOXwsAiwUQXwsASYnKDwXDDQTMiwUAXwsA9gQlCAP+fwFJicp1Aw8Fw80uww0EzP8l614LAIsF7V4LAEmJyg8Fww0EzIsF3V4LAPYEJQgD/n8BSYnKdQMPBcPNLsMNBMz/JcheCwCLBcpeCwBJicoPBcMNBMyLBbpeCwD2BCUIA/5/AUmJynUDDwXDzS7DDQTM/yWlXgsAiwWnXgsASYnKDwXDDQTMiwWXXgsA9gQlCAP+fwFJicp1Aw8Fw80uww0EzP8lgl4LAIsFhF4LAEmJyg8Fww0EzIsFdF4LAPYEJQgD/n8BSYnKdQMPBcPNLsMNBMz/JV9eCwCLBWFeCwBJicoPBcMNBMyLBVFeCwD2BCUIA/5/AUmJynUDDwXDzS7DDQTM/yU8XgsAiwU+XgsASYnKDwXDDQTMiwUuXgsA9gQlCAP+fwFJicp1Aw8Fw80uww0EzP8lGV4LAIsFG14LAEmJyg8Fww0EzIsFC14LAPYEJQgD/n8BSYnKdQMPBcPNLsMNBMz/JfZdCwCLBfhdCwBJicoPBcMNBMyLBehdCwD2BCUIA/5/AUmJynUDDwXDzS7DDQTM/yXTXQsAiwXVXQsASYnKDwXDDQTMiwXFXQsA9gQlCAP+fwFJicp1Aw8Fw80uww0EzP8lsF0LAIsFsl0LAEmJyg8Fww0EzIsFol0LAPYEJQgD/n8BSYnKdQMPBcPNLsMNBMz/JY1dCwCLBY9dCwBJicoPBcMNBMyLBX9dCwD2BCUIA/5/AUmJynUDDwXDzS7DDQTM/yVqXQsAiwVsXQsASYnKDwXDDQTMiwVcXQsA9gQlCAP+fwFJicp1Aw8Fw80uww0EzP8lR10LAIsFSV0LAEmJyg8Fww0EzIsFOV0LAPYEJQgD/n8BSYnKdQMPBcPNLsMNBMz/JSRdCwCLBSZdCwBJicoPBcMNBMyLBRZdCwD2BCUIA/5/AUmJynUDDwXDzS7DDQTM/yUBXQsAiwUDXQsASYnKDwXDDQTMiwXzXAsA9gQlCAP+fwFJicp1Aw8Fw80uww0EzP8l3lwLAIsF4FwLAEmJyg8Fww0EzIsF0FwLAPYEJQgD/n8BSYnKdQMPBcPNLsMNBMz/JbtcCwCLBb1cCwBJicoPBcMNBMyLBa1cCwD2BCUIA/5/AUmJynUDDwXDzS7DDQTM/yWYXAsAiwWaXAsASYnKDwXDDQTMiwWKXAsA9gQlCAP+fwFJicp1Aw8Fw80uww0EzP8ldVwLAIsFd1wLAEmJyg8Fww0EzIsFZ1wLAPYEJQgD/n8BSYnKdQMPBcPNLsMNBMz/JVJcCwCLBVRcCwBJicoPBcMNBMyLBURcCwD2BCUIA/5/AUmJynUDDwXDzS7DDQTM/yUvXAsAiwUxXAsASYnKDwXDDQTMiwUhXAsA9gQlCAP+fwFJicp1Aw8Fw80uww0EzP8lDFwLAIsFDlwLAEmJyg8Fww0EzIsF/lsLAPYEJQgD/n8BSYnKdQMPBcPNLsMNBMz/JelbCwCLBetbCwBJicoPBcMNBMyLBdtbCwD2BCUIA/5/AUmJynUDDwXDzS7DDQTM/yXGWwsAiwXIWwsASYnKDwXDDQTMiwW4WwsA9gQlCAP+fwFJicp1Aw8Fw80uww0EzP8lo1sLAIsFpVsLAEmJyg8Fww0EzIsFlVsLAPYEJQgD/n8BSYnKdQMPBcPNLsMNBMz/JYBbCwCLBYJbCwBJicoPBcMNBMyLBXJbCwD2BCUIA/5/AUmJynUDDwXDzS7DDQTM/yVdWwsAiwVfWwsASYnKDwXDDQTMiwVPWwsA9gQlCAP+fwFJicp1Aw8Fw80uww0EzP8lOlsLAIsFPFsLAEmJyg8Fww0EzIsFLFsLAPYEJQgD/n8BSYnKdQMPBcPNLsMNBMz/JRdbCwCLBRlbCwBJicoPBcMNBMyLBQlbCwD2BCUIA/5/AUmJynUDDwXDzS7DDQTM/yX0WgsAiwX2WgsASYnKDwXDDQTMiwXmWgsA9gQlCAP+fwFJicp1Aw8Fw80uww0EzP8l0VoLAIsF01oLAEmJyg8Fww0EzIsFw1oLAPYEJQgD/n8BSYnKdQMPBcPNLsMNBMz/Ja5aCwCLBbBaCwBJicoPBcMNBMyLBaBaCwD2BCUIA/5/AUmJynUDDwXDzS7DDQTM/yWLWgsAiwWNWgsASYnKDwXDDQTMiwV9WgsA9gQlCAP+fwFJicp1Aw8Fw80uww0EzP8laFoLAIsFaloLAEmJyg8Fww0EzIsFDQJaCwD2BCUIA/5/AUmJynUDDwXDzS7DDQTM/yVFWgsAiwVHWgsASYnKDwXDDQTMiwU3WgsA9gQlCAP+fwFJicp1Aw8Fw80uww0EzP8lIloLAIsFJFoLAEmJyg8Fww0EzIsFFFoLAPYEJQgD/n8BSYnKdQMPBcPNLsMNBMz/Jf9ZCwCLBQFaCwBJicoPBcMNBMyLBfFZCwD2BCUIA/5/AUmJynUDDwXDzS7DDQTM/yXcWQsAiwXeWQsASYnKDwXDDQTMiwXOWQsA9gQlCAP+fwFJicp1Aw8Fw80uww0EzP8luVkLAIsFu1kLAEmJyg8Fww0EzIsFq1kLAPYEJQgD/n8BSYnKdQMPBcPNLsMNBMz/JZZZCwCLBZhZCwBJicoPBcMNBMyLBYhZCwD2BCUIA/5/AUmJynUDDwXDzS7DDQTM/yVzWQsAiwV1WQsASYnKDwXDDQTMiwVlWQsA9gQlCAP+fwFJicp1Aw8Fw80uww0EzP8lUFkLAIsFUlkLAEmJyg8Fww0EzIsFQlkLAPYEJQgD/n8BSYnKdQMPBcPNLsMNBMz/JS1ZCwCLBS9ZCwBJicoPBcMNBMyLBR9ZCwD2BCUIA/5/AUmJynUDDwXDzS7DDQTM/yUKWQsAiwUMWQsASYnKDwXDDQTMiwX8WAsA9gQlCAP+fwFJicp1Aw8Fw80uww0EzP8l51gLAIsF6VgLAEmJyg8Fww0EzIsF2VgLAPYEJQgD/n8BSYnKdQMPBcPNLsMNBMz/JcRYCwCLBcZYCwBJicoPBcMNBMyLBbZYCwD2BCUIA/5/AUmJynUDDwXDzS7DDQTM/yWhWAsAiwWjWAsASYnKDwXDDQTMiwWTWAsA9gQlCAP+fwFJicp1Aw8Fw80uww0EzP8lflgLAIsFgFgLAEmJyg8Fww0EzIsFcFgLAPYEJQgD/n8BSYnKdQMPBcPNLsMNBMz/JVtYCwCLBV1YCwBJicoPBcMNBMyLBU1YCwD2BCUIA/5/AUmJynUDDwXDzS7DDQTM/yU4WAsAiwU6WAsASYnKDwXDDQTMiwUqWAsA9gQlCAP+fwFJicp1Aw8Fw80uww0EzP8lFVgLAIsFF1gLAEmJyg8Fww0EzIsFB1gLAPYEJQgD/n8BSYnKdQMPBcPNLsMNBMz/JfJXCwCLBfRXCwBJicoPBcMNBMyLBeRXCwD2BCUIA/5/AUmJynUDDwXDzS7DDQTM/yXPVwsAiwXRVwsASYnKDwXDDQTMiwXBVwsA9gQlCAP+fwFJicp1Aw8Fw80uww0EzP8lrFcLAIsFrlcLAEmJyg8Fww0EzIsFnlcLAPYEJQgD/n8BSYnKdQMPBcPNLsMNBMz/JYlXCwD/JYtXCwD/JY1XCwD/JY9XCwD/JZFXCwDMw/8lkVcLAMzD/yWRVwsAzMP/JZFXCwDMw/8lkVcLAMzD/yWRVwsAzMP/JZFXCwDMw/8lkVcLAMzD/yWRVwsAzMP/JZFXCwDMw/8lkVcLAMzD/yWRVwsAzMP/JZFXCwD/JZNXCwD/JZVXCwD/JZdXCwD/JZlXCwDMw/8lmVcLAMzD/yWZVwsA/yWbVwsA/yWdVwsA/yWfVwsA/yWhVwsA/yWjVwsA/yWlVwsA/yWnVwsA/yWpVwsAzMP/JalXCwD/JatXCwD/Ja1XCwDMw/8lrVcLAP8lr1cLAMzD/yWvVwsAzMP/Ja9XCwDMw/8lr1cLAMzD/yWvVwsAzMP/Ja9XCwDMw/8lr1cLAMzD/yWvVwsAzMP/Ja9XCwDMw/8lr1cLAMzD/yWvVwsAzMP/Ja9XCwDMw/8lr1cLAMzD/yWvVwsAzMP/Ja9XCwDMw/8lr1cLAMzD/yWvVwsAzMP/Ja9XCwDMw/8lr1cLAMzD/yWvVwsAzMMNDcxIiVwkCEiJdCQQSIl8JBhJi9lFM8lJi/BMi9pIi/lMi9FIhdIPhGUCDQIAZg8fRA0CAEEPthKE0g+EUwINAgAPiTsCDQIAD7bCJOA8wHUHuQINAwDrQg+2wiTwPOB1B7kDDQMA6zIPtsIk+DzwdQe5BA0DAOsiD7bCJPw8+HUHuQUNAwDrEg+2wiT+PPwPhUoCDQIAuQYNAwBEi8FNO8MPhzkCDQIAi8GD6AJ0TP/IdDn/yHQm/8h0E//IdUtBD7ZCBSTAPIAPhRMCDQIAQQ+2QgQkwDyAD4UEAg0CAEEPtkIDJMA8gA+F9QENAgBBD7ZCAiTAPIAPheYBDQIAQQ+2QgEkwDyAD4XXAQ0CAIPpAg+ETQENAgD/yQ+E7A0DAP/JD4SrDQMA/8l0Xv/JD4VOAQ0CAEEPtkoBD7bCg+ABg+E/weAGC8hBD7ZCAoPgP8HhBgvIQQ+2QgOD4D/B4QYLyEEPtkIEg+A/weEGC8hBD7ZCBYPgP8HhBgvBBQ0DAPw9DQP/e+n2DQMAQQ+2SgEPtsKD4AOD4T/B4AYLyEEPtkICg+A/weEGC8hBD7ZCA4PgP8HhBgvIQQ+2QgSD4D/B4QYLwQUNAgDg/z0NAv/fA+mtDQMAQQ+2SgEPtsKD4AeD4T/B4AYLyEEPtkICg+A/weEGC8hBD7ZCA4PgP8HhBgvBBQ0CAA0C/z0NAv8eAOt0QQ+2SgEPtsKD4A+D4T/B4AYLyEEPtkICg+A/weEGC8iB
----- END SNIP -----

Loaded Modules (5)
-----------------------------------------------------------------------------
00007FF6F1BF0000-00007FF6F1D08000 VirtualBoxVM.exe (Oracle Corporation),
                                  version: 6.1.32.149290
00007FFB73730000-00007FFB7384A000 hmpalert.dll (SurfRight B.V.),
                                  version: 3.8.20.935
- MS skipped (3) -

Process Trace
1  C:\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe [9176]
   "C:\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe" --comment me18avb3 --startvm 97ce4e7d-de04-4b13-aa7b-3b4a2499736c --no-startvm-errormsgbox "--sup-hardening-log=\\as7004t\backups\VirtualBox VMs\VB1\me18avb3\Logs\VBoxHardening.log"
2  C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe [9328]
   "C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe" -Embedding
3  C:\Windows\System32\svchost.exe [1456]
   C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p
4  C:\Windows\System32\services.exe [1320]
5  C:\Windows\System32\wininit.exe [1124]
   wininit.exe

Services
1456  BrokerInfrastructure
1456  DcomLaunch
1456  PlugPlay
1456  Power
1456  SystemEventsBroker

Dropped Files
1  C:\Users\jwyko\.VirtualBox\VBoxSVC.log
     Dropped by \Device\HarddiskVolume3\Program Files\Oracle\VirtualBox\VBoxSVC.exe [9328]

Thumbprints
4c99bda7c796bb8f16e53e3f9d687e8a2a08fbc499968bb327327ac2f3b45de9 (pfn)
8116a0e14ec43087fcc39eb4667126e7f6ab3bc33b6afc676cbfab36bedebaf5 (pfn-crt)
2dd78676af800256d9824b89a9bd1e3135765a9a313deef3041fe8854a5487f3 (pfn-ownmod)


Any thoughts?

Click to expand...

Confirmed reproduction, for now needs to be added to Excluded Application pending code fix.

deugniet · Mar 17, 2022

RonnyT said: ↑

Can you try just using Suppress Alert and see if that works
Click to expand...

Suppress Alert works.

Valdez · Mar 17, 2022

Mitigation RemoteThreadGuard
Timestamp 2022-03-17T09:55:39

Platform 6.1.7601/x64 v935 06_2a
PID 1364
Service EapHost, gpsvc, MMCSS, ProfSvc, Schedule, SENS, ShellHWDetection, Themes
Feature 007D0B30000001AA
Application C:\Windows\System32\svchost.exe
Created 2014-10-22T10:18:39
Description Processo host per servizi di Windows 6.1

========================================================
== Current process information ==
========================================================
ImageBase: 00000000FF8E0000
SHA-256 93b2ed4004ed5f7f3039dd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8
SHA-1 619652b42afe5fb0e3719d7aeda7a5494ab193e8
MD5 c78655bc80301d76ed4fef1c1ea40a7d
Process does not have authenticode
Cannot retrieve subjectHash
========================================================
== Caller information ==
========================================================
Caller: 000007FEFA2750F2
Caller located on Heap: FALSE
OwnerModule: themeservice.dll
OwnerModule full path: c:\windows\system32\themeservice.dll
SHA-256 db9886c2c858faf45aea15f8e42860343f73eb8685c53ec2e8ccc10586cb0832
SHA-1 af0e3bcf1f56b5a89cdb2b1dca66a0140564c041
MD5 f0344071948d1a1fa732231785a0664c
Cannot retrieve subjectHash
========================================================
== Remote code information ==
========================================================
RemoteProcessName: C:\Windows\System32\winlogon.exe
RemoteProcessPID: 932
Code start: 000007FEF9853DC0
AllocationBase: 000007FEF9850000
AllocationProtect: 0x80
BaseAddress: 000007FEF9853000
RegionSize: 0x3000
State: 0x1000
Protect: 0x20
Type: 0x1000000
remoteMemOwnerProcessId: 0
remoteMemOwnerProcessName:
remoteMemOwnerAddressName:
Thread DP: N

Stack Trace
# Address Module Location
-- ---------------- ------------------------ ----------------------------------------
1 0000000076E3BC36 ntdll.dll RtlAbortRXact +0x1e6
2 0000000076E3D370 ntdll.dll RtlCreateUserThread +0x70

3 000007FEFA2750F2 themeservice.dll
8bd8 MOV EBX, EAX
85c0 TEST EAX, EAX
0f88b5000000 JS 0x7fefa2751b1
4885ff TEST RDI, RDI
7406 JZ 0x7fefa275107
c70701000000 MOV DWORD [RDI], 0x1
488b8c2490000000 MOV RCX, [RSP+0x90]
4885c9 TEST RCX, RCX
7544 JNZ 0x7fefa275158
488b8c2498000000 MOV RCX, [RSP+0x98]
83caff OR EDX, -0x1
ff15abbfffff CALL QWORD [RIP-0x4055]
488b8c2498000000 MOV RCX, [RSP+0x98]

4 000007FEFA27467A themeservice.dll
5 000007FEFA271E6C themeservice.dll
6 000007FEFA276A45 themeservice.dll
7 000007FEFA276979 themeservice.dll
8 000007FEFA277953 themeservice.dll
9 0000000076DFD13B ntdll.dll
10 0000000076EE9BB7 ntdll.dll

Loaded Modules (69)
-----------------------------------------------------------------------------
00000000FF8E0000-00000000FF8EB000 svchost.exe (Microsoft Corporation),
version: 6.1.7600.16385 (win7_rtm.090713-1255)
0000000076DF0000-0000000076F8F000 ntdll.dll (Microsoft Corporation),
version: 6.1.7601.24545 (win7sp1_ldr_escrow.20010
000007FEFC760000-000007FEFC87A000 hmpalert.dll (SurfRight B.V.),
version: 3.8.20.935
0000000076BD0000-0000000076CEF000 KERNEL32.dll (Microsoft Corporation),
version: 6.1.7601.24545 (win7sp1_ldr_escrow.20010
000007FEFCC20000-000007FEFCC87000 KERNELBASE.dll (Microsoft Corporation),
version: 6.1.7601.24545 (win7sp1_ldr_escrow.20010
000007FEFEBD0000-000007FEFEC6F000 msvcrt.dll (Microsoft Corporation),
version: 7.0.7601.17744 (win7sp1_gdr.111215-1535)
000007FEFD8B0000-000007FEFD8CF000 sechost.dll (Microsoft Corporation),
version: 6.1.7601.18869 (win7sp1_gdr.150525-0603)
000007FEFE800000-000007FEFE92C000 RPCRT4.dll (Microsoft Corporation),
version: 6.1.7601.24545 (win7sp1_ldr_escrow.20010
000007FEFE9D0000-000007FEFEBCF000 ole32.dll (Microsoft Corporation),
version: 6.1.7601.24537 (win7sp1_ldr_escrow.19111
000007FEFED80000-000007FEFEDE7000 GDI32.dll (Microsoft Corporation),
version: 6.1.7601.24540 (win7sp1_ldr_escrow.19112
0000000076CF0000-0000000076DEA000 USER32.dll (Microsoft Corporation),
version: 6.1.7601.24546 (win7sp1_ldr_escrow.20012
000007FEFD9A0000-000007FEFD9AE000 LPK.dll (Microsoft Corporation),
version: 6.1.7601.24537 (win7sp1_ldr_escrow.19111
000007FEFD8D0000-000007FEFD99B000 USP10.dll (Microsoft Corporation),
version: 1.0626.7601.24535 (win7sp1_ldr_escrow.19
000007FEFE740000-000007FEFE76E000 IMM32.DLL (Microsoft Corporation),
version: 6.1.7600.16385 (win7_rtm.090713-1255)
000007FEFEC70000-000007FEFED7B000 MSCTF.dll (Microsoft Corporation),
version: 6.1.7601.24520 (win7sp1_ldr_escrow.19082
000007FEFC690000-000007FEFC69F000 CRYPTBASE.dll (Microsoft Corporation),
version: 6.1.7601.24545 (win7sp1_ldr_escrow.20010
000007FEFEFD0000-000007FEFF0AB000 ADVAPI32.dll (Microsoft Corporation),
version: 6.1.7601.24545 (win7sp1_ldr_escrow.20010
000007FEFB000000-000007FEFB01D000 mmcss.dll (Microsoft Corporation),
version: 6.1.7600.16385 (win7_rtm.090713-1255)
000007FEFAE50000-000007FEFAE59000 AVRT.dll (Microsoft Corporation),
version: 6.1.7600.16385 (win7_rtm.090713-1255)
000007FEFA320000-000007FEFA3E6000 gpsvc.dll (Microsoft Corporation),
version: 6.1.7601.23452 (win7sp1_ldr.160512-0600)
000007FEFBA90000-000007FEFBAAB000 GPAPI.dll (Microsoft Corporation),
version: 6.1.7601.23452 (win7sp1_ldr.160512-0600)
000007FEFD100000-000007FEFD152000 WLDAP32.dll (Microsoft Corporation),
version: 6.1.7601.23889 (win7sp1_ldr.170810-1615)
000007FEFC410000-000007FEFC41B000 Secur32.dll (Microsoft Corporation),
version: 6.1.7601.24545 (win7sp1_ldr_escrow.20010
000007FEFC5C0000-000007FEFC5E5000 SSPICLI.DLL (Microsoft Corporation),
version: 6.1.7601.24545 (win7sp1_ldr_escrow.20010
000007FEFE770000-000007FEFE778000 NSI.dll (Microsoft Corporation),
version: 6.1.7601.23889 (win7sp1_ldr.170810-1615)
000007FEFC200000-000007FEFC26D000 wevtapi.dll (Microsoft Corporation),
version: 6.1.7600.16385 (win7_rtm.090713-1255)
000007FEFA6E0000-000007FEFA6F6000 NETAPI32.dll (Microsoft Corporation),
version: 6.1.7601.17887 (win7sp1_gdr.120704-0720)
000007FEFA6D0000-000007FEFA6DC000 netutils.dll (Microsoft Corporation),
version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
000007FEFC2A0000-000007FEFC2C3000 srvcli.dll (Microsoft Corporation),
version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
000007FEFA6B0000-000007FEFA6C5000 wkscli.dll (Microsoft Corporation),
version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
000007FEFBD80000-000007FEFBDB0000 LOGONCLI.DLL (Microsoft Corporation),
version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
000007FEFC270000-000007FEFC27A000 SYSNTFY.dll (Microsoft Corporation),
version: 6.1.7600.16385 (win7_rtm.090713-1255)
000007FEFA280000-000007FEFA295000 nlaapi.dll (Microsoft Corporation),
version: 6.1.7601.24000 (win7sp1_ldr.171231-1547)
000007FEFA270000-000007FEFA280000 themeservice.dll (Microsoft Corporation),
version: 6.1.7600.16385 (win7_rtm.090713-1255)
000007FEFA260000-000007FEFA26C000 dsrole.dll (Microsoft Corporation),
version: 6.1.7600.16385 (win7_rtm.090713-1255)
000007FEFA220000-000007FEFA257000 profsvc.dll (Microsoft Corporation),
version: 6.1.7601.18706 (win7sp1_gdr.141218-1503)
000007FEFCD50000-000007FEFCE2B000 OLEAUT32.dll (Microsoft Corporation),
version: 6.1.7601.24537
000007FEFCCB0000-000007FEFCCCF000 USERENV.dll (Microsoft Corporation),
version: 6.1.7601.24535 (win7sp1_ldr_escrow.19110
000007FEFC910000-000007FEFC91F000 profapi.dll (Microsoft Corporation),
version: 6.1.7600.16385 (win7_rtm.090713-1255)
000007FEFE780000-000007FEFE7F1000 SHLWAPI.dll (Microsoft Corporation),
version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
000007FEFA200000-000007FEFA219000 ATL.DLL (Microsoft Corporation),
version: 3.05.2284
000007FEFC650000-000007FEFC68D000 WINSTA.dll (Microsoft Corporation),
version: 6.1.7601.18540 (win7sp1_gdr.140716-150
000007FEFC740000-000007FEFC754000 RpcRtRemote.dll (Microsoft Corporation),
version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
000007FEFE930000-000007FEFE9C9000 CLBCatQ.DLL (Microsoft Corporation),
version: 2001.12.8530.16385 (win7_rtm.090713-1255
000007FEFBF90000-000007FEFBFA8000 CRYPTSP.dll (Microsoft Corporation),
version: 6.1.7601.24499 (win7sp1_ldr.190612-0600)
000007FEFA120000-000007FEFA12B000 slc.dll (Microsoft Corporation),
version: 6.1.7600.16385 (win7_rtm.090713-1255)
000007FEFBC90000-000007FEFBCD7000 rsaenh.dll (Microsoft Corporation),
version: 6.1.7600.16385 (win7_rtm.090713-1255)
000007FEFA0C0000-000007FEFA0D4000 sens.dll (Microsoft Corporation),
version: 6.1.7600.16385 (win7_rtm.090713-1255)
000007FEFD630000-000007FEFD67D000 WS2_32.dll (Microsoft Corporation),
version: 6.1.7601.23451 (win7sp1_ldr.160511-0600)
000007FEF9C40000-000007FEF9C5F000 eapsvc.dll (Microsoft Corporation),
version: 6.1.7600.16385 (win7_rtm.090713-1255)
000007FEF9B90000-000007FEF9BDF000 eapphost.dll (Microsoft Corporation),
version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
000007FEFCAA0000-000007FEFCC0D000 CRYPT32.dll (Microsoft Corporation),
version: 6.1.7601.24542 (win7sp1_ldr_escrow.19120
000007FEFC920000-000007FEFC92F000 MSASN1.dll (Microsoft Corporation),
version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
000007FEF9A40000-000007FEF9A53000 umb.dll (Microsoft Corporation),
version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
000007FEFB1F0000-000007FEFB20D000 SAMLIB.dll (Microsoft Corporation),
version: 6.1.7601.23677 (win7sp1_ldr.170209-0600)
000007FEF95A0000-000007FEF95FE000 shsvcs.dll (Microsoft Corporation),
version: 6.1.7601.24542 (win7sp1_ldr_escrow.19120
000007FEFCA40000-000007FEFCA76000 CFGMGR32.dll (Microsoft Corporation),
version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
000007FEF9480000-000007FEF9593000 schedsvc.dll (Microsoft Corporation),
version: 6.1.7601.24470 (win7sp1_ldr_escrow.19060
000007FEFBBF0000-000007FEFBBFD000 pcwum.dll (Microsoft Corporation),
version: 6.1.7600.16385 (win7_rtm.090713-1255)
000007FEFD9B0000-000007FEFE73B000 SHELL32.dll (Microsoft Corporation),
version: 6.1.7601.24468 (win7sp1_ldr_escrow.19052
000007FEFC1B0000-000007FEFC1DF000 AUTHZ.dll (Microsoft Corporation),
version: 6.1.7600.16385 (win7_rtm.090713-1255)
000007FEFBBA0000-000007FEFBBD9000 UBPM.dll (Microsoft Corporation),
version: 6.1.7601.18741 (win7sp1_gdr.150202-1526)
000007FEF9470000-000007FEF947A000 ktmw32.dll (Microsoft Corporation),
version: 6.1.7600.16385 (win7_rtm.090713-1255)
000007FEFA9A0000-000007FEFA9D4000 XmlLite.dll (Microsoft Corporation),
version: 1.3.1001.0
000007FEFEDF0000-000007FEFEFC7000 SETUPAPI.dll (Microsoft Corporation),
version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
000007FEFC930000-000007FEFC94A000 DEVOBJ.dll (Microsoft Corporation),
version: 6.1.7600.16385 (win7_rtm.090713-1255)
000007FEFCA00000-000007FEFCA3B000 WINTRUST.dll (Microsoft Corporation),
version: 6.1.7601.24542 (win7sp1_ldr_escrow.19120
000007FEFBBE0000-000007FEFBBEA000 credssp.dll (Microsoft Corporation),
version: 6.1.7601.24545 (win7sp1_ldr_escrow.20010
000007FEFAE60000-000007FEFAEB6000 UxTheme.dll (Microsoft Corporation),
version: 6.1.7600.16385 (win7_rtm.090713-1255)
000007FEF9410000-0031082FF9466000 FVEAPI.dll (Microsoft Corporation),
version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
000007FEF9400000-0031082FF9409000 tbs.dll (Microsoft Corporation),
version: 6.1.7600.16385 (win7_rtm.090713-1255)
000007FEF93F0000-000007FEF93F9000 FVECERTS.dll (Microsoft Corporation),
version: 6.1.7600.16385 (win7_rtm.090713-1255)

Process Trace
1 C:\Windows\System32\svchost.exe [1364]
C:\Windows\system32\svchost.exe -k netsvcs
2 C:\Windows\System32\services.exe [900]
3 C:\Windows\System32\wininit.exe [836]
wininit.exe
4 C:\Windows\System32\smss.exe [776]
\SystemRoot\System32\smss.exe 00000000 00000058
5 C:\Windows\System32\smss.exe [572]
\SystemRoot\System32\smss.exe

Services
1364 EapHost
1364 gpsvc
1364 MMCSS
1364 ProfSvc
1364 Schedule
1364 SENS
1364 ShellHWDetection
1364 Themes

Dropped Files

Thumbprints
N/A

BoerenkoolMetWorst · Mar 17, 2022

No issues so far on Win10 x64 21H2

feerf56 · Mar 18, 2022

HitmanPro.Alert 8.20 Build 935

Mitigation SysCall
Timestamp 2022-03-18T16:02:25

Platform 10.0.22000/x64 v935 06_9e
PID 6388
Feature 007D0A30000001A2
Application C:\Program Files\AMD\CNext\CNext\QtWebEngineProcess.exe
Created 2022-03-17T17:41:58
Description C++ Application Development Framework 5.15.2

SecLvl: 1
Direct Syscall originating from: 00000290840CF734
*** RemoteAllocator ***
remoteOwnerProcessName: C:\Program Files\AMD\CNext\CNext\Radeonsoftware.exe
remoteOwnerModuleName: C:\Program Files\AMD\CNext\CNext\Qt5WebEngineCore.dll
remoteOwnerPID: 7424
remoteOwnerProcess is signed
remoteOwnerModule is not signed

0x00000290840CF734 c3 RET

----- SNIP HERE -----
AAICAQDwDISQAgAANPcMhJACAAAA8AyEkAIAAAAQAAACAAACAAACAAACAADgAwIGAKADAgYAiO3Pp3wCAwAOAgMAAgT/TIvRuFUCAwD2BCUIA/5/AXUDDwXDzS7DDx+EAiUATIvRuDMCAwD2BCUIA/5/AXUDDwXDzS7DDx+EAiUATIvRuD0CAwD2BCUIA/5/AXUDDwXDzS7DDx+EAiUATIvRuEwBAgIA9gQlCAP+fwF1Aw8Fw80uww8fhAIlAEyL0bgnAgMA9gQlCAP+fwF1Aw8Fw80uww8fhAIlAEyL0bg0AQICAPYEJQgD/n8BdQMPBcPNLsMPH4QCJQBMi9G4JgIDAPYEJQgD/n8BdQMPBcPNLsMPH4QCJQBMi9G4LgECAgD2BCUIA/5/AXUDDwXDzS7DDx+EAiUATIvRuA0CAwD2BCUIA/5/AXUDDwXDzS7DDx+EAiUATIvRuCQCAwD2BCUIA/5/AXUDDwXDzS7DDx+EAiUATIvRuDACAwD2BCUIA/5/AXUDDwXDzS7DDx+EAiUATIvRuC8CAwD2BCUIA/5/AXUDDwXDzS7DDx+EAiUATIvRuCgCAwD2BCUIA/5/AXUDDwXDzS7DDx+EAiUATIvRuCoCAwD2BCUIA/5/AXUDDwXDzS7DDx+EAgAAAgAAAgAAAgAAAgAAAgAAAgAAAgAAAoUA
----- END SNIP -----

Loaded Modules (72)
-----------------------------------------------------------------------------
00007FF619290000-00007FF61932B000 QtWebEngineProcess.exe (The Qt Company Ltd.),
version: 5.15.2.0
00007FFFDD1A0000-00007FFFDD2BA000 hmpalert.dll (SurfRight B.V.),
version: 3.8.20.935
00007FFFB44D0000-00007FFFB4AD6000 Qt5Core.dll (The Qt Company Ltd.),
version: 5.15.2.0
00007FFF94FE0000-00007FFF9B404000 Qt5WebEngineCore.dll (The Qt Company Ltd.),
version: 5.15.2.0
00007FFFA66E0000-00007FFFA6AFA000 Qt5Quick.dll (The Qt Company Ltd.),
version: 5.15.2.0
00007FFFA5AC0000-00007FFFA6172000 Qt5Gui.dll (The Qt Company Ltd.),
version: 5.15.2.0
00007FFFBBEE0000-00007FFFBBF05000 Qt5WebChannel.dll (The Qt Company Ltd.),
version: 5.15.2.0
00007FFFA5700000-00007FFFA5AB9000 Qt5Qml.dll (The Qt Company Ltd.),
version: 5.15.2.0
00007FFFA6C30000-00007FFFA6D45000 Qt5Network.dll (The Qt Company Ltd.),
version: 5.15.2.0
00007FFFBB290000-00007FFFBB2E4000 Qt5Positioning.dll (The Qt Company Ltd.),
version: 5.15.2.0
00007FFFAA920000-00007FFFAA991000 Qt5QmlModels.dll (The Qt Company Ltd.),
version: 5.15.2.0
- MS skipped (61) -

Code Injection
00000290840CF000-00000290840D0000 4KB C:\Program Files\AMD\CNext\CNext\RadeonSoftware.exe [7424]
00007FFFE01A4000-00007FFFE01A5000 4KB
00007FFFE01A3000-00007FFFE01A4000 4KB
00007FFFE01A6000-00007FFFE01A7000 4KB
00007FFFE01A5000-00007FFFE01A6000 4KB

Process Trace
1 C:\Program Files\AMD\CNext\CNext\QtWebEngineProcess.exe [6388]
"C:\Program Files\AMD\CNext\CNext\QtWebEngineProcess.exe" --type=renderer --disable-speech-api --enable-threaded-compositing --enable-features=AllowContentInitiatedDataUrlNavigations,TracingServiceInProcess --disable-features=BackgroundFetch,ConsolidatedMo
2 C:\Program Files\AMD\CNext\CNext\RadeonSoftware.exe [7424]
"C:\Program Files\AMD\CNext\CNext\Radeonsoftware.exe" atlogon

Dropped Files
1 C:\Users\Asrock\AppData\Local\Microsoft\Windows\INetCache\IE\4M462QBR\version[1].json
Dropped by \Device\HarddiskVolume8\Program Files\AMD\CNext\CNext\RadeonSoftware.exe [7424]
2 C:\Users\Asrock\AppData\Local\AMD_Common\addl_details_latest.json
Dropped by \Device\HarddiskVolume8\Program Files\AMD\CNext\CNext\RadeonSoftware.exe [7424]
3 C:\Users\Asrock\AppData\Local\Microsoft\Windows\INetCache\IE\4M462QBR\DrvDldDetails_Consumer_WHQL_Win10[1].json
Dropped by \Device\HarddiskVolume8\Program Files\AMD\CNext\CNext\RadeonSoftware.exe [7424]
4 C:\Users\Asrock\AppData\Local\AMD_Common\DrvDldDetails_Consumer_WHQL_Win10.json
Dropped by \Device\HarddiskVolume8\Program Files\AMD\CNext\CNext\RadeonSoftware.exe [7424]
5 C:\Users\Asrock\AppData\Local\AMD\CN\restreamserverlist.json
Dropped by \Device\HarddiskVolume8\Program Files\AMD\CNext\CNext\RadeonSoftware.exe [7424]
6 C:\Users\Asrock\AppData\Local\AMD\Radeonsoftware\QtWebEngine\Default\Platform Notifications\LOG.old~RF6ad79.TMP
Dropped by \Device\HarddiskVolume8\Program Files\AMD\CNext\CNext\RadeonSoftware.exe [7424]
7 C:\Users\Asrock\AppData\Local\AMD\Radeonsoftware\QtWebEngine\Default\Platform Notifications\LOG
Dropped by \Device\HarddiskVolume8\Program Files\AMD\CNext\CNext\RadeonSoftware.exe [7424]
8 C:\Users\Asrock\AppData\Local\AMD\Radeonsoftware\QtWebEngine\Default\Session Storage\LOG.old~RF6b9ae.TMP
Dropped by \Device\HarddiskVolume8\Program Files\AMD\CNext\CNext\RadeonSoftware.exe [7424]
9 C:\Users\Asrock\AppData\Local\AMD\Radeonsoftware\QtWebEngine\Default\Session Storage\LOG
Dropped by \Device\HarddiskVolume8\Program Files\AMD\CNext\CNext\RadeonSoftware.exe [7424]

Thumbprints
810af5e5b485b6aece639827e26999389ee9125ea60cc65e554a0da29cf75939 (pfn)

feerf56 · Mar 18, 2022

HitmanPro.Alert 8.20 Build 935

Mitigation Lockdown
Timestamp 2022-03-10T04:36:04

Platform 10.0.22000/x64 v923 06_9e
PID 17028
WoW x86
Feature 007D0A36000003B6
Application C:\Program Files (x86)\Hard Disk Sentinel\HDSentinel.exe
Created 2022-03-10T04:35:54
Description Hard Disk Sentinel 6

Filename C:\WINDOWS\SYSTEM32\CSCRIPT.exe

Command line:
CSCRIPT //NOLOGO "C:\Users\Asrock\AppData\Roaming\Hard Disk Sentinel\hds_control_remove.vbs"

Loaded Modules (69)
-----------------------------------------------------------------------------
00400000-016D3000 HDSentinel.exe (H.D.S. Hungary),
version: 6.0.0.0
77BC0000-77D69000 ntdll.dll (Microsoft Corporation),
version: 10.0.22000.527 (WinBuild.160101.0800)
76220000-76310000 KERNEL32.dll (Microsoft Corporation),
version: 10.0.22000.434 (WinBuild.160101.0800)
74A90000-74BA3000 hmpalert.dll (SurfRight B.V.),
version: 3.8.19.923
76A10000-76C62000 KERNELBASE.dll (Microsoft Corporation),
version: 10.0.22000.527 (WinBuild.160101.0800)
6CAE0000-6CB80000 apphelp.dll (Microsoft Corporation),
version: 10.0.22000.282 (WinBuild.160101.0800)
759D0000-75B7C000 user32.dll (Microsoft Corporation),
version: 10.0.22000.282 (WinBuild.160101.0800)
76DC0000-76DDA000 win32u.dll (Microsoft Corporation),
version: 10.0.22000.37 (WinBuild.160101.0800)
77060000-77082000 GDI32.dll (Microsoft Corporation),
version: 10.0.22000.1 (WinBuild.160101.0800)
76050000-7612F000 gdi32full.dll (Microsoft Corporation),
version: 10.0.22000.527 (WinBuild.160101.0800)
75F50000-75FCB000 msvcp_win.dll (Microsoft Corporation),
version: 10.0.22000.1 (WinBuild.160101.0800)
75E20000-75F32000 ucrtbase.dll (Microsoft Corporation),
version: 10.0.22000.1 (WinBuild.160101.0800)
75FD0000-7604C000 advapi32.dll (Microsoft Corporation),
version: 10.0.22000.434 (WinBuild.160101.0800)
774D0000-77592000 msvcrt.dll (Microsoft Corporation),
version: 7.0.22000.1 (WinBuild.160101.0800)
76560000-765DA000 sechost.dll (Microsoft Corporation),
version: 10.0.22000.556 (WinBuild.160101.0800)
76130000-761EB000 RPCRT4.dll (Microsoft Corporation),
version: 10.0.22000.434 (WinBuild.160101.0800)
76FC0000-7705C000 oleaut32.dll (Microsoft Corporation),
version: 10.0.22000.1 (WinBuild.160101.0800)
75B90000-75E1B000 combase.dll (Microsoft Corporation),
version: 10.0.22000.527 (WinBuild.160101.0800)
76C70000-76DBD000 ole32.dll (Microsoft Corporation),
version: 10.0.22000.120 (WinBuild.160101.0800)
775A0000-77BA2000 shell32.dll (Microsoft Corporation),
version: 10.0.22000.527 (WinBuild.160101.0800)
766B0000-76770000 comdlg32.dll (Microsoft Corporation),
version: 10.0.22000.527 (WinBuild.160101.0800)
76490000-76551000 shcore.dll (Microsoft Corporation),
version: 10.0.22000.71 (WinBuild.160101.0800)
76800000-7684A000 SHLWAPI.dll (Microsoft Corporation),
version: 10.0.22000.1 (WinBuild.160101.0800)
75920000-7593A000 mpr.dll (Microsoft Corporation),
version: 10.0.22000.527 (WinBuild.160101.0800)
750E0000-750E8000 version.dll (Microsoft Corporation),
version: 10.0.22000.1 (WinBuild.160101.0800)
6E040000-6E263000 comctl32.dll (Microsoft Corporation),
version: 6.10 (WinBuild.160101.0800)
6FE20000-702A5000 wininet.dll (Microsoft Corporation),
version: 11.00.22000.282 (WinBuild.160101.0800)
6DCE0000-6DD54000 winspool.drv (Microsoft Corporation),
version: 10.0.22000.348 (WinBuild.160101.0800)
75900000-75915000 netapi32.dll (Microsoft Corporation),
version: 10.0.22000.556 (WinBuild.160101.0800)
6E860000-6E868000 wsock32.dll (Microsoft Corporation),
version: 10.0.22000.1 (WinBuild.160101.0800)
76640000-766A4000 WS2_32.dll (Microsoft Corporation),
version: 10.0.22000.1 (WinBuild.160101.0800)
53400000-53403000 icmp.dll (Microsoft Corporation),
version: 10.0.22000.1 (WinBuild.160101.0800)
6F420000-6F451000 winmm.dll (Microsoft Corporation),
version: 10.0.22000.1 (WinBuild.160101.0800)
74E90000-74EB4000 iphlpapi.DLL (Microsoft Corporation),
version: 10.0.22000.282 (WinBuild.160101.0800)
761F0000-76215000 IMM32.DLL (Microsoft Corporation),
version: 10.0.22000.1 (WinBuild.160101.0800)
6EF10000-6EF92000 uxtheme.dll (Microsoft Corporation),
version: 10.0.22000.120 (WinBuild.160101.0800)
76EE0000-76FBA000 MSCTF.dll (Microsoft Corporation),
version: 10.0.22000.527 (WinBuild.160101.0800)
77090000-774CB000 setupapi.dll (Microsoft Corporation),
version: 10.0.22000.469 (WinBuild.160101.0800)
6DBA0000-6DBD6000 newdev.dll (Microsoft Corporation),
version: 6.0.5054.0
74090000-740CB000 cfgmgr32.dll (Microsoft Corporation),
version: 10.0.22000.1 (WinBuild.160101.0800)
6E890000-6E89B000 WOFUTIL.dll (Microsoft Corporation),
version: 10.0.22000.1 (WinBuild.160101.0800)
73690000-736B4000 DEVOBJ.dll (Microsoft Corporation),
version: 10.0.22000.1 (WinBuild.160101.0800)
6E820000-6E832000 DEVRTL.dll (Microsoft Corporation),
version: 10.0.22000.1 (WinBuild.160101.0800)
56160000-561F3000 HHCtrl.OCX (Microsoft Corporation),
version: 10.0.22000.1 (WinBuild.160101.0800)
6CC40000-6CC80000 pdh.dll (Microsoft Corporation),
version: 10.0.22000.1 (WinBuild.160101.0800)
6CA80000-6CA99000 olepro32.dll (Microsoft Corporation),
version: 10.0.22000.65 (WinBuild.160101.0800)
750B0000-750C2000 kernel.appcore.dll (Microsoft Corporation),
version: 10.0.22000.71 (WinBuild.160101.0800)
76940000-769A4000 bcryptPrimitives.dll (Microsoft Corporation),
version: 10.0.22000.376 (WinBuild.160101.0800)
6E500000-6E596000 TextShaping.dll (),
version:
6EB30000-6EB8B000 Fwpuclnt.dll (Microsoft Corporation),
version: 10.0.22000.258 (WinBuild.160101.0800)
75B80000-75B87000 Normaliz.dll (Microsoft Corporation),
version: 10.0.22000.1 (WinBuild.160101.0800)
6DB70000-6DB7E000 perfdisk.dll (Microsoft Corporation),
version: 10.0.22000.1 (WinBuild.160101.0800)
6CBB0000-6CBBF000 WMICLNT.dll (Microsoft Corporation),
version: 10.0.22000.1 (WinBuild.160101.0800)
768E0000-76931000 WINTRUST.dll (Microsoft Corporation),
version: 10.0.22000.527 (WinBuild.160101.0800)
76DE0000-76EDE000 CRYPT32.dll (Microsoft Corporation),
version: 10.0.22000.348 (WinBuild.160101.0800)
750D0000-750DE000 MSASN1.dll (Microsoft Corporation),
version: 10.0.22000.1 (WinBuild.160101.0800)
6C870000-6C9D0000 WindowsCodecs.dll (Microsoft Corporation),
version: 10.0.22000.1 (WinBuild.160101.0800)
6E420000-6E426000 RICHED32.DLL (Microsoft Corporation),
version: 10.0.22000.1 (WinBuild.160101.0800)
6CA00000-6CA7F000 RICHED20.dll (Microsoft Corporation),
version: 5.31.23.1231
6E800000-6E817000 USP10.dll (Microsoft Corporation),
version: 10.0.22000.1 (WinBuild.160101.0800)
56250000-56281000 msls31.dll (Microsoft Corporation),
version: 3.10.349.0
76850000-768D2000 clbcatq.dll (Microsoft Corporation),
version: 2001.12.10941.16384 (WinBuild.160101.080
6C820000-6C86E000 dataexchange.dll (Microsoft Corporation),
version: 10.0.22000.1 (WinBuild.160101.0800)
6C620000-6C818000 twinapi.appcore.dll (Microsoft Corporation),
version: 10.0.22000.469 (WinBuild.160101.0800)
74D30000-74D55000 SspiCli.dll (Microsoft Corporation),
version: 10.0.22000.556 (WinBuild.160101.0800)
750F0000-7510F000 USERENV.dll (Microsoft Corporation),
version: 10.0.22000.1 (WinBuild.160101.0800)
75110000-75128000 profapi.dll (Microsoft Corporation),
version: 10.0.22000.1 (WinBuild.160101.0800)
75220000-758C2000 windows.storage.dll (Microsoft Corporation),
version: 10.0.22000.527 (WinBuild.160101.0800)
75130000-7521A000 wintypes.dll (Microsoft Corporation),
version: 10.0.22000.527 (WinBuild.160101.0800)

Process Trace
1 C:\Program Files (x86)\Hard Disk Sentinel\HDSentinel.exe [17028]
"C:\Program Files (x86)\Hard Disk Sentinel\HDSentinel.exe" /firstrun
2 C:\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
"C:\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp" /SL5="$809C8,35889865,56832,C:\Users\Asrock\AppData\Local\Temp\Rar$EXa15724.9494\hdsentinel_pro_setup.exe" /SPAWNWND=$609B6 /NOTIFYWND=$709F0
3 C:\Users\Asrock\AppData\Local\Temp\Rar$EXa15724.9494\hdsentinel_pro_setup.exe [1092]
"C:\Users\Asrock\AppData\Local\Temp\Rar$EXa15724.9494\hdsentinel_pro_setup.exe" /SPAWNWND=$609B6 /NOTIFYWND=$709F0
4 C:\Users\Asrock\AppData\Local\Temp\is-C8HO4.tmp\hdsentinel_pro_setup.tmp [14196]
"C:\Users\Asrock\AppData\Local\Temp\is-C8HO4.tmp\hdsentinel_pro_setup.tmp" /SL5="$709F0,35889865,56832,C:\Users\Asrock\AppData\Local\Temp\Rar$EXa15724.9494\hdsentinel_pro_setup.exe"
5 C:\Users\Asrock\AppData\Local\Temp\Rar$EXa15724.9494\hdsentinel_pro_setup.exe [16512]
6 C:\Program Files\WinRAR\WinRAR.exe [15724]
"C:\Program Files\WinRAR\WinRAR.exe" "D:\DOWNLOAD\hdsentinel_pro_setup.zip"
7 C:\Windows\explorer.exe [8552]

Dropped Files
1 C:\Program Files (x86)\Hard Disk Sentinel\HDSentinel.ini
Dropped by \Device\HarddiskVolume8\Program Files (x86)\Hard Disk Sentinel\HDSentinel.exe [17028]
1 C:\Program Files (x86)\Hard Disk Sentinel\is-F1H5B.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
2 C:\Program Files (x86)\Hard Disk Sentinel\is-OVOR5.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
3 C:\Program Files (x86)\Hard Disk Sentinel\is-E7VIF.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
4 C:\Program Files (x86)\Hard Disk Sentinel\is-OOAQB.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
5 C:\Program Files (x86)\Hard Disk Sentinel\is-V9R1U.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
6 C:\Program Files (x86)\Hard Disk Sentinel\is-M8C94.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
7 C:\Program Files (x86)\Hard Disk Sentinel\is-DDAJA.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
8 C:\Program Files (x86)\Hard Disk Sentinel\is-9HJ5E.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
9 C:\Program Files (x86)\Hard Disk Sentinel\is-47QSD.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
10 C:\Program Files (x86)\Hard Disk Sentinel\is-CVPSH.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
11 C:\Program Files (x86)\Hard Disk Sentinel\is-2OMVC.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
12 C:\Program Files (x86)\Hard Disk Sentinel\is-A4QOS.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
13 C:\Program Files (x86)\Hard Disk Sentinel\is-52HGH.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
14 C:\Program Files (x86)\Hard Disk Sentinel\is-PSU05.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
15 C:\Program Files (x86)\Hard Disk Sentinel\is-GVACG.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
16 C:\Program Files (x86)\Hard Disk Sentinel\is-V9M1C.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
17 C:\Program Files (x86)\Hard Disk Sentinel\is-6KSU2.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
18 C:\Program Files (x86)\Hard Disk Sentinel\is-EU6IN.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
19 C:\Program Files (x86)\Hard Disk Sentinel\is-AG2KB.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
20 C:\Program Files (x86)\Hard Disk Sentinel\is-OSHVN.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
21 C:\Program Files (x86)\Hard Disk Sentinel\is-I5M8N.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
22 C:\Program Files (x86)\Hard Disk Sentinel\is-J1970.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
23 C:\Program Files (x86)\Hard Disk Sentinel\is-6A3KO.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
24 C:\Program Files (x86)\Hard Disk Sentinel\is-7EQ8K.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
25 C:\Program Files (x86)\Hard Disk Sentinel\is-6OFO8.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
26 C:\Program Files (x86)\Hard Disk Sentinel\is-NNP3O.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
27 C:\Program Files (x86)\Hard Disk Sentinel\is-245FC.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
28 C:\Program Files (x86)\Hard Disk Sentinel\is-LBV4R.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
29 C:\Program Files (x86)\Hard Disk Sentinel\is-T7IOE.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
30 C:\Program Files (x86)\Hard Disk Sentinel\is-A8T3L.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
31 C:\Program Files (x86)\Hard Disk Sentinel\is-DL2A1.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
32 C:\Program Files (x86)\Hard Disk Sentinel\is-D3RH5.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
Read by \Device\HarddiskVolume8\Program Files (x86)\HitmanPro.Alert\hmpalert.exe [1084]
33 C:\Program Files (x86)\Hard Disk Sentinel\is-DMTP1.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
Read by \Device\HarddiskVolume8\Program Files (x86)\Hard Disk Sentinel\HDSentinel.exe [17028]
34 C:\Program Files (x86)\Hard Disk Sentinel\is-DG5LI.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
35 C:\Program Files (x86)\Hard Disk Sentinel\is-2D4EF.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
36 C:\Program Files (x86)\Hard Disk Sentinel\is-U9QUA.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
37 C:\Program Files (x86)\Hard Disk Sentinel\is-EG2DO.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
38 C:\Program Files (x86)\Hard Disk Sentinel\is-I92S5.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
39 C:\Program Files (x86)\Hard Disk Sentinel\is-JGKAD.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
40 C:\Program Files (x86)\Hard Disk Sentinel\is-QOVH1.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
41 C:\Program Files (x86)\Hard Disk Sentinel\is-BN3EB.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
42 C:\Program Files (x86)\Hard Disk Sentinel\is-BNQE6.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
43 C:\Program Files (x86)\Hard Disk Sentinel\is-936FK.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
44 C:\Program Files (x86)\Hard Disk Sentinel\is-DD823.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
45 C:\Program Files (x86)\Hard Disk Sentinel\is-V8IMJ.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
46 C:\Program Files (x86)\Hard Disk Sentinel\is-4UTME.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
47 C:\Program Files (x86)\Hard Disk Sentinel\is-2K9JR.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
48 C:\Program Files (x86)\Hard Disk Sentinel\is-K1LU7.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
49 C:\Program Files (x86)\Hard Disk Sentinel\is-OGF68.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
50 C:\Program Files (x86)\Hard Disk Sentinel\is-5HVJK.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
51 C:\Program Files (x86)\Hard Disk Sentinel\is-3SKGR.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
52 C:\Program Files (x86)\Hard Disk Sentinel\is-E3J65.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
53 C:\Program Files (x86)\Hard Disk Sentinel\is-BA311.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
54 C:\Program Files (x86)\Hard Disk Sentinel\is-QLAOH.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
55 C:\Program Files (x86)\Hard Disk Sentinel\is-NSK4B.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
56 C:\Program Files (x86)\Hard Disk Sentinel\is-PAOEM.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
57 C:\Program Files (x86)\Hard Disk Sentinel\is-5P1EM.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
58 C:\Program Files (x86)\Hard Disk Sentinel\is-1QNBS.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
59 C:\Program Files (x86)\Hard Disk Sentinel\is-TBPG4.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
60 C:\Program Files (x86)\Hard Disk Sentinel\is-U6J0I.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
61 C:\Program Files (x86)\Hard Disk Sentinel\is-KB4R0.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
62 C:\Program Files (x86)\Hard Disk Sentinel\is-RB18E.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
63 C:\Program Files (x86)\Hard Disk Sentinel\is-O97PT.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
64 C:\Program Files (x86)\Hard Disk Sentinel\is-LGAOG.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
65 C:\Program Files (x86)\Hard Disk Sentinel\is-3JCLN.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
66 C:\Program Files (x86)\Hard Disk Sentinel\is-HCTSV.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
Read by \Device\HarddiskVolume8\Program Files (x86)\Hard Disk Sentinel\HDSentinel.exe [17028]
67 C:\Program Files (x86)\Hard Disk Sentinel\is-BT2BF.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
Read by \Device\HarddiskVolume8\Program Files (x86)\Hard Disk Sentinel\HDSentinel.exe [17028]
68 C:\Program Files (x86)\Hard Disk Sentinel\is-OI879.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
69 C:\Program Files (x86)\Hard Disk Sentinel\is-NDRIH.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
70 C:\Program Files (x86)\Hard Disk Sentinel\is-9OIC5.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
71 C:\Program Files (x86)\Hard Disk Sentinel\is-8QQIH.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
72 C:\Program Files (x86)\Hard Disk Sentinel\is-LJQHK.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
73 C:\Program Files (x86)\Hard Disk Sentinel\is-MSL99.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
74 C:\Program Files (x86)\Hard Disk Sentinel\is-V89CR.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
Read by \Device\HarddiskVolume8\Program Files (x86)\Hard Disk Sentinel\HDSentinel.exe [17028]
75 C:\Program Files (x86)\Hard Disk Sentinel\is-2KU0S.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
Read by \Device\HarddiskVolume8\Program Files (x86)\Hard Disk Sentinel\HDSentinel.exe [17028]
76 C:\Program Files (x86)\Hard Disk Sentinel\is-9QTG9.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
77 C:\Program Files (x86)\Hard Disk Sentinel\is-KDSLL.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
78 C:\Program Files (x86)\Hard Disk Sentinel\is-8M99N.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
79 C:\Program Files (x86)\Hard Disk Sentinel\is-8H4C7.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
80 C:\Program Files (x86)\Hard Disk Sentinel\is-AHVG1.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
81 C:\Program Files (x86)\Hard Disk Sentinel\is-1QHND.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
82 C:\Program Files (x86)\Hard Disk Sentinel\is-QNA1H.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
83 C:\Program Files (x86)\Hard Disk Sentinel\is-4DTEB.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
84 C:\Program Files (x86)\Hard Disk Sentinel\is-F37HK.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
85 C:\Program Files (x86)\Hard Disk Sentinel\is-7EFIA.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
86 C:\Program Files (x86)\Hard Disk Sentinel\is-Q2B72.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
87 C:\Program Files (x86)\Hard Disk Sentinel\is-C8V4V.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
88 C:\Program Files (x86)\Hard Disk Sentinel\is-KOR9P.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
89 C:\Program Files (x86)\Hard Disk Sentinel\is-U9AE4.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
90 C:\Program Files (x86)\Hard Disk Sentinel\is-RLA11.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
91 C:\Program Files (x86)\Hard Disk Sentinel\is-OMJHS.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
92 C:\Program Files (x86)\Hard Disk Sentinel\is-UI519.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
93 C:\Program Files (x86)\Hard Disk Sentinel\is-K8DMI.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
94 C:\Program Files (x86)\Hard Disk Sentinel\is-O6NA7.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
95 C:\Program Files (x86)\Hard Disk Sentinel\is-SQ6QP.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
96 C:\Program Files (x86)\Hard Disk Sentinel\is-PTPKR.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
97 C:\Program Files (x86)\Hard Disk Sentinel\is-A9PRC.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
98 C:\Program Files (x86)\Hard Disk Sentinel\is-0KDHB.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
99 C:\Program Files (x86)\Hard Disk Sentinel\is-2FL9F.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
100 C:\Program Files (x86)\Hard Disk Sentinel\is-Q8UL7.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
101 C:\Program Files (x86)\Hard Disk Sentinel\is-3O2GB.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
102 C:\Program Files (x86)\Hard Disk Sentinel\is-8V6P6.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
103 C:\Program Files (x86)\Hard Disk Sentinel\is-MLPBL.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
104 C:\Program Files (x86)\Hard Disk Sentinel\is-4JG77.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
105 C:\Program Files (x86)\Hard Disk Sentinel\is-6FCD7.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
106 C:\Program Files (x86)\Hard Disk Sentinel\is-73IOG.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
107 C:\Program Files (x86)\Hard Disk Sentinel\is-P9PJ4.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
108 C:\Program Files (x86)\Hard Disk Sentinel\is-CP73G.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
109 C:\Program Files (x86)\Hard Disk Sentinel\is-JBBDN.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
110 C:\Program Files (x86)\Hard Disk Sentinel\is-AVCPV.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
111 C:\Program Files (x86)\Hard Disk Sentinel\is-C3MLJ.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
112 C:\Program Files (x86)\Hard Disk Sentinel\is-DVUMS.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
113 C:\Program Files (x86)\Hard Disk Sentinel\is-6E0HJ.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
114 C:\Program Files (x86)\Hard Disk Sentinel\is-TKHSE.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
115 C:\Program Files (x86)\Hard Disk Sentinel\is-43PCR.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
116 C:\Program Files (x86)\Hard Disk Sentinel\is-FQR23.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
117 C:\Program Files (x86)\Hard Disk Sentinel\is-MFNSK.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
118 C:\programdata\microsoft\windows\start menu\programs\hard disk sentinel\hard disk sentinel.lnk
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
119 C:\programdata\microsoft\windows\start menu\programs\hard disk sentinel\start service.lnk
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
120 C:\programdata\microsoft\windows\start menu\programs\hard disk sentinel\stop service.lnk
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
121 C:\programdata\microsoft\windows\start menu\programs\hard disk sentinel\hard disk sentinel tray.lnk
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
122 C:\programdata\microsoft\windows\start menu\programs\hard disk sentinel\hard disk sentinel eltÃ¡volÃtÃ¡sa.lnk
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
123 C:\Users\Asrock\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Hard Disk Sentinel.lnk
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
124 C:\Program Files (x86)\Hard Disk Sentinel\unins000.msg
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
1 C:\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\Rar$EXa15724.9494\hdsentinel_pro_setup.exe [1092]
Read by \Device\HarddiskVolume8\Program Files (x86)\HitmanPro.Alert\hmpalert.exe [1084]
1 C:\Users\Asrock\AppData\Local\Temp\is-C8HO4.tmp\hdsentinel_pro_setup.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\Rar$EXa15724.9494\hdsentinel_pro_setup.exe [16512]
Read by \Device\HarddiskVolume8\Program Files\ESET\ESET Security\ekrn.exe [2044]
\Device\HarddiskVolume8\Program Files (x86)\HitmanPro.Alert\hmpalert.exe [1084]
1 C:\Users\Asrock\AppData\Local\Temp\Rar$EXa15724.9494\hdsentinel_pro_setup.exe
Dropped by \Device\HarddiskVolume8\Program Files\WinRAR\WinRAR.exe [15724]
Read by \Device\HarddiskVolume8\Windows\System32\svchost.exe [8916]
\Device\HarddiskVolume8\Program Files\ESET\ESET Security\ekrn.exe [2044]
\Device\HarddiskVolume8\Program Files (x86)\HitmanPro.Alert\hmpalert.exe [1084]
\Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\Rar$EXa15724.9494\hdsentinel_pro_setup.exe [1092]
\Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\Rar$EXa15724.9494\hdsentinel_pro_setup.exe [16512]
\Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-C8HO4.tmp\hdsentinel_pro_setup.tmp [14196]
1 C:\Users\Asrock\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000507.db
Dropped by \Device\HarddiskVolume8\Windows\explorer.exe [8552]
2 C:\Users\Asrock\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper
Dropped by \Device\HarddiskVolume8\Windows\explorer.exe [8552]
Read by \Device\HarddiskVolume8\Windows\explorer.exe [8552]
3 C:\Users\Asrock\AppData\Local\Temp\Asrock.bmp
Dropped by \Device\HarddiskVolume8\Windows\explorer.exe [8552]
4 C:\Users\Asrock\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_2560_1440_POS0.jpg
Dropped by \Device\HarddiskVolume8\Windows\explorer.exe [8552]
Read by \Device\HarddiskVolume8\Windows\explorer.exe [8552]
5 C:\Users\Asrock\AppData\Local\Temp\{E4268DC8-C2FF-4144-A59A-71FD3C888C78}.png
Dropped by \Device\HarddiskVolume8\Windows\explorer.exe [8552]
Read by \Device\HarddiskVolume8\Windows\System32\svchost.exe [6224]
6 C:\Users\Asrock\AppData\Local\Microsoft\Windows\Explorer\NotifyIcon\Microsoft.Explorer.Notification.{09A47DFD-8F23-1120-00AA-180DAEE30122}.png
Dropped by \Device\HarddiskVolume8\Windows\explorer.exe [8552]
7 C:\Users\Asrock\AppData\Roaming\Microsoft\Windows\Recent\hdsentinel_pro_setup.zip.lnk
Dropped by \Device\HarddiskVolume8\Windows\explorer.exe [8552]
8 C:\Users\Asrock\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000508.db
Dropped by \Device\HarddiskVolume8\Windows\explorer.exe [8552]

Thumbprints
433d7d7141c312f42b95d52d17144245d924ae1de72a0ecc2149af2703d7383e

Mitigation Lockdown
Timestamp 2022-03-10T04:35:54

Platform 10.0.22000/x64 v923 06_9e
PID 16148
WoW x86
Feature 007D0A36000001B6
Application C:\Program Files (x86)\Hard Disk Sentinel\hdsctrl.exe
Created 2021-01-22T04:50:06
Description Hard Disk Sentinel Control 5

Filename C:\WINDOWS\SYSTEM32\CSCRIPT.exe

Command line:
CSCRIPT //NOLOGO "C:\Users\Asrock\AppData\Roaming\Hard Disk Sentinel\hds_control_remove.vbs"

Loaded Modules (39)
-----------------------------------------------------------------------------
00400000-00B97000 HDSCtrl.EXE (H.D.S. Hungary),
version: 5.70.0.0
77BC0000-77D69000 ntdll.dll (Microsoft Corporation),
version: 10.0.22000.527 (WinBuild.160101.0800)
76220000-76310000 KERNEL32.dll (Microsoft Corporation),
version: 10.0.22000.434 (WinBuild.160101.0800)
74A90000-74BA3000 hmpalert.dll (SurfRight B.V.),
version: 3.8.19.923
76A10000-76C62000 KERNELBASE.dll (Microsoft Corporation),
version: 10.0.22000.527 (WinBuild.160101.0800)
6CAE0000-6CB80000 apphelp.dll (Microsoft Corporation),
version: 10.0.22000.282 (WinBuild.160101.0800)
75FD0000-7604C000 advapi32.dll (Microsoft Corporation),
version: 10.0.22000.434 (WinBuild.160101.0800)
774D0000-77592000 msvcrt.dll (Microsoft Corporation),
version: 7.0.22000.1 (WinBuild.160101.0800)
76560000-765DA000 sechost.dll (Microsoft Corporation),
version: 10.0.22000.556 (WinBuild.160101.0800)
76130000-761EB000 RPCRT4.dll (Microsoft Corporation),
version: 10.0.22000.434 (WinBuild.160101.0800)
77060000-77082000 gdi32.dll (Microsoft Corporation),
version: 10.0.22000.1 (WinBuild.160101.0800)
76DC0000-76DDA000 win32u.dll (Microsoft Corporation),
version: 10.0.22000.37 (WinBuild.160101.0800)
76050000-7612F000 gdi32full.dll (Microsoft Corporation),
version: 10.0.22000.527 (WinBuild.160101.0800)
75F50000-75FCB000 msvcp_win.dll (Microsoft Corporation),
version: 10.0.22000.1 (WinBuild.160101.0800)
75E20000-75F32000 ucrtbase.dll (Microsoft Corporation),
version: 10.0.22000.1 (WinBuild.160101.0800)
759D0000-75B7C000 USER32.dll (Microsoft Corporation),
version: 10.0.22000.282 (WinBuild.160101.0800)
76C70000-76DBD000 ole32.dll (Microsoft Corporation),
version: 10.0.22000.120 (WinBuild.160101.0800)
75B90000-75E1B000 combase.dll (Microsoft Corporation),
version: 10.0.22000.527 (WinBuild.160101.0800)
76FC0000-7705C000 oleaut32.dll (Microsoft Corporation),
version: 10.0.22000.1 (WinBuild.160101.0800)
775A0000-77BA2000 shell32.dll (Microsoft Corporation),
version: 10.0.22000.527 (WinBuild.160101.0800)
6E040000-6E263000 comctl32.dll (Microsoft Corporation),
version: 6.10 (WinBuild.160101.0800)
750E0000-750E8000 version.dll (Microsoft Corporation),
version: 10.0.22000.1 (WinBuild.160101.0800)
761F0000-76215000 IMM32.DLL (Microsoft Corporation),
version: 10.0.22000.1 (WinBuild.160101.0800)
6EF10000-6EF92000 uxtheme.dll (Microsoft Corporation),
version: 10.0.22000.120 (WinBuild.160101.0800)
76EE0000-76FBA000 MSCTF.dll (Microsoft Corporation),
version: 10.0.22000.527 (WinBuild.160101.0800)
77090000-774CB000 setupapi.dll (Microsoft Corporation),
version: 10.0.22000.469 (WinBuild.160101.0800)
6DBA0000-6DBD6000 newdev.dll (Microsoft Corporation),
version: 6.0.5054.0
76490000-76551000 shcore.dll (Microsoft Corporation),
version: 10.0.22000.71 (WinBuild.160101.0800)
74090000-740CB000 cfgmgr32.dll (Microsoft Corporation),
version: 10.0.22000.1 (WinBuild.160101.0800)
6DB70000-6DB7B000 WOFUTIL.dll (Microsoft Corporation),
version: 10.0.22000.1 (WinBuild.160101.0800)
73690000-736B4000 DEVOBJ.dll (Microsoft Corporation),
version: 10.0.22000.1 (WinBuild.160101.0800)
6CC20000-6CC32000 DEVRTL.dll (Microsoft Corporation),
version: 10.0.22000.1 (WinBuild.160101.0800)
750B0000-750C2000 kernel.appcore.dll (Microsoft Corporation),
version: 10.0.22000.71 (WinBuild.160101.0800)
76940000-769A4000 bcryptPrimitives.dll (Microsoft Corporation),
version: 10.0.22000.376 (WinBuild.160101.0800)
750F0000-7510F000 USERENV.dll (Microsoft Corporation),
version: 10.0.22000.1 (WinBuild.160101.0800)
75110000-75128000 profapi.dll (Microsoft Corporation),
version: 10.0.22000.1 (WinBuild.160101.0800)
75220000-758C2000 windows.storage.dll (Microsoft Corporation),
version: 10.0.22000.527 (WinBuild.160101.0800)
75130000-7521A000 wintypes.dll (Microsoft Corporation),
version: 10.0.22000.527 (WinBuild.160101.0800)
76800000-7684A000 shlwapi.dll (Microsoft Corporation),
version: 10.0.22000.1 (WinBuild.160101.0800)

Process Trace
1 C:\Program Files (x86)\Hard Disk Sentinel\hdsctrl.exe [16148]
"C:\Program Files (x86)\Hard Disk Sentinel\HDSCtrl.EXE" /terminate
2 C:\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
"C:\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp" /SL5="$809C8,35889865,56832,C:\Users\Asrock\AppData\Local\Temp\Rar$EXa15724.9494\hdsentinel_pro_setup.exe" /SPAWNWND=$609B6 /NOTIFYWND=$709F0
3 C:\Users\Asrock\AppData\Local\Temp\Rar$EXa15724.9494\hdsentinel_pro_setup.exe [1092]
"C:\Users\Asrock\AppData\Local\Temp\Rar$EXa15724.9494\hdsentinel_pro_setup.exe" /SPAWNWND=$609B6 /NOTIFYWND=$709F0
4 C:\Users\Asrock\AppData\Local\Temp\is-C8HO4.tmp\hdsentinel_pro_setup.tmp [14196]
"C:\Users\Asrock\AppData\Local\Temp\is-C8HO4.tmp\hdsentinel_pro_setup.tmp" /SL5="$709F0,35889865,56832,C:\Users\Asrock\AppData\Local\Temp\Rar$EXa15724.9494\hdsentinel_pro_setup.exe"
5 C:\Users\Asrock\AppData\Local\Temp\Rar$EXa15724.9494\hdsentinel_pro_setup.exe [16512]
6 C:\Program Files\WinRAR\WinRAR.exe [15724]
"C:\Program Files\WinRAR\WinRAR.exe" "D:\DOWNLOAD\hdsentinel_pro_setup.zip"
7 C:\Windows\explorer.exe [8552]

Dropped Files
1 C:\Users\Asrock\AppData\Roaming\Hard Disk Sentinel\hds_control_remove.vbs
Dropped by \Device\HarddiskVolume8\Program Files (x86)\Hard Disk Sentinel\hdsctrl.exe [16148]
1 C:\Users\Asrock\AppData\Local\Temp\is-2KAM4.tmp\_isetup\_RegDLL.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
2 C:\Users\Asrock\AppData\Local\Temp\is-2KAM4.tmp\_isetup\_setup64.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
3 C:\Users\Asrock\AppData\Local\Temp\is-2KAM4.tmp\_isetup\_shfoldr.dll
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
4 C:\Program Files (x86)\Hard Disk Sentinel\HDSentinel.in2
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
1 C:\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\Rar$EXa15724.9494\hdsentinel_pro_setup.exe [1092]
Read by \Device\HarddiskVolume8\Program Files (x86)\HitmanPro.Alert\hmpalert.exe [1084]
1 C:\Users\Asrock\AppData\Local\Temp\is-C8HO4.tmp\hdsentinel_pro_setup.tmp
Dropped by \Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\Rar$EXa15724.9494\hdsentinel_pro_setup.exe [16512]
Read by \Device\HarddiskVolume8\Program Files\ESET\ESET Security\ekrn.exe [2044]
\Device\HarddiskVolume8\Program Files (x86)\HitmanPro.Alert\hmpalert.exe [1084]
1 C:\Users\Asrock\AppData\Local\Temp\Rar$EXa15724.9494\hdsentinel_pro_setup.exe
Dropped by \Device\HarddiskVolume8\Program Files\WinRAR\WinRAR.exe [15724]
Read by \Device\HarddiskVolume8\Windows\System32\svchost.exe [8916]
\Device\HarddiskVolume8\Program Files\ESET\ESET Security\ekrn.exe [2044]
\Device\HarddiskVolume8\Program Files (x86)\HitmanPro.Alert\hmpalert.exe [1084]
\Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\Rar$EXa15724.9494\hdsentinel_pro_setup.exe [1092]
\Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\Rar$EXa15724.9494\hdsentinel_pro_setup.exe [16512]
\Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-C8HO4.tmp\hdsentinel_pro_setup.tmp [14196]
\Device\HarddiskVolume8\Users\Asrock\AppData\Local\Temp\is-H119M.tmp\hdsentinel_pro_setup.tmp [17120]
1 C:\Users\Asrock\AppData\Local\Temp\Asrock.bmp
Dropped by \Device\HarddiskVolume8\Windows\explorer.exe [8552]
2 C:\Users\Asrock\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_2560_1440_POS0.jpg
Dropped by \Device\HarddiskVolume8\Windows\explorer.exe [8552]
Read by \Device\HarddiskVolume8\Windows\explorer.exe [8552]
3 C:\Users\Asrock\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000507.db
Dropped by \Device\HarddiskVolume8\Windows\explorer.exe [8552]
4 C:\Users\Asrock\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper
Dropped by \Device\HarddiskVolume8\Windows\explorer.exe [8552]
Read by \Device\HarddiskVolume8\Windows\explorer.exe [8552]
5 C:\Users\Asrock\AppData\Local\Temp\{E4268DC8-C2FF-4144-A59A-71FD3C888C78}.png
Dropped by \Device\HarddiskVolume8\Windows\explorer.exe [8552]
Read by \Device\HarddiskVolume8\Windows\System32\svchost.exe [6224]
6 C:\Users\Asrock\AppData\Local\Microsoft\Windows\Explorer\NotifyIcon\Microsoft.Explorer.Notification.{09A47DFD-8F23-1120-00AA-180DAEE30122}.png
Dropped by \Device\HarddiskVolume8\Windows\explorer.exe [8552]
7 C:\Users\Asrock\AppData\Roaming\Microsoft\Windows\Recent\hdsentinel_pro_setup.zip.lnk
Dropped by \Device\HarddiskVolume8\Windows\explorer.exe [8552]

Thumbprints
433d7d7141c312f42b95d52d17144245d924ae1de72a0ecc2149af2703d7383e

Krusty · Mar 18, 2022

Version 3.8.20 Build 937 just installed.

SpywareBlaster not opening = fixed!

Thanks Guys!

TheBear · Mar 18, 2022

Krusty said: ↑

Version 3.8.20 Build 937 just installed.

SpywareBlaster not opening = fixed!

Thanks Guys!
Click to expand...

Version 3.8.20 Build 937 just installed.
Did not fix "Virtual Box Error on opening". I had to Exclude several more Virtual Box files to get rid of the error

Krusty · Mar 18, 2022

I just got this while opening TOR:

Mitigation SysCall
Timestamp 2022-03-19T01:46:04

Platform 10.0.19044/x64 v937 06_5e
PID 6248
Feature 007D1B345FBFB0B2
Application C:\Users\David\Desktop\Tor Browser\Browser\firefox.exe
Created 2000-01-01T00:00:00
Description Tor Browser 91.7

SecLvl: 1
Direct Syscall originating from: 0000020839DD0274
*** RemoteAllocator ***
remoteOwnerProcessName: C:\Users\David\Desktop\Tor Browser\Browser\firefox.exe
remoteOwnerModuleName: C:\Users\David\Desktop\Tor Browser\Browser\firefox.exe
remoteOwnerPID: 13644
remoteOwnerProcess is not signed
remoteOwnerModule is not signed

0x0000020839DD0274 c3 RET

----- SNIP HERE -----
AAICAQAA3TkIAgAAdALdOQgCAAAAAN05CAIAAAAQAABgAwIGACADAgYAaICdPv1/AgIADAIDAPd/AgIATIvRuFUCAwD2BCUIA/5/AXUDDwXDzS7DDx+EAiUATIvRuDMCAwD2BCUIA/5/AXUDDwXDzS7DDx+EAiUATIvRuD0CAwD2BCUIA/5/AXUDDwXDzS7DDx+EAiUATIvRuEYBAgIA9gQlCAP+fwF1Aw8Fw80uww8fhAIlAEyL0bgnAgMA9gQlCAP+fwF1Aw8Fw80uww8fhAIlAEyL0bguAQICAPYEJQgD/n8BdQMPBcPNLsMPH4QCJQBMi9G4JgIDAPYEJQgD/n8BdQMPBcPNLsMPH4QCJQBMi9G4KAECAgD2BCUIA/5/AXUDDwXDzS7DDx+EAiUATIvRuA0CAwD2BCUIA/5/AXUDDwXDzS7DDx+EAiUATIvRuCQCAwD2BCUIA/5/AXUDDwXDzS7DDx+EAiUATIvRuDACAwD2BCUIA/5/AXUDDwXDzS7DDx+EAiUATIvRuC8CAwD2BCUIA/5/AXUDDwXDzS7DDx+EAgAAAgAAAgAAAgAAAgAAAgAAAgAAAgAAAgAAAgAAAgAAAgAAAgAAAgUA
----- END SNIP -----

Loaded Modules (33)
-----------------------------------------------------------------------------
00007FF713590000-00007FF71372B000 firefox.exe (Mozilla Corporation),
version: 91.7.0
00007FFD60040000-00007FFD6015A000 hmpalert.dll (SurfRight B.V.),
version: 3.8.20.937
00007FFD3E9D0000-00007FFD3EB34000 mozglue.dll (Mozilla Foundation),
version: 91.7.0
00007FFD5FF10000-00007FFD5FFD0000 0patchLoaderX64.dll (Acros Security),
version: 21.05.05.10500
- MS skipped (29) -

Code Injection
0000020839DD0000-0000020839DD1000 4KB C:\Users\David\Desktop\Tor Browser\Browser\firefox.exe [13644]
00007FFD62BCD000-00007FFD62BCE000 4KB
00007FFD62BCF000-00007FFD62BD0000 4KB
00007FFD62BCC000-00007FFD62BCD000 4KB
1 C:\Users\David\Desktop\Tor Browser\Browser\firefox.exe [13644]
2 C:\Windows\explorer.exe [1256]

Process Trace
1 C:\Users\David\Desktop\Tor Browser\Browser\firefox.exe [6248]
"C:\Users\David\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="13644.1.1857556344\1161297057" -childID 1 -isForBrowser -prefsHandle 3480 -prefMapHandle 3476 -prefsLen 585 -prefMapSize 247773 -jsInit 1708 285716 -parentBuildID 202206020801
2 C:\Users\David\Desktop\Tor Browser\Browser\firefox.exe [13644]
3 C:\Windows\explorer.exe [1256]

Dropped Files
1 C:\Users\David\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\parent.writetest
Dropped by \Device\HarddiskVolume4\Users\David\Desktop\Tor Browser\Browser\firefox.exe [13644]
2 C:\Users\David\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\Caches\profile.default\.startup-incomplete
Dropped by \Device\HarddiskVolume4\Users\David\Desktop\Tor Browser\Browser\firefox.exe [13644]
3 C:\Users\David\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\cookies.sqlite-shm
Dropped by \Device\HarddiskVolume4\Users\David\Desktop\Tor Browser\Browser\firefox.exe [13644]
4 C:\Users\David\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\cookies.sqlite-wal
Dropped by \Device\HarddiskVolume4\Users\David\Desktop\Tor Browser\Browser\firefox.exe [13644]
5 C:\Users\David\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\sessionCheckpoints.json.tmp
Dropped by \Device\HarddiskVolume4\Users\David\Desktop\Tor Browser\Browser\firefox.exe [13644]
6 C:\Users\David\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm
Dropped by \Device\HarddiskVolume4\Users\David\Desktop\Tor Browser\Browser\firefox.exe [13644]
7 C:\Users\David\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal
Dropped by \Device\HarddiskVolume4\Users\David\Desktop\Tor Browser\Browser\firefox.exe [13644]
1 C:\Users\David\AppData\Local\Microsoft\Windows\INetCache\IE\H1FRBL1N\NowcastInfoV2[1].svg
Dropped by \Device\HarddiskVolume4\Windows\explorer.exe [1256]
Read by \Device\HarddiskVolume4\Windows\explorer.exe [1256]
2 C:\Users\David\AppData\Local\Microsoft\Windows\INetCache\IE\H1FRBL1N\AAehLNN[1].svg
Dropped by \Device\HarddiskVolume4\Windows\explorer.exe [1256]
Read by \Device\HarddiskVolume4\Windows\explorer.exe [1256]

Thumbprints
10d79034263b778cf391713a27819485ce56a7ed4819f01f5bca709d18982b51 (pfn)

deugniet · Mar 19, 2022

Auto-updated to build 937. Removed the Suppressed-action for Sandboxie Plus and no Hollow Process Mitigation anymore.

Edit: On a second machine with build 937 a Hollow Process Mitigation using Sandboxie Plus (not suppressed assuming build 937 solved this). Does removing the Suppressed-action really remove the suppression (see first machine)?

Log in or Sign up

HitmanPro.Alert BETA

Krusty Registered Member

RonnyT QA Engineer

Krusty Registered Member

TheBear Registered Member

RonnyT QA Engineer

TheBear Registered Member

RonnyT QA Engineer

TheBear Registered Member

RonnyT QA Engineer

TheBear Registered Member

deugniet Registered Member

deugniet Registered Member

paulderdash Registered Member

RonnyT QA Engineer

RonnyT QA Engineer

RonnyT QA Engineer

deugniet Registered Member

Valdez Registered Member

Attached Files:

01.png

02.png

03.png

BoerenkoolMetWorst Registered Member

feerf56 Registered Member

feerf56 Registered Member

Krusty Registered Member

TheBear Registered Member

Krusty Registered Member

deugniet Registered Member

Log in or Sign up

HitmanPro.Alert BETA

Krusty Registered Member

RonnyT QA Engineer

Krusty Registered Member

TheBear Registered Member

RonnyT QA Engineer

TheBear Registered Member

RonnyT QA Engineer

TheBear Registered Member

RonnyT QA Engineer

TheBear Registered Member

deugniet Registered Member

deugniet Registered Member

paulderdash Registered Member

RonnyT QA Engineer

RonnyT QA Engineer

RonnyT QA Engineer

deugniet Registered Member

Valdez Registered Member

Attached Files:

01.png

02.png

03.png

BoerenkoolMetWorst Registered Member

feerf56 Registered Member

feerf56 Registered Member

Krusty Registered Member

TheBear Registered Member

Krusty Registered Member

deugniet Registered Member

Useful Searches