HitmanPro.Alert BETA

Discussion in 'other anti-malware software' started by erikloman, May 30, 2017.

  1. maniac2003

    maniac2003 Registered Member

    Joined:
    Apr 12, 2007
    Posts:
    115
    Location:
    Netherlands
    I have my Steam installed on a separate SSD mounted as E:
    But note, my Steam is not protected. I'm willing to test though.
     
  2. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    350
    Location:
    Planet Earth
    If you could that would be great (just for the test would be enough).
     
  3. maniac2003

    maniac2003 Registered Member

    Joined:
    Apr 12, 2007
    Posts:
    115
    Location:
    Netherlands
    I added Steam as a protected app (mitigation template "other") and it runs.

    [screenshot attachment]

    Steam version: [screenshot attachment]

    Ran some game and it gives a Lockdown:

    Code:
    Mitigation   Lockdown
    Timestamp    2020-08-10T19:06:48
    
    Platform     10.0.18363/x64 v875 06_5e
    PID          14624
    WoW          x86
    Feature      003D1A361FBF0136
    Application  E:\Steam\steam.exe
    Created      2020-07-31T22:36:27
    Description  Steam Client Bootstrapper 1.0
    
    Filename     E:\Steam\steamapps\common\Autobahn Police Simulator\highwaypatrol2015.exe
    Created By   E:\Steam\steam.exe
    
    Command line:
    "E:\Steam\steamapps\common\Autobahn Police Simulator\highwaypatrol2015.exe"
    
    Loaded Modules (145)
    -----------------------------------------------------------------------------
    005D0000-0096A000 Steam.exe (Valve Corporation),
                      version: 06.02.31.42
    74BF0000-74CED000 hmpalert.dll (SurfRight B.V.),
                      version: 3.8.6.875
    763F0000-763FD000 UMPDC.dll (),
                      version:
    68480000-68508000 a2hooks32.dll (Emsisoft Ltd),
                      version: 2019.02.0.1903
    5FE30000-5FEDD000 crashhandler.dll (Valve Corporation),
                      version: 06.02.31.42
    5E070000-5EC4E000 steamui.dll (Valve Corporation),
                      version: 06.02.31.42
    5FD30000-5FE23000 SDL2.dll (0FileDescription),
                      version: 2, 0, 13, 0
    5FC90000-5FD2C000 tier0_s.dll (Valve Corporation),
                      version: 06.02.31.42
    5DBA0000-5E063000 v8.dll (),
                      version:
    5EFD0000-5F2FA000 video.dll (),
                      version:
    5FC30000-5FC8F000 vstdlib_s.dll (Valve Corporation),
                      version: 06.02.31.42
    5DA10000-5DB91000 icui18n.dll (),
                      version:
    5D8E0000-5DA09000 icuuc.dll (),
                      version:
    5D230000-5D8DB000 libavcodec-57.dll (),
                      version:
    5D160000-5D22A000 libavformat-57.dll (),
                      version:
    5FBD0000-5FC2A000 libavresample-3.dll (),
                      version:
    5D070000-5D15A000 libavutil-55.dll (),
                      version:
    5CFA0000-5D06D000 libswscale-4.dll (),
                      version:
    5F960000-5F992000 filesystem_stdio.DLL (Valve Corporation),
                      version: 06.02.31.42
    5CEC0000-5CF9B000 vgui2_s.DLL (Valve Corporation),
                      version: 06.02.31.42
    5CDB0000-5CEB7000 chromehtml.DLL (),
                      version:
    5BA50000-5C9DC000 steamclient.dll (Valve Corporation),
                      version: 06.02.31.42
    70620000-70655000 eppcom32.dll (Emsisoft Ltd),
                      version: 2018.12.0.1641
    5B900000-5B944000 openvr_api.dll (),
                      version:
    5AE40000-5B25D000 friendsui.DLL (Valve Corporation),
                      version: 06.02.31.42
    5AC60000-5AE34000 serverbrowser.DLL (Valve Corporation),
                      version: 06.02.31.42
    - MS skipped (119) -
    
    Process Trace
    1  E:\Steam\steam.exe [14624] 2020-08-10T19:01:16
    2  C:\Windows\explorer.exe [7436] 2020-08-10T18:27:32
    3  C:\Windows\System32\userinit.exe [6324] 2020-08-10T18:27:28 30.8s
    4  C:\Windows\System32\winlogon.exe [1008] 2020-08-10T18:27:24
       winlogon.exe
    5  C:\Windows\System32\smss.exe [780] 2020-08-10T18:27:24 324ms
       \SystemRoot\System32\smss.exe 000000d8 00000084
    6  C:\Windows\System32\smss.exe [452] 2020-08-10T18:27:19
       \SystemRoot\System32\smss.exe
    
    Dropped Files
    1  E:\Steam\config\config.vdf.async14624.tmp
         Dropped by \Device\HarddiskVolume2\Steam\steam.exe [14624]
    2  E:\Steam\steamapps\downloading\348510\highwaypatrol2015_Data\StreamingAssets\hungarian.txt
         Dropped by \Device\HarddiskVolume2\Steam\steam.exe [14624]
    3  E:\Steam\steamapps\downloading\348510\highwaypatrol2015_Data\sharedassets3.assets
         Dropped by \Device\HarddiskVolume2\Steam\steam.exe [14624]
    4  E:\Steam\steamapps\downloading\348510\highwaypatrol2015_Data\sharedassets53.assets
         Dropped by \Device\HarddiskVolume2\Steam\steam.exe [14624]
    5  E:\Steam\steamapps\downloading\348510\highwaypatrol2015_Data\sharedassets50.assets
         Dropped by \Device\HarddiskVolume2\Steam\steam.exe [14624]
    6  E:\Steam\steamapps\downloading\348510\highwaypatrol2015_Data\StreamingAssets\french.txt
         Dropped by \Device\HarddiskVolume2\Steam\steam.exe [14624]
    7  E:\Steam\steamapps\downloading\348510\highwaypatrol2015_Data\sharedassets8.assets
         Dropped by \Device\HarddiskVolume2\Steam\steam.exe [14624]
    8  E:\Steam\steamapps\appmanifest_348510.acf
         Dropped by \Device\HarddiskVolume2\Steam\steam.exe [14624]
    9  E:\Steam\userdata\116205874\config\librarycache\348510.json
         Dropped by \Device\HarddiskVolume2\Steam\steam.exe [14624]
    10 E:\Steam\appcache\httpcache\fd\fd9b5787088b50bac8f306c7f9daabc6ffe975a3_da39a3ee5e6b4b0d3255bfef95601890afd80709
         Dropped by \Device\HarddiskVolume2\Steam\steam.exe [14624]
    11 E:\Steam\steamapps\workshop\appworkshop_241100.acf.async14624.tmp
         Dropped by \Device\HarddiskVolume2\Steam\steam.exe [14624]
    12 E:\Steam\userdata\116205874\config\localconfig.vdf.async14624.tmp
         Dropped by \Device\HarddiskVolume2\Steam\steam.exe [14624]
    1  C:\Users\Richard\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000379.db
         Dropped by \Device\HarddiskVolume7\Windows\explorer.exe [7436]
    
    Thumbprints
    cce8cf160b104c291e123002ac8a821fe8d3f2425e16066ddd5f7f1d5be9dacd
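A small triage parser for alert text in the format pasted above, added here as an example (it is not HitmanPro.Alert's or the forum's own code). It reads the header, Loaded Modules, Process Trace and Dropped Files sections into a dict and then pulls out what an analyst checks first on a Lockdown event: whether the blocked executable was written by the protected application itself (the freshly installed game launched by steam.exe here), which hook DLLs from vendors other than the application's own and Microsoft are loaded, and which process wrote the dropped files. The sample input is a constructed, shortened copy of the pasted log.

```python
import re

# Constructed sample: an abbreviated copy of the Lockdown alert above
# (module list, trace and dropped files shortened) so the parser runs offline.
SAMPLE_ALERT = r"""Mitigation   Lockdown
Timestamp    2020-08-10T19:06:48
PID          14624
Application  E:\Steam\steam.exe
Created      2020-07-31T22:36:27
Description  Steam Client Bootstrapper 1.0

Filename     E:\Steam\steamapps\common\Autobahn Police Simulator\highwaypatrol2015.exe
Created By   E:\Steam\steam.exe

Command line:
"E:\Steam\steamapps\common\Autobahn Police Simulator\highwaypatrol2015.exe"

Loaded Modules (4)
-----------------------------------------------------------------------------
005D0000-0096A000 Steam.exe (Valve Corporation),
                  version: 06.02.31.42
74BF0000-74CED000 hmpalert.dll (SurfRight B.V.),
                  version: 3.8.6.875
68480000-68508000 a2hooks32.dll (Emsisoft Ltd),
                  version: 2019.02.0.1903
763F0000-763FD000 UMPDC.dll (),
                  version:
- MS skipped (119) -

Process Trace
1  E:\Steam\steam.exe [14624] 2020-08-10T19:01:16
2  C:\Windows\explorer.exe [7436] 2020-08-10T18:27:32
3  C:\Windows\System32\userinit.exe [6324] 2020-08-10T18:27:28 30.8s

Dropped Files
1  E:\Steam\config\config.vdf.async14624.tmp
     Dropped by \Device\HarddiskVolume2\Steam\steam.exe [14624]
2  E:\Steam\steamapps\appmanifest_348510.acf
     Dropped by \Device\HarddiskVolume2\Steam\steam.exe [14624]
"""

HEADER_RE = re.compile(r"^([A-Za-z]+(?: [A-Za-z]+)?)\s{2,}(.+)$")     # "Key   value"
MODULE_RE = re.compile(r"^[0-9A-F]{8}-[0-9A-F]{8} (\S+) \((.*)\),$")  # "base-end name (vendor),"
TRACE_RE = re.compile(r"^(\d+)\s+(.+?) \[(\d+)\] (\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)")
DROP_RE = re.compile(r"^(\d+)\s+(.+)$")
DROPPED_BY_RE = re.compile(r"^\s+Dropped by (.+) \[(\d+)\]$")
SECTIONS = {"Process Trace": "trace", "Dropped Files": "dropped", "Thumbprints": "thumbs"}


def parse_alert(text):
    """Split one HitmanPro.Alert event into header, modules, trace and dropped files."""
    alert = {"header": {}, "modules": [], "trace": [], "dropped": []}
    section, cmdline_next, cur_mod, cur_drop = "header", False, None, None
    for line in (l.rstrip() for l in text.splitlines() if l.strip()):
        if line.startswith("Loaded Modules"):
            section = "modules"
        elif line in SECTIONS:
            section = SECTIONS[line]
        elif section == "header":
            if cmdline_next:                       # value follows the "Command line:" key
                alert["header"]["Command line"], cmdline_next = line.strip('"'), False
            elif line == "Command line:":
                cmdline_next = True
            elif (m := HEADER_RE.match(line)):
                alert["header"][m.group(1)] = m.group(2)
        elif section == "modules":
            if (m := MODULE_RE.match(line)):       # vendor is "" for unsigned/unknown modules
                cur_mod = {"name": m.group(1), "vendor": m.group(2), "version": ""}
                alert["modules"].append(cur_mod)
            elif cur_mod and line.lstrip().lower().startswith("version:"):
                cur_mod["version"] = line.split(":", 1)[1].strip()
        elif section == "trace":
            if (m := TRACE_RE.match(line)):        # indented continuation lines are skipped
                alert["trace"].append({"depth": int(m.group(1)), "path": m.group(2),
                                       "pid": m.group(3), "started": m.group(4)})
        elif section == "dropped":
            if (m := DROPPED_BY_RE.match(line)) and cur_drop:
                cur_drop["dropper"], cur_drop["pid"] = m.group(1), m.group(2)
            elif (m := DROP_RE.match(line)):
                cur_drop = {"path": m.group(2), "dropper": "", "pid": ""}
                alert["dropped"].append(cur_drop)
    return alert


def triage(alert):
    """The facts an analyst checks first on a Lockdown event."""
    h, mods = alert["header"], alert["modules"]
    app = h.get("Application", "")
    app_vendor = mods[0]["vendor"] if mods else ""   # first module is the main executable
    # Hook DLLs from other vendors: the HMPA hook itself plus any other security product.
    foreign = [m["name"] for m in mods if m["vendor"] not in ("", "Microsoft Corporation", app_vendor)]
    by_pid = {}
    for d in alert["dropped"]:
        by_pid[d["pid"]] = by_pid.get(d["pid"], 0) + 1
    return {
        "mitigation": h.get("Mitigation"),
        "protected_app": app,
        "blocked_file": h.get("Filename"),
        # Lockdown fires on code the protected app itself just wrote to disk and then ran.
        "self_dropped_executable": h.get("Mitigation") == "Lockdown"
                                   and h.get("Created By", "").lower() == app.lower(),
        "foreign_modules": foreign,
        "dropped_by_pid": by_pid,
        "parent_chain": [t["path"] for t in alert["trace"]],
    }


if __name__ == "__main__":
    for key, value in triage(parse_alert(SAMPLE_ALERT)).items():
        print(f"{key:24} {value}")
```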
     
  4. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    350
    Location:
    Planet Earth
    Does a reboot fix the lockdown?
     
  5. maniac2003

    maniac2003 Registered Member

    Joined:
    Apr 12, 2007
    Posts:
    115
    Location:
    Netherlands
    Yes, that fixed it. Really one of the worst games I played in years, quickly uninstalled it :D
    Pro Evolution Soccer 2020 started without a problem with the mitigations enabled.
     
  6. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    350
    Location:
    Planet Earth
    That was already on the machine I guess; the newly introduced code isn't allowed to run because of Application Lockdown in this case.
     
  7. maniac2003

    maniac2003 Registered Member

    Joined:
    Apr 12, 2007
    Posts:
    115
    Location:
    Netherlands
    True, I just installed that game to test.
     
  8. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    350
    Location:
    Planet Earth
    Thanks for testing, so it doesn't seem to be the "just another drive" issue.
     
  9. HempOil

    HempOil Registered Member

    Joined:
    Jun 15, 2015
    Posts:
    197
    Location:
    Canada
    I was side-loading epubs from my PC to a Kobo using Calibre, and received the following CryptoGuard alert. I suppressed the alert in order to complete the transfers. A scan of the installation file in VirusTotal was clean.

    Code:
    CryptoGuard | calibre.exe
    
    C:\Program Files (x86)\Calibre2\calibre.exe
    
    The application has accessed and encrypted multiple productivity files (documents, photos and similar file types). This is indicative of a crypto-ransomware attack. The manipulated files were restored to their original state.
    
    MITRE ATT&CK
    
    Data Destruction - ID: T1485, Tactic: Impact
    Data Encrypted for Impact - ID: T1486, Tactic: Impact
    
    Details
    
    Mitigation   CryptoGuard
    Timestamp    2020-08-31T13:30:44
    
    Platform     10.0.18363/x64 v875 06_2a
    PID          5908
    WoW          x86
    Application  C:\Program Files (x86)\Calibre2\calibre.exe
    Created      2020-08-31T00:04:47
    Description  calibre.exe
    
    Filename     C:\Program Files (x86)\Calibre2\calibre.exe
    
    Detection    Generic.Ransom.X
    
     1*D:\TMP\calibre_qpdowe\pl3fbc_epub_container\fonts\00032.otf
       Overwritten L0, Write T48640 H32768|^135658 #1,2
    
     2*D:\TMP\calibre_qpdowe\pl3fbc_epub_container\fonts\00032.otf
       Opened L48416, Read T48640|100% H32768|^118773 #2,1
    
     3*D:\TMP\calibre_qpdowe\pl3fbc_epub_container\fonts\00022.otf
       Overwritten L0, Write T48640 H32768|^40220 #3,4
    
     4*D:\TMP\calibre_qpdowe\pl3fbc_epub_container\fonts\00022.otf
       Opened L48564, Read T48640|100% H32768|^38695 #4,3
    
     5*D:\TMP\calibre_qpdowe\pl3fbc_epub_container\fonts\00001.otf
       Overwritten L0, Write T2047488 H32768|^1723053 #5,6
    
     6*D:\TMP\calibre_qpdowe\pl3fbc_epub_container\fonts\00001.otf
       Opened L2047320, Read T2047488|100% H32768|^1637899 #6,5
    
     7*D:\TMP\calibre_qpdowe\pl3fbc_epub_container\fonts\00018.otf
       Overwritten L0, Write T67584 H32768|^780621 #7,8
    
     8*D:\TMP\calibre_qpdowe\pl3fbc_epub_container\fonts\00018.otf
       Opened L67336, Read T67584|100% H32768|^742071 #8,7
    
     9*D:\TMP\calibre_qpdowe\pl3fbc_epub_container\fonts\00012.otf
       Overwritten L0, Write T68608 H32768|^855479 #9,10
    
    10*D:\TMP\calibre_qpdowe\pl3fbc_epub_container\fonts\00012.otf
       Opened L68456, Read T68608|100% H32768|^813451 #10,9
    
    11 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\META-INF\encryption.xml
       Opened L12664, Read T12800|100% H12664|^563942 #11
    
    12 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\content.opf
       Opened L14859, Read T15360|100% H14859|^140577 #12
    
    13 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\META-INF\container.xml
       Opened L244, Read T512|100% H244|^2579 #13
    
    14 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\mimetype
       Opened, Deleted L20 #14
    
    15 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\toc.ncx
       Created L0, Write T9216 H9023|^129614 #15
    
    16 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\mimetype
       Created L0, Write T512 H20|^532 #16
    
    
    
    Loaded Modules (182)
    -----------------------------------------------------------------------------
    00F00000-00F13000 calibre.exe (-),
                      Version: 4.23.0.0
    77320000-774BA000 ntdll.dll (Microsoft Corporation),
                      Version: 10.0.18362.815
    760B0000-76190000 KERNEL32.dll (Microsoft Corporation),
                      Version: 10.0.18362.959
    74440000-7453D000 hmpalert.dll (SurfRight B.V.),
                      Version: 3.8.6.875
    762B0000-764AE000 KERNELBASE.dll (Microsoft Corporation),
                      Version: 10.0.18362.997
    75130000-752C8000 USER32.dll (Microsoft Corporation),
                      Version: 10.0.18362.997
    75D60000-75D77000 win32u.dll (Microsoft Corporation),
                      Version: 10.0.18362.1016
    75970000-75991000 GDI32.dll (Microsoft Corporation),
                      Version: 10.0.18362.1
    75EB0000-7600B000 gdi32full.dll (Microsoft Corporation),
                      Version: 10.0.18362.1016
    76560000-765DC000 msvcp_win.dll (Microsoft Corporation),
                      Version: 10.0.18362.815
    75850000-7596F000 ucrtbase.dll (Microsoft Corporation),
                      Version: 10.0.18362.815
    764B0000-764D5000 IMM32.DLL (Microsoft Corporation),
                      Version: 10.0.18362.387
    749A0000-74A5A000 guard32.dll (COMODO),
                      Version: 12.2.2.7032
    759C0000-75A39000 ADVAPI32.dll (Microsoft Corporation),
                      Version: 10.0.18362.752
    76FD0000-7708F000 msvcrt.dll (Microsoft Corporation),
                      Version: 7.0.18362.1
    764E0000-76556000 sechost.dll (Microsoft Corporation),
                      Version: 10.0.18362.959
    761F0000-762AB000 RPCRT4.dll (Microsoft Corporation),
                      Version: 10.0.18362.628
    74AF0000-74B10000 SspiCli.dll (Microsoft Corporation),
                      Version: 10.0.18362.1
    74AE0000-74AEA000 CRYPTBASE.dll (Microsoft Corporation),
                      Version: 10.0.18362.1
    76020000-7607F000 bcryptPrimitives.dll (Microsoft Corporation),
                      Version: 10.0.18362.836
    74990000-74998000 version.dll (Microsoft Corporation),
                      Version: 10.0.18362.1
    77090000-77187000 ole32.dll (Microsoft Corporation),
                      Version: 10.0.18362.693
    765E0000-76855000 combase.dll (Microsoft Corporation),
                      Version: 10.0.18362.997
    74AD0000-74AD8000 fltlib.dll (Microsoft Corporation),
                      Version: 10.0.18362.1
    752D0000-7584A000 shell32.dll (Microsoft Corporation),
                      Version: 10.0.18362.997
    75E60000-75E9B000 cfgmgr32.dll (Microsoft Corporation),
                      Version: 10.0.18362.387
    76EB0000-76F34000 shcore.dll (Microsoft Corporation),
                      Version: 10.0.18362.959
    74B10000-750D3000 windows.storage.dll (Microsoft Corporation),
                      Version: 10.0.18362.997
    76080000-7609B000 profapi.dll (Microsoft Corporation),
                      Version: 10.0.18362.693
    76E50000-76E93000 powrprof.dll (Microsoft Corporation),
                      Version: 10.0.18362.1
    75EA0000-75EAD000 UMPDC.dll (-),
                      Version: -.-.-.-
    750E0000-75124000 shlwapi.dll (Microsoft Corporation),
                      Version: 10.0.18362.1
    76860000-7686F000 kernel.appcore.dll (Microsoft Corporation),
                      Version: 10.0.18362.1
    76FB0000-76FC3000 cryptsp.dll (Microsoft Corporation),
                      Version: 10.0.18362.1
    530A0000-530B3000 calibre-launcher.dll (-),
                      Version: 4.23.0.0
    53080000-53093000 VCRUNTIME140.dll (Microsoft Corporation),
                      Version: 14.16.27033.0
    52DB0000-53074000 python27.dll (Python Software Foundation),
                      Version: 2.7.16150.1013
    74890000-748BF000 rsaenh.dll (Microsoft Corporation),
                      Version: 10.0.18362.1
    772F0000-77309000 bcrypt.dll (Microsoft Corporation),
                      Version: 10.0.18362.267
    52C80000-52DA6000 _hashlib.pyd (-),
                      Version: -.-.-.-
    52C60000-52C7C000 _ctypes.pyd (-),
                      Version: -.-.-.-
    75C60000-75CF2000 OLEAUT32.dll (Microsoft Corporation),
                      Version: 10.0.18362.959
    52C50000-52C58000 win32event.pyd (-),
                      Version: -.-.-.-
    52C30000-52C4F000 pywintypes27.dll (-),
                      Version: -.-.-.-
    52C10000-52C2D000 win32api.pyd (-),
                      Version: -.-.-.-
    74280000-7428A000 secur32.dll (Microsoft Corporation),
                      Version: 10.0.18362.1
    52C00000-52C09000 winutil.pyd (-),
                      Version: -.-.-.-
    715B0000-71A0B000 WININET.dll (Microsoft Corporation),
                      Version: 11.0.18362.753
    52BF0000-52BF6000 monotonic.pyd (-),
                      Version: -.-.-.-
    52BE0000-52BF0000 speedup.pyd (-),
                      Version: -.-.-.-
    52BB0000-52BD1000 win32file.pyd (-),
                      Version: -.-.-.-
    75D00000-75D5E000 WS2_32.dll (Microsoft Corporation),
                      Version: 10.0.18362.387
    74600000-74652000 MSWSOCK.dll (Microsoft Corporation),
                      Version: 10.0.18362.815
    00EF0000-00EF3000 sfc.dll (Microsoft Corporation),
                      Version: 10.0.18362.1
    74290000-7429F000 sfc_os.DLL (Microsoft Corporation),
                      Version: 10.0.18362.1
    52B90000-52BAD000 msgpack._cmsgpack.pyd (-),
                      Version: -.-.-.-
    52B80000-52B8A000 icu.pyd (-),
                      Version: -.-.-.-
    03B50000-03D65000 icuin64.dll (The ICU Project),
                      Version: 64.2.0.0
    52A20000-52B72000 icuuc64.dll (The ICU Project),
                      Version: 64.2.0.0
    529B0000-52A1F000 MSVCP140.dll (Microsoft Corporation),
                      Version: 14.16.27033.0
    03D70000-057B4000 icudt64.dll (The ICU Project),
                      Version: 64.2.0.0
    529A0000-529A6000 pyqt5.Qt.pyd (-),
                      Version: -.-.-.-
    52800000-52998000 pyqt5.QtCore.pyd (-),
                      Version: -.-.-.-
    52340000-527F3000 Qt5Core.dll (The Qt Company Ltd.),
                      Version: 5.14.1.0
    74AB0000-74AC8000 MPR.dll (Microsoft Corporation),
                      Version: 10.0.18362.1
    74970000-7498E000 USERENV.dll (Microsoft Corporation),
                      Version: 10.0.18362.387
    52320000-52336000 zlib1.dll (-),
                      Version: 1.2.11.0
    74A90000-74AA3000 NETAPI32.dll (Microsoft Corporation),
                      Version: 10.0.18362.1
    74360000-74384000 WINMM.dll (Microsoft Corporation),
                      Version: 10.0.18362.1
    74330000-74353000 WINMMBASE.dll (Microsoft Corporation),
                      Version: 10.0.18362.1
    74A70000-74A8C000 SRVCLI.DLL (Microsoft Corporation),
                      Version: 10.0.18362.1
    74A60000-74A6B000 NETUTILS.DLL (Microsoft Corporation),
                      Version: 10.0.18362.1
    52300000-5231A000 pyqt5.sip.pyd (-),
                      Version: -.-.-.-
    52150000-522F4000 pyqt5.QtGui.pyd (-),
                      Version: -.-.-.-
    51BC0000-52141000 Qt5Gui.dll (The Qt Company Ltd.),
                      Version: 5.14.1.0
    6E860000-6EA3E000 d3d11.dll (Microsoft Corporation),
                      Version: 10.0.18362.387
    6E790000-6E851000 dxgi.dll (Microsoft Corporation),
                      Version: 10.0.18362.815
    72B40000-72B59000 dxcore.dll (Microsoft Corporation),
                      Version: 10.0.18362.1
    51B40000-51BB7000 pyqt5.QtNetwork.pyd (-),
                      Version: -.-.-.-
    51A20000-51B33000 Qt5Network.dll (The Qt Company Ltd.),
                      Version: 5.14.1.0
    76900000-769FB000 CRYPT32.dll (Microsoft Corporation),
                      Version: 10.0.18362.592
    760A0000-760AE000 MSASN1.dll (Microsoft Corporation),
                      Version: 10.0.18362.1
    74550000-745E4000 DNSAPI.dll (Microsoft Corporation),
                      Version: 10.0.18362.1016
    76010000-76017000 NSI.dll (Microsoft Corporation),
                      Version: 10.0.18362.449
    748C0000-748F2000 IPHLPAPI.DLL (Microsoft Corporation),
                      Version: 10.0.18362.1
    519F0000-51A1C000 pyqt5.QtSensors.pyd (-),
                      Version: -.-.-.-
    519C0000-519EB000 Qt5Sensors.dll (The Qt Company Ltd.),
                      Version: 5.14.1.0
    51690000-519BB000 pyqt5.QtWidgets.pyd (-),
                      Version: -.-.-.-
    51220000-5168C000 Qt5Widgets.dll (The Qt Company Ltd.),
                      Version: 5.14.1.0
    74390000-7440A000 UxTheme.dll (Microsoft Corporation),
                      Version: 10.0.18362.449
    74410000-74435000 dwmapi.dll (Microsoft Corporation),
                      Version: 10.0.18362.267
    511F0000-5121C000 pyqt5.QtPrintSupport.pyd (-),
                      Version: -.-.-.-
    511A0000-511E6000 Qt5PrintSupport.dll (The Qt Company Ltd.),
                      Version: 5.14.1.0
    75A40000-75AF0000 COMDLG32.dll (Microsoft Corporation),
                      Version: 10.0.18362.900
    73D80000-73DEB000 WINSPOOL.DRV (Microsoft Corporation),
                      Version: 10.0.18362.693
    726F0000-7277D000 COMCTL32.dll (Microsoft Corporation),
                      Version: 5.82.18362.1016
    72780000-72846000 PROPSYS.dll (Microsoft Corporation),
                      Version: 7.0.18362.815
    51180000-51196000 pyqt5.QtSvg.pyd (-),
                      Version: -.-.-.-
    51130000-51174000 Qt5Svg.dll (The Qt Company Ltd.),
                      Version: 5.14.1.0
    51110000-51125000 pyqt5.QtWinExtras.pyd (-),
                      Version: -.-.-.-
    51080000-51102000 Qt5WinExtras.dll (The Qt Company Ltd.),
                      Version: 5.14.1.0
    51070000-51079000 pyqt5.QtWebChannel.pyd (-),
                      Version: -.-.-.-
    51050000-5106C000 Qt5WebChannel.dll (The Qt Company Ltd.),
                      Version: 5.14.1.0
    50D30000-51049000 Qt5Qml.dll (The Qt Company Ltd.),
                      Version: 5.14.1.0
    50D20000-50D2E000 _socket.pyd (-),
                      Version: -.-.-.-
    50BA0000-50D1B000 _ssl.pyd (-),
                      Version: -.-.-.-
    50A50000-50B99000 apsw.pyd (-),
                      Version: -.-.-.-
    50A30000-50A45000 bz2.pyd (-),
                      Version: -.-.-.-
    50A10000-50A23000 progress_indicator.pyd (),
                      Version: 4.23.0.0
    50960000-50A0A000 qwindows.dll (The Qt Company Ltd.),
                      Version: 5.14.1.0
    74830000-7483F000 WTSAPI32.dll (Microsoft Corporation),
                      Version: 10.0.18362.1
    64670000-647FE000 d3d9.dll (Microsoft Corporation),
                      Version: 10.0.18362.387
    77190000-771D6000 WINTRUST.DLL (Microsoft Corporation),
                      Version: 10.0.18362.387
    759A0000-759BB000 imagehlp.dll (Microsoft Corporation),
                      Version: 10.0.18362.1
    50860000-5095F000 opengl32.dll (Microsoft Corporation),
                      Version: 10.0.18362.387
    50820000-5085F000 GLU32.dll (Microsoft Corporation),
                      Version: 10.0.18362.387
    771E0000-772E3000 MSCTF.dll (Microsoft Corporation),
                      Version: 10.0.18362.900
    79910000-7B42E000 nvoglv32.dll (NVIDIA Corporation),
                      Version: 23.21.13.9135
    76A00000-76E49000 SETUPAPI.dll (Microsoft Corporation),
                      Version: 10.0.18362.1
    74300000-74323000 DEVOBJ.dll (Microsoft Corporation),
                      Version: 10.0.18362.387
    72E30000-72E59000 ntmarta.dll (Microsoft Corporation),
                      Version: 10.0.18362.1
    747E0000-74824000 WINSTA.dll (Microsoft Corporation),
                      Version: 10.0.18362.836
    507F0000-50813000 qwindowsvistastyle.dll (The Qt Company Ltd.),
                      Version: 5.14.1.0
    6AD60000-6AFE0000 dwrite.dll (Microsoft Corporation),
                      Version: 10.0.18362.1016
    507E0000-507EB000 qgif.dll (The Qt Company Ltd.),
                      Version: 5.14.1.0
    507D0000-507DD000 qicns.dll (The Qt Company Ltd.),
                      Version: 5.14.1.0
    507C0000-507CB000 qico.dll (The Qt Company Ltd.),
                      Version: 5.14.1.0
    50760000-507BA000 qjpeg.dll (The Qt Company Ltd.),
                      Version: 5.14.1.0
    50750000-50759000 qsvg.dll (The Qt Company Ltd.),
                      Version: 5.14.1.0
    50740000-50749000 qtga.dll (The Qt Company Ltd.),
                      Version: 5.14.1.0
    506E0000-50738000 qtiff.dll (The Qt Company Ltd.),
                      Version: 5.14.1.0
    506D0000-506D9000 qwbmp.dll (The Qt Company Ltd.),
                      Version: 5.14.1.0
    50650000-506C3000 qwebp.dll (The Qt Company Ltd.),
                      Version: 5.14.1.0
    50640000-5064A000 _multiprocessing.pyd (-),
                      Version: -.-.-.-
    50590000-5063A000 unicodedata.pyd (-),
                      Version: -.-.-.-
    50580000-5058D000 win32process.pyd (-),
                      Version: -.-.-.-
    76FA0000-76FA6000 Psapi.dll (Microsoft Corporation),
                      Version: 10.0.18362.1
    50560000-50573000 imageops.pyd (),
                      Version: 4.23.0.0
    503F0000-50560000 lxml.etree.pyd (-),
                      Version: -.-.-.-
    503C0000-503EF000 libxslt.dll (-),
                      Version: -.-.-.-
    503A0000-503B2000 libexslt.dll (-),
                      Version: -.-.-.-
    50290000-50398000 libxml2.dll (-),
                      Version: 2.9.9.0
    737A0000-737A8000 WSOCK32.dll (Microsoft Corporation),
                      Version: 10.0.18362.1
    50260000-50285000 lxml._elementpath.pyd (-),
                      Version: -.-.-.-
    50250000-50256000 select.pyd (-),
                      Version: -.-.-.-
    50240000-50246000 cPalmdoc.pyd (-),
                      Version: -.-.-.-
    50220000-50234000 lxml.builder.pyd (-),
                      Version: -.-.-.-
    50210000-50217000 tokenizer.pyd (-),
                      Version: -.-.-.-
    501B0000-5020B000 html5_parser.html_parser.pyd (-),
                      Version: -.-.-.-
    50190000-501A7000 pictureflow.pyd (),
                      Version: 4.23.0.0
    50160000-50188000 _elementtree.pyd (-),
                      Version: -.-.-.-
    50130000-50158000 pyexpat.pyd (-),
                      Version: -.-.-.-
    50100000-5012D000 win32gui.pyd (-),
                      Version: -.-.-.-
    73DF0000-73DF6000 msimg32.dll (Microsoft Corporation),
                      Version: 10.0.18362.1016
    50090000-500FC000 regex._regex.pyd (-),
                      Version: -.-.-.-
    50080000-5008C000 wpd.pyd (-),
                      Version: -.-.-.-
    75DE0000-75E60000 clbcatq.dll (Microsoft Corporation),
                      Version: 2001.12.10941.16384
    77F70000-77FF3000 PortableDeviceApi.dll (Microsoft Corporation),
                      Version: 10.0.18362.1
    6D1F0000-6D200000 wkscli.dll (Microsoft Corporation),
                      Version: 10.0.18362.1
    6D190000-6D1C1000 dataexchange.dll (Microsoft Corporation),
                      Version: 10.0.18362.836
    6D020000-6D18A000 dcomp.dll (Microsoft Corporation),
                      Version: 10.0.18362.959
    6DC30000-6DE15000 twinapi.appcore.dll (Microsoft Corporation),
                      Version: 10.0.18362.959
    6DC10000-6DC2F000 RMCLIENT.dll (Microsoft Corporation),
                      Version: 10.0.18362.267
    50070000-50077000 netifaces.pyd (-),
                      Version: -.-.-.-
    74700000-74713000 dhcpcsvc6.DLL (Microsoft Corporation),
                      Version: 10.0.18362.815
    746E0000-746F5000 dhcpcsvc.DLL (Microsoft Corporation),
                      Version: 10.0.18362.815
    740C0000-740C7000 wshqos.dll (Microsoft Corporation),
                      Version: 10.0.18362.1
    74210000-74217000 wshtcpip.DLL (Microsoft Corporation),
                      Version: 10.0.18362.1
    74190000-74197000 wship6.dll (Microsoft Corporation),
                      Version: 10.0.18362.1
    74540000-74548000 rasadhlp.dll (Microsoft Corporation),
                      Version: 10.0.18362.1
    72C60000-72CB1000 fwpuclnt.dll (Microsoft Corporation),
                      Version: 10.0.18362.113
    5E040000-5E0C4000 TextInputFramework.dll (Microsoft Corporation),
                      Version: 10.0.18362.207
    5DDE0000-5E03E000 CoreUIComponents.dll (Microsoft Corporation),
                      Version: 10.0.18362.207
    5DD50000-5DDD9000 CoreMessaging.dll (Microsoft Corporation),
                      Version: 10.0.18362.836
    6E0A0000-6E17A000 wintypes.dll (Microsoft Corporation),
                      Version: 10.0.18362.997
    73160000-73389000 iertutil.dll (Microsoft Corporation),
                      Version: 11.0.18362.815
    50040000-50067000 PortableDeviceTypes.dll (Microsoft Corporation),
                      Version: 10.0.18362.1
    73E70000-73F0F000 apphelp.dll (Microsoft Corporation),
                      Version: 10.0.18362.1
    50020000-50029000 win32pipe.pyd (-),
                      Version: -.-.-.-
    6CF20000-6CF3B000 edputil.dll (Microsoft Corporation),
                      Version: 10.0.18362.1
    73580000-7378F000 comctl32.dll (Microsoft Corporation),
                      Version: 6.10.18362.1016
    6BA00000-6BB69000 WindowsCodecs.dll (Microsoft Corporation),
                      Version: 10.0.18362.959
    
    Process Trace
    1  C:\Program Files (x86)\Calibre2\calibre.exe [5908] 2020-08-31T00:17:13
    2  C:\Program Files (x86)\Calibre2\calibre.exe [5152] 2020-08-31T00:04:53 12m 21s
    3  C:\Windows\SysWOW64\msiexec.exe [7864] 2020-08-31T00:04:53 1.7s
       C:\Windows\syswow64\MsiExec.exe -Embedding 6A459A70BC2FEDE64EDF0F50D27707F7 C
    4  C:\Windows\System32\msiexec.exe [9960] 2020-08-31T00:04:26 5m 28s
    5  C:\Windows\System32\services.exe [868] 2020-08-30T18:31:17
    6  C:\Windows\System32\wininit.exe [796] 2020-08-30T18:31:17
       wininit.exe
    7  C:\Windows\System32\smss.exe [584] 2020-08-30T18:31:12 5.1s
       \SystemRoot\System32\smss.exe 000000c8 00000084
    8  C:\Windows\System32\smss.exe [500] 2020-08-30T18:31:10
       \SystemRoot\System32\smss.exe
    
    Dropped Files
    1  D:\TMP\calibre_qpdowe\xyfxew_epub_container\OEBPS\9781632172143.opf
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
            Read by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    2  D:\TMP\calibre_qpdowe\xyfxew_epub_container\mimetype
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    3  D:\TMP\calibre_qpdowe\olzal9caltmpfmt.epub
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    4  D:\TMP\calibre_qpdowe\pl3fbc_epub_container\META-INF\calibre_bookmarks.txt
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    5  D:\TMP\calibre_qpdowe\pl3fbc_epub_container\META-INF\encryption.xml
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
            Read by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    6  D:\TMP\calibre_qpdowe\pl3fbc_epub_container\META-INF\container.xml
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    7  D:\TMP\calibre_qpdowe\pl3fbc_epub_container\text\part0000.html
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    8  D:\TMP\calibre_qpdowe\pl3fbc_epub_container\text\part0001.html
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    9  D:\TMP\calibre_qpdowe\pl3fbc_epub_container\text\part0002.html
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    10 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\text\part0003.html
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    11 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\text\part0004.html
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    12 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\text\part0005.html
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    13 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\text\part0006.html
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    14 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\text\part0007.html
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    15 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\text\part0008.html
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    16 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\text\part0009.html
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    17 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\text\part0010.html
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    18 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\text\part0011.html
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    19 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\text\part0012.html
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    20 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\text\part0013.html
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    21 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\text\part0014.html
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    22 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\text\part0015.html
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    23 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\text\part0016.html
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    24 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\text\part0017.html
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    25 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\text\part0018.html
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    26 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\text\part0019.html
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    27 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\text\part0020.html
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    28 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\text\part0021.html
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    29 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\text\part0022.html
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    30 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\text\part0023.html
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    31 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\text\part0024.html
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    32 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\text\part0025.html
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    33 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\text\part0026.html
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    34 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\text\part0027.html
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    35 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\text\part0028.html
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    36 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\text\part0029.html
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    37 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\text\part0030.html
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    38 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\text\part0031.html
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    39 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\text\part0032.html
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    40 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\text\part0033.html
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    41 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\text\part0034.html
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    42 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\text\part0035.html
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    43 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\text\part0036.html
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    44 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\text\part0037.html
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    45 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\images\00040.jpeg
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    46 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\images\00042.jpeg
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    47 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\images\00043.jpeg
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    48 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\images\00044.jpeg
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    49 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\images\00045.jpeg
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    50 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\images\00046.jpeg
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    51 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\images\00047.jpeg
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    52 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\images\00048.jpeg
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    53 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\images\00049.jpeg
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    54 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\images\00050.jpeg
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    55 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\images\00051.jpeg
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    56 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\images\00052.jpeg
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    57 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\images\00053.jpeg
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    58 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\images\00054.jpeg
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    59 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\images\00055.jpeg
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    60 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\images\00056.jpeg
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    61 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\images\00057.jpeg
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    62 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\images\00058.jpeg
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    63 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\images\00059.jpeg
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    64 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\images\00060.jpeg
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    65 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\images\00061.jpeg
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    66 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\images\00062.jpeg
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    67 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\images\00063.jpeg
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    68 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\images\00064.jpeg
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    69 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\images\00065.jpeg
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    70 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\images\00066.jpeg
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    71 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\images\00067.jpeg
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    72 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\images\00068.jpeg
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    73 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\images\00069.jpeg
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    74 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\images\00070.jpeg
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    75 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\images\00071.jpeg
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    76 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\images\00072.jpeg
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    77 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\fonts\00001.otf
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
            Read by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    78 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\fonts\00002.otf
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    79 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\fonts\00003.otf
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    80 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\fonts\00004.otf
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    81 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\fonts\00005.otf
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    82 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\fonts\00006.otf
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    83 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\fonts\00007.otf
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    84 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\fonts\00008.otf
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    85 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\fonts\00009.otf
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    86 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\fonts\00010.otf
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    87 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\fonts\00011.otf
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    88 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\fonts\00012.otf
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
            Read by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    89 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\fonts\00013.otf
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    90 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\fonts\00014.otf
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    91 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\fonts\00015.otf
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    92 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\fonts\00016.otf
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    93 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\fonts\00017.otf
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    94 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\fonts\00018.otf
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
            Read by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    95 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\fonts\00019.otf
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    96 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\fonts\00020.otf
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    97 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\fonts\00021.otf
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    98 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\fonts\00022.otf
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
            Read by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    99 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\fonts\00023.otf
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    100 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\fonts\00024.otf
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    101 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\fonts\00025.otf
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    102 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\fonts\00026.otf
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    103 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\fonts\00027.otf
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    104 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\fonts\00028.otf
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    105 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\fonts\00029.otf
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    106 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\fonts\00030.otf
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    107 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\fonts\00031.otf
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    108 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\fonts\00032.otf
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
            Read by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    109 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\fonts\00033.otf
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    110 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\fonts\00034.otf
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    111 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\fonts\00035.otf
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    112 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\fonts\00036.otf
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    113 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\fonts\00037.otf
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
            Read by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    114 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\fonts\00038.otf
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    115 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\fonts\00039.otf
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    116 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\page_styles.css
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    117 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\titlepage.xhtml
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    118 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\stylesheet.css
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    119 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\content.opf
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
            Read by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    120 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\cover.jpeg
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    121 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\mimetype
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    122 D:\TMP\calibre_qpdowe\pl3fbc_epub_container\toc.ncx
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Calibre2\calibre.exe [5908]
    
    Thumbprints
    7dc5e2d57f2387ca48bb78afda09286d3ac42efdca115fdb6e243059a49c85bf
    
     
  10. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    350
    Location:
    Planet Earth
    Thanks, we'll look into that!
     
  11. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    578
    Location:
    Hengelo
    HitmanPro.Alert 3.8.8 Build 887 Release Candidate

    Changes (compared to build 875)
    Fixed:
    • CodeCave: coding error that could cause certain rare applications to crash
    • CodeCave: False alarms when application is packed with boxedApp packer
    • ACPProtection: False alarms when application is packed with boxedApp packer
    • ApiSetGuard: False alarms on a standard DLLMain implementation that does nothing but returning 0 or 1
    • CryptoGuard 5: False alarm in combination with Dropbox
    • CryptoGuard 5: False alarm when deleting many files on an endpoint protected by Bitdefender’s CryptoStore feature
    • HeapHeapProtect: Applications under attack could crash when the used shellcode caused an unaligned stack
    • Crash in Equation Editor when under attack, caused by Data Execution Prevention (DEP)
    • Italian string in Systray context menu
    Improved:
    • Alert report now includes a list of services if a process runs as a service
    • CryptoGuard-only now also enables anti-malware
    • GUI: Added anti-malware menu item to settings menu
    • GUI: EULA on install dialog
    • Windows on ARM: Now offloads SHA-256 calculation to hardware via NEON instructions, resulting in a 7 times performance boost
    • Windows on ARM: Fixed last scan timestamp
    • AmsiGuard: Now supports unloading of AMSI.DLL
    • ApplicationLockdown: Prevent execution of a Visual Basic file via EXPLORER.EXE from an Office application
    • CredGuardSAM: Prevent registry command line tool from dumping credentials
    • WipeGuard: Volume Boot Record (VBR) protection and alert details
    • Minifilter driver altitude, lowered from 345800 to 221600, to prevent third party minifilters from adversely affecting ransomware detection
    Added:
    • HeapHeapProtect: Code running in dynamic memory, in RUNDLL32.EXE and REGSVR32.EXE, can no longer manipulate other dynamic memory. This proactively helps against many backdoor tools, trojans and ransomware families.
    • Tamper Protection by filtering process and thread handles against terminate, suspend and injection. Also added menu item to settings menu.
    • Automatic protection of Microsoft Access against exploitation
    • DLL Hijacking protection on HitmanPro malware scanner to prevent privilege escalation
    Download
    https://dl.surfright.nl/hmpalert3b887.exe

    Please let us know how this build runs on your machine. Thanks! :thumb:
     
    Last edited: Nov 20, 2020
  12. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    9,001
    Location:
    Among the gum trees
    Installed without issue here so far. :thumb:

    Nice to see you popping in here again, Mark.
     
  13. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    9,001
    Location:
    Among the gum trees
    I'm not sure if this is a false positive or not.
    Code:
    Mitigation   APCViolation
    Timestamp    2020-11-20T21:53:52
    
    Platform     10.0.19042/x64 v887 06_25
    PID          7568
    Feature      003D0A30000001A2
    Application  C:\Program Files\Windows Sidebar\sidebar.exe
    Created      2019-11-11T04:33:41
    Description  Windows Desktop Gadgets 1.0
    
    APC intercepted:
    Owner of APC-func: <-UNKNOWN->
    000001B744380000  4883ec38                 SUB          RSP, 0x38
    000001B744380004  4889c8                   MOV          RAX, RCX
    000001B744380007  664489442420             MOV          [RSP+0x20], R8W
    000001B74438000D  664489442422             MOV          [RSP+0x22], R8W
    000001B744380013  4c8d4c2440               LEA          R9, [RSP+0x40]
    000001B744380018  4889542428               MOV          [RSP+0x28], RDX
    000001B74438001D  4c8d442420               LEA          R8, [RSP+0x20]
    000001B744380022  31d2                     XOR          EDX, EDX
    000001B744380024  31c9                     XOR          ECX, ECX
    000001B744380026  ffd0                     CALL         RAX
    000001B744380028  4883c438                 ADD          RSP, 0x38
    000001B74438002C  c20000                   RET          0x0
    000001B74438002F  43003a                   ADD          [R10], DIL
    000001B744380032  005c0050                 ADD          [RAX+RAX+0x50], BL
    000001B744380036  007200                   ADD          [RDX+0x0], DH
    000001B744380039  6f                       OUTS         DX, DWORD [RSI]
    
    ----- SNIP HERE -----
    AAIBAQAAOES3AQAAAAA4RLcBAAAAADhEtwEAAAAQAABIg+w4SInIZkSJRCQgZkSJRCQiTI1MJEBIiVQkKEyNRCQgMdIxyf/QSIPEOMIBAgBDADoAXABQAHIAbwBnAHIAYQBtACAARgBpAGwAZQBzACAAKAB4ADgANgApAFwAVwBpAHMAZQBWAGUAYwB0AG8AcgBcAFcAaQBzAGUAVgBlAGMAdABvAHIASABlAGwAcABlAHIATwBuAGUAXwBYADYANAAuAGQAbABsAQAAAQAAAQAAAQAAAQAAAQAAAQAAAQAAAQAAAQAAAQAAAQAAAQAAAQAAAQAAAVgA
    ----- END SNIP -----
    
    Loaded Modules (41)
    -----------------------------------------------------------------------------
    00007FF791D30000-00007FF791E84000 sidebar.exe (Microsoft Corporation),
                                      version: 6.2.8400.0 (winmain_win8rc.120518-1423)
    00007FF9C5010000-00007FF9C5206000 ntdll.dll (Microsoft Corporation),
                                      version: 10.0.19041.610 (WinBuild.160101.0800)
    00007FF9C2500000-00007FF9C25FF000 hmpalert.dll (SurfRight B.V.),
                                      version: 3.8.8.887
    00007FF9C4150000-00007FF9C420D000 KERNEL32.dll (Microsoft Corporation),
                                      version: 10.0.19041.546 (WinBuild.160101.0800)
    00007FF9C2840000-00007FF9C2B08000 KERNELBASE.dll (Microsoft Corporation),
                                      version: 10.0.19041.572 (WinBuild.160101.0800)
    00007FF9C4E60000-00007FF9C4F0C000 ADVAPI32.dll (Microsoft Corporation),
                                      version: 10.0.19041.610 (WinBuild.160101.0800)
    00007FF9C3260000-00007FF9C32FE000 msvcrt.dll (Microsoft Corporation),
                                      version: 7.0.19041.546 (WinBuild.160101.0800)
    00007FF9C3300000-00007FF9C339B000 sechost.dll (Microsoft Corporation),
                                      version: 10.0.19041.546 (WinBuild.160101.0800)
    00007FF9C3130000-00007FF9C3254000 RPCRT4.dll (Microsoft Corporation),
                                      version: 10.0.19041.630 (WinBuild.160101.0800)
    00007FF9C3070000-00007FF9C309A000 GDI32.dll (Microsoft Corporation),
                                      version: 10.0.19041.546 (WinBuild.160101.0800)
    00007FF9C2DA0000-00007FF9C2DC2000 win32u.dll (Microsoft Corporation),
                                      version: 10.0.19041.630 (WinBuild.160101.0800)
    00007FF9C2F60000-00007FF9C3069000 gdi32full.dll (Microsoft Corporation),
                                      version: 10.0.19041.572 (WinBuild.160101.0800)
    00007FF9C27A0000-00007FF9C283D000 msvcp_win.dll (Microsoft Corporation),
                                      version: 10.0.19041.546 (WinBuild.160101.0800)
    00007FF9C2BF0000-00007FF9C2CF0000 ucrtbase.dll (Microsoft Corporation),
                                      version: 10.0.19041.546 (WinBuild.160101.0800)
    00007FF9C4B10000-00007FF9C4CB0000 USER32.dll (Microsoft Corporation),
                                      version: 10.0.19041.610 (WinBuild.160101.0800)
    00007FF9C4020000-00007FF9C414A000 ole32.dll (Microsoft Corporation),
                                      version: 10.0.19041.546 (WinBuild.160101.0800)
    00007FF9C47B0000-00007FF9C4B05000 combase.dll (Microsoft Corporation),
                                      version: 10.0.19041.572 (WinBuild.160101.0800)
    00007FF9C3CA0000-00007FF9C3D6D000 OLEAUT32.dll (Microsoft Corporation),
                                      version: 10.0.19041.546 (WinBuild.160101.0800)
    00007FF9C4750000-00007FF9C47A5000 SHLWAPI.dll (Microsoft Corporation),
                                      version: 10.0.19041.546 (WinBuild.160101.0800)
    00007FF9C33A0000-00007FF9C3AE1000 SHELL32.dll (Microsoft Corporation),
                                      version: 10.0.19041.610 (WinBuild.160101.0800)
    00007FF9C2DD0000-00007FF9C2F2D000 CRYPT32.dll (Microsoft Corporation),
                                      version: 10.0.19041.546 (WinBuild.160101.0800)
    00007FF9ACAB0000-00007FF9ACACD000 ATL.DLL (Microsoft Corporation),
                                      version: 3.05.2284
    00007FF9B4E90000-00007FF9B512B000 COMCTL32.dll (Microsoft Corporation),
                                      version: 6.10 (WinBuild.160101.0800)
    00007FF9AFED0000-00007FF9B0076000 gdiplus.dll (Microsoft Corporation),
                                      version: 10.0.19041.630 (WinBuild.160101.0800)
    00007FF9B9A80000-00007FF9B9AA9000 Cabinet.dll (Microsoft Corporation),
                                      version: 5.00 (WinBuild.160101.0800)
    00007FF9B66B0000-00007FF9B689D000 urlmon.dll (Microsoft Corporation),
                                      version: 11.00.19041.610 (WinBuild.160101.0800)
    00007FF9A37A0000-00007FF9A37B2000 sfc_os.dll (Microsoft Corporation),
                                      version: 10.0.19041.546 (WinBuild.160101.0800)
    00007FF9B8C10000-00007FF9B8CB2000 dwmapi.dll (Helmut Buhler),
                                      version: 1.0.0.0
    00007FF9BBB40000-00007FF9BBB91000 CRYPTUI.dll (Microsoft Corporation),
                                      version: 10.0.19041.572 (WinBuild.160101.0800)
    00007FF9C2F30000-00007FF9C2F57000 bcrypt.dll (Microsoft Corporation),
                                      version: 10.0.19041.546 (WinBuild.160101.0800)
    00007FF9C00C0000-00007FF9C015E000 UxTheme.dll (Microsoft Corporation),
                                      version: 10.0.19041.610 (WinBuild.160101.0800)
    00007FF9B6E60000-00007FF9B7110000 iertutil.dll (Microsoft Corporation),
                                      version: 11.00.19041.630 (WinBuild.160101.0800)
    00007FF9C4F10000-00007FF9C4FBE000 shcore.dll (Microsoft Corporation),
                                      version: 10.0.19041.610 (WinBuild.160101.0800)
    00007FF9B02E0000-00007FF9B02E7000 MSIMG32.dll (Microsoft Corporation),
                                      version: 10.0.19041.546 (WinBuild.160101.0800)
    00007FF9B0080000-00007FF9B00E6000 OLEACC.dll (Microsoft Corporation),
                                      version: 7.2.19041.546 (WinBuild.160101.0800)
    00007FF9C3DF0000-00007FF9C3E20000 IMM32.DLL (Microsoft Corporation),
                                      version: 10.0.19041.546 (WinBuild.160101.0800)
    00007FF9C07A0000-00007FF9C0F35000 windows.storage.dll (Microsoft Corporation),
                                      version: 10.0.19041.610 (WinBuild.160101.0800)
    00007FF9C2050000-00007FF9C207C000 Wldp.dll (Microsoft Corporation),
                                      version: 10.0.19041.546 (WinBuild.160101.0800)
    00007FF9C2680000-00007FF9C26A6000 profapi.dll (Microsoft Corporation),
                                      version: 10.0.19041.546 (WinBuild.160101.0800)
    00007FF9C05A0000-00007FF9C05B2000 kernel.appcore.dll (Microsoft Corporation),
                                      version: 10.0.19041.546 (WinBuild.160101.0800)
    00007FF9C2B70000-00007FF9C2BEF000 bcryptPrimitives.dll (Microsoft Corporation),
                                      version: 10.0.19041.546 (WinBuild.160101.0800)
    00007FF9C3E90000-00007FF9C3FA5000 MSCTF.dll (Microsoft Corporation),
                                      version: 10.0.19041.630 (WinBuild.160101.0800)
    00007FF9C3AF0000-00007FF9C3B99000 clbcatq.dll (Microsoft Corporation),
                                      version: 2001.12.10941.16384 (WinBuild.160101.080
    
    Process Trace
    1  C:\Program Files\Windows Sidebar\sidebar.exe [7568] 2020-11-20T21:53:49
    2  C:\Windows\explorer.exe [5352] 2020-11-20T21:53:23
    3  C:\Windows\System32\userinit.exe [4880] 2020-11-20T21:53:21 27.3s
    4  C:\Windows\System32\winlogon.exe [744] 2020-11-20T21:53:03
       winlogon.exe
    5  C:\Windows\System32\smss.exe [616] 2020-11-20T21:53:03 184ms
       \SystemRoot\System32\smss.exe 000000c0 00000084
    6  C:\Windows\System32\smss.exe [376] 2020-11-20T21:52:58
       \SystemRoot\System32\smss.exe
    
    Dropped Files
    1  C:\Users\Dave\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000386.db
         Dropped by \Device\HarddiskVolume2\Windows\explorer.exe [5352]
    
    Thumbprints
    d4f3b7c0dee2f9f7c4198490fb70ec652f75d1f8109b7868cb5ae3ede296fce2
    e500dc76f8f79f4d9161eb1153e1d4abf36025175be0541e537b701580dd190e (code)
    e6025cb9b2b64533a20671d22e8f2e8e8a2a9c755386fb99cf7027e72c1f3407 (pfn)
    
     
  14. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    883
    Location:
    USA
    Hi Mark, thanks for keeping up the good work!

    I recently purchased a 2 year license renewal, and I'm sure that was a wise choice! :thumb:
     
  15. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,036
    Location:
    Baden Germany
  16. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    9,001
    Location:
    Among the gum trees
    Yeah, I know it and gadgets are unsafe. I'm using 8GadgetPack and the only gadgets I have enabled are the analogue clock and the CPU / RAM Meter, neither of which access the internet, so I'm not too concerned.
     
  17. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,036
    Location:
    Baden Germany
    Have a look in Control Panel/Programs/Windows features; if gadgets is still there,
    I highly recommend removing it, along with several other components.
    For example:
    IE 11, PowerShell 2.0, Legacy Components, Media features, XPS Document Creator, SMB 1.0....
     
  18. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    9,001
    Location:
    Among the gum trees
    Gadgets is not there because I installed Windows 10 without gadgets then installed 8GadgetPack as I mention earlier. This machine was not upgraded from Windows 7.

    The other programs do not exist either.

    Thanks for your concern.
     
  19. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,036
    Location:
    Baden Germany
    Strange,
    did 8GadgetPack install the sidebar?
    Anyway, I, me myself, would not use such stuff, but that's just me.
    Reason: Attack Surface Reduction.
     
  20. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    9,001
    Location:
    Among the gum trees
  21. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,036
    Location:
    Baden Germany
  22. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    9,001
    Location:
    Among the gum trees
    If you read the links in my above post...
    Again, thank you for your concern.
     
  23. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    989
    No problems upgrading to build 887 RC.
     
  24. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    578
    Location:
    Hengelo
    ID: T1055.004
    Tactics: Defense Evasion, Privilege Escalation
    Adversaries may inject malicious code into processes via the asynchronous procedure call (APC) queue in order to evade process-based defenses as well as possibly elevate privileges. APC injection is a method of executing arbitrary code in the address space of a separate live process. APC injection is commonly performed by attaching malicious code to the APC Queue of a process's thread. Queued APC functions are executed when the thread enters an alertable state. A handle to an existing victim process is first created with native Windows API calls such as OpenThread. At this point QueueUserAPC can be used to invoke a function (such as LoadLibraryA pointing to a malicious DLL).
    Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via APC injection may also evade detection from security products since the execution is masked under a legitimate process.

    From the memory snippet in the alert details I can see that the APC is attempting to load this DLL into the SIDEBAR.EXE process: C:\Program Files (x86)\WiseVector\WiseVectorHelperOne_X64.dll. From another post here on WSF I've noticed it is legitimate software, even though their method is not how you'd normally load code into other processes (I guess it's a good way to evade other products' defenses). I have published a new filter that allows WiseVector's specific code to run via APC. It may take a few hours for the new bloom to arrive.

    Mark
     
    Last edited: Nov 21, 2020
  25. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,391
    Location:
    Under a bushel ...
    +1.

    Win 10 Pro v20H2 build 19042.630.
     