HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    356
    Location:
    Planet Earth
    Thanks, we'll be looking into it.
     
  2. lawdude

    lawdude Registered Member

    Joined:
    Sep 20, 2015
    Posts:
    39
    I just bought a new computer and would like to uninstall HitmanPro.Alert/HitmanPro from the old one and reinstall on the new one. Can anyone enlighten me on this procedure, please?

    [Edit] Got it done. Relatively easy. An email to the right person did it.
     
    Last edited: Aug 23, 2021
  3. Garf99

    Garf99 Registered Member

    Joined:
    Oct 14, 2016
    Posts:
    8
    Location:
    USA
    Hi,
    HMPA (3.8.14 build 907) is raising a "Generic ML PUA" alert on a new version of the Photomatix Pro 6 graphics software, on PhotomatixPro6\PhotomatixProcessingServer.exe.
    This seems like a false positive; no other VirusTotal source (including Sophos) detects it. Can you please check and whitelist it if wrong?

    Thanks
     
    Last edited by a moderator: Aug 26, 2021
  4. Garf99

    Garf99 Registered Member

    Joined:
    Oct 14, 2016
    Posts:
    8
    Location:
    USA
    Sorry, wrong VirusTotal link - Sophos is the only engine flagging it as PUA.
     
    Last edited by a moderator: Aug 26, 2021
  5. feerf56

    feerf56 Registered Member

    Joined:
    Feb 24, 2015
    Posts:
    249
    I see such exclamation marks in many places, not just here. What do they mean?

    2021-09-09_080440.jpg
     
  6. Erastus Seymour Pott

    Erastus Seymour Pott Registered Member

    Joined:
    Jan 17, 2017
    Posts:
    12
    Location:
    UK
    Hi,

    Is it possible to change the way the data is formatted in HitmanPro.Alert Windows event log entries?

    At the moment, all the useful data seems to be plonked into a single XML Data field:

    Code:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider Name="HitmanPro.Alert" />
      <EventID Qualifiers="0">911</EventID>
      <Version>0</Version>
      <Level>2</Level>
      <Task>9</Task>
      <Opcode>0</Opcode>
      <Keywords>0x80000000000000</Keywords>
      <TimeCreated SystemTime="2021-06-06T09:31:54.2282584Z" />
      <EventRecordID>36144</EventRecordID>
      <Correlation />
      <Execution ProcessID="0" ThreadID="0" />
      <Channel>Application</Channel>
      <Computer>Computer-Name</Computer>
      <Security />
      </System>
    <EventData>
      <Data>C:\Program Files\Java\jre1.8.0_291\bin\jp2launcher.exe</Data>
      <Data>Lockdown</Data>
      <Data>Mitigation Lockdown Timestamp 2021-06-06T09:31:54 Platform 10.0.19042/x64 v504 06_3f PID 23104 Enabled 005D0A3E1D9921A4 Silent 0048000000000100 Application C:\Program Files\Java\jre1.8.0_291\bin\jp2launcher.exe Created 2021-06-06T09:05:42 Modified 2021-06-06T09:05:42 Description Java(TM) Web Launcher 8 Filename C:\Users\username\AppData\Local\Temp\1622971914128\1622971914128_stunnel.exe Created By C:\Program Files\Java\jre1.8.0_291\bin\jp2launcher.exe Lockdown type: DenyNewFileExecute Command line: "C:\Users\username\AppData\Local\Temp\1622971914128\1622971914128_stunnel.exe" C:\Users\username\AppData\Local\Temp\1622971914128\stunnel.conf Loaded Modules (98) ----------------------------------------------------------------------------- 0000000054B90000-00000000553F0000 C:\Program Files\Java\jre1.8.0_291\bin\server\jvm.dll (Oracle Corporation), version: 8.0.2910.10 0000000180000000-0000000180059000 C:\Users\username\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\34\5a1cda62-3a3808a4-n\SharedLibrary64.dll (), version: 00007FF7D4D30000-00007FF7D4D59000 C:\Program Files\Java\jre1.8.0_291\bin\jp2launcher.exe (Oracle Corporation), version: 11.291.2.10 00007FFCB8DA0000-00007FFCBB1AE000 C:\Users\username\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\34\5a1cda62-3a3808a4-n\iKVM64.dll (), version: 00007FFCD78C0000-00007FFCD7A55000 C:\Program Files\Java\jre1.8.0_291\bin\awt.dll (Oracle Corporation), version: 8.0.2910.10 00007FFCF4EB0000-00007FFCF4FD6000 C:\WINDOWS\system32\opengl32.dll (Microsoft Corporation), version: 10.0.19041.928 (WinBuild.160101.0800) 00007FFCF5860000-00007FFCF588C000 C:\WINDOWS\SYSTEM32\GLU32.dll (Microsoft Corporation), version: 10.0.19041.844 (WinBuild.160101.0800)
     
      SNIP
     
      00007FFD3E610000-00007FFD3E805000 C:\Windows\System32\ntdll.dll (Microsoft Corporation), version: 10.0.19041.964 (WinBuild.160101.0800) Process Trace 1 C:\Program Files\Java\jre1.8.0_291\bin\jp2launcher.exe [23104] "C:\Program Files\Java\jre1.8.0_291\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre1.8.0_291" -vma LWN...EZp 2 C:\Program Files\Java\jre1.8.0_291\bin\javaws.exe [10220] "C:\Program Files\Java\jre1.8.0_291\bin\javaws.exe" "C:\Users\username\AppData\Local\Microsoft\Windows\INetCache\IE\O5QEAJHB\launch.jnlp" 3 C:\Program Files\Java\jre1.8.0_291\bin\jp2launcher.exe [13340] "C:\Program Files\Java\jre1.8.0_291\bin\jp2launcher.exe" -securejws "C:\Users\username\AppData\Local\Microsoft\Windows\INetCache\IE\O5QEAJHB\launch.jnlp" 4 C:\Program Files\Internet Explorer\iexplore.exe [21576] 5 C:\Windows\explorer.exe [7340] 6 C:\Windows\System32\userinit.exe [7304] 7 C:\Windows\System32\winlogon.exe [1040] winlogon.exe 8 C:\Windows\System32\smss.exe [908] \SystemRoot\System32\smss.exe 000000d0 00000084 9 C:\Windows\System32\smss.exe [548] \SystemRoot\System32\smss.exe Thumbprint f794850c18b27f5eec1cf3eadb3580384a177baa40024f17747ce0575f7a6a66</Data>
      </EventData>
      </Event>
    Would it be possible to break the data out into named data fields? i.e.:

    Code:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider Name="HitmanPro.Alert" />
      <EventID Qualifiers="0">911</EventID>
      <Version>0</Version>
      <Level>2</Level>
      <Task>9</Task>
      <Opcode>0</Opcode>
      <Keywords>0x80000000000000</Keywords>
      <TimeCreated SystemTime="2021-06-06T09:31:54.2282584Z" />
      <EventRecordID>36144</EventRecordID>
      <Correlation />
      <Execution ProcessID="0" ThreadID="0" />
      <Channel>Application</Channel>
      <Computer>Computer-Name</Computer>
      <Security />
      </System>
    <EventData>
      <Data Name="Mitigation">Lockdown</Data>
      <Data Name="Timestamp">2021-06-06T09:31:54</Data>
      <Data Name="Platform">10.0.19042/x64 v504 06_3f</Data>
      <Data Name="PID">23104</Data>
      <Data Name="Enabled">005D0A3E1D9921A4</Data>
      <Data Name="Silent">0048000000000100</Data>
      <Data Name="Application">C:\Program Files\Java\jre1.8.0_291\bin\jp2launcher.exe</Data>
      <Data Name="Created">2021-06-06T09:05:42</Data>
      <Data Name="Modified">2021-06-06T09:05:42</Data>
      <Data Name="Description">Java(TM) Web Launcher 8</Data>
      <Data Name="Filename">C:\Users\username\AppData\Local\Temp\1622971914128\1622971914128_stunnel.exe</Data>
      <Data Name="Created By">C:\Program Files\Java\jre1.8.0_291\bin\jp2launcher.exe</Data>
      <Data Name="Mitigation Type">DenyNewFileExecute</Data>
      <Data Name="Command Line">"C:\Users\username\AppData\Local\Temp\1622971914128\1622971914128_stunnel.exe" C:\Users\username\AppData\Local\Temp\1622971914128\stunnel.conf</Data>
      <Data Name="Loaded Modules">(98) ----------------------------------------------------------------------------- 0000000054B90000-00000000553F0000 C:\Program Files\Java\jre1.8.0_291\bin\server\jvm.dll (Oracle Corporation), version: 8.0.2910.10 0000000180000000-0000000180059000 C:\Users\username\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\34\5a1cda62-3a3808a4-n\SharedLibrary64.dll (), version: 00007FF7D4D30000-00007FF7D4D59000 C:\Program Files\Java\jre1.8.0_291\bin\jp2launcher.exe (Oracle Corporation), version: 11.291.2.10 00007FFCB8DA0000-00007FFCBB1AE000 C:\Users\username\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\34\5a1cda62-3a3808a4-n\iKVM64.dll (), version: 00007FFCD78C0000-00007FFCD7A55000 C:\Program Files\Java\jre1.8.0_291\bin\awt.dll (Oracle Corporation), version: 8.0.2910.10 00007FFCF4EB0000-00007FFCF4FD6000 C:\WINDOWS\system32\opengl32.dll (Microsoft Corporation), version: 10.0.19041.928 (WinBuild.160101.0800) 00007FFCF5860000-00007FFCF588C000 C:\WINDOWS\SYSTEM32\GLU32.dll (Microsoft Corporation), version: 10.0.19041.844 (WinBuild.160101.0800)
     
      SNIP
     
      00007FFD3E610000-00007FFD3E805000 C:\Windows\System32\ntdll.dll (Microsoft Corporation), version: 10.0.19041.964 (WinBuild.160101.0800) Process Trace 1 C:\Program Files\Java\jre1.8.0_291\bin\jp2launcher.exe [23104] "C:\Program Files\Java\jre1.8.0_291\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre1.8.0_291" -vma LWN...EZp 2 C:\Program Files\Java\jre1.8.0_291\bin\javaws.exe [10220] "C:\Program Files\Java\jre1.8.0_291\bin\javaws.exe" "C:\Users\username\AppData\Local\Microsoft\Windows\INetCache\IE\O5QEAJHB\launch.jnlp" 3 C:\Program Files\Java\jre1.8.0_291\bin\jp2launcher.exe [13340] "C:\Program Files\Java\jre1.8.0_291\bin\jp2launcher.exe" -securejws "C:\Users\username\AppData\Local\Microsoft\Windows\INetCache\IE\O5QEAJHB\launch.jnlp" 4 C:\Program Files\Internet Explorer\iexplore.exe [21576] 5 C:\Windows\explorer.exe [7340] 6 C:\Windows\System32\userinit.exe [7304] 7 C:\Windows\System32\winlogon.exe [1040] winlogon.exe 8 C:\Windows\System32\smss.exe [908] \SystemRoot\System32\smss.exe 000000d0 00000084 9 C:\Windows\System32\smss.exe [548] \SystemRoot\System32\smss.exe Thumbprint f794850c18b27f5eec1cf3eadb3580384a177baa40024f17747ce0575f7a6a66</Data>
      </EventData>
      </Event>
    This would help with central monitoring and subsequent parsing of the event log entries with other tools.

    Thanks
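
Until the provider emits named fields, the flattened Data string above can still be turned into structured records on the collector side. The following Python is an added example, not HitmanPro.Alert or Sophos code (HMPA does not document this layout): it reads an exported Event element, slices the third Data element at the labels visible in the posted event, extracts the Process Trace as (index, image, PID) tuples and applies a small triage rule. The LABELS list, the WEB_HOSTS watch list, the triage wording and the abridged SAMPLE_EVENT are assumptions drawn from that one post; a label that is missing from the list simply stays inside the preceding value instead of breaking the parse.

```python
"""Added example: turn a HitmanPro.Alert event whose EventData is one
flattened "Label value Label value ..." string into named fields.
Not HMPA/Sophos code; the label list is inferred from one posted event."""
import json
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Labels seen in the posted event (assumption: HMPA does not document them).
# Longer labels come first so "Created By" is not cut into "Created" + "By".
LABELS = [
    "Created By", "Lockdown type:", "Command line:", "Loaded Modules",
    "Process Trace", "Mitigation", "Timestamp", "Platform", "PID",
    "Enabled", "Silent", "Application", "Created", "Modified",
    "Description", "Filename", "Thumbprint",
]
LABEL_RE = re.compile(
    r"(?<!\S)(" + "|".join(re.escape(k) for k in LABELS) + r")(?=\s)")
# "N <image path> [PID]" entries; a command line following the PID is skipped.
TRACE_RE = re.compile(r"(?<!\S)(\d+) ((?:[A-Za-z]:\\|\\).*?) \[(\d+)\]")
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Hypothetical watch list of browser / Java Web Start hosts for the triage rule.
WEB_HOSTS = {"iexplore.exe", "firefox.exe", "chrome.exe", "msedge.exe",
             "javaws.exe", "jp2launcher.exe"}


def split_fields(flat: str) -> dict:
    """Each value runs from its label to the next known label (or the end)."""
    hits = list(LABEL_RE.finditer(flat))
    fields = {}
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(flat)
        fields[m.group(1).rstrip(":")] = flat[m.end():end].strip()
    return fields


def parse_process_trace(text: str) -> list:
    """Ancestry chain as (index, image path, pid), child first."""
    return [(int(n), path, int(pid)) for n, path, pid in TRACE_RE.findall(text)]


def parse_hmpa_event(xml_text: str) -> dict:
    """Parse one Event element as exported by Event Viewer or wevtutil."""
    root = ET.fromstring(xml_text)
    sysnode = root.find("e:System", NS)
    data = [d.text or "" for d in root.findall("e:EventData/e:Data", NS)]
    fields = split_fields(data[2]) if len(data) > 2 else {}
    return {
        "event_id": int(sysnode.findtext("e:EventID", namespaces=NS)),
        "time_created": sysnode.find("e:TimeCreated", NS).get("SystemTime"),
        "computer": sysnode.findtext("e:Computer", namespaces=NS),
        "application": data[0] if data else "",
        "mitigation": data[1] if len(data) > 1 else "",
        "fields": fields,
        "process_trace": parse_process_trace(fields.get("Process Trace", "")),
    }


def triage(ev: dict) -> list:
    """Reasons to look at a Lockdown event before excluding it as a false
    positive: a freshly dropped file under %TEMP% executed from a browser
    or Java Web Start ancestry is what a drive-by chain looks like."""
    reasons = []
    if TEMP_RE.search(ev["fields"].get("Filename", "")):
        reasons.append("blocked file lives under %TEMP%")
    hosts = sorted({p.rsplit("\\", 1)[-1].lower()
                    for _, p, _ in ev["process_trace"]} & WEB_HOSTS)
    if hosts:
        reasons.append("launched via " + ", ".join(hosts))
    return reasons


# Constructed sample: the event from the post above, abridged (two modules,
# five trace entries) and wrapped only at label or trace-entry boundaries.
SAMPLE_EVENT = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="HitmanPro.Alert" /><EventID Qualifiers="0">911</EventID>
<TimeCreated SystemTime="2021-06-06T09:31:54.2282584Z" /><Channel>Application</Channel>
<Computer>Computer-Name</Computer></System>
<EventData>
<Data>C:\Program Files\Java\jre1.8.0_291\bin\jp2launcher.exe</Data>
<Data>Lockdown</Data>
<Data>Mitigation Lockdown Timestamp 2021-06-06T09:31:54 Platform 10.0.19042/x64 v504 06_3f PID 23104
Enabled 005D0A3E1D9921A4 Silent 0048000000000100
Application C:\Program Files\Java\jre1.8.0_291\bin\jp2launcher.exe
Created 2021-06-06T09:05:42 Modified 2021-06-06T09:05:42 Description Java(TM) Web Launcher 8
Filename C:\Users\username\AppData\Local\Temp\1622971914128\1622971914128_stunnel.exe
Created By C:\Program Files\Java\jre1.8.0_291\bin\jp2launcher.exe
Lockdown type: DenyNewFileExecute
Command line: "C:\Users\username\AppData\Local\Temp\1622971914128\1622971914128_stunnel.exe" C:\Users\username\AppData\Local\Temp\1622971914128\stunnel.conf
Loaded Modules (2) ----- 0000000054B90000-00000000553F0000 C:\Program Files\Java\jre1.8.0_291\bin\server\jvm.dll (Oracle Corporation), version: 8.0.2910.10 00007FFD3E610000-00007FFD3E805000 C:\Windows\System32\ntdll.dll (Microsoft Corporation), version: 10.0.19041.964 (WinBuild.160101.0800)
Process Trace 1 C:\Program Files\Java\jre1.8.0_291\bin\jp2launcher.exe [23104] "C:\Program Files\Java\jre1.8.0_291\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre1.8.0_291" -vma LWN...EZp
2 C:\Program Files\Java\jre1.8.0_291\bin\javaws.exe [10220] "C:\Program Files\Java\jre1.8.0_291\bin\javaws.exe" "C:\Users\username\AppData\Local\Microsoft\Windows\INetCache\IE\O5QEAJHB\launch.jnlp"
3 C:\Program Files\Java\jre1.8.0_291\bin\jp2launcher.exe [13340] "C:\Program Files\Java\jre1.8.0_291\bin\jp2launcher.exe" -securejws "C:\Users\username\AppData\Local\Microsoft\Windows\INetCache\IE\O5QEAJHB\launch.jnlp"
4 C:\Program Files\Internet Explorer\iexplore.exe [21576] 5 C:\Windows\explorer.exe [7340]
Thumbprint f794850c18b27f5eec1cf3eadb3580384a177baa40024f17747ce0575f7a6a66</Data>
</EventData>
</Event>"""

if __name__ == "__main__":
    event = parse_hmpa_event(SAMPLE_EVENT)
    print(json.dumps({k: v for k, v in event.items() if k != "fields"}, indent=2))
    print(json.dumps(event["fields"], indent=2))
    print("triage:", triage(event))
```

For live data, `wevtutil qe Application /q:"*[System[Provider[@Name='HitmanPro.Alert']]]" /f:xml` emits the same Event elements back to back (no enclosing root), so split them and feed each one to parse_hmpa_event separately. The label slicing is a heuristic: a value that itself contains one of the labels as a standalone word would be cut short, which is exactly why named Data fields from the provider would be the better fix.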
     
  7. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,558
    Location:
    Outer space
    Yeah, I see them in Exploit Mitigation -> Applications.
     
  8. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,394
    Location:
    Under a bushel ...
    Many applications here, but don't see any with '!' ...
     
  9. feerf56

    feerf56 Registered Member

    Joined:
    Feb 24, 2015
    Posts:
    249
    Why? What do they mean?
     
  10. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,558
    Location:
    Outer space
    I have no idea.
    hmpa.png
    When I click on Brave or Firefox, everything looks fine and I don't have exclamation marks on the mitigations itself.
     
  11. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    9,062
    Location:
    Among the gum trees
    Kinda weird. I don't have those exclamation marks on those programs here.
     
  12. Adric

    Adric Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    1,488
    When I uncheck one of the mitigation check boxes for a certain app, I see the exclamation mark. Reverting to defaults or enabling the checkbox(s) you disabled will remove the exclamation mark. At least it does for me.
     
    Last edited: Sep 14, 2021
  13. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,558
    Location:
    Outer space
    Ah yes, that seems to be it. I have all exploit mitigations enabled for Firefox and Brave, but not keystroke encryption. Though keystroke encryption is in the Safe Browsing menu, not the Exploit Mitigations menu, and there is no exclamation mark in the browser list. Enabling keystroke encryption does remove the exclamation mark in the list of applications in the Exploit Mitigations menu, though.
     
  14. feerf56

    feerf56 Registered Member

    Joined:
    Feb 24, 2015
    Posts:
    249
    Then it probably warns you about a deviation from the default (recommended) setting.
     
  15. Libraman

    Libraman Registered Member

    Joined:
    Apr 26, 2016
    Posts:
    107
    I think so.
     
  16. osmandemi

    osmandemi Registered Member

    Joined:
    May 5, 2010
    Posts:
    81
    norton security pua o_O
     

  17. plat1098

    plat1098 Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    1,155
    Location:
    Brooklyn, NY
    From the scanner's point of view, it's legitimate. Is there an option to skip over it next time HitmanPro scans? If not, maybe SurfRight can add that option or some other method since Norton has such a large consumer base.

    Still, it would be strange to whitelist mining software. But anyway.
     
  18. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,011
    Location:
    .
    Last edited: Sep 18, 2021
  19. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    991
    Properties
    Name NCrypt.exe
    Location C:\Program Files\Norton Security\Engine\22.21.8.62
    Size 3.9 MB
    Time 0.0 days ago (2021-09-19 14:21:56)
    Authenticode Valid
    Entropy 6.4
    Product NCrypt.
    Publisher NortonLifeLock Inc.
    Description NCrypt binary.
    Version 1.0.0.59
    Copyright Copyright (c) 2021 NortonLifeLock Inc.
    RSA Key Size 2048
    LanguageID 1033
    SHA-256 31E9FC77A07D3F6DE9D0B9687D7D28786BE04E41413F454670814B94929F0FBE
     
  20. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    356
    Location:
    Planet Earth
    Correct
     
  21. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    356
    Location:
    Planet Earth
    Yeah, that's their coinminer. We're looking into it, but I'm pretty sure we'll flag that again in the future.
     
  22. abbs

    abbs Registered Member

    Joined:
    Sep 14, 2018
    Posts:
    36
    Location:
    Nederlands
  23. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,036
    Location:
    Baden Germany
    A miner within a security software is a No-Go.
    Please flag and kick out Norton.
     
  24. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    9,062
    Location:
    Among the gum trees
    Another issue with 0Patch.
    Mitigation ROP
    Timestamp 2021-10-13T19:40:50

    Platform 10.0.19043/x64 v911 06_5e
    PID 15280
    Feature 007D1A345FBFB0B6
    Application C:\Program Files\Mozilla Firefox\firefox.exe
    Created 2021-10-05T13:55:54
    Description Firefox 93

    Callee Type LoadLibrary
    C:\Program Files (x86)\0patch\Agent\0patchLoaderX64.dll
    0x00007FFC50E70000 (8192 bytes)

    Stack Trace
    # Address Module Location
    -- ---------------- ------------------------ ----------------------------------------
    1 00007FFC50E104B6 (anonymous)

    2 00007FFC50D2C1E8 ntdll.dll
    a0c5c150fc7f000020 MOV AL, [0x2000007ffc50c1c5]
    c3 RET


    Loaded Modules (31)
    -----------------------------------------------------------------------------
    00007FF685A10000-00007FF685AA9000 firefox.exe (Mozilla Corporation),
    version: 93.0
    00007FFC50C10000-00007FFC50E05000 ntdll.dll (Microsoft Corporation),
    version: 10.0.19041.1288 (WinBuild.160101.0800)
    00007FFC4F580000-00007FFC4F63E000 KERNEL32.dll (Microsoft Corporation),
    version: 10.0.19041.1202 (WinBuild.160101.0800)
    00007FFC4E150000-00007FFC4E266000 hmpalert.dll (SurfRight B.V.),
    version: 3.8.15.911
    00007FFC4E630000-00007FFC4E8F9000 KERNELBASE.dll (Microsoft Corporation),
    version: 10.0.19041.1202 (WinBuild.160101.0800)
    00000000712B0000-00000000715DA000 IPSEng64.dll (Broadcom),
    version: 17.2.6.25
    00007FFC4FFB0000-00007FFC5005C000 ADVAPI32.dll (Microsoft Corporation),
    version: 10.0.19041.1052 (WinBuild.160101.0800)
    00007FFC4EC60000-00007FFC4ECFE000 msvcrt.dll (Microsoft Corporation),
    version: 7.0.19041.546 (WinBuild.160101.0800)
    00007FFC4F300000-00007FFC4F39B000 sechost.dll (Microsoft Corporation),
    version: 10.0.19041.906 (WinBuild.160101.0800)
    00007FFC50060000-00007FFC5018A000 RPCRT4.dll (Microsoft Corporation),
    version: 10.0.19041.1288 (WinBuild.160101.0800)
    00007FFC4FE00000-00007FFC4FE08000 PSAPI.DLL (Microsoft Corporation),
    version: 10.0.19041.546 (WinBuild.160101.0800)
    00007FFC4E420000-00007FFC4E520000 ucrtbase.dll (Microsoft Corporation),
    version: 10.0.19041.789 (WinBuild.160101.0800)
    00007FFC476B0000-00007FFC47745000 mozglue.dll (Mozilla Foundation),
    version: 93.0
    00007FFC4E9C0000-00007FFC4EB16000 CRYPT32.dll (Microsoft Corporation),
    version: 10.0.19041.1202 (WinBuild.160101.0800)
    000001A5AA320000-000001A5AA380000 WINTRUST.dll (Microsoft Corporation),
    version: 10.0.19041.1266 (WinBuild.160101.0800)
    00007FFC37FC0000-00007FFC38051000 MSVCP140.dll (Microsoft Corporation),
    version: 14.27.29112.0 built by: vcwrkspc
    00007FFC37FA0000-00007FFC37FB9000 VCRUNTIME140.dll (Microsoft Corporation),
    version: 14.27.29112.0 built by: vcwrkspc
    00007FFC4DCF0000-00007FFC4DED4000 dbghelp.dll (Microsoft Corporation),
    version: 10.0.19041.867 (WinBuild.160101.0800)
    00007FFC4DEE0000-00007FFC4DEEA000 VERSION.dll (Microsoft Corporation),
    version: 10.0.19041.546 (WinBuild.160101.0800)
    00007FFC37F90000-00007FFC37F9C000 VCRUNTIME140_1.dll (Microsoft Corporation),
    version: 14.27.29112.0 built by: vcwrkspc
    00007FFC4D7D0000-00007FFC4D7DC000 CRYPTBASE.DLL (Microsoft Corporation),
    version: 10.0.19041.546 (WinBuild.160101.0800)
    00007FFC4DA50000-00007FFC4DA62000 MSASN1.dll (Microsoft Corporation),
    version: 10.0.19041.546 (WinBuild.160101.0800)
    00007FFC4DFA0000-00007FFC4E060000 0patchLoaderX64.dll (Acros Security),
    version: 21.05.05.10500
    00007FFC4F0C0000-00007FFC4F261000 USER32.dll (Microsoft Corporation),
    version: 10.0.19041.1202 (WinBuild.160101.0800)
    00007FFC4E990000-00007FFC4E9B2000 win32u.dll (Microsoft Corporation),
    version: 10.0.19041.1288 (WinBuild.160101.0800)
    00007FFC4F270000-00007FFC4F29B000 GDI32.dll (Microsoft Corporation),
    version: 10.0.19041.1202 (WinBuild.160101.0800)
    00007FFC4E520000-00007FFC4E62B000 gdi32full.dll (Microsoft Corporation),
    version: 10.0.19041.1110 (WinBuild.160101.0800)
    00007FFC4E330000-00007FFC4E3CD000 msvcp_win.dll (Microsoft Corporation),
    version: 10.0.19041.789 (WinBuild.160101.0800)
    00007FFC4DCC0000-00007FFC4DCEC000 dbgcore.DLL (Microsoft Corporation),
    version: 10.0.19041.789 (WinBuild.160101.0800)
    00007FFC50220000-00007FFC50250000 IMM32.DLL (Microsoft Corporation),
    version: 10.0.19041.546 (WinBuild.160101.0800)
    00007FFC4DC80000-00007FFC4DCB3000 ntmarta.dll (Microsoft Corporation),
    version: 10.0.19041.546 (WinBuild.160101.0800)

    Code Injection
    000001A5A93CF000-000001A5A93D0000 4KB C:\Program Files\Mozilla Firefox\firefox.exe [5404]
    00007FFC50CAD000-00007FFC50CAE000 4KB
    00007FFC50CAF000-00007FFC50CB0000 4KB
    00007FFC50CAC000-00007FFC50CAD000 4KB
    0000000000350000-0000000000351000 4KB
    1 C:\Program Files\Mozilla Firefox\firefox.exe [5404]
    2 C:\Program Files\Mozilla Firefox\firefox.exe [10920]
    3 C:\Windows\explorer.exe [792]

    Process Trace
    1 C:\Program Files\Mozilla Firefox\firefox.exe [15280]
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5404.4.936363382\804809088" -childID 3 -isForBrowser -prefsHandle 4884 -prefMapHandle 4864 -prefsLen 5985 -prefMapSize 263615 -jsInit 1768 286204 -parentBuildID 20210927210923 -appdir "
    2 C:\Program Files\Mozilla Firefox\firefox.exe [5404]
    3 C:\Program Files\Mozilla Firefox\firefox.exe [10920]
    4 C:\Windows\explorer.exe [792]

    Dropped Files
    1 C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\q6zme4ma.default-release\places.sqlite-shm
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [5404]
    2 C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\q6zme4ma.default-release\favicons.sqlite-shm
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [5404]
    3 C:\Users\David\AppData\Local\Mozilla\Firefox\Profiles\q6zme4ma.default-release\cache2\entries\BB95D0607349D05725D5FE01D4FB300E319072AD
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [5404]
    4 C:\Users\David\AppData\Local\Mozilla\Firefox\Profiles\q6zme4ma.default-release\cache2\entries\58076067EBEB56951E5BA3FCA84F5F2CE2203F7A
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [5404]
    5 C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\q6zme4ma.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shm
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [5404]
    6 C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\q6zme4ma.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-wal
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [5404]
    7 C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\q6zme4ma.default-release\search.json.mozlz4
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [5404]
    8 C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\update-config.json
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [5404]
    9 C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\q6zme4ma.default-release\extension-settings.json.tmp
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [5404]
    10 C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\q6zme4ma.default-release\datareporting\glean\db\data.safe.bin
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [5404]
    11 C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\q6zme4ma.default-release\prefs-2.js
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [5404]
    12 C:\Users\David\AppData\Local\Mozilla\Firefox\Profiles\q6zme4ma.default-release\cache2\entries\608D9D243E56D55EAE70EF3DF04BCA909D72319D
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [5404]
    13 C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\q6zme4ma.default-release\storage.sqlite-journal
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [5404]
    14 C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\q6zme4ma.default-release\storage\default\moz-extension+++da74ebad-64c8-4e3a-bfb3-749c98aa23b9^userContextId=4294967295\idb\3647222921wleabcEoxlt-eengsairo.sqlite-shm
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [5404]
    15 C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\q6zme4ma.default-release\storage\default\moz-extension+++da74ebad-64c8-4e3a-bfb3-749c98aa23b9^userContextId=4294967295\idb\3647222921wleabcEoxlt-eengsairo.sqlite-wal
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [5404]
    16 C:\Users\David\AppData\Local\Mozilla\Firefox\Profiles\q6zme4ma.default-release\cache2\entries\679F117B4E71841CD87443F1C6F249C166F43F9E
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [5404]
    17 C:\Users\David\AppData\Local\Mozilla\Firefox\Profiles\q6zme4ma.default-release\startupCache\webext.sc.lz4.tmp
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [5404]
    18 C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\q6zme4ma.default-release\storage\default\moz-extension+++d9d93efc-ee86-4a7d-b5fc-9e3c5da4771e^userContextId=4294967295\idb\3647222921wleabcEoxlt-eengsairo.sqlite-shm
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [5404]
    1 C:\Users\David\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat
    Dropped by \Device\HarddiskVolume4\Windows\explorer.exe [792]
    2 C:\Users\David\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442
    Dropped by \Device\HarddiskVolume4\Windows\explorer.exe [792]
    3 C:\Users\David\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442
    Dropped by \Device\HarddiskVolume4\Windows\explorer.exe [792]
    4 C:\Users\David\AppData\Local\Microsoft\Windows\INetCache\IE\RA3W2Q7R\AAehLNN[1].svg
    Dropped by \Device\HarddiskVolume4\Windows\explorer.exe [792]
    Read by \Device\HarddiskVolume4\Windows\explorer.exe [792]

    Thumbprints
    N/A
     
  25. senf123

    senf123 Registered Member

    Joined:
    Mar 14, 2010
    Posts:
    1
    New Adguard update: FP?

    Mitigation MalwareBlocked
    Timestamp 2021-10-14T07:03:12

    Platform 10.0.19042/x64 v907 af_50
    PID 988
    Application C:\Program Files (x86)\Adguard\AdguardSvc.exe
    Created 2021-04-23T22:44:04
    Description CXmail/MalPE-DQ


    Process Trace
    1 C:\Windows\System32\services.exe [988] 2021-10-14T06:53:15
    2 C:\Windows\System32\wininit.exe [912] 2021-10-14T06:53:15
    wininit.exe
    3 C:\Windows\System32\smss.exe [700] 2021-10-14T06:53:14 747ms
    \SystemRoot\System32\smss.exe 00000104 00000084
    4 C:\Windows\System32\smss.exe [548] 2021-10-14T06:53:13
    \SystemRoot\System32\smss.exe

    Dropped Files

    Thumbprints
    2d176f55f611195319e57d4634cf45c87cf1fdc2f69305f0e0055e349073e942
     