HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    597
    I see how what I wrote could have been misunderstood. Here's what happened: HMPA intercepted the ESET Online Scanner and issued the alert automatically. I then manually added the scanner to the exploit mitigations, and the next time I launched the scanner, there were no alerts and the scanner ran normally.
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    OK my bad, then I indeed misunderstood. It seems to be a false positive from HMPA in this case.
     
  3. Ragdd

    Ragdd Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    5
It's the Local Privilege Mitigation option that causes the problems with WLM.
     
  4. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    597
    :thumb:
     
  5. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    714
    Location:
    Planet Earth
    Nope, HeapHeap is global/machine wide, we'll take action on your end.
     
  6. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    714
    Location:
    Planet Earth
Okay, weird. I'd suggest leaving it off for now.
    I'll see if we can reproduce this, do you have any other security software installed?
     
  7. Ragdd

    Ragdd Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    5
Kaspersky Standard anti-virus (paid version).
     
  8. Erastus Seymour Pott

    Erastus Seymour Pott Registered Member

    Joined:
    Jan 17, 2017
    Posts:
    15
    Location:
    UK
    Crypto Guard kicked in for me last night when applying the latest Windows Update KB5034441: Windows Recovery Environment update for Windows 10, version 21H2 and 22H2: January 9, 2024 - Microsoft Support

    Code:
    KB5034441
    
    Windows Recovery Environment Update Installer
    
    C:\Windows\Temp\IXP000.TMP\WinREUpdateInstaller.exe
     
    The application has accessed and encrypted multiple productivity files (documents, photos and similar file types). This is indicative of a crypto-ransomware attack. The manipulated files were restored to their original state.
    
    MITRE ATT&CK
    
    Data Destruction - ID: T1485, Tactic: Impact
    Data Encrypted for Impact - ID: T1486, Tactic: Impact
    
    Details
    
    Mitigation   CryptoGuard
    Timestamp    2024-01-09T19:36:18
    
    Platform     10.0.19045/x64 v977 06_9e
    PID          12912
    Application  C:\Windows\Temp\IXP000.TMP\WinREUpdateInstaller.exe
    Created      2024-01-09T19:35:35
    Description  Windows Recovery Environment Update Installer 10
    
    Filename     C:\Windows\Temp\IXP000.TMP\WinREUpdateInstaller.exe
    
    Detection    Generic.Ransom.C
    
     1*C:\$WinREAgent\Scratch\Mount\Windows\WinSxS\x86_microsoft-windows-s..llers-onecore-extra_31bf3856ad364e35_10.0.19041.3745_none_3c4a0593c0370964\sppinst.dll
       Opened L37232, Read T37376|100% H32768|^431398 #1,w6,LT
    
     2*C:\Windows\TEMP\de10e23f-17f5-4fcd-9cc3-06e1a903fe62
       Overwritten L0, Read T23552 H19116|^241, Write T23552 H19116|^241 #2,r5,LT
    
     3 C:\$WinREAgent\Scratch\Mount\Windows\WinSxS\x86_microsoft-windows-s..k-transformers-core_31bf3856ad364e35_10.0.19041.3745_none_84a2dd11d26f2c9c\PrimitiveTransformers.dll
       Opened L49648, Read T49664|100% H32768 #3
    
     4*C:\Windows\TEMP\b24c8964-40d5-44f6-a1da-b08f07bf4269
       Overwritten L0, Read T33280 H28672|^257, Write T33280 H28672|^257 #4,r10,LT
    
     5*C:\$WinREAgent\Scratch\Mount\Windows\WinSxS\x86_microsoft-windows-s..ingstack-base-extra_31bf3856ad364e35_10.0.19041.3745_none_37742d83c051b104\SetIEInstalledDateAI.dll
       Opened L23520, Read T23552|100% H23520|^344275 #5,w2,LT
    
     6*C:\Windows\TEMP\3b2bf574-8091-4161-b7f1-146132aa5df8
       Overwritten L0, Read T37888 H28672|^256, Write T37888 H28672|^256 #6,r1,LT
    
     7 C:\$WinREAgent\Scratch\Mount\Windows\WinSxS\x86_microsoft-windows-s..ingstack-base-extra_31bf3856ad364e35_10.0.19041.3745_none_37742d83c051b104\servicemodelregai.dll
       Opened L74728, Read T74752|100% H32768|^338392 #7
    
     8 C:\Windows\TEMP\de10e23f-17f5-4fcd-9cc3-06e1a903fe62
       Overwritten L0, Read T16896 H16804|^251, Write T16896 H16804|^251 #8
    
     9 C:\$WinREAgent\Scratch\Mount\Windows\WinSxS\x86_microsoft-windows-s..ingstack-base-extra_31bf3856ad364e35_10.0.19041.3745_none_37742d83c051b104\PrintAdvancedInstaller.dll
       Opened L92656, Read T92672|100% H32768|^299489 #9
    
    10*C:\$WinREAgent\Scratch\Mount\Windows\WinSxS\x86_microsoft-windows-s..ingstack-base-extra_31bf3856ad364e35_10.0.19041.3745_none_37742d83c051b104\peerdistai.dll
       Opened L33136, Read T33280|100% H32768|^363570 #10,w4,LT
    
    11*C:\Windows\TEMP\c745e4f6-f6f5-4c82-9692-f8c6feddfaed
       Overwritten L0, Read T25600 H25470|^268, Write T25600 H25470|^268 #11,r12,LT
    
    12*C:\$WinREAgent\Scratch\Mount\Windows\WinSxS\x86_microsoft-windows-s..ingstack-base-extra_31bf3856ad364e35_10.0.19041.3745_none_37742d83c051b104\netfxconfig.dll
       Opened L27008, Read T27136|100% H27008|^264753 #12,w11,LT
    
    13 C:\Windows\TEMP\3b2bf574-8091-4161-b7f1-146132aa5df8
       Overwritten L0, Read T16896 H16440|^223, Write T16896 H16440|^223 #13
    
    14 C:\$WinREAgent\Scratch\Mount\Windows\WinSxS\x86_microsoft-windows-s..ingstack-base-extra_31bf3856ad364e35_10.0.19041.3745_none_37742d83c051b104\msdtcadvancedinstaller.dll
       Opened L53736, Read T53760|100% H32768|^400906 #14
    
    15 C:\Windows\TEMP\c745e4f6-f6f5-4c82-9692-f8c6feddfaed
       Overwritten L0, Read T16896 H16474|^262, Write T16896 H16474|^262 #15
    
    16*C:\$WinREAgent\Scratch\Mount\Windows\WinSxS\x86_microsoft-windows-s..ingstack-base-extra_31bf3856ad364e35_10.0.19041.3745_none_37742d83c051b104\IEFileInstallAI.dll
       Opened L34272, Read T34304|100% H32768|^372473 #16,w17,LT
    
    17*C:\Windows\TEMP\b24c8964-40d5-44f6-a1da-b08f07bf4269
       Overwritten L0, Read T35840 H24576|^240, Write T35840 H24576|^240 #17,r16,LT
    
    
    
    Loaded Modules (57)
    -----------------------------------------------------------------------------
    00007FF702910000-00007FF70292A000 WinREUpdateInstaller.exe (Microsoft Corporation),
                                      Version: 10.0.19041.3929
    00007FFFF05F0000-00007FFFF07E8000 ntdll.dll (Microsoft Corporation),
                                      Version: 10.0.19041.3693
    00007FFFEFCE0000-00007FFFEFD9D000 KERNEL32.dll (Microsoft Corporation),
                                      Version: 10.0.19041.3636
    00007FFFED910000-00007FFFEDA57000 hmpalert.dll (Sophos B.V.),
                                      Version: 3.8.25.977
    00007FFFEE240000-00007FFFEE536000 KERNELBASE.dll (Microsoft Corporation),
                                      Version: 10.0.19041.3803
    00007FFFEE0F0000-00007FFFEE1F0000 ucrtbase.dll (Microsoft Corporation),
                                      Version: 10.0.19041.3636
    00007FFFF0210000-00007FFFF033B000 ole32.dll (Microsoft Corporation),
                                      Version: 10.0.19041.3636
    00007FFFF0060000-00007FFFF0186000 RPCRT4.dll (Microsoft Corporation),
                                      Version: 10.0.19041.3758
    00007FFFEEF50000-00007FFFEF2A4000 combase.dll (Microsoft Corporation),
                                      Version: 10.0.19041.3636
    00007FFFF04C0000-00007FFFF04EC000 GDI32.dll (Microsoft Corporation),
                                      Version: 10.0.19041.3636
    00007FFFEE0C0000-00007FFFEE0E2000 win32u.dll (Microsoft Corporation),
                                      Version: 10.0.19041.3803
    00007FFFEDEC0000-00007FFFEDFDA000 gdi32full.dll (Microsoft Corporation),
                                      Version: 10.0.19041.3803
    00007FFFEE540000-00007FFFEE5DD000 msvcp_win.dll (Microsoft Corporation),
                                      Version: 10.0.19041.3636
    00007FFFEEDB0000-00007FFFEEF4E000 USER32.dll (Microsoft Corporation),
                                      Version: 10.0.19041.3803
    00007FFFEDCD0000-00007FFFEDE2D000 CRYPT32.dll (Microsoft Corporation),
                                      Version: 10.0.19041.3636
    00007FFFEF2B0000-00007FFFEF37D000 OLEAUT32.dll (Microsoft Corporation),
                                      Version: 10.0.19041.3636
    00007FFFEE5E0000-00007FFFEE647000 WINTRUST.dll (Microsoft Corporation),
                                      Version: 10.0.19041.3636
    00007FFFF0340000-00007FFFF03DE000 msvcrt.dll (Microsoft Corporation),
                                      Version: 7.0.19041.3636
    00007FFF50B70000-00007FFF50BF7000 WinREAgent.dll (Microsoft Corporation),
                                      Version: 10.0.19041.3929
    00007FFFF03E0000-00007FFFF048F000 ADVAPI32.dll (Microsoft Corporation),
                                      Version: 10.0.19041.3693
    00007FFFEEB80000-00007FFFEEC1C000 sechost.dll (Microsoft Corporation),
                                      Version: 10.0.19041.3636
    00007FFFEE090000-00007FFFEE0B7000 bcrypt.dll (Microsoft Corporation),
                                      Version: 10.0.19041.3636
    00007FFFDFCC0000-00007FFFDFDD1000 DismApi.DLL (Microsoft Corporation),
                                      Version: 10.0.19041.3758
    00007FFF630E0000-00007FFF63123000 WDSCORE.dll (Microsoft Corporation),
                                      Version: 10.0.19041.3636
    00007FFF50A50000-00007FFF50B6A000 ReAgent.dll (Microsoft Corporation),
                                      Version: 10.0.19041.3636
    00007FFFF01F0000-00007FFFF020D000 imagehlp.dll (Microsoft Corporation),
                                      Version: 10.0.19041.3636
    00007FFF50990000-00007FFF50A4E000 WIMGAPI.DLL (Microsoft Corporation),
                                      Version: 10.0.19041.3636
    00007FFFE1A40000-00007FFFE1A4B000 ktmw32.dll (Microsoft Corporation),
                                      Version: 10.0.19041.3636
    00007FFFE2830000-00007FFFE283A000 VERSION.dll (Microsoft Corporation),
                                      Version: 10.0.19041.3636
    00007FFFDD6C0000-00007FFFDD6E9000 Cabinet.dll (Microsoft Corporation),
                                      Version: 5.0.1.1
    00007FFFED750000-00007FFFED762000 MSASN1.dll (Microsoft Corporation),
                                      Version: 10.0.19041.3636
    00007FFFEC3D0000-00007FFFEC3E2000 kernel.appcore.dll (Microsoft Corporation),
                                      Version: 10.0.19041.3758
    00007FFFEDE30000-00007FFFEDEB2000 bcryptPrimitives.dll (Microsoft Corporation),
                                      Version: 10.0.19041.3636
    00007FFFED510000-00007FFFED528000 CRYPTSP.dll (Microsoft Corporation),
                                      Version: 10.0.19041.3636
    00007FFFECBE0000-00007FFFECC14000 rsaenh.dll (Microsoft Corporation),
                                      Version: 10.0.19041.3636
    00007FFFED530000-00007FFFED53C000 CRYPTBASE.dll (Microsoft Corporation),
                                      Version: 10.0.19041.3636
    00007FFFEC3F0000-00007FFFEC413000 gpapi.dll (Microsoft Corporation),
                                      Version: 10.0.19041.3636
    00007FFFEB7F0000-00007FFFEB9D4000 dbghelp.dll (Microsoft Corporation),
                                      Version: 10.0.19041.3636
    00007FFFD9CE0000-00007FFFD9D14000 dbgcore.DLL (Microsoft Corporation),
                                      Version: 10.0.19041.3636
    00007FFF8DDC0000-00007FFF8DE27000 DismCore.dll (Microsoft Corporation),
                                      Version: 10.0.19041.3636
    00007FFF50950000-00007FFF50982000 DismCorePS.dll (Microsoft Corporation),
                                      Version: 10.0.19041.3758
    00007FFFF04F0000-00007FFFF0599000 clbcatq.dll (Microsoft Corporation),
                                      Version: 2001.12.10941.16384
    00007FFFA7DF0000-00007FFFA7E05000 LogProvider.dll (Microsoft Corporation),
                                      Version: 10.0.19041.3636
    00007FFF508E0000-00007FFF508F2000 FolderProvider.dll (Microsoft Corporation),
                                      Version: 10.0.19041.3636
    00007FFF50840000-00007FFF508DF000 FfuProvider.dll (Microsoft Corporation),
                                      Version: 10.0.19041.3636
    00007FFF507A0000-00007FFF50836000 WimProvider.dll (Microsoft Corporation),
                                      Version: 10.0.19041.3636
    00007FFFE4BC0000-00007FFFE4BF6000 XmlLite.dll (Microsoft Corporation),
                                      Version: 10.0.19041.3636
    00007FFFEDC00000-00007FFFEDC25000 profapi.dll (Microsoft Corporation),
                                      Version: 10.0.19041.3636
    00007FFF50710000-00007FFF5079E000 VHDProvider.dll (Microsoft Corporation),
                                      Version: 10.0.19041.3636
    00007FFF506D0000-00007FFF50708000 ImagingProvider.dll (Microsoft Corporation),
                                      Version: 10.0.19041.3636
    00007FFFECD20000-00007FFFECD53000 ntmarta.dll (Microsoft Corporation),
                                      Version: 10.0.19041.3636
    00007FFFD4CC0000-00007FFFD4F1F000 msxml6.dll (Microsoft Corporation),
                                      Version: 6.30.19041.3636
    00007FFF51030000-00007FFF51071000 dismprov.dll (Microsoft Corporation),
                                      Version: 10.0.19041.3636
    00007FFFEDBB0000-00007FFFEDBE2000 sspicli.dll (Microsoft Corporation),
                                      Version: 10.0.19041.3636
    00007FFFED290000-00007FFFED31C000 msv1_0.DLL (Microsoft Corporation),
                                      Version: 10.0.19041.3693
    00007FFFED270000-00007FFFED284000 NtlmShared.dll (Microsoft Corporation),
                                      Version: 10.0.19041.3636
    00007FFFED390000-00007FFFED3A5000 cryptdll.dll (Microsoft Corporation),
                                      Version: 10.0.19041.3636
    
    Process Trace
    1  C:\Windows\Temp\IXP000.TMP\WinREUpdateInstaller.exe [12912]
    2  C:\Windows\SoftwareDistribution\Download\Install\WinREUpdateInstaller_2401B_amd64.exe [9420]
    3  C:\Windows\System32\wuauclt.exe [17512]
       "C:\Windows\system32\wuauclt.exe" /UpdateDeploymentProvider UpdateDeploymentProvider.dll /ClassId ffdc0090-1631-4dac-9d68-89859a140e72 /RunHandlerComServer
    4  C:\Windows\System32\MoUsoCoreWorker.exe [17172]
       C:\Windows\System32\mousocoreworker.exe -Embedding
    5  C:\Windows\System32\svchost.exe [1028]
       C:\Windows\system32\svchost.exe -k DcomLaunch -p
    6  C:\Windows\System32\services.exe [576]
    7  C:\Windows\System32\wininit.exe [944]
       wininit.exe
    
    Services
    1028  BrokerInfrastructure
    1028  DcomLaunch
    1028  PlugPlay
    1028  Power
    1028  SystemEventsBroker
    
    Dropped Files
    1  C:\Windows\TEMP\d03a87a5-19bc-49d4-ad17-e94dfbec924f
         Dropped by \Device\HarddiskVolume4\Windows\Temp\IXP000.TMP\WinREUpdateInstaller.exe [12912]
    2  C:\Windows\TEMP\586f62f8-d293-44fe-b21b-5adf0745682b
         Dropped by \Device\HarddiskVolume4\Windows\Temp\IXP000.TMP\WinREUpdateInstaller.exe [12912]
    3  C:\Windows\TEMP\dc36bb01-e3eb-4679-bc2d-c32cdd6df015
         Dropped by \Device\HarddiskVolume4\Windows\Temp\IXP000.TMP\WinREUpdateInstaller.exe [12912]
    4  C:\Windows\TEMP\0af3b90d-7200-41b0-8844-eda0c6f56661
         Dropped by \Device\HarddiskVolume4\Windows\Temp\IXP000.TMP\WinREUpdateInstaller.exe [12912]
    5  C:\Windows\TEMP\8ab8f449-b798-4889-9618-6b6906043904
         Dropped by \Device\HarddiskVolume4\Windows\Temp\IXP000.TMP\WinREUpdateInstaller.exe [12912]
    6  C:\Windows\TEMP\85659bb3-396a-4679-acca-00034f0d28f2
         Dropped by \Device\HarddiskVolume4\Windows\Temp\IXP000.TMP\WinREUpdateInstaller.exe [12912]
    7  C:\Windows\TEMP\b24c8964-40d5-44f6-a1da-b08f07bf4269
         Dropped by \Device\HarddiskVolume4\Windows\Temp\IXP000.TMP\WinREUpdateInstaller.exe [12912]
    8  C:\Windows\TEMP\c745e4f6-f6f5-4c82-9692-f8c6feddfaed
         Dropped by \Device\HarddiskVolume4\Windows\Temp\IXP000.TMP\WinREUpdateInstaller.exe [12912]
    9  C:\Windows\TEMP\e788725f-21e3-4b87-b528-f36f375dde41
         Dropped by \Device\HarddiskVolume4\Windows\Temp\IXP000.TMP\WinREUpdateInstaller.exe [12912]
    10 C:\Windows\TEMP\eefd7461-ec11-4c87-8f3c-5737564f5d7a
         Dropped by \Device\HarddiskVolume4\Windows\Temp\IXP000.TMP\WinREUpdateInstaller.exe [12912]
    11 C:\Windows\TEMP\c9ac6d04-3146-490d-a048-ba988b30ee32
         Dropped by \Device\HarddiskVolume4\Windows\Temp\IXP000.TMP\WinREUpdateInstaller.exe [12912]
    12 C:\Windows\TEMP\3b2bf574-8091-4161-b7f1-146132aa5df8
         Dropped by \Device\HarddiskVolume4\Windows\Temp\IXP000.TMP\WinREUpdateInstaller.exe [12912]
    13 C:\Windows\TEMP\de10e23f-17f5-4fcd-9cc3-06e1a903fe62
         Dropped by \Device\HarddiskVolume4\Windows\Temp\IXP000.TMP\WinREUpdateInstaller.exe [12912]
    14 C:\Windows\TEMP\d19ee799-dad8-4f28-90d2-f0fd25fb0646
         Dropped by \Device\HarddiskVolume4\Windows\Temp\IXP000.TMP\WinREUpdateInstaller.exe [12912]
    1  C:\Windows\TEMP\IXP000.TMP\TMP4351$.TMP
         Dropped by \Device\HarddiskVolume4\Windows\SoftwareDistribution\Download\Install\WinREUpdateInstaller_2401B_amd64.exe [9420]
    2  C:\Windows\TEMP\IXP000.TMP\SSU-19041.3745-x64.cab
         Dropped by \Device\HarddiskVolume4\Windows\SoftwareDistribution\Download\Install\WinREUpdateInstaller_2401B_amd64.exe [9420]
    3  C:\Windows\TEMP\IXP000.TMP\windows10.0-kb5034232-x64.cab
         Dropped by \Device\HarddiskVolume4\Windows\SoftwareDistribution\Download\Install\WinREUpdateInstaller_2401B_amd64.exe [9420]
    4  C:\Windows\TEMP\IXP000.TMP\windows10.0-kb5034441-x64.cab
         Dropped by \Device\HarddiskVolume4\Windows\SoftwareDistribution\Download\Install\WinREUpdateInstaller_2401B_amd64.exe [9420]
    5  C:\Windows\TEMP\IXP000.TMP\WinREAgent.dll
         Dropped by \Device\HarddiskVolume4\Windows\SoftwareDistribution\Download\Install\WinREUpdateInstaller_2401B_amd64.exe [9420]
    6  C:\Windows\TEMP\IXP000.TMP\WinREServicingMetadata.xml
         Dropped by \Device\HarddiskVolume4\Windows\SoftwareDistribution\Download\Install\WinREUpdateInstaller_2401B_amd64.exe [9420]
    7  C:\Windows\TEMP\IXP000.TMP\WinREUpdateInstaller.exe
         Dropped by \Device\HarddiskVolume4\Windows\SoftwareDistribution\Download\Install\WinREUpdateInstaller_2401B_amd64.exe [9420]
    1  C:\ProgramData\USOPrivate\UpdateStore\store.db-journal
         Dropped by \Device\HarddiskVolume4\Windows\System32\MoUsoCoreWorker.exe [17172]
    2  C:\ProgramData\USOShared\Logs\System\MoUsoCoreWorker.e434cad2-9184-4a69-a4b9-1c3245a6da93.2.etl
         Dropped by \Device\HarddiskVolume4\Windows\System32\MoUsoCoreWorker.exe [17172]
    1  C:\Windows\INF\oem6.PNF
         Dropped by \Device\HarddiskVolume4\Windows\System32\services.exe [576]
    2  C:\Windows\INF\oem28.PNF
         Dropped by \Device\HarddiskVolume4\Windows\System32\services.exe [576]
    3  C:\Windows\INF\oem189.PNF
         Dropped by \Device\HarddiskVolume4\Windows\System32\services.exe [576]
    4  C:\Windows\INF\oem74.PNF
         Dropped by \Device\HarddiskVolume4\Windows\System32\services.exe [576]
    5  C:\Windows\INF\oem205.PNF
         Dropped by \Device\HarddiskVolume4\Windows\System32\services.exe [576]
    6  C:\Windows\INF\oem13.PNF
         Dropped by \Device\HarddiskVolume4\Windows\System32\services.exe [576]
    7  C:\Windows\INF\oem138.PNF
         Dropped by \Device\HarddiskVolume4\Windows\System32\services.exe [576]
    8  C:\Windows\INF\oem202.PNF
         Dropped by \Device\HarddiskVolume4\Windows\System32\services.exe [576]
    9  C:\Windows\INF\oem65.PNF
         Dropped by \Device\HarddiskVolume4\Windows\System32\services.exe [576]
    10 C:\Windows\INF\oem129.PNF
         Dropped by \Device\HarddiskVolume4\Windows\System32\services.exe [576]
    11 C:\Windows\INF\oem9.PNF
         Dropped by \Device\HarddiskVolume4\Windows\System32\services.exe [576]
    12 C:\Windows\INF\oem67.PNF
         Dropped by \Device\HarddiskVolume4\Windows\System32\services.exe [576]
    13 C:\Windows\INF\oem136.PNF
         Dropped by \Device\HarddiskVolume4\Windows\System32\services.exe [576]
    14 C:\Windows\INF\oem131.PNF
         Dropped by \Device\HarddiskVolume4\Windows\System32\services.exe [576]
    15 C:\Windows\INF\oem137.PNF
         Dropped by \Device\HarddiskVolume4\Windows\System32\services.exe [576]
    16 C:\Windows\INF\oem69.PNF
         Dropped by \Device\HarddiskVolume4\Windows\System32\services.exe [576]
    17 C:\Windows\INF\oem182.PNF
         Dropped by \Device\HarddiskVolume4\Windows\System32\services.exe [576]
    18 C:\Windows\INF\oem187.PNF
         Dropped by \Device\HarddiskVolume4\Windows\System32\services.exe [576]
    19 C:\Windows\INF\oem227.PNF
         Dropped by \Device\HarddiskVolume4\Windows\System32\services.exe [576]
    20 C:\Windows\INF\oem133.PNF
         Dropped by \Device\HarddiskVolume4\Windows\System32\services.exe [576]
    21 C:\Windows\INF\oem75.PNF
         Dropped by \Device\HarddiskVolume4\Windows\System32\services.exe [576]
    22 C:\Windows\INF\oem56.PNF
         Dropped by \Device\HarddiskVolume4\Windows\System32\services.exe [576]
    23 C:\Windows\INF\oem186.PNF
         Dropped by \Device\HarddiskVolume4\Windows\System32\services.exe [576]
    24 C:\Windows\INF\oem43.PNF
         Dropped by \Device\HarddiskVolume4\Windows\System32\services.exe [576]
    25 C:\Windows\INF\oem223.PNF
         Dropped by \Device\HarddiskVolume4\Windows\System32\services.exe [576]
    26 C:\Windows\INF\oem4.PNF
         Dropped by \Device\HarddiskVolume4\Windows\System32\services.exe [576]
    27 C:\Windows\INF\oem22.PNF
         Dropped by \Device\HarddiskVolume4\Windows\System32\services.exe [576]
    28 C:\Windows\INF\oem1.PNF
         Dropped by \Device\HarddiskVolume4\Windows\System32\services.exe [576]
    29 C:\Windows\INF\oem72.PNF
         Dropped by \Device\HarddiskVolume4\Windows\System32\services.exe [576]
    30 C:\Windows\INF\oem34.PNF
         Dropped by \Device\HarddiskVolume4\Windows\System32\services.exe [576]
    31 C:\Windows\INF\oem29.PNF
         Dropped by \Device\HarddiskVolume4\Windows\System32\services.exe [576]
    32 C:\Windows\INF\oem7.PNF
         Dropped by \Device\HarddiskVolume4\Windows\System32\services.exe [576]
    33 C:\Windows\INF\oem3.PNF
         Dropped by \Device\HarddiskVolume4\Windows\System32\services.exe [576]
    34 C:\Windows\INF\oem159.PNF
         Dropped by \Device\HarddiskVolume4\Windows\System32\services.exe [576]
    35 C:\Windows\INF\oem54.PNF
         Dropped by \Device\HarddiskVolume4\Windows\System32\services.exe [576]
    36 C:\Windows\INF\oem17.PNF
         Dropped by \Device\HarddiskVolume4\Windows\System32\services.exe [576]
    37 C:\Windows\INF\oem164.PNF
         Dropped by \Device\HarddiskVolume4\Windows\System32\services.exe [576]
    
    Thumbprints
    b59410d0daa59300275ff7230ae0babda50cf1b31748fdf9ce528915218e5788 (ALG5)
    93c92a499d0c4bf118bbf73699039b949ff6e5eef205a6dc492c69f72ef8ba07 (SIG)
    b49bad2508b03112b076b81f6be4429d3fb946a7d2d3a1afdde3ab51079021d6
    
     
  9. Libraman

    Libraman Registered Member

    Joined:
    Apr 26, 2016
    Posts:
    255
    Last edited by a moderator: Jan 10, 2024
  10. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,943
    Location:
    Outer space
A machine on 947 stable auto-updated a few days ago; everything fine so far.
     
  11. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    714
    Location:
    Planet Earth
    Should not happen again, we've suppressed this centrally.
     
  12. Erastus Seymour Pott

    Erastus Seymour Pott Registered Member

    Joined:
    Jan 17, 2017
    Posts:
    15
    Location:
    UK
    Thank you.
     
  13. netarchitech

    netarchitech Registered Member

    Joined:
    Jun 19, 2021
    Posts:
    9
    Location:
    NY
    @RonnyT: I'm hoping you might be able to help me or point me in the right direction...I've been dealing with an issue involving HMPA and Vivaldi...I have been in touch with Rick in HMPA Tech Support and I've started a thread on the Vivaldi Forum that should provide the particulars...

    https://forum.vivaldi.net/topic/944...related-errors-in-windows-event-viewer?page=1

    Thank you in advance for your time and anticipated support with this issue...It is greatly appreciated!
     
  14. Rules

    Rules Registered Member

    Joined:
    Mar 3, 2009
    Posts:
    759
    Location:
    Earth
    @netarchitech
Very strange problem. I'm actually running HMPA and Windows Defender and I've no Windows Event Viewer entries related to Vivaldi x64, which I'm actually using on W10 21H2; my setup has been running for several months. But the reality is that you and other users have trouble, so something is wrong somewhere.
     
  15. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    714
    Location:
    Planet Earth
    HitmanPro.Alert 3.8.26 Build 979

    Changelog (compared to 977)
• Fixed Intruder/Safe Browsing compatibility issue introduced by a recent Bitdefender update.
• Improved HeapHeapProtect, improved handling in code and added more whitelisting options to alerts.
• Improved SendKeysGuard, switched the main thumbprint to handle whitelisting more easily.
    • Improved HWBGuard (Silent).
    • Improved HollowProcess/HWBGuard, to prevent exception pointer abuse.
    Download
    https://dl.surfright.nl/hmpalert3b979.exe

    Please let us know how this version runs on your machine :thumb:
     
  16. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    714
    Location:
    Planet Earth
That one is on the known issues list here; just not sure when we'll see a fix, depends on priorities.
     
  17. netarchitech

    netarchitech Registered Member

    Joined:
    Jun 19, 2021
    Posts:
    9
    Location:
    NY
    I understand...Good to know it's on the Known Issues List...Thanks for the swift response!

    I'll install Build 979 and see if that has any effect...Will report back here if I find anything encouraging...
     
  18. netarchitech

    netarchitech Registered Member

    Joined:
    Jun 19, 2021
    Posts:
    9
    Location:
    NY
    @Rules Thanks for posting and providing additional perspective...Yeah, it's a little weird...Hopefully the Devs at SurfRight/Sophos will be able to take a look somewhere a little further on down the road...In the meantime, per the suggestion of Rick at HMPA Tech Support, I'm now working with Vivaldi x86 and the Error Flood has thankfully stopped :)
     
  19. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,660
    Location:
    Under a bushel ...
    No issues with build 979.
     
  20. Libraman

    Libraman Registered Member

    Joined:
    Apr 26, 2016
    Posts:
    255
    Hi RonnyT.
    No issues (W10 PRO 22H2 with Kaspersky Standard)
     
  21. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,295
    Mitigation PrivGuard
    Timestamp 2024-02-17T10:43:52

    Platform 10.0.19045/x64 v979 06_4e
    PID 744
    Application C:\Windows\System32\rundll32.exe
    Created 2023-11-14T19:36:05
    Description Windows-hostproces (Rundll32) 10

    Sweep

    Code Injection
    0000000000B60000-0000000000B62000 8KB C:\Program Files\Sandboxie-Plus\SbieSvc.exe [2992]
    00007FFE04144000-00007FFE04145000 4KB
    1 C:\Program Files\Sandboxie-Plus\SbieSvc.exe [2992]
    2 C:\Windows\System32\services.exe [920]
    3 C:\Windows\System32\wininit.exe [816]
    wininit.exe

    Process Trace
    1 C:\Windows\System32\rundll32.exe [744]
    C:\WINDOWS\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
    2 C:\Program Files\Sandboxie-Plus\SandboxieDcomLaunch.exe [9520]
    3 C:\Program Files\Sandboxie-Plus\SandboxieRpcSs.exe [3768]
    4 C:\Program Files\Sandboxie-Plus\SbieSvc.exe [2992]
    5 C:\Windows\System32\services.exe [920]
    6 C:\Windows\System32\wininit.exe [816]
    wininit.exe

    Services
    2992 SbieSvc

    Dropped Files

    Thumbprints
    09c9bb3ad81234bd83f4f138b5dc905fac6d166561e7146e242107103d60f84a
     
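Both mitigation reports pasted in this thread, the CryptoGuard one on the WinRE update installer and the PrivGuard one just above on rundll32.exe, come down to the same triage question: what is the ancestry of the alerted process? The Python below is an added example, not code from the thread or from HitmanPro.Alert itself. It parses the report text in the form it is pasted here (header fields plus the Process Trace section, ignoring the Code Injection and Services sections whose lines look similar) and classifies the chain. The section names it recognises, the Windows Update Orchestrator ancestry it expects (wuauclt.exe under MoUsoCoreWorker.exe under the DcomLaunch svchost) and the verdict strings are this example's own assumptions; the two embedded reports are trimmed copies of the ones posted in the thread.

```python
"""Triage helper for HitmanPro.Alert reports pasted as text (added example, not HMPA code)."""
import re
from dataclasses import dataclass, field

# Trimmed copy of the CryptoGuard report quoted earlier in this thread.
CRYPTOGUARD_REPORT = r"""
Mitigation   CryptoGuard
Application  C:\Windows\Temp\IXP000.TMP\WinREUpdateInstaller.exe

Process Trace
1  C:\Windows\Temp\IXP000.TMP\WinREUpdateInstaller.exe [12912]
2  C:\Windows\SoftwareDistribution\Download\Install\WinREUpdateInstaller_2401B_amd64.exe [9420]
3  C:\Windows\System32\wuauclt.exe [17512]
4  C:\Windows\System32\MoUsoCoreWorker.exe [17172]
5  C:\Windows\System32\svchost.exe [1028]
   C:\Windows\system32\svchost.exe -k DcomLaunch -p
6  C:\Windows\System32\services.exe [576]
7  C:\Windows\System32\wininit.exe [944]
"""

# Trimmed copy of the PrivGuard report quoted in the post above.
PRIVGUARD_REPORT = r"""
Mitigation PrivGuard
Application C:\Windows\System32\rundll32.exe

Code Injection
1 C:\Program Files\Sandboxie-Plus\SbieSvc.exe [2992]

Process Trace
1 C:\Windows\System32\rundll32.exe [744]
C:\WINDOWS\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
2 C:\Program Files\Sandboxie-Plus\SandboxieDcomLaunch.exe [9520]
3 C:\Program Files\Sandboxie-Plus\SandboxieRpcSs.exe [3768]
4 C:\Program Files\Sandboxie-Plus\SbieSvc.exe [2992]
5 C:\Windows\System32\services.exe [920]
6 C:\Windows\System32\wininit.exe [816]
wininit.exe
"""

# Section headers as they appear in the pasted reports (assumed set).
SECTION_RE = re.compile(r"^(Sweep|Code Injection|Process Trace|Services|Dropped Files|Thumbprints|Loaded Modules.*)$")
PROC_RE = re.compile(r"^(\d+)\s+(.+?)\s+\[(\d+)\]$")  # "3  C:\...\wuauclt.exe [17512]"
FIELD_RE = re.compile(r"^(Mitigation|Application)\s+(.+)$")
# Ancestors, nearest first, that a Windows Update Orchestrator launch shows (assumption).
UPDATE_CHAIN = ["wuauclt.exe", "mousocoreworker.exe", "svchost.exe", "services.exe", "wininit.exe"]


@dataclass
class Proc:
    path: str
    pid: int
    cmdline: str = ""  # filled from the unindexed line that follows the entry, if any


@dataclass
class Report:
    mitigation: str = ""
    application: str = ""
    chain: list = field(default_factory=list)  # chain[0] = alerted process, chain[-1] = root


def parse_report(text: str) -> Report:
    """Read the header fields and the Process Trace section; other sections are skipped."""
    rep, section = Report(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if SECTION_RE.match(line):
            section = line
        elif section is None:
            if m := FIELD_RE.match(line):
                setattr(rep, m.group(1).lower(), m.group(2).strip())
        elif section == "Process Trace":
            if m := PROC_RE.match(line):
                rep.chain.append(Proc(path=m.group(2), pid=int(m.group(3))))
            elif rep.chain:
                rep.chain[-1].cmdline = line  # continuation line = command line of the entry above
    return rep


def triage(rep: Report) -> dict:
    """Classify the ancestry: Microsoft-only Windows Update chain vs third-party parents."""
    names = [p.path.rsplit("\\", 1)[-1].lower() for p in rep.chain]
    third_party = [p.path for p in rep.chain if not p.path.lower().startswith("c:\\windows\\")]
    svchost = next((p for p in rep.chain if p.path.lower().endswith("\\svchost.exe")), None)
    update_chain = (names[-len(UPDATE_CHAIN):] == UPDATE_CHAIN
                    and svchost is not None and "DcomLaunch" in svchost.cmdline)
    if update_chain and not third_party:
        verdict = "Windows Update ancestry only: review as a likely false positive"
    elif third_party:
        verdict = "third-party ancestor(s) present: check whether they explain the behaviour"
    else:
        verdict = "needs manual review"
    return {"mitigation": rep.mitigation, "application": rep.application,
            "depth": len(rep.chain), "third_party_ancestors": third_party,
            "windows_update_chain": update_chain, "verdict": verdict}


if __name__ == "__main__":
    for text in (CRYPTOGUARD_REPORT, PRIVGUARD_REPORT):
        result = triage(parse_report(text))
        print(f"{result['mitigation']}: {result['verdict']}", result["third_party_ancestors"])
```

Run as a script it prints one verdict per report. For the CryptoGuard report every ancestor lives under C:\Windows and the tail of the chain matches the Update Orchestrator ancestry, which is the shape a reviewer expects of a Windows Update false positive; for the PrivGuard report the three Sandboxie-Plus parents are listed, which is the point to check before deciding whether to suppress the alert.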
  22. Adric

    Adric Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    1,791
    As of HitmanPro.Alert 3.8.26 Build 979, I keep seeing a lot of event-id 11 entries in the log for Win11 regarding hmpalert
    Code:
    Log Name:      System
    Source:        Microsoft-Windows-FilterManager
    Date:          2024-02-20 10:57:12
    Event ID:      11
    Task Category: None
    File System Filter 'hmpalert' (Version 0.0, 2024-02-05T13:56:36.000000000Z) does not support bypass IO.
    Supported features: 0x4.
     
    Is this now a normal warning?
     
  23. Rules

    Rules Registered Member

    Joined:
    Mar 3, 2009
    Posts:
    759
    Location:
    Earth
  24. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    714
    Location:
    Planet Earth
    Sandboxie causes this every now and then; suppressing the alert should resolve this.
     
  25. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    714
    Location:
    Planet Earth
    Yes, our protection depends on it, bypass IO blindsides the filter driver.
     