HitmanPro.Alert BETA

Discussion in 'other anti-malware software' started by erikloman, May 30, 2017.

  1. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
  2. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    0Patch ROP... Again.

    Mitigation ROP
    Timestamp 2021-10-17T02:46:38

    Platform 10.0.19043/x64 v911 06_5e
    PID 13396
    Feature 007D1A345FBFB0B6
    Application C:\Program Files\Mozilla Firefox\firefox.exe
    Created 2021-10-05T13:55:54
    Description Firefox 93

    Callee Type LoadLibrary
    C:\Program Files (x86)\0patch\Agent\0patchLoaderX64.dll
    0x00007FF8AB8B0000 (8192 bytes)

    Stack Trace
    # Address Module Location
    -- ---------------- ------------------------ ----------------------------------------
    1 00007FF8AB8504B6 (anonymous)

    2 00007FF8AB76C1E8 ntdll.dll
    a0c565abf87f000020 MOV AL, [0x2000007ff8ab65c5]
    c3 RET


    Loaded Modules (31)
    -----------------------------------------------------------------------------
    00007FF635C20000-00007FF635CB9000 firefox.exe (Mozilla Corporation),
    version: 93.0
    00007FF8AB650000-00007FF8AB845000 ntdll.dll (Microsoft Corporation),
    version: 10.0.19041.1288 (WinBuild.160101.0800)
    00007FF8A9C10000-00007FF8A9CCE000 KERNEL32.dll (Microsoft Corporation),
    version: 10.0.19041.1202 (WinBuild.160101.0800)
    00007FF8A8B90000-00007FF8A8CA6000 hmpalert.dll (SurfRight B.V.),
    version: 3.8.15.911
    00007FF8A8F20000-00007FF8A91E9000 KERNELBASE.dll (Microsoft Corporation),
    version: 10.0.19041.1202 (WinBuild.160101.0800)
    000000005BCF0000-000000005C01A000 IPSEng64.dll (Broadcom),
    version: 17.2.6.25
    00007FF8AA8B0000-00007FF8AA95C000 ADVAPI32.dll (Microsoft Corporation),
    version: 10.0.19041.1052 (WinBuild.160101.0800)
    00007FF8AA6F0000-00007FF8AA78E000 msvcrt.dll (Microsoft Corporation),
    version: 7.0.19041.546 (WinBuild.160101.0800)
    00007FF8AAB40000-00007FF8AABDB000 sechost.dll (Microsoft Corporation),
    version: 10.0.19041.906 (WinBuild.160101.0800)
    00007FF8AB390000-00007FF8AB4BA000 RPCRT4.dll (Microsoft Corporation),
    version: 10.0.19041.1288 (WinBuild.160101.0800)
    00007FF8AA8A0000-00007FF8AA8A8000 PSAPI.DLL (Microsoft Corporation),
    version: 10.0.19041.546 (WinBuild.160101.0800)
    00007FF8A9520000-00007FF8A9620000 ucrtbase.dll (Microsoft Corporation),
    version: 10.0.19041.789 (WinBuild.160101.0800)
    00007FF882260000-00007FF8822F5000 mozglue.dll (Mozilla Foundation),
    version: 93.0
    00007FF8A9360000-00007FF8A94B6000 CRYPT32.dll (Microsoft Corporation),
    version: 10.0.19041.1202 (WinBuild.160101.0800)
    00007FF8A94C0000-00007FF8A9520000 WINTRUST.dll (Microsoft Corporation),
    version: 10.0.19041.1266 (WinBuild.160101.0800)
    00007FF891E50000-00007FF891EE1000 MSVCP140.dll (Microsoft Corporation),
    version: 14.27.29112.0 built by: vcwrkspc
    00007FF891D40000-00007FF891D59000 VCRUNTIME140.dll (Microsoft Corporation),
    version: 14.27.29112.0 built by: vcwrkspc
    00007FF8A8730000-00007FF8A8914000 dbghelp.dll (Microsoft Corporation),
    version: 10.0.19041.867 (WinBuild.160101.0800)
    00007FF8A8920000-00007FF8A892A000 VERSION.dll (Microsoft Corporation),
    version: 10.0.19041.546 (WinBuild.160101.0800)
    00007FF891D30000-00007FF891D3C000 VCRUNTIME140_1.dll (Microsoft Corporation),
    version: 14.27.29112.0 built by: vcwrkspc
    00007FF8A8210000-00007FF8A821C000 CRYPTBASE.DLL (Microsoft Corporation),
    version: 10.0.19041.546 (WinBuild.160101.0800)
    00007FF8A8490000-00007FF8A84A2000 MSASN1.dll (Microsoft Corporation),
    version: 10.0.19041.546 (WinBuild.160101.0800)
    00007FF8A89E0000-00007FF8A8AA0000 0patchLoaderX64.dll (Acros Security),
    version: 21.05.05.10500
    00007FF8A9A60000-00007FF8A9C01000 USER32.dll (Microsoft Corporation),
    version: 10.0.19041.1202 (WinBuild.160101.0800)
    00007FF8A9620000-00007FF8A9642000 win32u.dll (Microsoft Corporation),
    version: 10.0.19041.1288 (WinBuild.160101.0800)
    00007FF8AB5E0000-00007FF8AB60B000 GDI32.dll (Microsoft Corporation),
    version: 10.0.19041.1202 (WinBuild.160101.0800)
    00007FF8A8D70000-00007FF8A8E7B000 gdi32full.dll (Microsoft Corporation),
    version: 10.0.19041.1110 (WinBuild.160101.0800)
    00007FF8A8E80000-00007FF8A8F1D000 msvcp_win.dll (Microsoft Corporation),
    version: 10.0.19041.789 (WinBuild.160101.0800)
    00007FF8A8700000-00007FF8A872C000 dbgcore.DLL (Microsoft Corporation),
    version: 10.0.19041.789 (WinBuild.160101.0800)
    00007FF8AA450000-00007FF8AA480000 IMM32.DLL (Microsoft Corporation),
    version: 10.0.19041.546 (WinBuild.160101.0800)
    00007FF8A86C0000-00007FF8A86F3000 ntmarta.dll (Microsoft Corporation),
    version: 10.0.19041.546 (WinBuild.160101.0800)

    Code Injection
    00000289BA308000-00000289BA309000 4KB C:\Program Files\Mozilla Firefox\firefox.exe [6820]
    00007FF8AB6ED000-00007FF8AB6EE000 4KB
    00007FF8AB6EF000-00007FF8AB6F0000 4KB
    00007FF8AB6EC000-00007FF8AB6ED000 4KB
    0000000000290000-0000000000291000 4KB
    1 C:\Program Files\Mozilla Firefox\firefox.exe [6820]
    2 C:\Program Files\Mozilla Firefox\firefox.exe [1740]
    3 C:\Windows\explorer.exe [9144]

    Process Trace
    1 C:\Program Files\Mozilla Firefox\firefox.exe [13396]
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6820.8.499575262\493356388" -childID 5 -isForBrowser -prefsHandle 5760 -prefMapHandle 5756 -prefsLen 5985 -prefMapSize 263345 -jsInit 1868 286204 -parentBuildID 20210927210923 -appdir "
    2 C:\Program Files\Mozilla Firefox\firefox.exe [6820]
    3 C:\Program Files\Mozilla Firefox\firefox.exe [1740]
    4 C:\Windows\explorer.exe [9144]

    Dropped Files
    1 C:\Users\David\AppData\Local\Mozilla\Firefox\Profiles\q6zme4ma.default-release\safebrowsing-updating\ads-track-digest256.vlpset
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [6820]
    2 C:\Users\David\AppData\Local\Mozilla\Firefox\Profiles\q6zme4ma.default-release\safebrowsing-updating\allow-flashallow-digest256.sbstore
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [6820]
    3 C:\Users\David\AppData\Local\Mozilla\Firefox\Profiles\q6zme4ma.default-release\safebrowsing-updating\allow-flashallow-digest256.vlpset
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [6820]
    4 C:\Users\David\AppData\Local\Mozilla\Firefox\Profiles\q6zme4ma.default-release\safebrowsing-updating\analytics-track-digest256.sbstore
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [6820]
    5 C:\Users\David\AppData\Local\Mozilla\Firefox\Profiles\q6zme4ma.default-release\safebrowsing-updating\analytics-track-digest256.vlpset
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [6820]
    6 C:\Users\David\AppData\Local\Mozilla\Firefox\Profiles\q6zme4ma.default-release\safebrowsing-updating\base-cryptomining-track-digest256.sbstore
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [6820]
    7 C:\Users\David\AppData\Local\Mozilla\Firefox\Profiles\q6zme4ma.default-release\safebrowsing-updating\base-cryptomining-track-digest256.vlpset
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [6820]
    8 C:\Users\David\AppData\Local\Mozilla\Firefox\Profiles\q6zme4ma.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.sbstore
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [6820]
    9 C:\Users\David\AppData\Local\Mozilla\Firefox\Profiles\q6zme4ma.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.vlpset
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [6820]
    10 C:\Users\David\AppData\Local\Mozilla\Firefox\Profiles\q6zme4ma.default-release\safebrowsing-updating\base-track-digest256.sbstore
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [6820]
    11 C:\Users\David\AppData\Local\Mozilla\Firefox\Profiles\q6zme4ma.default-release\safebrowsing-updating\base-track-digest256.vlpset
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [6820]
    12 C:\Users\David\AppData\Local\Mozilla\Firefox\Profiles\q6zme4ma.default-release\safebrowsing-updating\block-flash-digest256.sbstore
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [6820]
    13 C:\Users\David\AppData\Local\Mozilla\Firefox\Profiles\q6zme4ma.default-release\safebrowsing-updating\block-flash-digest256.vlpset
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [6820]
    14 C:\Users\David\AppData\Local\Mozilla\Firefox\Profiles\q6zme4ma.default-release\safebrowsing-updating\block-flashsubdoc-digest256.sbstore
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [6820]
    15 C:\Users\David\AppData\Local\Mozilla\Firefox\Profiles\q6zme4ma.default-release\safebrowsing-updating\block-flashsubdoc-digest256.vlpset
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [6820]
    16 C:\Users\David\AppData\Local\Mozilla\Firefox\Profiles\q6zme4ma.default-release\safebrowsing-updating\content-track-digest256.sbstore
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [6820]
    17 C:\Users\David\AppData\Local\Mozilla\Firefox\Profiles\q6zme4ma.default-release\safebrowsing-updating\content-track-digest256.vlpset
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [6820]
    18 C:\Users\David\AppData\Local\Mozilla\Firefox\Profiles\q6zme4ma.default-release\safebrowsing-updating\except-flash-digest256.sbstore
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [6820]
    19 C:\Users\David\AppData\Local\Mozilla\Firefox\Profiles\q6zme4ma.default-release\safebrowsing-updating\except-flash-digest256.vlpset
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [6820]
    20 C:\Users\David\AppData\Local\Mozilla\Firefox\Profiles\q6zme4ma.default-release\safebrowsing-updating\except-flashallow-digest256.sbstore
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [6820]
    21 C:\Users\David\AppData\Local\Mozilla\Firefox\Profiles\q6zme4ma.default-release\safebrowsing-updating\except-flashallow-digest256.vlpset
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [6820]
    22 C:\Users\David\AppData\Local\Mozilla\Firefox\Profiles\q6zme4ma.default-release\safebrowsing-updating\except-flashsubdoc-digest256.sbstore
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [6820]
    23 C:\Users\David\AppData\Local\Mozilla\Firefox\Profiles\q6zme4ma.default-release\safebrowsing-updating\except-flashsubdoc-digest256.vlpset
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [6820]
    24 C:\Users\David\AppData\Local\Mozilla\Firefox\Profiles\q6zme4ma.default-release\safebrowsing-updating\google-trackwhite-digest256.sbstore
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [6820]
    25 C:\Users\David\AppData\Local\Mozilla\Firefox\Profiles\q6zme4ma.default-release\safebrowsing-updating\google-trackwhite-digest256.vlpset
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [6820]
    26 C:\Users\David\AppData\Local\Mozilla\Firefox\Profiles\q6zme4ma.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadata
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [6820]
    27 C:\Users\David\AppData\Local\Mozilla\Firefox\Profiles\q6zme4ma.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.vlpset
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [6820]
    28 C:\Users\David\AppData\Local\Mozilla\Firefox\Profiles\q6zme4ma.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.metadata
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [6820]
    29 C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\q6zme4ma.default-release\storage\default\moz-extension+++c79935bc-c1f4-4f95-b79c-4fd128d93dae^userContextId=4294967295\idb\3647222921wleabcEoxlt-eengsairo.sqlite-shm
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [6820]
    30 C:\Users\David\AppData\Local\Mozilla\Firefox\Profiles\q6zme4ma.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.vlpset
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [6820]
    31 C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\q6zme4ma.default-release\storage\default\moz-extension+++c79935bc-c1f4-4f95-b79c-4fd128d93dae^userContextId=4294967295\idb\3647222921wleabcEoxlt-eengsairo.sqlite-wal
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [6820]
    32 C:\Users\David\AppData\Local\Mozilla\Firefox\Profiles\q6zme4ma.default-release\safebrowsing-updating\google4\goog-malware-proto.metadata
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [6820]
    33 C:\Users\David\AppData\Local\Mozilla\Firefox\Profiles\q6zme4ma.default-release\safebrowsing-updating\google4\goog-malware-proto.vlpset
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [6820]
    34 C:\Users\David\AppData\Local\Mozilla\Firefox\Profiles\q6zme4ma.default-release\safebrowsing-updating\google4\goog-phish-proto.metadata
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [6820]
    35 C:\Users\David\AppData\Local\Mozilla\Firefox\Profiles\q6zme4ma.default-release\safebrowsing-updating\google4\goog-phish-proto.vlpset
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [6820]
    36 C:\Users\David\AppData\Local\Mozilla\Firefox\Profiles\q6zme4ma.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadata
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [6820]
    37 C:\Users\David\AppData\Local\Mozilla\Firefox\Profiles\q6zme4ma.default-release\safebrowsing-updating\google4\goog-unwanted-proto.vlpset
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [6820]
    38 C:\Users\David\AppData\Local\Mozilla\Firefox\Profiles\q6zme4ma.default-release\safebrowsing-updating\mozplugin-block-digest256.sbstore
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [6820]
    39 C:\Users\David\AppData\Local\Mozilla\Firefox\Profiles\q6zme4ma.default-release\safebrowsing-updating\mozplugin-block-digest256.vlpset
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [6820]
    40 C:\Users\David\AppData\Local\Mozilla\Firefox\Profiles\q6zme4ma.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.sbstore
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [6820]
    41 C:\Users\David\AppData\Local\Mozilla\Firefox\Profiles\q6zme4ma.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.vlpset
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [6820]
    42 C:\Users\David\AppData\Local\Mozilla\Firefox\Profiles\q6zme4ma.default-release\safebrowsing-updating\social-track-digest256.sbstore
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [6820]
    43 C:\Users\David\AppData\Local\Mozilla\Firefox\Profiles\q6zme4ma.default-release\safebrowsing-updating\social-track-digest256.vlpset
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [6820]
    44 C:\Users\David\AppData\Local\Mozilla\Firefox\Profiles\q6zme4ma.default-release\safebrowsing-updating\social-tracking-protection-digest256.sbstore
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [6820]
    45 C:\Users\David\AppData\Local\Mozilla\Firefox\Profiles\q6zme4ma.default-release\safebrowsing-updating\social-tracking-protection-digest256.vlpset
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [6820]
    46 C:\Users\David\AppData\Local\Mozilla\Firefox\Profiles\q6zme4ma.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.sbstore
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [6820]
    47 C:\Users\David\AppData\Local\Mozilla\Firefox\Profiles\q6zme4ma.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.vlpset
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [6820]
    48 C:\Users\David\AppData\Local\Mozilla\Firefox\Profiles\q6zme4ma.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.sbstore
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [6820]
    49 C:\Users\David\AppData\Local\Mozilla\Firefox\Profiles\q6zme4ma.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.vlpset
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [6820]
    50 C:\Users\David\AppData\Local\Mozilla\Firefox\Profiles\q6zme4ma.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.sbstore
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [6820]
    51 C:\Users\David\AppData\Local\Mozilla\Firefox\Profiles\q6zme4ma.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.vlpset
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [6820]
    52 C:\Users\David\AppData\Local\Mozilla\Firefox\Profiles\q6zme4ma.default-release\safebrowsing-updating\test-block-simple.pset
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [6820]
    53 C:\Users\David\AppData\Local\Mozilla\Firefox\Profiles\q6zme4ma.default-release\safebrowsing-updating\test-harmful-simple.pset
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [6820]
    54 C:\Users\David\AppData\Local\Mozilla\Firefox\Profiles\q6zme4ma.default-release\safebrowsing-updating\test-malware-simple.pset
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [6820]
    55 C:\Users\David\AppData\Local\Mozilla\Firefox\Profiles\q6zme4ma.default-release\safebrowsing-updating\test-phish-simple.pset
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [6820]
    56 C:\Users\David\AppData\Local\Mozilla\Firefox\Profiles\q6zme4ma.default-release\safebrowsing-updating\test-track-simple.pset
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [6820]
    57 C:\Users\David\AppData\Local\Mozilla\Firefox\Profiles\q6zme4ma.default-release\safebrowsing-updating\test-trackwhite-simple.pset
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [6820]
    58 C:\Users\David\AppData\Local\Mozilla\Firefox\Profiles\q6zme4ma.default-release\safebrowsing-updating\test-unwanted-simple.pset
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [6820]
    59 C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\q6zme4ma.default-release\storage\default\moz-extension+++5a041bb7-fd58-44d5-827c-36397a6ff489^userContextId=4294967295\idb\3647222921wleabcEoxlt-eengsairo.sqlite-wal
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [6820]
    60 C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\q6zme4ma.default-release\storage\default\moz-extension+++c79935bc-c1f4-4f95-b79c-4fd128d93dae\idb\1671402671ueBglaorcokt0SCeahc.sqlite-shm
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [6820]
    61 C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\q6zme4ma.default-release\storage\default\moz-extension+++c79935bc-c1f4-4f95-b79c-4fd128d93dae\idb\1671402671ueBglaorcokt0SCeahc.sqlite-wal
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [6820]
    62 C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\q6zme4ma.default-release\addonStartup.json.lz4.tmp
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [6820]
    63 C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\q6zme4ma.default-release\prefs-2.js
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [6820]
    64 C:\Users\David\AppData\Local\Mozilla\Firefox\Profiles\q6zme4ma.default-release\cache2\entries\0B6F3D3258B287A932059B3A7149891A457F2543
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [6820]
    65 C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\q6zme4ma.default-release\storage\default\moz-extension+++da74ebad-64c8-4e3a-bfb3-749c98aa23b9^userContextId=4294967295\idb\3647222921wleabcEoxlt-eengsairo.sqlite-wal
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [6820]
    66 C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\q6zme4ma.default-release\storage-sync-v2.sqlite-shm
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [6820]
    67 C:\Users\David\AppData\Local\Mozilla\Firefox\Profiles\q6zme4ma.default-release\cache2\entries\8260D83CBB46F4E976DAEB8E565012948E4D2E44
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [6820]
    68 C:\Users\David\AppData\Local\Mozilla\Firefox\Profiles\q6zme4ma.default-release\cache2\entries\8518EEE4AF92A5FB35C8AF54F894C064C4C6FE8C
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [6820]
    69 C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\q6zme4ma.default-release\storage\default\moz-extension+++5a041bb7-fd58-44d5-827c-36397a6ff489\idb\2877261198xbndd.cbwe.sqlite-shm
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [6820]
    70 C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\q6zme4ma.default-release\storage\default\moz-extension+++dc249b1c-ab85-48da-8ae4-621bbff03112^userContextId=4294967295\idb\3647222921wleabcEoxlt-eengsairo.sqlite-wal
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [6820]
    71 C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\q6zme4ma.default-release\storage\default\moz-extension+++5a041bb7-fd58-44d5-827c-36397a6ff489\idb\2877261198xbndd.cbwe.sqlite-wal
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [6820]
    72 C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\q6zme4ma.default-release\storage\default\moz-extension+++a4b3e744-2f29-4444-b12a-cceadffd9465^userContextId=4294967295\idb\3647222921wleabcEoxlt-eengsairo.sqlite-wal
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [6820]
    73 C:\Users\David\AppData\Local\Mozilla\Firefox\Profiles\q6zme4ma.default-release\cache2\entries\5745F42989E295FBA4939669EEFA2165124CE0C9
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [6820]
    74 C:\Users\David\AppData\Local\Mozilla\Firefox\Profiles\q6zme4ma.default-release\cache2\entries\0537758B3DD063127561773B944B97C286813A43
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [6820]
    75 C:\Users\David\AppData\Local\Mozilla\Firefox\Profiles\q6zme4ma.default-release\cache2\entries\2276B3D779A6E1AD7F3C1F518F87F9E92E5533E9
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [6820]
    76 C:\Users\David\AppData\Local\Mozilla\Firefox\Profiles\q6zme4ma.default-release\cache2\entries\1CACB150DD3A1C3178857AB5E2F722D2D4A27983
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [6820]
    77 C:\Users\David\AppData\Local\Mozilla\Firefox\Profiles\q6zme4ma.default-release\cache2\entries\177C6B1C7343FF193B61FFE643163041A436372E
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [6820]
    78 C:\Users\David\AppData\Local\Mozilla\Firefox\Profiles\q6zme4ma.default-release\cache2\entries\3189FC53F4B86721BFD24FA0B1129E51B2914CA0
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [6820]
    79 C:\Users\David\AppData\Local\Mozilla\Firefox\Profiles\q6zme4ma.default-release\cache2\entries\382295B0E500997552E32E5666E469F5D3D63014
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [6820]
    80 C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\q6zme4ma.default-release\storage\default\moz-extension+++4c9fa907-54c1-4bf7-91a8-5ee137421579^userContextId=4294967295\idb\3647222921wleabcEoxlt-eengsairo.sqlite-wal
    Dropped by \Device\HarddiskVolume4\Program Files\Mozilla Firefox\firefox.exe [6820]

    Thumbprints
    N/A
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
Are you using 0Patch to protect Firefox? But it's no surprise: 0Patch integrates deeply into apps; I wouldn't mess around with this stuff.
     
  4. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    There isn't any method to manually protect any programs with 0Patch. It injects itself automatically.

    For @RonnyT & @markloman ,

    Both times this has happened recently I had opened Edge, Brave and Firefox one after the other, if that helps.

    Thanks.
     
  5. Merlucius

    Merlucius Registered Member

    Joined:
    Nov 26, 2017
    Posts:
    17
    Location:
    uk
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
In other words, it runs all of the time, even if it doesn't even protect any apps? Seems like overkill to me on home user PCs. It makes more sense to simply use HMPA to protect against exploits and to wait for official patches. And there is a big chance that 0Patch and HMPA will continue to conflict with each other in the future, because they both inject DLLs.
     
  7. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    636
    Location:
    Planet Earth
  8. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,243
    No problems upgrading build 915 (via restart).

    Win10 21H1 build 19043.1288
     
  9. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    636
    Location:
    Planet Earth
    Hi all,

I have started a new info and support section on our Zendesk platform. Please have a look and let me know what you're missing; any feedback is appreciated!
    https://hitmanpro.zendesk.com/
     
  10. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,243
    A known issue-topic. Like HitmanPro-Alert and Sandboxie.
     
  11. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    HitmanPro.Alert 3.8.20 Build 935 Release Candidate

    Changelog (compared to build 923)
    • Added SendKeyGuard mitigation (part of Lockdown) to block macro-borne keystroke injection.
    • Added system-wide protection against defense evasion technique via direct system calls, or SysCall, on 64-bit applications
    • Added protection against cloning of LSASS process to Credential Theft Protection
• Added new mitigation that blocks code injection via remote thread creation; RemoteThreadGuard. Currently in testing.
    • Added support for ReFS file system to CryptoGuard
    • Added NOTEPAD.EXE to Office template
    • Added GPT partition support to WipeGuard
    • Added NVMe support to WipeGuard
    • Added MITRE ATT&CK references to the CookieGuard, SysCall and RemoteThreadGuard mitigations
    • Added alerting to our protection of sticky key abuse (and other accessibility features)
    • Added EA Digital Illusions CE AB to game detection
    • Improved protection against direct system calls, or SysCall, on 32-bit applications
    • Improved handling of certificates on code-signed applications
    • Improved CookieGuard alert with information about the application certificate, if any, in the alert
• Improved WipeGuard to protect the Volume Boot Record of all mounted partitions. Previously, only the boot partition was protected.
    • Improved WipeGuard to terminate the offending process. Previously, the offending action was only blocked.
    • Improved HollowProcess to protect against PEB manipulation in a remote process where PEB is writable
    • Improved Lockdown mitigation to isolate modules (DLLs) dropped in attacks via Office documents.
    • Improved the per app mitigation settings in the user interface. It now has room for extra checkboxes.
• Changed reboot fly-out reminder interval from 1h to 8h
    • Changed Dynamic Heap Spray detection; it is now disabled on 64-bit applications
    • Changed text for Benefits button to Help center
    • Changed Sophos Privacy Notice and Terms of Service
    • Fixed displaying icons of UWP applications
    • Fixed several user interface inconsistencies
    • Fixed false alarm by APCViolation on Avast 'aswhook' DLL
    • Fixed false alarm by CookieGuard if application starts from a RAM-drive
    • Fixed false alarm by HollowProcess on Visual Studio
    • Fixed issue with Lockdown inheritance when parent process is OpenWith.exe
    • Fixed issue when a user tries to install HitmanPro.Alert on machine where Sophos Home Premium is already installed
    • Fixed tray icon burning CPU cycles after install
    • Fixed unexpected removal of Forza Horizon 5 under UWP exclusions
    • Several other changes under the hood
    Download
    https://dl.surfright.nl/hmpalert3b935.exe

    Please let us know how this build runs on your machine :thumb:
     
  12. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    Thanks @markloman ! :thumb:
     
  13. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    I just got this after a restart:
    Mitigation SysCall
    Timestamp 2022-03-16T21:20:50

    Platform 10.0.19044/x64 v935 06_5e
    PID 656
    Feature 007D0A30000001A2
    Application C:\Program Files\AMD\CNext\CNext\QtWebEngineProcess.exe
    Created 2022-01-02T01:28:12
    Description Qt Qtwebengineprocess 5.14.1

    SecLvl: 1
    Direct Syscall originating from: 000002B391A87F34
    *** RemoteAllocator ***
    remoteOwnerProcessName: C:\Program Files\AMD\CNext\CNext\Radeonsoftware.exe
    remoteOwnerModuleName: C:\Program Files\AMD\CNext\CNext\Qt5WebEngineCore.dll
    remoteOwnerPID: 10448
    remoteOwnerProcess is signed
    remoteOwnerModule is not signed

    0x000002B391A87F34 c3 RET

    ----- SNIP HERE -----
    AAICAQBwqJGzAgAANH+okbMCAAAAcKiRswIAAAAQAAACAAACAAACAAACAAACAAACAAACAAACAAACAAACAAACAAACAADgAwIGAKADAgYAmOrvFPsCAwAOAgMAAgT/TIvRuFUCAwD2BCUIA/5/AXUDDwXDzS7DDx+EAiUATIvRuDMCAwD2BCUIA/5/AXUDDwXDzS7DDx+EAiUATIvRuD0CAwD2BCUIA/5/AXUDDwXDzS7DDx+EAiUATIvRuEYBAgIA9gQlCAP+fwF1Aw8Fw80uww8fhAIlAEyL0bgnAgMA9gQlCAP+fwF1Aw8Fw80uww8fhAIlAEyL0bguAQICAPYEJQgD/n8BdQMPBcPNLsMPH4QCJQBMi9G4JgIDAPYEJQgD/n8BdQMPBcPNLsMPH4QCJQBMi9G4KAECAgD2BCUIA/5/AXUDDwXDzS7DDx+EAiUATIvRuA0CAwD2BCUIA/5/AXUDDwXDzS7DDx+EAiUATIvRuCQCAwD2BCUIA/5/AXUDDwXDzS7DDx+EAiUATIvRuDACAwD2BCUIA/5/AXUDDwXDzS7DDx+EAiUATIvRuC8CAwD2BCUIA/5/AXUDDwXDzS7DDx+EAiUATIvRuCgCAwD2BCUIA/5/AXUDDwXDzS7DDx+EAiUATIvRuCoCAwD2BCUIA/5/AXUDDwXDzS7DDx+EAoUA
    ----- END SNIP -----

    Loaded Modules (72)
    -----------------------------------------------------------------------------
    00007FF6B92B0000-00007FF6B9332000 QtWebEngineProcess.exe (The Qt Company Ltd.),
    version: 5.14.1.0
    00007FF9693A0000-00007FF9694BA000 hmpalert.dll (SurfRight B.V.),
    version: 3.8.20.935
    00007FF940F80000-00007FF941571000 Qt5Core.dll (The Qt Company Ltd.),
    version: 5.14.1.0
    00007FF92FD10000-00007FF935A44000 Qt5WebEngineCore.dll (The Qt Company Ltd.),
    version: 5.14.1.0
    00007FF92F880000-00007FF92FC95000 Qt5Quick.dll (The Qt Company Ltd.),
    version: 5.14.1.0
    00007FF92EB30000-00007FF92F1CC000 Qt5Gui.dll (The Qt Company Ltd.),
    version: 5.14.1.0
    00007FF92E330000-00007FF92E354000 Qt5WebChannel.dll (The Qt Company Ltd.),
    version: 5.14.1.0
    00007FF92E790000-00007FF92EB29000 Qt5Qml.dll (The Qt Company Ltd.),
    version: 5.14.1.0
    00007FF92E210000-00007FF92E324000 Qt5Network.dll (The Qt Company Ltd.),
    version: 5.14.1.0
    00007FF92E1B0000-00007FF92E204000 Qt5Positioning.dll (The Qt Company Ltd.),
    version: 5.14.1.0
    00007FF92E120000-00007FF92E1A3000 Qt5QmlModels.dll (The Qt Company Ltd.),
    version: 5.14.1.0
    00007FF969270000-00007FF969330000 0patchLoaderX64.dll (Acros Security),
    version: 21.05.05.10500
    - MS skipped (60) -

    Code Injection
    000002B391A87000-000002B391A88000 4KB C:\Program Files\AMD\CNext\CNext\RadeonSoftware.exe [10448]
    00007FF96BF2D000-00007FF96BF2E000 4KB
    00007FF96BF2F000-00007FF96BF30000 4KB
    00007FF96BF2C000-00007FF96BF2D000 4KB

    Process Trace
    1 C:\Program Files\AMD\CNext\CNext\QtWebEngineProcess.exe [656]
    "C:\Program Files\AMD\CNext\CNext\QtWebEngineProcess.exe" --type=renderer --disable-gpu-memory-buffer-video-frames --enable-threaded-compositing --use-gl=angle --enable-features=AllowContentInitiatedDataUrlNavigations,TracingServiceInProcess --disable-feat
    2 C:\Program Files\AMD\CNext\CNext\RadeonSoftware.exe [10448]
    "C:\Program Files\AMD\CNext\CNext\Radeonsoftware.exe" atlogon

    Dropped Files
    1 C:\Users\David\AppData\Local\AMD\Radeonsoftware\QtWebEngine\Default\Platform Notifications\LOG.old~RF7e126.TMP
    Dropped by \Device\HarddiskVolume4\Program Files\AMD\CNext\CNext\RadeonSoftware.exe [10448]
    2 C:\Users\David\AppData\Local\AMD\Radeonsoftware\QtWebEngine\Default\Platform Notifications\LOG
    Dropped by \Device\HarddiskVolume4\Program Files\AMD\CNext\CNext\RadeonSoftware.exe [10448]

    Thumbprints
    810af5e5b485b6aece639827e26999389ee9125ea60cc65e554a0da29cf75939 (pfn)
     
    Last edited: Mar 16, 2022
  14. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    Also this:
    Mitigation SysCall
    Timestamp 2022-03-16T21:12:36

    Platform 10.0.19044/x64 v935 06_5e
    PID 4328
    Feature 007D0A30000001AE
    Application C:\Program Files\NoVirusThanks\OSArmorDevSvc\OSArmorDevSvc.exe
    Created 2022-02-08T16:13:36
    Description NoVirusThanks OSArmor Service 1.1

    SecLvl: 1
    Direct Syscall originating from: 0000000002CAD094
    *** UnknownAllocator ***
    Allocator is NOT local

    0x0000000002CAD094 c3 RET

    ----- SNIP HERE -----
    ----- END SNIP -----

    Loaded Modules (36)
    -----------------------------------------------------------------------------
    0000000000510000-0000000001CEE000 OSArmorDevSvc.exe (NoVirusThanks Company Sr),
    version: 1.1.0.0
    00007FF9693A0000-00007FF9694BA000 hmpalert.dll (SurfRight B.V.),
    version: 3.8.20.935
    00007FF969270000-00007FF969330000 0patchLoaderX64.dll (Acros Security),
    version: 21.05.05.10500
    - MS skipped (33) -

    Process Trace
    1 C:\Program Files\NoVirusThanks\OSArmorDevSvc\OSArmorDevSvc.exe [4328]
    2 C:\Windows\System32\services.exe [992]
    3 C:\Windows\System32\wininit.exe [844]
    wininit.exe
    4 C:\Windows\System32\smss.exe [656]
    \SystemRoot\System32\smss.exe 00000084 00000008
    5 C:\Windows\System32\smss.exe [552]
    \SystemRoot\System32\smss.exe
    6 [4]

    Dropped Files

    Thumbprints
    acb4faf0968a4a19bae0e8365b2447d3253535577de4e83e56dd4d999730fb4e (pfn)
    abd7397281882d6e461c9949b20805b22fdd5c68593d4bd46004d242fe1086fa (pfn-crt)
     
  15. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    There's also this one which can't be suppressed, but it doesn't seem to cause any issue and I'm not being alerted to it.

    Mitigation RemoteThreadGuard
    Timestamp 2022-03-16T21:48:48

    Platform 10.0.19044/x64 v935 06_5e
    PID 10832
    Feature 007D0A30000001A2
    Application C:\Program Files\Windows Sidebar\8GadgetPack.exe
    Created 2019-11-11T04:13:22
    Description 8GadgetPack.exe

    ========================================================
    == Current process information ==
    ========================================================
    ImageBase: 00007FF6F1450000
    SHA-256 f07bde3008e3f3ddb4fb23d257b9fec6b5ea5f36c194d6301d27ee60de3c5f01
    SHA-1 5425f39e24c4cc14e8eb99277b4fd03eef55b4f8
    MD5 b9929732bc68d21f882c738fcd70a66f
    Process does not have authenticode
    Cannot retrieve subjectHash
    ========================================================
    == Caller information ==
    ========================================================
    Caller: 00007FF6F1454ECE
    Caller located on Heap: FALSE
    OwnerModule: 8GadgetPack.exe
    OwnerModule full path: C:\Program Files\Windows Sidebar\8GadgetPack.exe
    SHA-256 f07bde3008e3f3ddb4fb23d257b9fec6b5ea5f36c194d6301d27ee60de3c5f01
    SHA-1 5425f39e24c4cc14e8eb99277b4fd03eef55b4f8
    MD5 b9929732bc68d21f882c738fcd70a66f
    Cannot retrieve subjectHash
    ========================================================
    == Remote code information ==
    ========================================================
    RemoteProcessName: C:\Program Files\Windows Sidebar\sidebar.exe
    RemoteProcessPID: 9408
    Code start: 00007FFFA251C940
    AllocationBase: 00007FFFA2450000
    AllocationProtect: 0x80
    BaseAddress: 00007FFFA251C000
    RegionSize: 0x50000
    State: 0x1000
    Protect: 0x20
    Type: 0x1000000
    remoteMemOwnerProcessId: 1373044736
    remoteMemOwnerProcessName:
    remoteMemOwnerAddressName:
    Thread DP: Y

    Stack Trace
    # Address Module Location
    -- ---------------- ------------------------ ----------------------------------------
    1 00007FFFA24A61E8 ntdll.dll RtlCreateUserThread +0x1a8
    2 00007FFFA251C913 ntdll.dll DbgUiIssueRemoteBreakin +0x43
    3 00007FFFA251C870 ntdll.dll DbgUiDebugActiveProcess +0x30
    4 00007FFFA0023460 KernelBase.dll DebugActiveProcess +0x40

    5 00007FF6F1454ECE 8GadgetPack.exe
    85c0 TEST EAX, EAX
    0f84dff8ffff JZ 0x7ff6f14547b5
    e845c3ffff CALL 0x7ff6f1451220
    be05000000 MOV ESI, 0x5
    41bdf7000000 MOV R13D, 0xf7
    41bfe0ff0000 MOV R15D, 0xffe0
    0f1f4000 NOP DWORD [RAX+0x0]
    8b542450 MOV EDX, [RSP+0x50]
    488d0de5860300 LEA RCX, [RIP+0x386e5]
    41b9a3080000 MOV R9D, 0x8a3
    448bf6 MOV R14D, ESI
    e8a72e0000 CALL 0x7ff6f1457db0

    6 00007FF6F1455484 8GadgetPack.exe
    7 00007FF6F1458A72 8GadgetPack.exe
    8 00007FFFA2297034 kernel32.dll BaseThreadInitThunk +0x14
    9 00007FFFA24A2651 ntdll.dll RtlUserThreadStart +0x21

    Loaded Modules (27)
    -----------------------------------------------------------------------------
    00007FF6F1450000-00007FF6F14E4000 8GadgetPack.exe (),
    version:
    00007FFFA2450000-00007FFFA2645000 ntdll.dll (Microsoft Corporation),
    version: 10.0.19041.1566 (WinBuild.160101.0800)
    00007FFF9F960000-00007FFF9FA7A000 hmpalert.dll (SurfRight B.V.),
    version: 3.8.20.935
    00007FFFA2280000-00007FFFA233E000 KERNEL32.dll (Microsoft Corporation),
    version: 10.0.19041.1566 (WinBuild.160101.0800)
    00007FFF9FF20000-00007FFFA01E8000 KERNELBASE.dll (Microsoft Corporation),
    version: 10.0.19041.1566 (WinBuild.160101.0800)
    00007FFFA0480000-00007FFFA0620000 USER32.dll (Microsoft Corporation),
    version: 10.0.19041.1503 (WinBuild.160101.0800)
    00007FFFA03B0000-00007FFFA03D2000 win32u.dll (Microsoft Corporation),
    version: 10.0.19041.1586 (WinBuild.160101.0800)
    00007FFFA1BE0000-00007FFFA1C0B000 GDI32.dll (Microsoft Corporation),
    version: 10.0.19041.1202 (WinBuild.160101.0800)
    00007FFFA01F0000-00007FFFA02FB000 gdi32full.dll (Microsoft Corporation),
    version: 10.0.19041.1566 (WinBuild.160101.0800)
    00007FFF9FDF0000-00007FFF9FE8D000 msvcp_win.dll (Microsoft Corporation),
    version: 10.0.19041.789 (WinBuild.160101.0800)
    00007FFF9FB40000-00007FFF9FC40000 ucrtbase.dll (Microsoft Corporation),
    version: 10.0.19041.789 (WinBuild.160101.0800)
    00007FFFA0E40000-00007FFFA0EEE000 ADVAPI32.dll (Microsoft Corporation),
    version: 10.0.19041.1466 (WinBuild.160101.0800)
    00007FFFA07B0000-00007FFFA084E000 msvcrt.dll (Microsoft Corporation),
    version: 7.0.19041.546 (WinBuild.160101.0800)
    00007FFFA2340000-00007FFFA23DC000 sechost.dll (Microsoft Corporation),
    version: 10.0.19041.1586 (WinBuild.160101.0800)
    00007FFFA1AB0000-00007FFFA1BD5000 RPCRT4.dll (Microsoft Corporation),
    version: 10.0.19041.1466 (WinBuild.160101.0800)
    00007FFFA1330000-00007FFFA1A74000 SHELL32.dll (Microsoft Corporation),
    version: 10.0.19041.1566 (WinBuild.160101.0800)
    00007FFFA0EF0000-00007FFFA101A000 ole32.dll (Microsoft Corporation),
    version: 10.0.19041.1202 (WinBuild.160101.0800)
    00007FFFA1C10000-00007FFFA1F64000 combase.dll (Microsoft Corporation),
    version: 10.0.19041.1566 (WinBuild.160101.0800)
    00007FFFA10A0000-00007FFFA10F5000 SHLWAPI.dll (Microsoft Corporation),
    version: 10.0.19041.1023 (WinBuild.160101.0800)
    00007FFF8E5B0000-00007FFF8E84A000 COMCTL32.dll (Microsoft Corporation),
    version: 6.10 (WinBuild.160101.0800)
    00007FFFA1F70000-00007FFFA1FA0000 IMM32.DLL (Microsoft Corporation),
    version: 10.0.19041.546 (WinBuild.160101.0800)
    00007FFF9F830000-00007FFF9F8F0000 0patchLoaderX64.dll (Acros Security),
    version: 21.05.05.10500
    00007FFF9F770000-00007FFF9F77A000 VERSION.dll (Microsoft Corporation),
    version: 10.0.19041.546 (WinBuild.160101.0800)
    00007FFF9F570000-00007FFF9F754000 dbghelp.dll (Microsoft Corporation),
    version: 10.0.19041.867 (WinBuild.160101.0800)
    00007FFF9F500000-00007FFF9F52C000 dbgcore.DLL (Microsoft Corporation),
    version: 10.0.19041.789 (WinBuild.160101.0800)
    00007FFF9F490000-00007FFF9F4C3000 ntmarta.dll (Microsoft Corporation),
    version: 10.0.19041.546 (WinBuild.160101.0800)
    00007FFFA0700000-00007FFFA07AD000 shcore.dll (Microsoft Corporation),
    version: 10.0.19041.1566 (WinBuild.160101.0800)

    Process Trace
    1 C:\Program Files\Windows Sidebar\8GadgetPack.exe [10832]
    "C:\Program Files\Windows Sidebar\8GadgetPack.exe" -debug 9408 -run "C:\Program Files\Windows Sidebar\sidebar.exe"
    2 C:\Program Files\Windows Sidebar\sidebar.exe [9408]
    3 C:\Windows\explorer.exe [8504]
    4 C:\Windows\System32\userinit.exe [4820]
    5 C:\Windows\System32\winlogon.exe [956]
    winlogon.exe

    Dropped Files
    1 C:\Users\David\AppData\Local\Microsoft\Windows\INetCache\IE\GE4Q72IY\AAehyQC[1].svg
    Dropped by \Device\HarddiskVolume4\Windows\explorer.exe [8504]
    Read by \Device\HarddiskVolume4\Windows\explorer.exe [8504]
    2 C:\Users\David\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete\icnAE12.tmp
    Dropped by \Device\HarddiskVolume4\Windows\explorer.exe [8504]
    3 C:\Users\David\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete\icnAE13.tmp
    Dropped by \Device\HarddiskVolume4\Windows\explorer.exe [8504]
    4 C:\Users\David\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete\icnAE14.tmp
    Dropped by \Device\HarddiskVolume4\Windows\explorer.exe [8504]
    5 C:\Users\David\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete\icnAE15.tmp
    Dropped by \Device\HarddiskVolume4\Windows\explorer.exe [8504]
    6 C:\Users\David\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete\icnAE16.tmp
    Dropped by \Device\HarddiskVolume4\Windows\explorer.exe [8504]
    7 C:\Users\David\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete\icnAE27.tmp
    Dropped by \Device\HarddiskVolume4\Windows\explorer.exe [8504]
    8 C:\Users\David\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete\icnAE28.tmp
    Dropped by \Device\HarddiskVolume4\Windows\explorer.exe [8504]
    9 C:\Users\David\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete\icnAE29.tmp
    Dropped by \Device\HarddiskVolume4\Windows\explorer.exe [8504]
    10 C:\Users\David\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete\icnAE2A.tmp
    Dropped by \Device\HarddiskVolume4\Windows\explorer.exe [8504]
    11 C:\Users\David\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete\icnAE2B.tmp
    Dropped by \Device\HarddiskVolume4\Windows\explorer.exe [8504]
    12 C:\Users\David\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete\icnAE2C.tmp
    Dropped by \Device\HarddiskVolume4\Windows\explorer.exe [8504]
    13 C:\Users\David\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete\icnAE2D.tmp
    Dropped by \Device\HarddiskVolume4\Windows\explorer.exe [8504]
    14 C:\Users\David\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete\icnAE2E.tmp
    Dropped by \Device\HarddiskVolume4\Windows\explorer.exe [8504]
    15 C:\Users\David\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete\icnAE2F.tmp
    Dropped by \Device\HarddiskVolume4\Windows\explorer.exe [8504]
    16 C:\Users\David\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete\icnAE3F.tmp
    Dropped by \Device\HarddiskVolume4\Windows\explorer.exe [8504]
    17 C:\Users\David\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
    Dropped by \Device\HarddiskVolume4\Windows\explorer.exe [8504]
    Read by \Device\HarddiskVolume4\Program Files (x86)\Firetrust\MailWasher\MailWasher.exe [11760]
    18 C:\Users\David\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db
    Dropped by \Device\HarddiskVolume4\Windows\explorer.exe [8504]
    19 C:\Users\David\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db
    Dropped by \Device\HarddiskVolume4\Windows\explorer.exe [8504]
    Read by \Device\HarddiskVolume4\Program Files (x86)\Firetrust\MailWasher\MailWasher.exe [11760]
    20 C:\Users\David\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db
    Dropped by \Device\HarddiskVolume4\Windows\explorer.exe [8504]
    21 C:\Users\David\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db
    Dropped by \Device\HarddiskVolume4\Windows\explorer.exe [8504]
    22 C:\Users\David\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db
    Dropped by \Device\HarddiskVolume4\Windows\explorer.exe [8504]
    23 C:\Users\David\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db
    Dropped by \Device\HarddiskVolume4\Windows\explorer.exe [8504]
    24 C:\Users\David\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db
    Dropped by \Device\HarddiskVolume4\Windows\explorer.exe [8504]
    25 C:\Users\David\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db
    Dropped by \Device\HarddiskVolume4\Windows\explorer.exe [8504]
    26 C:\Users\David\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db
    Dropped by \Device\HarddiskVolume4\Windows\explorer.exe [8504]
    27 C:\Users\David\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db
    Dropped by \Device\HarddiskVolume4\Windows\explorer.exe [8504]
    28 C:\Users\David\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db
    Dropped by \Device\HarddiskVolume4\Windows\explorer.exe [8504]
    29 C:\Users\David\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db
    Dropped by \Device\HarddiskVolume4\Windows\explorer.exe [8504]
    30 C:\Users\David\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db
    Dropped by \Device\HarddiskVolume4\Windows\explorer.exe [8504]
    31 C:\Users\David\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db
    Dropped by \Device\HarddiskVolume4\Windows\explorer.exe [8504]
    32 C:\Users\David\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SJY0O8EHLYBTE978TC6J.temp
    Dropped by \Device\HarddiskVolume4\Windows\explorer.exe [8504]
    33 C:\Users\David\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\407962ce3d4220f.customDestinations-ms~RFc236.TMP
    Dropped by \Device\HarddiskVolume4\Windows\explorer.exe [8504]
    34 C:\Users\David\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KUM1NHGRE1ON4X7E9U5P.temp
    Dropped by \Device\HarddiskVolume4\Windows\explorer.exe [8504]
    35 C:\Users\David\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFc236.TMP
    Dropped by \Device\HarddiskVolume4\Windows\explorer.exe [8504]
    36 C:\Users\David\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KS829UYEQV23CHH40IXT.temp
    Dropped by \Device\HarddiskVolume4\Windows\explorer.exe [8504]
    37 C:\Users\David\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d73913f45fe28db3.customDestinations-ms~RFc246.TMP
    Dropped by \Device\HarddiskVolume4\Windows\explorer.exe [8504]
    38 C:\Users\David\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5WKUVV33D8H1GPO6MJAQ.temp
    Dropped by \Device\HarddiskVolume4\Windows\explorer.exe [8504]
    39 C:\Users\David\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\f74763aa9d323ad.customDestinations-ms~RFc256.TMP
    Dropped by \Device\HarddiskVolume4\Windows\explorer.exe [8504]
    40 C:\Users\David\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1920_1080_POS4.jpg
    Dropped by \Device\HarddiskVolume4\Windows\explorer.exe [8504]

    Thumbprints
    N/A
     
  16. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    I cannot open SpywareBlaster. It is NOT a protected application.

    I get the UAC prompt, then nothing (x2 machines).

    Edit: Added as an Excluded Application and SpywareBlaster opens.
     
  17. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    636
    Location:
    Planet Earth
    That's possible; this detection is running silently, it will 'log-only'.
     
  18. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    636
    Location:
    Planet Earth
    Can you disable, on the orange button, Process Protection -> Unexpected system calls,
    remove it from exclusions and see if that is the culprit?
     
  19. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    Hi Ronny,

    Tried that but no luck. SB still does not open after UAC prompt.
     
  20. TheBear

    TheBear Registered Member

    Joined:
    May 7, 2006
    Posts:
    174
    Installed Hitmanpro.alert 3.8.20 build 935. Now when starting VirtualBox I get the VirtualBox error:
    Failed to open a session for the virtual machine me18avb3.

    The virtual machine 'me18avb3' has terminated unexpectedly during startup with exit code -1073740768 (0xc0000420).

    Result Code: E_FAIL (0x80004005)
    Component: MachineWrap
    Interface: IMachine {85632c68-b5bb-4316-a900-5eb28d3413df}

    From Hitmanpro.alert error:
    Code:
    The application is using a direct system call to evade inspection by AV/EDR defenses. The use of a direct syscall is highly unusual and an indication that the application is attempting to execute code without raising suspicion.
    
    MITRE ATT&CK
    
    Native API - ID: T1106, Tactic: Execution, Defense Evasion
    Mitigation   SysCall
    Timestamp    2022-03-16T22:32:44
    
    Platform     10.0.22000/x64 v935 8f_71
    PID          9176
    Feature      007D0A30000000A6
    Application  C:\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
    Created      2022-01-24T22:03:29
    Description  VirtualBox Virtual Machine 6.1.32
    
    SecLvl: 1
    Direct Syscall originating from: 00007FF6F1BFC7A4
    *** ImageBasedCaller ***
    OwnerModuleName: C:\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
    OwnerModule is signed
    Current process is signed
    
    0x00007FF6F1BFC7A4  c3                       RET        
    
    ----- SNIP HERE -----
    ----- END SNIP -----
    
    Loaded Modules (5)
    -----------------------------------------------------------------------------
    00007FF6F1BF0000-00007FF6F1D08000 VirtualBoxVM.exe (Oracle Corporation),
                                      version: 6.1.32.149290
    00007FFB73730000-00007FFB7384A000 hmpalert.dll (SurfRight B.V.),
                                      version: 3.8.20.935
    - MS skipped (3) -
    
    Process Trace
    1  C:\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe [9176]
       "C:\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe" --comment me18avb3 --startvm 97ce4e7d-de04-4b13-aa7b-3b4a2499736c --no-startvm-errormsgbox "--sup-hardening-log=\\as7004t\backups\VirtualBox VMs\VB1\me18avb3\Logs\VBoxHardening.log"
    2  C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe [9328]
       "C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe" -Embedding
    3  C:\Windows\System32\svchost.exe [1456]
       C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p
    4  C:\Windows\System32\services.exe [1320]
    5  C:\Windows\System32\wininit.exe [1124]
       wininit.exe
    
    Services
    1456  BrokerInfrastructure
    1456  DcomLaunch
    1456  PlugPlay
    1456  Power
    1456  SystemEventsBroker
    
    Dropped Files
    1  C:\Users\jwyko\.VirtualBox\VBoxSVC.log
         Dropped by \Device\HarddiskVolume3\Program Files\Oracle\VirtualBox\VBoxSVC.exe [9328]
    
    Thumbprints
    4c99bda7c796bb8f16e53e3f9d687e8a2a08fbc499968bb327327ac2f3b45de9 (pfn)
    8116a0e14ec43087fcc39eb4667126e7f6ab3bc33b6afc676cbfab36bedebaf5 (pfn-crt)
    2dd78676af800256d9824b89a9bd1e3135765a9a313deef3041fe8854a5487f3 (pfn-ownmod)
    
    
    Any thoughts?
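The three SysCall events in this thread differ in one detail that matters for triage: who owns the memory the direct syscall was issued from (`RemoteAllocator`, `UnknownAllocator`, `ImageBasedCaller`) and whether that owner is signed. The script below is an added example, not HitmanPro.Alert's own code; it parses the event text as quoted here (field names and line shapes taken from the posts above, cut down to the lines the parser reads) and ranks the events with a priority rule that is this example's assumption, not the product's logic.

```python
"""Parse and rank HitmanPro.Alert 'Mitigation SysCall' events (added example;
the triage rules are this example's assumption, not the product's logic)."""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed samples: the three SysCall events quoted in this thread, cut down to
# the lines the parser reads (hex dumps, module lists and process traces left out).
REMOTE_ALLOCATOR_EVENT = r"""
Mitigation SysCall
PID 656
Application C:\Program Files\AMD\CNext\CNext\QtWebEngineProcess.exe
SecLvl: 1
Direct Syscall originating from: 000002B391A87F34
*** RemoteAllocator ***
remoteOwnerProcessName: C:\Program Files\AMD\CNext\CNext\Radeonsoftware.exe
remoteOwnerModuleName: C:\Program Files\AMD\CNext\CNext\Qt5WebEngineCore.dll
remoteOwnerPID: 10448
remoteOwnerProcess is signed
remoteOwnerModule is not signed
0x000002B391A87F34 c3 RET
"""
UNKNOWN_ALLOCATOR_EVENT = r"""
Mitigation SysCall
PID 4328
Application C:\Program Files\NoVirusThanks\OSArmorDevSvc\OSArmorDevSvc.exe
Direct Syscall originating from: 0000000002CAD094
*** UnknownAllocator ***
Allocator is NOT local
"""
IMAGE_BASED_EVENT = r"""
Mitigation   SysCall
PID          9176
Application  C:\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
Direct Syscall originating from: 00007FF6F1BFC7A4
*** ImageBasedCaller ***
OwnerModuleName: C:\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe
OwnerModule is signed
Current process is signed
"""

@dataclass
class SysCallAlert:
    application: str = ""
    pid: Optional[int] = None
    origin: str = ""            # address the direct syscall was issued from
    caller_kind: str = ""       # RemoteAllocator / UnknownAllocator / ImageBasedCaller
    owner_process: str = ""     # process that allocated the calling memory (remote case)
    owner_module: str = ""      # module that owns the calling code, when known
    owner_pid: Optional[int] = None
    process_signed: Optional[bool] = None
    module_signed: Optional[bool] = None
    allocator_local: Optional[bool] = None

HDR_RE = re.compile(r"^(Mitigation|Application|PID)\s+(.+)$")
ORIGIN_RE = re.compile(r"^Direct Syscall originating from:\s*([0-9A-Fa-f]+)$")
KIND_RE = re.compile(r"^\*\*\* (\w+) \*\*\*$")
SIGNED_RE = re.compile(r"^(remoteOwnerProcess|remoteOwnerModule|OwnerModule|Current process) is (not )?signed$")
KV_RE = re.compile(r"^([A-Za-z]+):\s*(.*)$")

def parse_syscall_alert(text: str) -> SysCallAlert:
    """Build a SysCallAlert from the event text; rejects other mitigation types."""
    a = SysCallAlert()
    for raw in text.splitlines():
        line = raw.strip()
        if m := ORIGIN_RE.match(line):
            a.origin = m.group(1).upper()
        elif m := KIND_RE.match(line):
            a.caller_kind = m.group(1)
        elif m := SIGNED_RE.match(line):
            signed = m.group(2) is None
            if m.group(1) in ("remoteOwnerProcess", "Current process"):
                a.process_signed = signed
            else:
                a.module_signed = signed
        elif line == "Allocator is NOT local":
            a.allocator_local = False
        elif m := KV_RE.match(line):
            key, value = m.group(1), m.group(2).strip()
            if key == "remoteOwnerProcessName":
                a.owner_process = value
            elif key in ("remoteOwnerModuleName", "OwnerModuleName"):
                a.owner_module = value
            elif key == "remoteOwnerPID":
                a.owner_pid = int(value)
        elif m := HDR_RE.match(line):
            key, value = m.group(1), m.group(2).strip()
            if key == "Mitigation" and value != "SysCall":
                raise ValueError(f"not a SysCall event: {value}")
            if key == "Application":
                a.application = value
            elif key == "PID":
                a.pid = int(value)
    return a

def triage(a: SysCallAlert) -> str:
    """Heuristic priority (assumed for this example): who owns the calling memory, and is it signed?"""
    if a.caller_kind == "ImageBasedCaller":
        # stub sits inside a mapped image; a signed image in a signed process is the
        # usual shape of self-protecting software (the VirtualBox event above)
        return "low" if a.module_signed and a.process_signed else "medium"
    if a.caller_kind == "RemoteAllocator":
        # another process placed the calling code; an unsigned module behind a signed
        # parent (the AMD/Qt event above) deserves a look, an unsigned parent more so
        if not a.process_signed:
            return "high"
        return "low" if a.module_signed else "medium"
    # UnknownAllocator, or memory no process claims: nothing to attribute it to
    return "high"

def triage_all(events: List[str]) -> List[Tuple[str, str, str]]:
    """(image name, caller kind, priority) per event, highest priority first."""
    rank = {"high": 0, "medium": 1, "low": 2}
    rows = []
    for text in events:
        a = parse_syscall_alert(text)
        rows.append((ntpath.basename(a.application), a.caller_kind, triage(a)))
    return sorted(rows, key=lambda r: rank[r[2]])

if __name__ == "__main__":
    for row in triage_all([REMOTE_ALLOCATOR_EVENT, UNKNOWN_ALLOCATOR_EVENT, IMAGE_BASED_EVENT]):
        print("%-24s %-18s %s" % row)
```

Run as-is it lists OSArmor's `UnknownAllocator` event first, the AMD `RemoteAllocator` event (signed parent, unsigned Qt module) second and the fully signed VirtualBox `ImageBasedCaller` event last, which is the order a reviewer would want to look at them in before deciding on exclusions.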
     
  21. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    636
    Location:
    Planet Earth
    Can you disable all options on process protection and see if that makes a difference?
     
  22. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    636
    Location:
    Planet Earth
    Please try the same: disable all options on process protection of the Orange button, see if it works, and if so enable the options one-by-one so we know which one causes the issue.

    If that doesn't work, you'll probably need to add VirtualBox to exclusions for now.
     
  23. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    Still no luck.
     
  24. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    636
    Location:
    Planet Earth
    Ok, final try: can you disable all options under orange?
     
  25. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    636
    Location:
    Planet Earth
    Try the Suppress Alert option on the event log please
     