I have been receiving another alert, this time while using Excel. Every time it is triggered, HMP.A closes Excel on me and I lose some of my work. It has happened twice, so far.

Code:
Mitigation SendKeysGuard
Timestamp 2023-05-22T20:39:02
Platform 10.0.19045/x64 v957 06_2a%
PID 27816 WoW x86
Feature 007DCA361FBF01B6
Application C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Created 2023-05-11T20:24:57
Description Microsoft Excel 16

Events:
| #| VK | SC | FLAG |
|--|----|----|--------|
| 0|0014|003A|00000000|
| 1|0014|003A|00000002|
Ascii: [14]

Loaded Modules (199)
-----------------------------------------------------------------------------
772B0000-77454000 ntdll.dll (Microsoft Corporation), version: 10.0.19041.2965 (WinBuild.160101.0800)
75270000-75360000 KERNEL32.dll (Microsoft Corporation), version: 10.0.19041.2913 (WinBuild.160101.0800)
74380000-744A3000 hmpalert.dll (Sophos B.V.), version: 3.8.24.957
75AA0000-75CDA000 KERNELBASE.dll (Microsoft Corporation), version: 10.0.19041.2965 (WinBuild.160101.0800)
75010000-750CA000 guard32.dll (COMODO), version: 12, 2, 2, 8012
742E0000-7437F000 0patchLoader.dll (Acros Security), version: 22.11.11.10550
73210000-7321D000 UMPDC.dll (), version:
622A0000-62365000 nvldumd.dll (NVIDIA Corporation), version: 23.21.13.9135
5EE40000-60611000 nvwgf2um.dll (NVIDIA Corporation), version: 23.21.13.9135
72F80000-73014000 TextShaping.dll (), version:
- MS skipped (189) -

Process Trace
1 C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE [27816]
  "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "D:\Users\XXX\Desktop\My Diet.xlsx"
2 C:\Windows\explorer.exe [7680]

Dropped Files
1 C:\Users\XXX\AppData\Roaming\Microsoft\Office\Recent\My Diet.xlsx.LNK
  Dropped by \Device\HarddiskVolume2\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE [27816]
2 C:\Users\XXX\AppData\Roaming\Microsoft\Office\Recent\My Diet.xlsx (2).LNK
  Dropped by \Device\HarddiskVolume2\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE [27816]
3 C:\Users\XXX\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\T947OTPJOM7NOPJFMOZF.temp
  Dropped by \Device\HarddiskVolume2\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE [27816]
4 C:\Users\XXX\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms~RF38f24f0e.TMP
  Dropped by \Device\HarddiskVolume2\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE [27816]
5 C:\Users\XXX\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6B39NRKD6S83XX2AB8SU.temp
  Dropped by \Device\HarddiskVolume2\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE [27816]
6 C:\Users\XXX\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms~RF38f24f6c.TMP
  Dropped by \Device\HarddiskVolume2\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE [27816]
7 C:\Users\XXX\AppData\Roaming\Microsoft\Excel\~$My Diet (version 1).xlsb
  Dropped by \Device\HarddiskVolume2\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE [27816]
8 D:\Users\XXX\Desktop\My Diet(AutoRecovered).xlsx
  Dropped by \Device\HarddiskVolume2\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE [27816]
9 C:\Users\XXX\AppData\Local\Microsoft\Office\16.0\UsageMetricsStore\FileActivityStore\Excel\ARc0YzBjZGY0YjI4ZjhlYTQ2X0xpdmVJZAM.S
  Dropped by \Device\HarddiskVolume2\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE [27816]
10 C:\Users\XXX\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
  Dropped by \Device\HarddiskVolume2\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE [27816]
11 D:\Users\XXX\Desktop\~$My Diet(AutoRecovered).xlsx
  Dropped by \Device\HarddiskVolume2\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE [27816]
12 D:\Users\XXX\Desktop\17C2F830
  Dropped by \Device\HarddiskVolume2\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE [27816]
  Read by \Device\HarddiskVolume2\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE [27816]
          \Device\HarddiskVolume2\Windows\explorer.exe [7680]
13 C:\Users\XXX\AppData\Roaming\Microsoft\Office\Recent\My Diet(AutoRecovered).xlsx.LNK
  Dropped by \Device\HarddiskVolume2\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE [27816]
14 C:\Users\XXX\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QI00596HELEQ6W8DUJPF.temp
  Dropped by \Device\HarddiskVolume2\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE [27816]
15 C:\Users\XXX\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms~RF38f2f224.TMP
  Dropped by \Device\HarddiskVolume2\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE [27816]

Thumbprints
a7a48dac3aab8cbec451808d9f4bf0402afe85c38186d96ec1e9c99b0aa26e5c (pfn)
It seems it failed to validate the DLL ("Certhash could not be obtained for owner-module"). This happens sometimes during upgrades of the browser; for some reason Windows cannot determine the code-signing state of that file, and we hard-fail on that. After a reboot Windows seems to recover from this failure and all should be fine (whitelisting also works).
That's an interesting one, any specific action you can trigger this on? It seems to be some CAPSLOCK signal sent via a SendKeys command that got caught. Are you using macro(s) in this one? Does it happen on different Excel files/sheets, and do you have any add-ons installed?
Hi Ronny, I just opened a vanilla Excel spreadsheet and started typing in data. There should not be any macros or add-ons involved. The alerts popped up a couple of times, seemingly randomly while I was working on it. I will continue populating it and let you know if any further alerts are triggered. Thanks for the feedback.
Browsers (latest and older versions of Firefox, Chrome) cannot run in Sandboxie (Compatibility is enabled) if the latest stable or beta version of HitmanPro.Alert is installed. Older versions of Sandboxie could not either.
My guess would be something along these APIs https://learn.microsoft.com/en-us/dotnet/api/system.windows.forms.sendkeys?view=windowsdesktop-7.0
It's been many, many years since I used Sandboxie (used to love it though), but were I trying to troubleshoot it I'd open the resource manager (I think it was called that) before running said app to see what was blocked (e.g. had an x) and move forward from there in my tests. Just started a Win 10 21H1 VM and installed the latest Chrome (114.0.5735.134) & HMP.A (3.8.24 build 957) & SandboxiePlus by Xantos (1.9.6), and sadly I'm not seeing any issues off the bat when trying to launch Chrome inside Sandboxie. Perhaps more information is needed to re-create your issue?
On Windows 10 there is a compatibility issue with x64 applications; the 32-bit versions of the browsers should work fine.
The Windows OS returns a fail code for the certificate check of the msedge.dll file, hence we have to assume it's not correctly signed. For some reason it is a quirk in Windows that resolves after a reboot.

Hashes for owner-module:
C:\Program Files (x86)\Microsoft\Edge\Application\114.0.1823.67\msedge.dll
Certhash could not be obtained for owner-module
ErrorCode: 0000014c
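As an added, defender-side example (not code from the HitmanPro.Alert team or from anyone in this thread), the PowerShell function below asks Windows for the Authenticode state of a module through the same trust machinery that Get-AuthenticodeSignature wraps, and reports the status alongside the signer and a SHA-256 of the file. That lets an administrator tell a "signature present but could not be evaluated" condition (Status of UnknownError) apart from a genuinely unsigned or tampered file (NotSigned, HashMismatch) when an alert like the one above fires. The module path is the one quoted in the post; the function name is my own and the Edge version directory will differ on any other machine.

```powershell
# Added example, not part of the thread. Reports how Windows itself judges a
# module's Authenticode signature so an alert's "could not be obtained" outcome
# can be compared against the OS view. Function name is an assumption.
function Get-ModuleSignatureState {
    param(
        [Parameter(Mandatory)] [string] $Path
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [pscustomobject]@{
            Path = $Path; Status = 'FileNotFound'; Message = $null
            Signer = $null; Thumbprint = $null; Sha256 = $null
        }
    }

    # WinVerifyTrust result as exposed by PowerShell. Relevant values:
    #   Valid        - signature chains to a trusted root
    #   NotSigned    - no Authenticode signature at all (catalog-signed files
    #                  also show up here, so check the catalog separately)
    #   HashMismatch - file bytes no longer match the signed hash
    #   UnknownError - a signature exists but Windows could not evaluate it;
    #                  this is the state worth re-checking after a reboot
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    [pscustomobject]@{
        Path       = $Path
        Status     = $sig.Status.ToString()
        Message    = $sig.StatusMessage
        Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject }    else { $null }
        Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
        Sha256     = $hash
    }
}

# Module named in the alert above; the version directory changes with every Edge update.
$module = 'C:\Program Files (x86)\Microsoft\Edge\Application\114.0.1823.67\msedge.dll'
Get-ModuleSignatureState -Path $module | Format-List
```

Run it once when the alert appears and once after the reboot the post recommends; if the Status moves from UnknownError to Valid while the Sha256 stays the same, the file was never altered and the earlier failure was the transient OS condition described above.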
I use Windows 11, the latest version: 22H2, build 22621.2506. I always use the latest Windows 11. But I DM'd you about that.
HitmanPro.Alert 3.8.25 Build 965 (RC1)

Changelog (compared to 957)
Added Risk Reduction: New Process Protection panel
Added RDPGuard Icon under Risk Reduction button
Improved CiGuard
Improved PrivGuard
Improved CryptoGuard5
Improved HeapHeapProtect
Improved APC Game detection
Improved HHP Cobalt Strike detection
Improved DrWeb Compatibility (CallerCheck/SysCall)
Improved SendKeyGuard: Now specific key combinations can be allowed
Improved Lockdown: Now allows WMIC GET 'only' commands without interference
Fixed Driver BSOD under specific circumstances.
Fixed Lockdown Bypass when loading files over UNC paths
Removed ReflectiveDLL, as it has become obsolete in its current implementation
Several other changes under the hood

Beware: this build is signed with a new code-signing certificate by Sophos LTD; this might cause some 3rd-party vendors to have "trust" issues, as it's a rather fresh certificate.

Download: https://dl.surfright.nl/hmpalert3b965.exe

Please let us know how this version runs on your machine. We're planning to promote this build to Stable if results are good in the coming week(s).
Ok. This mitigation occurs when the desktop appears after finishing W10 startup. The mitigation did not occur again after Suppress.
I also just got this on first restart after installing the RC:

Spoiler: HMP.A Build 965 RC1
Mitigation HeapHeapProtect
Timestamp 2023-11-10T19:06:02
Platform 10.0.19045/x64 v965 06_5e
PID 5400
Feature 00FD2E70000001AE
Application C:\Windows\SysWOW64\XtuService.exe
Created 2021-02-24T00:19:30
Description XtuService 7.3

Callee Type ProtectVirtualMemory
0x0000023DAF252000 (189580 bytes)
Shellcode (HHP) (0x0002E48C bytes : start at 0000023DAF252000)
Target address info: Common.dll
Owner of CALLER: (anonymous; allocated by 00007FFD705EC0AA, clr.dll)

OwnerModule Name clr.dll
Path C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll
Thumbprint 11e3e707cf3877d15911a2bbc728858d0f18e53d18566ae5b42ad94d8cab8c56
SHA-256 157ac3f5978f8561b9d3d0951e13501baeb8b0a7400d85b92878758ab2137b94
SHA-1 dbd9928c7e19ec7842015482b56094602c4f5cff
MD5 b53e50ccbb014395c303f0cda37ce44d

Current process is signed
OwnerModule is signed

00007FFD10E81E86 ffd0 CALL RAX
00007FFD10E81E88 488b5580 MOV RDX, [RBP-0x80]
00007FFD10E81E8C c6420c01 MOV BYTE [RDX+0xc], 0x1
00007FFD10E81E90 833d7db6f45f00 CMP DWORD [RIP+0x5ff4b67d], 0x0
00007FFD10E81E97 7406 JZ 0x7ffd10e81e9f
00007FFD10E81E99 ff1589d3f35f CALL QWORD [RIP+0x5ff3d389]
00007FFD10E81E9F 894598 MOV [RBP-0x68], EAX
00007FFD10E81EA2 837d9800 CMP DWORD [RBP-0x68], 0x0
00007FFD10E81EA6 0f95c0 SETNZ AL
00007FFD10E81EA9 0fb6c0 MOVZX EAX, AL
00007FFD10E81EAC 89459c MOV [RBP-0x64], EAX
00007FFD10E81EAF 90 NOP
00007FFD10E81EB0 90 NOP
00007FFD10E81EB1 90 NOP
00007FFD10E81EB2 90 NOP
00007FFD10E81EB3 90 NOP

----- SNIP HERE -----
AAApAQAQ6BD9fwAAhh7oEP1/AAAAEOgQ/X8AAACAAQAASGPJSANN4ItV2Ehj0kgDykiJTcBpjXz///9oFjNxgfF6H5bfiY1s////6Z75//9Ii41I/v//ug8AAABIO1EIcgXoeVKrX0iNTJEQiwlIi5VA/v//uA8AAABIO0IIcgXoW1KrX0iNVIIQMwqJjQj///9Ii41I/v//uA8AAABIO0EIcgXoN1KrX0iNTIEQi5UI////iRFpjXz////M74KLgfGE54sYiY1s////6R35//+LTbjBwRuJTbxpjXz///+Rk0o5gfGub2R5iY1s////6fn4//9Ii41I/v//uggAAABIO1EIcgXo1FGrX0iNTJEQiwlIi5VA/v//uAgAAABIO0IIcgXotlGrX0iNVIIQAwqJjfj+//9Ii41I/v//uAgAAABIO0EIcgXoklGrX0iNTIEQi5X4/v//iRFpjXz///8jkfe0gfGgShZLiY1s////6Xj4//9Ii41I/v//ugIAAABIO1EIcgXoU1GrX0iNTJEQiwlIi5VA/v//uAIAAABIO0IIcgXoNVGrX0iNVIIQAwqJjeT+//9Ii41I/v//uAIAAABIO0EIcgXoEVGrX0iNTIEQi5Xk/v//iRFIi41I/v//ugMAAABIO1EIcgXo7VCrX0iNTJEQiwlIi5VA/v//uAMAAABIO0IIcgXoz1CrX0iNVIIQMwqJjeD+//9Ii41I/v//uAMAAABIO0EIcgXoq1CrX0iNTIEQi5Xg/v//iRFIi41I/v//ugQAAABIO1EIcgXoh1CrX0iNTJEQiwlIi5VA/v//uAQAAABIO0IIcgXoaVCrX0iNVIIQD68KiY3c/v//SIuNSP7//7gEAAAASDtBCHIF6ERQq19IjUyBEIuV3P7//4kRaY18////5lfqIYHxnW9oPImNbP///+kq9///M8mJTYBpjXz///9ElFyQgfFbBKkYiY1s////6Qr3//9IuTJtkW79fwAAuhAAAADoqO17X0iJhRj+//9Ii40Y/v//SImNSP7//2mNfP///7d3kQmB8TaIceiJjWz////pxvb//8dFvDpNIUHHRbiqiZhGaY18////jRwkfIHxUF4DIYmNbP///+md9v//i02UiU2waY18////LvMXvYHxWI9xLYmNbP///+l89v//M8mJTYTHhWz////g3Wsa6Wj2///HRbBsTz6kaY18////Xa6NXIHxvIZoZYmNbP///+lG9v//i02YO02ccxbHhRD////nhPgFx4UM////54T4BesUx4UQ////GmYnWseFDP///xpmJ1qLjRD///+JjWz////pA/b//0iLjVD+//8z0jkJ6PVu1l8Pt8iJjaD+//+DvaD+//88D5TBD7bJiY3U/v//6wgzwImF1P7//4uN1P7//w+2yYlN9EiLjVj+///op/v6XUiJhcj+//9Ii43I/v//6LSjA15IiYXA/v//SIuNwP7//0iJTehIi03ouDwAAABIY8CLDAFIY8lIA03oSIlN4MeFbP/////TrS3pZ/X//0iLjUj+//+4CwAAAEg7QQhyBehCTqtfSI1MgRCLCUiLhUD+//+6CwAAAEg7UAhyBegkTqtfSI1EkBADCImNrP7//0iLjUj+//+6CwAAAEg7UQhyBegATqtfSI1MkRCLhaz+//+JAUiLjUj+//+4DAAAAEg7QQhyBejcTatfSI1MgRCLCUiLhUD+//+6DAAAAEg7UAhyBei+TatfSI1EkBAzCImNqP7//0iLjUj+//+6DAAAAEg7UQhyBeiaTatfSI1MkRCLhaj+//+JAWmNfP///4TL5SKB8Tabew+JjWz////pgPT//0iLjUj+//8zwEg7QQhyBeheTatfSI1MgRCLCUiLhUD+//8z0kg7UAhyBehDTatfSI1EkBAzCImNaP7//0iLjUj+//8z0kg7UQhyBegiTatfSI1MkRCLhWj+//+JAWmNfP///3wI/fqB8dA50lSJ
jWz////pCPT//4tNvMHBFYlNsGmNfP///6YNR2+B8VfduTOJjWz////p5PP//0iLTaBIiY3w/v//uQQAAABIY8lIA02gSIlNoItNvEiLhfD+//8zCANNuItFtA+vRbADyIlNlItNuIlNvItNtIlNuMeFbP///7xQ4iDpk/P//0iLTehIiY2A/v//SIuNgP7//0iJjXj+//+DffQAdSVIi414/v//SImNcP7//0iLTcC4BAAAAEhjwIsMAYmNbP7//+sjSIuNeP7//0iJjXD+//9Ii03AuAwAAABIY8CLDAGJjWz+//+LjWz+//9IY8lIA41w/v//SIlN0MeFbP///4jzlj7pCfP//zPJiU2QaY18////dhoHBIHxqdSXHImNbP///+np8v//x0WIQAAAAGmNfP///6RdK1KB8UxGB7OJjWz////px/L//0iLjUD+//+LRZBIO0EIcgXopEurX0iNTIEQi0W4iQFpjXz////H1q97gfH/L/eEiY1s////6Y3y//+QSI1l+F9dw0iLjUj+//+4CQAAAEg7QQhyBehgS6tfSI1MgRCLCUiLhUD+//+6CQAAAEg7UAhyBehCS6tfSI1EkBAzCImNLP///0iLjUj+//+6CQAAAEg7UQhyBegeS6tfSI1MkRCLhSz///+JAUiLjUj+//+4CgAAAEg7QQhyBej6SqtfSI1MgRCLCUiLhUD+//+6CgAAAEg7UAhyBejcSqtfSI1EkBAPrwiJjSj///9Ii41I/v//ugoAAABIO1EIcgXot0qrX0iNTJEQi4Uo////iQFpjXz///+j+SfVgfGOG3YViY1s////6Z3x//+LTYD/wYlNgGmNfP///zg7+ieB8bP/NDKJjWz////pevH//8dFtKSlamRpjXz///9xTIjVgfEKkipkiY1s////6Vjx//9Ii03guAYAAABIY8APtwwBiU3caY18////uPoIaYHxAm1YAYmNbP///+kq8f//i02wiU24aY18////JlNhyYHxPKo9NYmNbP///+kJ8f//g32IQHUWx4VE////772DMseFQP///++9gzLrFMeFRP///7Y6MXPHhUD///+2OjFzaY18////efme9TONRP///4mNbP///+m+8P//SIuNUP7//zkJ6HJq1l+Jhdj+//+Dvdj+//8AD47I+v//aYV8////c5Dk+DVx87njiYVs////6YPw//+LRbTBwB2JRbiLRbDBwBmJRbRphXz////spwBRNYosRLeJhWz////pV/D//4N9qAB0FseFjP7//5zL+h7HhYj+//+cy/oe6xTHhYz+//8aZidax4WI/v//GmYnWouFjP7//4mFbP///+kW8P//gX2ofMkhHHUWx4Uk////fRmH6seFIP///30Zh+rrFMeFJP///yGQ4KHHhSD///8hkOChaYV8////RivyEjOFJP///4mFbP///+nI7///M8CJRaxphXz///8uYFjpNRRrTpeJhWz////pqe///0iLhUj+//+LVYSD4g+L0otICEg70XIF6H9Iq19IjUSQEIsASItV0DECSItF0EiJhTj///+4BAAAAEhjwEgDRdBIiUXQSIuFSP7//4tVhIPiD4vSi0gISDvRcgXoO0irX0iNRJAQiwBIi5U4////MwIFGSi7PYmFNP///0iLhUj+//+LVYSD4g+L0otICEg70XIF6ARIq19IjUSQEIuVNP///4kQx4Vs////NoJtPen27v//uCAAAABIY8BIA0XASIlFwItFrP/AiUWsx4Vs////bMW4VunP7v//SIuFSP7//7oNAAAASDtQCHIF6KpHq19IjUSQEIsASIuVQP7//7kNAAAASDtKCHIF6IxHq19IjVSKEA+vAomFBP///0iLhUj+//+5DQAAAEg7SAhyBehnR6tfSI1EiBCLlQT///+JEEiLhUj+//+6DgAAAEg7UAhyBehDR6tfSI1EkBCLAEiLlUD+//+5DgAAAEg7SghyBegl
R6tfSI1UihADAomFAP///0iLhUj+//+5DgAAAEg7SAhyBegBR6tfSI1EiBCLlQD///+JEGmFfP///2VXUGg1qvR5PomFbP///+no7f//SItFwEiJhZj+//+4BAAAAEhjwEgDRcBIiUXASItFwEiJhZD+//+4BAAAAEhjwEgDRcBIiUXASIuFmP7//4sASIuVkP7//w+vAolFqMeFbP///2N1zXjpje3//5BIjWX4X13DAAAAAAAAAM8FAACOBgAAZA0AAP8DAADtCwAA4BIAANoMAABQBwAApRAAAKwBAAAWEAAAQw8AAIUSAADMAAAA8w4AAGMJAADxCQAA4A0AAGoKAABDCQAA2gEAAGUMAAAGCwAAhA0AAKYEAADQCQAA0QMAAC0FAACvDwAA9QcAAGMAAABbAgAAiQwAAOwAAAB0BwAANQMAAOkEAACeEQAA6g8AANAOAADPBgAApwkAACcKAACeAgAAFQ8AAHcRAABuBQAAkQUAAFcQAADoDQAAtgMAAIEEAACRAQAApg0AAO0CAAAFCgAAxBAAAGQPAAAPAQAABAYAABkJBAAJAUEAAnABUEAAAAAAAAAAAAAAAPgL8BD9fwAAVUFXQVZBVUFUV1ZTSIHsuAAAAEiNrCTwAAAATImVeP///zPbSIldoEiJTRCJVRhEiUUgTIlNKEiNjUD///9Ji9LoiidpX0iJRYBIi8xIiY1g////SIvNSImNcP///0iLTYBIjYVA////SIlBEEiLjXj////o1/t3X0UzyUSJTcSQTItNEEyJTbiQkESLTRhNY8lMiU2wkJBEi00gTWPJTIlNqJCQTItNKEyJTaCQkJBMi414////uSAAAABIY8lNiwwJTYsJTIlNkJBMi02gSItNuEiLVbBMi0WoRTPbSIuFeP///0iJhVD///9IjQUVAAAASImFaP///0iLRYDGQAwASItFkP/QSItVgMZCDAGDPX229F8AdAb/FYnT81+JRZiDfZgAD5XAD7bAiUWckJCQkJCQkJCQi0WciUWM6wCLRYwPtsBIi1WAxkIMAUiLVYBIi41I////SIlKEEiNZchbXl9BXEFdQV5BX13DAAAZEwoAEwEXAAwwC2AKcAnAB9AF4APwAVBAAAAAAAAAAAAAAAAAAAAAyAzwEP1/AABVV0iB7DgBAABIjawkQAEAAEiNveD+//+5RgAAADPA86uDPegm7/8AdAXoMRarX8dF9MAAAADHRdDnUkZCi0XQNQGN3QiJRcyLRcyJRdSLRcy5JwAAADPS9/GJlUj///+DvUj///8mdx6LlUj///+L0kiNDeAMAACLDJFIjQWf////SAPI/+GQ6cMMAABIi5U4////i03cSDtKCHIF6B5Dq19IjVSKEEiJlSD///+LVdhIi40g////MRFpVdRY8UKNgfIH4Ic3iVXQ6W7///+LVfTB4gKL0ki5yk+Rbv1/AP4pAv+5RikDADPA86uDPegm7/8AdAXoMRarX8dF9MAp ----- END SNIP ----- Stack Trace # Address Module Location -- ---------------- ------------------------ ---------------------------------------- 1 00007FFD86CDC976 KernelBase.dll VirtualProtect +0x36 2 00007FFD10E81E88 (anonymous; clr.dll) 488b5580 MOV RDX, [RBP-0x80] c6420c01 MOV BYTE [RDX+0xc], 0x1 833d7db6f45f00 CMP DWORD [RIP+0x5ff4b67d], 0x0 7406 JZ 0x7ffd10e81e9f ff1589d3f35f CALL QWORD [RIP+0x5ff3d389] 894598 MOV [RBP-0x68], EAX 837d9800 CMP DWORD [RBP-0x68], 0x0 0f95c0 SETNZ AL 
0fb6c0 MOVZX EAX, AL 89459c MOV [RBP-0x64], EAX 90 NOP 90 NOP 90 NOP 90 NOP 90 NOP 90 NOP 3 00007FFD10E978A0 (anonymous; clr.dll) 4 00007FFD10E96CCB (anonymous; clr.dll) 5 00007FFD706412C3 clr.dll 6 00007FFD7050961B clr.dll 7 00007FFD705095AF clr.dll 8 00007FFD70509445 clr.dll 9 00007FFD7050931C clr.dll 10 00007FFD7050BA21 clr.dll Loaded Modules (5 ----------------------------------------------------------------------------- 0000023D96010000-0000023D96026000 XtuService.exe (Intel(R) Corporation), version: 7.3.0.33 00007FFD89590000-00007FFD89788000 ntdll.dll (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800) 00007FFD877D0000-00007FFD8788D000 KERNEL32.dll (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800) 00007FFD710E0000-00007FFD71145000 MSCOREE.DLL (Microsoft Corporation), version: 10.0.19041.1 (WinBuild.160101.0800) 00007FFD86C70000-00007FFD86F66000 KERNELBASE.dll (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800) 00007FFD869D0000-00007FFD86B17000 hmpalert.dll (Sophos B.V.), version: 3.8.25.965 00007FFD87890000-00007FFD8793E000 ADVAPI32.dll (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800) 00007FFD879A0000-00007FFD87A3E000 msvcrt.dll (Microsoft Corporation), version: 7.0.19041.3636 (WinBuild.160101.0800) 00007FFD88490000-00007FFD8852C000 sechost.dll (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800) 00007FFD87AB0000-00007FFD87BD6000 RPCRT4.dll (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800) 00007FFD70EA0000-00007FFD70F3B000 mscoreei.dll (Microsoft Corporation), version: 4.8.9093.0 built by: NET481REL1LAST_C 00007FFD87940000-00007FFD87995000 SHLWAPI.dll (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800) 00007FFD84A00000-00007FFD84A12000 kernel.appcore.dll (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800) 00007FFD82300000-00007FFD8230A000 VERSION.dll (Microsoft Corporation), version: 
10.0.19041.3636 (WinBuild.160101.0800) 00007FFD704B0000-00007FFD70E54000 clr.dll (Microsoft Corporation), version: 4.8.9181.0 built by: NET481REL1LAST_C 00007FFD882C0000-00007FFD8845E000 USER32.dll (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800) 00007FFD875C0000-00007FFD875E2000 win32u.dll (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800) 00007FFD893E0000-00007FFD8940C000 GDI32.dll (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800) 00007FFD870A0000-00007FFD871BA000 gdi32full.dll (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800) 00007FFD87310000-00007FFD873AD000 msvcp_win.dll (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800) 00007FFD86FA0000-00007FFD870A0000 ucrtbase.dll (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800) 00007FFD70E80000-00007FFD70E8C000 VCRUNTIME140_1_CLR0400.dll (Microsoft Corporation), version: 14.32.31326.0 00007FFD700D0000-00007FFD700EB000 VCRUNTIME140_CLR0400.dll (Microsoft Corporation), version: 14.32.31326.0 00007FFD70000000-00007FFD700CD000 ucrtbase_clr0400.dll (Microsoft Corporation), version: 14.32.31326.0 00007FFD88460000-00007FFD88490000 IMM32.DLL (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800) 00007FFD6E910000-00007FFD6FF1F000 mscorlib.ni.dll (Microsoft Corporation), version: 4.8.9181.0 built by: NET481REL1LAST_C 00007FFD89420000-00007FFD8954B000 ole32.dll (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800) 00007FFD87D60000-00007FFD880B4000 combase.dll (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800) 00007FFD871C0000-00007FFD87242000 bcryptPrimitives.dll (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800) 00007FFD863E0000-00007FFD863F8000 CRYPTSP.dll (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800) 00007FFD85B20000-00007FFD85B54000 rsaenh.dll (Microsoft Corporation), version: 
10.0.19041.3636 (WinBuild.160101.0800) 00007FFD86F70000-00007FFD86F97000 bcrypt.dll (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800) 00007FFD86400000-00007FFD8640C000 CRYPTBASE.dll (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800) 00007FFD6E5A0000-00007FFD6E6CF000 clrjit.dll (Microsoft Corporation), version: 4.8.9181.0 built by: NET481REL1LAST_C 00007FFD86490000-00007FFD864BD000 wldp.dll (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800) 00007FFD7EA30000-00007FFD7EA4F000 amsi.dll (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800) 00007FFD86B20000-00007FFD86B4E000 USERENV.dll (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800) 00007FFD86BA0000-00007FFD86BC5000 profapi.dll (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800) 00007FFD7E980000-00007FFD7EA2E000 symamsi.dll (Broadcom), version: 15.7.12.41 00007FFD872A0000-00007FFD87307000 WINTRUST.dll (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800) 00007FFD87460000-00007FFD875BD000 CRYPT32.dll (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800) 00007FFD88530000-00007FFD88C74000 SHELL32.dll (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800) 00007FFD88C90000-00007FFD88D5D000 OLEAUT32.dll (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800) 00007FFD86620000-00007FFD86632000 MSASN1.dll (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800) 00007FFD877B0000-00007FFD877CD000 imagehlp.dll (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800) 00007FFD853B0000-00007FFD853D3000 gpapi.dll (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800) 00007FFD6D680000-00007FFD6E29C000 System.ni.dll (Microsoft Corporation), version: 4.8.9172.0 built by: NET481REL1LAST_C 00007FFD6D170000-00007FFD6D1B6000 System.ServiceProcess.ni.dll (Microsoft Corporation), version: 
4.8.9037.0 built by: NET481REL1
00007FFD69B10000-00007FFD69B3D000 System.Configuration.Install.ni.dll (Microsoft Corporation), version: 4.8.9037.0 built by: NET481REL1
00007FFD698E0000-00007FFD69A46000 System.Management.ni.dll (Microsoft Corporation), version: 4.8.9037.0 built by: NET481REL1
00007FFD698B0000-00007FFD698DF000 wminet_utils.dll (Microsoft Corporation), version: 4.8.9037.0 built by: NET481REL1
00007FFD87700000-00007FFD877A9000 clbcatq.dll (Microsoft Corporation), version: 2001.12.10941.16384 (WinBuild.160101.080
00007FFD7EAF0000-00007FFD7EB18000 wmiutils.dll (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800)
00007FFD7F450000-00007FFD7F4E0000 wbemcomn.dll (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800)
00007FFD7F520000-00007FFD7F531000 wbemprox.dll (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800)
00007FFD87A40000-00007FFD87AAB000 WS2_32.dll (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800)
00007FFD7EB50000-00007FFD7EB64000 wbemsvc.dll (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800)
00007FFD7ED60000-00007FFD7EE6B000 fastprox.dll (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800)

Process Trace
1 C:\Windows\SysWOW64\XtuService.exe [5400]
2 C:\Windows\System32\services.exe [468]
3 C:\Windows\System32\wininit.exe [936]
  wininit.exe
4 C:\Windows\System32\smss.exe [576]
  \SystemRoot\System32\smss.exe 000000c8 00000084
5 C:\Windows\System32\smss.exe [428]
  \SystemRoot\System32\smss.exe
6 [4]

Dropped Files
1 C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NGC_22.23.5.106\diStRptr\diStRptr.dat.log
  Dropped by [4]

Thumbprints
4c28fef8ba7bdf053228228d788b6b56d3810d7c444179937a330ca07200a7ad (code)
11e3e707cf3877d15911a2bbc728858d0f18e53d18566ae5b42ad94d8cab8c56 (hhp-ownermodule)
47eda548bb173b4a61d8e830851e0805266d272daa77eb53f4a572d0e776c528 (hhp-fhsh-ownmod)
Intel(R) Extreme Tuning Utility, same as Deugniet. Please use Action -> Suppress alert for now; it looks like an FP.