HitmanPro.Alert BETA

Discussion in 'other anti-malware software' started by erikloman, May 30, 2017.

  1. HempOil

    HempOil Registered Member

    Joined:
    Jun 15, 2015
    Posts:
    225
    Location:
    Canada
    I have been receiving another alert, this time while using Excel. Every time it is triggered, HMP.A closes Excel on me and I lose some of my work. It has happened twice, so far.

    Code:
    Mitigation   SendKeysGuard
    Timestamp    2023-05-22T20:39:02
    
    Platform     10.0.19045/x64 v957 06_2a%
    PID          27816
    WoW          x86
    Feature      007DCA361FBF01B6
    Application  C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
    Created      2023-05-11T20:24:57
    Description  Microsoft Excel 16
    
    Events:
    
      | #| VK | SC |  FLAG  |
      |--|----|----|--------|
      | 0|0014|003A|00000000|
      | 1|0014|003A|00000002|
    
    Ascii:
    
      [14]
    
    
    Loaded Modules (199)
    -----------------------------------------------------------------------------
    772B0000-77454000 ntdll.dll (Microsoft Corporation),
                      version: 10.0.19041.2965 (WinBuild.160101.0800)
    75270000-75360000 KERNEL32.dll (Microsoft Corporation),
                      version: 10.0.19041.2913 (WinBuild.160101.0800)
    74380000-744A3000 hmpalert.dll (Sophos B.V.),
                      version: 3.8.24.957
    75AA0000-75CDA000 KERNELBASE.dll (Microsoft Corporation),
                      version: 10.0.19041.2965 (WinBuild.160101.0800)
    75010000-750CA000 guard32.dll (COMODO),
                      version: 12, 2, 2, 8012
    742E0000-7437F000 0patchLoader.dll (Acros Security),
                      version: 22.11.11.10550
    73210000-7321D000 UMPDC.dll (),
                      version:
    622A0000-62365000 nvldumd.dll (NVIDIA Corporation),
                      version: 23.21.13.9135
    5EE40000-60611000 nvwgf2um.dll (NVIDIA Corporation),
                      version: 23.21.13.9135
    72F80000-73014000 TextShaping.dll (),
                      version:
    - MS skipped (189) -
    
    Process Trace
    1  C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE [27816]
       "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "D:\Users\XXX\Desktop\My Diet.xlsx"
    2  C:\Windows\explorer.exe [7680]
    
    Dropped Files
    1  C:\Users\XXX\AppData\Roaming\Microsoft\Office\Recent\My Diet.xlsx.LNK
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE [27816]
    2  C:\Users\XXX\AppData\Roaming\Microsoft\Office\Recent\My Diet.xlsx (2).LNK
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE [27816]
    3  C:\Users\XXX\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\T947OTPJOM7NOPJFMOZF.temp
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE [27816]
    4  C:\Users\XXX\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms~RF38f24f0e.TMP
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE [27816]
    5  C:\Users\XXX\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6B39NRKD6S83XX2AB8SU.temp
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE [27816]
    6  C:\Users\XXX\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms~RF38f24f6c.TMP
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE [27816]
    7  C:\Users\XXX\AppData\Roaming\Microsoft\Excel\~$My Diet (version 1).xlsb
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE [27816]
    8  D:\Users\XXX\Desktop\My Diet(AutoRecovered).xlsx
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE [27816]
    9  C:\Users\XXX\AppData\Local\Microsoft\Office\16.0\UsageMetricsStore\FileActivityStore\Excel\ARc0YzBjZGY0YjI4ZjhlYTQ2X0xpdmVJZAM.S
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE [27816]
    10 C:\Users\XXX\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE [27816]
    11 D:\Users\XXX\Desktop\~$My Diet(AutoRecovered).xlsx
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE [27816]
    12 D:\Users\XXX\Desktop\17C2F830
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE [27816]
            Read by \Device\HarddiskVolume2\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE [27816]
                    \Device\HarddiskVolume2\Windows\explorer.exe [7680]
    13 C:\Users\XXX\AppData\Roaming\Microsoft\Office\Recent\My Diet(AutoRecovered).xlsx.LNK
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE [27816]
    14 C:\Users\XXX\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QI00596HELEQ6W8DUJPF.temp
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE [27816]
    15 C:\Users\XXX\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms~RF38f2f224.TMP
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE [27816]
    
    Thumbprints
    a7a48dac3aab8cbec451808d9f4bf0402afe85c38186d96ec1e9c99b0aa26e5c (pfn)
     
    Last edited: May 23, 2023
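The Events table in the alert above is small enough to decode by hand, but the same fields turn up in every SendKeysGuard alert, so here is an added example (not code from the thread or from HitmanPro.Alert) that parses the table and names each row with the VK_* and KEYEVENTF_* constants from winuser.h. The VK name table is deliberately a subset and any other code prints as VK_0x..; the sample rows are copied from the table above. For that sample the result is two events on VK 0x14 = VK_CAPITAL with scan code 0x3A (the Caps Lock key): row 0 has no flags (key down) and row 1 has flag 0x2 = KEYEVENTF_KEYUP (key up), i.e. one synthetic press and release of Caps Lock. Who injected it is not something the table tells you.

```powershell
# Added example (not code from the thread or from HitmanPro.Alert): decode the
# "Events" table of a SendKeysGuard alert. Constants are from winuser.h; the
# VK name table is deliberately a subset, unknown codes print as VK_0x..
$script:VkNames = @{
    0x08 = 'VK_BACK';    0x09 = 'VK_TAB';    0x0D = 'VK_RETURN';  0x10 = 'VK_SHIFT'
    0x11 = 'VK_CONTROL'; 0x12 = 'VK_MENU';   0x14 = 'VK_CAPITAL'; 0x1B = 'VK_ESCAPE'
    0x20 = 'VK_SPACE';   0x2E = 'VK_DELETE'; 0x5B = 'VK_LWIN';    0x5C = 'VK_RWIN'
    0x90 = 'VK_NUMLOCK'; 0x91 = 'VK_SCROLL'
}
# KEYBDINPUT.dwFlags bits as passed to SendInput / keybd_event.
$script:KeyFlags = @{
    0x1 = 'KEYEVENTF_EXTENDEDKEY'; 0x2 = 'KEYEVENTF_KEYUP'
    0x4 = 'KEYEVENTF_UNICODE';     0x8 = 'KEYEVENTF_SCANCODE'
}

function Get-VkName {
    param([int]$Vk)
    if ($script:VkNames.ContainsKey($Vk)) { return $script:VkNames[$Vk] }
    # 0x30-0x39 and 0x41-0x5A are the digit and letter keys, named after the ASCII character.
    if (($Vk -ge 0x30 -and $Vk -le 0x39) -or ($Vk -ge 0x41 -and $Vk -le 0x5A)) {
        return "VK_$([char]$Vk)"
    }
    return ('VK_0x{0:X2}' -f $Vk)
}

function ConvertFrom-SendKeysEvents {
    param([Parameter(Mandatory)][string[]]$Lines)
    foreach ($line in $Lines) {
        $cells = $line.Trim().Trim('|').Split('|') | ForEach-Object { $_.Trim() }
        # Skip the header row and the |--|----| separator; data rows start with a decimal index.
        if ($cells.Count -ne 4 -or $cells[0] -notmatch '^\d+$') { continue }
        $vk   = [Convert]::ToInt32($cells[1], 16)
        $sc   = [Convert]::ToInt32($cells[2], 16)
        $flag = [Convert]::ToInt32($cells[3], 16)
        # Collect every KEYEVENTF_* bit that is set, lowest bit first.
        $set  = foreach ($bit in ($script:KeyFlags.Keys | Sort-Object)) {
            if ($flag -band $bit) { $script:KeyFlags[$bit] }
        }
        [pscustomobject]@{
            Index    = [int]$cells[0]
            VK       = Get-VkName -Vk $vk
            ScanCode = '0x{0:X2}' -f $sc
            Action   = if ($flag -band 0x2) { 'key up' } else { 'key down' }
            Flags    = if ($set) { $set -join '|' } else { 'none' }
        }
    }
}

# Constructed sample: the four table rows from the alert above.
$sample = @(
    '| #| VK | SC |  FLAG  |'
    '|--|----|----|--------|'
    '| 0|0014|003A|00000000|'
    '| 1|0014|003A|00000002|'
)
ConvertFrom-SendKeysEvents -Lines $sample | Format-Table -AutoSize
```

Paste the Events block of any other SendKeysGuard alert into `$sample` to read it the same way; a longer sequence of letter and digit VK codes with alternating key down / key up rows is what a scripted SendKeys-style text injection looks like, whereas a lone modifier or lock key, as here, is a single synthetic keystroke.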
  2. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    636
    Location:
    Planet Earth
    It seems it failed to validate the dll ("Certhash could not be obtained for owner-module"). This happens sometimes during upgrades of the browser; for some reason Windows cannot determine the code-sign state of that file.
    And we hard fail on that. After a reboot it seems Windows recovers from this failure and all should be fine (whitelisting also works).
     
  3. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    636
    Location:
    Planet Earth
    That's an interesting one, any specific action you can trigger this on?
    It seems to be some CAPSLOCK signal sent via a SendKeys command that got caught.

    Are you using macro(s) in this one?
    Does it happen on different Excel files/sheets, and do you have any add-ons installed?
     
  4. HempOil

    HempOil Registered Member

    Joined:
    Jun 15, 2015
    Posts:
    225
    Location:
    Canada
    Hi Ronny,

    I just opened a vanilla Excel spreadsheet and started typing in data. There should not be any macros or add-ons involved. The alerts popped up a couple of times, seemingly randomly while I was working on it. I will continue populating it and let you know if any further alerts are triggered.

    Thanks for the feedback.
     
  5. HempOil

    HempOil Registered Member

    Joined:
    Jun 15, 2015
    Posts:
    225
    Location:
    Canada
    This makes sense. Chrome was trying to update at the time.
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    What is this SendKeysGuard feature about anyway?
     
  7. feerf56

    feerf56 Registered Member

    Joined:
    Feb 24, 2015
    Posts:
    324
    Browsers (latest and older versions of Firefox, Chrome) cannot run in Sandboxie (Compatibility is enabled) if the latest stable or beta version of HitmanPro.Alert is installed. Older versions of Sandboxie could not either.
     
    Last edited: Jun 9, 2023
  8. tempb

    tempb Registered Member

    Joined:
    Mar 31, 2021
    Posts:
    9
    Location:
    Wondering
  9. tempb

    tempb Registered Member

    Joined:
    Mar 31, 2021
    Posts:
    9
    Location:
    Wondering
    It's been many, many years since I used Sandboxie (used to love it though), but were I trying to troubleshoot it I'd open the resource manager (I think it was called) before running said app to see what was blocked (e.g. had an x) and move forward from there in my tests.

    Just started a Win 10 21H1 VM and installed the latest Chrome (114.0.5735.134), HMP.A (3.8.24 build 957) and SandboxiePlus by Xantos (1.9.6), and sadly I'm not seeing any issues off the bat when trying to launch Chrome inside Sandboxie. Perhaps more information is needed to re-create your issue?
     

    Last edited: Jun 24, 2023
  10. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,243
    CookieGuard mitigation. HitmanPro.Alert 957 with Microsoft Edge 114.
     

    Last edited: Jul 18, 2023
  11. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    636
    Location:
    Planet Earth
    On Windows 10 there is a compatibility issue with x64 applications, 32bit version of the browsers should work fine.
     
  12. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    636
    Location:
    Planet Earth
    The Windows OS returns a fail code for the certificate check of the msedge.dll file, hence we have to assume it's not correctly signed.
    For some reason it's a quirk in Windows that resolves after a reboot.

    Hashes for owner-module: C:\Program Files (x86)\Microsoft\Edge\Application\114.0.1823.67\msedge.dll
    Certhash could not be obtained for owner-module
    ErrorCode: 0000014c
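A practitioner who sees this alert will want to ask Windows the same question themselves. The following is an added example, not HitmanPro.Alert's own code and not from the thread: a PowerShell function that runs the Authenticode check via Get-AuthenticodeSignature (which calls WinVerifyTrust) and records the same file hashes that an alert's OwnerModule block prints. The msedge.dll path is the one quoted in the post above; the hmpalert.dll path is an assumption about the default install folder. HMP.A's internal check and the meaning of its ErrorCode values are not documented on this page, so this shows only what Windows itself reports for the file.

```powershell
# Added example (not HMP.A code): reproduce an Authenticode check on a module
# and collect the hashes an alert prints for it. Paths are from the thread or,
# where marked, assumed.
function Get-ModuleSigningReport {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }

    $sig  = Get-AuthenticodeSignature -LiteralPath $Path   # WinVerifyTrust under the hood
    $cert = $sig.SignerCertificate                          # $null when Status is NotSigned

    # Same three digests that an alert lists under OwnerModule.
    $fileHash = @{}
    foreach ($alg in 'SHA256', 'SHA1', 'MD5') {
        $fileHash[$alg] = (Get-FileHash -LiteralPath $Path -Algorithm $alg).Hash.ToLower()
    }

    [pscustomobject]@{
        Path           = $Path
        Status         = $sig.Status          # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
        StatusMessage  = $sig.StatusMessage
        Signer         = if ($cert) { $cert.Subject } else { '(none)' }
        CertThumbprint = if ($cert) { $cert.Thumbprint } else { '(none)' }   # SHA-1 of the signer certificate
        CertNotAfter   = if ($cert) { $cert.NotAfter } else { $null }
        Timestamped    = [bool]$sig.TimeStamperCertificate
        FileSHA256     = $fileHash['SHA256']
        FileSHA1       = $fileHash['SHA1']
        FileMD5        = $fileHash['MD5']
    }
}

$modules = @(
    'C:\Program Files (x86)\Microsoft\Edge\Application\114.0.1823.67\msedge.dll'  # path from the post above
    'C:\Program Files\HitmanPro.Alert\hmpalert.dll'                                # assumed install path
)
foreach ($m in $modules) {
    if (Test-Path -LiteralPath $m) { Get-ModuleSigningReport -Path $m | Format-List }
    else { Write-Warning "Skipping missing $m" }
}
```

Run it while the browser updater is active and again after the reboot the post recommends: a Status other than Valid that turns Valid after the reboot matches the transient described above, while a persistent NotSigned or HashMismatch on a file that ships signed deserves a closer look. Pointed at hmpalert.dll, the same function also shows which certificate signed the installed build, which is useful when a build is shipped under a new code-signing certificate as happens later in this thread.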
     
  13. feerf56

    feerf56 Registered Member

    Joined:
    Feb 24, 2015
    Posts:
    324
    I use windows 11. The latest version. 22H2 build: 22621.2506 I always use the latest windows 11. But I DM'd you about that.
     
  14. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    636
    Location:
    Planet Earth
    Ported from the same code-base, I'm pretty sure this "bug" exists on both.
     
  15. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    636
    Location:
    Planet Earth
    HitmanPro.Alert 3.8.25 Build 965 (RC1)

    Changelog (compared to 957)
    • Added Risk Reduction: New Process Protection panel
    • Added RDPGuard icon under Risk Reduction button
    • Improved CiGuard
    • Improved PrivGuard
    • Improved CryptoGuard5
    • Improved HeapHeapProtect
    • Improved APC Game detection
    • Improved HHP Cobalt Strike detection
    • Improved DrWeb compatibility (CallerCheck/SysCall)
    • Improved SendKeyGuard: specific key combinations can now be allowed
    • Improved Lockdown: now allows WMIC GET 'only' commands without interference
    • Fixed driver BSOD under specific circumstances
    • Fixed Lockdown bypass when loading files over UNC paths
    • Removed ReflectiveDLL, as it has become obsolete in its current implementation
    • Several other changes under the hood
    Beware this build is signed with a new code-signing certificate by Sophos LTD; this might cause some 3rd-party vendors to have "trust" issues as it's a rather fresh certificate.


    Download
    https://dl.surfright.nl/hmpalert3b965.exe

    Please let us know how this version runs on your machine :thumb:
    We're planning to promote this build to Stable if results are good in the coming week(s).
     
  16. Valdez

    Valdez Registered Member

    Joined:
    Apr 21, 2016
    Posts:
    50
    Location:
    Italien
    Thanks RonnyT.
    Everything perfect. :thumb::thumb:
     
  17. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,243
    Mitigation: HeapHeapProtect.
     

    Attached Files:

    • 1.txt (18.9 KB)
  18. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    636
    Location:
    Planet Earth
    Thanks, we'll investigate. Can you use Action -> Suppress alert for now?
     
  19. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,243
    Ok. This mitigation occurs when the desktop appears after finishing W10 startup.

    Not again this mitigation after Suppress.
     
    Last edited: Nov 10, 2023
  20. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,243
    On my laptop the Anti-Malware/Cloud Protection is currently offline (is enabled).
     
  21. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    I also just got this on first restart after installing the RC:

    Mitigation HeapHeapProtect
    Timestamp 2023-11-10T19:06:02

    Platform 10.0.19045/x64 v965 06_5e
    PID 5400
    Feature 00FD2E70000001AE
    Application C:\Windows\SysWOW64\XtuService.exe
    Created 2021-02-24T00:19:30
    Description XtuService 7.3

    Callee Type ProtectVirtualMemory
    0x0000023DAF252000 (189580 bytes)

    Shellcode (HHP) (0x0002E48C bytes : start at 0000023DAF252000)
    Target address info: Common.dll
    Owner of CALLER: (anonymous; allocated by 00007FFD705EC0AA, clr.dll)

    OwnerModule
    Name clr.dll
    Path C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll
    Thumbprint 11e3e707cf3877d15911a2bbc728858d0f18e53d18566ae5b42ad94d8cab8c56
    SHA-256 157ac3f5978f8561b9d3d0951e13501baeb8b0a7400d85b92878758ab2137b94
    SHA-1 dbd9928c7e19ec7842015482b56094602c4f5cff
    MD5 b53e50ccbb014395c303f0cda37ce44d

    Current process is signed
    OwnerModule is signed

    00007FFD10E81E86 ffd0 CALL RAX
    00007FFD10E81E88 488b5580 MOV RDX, [RBP-0x80]
    00007FFD10E81E8C c6420c01 MOV BYTE [RDX+0xc], 0x1
    00007FFD10E81E90 833d7db6f45f00 CMP DWORD [RIP+0x5ff4b67d], 0x0
    00007FFD10E81E97 7406 JZ 0x7ffd10e81e9f
    00007FFD10E81E99 ff1589d3f35f CALL QWORD [RIP+0x5ff3d389]
    00007FFD10E81E9F 894598 MOV [RBP-0x68], EAX
    00007FFD10E81EA2 837d9800 CMP DWORD [RBP-0x68], 0x0
    00007FFD10E81EA6 0f95c0 SETNZ AL
    00007FFD10E81EA9 0fb6c0 MOVZX EAX, AL
    00007FFD10E81EAC 89459c MOV [RBP-0x64], EAX
    00007FFD10E81EAF 90 NOP
    00007FFD10E81EB0 90 NOP
    00007FFD10E81EB1 90 NOP
    00007FFD10E81EB2 90 NOP
    00007FFD10E81EB3 90 NOP

    Stack Trace
    # Address Module Location
    -- ---------------- ------------------------ ----------------------------------------
    1 00007FFD86CDC976 KernelBase.dll VirtualProtect +0x36

    2 00007FFD10E81E88 (anonymous; clr.dll)
    488b5580 MOV RDX, [RBP-0x80]
    c6420c01 MOV BYTE [RDX+0xc], 0x1
    833d7db6f45f00 CMP DWORD [RIP+0x5ff4b67d], 0x0
    7406 JZ 0x7ffd10e81e9f
    ff1589d3f35f CALL QWORD [RIP+0x5ff3d389]
    894598 MOV [RBP-0x68], EAX
    837d9800 CMP DWORD [RBP-0x68], 0x0
    0f95c0 SETNZ AL
    0fb6c0 MOVZX EAX, AL
    89459c MOV [RBP-0x64], EAX
    90 NOP
    90 NOP
    90 NOP
    90 NOP
    90 NOP
    90 NOP

    3 00007FFD10E978A0 (anonymous; clr.dll)
    4 00007FFD10E96CCB (anonymous; clr.dll)
    5 00007FFD706412C3 clr.dll
    6 00007FFD7050961B clr.dll
    7 00007FFD705095AF clr.dll
    8 00007FFD70509445 clr.dll
    9 00007FFD7050931C clr.dll
    10 00007FFD7050BA21 clr.dll

    Loaded Modules (58)
    -----------------------------------------------------------------------------
    0000023D96010000-0000023D96026000 XtuService.exe (Intel(R) Corporation),
    version: 7.3.0.33
    00007FFD89590000-00007FFD89788000 ntdll.dll (Microsoft Corporation),
    version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFD877D0000-00007FFD8788D000 KERNEL32.dll (Microsoft Corporation),
    version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFD710E0000-00007FFD71145000 MSCOREE.DLL (Microsoft Corporation),
    version: 10.0.19041.1 (WinBuild.160101.0800)
    00007FFD86C70000-00007FFD86F66000 KERNELBASE.dll (Microsoft Corporation),
    version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFD869D0000-00007FFD86B17000 hmpalert.dll (Sophos B.V.),
    version: 3.8.25.965
    00007FFD87890000-00007FFD8793E000 ADVAPI32.dll (Microsoft Corporation),
    version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFD879A0000-00007FFD87A3E000 msvcrt.dll (Microsoft Corporation),
    version: 7.0.19041.3636 (WinBuild.160101.0800)
    00007FFD88490000-00007FFD8852C000 sechost.dll (Microsoft Corporation),
    version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFD87AB0000-00007FFD87BD6000 RPCRT4.dll (Microsoft Corporation),
    version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFD70EA0000-00007FFD70F3B000 mscoreei.dll (Microsoft Corporation),
    version: 4.8.9093.0 built by: NET481REL1LAST_C
    00007FFD87940000-00007FFD87995000 SHLWAPI.dll (Microsoft Corporation),
    version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFD84A00000-00007FFD84A12000 kernel.appcore.dll (Microsoft Corporation),
    version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFD82300000-00007FFD8230A000 VERSION.dll (Microsoft Corporation),
    version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFD704B0000-00007FFD70E54000 clr.dll (Microsoft Corporation),
    version: 4.8.9181.0 built by: NET481REL1LAST_C
    00007FFD882C0000-00007FFD8845E000 USER32.dll (Microsoft Corporation),
    version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFD875C0000-00007FFD875E2000 win32u.dll (Microsoft Corporation),
    version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFD893E0000-00007FFD8940C000 GDI32.dll (Microsoft Corporation),
    version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFD870A0000-00007FFD871BA000 gdi32full.dll (Microsoft Corporation),
    version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFD87310000-00007FFD873AD000 msvcp_win.dll (Microsoft Corporation),
    version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFD86FA0000-00007FFD870A0000 ucrtbase.dll (Microsoft Corporation),
    version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFD70E80000-00007FFD70E8C000 VCRUNTIME140_1_CLR0400.dll (Microsoft Corporation),
    version: 14.32.31326.0
    00007FFD700D0000-00007FFD700EB000 VCRUNTIME140_CLR0400.dll (Microsoft Corporation),
    version: 14.32.31326.0
    00007FFD70000000-00007FFD700CD000 ucrtbase_clr0400.dll (Microsoft Corporation),
    version: 14.32.31326.0
    00007FFD88460000-00007FFD88490000 IMM32.DLL (Microsoft Corporation),
    version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFD6E910000-00007FFD6FF1F000 mscorlib.ni.dll (Microsoft Corporation),
    version: 4.8.9181.0 built by: NET481REL1LAST_C
    00007FFD89420000-00007FFD8954B000 ole32.dll (Microsoft Corporation),
    version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFD87D60000-00007FFD880B4000 combase.dll (Microsoft Corporation),
    version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFD871C0000-00007FFD87242000 bcryptPrimitives.dll (Microsoft Corporation),
    version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFD863E0000-00007FFD863F8000 CRYPTSP.dll (Microsoft Corporation),
    version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFD85B20000-00007FFD85B54000 rsaenh.dll (Microsoft Corporation),
    version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFD86F70000-00007FFD86F97000 bcrypt.dll (Microsoft Corporation),
    version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFD86400000-00007FFD8640C000 CRYPTBASE.dll (Microsoft Corporation),
    version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFD6E5A0000-00007FFD6E6CF000 clrjit.dll (Microsoft Corporation),
    version: 4.8.9181.0 built by: NET481REL1LAST_C
    00007FFD86490000-00007FFD864BD000 wldp.dll (Microsoft Corporation),
    version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFD7EA30000-00007FFD7EA4F000 amsi.dll (Microsoft Corporation),
    version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFD86B20000-00007FFD86B4E000 USERENV.dll (Microsoft Corporation),
    version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFD86BA0000-00007FFD86BC5000 profapi.dll (Microsoft Corporation),
    version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFD7E980000-00007FFD7EA2E000 symamsi.dll (Broadcom),
    version: 15.7.12.41
    00007FFD872A0000-00007FFD87307000 WINTRUST.dll (Microsoft Corporation),
    version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFD87460000-00007FFD875BD000 CRYPT32.dll (Microsoft Corporation),
    version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFD88530000-00007FFD88C74000 SHELL32.dll (Microsoft Corporation),
    version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFD88C90000-00007FFD88D5D000 OLEAUT32.dll (Microsoft Corporation),
    version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFD86620000-00007FFD86632000 MSASN1.dll (Microsoft Corporation),
    version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFD877B0000-00007FFD877CD000 imagehlp.dll (Microsoft Corporation),
    version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFD853B0000-00007FFD853D3000 gpapi.dll (Microsoft Corporation),
    version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFD6D680000-00007FFD6E29C000 System.ni.dll (Microsoft Corporation),
    version: 4.8.9172.0 built by: NET481REL1LAST_C
    00007FFD6D170000-00007FFD6D1B6000 System.ServiceProcess.ni.dll (Microsoft Corporation),
    version: 4.8.9037.0 built by: NET481REL1
    00007FFD69B10000-00007FFD69B3D000 System.Configuration.Install.ni.dll (Microsoft Corporation),
    version: 4.8.9037.0 built by: NET481REL1
    00007FFD698E0000-00007FFD69A46000 System.Management.ni.dll (Microsoft Corporation),
    version: 4.8.9037.0 built by: NET481REL1
    00007FFD698B0000-00007FFD698DF000 wminet_utils.dll (Microsoft Corporation),
    version: 4.8.9037.0 built by: NET481REL1
    00007FFD87700000-00007FFD877A9000 clbcatq.dll (Microsoft Corporation),
    version: 2001.12.10941.16384 (WinBuild.160101.080
    00007FFD7EAF0000-00007FFD7EB18000 wmiutils.dll (Microsoft Corporation),
    version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFD7F450000-00007FFD7F4E0000 wbemcomn.dll (Microsoft Corporation),
    version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFD7F520000-00007FFD7F531000 wbemprox.dll (Microsoft Corporation),
    version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFD87A40000-00007FFD87AAB000 WS2_32.dll (Microsoft Corporation),
    version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFD7EB50000-00007FFD7EB64000 wbemsvc.dll (Microsoft Corporation),
    version: 10.0.19041.3636 (WinBuild.160101.0800)
    00007FFD7ED60000-00007FFD7EE6B000 fastprox.dll (Microsoft Corporation),
    version: 10.0.19041.3636 (WinBuild.160101.0800)

    Process Trace
    1 C:\Windows\SysWOW64\XtuService.exe [5400]
    2 C:\Windows\System32\services.exe [468]
    3 C:\Windows\System32\wininit.exe [936]
    wininit.exe
    4 C:\Windows\System32\smss.exe [576]
    \SystemRoot\System32\smss.exe 000000c8 00000084
    5 C:\Windows\System32\smss.exe [428]
    \SystemRoot\System32\smss.exe
    6 [4]

    Dropped Files
    1 C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NGC_22.23.5.106\diStRptr\diStRptr.dat.log
    Dropped by [4]

    Thumbprints
    4c28fef8ba7bdf053228228d788b6b56d3810d7c444179937a330ca07200a7ad (code)
    11e3e707cf3877d15911a2bbc728858d0f18e53d18566ae5b42ad94d8cab8c56 (hhp-ownermodule)
    47eda548bb173b4a61d8e830851e0805266d272daa77eb53f4a572d0e776c528 (hhp-fhsh-ownmod)
     
  22. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    636
    Location:
    Planet Earth
    Intel(R) Extreme Tuning Utility, same as Deugniet.
    Please use Action -> Suppress alert for now, looks like a FP
     
  23. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    636
    Location:
    Planet Earth
  24. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    Yes, I was using 957.
     
  25. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,872
    Location:
    Outer space
    Updated from 957, everything fine so far. No Intel Extreme Tuning Utility installed.
     