937 RC3 fixes all the problems I was seeing. Running for a couple hours now with 0 issues. Looking good, thanks!
Few logs from Build 939 RC3

Origin - RemoteThreadGuard

Mitigation   RemoteThreadGuard
Timestamp    2022-03-28T20:21:37
Platform     10.0.19044/x64 v939 8f_01
PID          2900
Feature      007D0A30000000A6
Application  E:\Origin\igoproxy64.exe
Created      2022-03-28T17:36:04
Description  igoproxy64.exe

== Current process information ==
ImageBase: 00007FF6868C0000
Process has authenticode
SubjectHash: 37703c58

== Caller information ==
Caller: 00007FF87F9E0BC6
Caller located on Heap: FALSE
OwnerModule: igo64.dll
OwnerModule full path: E:\Origin\igo64.dll
SubjectHash: 37703c58

== Remote code information ==
RemoteProcessName: Z:\Muut Pelit\Battlefield 4\bf4.exe
RemoteProcessPID: 18868
Code start: 0000000000180000
AllocationBase: 0000000000180000
AllocationProtect: 0x40
BaseAddress: 0000000000180000
RegionSize: 0x1000
State: 0x1000
Protect: 0x40
Type: 0x20000
Owner: (00)
remoteMemOwnerProcessId: 2900
remoteMemOwnerProcessName:
remoteMemOwnerAddressName: E:\Origin\igo64.dll
Thread DP: N

Stack Trace
#   Address           Module           Location
1   00007FF8CCA0557F  KernelBase.dll   CreateRemoteThreadEx +0x29f
2   00007FF8CD6CAB58  kernel32.dll     CreateRemoteThread +0x38
3   00007FF87F9E0BC6  igo64.dll
4   00007FF87F9E322D  igo64.dll
5   00007FF87F9E1035  igo64.dll
6   00007FF87F9E0E35  igo64.dll
7   00007FF6868C40D2  igoproxy64.exe
8   00007FF6868C431A  igoproxy64.exe
9   00007FF6868C5C33  igoproxy64.exe
10  00007FF8CD6A7034  kernel32.dll     BaseThreadInitThunk +0x14

Process Trace
1  E:\Origin\igoproxy64.exe [2900]
   E:\Origin\igoproxy64.exe 18868 6096
2  Z:\Muut Pelit\Battlefield 4\BF4WebHelper.exe [712]
3  Z:\Muut Pelit\Battlefield 4\BFLauncher.exe [6744]
   "Z:\Muut Pelit\Battlefield 4\BFLauncher.exe"
4  E:\Origin\Origin.exe [15452]
   "E:\Origin\Origin.exe" /noUpdate /Autostart:false

Thumbprints N/A

Lockdown - Whatsapp Desktop

Mitigation   Lockdown
Timestamp    2022-03-28T17:01:24
Platform     10.0.19044/x64 v939 8f_01
PID          15576
Feature      007D0A34000020B6
Application  C:\Windows\System32\cmd.exe
Created      2022-01-26T23:17:08
Description  Windows Command Processor 10
Filename     C:\Windows\system32\wbem\WMIC.exe
Command line: C:\Windows\system32\wbem\wmic.exe /namespace:\\root\wmi path MS_SystemInformation get /value

Process Trace
1  C:\Windows\System32\cmd.exe [15576]
   C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe /namespace:\\root\wmi path MS_SystemInformation get /value"
2  C:\Users\Tuomas\AppData\Local\WhatsApp\app-2.2208.15\WhatsApp.exe [6868]
3  C:\Users\Tuomas\AppData\Local\WhatsApp\WhatsApp.exe [2568]
4  C:\Windows\explorer.exe [6920]

Thumbprints 60dee3b11f85fad463b6963502312bdca19f821405ac12f6495f472c9f8bc67a
I'm currently running HMPA RC build 939 on a machine that's infected, and was wondering if anyone from the HMPA team can help me figure out the infection source. HMPA does detect malware activity, so I can provide logs. I don't have a license for HMPA, I don't know if I can contact official support to get some insight. I can disinfect the machine, but the infection keeps popping back up from time to time, so I'm basically running a honeypot now... Thanks in advance.
Wow, very cool that you guys keep coming up with new stuff, I mean security wise. I hope you guys can figure out how to keep false positives at a minimum.
Auto-updated and rebooted from build 937 RC2 into build 939 RC3 a few days ago and I have not experienced any issues.
Hello, I got one question. In the exploit settings of each browser there is an option which is deactivated by default: SendKey (Prevents sending key events). What does this option do and should I activate it? Thx
Hi, Please send the alert details and other info that is useful to support@hitmanpro.com and we'll take it from there.
It should only be activated on Office applications. There is a programmatic way in macros that can be abused, called "SendKeys"; this blocks those attempts.
Thanks. At first I would enable it, then it disables itself; just checked now that it detects my keyboard.
I got these when I double-click an .epub file to open it with Koodo Reader:

Lockdown1

Mitigation   Lockdown
Timestamp    2022-04-25T14:59:12
Platform     10.0.22000/x64 v939 06_8e%
PID          2464
Feature      007D4B361F9F01B2
Application  D:\Users\JXY\AppData\Local\Programs\Koodo Reader\Koodo Reader.exe
Created      2022-03-18T14:40:47
Description  Koodo Reader 1.3.9
Filename     C:\WINDOWS\system32\cscript.exe
Command line: cscript C:\Users\JXY\AppData\Local\Temp\node-font-list-fonts.vbs

Process Trace
1  D:\Users\JXY\AppData\Local\Programs\Koodo Reader\Koodo Reader.exe [2464]
   "D:\Users\JXY\AppData\Local\Programs\Koodo Reader\Koodo Reader.exe" --type=renderer --user-data-dir="C:\Users\JXY\AppData\Roaming\koodo-reader" --app-path="D:\Users\JXY\AppData\Local\Programs\Koodo Reader\resources\app.asar" --no-sandbox --no-zygote --fiel
2  D:\Users\JXY\AppData\Local\Programs\Koodo Reader\Koodo Reader.exe [6040]
   "D:\Users\JXY\AppData\Local\Programs\Koodo Reader\Koodo Reader.exe" "E:\book\novel\test1.epub"
3  C:\Windows\explorer.exe [9252]

Thumbprints 05ee4c6ff9b3482738f0f25918f27669ba4ff458f2d8712121f10fe64b87f8e7

Lockdown2

Mitigation   Lockdown
Timestamp    2022-04-25T14:59:12
Platform     10.0.22000/x64 v939 06_8e%
PID          17260
Feature      007D0A36000001B6
Application  C:\Windows\System32\cmd.exe
Created      2021-11-07T05:30:37
Description  Windows 命令处理程序 10
Filename     C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell -command "chcp 65001;Add-Type -AssemblyName PresentationCore;$families=[Windows.Media.Fonts]::SystemFontFamilies;foreach($family in $families){$name='';if(!$family.FamilyNames.TryGetValue([Windows.Markup.XmlLanguage]::GetLanguage('zh-cn'),[ref]$name)){$name=$family.FamilyNames[[Windows.Markup.XmlLanguage]::GetLanguage('en-us')]}echo $name}"

Process Trace
1  C:\Windows\System32\cmd.exe [17260]
   C:\WINDOWS\system32\cmd.exe /d /s /c "powershell -command "chcp 65001;Add-Type -AssemblyName PresentationCore;$families=[Windows.Media.Fonts]::SystemFontFamilies;foreach($family in $families){$name='';if(!$family.FamilyNames.TryGetValue([Windows.Markup.Xml
2  D:\Users\JXY\AppData\Local\Programs\Koodo Reader\Koodo Reader.exe [2464]
   "D:\Users\JXY\AppData\Local\Programs\Koodo Reader\Koodo Reader.exe" --type=renderer --user-data-dir="C:\Users\JXY\AppData\Roaming\koodo-reader" --app-path="D:\Users\JXY\AppData\Local\Programs\Koodo Reader\resources\app.asar" --no-sandbox --no-zygote --fiel
3  D:\Users\JXY\AppData\Local\Programs\Koodo Reader\Koodo Reader.exe [6040]
   "D:\Users\JXY\AppData\Local\Programs\Koodo Reader\Koodo Reader.exe" "E:\book\novel\test1.epub"
4  C:\Windows\explorer.exe [9252]

Thumbprints c76397598889dfd9c052a3cf995bb2645e873f667b0799a57be6d7515eed0863

And I'm a little curious why an Electron app like this gets the Office category instead of the browser category.
HitmanPro.Alert 3.8.21 Build 941 Release Candidate

Changelog (compared to 939)
Updated third-party libraries
Improved HeapHeapProtect to overrule a Thumbprint when a backdoor stager is detected
Improved CookieGuard so it now adds certificate validation information into the alert details
Improved SysCall mitigation with additional Thumbprints
Improved SysCall mitigation so it can handle a misaligned stack
Improved SysCall alert which now includes the full path of the object from which the syscall originated
Fixed a compatibility issue between our anti-ransomware CryptoGuard 5 and Artisan scrapbook software from Forever Storage
Fixed a BSOD occurring in WipeGuard when terminating an offending process
Fixed a false positive on BitLocker in our WipeGuard boot sector protection

Download
https://dl.surfright.nl/hmpalert3b941.exe

Please let us know how this version runs on your machine, thanks!