HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    718
    Location:
    Planet Earth
    I'll check it out tomorrow in the office
     
  2. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    718
    Location:
    Planet Earth
    I'll check it out tomorrow in the office
     
  3. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    865
    Fortnite and Battlefield 2042 seem to be incompatible with Keystroke Encryption protection. Not able to control the character/game at all, the input will be random. Running latest Windows 10 build with HMPA build 2019. Disabling Keystroke Encryption fixes the issue.
     
  4. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    865
    explorer.exe crashed while playing Battlefield. I have a .dmp file if needed.

    Code:
    Faulting application name: Explorer.EXE, version: 10.0.19041.5607, time stamp: 0xda344284
    Faulting module name: hmpalert.dll, version: 3.20.2.2019, time stamp: 0x67ac7d7d
    Exception code: 0xc0000005
    Fault offset: 0x000000000002a266
    Faulting process id: 0xfa4
    Faulting application start time: 0x01db94ebc98c60fd
    Faulting application path: C:\Windows\Explorer.EXE
    Faulting module path: C:\Windows\system32\hmpalert.dll
    Report Id: 40a11ed7-7a56-48a9-bf0f-b6b693877990
    Faulting package full name:
    Faulting package-relative application ID: 
    No other security apps except Windows Firewall Control.
     
    Last edited: Mar 14, 2025
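Added example, not part of the thread and not HitmanPro.ALERT tooling: a triage helper for Application Error records like the one in the post above. It decodes the exception code and the FILETIME start time, and builds a module/version/offset key for grouping identical crashes; the NTSTATUS table and the `bucket` key format are choices made here.

```python
from datetime import datetime, timedelta, timezone

# Record copied from the post above (Application Error event text).
SAMPLE = """\
Faulting application name: Explorer.EXE, version: 10.0.19041.5607, time stamp: 0xda344284
Faulting module name: hmpalert.dll, version: 3.20.2.2019, time stamp: 0x67ac7d7d
Exception code: 0xc0000005
Fault offset: 0x000000000002a266
Faulting process id: 0xfa4
Faulting application start time: 0x01db94ebc98c60fd
Faulting application path: C:\\Windows\\Explorer.EXE
Faulting module path: C:\\Windows\\system32\\hmpalert.dll
"""

# A few well-known NTSTATUS values; anything else is reported as hex.
NTSTATUS = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000001D: "STATUS_ILLEGAL_INSTRUCTION",
    0xC0000374: "STATUS_HEAP_CORRUPTION",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(value):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)

def parse_crash(text):
    """Turn the 'key: value' lines of one crash record into typed fields."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    app = fields["faulting application name"].split(",")[0].strip()
    mod_parts = fields["faulting module name"].split(",")
    module = mod_parts[0].strip()
    version = mod_parts[1].split(":", 1)[1].strip()
    code = int(fields["exception code"], 16)
    return {
        "application": app,
        "module": module,
        "module_version": version,
        "exception": NTSTATUS.get(code, hex(code)),
        "offset": int(fields["fault offset"], 16),  # relative to module base
        "pid": int(fields["faulting process id"], 16),
        "started_utc": filetime_to_utc(int(fields["faulting application start time"], 16)),
        "foreign_module": module.lower() != app.lower(),  # fault outside main image
    }

def bucket(crash):
    """Key that stays stable across machines and ASLR for the same DLL build."""
    return f'{crash["module"]}@{crash["module_version"]}+0x{crash["offset"]:x}'
```

Because the fault offset is relative to the module base, records from different machines with the same `bucket` value point at the same instruction in the same DLL build.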
  5. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    718
    Location:
    Planet Earth
    How are these started, e.g. Steam? And did you add them to a specific Mitigation profile? There is no global Keystroke Encryption, so it looks like it's been added to the wrong template.
     
  6. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    718
    Location:
    Planet Earth
    Can you share that somewhere and DM me for the link.
     
  7. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    865
    BF2042 is started via Steam, then Steam launches the EA Desktop app for authentication. Fortnite is started via Epic Games Launcher. I don't see any of these games as "protected" under the mitigations section.
    Screenshot 2025-03-15 191233.png Screenshot 2025-03-15 190401.png

    DM sent
     
  8. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,499
    Location:
    Among the gum trees
    It seems HMP.A still messes with Windows start up sound on Win10.
     
  9. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,499
    Location:
    Among the gum trees
    After having Firefox 136.0.1 become completely unresponsive on my desktop, and 8 Gadget Pack + HiBit Uninstaller having the same unresponsiveness on my laptop I have decided to uninstall Alert once again. I never had those issues before reinstalling HMP.A.

    Thank you for your time, @RonnyT .
     
  10. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    599
    Krusty, do you see this happening on Firefox when trying to print a Web page? How about at other times? FF freezes on me often when trying to print a Web page to PDF, but only in that situation.

    The workaround that I've found for when that happens is to open a different browser, maximized, and then select FF again from the taskbar. (Strangely, it doesn't seem to do the trick to click on another browser if its window isn't maximized.) Then everything becomes functional again (until the unpredictable next time).
     
  11. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,499
    Location:
    Among the gum trees
    No, I was watching videos on YouTube when FF froze on me.
     
  12. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    718
    Location:
    Planet Earth
    You'll have to tick ours off, we can't make this compatible, it's up to them to take care of keyloggers.

    upload_2025-3-19_12-10-39.png
     
  13. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    718
    Location:
    Planet Earth
    If you want to troubleshoot this, my first action is going into Risk Reduction Process protection and disabling:
    - Unexpected system calls
    - C2 Interceptor
    - Hardware Breakpoint Guard
    Those modules had the most changes recently.

    And then see if it reproduces; if it still does, then untick all on that panel and try again. Perhaps we can narrow down which feature is the root cause.
    As these are global/machine-wide protections, I'd advise a restart after changing settings to be on the safe side of chasing ghosts.
     
  14. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    599
    Thanks @RonnyT, that did the trick. :thumb: All that was needed after disabling Keystroke Encryption was to close and then restart the Norton Browser.

    Much appreciated!
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    That's the reason I stopped using HMPA in the past, because it broke Sandboxie.

    Yes, I read the article about how CryptoGuard works, very impressive. Do you believe that AppCheck works about the same? It claims to offer 100% signatureless detection (Context-aware ransomware detection).

    https://www.checkmal.com
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    BTW, I forgot to ask if you guys already monitored PoolParty (thread pool) process injection? It's crazy to think about how many ways there are to inject code in Windows. It's almost like M$ intentionally designed Windows to make stuff easy for malware LOL. I believe in macOS it's possible too, but at least Apple has hardened it against certain code injection methods.

    https://thehackernews.com/2023/12/new-poolparty-process-injection.html
     
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    Are you still there Ronny? You didn't respond to my last posts.

    BTW, I have a couple of questions, does HMPA's keystroke encryption work correctly on Win 11? According to the developers of SpyShelter, they can't offer keystroke encryption because of certain design changes in Win 11.

    I also wonder if HMPA still offers protection against banking trojans, see link. I remember that originally HMPA was designed to protect against banking trojans, and later it evolved into anti-exploit and anti-ransomware.

    https://unit42.paloaltonetworks.com/banking-trojan-techniques/
     
  18. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    718
    Location:
    Planet Earth
    Yes it does, just checked against the latest Canary.
    Oh it looks like latest 24H2 does not, we'll have a look. Actually it does, but I noticed a glitch so we might need some tweaking.
     
    Last edited: Apr 10, 2025
  19. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,662
    Location:
    Under a bushel ...
    Mitigation CookieGuard
    Timestamp 2025-07-23T09:25:55

    Platform 10.0.26100/x64 v2019 06_8e
    PID 8976
    Feature 00FD3E745FBF91B6
    Application C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Created 2025-07-18T02:45:06
    Description Microsoft Edge 138

    Cookie data retrieval performed by untrusted code in browser
    Attempt to read protected Edge data
    Caller originates from module: C:\Program Files (x86)\Microsoft\Edge\Application\138.0.3351.95\msedge.dll
    Certhash could not be obtained for owner-module
    ErrorCode: 0000018a

    Loaded Modules (66)

    Dropped Files
    1 C:\Users\pauld\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics\BrowserMetrics-6880AA84-2310.pma
    Dropped by \Device\HarddiskVolume6\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [8976]
    2 C:\Users\pauld\AppData\Local\Microsoft\Edge\User Data\Variations
    Dropped by \Device\HarddiskVolume6\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [8976]

    Thumbprints
    N/A
     
  20. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    718
    Location:
    Planet Earth
    Can you upload this one to Virustotal?
    C:\Program Files (x86)\Microsoft\Edge\Application\138.0.3351.95\msedge.dll

    And does the alert stick over a reboot?
     