HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    719
    Location:
    Planet Earth
    I'll check it out tomorrow in the office
     
  3. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    865
    Fortnite and Battlefield 2042 seem to be incompatible with Keystroke Encryption protection. Not able to control the character/game at all, the input will be random. Running latest Windows 10 build with HMPA build 2019. Disabling Keystroke Encryption fixes the issue.
     
  4. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    865
    explorer.exe crashed while playing Battlefield. I have a .dmp file if needed.

    Code:
    Faulting application name: Explorer.EXE, version: 10.0.19041.5607, time stamp: 0xda344284
    Faulting module name: hmpalert.dll, version: 3.20.2.2019, time stamp: 0x67ac7d7d
    Exception code: 0xc0000005
    Fault offset: 0x000000000002a266
    Faulting process id: 0xfa4
    Faulting application start time: 0x01db94ebc98c60fd
    Faulting application path: C:\Windows\Explorer.EXE
    Faulting module path: C:\Windows\system32\hmpalert.dll
    Report Id: 40a11ed7-7a56-48a9-bf0f-b6b693877990
    Faulting package full name:
    Faulting package-relative application ID: 
    No other security apps except Windows Firewall Control.
     
    Last edited: Mar 14, 2025
  5. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    719
    Location:
    Planet Earth
    How are these started, e.g. via Steam? And did you add them to a specific Mitigation profile? There is no global Keystroke Encryption, so it looks like it's been added to the wrong template.
     
  6. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    719
    Location:
    Planet Earth
    Can you share that somewhere and DM me the link?
     
  7. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    865
    BF2042 is started via Steam, then Steam launches the EA Desktop app for authentication. Fortnite is started via the Epic Games Launcher. I don't see any of these games as "protected" under the mitigations section.
    Screenshot 2025-03-15 191233.png Screenshot 2025-03-15 190401.png

    DM sent
     
  8. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,527
    Location:
    Among the gum trees
    It seems HMP.A still messes with the Windows startup sound on Win10.
     
  9. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,527
    Location:
    Among the gum trees
    After having Firefox 136.0.1 become completely unresponsive on my desktop, and 8 Gadget Pack + HiBit Uninstaller having the same unresponsiveness on my laptop, I have decided to uninstall Alert once again. I never had those issues before reinstalling HMP.A.

    Thank you for your time, @RonnyT .
     
  10. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    599
    Krusty, do you see this happening on Firefox when trying to print a Web page? How about at other times? FF freezes on me often when trying to print a Web page to PDF, but only in that situation.

    The workaround that I've found for when that happens is to open a different browser, maximized, and then select FF again from the taskbar. (Strangely, it doesn't seem to do the trick to click on another browser if its window isn't maximized.) Then everything becomes functional again (until the unpredictable next time).
     
  11. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,527
    Location:
    Among the gum trees
    No, I was watching videos on YouTube when FF froze on me.
     
  12. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    719
    Location:
    Planet Earth
    You'll have to tick ours off; we can't make this compatible. It's up to them to take care of keyloggers.

    upload_2025-3-19_12-10-39.png
     
  13. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    719
    Location:
    Planet Earth
    If you want to troubleshoot this, my first action is going into Risk Reduction -> Process protection and disabling
    - Unexpected system calls
    - C2 Interceptor
    - Hardware Breakpoint Guard
    Those modules had the most changes recently.

    Then see if it reproduces. If it still does, untick all on that panel and try again; perhaps we can narrow down which feature is the root cause.
    As these are global/machine-wide protections, I'd advise a restart after changing settings, to be on the safe side and avoid chasing ghosts.
     
  14. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    599
    Thanks @RonnyT, that did the trick. :thumb: All that was needed after disabling Keystroke Encryption was to close and then restart the Norton Browser.

    Much appreciated!
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    That's the reason I stopped using HMPA in the past, because it broke Sandboxie.

    Yes, I read the article about how CryptoGuard works, very impressive. Do you believe that AppCheck works about the same? It claims to offer 100% signatureless detection (Context-aware ransomware detection).

    https://www.checkmal.com
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    BTW, I forgot to ask if you guys already monitored PoolParty (thread pool) process injection? It's crazy to think about how many ways there are to inject code in Windows. It's almost like M$ intentionally designed Windows to make stuff easy for malware LOL. I believe in macOS it's possible too, but at least Apple has hardened it against certain code injection methods.

    https://thehackernews.com/2023/12/new-poolparty-process-injection.html
     
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    Are you still there Ronny? You didn't respond to my last posts.

    BTW, I have a couple of questions, does HMPA's keystroke encryption work correctly on Win 11? According to the developers of SpyShelter, they can't offer keystroke encryption because of certain design changes in Win 11.

    I also wonder if HMPA still offers protection against banking trojans, see link. I remember that originally HMPA was designed to protect against banking trojans, and later it evolved into anti-exploit and anti-ransomware.

    https://unit42.paloaltonetworks.com/banking-trojan-techniques/
     
  18. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    719
    Location:
    Planet Earth
    Yes it does, just checked against the latest Canary.
    Oh, it looks like the latest 24H2 does not; we'll have a look. Actually it does, but I noticed a glitch, so we might need some tweaking.
     
    Last edited: Apr 10, 2025
  19. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,662
    Location:
    Under a bushel ...
    Code:
    Mitigation CookieGuard
    Timestamp 2025-07-23T09:25:55

    Platform 10.0.26100/x64 v2019 06_8e
    PID 8976
    Feature 00FD3E745FBF91B6
    Application C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Created 2025-07-18T02:45:06
    Description Microsoft Edge 138

    Cookie data retrieval performed by untrusted code in browser
    Attempt to read protected Edge data
    Caller originates from module: C:\Program Files (x86)\Microsoft\Edge\Application\138.0.3351.95\msedge.dll
    Certhash could not be obtained for owner-module
    ErrorCode: 0000018a

    Loaded Modules (66)
    -----------------------------------------------------------------------------
    00007FF7F2DE0000-00007FF7F31E2000 msedge.exe (Microsoft Corporation),
    version: 138.0.3351.95
    00007FF880BE0000-00007FF880E47000 ntdll.dll (Microsoft Corporation),
    version: 10.0.26100.4768 (WinBuild.160101.0800)
    00007FF87F1D0000-00007FF87F299000 KERNEL32.dll (Microsoft Corporation),
    version: 10.0.26100.4768 (WinBuild.160101.0800)
    00007FF87DAA0000-00007FF87DBD9000 hmpalert.dll (Sophos B.V.),
    version: 3.20.2.2019
    00007FF87DF20000-00007FF87E310000 KERNELBASE.dll (Microsoft Corporation),
    version: 10.0.26100.4768 (WinBuild.160101.0800)
    00007FF829EA0000-00007FF82A259000 msedge_elf.dll (Microsoft Corporation),
    version: 138.0.3351.95
    00007FF87EB90000-00007FF87EC70000 OLEAUT32.dll (Microsoft Corporation),
    version: 10.0.26100.4768 (WinBuild.160101.0800)
    00007FF87E8C0000-00007FF87E963000 msvcp_win.dll (Microsoft Corporation),
    version: 10.0.26100.4768 (WinBuild.160101.0800)
    00007FF87DDD0000-00007FF87DF1B000 ucrtbase.dll (Microsoft Corporation),
    version: 10.0.26100.4768 (WinBuild.160101.0800)
    00007FF8806F0000-00007FF880A75000 combase.dll (Microsoft Corporation),
    version: 10.0.26100.4768 (WinBuild.160101.0800)
    00007FF880A80000-00007FF880B98000 RPCRT4.dll (Microsoft Corporation),
    version: 10.0.26100.4768 (WinBuild.160101.0800)
    00007FF87E760000-00007FF87E7F9000 bcryptprimitives.dll (Microsoft Corporation),
    version: 10.0.26100.4768 (WinBuild.160101.0800)
    00007FF86C8D0000-00007FF86C8DB000 version.dll (Microsoft Corporation),
    version: 10.0.26100.1150 (WinBuild.160101.0800)
    00007FF87EAE0000-00007FF87EB89000 msvcrt.dll (Microsoft Corporation),
    version: 7.0.26100.4768 (WinBuild.160101.0800)
    00007FF880630000-00007FF8806E4000 ADVAPI32.dll (Microsoft Corporation),
    version: 10.0.26100.4652 (WinBuild.160101.0800)
    00007FF8802C0000-00007FF880366000 sechost.dll (Microsoft Corporation),
    version: 10.0.26100.4768 (WinBuild.160101.0800)
    00007FF87CA50000-00007FF87CA86000 ntmarta.dll (Microsoft Corporation),
    version: 10.0.26100.4202 (WinBuild.160101.0800)
    00007FF818E40000-00007FF829E99000 msedge.dll (Microsoft Corporation),
    version: 138.0.3351.95
    00007FF85CD70000-00007FF85CDA5000 WINMM.dll (Microsoft Corporation),
    version: 10.0.26100.4202 (WinBuild.160101.0800)
    00007FF87EC80000-00007FF87EE45000 USER32.dll (Microsoft Corporation),
    version: 10.0.26100.4768 (WinBuild.160101.0800)
    00007FF87DDA0000-00007FF87DDC7000 win32u.dll (Microsoft Corporation),
    version: 10.0.26100.4768 (WinBuild.160101.0800)
    00007FF87E9E0000-00007FF87EA0B000 GDI32.dll (Microsoft Corporation),
    version: 10.0.26100.4768 (WinBuild.160101.0800)
    00007FF87E620000-00007FF87E758000 gdi32full.dll (Microsoft Corporation),
    version: 10.0.26100.4768 (WinBuild.160101.0800)
    00007FF87EA10000-00007FF87EA3F000 IMM32.DLL (Microsoft Corporation),
    version: 10.0.26100.4484 (WinBuild.160101.0800)
    00007FF8777F0000-00007FF87789F000 uxtheme.dll (Microsoft Corporation),
    version: 10.0.26100.4768 (WinBuild.160101.0800)
    00007FF87F8A0000-00007FF87FA40000 ole32.dll (Microsoft Corporation),
    version: 10.0.26100.4768 (WinBuild.160101.0800)
    00007FF87C920000-00007FF87C93B000 kernel.appcore.dll (Microsoft Corporation),
    version: 10.0.26100.4768 (WinBuild.160101.0800)
    00007FF87FAA0000-00007FF87FB48000 clbcatq.dll (Microsoft Corporation),
    version: 2001.12.10941.16384 (WinBuild.160101.080
    00007FF840530000-00007FF840549000 Windows.System.Profile.PlatformDiagnosticsAndUsageDataSettings.dll (Microsoft Corporation),
    version: 10.0.26100.4061 (WinBuild.160101.0800)
    00007FF875D10000-00007FF875D1F000 DiagnosticDataSettings.dll (Microsoft Corporation),
    version: 10.0.26100.4768 (WinBuild.160101.0800)
    00007FF8720F0000-00007FF872120000 coreprivacysettingsstore.dll (Microsoft Corporation),
    version: 10.0.26100.1882 (WinBuild.160101.0800)
    00007FF87CF80000-00007FF87CFAB000 USERENV.dll (Microsoft Corporation),
    version: 10.0.26100.2454 (WinBuild.160101.0800)
    00007FF87CF50000-00007FF87CF77000 gpapi.dll (Microsoft Corporation),
    version: 10.0.26100.3323 (WinBuild.160101.0800)
    00007FF87EF50000-00007FF87EFBA000 SHLWAPI.dll (Microsoft Corporation),
    version: 10.0.26100.4768 (WinBuild.160101.0800)
    00007FF880420000-00007FF880515000 shcore.dll (Microsoft Corporation),
    version: 10.0.26100.4768 (WinBuild.160101.0800)
    00007FF872A70000-00007FF872A8B000 wkscli.dll (Microsoft Corporation),
    version: 10.0.26100.1882 (WinBuild.160101.0800)
    00007FF87C290000-00007FF87C29D000 netutils.dll (Microsoft Corporation),
    version: 10.0.26100.1882 (WinBuild.160101.0800)
    00007FF87F730000-00007FF87F891000 MSCTF.dll (Microsoft Corporation),
    version: 10.0.26100.4768 (WinBuild.160101.0800)
    00007FF840510000-00007FF840526000 AssignedAccessRuntime.dll (Microsoft Corporation),
    version: 10.0.26100.1150 (WinBuild.160101.0800)
    00007FF87DA30000-00007FF87DA8E000 powrprof.dll (Microsoft Corporation),
    version: 10.0.26100.3912 (WinBuild.160101.0800)
    00007FF87DA10000-00007FF87DA24000 UMPDC.dll (Microsoft Corporation),
    version: 10.0.26100.1301 (WinBuild.160101.0800)
    00007FF859D10000-00007FF859E20000 SystemSettings.DataModel.dll (Microsoft Corporation),
    version: 10.0.26100.4768 (WinBuild.160101.0800)
    00007FF873D00000-00007FF873F6B000 DWrite.dll (Microsoft Corporation),
    version: 10.0.26100.4768 (WinBuild.160101.0800)
    00007FF87C0D0000-00007FF87C0FD000 slc.dll (Microsoft Corporation),
    version: 10.0.26100.1882 (WinBuild.160101.0800)
    00007FF87B7A0000-00007FF87BFFF000 windows.storage.dll (Microsoft Corporation),
    version: 10.0.26100.4768 (WinBuild.160101.0800)
    00007FF87FB70000-00007FF8802BD000 SHELL32.dll (Microsoft Corporation),
    version: 10.0.26100.4768 (WinBuild.160101.0800)
    00007FF87E320000-00007FF87E493000 wintypes.dll (Microsoft Corporation),
    version: 10.0.26100.4768 (WinBuild.160101.0800)
    00007FF8803A0000-00007FF880414000 WS2_32.dll (Microsoft Corporation),
    version: 10.0.26100.4768 (WinBuild.160101.0800)
    00007FF87DC30000-00007FF87DC59000 profapi.dll (Microsoft Corporation),
    version: 10.0.26100.4768 (WinBuild.160101.0800)
    00007FF87CBB0000-00007FF87CBF9000 SspiCli.dll (Microsoft Corporation),
    version: 10.0.26100.4484 (WinBuild.160101.0800)
    00007FF85CAD0000-00007FF85CD6A000 COMCTL32.dll (Microsoft Corporation),
    version: 6.10 (WinBuild.160101.0800)
    00007FF87E4A0000-00007FF87E617000 CRYPT32.dll (Microsoft Corporation),
    version: 10.0.26100.4768 (WinBuild.160101.0800)
    00007FF869B70000-00007FF86A1B4000 OneCoreUAPCommonProxyStub.dll (Microsoft Corporation),
    version: 10.0.26100.4768 (WinBuild.160101.0800)
    00007FF87D750000-00007FF87D7A7000 CFGMGR32.dll (Microsoft Corporation),
    version: 10.0.26100.4202 (WinBuild.160101.0800)
    00007FF8685B0000-00007FF868676000 StructuredQuery.dll (Microsoft Corporation),
    version: 7.0.26100.4768 (WinBuild.160101.0800)
    00007FF862860000-00007FF862AFE000 icu.dll (The ICU Project),
    version: 72, 1, 0, 4 (WinBuild.160101.0800)
    00007FF876E80000-00007FF876F8D000 PROPSYS.dll (Microsoft Corporation),
    version: 7.0.26100.4768 (WinBuild.160101.0800)
    00007FF875A90000-00007FF875B54000 Windows.StateRepositoryPS.dll (Microsoft Corporation),
    version: 10.0.26100.4768 (WinBuild.160101.0800)
    00007FF872840000-00007FF8729C1000 Windows.System.Launcher.dll (Microsoft Corporation),
    version: 10.0.26100.4768 (WinBuild.160101.0800)
    00007FF867A80000-00007FF867A9A000 windows.staterepositorycore.dll (Microsoft Corporation),
    version: 10.0.26100.4768 (WinBuild.160101.0800)
    00007FF872AF0000-00007FF872BB2000 Windows.FileExplorer.Common.dll (Microsoft Corporation),
    version: 10.0.26100.4768 (WinBuild.160101.0800)
    00007FF8672B0000-00007FF867300000 windows.staterepositoryclient.dll (Microsoft Corporation),
    version: 10.0.26100.4768 (WinBuild.160101.0800)
    00007FF872700000-00007FF87283B000 Windows.Storage.Search.dll (Microsoft Corporation),
    version: 10.0.26100.4768 (WinBuild.160101.0800)
    00007FF875C70000-00007FF875C9F000 cldapi.dll (Microsoft Corporation),
    version: 10.0.26100.4484 (WinBuild.160101.0800)
    00007FF872AC0000-00007FF872AE9000 edputil.dll (Microsoft Corporation),
    version: 10.0.26100.3037 (WinBuild.160101.0800)
    00007FF869030000-00007FF8690CB000 Windows.Web.dll (Microsoft Corporation),
    version: 10.0.26100.1882 (WinBuild.160101.0800)

    Dropped Files
    1 C:\Users\pauld\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics\BrowserMetrics-6880AA84-2310.pma
    Dropped by \Device\HarddiskVolume6\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [8976]
    2 C:\Users\pauld\AppData\Local\Microsoft\Edge\User Data\Variations
    Dropped by \Device\HarddiskVolume6\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [8976]

    Thumbprints
    N/A
     
  20. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    719
    Location:
    Planet Earth
    Can you upload this one to Virustotal?
    C:\Program Files (x86)\Microsoft\Edge\Application\138.0.3351.95\msedge.dll

    And does the alert stick over a reboot?
     
  21. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,527
    Location:
    Among the gum trees
    I just got this:

    Code:
    Mitigation   Kernel32Trap
    Timestamp    2025-08-07T22:27:53
    
    Platform     10.0.19045/x64 v2019 06_5e
    PID          3124
    WoW          x86
    Feature      00FD2E70000001A6
    Application  C:\Program Files (x86)\Kaspersky Lab\Kaspersky VPN 5.21\ksde.exe
    Created      2025-04-23T22:17:04
    Description  Kaspersky Lab launcher 1.0
    
    Callee Type  GetProcAddress
    
    Caller info: ushata.dll+0x13B8F
    Root owner module name : ushata.dll
    59FD3B8F  8bf0                     MOV          ESI, EAX
    59FD3B91  c745fc01000000           MOV          DWORD [EBP-0x4], 0x1
    59FD3B98  8b0db4bd005a             MOV          ECX, [0x5a00bdb4]
    59FD3B9E  85c9                     TEST         ECX, ECX
    59FD3BA0  7405                     JZ           0x59fd3ba7
    59FD3BA2  ff75b8                   PUSH         DWORD [EBP-0x48]
    59FD3BA5  ffd1                     CALL         ECX
    59FD3BA7  8bc6                     MOV          EAX, ESI
    59FD3BA9  e854210200               CALL         0x59ff5d02
    59FD3BAE  c20800                   RET          0x8
    
    Code thumbprint:c864e3f11da488d7db5ab94a29f591e5beeb864558b3f9e294c99f000592f248
    Number of used instructions: 0x0000000a
    OwnerModuleThumbprint: e910ee949dbfb148793d49ab40740592ac5ff21ba0d5e95a5719cb55abf61d2d
    
    Stack Trace
    #  Address  Module                   Location
    -- -------- ------------------------ ----------------------------------------
    1  741D0B0D hmpalert.dll             +0x50b0d
    
    2  59FD3B8F ushata.dll             
                8bf0                     MOV          ESI, EAX
                c745fc01000000           MOV          DWORD [EBP-0x4], 0x1
                8b0db4bd005a             MOV          ECX, [0x5a00bdb4]
                85c9                     TEST         ECX, ECX
                7405                     JZ           0x59fd3ba7
                ff75b8                   PUSH         DWORD [EBP-0x48]
                ffd1                     CALL         ECX
                8bc6                     MOV          EAX, ESI
                e854210200               CALL         0x59ff5d02
                c20800                   RET          0x8
    
    3  59FC20C6 ushata.dll             
    4  59FDA75F ushata.dll             
    5  59FD4F7C ushata.dll             
    6  59FD50F3 ushata.dll             
    7  59FC1530 ushata.dll               UshataInitializeForService +0xbc
    8  5A0254FC ksde.dll                 Run +0x16c
    9  002B162F ksde.exe               
    10 7590FCC9 kernel32.dll             BaseThreadInitThunk +0x19
    
    Loaded Modules (23)
    -----------------------------------------------------------------------------
    002B0000-002B6000 KSDE.exe (AO Kaspersky Lab),
                      version: 1.0.0.0
    771C0000-77364000 ntdll.dll (Microsoft Corporation),
                      version: 10.0.19041.6093 (WinBuild.160101.0800)
    74180000-742B2000 hmpalert.dll (Sophos B.V.),
                      version: 3.20.2.2019
    74160000-7417A000 aswhook.dll (Gen Digital Inc.),
                      version: 25.7.10308.0
    758F0000-759E0000 KERNEL32.dll (Microsoft Corporation),
                      version: 10.0.19041.5915 (WinBuild.160101.0800)
    76800000-76A39000 KERNELBASE.dll (Microsoft Corporation),
                      version: 10.0.19041.6093 (WinBuild.160101.0800)
    76780000-767FD000 ADVAPI32.dll (Microsoft Corporation),
                      version: 10.0.19041.6093 (WinBuild.160101.0800)
    76240000-762FF000 msvcrt.dll (Microsoft Corporation),
                      version: 7.0.19041.3636 (WinBuild.160101.0800)
    761A0000-76217000 sechost.dll (Microsoft Corporation),
                      version: 10.0.19041.5915 (WinBuild.160101.0800)
    77060000-7711C000 RPCRT4.dll (Microsoft Corporation),
                      version: 10.0.19041.5915 (WinBuild.160101.0800)
    76BE0000-76BF9000 bcrypt.dll (Microsoft Corporation),
                      version: 10.0.19041.5438 (WinBuild.160101.0800)
    740C0000-7415F000 0patchLoader.dll (Acros Security),
                      version: 22.11.11.10550
    76300000-7649C000 USER32.dll (Microsoft Corporation),
                      version: 10.0.19041.6093 (WinBuild.160101.0800)
    77040000-77058000 win32u.dll (Microsoft Corporation),
                      version: 10.0.19041.6093 (WinBuild.160101.0800)
    77120000-77143000 GDI32.dll (Microsoft Corporation),
                      version: 10.0.19041.5737 (WinBuild.160101.0800)
    764A0000-76587000 gdi32full.dll (Microsoft Corporation),
                      version: 10.0.19041.6093 (WinBuild.160101.0800)
    75840000-758BB000 msvcp_win.dll (Microsoft Corporation),
                      version: 10.0.19041.3636 (WinBuild.160101.0800)
    75210000-75330000 ucrtbase.dll (Microsoft Corporation),
                      version: 10.0.19041.3636 (WinBuild.160101.0800)
    748F0000-748F8000 VERSION.dll (Microsoft Corporation),
                      version: 10.0.19041.3636 (WinBuild.160101.0800)
    74090000-740B9000 ntmarta.dll (Microsoft Corporation),
                      version: 10.0.19041.3636 (WinBuild.160101.0800)
    5A020000-5A04C000 ksde.dll (AO Kaspersky Lab),
                      version: 21.21.7.384
    59FC0000-5A012000 ushata.dll (AO Kaspersky Lab),
                      version: 21.21.7.384
    59F90000-59FBB000 product_info.dll (AO Kaspersky Lab),
                      version: 21.21.7.384
    
    Process Trace
    1  C:\Program Files (x86)\Kaspersky Lab\Kaspersky VPN 5.21\ksde.exe [3124]
       "C:\Program Files (x86)\Kaspersky Lab\Kaspersky VPN 5.21\KSDE.exe" -hidden -nsp export "C:\WINDOWS\TEMP\{AD742A07-CA0B-417C-B107-0CEA0F62BF61}\install.cfg"
    2  C:\Windows\SysWOW64\msiexec.exe [3496]
       C:\Windows\syswow64\MsiExec.exe -Embedding 23881CAAD5726DC155C13F0386D72C89 E Global\MSI0000
    3  C:\Windows\System32\msiexec.exe [15204]
    4  C:\Windows\System32\services.exe [808]
    5  C:\Windows\System32\wininit.exe [944]
       wininit.exe
    
    Services
    15204  msiserver
    
    Dropped Files
    1  C:\WINDOWS\Installer\5bb8f5.msi
         Dropped by \Device\HarddiskVolume3\Windows\System32\msiexec.exe [15204]
            Read by  [4]
    2  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
         Dropped by \Device\HarddiskVolume3\Windows\System32\msiexec.exe [15204]
    3  C:\WINDOWS\Installer\MSIBB37.tmp
         Dropped by \Device\HarddiskVolume3\Windows\System32\msiexec.exe [15204]
            Read by \Device\HarddiskVolume3\Windows\System32\msiexec.exe [15204]
    4  C:\WINDOWS\Installer\MSIBE64.tmp
         Dropped by \Device\HarddiskVolume3\Windows\System32\msiexec.exe [15204]
            Read by \Device\HarddiskVolume3\Windows\System32\msiexec.exe [15204]
    5  C:\WINDOWS\Installer\MSIBEE2.tmp
         Dropped by \Device\HarddiskVolume3\Windows\System32\msiexec.exe [15204]
            Read by \Device\HarddiskVolume3\Windows\System32\msiexec.exe [15204]
    6  C:\WINDOWS\Installer\MSIBF60.tmp
         Dropped by \Device\HarddiskVolume3\Windows\System32\msiexec.exe [15204]
            Read by \Device\HarddiskVolume3\Windows\System32\msiexec.exe [15204]
    7  C:\WINDOWS\Installer\MSIC174.tmp
         Dropped by \Device\HarddiskVolume3\Windows\System32\msiexec.exe [15204]
            Read by \Device\HarddiskVolume3\Windows\System32\msiexec.exe [15204]
    8  C:\WINDOWS\Installer\MSIC3F6.tmp
         Dropped by \Device\HarddiskVolume3\Windows\System32\msiexec.exe [15204]
            Read by \Device\HarddiskVolume3\Windows\System32\msiexec.exe [15204]
    9  C:\WINDOWS\Installer\MSIC86C.tmp
         Dropped by \Device\HarddiskVolume3\Windows\System32\msiexec.exe [15204]
            Read by \Device\HarddiskVolume3\Windows\System32\msiexec.exe [15204]
    10 C:\WINDOWS\Installer\MSICACE.tmp
         Dropped by \Device\HarddiskVolume3\Windows\System32\msiexec.exe [15204]
            Read by \Device\HarddiskVolume3\Windows\System32\msiexec.exe [15204]
    11 C:\WINDOWS\Installer\inprogressinstallinfo.ipi
         Dropped by \Device\HarddiskVolume3\Windows\System32\msiexec.exe [15204]
            Read by \Device\HarddiskVolume3\Windows\System32\msiexec.exe [15204]
    12 C:\WINDOWS\Installer\SourceHash{9F116269-28EB-3387-A5F3-B77B5363F5A3}
         Dropped by \Device\HarddiskVolume3\Windows\System32\msiexec.exe [15204]
    13 C:\WINDOWS\Installer\MSICD30.tmp
         Dropped by \Device\HarddiskVolume3\Windows\System32\msiexec.exe [15204]
            Read by \Device\HarddiskVolume3\Windows\System32\msiexec.exe [15204]
    14 C:\WINDOWS\Installer\MSICD9F.tmp
         Dropped by \Device\HarddiskVolume3\Windows\System32\msiexec.exe [15204]
            Read by \Device\HarddiskVolume3\Windows\System32\msiexec.exe [15204]
    15 C:\WINDOWS\Installer\MSICE9A.tmp
         Dropped by \Device\HarddiskVolume3\Windows\System32\msiexec.exe [15204]
            Read by \Device\HarddiskVolume3\Windows\System32\msiexec.exe [15204]
    16 C:\WINDOWS\Installer\MSID031.tmp
         Dropped by \Device\HarddiskVolume3\Windows\System32\msiexec.exe [15204]
            Read by \Device\HarddiskVolume3\Windows\System32\msiexec.exe [15204]
    17 C:\WINDOWS\Installer\MSID255.tmp
         Dropped by \Device\HarddiskVolume3\Windows\System32\msiexec.exe [15204]
            Read by \Device\HarddiskVolume3\Windows\System32\msiexec.exe [15204]
    18 C:\Config.Msi\CMPD4AA.tmp
         Dropped by \Device\HarddiskVolume3\Windows\System32\msiexec.exe [15204]
    19 C:\Config.Msi\5bb8f8.rbs
         Dropped by \Device\HarddiskVolume3\Windows\System32\msiexec.exe [15204]
    
    Thumbprints
    ae19d2fa1359779e3f4fede6df817b75beb2078faf5ab1c3b7c26cac55a0f449 (orig)
    c864e3f11da488d7db5ab94a29f591e5beeb864558b3f9e294c99f000592f248 (code)
    e910ee949dbfb148793d49ab40740592ac5ff21ba0d5e95a5719cb55abf61d2d (ownermodule)
    
     
  22. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    719
    Location:
    Planet Earth
    If that's consistent, you need to add ksde.exe to Exploit Mitigation -> Exclude.
    The application blindly assumes that kernel32.dll is on the first spot, without using the normal way to resolve that info.
    Hence it hits our trap.
     
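An added illustration of the failure mode RonnyT describes, written for this page and not code from the thread, from Sophos or from Kaspersky. It models the loader's module list as a simplified linked list (a stand-in for the PEB->Ldr InLoadOrderModuleList entries, not the real Windows structures) populated in the load order shown in the Kernel32Trap alert above: KSDE.exe, ntdll.dll, hmpalert.dll, KERNEL32.dll. A position-based lookup of the "third module" lands on hmpalert.dll instead of kernel32.dll, so any export resolution done against that base goes through the protected module; a name-based lookup, which is what GetModuleHandle-style resolution effectively does, finds kernel32.dll wherever it sits. The function names and list contents are constructed for the example.

```c
/* Added example: position-based vs name-based module lookup.
 * Not Windows API code; the list is a constructed stand-in for the
 * loader's in-load-order module list, populated from the "Loaded
 * Modules" block of the Kernel32Trap alert posted above. */
#include <stdio.h>
#include <stddef.h>
#include <string.h>
#include <ctype.h>

typedef struct ldr_entry {
    struct ldr_entry *next;   /* simplified InLoadOrderLinks.Flink */
    const char *base_name;    /* simplified BaseDllName */
    unsigned long dll_base;   /* simplified DllBase (from the alert) */
} ldr_entry;

/* Constructed sample in the load order the alert shows for ksde.exe:
 * the security product's DLL is injected before kernel32.dll. */
static ldr_entry mods[5] = {
    { &mods[1], "KSDE.exe",       0x002B0000UL },
    { &mods[2], "ntdll.dll",      0x771C0000UL },
    { &mods[3], "hmpalert.dll",   0x74180000UL },
    { &mods[4], "KERNEL32.dll",   0x758F0000UL },
    { NULL,     "KERNELBASE.dll", 0x76800000UL },
};

/* Fragile lookup: walk N-1 links and assume the N-th entry is kernel32.
 * The classic assumption is N == 3 (exe, ntdll, kernel32). Returns NULL
 * if the list is shorter than N. */
const ldr_entry *module_by_position(const ldr_entry *head, int position)
{
    const ldr_entry *e = head;
    int i;
    for (i = 1; e != NULL && i < position; i++)
        e = e->next;
    return e;
}

/* Case-insensitive ASCII string compare (DLL names are not case-sensitive). */
static int name_equal(const char *a, const char *b)
{
    for (; *a != '\0' && *b != '\0'; a++, b++) {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    }
    return *a == *b;
}

/* Robust lookup: match on the module's base name, the way a normal
 * GetModuleHandle-style resolution does, regardless of load order. */
const ldr_entry *module_by_name(const ldr_entry *head, const char *name)
{
    const ldr_entry *e;
    for (e = head; e != NULL; e = e->next) {
        if (name_equal(e->base_name, name))
            return e;
    }
    return NULL;
}

int main(void)
{
    const ldr_entry *by_pos  = module_by_position(mods, 3);
    const ldr_entry *by_name = module_by_name(mods, "kernel32.dll");

    printf("3rd module in load order : %s (base 0x%08lX)\n",
           by_pos->base_name, by_pos->dll_base);
    printf("module named kernel32.dll: %s (base 0x%08lX)\n",
           by_name->base_name, by_name->dll_base);
    return 0;
}
```

In the 32-bit ksde.exe process from the alert, the position walk picks hmpalert.dll, so a subsequent export lookup on that base is exactly the GetProcAddress call HitmanPro.Alert flags. Note that the order is not stable across processes: in the 64-bit Edge module list posted earlier in the thread, KERNEL32.dll appears before hmpalert.dll, so the same shortcut would happen to work there, which is why a vendor bug like this can go unnoticed until it runs alongside an early-injecting security product.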
  23. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,527
    Location:
    Among the gum trees
    Hi Ronny,

    I have added the exclusion. I think Kaspersky VPN was updating at the time.

    Thanks,
    Dave
     