I just got this on boot of my machine, even before the log in screen appeared:

Code:
Mitigation      HeapHeapProtect

Timestamp       2023-11-24T18:48:24
Platform        10.0.19045/x64 v971 06_5e
PID             6912
Service         XTU3SERVICE
Feature         00FD2E70000001AE
Application     C:\Windows\SysWOW64\XtuService.exe
Created         2021-02-24T00:19:30
Description     XtuService 7.3

Callee Type     ProtectVirtualMemory
                0x0000019A6E9F2000 (23004 bytes)

Shellcode (HHP) (0x000059DC bytes : start at 0000019A6E9F2000)
Target address info:   XtuApplicationInterfaces.dll
Owner of CALLER:       (anonymous; allocated by 00007FFE04F9C0AA, clr.dll)

OwnerModule
Name            clr.dll
Path            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll
Thumbprint      11e3e707cf3877d15911a2bbc728858d0f18e53d18566ae5b42ad94d8cab8c56
SHA-256         157ac3f5978f8561b9d3d0951e13501baeb8b0a7400d85b92878758ab2137b94
SHA-1           dbd9928c7e19ec7842015482b56094602c4f5cff
MD5             b53e50ccbb014395c303f0cda37ce44d

Current process is signed
OwnerModule is signed

00007FFDA5831E86 ffd0              CALL RAX
00007FFDA5831E88 488b5580          MOV RDX, [RBP-0x80]
00007FFDA5831E8C c6420c01          MOV BYTE [RDX+0xc], 0x1
00007FFDA5831E90 833d7db6f45f00    CMP DWORD [RIP+0x5ff4b67d], 0x0
00007FFDA5831E97 7406              JZ 0x7ffda5831e9f
00007FFDA5831E99 ff1589d3f35f      CALL QWORD [RIP+0x5ff3d389]
00007FFDA5831E9F 894598            MOV [RBP-0x68], EAX
00007FFDA5831EA2 837d9800          CMP DWORD [RBP-0x68], 0x0
00007FFDA5831EA6 0f95c0            SETNZ AL
00007FFDA5831EA9 0fb6c0            MOVZX EAX, AL
00007FFDA5831EAC 89459c            MOV [RBP-0x64], EAX
00007FFDA5831EAF 90                NOP
00007FFDA5831EB0 90                NOP
00007FFDA5831EB1 90                NOP
00007FFDA5831EB2 90                NOP
00007FFDA5831EB3 90                NOP

----- SNIP HERE -----
----- END SNIP -----

Stack Trace
#  Address           Module                    Location
-- ----------------  ------------------------  ----------------------------------------
1  00007FFE1CC5C976  KernelBase.dll            VirtualProtect +0x36
2  00007FFDA5831E88  (anonymous; clr.dll)
                     488b5580          MOV RDX, [RBP-0x80]
                     c6420c01          MOV BYTE [RDX+0xc], 0x1
                     833d7db6f45f00    CMP DWORD [RIP+0x5ff4b67d], 0x0
                     7406              JZ 0x7ffda5831e9f
                     ff1589d3f35f      CALL QWORD [RIP+0x5ff3d389]
                     894598            MOV [RBP-0x68], EAX
                     837d9800          CMP DWORD [RBP-0x68], 0x0
                     0f95c0            SETNZ AL
                     0fb6c0            MOVZX EAX, AL
                     89459c            MOV [RBP-0x64], EAX
                     90                NOP
                     90                NOP
                     90                NOP
                     90                NOP
                     90                NOP
                     90                NOP
3  00007FFDA5866AF0  (anonymous; clr.dll)
4  00007FFDA5865F1B  (anonymous; clr.dll)
5  00007FFE04FF12C3  clr.dll
6  00007FFE04EB961B  clr.dll
7  00007FFE04EB95AF  clr.dll
8  00007FFE04EB9445  clr.dll
9  00007FFE04EB931C  clr.dll
10 00007FFE04EBBA21  clr.dll

Loaded Modules (68)
-----------------------------------------------------------------------------
0000019A55510000-0000019A55526000 XtuService.exe (Intel(R) Corporation), version: 7.3.0.33
00007FFE1F070000-00007FFE1F268000 ntdll.dll (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800)
00007FFE1E9D0000-00007FFE1EA8D000 KERNEL32.dll (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800)
00007FFE05A60000-00007FFE05AC5000 MSCOREE.DLL (Microsoft Corporation), version: 10.0.19041.1 (WinBuild.160101.0800)
00007FFE1CBF0000-00007FFE1CEE6000 KERNELBASE.dll (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800)
00007FFE1C4B0000-00007FFE1C5F7000 hmpalert.dll (Sophos B.V.), version: 3.8.25.971
00007FFE1EB80000-00007FFE1EC2F000 ADVAPI32.dll (Microsoft Corporation), version: 10.0.19041.3693 (WinBuild.160101.0800)
00007FFE1D0D0000-00007FFE1D16E000 msvcrt.dll (Microsoft Corporation), version: 7.0.19041.3636 (WinBuild.160101.0800)
00007FFE1DA10000-00007FFE1DAAC000 sechost.dll (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800)
00007FFE1EC60000-00007FFE1ED86000 RPCRT4.dll (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800)
00007FFE05850000-00007FFE058EB000 mscoreei.dll (Microsoft Corporation), version: 4.8.9093.0 built by: NET481REL1LAST_C
00007FFE1EFB0000-00007FFE1F005000 SHLWAPI.dll (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800)
00007FFE1A4E0000-00007FFE1A4F2000 kernel.appcore.dll (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800)
00007FFE17AF0000-00007FFE17AFA000 VERSION.dll (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800)
00007FFE04E60000-00007FFE05804000 clr.dll (Microsoft Corporation), version: 4.8.9181.0 built by: NET481REL1LAST_C
00007FFE1DDD0000-00007FFE1DF6E000 USER32.dll (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800)
00007FFE1CAC0000-00007FFE1CAE2000 win32u.dll (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800)
00007FFE1EC30000-00007FFE1EC5C000 GDI32.dll (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800)
00007FFE1C750000-00007FFE1C86A000 gdi32full.dll (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800)
00007FFE1CA20000-00007FFE1CABD000 msvcp_win.dll (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800)
00007FFE1CAF0000-00007FFE1CBF0000 ucrtbase.dll (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800)
00007FFE04E50000-00007FFE04E5C000 VCRUNTIME140_1_CLR0400.dll (Microsoft Corporation), version: 14.32.31326.0
00007FFE04E30000-00007FFE04E4B000 VCRUNTIME140_CLR0400.dll (Microsoft Corporation), version: 14.32.31326.0
00007FFE04D60000-00007FFE04E2D000 ucrtbase_clr0400.dll (Microsoft Corporation), version: 14.32.31326.0
00007FFE1D8C0000-00007FFE1D8F0000 IMM32.DLL (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800)
00007FFE03460000-00007FFE04A6F000 mscorlib.ni.dll (Microsoft Corporation), version: 4.8.9181.0 built by: NET481REL1LAST_C
00007FFE1EDA0000-00007FFE1EECB000 ole32.dll (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800)
00007FFE1E000000-00007FFE1E354000 combase.dll (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800)
00007FFE1C990000-00007FFE1CA12000 bcryptPrimitives.dll (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800)
00007FFE1BEC0000-00007FFE1BED8000 CRYPTSP.dll (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800)
00007FFE1B600000-00007FFE1B634000 rsaenh.dll (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800)
00007FFE1D0A0000-00007FFE1D0C7000 bcrypt.dll (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800)
00007FFE1BEE0000-00007FFE1BEEC000 CRYPTBASE.dll (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800)
00007FFE03140000-00007FFE0326F000 clrjit.dll (Microsoft Corporation), version: 4.8.9181.0 built by: NET481REL1LAST_C
00007FFE1BF70000-00007FFE1BF9D000 wldp.dll (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800)
00007FFE14490000-00007FFE144AF000 amsi.dll (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800)
00007FFE1C640000-00007FFE1C66E000 USERENV.dll (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800)
00007FFE1C680000-00007FFE1C6A5000 profapi.dll (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800)
00007FFE143E0000-00007FFE1448E000 symamsi.dll (Broadcom), version: 15.7.12.41
00007FFE1C870000-00007FFE1C8D7000 WINTRUST.dll (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800)
00007FFE1CF40000-00007FFE1D09D000 CRYPT32.dll (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800)
00007FFE1D170000-00007FFE1D8B4000 SHELL32.dll (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800)
00007FFE1E900000-00007FFE1E9CD000 OLEAUT32.dll (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800)
00007FFE1C100000-00007FFE1C112000 MSASN1.dll (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800)
00007FFE1F010000-00007FFE1F02D000 imagehlp.dll (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800)
00007FFE1AE90000-00007FFE1AEB3000 gpapi.dll (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800)
00007FFE02520000-00007FFE0313C000 System.ni.dll (Microsoft Corporation), version: 4.8.9206.0 built by: NET481REL1LAST_B
00007FFE02150000-00007FFE02196000 System.ServiceProcess.ni.dll (Microsoft Corporation), version: 4.8.9037.0 built by: NET481REL1
00007FFDFAA50000-00007FFDFAA7D000 System.Configuration.Install.ni.dll (Microsoft Corporation), version: 4.8.9037.0 built by: NET481REL1
00007FFE11560000-00007FFE11591000 cryptnet.dll (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800)
00007FFE1B9C0000-00007FFE1B9FB000 IPHLPAPI.DLL (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800)
00007FFE16AE0000-00007FFE16AEB000 WINNSI.DLL (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800)
00007FFE1EA90000-00007FFE1EA98000 NSI.dll (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800)
00007FFDFA8E0000-00007FFDFAA46000 System.Management.ni.dll (Microsoft Corporation), version: 4.8.9037.0 built by: NET481REL1
00007FFDFA800000-00007FFDFA82F000 wminet_utils.dll (Microsoft Corporation), version: 4.8.9037.0 built by: NET481REL1
00007FFE1DB10000-00007FFE1DBB9000 clbcatq.dll (Microsoft Corporation), version: 2001.12.10941.16384 (WinBuild.160101.080
00007FFE14530000-00007FFE14558000 wmiutils.dll (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800)
00007FFE14E50000-00007FFE14EE0000 wbemcomn.dll (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800)
00007FFE14F10000-00007FFE14F21000 wbemprox.dll (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800)
00007FFE1E360000-00007FFE1E3CB000 WS2_32.dll (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800)
00007FFE14560000-00007FFE14574000 wbemsvc.dll (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800)
00007FFE14600000-00007FFE1470B000 fastprox.dll (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800)
00007FFE1A6E0000-00007FFE1AE7B000 windows.storage.dll (Microsoft Corporation), version: 10.0.19041.3693 (WinBuild.160101.0800)
00007FFE1E840000-00007FFE1E8ED000 SHCORE.dll (Microsoft Corporation), version: 10.0.19041.3636 (WinBuild.160101.0800)
00007FFE016C0000-00007FFE02146000 System.Core.ni.dll (Microsoft Corporation), version: 4.8.9200.0 built by: NET481REL1LAST_C
00007FFDFFE50000-00007FFE016BC000 System.ServiceModel.ni.dll (Microsoft Corporation), version: 4.8.9037.0 built by: NET481REL1
00007FFDFFB80000-00007FFDFFCB3000 System.Configuration.ni.dll (Microsoft Corporation), version: 4.8.9037.0 built by: NET481REL1
00007FFDFF270000-00007FFDFFB20000 System.Xml.ni.dll (Microsoft Corporation), version: 4.8.9037.0 built by: NET481REL1

Process Trace
1  C:\Windows\SysWOW64\XtuService.exe [6912]
2  C:\Windows\System32\services.exe [752]
3  C:\Windows\System32\wininit.exe [1000] wininit.exe
4  C:\Windows\System32\smss.exe [572] \SystemRoot\System32\smss.exe 000000a8 00000084
5  C:\Windows\System32\smss.exe [432] \SystemRoot\System32\smss.exe
6  [4] Services 6912 XTU3SERVICE

Dropped Files
1  C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NGC_22.23.5.106\CmnClnt\ccSetMgr\506848A311EE71F5E33007B7A176387A.DAT.log
   Dropped by [4]
2  C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NGC_22.23.5.106\Product\Backup.dat.log
   Dropped by [4]
3  C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NGC_22.23.5.106\SRTSP\SrtspSet.dat.log
   Dropped by [4]

Thumbprints
4c28fef8ba7bdf053228228d788b6b56d3810d7c444179937a330ca07200a7ad (code)
11e3e707cf3877d15911a2bbc728858d0f18e53d18566ae5b42ad94d8cab8c56 (hhp-ownermodule)
47eda548bb173b4a61d8e830851e0805266d272daa77eb53f4a572d0e776c528 (hhp-fhsh-ownmod)
I have checked it out, but I do have a few questions. About Cookie Guard, can you tell me how it protects against infostealers? I mean, does it simply protect the browser profile folder (with cookies and passwords) or does it also protect browser memory? And I had to disable the Local Privilege Mitigation and Unexpected system calls protections in order to make Sandboxie work. With that I mean, every time I run a sandboxed process, HMPA will alert me about it. Is there any type of way to fix this problem?
Hi @Krusty @deugniet. Does this reproduce over every reboot? Can you produce this after reboot by stopping and starting the xtu3service? And are you both running Norton?
@RonnyT Running Norton 360 v22.23.10.10 (Win10 22H2 build 19045.3693). Cannot reproduce on every reboot. As a matter of fact I unsuppressed the first mitigation a while ago and had no further alerts. After your post of today I suppressed the HeapHeapProtect again. Restarted the machine and unsuppressed and then restarted the machine again: a mitigation HeapHeapProtect. Have yet to check the stopping and starting of the xtu3service.
Hello, Emsisoft Emergency Kit flags HitmanPro.Alert as: 29.11.2023 01:23:29 Scanner detection: Malware "Gen:Variant.Jaik.199660 (B)" in "C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe" (SHA1: 4ce9be59f7ec5a5be982bd31cbe2c48a0e635f19). I guess that this is a false positive but want to share it. Cheers
Doesn't reproduce on this end, also no hit on VirusTotal from their engine. The SHA1 is our legit version so deffo an FP on their end. @scip If you run a new scan now, does it still report it?
@Krusty @deugniet can you reproduce this in any way? I can't on this end. I'd like to know if it's every boot? And what happens if you stop the XTU3service after boot and restart the service, does it alert then also?
Disabling XTU3service (via Services) and re-enabling it again triggers a mitigation. Tried it twice and twice a mitigation. Not on every (re)boot a mitigation.
Weird, did you tweak any settings? And was this installed deliberately or part of an OEM package install?
Tweak XTU3service? Not that I know of. Can't tell you if it's installed deliberately or part of an OEM package install.
It's part of Intel Extreme Tuning Utility: https://www.intel.com/content/www/us/en/download/17881/intel-extreme-tuning-utility-intel-xtu.html So perhaps you have "tweaked" your machine with it, or it was installed by the hardware vendor of your machine (OEM), e.g. HP/ASUS etc.
Hi @RonnyT, my machine is an HP as well. I have never installed Intel Extreme Tuning Utility / XtuService.exe, so it either came with some third-party software, or from HP itself at some point. @deugniet, have you ever had Norton Utilities Premium or Ultimate installed? I have uninstalled it from my machines. I wonder if it may have been left behind, but then it should not be running. Maybe Norton 360 installs it? Something worth noting: I, and I think @deugniet, have made exclusions in Norton for HMP.A because of an issue I found some time ago. Whenever Norton received an update to SONAR my CPU would run high until I restarted my machine/s. With the exclusion in place that never happened. So, both running Norton on HP machines, and probably both with exclusions for HMP.A.
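The three checks the thread has been circling (is the flagged hmpalert.exe the legitimate build, does stopping and starting XTU3SERVICE reproduce the HeapHeapProtect mitigation, and where did Intel XTU and Norton come from) can be run from one elevated PowerShell prompt. This is an added example, not code from the thread or from Sophos/HitmanPro or Intel: it takes the hmpalert.exe path and SHA-1 from scip's post and the service name from the mitigation report; the product-name patterns used to search the Uninstall keys are assumptions, and the mitigation itself still has to be read off the HitmanPro.Alert console after each restart cycle.

```powershell
# Added triage script (not part of the original thread). Run from an elevated prompt.
# Assumed inputs: path and SHA-1 as posted by scip; service name from the report.
$HmpAlertExe   = 'C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe'
$KnownGoodSha1 = '4ce9be59f7ec5a5be982bd31cbe2c48a0e635f19'
$XtuService    = 'XTU3SERVICE'

# 1. Is the file Emsisoft flagged the build Sophos says is legitimate?
#    Compare the on-disk SHA-1 with the posted value and check the Authenticode chain.
function Test-HmpAlertBinary {
    param([string]$Path = $HmpAlertExe, [string]$ExpectedSha1 = $KnownGoodSha1)
    if (-not (Test-Path -LiteralPath $Path)) { throw "Not found: $Path" }
    $hash = (Get-FileHash -Algorithm SHA1 -LiteralPath $Path).Hash
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path        = $Path
        Sha1        = $hash.ToLower()
        HashMatches = ($hash -ieq $ExpectedSha1)   # $true = same bytes scip's scanner saw
        SigStatus   = $sig.Status                  # expect 'Valid' for a shipped build
        Signer      = $sig.SignerCertificate.Subject
    }
}

# 2. RonnyT's reproduction step: stop and start the service a few times and note the
#    timestamps, then look for a HeapHeapProtect entry with those times in the HMPA console.
function Invoke-XtuServiceRepro {
    param([string]$Name = $XtuService, [int]$Cycles = 2)
    $svc = Get-CimInstance Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { throw "Service $Name is not installed on this machine" }
    "Service binary: $($svc.PathName)  StartMode: $($svc.StartMode)  Account: $($svc.StartName)"
    foreach ($i in 1..$Cycles) {
        Stop-Service -Name $Name -Force
        (Get-Service -Name $Name).WaitForStatus('Stopped', '00:00:30')
        Start-Service -Name $Name
        (Get-Service -Name $Name).WaitForStatus('Running', '00:00:30')
        "Cycle $i : $Name is $((Get-Service -Name $Name).Status) at $(Get-Date -Format o)"
        Start-Sleep -Seconds 5   # give the CLR time to JIT and for HMPA to raise the alert
    }
}

# 3. Who installed what: list registered products matching the names under discussion.
#    The name patterns are assumptions; extend them if your vendor labels differ.
function Get-InstallOrigin {
    param([string[]]$Patterns = @('Extreme Tuning', 'Norton', 'HitmanPro'))
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object {
            $name = $_.DisplayName
            $name -and ($Patterns | Where-Object { $name -like "*$_*" })
        } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate, InstallSource
}

Test-HmpAlertBinary | Format-List
Get-InstallOrigin   | Format-Table -AutoSize
# Invoke-XtuServiceRepro    # uncomment when you are ready to trigger the mitigation
```

Test-HmpAlertBinary answers the false-positive question with two independent facts (hash equality and a valid signature from the expected signer), which is stronger than either alone. Get-InstallOrigin reads the Uninstall keys directly rather than Win32_Product, which is slow and triggers MSI reconfiguration; an InstallDate close to the machine's first-boot date with an OEM-looking InstallSource is what an HP-bundled XTU would look like. The repro function is deliberately commented out because it restarts a service that manages CPU tuning.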
@Krusty SONAR feature's name has been changed to Behavioral Protection. Source: https://community.norton.com/en/blo...norton-security-2222712-windows-now-available
OK. I haven't tested without the exclusion lately so I don't know if it is still required or not. I don't even know if that is relevant to this issue anyway. Cheers.
I have this infrequently (4 times after boot) and I am on a new HP as well. I have not tweaked anything yet and do not have Norton installed. So 4 times, but it does not happen on every boot.