July 4, 2021

HitmanPro detecting code injection in Chrome

Hi, I’m not sure if this is the right place to ask, but I might have a problem and don’t know what to do. I run Sandboxie because I had to download PDFs that I didn’t really trust, so I uploaded them to VirusTotal and Hybrid Analysis from there. The PDFs were all clean, but later I checked Event Viewer, which had the following logs in HitmanPro Events:

"Mitigation PrivGuard
Timestamp 2021-06-28T12:39:54

Platform 10.0.19043/x64 v504 8f_60
PID 8396
Application C:\Windows\explorer.exe
Created 2021-06-11T07:44:24
Modified 2021-06-11T07:44:24
Description Windows Explorer 10

Sweep

Code Injection
00000000005F0000-00000000005F6000 24KB C:\Program Files\Sandboxie-Plus\SbieSvc.exe [3184]
00000000008C0000-00000000008C2000 8KB
00007FFBE8384000-00007FFBE8385000 4KB
1 C:\Program Files\Sandboxie-Plus\SbieSvc.exe [3184]
2 C:\Windows\System32\services.exe [1060]
3 C:\Windows\System32\wininit.exe [556]
wininit.exe

Process Trace
1 C:\Windows\explorer.exe [8396]
"C:\Windows\explorer.exe" /e,::{20D04FE0-3AEA-1069-A2D8-08002B30309D}
2 C:\Program Files\Sandboxie-Plus\Start.exe [17044]
"C:\Program Files\Sandboxie-Plus\Start.exe" /env:00000000_SBIE_CURRENT_DIRECTORY="C:\Program Files\Sandboxie-Plus" /env:=Refresh explorer.exe /e,::{20D04FE0-3AEA-1069-A2D8-08002B30309D}
3 C:\Program Files\Sandboxie-Plus\SbieSvc.exe [3184]
4 C:\Windows\System32\services.exe [1060]
5 C:\Windows\System32\wininit.exe [556]
wininit.exe

Thumbprint
4589672c3cf1144aa588f4148da6a1ae685a4aacb7df40dd94a67aff789ff2a0

<<< NEXT EVENT >>>

Mitigation PrivGuard
Timestamp 2021-06-28T15:04:13

Platform 10.0.19043/x64 v504 8f_60
PID 4648
Application C:\Program Files\Google\Chrome\Application\chrome.exe
Created 2021-06-11T09:00:02
Modified 2021-06-17T01:34:32
Description Google Chrome 91

Sweep

Code Injection
0000000000270000-0000000000276000 24KB C:\Program Files\Sandboxie-Plus\SbieSvc.exe [3376]
0000000000280000-0000000000282000 8KB
00007FFFE15E4000-00007FFFE15E5000 4KB
1 C:\Program Files\Sandboxie-Plus\SbieSvc.exe [3376]
2 C:\Windows\System32\services.exe [1124]
3 C:\Windows\System32\wininit.exe [1044]
wininit.exe

Process Trace
1 C:\Program Files\Google\Chrome\Application\chrome.exe [4648]
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=patch.mojom.FilePatcher --field-trial-handle=1836,14086890906158473310,1521814166668875509,131072 --lang=en-GB --service-sandbox-type=utility --mojo-platform-channel-
2 C:\Program Files\Google\Chrome\Application\chrome.exe [15292]
3 C:\Program Files\Sandboxie-Plus\Start.exe [6836]
"C:\Program Files\Sandboxie-Plus\Start.exe" /env:00000000_SBIE_CURRENT_DIRECTORY="C:\Program Files\Sandboxie-Plus" /env:=Refresh run_dialog
4 C:\Program Files\Sandboxie-Plus\SbieSvc.exe [3376]
5 C:\Windows\System32\services.exe [1124]
6 C:\Windows\System32\wininit.exe [1044]
wininit.exe

Thumbprint
ea3206e9b7f3ccf8a1e7f898b5ba3ce933b190c111f3a49128e943e339d7756a

<<< NEXT EVENT >>>

Mitigation PrivGuard
Timestamp 2021-06-28T15:06:29

Platform 10.0.19043/x64 v504 8f_60
PID 10676
Application C:\Program Files\Google\Chrome\Application\chrome.exe
Created 2021-06-11T09:00:02
Modified 2021-06-17T01:34:32
Description Google Chrome 91

Sweep

Code Injection
0000000000CA0000-0000000000CA6000 24KB C:\Program Files\Sandboxie-Plus\SbieSvc.exe [3376]
0000000000CB0000-0000000000CB2000 8KB
00007FFFE15E4000-00007FFFE15E5000 4KB
1 C:\Program Files\Sandboxie-Plus\SbieSvc.exe [3376]
2 C:\Windows\System32\services.exe [1124]
3 C:\Windows\System32\wininit.exe [1044]
wininit.exe

Thumbprint
ea3206e9b7f3ccf8a1e7f898b5ba3ce933b190c111f3a49128e943e339d7756a

<<< NEXT EVENT >>>

Mitigation PrivGuard
Timestamp 2021-06-28T19:23:19

Platform 10.0.19043/x64 v504 8f_60
PID 17656
Application C:\Program Files\Google\Chrome\Application\chrome.exe
Created 2021-06-11T09:00:02
Modified 2021-06-17T01:34:32
Description Google Chrome 91

Sweep

Code Injection
00000000009E0000-00000000009E6000 24KB C:\Program Files\Sandboxie-Plus\SbieSvc.exe [3376]
00000000009F0000-00000000009F2000 8KB
00007FFFE15E4000-00007FFFE15E5000 4KB
1 C:\Program Files\Sandboxie-Plus\SbieSvc.exe [3376]
2 C:\Windows\System32\services.exe [1124]
3 C:\Windows\System32\wininit.exe [1044]
wininit.exe

Process Trace
1 C:\Program Files\Google\Chrome\Application\chrome.exe [17656]
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1776,14874191627072077257,6051874787474641367,131072 --lang=en-GB --service-sandbox-type=utility --mojo-platform-channel-han
2 C:\Program Files\Google\Chrome\Application\chrome.exe [16724]
3 C:\Program Files\Sandboxie-Plus\Start.exe [10528]
"C:\Program Files\Sandboxie-Plus\Start.exe" /env:00000000_SBIE_CURRENT_DIRECTORY="C:\Program Files\Sandboxie-Plus" /env:=Refresh run_dialog
4 C:\Program Files\Sandboxie-Plus\SbieSvc.exe [3376]
5 C:\Windows\System32\services.exe [1124]
6 C:\Windows\System32\wininit.exe [1044]
wininit.exe

Thumbprint
ea3206e9b7f3ccf8a1e7f898b5ba3ce933b190c111f3a49128e943e339d7756a"

So what exactly happened here? Are Sandboxie and HitmanPro in conflict or did something escape the sandbox?

All other virus scans come up clean. I apologise for the formatting in advance.
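The events above all name the same injecting image (Sandboxie's SbieSvc.exe, started by services.exe under wininit.exe), so the practical triage question is whether every Code Injection entry traces back to a process you expect on the host. The following Python script is an added example, not code from the post, HitmanPro or Sandboxie: it parses events in the layout pasted above (field names such as `injections` and `injector_chain` are this script's own, inferred from that layout), and classifies each event as "expected" when every named injector is on an allow-list and the injector's parent chain ends in services.exe and wininit.exe, or "review" otherwise. The two embedded sample events are constructed and abbreviated; the allow-list path for SbieSvc.exe is assumed to be the default Sandboxie-Plus install location.

```python
"""Parse HitmanPro 'Mitigation' events pasted from Event Viewer and triage each
Code Injection source against an allow-list of injectors expected on the host.
Added example; layout inferred from a forum post, not an official format spec."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

EVENT_SEP = "<<< NEXT EVENT >>>"
# Memory region line: "<start>-<end> <n>KB [<injecting image> [<pid>]]"
REGION_RE = re.compile(
    r"^([0-9A-F]{16})-([0-9A-F]{16})\s+(\d+)KB(?:\s+(.+?)\s+\[(\d+)\])?$", re.I)
# Numbered process-chain line: "<n> <image path> [<pid>]"
CHAIN_RE = re.compile(r"^(\d+)\s+(.+?)\s+\[(\d+)\]$")

# Assumption: default Sandboxie-Plus install path (not taken from any spec).
SANDBOXIE_SERVICE = r"C:\Program Files\Sandboxie-Plus\SbieSvc.exe"


@dataclass
class Injection:
    start: int
    end: int
    size_kb: int
    source: Optional[str]      # injecting image, if HitmanPro named one
    source_pid: Optional[int]


@dataclass
class Event:
    mitigation: str = ""
    timestamp: str = ""
    pid: int = 0
    application: str = ""
    injections: List[Injection] = field(default_factory=list)
    injector_chain: List[str] = field(default_factory=list)  # injector -> parents
    trace: List[str] = field(default_factory=list)           # target -> parents
    thumbprint: str = ""


def parse_events(text: str) -> List[Event]:
    """Split the pasted text on the event separator and parse each block."""
    events: List[Event] = []
    for chunk in text.split(EVENT_SEP):
        # Strip whitespace and the straight/curly quotes a web paste adds.
        lines = [ln.strip().strip('"\u201c\u201d') for ln in chunk.splitlines()]
        lines = [ln for ln in lines if ln]
        if not lines:
            continue
        ev, section = Event(), None
        for ln in lines:
            if ln in ("Sweep", "Code Injection", "Process Trace", "Thumbprint"):
                section = ln
                continue
            if section is None:                      # header key/value lines
                key, _, val = ln.partition(" ")
                if key == "Mitigation":
                    ev.mitigation = val
                elif key == "Timestamp":
                    ev.timestamp = val
                elif key == "PID":
                    ev.pid = int(val)
                elif key == "Application":
                    ev.application = val
            elif section == "Code Injection":
                m = REGION_RE.match(ln)
                if m:
                    ev.injections.append(Injection(
                        int(m[1], 16), int(m[2], 16), int(m[3]),
                        m[4], int(m[5]) if m[5] else None))
                    continue
                c = CHAIN_RE.match(ln)
                if c:
                    ev.injector_chain.append(c[2])
            elif section == "Process Trace":
                c = CHAIN_RE.match(ln)              # command lines don't match
                if c:
                    ev.trace.append(c[2])
            elif section == "Thumbprint":
                ev.thumbprint = ln
        events.append(ev)
    return events


def triage(ev: Event, expected_injectors: Set[str]) -> str:
    """'expected' if every named injector is allow-listed (full path,
    case-insensitive) and its parent chain ends in services.exe -> wininit.exe,
    i.e. it is a Windows service; anything else is 'review'."""
    sources = {i.source.lower() for i in ev.injections if i.source}
    if not sources:
        return "review"   # no injector named: inspect the regions by hand
    allowed = {p.lower() for p in expected_injectors}
    tail = [p.lower().rsplit("\\", 1)[-1] for p in ev.injector_chain[-2:]]
    service_rooted = tail == ["services.exe", "wininit.exe"]
    return "expected" if sources <= allowed and service_rooted else "review"


def summarize(text: str, expected: Set[str]) -> List[Tuple[str, str, str]]:
    return [(e.timestamp, e.application, triage(e, expected))
            for e in parse_events(text)]


# Constructed sample: one event modelled on the post, one with an unknown
# injector and no service-rooted chain. Not real telemetry.
SAMPLE = r"""Mitigation PrivGuard
Timestamp 2021-06-28T15:04:13

Platform 10.0.19043/x64 v504 8f_60
PID 4648
Application C:\Program Files\Google\Chrome\Application\chrome.exe

Sweep

Code Injection
0000000000270000-0000000000276000 24KB C:\Program Files\Sandboxie-Plus\SbieSvc.exe [3376]
0000000000280000-0000000000282000 8KB
1 C:\Program Files\Sandboxie-Plus\SbieSvc.exe [3376]
2 C:\Windows\System32\services.exe [1124]
3 C:\Windows\System32\wininit.exe [1044]
wininit.exe

Process Trace
1 C:\Program Files\Google\Chrome\Application\chrome.exe [4648]
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility
2 C:\Program Files\Google\Chrome\Application\chrome.exe [15292]

Thumbprint
ea3206e9b7f3ccf8a1e7f898b5ba3ce933b190c111f3a49128e943e339d7756a

<<< NEXT EVENT >>>

Mitigation PrivGuard
Timestamp 2021-06-28T19:23:19
PID 17656
Application C:\Program Files\Google\Chrome\Application\chrome.exe

Sweep

Code Injection
00000000009E0000-00000000009E6000 24KB C:\Temp\unknown_injector.exe [9999]
1 C:\Temp\unknown_injector.exe [9999]
2 C:\Windows\explorer.exe [8396]

Thumbprint
0000000000000000000000000000000000000000000000000000000000000000
"""

if __name__ == "__main__":
    for ts, app, verdict in summarize(SAMPLE, {SANDBOXIE_SERVICE}):
        print(f"{ts}  {verdict:8s}  {app}")
```

Run it against your own paste by reading the file into `summarize()` instead of `SAMPLE`; every event whose injector is not on your allow-list, or whose chain does not end in services.exe and wininit.exe, comes back as "review" and deserves a closer look at the Process Trace and the region sizes.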
