Exploit.Payload File Block, C:\Windows\sysnative\cmd.exe, is this safe?

[xLuckyL]

Hello, 

This is my first time creating a ticket so im sorry if I do something incorrectly. Here is the problem.

I started my PC up a couple minutes ago and I instantly got a couple warnings from my Malwarebytes Premium 4.6.1. called: Exploit.PayloadProcessBlock

I have no idea what this is and I have no idea if it is safe or if it is a false message. I got this message 4 times in a row. Here is the TXT file:

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 9/12/23
Protection Event Time: 1:47 AM
Log File: 88cd4300-50fd-11ee-a1c9-d45d645172ee.json

-Software Information-
Version: 4.6.1.280
Components Version: 1.0.2117
Update Package Version: 1.0.75165
License: Premium

-System Information-
OS: Windows 10 (Build 19045.3324)
CPU: x64
File System: NTFS
User: System

-Exploit Details-
File: 0
(No malicious items detected)

Exploit: 1
Exploit.PayloadProcessBlock, C:\Windows\sysnative\cmd.exe C:\Windows\sysnative\cmd.exe \c C:\Windows\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography \v MachineGuid, Blocked, 701, 392684, 0.0.0, , 

-Exploit Data-
Affected Application: cmd
Protection Layer: Application Behavior Protection
Protection Technique: Exploit payload process blocked
File Name: C:\Windows\sysnative\cmd.exe C:\Windows\sysnative\cmd.exe \c C:\Windows\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography \v MachineGuid
URL: 

(end)

 

Can someone help me and look if it is safe?

Thank you very much and I am looking forwards to your reply.

 

Greetings,

 

Luke

[Porthos]

@xLuckyL

Please do the following so that we may take a closer look at your system.

Please restart the computer and do the following.

WARNING: Do Not click the Repair option under Advanced unless requested by a Malwarebytes support agent or authorized helper

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

• Download the Malwarebytes Support Tool
• In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
• In the User Account Control pop-up window, click Yes to continue the installation
• Run the MBST Support Tool
• In the left navigation pane of the Malwarebytes Support Tool, click Advanced
• In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
• A zip file named mbst-grab-results.zip will be saved to the Public desktop (usually C:\Users\Public\Desktop), please upload that file on your next reply
  
   

Thank you

[xLuckyL]

Alright, let me do that. I will react when I have done this

[xLuckyL]

@Porthosmbst-grab-results.zip

[Porthos]

@xLuckyL

To start, Please turn off the following setting in Malwarebytes. Also, check for updates in the general tab.

 

Next

Turn off fast startup in Windows. Then restart the computer.

https://www.tenforums.com/tutorials/4189-turn-off-fast-startup-windows-10-a.html

[xLuckyL]

Alright. I did what you asked. I turned off the setting in my Malwarebytes and turn off fast startup in Windows followed by a pc restart. What now?

[Porthos]

2 minutes ago, xLuckyL said:

What now?

Now we see  if it happens again. I will also have @Arthi Look at your logs.

[xLuckyL]

Alright cool. Yea I was shocked and confused. I started my PC and this was the first thing I saw. So I just wanted to make sure that it is not anything bad you know. Thank you for your help <3

 

Have a fantastic day!

[Porthos]

You missed updating Malwarebytes.

[Arthi]

Hi,

We are working on fixing a similar issue which comes and goes and is not easily reproducible. I have reached out to the OP via DM. Will hopefully have a test build with the fix very soon. Thanks.

[xLuckyL]

3 minutes ago, Porthos said:

You missed updating Malwarebytes.

Ah my bad, I updated it to 4.6.2.

[ZenYinZero]

I had the same issue. Tried the fix and it works now. Just read the above posts and checked my version number... Yep, missed an update (mine is set to auto-update). Thanks for the help and info :) 

[Arthi]

Hi,

Thank to everyone who reported this issue and worked with us in providing logs, etc. We have now fixed this issue and it is going through internal testing. If everything goes well, we should be releasing the fix in the next 2 weeks or so. Please bear with us. Thank you.

[Porthos]

The beta that was released today has the anti-exploit fix included.

You may get the beta by enabling BETA updates and checking for updates.

This is the version with the fix.

 

[xLuckyL]

I just got another one of those detections randomly.

 

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 9/29/23
Protection Event Time: 4:58 PM
Log File: ac41ff04-5ed8-11ee-8011-d45d645172ee.json

-Software Information-
Version: 4.6.2.281
Components Version: 1.0.2131
Update Package Version: 1.0.75789
License: Premium

-System Information-
OS: Windows 10 (Build 19045.3448)
CPU: x64
File System: NTFS
User: System

-Exploit Details-
File: 0
(No malicious items detected)

Exploit: 1
Exploit.PayloadProcessBlock, C:\Windows\system32\cmd.exe cmd \c query session, Blocked, 701, 392684, 0.0.0, , 

-Exploit Data-
Affected Application: cmd
Protection Layer: Application Behavior Protection
Protection Technique: Exploit payload process blocked
File Name: C:\Windows\system32\cmd.exe cmd \c query session
URL: 

(end)

 

Is this dangerous?

[xLuckyL]

And I will turn on what @Porthos said