New InterceptX Users - need some guidance

Hello - 


We are new Sophos Cloud users and today after installing on a specific computer, we got a message come through about "Safe Browsing detected browser Internet Explorer has been compromised".  I did some searching around and found someone asking for EventID 911 in the Application log of the end user computer.  I did find an entry right at the time that we got the message and it is a HitmanPro.Alert.  The problem is that I do not know enough to read the log to know what triggered it or to determine if this is a false-positive or not.  Can anyone shed any light on the subject, please?

Thanks -

Tom


Intruder

PID 8604
Application C:\Program Files\Internet Explorer\iexplore.exe
Description Internet Explorer 11

Detour Report
# Address Owner Disassembly
-- ------------------ ------------------------ ------------------------
CreateActCtxW
1 0x000000007702A170 kernel32.dll JMP 0x37010180
2 0x0000000037010180 wininet.dll

CreateFileW
1 0x0000000077020D10 kernel32.dll JMP 0x37010148
2 0x0000000037010148 wininet.dll

CreateProcessInternalW
1 0x000000007702DD20 kernel32.dll JMP 0x6fff00d8
2 0x000000006FFF00D8 ATL100.DLL

GetQueuedCompletionStatus
1 0x0000000077019980 kernel32.dll JMP 0x6fff0228
2 0x000000006FFF0228 ATL100.DLL

ReplaceFile
1 0x00000000770A43E0 kernel32.dll JMP 0x370101f0
2 0x00000000370101F0 wininet.dll

CreateWindowExW
1 0x00000000771407BC USER32.dll JMP 0x370101b8
2 0x00000000370101B8 wininet.dll

GetMessageA
1 0x0000000077146100 USER32.dll JMP 0x38d40d55
2 0x0000000038D40D55 wininet.dll

GetMessageW
1 0x0000000077149E74 USER32.dll JMP 0x38d40d14
2 0x0000000038D40D14 wininet.dll

PeekMessageA
1 0x00000000771439C0 USER32.dll JMP 0x38d40cd8
2 0x0000000038D40CD8 wininet.dll

PeekMessageW
1 0x0000000077148FF4 USER32.dll JMP 0x38d40c98
2 0x0000000038D40C98 wininet.dll

KiUserExceptionDispatcher
1 0x000000007727BC8A ntdll.dll JMP 0x38d40d96
2 0x0000000038D40D96 wininet.dll

LdrLoadDll
1 0x0000000077256130 ntdll.dll JMP 0x38d40e18
2 0x0000000038D40E18 wininet.dll

NtAllocateVirtualMemory
1 0x000000007727BEB0 ntdll.dll JMP 0x38d40f56
2 0x0000000038D40F56 wininet.dll

NtClose
1 0x000000007727BE20 ntdll.dll JMP 0x6fff0180
2 0x000000006FFF0180 ATL100.DLL

NtCreateFile
1 0x000000007727C280 ntdll.dll JMP 0x6fff0110
2 0x000000006FFF0110 ATL100.DLL

NtFreeVirtualMemory
1 0x000000007727BF10 ntdll.dll JMP 0x38d40f16
2 0x0000000038D40F16 wininet.dll

NtMapViewOfSection
1 0x000000007727BFB0 ntdll.dll JMP 0x38d40e96
2 0x0000000038D40E96 wininet.dll

NtOpenFile
1 0x000000007727C060 ntdll.dll JMP 0x6fff0148
2 0x000000006FFF0148 ATL100.DLL

NtProtectVirtualMemory
1 0x000000007727C230 ntdll.dll JMP 0x38d40ed6
2 0x0000000038D40ED6 wininet.dll

NtSetInformationFile
1 0x000000007727BFA0 ntdll.dll JMP 0x6fff01b8
2 0x000000006FFF01B8 ATL100.DLL

NtUnmapViewOfSection
1 0x000000007727BFD0 ntdll.dll JMP 0x38d40e56
2 0x0000000038D40E56 wininet.dll

NtWaitForDebugEvent
1 0x000000007727D610 ntdll.dll JMP 0x38d40fd6
2 0x0000000038D40FD6 wininet.dll

RtlInstallFunctionTableCallback
1 0x00000000772322B0 ntdll.dll JMP 0x38d40f95
2 0x0000000038D40F95 wininet.dll

recv
1 0x000007FEF2E91744 WSOCK32.dll JMP 0x7fefe5b0308
2 0x000007FEFE5B0308 (anonymous; svrltmgr.dll)

recvfrom
1 0x000007FEF2E917AC WSOCK32.dll JMP 0x7fefe5b03e8
2 0x000007FEFE5B03E8 (anonymous; svrltmgr.dll)

GetFileVersionInfoSizeW
1 0x000007FEFC3615FC version.DLL JMP 0x7febc3500d8
2 0x000007FEBC3500D8 (anonymous; USER32.dll)

GetFileVersionInfoW
1 0x000007FEFC361614 version.DLL JMP 0x7febc350110
2 0x000007FEBC350110 (anonymous; USER32.dll)

DecryptMessage
1 0x000007FEFCD751F4 SspiCli.dll JMP 0x7fefe5b01f0
2 0x000007FEFE5B01F0 (anonymous; svrltmgr.dll)

EncryptMessage
1 0x000007FEFCD750A0 SspiCli.dll JMP 0x7fefe5b0228
2 0x000007FEFE5B0228 (anonymous; svrltmgr.dll)

closesocket
1 0x000007FEFD3518E0 WS2_32.dll JMP 0x7fefe5b0260
2 0x000007FEFE5B0260 (anonymous; svrltmgr.dll)

connect
1 0x000007FEFD3542F0 WS2_32.dll JMP 0x7fefe5b0378
2 0x000007FEFE5B0378 (anonymous; svrltmgr.dll)

getaddrinfo
1 0x000007FEFD352720 WS2_32.dll JMP 0x7fefe5b0458
2 0x000007FEFE5B0458 (anonymous; svrltmgr.dll)

gethostbyaddr
1 0x000007FEFD3788F0 WS2_32.dll JMP 0x7fefe5b02d0
2 0x000007FEFE5B02D0 (anonymous; svrltmgr.dll)

gethostbyname
1 0x000007FEFD358AC0 WS2_32.dll JMP 0x7fefe5b0298
2 0x000007FEFE5B0298 (anonymous; svrltmgr.dll)

listen
1 0x000007FEFD357F60 WS2_32.dll JMP 0x7fefe5b0420
2 0x000007FEFE5B0420 (anonymous; svrltmgr.dll)

recv
1 0x000007FEFD35D9C0 WS2_32.dll JMP 0x7fefe5b0500
2 0x000007FEFE5B0500 (anonymous; svrltmgr.dll)

send
1 0x000007FEFD357CD0 WS2_32.dll JMP 0x7fefe5b0340
2 0x000007FEFE5B0340 (anonymous; svrltmgr.dll)

sendto
1 0x000007FEFD35DB50 WS2_32.dll JMP 0x7fefe5b03b0
2 0x000007FEFE5B03B0 (anonymous; svrltmgr.dll)

WSAGetOverlappedResult
1 0x000007FEFD3779E0 WS2_32.dll JMP 0x7fefe5b0538
2 0x000007FEFE5B0538 (anonymous; svrltmgr.dll)

WSARecv
1 0x000007FEFD352200 WS2_32.dll JMP 0x7fefe5b05e0
2 0x000007FEFE5B05E0 (anonymous; svrltmgr.dll)

WSARecvFrom
1 0x000007FEFD37E650 WS2_32.dll JMP 0x7fefe5b0618
2 0x000007FEFE5B0618 (anonymous; svrltmgr.dll)

WSASend
1 0x000007FEFD3513B0 WS2_32.dll JMP 0x7fefe5b0570
2 0x000007FEFE5B0570 (anonymous; svrltmgr.dll)

WSASendTo
1 0x000007FEFD35E7F0 WS2_32.dll JMP 0x7fefe5b05a8
2 0x000007FEFE5B05A8 (anonymous; svrltmgr.dll)

WSAStringToAddressA
1 0x000007FEFD379360 WS2_32.dll JMP 0x7fefe5b0490
2 0x000007FEFE5B0490 (anonymous; svrltmgr.dll)

WSAStringToAddressW
1 0x000007FEFD35ACF0 WS2_32.dll JMP 0x7fefe5b04c8
2 0x000007FEFE5B04C8 (anonymous; svrltmgr.dll)

SHExtractIconsW
1 0x000007FEFD6E84C8 shell32.DLL JMP 0x7febc350148
2 0x000007FEBC350148 (anonymous; USER32.dll)

EndDoc
1 0x000007FEFE9A8478 GDI32.dll JMP 0x7fefe5b0148
2 0x000007FEFE5B0148 (anonymous; svrltmgr.dll)

StartDocA
1 0x000007FEFE9A8748 GDI32.dll JMP 0x7fefe5b00d8
2 0x000007FEFE5B00D8 (anonymous; svrltmgr.dll)

StartDocW
1 0x000007FEFE9A890C GDI32.dll JMP 0x7fefe5b0110
2 0x000007FEFE5B0110 (anonymous; svrltmgr.dll)

URLDownloadToFileW
1 0x000007FEFEA25930 urlmon.dll JMP 0x7fef6640f98
2 0x000007FEF6640F98 netprofm.dll

CoCreateInstance
1 0x000007FEFF2A6D10 ole32.dll JMP 0x7fefe5b0180
2 0x000007FEFE5B0180 (anonymous; svrltmgr.dll)

CoCreateInstanceEx
1 0x000007FEFF28D870 ole32.dll JMP 0x7fefe5b01b8
2 0x000007FEFE5B01B8 (anonymous; svrltmgr.dll)

StgOpenStorageEx
1 0x000007FEFF3C7940 ole32.dll JMP 0x7febc350180
2 0x000007FEBC350180 (anonymous; USER32.dll)


Thumbprint
c521d6df731e2b5a75e232b9a971773a982a9853fe3ff85b8515bbad99ca2156
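Added example, not from the post above and not part of Sophos or HitmanPro.Alert: a small Python parser for the Detour Report format shown above. It reads the three-line entries (API name, hop 1 with the JMP operand, hop 2 with the landing address), groups the hooked APIs by the module the JMP lands in, and separates image-backed landings from the ones the report marks "(anonymous; X)". Two assumptions are mine, not documented by the report: that the layout is exactly the one printed above, and that "(anonymous; X)" means the landing address is in memory not backed by a loaded module image, with X the nearest loaded module. The excerpt embedded below is four entries copied from the report above.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Four entries copied from the Detour Report above, with its header rows kept.
REPORT = """\
# Address Owner Disassembly
-- ------------------ ------------------------ ------------------------
CreateActCtxW
1 0x000000007702A170 kernel32.dll JMP 0x37010180
2 0x0000000037010180 wininet.dll

CreateProcessInternalW
1 0x000000007702DD20 kernel32.dll JMP 0x6fff00d8
2 0x000000006FFF00D8 ATL100.DLL

recv
1 0x000007FEF2E91744 WSOCK32.dll JMP 0x7fefe5b0308
2 0x000007FEFE5B0308 (anonymous; svrltmgr.dll)

URLDownloadToFileW
1 0x000007FEFEA25930 urlmon.dll JMP 0x7fef6640f98
2 0x000007FEF6640F98 netprofm.dll
"""

HOP1 = re.compile(r"^1\s+(0x[0-9A-Fa-f]+)\s+(\S+)\s+JMP\s+(0x[0-9A-Fa-f]+)$")
HOP2 = re.compile(r"^2\s+(0x[0-9A-Fa-f]+)\s+(.+)$")
ANON = re.compile(r"^\(anonymous;\s*(.+)\)$")


@dataclass
class Detour:
    api: str
    owner: str          # module exporting the hooked API (hop 1)
    hooked_addr: int    # address of the patched export
    jmp_target: int     # operand of the JMP written into the export
    landing_addr: int   # address recorded for hop 2
    dest: str           # module owning the landing address (or nearest module if anonymous)
    anonymous: bool     # assumption: landing address is not backed by a module image


def parse_report(text: str) -> list[Detour]:
    """Parse the three-line entries; header rows and blank lines are skipped."""
    lines = [ln.strip() for ln in text.splitlines()]
    detours, i = [], 0
    while i < len(lines):
        if not lines[i] or lines[i].startswith(("#", "--")):
            i += 1
            continue
        api = lines[i]
        m1 = HOP1.match(lines[i + 1]) if i + 1 < len(lines) else None
        m2 = HOP2.match(lines[i + 2]) if i + 2 < len(lines) else None
        if not (m1 and m2):
            raise ValueError(f"malformed entry for {api!r} at line {i + 1}")
        dest = m2.group(2)
        anon = ANON.match(dest)
        detours.append(Detour(
            api=api, owner=m1.group(2),
            hooked_addr=int(m1.group(1), 16), jmp_target=int(m1.group(3), 16),
            landing_addr=int(m2.group(1), 16),
            dest=anon.group(1) if anon else dest, anonymous=bool(anon),
        ))
        i += 3
    return detours


def inconsistent_hops(detours: list[Detour]) -> list[str]:
    """APIs whose JMP operand differs from the recorded landing address (sanity check on the report)."""
    return [d.api for d in detours if d.jmp_target != d.landing_addr]


def summarize(detours: list[Detour]) -> dict[tuple[str, bool], list[str]]:
    """Group hooked APIs by (landing module, anonymous flag) so each destination can be checked once."""
    groups = defaultdict(list)
    for d in detours:
        groups[(d.dest, d.anonymous)].append(d.api)
    return {k: sorted(v) for k, v in groups.items()}


def triage_lines(detours: list[Detour]) -> list[str]:
    """One line per landing module; anonymous landings first, since there is no file on disk to verify."""
    out = []
    for (dest, anon), apis in sorted(summarize(detours).items(), key=lambda kv: (not kv[0][1], kv[0][0].lower())):
        kind = "ANONYMOUS memory near" if anon else "image-backed"
        out.append(f"{kind} {dest}: {len(apis)} hook(s): {', '.join(apis)}")
    return out


if __name__ == "__main__":
    parsed = parse_report(REPORT)
    for line in triage_lines(parsed):
        print(line)
    if inconsistent_hops(parsed):
        print("entries with mismatched JMP/landing:", inconsistent_hops(parsed))
```

Run against the full report, the grouping turns roughly seventy lines into a short list of destination modules. For each image-backed destination the next step is to confirm the file on disk (path, publisher signature, whether it belongs to software you installed); the anonymous landings have no such file to check, which is why the script lists them first.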