Hello -
We are new Sophos Cloud users, and today, after installing it on a specific computer, we received the message "Safe Browsing detected browser Internet Explorer has been compromised". I searched around and found someone asking for EventID 911 in the Application log of the end-user computer. I did find an entry at exactly the time we received the message, and it is a HitmanPro.Alert entry. The problem is that I do not know enough about reading this log to tell what triggered the alert, or whether it is a false positive. Can anyone shed some light on this, please?
Thanks -
Tom
Intruder
PID 8604
Application C:\Program Files\Internet Explorer\iexplore.exe
Description Internet Explorer 11
Detour Report
# Address Owner Disassembly
-- ------------------ ------------------------ ------------------------
CreateActCtxW
1 0x000000007702A170 kernel32.dll JMP 0x37010180
2 0x0000000037010180 wininet.dll
CreateFileW
1 0x0000000077020D10 kernel32.dll JMP 0x37010148
2 0x0000000037010148 wininet.dll
CreateProcessInternalW
1 0x000000007702DD20 kernel32.dll JMP 0x6fff00d8
2 0x000000006FFF00D8 ATL100.DLL
GetQueuedCompletionStatus
1 0x0000000077019980 kernel32.dll JMP 0x6fff0228
2 0x000000006FFF0228 ATL100.DLL
ReplaceFile
1 0x00000000770A43E0 kernel32.dll JMP 0x370101f0
2 0x00000000370101F0 wininet.dll
CreateWindowExW
1 0x00000000771407BC USER32.dll JMP 0x370101b8
2 0x00000000370101B8 wininet.dll
GetMessageA
1 0x0000000077146100 USER32.dll JMP 0x38d40d55
2 0x0000000038D40D55 wininet.dll
GetMessageW
1 0x0000000077149E74 USER32.dll JMP 0x38d40d14
2 0x0000000038D40D14 wininet.dll
PeekMessageA
1 0x00000000771439C0 USER32.dll JMP 0x38d40cd8
2 0x0000000038D40CD8 wininet.dll
PeekMessageW
1 0x0000000077148FF4 USER32.dll JMP 0x38d40c98
2 0x0000000038D40C98 wininet.dll
KiUserExceptionDispatcher
1 0x000000007727BC8A ntdll.dll JMP 0x38d40d96
2 0x0000000038D40D96 wininet.dll
LdrLoadDll
1 0x0000000077256130 ntdll.dll JMP 0x38d40e18
2 0x0000000038D40E18 wininet.dll
NtAllocateVirtualMemory
1 0x000000007727BEB0 ntdll.dll JMP 0x38d40f56
2 0x0000000038D40F56 wininet.dll
NtClose
1 0x000000007727BE20 ntdll.dll JMP 0x6fff0180
2 0x000000006FFF0180 ATL100.DLL
NtCreateFile
1 0x000000007727C280 ntdll.dll JMP 0x6fff0110
2 0x000000006FFF0110 ATL100.DLL
NtFreeVirtualMemory
1 0x000000007727BF10 ntdll.dll JMP 0x38d40f16
2 0x0000000038D40F16 wininet.dll
NtMapViewOfSection
1 0x000000007727BFB0 ntdll.dll JMP 0x38d40e96
2 0x0000000038D40E96 wininet.dll
NtOpenFile
1 0x000000007727C060 ntdll.dll JMP 0x6fff0148
2 0x000000006FFF0148 ATL100.DLL
NtProtectVirtualMemory
1 0x000000007727C230 ntdll.dll JMP 0x38d40ed6
2 0x0000000038D40ED6 wininet.dll
NtSetInformationFile
1 0x000000007727BFA0 ntdll.dll JMP 0x6fff01b8
2 0x000000006FFF01B8 ATL100.DLL
NtUnmapViewOfSection
1 0x000000007727BFD0 ntdll.dll JMP 0x38d40e56
2 0x0000000038D40E56 wininet.dll
NtWaitForDebugEvent
1 0x000000007727D610 ntdll.dll JMP 0x38d40fd6
2 0x0000000038D40FD6 wininet.dll
RtlInstallFunctionTableCallback
1 0x00000000772322B0 ntdll.dll JMP 0x38d40f95
2 0x0000000038D40F95 wininet.dll
recv
1 0x000007FEF2E91744 WSOCK32.dll JMP 0x7fefe5b0308
2 0x000007FEFE5B0308 (anonymous; svrltmgr.dll)
recvfrom
1 0x000007FEF2E917AC WSOCK32.dll JMP 0x7fefe5b03e8
2 0x000007FEFE5B03E8 (anonymous; svrltmgr.dll)
GetFileVersionInfoSizeW
1 0x000007FEFC3615FC version.DLL JMP 0x7febc3500d8
2 0x000007FEBC3500D8 (anonymous; USER32.dll)
GetFileVersionInfoW
1 0x000007FEFC361614 version.DLL JMP 0x7febc350110
2 0x000007FEBC350110 (anonymous; USER32.dll)
DecryptMessage
1 0x000007FEFCD751F4 SspiCli.dll JMP 0x7fefe5b01f0
2 0x000007FEFE5B01F0 (anonymous; svrltmgr.dll)
EncryptMessage
1 0x000007FEFCD750A0 SspiCli.dll JMP 0x7fefe5b0228
2 0x000007FEFE5B0228 (anonymous; svrltmgr.dll)
closesocket
1 0x000007FEFD3518E0 WS2_32.dll JMP 0x7fefe5b0260
2 0x000007FEFE5B0260 (anonymous; svrltmgr.dll)
connect
1 0x000007FEFD3542F0 WS2_32.dll JMP 0x7fefe5b0378
2 0x000007FEFE5B0378 (anonymous; svrltmgr.dll)
getaddrinfo
1 0x000007FEFD352720 WS2_32.dll JMP 0x7fefe5b0458
2 0x000007FEFE5B0458 (anonymous; svrltmgr.dll)
gethostbyaddr
1 0x000007FEFD3788F0 WS2_32.dll JMP 0x7fefe5b02d0
2 0x000007FEFE5B02D0 (anonymous; svrltmgr.dll)
gethostbyname
1 0x000007FEFD358AC0 WS2_32.dll JMP 0x7fefe5b0298
2 0x000007FEFE5B0298 (anonymous; svrltmgr.dll)
listen
1 0x000007FEFD357F60 WS2_32.dll JMP 0x7fefe5b0420
2 0x000007FEFE5B0420 (anonymous; svrltmgr.dll)
recv
1 0x000007FEFD35D9C0 WS2_32.dll JMP 0x7fefe5b0500
2 0x000007FEFE5B0500 (anonymous; svrltmgr.dll)
send
1 0x000007FEFD357CD0 WS2_32.dll JMP 0x7fefe5b0340
2 0x000007FEFE5B0340 (anonymous; svrltmgr.dll)
sendto
1 0x000007FEFD35DB50 WS2_32.dll JMP 0x7fefe5b03b0
2 0x000007FEFE5B03B0 (anonymous; svrltmgr.dll)
WSAGetOverlappedResult
1 0x000007FEFD3779E0 WS2_32.dll JMP 0x7fefe5b0538
2 0x000007FEFE5B0538 (anonymous; svrltmgr.dll)
WSARecv
1 0x000007FEFD352200 WS2_32.dll JMP 0x7fefe5b05e0
2 0x000007FEFE5B05E0 (anonymous; svrltmgr.dll)
WSARecvFrom
1 0x000007FEFD37E650 WS2_32.dll JMP 0x7fefe5b0618
2 0x000007FEFE5B0618 (anonymous; svrltmgr.dll)
WSASend
1 0x000007FEFD3513B0 WS2_32.dll JMP 0x7fefe5b0570
2 0x000007FEFE5B0570 (anonymous; svrltmgr.dll)
WSASendTo
1 0x000007FEFD35E7F0 WS2_32.dll JMP 0x7fefe5b05a8
2 0x000007FEFE5B05A8 (anonymous; svrltmgr.dll)
WSAStringToAddressA
1 0x000007FEFD379360 WS2_32.dll JMP 0x7fefe5b0490
2 0x000007FEFE5B0490 (anonymous; svrltmgr.dll)
WSAStringToAddressW
1 0x000007FEFD35ACF0 WS2_32.dll JMP 0x7fefe5b04c8
2 0x000007FEFE5B04C8 (anonymous; svrltmgr.dll)
SHExtractIconsW
1 0x000007FEFD6E84C8 shell32.DLL JMP 0x7febc350148
2 0x000007FEBC350148 (anonymous; USER32.dll)
EndDoc
1 0x000007FEFE9A8478 GDI32.dll JMP 0x7fefe5b0148
2 0x000007FEFE5B0148 (anonymous; svrltmgr.dll)
StartDocA
1 0x000007FEFE9A8748 GDI32.dll JMP 0x7fefe5b00d8
2 0x000007FEFE5B00D8 (anonymous; svrltmgr.dll)
StartDocW
1 0x000007FEFE9A890C GDI32.dll JMP 0x7fefe5b0110
2 0x000007FEFE5B0110 (anonymous; svrltmgr.dll)
URLDownloadToFileW
1 0x000007FEFEA25930 urlmon.dll JMP 0x7fef6640f98
2 0x000007FEF6640F98 netprofm.dll
CoCreateInstance
1 0x000007FEFF2A6D10 ole32.dll JMP 0x7fefe5b0180
2 0x000007FEFE5B0180 (anonymous; svrltmgr.dll)
CoCreateInstanceEx
1 0x000007FEFF28D870 ole32.dll JMP 0x7fefe5b01b8
2 0x000007FEFE5B01B8 (anonymous; svrltmgr.dll)
StgOpenStorageEx
1 0x000007FEFF3C7940 ole32.dll JMP 0x7febc350180
2 0x000007FEBC350180 (anonymous; USER32.dll)
Thumbprint
c521d6df731e2b5a75e232b9a971773a982a9853fe3ff85b8515bbad99ca2156