HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,857
    Location:
    the Netherlands
    Hi Page42,
    As mentioned earlier, if you also provide the thumbprint, Erik can whitelist it.
    Although there may be something going on that needs investigating, seeing all the reported IAF alerts.
    (You can copy alert details, including thumbprint, from Event Viewer.)
     
  2. LW19

    LW19 Registered Member

    Joined:
    Sep 19, 2016
    Posts:
    8
    Location:
    Germany
    Please help! Various Office programs on XP or Win7 x64 come with "false positives".

    This is a sample event log; there are many more!!!

    Thank you!!!

    Type: Error
    Source: HitmanPro.Alert
    Event ID: 911
    Event time: 09.03.2017 15:43:40
    User: n/a
    Computer: PCVH045.MVB.dom
    Description:
    Mitigation IAF
    Platform 6.1.7601/x64 v586 06_3c
    PID 5256
    Application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    Description Microsoft Word 14
    Violation 6CB55753 is calling mscss7cm_GE.dub IAT funcptr kernel32.dll!GetProcAddress
    Stack Trace
    #  Address  Module                   Location
    -- -------- ------------------------ ----------------------------------------
    1  6CB55753 MSMAPI32.DLL             MAPISendMail +0x20
                ff158c10b56c             CALL         DWORD [0x6cb5108c]
                a39494b56c               MOV          [0x6cb59494], EAX
                c7059894b56c01000000     MOV          DWORD [0x6cb59498], 0x1
                833d9494b56c00           CMP          DWORD [0x6cb59494], 0x0
                7410                     JZ           0x6cb55781
                e8cfbcffff               CALL         0x6cb51445
                85c0                     TEST         EAX, EAX
                7407                     JZ           0x6cb55781
                5d                       POP          EBP
                ff259494b56c             JMP          DWORD [0x6cb59494]

    2  624E97BB mapi32.dll               MAPILogoff +0x10f
    3  624E994E mapi32.dll               MAPISendMail +0x93
    4  649177B6 WWLIB.DLL
    5  64926461 WWLIB.DLL
    6  64926635 WWLIB.DLL
    7  7615336A kernel32.dll             BaseThreadInitThunk +0x12
    8  775F9902 ntdll.dll                RtlInitializeExceptionChain +0x63
    9  775F98D5 ntdll.dll                RtlInitializeExceptionChain +0x36
    Process Trace
    1 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE [5256]
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Bigalke\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\ZUVBV5R3\Triebwagen_Aktuell_0317.doc"
    2 C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE [4484]
    "C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" /NoPreview
    3 C:\Windows\explorer.exe [2920]
    4 C:\Windows\System32\userinit.exe [3084]
    5 C:\Windows\System32\winlogon.exe [720]
    winlogon.exe
    Thumbprint
    09f3f5c9c22ced6f3184fc01f3ea73e30c4efd058785c0d5e5e68b34c0c5676f
     
  3. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
     
  4. hamo

    hamo Registered Member

    Joined:
    Jul 11, 2016
    Posts:
    67
    Location:
    Egypt
    How to add right-click scan?
     

  5. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    Install HMP.

    Right Click Menu.PNG
     
  6. hamo

    hamo Registered Member

    Joined:
    Jul 11, 2016
    Posts:
    67
    Location:
    Egypt
    Install HMP over HMPA ?
    I think HMPA included HMP. Am I right?
     
  7. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    I have both installed on my machines.
     

  8. Socio

    Socio Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    362
    I agree. Incompatibilities, particularly with common programs, can be annoying, but dealing with them and reporting them only serves to make HMPA a better program, not for the developer but for us, the users.
     
  9. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,857
    Location:
    the Netherlands
    HMPA includes the HMP scan option, but not the HMP context menu scan item.
    To get the HMP context menu scan item, install the HMP application.
    The HMP license is included in the HMPA license.
     
  10. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    To be clear you have to download and install HitmanPro separately. Then you will have the option to scan in the right click menu.
     
  11. hamo

    hamo Registered Member

    Joined:
    Jul 11, 2016
    Posts:
    67
    Location:
    Egypt

    Thank you, done and I have scan in the right click menu now. thanks again.
     
  12. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,470
    Location:
    Hollow Earth - Telos
    Can people here on Wilders get a free license of HMPA?
     
  13. daman1

    daman1 Registered Member

    Joined:
    Mar 27, 2009
    Posts:
    1,292
    Location:
    USA, MICHIGAN
    Yes, beta testers can receive one. PM Erik.
     
  14. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,470
    Location:
    Hollow Earth - Telos
    I don't beta test HMPA, but Erik gave me a commercial license the last 2 years anyway. I did PM Erik for another year because I have about a week left of the license, but he has not sent me a message yet after 3 weeks.
     
  15. daman1

    daman1 Registered Member

    Joined:
    Mar 27, 2009
    Posts:
    1,292
    Location:
    USA, MICHIGAN
    Maybe try again? I had no problem getting my last one; he was wonderful about it.
     
  16. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    FYI, I did today send email to support with the thumbprints for the multiple IAF alerts for both Outlook.exe & MailwasherPro.exe.
    I also sent thumbprint for when HMP scan flagged HMP.A's excalibur.db-shm as suspicious.
     
  17. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,857
    Location:
    the Netherlands
    Great, thanks. I hope it helps Erik and Mark/ SurfRight/ Sophos in the investigation regarding the series of reported IAF alerts and more.
     
  18. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    576
    Thanks for the tip, SM. Here is the full text of the Event, including the thumbprint:

    Code:
    Mitigation   IAF
    
    Platform     6.1.7601/x64 v586 06_3a
    PID          3524
    Application  C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Description  Internet Explorer 11
    
    Violation    6B1778DB is calling Srtsp32.dll IAT funcptr kernel32.dll!GetModuleHandleW
    
    
    Stack Trace
    #  Address  Module                   Location
    -- -------- ------------------------ ----------------------------------------
    1  6B1778DB mshtmlmedia.dll        
                e87c3f0200               CALL         0x6b19b85c
                8bf0                     MOV          ESI, EAX
                85f6                     TEST         ESI, ESI
                7510                     JNZ          0x6b1778f6
                6824e60a6b               PUSH         DWORD 0x6b0ae624
                e86c3f0200               CALL         0x6b19b85c
                8bf0                     MOV          ESI, EAX
                85f6                     TEST         ESI, ESI
                7428                     JZ           0x6b17791e
                6840e60a6b               PUSH         DWORD 0x6b0ae640
                56                       PUSH         ESI
                e8673f0200               CALL         0x6b19b868
                a3203c1a6b               MOV          [0x6b1a3c20], EAX
                85c0                     TEST         EAX, EAX
                7414                     JZ           0x6b17791e
                6858e60a6b               PUSH         DWORD 0x6b0ae658
    
    2  6B19B68C mshtmlmedia.dll        
    3  6B0B49C8 mshtmlmedia.dll        
    4  0E6FD3EE mshtml.dll            
    5  6B0D6385 mshtmlmedia.dll        
    6  6B0D2BF7 mshtmlmedia.dll        
    7  6B0D2B60 mshtmlmedia.dll        
    8  6B0D2424 mshtmlmedia.dll        
    9  6B0D506E mshtmlmedia.dll        
    10 6B0CBB9D mshtmlmedia.dll        
    
    Thumbprint
    b28517622bce6c50bc85fc9830dd540cd31e39f256f8e112bdcc6c9d4400f19e
     
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
  20. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    Just adding mine here because they might help diagnose existing problems:

    Mitigation IAF

    Platform 10.0.14393/x64 v586 06_3d
    PID 13040
    Application C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    Description Microsoft Word 16

    Violation 73F25836 is calling msconv97.dll IAT funcptr kernel32.dll!GetProcAddress


    Stack Trace
    #  Address  Module                   Location
    -- -------- ------------------------ ----------------------------------------
    1  73F25836 WPFT632.CNV
                ff1550b0f273             CALL         DWORD [0x73f2b050]
                8bf0                     MOV          ESI, EAX
                85f6                     TEST         ESI, ESI
                754e                     JNZ          0x73f25890
                ff155cb0f273             CALL         DWORD [0x73f2b05c]
                8b35746ff373             MOV          ESI, [0x73f36f74]
                8945f0                   MOV          [EBP-0x10], EAX
                85f6                     TEST         ESI, ESI
                7416                     JZ           0x73f2586b
                8d45d0                   LEA          EAX, [EBP-0x30]
                8bce                     MOV          ECX, ESI
                50                       PUSH         EAX
                6a04                     PUSH         0x4
                ff150cb1f273             CALL         DWORD [0x73f2b10c]
                ffd6                     CALL         ESI
                8bf0                     MOV          ESI, EAX

    2  73F2458B WPFT632.CNV
    3  73F014C0 WPFT632.CNV              GetReadNames +0x1a
    4  5C9A0355 WWLIB.DLL
    5  5CC81AED WWLIB.DLL
    6  5CC81F9C WWLIB.DLL
    7  5CC820A7 WWLIB.DLL
    8  5C99FDCB WWLIB.DLL
    9  5C45F2C8 WWLIB.DLL
    10 5C93A87E WWLIB.DLL

    Process Trace
    1 C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE [13040]
    "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "E:\Important Files\mother tongue outline.docx" /o ""
    2 C:\Windows\explorer.exe [4728]
    C:\WINDOWS\explorer.exe /factory,{ceff45ee-c862-41de-aee2-a022c81eda92} -Embedding
    3 C:\Windows\System32\svchost.exe [656]
    C:\WINDOWS\system32\svchost.exe -k DcomLaunch

    Thumbprint
    3095c205fde52bd30a7920ba1c79a88296d965acc3a5926a39d64c6de89b5551

    Mitigation ROP

    Platform 10.0.14393/x64 v586 06_3d
    PID 18368
    Application C:\Program Files\DAUM\PotPlayer\PotPlayerMini64.exe
    Description PotPlayer 0.0

    Callee Type LoadLibrary

    Stack Trace
    #  Address          Module                   Location
    -- ---------------- ------------------------ ----------------------------------------
    1  00007FF83F75CD7F KernelBase.dll           LoadLibraryExW +0x16f
    2  00007FF83F78606A KernelBase.dll           UnhandledExceptionFilter +0x21a
    3  00007FF842E4ED1B ntdll.dll
    4  00007FF842E36BD6 ntdll.dll                __C_specific_handler +0x96
    5  00007FF842E4AB9D ntdll.dll                __chkstk +0x11d
    6  00007FF842DE9913 ntdll.dll
    7  00007FF842E49CBA ntdll.dll                KiUserExceptionDispatcher +0x3a

    8  00007FF823971C9A igd10iumd64.dll
                        488b4178                 MOV          RAX, [RCX+0x78]
                        3b11                     CMP          EDX, [RCX]
                        7505                     JNZ          0x7ff823971ca7
                        488b4110                 MOV          RAX, [RCX+0x10]
                        c3                       RET

    9  00007FFFFE5BBC35 igd11dxva64.dll
    10 00007FFFFE589B0E igd11dxva64.dll

    Process Trace
    1 C:\Program Files\DAUM\PotPlayer\PotPlayerMini64.exe [18368]
    "C:\Program Files\DAUM\PotPlayer\PotPlayerMini64.exe" "E:\IDM\Video\TW5-16.mp4"
    2 C:\Program Files\DAUM\PotPlayer\DTDrop64.exe [10712]
    "C:\Program Files\DAUM\PotPlayer\DTDrop64.exe" -Embedding
    3 C:\Windows\System32\svchost.exe [656]
    C:\WINDOWS\system32\svchost.exe -k DcomLaunch

    Thumbprint
    54f56f4de02c0dc81e6474b942a3772e51fba2bec4b2f83cb5292ced061b7c79

    These happened a few weeks ago. What I further noticed was that these were just one-time events. Launching PotPlayer and MS Office Word again didn't generate another HMP.A alert. So far, I haven't got another alert similar to these. :)
     
  21. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
  22. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
    Interesting question about the atombombing technique.

    According to the Threatpost article: “AtomBombing makes use of Windows’ atom tables and the native API NtQueueApcThread to copy a payload into a read-write memory space in the target process,” according to the report authors. “It then uses NtSetContextThread to invoke a simple return-oriented programming chain that allocates read/write/execute memory, copies the payload into it and executes it. Finally, it restores the original context of the hijacked thread.”

    I see that HMPA has a Code Mitigation for Control-Flow Integrity (stops ROP attacks). But maybe we should wait for a confirmation from the devs ...
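    As an added example (not part of Tinstaafl's post, and neither HitmanPro.Alert code nor code from the Threatpost/enSilo report), here is what the quoted sequence looks like to a sensor that logs API calls per process. The detector flags a process that writes to the global atom table, then queues an APC to a thread of a different process, then calls NtSetContextThread on that same thread, in that order; a process doing any of this to its own threads is ignored, because that is ordinary APC use. The trace format (one `Call` per API invocation, carrying the caller's pid and, for thread calls, the target pid and tid) and the atom-table write names (GlobalAddAtomA/W, NtAddAtom) are assumptions of mine; the quote only says "atom tables". The sample trace is constructed.

```python
"""Detect the AtomBombing call sequence in a per-process API trace: a process
writes to the global atom table, queues an APC to a thread of *another*
process, then rewrites that thread's context.  Added example for this thread,
not HitmanPro.Alert or enSilo code; the trace format is constructed here."""
from typing import Dict, List, NamedTuple, Optional, Tuple


class Call(NamedTuple):
    seq: int                          # position in the trace (ordering matters)
    pid: int                          # process making the call
    api: str
    target_pid: Optional[int] = None  # set only for calls aimed at a thread
    target_tid: Optional[int] = None


# Assumed names for "write a payload into the atom table" (not from the quote).
ATOM_WRITES = {"GlobalAddAtomA", "GlobalAddAtomW", "NtAddAtom"}


def find_atombombing(trace: List[Call]) -> List[dict]:
    """One finding per (source pid, target thread) that shows, in order,
    atom write -> NtQueueApcThread -> NtSetContextThread.  Calls a process
    makes on its own threads are ignored: that is ordinary APC use."""
    last_atom_write: Dict[int, int] = {}                       # pid -> seq of its latest atom write
    pending: Dict[Tuple[int, int], Tuple[int, int, int]] = {}  # (src, tid) -> (atom seq, apc seq, target pid)
    findings = []
    for c in sorted(trace, key=lambda c: c.seq):
        cross = c.target_pid not in (None, c.pid)              # aimed at another process?
        if c.api in ATOM_WRITES:
            last_atom_write[c.pid] = c.seq
        elif c.api == "NtQueueApcThread" and cross and c.pid in last_atom_write:
            pending[(c.pid, c.target_tid)] = (last_atom_write[c.pid], c.seq, c.target_pid)
        elif c.api == "NtSetContextThread" and cross and (c.pid, c.target_tid) in pending:
            atom_seq, apc_seq, tpid = pending.pop((c.pid, c.target_tid))
            findings.append({"source_pid": c.pid, "target_pid": tpid,
                             "target_tid": c.target_tid, "steps": (atom_seq, apc_seq, c.seq)})
    return findings


# Constructed trace: pid 4242 injects into pid 5256 (thread 7001); pid 100 and
# pid 300 produce look-alike calls that must not be flagged.
SAMPLE_TRACE = [
    Call(1, 100, "NtQueueApcThread", target_pid=100, target_tid=1500),     # own thread: ordinary APC use
    Call(2, 4242, "GlobalAddAtomW"),                                        # payload into the atom table
    Call(3, 300, "NtSetContextThread", target_pid=301, target_tid=9000),    # no APC first: not the pattern
    Call(4, 4242, "NtQueueApcThread", target_pid=5256, target_tid=7001),    # APC into the target process
    Call(5, 4242, "NtSetContextThread", target_pid=5256, target_tid=7001),  # hijack that same thread
]

if __name__ == "__main__":
    for hit in find_atombombing(SAMPLE_TRACE):
        print(hit)
```

    The order check is the point: the same three calls with the context write before the APC do not match, and a debugger that only rewrites a thread context never matches on its own. Whether HMPA's own mitigations cover this is the question Tinstaafl left to the developers; this block only shows what a behavioural sensor would have to correlate.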
     
  23. maniac2003

    maniac2003 Registered Member

    Joined:
    Apr 12, 2007
    Posts:
    120
    Location:
    Netherlands
    @erikloman
    Just got an update of Foxit Reader to 8.2.1, and at the end of the update I got the Lockdown mitigation below.
    It seems the update went fine.

    Code:
    Mitigation   Lockdown
    
    Platform     10.0.14393/x64 v586 06_5e
    PID          17192
    Application  C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\unins000.exe
    Description  Setup/Uninstall
    
    Filename     C:\Users\Richard\AppData\Local\Temp\_iu14D2N.tmp
    Created By   C:\Program Files (x86)\FOXIT SOFTWARE\FOXIT READER\unins000.exe
    
    Command line:
    "C:\Users\Richard\AppData\Local\Temp\_iu14D2N.tmp" /SECONDPHASE="C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\unins000.exe" /FIRSTPHASEWND=$20032E /verysilent /norestart
    
    Process Trace
    1  C:\Program Files (x86)\FOXIT SOFTWARE\FOXIT READER\unins000.exe [17192]
    "C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\unins000.exe" /verysilent /norestart
    2  C:\Users\Richard\AppData\Local\Temp\is-1MC0D.tmp\Foxit Reader Setup.tmp [9720]
    "C:\Users\Richard\AppData\Local\Temp\is-1MC0D.tmp\Foxit Reader Setup.tmp" /SL5="$150574,53919852,421376,C:\Users\Richard\AppData\Local\Temp\foxB59F.tmp\Foxit Reader Setup.exe" /Appid="Foxit Reader" /Dir="C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\"
    3  C:\Users\Richard\AppData\Local\Temp\foxB59F.tmp\Foxit Reader Setup.exe [16880]
    "C:\Users\Richard\AppData\Local\Temp\foxB59F.tmp\Foxit Reader Setup.exe"  /Appid="Foxit Reader" /Dir="C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\" /Lang=en /verysilent TYPE=updater
    4  C:\Users\Richard\AppData\Roaming\Foxit Software\Addon\Foxit Reader\FoxitReaderUpdater.exe [13308]
    "C:\Users\Richard\AppData\Roaming\Foxit Software\Addon\Foxit Reader\FoxitReaderUpdater.exe"  -updater -type "Auto Updater" -hwnd 394556 -readerpath "C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\" -regpath "HKEY_CURRENT_USER\Software\Foxit Software\Fo
    5  C:\Program Files (x86)\FOXIT SOFTWARE\FOXIT READER\FoxitReader.exe [17776]
    "C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FOXITREADER.EXE" "C:\Users\Richard\Desktop\NKON _ Printen bestelling # 200006956.pdf"
    6  C:\Windows\explorer.exe [12784]
    7  C:\Windows\System32\userinit.exe [15728]
    8  C:\Windows\System32\winlogon.exe [12872]
    C:\WINDOWS\System32\WinLogon.exe -SpecialSession
    9  C:\Windows\System32\smss.exe [5400]
    \SystemRoot\System32\smss.exe 0000011c 0000007c C:\WINDOWS\System32\WinLogon.exe -SpecialSession
    10 C:\Windows\System32\smss.exe [424]
    \SystemRoot\System32\smss.exe
    11  [4]
    
    Thumbprint
    994106a36ad60d103eba85d951cdab93d2860980451037b9e7057402042d92ab
     
  24. guest

    guest Guest

    You'll see "Mitigation Lockdown" for protected applications that want to execute dropped executables. The next time Foxit Reader updates, you'll get another alert.

    This can also be seen here: #12864
    The protected browser Opera downloads an installer, executes it, and some time later the user gets a "Mitigation Lockdown".
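    Every alert pasted in this thread (LW19's Word/MAPI IAF alert, JEAM's Internet Explorer one, XhenEd's Word and PotPlayer alerts, maniac2003's Foxit Lockdown alert) has the same layout, and what support needs from each is the thumbprint plus a clear statement of what was flagged. The parser below is an added example written for this thread, not SurfRight/Sophos code: it reads the alert text as copied from Event Viewer, pulls out the header fields, the stack frames (skipping the disassembly lines printed under a frame), the process trace and the thumbprint, and turns each alert into one summary line. For IAF that is which module called which API through which module's import table; for ROP the callee type; for Lockdown, following guest's description above, whether the file the protected application ran was one it created itself. The three sample alerts at the bottom are abridged copies of alerts from this thread; the section and field names come from the posts, the summary wording is mine.

```python
"""Parse HitmanPro.Alert event text (as copied from Event Viewer) and give each
alert a one-line triage summary next to its thumbprint.  Added example for this
thread, not SurfRight/Sophos code; it expects the layout seen in the posts:
header lines, then 'Stack Trace', 'Process Trace' and 'Thumbprint' sections."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

HEADER_RE = re.compile(r"^(Mitigation|Platform|PID|Application|Description|Violation"
                       r"|Callee Type|Filename|Created By)\s+(\S.*?)\s*$")
# Frame: decimal index, 8- or 16-digit address, module (has a dot), optional
# symbol.  Disassembly lines under a frame never match (no decimal index first).
FRAME_RE = re.compile(r"^(\d+)\s+([0-9A-Fa-f]{8}|[0-9A-Fa-f]{16})\s+(\S+\.\S+)\s*(.*?)\s*$")
PROC_RE = re.compile(r"^(\d+)\s+(.*?)\s*\[(\d+)\]$")   # "3 C:\Windows\explorer.exe [2920]"
IAF_RE = re.compile(r"^([0-9A-Fa-f]+) is calling (\S+) IAT funcptr (\S+)!(\S+)$")
THUMB_RE = re.compile(r"^[0-9a-f]{64}$")


@dataclass
class Alert:
    fields: Dict[str, str] = field(default_factory=dict)
    frames: List[Tuple[int, int, str, str]] = field(default_factory=list)  # idx, addr, module, symbol
    processes: List[Tuple[int, str]] = field(default_factory=list)         # (pid, path), child first
    thumbprint: Optional[str] = None

    @property
    def caller(self) -> str:
        """Module owning the topmost frame, i.e. where the flagged call came from."""
        return self.frames[0][2] if self.frames else "?"


def parse_alert(text: str) -> Alert:
    alert, section = Alert(), "header"
    for line in (l.strip() for l in text.splitlines()):
        if line in ("Stack Trace", "Process Trace", "Thumbprint"):
            section = line
        elif section == "header" and (m := HEADER_RE.match(line)):
            alert.fields[m.group(1)] = m.group(2)
        elif section == "Stack Trace" and (m := FRAME_RE.match(line)):
            alert.frames.append((int(m.group(1)), int(m.group(2), 16), m.group(3), m.group(4)))
        elif section == "Process Trace" and (m := PROC_RE.match(line)):
            alert.processes.append((int(m.group(3)), m.group(2)))
        elif section == "Thumbprint" and THUMB_RE.match(line):
            alert.thumbprint = line
    return alert


def describe(alert: Alert) -> str:
    """One-line triage summary: which module did what, through which module."""
    f, kind = alert.fields, alert.fields.get("Mitigation")
    if kind == "IAF" and (m := IAF_RE.match(f.get("Violation", ""))):
        addr, iat_owner, dll, func = m.groups()
        # Name the module whose import table was read; in every IAF alert in
        # this thread it differs from the module that owns the calling address.
        via = "its own" if iat_owner.lower() == alert.caller.lower() else "another module's"
        return (f"IAF: code at 0x{addr} in {alert.caller} reached {dll}!{func} "
                f"through {via} IAT ({iat_owner})")
    if kind == "ROP":
        return f"ROP: {f.get('Callee Type', '?')} reached from {alert.caller}"
    if kind == "Lockdown":
        app, child = f.get("Application", ""), f.get("Filename", "?")
        name = app.rsplit("\\", 1)[-1]
        dropped = f.get("Created By", "").lower() == app.lower()  # the app wrote the file it ran
        return f"Lockdown: {name} ran {child}" + (" which it dropped itself" if dropped else "")
    return f"{kind}: no summary rule for this mitigation"


# Sample input: three alerts abridged from the posts in this thread.
IAF_SAMPLE = r"""Mitigation IAF
Application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
Violation 6CB55753 is calling mscss7cm_GE.dub IAT funcptr kernel32.dll!GetProcAddress
Stack Trace
1 6CB55753 MSMAPI32.DLL MAPISendMail +0x20
ff158c10b56c CALL DWORD [0x6cb5108c]
2 624E97BB mapi32.dll MAPILogoff +0x10f
Process Trace
1 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE [5256]
2 C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE [4484]
Thumbprint
09f3f5c9c22ced6f3184fc01f3ea73e30c4efd058785c0d5e5e68b34c0c5676f
"""
ROP_SAMPLE = r"""Mitigation ROP
Application C:\Program Files\DAUM\PotPlayer\PotPlayerMini64.exe
Callee Type LoadLibrary
Stack Trace
1 00007FF83F75CD7F KernelBase.dll LoadLibraryExW +0x16f
Thumbprint
54f56f4de02c0dc81e6474b942a3772e51fba2bec4b2f83cb5292ced061b7c79
"""
LOCKDOWN_SAMPLE = r"""Mitigation Lockdown
Application C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\unins000.exe
Filename C:\Users\Richard\AppData\Local\Temp\_iu14D2N.tmp
Created By C:\Program Files (x86)\FOXIT SOFTWARE\FOXIT READER\unins000.exe
Process Trace
1 C:\Program Files (x86)\FOXIT SOFTWARE\FOXIT READER\unins000.exe [17192]
11  [4]
Thumbprint
994106a36ad60d103eba85d951cdab93d2860980451037b9e7057402042d92ab
"""

if __name__ == "__main__":
    for a in map(parse_alert, (IAF_SAMPLE, ROP_SAMPLE, LOCKDOWN_SAMPLE)):
        print(f"{describe(a)}\n    thumbprint {a.thumbprint}")
```

    To use it on your own alerts, paste the body of the Event Viewer entry (source HitmanPro.Alert, event ID 911 in LW19's post) into a string and pass it to `parse_alert`; the thumbprint and the summary line together are what the whitelisting request above asks for.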
     
  25. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    Stack pivot is triggered in MBAE
    Image 1.jpg
    so I assume (at least) that the same applies to Alert...

    C'mon, *Loman, a quick reply would be appreciated :D
     