HitmanPro.Alert BETA

Discussion in 'other anti-malware software' started by erikloman, May 30, 2017.

  1. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,295
    No problems upgrading HitmanPro.Alert 3.20.2 Build 2017 RC1.
     
  2. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,295
    Mitigation CookieGuard.
     

  3. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    714
    Location:
    Planet Earth
    We leave that up to the user to suppress if you wish to allow Norton access to your (auth)cookies and passwords.
     
  4. moredhelfinland

    moredhelfinland Registered Member

    Joined:
    Mar 31, 2009
    Posts:
    410
    Location:
    Finland
    Ronny, please fix my favorite MP3 player, Resonic (Resonic.at, where you can download it). It's legit software. I reported it to Sophos many times, but with Sophos Home and its latest version of HMPA it still blocks it with "Attack Intercepted".
    Kinda crazy that this is still not fixed. Sure, I can whitelist it...
     
  5. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    714
    Location:
    Planet Earth
    What's the name of the offending exe? Or can you post the alert details so I can have a look?
     
  6. moredhelfinland

    moredhelfinland Registered Member

    Joined:
    Mar 31, 2009
    Posts:
    410
    Location:
    Finland
    @RonnyT
    Resonic.at, download the free version, install it and run it... because Sophos Home does not use the latest version of the HMPA component, we Sophos Home users will get these ROP blocks... a lot.
     
  7. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    714
    Location:
    Planet Earth
    If I had unlimited time that would be an option. I can find it way faster if you provide me with the executable name or the ROP alert details from the Event Log, so if you don't mind, could you share one or both?
     
  8. erakura

    erakura Registered Member

    Joined:
    Dec 29, 2024
    Posts:
    1
    Location:
    The Internet
    On a whim I decided to try it. HMPA does indeed mitigate. I'm using HMPA standalone with Bitdefender, with the current release 3.8.26 b983.
    I intended to attach the log as a txt file, but I couldn't find the attach option anywhere; I hope it's OK.
    EDIT: I also just realized that this is the Beta thread! Apologies.
    Code:
    Mitigation   HeapHeapProtect
    Timestamp    2024-12-30T03:27:29
    
    Platform     10.0.26100/x64 v983 af_61
    PID          11492
    WoW          x86
    Feature      00FD2E7000000026
    Application  C:\Program Files (x86)\Liqube\Resonic Player Beta\Resonic.exe
    Created      2024-12-30T03:27:24
    Description  Resonic Player Beta 0.9.3
    
    Callee Type  AllocateVirtualMemory
    
    Shellcode (HHA) (0x00008000 bytes)
    Owner of CALLER: (anonymous; allocated by 0159AD3F, Resonic.exe)
    
    OwnerModule
    Name         Resonic.exe
    Path         C:\Program Files (x86)\Liqube\Resonic Player Beta\Resonic.exe
    Thumbprint   ff675957bb64461b7c0a7be5be814979c4c9f5739cc8b552b0e88b628d6c7c1b
    SHA-256      f40dac7393dc8fe568437feae8fabc5fdf7b8e5f145425301bcbfb64de9292b4
    SHA-1        9dc4d0af7a748e8caff73610faaa67e310831a68
    MD5          ff437e7c22766d3519ad88be7c5d23cc
    
    01813AC3  ff93f8020000             CALL         DWORD [EBX+0x2f8]
    01813AC9  eb03                     JMP          0x1813ace
    01813ACB  eaf62585c07303           JMP FAR      0x373:0xc08525f6
    01813AD2  a955410f84               TEST         EAX, 0x840f4155
    01813AD7  c3                       RET       
    01813AD8  0c00                     OR           AL, 0x0
    01813ADA  00e9                     ADD          CL, CH
    01813ADC  2f                       DAS       
    01813ADD  0a00                     OR           AL, [EAX]
    01813ADF  0090eb03f336             ADD          [EAX+0x36f303eb], DL
    01813AE5  7ef7                     JLE          0x1813ade
    01813AE7  46                       INC          ESI
    01813AE8  0808                     OR           [EAX], CL
    01813AEA  0000                     ADD          [EAX], AL
    01813AEC  007301                   ADD          [EBX+0x1], DH
    01813AEF  750f                     JNZ          0x1813b00
    
    ----- SNIP HERE -----
    AAFaAQAwgQHDOoEBADCBAQAQAwCK2WXsB8U2hFXFbDT6f11KyguSUjv7mS3oDv4ITUTTLbkQhzpIDSVTPjgCledlIZyliZwf91UXuSsKMfRx20ECeR3ycdgv5sC64tnPfmSxcIVVcQ91wHuZQ8B3MRrNgc5hhTpoYINsJCAFi3wkIMYHgsdHAQJRnfS4mAwAAL4I1U6dKTdmwQdWgAf+ZoE3n0LrBp/PvI+cN/YXg8cEge5x83dmg+gED4XW////+XIDzx+eYcN/bZ32/TUnT8QBfAHrF5CQkI0EIAAQGQEXZgAACW4TiAMAAAAA6XkQAAADVfjrAi4MO8LrA/5EyA+DGhEAAOnsAQAAkOsDJbb3VesChqeL7OsC0zVX6wLoE1brASqDfRAF6wMInF0PgocBAADpyAkAAJDrAvd8i4MYAQAA6wHUi1YE6wG6A5N4AQAA6wHcxwACAAAA6wPowVuJUATrAiU5x0AIAAAAAOsCgSWDgxgBAAAM6wL2T1/rA/Yk3V7rA4FvdVvrA7oJs4vl6wLB+V3rAtihw+sDJSBri1Yg6wMip+ONPBPrAgBRjTyH6wEMiw/rAeGLVRTrAjXcA8vrA90VC2oA6wNkNrtR6wO4lNb/UmDrARM7RQzrATIPhQ8BAADpGQgAAJDrAhBPi4MYAQAA6wEDxwAFAAAA6wIydsdABBQAAADrAr2cx0AIAAAAAOsCIIqDgxgBAAAM6wO5VAZf6wHIXusCvMtb6wKg7Yvl6wGgXesD95Azw+sDKbTJDzHrA4q32DFF6HJkMVXocwO/nTzp8AIAAOsD3nQCi34E6wF0M8B5A4OwBgO7eAEAAOsBPY1Q/+sBcYlWBOsCgOfprBAAAOsB3GhEAwAA6wIiJVPrA7y++P9TYOsCyJQ7RcDrAoyBD4VA////6akHAADrArz4M8B5A6Or0OmTCAAA6wOhbGKJBusBZ+uR6wKNtGaLTfTrAYFmhcFzAzuL2A+FuwEAAOn1FgAAkOsD24GQM8B2A8hvpOkdDwAA6wGMD7dWCOsDLfTshdJzAjOxD4RmEQAA6fYVAACQ6wMtm9aLexTrAwVurwO+eAEAAOsBaYlF/OsBxWa6AQDrArkjZrggAOsCPh2KTRDrATpm08LrArmvZtPA6wIbnWaJVfjrAjmOZolF9OsCwqbpCxQAAOsDG5eUi0X46wH3i4B1b9gA6wODnAKFwHEDaYyHD4XXEQAA6Y4IAACQ6wEJi1YE6wM9N8sDk3gBAADrArqMUusBxP91/OsDBSRE/5NQAgAA6wK9UumoDAAA6wPdn9qq6wOFpP/B6AjrAQhJ6wMV++R17OmJAAAA6wHoi0UU6wILZGi2XeYZ6wISeGoA6wIVNf+Q+AIAAOsB2+lcEQAA6wKa6IP4AesC6lAPhDAKAADpLhEAAJDrAahe6wMF59hb6wF6X+sBcIvl6wIug13rAujAwgwA6wMTmzAzwHUeQOsBPV/rAoCqXusCyhlb6wE2i+XrA6Oc9F3rAaDCGADrAXyLx+sCoBorRQzrAoSK6dIGAADrAY6Lx+sCLgNb6wLC4F/rAmU2XesBCsIIAOsDFXOSg8YO6wEcg8cE6wPI0hT/TQjrAToPhZ4PAADpif///5DrAw2uZfdGCAEAAABzAz0dNw+ELxMAAOndEAAAkOsBo4vH6wF5K0UY6wEY6fsJAADrAx0GLFDrAhVM/zPrAcXopwoAAIXAcwONvLgPhLcIAADpjhEAAJDrAb+q6wO4897pDA4AAOsDCbguA1cI6wLclDvC6wO/I44Pg9AJAADpQf///5DrAt0ci9/rAbmNTejrAjKliwHrAYOL0OsCujfB4hXrARgzwnMCAiyL0OsDHZf/wcoD6wIF7TPCcQLAEovQ6wHzweIE6wK85DPCcj2JAesCAHYzRgxyh4lF5OsBIIlGDOsCEI6LRgTrAsVuiUXI6wJp6lDrAbX/s5gCAADrAYv/U2DrAZqJRczrAurfi1Xg
6wGhi4OYAgAA6wNn6eoDgmhv2ADrAgVm/7Jsb9gA6wJnIFDrAQj/U2DrA7sLbolFxOsDay2KjVXc6wK8vItGBOsBCgODmAIAAOsD3ZNZUusDxKp6akDrA9Cydv92COsDxDw1UOsCBRJoL28GEOsD3rvyagDrAzE95/+T+AIAAOsBOYsO6wOBO3yNdhDrAvZ0M/95A8F3A4l91OsB2+lODQAA6wFqM8B9ATpb6wO9fbtf6wESXesCMkLCCADrA42pDg+2RwPrAiWJagHrAYtQ6wMyicdqAOsCu7P/dwTrAXn/M+sDjqsJ/5YgAQAA6wIRVoXAcjcPhPsGAADpfQMAAJDrAS1V6wLFlovs6wEZg+wI6wE2U+sDIJJpVusCxUtX6wKa6DPAf785RQzrAopzD4TkBwAA6YsEAACQ6wHei10Y6wO85CWLdRDrAXKLfQzrAcDoAAAAAFjrAoEhLbx12ADrAmcFiUX46wO7YGxmuggA6wO+pJqKTRzrAoEMZtPC6wO5CTxmiVX86wIPTumOEQAA6wMFJZqJQ1zrA7rqE4lF0OsBu2hEAwAA6wOgslRT6wEc/1Ng6wLIa4lFwOsBqWoA6wF1akzrAfNqAOsDDU4paI29wT/rAdj/szQDAADrAdD/kyABAADrAmUbiUX86wEbagDrAQ1qR+sD0K62agDrArrnaHBlhrHrAokN/7M0AwAA6wFz/5MgAQAA6wHmiUX46wKBP4uzeAEAAOsCgTqLDusDKQxFiU3w6wLZe8dF7AAAAADrAw3c5412EOsDoD4x6W8KAADrATwzwHL+agHrA77ywlDrA9q4S/92BOsBslDrAeH/dRjrA2c2dP+TIAEAAOsBAoXAcQO9jG8PhHMDAADpYQYAAJDrAmePi0UU6wGai5D4AAAA6wFliRfrAcTpxg8AAOsCgY+DRfgI6wK6w4k+6wMZRFGLTSDrA6kif4sB6wLzNIvQ6wPoOzfB4hXrASMzwnMCgOKL0OsBcMHKA+sB6zPCcQGEi9DrAf/B4gTrAmR4M8JzAsgoiQHrAtuJg+AHcQERBFDrAxVUlKrrAdH/dfjrARhX6wFj/3Ug6wHp6AD4//8pRfjrAYAD+OsC8mfGB2DrAXNH6wHq/3X46wO7SV1X6wLSBP91IOsBM+jS9///KUX46wMzjfkD+OsDJTkRxge46wLIKotF/OsCwrQzRSRzAXCJRwHrAiV9g8cF6wOBhov/dfjrARJX6wJn0P91IOsCgXroiff//ylF+OsCDcwD+OsChlbGB+nrAWWLRRTrASkrx+sDIYs4g+gF6wKj3IlHAesCFX2DxwXrAj7o/3X46wLKgFfrAip2/3Ug6wMFinjoO/f//ylF+OsDwLNiA/jrArlfg8YE6wEmZv9F/usBJv9NDOsCaIcPhZX+///p5Pr//+sBiSt+IOsDu0XjK/vrAwC/hMHvAusC2KCLRiTrAxXuwgPD6wIrbA+3BHjrAzWXhYvL6wO+18kDXhzrAYQ7RhTrAWQPh6v4///pCA0AAOsDo8ef6aH6///rAyWmBIuzeAEAAOsCvvczwH4C0XWJRgTrAXiJRgjrAw2K8otF1OsDG5zLweAD6wPBTGeL0OsB48HgAusBPQPQ6wHFakDrAqCoaAAwAADrAv+uUOsBY2oA6wE2aEoNzgnrAb5qAOsB3/+T+AIAAOsD6vYlhcBzA6lVQQ+EwwwAAOkvCgAAkOsD8zZ+90YICAAAAHMBdQ+EDQUAAOnPDgAAkOsD2gWAi3UI6wIdT4sG6wLEhIvQ6wHnweIV6wOBP3wzwnKfi9DrA2eD7sHKA+sDoIePM8JypIvQ6wFwweIE6wLyijPCcQG2iQbrA2Kj/oPgA3BUD4UjDQAA6wO9vHpe6wPpHJNf6wGjXesCvRPCDADrAqHzi8PrAj18K0UY6wPIhnHpJQ4AAOsCxU5mi0X06wEuZgkHcwOiDnTpNAIAAOsByolF+OsDa4rYi10c6wEji30Y6wEoi3UQ
6wPdDWcPt00I6wIqsItVIOsDomzYiU386wF/0wrrAi4w6bj8///rAoIfM8B+AhJCX+sBtl7rAR1b6wHAi+XrARhd6wE6whgA6wMbntuLRRTrAt6aaOMTtB3rAgNQagDrAshq/5D4AgAA6wK8u+lJCQAA6wMwnROLRRTrAbtoxbFmLesBFGoA6wMV+0P/kPgCAADrA7sqtotVFOsC3WdQ6wEPU+sD6iYf/5KkAQAA6wF2i0UU6wODq69T6wO5jmH/kBQBAADrAgNdi8vrAy65841cAwHrAXGLwesCmjaLVfjrAjCQiYJ1b9gA6wKDSunICAAA6wNoAbqD+APrA8iHGA+EwPb//+nbAgAA6wMzgnqLgxgBAADrAdmLFusCBfmJUATrAoFJxwAEAAAA6wJpKcdACAAAAADrAYyDgxgBAAAM6wF7X+sBKF7rA7qTUVvrAy1hGYvl6wFoXesBNsPrAXCLRgTrA9wdEoP4COsDgekRD4MpCwAA6Q4BAACQ6wKjgFXrA7zjD4vs6wNoPVCD7AjrA2k98VPrAXxW6wH2V+sBjIt1COsDiKCGi97rA8aHUgN2POsBMotGeOsCuNyLVnzrARuJVfjrAjUqjTQY6wO7PKqJdfzrAXsPt0UQ6wPIuk87RhjrA7i+MA+DUvX//+n38///6wIRfItFFOsCCIyLkBQBAADrA+oh/IkX6wKgF+mKCgAA6wIYVIPHDusDjJJl/0386wIbbQ+FnQkAAOlF9v//kOsBt+ly9P//6wH3VesCmvWL7OsBLYPsDOsDgBTxV+sByFPrAxpUrlbrAjCpi10I6wEJi3UM6wO+3tmLQwzrAt2xhcBzAS0PhPj1///p6/T//+sCaNuD+ADrAr3kD4R4CAAA6cf1//+Q6wERi0UU6wEiaKQahtDrA7wjDGoA6wO9GNj/kPgCAADrASjp9gYAAOsC2CyD+ATrAb0PhcsJAADpH////5DrAQyLVgTrAoGnA5N4AQAA6wILm1LrAtGg/3X46wFm/5NQAgAA6wO8oJSFwHMDa3BvD4UbAAAA6R8BAACQ6wMgntSJB+sDhaD66cn1///rAsI/iQbrAqPb6Xfz///rA5rliV/rA9ij8l7rAxijtVvrAYyL5esCKn1d6wIIaMIgAOsDPZ1ig8co6wLCyknrAwWrkg+FcQEAAOlR9///kOsC6TiL++sB6wN/POsCKBUPt1cU6wOJjYQPt08G6wEJjXwXGOsDmjRLK8PrARrpOAEAAOsDjYxlVusDyAtwUusDg0bu/3cE6wIDnv8z6wJn4Oiy/f//hcBxA2KEhg+Fa/X//+kE9///6wPcjvWD+AfrA4FDJg+E0wIAAOmTBQAAkOsBFVXrA2t9CYvs6wGLV+sCwdtT6wMmyHCLXQjrA4aePItFDOsBujvD6wM1RgcPhpv2///pSv///+sB6jlGDOsCZAoPhV8GAADp5f7//5DrA/93BOsCA57/M+sCZ+Dosv1aAv+F
    ----- END SNIP -----
    
    Stack Trace
    #  Address  Module                   Location
    -- -------- ------------------------ ----------------------------------------
    1  75A6E070 KernelBase.dll           VirtualAlloc +0x40
    
    2  01813AC9 (anonymous; Resonic.exe)
                eb03                     JMP          0x1813ace
    
    3  015AA536 Resonic.exe           
    4  01596CB5 Resonic.exe           
    
    Loaded Modules (72)
    -----------------------------------------------------------------------------
    00400000-015AB000 Resonic.exe (),
                      version:
    771E0000-7739A000 ntdll.dll (Microsoft Corporation),
                      version: 10.0.26100.2605 (WinBuild.160101.0800)
    76D60000-76E50000 KERNEL32.dll (Microsoft Corporation),
                      version: 10.0.26100.2454 (WinBuild.160101.0800)
    73F70000-740B4000 hmpalert.dll (Sophos B.V.),
                      version: 3.8.26.983
    75920000-75BB9000 KERNELBASE.dll (Microsoft Corporation),
                      version: 10.0.26100.2605 (WinBuild.160101.0800)
    75E10000-75FD2000 user32.dll (Microsoft Corporation),
                      version: 10.0.26100.2605 (WinBuild.160101.0800)
    76EF0000-76F0A000 win32u.dll (Microsoft Corporation),
                      version: 10.0.26100.2161 (WinBuild.160101.0800)
    76FF0000-77012000 GDI32.dll (Microsoft Corporation),
                      version: 10.0.26100.2033 (WinBuild.160101.0800)
    75C60000-75D4B000 gdi32full.dll (Microsoft Corporation),
                      version: 10.0.26100.2605 (WinBuild.160101.0800)
    75710000-75795000 msvcp_win.dll (Microsoft Corporation),
                      version: 10.0.26100.1882 (WinBuild.160101.0800)
    76390000-764A0000 ucrtbase.dll (Microsoft Corporation),
                      version: 10.0.26100.1882 (WinBuild.160101.0800)
    76300000-7637F000 advapi32.dll (Microsoft Corporation),
                      version: 10.0.26100.2033 (WinBuild.160101.0800)
    764E0000-765A7000 msvcrt.dll (Microsoft Corporation),
                      version: 7.0.26100.1882 (WinBuild.160101.0800)
    76E60000-76EE3000 sechost.dll (Microsoft Corporation),
                      version: 10.0.26100.2454 (WinBuild.160101.0800)
    770A0000-77159000 RPCRT4.dll (Microsoft Corporation),
                      version: 10.0.26100.268 (WinBuild.160101.0800)
    72DC0000-72FE7000 comctl32.dll (Microsoft Corporation),
                      version: 6.10 (WinBuild.160101.0800)
    764B0000-764D5000 IMM32.DLL (Microsoft Corporation),
                      version: 10.0.26100.1 (WinBuild.160101.0800)
    77160000-771C6000 wintrust.DLL (Microsoft Corporation),
                      version: 10.0.26100.2454 (WinBuild.160101.0800)
    75600000-75707000 CRYPT32.dll (Microsoft Corporation),
                      version: 10.0.26100.2454 (WinBuild.160101.0800)
    74630000-7463E000 MSASN1.dll (Microsoft Corporation),
                      version: 10.0.26100.1 (WinBuild.160101.0800)
    74550000-74565000 CRYPTSP.dll (Microsoft Corporation),
                      version: 10.0.26100.2454 (WinBuild.160101.0800)
    74510000-74541000 rsaenh.dll (Microsoft Corporation),
                      version: 10.0.26100.1301 (WinBuild.160101.0800)
    74690000-7469B000 CRYPTBASE.dll (Microsoft Corporation),
                      version: 10.0.26100.1 (WinBuild.160101.0800)
    76F10000-76F79000 bcryptPrimitives.dll (Microsoft Corporation),
                      version: 10.0.26100.2033 (WinBuild.160101.0800)
    74F40000-74F5B000 imagehlp.dll (Microsoft Corporation),
                      version: 10.0.26100.1 (WinBuild.160101.0800)
    744F0000-7450A000 bcrypt.dll (Microsoft Corporation),
                      version: 10.0.26100.1882 (WinBuild.160101.0800)
    744C0000-744E0000 gpapi.dll (Microsoft Corporation),
                      version: 10.0.26100.1882 (WinBuild.160101.0800)
    6F750000-6F77B000 cryptnet.dll (Microsoft Corporation),
                      version: 10.0.26100.2454 (WinBuild.160101.0800)
    74330000-74355000 IPHLPAPI.DLL (Microsoft Corporation),
                      version: 10.0.26100.2454 (WinBuild.160101.0800)
    741E0000-741EA000 WINNSI.DLL (Microsoft Corporation),
                      version: 10.0.26100.1 (WinBuild.160101.0800)
    75910000-75917000 NSI.dll (Microsoft Corporation),
                      version: 10.0.26100.1 (WinBuild.160101.0800)
    73EB0000-73F32000 uxtheme.dll (Microsoft Corporation),
                      version: 10.0.26100.2454 (WinBuild.160101.0800)
    76A80000-76CFE000 combase.dll (Microsoft Corporation),
                      version: 10.0.26100.2454 (WinBuild.160101.0800)
    74E20000-74F37000 MSCTF.dll (Microsoft Corporation),
                      version: 10.0.26100.2454 (WinBuild.160101.0800)
    76620000-76A6F000 SETUPAPI.DLL (Microsoft Corporation),
                      version: 10.0.26100.2454 (WinBuild.160101.0800)
    74DD0000-74DE9000 MPR.DLL (Microsoft Corporation),
                      version: 10.0.26100.1882 (WinBuild.160101.0800)
    74DF0000-74E05000 NETAPI32.DLL (Microsoft Corporation),
                      version: 10.0.26100.1 (WinBuild.160101.0800)
    74650000-74658000 VERSION.DLL (Microsoft Corporation),
                      version: 10.0.26100.1 (WinBuild.160101.0800)
    6C6B0000-6C741000 WINSPOOL.DRV (Microsoft Corporation),
                      version: 10.0.26100.2454 (WinBuild.160101.0800)
    75D50000-75E0C000 shcore.dll (Microsoft Corporation),
                      version: 10.0.26100.2454 (WinBuild.160101.0800)
    6C930000-6C979000 cfgmgr32.dll (Microsoft Corporation),
                      version: 10.0.26100.2454 (WinBuild.160101.0800)
    73F40000-73F65000 DWMAPI.DLL (Microsoft Corporation),
                      version: 10.0.26100.2454 (WinBuild.160101.0800)
    73D50000-73D56000 MSIMG32.DLL (Microsoft Corporation),
                      version: 10.0.26100.1882 (WinBuild.160101.0800)
    74F60000-75547000 SHELL32.DLL (Microsoft Corporation),
                      version: 10.0.26100.2454 (WinBuild.160101.0800)
    733E0000-733E6000 SHFOLDER.DLL (Microsoft Corporation),
                      version: 10.0.26100.1 (WinBuild.160101.0800)
    73D80000-73DB3000 WINMM.DLL (Microsoft Corporation),
                      version: 10.0.26100.2454 (WinBuild.160101.0800)
    761A0000-762F5000 OLE32.DLL (Microsoft Corporation),
                      version: 10.0.26100.1882 (WinBuild.160101.0800)
    75550000-755EE000 OLEAUT32.DLL (Microsoft Corporation),
                      version: 10.0.26100.1882 (WinBuild.160101.0800)
    6C640000-6C6A0000 OLEACC.DLL (Microsoft Corporation),
                      version: 7.2.26100.2454 (WinBuild.160101.0800)
    6C170000-6C2DA000 GDIPLUS.DLL (Microsoft Corporation),
                      version: 10.0.26100.2454 (WinBuild.160101.0800)
    76D10000-76D5B000 SHLWAPI.DLL (Microsoft Corporation),
                      version: 10.0.26100.2454 (WinBuild.160101.0800)
    744A0000-744AF000 WTSAPI32.DLL (Microsoft Corporation),
                      version: 10.0.26100.1 (WinBuild.160101.0800)
    6BCD0000-6BEAE000 WINDOWSCODECS.DLL (Microsoft Corporation),
                      version: 10.0.26100.2454 (WinBuild.160101.0800)
    77090000-77096000 PSAPI.DLL (Microsoft Corporation),
                      version: 10.0.26100.1 (WinBuild.160101.0800)
    71E10000-71E67000 BASS.DLL (Un4seen Developments),
                      version: 2.4.14
    73A00000-73A1A000 MSACM32.dll (Microsoft Corporation),
                      version: 10.0.26100.1882 (WinBuild.160101.0800)
    73480000-7348C000 BASSMIX.DLL (Un4seen Developments),
                      version: 2.4.8
    71E80000-71E8D000 BASSCD.DLL (Un4seen Developments),
                      version: 2.4.6
    6ACF0000-6AD6D000 BASSMIDI.DLL (Un4seen Developments),
                      version: 2.4.12
    65680000-65880000 RESONICMETA.DLL (),
                      version:
    746D0000-74D82000 windows.storage.dll (Microsoft Corporation),
                      version: 10.0.26100.2605 (WinBuild.160101.0800)
    746A0000-746C1000 profapi.dll (Microsoft Corporation),
                      version: 10.0.26100.2454 (WinBuild.160101.0800)
    741B0000-741DB000 SspiCli.dll (Microsoft Corporation),
                      version: 10.0.26100.2454 (WinBuild.160101.0800)
    6AC70000-6ACE2000 RESONICDSP.DLL (),
                      version:
    651A0000-653A9000 RESONICLIB.DLL (),
                      version:
    6F580000-6F723000 URLMON.DLL (Microsoft Corporation),
                      version: 11.00.26100.1882 (WinBuild.160101.0800)
    6F2C0000-6F504000 iertutil.dll (Microsoft Corporation),
                      version: 11.00.26100.2454 (WinBuild.160101.0800)
    74DA0000-74DBE000 srvcli.dll (Microsoft Corporation),
                      version: 10.0.26100.1 (WinBuild.160101.0800)
    74D90000-74D9B000 netutils.dll (Microsoft Corporation),
                      version: 10.0.26100.1882 (WinBuild.160101.0800)
    64FB0000-6518F000 DBGHELP.DLL (Microsoft Corporation),
                      version: 10.0.26100.2033 (WinBuild.160101.0800)
    6C9A0000-6C9AA000 BASSWASAPI.DLL (Un4seen Developments),
                      version: 2.4.2
    728B0000-72ACB000 WININET.DLL (Microsoft Corporation),
                      version: 11.00.26100.2454 (WinBuild.160101.0800)
    
    Process Trace
    1  C:\Program Files (x86)\Liqube\Resonic Player Beta\Resonic.exe [11492]
    2  C:\Windows\SysWOW64\msiexec.exe [35124]
       C:\Windows\syswow64\MsiExec.exe -Embedding 38F49F999CC94212A43EFC1BF0FBFCF2 C
    3  C:\Windows\System32\msiexec.exe [6600]
    4  C:\Windows\System32\services.exe [1396]
    5  C:\Windows\System32\wininit.exe [1984]
       wininit.exe
    
    Services
    6600  msiserver
    
    Dropped Files
    1  C:\System Volume Information\SPP\snapshot-2
         Dropped by \Device\HarddiskVolume3\Windows\System32\msiexec.exe [6600]
    2  C:\System Volume Information\SPP\OnlineMetadataCache\{55a5f528-459e-4d64-a633-6b5292ebbe28}_OnDiskSnapshotProp
         Dropped by \Device\HarddiskVolume3\Windows\System32\msiexec.exe [6600]
    3  C:\System Volume Information\SPP\metadata-2
         Dropped by \Device\HarddiskVolume3\Windows\System32\msiexec.exe [6600]
    4  C:\WINDOWS\Installer\593fe036.msi
         Dropped by \Device\HarddiskVolume3\Windows\System32\msiexec.exe [6600]
            Read by \Device\HarddiskVolume3\Windows\System32\consent.exe [29852]
                    \Device\HarddiskVolume3\Windows\System32\msiexec.exe [6600]
    5  C:\WINDOWS\Installer\inprogressinstallinfo.ipi
         Dropped by \Device\HarddiskVolume3\Windows\System32\msiexec.exe [6600]
            Read by \Device\HarddiskVolume3\Windows\System32\msiexec.exe [6600]
    6  C:\WINDOWS\SystemTemp\~DF13542979A47F3C4D.TMP
         Dropped by \Device\HarddiskVolume3\Windows\System32\msiexec.exe [6600]
    7  C:\WINDOWS\Installer\SourceHash{E92483C7-34E3-49B5-BE12-4CC923A018E6}
         Dropped by \Device\HarddiskVolume3\Windows\System32\msiexec.exe [6600]
    8  C:\WINDOWS\SystemTemp\~DFC4B7FA87608F3621.TMP
         Dropped by \Device\HarddiskVolume3\Windows\System32\msiexec.exe [6600]
    9  C:\WINDOWS\Installer\MSIE8A2.tmp
         Dropped by \Device\HarddiskVolume3\Windows\System32\msiexec.exe [6600]
            Read by \Device\HarddiskVolume3\Windows\System32\msiexec.exe [6600]
    10 C:\Config.Msi\CMPE92F.tmp
         Dropped by \Device\HarddiskVolume3\Windows\System32\msiexec.exe [6600]
    11 C:\Config.Msi\593fe037.rbs
         Dropped by \Device\HarddiskVolume3\Windows\System32\msiexec.exe [6600]
            Read by \Device\HarddiskVolume3\Windows\System32\msiexec.exe [6600]
    12 C:\WINDOWS\Installer\{E92483C7-34E3-49B5-BE12-4CC923A018E6}\ProductIcon.exe
         Dropped by \Device\HarddiskVolume3\Windows\System32\msiexec.exe [6600]
    13 C:\Users\Public\Desktop\Resonic Player Beta.lnk
         Dropped by \Device\HarddiskVolume3\Windows\System32\msiexec.exe [6600]
            Read by \Device\HarddiskVolume3\Windows\explorer.exe [9764]
    14 C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Resonic Player Beta\Resonic Player Beta.lnk
         Dropped by \Device\HarddiskVolume3\Windows\System32\msiexec.exe [6600]
            Read by \Device\HarddiskVolume3\Windows\explorer.exe [9764]
    15 C:\WINDOWS\Installer\593fe038.msi
         Dropped by \Device\HarddiskVolume3\Windows\System32\msiexec.exe [6600]
    16 C:\Config.Msi\CMPEB42.tmp
         Dropped by \Device\HarddiskVolume3\Windows\System32\msiexec.exe [6600]
    17 C:\WINDOWS\SystemTemp\~DFEA12EF97E866D07F.TMP
         Dropped by \Device\HarddiskVolume3\Windows\System32\msiexec.exe [6600]
    
    Thumbprints
    3206186b4cab1667e27968416a1a24e8f86e054ac7e9ce549bbe6f1fd54c1c8f (code)
    ff675957bb64461b7c0a7be5be814979c4c9f5739cc8b552b0e88b628d6c7c1b (ownermodule)
    7613c3f866f743051b3aedd5d312d9acaa2f30951025bddda09fb881b90d9af4 (pfn)
    
     
    Last edited: Dec 30, 2024
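An added triage example, not Sophos' or HMPA's code: a Python parser for the plain-text mitigation report layout shown in the post above. It pulls out the header fields (mitigation, PID, application), the owner module's hashes and thumbprint, and the stack frames, then checks the owner-module thumbprint against a local allow-list so a reviewed false positive can be separated from an alert that still needs a human look. The embedded report is constructed from an excerpt of the post; the allow-list dictionary and its format are an assumption for illustration and not an HMPA configuration file.

```python
"""Parse a HitmanPro.Alert style mitigation report into a structure a defender can
triage. The layout is inferred from the report text in the post above; this is an
illustrative parser, not an official HMPA tool or format definition."""
import re

# Constructed sample: an excerpt of the report posted above, trimmed to the
# sections this parser reads (header, OwnerModule, Stack Trace).
SAMPLE_REPORT = """Mitigation   HeapHeapProtect
Timestamp    2024-12-30T03:27:29

Platform     10.0.26100/x64 v983 af_61
PID          11492
WoW          x86
Application  C:\\Program Files (x86)\\Liqube\\Resonic Player Beta\\Resonic.exe
Description  Resonic Player Beta 0.9.3

Callee Type  AllocateVirtualMemory

OwnerModule
Name         Resonic.exe
Path         C:\\Program Files (x86)\\Liqube\\Resonic Player Beta\\Resonic.exe
Thumbprint   ff675957bb64461b7c0a7be5be814979c4c9f5739cc8b552b0e88b628d6c7c1b
SHA-256      f40dac7393dc8fe568437feae8fabc5fdf7b8e5f145425301bcbfb64de9292b4
SHA-1        9dc4d0af7a748e8caff73610faaa67e310831a68
MD5          ff437e7c22766d3519ad88be7c5d23cc

Stack Trace
#  Address  Module                   Location
-- -------- ------------------------ ----------------------------------------
1  75A6E070 KernelBase.dll           VirtualAlloc +0x40

2  01813AC9 (anonymous; Resonic.exe)
            eb03                     JMP          0x1813ace

3  015AA536 Resonic.exe
4  01596CB5 Resonic.exe

Loaded Modules (72)
"""

# "Key<2+ spaces>Value" lines; keys may contain a space or hyphen (Callee Type, SHA-256).
HEADER_RE = re.compile(r"^([A-Za-z][A-Za-z0-9 -]*?)\s{2,}(.+?)\s*$")
# Stack frame rows: "<n> <8 hex digits> <module> [<location>]".
FRAME_RE = re.compile(r"^(\d+)\s+([0-9A-Fa-f]{8})\s+(.+?)\s*$")


def parse_report(text):
    """Return {'header': {...}, 'owner': {...}, 'frames': [...]} for one report."""
    report = {"header": {}, "owner": {}, "frames": []}
    section = "header"
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line == "OwnerModule":
            section = "owner"
            continue
        if line == "Stack Trace":
            section = "stack"
            continue
        if line.startswith("Loaded Modules"):
            break  # module list and later sections are not needed for triage
        if section == "stack":
            m = FRAME_RE.match(line)
            if m:  # column header, rule line and disassembly continuations fail here
                n, addr, rest = m.groups()
                parts = re.split(r"\s{2,}", rest, maxsplit=1)
                report["frames"].append({
                    "n": int(n), "address": addr,
                    "module": parts[0],
                    "location": parts[1] if len(parts) > 1 else "",
                })
            continue
        m = HEADER_RE.match(line)
        if m:
            key, value = m.groups()
            report[section][key] = value
    return report


def anonymous_frames(report):
    """Frames whose code lives in an unnamed (dynamically allocated) region."""
    return [f for f in report["frames"] if f["module"].startswith("(anonymous")]


# Hypothetical local allow-list keyed by owner-module thumbprint, populated only
# after a reviewer has confirmed the alert is a known false positive.
LOCAL_ALLOW_LIST = {
    "ff675957bb64461b7c0a7be5be814979c4c9f5739cc8b552b0e88b628d6c7c1b":
        "Resonic Player Beta, reviewed as a false positive",
}


def triage(report, allow_list=LOCAL_ALLOW_LIST):
    """Return (decision, reason). A report without an owner-module thumbprint
    cannot be allow-listed by thumbprint, so it is escalated for review."""
    owner = report["owner"]
    thumb = owner.get("Thumbprint")
    if not thumb:
        return ("escalate", "no owner-module thumbprint in report; cannot allow-list by thumbprint")
    if thumb in allow_list:
        return ("suppress", f"owner module {owner.get('Name')} allow-listed: {allow_list[thumb]}")
    return ("escalate", f"{report['header'].get('Mitigation')} on {owner.get('Name')} "
                        f"with {len(anonymous_frames(report))} anonymous frame(s); thumbprint not allow-listed")


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    print(parsed["header"]["Mitigation"], parsed["owner"]["SHA-256"])
    print(triage(parsed))
```

The decision keys off the owner-module thumbprint rather than the file hash because that is the value HMPA itself reports for the module and the one a per-machine suppression would be tied to; when the report lacks it, the example refuses to suppress and escalates instead.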
  9. moredhelfinland

    moredhelfinland Registered Member

    Joined:
    Mar 31, 2009
    Posts:
    410
    Location:
    Finland
    @RonnyT
    I reported this "false positive" two times to Sophos, but they just don't care, especially about Home users, which is really, really sad. They don't even want to fix it (for home users, that is). It's kinda crazy that Home users use an old version of HMPA, while the EDR solution gets the newest one.
     
  10. moredhelfinland

    moredhelfinland Registered Member

    Joined:
    Mar 31, 2009
    Posts:
    410
    Location:
    Finland
    @erakura
    Reported the same, two times, the latest was one year ago.
     
  11. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    714
    Location:
    Planet Earth
    We've made a code change in build 2017 so the user is able to suppress the alert (there was a certain case where a thumbprint wasn't generated).
    Not sure how (and if) that works on Home Premium though.
     
  12. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    714
    Location:
    Planet Earth
    HitmanPro.Alert 3.20.2 Build 2019 RC1

    Changelog (compared to 983)
    • Fixed Autoruns BSOD
    • Fixed Driver BSOD
    • Fixed CryptoGuard5 Memory leaks
    • Fixed CobaltStrike Double messages in report when in audit mode
    • Fixed SyscallX64 Added caching to prevent hiccups during play when using Chromium browser streams (e.g. Netflix / Prime).
    • Improved APCProtection Windows 11 support
    • Improved CobaltStrike Add support for WinHttp based beacons
    • Improved SyscallX86 Detection and alerting/reporting/suppression options
    • Improved SyscallX64 Added protection against Ekko/Foliage/KrakenMask
    • Improved C2Interceptor Added generic stager detection
    • Improved PipeWorker Security restrictions
    • Improved AmsiGuard Added protection for remote processes
    • Improved LBR Added newer CPUs: Tiger Lake, Rocket Lake
    • Improved CookieGuard Support for Chrome's new "Device Bound Session Credentials"
    • Improved Excalibur Code handling of rapid alerts/reports
    • Improved AlertProducer Added a rate limiter for repeating alerts - WARNING: Last Alert due to flood! added to eventlog
    • Improved Selfprotection and alerting logic
    • Improved KernelTrap32 added multiple API's
    • Improved HollowProcess logic for PEB protection
    • Improved CallerCheck thumbprinting for local allow-listing
    https://dl.surfright.nl/hmpalert3b2019.exe

    We'll switch on auto-update for existing 2017 users; if all goes well we'll be updating 983 users soon after that in a staged roll-out.

    Please let us know how this version runs on your machine :thumb:
     
  13. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,295
    Auto-updated to HitmanPro.Alert 3.20.2 Build 2019 RC1. No problems.
     