HitmanPro.Alert BETA

Discussion in 'other anti-malware software' started by erikloman, May 30, 2017.

  1. HempOil

    HempOil Registered Member

    Joined:
    Jun 15, 2015
    Posts:
    221
    Location:
    Canada
    I have been receiving another alert, this time while using Excel. Every time it is triggered, HMP.A closes Excel on me and I lose some of my work. It has happened twice, so far.

    Code:
    Mitigation   SendKeysGuard
    Timestamp    2023-05-22T20:39:02
    
    Platform     10.0.19045/x64 v957 06_2a%
    PID          27816
    WoW          x86
    Feature      007DCA361FBF01B6
    Application  C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
    Created      2023-05-11T20:24:57
    Description  Microsoft Excel 16
    
    Events:
    
      | #| VK | SC |  FLAG  |
      |--|----|----|--------|
      | 0|0014|003A|00000000|
      | 1|0014|003A|00000002|
    
    Ascii:
    
      [14]
    
    
    Loaded Modules (199)
    -----------------------------------------------------------------------------
    772B0000-77454000 ntdll.dll (Microsoft Corporation),
                      version: 10.0.19041.2965 (WinBuild.160101.0800)
    75270000-75360000 KERNEL32.dll (Microsoft Corporation),
                      version: 10.0.19041.2913 (WinBuild.160101.0800)
    74380000-744A3000 hmpalert.dll (Sophos B.V.),
                      version: 3.8.24.957
    75AA0000-75CDA000 KERNELBASE.dll (Microsoft Corporation),
                      version: 10.0.19041.2965 (WinBuild.160101.0800)
    75010000-750CA000 guard32.dll (COMODO),
                      version: 12, 2, 2, 8012
    742E0000-7437F000 0patchLoader.dll (Acros Security),
                      version: 22.11.11.10550
    73210000-7321D000 UMPDC.dll (),
                      version:
    622A0000-62365000 nvldumd.dll (NVIDIA Corporation),
                      version: 23.21.13.9135
    5EE40000-60611000 nvwgf2um.dll (NVIDIA Corporation),
                      version: 23.21.13.9135
    72F80000-73014000 TextShaping.dll (),
                      version:
    - MS skipped (189) -
    
    Process Trace
    1  C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE [27816]
       "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "D:\Users\XXX\Desktop\My Diet.xlsx"
    2  C:\Windows\explorer.exe [7680]
    
    Dropped Files
    1  C:\Users\XXX\AppData\Roaming\Microsoft\Office\Recent\My Diet.xlsx.LNK
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE [27816]
    2  C:\Users\XXX\AppData\Roaming\Microsoft\Office\Recent\My Diet.xlsx (2).LNK
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE [27816]
    3  C:\Users\XXX\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\T947OTPJOM7NOPJFMOZF.temp
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE [27816]
    4  C:\Users\XXX\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms~RF38f24f0e.TMP
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE [27816]
    5  C:\Users\XXX\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6B39NRKD6S83XX2AB8SU.temp
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE [27816]
    6  C:\Users\XXX\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms~RF38f24f6c.TMP
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE [27816]
    7  C:\Users\XXX\AppData\Roaming\Microsoft\Excel\~$My Diet (version 1).xlsb
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE [27816]
    8  D:\Users\XXX\Desktop\My Diet(AutoRecovered).xlsx
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE [27816]
    9  C:\Users\XXX\AppData\Local\Microsoft\Office\16.0\UsageMetricsStore\FileActivityStore\Excel\ARc0YzBjZGY0YjI4ZjhlYTQ2X0xpdmVJZAM.S
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE [27816]
    10 C:\Users\XXX\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE [27816]
    11 D:\Users\XXX\Desktop\~$My Diet(AutoRecovered).xlsx
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE [27816]
    12 D:\Users\XXX\Desktop\17C2F830
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE [27816]
            Read by \Device\HarddiskVolume2\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE [27816]
                    \Device\HarddiskVolume2\Windows\explorer.exe [7680]
    13 C:\Users\XXX\AppData\Roaming\Microsoft\Office\Recent\My Diet(AutoRecovered).xlsx.LNK
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE [27816]
    14 C:\Users\XXX\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QI00596HELEQ6W8DUJPF.temp
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE [27816]
    15 C:\Users\XXX\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms~RF38f2f224.TMP
         Dropped by \Device\HarddiskVolume2\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE [27816]
    
    Thumbprints
    a7a48dac3aab8cbec451808d9f4bf0402afe85c38186d96ec1e9c99b0aa26e5c (pfn)
     
    Last edited: May 23, 2023
  2. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    473
    Location:
    Planet Earth
    It seems it failed to validate the DLL ("Certhash could not be obtained for owner-module"). This happens sometimes during upgrades of the browser; for some reason Windows cannot determine the code-sign state of that file, and we hard fail on that. After a reboot it seems Windows recovers from this failure and all should be fine (whitelisting also works).
     
  3. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    473
    Location:
    Planet Earth
    That's an interesting one. Is there any specific action you can trigger this on?
    It seems to be some CAPSLOCK signal sent via a SendKeys command that got caught.

    Are you using macro(s) in this one?
    Does it happen on different Excel files/sheets, and do you have any add-ons installed?
     
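Reading the Events table of the alert above, as an added example that is not HMP.A's or Sophos's code. It assumes the VK, SC and FLAG columns carry the virtual-key code, scan code and flags of a synthesized keystroke with the same values Windows uses in KEYBDINPUT (winuser.h), so 0x14 is VK_CAPITAL, 0x3A is the Caps Lock scan code and flag 0x0002 is KEYEVENTF_KEYUP, and that the Ascii line renders key-downs with non-printable keys as a bracketed hex VK. The virtual-key table is partial and the sample rows are copied from the post.

```python
"""Decode the Events table of a HitmanPro.Alert SendKeysGuard report.

Added example, not HMP.A's own code.  Assumption: VK/SC/FLAG use the
KEYBDINPUT values from winuser.h; the VK name table below is partial.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# KEYBDINPUT.dwFlags bits (winuser.h).
KEYEVENTF_EXTENDEDKEY = 0x0001
KEYEVENTF_KEYUP = 0x0002
KEYEVENTF_UNICODE = 0x0004
KEYEVENTF_SCANCODE = 0x0008
FLAG_NAMES = {
    KEYEVENTF_EXTENDEDKEY: "KEYEVENTF_EXTENDEDKEY",
    KEYEVENTF_KEYUP: "KEYEVENTF_KEYUP",
    KEYEVENTF_UNICODE: "KEYEVENTF_UNICODE",
    KEYEVENTF_SCANCODE: "KEYEVENTF_SCANCODE",
}

# Partial virtual-key table (winuser.h).  Letters and digits equal their
# ASCII code and are handled in vk_name(); unknown codes are shown as hex.
VK_NAMES = {
    0x08: "VK_BACK", 0x09: "VK_TAB", 0x0D: "VK_RETURN", 0x10: "VK_SHIFT",
    0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x14: "VK_CAPITAL", 0x1B: "VK_ESCAPE",
    0x20: "VK_SPACE", 0x2E: "VK_DELETE", 0x5B: "VK_LWIN", 0x90: "VK_NUMLOCK",
}

# One data row of the table, e.g. "| 0|0014|003A|00000000|".
# The header "| #| VK |..." and the "|--|" separator do not match.
ROW = re.compile(
    r"^\s*\|\s*(\d+)\s*\|\s*([0-9A-Fa-f]{1,4})\s*\|\s*([0-9A-Fa-f]{1,4})"
    r"\s*\|\s*([0-9A-Fa-f]{1,8})\s*\|\s*$"
)

# Rows copied from the alert in the post above.
SAMPLE_EVENTS = """\
  | #| VK | SC |  FLAG  |
  |--|----|----|--------|
  | 0|0014|003A|00000000|
  | 1|0014|003A|00000002|
"""


@dataclass(frozen=True)
class KeyEvent:
    index: int
    vk: int
    scan: int
    flags: int

    def vk_name(self) -> str:
        if 0x30 <= self.vk <= 0x39 or 0x41 <= self.vk <= 0x5A:
            return "VK_" + chr(self.vk)
        return VK_NAMES.get(self.vk, f"VK_0x{self.vk:02X}")

    def is_keyup(self) -> bool:
        return bool(self.flags & KEYEVENTF_KEYUP)

    def flag_names(self) -> List[str]:
        names = [n for bit, n in FLAG_NAMES.items() if self.flags & bit]
        unknown = self.flags & ~sum(FLAG_NAMES)
        if unknown:
            names.append(f"0x{unknown:X}")
        return names


def parse_events(text: str) -> List[KeyEvent]:
    """Parse the data rows of an Events table, skipping header/separator."""
    events = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            idx, vk, sc, fl = m.groups()
            events.append(KeyEvent(int(idx), int(vk, 16), int(sc, 16), int(fl, 16)))
    return events


def pair_presses(events: List[KeyEvent]) -> List[Tuple[str, bool]]:
    """Pair each key-down with the next key-up of the same VK.

    Returns (name, completed) per press.  A down with no matching up, or a
    stray up, stays False so a truncated or malformed injection is visible.
    """
    pending: Dict[int, int] = {}      # vk -> index into presses
    presses: List[Tuple[str, bool]] = []
    for ev in events:
        if ev.is_keyup() and ev.vk in pending:
            presses[pending.pop(ev.vk)] = (ev.vk_name(), True)
        else:
            if not ev.is_keyup():
                pending[ev.vk] = len(presses)
            presses.append((ev.vk_name(), False))
    return presses


def ascii_line(events: List[KeyEvent]) -> str:
    """Render key-downs the way the alert's Ascii line appears to (assumed:
    letters, digits and space literally, everything else as [hex VK])."""
    out = []
    for ev in events:
        if ev.is_keyup():
            continue
        if 0x30 <= ev.vk <= 0x39 or 0x41 <= ev.vk <= 0x5A or ev.vk == 0x20:
            out.append(chr(ev.vk))
        else:
            out.append(f"[{ev.vk:02X}]")
    return "".join(out)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for ev in evs:
        print(f"#{ev.index} {ev.vk_name():<12} scan=0x{ev.scan:02X} "
              f"{'up' if ev.is_keyup() else 'down':<4} {ev.flag_names()}")
    print("presses:", pair_presses(evs))
    print("ascii:  ", ascii_line(evs))
```

Run against the rows from the post, this reports one complete Caps Lock press (down at #0, up at #1 with KEYEVENTF_KEYUP set) and reproduces the `[14]` Ascii line, which matches the CAPSLOCK reading in the reply above. Whether that event was synthesized by a macro, an add-in or something else is not something the table itself tells you; the loaded-modules list in the same report is where to look next.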
  4. HempOil

    HempOil Registered Member

    Joined:
    Jun 15, 2015
    Posts:
    221
    Location:
    Canada
    Hi Ronny,

    I just opened a vanilla Excel spreadsheet and started typing in data. There should not be any macros or add-ons involved. The alerts popped up a couple of times, seemingly randomly while I was working on it. I will continue populating it and let you know if any further alerts are triggered.

    Thanks for the feedback.
     
  5. HempOil

    HempOil Registered Member

    Joined:
    Jun 15, 2015
    Posts:
    221
    Location:
    Canada
    This makes sense. Chrome was trying to update at the time.
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    16,776
    Location:
    The Netherlands
    What is this SendKeysGuard feature about anyway?
     