
Event id 911

Hello there.

Received an attack, or at least a report from hmpalert.

What is going on? Should I be worried?

Below is the report.


Greetings,


Mitigation ROP
Timestamp 2020-04-28T12:41:20

Platform 10.0.18363/x64 v795 06_9e
PID 6004
Feature 001F1A341FBFB1A6
Application C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Created 2020-04-23T19:40:52
Modified 2020-04-23T03:14:02
Description Microsoft Edge 81

Callee Type AllocateVirtualMemory
0x000023C665F76000 (4096 bytes)

Branch Trace Opcode To
---------------------------------------- -------- ----------------------------------------
0x00007FFE97EE76C6 msedge.dll RET 0x00007FFE93343EF0 msedge.dll ^001B
0x00007FFE910E18EF msedge.dll RET 0x00007FFE9334441A msedge.dll ^0016
0x00007FFE9119F0A3 msedge.dll RET 0x00007FFE9334425D msedge.dll ^0040
0x00007FFE910E18EF msedge.dll ~ RET* 0x00007FFE93BD7876 msedge.dll ^0172
41b940000000 MOV R9D, 0x40
ebb2 JMP 0x7ffe93bd7830


Stack Trace
# Address Module Location
-- ---------------- ------------------------ ----------------------------------------
1 00007FFEDB3F2238 KernelBase.dll VirtualAlloc +0x48
2 00007FFE93BD783C msedge.dll
4885c0 TEST RAX, RAX
0f95c0 SETNZ AL
4883c428 ADD RSP, 0x28
c3 RET
3 00007FFE931B633B msedge.dll
4 00007FFE931B5DCE msedge.dll
5 00007FFE931B9027 msedge.dll
6 00007FFE9319A56C msedge.dll
7 00007FFE93196387 msedge.dll
8 00007FFE91184971 msedge.dll
9 00007FFE91187F0E msedge.dll
10 00007FFE911876F7 msedge.dll

Loaded Modules
-----------------------------------------------------------------------------
00007FF7140F0000-00007FF7143A4000 msedge.exe (Microsoft Corporation),
version: 81.0.416.64
00007FFEDDA20000-00007FFEDDC10000 ntdll.dll (Microsoft Corporation),
version: 10.0.18362.778 (WinBuild.160101.0800)
00007FFEDCEF0000-00007FFEDCFA2000 KERNEL32.dll (Microsoft Corporation),
version: 10.0.18362.778 (WinBuild.160101.0800)
00007FFEDA5C0000-00007FFEDA6D8000 hmpalert.dll (SurfRight B.V.),
version: 3.7.13.795
00007FFEDB390000-00007FFEDB633000 KERNELBASE.dll (Microsoft Corporation),
version: 10.0.18362.778 (WinBuild.160101.0800)
00007FFEB04D0000-00007FFEB05C8000 msedge_elf.dll (Microsoft Corporation),
version: 81.0.416.64
00007FFEDB640000-00007FFEDB6C0000 bcryptPrimitives.dll (Microsoft Corporation),
version: 10.0.18362.295 (WinBuild.160101.0800)
00007FFEDC6C0000-00007FFEDC763000 ADVAPI32.dll (Microsoft Corporation),
version: 10.0.18362.752 (WinBuild.160101.0800)
00007FFEDD200000-00007FFEDD29E000 msvcrt.dll (Microsoft Corporation),
version: 7.0.18362.1 (WinBuild.160101.0800)
00007FFEDD940000-00007FFEDD9D7000 sechost.dll (Microsoft Corporation),
version: 10.0.18362.693 (WinBuild.160101.0800)
0000016451660000-0000016451780000 RPCRT4.dll (Microsoft Corporation),
version: 10.0.18362.628 (WinBuild.160101.0800)
00007FFE910E0000-00007FFE99A90000 msedge.dll (Microsoft Corporation),
version: 81.0.416.64
00007FFEDD660000-00007FFEDD6CF000 WS2_32.dll (Microsoft Corporation),
version: 10.0.18362.387 (WinBuild.160101.0800)
00007FFEDC380000-00007FFEDC444000 OLEAUT32.dll (Microsoft Corporation),
version: 10.0.18362.693 (WinBuild.160101.0800)
00007FFEDBA30000-00007FFEDBACE000 msvcp_win.dll (Microsoft Corporation),
version: 10.0.18362.387 (WinBuild.160101.0800)
00007FFEDAA10000-00007FFEDAB0A000 ucrtbase.dll (Microsoft Corporation),
version: 10.0.18362.387 (WinBuild.160101.0800)
00007FFEDD2A0000-00007FFEDD5D6000 combase.dll (Microsoft Corporation),
version: 10.0.18362.693 (WinBuild.160101.0800)
00007FFEDA9B0000-00007FFEDAA0C000 WINTRUST.dll (Microsoft Corporation),
version: 10.0.18362.387 (WinBuild.160101.0800)
00007FFEDA990000-00007FFEDA9A2000 MSASN1.dll (Microsoft Corporation),
version: 10.0.18362.1 (WinBuild.160101.0800)
00007FFEDB6C0000-00007FFEDB809000 CRYPT32.dll (Microsoft Corporation),
version: 10.0.18362.592 (WinBuild.160101.0800)
00007FFED9CE0000-00007FFED9D1A000 IPHLPAPI.DLL (Microsoft Corporation),
version: 10.0.18362.1 (WinBuild.160101.0800)
00007FFED8770000-00007FFED8794000 WINMM.dll (Microsoft Corporation),
version: 10.0.18362.1 (WinBuild.160101.0800)
00007FFEC7FA0000-00007FFEC7FAC000 Secur32.dll (Microsoft Corporation),
version: 10.0.18362.1 (WinBuild.160101.0800)
00007FFEDA800000-00007FFEDA825000 USERENV.dll (Microsoft Corporation),
version: 10.0.18362.387 (WinBuild.160101.0800)
00007FFEDA960000-00007FFEDA983000 profapi.dll (Microsoft Corporation),
version: 10.0.18362.693 (WinBuild.160101.0800)
00007FFEBC060000-00007FFEBC2D0000 UIAutomationCore.DLL (Microsoft Corporation),
version: 7.2.18362.693 (WinBuild.160101.0800)
00007FFECDC90000-00007FFECDD80000 WINHTTP.dll (Microsoft Corporation),
version: 10.0.18362.778 (WinBuild.160101.0800)
00007FFEC99F0000-00007FFEC9CEE000 DWrite.dll (Microsoft Corporation),
version: 10.0.18362.476 (WinBuild.160101.0800)
00007FFECCA60000-00007FFECCAE9000 WINSPOOL.DRV (Microsoft Corporation),
version: 10.0.18362.693 (WinBuild.160101.0800)
00007FFEDA940000-00007FFEDA951000 kernel.appcore.dll (Microsoft Corporation),
version: 10.0.18362.1 (WinBuild.160101.0800)
00007FFEDB860000-00007FFEDB886000 bcrypt.dll (Microsoft Corporation),
version: 10.0.18362.267 (WinBuild.160101.0800)
00007FFEC2490000-00007FFEC2684000 dbghelp.dll (Microsoft Corporation),
version: 10.0.18362.1 (WinBuild.160101.0800)
00007FFED3B10000-00007FFED3B2C000 dhcpcsvc.DLL (Microsoft Corporation),
version: 10.0.18362.267 (WinBuild.160101.0800)
00007FFEDBB30000-00007FFEDBB38000 NSI.dll (Microsoft Corporation),
version: 10.0.18362.449 (WinBuild.160101.0800)
00007FFED8710000-00007FFED873D000 WINMMBASE.dll (Microsoft Corporation),
version: 10.0.18362.1 (WinBuild.160101.0800)
00007FFEDB810000-00007FFEDB85A000 cfgmgr32.dll (Microsoft Corporation),
version: 10.0.18362.387 (WinBuild.160101.0800)
00007FFED7180000-00007FFED726F000 PROPSYS.dll (Microsoft Corporation),
version: 7.0.18362.267 (WinBuild.160101.0800)
00007FFEDD890000-00007FFEDD939000 shcore.dll (Microsoft Corporation),
version: 10.0.18362.752 (WinBuild.160101.0800)
00007FFEDA7D0000-00007FFEDA7FF000 SSPICLI.DLL (Microsoft Corporation),
version: 10.0.18362.1 (WinBuild.160101.0800)
00007FFEDA1A0000-00007FFEDA1AC000 CRYPTBASE.DLL (Microsoft Corporation),
version: 10.0.18362.1 (WinBuild.160101.0800)

Code Injection
0000016450962000-0000016450963000 4KB C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [3476]
00007FFEDDABC000-00007FFEDDABD000 4KB
00007FFEDDABE000-00007FFEDDABF000 4KB
1 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [3476] 2020-04-28T12:41:13
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default --flag-switches-begin --flag-switches-end --enable-audio-service-sandbox --restore-last-session --flag-switches-begin --flag-switches-end --enable-audio-service-sand
2 C:\Windows\explorer.exe [3164] 2020-04-28T12:40:47
3 C:\Windows\System32\userinit.exe [10208] 2020-04-28T12:40:47 23.2s
4 C:\Windows\System32\winlogon.exe [4804] 2020-04-28T10:42:27
C:\Windows\System32\WinLogon.exe -SpecialSession
5 C:\Windows\System32\smss.exe [11720] 2020-04-28T10:42:27 88ms
\SystemRoot\System32\smss.exe 000000ec 00000084 C:\Windows\System32\WinLogon.exe -SpecialSession
6 C:\Windows\System32\smss.exe [452] 2020-04-27T20:07:20
\SystemRoot\System32\smss.exe
7 [4] 2020-04-27T20:07:20

Process Trace
1 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [6004] 2020-04-28T12:41:15
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,13357292668346598227,2028400008063833005,131072 --lang=nl --extension-process --disable-client-side-phishing-detection --enable-auto-reload --device-sc
2 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [3476] 2020-04-28T12:41:13
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default --flag-switches-begin --flag-switches-end --enable-audio-service-sandbox --restore-last-session --flag-switches-begin --flag-switches-end --enable-audio-service-sand
3 C:\Windows\explorer.exe [3164] 2020-04-28T12:40:47
4 C:\Windows\System32\userinit.exe [10208] 2020-04-28T12:40:47 23.2s
5 C:\Windows\System32\winlogon.exe [4804] 2020-04-28T10:42:27
C:\Windows\System32\WinLogon.exe -SpecialSession
6 C:\Windows\System32\smss.exe [11720] 2020-04-28T10:42:27 88ms
\SystemRoot\System32\smss.exe 000000ec 00000084 C:\Windows\System32\WinLogon.exe -SpecialSession
7 C:\Windows\System32\smss.exe [452] 2020-04-27T20:07:20
\SystemRoot\System32\smss.exe
8 [4] 2020-04-27T20:07:20

Thumbprint
46f9ba42de5fc58d43cf2f1042f6e197a435edbeacd284302f54bf9f3246de19
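The report above is a structured artifact, and the first step in triaging it is to pull out the facts that decide what to do next. The Python script below is an added example (not HitmanPro.Alert's or Sophos's code, and not part of the original post); the report layout is inferred from the text above, so the regular expressions are assumptions about that format. It parses a trimmed copy of the post's own report (mitigation, callee, branch trace, stack trace, loaded-module ranges, process command line) and reports whether the gadget chain ends in a request for executable-and-writable memory, whether every branch-trace address resolves to a loaded module, how many rows the report marks `RET*`, and which kind of browser process was hit. The protection value comes from the `MOV R9D, 0x40` line: under the Win64 calling convention R9 carries the fourth argument, which for VirtualAlloc is flProtect, and 0x40 is PAGE_EXECUTE_READWRITE. The script extracts facts only; it does not decide whether the hit is an exploit. A RWX allocation requested from inside the browser's own module in a `--type=renderer` process is also how a JavaScript JIT compiler obtains code memory, so the final call belongs with the vendor and the report thumbprint, which is what the post is asking for.

```python
"""Pull the triage-relevant facts out of a HitmanPro.Alert mitigation report.
Added example, not HitmanPro.Alert's code; the layout is inferred from the
report in the post, so the regexes are assumptions about that format."""
import re
from dataclasses import dataclass, field
from typing import Optional

# winnt.h constant.  Win64 passes the fourth argument (flProtect for
# VirtualAlloc) in R9, so "MOV R9D, 0x40" asks for executable+writable pages.
PAGE_EXECUTE_READWRITE = 0x40

# Sample input: lines copied from the report in the post, trimmed to the
# sections this parser reads (raw string, so the backslashes are literal).
SAMPLE_REPORT = r"""Mitigation ROP
PID 6004
Callee Type AllocateVirtualMemory
Branch Trace Opcode To
0x00007FFE97EE76C6 msedge.dll RET 0x00007FFE93343EF0 msedge.dll ^001B
0x00007FFE910E18EF msedge.dll RET 0x00007FFE9334441A msedge.dll ^0016
0x00007FFE9119F0A3 msedge.dll RET 0x00007FFE9334425D msedge.dll ^0040
0x00007FFE910E18EF msedge.dll ~ RET* 0x00007FFE93BD7876 msedge.dll ^0172
41b940000000 MOV R9D, 0x40
ebb2 JMP 0x7ffe93bd7830
Stack Trace
1 00007FFEDB3F2238 KernelBase.dll VirtualAlloc +0x48
2 00007FFE93BD783C msedge.dll
Loaded Modules
00007FFEDB390000-00007FFEDB633000 KERNELBASE.dll (Microsoft Corporation),
00007FFE910E0000-00007FFE99A90000 msedge.dll (Microsoft Corporation),
Process Trace
1 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [6004] 2020-04-28T12:41:15
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --lang=nl
"""

BRANCH_RE = re.compile(r"^(0x[0-9A-Fa-f]+)\s+(\S+)\s+(?:~\s+)?([A-Z]+\*?)\s+(0x[0-9A-Fa-f]+)\s+(\S+)")
MODULE_RE = re.compile(r"^([0-9A-Fa-f]{16})-([0-9A-Fa-f]{16})\s+(\S+)\s+\(")
STACK_RE = re.compile(r"^(\d+)\s+([0-9A-Fa-f]{16})\s+(\S+)\s*(.*)$")
PROTECT_RE = re.compile(r"MOV R9D,\s*(0x[0-9A-Fa-f]+)")
PROCTYPE_RE = re.compile(r"--type=([A-Za-z_-]+)")

@dataclass
class Report:
    mitigation: str = ""
    callee: str = ""
    pid: int = 0
    protect: Optional[int] = None        # flProtect loaded by the gadget
    process_type: Optional[str] = None   # value of the --type= switch
    branches: list = field(default_factory=list)  # (src, src_mod, op, dst, dst_mod)
    modules: list = field(default_factory=list)   # (start, end, name)
    stack: list = field(default_factory=list)     # (frame, addr, module, location)

def parse_report(text: str) -> Report:
    """One pass over the report; each line type is recognised by its shape."""
    rep = Report()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Mitigation "):
            rep.mitigation = line.split(None, 1)[1]
        elif line.startswith("Callee Type "):
            rep.callee = line.split(None, 2)[2]
        elif line.startswith("PID "):
            rep.pid = int(line.split()[1])
        elif m := BRANCH_RE.match(line):
            rep.branches.append((int(m[1], 16), m[2], m[3], int(m[4], 16), m[5]))
        elif m := MODULE_RE.match(line):
            rep.modules.append((int(m[1], 16), int(m[2], 16), m[3]))
        elif m := STACK_RE.match(line):
            rep.stack.append((int(m[1]), int(m[2], 16), m[3], m[4].strip()))
        elif (m := PROTECT_RE.search(line)) and rep.protect is None:
            rep.protect = int(m[1], 16)
        elif (m := PROCTYPE_RE.search(line)) and rep.process_type is None:
            rep.process_type = m[1]
    return rep

def module_for(addr: int, modules) -> Optional[str]:
    """Name of the loaded module whose range contains addr, else None."""
    return next((name for start, end, name in modules if start <= addr < end), None)

def triage(rep: Report) -> dict:
    """Facts a reviewer checks before calling a ROP hit real or benign."""
    resolved = [(module_for(b[0], rep.modules), module_for(b[3], rep.modules))
                for b in rep.branches]
    return {
        "mitigation": rep.mitigation,
        "callee": rep.callee,
        # Gadget chain ends in a request for executable+writable memory.
        "rwx_allocation": rep.callee == "AllocateVirtualMemory"
        and rep.protect == PAGE_EXECUTE_READWRITE,
        # Chains staged in unbacked memory (heap, shellcode) show up here.
        "branches_outside_modules": sum(None in pair for pair in resolved),
        "branch_modules": sorted({n for pair in resolved for n in pair if n}),
        # Rows the report marks RET* (here the final return into the gadget).
        "starred_returns": sum(b[2].endswith("*") for b in rep.branches),
        "api_frame": next((s for s in rep.stack if s[3]), None),
        "process_type": rep.process_type,
    }

if __name__ == "__main__":
    for key, value in triage(parse_report(SAMPLE_REPORT)).items():
        print(f"{key:26} {value}")
```

Run it on the full report text instead of the trimmed sample to get the same summary; a chain with addresses that do not resolve to any loaded module, or a protection other than 0x40 reached through a different callee, changes the picture and is worth stating explicitly when escalating.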


