Event id 911

Hello there.

Received an attack, or at least a report from hmpalert.

What is going on? Should I be worried?

Below is the report.


Greetings,


Mitigation ROP
Timestamp 2020-04-28T12:41:20

Platform 10.0.18363/x64 v795 06_9e
PID 6004
Feature 001F1A341FBFB1A6
Application C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Created 2020-04-23T19:40:52
Modified 2020-04-23T03:14:02
Description Microsoft Edge 81

Callee Type AllocateVirtualMemory
0x000023C665F76000 (4096 bytes)

Branch Trace Opcode To
---------------------------------------- -------- ----------------------------------------
0x00007FFE97EE76C6 msedge.dll RET 0x00007FFE93343EF0 msedge.dll ^001B

0x00007FFE910E18EF msedge.dll RET 0x00007FFE9334441A msedge.dll ^0016

0x00007FFE9119F0A3 msedge.dll RET 0x00007FFE9334425D msedge.dll ^0040

0x00007FFE910E18EF msedge.dll ~ RET* 0x00007FFE93BD7876 msedge.dll ^0172
41b940000000 MOV R9D, 0x40
ebb2 JMP 0x7ffe93bd7830


Stack Trace
# Address Module Location
-- ---------------- ------------------------ ----------------------------------------
1 00007FFEDB3F2238 KernelBase.dll VirtualAlloc +0x48

2 00007FFE93BD783C msedge.dll
4885c0 TEST RAX, RAX
0f95c0 SETNZ AL
4883c428 ADD RSP, 0x28
c3 RET

3 00007FFE931B633B msedge.dll
4 00007FFE931B5DCE msedge.dll
5 00007FFE931B9027 msedge.dll
6 00007FFE9319A56C msedge.dll
7 00007FFE93196387 msedge.dll
8 00007FFE91184971 msedge.dll
9 00007FFE91187F0E msedge.dll
10 00007FFE911876F7 msedge.dll

Loaded Modules
-----------------------------------------------------------------------------
00007FF7140F0000-00007FF7143A4000 msedge.exe (Microsoft Corporation),
version: 81.0.416.64
00007FFEDDA20000-00007FFEDDC10000 ntdll.dll (Microsoft Corporation),
version: 10.0.18362.778 (WinBuild.160101.0800)
00007FFEDCEF0000-00007FFEDCFA2000 KERNEL32.dll (Microsoft Corporation),
version: 10.0.18362.778 (WinBuild.160101.0800)
00007FFEDA5C0000-00007FFEDA6D8000 hmpalert.dll (SurfRight B.V.),
version: 3.7.13.795
00007FFEDB390000-00007FFEDB633000 KERNELBASE.dll (Microsoft Corporation),
version: 10.0.18362.778 (WinBuild.160101.0800)
00007FFEB04D0000-00007FFEB05C8000 msedge_elf.dll (Microsoft Corporation),
version: 81.0.416.64
00007FFEDB640000-00007FFEDB6C0000 bcryptPrimitives.dll (Microsoft Corporation),
version: 10.0.18362.295 (WinBuild.160101.0800)
00007FFEDC6C0000-00007FFEDC763000 ADVAPI32.dll (Microsoft Corporation),
version: 10.0.18362.752 (WinBuild.160101.0800)
00007FFEDD200000-00007FFEDD29E000 msvcrt.dll (Microsoft Corporation),
version: 7.0.18362.1 (WinBuild.160101.0800)
00007FFEDD940000-00007FFEDD9D7000 sechost.dll (Microsoft Corporation),
version: 10.0.18362.693 (WinBuild.160101.0800)
0000016451660000-0000016451780000 RPCRT4.dll (Microsoft Corporation),
version: 10.0.18362.628 (WinBuild.160101.0800)
00007FFE910E0000-00007FFE99A90000 msedge.dll (Microsoft Corporation),
version: 81.0.416.64
00007FFEDD660000-00007FFEDD6CF000 WS2_32.dll (Microsoft Corporation),
version: 10.0.18362.387 (WinBuild.160101.0800)
00007FFEDC380000-00007FFEDC444000 OLEAUT32.dll (Microsoft Corporation),
version: 10.0.18362.693 (WinBuild.160101.0800)
00007FFEDBA30000-00007FFEDBACE000 msvcp_win.dll (Microsoft Corporation),
version: 10.0.18362.387 (WinBuild.160101.0800)
00007FFEDAA10000-00007FFEDAB0A000 ucrtbase.dll (Microsoft Corporation),
version: 10.0.18362.387 (WinBuild.160101.0800)
00007FFEDD2A0000-00007FFEDD5D6000 combase.dll (Microsoft Corporation),
version: 10.0.18362.693 (WinBuild.160101.0800)
00007FFEDA9B0000-00007FFEDAA0C000 WINTRUST.dll (Microsoft Corporation),
version: 10.0.18362.387 (WinBuild.160101.0800)
00007FFEDA990000-00007FFEDA9A2000 MSASN1.dll (Microsoft Corporation),
version: 10.0.18362.1 (WinBuild.160101.0800)
00007FFEDB6C0000-00007FFEDB809000 CRYPT32.dll (Microsoft Corporation),
version: 10.0.18362.592 (WinBuild.160101.0800)
00007FFED9CE0000-00007FFED9D1A000 IPHLPAPI.DLL (Microsoft Corporation),
version: 10.0.18362.1 (WinBuild.160101.0800)
00007FFED8770000-00007FFED8794000 WINMM.dll (Microsoft Corporation),
version: 10.0.18362.1 (WinBuild.160101.0800)
00007FFEC7FA0000-00007FFEC7FAC000 Secur32.dll (Microsoft Corporation),
version: 10.0.18362.1 (WinBuild.160101.0800)
00007FFEDA800000-00007FFEDA825000 USERENV.dll (Microsoft Corporation),
version: 10.0.18362.387 (WinBuild.160101.0800)
00007FFEDA960000-00007FFEDA983000 profapi.dll (Microsoft Corporation),
version: 10.0.18362.693 (WinBuild.160101.0800)
00007FFEBC060000-00007FFEBC2D0000 UIAutomationCore.DLL (Microsoft Corporation),
version: 7.2.18362.693 (WinBuild.160101.0800)
00007FFECDC90000-00007FFECDD80000 WINHTTP.dll (Microsoft Corporation),
version: 10.0.18362.778 (WinBuild.160101.0800)
00007FFEC99F0000-00007FFEC9CEE000 DWrite.dll (Microsoft Corporation),
version: 10.0.18362.476 (WinBuild.160101.0800)
00007FFECCA60000-00007FFECCAE9000 WINSPOOL.DRV (Microsoft Corporation),
version: 10.0.18362.693 (WinBuild.160101.0800)
00007FFEDA940000-00007FFEDA951000 kernel.appcore.dll (Microsoft Corporation),
version: 10.0.18362.1 (WinBuild.160101.0800)
00007FFEDB860000-00007FFEDB886000 bcrypt.dll (Microsoft Corporation),
version: 10.0.18362.267 (WinBuild.160101.0800)
00007FFEC2490000-00007FFEC2684000 dbghelp.dll (Microsoft Corporation),
version: 10.0.18362.1 (WinBuild.160101.0800)
00007FFED3B10000-00007FFED3B2C000 dhcpcsvc.DLL (Microsoft Corporation),
version: 10.0.18362.267 (WinBuild.160101.0800)
00007FFEDBB30000-00007FFEDBB38000 NSI.dll (Microsoft Corporation),
version: 10.0.18362.449 (WinBuild.160101.0800)
00007FFED8710000-00007FFED873D000 WINMMBASE.dll (Microsoft Corporation),
version: 10.0.18362.1 (WinBuild.160101.0800)
00007FFEDB810000-00007FFEDB85A000 cfgmgr32.dll (Microsoft Corporation),
version: 10.0.18362.387 (WinBuild.160101.0800)
00007FFED7180000-00007FFED726F000 PROPSYS.dll (Microsoft Corporation),
version: 7.0.18362.267 (WinBuild.160101.0800)
00007FFEDD890000-00007FFEDD939000 shcore.dll (Microsoft Corporation),
version: 10.0.18362.752 (WinBuild.160101.0800)
00007FFEDA7D0000-00007FFEDA7FF000 SSPICLI.DLL (Microsoft Corporation),
version: 10.0.18362.1 (WinBuild.160101.0800)
00007FFEDA1A0000-00007FFEDA1AC000 CRYPTBASE.DLL (Microsoft Corporation),
version: 10.0.18362.1 (WinBuild.160101.0800)

Code Injection
0000016450962000-0000016450963000 4KB C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [3476]
00007FFEDDABC000-00007FFEDDABD000 4KB
00007FFEDDABE000-00007FFEDDABF000 4KB
1 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [3476] 2020-04-28T12:41:13
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default --flag-switches-begin --flag-switches-end --enable-audio-service-sandbox --restore-last-session --flag-switches-begin --flag-switches-end --enable-audio-service-sand
2 C:\Windows\explorer.exe [3164] 2020-04-28T12:40:47
3 C:\Windows\System32\userinit.exe [10208] 2020-04-28T12:40:47 23.2s
4 C:\Windows\System32\winlogon.exe [4804] 2020-04-28T10:42:27
C:\Windows\System32\WinLogon.exe -SpecialSession
5 C:\Windows\System32\smss.exe [11720] 2020-04-28T10:42:27 88ms
\SystemRoot\System32\smss.exe 000000ec 00000084 C:\Windows\System32\WinLogon.exe -SpecialSession
6 C:\Windows\System32\smss.exe [452] 2020-04-27T20:07:20
\SystemRoot\System32\smss.exe
7 [4] 2020-04-27T20:07:20

Process Trace
1 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [6004] 2020-04-28T12:41:15
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,13357292668346598227,2028400008063833005,131072 --lang=nl --extension-process --disable-client-side-phishing-detection --enable-auto-reload --device-sc
2 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [3476] 2020-04-28T12:41:13
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default --flag-switches-begin --flag-switches-end --enable-audio-service-sandbox --restore-last-session --flag-switches-begin --flag-switches-end --enable-audio-service-sand
3 C:\Windows\explorer.exe [3164] 2020-04-28T12:40:47
4 C:\Windows\System32\userinit.exe [10208] 2020-04-28T12:40:47 23.2s
5 C:\Windows\System32\winlogon.exe [4804] 2020-04-28T10:42:27
C:\Windows\System32\WinLogon.exe -SpecialSession
6 C:\Windows\System32\smss.exe [11720] 2020-04-28T10:42:27 88ms
\SystemRoot\System32\smss.exe 000000ec 00000084 C:\Windows\System32\WinLogon.exe -SpecialSession
7 C:\Windows\System32\smss.exe [452] 2020-04-27T20:07:20
\SystemRoot\System32\smss.exe
8 [4] 2020-04-27T20:07:20

Thumbprint
46f9ba42de5fc58d43cf2f1042f6e197a435edbeacd284302f54bf9f3246de19

  • Hi

    This might be a false positive, or it might be a legitimate alert as well. There might be multiple alerts related to this event in the event viewer.

    I'd suggest you collect the SDU logs from the machine and upload them to the Sophos support case, if you have created one here.

  • Hello

    You may also opt to install the Intercept X cumulative hotfix (please read through the linked article prior to installing). If the detection still occurs after this is installed, then you may collect as much information as possible (such as ways to reproduce the detection) and the SDU logs, and start a ticket with Support, as mentioned by  .