HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. jd97

    jd97 Registered Member

    Joined:
    Apr 27, 2015
    Posts:
    28
    Yep, 52 entries in the event log from open to crash (didn't register with DCOM and ntdll.dll issues)
     
  2. Sand

    Sand Registered Member

    Joined:
    Apr 28, 2016
    Posts:
    26
    Did a clean install to troubleshoot a problem with another program that I fixed at BIOS level; it now seems to work with CFG too on a clean install. I guess all those updates, one after another over the last few weeks, ended up breaking something...

    Anyway, let's start again to see if instead it is some incompatibility with some other program causing issues. :thumb:

    Right now it works flawlessly...
     
  3. feerf56

    feerf56 Registered Member

    Joined:
    Feb 24, 2015
    Posts:
    324
    False positive alarm again with Firefox 61.0.1 (64-bit) (HitmanPro.Alert v3.7.8 build 750). The newest HitmanPro, Emsisoft Emergency Kit, Malwarebytes Anti-Malware and Dr.Web CureIt found nothing.
     

    Last edited: Jul 31, 2018
  4. Sand

    Sand Registered Member

    Joined:
    Apr 28, 2016
    Posts:
    26
    @jd97 you can try the same solution I tried, disabling CFG; the problem reappeared again after a clean format and upgrade to the latest 17134.191,

    at this point it is either some software I installed after the clean format, or the latest Windows update, creating interference with HitmanPro.ALERT under some conditions, because I have a laptop with a similar security setup and on that it never happened.
     
  5. feerf56

    feerf56 Registered Member

    Joined:
    Feb 24, 2015
    Posts:
    324
    I would like a whitelist, because I would like to use all NirSoft utilities. This is a serious mistake for HitmanPro.Alert.
     
  6. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
    Huh? Not understanding this. I use NirSoft utilities and never had a conflict with HMPA.
     
  7. feerf56

    feerf56 Registered Member

    Joined:
    Feb 24, 2015
    Posts:
    324
    Here you are!
    2018-08-07_155620.jpg
     

  8. guest

    guest Guest

    Turning off the Real-Time Anti-Malware feature is the only solution at the moment (before running such tools)
     
  9. feerf56

    feerf56 Registered Member

    Joined:
    Feb 24, 2015
    Posts:
    324
    Yes, but not the best solution.
     
  10. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
    That 'AdvancedRun' is one that I have never tried (and he has so many!). But just launching it with default settings did not trigger HMPA for me, so I presume that how you have configured it must appear suspicious to the anti-malware module.

    You will probably need to follow Mood's advice if you wish to run system tools like that one.
     
  11. feerf56

    feerf56 Registered Member

    Joined:
    Feb 24, 2015
    Posts:
    324
    In my opinion, no. The whitelist is more elegant and safer than reducing functionality.
     
  12. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Hello @erikloman , @markloman and @RonnyT ,

    I would like to report a probable false positive that started this morning.
    Log Name: Application
    Source: HitmanPro.Alert
    Date: 08/07/18 12:37:20
    Event ID: 911
    Task Category: Mitigation
    Level: Error
    Keywords: Classic
    User: N/A
    Computer: Dell-XPS-8920
    Description:
    Mitigation ROP

    Platform 10.0.17134/x64 v750 06_9e
    PID 7620
    Application C:\Program Files (x86)\eM Client\MailClient.exe
    Description eM Client 7.1

    Callee Type LoadLibrary
    SHLWAPI.dll

    Branch Trace Opcode To
    -------------------------------- -------- --------------------------------
    0x58AE0A6F ebehmoni.dll ~ RET* 0x58AFC01B ebehmoni.dll ^0001
    8da42408000000 LEA ESP, [ESP+0x8]
    5a POP EDX
    59 POP ECX
    58 POP EAX
    9d POPF
    8da42428000000 LEA ESP, [ESP+0x28]
    f0832d90443c0201 LOCK SUB DWORD [0x23c4490], 0x1
    50 PUSH EAX
    8b442404 MOV EAX, [ESP+0x4]
    64a300000000 MOV [FS:0x0], EAX
    58 POP EAX
    8da4240c000000 LEA ESP, [ESP+0xc]
    ff2508c1af58 JMP DWORD [0x58afc108]
    (59B431D3FA9D93C5)


    0x58AE0D12 ebehmoni.dll RET 0x58AE0A6E ebehmoni.dll ^0014

    0x58AE2607 ebehmoni.dll RET 0x58AE0C1B ebehmoni.dll ^00BD

    0x58AE8B82 ebehmoni.dll RET 0x58AE0BEE ebehmoni.dll ^00ED

    0x58AE8B0B ebehmoni.dll RET 0x58AFBFAF ebehmoni.dll ^0050

    0x58AE0D63 ebehmoni.dll RET 0x58AFBF75 ebehmoni.dll ^0004

    Stack Trace
    # Address Module Location
    -- -------- ------------------------ ----------------------------------------
    1 75FF00E8 KernelBase.dll LoadLibraryExW +0x148
    2 75FEE756 KernelBase.dll LoadLibraryExA +0x26

    3 739A5CF5 hmpalert.dll +0x65cf5
    8bf8 MOV EDI, EAX
    85ff TEST EDI, EDI
    754e JNZ 0x739a5d49
    ff153c009c73 CALL DWORD [0x739c003c]
    8b3d20119c73 MOV EDI, [0x739c1120]
    8945ec MOV [EBP-0x14], EAX
    85ff TEST EDI, EDI
    7416 JZ 0x739a5d24
    8d45cc LEA EAX, [EBP-0x34]
    8bcf MOV ECX, EDI
    50 PUSH EAX
    6a03 PUSH 0x3
    ff1564029c73 CALL DWORD [0x739c0264]
    ffd7 CALL EDI
    8bf8 MOV EDI, EAX
    85ff TEST EDI, EDI

    4 739A6E9A hmpalert.dll +0x66e9a
    5 7398394E hmpalert.dll +0x4394e
    6 73986265 hmpalert.dll +0x46265
    7 7397E052 hmpalert.dll +0x3e052
    8 77268E50 ntdll.dll RtlUpdateTimer +0x1b0
    9 771BDE07 ntdll.dll
    10 771BCEE9 ntdll.dll

    Loaded Modules
    -----------------------------------------------------------------------------
    00C70000-022F4000 MailClient.exe (eM Client s.r.o.),
    version: 7.1.33101.0
    77170000-77300000 ntdll.dll (Microsoft Corporation),
    version: 10.0.17134.165 (WinBuild.160101.0800)
    763B0000-76490000 KERNEL32.dll (Microsoft Corporation),
    version: 10.0.17134.1 (WinBuild.160101.0800)
    6CF80000-6CFD5000 MSCOREE.DLL (Microsoft Corporation),
    version: 10.0.17134.1 (WinBuild.160101.0800)
    75F00000-760E4000 KERNELBASE.dll (Microsoft Corporation),
    version: 10.0.17134.165 (WinBuild.160101.0800)
    73940000-73A20000 hmpalert.dll (SurfRight B.V.),
    version: 3.7.8.750
    75C90000-75D08000 ADVAPI32.dll (Microsoft Corporation),
    version: 10.0.17134.1 (WinBuild.160101.0800)
    764C0000-7657F000 msvcrt.dll (Microsoft Corporation),
    version: 7.0.17134.1 (WinBuild.160101.0800)
    76650000-76694000 sechost.dll (Microsoft Corporation),
    version: 10.0.17134.1 (WinBuild.160101.0800)
    758C0000-75980000 RPCRT4.dll (Microsoft Corporation),
    version: 10.0.17134.112 (WinBuild.160101.0800)
    73A30000-73A50000 SspiCli.dll (Microsoft Corporation),
    version: 10.0.17134.1 (WinBuild.160101.0800)
    73A20000-73A2A000 CRYPTBASE.dll (Microsoft Corporation),
    version: 10.0.17134.1 (WinBuild.160101.0800)
    75DC0000-75E18000 bcryptPrimitives.dll (Microsoft Corporation),
    version: 10.0.17134.137 (WinBuild.160101.0800)
    58AD0000-58B4B000 ebehmoni.dll (ESET),
    version: 1.0.15.0
    75980000-75B0D000 USER32.dll (Microsoft Corporation),
    version: 10.0.17134.1 (WinBuild.160101.0800)
    73D10000-73D27000 win32u.dll (Microsoft Corporation),
    version: 10.0.17134.1 (WinBuild.160101.0800)
    76490000-764B2000 GDI32.dll (Microsoft Corporation),
    version: 10.0.17134.1 (WinBuild.160101.0800)
    755B0000-75714000 gdi32full.dll (Microsoft Corporation),
    version: 10.0.17134.112 (WinBuild.160101.0800)
    76330000-763AD000 msvcp_win.dll (Microsoft Corporation),
    version: 10.0.17134.1 (WinBuild.160101.0800)
    76F60000-7707E000 ucrtbase.dll (Microsoft Corporation),
    version: 10.0.17134.191 (WinBuild.160101.0800)
    766B0000-766D6000 IMM32.DLL (Microsoft Corporation),
    version: 10.0.17134.1 (WinBuild.160101.0800)
    6A250000-6A2CD000 mscoreei.dll (Microsoft Corporation),
    version: 4.7.3056.0 built by: NET472REL1
    73CC0000-73D05000 SHLWAPI.dll (Microsoft Corporation),
    version: 10.0.17134.1 (WinBuild.160101.0800)
    76D00000-76F5C000 combase.dll (Microsoft Corporation),
    version: 10.0.17134.112 (WinBuild.160101.0800)
    75170000-7517F000 kernel.appcore.dll (Microsoft Corporation),
    version: 10.0.17134.112 (WinBuild.160101.0800)
    73900000-73908000 VERSION.dll (Microsoft Corporation),
    version: 10.0.17134.1 (WinBuild.160101.0800)
    68E30000-6951F000 clr.dll (Microsoft Corporation),
    version: 4.7.3160.0 built by: NET472REL1LAST_C
    68D30000-68E25000 MSVCR120_CLR0400.dll (Microsoft Corporation),
    version: 12.00.52519.0 built by: VSWINSERVICING
    679A0000-68D2F000 mscorlib.ni.dll (Microsoft Corporation),
    version: 4.7.3160.0 built by: NET472REL1LAST_C
    76230000-7632C000 ole32.dll (Microsoft Corporation),
    version: 10.0.17134.137 (WinBuild.160101.0800)
    72BA0000-72C1C000 uxtheme.dll (Microsoft Corporation),
    version: 10.0.17134.1 (WinBuild.160101.0800)
    738E0000-738F3000 CRYPTSP.dll (Microsoft Corporation),
    version: 10.0.17134.1 (WinBuild.160101.0800)
    738B0000-738DF000 rsaenh.dll (Microsoft Corporation),
    version: 10.0.17134.191 (WinBuild.160101.0800)
    72990000-729A9000 bcrypt.dll (Microsoft Corporation),
    version: 10.0.17134.112 (WinBuild.160101.0800)
    61030000-61A40000 System.ni.dll (Microsoft Corporation),
    version: 4.7.3056.0 built by: NET472REL1
    6A850000-6A8BF000 MailClient.Mail.ni.dll (),
    version: 7.1.33101.0
    60F20000-61021000 HTMLEditorControl.ni.dll (),
    version: 7.1.33101.0
    6CEC0000-6CF08000 MailClient.Collections.ni.dll (),
    version: 7.1.33101.0
    5E9F0000-60F16000 MailClient.ni.exe (eM Client s.r.o.),
    version: 7.1.33101.0
    5E960000-5E9EE000 LinqBridge.ni.dll (),
    version: 1.3.13216.2214
    5E740000-5E953000 MailClient.Accounts.ni.dll (),
    version: 7.1.33101.0
    66D70000-66F04000 System.Drawing.ni.dll (Microsoft Corporation),
    version: 4.7.3056.0 built by: NET472REL1
    66050000-66D6D000 System.Windows.Forms.ni.dll (Microsoft Corporation),
    version: 4.7.3056.0 built by: NET472REL1
    5E330000-5E738000 MailClient.Common.UI.ni.dll (),
    version: 7.1.33101.0
    5E2A0000-5E326000 MailClient.Storage.ni.dll (),
    version: 7.1.33101.0
    6CEB0000-6CEBA000 MailClient.Widget.ni.dll (),
    version: 7.1.33101.0
    5E200000-5E292000 MailClient.Avatar.ni.dll (),
    version: 7.1.33101.0
    6A840000-6A84D000 MailClient.Import.ni.dll (),
    version: 7.1.33101.0
    6A820000-6A834000 MailClient.Threading.ni.dll (),
    version: 7.1.33101.0
    5E1E0000-5E1F1000 MailClient.ErrorReporter.ni.dll (),
    version: 7.1.33101.0
    5E040000-5E1E0000 jabber-net.ni.dll (Cursive Systems, Inc.),
    version: 7.1.33101.0
    5DDF0000-5E032000 Xilium.CefGlue.ni.dll (),
    version: 7.1.33101.0
    6A810000-6A81D000 Microsoft.Experimental.IO.ni.dll (Microsoft Corporation),
    version: 1.0.0.3
    5DDB0000-5DDE6000 WinApi.ni.dll (),
    version: 1.1.33101.0
    5DDA0000-5DDA8000 MailClient.Interop.ni.dll (),
    version: 7.1.33101.0
    5DD50000-5DD91000 MailClient.Storage.Schedule.ni.dll (),
    version: 7.1.33101.0
    5DCB0000-5DD47000 MailClient.Schedule.ni.dll (),
    version: 7.1.33101.0
    5DC90000-5DCA5000 MailClient.Storage.Folders.ni.dll (),
    version: 7.1.33101.0
    5DC80000-5DC88000 MailClient.Attachment.ni.dll (),
    version: 7.1.33101.0
    541A0000-57E68000 libcef.DLL (),
    version: 3.2623.1433.gb437111
    76580000-76586000 PSAPI.DLL (Microsoft Corporation),
    version: 10.0.17134.1 (WinBuild.160101.0800)
    75E20000-75EF6000 COMDLG32.dll (Microsoft Corporation),
    version: 10.0.17134.1 (WinBuild.160101.0800)
    73A70000-73AF8000 shcore.dll (Microsoft Corporation),
    version: 10.0.17134.112 (WinBuild.160101.0800)
    73D30000-7507A000 SHELL32.dll (Microsoft Corporation),
    version: 10.0.17134.137 (WinBuild.160101.0800)
    760F0000-76129000 cfgmgr32.dll (Microsoft Corporation),
    version: 10.0.17134.1 (WinBuild.160101.0800)
    76740000-76CFA000 windows.storage.dll (Microsoft Corporation),
    version: 10.0.17134.191 (WinBuild.160101.0800)
    765E0000-765F8000 profapi.dll (Microsoft Corporation),
    version: 10.0.17134.1 (WinBuild.160101.0800)
    76590000-765D5000 powrprof.dll (Microsoft Corporation),
    version: 10.0.17134.1 (WinBuild.160101.0800)
    73A50000-73A58000 FLTLIB.DLL (Microsoft Corporation),
    version: 10.0.17134.1 (WinBuild.160101.0800)
    76190000-76226000 OLEAUT32.dll (Microsoft Corporation),
    version: 10.0.17134.48 (WinBuild.160101.0800)
    73C50000-73CB7000 WS2_32.dll (Microsoft Corporation),
    version: 10.0.17134.1 (WinBuild.160101.0800)
    75720000-758B6000 CRYPT32.dll (Microsoft Corporation),
    version: 10.0.17134.1 (WinBuild.160101.0800)
    766A0000-766AE000 MSASN1.dll (Microsoft Corporation),
    version: 10.0.17134.1 (WinBuild.160101.0800)
    5DC60000-5DC77000 USP10.dll (Microsoft Corporation),
    version: 10.0.17134.1 (WinBuild.160101.0800)
    72B10000-72B7C000 WINSPOOL.DRV (Microsoft Corporation),
    version: 10.0.17134.1 (WinBuild.160101.0800)
    726D0000-728D4000 COMCTL32.dll (Microsoft Corporation),
    version: 6.10 (WinBuild.160101.0800)
    728E0000-72990000 WINHTTP.dll (Microsoft Corporation),
    version: 10.0.17134.137 (WinBuild.160101.0800)
    73910000-73931000 USERENV.dll (Microsoft Corporation),
    version: 10.0.17134.1 (WinBuild.160101.0800)
    72EE0000-7307C000 urlmon.dll (Microsoft Corporation),
    version: 11.00.17134.191 (WinBuild.160101.0800)
    73840000-73854000 dhcpcsvc.DLL (Microsoft Corporation),
    version: 10.0.17134.1 (WinBuild.160101.0800)
    73A60000-73A67000 NSI.dll (Microsoft Corporation),
    version: 10.0.17134.1 (WinBuild.160101.0800)
    736F0000-736FF000 WTSAPI32.dll (Microsoft Corporation),
    version: 10.0.17134.1 (WinBuild.160101.0800)
    6AA20000-6AA76000 OLEACC.dll (Microsoft Corporation),
    version: 7.2.17134.1 (WinBuild.160101.0800)
    72AB0000-72AD4000 WINMM.dll (Microsoft Corporation),
    version: 10.0.17134.1 (WinBuild.160101.0800)
    71B60000-71B6A000 Secur32.dll (Microsoft Corporation),
    version: 10.0.17134.1 (WinBuild.160101.0800)
    73880000-738B0000 IPHLPAPI.DLL (Microsoft Corporation),
    version: 10.0.17134.1 (WinBuild.160101.0800)
    72260000-723E0000 PROPSYS.dll (Microsoft Corporation),
    version: 7.0.17134.112 (WinBuild.160101.0800)
    72C70000-72E95000 iertutil.dll (Microsoft Corporation),
    version: 11.00.17134.165 (WinBuild.160101.0800)
    729E0000-72A03000 WINMMBASE.dll (Microsoft Corporation),
    version: 10.0.17134.1 (WinBuild.160101.0800)
    62FD0000-630F3000 System.Management.ni.dll (Microsoft Corporation),
    version: 4.7.3056.0 built by: NET472REL1
    75080000-75103000 clbcatq.dll (Microsoft Corporation),
    version: 2001.12.10941.16384 (WinBuild.160101.080
    62240000-6225E000 wmiutils.dll (Microsoft Corporation),
    version: 10.0.17134.1 (WinBuild.160101.0800)
    6CFE0000-6D04B000 wbemcomn.dll (Microsoft Corporation),
    version: 10.0.17134.1 (WinBuild.160101.0800)
    71A80000-71A8D000 wbemprox.dll (Microsoft Corporation),
    version: 10.0.17134.1 (WinBuild.160101.0800)
    62260000-62281000 wminet_utils.dll (Microsoft Corporation),
    version: 4.7.3056.0 built by: NET472REL1
    67920000-679A0000 clrjit.dll (Microsoft Corporation),
    version: 4.7.3160.0 built by: NET472REL1LAST_C
    71A70000-71A80000 wbemsvc.dll (Microsoft Corporation),
    version: 10.0.17134.1 (WinBuild.160101.0800)
    6A2D0000-6A393000 fastprox.dll (Microsoft Corporation),
    version: 10.0.17134.1 (WinBuild.160101.0800)
    5D480000-5DC60000 System.Core.ni.dll (Microsoft Corporation),
    version: 4.7.3160.0 built by: NET472REL1LAST_C
    65770000-6586C000 System.Configuration.ni.dll (Microsoft Corporation),
    version: 4.7.3056.0 built by: NET472REL1
    65030000-6576E000 System.Xml.ni.dll (Microsoft Corporation),
    version: 4.7.3056.0 built by: NET472REL1
    64FA0000-6502F000 comctl32.dll (Microsoft Corporation),
    version: 5.82 (WinBuild.160101.0800)
    72C20000-72C43000 dwmapi.dll (Microsoft Corporation),
    version: 10.0.17134.1 (WinBuild.160101.0800)
    73B00000-73C44000 MSCTF.dll (Microsoft Corporation),
    version: 10.0.17134.191 (WinBuild.160101.0800)
    71350000-714BB000 gdiplus.dll (Microsoft Corporation),
    version: 10.0.17134.191 (WinBuild.160101.0800)
    5D3B0000-5D479000 System.Runtime.Remoting.ni.dll (Microsoft Corporation),
    version: 4.7.3056.0 built by: NET472REL1
    73740000-73796000 mswsock.dll (Microsoft Corporation),
    version: 10.0.17134.1 (WinBuild.160101.0800)
    63100000-631E8000 diasymreader.dll (Microsoft Corporation),
    version: 14.7.3056.0 built by: NET472REL1
    5D2A0000-5D3AC000 System.Data.SQLite.ni.dll (https://system.data.sqli),
    version: 1.0.103.1
    05C10000-05CCA000 sqlite3.dll (SQLite Development Team),
    version: 3.16.2
    62640000-62E25000 System.Data.ni.dll (Microsoft Corporation),
    version: 4.7.3160.0 built by: NET472REL1LAST_C
    622E0000-62631000 System.Data.dll (Microsoft Corporation),
    version: 4.7.3160.0 built by: NET472REL1LAST_C
    5D270000-5D29C000 Microsoft.Search.Interop.ni.dll (),
    version: 1.0.0.0
    61C70000-61D21000 System.Transactions.ni.dll (Microsoft Corporation),
    version: 4.7.3056.0 built by: NET472REL1
    61C20000-61C6B000 System.Transactions.dll (Microsoft Corporation),
    version: 4.7.3056.0 built by: NET472REL1
    5A6D0000-5A78F000 System.EnterpriseServices.ni.dll (Microsoft Corporation),
    version: 4.7.3056.0 built by: NET472REL1
    5A670000-5A6AE000 System.EnterpriseServices.Wrapper.dll (Microsoft Corporation),
    version: 4.7.3056.0 built by: NET472REL1
    5A6B0000-5A6D0000 System.EnterpriseServices.Wrapper.dll (Microsoft Corporation),
    version: 4.7.3056.0 built by: NET472REL1
    631F0000-63478000 DWrite.dll (Microsoft Corporation),
    version: 10.0.17134.1 (WinBuild.160101.0800)
    5D260000-5D26D000 Accessibility.ni.dll (Microsoft Corporation),
    version: 4.7.3056.0 built by: NET472REL1
    73110000-73281000 WindowsCodecs.dll (Microsoft Corporation),
    version: 10.0.17134.1 (WinBuild.160101.0800)
    5D1D0000-5D255000 tiptsf.dll (Microsoft Corporation),
    version: 10.0.17134.191 (WinBuild.160101.0800)
    6A3A0000-6A41D000 TextInputFramework.dll (Microsoft Corporation),
    version: 10.0.17134.191 (WinBuild.160101.0800)
    6C890000-6CAED000 CoreUIComponents.dll (Microsoft Corporation),
    version: 10.0.17134.112
    6CAF0000-6CB7B000 CoreMessaging.dll (Microsoft Corporation),
    version: 10.0.17134.191
    73480000-734A9000 ntmarta.dll (Microsoft Corporation),
    version: 10.0.17134.1 (WinBuild.160101.0800)
    6DBC0000-6DC96000 wintypes.dll (Microsoft Corporation),
    version: 10.0.17134.112 (WinBuild.160101.0800)
    5D1B0000-5D1C5000 Xilium.CefGlue.WindowsForms.ni.dll (),
    version: 7.1.33101.0

    Process Trace
    1 C:\Program Files (x86)\eM Client\MailClient.exe [7620]
    2 C:\Windows\explorer.exe [6524]
    3 C:\Windows\System32\userinit.exe [6472]

    Thumbprint
    499aae62a5294701fadb14804cc9cbab399cf442ca5bf9876fa201b8c6c155d0
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="HitmanPro.Alert" />
    <EventID Qualifiers="0">911</EventID>
    <Level>2</Level>
    <Task>9</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2018-08-07T16:37:20.031466700Z" />
    <EventRecordID>28810</EventRecordID>
    <Channel>Application</Channel>
    <Computer>Dell-XPS-8920</Computer>
    <Security />
    </System>
    <EventData>
    <Data>C:\Program Files (x86)\eM Client\MailClient.exe</Data>
    <Data>ROP</Data>
    <Data>Mitigation ROP

    (the remainder of this Data element repeats the Description text above verbatim; duplicate omitted)
    631F0000-63478000 DWrite.dll (Microsoft Corporation),
    version: 10.0.17134.1 (WinBuild.160101.0800)
    5D260000-5D26D000 Accessibility.ni.dll (Microsoft Corporation),
    version: 4.7.3056.0 built by: NET472REL1
    73110000-73281000 WindowsCodecs.dll (Microsoft Corporation),
    version: 10.0.17134.1 (WinBuild.160101.0800)
    5D1D0000-5D255000 tiptsf.dll (Microsoft Corporation),
    version: 10.0.17134.191 (WinBuild.160101.0800)
    6A3A0000-6A41D000 TextInputFramework.dll (Microsoft Corporation),
    version: 10.0.17134.191 (WinBuild.160101.0800)
    6C890000-6CAED000 CoreUIComponents.dll (Microsoft Corporation),
    version: 10.0.17134.112
    6CAF0000-6CB7B000 CoreMessaging.dll (Microsoft Corporation),
    version: 10.0.17134.191
    73480000-734A9000 ntmarta.dll (Microsoft Corporation),
    version: 10.0.17134.1 (WinBuild.160101.0800)
    6DBC0000-6DC96000 wintypes.dll (Microsoft Corporation),
    version: 10.0.17134.112 (WinBuild.160101.0800)
    5D1B0000-5D1C5000 Xilium.CefGlue.WindowsForms.ni.dll (),
    version: 7.1.33101.0

    Process Trace
    1 C:\Program Files (x86)\eM Client\MailClient.exe [7620]
    2 C:\Windows\explorer.exe [6524]
    3 C:\Windows\System32\userinit.exe [6472]

    Thumbprint
    499aae62a5294701fadb14804cc9cbab399cf442ca5bf9876fa201b8c6c155d0</Data>
    </EventData>
    </Event>
    Log Name: Application
    Source: HitmanPro.Alert
    Date: 08/07/18 12:35:34
    Event ID: 911
    Task Category: Mitigation
    Level: Error
    Keywords: Classic
    User: N/A
    Computer: Dell-XPS-8920
    Description:
    Mitigation ROP

    Platform 10.0.17134/x64 v750 06_9e
    PID 13268
    Application C:\Program Files (x86)\eM Client\MailClient.exe
    Description eM Client 7.1

    Callee Type LoadLibrary
    SHLWAPI.dll

    Branch Trace Opcode To
    -------------------------------- -------- --------------------------------
    0x58AE0A6F ebehmoni.dll ~ RET* 0x58AFC01B ebehmoni.dll ^0001
    8da42408000000 LEA ESP, [ESP+0x8]
    5a POP EDX
    59 POP ECX
    58 POP EAX
    9d POPF
    8da42428000000 LEA ESP, [ESP+0x28]
    f0832d9044d50101 LOCK SUB DWORD [0x1d54490], 0x1
    50 PUSH EAX
    8b442404 MOV EAX, [ESP+0x4]
    64a300000000 MOV [FS:0x0], EAX
    58 POP EAX
    8da4240c000000 LEA ESP, [ESP+0xc]
    ff2508c1af58 JMP DWORD [0x58afc108]
    (59B431D3FA9D93C5)


    0x58AE0D12 ebehmoni.dll RET 0x58AE0A6E ebehmoni.dll ^0013

    0x58AE2607 ebehmoni.dll RET 0x58AE0C1B ebehmoni.dll ^00F2

    0x58AE8B82 ebehmoni.dll RET 0x58AE0BEE ebehmoni.dll ^009A

    0x58AE8B0B ebehmoni.dll RET 0x58AFBFAF ebehmoni.dll ^0054

    0x58AE0D63 ebehmoni.dll RET 0x58AFBF75 ebehmoni.dll ^0004

    Stack Trace
    # Address Module Location
    -- -------- ------------------------ ----------------------------------------
    1 75FF00E8 KernelBase.dll LoadLibraryExW +0x148
    2 75FEE756 KernelBase.dll LoadLibraryExA +0x26

    3 739A5CF5 hmpalert.dll +0x65cf5
    8bf8 MOV EDI, EAX
    85ff TEST EDI, EDI
    754e JNZ 0x739a5d49
    ff153c009c73 CALL DWORD [0x739c003c]
    8b3d20119c73 MOV EDI, [0x739c1120]
    8945ec MOV [EBP-0x14], EAX
    85ff TEST EDI, EDI
    7416 JZ 0x739a5d24
    8d45cc LEA EAX, [EBP-0x34]
    8bcf MOV ECX, EDI
    50 PUSH EAX
    6a03 PUSH 0x3
    ff1564029c73 CALL DWORD [0x739c0264]
    ffd7 CALL EDI
    8bf8 MOV EDI, EAX
    85ff TEST EDI, EDI

    4 739A6E9A hmpalert.dll +0x66e9a
    5 7398394E hmpalert.dll +0x4394e
    6 73986265 hmpalert.dll +0x46265
    7 7397E052 hmpalert.dll +0x3e052
    8 77268E50 ntdll.dll RtlUpdateTimer +0x1b0
    9 771BDE07 ntdll.dll
    10 771BCEE9 ntdll.dll

    Loaded Modules
    -----------------------------------------------------------------------------

    Process Trace
    1 C:\Program Files (x86)\eM Client\MailClient.exe [13268]
    "C:\Program Files (x86)\eM Client\MailClient.exe" --type=renderer --no-sandbox --disable-databases --lang=en-US --lang=en-US --log-file="C:\Users\puff-m-d\AppData\Roaming\eM Client\Logs\cef.log" --log-severity=error --uncaught-exception-stack-size=8 --enab
    2 C:\Program Files (x86)\eM Client\MailClient.exe [12096]
    3 C:\Windows\explorer.exe [6524]
    4 C:\Windows\System32\userinit.exe [6472]

    Thumbprint
    499aae62a5294701fadb14804cc9cbab399cf442ca5bf9876fa201b8c6c155d0
    This appears to be caused by ebehmoni.dll which is an ESET file (file description: ESET Deep Behavioral Inspection Monitor) that was updated today. I can disable the "Control-Flow Integrity - Stops ROP attacks" mitigation for the affected applications to temporarily resolve the issue. ESET issues module updates on a staggered basis and I am signed up to receive the modules as soon as they are available. If the issue is with ESET, it probably will not be widespread yet for several days so I thought I would give you advance warning so you could see if it can be fixed.
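A small triage parser for the Event ID 911 "Mitigation ROP" description quoted above, added here as an example (not HitmanPro.Alert's code and not puff-m-d's): it pulls the application, callee type and the modules the branch trace passes through, so an entry whose whole return chain sits inside another vendor's monitoring DLL (ebehmoni.dll here, tmmon64.dll in the Trend Micro log later in the thread) can be told apart from one returning into memory no module backs. The system-module allow-list, the verdict wording and the reading of a RET record with no module name as "unbacked" are this example's assumptions, and the sample text is abridged from the log above.

```python
"""Triage helper for HitmanPro.Alert 'Mitigation ROP' (Event ID 911) text.
Added example for this thread, not HitmanPro.Alert's own logic: the system
allow-list, the verdict wording and the reading of a RET record that carries
no module name as "unbacked" are this example's assumptions.
"""
import re
from dataclasses import dataclass, field

# Modules the mitigation's own call path is expected to pass through.
KNOWN_SYSTEM = {"ntdll.dll", "kernelbase.dll", "kernel32.dll", "hmpalert.dll"}

# "<address> <module>" pairs as printed in the Branch Trace columns.
MODULE_TOKEN = re.compile(r"0x[0-9A-Fa-f]+\s+([\w.-]+\.(?:dll|exe|drv))", re.I)
# A RET record: the token after the 'To' address is a module name, or the
# bare '^NNNN' counter when no module name was printed.
RET_RECORD = re.compile(r"\bRET\*?\s+0x[0-9A-Fa-f]+\s+(\S+)")
# Numbered Stack Trace frames: "<n> <address> <module> ...".
STACK_FRAME = re.compile(r"^\d+\s+[0-9A-Fa-f]{8,16}\s+(\S+)")
HEADER = re.compile(r"^(Mitigation|Platform|PID|Application|Description|Callee Type)\s+(.*)$")


@dataclass
class RopEvent:
    fields: dict = field(default_factory=dict)
    branch_modules: list = field(default_factory=list)  # trace order, unique
    stack_modules: list = field(default_factory=list)   # one per numbered frame
    unbacked_returns: int = 0

    def foreign_modules(self) -> list:
        """Branch-trace modules that are neither Windows nor HMPA."""
        return [m for m in self.branch_modules if m.lower() not in KNOWN_SYSTEM]

    def verdict(self) -> str:
        """Heuristic triage string; an analyst still confirms it."""
        if self.unbacked_returns:
            return "investigate: a return target lies outside every loaded module"
        foreign = self.foreign_modules()
        if foreign:
            return ("likely third-party hook: " + ", ".join(foreign)
                    + " (verify vendor and signature before excluding)")
        return "only Windows/HMPA modules in trace: review manually"


def parse_rop_event(text: str) -> RopEvent:
    """Parse one event description, starting at its 'Mitigation' line."""
    ev = RopEvent()
    section = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Branch Trace"):
            section = "branch"
        elif line.startswith("Stack Trace"):
            section = "stack"
        elif line.startswith(("Loaded Modules", "Process Trace", "Thumbprint")):
            section = "other"
        elif section == "header":
            m = HEADER.match(line)
            if m:
                ev.fields[m.group(1)] = m.group(2).strip()
        elif section == "branch":
            for mod in MODULE_TOKEN.findall(line):
                if mod not in ev.branch_modules:
                    ev.branch_modules.append(mod)
            r = RET_RECORD.search(line)
            if r and r.group(1).startswith("^"):
                ev.unbacked_returns += 1
        elif section == "stack":
            m = STACK_FRAME.match(line)
            if m:
                ev.stack_modules.append(m.group(1))
    return ev


# Constructed sample, abridged from the ESET (ebehmoni.dll) entry quoted above.
SAMPLE_ESET = r"""Mitigation ROP
PID 13268
Application C:\Program Files (x86)\eM Client\MailClient.exe
Callee Type LoadLibrary
SHLWAPI.dll

Branch Trace Opcode To
0x58AE0A6F ebehmoni.dll ~ RET* 0x58AFC01B ebehmoni.dll ^0001
ff2508c1af58 JMP DWORD [0x58afc108]
0x58AE0D12 ebehmoni.dll RET 0x58AE0A6E ebehmoni.dll ^0013

Stack Trace
1 75FF00E8 KernelBase.dll LoadLibraryExW +0x148
3 739A5CF5 hmpalert.dll +0x65cf5
8bf8 MOV EDI, EAX
8 77268E50 ntdll.dll RtlUpdateTimer +0x1b0

Loaded Modules
73940000-73A20000 hmpalert.dll (SurfRight B.V.),
"""

if __name__ == "__main__":
    ev = parse_rop_event(SAMPLE_ESET)
    print(ev.fields["Application"], "|", ev.verdict())
```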
     
  13. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
    I don't recall the dev ever addressing a "white list" feature for HMPA, but he has usually been responsive about dealing with false positives. Sometimes there have been necessary workarounds, like disabling certain modules in case of conflicts, like with the SAM module in credential protection.

    You could report your issue to support as a false positive, and see how that goes. I'm only speculating here, but a white list could allow a threat to hide in a white listed process, and that would be less secure as well.
     
  14. guest

    guest Guest

    "Folder Exclusions":
     
    Last edited by a moderator: Aug 7, 2018
  15. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
    Different things. White lists could be used for specific executables, and could be in scope for all exploit protection modules, not just scans. Folder exclusions are for excluding files when scanning static files, like with an AV, or on-demand scanner.

    Plus those comments from @ericloman were made over a year ago, without any follow-up. Guess we are still staying tuned, huh? ;)
     
  16. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Hello,
    FYI: So far, this happens consistently with eM Client and LibreOffice, and occasionally with browsers (IE, EDGE, Firefox, and Chrome) and Process Hacker.
     
  17. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    605
    Location:
    Australia
    HMPA 3.7.8b750 on W10 Build 17713.rs5_release.180706-1551 (fast ring) has been throwing some errors.
    Not being a release build, this is just a heads up; ESET was not working on this build either because MS did not whitelist them.

    This has happened more than once; because it has kept going, I thought it might be worth a mention in case it is seen during testing or helps with getting it ready for rs5 when that comes out.


    HitmanPro.Alert

    Summary
    Stopped working

    Date
    Sun 12-Aug-18 21:51

    Status
    Not reported

    Description
    Faulting Application Path: C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe

    Problem signature
    Problem Event Name: APPCRASH
    Application Name: hmpalert.exe
    Application Version: 3.7.8.750
    Application Timestamp: 5b3f3322
    Fault Module Name: ADVAPI32.dll
    Fault Module Version: 10.0.17713.1000
    Fault Module Timestamp: 10cd072c
    Exception Code: c0000005
    Exception Offset: 00023814
    OS Version: 10.0.17713.2.0.0.768.101
    Locale ID: 2057
    Additional Information 1: 2beb
    Additional Information 2: 2beba6fb4680d73a8c78ca7c24ccdb46
    Additional Information 3: 2939
    Additional Information 4: 29396946fa8b15dbd955cecc441efe08

    Files that help describe the problem
    minidump.mdmp
    WERInternalMetadata.xml
    WERInternalRequest.xml
    WPR_initiated_DiagTrackMiniLogger_OneTrace User Logger 20180807 Event Collector_0_inject.etl
    WPR_initiated_DiagTrackMiniLogger_OneTrace User Logger 20180807 Event Collector_0.etl
    WPR_initiated_DiagTrackMiniLogger_WPR System Collector_inject.etl
    WPR_initiated_DiagTrackMiniLogger_WPR System Collector.etl
    memory.csv
    sysinfo.txt
    AppCompat.txt
    memory.hdmp
     
  18. m0unds

    m0unds Registered Member

    Joined:
    Nov 12, 2015
    Posts:
    219
    Hey,

    There's still an issue with HMP.alert and Trend Micro AV on the same system; HMP repeatedly flags Trend's code injection into Firefox content processes as an exploit. It triggers when FF plays video content of any kind (this log example is playback of a gifv from imgur).

    Additionally, the continued lack of a way to exclude a detection, file, process, whatever continues to ensure lots of us can't even use the product. In my case, it's due to Kaspersky's enhanced detection set that flags things like IRC clients and common utilities that can be used for "bad" stuff as "not-a-virus$somedetection" (which has been reported several times in this thread). Super inconvenient.

    At any rate, here's the log from Event Viewer:

    Code:
    Mitigation   ROP
    
    Platform     10.0.17134/x64 v750 06_8e
    PID          15068
    Application  C:\Program Files\Mozilla Firefox\firefox.exe
    Description  Firefox 61.0.2
    
    Callee Type  ProtectVirtualMemory
                 0x00000049FCF26000 (4096 bytes)
    
    Branch Trace                              Opcode  To                                 
    ---------------------------------------- -------- ----------------------------------------
    0x0000000071E8CB68 tmmon64.dll               RET  0x0000000071DE424D tmmon64.dll ^0003
    
    RtlRestoreLastWin32Error +0x44               RET  0x0000000071E8CB5F tmmon64.dll ^0006
    0x00007FFBF12570A4 ntdll.dll                                                         
    
    RtlRetrieveNtUserPfn +0x114                  RET  RtlRestoreLastWin32Error +0x40 ^0009
    0x00007FFBF129A614 ntdll.dll                      0x00007FFBF12570A0 ntdll.dll       
    
    0x0000000071E8CF66 tmmon64.dll               RET  0x0000000071E8CB20 tmmon64.dll ^004D
    
    0x0000000071DE3C60 tmmon64.dll               RET  0x0000000071E8CEA7 tmmon64.dll ^0012
    
    0x00007FFBEC40D699 TmUmEvt64.dll             RET  0x0000000071DE3C26 tmmon64.dll ^0006
    
    0x00007FFBEC42C866 TmUmEvt64.dll           ~ RET* ?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z() ^00A4
                                                      0x00007FFBE846B940 mozglue.dll     
                        0f57c9                   XORPS        XMM1, XMM1
                        0f57c0                   XORPS        XMM0, XMM0
                        f2480f2a0d01170200       CVTSI2SD     XMM1, [RIP+0x21701]
                        f2480f2ac1               CVTSI2SD     XMM0, RCX
                        f20f590d9c8f0100         MULSD        XMM1, [RIP+0x18f9c]
                        f20f5ec1                 DIVSD        XMM0, XMM1
                        c3                       RET     
    
    
    ??GTimeStampValue@mozilla@@QEBA_KAEBV01@@Z +0x5c     RET  0x00007FFBA1CAB91F xul.dll ^000A   
    0x00007FFBE846AB3C mozglue.dll                                                       
    
    ??GTimeStampValue@mozilla@@QEBA_KAEBV01@@Z +0x5c     RET  0x00007FFBA1CAB90D xul.dll ^002F   
    0x00007FFBE846AB3C mozglue.dll                                                       
    
    0x00007FFBA1CAC12A xul.dll                   RET  0x00007FFBA1CAB8CC xul.dll ^0006   
    
    ??GTimeStampValue@mozilla@@QEBA_KAEBV01@@Z +0x5c     RET  0x00007FFBA1CAB8B3 xul.dll ^00ED   
    0x00007FFBE846AB3C mozglue.dll                                                       
    
    0x00007FFBA1CAC12A xul.dll                   RET  0x00007FFBA1CAB88B xul.dll ^03AF   
    
    ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z +0xc2     RET  0x00007FFBA1CAB883 xul.dll ^002A   
    0x00007FFBE846D622 mozglue.dll                                                       
    
    GetTickCount64 +0x1d                         RET  ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z +0x81 ^0075
    0x00007FFBEFE361CD kernel32.dll                   0x00007FFBE846D5E1 mozglue.dll     
    
    RtlQueryPerformanceCounter +0x60             RET  ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z +0x37 ^0136
    0x00007FFBF1256C50 ntdll.dll                      0x00007FFBE846D597 mozglue.dll     
    
    Stack Trace
    #  Address          Module                   Location
    -- ---------------- ------------------------ ----------------------------------------
    1  00007FFBED63C245 KernelBase.dll           VirtualProtect +0x35
    
    2  0000000071DE42C0 tmmon64.dll         
                        488bc8                   MOV          RCX, RAX
                        48ba3051a4f155010000     MOV          RDX, 0x155f1a45130
                        4c8b45f8                 MOV          R8, [RBP-0x8]
                        4c8d4d08                 LEA          R9, [RBP+0x8]
                        48b810c7e87100000000     MOV          RAX, 0x71e8c710
                        ffd0                     CALL         RAX
                        4c8b65e0                 MOV          R12, [RBP-0x20]
                        4c8b7dd0                 MOV          R15, [RBP-0x30]
                        4c8b75c8                 MOV          R14, [RBP-0x38]
                        4c8b6dc0                 MOV          R13, [RBP-0x40]
                        488b75b8                 MOV          RSI, [RBP-0x48]
                        488b7db0                 MOV          RDI, [RBP-0x50]
                        488b5de8                 MOV          RBX, [RBP-0x18]
                        488beb                   MOV          RBP, RBX
    
    3  00007FFBA20DCE1D xul.dll             
    4  00007FFBA1EF785A xul.dll             
    5  00007FFBA1DD66F1 xul.dll             
    6  00007FFBA1CDAA07 xul.dll             
    7  00007FFBA1CDAFD5 xul.dll             
    8  00007FFBA259753D xul.dll             
    9  00007FFBA1CD490E xul.dll             
    10 00007FFBA1DD9C47 xul.dll             
    
    Loaded Modules
    -----------------------------------------------------------------------------
    00007FF7F4700000-00007FF7F4774000 firefox.exe (Mozilla Corporation),
                                      version: 61.0.2
    00007FFBF1210000-00007FFBF13F1000 ntdll.dll (Microsoft Corporation),
                                      version: 10.0.17134.165 (WinBuild.160101.0800)
    00007FFBEFE20000-00007FFBEFED2000 KERNEL32.dll (Microsoft Corporation),
                                      version: 10.0.17134.1 (WinBuild.160101.0800)
    00007FFBDDFC0000-00007FFBDE100000 hmpalert.dll (SurfRight B.V.),
                                      version: 3.7.8.750
    00007FFBED5E0000-00007FFBED853000 KERNELBASE.dll (Microsoft Corporation),
                                      version: 10.0.17134.165 (WinBuild.160101.0800)
    00007FFBEE700000-00007FFBEE7A1000 ADVAPI32.dll (Microsoft Corporation),
                                      version: 10.0.17134.1 (WinBuild.160101.0800)
    00007FFBF0C40000-00007FFBF0CDE000 msvcrt.dll (Microsoft Corporation),
                                      version: 7.0.17134.1 (WinBuild.160101.0800)
    00007FFBEE6A0000-00007FFBEE6FB000 sechost.dll (Microsoft Corporation),
                                      version: 10.0.17134.1 (WinBuild.160101.0800)
    00007FFBF0360000-00007FFBF0484000 RPCRT4.dll (Microsoft Corporation),
                                      version: 10.0.17134.112 (WinBuild.160101.0800)
    00007FFBEDC60000-00007FFBEDD5A000 ucrtbase.dll (Microsoft Corporation),
                                      version: 10.0.17134.165 (WinBuild.160101.0800)
    00007FFBE8460000-00007FFBE8495000 mozglue.dll (Mozilla Foundation),
                                      version: 61.0.2
    00007FFBB6930000-00007FFBB69D7000 MSVCP140.dll (Microsoft Corporation),
                                      version: 14.13.26020.0 built by: VCTOOLSREL
    00007FFBE81E0000-00007FFBE81F6000 VCRUNTIME140.dll (Microsoft Corporation),
                                      version: 14.13.26020.0 built by: VCTOOLSREL
    00007FFBEB630000-00007FFBEB7F9000 dbghelp.dll (Microsoft Corporation),
                                      version: 10.0.17134.1 (WinBuild.160101.0800)
    00007FFBDBA60000-00007FFBDBA6A000 VERSION.dll (Microsoft Corporation),
                                      version: 10.0.17134.1 (WinBuild.160101.0800)
    00007FFBECF70000-00007FFBECF7B000 CRYPTBASE.DLL (Microsoft Corporation),
                                      version: 10.0.17134.1 (WinBuild.160101.0800)
    00007FFBEDEB0000-00007FFBEDF2A000 bcryptPrimitives.dll (Microsoft Corporation),
                                      version: 10.0.17134.1 (WinBuild.160101.0800)
    00007FFBEC3F0000-00007FFBEC4BF000 TmUmEvt64.dll (Trend Micro Inc.),
                                      version: 7.30.0.1099
    00007FFBF0350000-00007FFBF0358000 PSAPI.DLL (Microsoft Corporation),
                                      version: 10.0.17134.1 (WinBuild.160101.0800)
    00007FFBF05F0000-00007FFBF0641000 SHLWAPI.dll (Microsoft Corporation),
                                      version: 10.0.17134.1 (WinBuild.160101.0800)
    00007FFBEFFA0000-00007FFBF02C3000 combase.dll (Microsoft Corporation),
                                      version: 10.0.17134.112 (WinBuild.160101.0800)
    00007FFBF0D40000-00007FFBF0D68000 GDI32.dll (Microsoft Corporation),
                                      version: 10.0.17134.1 (WinBuild.160101.0800)
    00007FFBED860000-00007FFBED9F2000 gdi32full.dll (Microsoft Corporation),
                                      version: 10.0.17134.112 (WinBuild.160101.0800)
    00007FFBEDE10000-00007FFBEDEAF000 msvcp_win.dll (Microsoft Corporation),
                                      version: 10.0.17134.137 (WinBuild.160101.0800)
    00007FFBF0D70000-00007FFBF0F00000 USER32.dll (Microsoft Corporation),
                                      version: 10.0.17134.1 (WinBuild.160101.0800)
    00007FFBEDA50000-00007FFBEDA70000 win32u.dll (Microsoft Corporation),
                                      version: 10.0.17134.1 (WinBuild.160101.0800)
    00007FFBF11B0000-00007FFBF11DD000 IMM32.DLL (Microsoft Corporation),
                                      version: 10.0.17134.1 (WinBuild.160101.0800)
    0000000071DC0000-0000000071F0C000 tmmon64.dll (Trend Micro Inc.),
                                      version: 2.6.0.2027
    00000155F3780000-00000155F3784000 api-ms-win-crt-runtime-l1-1-0.dll (Microsoft Corporation),
                                      version: 10.0.15063.674 (WinBuild.160101.0800)
    00000155F3790000-00000155F3794000 api-ms-win-crt-string-l1-1-0.dll (Microsoft Corporation),
                                      version: 10.0.15063.674 (WinBuild.160101.0800)
    00000155F37A0000-00000155F37A3000 api-ms-win-crt-heap-l1-1-0.dll (Microsoft Corporation),
                                      version: 10.0.15063.674 (WinBuild.160101.0800)
    00000155F37B0000-00000155F37B4000 api-ms-win-crt-stdio-l1-1-0.dll (Microsoft Corporation),
                                      version: 10.0.15063.674 (WinBuild.160101.0800)
    00000155F37C0000-00000155F37C4000 api-ms-win-crt-convert-l1-1-0.dll (Microsoft Corporation),
                                      version: 10.0.15063.674 (WinBuild.160101.0800)
    00000155F37D0000-00000155F37D3000 api-ms-win-crt-locale-l1-1-0.dll (Microsoft Corporation),
                                      version: 10.0.15063.674 (WinBuild.160101.0800)
    00000155F37E0000-00000155F37E5000 api-ms-win-crt-math-l1-1-0.dll (Microsoft Corporation),
                                      version: 10.0.15063.674 (WinBuild.160101.0800)
    00000155F37F0000-00000155F37F5000 api-ms-win-crt-multibyte-l1-1-0.dll (Microsoft Corporation),
                                      version: 10.0.15063.674 (WinBuild.160101.0800)
    00000155F3800000-00000155F3803000 api-ms-win-crt-time-l1-1-0.dll (Microsoft Corporation),
                                      version: 10.0.15063.674 (WinBuild.160101.0800)
    00000155F3810000-00000155F3813000 api-ms-win-crt-filesystem-l1-1-0.dll (Microsoft Corporation),
                                      version: 10.0.15063.674 (WinBuild.160101.0800)
    00000155F3820000-00000155F3823000 api-ms-win-crt-environment-l1-1-0.dll (Microsoft Corporation),
                                      version: 10.0.15063.674 (WinBuild.160101.0800)
    00000155F3830000-00000155F3833000 api-ms-win-crt-utility-l1-1-0.dll (Microsoft Corporation),
                                      version: 10.0.15063.674 (WinBuild.160101.0800)
    00007FFBB66D0000-00007FFBB6852000 nss3.dll (Mozilla Foundation),
                                      version: 61.0.2
    00007FFBF0F00000-00007FFBF0F6C000 WS2_32.dll (Microsoft Corporation),
                                      version: 10.0.17134.1 (WinBuild.160101.0800)
    00007FFBE9380000-00007FFBE93A3000 WINMM.dll (Microsoft Corporation),
                                      version: 10.0.17134.1 (WinBuild.160101.0800)
    00007FFBDAF40000-00007FFBDAF49000 WSOCK32.dll (Microsoft Corporation),
                                      version: 10.0.17134.1 (WinBuild.160101.0800)
    00007FFBE9350000-00007FFBE937A000 WINMMBASE.dll (Microsoft Corporation),
                                      version: 10.0.17134.1 (WinBuild.160101.0800)
    00007FFBEDA00000-00007FFBEDA49000 cfgmgr32.dll (Microsoft Corporation),
                                      version: 10.0.17134.1 (WinBuild.160101.0800)
    00007FFBB5270000-00007FFBB5321000 lgpllibs.dll (Mozilla Foundation),
                                      version: 61.0.2
    00007FFBA1820000-00007FFBA605A000 xul.dll (Mozilla Foundation),
                                      version: 61.0.2
    00007FFBEE880000-00007FFBEFCC0000 SHELL32.dll (Microsoft Corporation),
                                      version: 10.0.17134.137 (WinBuild.160101.0800)
    00007FFBEFEE0000-00007FFBEFF89000 shcore.dll (Microsoft Corporation),
                                      version: 10.0.17134.112 (WinBuild.160101.0800)
    00007FFBEDF90000-00007FFBEE69D000 windows.storage.dll (Microsoft Corporation),
                                      version: 10.0.17134.137 (WinBuild.160101.0800)
    00007FFBED540000-00007FFBED551000 kernel.appcore.dll (Microsoft Corporation),
                                      version: 10.0.17134.112 (WinBuild.160101.0800)
    00007FFBED5B0000-00007FFBED5CF000 profapi.dll (Microsoft Corporation),
                                      version: 10.0.17134.1 (WinBuild.160101.0800)
    00007FFBED560000-00007FFBED5AC000 powrprof.dll (Microsoft Corporation),
                                      version: 10.0.17134.1 (WinBuild.160101.0800)
    00000155F3E60000-00000155F3E6A000 FLTLIB.DLL (Microsoft Corporation),
                                      version: 10.0.17134.1 (WinBuild.160101.0800)
    00007FFBF0490000-00007FFBF05E1000 ole32.dll (Microsoft Corporation),
                                      version: 10.0.17134.137 (WinBuild.160101.0800)
    00007FFBEDA70000-00007FFBEDC52000 CRYPT32.dll (Microsoft Corporation),
                                      version: 10.0.17134.1 (WinBuild.160101.0800)
    00007FFBED520000-00007FFBED532000 MSASN1.dll (Microsoft Corporation),
                                      version: 10.0.17134.1 (WinBuild.160101.0800)
    00007FFBF0650000-00007FFBF0A9B000 SETUPAPI.dll (Microsoft Corporation),
                                      version: 10.0.17134.1 (WinBuild.160101.0800)
    00007FFBEDF30000-00007FFBEDF87000 WINTRUST.dll (Microsoft Corporation),
                                      version: 10.0.17134.81 (WinBuild.160101.0800)
    00000155F4100000-00000155F41C2000 OLEAUT32.dll (Microsoft Corporation),
                                      version: 10.0.17134.48 (WinBuild.160101.0800)
    00007FFBEC160000-00007FFBEC16C000 HID.DLL (Microsoft Corporation),
                                      version: 10.0.17134.1 (WinBuild.160101.0800)
    00007FFBE87F0000-00007FFBE87FA000 AVRT.dll (Microsoft Corporation),
                                      version: 10.0.17134.1 (WinBuild.160101.0800)
    00007FFBE81C0000-00007FFBE81D9000 USP10.dll (Microsoft Corporation),
                                      version: 10.0.17134.1 (WinBuild.160101.0800)
    00007FFBC8CD0000-00007FFBC8CD7000 MSIMG32.dll (Microsoft Corporation),
                                      version: 10.0.17134.1 (WinBuild.160101.0800)
    00007FFBECB20000-00007FFBECB58000 IPHLPAPI.DLL (Microsoft Corporation),
                                      version: 10.0.17134.1 (WinBuild.160101.0800)
    00007FFBEBBC0000-00007FFBEBBE9000 dwmapi.dll (Microsoft Corporation),
                                      version: 10.0.17134.1 (WinBuild.160101.0800)
    00007FFBEA9B0000-00007FFBEAA48000 UxTheme.dll (Microsoft Corporation),
                                      version: 10.0.17134.1 (WinBuild.160101.0800)
    00007FFBEB400000-00007FFBEB413000 WTSAPI32.dll (Microsoft Corporation),
                                      version: 10.0.17134.1 (WinBuild.160101.0800)
    00007FFBEC610000-00007FFBEC641000 ntmarta.dll (Microsoft Corporation),
                                      version: 10.0.17134.1 (WinBuild.160101.0800)
    00007FFBB1620000-00007FFBB1636000 napinsp.dll (Microsoft Corporation),
                                      version: 10.0.17134.1 (WinBuild.160101.0800)
    00007FFBB1600000-00007FFBB161A000 pnrpnsp.dll (Microsoft Corporation),
                                      version: 10.0.17134.1 (WinBuild.160101.0800)
    00007FFBE9090000-00007FFBE90A9000 NLAapi.dll (Microsoft Corporation),
                                      version: 10.0.17134.1 (WinBuild.160101.0800)
    00007FFBECDA0000-00007FFBECE06000 mswsock.dll (Microsoft Corporation),
                                      version: 10.0.17134.1 (WinBuild.160101.0800)
    00007FFBECB60000-00007FFBECC1E000 DNSAPI.dll (Microsoft Corporation),
                                      version: 10.0.17134.165 (WinBuild.160101.0800)
    00007FFBEFF90000-00007FFBEFF98000 NSI.dll (Microsoft Corporation),
                                      version: 10.0.17134.1 (WinBuild.160101.0800)
    00007FFBCA890000-00007FFBCA89E000 winrnr.dll (Microsoft Corporation),
                                      version: 10.0.17134.1 (WinBuild.160101.0800)
    00007FFBC6260000-00007FFBC6275000 wshbth.dll (Microsoft Corporation),
                                      version: 10.0.17134.1 (WinBuild.160101.0800)
    00007FFBED450000-00007FFBED478000 USERENV.dll (Microsoft Corporation),
                                      version: 10.0.17134.1 (WinBuild.160101.0800)
    00007FFBED420000-00007FFBED450000 SspiCli.dll (Microsoft Corporation),
                                      version: 10.0.17134.1 (WinBuild.160101.0800)
    00007FFBED330000-00007FFBED357000 DEVOBJ.dll (Microsoft Corporation),
                                      version: 10.0.17134.1 (WinBuild.160101.0800)
    00007FFBE98A0000-00007FFBE9BAB000 d3d11.dll (Microsoft Corporation),
                                      version: 10.0.17134.112 (WinBuild.160101.0800)
    00007FFBEC210000-00007FFBEC2CB000 dxgi.dll (Microsoft Corporation),
                                      version: 10.0.17134.112 (WinBuild.160101.0800)
    00007FFBE5790000-00007FFBE6D0C000 igd10iumd64.dll (Intel Corporation),
                                      version: 21.20.16.4550
    00007FFBED080000-00007FFBED0A5000 bcrypt.dll (Microsoft Corporation),
                                      version: 10.0.17134.112 (WinBuild.160101.0800)
    00007FFBED050000-00007FFBED076000 ncrypt.dll (Microsoft Corporation),
                                      version: 10.0.17134.1 (WinBuild.160101.0800)
    00007FFBED010000-00007FFBED046000 NTASN1.dll (Microsoft Corporation),
                                      version: 10.0.17134.1 (WinBuild.160101.0800)
    00007FFBE3A60000-00007FFBE4BBD000 igc64.dll (Intel Corporation),
                                      version: 21.20.16.4550
    00007FFBE9BB0000-00007FFBEA177000 d2d1.dll (Microsoft Corporation),
                                      version: 10.0.17134.112 (WinBuild.160101.0800)
    00007FFBE7D00000-00007FFBE7D39000 XmlLite.dll (Microsoft Corporation),
                                      version: 10.0.17134.1 (WinBuild.160101.0800)
    00007FFBE01D0000-00007FFBE04EC000 dwrite.dll (Microsoft Corporation),
                                      version: 10.0.17134.1 (WinBuild.160101.0800)
    00007FFBC6280000-00007FFBC6328000 mscms.dll (Microsoft Corporation),
                                      version: 10.0.17134.1 (WinBuild.160101.0800)
    00007FFBC0580000-00007FFBC0590000 ColorAdapterClient.dll (Microsoft Corporation),
                                      version: 10.0.17134.1 (WinBuild.160101.0800)
    00007FFBF10F0000-00007FFBF1190000 clbcatq.dll (Microsoft Corporation),
                                      version: 2001.12.10941.16384 (WinBuild.160101.080
    00007FFBE36A0000-00007FFBE3716000 MMDevApi.dll (Microsoft Corporation),
                                      version: 10.0.17134.1 (WinBuild.160101.0800)
    00007FFBEB800000-00007FFBEB9B4000 PROPSYS.dll (Microsoft Corporation),
                                      version: 7.0.17134.112 (WinBuild.160101.0800)
    00007FFBD8030000-00007FFBD815C000 AUDIOSES.DLL (Microsoft Corporation),
                                      version: 10.0.17134.137 (WinBuild.160101.0800)
    00007FFBE8C20000-00007FFBE8D6D000 wintypes.dll (Microsoft Corporation),
                                      version: 10.0.17134.112 (WinBuild.160101.0800)
    00007FFBE2320000-00007FFBE2434000 Windows.UI.dll (Microsoft Corporation),
                                      version: 10.0.17134.1 (WinBuild.160101.0800)
    00007FFBE2280000-00007FFBE2318000 TextInputFramework.dll (Microsoft Corporation),
                                      version: 10.0.17134.1 (WinBuild.160101.0800)
    00007FFBE2200000-00007FFBE2279000 InputHost.dll (),
                                      version:
    00007FFBE7030000-00007FFBE734E000 CoreUIComponents.dll (Microsoft Corporation),
                                      version: 10.0.17134.112
    00007FFBEA660000-00007FFBEA73A000 CoreMessaging.dll (Microsoft Corporation),
                                      version: 10.0.17134.165
    00007FFBDDC40000-00007FFBDDC71000 softokn3.dll (Mozilla Foundation),
                                      version: 61.0.2
    00007FFBDD4D0000-00007FFBDD545000 freebl3.dll (Mozilla Foundation),
                                      version: 61.0.2
    00007FFBE3830000-00007FFBE3858000 Cabinet.dll (Microsoft Corporation),
                                      version: 5.00 (WinBuild.160101.0800)
    00007FFBB3570000-00007FFBB39AE000 d3dcompiler_47.dll (Microsoft Corporation),
                                      version: 10.0.15063.674 (WinBuild.160101.0800)
    00007FFBDCF70000-00007FFBDCFB1000 mozavutil.dll (Mozilla Foundation),
                                      version: 61.0.2
    00007FFBB33E0000-00007FFBB3569000 mozavcodec.dll (Mozilla Foundation),
                                      version: 61.0.2
    00007FFBE8910000-00007FFBE8AEB000 mfplat.dll (Microsoft Corporation),
                                      version: 10.0.17134.137 (WinBuild.160101.0800)
    00007FFBE88E0000-00007FFBE890E000 RTWorkQ.DLL (Microsoft Corporation),
                                      version: 10.0.17134.1 (WinBuild.160101.0800)
    00007FFBE2E60000-00007FFBE2EDB000 mf.dll (Microsoft Corporation),
                                      version: 10.0.17134.137 (WinBuild.160101.0800)
    00007FFBDE4A0000-00007FFBDE4C2000 dxva2.dll (Microsoft Corporation),
                                      version: 10.0.17134.1 (WinBuild.160101.0800)
    00007FFBB5020000-00007FFBB50DA000 evr.dll (Microsoft Corporation),
                                      version: 10.0.17134.137 (WinBuild.160101.0800)
    00007FFBB3050000-00007FFBB32A7000 msmpeg2vdec.dll (Microsoft Corporation),
                                      version: 10.0.17134.137 (WinBuild.160101.0800)
    00007FFBB32B0000-00007FFBB33DB000 mfperfhelper.dll (Microsoft Corporation),
                                      version: 10.0.17134.1 (WinBuild.160101.0800)
    00007FFBECF50000-00007FFBECF67000 cryptsp.dll (Microsoft Corporation),
                                      version: 10.0.17134.1 (WinBuild.160101.0800)
    00007FFBDCF00000-00007FFBDCF6E000 MSAudDecMFT.dll (Microsoft Corporation),
                                      version: 10.0.17134.112 (WinBuild.160101.0800)
    
    Code Injection
    00000155F183C000-00000155F183D000    4KB C:\Program Files\Mozilla Firefox\firefox.exe [15680]
    00007FFBF12AA000-00007FFBF12AB000    4KB
    00007FFBF12AC000-00007FFBF12AD000    4KB
    1  C:\Program Files\Mozilla Firefox\firefox.exe [15680]
    2  C:\Windows\explorer.exe [8472]
    
    Process Trace
    1  C:\Program Files\Mozilla Firefox\firefox.exe [15068]
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="15680.12.1069072903\437647320" -childID 2 -isForBrowser -prefsHandle 2824 -prefsLen 14785 -schedulerPrefs 0001,2 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program
    2  C:\Program Files\Mozilla Firefox\firefox.exe [15680]
    3  C:\Windows\explorer.exe [8472]
    
    Thumbprint
    23794a78370aa92e3d8306040ccd8572c4797bf00ae48e6521db21eff8d1b664
     
    Last edited: Aug 14, 2018
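The alert above is the kind of ROP trace a responder has to make a call on quickly: did exploit code reach VirtualProtect, or did a vendor's hook DLL? The Python script below is an added example, not part of m0unds' post and not HitmanPro.Alert code. It parses an abridged excerpt of the posted alert, resolves every branch-trace and stack-trace address against the Loaded Modules table, and reports whose code sits between the protected API and the application. The section names it keys on, the vendor buckets and the verdict strings are this example's own assumptions about the log layout, not a format specification from the product.

```python
import re
from collections import Counter

# Constructed input: an abridged excerpt of the alert posted above (branch trace,
# stack trace and the Loaded Modules entries those traces reference).
ALERT = """\
Mitigation   ROP
Application  C:\\Program Files\\Mozilla Firefox\\firefox.exe
Callee Type  ProtectVirtualMemory
             0x00000049FCF26000 (4096 bytes)

Branch Trace                              Opcode  To
0x0000000071E8CB68 tmmon64.dll               RET  0x0000000071DE424D tmmon64.dll ^0003
RtlRestoreLastWin32Error +0x44               RET  0x0000000071E8CB5F tmmon64.dll ^0006
0x00007FFBF12570A4 ntdll.dll
0x00007FFBEC40D699 TmUmEvt64.dll             RET  0x0000000071DE3C26 tmmon64.dll ^0006
0x00007FFBEC42C866 TmUmEvt64.dll           ~ RET* ?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z() ^00A4
                                                  0x00007FFBE846B940 mozglue.dll
                    f2480f2a0d01170200       CVTSI2SD     XMM1, [RIP+0x21701]
0x00007FFBA1CAC12A xul.dll                   RET  0x00007FFBA1CAB8CC xul.dll ^0006
GetTickCount64 +0x1d                         RET  ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z +0x81 ^0075
0x00007FFBEFE361CD kernel32.dll                   0x00007FFBE846D5E1 mozglue.dll

Stack Trace
1  00007FFBED63C245 KernelBase.dll           VirtualProtect +0x35
2  0000000071DE42C0 tmmon64.dll
                    48b810c7e87100000000     MOV          RAX, 0x71e8c710
3  00007FFBA20DCE1D xul.dll

Loaded Modules
00007FF7F4700000-00007FF7F4774000 firefox.exe (Mozilla Corporation),
00007FFBF1210000-00007FFBF13F1000 ntdll.dll (Microsoft Corporation),
00007FFBEFE20000-00007FFBEFED2000 KERNEL32.dll (Microsoft Corporation),
00007FFBDDFC0000-00007FFBDE100000 hmpalert.dll (SurfRight B.V.),
00007FFBED5E0000-00007FFBED853000 KERNELBASE.dll (Microsoft Corporation),
00007FFBE8460000-00007FFBE8495000 mozglue.dll (Mozilla Foundation),
00007FFBEC3F0000-00007FFBEC4BF000 TmUmEvt64.dll (Trend Micro Inc.),
0000000071DC0000-0000000071F0C000 tmmon64.dll (Trend Micro Inc.),
00007FFBA1820000-00007FFBA605A000 xul.dll (Mozilla Foundation),
"""

# Section names assumed from the alert layout above, not a documented format.
SECTION_RE = re.compile(
    r'^(Branch Trace|Stack Trace|Loaded Modules|Code Injection|Process Trace|Thumbprint)\b', re.M)
MODULE_RE = re.compile(r'^\s*([0-9A-F]{16})-([0-9A-F]{16})\s+(\S+)\s+\((.*?)\),', re.M)
FRAME_RE = re.compile(r'^\s*(\d+)\s+([0-9A-F]{16})\s+(\S+)', re.M)
# 64-bit code addresses with or without 0x; the hex-char guards keep the regex
# off opcode bytes and immediates in the inline disassembly lines.
ADDR_RE = re.compile(r'(?<![0-9A-Fa-f])(?:0x)?([0-9A-F]{16})(?![0-9A-Fa-f])')


def split_sections(text):
    """{'Header': fields above the traces, 'Branch Trace': body, ...}"""
    parts = SECTION_RE.split(text)
    sections = {'Header': parts[0]}
    sections.update(zip(parts[1::2], parts[2::2]))
    return sections


def header_field(header, name):
    m = re.search(r'^' + re.escape(name) + r'\s+(.+?)\s*$', header, re.M)
    return m.group(1) if m else None


def parse_modules(body):
    return [(int(lo, 16), int(hi, 16), name, pub) for lo, hi, name, pub in MODULE_RE.findall(body)]


def resolve(addr, modules):
    """(module, publisher) owning addr; memory no module backs is the classic exploit sign."""
    for lo, hi, name, pub in modules:
        if lo <= addr < hi:
            return name, pub
    return '?', 'unbacked'


def triage(alert_text):
    s = split_sections(alert_text)
    modules = parse_modules(s.get('Loaded Modules', ''))
    app_exe = header_field(s['Header'], 'Application').rsplit('\\', 1)[-1]
    # Vendor prefix of the protected exe: "Mozilla" covers both Mozilla Corporation
    # (firefox.exe) and Mozilla Foundation (xul.dll, mozglue.dll).
    app_vendor = next(p for _, _, n, p in modules if n.lower() == app_exe.lower()).split()[0]

    def bucket(pub):
        if pub == 'unbacked':
            return 'unbacked'
        if pub.startswith(app_vendor):
            return 'application'
        if pub.startswith('Microsoft'):
            return 'windows'
        return 'third-party'  # AV hooks, the mitigation DLL itself, anything else injected

    branch_hits, owners = Counter(), {}
    for a in ADDR_RE.findall(s.get('Branch Trace', '')):
        name, pub = resolve(int(a, 16), modules)
        branch_hits[name] += 1
        owners[name] = pub

    frames = [resolve(int(a, 16), modules) for _, a, _ in FRAME_RE.findall(s.get('Stack Trace', ''))]
    # Frame 1 is the protected API (KernelBase!VirtualProtect); frame 2 is whoever called it.
    caller = frames[1] if len(frames) > 1 else ('?', 'unbacked')
    callee = header_field(s['Header'], 'Callee Type')
    kind = bucket(caller[1])
    if kind == 'third-party':
        verdict = (f'{callee} was called from {caller[0]} ({caller[1]}), not from {app_exe} code: '
                   f'a third-party hook DLL; treat as an interop false positive unless that DLL is itself unexpected')
    elif kind == 'unbacked':
        verdict = f'{callee} was called from memory no loaded module owns: investigate as an exploit'
    else:
        verdict = f'{callee} was called from {caller[0]} ({kind} code); inspect the branch trace for pivots'
    return {'mitigation': header_field(s['Header'], 'Mitigation'), 'callee': callee,
            'application': app_exe, 'branch_hits': dict(branch_hits),
            'third_party': {n: p for n, p in owners.items() if bucket(p) == 'third-party'},
            'caller': caller, 'verdict': verdict}


if __name__ == '__main__':
    for k, v in triage(ALERT).items():
        print(f'{k:12} {v}')
```

On the posted alert this attributes the VirtualProtect call to tmmon64.dll and the bulk of the branch trace to the two Trend Micro DLLs, which is the evidence that the RET chain HMPA saw is the vendor's hook trampoline rather than gadgets in unbacked memory. The same script, pointed at an alert where frame 2 resolves to no loaded module, returns the "investigate as an exploit" verdict instead; the publisher buckets are a heuristic, so an unexpected third-party DLL still deserves a look at its signature and load path.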
  19. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,233
    I'm running HMP.A 3.7.8 build 750 on Win10 Pro x64 1803. I just noticed the main window says "Anti-Malware: Offline". When clicked, anti-malware is "Enabled" but it says "Cloud Protection Offline". Why would this be?

    I wondered if my VPN endpoint was being blocked, but I've tried several, and nothing has changed. I've disabled and re-enabled the anti-malware function, to no avail. It's not a firewall issue. The HMP.A event log is empty.
     
    Last edited: Aug 21, 2018
  20. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,857
    Location:
    the Netherlands
    Thanks. I see the same on my Windows 7 system. First time I see this with HMPA. I guess something is offline at Sophos.
     
  21. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
    I noticed that today as well. Don't check every day, so not sure when this started.
     
  22. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,872
    Location:
    Outer space
  23. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
  24. guest

    guest Guest

    Same here on all machines.

    I don't use VPN, so I don't believe it is related.
     
  25. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Here also, still.
     