HitmanPro.Alert BETA

Discussion in 'other anti-malware software' started by erikloman, May 30, 2017.

  1. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    636
    Location:
    Planet Earth
    Did it get your password, or did it simply start a child process under lsass?
    We allow certain reads so that e.g. Task Manager and similar tools keep working, just not reads of the regions where the credentials are stored. This tool does not provide an indication that it 'dumped' your credentials, does it?
     
  2. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    The simulated attacks by stackhackr are bogus. From their site:

    Ransomware
    This will simulate the common behavior of deleting shadow volume copies (no files will actually be deleted or encrypted).

    Credential theft
    This will simulate the common behavior of harvesting passwords from LSASS process memory (it won't actually steal any credentials).

    That's why HitmanPro.Alert doesn't step in. It acts when something really attempts to steal credentials or encrypt files. HitmanPro.Alert doesn't act on smoke.
    Don't use stackhackr to test your endpoint protection. It's useless. Use e.g. the Sophos Tester instead, which actually performs exploit techniques, encrypts files and attempts to read memory from LSASS.
     
  3. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,872
    Location:
    Outer space
    Will the RC be released soon?
    And any details about this yet?
     
  4. guest

    guest Guest

    It is not an RC anymore. The final version (Build 759) was released two weeks ago: #15145
     
  5. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    HitmanPro.Alert 3.7.9 Build 761 BETA

    Changelog (compared to build 759)

    Added
    • Improved Shellcode mitigation (system-wide) to detect backdoor stage/payload on the heap
    • Improved Code Cave mitigation (system-wide) to detect rare Shellter Pro binaries configured with uncommon evasion techniques
    Improved
    • CryptoGuard to block specific variants of the Dharma ransomware that include needless actions to thwart behavior monitoring
    • Dynamic Heap Spray Mitigation to allow certain memory block patterns
    Fixed
    • Compatibility issue with ESET Smart Security in combination with Google Chrome
    • Rare BSOD in WipeGuard when it was running out of stack
    • Process Protection user interface menu now correctly disables the features when no valid license is present
    • Automatic update when running HitmanPro.Alert in Anti-Ransomware (CryptoGuard) only
    Download
    http://test.hitmanpro.com/hmpalert3b761.exe

    Please let us know how this version runs on your endpoints! :thumb:
     
  6. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Installed and running here (config as below).

    After the post-install reboot I did notice this extra alert in Event Viewer, but that app seems unaffected.
    Code:
    Mitigation   Shellcode
    
    Platform     10.0.17134/x64 v761 06_45
    PID          9116
    Feature      00070330000001A2
    Application  C:\SyMenu\ProgramFiles\SPSSuite\SyMenuSuite\Open_Hardware_Monitor_sps\OpenHardwareMonitor.exe
    Description  Open Hardware Monitor 0.8
    
    Shellcode (HHA) (0x00001000 bytes)
    
    00007FFD0CA0A698  ffd0                     CALL         RAX
    00007FFD0CA0A69A  41c6470c01               MOV          BYTE [R15+0xc], 0x1
    00007FFD0CA0A69F  833d4a9af05f00           CMP          DWORD [RIP+0x5ff09a4a], 0x0
    00007FFD0CA0A6A6  7406                     JZ           0x7ffd0ca0a6ae
    00007FFD0CA0A6A8  ff157aa5f05f             CALL         QWORD [RIP+0x5ff0a57a]
    00007FFD0CA0A6AE  41c6470c01               MOV          BYTE [R15+0xc], 0x1
    00007FFD0CA0A6B3  488b5590                 MOV          RDX, [RBP-0x70]
    00007FFD0CA0A6B7  49895710                 MOV          [R15+0x10], RDX
    00007FFD0CA0A6BB  488d65c8                 LEA          RSP, [RBP-0x38]
    00007FFD0CA0A6BF  5b                       POP          RBX
    00007FFD0CA0A6C0  5e                       POP          RSI
    00007FFD0CA0A6C1  5f                       POP          RDI
    00007FFD0CA0A6C2  415c                     POP          R12
    00007FFD0CA0A6C4  415d                     POP          R13
    00007FFD0CA0A6C6  415e                     POP          R14
    00007FFD0CA0A6C8  415f                     POP          R15
    
    ----- SNIP HERE -----
    ----- END SNIP -----
    
    Thumbprint
    727cac43b9f64e4d584d9e2f6e67f063b2ccb502b400375d42368195615d761e
    
     
    Last edited: Oct 2, 2018
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    761 is looking good here, no issues
     
  8. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,872
    Location:
    Outer space
    Thanks, missed that somehow.

    Everything is running fine so far. Do you have more info on the vulnerability fixed in 759?
     
  9. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    Smooth update from build 759 - no issues to report :thumb:
     
  10. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,243
    Same here with W10 build 1809 and build 759 RC.
     
  11. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,294
    Location:
    USA
    Adobe Photoshop CC has crashed a few times. Never happened before this Beta (3.7.9 Build 761). HMPA shows 567 alerts although I never saw any. Using Windows 7 Pro SP1 x64.

    EDIT- Removed 761 and went back to stable 759 and still had crashes with Photoshop. Removed 759 and no crashes. I wasn't having crashes with 759 before. The only other thing that changed is a new version of Emsisoft Anti-Malware (2018.9.0.8961). Although I have HMPA excluded in Emsisoft settings, perhaps there is some problem between the two. Photoshop has not updated recently. I will run without HMPA to see if there are any more Photoshop crashes.
     

    Attached Files:

    Last edited: Oct 4, 2018
  12. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    636
    Location:
    Planet Earth
    Can you post one alert as example?
     
  13. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,294
    Location:
    USA
    They all appear to be pretty much the same.
     

    Attached Files:

  14. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    636
    Location:
    Planet Earth
    That event log looks like you have uninstalled Alert; could you install it again and copy/paste the text from the event log, please?
    You can also use build 759, which will also format the event messages again in plain text.
     
  15. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,294
    Location:
    USA
    Yes I uninstalled. It seems problems started with 761 Beta. Should I reinstall that version?
     
  16. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    636
    Location:
    Planet Earth
    Nope, you can just install 759 stable, and then copy/paste an alert from the time the 761 build alerted on that Adobe thingy.
     
  17. abbs

    abbs Registered Member

    Joined:
    Sep 14, 2018
    Posts:
    43
    Location:
    Nederlands
    HitmanPro.Alert 3.7.9 Build 761 BETA together with the latest Windows 10 October 2018 Update version 1809.
    No problems encountered.
     
  18. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,294
    Location:
    USA
    Someone pointed out to me that the problem may be with Emsisoft. I downloaded the latest EAM beta and will run that for a while, then I will download HMPA 759.
     
  19. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,294
    Location:
    USA
    Sent you a private message with the log.
     
  20. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    No problems with build 761 and EAM here, that I know of ...
     
  21. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,294
    Location:
    USA
    Thanks, trying to narrow down problem with Adobe Photoshop CC crashing with RonnyT. Otherwise I had no problems with either.
     
  22. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Hello @RonnyT,

    I just got around to trying out the beta today. 3.7.9.761 does indeed seem to fix all of the issues that I had discussed via email with you concerning the conflicts between HMP.A and ESET with several apps on my system. I will let you know if anything else surfaces about this issue but it seems all is now fixed.

    However, I do have a new issue that surfaced with my email client ( eM Client - https://www.emclient.com/ ). There is an alert every time eM Client is started (Mitigation - Shellcode). It only occurs when I start the app and does not seem to affect its running (i.e. I can use the app with seemingly no issues but always get an alert on its startup). The alerts are all basically the same with just some of the details that vary. Since they are not all identical, I have attached a sampling of three of the alerts that I have received:
    Log Name: Application
    Source: HitmanPro.Alert
    Date: 10/06/18 15:20:05
    Event ID: 911
    Task Category: Mitigation
    Level: Error
    Keywords: Classic
    User: N/A
    Computer: Dell-XPS-8920
    Description:
    Mitigation Shellcode

    Platform 10.0.17763/x64 v761 06_9e
    PID 10256
    Feature 00071A341FBF91B6
    Application C:\Program Files (x86)\eM Client\MailClient.exe
    Description eM Client 7.1

    Shellcode (HHP) (0x0008A000 bytes)

    03C0D2A0 ffd2 CALL EDX
    03C0D2A2 8b4de0 MOV ECX, [EBP-0x20]
    03C0D2A5 8d6104 LEA ESP, [ECX+0x4]
    03C0D2A8 c6470801 MOV BYTE [EDI+0x8], 0x1
    03C0D2AC 833d4020de6900 CMP DWORD [0x69de2040], 0x0
    03C0D2B3 7407 JZ 0x3c0d2bc
    03C0D2B5 50 PUSH EAX
    03C0D2B6 e8c526c865 CALL 0x6988f980
    03C0D2BB 58 POP EAX
    03C0D2BC c745e400000000 MOV DWORD [EBP-0x1c], 0x0
    03C0D2C3 8b75d8 MOV ESI, [EBP-0x28]
    03C0D2C6 89770c MOV [EDI+0xc], ESI
    03C0D2C9 8d65f4 LEA ESP, [EBP-0xc]
    03C0D2CC 5b POP EBX
    03C0D2CD 5e POP ESI
    03C0D2CE 5f POP EDI

    ----- SNIP HERE -----
    ----- END SNIP -----

    Process Trace
    1 C:\Program Files (x86)\eM Client\MailClient.exe [10256]
    2 C:\Windows\explorer.exe [4052]
    3 C:\Windows\System32\userinit.exe [3840]

    Thumbprint
    f8d5985968c09417b4507e82e2afa9428666917065434014932f6b925a1a143d
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="HitmanPro.Alert" />
    <EventID Qualifiers="0">911</EventID>
    <Level>2</Level>
    <Task>9</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2018-10-06T19:20:05.230753100Z" />
    <EventRecordID>1489</EventRecordID>
    <Channel>Application</Channel>
    <Computer>Dell-XPS-8920</Computer>
    <Security />
    </System>
    <EventData>
    <Data>C:\Program Files (x86)\eM Client\MailClient.exe</Data>
    <Data>Shellcode</Data>
    </EventData>
    </Event>
    Log Name: Application
    Source: HitmanPro.Alert
    Date: 10/06/18 15:06:55
    Event ID: 911
    Task Category: Mitigation
    Level: Error
    Keywords: Classic
    User: N/A
    Computer: Dell-XPS-8920
    Description:
    Mitigation Shellcode

    Platform 10.0.17763/x64 v761 06_9e
    PID 1696
    Feature 00071A341FBF91B6
    Application C:\Program Files (x86)\eM Client\MailClient.exe
    Description eM Client 7.1

    Shellcode (HHP) (0x0008A000 bytes)

    0279D2A0 ffd2 CALL EDX
    0279D2A2 8b4de0 MOV ECX, [EBP-0x20]
    0279D2A5 8d6104 LEA ESP, [ECX+0x4]
    0279D2A8 c6470801 MOV BYTE [EDI+0x8], 0x1
    0279D2AC 833d4020366900 CMP DWORD [0x69362040], 0x0
    0279D2B3 7407 JZ 0x279d2bc
    0279D2B5 50 PUSH EAX
    0279D2B6 e8c5266766 CALL 0x68e0f980
    0279D2BB 58 POP EAX
    0279D2BC c745e400000000 MOV DWORD [EBP-0x1c], 0x0
    0279D2C3 8b75d8 MOV ESI, [EBP-0x28]
    0279D2C6 89770c MOV [EDI+0xc], ESI
    0279D2C9 8d65f4 LEA ESP, [EBP-0xc]
    0279D2CC 5b POP EBX
    0279D2CD 5e POP ESI
    0279D2CE 5f POP EDI

    ----- SNIP HERE -----
    ----- END SNIP -----

    Process Trace
    1 C:\Program Files (x86)\eM Client\MailClient.exe [1696]
    2 C:\Windows\explorer.exe [1156]

    Thumbprint
    bdaaf3be0bcfff8e106f17be328b3a148c03e34d3b10cd03618dd5c2b00fec7e
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="HitmanPro.Alert" />
    <EventID Qualifiers="0">911</EventID>
    <Level>2</Level>
    <Task>9</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2018-10-06T19:06:55.947300600Z" />
    <EventRecordID>1443</EventRecordID>
    <Channel>Application</Channel>
    <Computer>Dell-XPS-8920</Computer>
    <Security />
    </System>
    <EventData>
    <Data>C:\Program Files (x86)\eM Client\MailClient.exe</Data>
    <Data>Shellcode</Data>
    </EventData>
    </Event>
    Log Name: Application
    Source: HitmanPro.Alert
    Date: 10/06/18 15:02:26
    Event ID: 911
    Task Category: Mitigation
    Level: Error
    Keywords: Classic
    User: N/A
    Computer: Dell-XPS-8920
    Description:
    Mitigation Shellcode

    Platform 10.0.17763/x64 v761 06_9e
    PID 13028
    Feature 00071A341FBF91B6
    Application C:\Program Files (x86)\eM Client\MailClient.exe
    Description eM Client 7.1

    Shellcode (HHP) (0x0008A000 bytes)

    039AD2A0 ffd2 CALL EDX
    039AD2A2 8b4de0 MOV ECX, [EBP-0x20]
    039AD2A5 8d6104 LEA ESP, [ECX+0x4]
    039AD2A8 c6470801 MOV BYTE [EDI+0x8], 0x1
    039AD2AC 833d4020366900 CMP DWORD [0x69362040], 0x0
    039AD2B3 7407 JZ 0x39ad2bc
    039AD2B5 50 PUSH EAX
    039AD2B6 e8c5264665 CALL 0x68e0f980
    039AD2BB 58 POP EAX
    039AD2BC c745e400000000 MOV DWORD [EBP-0x1c], 0x0
    039AD2C3 8b75d8 MOV ESI, [EBP-0x28]
    039AD2C6 89770c MOV [EDI+0xc], ESI
    039AD2C9 8d65f4 LEA ESP, [EBP-0xc]
    039AD2CC 5b POP EBX
    039AD2CD 5e POP ESI
    039AD2CE 5f POP EDI

    ----- SNIP HERE -----
    ----- END SNIP -----

    Process Trace
    1 C:\Program Files (x86)\eM Client\MailClient.exe [13028]
    2 C:\Windows\explorer.exe [1156]

    Thumbprint
    591157568d3be27e764a1b9cc30d9ef87466241ef7f77438b8515bb64f5f7f3f
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="HitmanPro.Alert" />
    <EventID Qualifiers="0">911</EventID>
    <Level>2</Level>
    <Task>9</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2018-10-06T19:02:26.537549300Z" />
    <EventRecordID>1442</EventRecordID>
    <Channel>Application</Channel>
    <Computer>Dell-XPS-8920</Computer>
    <Security />
    </System>
    <EventData>
    <Data>C:\Program Files (x86)\eM Client\MailClient.exe</Data>
    <Data>Shellcode</Data>
    <Data>Mitigation Shellcode

    Platform 10.0.17763/x64 v761 06_9e
    PID 13028
    Feature 00071A341FBF91B6
    Application C:\Program Files (x86)\eM Client\MailClient.exe
    Description eM Client 7.1

    Shellcode (HHP) (0x0008A000 bytes)

    039AD2A0 ffd2 CALL EDX
    039AD2A2 8b4de0 MOV ECX, [EBP-0x20]
    039AD2A5 8d6104 LEA ESP, [ECX+0x4]
    039AD2A8 c6470801 MOV BYTE [EDI+0x8], 0x1
    039AD2AC 833d4020366900 CMP DWORD [0x69362040], 0x0
    039AD2B3 7407 JZ 0x39ad2bc
    039AD2B5 50 PUSH EAX
    039AD2B6 e8c5264665 CALL 0x68e0f980
    039AD2BB 58 POP EAX
    039AD2BC c745e400000000 MOV DWORD [EBP-0x1c], 0x0
    039AD2C3 8b75d8 MOV ESI, [EBP-0x28]
    039AD2C6 89770c MOV [EDI+0xc], ESI
    039AD2C9 8d65f4 LEA ESP, [EBP-0xc]
    039AD2CC 5b POP EBX
    039AD2CD 5e POP ESI
    039AD2CE 5f POP EDI

    ----- SNIP HERE -----
    ----- END SNIP -----

    Process Trace
    1 C:\Program Files (x86)\eM Client\MailClient.exe [13028]
    2 C:\Windows\explorer.exe [1156]

    Thumbprint
    591157568d3be27e764a1b9cc30d9ef87466241ef7f77438b8515bb64f5f7f3f</Data>
    </EventData>
    </Event>
    If you need any further information, just let me know....
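    The event above is the standard Windows event XML that HitmanPro.Alert writes to the Application log, with the useful triage fields (mitigation name, PID, platform, the process trace and the thumbprint) buried in the free-text third Data element. The following is an added example, not code from the post or from HitmanPro.Alert: a small Python helper that pulls those fields out so detections can be summarised and deduplicated by thumbprint. The sample event inside it is a constructed, abridged copy of the one posted above; the field layout it expects (Platform/PID/Feature/Application/Description lines followed by "Process Trace" and "Thumbprint" sections) and the choice to filter on EventID 911 are assumptions taken from that single event and may not hold for other HitmanPro.Alert versions or mitigation types.

```python
"""Triage helper for HitmanPro.Alert mitigation events in the Application log.

Added example, not part of the original post or of HitmanPro.Alert itself.
Assumptions (taken from the single event shown in the thread): provider name
"HitmanPro.Alert", EventID 911 for a mitigation event, and a third <Data>
element whose text holds "Key Value" lines plus "Process Trace" and
"Thumbprint" sections.
"""
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: an abridged copy of the event posted in the thread.
SAMPLE_EVENT = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="HitmanPro.Alert" />
<EventID Qualifiers="0">911</EventID>
<Level>2</Level>
<Task>9</Task>
<TimeCreated SystemTime="2018-10-06T19:02:26.537549300Z" />
<EventRecordID>1442</EventRecordID>
<Channel>Application</Channel>
<Computer>Dell-XPS-8920</Computer>
</System>
<EventData>
<Data>C:\Program Files (x86)\eM Client\MailClient.exe</Data>
<Data>Shellcode</Data>
<Data>Mitigation Shellcode

Platform 10.0.17763/x64 v761 06_9e
PID 13028
Feature 00071A341FBF91B6
Application C:\Program Files (x86)\eM Client\MailClient.exe
Description eM Client 7.1

Shellcode (HHP) (0x0008A000 bytes)

039AD2A0 ffd2 CALL EDX
039AD2A2 8b4de0 MOV ECX, [EBP-0x20]

Process Trace
1 C:\Program Files (x86)\eM Client\MailClient.exe [13028]
2 C:\Windows\explorer.exe [1156]

Thumbprint
591157568d3be27e764a1b9cc30d9ef87466241ef7f77438b8515bb64f5f7f3f</Data>
</EventData>
</Event>
"""

KEY_LINE = re.compile(r"(Platform|PID|Feature|Application|Description)\s+(.*)$")
TRACE_LINE = re.compile(r"(\d+)\s+(.*?)\s+\[(\d+)\]$")
THUMBPRINT = re.compile(r"[0-9a-fA-F]{64}")


def parse_hmpa_event(xml_text):
    """Return a dict of triage fields, or None if this is not a HitmanPro.Alert
    mitigation event (assumed: provider HitmanPro.Alert, EventID 911)."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    provider = system.find("e:Provider", NS).get("Name")
    event_id = int(system.find("e:EventID", NS).text)
    if provider != "HitmanPro.Alert" or event_id != 911:
        return None
    data = [d.text or "" for d in root.findall("e:EventData/e:Data", NS)]
    record = {
        "provider": provider,
        "event_id": event_id,
        "time": system.find("e:TimeCreated", NS).get("SystemTime"),
        "computer": system.find("e:Computer", NS).text,
        "image": data[0] if data else "",
        "mitigation": data[1] if len(data) > 1 else "",
        "process_trace": [],   # list of (depth, image, pid), child first
        "thumbprint": None,
    }
    section = None
    for line in (data[2] if len(data) > 2 else "").splitlines():
        line = line.strip()
        if not line:
            continue
        if line in ("Process Trace", "Thumbprint"):
            section = line
            continue
        if section == "Process Trace":
            m = TRACE_LINE.match(line)
            if m:
                record["process_trace"].append((int(m.group(1)), m.group(2), int(m.group(3))))
        elif section == "Thumbprint":
            if THUMBPRINT.fullmatch(line):
                record["thumbprint"] = line.lower()
        else:
            # Header block before the disassembly dump: "Key Value" lines.
            m = KEY_LINE.match(line)
            if m:
                record[m.group(1).lower()] = m.group(2)
    pid = record.get("pid", "")
    record["pid"] = int(pid) if pid.isdigit() else None
    return record


def summarize(record):
    """One-line summary suitable for a ticket or a SIEM message field."""
    chain = " <- ".join(f"{img} [{pid}]" for _, img, pid in record["process_trace"])
    return (f"{record['time']} {record['computer']}: {record['mitigation']} mitigation in "
            f"{record.get('application', record['image'])} (PID {record['pid']}); "
            f"chain: {chain}; thumbprint {record['thumbprint']}")


def is_known_thumbprint(record, known):
    """True if this detection's thumbprint is in a set already triaged
    (e.g. confirmed false positives awaiting a vendor fix)."""
    return record["thumbprint"] is not None and record["thumbprint"] in known


if __name__ == "__main__":
    rec = parse_hmpa_event(SAMPLE_EVENT)
    print(summarize(rec))
```

The thumbprint is the natural key for deduplication: when several endpoints report the same application with the same thumbprint, one triage decision covers them all, and a confirmed false positive (such as the eM Client case above) can be parked in a known-thumbprint set until a build that no longer flags it arrives.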
     
  23. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    636
    Location:
    Planet Earth
    HitmanPro.Alert 3.7.9 Build 763 Release Candidate

    Changelog (compared to build 761)

    Added
    • New Lolbin to Application Lockdown
    Improved
    • Code Cave mitigation (system-wide) to detect rare Shellter Pro binaries configured with an uncommon evasion technique
    • Dynamic Heap Spray Mitigation to allow certain memory block patterns
    Download
    http://test.hitmanpro.com/hmpalert3b763.exe

    We will also auto-update the current 761 beta users.
    Please let us know how this version runs on your endpoints! :thumb:
     
    Last edited: Oct 10, 2018
  24. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
    I had a BSOD on next logon.
    Accidentally posted in HMP.A thread... #15192
     
  25. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    All fine here on Win 7
     