Did it get your password or did it simply start a child process under lsass? We allow certain reads to allow e.g. Task manager e.a. to work, just not the regions where the credentials are stored, this tool does not provide an indication that it 'dumped' your credentials does it?
The simulated attacks by stackhackr are bogus. From their site:

Ransomware: This will simulate the common behavior of deleting shadow volume copies (no files will actually be deleted or encrypted).
Credential theft: This will simulate the common behavior of harvesting passwords from LSASS process memory (it won't actually steal any credentials).

That's why HitmanPro.Alert doesn't step in. It acts when something really attempts to steal credentials or encrypt files. HitmanPro.Alert doesn't act on smoke. Don't use stackhackr to test your endpoint protection. It's useless. Use e.g. the Sophos Tester instead, which actually performs exploit techniques, encrypts files and attempts to read memory from LSASS.
HitmanPro.Alert 3.7.9 Build 761 BETA
Changelog (compared to build 759)

Added
- Improved Shellcode mitigation (system-wide) to detect backdoor stage/payload on the heap
- Improved Code Cave mitigation (system-wide) to detect rare Shellter Pro binaries configured with uncommon evasion techniques
- Improved CryptoGuard to block specific variants of the Dharma ransomware that include needless actions to thwart behavior monitoring
- Dynamic Heap Spray Mitigation to allow certain memory block patterns

Fixed
- Compatibility issue with ESET Smart Security in combination with Google Chrome
- Rare BSOD in WipeGuard when it was running out of stack
- Process Protection user interface menu now correctly disables the features when no valid license is present
- Automatic update when running HitmanPro.Alert in Anti-Ransomware (CryptoGuard) only mode

Download: http://test.hitmanpro.com/hmpalert3b761.exe

Please let us know how this version runs on your endpoints!
Installed and running here (config as below). After the install reboot I did notice this extra alert in Event Viewer, but that app seems unaffected.

Code:
Mitigation Shellcode
Platform 10.0.17134/x64 v761 06_45
PID 9116
Feature 00070330000001A2
Application C:\SyMenu\ProgramFiles\SPSSuite\SyMenuSuite\Open_Hardware_Monitor_sps\OpenHardwareMonitor.exe
Description Open Hardware Monitor 0.8

Shellcode (HHA) (0x00001000 bytes)
00007FFD0CA0A698 ffd0 CALL RAX
00007FFD0CA0A69A 41c6470c01 MOV BYTE [R15+0xc], 0x1
00007FFD0CA0A69F 833d4a9af05f00 CMP DWORD [RIP+0x5ff09a4a], 0x0
00007FFD0CA0A6A6 7406 JZ 0x7ffd0ca0a6ae
00007FFD0CA0A6A8 ff157aa5f05f CALL QWORD [RIP+0x5ff0a57a]
00007FFD0CA0A6AE 41c6470c01 MOV BYTE [R15+0xc], 0x1
00007FFD0CA0A6B3 488b5590 MOV RDX, [RBP-0x70]
00007FFD0CA0A6B7 49895710 MOV [R15+0x10], RDX
00007FFD0CA0A6BB 488d65c8 LEA RSP, [RBP-0x38]
00007FFD0CA0A6BF 5b POP RBX
00007FFD0CA0A6C0 5e POP RSI
00007FFD0CA0A6C1 5f POP RDI
00007FFD0CA0A6C2 415c POP R12
00007FFD0CA0A6C4 415d POP R13
00007FFD0CA0A6C6 415e POP R14
00007FFD0CA0A6C8 415f POP R15
----- SNIP HERE -----
----- END SNIP -----

Thumbprint 727cac43b9f64e4d584d9e2f6e67f063b2ccb502b400375d42368195615d761e
Thanks, missed that somehow. Everything is running fine so far. Do you have more info on the vulnerability fixed in 759?
Adobe Photoshop CC has crashed a few times. Never happened before this Beta (3.7.9 Build 761). HMPA shows 567 alerts although I never saw any. Using Windows 7 Pro SP1 x64.

EDIT: Removed 761 and went back to stable 759 and still had crashes with Photoshop. Removed 759 and no crashes. I wasn't having crashes with 759 before. The only other thing that changed is a new version of Emsisoft Anti-Malware (2018.9.0.8961). Although I have HMPA excluded in the Emsisoft settings, perhaps there is some problem between the two. Photoshop has not updated recently. I will run without HMPA to see if there are any more Photoshop crashes.
That event log looks like you have uninstalled Alert. Could you install it again and copy-paste the text from the event log please? You can also use build 759; that will also format the event messages in plain text again.
Nope, you can just install 759 stable, and then copy/paste an alert from the time the 761 build alerted on that Adobe thingy.
HitmanPro.Alert 3.7.9 Build 761 BETA together with the latest Windows 10 October 2018 Update version 1809. No problems encountered.
Someone pointed out to me that the problem may be with Emsisoft. I downloaded the latest EAM beta and will run that for a while, then I will download HMPA 759.
Thanks, trying to narrow down the problem with Adobe Photoshop CC crashing together with RonnyT. Otherwise I had no problems with either.
Hello @RonnyT, I just got around to trying out the beta today. 3.7.9.761 does indeed seem to fix all of the issues that I had discussed via email with you concerning the conflicts between HMP.A and ESET with several apps on my system. I will let you know if anything else surfaces about this issue, but it seems all is now fixed.

However, I do have a new issue that surfaced with my email client (eM Client - https://www.emclient.com/). There is an alert every time eM Client is started (Mitigation - Shellcode). It only occurs when I start the app and does not seem to affect its running (i.e. I can use the app with seemingly no issues but always get an alert on its startup). The alerts are all basically the same with just some of the details that vary. Since they are not all identical, I have attached a sampling of three of the alerts that I have received:

Spoiler: Shellcode Alert 1
Log Name: Application
Source: HitmanPro.Alert
Date: 10/06/18 15:20:05
Event ID: 911
Task Category: Mitigation
Level: Error
Keywords: Classic
User: N/A
Computer: Dell-XPS-8920
Description:
Mitigation Shellcode
Platform 10.0.17763/x64 v761 06_9e
PID 10256
Feature 00071A341FBF91B6
Application C:\Program Files (x86)\eM Client\MailClient.exe
Description eM Client 7.1

Shellcode (HHP) (0x0008A000 bytes)
03C0D2A0 ffd2 CALL EDX
03C0D2A2 8b4de0 MOV ECX, [EBP-0x20]
03C0D2A5 8d6104 LEA ESP, [ECX+0x4]
03C0D2A8 c6470801 MOV BYTE [EDI+0x8], 0x1
03C0D2AC 833d4020de6900 CMP DWORD [0x69de2040], 0x0
03C0D2B3 7407 JZ 0x3c0d2bc
03C0D2B5 50 PUSH EAX
03C0D2B6 e8c526c865 CALL 0x6988f980
03C0D2BB 58 POP EAX
03C0D2BC c745e400000000 MOV DWORD [EBP-0x1c], 0x0
03C0D2C3 8b75d8 MOV ESI, [EBP-0x28]
03C0D2C6 89770c MOV [EDI+0xc], ESI
03C0D2C9 8d65f4 LEA ESP, [EBP-0xc]
03C0D2CC 5b POP EBX
03C0D2CD 5e POP ESI
03C0D2CE 5f POP EDI
----- SNIP HERE -----
----- END SNIP -----

Process Trace
1 C:\Program Files (x86)\eM Client\MailClient.exe [10256]
2 C:\Windows\explorer.exe [4052]
3 C:\Windows\System32\userinit.exe [3840]

Thumbprint f8d5985968c09417b4507e82e2afa9428666917065434014932f6b925a1a143d

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="HitmanPro.Alert" />
    <EventID Qualifiers="0">911</EventID>
    <Level>2</Level>
    <Task>9</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2018-10-06T19:20:05.230753100Z" />
    <EventRecordID>1489</EventRecordID>
    <Channel>Application</Channel>
    <Computer>Dell-XPS-8920</Computer>
    <Security />
  </System>
  <EventData>
    <Data>C:\Program Files (x86)\eM Client\MailClient.exe</Data>
    <Data>Shellcode</Data>
    <Data>Mitigation Shellcode
Platform 10.0.17763/x64 v761 06_9e
PID 10256
Feature 00071A341FBF91B6
Application C:\Program Files (x86)\eM Client\MailClient.exe
Description eM Client 7.1

Shellcode (HHP) (0x0008A000 bytes)
03C0D2A0 ffd2 CALL EDX
03C0D2A2 8b4de0 MOV ECX, [EBP-0x20]
03C0D2A5 8d6104 LEA ESP, [ECX+0x4]
03C0D2A8 c6470801 MOV BYTE [EDI+0x8], 0x1
03C0D2AC 833d4020de6900 CMP DWORD [0x69de2040], 0x0
03C0D2B3 7407 JZ 0x3c0d2bc
03C0D2B5 50 PUSH EAX
03C0D2B6 e8c526c865 CALL 0x6988f980
03C0D2BB 58 POP EAX
03C0D2BC c745e400000000 MOV DWORD [EBP-0x1c], 0x0
03C0D2C3 8b75d8 MOV ESI, [EBP-0x28]
03C0D2C6 89770c MOV [EDI+0xc], ESI
03C0D2C9 8d65f4 LEA ESP, [EBP-0xc]
03C0D2CC 5b POP EBX
03C0D2CD 5e POP ESI
03C0D2CE 5f POP EDI
----- SNIP HERE -----
----- END SNIP -----

Process Trace
1 C:\Program Files (x86)\eM Client\MailClient.exe [10256]
2 C:\Windows\explorer.exe [4052]
3 C:\Windows\System32\userinit.exe [3840]

Thumbprint f8d5985968c09417b4507e82e2afa9428666917065434014932f6b925a1a143d</Data>
  </EventData>
</Event>

Spoiler: Shellcode Alert 2
Log Name: Application
Source: HitmanPro.Alert
Date: 10/06/18 15:06:55
Event ID: 911
Task Category: Mitigation
Level: Error
Keywords: Classic
User: N/A
Computer: Dell-XPS-8920
Description:
Mitigation Shellcode
Platform 10.0.17763/x64 v761 06_9e
PID 1696
Feature 00071A341FBF91B6
Application C:\Program Files (x86)\eM Client\MailClient.exe
Description eM Client 7.1

Shellcode (HHP) (0x0008A000 bytes)
0279D2A0 ffd2 CALL EDX
0279D2A2 8b4de0 MOV ECX, [EBP-0x20]
0279D2A5 8d6104 LEA ESP, [ECX+0x4]
0279D2A8 c6470801 MOV BYTE [EDI+0x8], 0x1
0279D2AC 833d4020366900 CMP DWORD [0x69362040], 0x0
0279D2B3 7407 JZ 0x279d2bc
0279D2B5 50 PUSH EAX
0279D2B6 e8c5266766 CALL 0x68e0f980
0279D2BB 58 POP EAX
0279D2BC c745e400000000 MOV DWORD [EBP-0x1c], 0x0
0279D2C3 8b75d8 MOV ESI, [EBP-0x28]
0279D2C6 89770c MOV [EDI+0xc], ESI
0279D2C9 8d65f4 LEA ESP, [EBP-0xc]
0279D2CC 5b POP EBX
0279D2CD 5e POP ESI
0279D2CE 5f POP EDI
----- SNIP HERE -----
----- END SNIP -----

Process Trace
1 C:\Program Files (x86)\eM Client\MailClient.exe [1696]
2 C:\Windows\explorer.exe [1156]

Thumbprint bdaaf3be0bcfff8e106f17be328b3a148c03e34d3b10cd03618dd5c2b00fec7e

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="HitmanPro.Alert" />
    <EventID Qualifiers="0">911</EventID>
    <Level>2</Level>
    <Task>9</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2018-10-06T19:06:55.947300600Z" />
    <EventRecordID>1443</EventRecordID>
    <Channel>Application</Channel>
    <Computer>Dell-XPS-8920</Computer>
    <Security />
  </System>
  <EventData>
    <Data>C:\Program Files (x86)\eM Client\MailClient.exe</Data>
    <Data>Shellcode</Data>
    <Data>Mitigation Shellcode
Platform 10.0.17763/x64 v761 06_9e
PID 1696
Feature 00071A341FBF91B6
Application C:\Program Files (x86)\eM Client\MailClient.exe
Description eM Client 7.1

Shellcode (HHP) (0x0008A000 bytes)
0279D2A0 ffd2 CALL EDX
0279D2A2 8b4de0 MOV ECX, [EBP-0x20]
0279D2A5 8d6104 LEA ESP, [ECX+0x4]
0279D2A8 c6470801 MOV BYTE [EDI+0x8], 0x1
0279D2AC 833d4020366900 CMP DWORD [0x69362040], 0x0
0279D2B3 7407 JZ 0x279d2bc
0279D2B5 50 PUSH EAX
0279D2B6 e8c5266766 CALL 0x68e0f980
0279D2BB 58 POP EAX
0279D2BC c745e400000000 MOV DWORD [EBP-0x1c], 0x0
0279D2C3 8b75d8 MOV ESI, [EBP-0x28]
0279D2C6 89770c MOV [EDI+0xc], ESI
0279D2C9 8d65f4 LEA ESP, [EBP-0xc]
0279D2CC 5b POP EBX
0279D2CD 5e POP ESI
0279D2CE 5f POP EDI
----- SNIP HERE -----
----- END SNIP -----

Process Trace
1 C:\Program Files (x86)\eM Client\MailClient.exe [1696]
2 C:\Windows\explorer.exe [1156]

Thumbprint bdaaf3be0bcfff8e106f17be328b3a148c03e34d3b10cd03618dd5c2b00fec7e</Data>
  </EventData>
</Event>

Spoiler: Shellcode Alert 3
Log Name: Application
Source: HitmanPro.Alert
Date: 10/06/18 15:02:26
Event ID: 911
Task Category: Mitigation
Level: Error
Keywords: Classic
User: N/A
Computer: Dell-XPS-8920
Description:
Mitigation Shellcode
Platform 10.0.17763/x64 v761 06_9e
PID 13028
Feature 00071A341FBF91B6
Application C:\Program Files (x86)\eM Client\MailClient.exe
Description eM Client 7.1

Shellcode (HHP) (0x0008A000 bytes)
039AD2A0 ffd2 CALL EDX
039AD2A2 8b4de0 MOV ECX, [EBP-0x20]
039AD2A5 8d6104 LEA ESP, [ECX+0x4]
039AD2A8 c6470801 MOV BYTE [EDI+0x8], 0x1
039AD2AC 833d4020366900 CMP DWORD [0x69362040], 0x0
039AD2B3 7407 JZ 0x39ad2bc
039AD2B5 50 PUSH EAX
039AD2B6 e8c5264665 CALL 0x68e0f980
039AD2BB 58 POP EAX
039AD2BC c745e400000000 MOV DWORD [EBP-0x1c], 0x0
039AD2C3 8b75d8 MOV ESI, [EBP-0x28]
039AD2C6 89770c MOV [EDI+0xc], ESI
039AD2C9 8d65f4 LEA ESP, [EBP-0xc]
039AD2CC 5b POP EBX
039AD2CD 5e POP ESI
039AD2CE 5f POP EDI
----- SNIP HERE -----
----- END SNIP -----

Process Trace
1 C:\Program Files (x86)\eM Client\MailClient.exe [13028]
2 C:\Windows\explorer.exe [1156]

Thumbprint 591157568d3be27e764a1b9cc30d9ef87466241ef7f77438b8515bb64f5f7f3f

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="HitmanPro.Alert" />
    <EventID Qualifiers="0">911</EventID>
    <Level>2</Level>
    <Task>9</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2018-10-06T19:02:26.537549300Z" />
    <EventRecordID>1442</EventRecordID>
    <Channel>Application</Channel>
    <Computer>Dell-XPS-8920</Computer>
    <Security />
  </System>
  <EventData>
    <Data>C:\Program Files (x86)\eM Client\MailClient.exe</Data>
    <Data>Shellcode</Data>
    <Data>Mitigation Shellcode
Platform 10.0.17763/x64 v761 06_9e
PID 13028
Feature 00071A341FBF91B6
Application C:\Program Files (x86)\eM Client\MailClient.exe
Description eM Client 7.1

Shellcode (HHP) (0x0008A000 bytes)
039AD2A0 ffd2 CALL EDX
039AD2A2 8b4de0 MOV ECX, [EBP-0x20]
039AD2A5 8d6104 LEA ESP, [ECX+0x4]
039AD2A8 c6470801 MOV BYTE [EDI+0x8], 0x1
039AD2AC 833d4020366900 CMP DWORD [0x69362040], 0x0
039AD2B3 7407 JZ 0x39ad2bc
039AD2B5 50 PUSH EAX
039AD2B6 e8c5264665 CALL 0x68e0f980
039AD2BB 58 POP EAX
039AD2BC c745e400000000 MOV DWORD [EBP-0x1c], 0x0
039AD2C3 8b75d8 MOV ESI, [EBP-0x28]
039AD2C6 89770c MOV [EDI+0xc], ESI
039AD2C9 8d65f4 LEA ESP, [EBP-0xc]
039AD2CC 5b POP EBX
039AD2CD 5e POP ESI
039AD2CE 5f POP EDI
----- SNIP HERE -----
----- END SNIP -----

Process Trace
1 C:\Program Files (x86)\eM Client\MailClient.exe [13028]
2 C:\Windows\explorer.exe [1156]

Thumbprint 591157568d3be27e764a1b9cc30d9ef87466241ef7f77438b8515bb64f5f7f3f</Data>
  </EventData>
</Event>

If you need any further information, just let me know.
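The eM Client alerts above and the OpenHardwareMonitor alert earlier in the thread share one text layout for the Event ID 911 description. As an added example that is not part of this thread or of HitmanPro.Alert, here is a small Python parser for that layout plus a triage helper that groups alerts per application by Feature mask, thumbprint and parent process; the sample is a shortened copy of the first eM Client alert, and the second alert is a constructed variant of it (new PID, different thumbprint).

```python
import re
from collections import defaultdict

# Constructed sample: a shortened Event ID 911 description in the layout
# HitmanPro.Alert writes to the Application log (values taken from the thread).
ALERT_1 = r"""Mitigation Shellcode
Platform 10.0.17763/x64 v761 06_9e
PID 10256
Feature 00071A341FBF91B6
Application C:\Program Files (x86)\eM Client\MailClient.exe
Description eM Client 7.1
Shellcode (HHP) (0x0008A000 bytes)
03C0D2A0 ffd2 CALL EDX
03C0D2A2 8b4de0 MOV ECX, [EBP-0x20]
03C0D2A5 8d6104 LEA ESP, [ECX+0x4]
----- SNIP HERE -----
----- END SNIP -----
Process Trace
1 C:\Program Files (x86)\eM Client\MailClient.exe [10256]
2 C:\Windows\explorer.exe [4052]
3 C:\Windows\System32\userinit.exe [3840]
Thumbprint f8d5985968c09417b4507e82e2afa9428666917065434014932f6b925a1a143d"""
# A later start of the same app: new PID and a different thumbprint (constructed variant).
ALERT_2 = ALERT_1.replace("10256", "1696").replace(
    ALERT_1.rsplit(" ", 1)[1],
    "bdaaf3be0bcfff8e106f17be328b3a148c03e34d3b10cd03618dd5c2b00fec7e")

DISASM = re.compile(r"^([0-9A-F]{8,16}) ([0-9a-f]+) (.+)$")   # addr, opcode bytes, mnemonic
TRACE = re.compile(r"^\d+ (.+) \[(\d+)\]$")                   # "n path [pid]" trace rows
HEADER = ("Mitigation", "Platform", "PID", "Feature", "Application", "Description", "Thumbprint")

def parse_alert(text):
    """Parse one alert description into a dict with header fields, disassembly and process trace."""
    alert = {"disasm": [], "trace": []}
    for line in (l.strip() for l in text.splitlines()):
        m = DISASM.match(line)
        if m:
            alert["disasm"].append((int(m.group(1), 16), bytes.fromhex(m.group(2)), m.group(3)))
            continue
        m = TRACE.match(line)
        if m:
            alert["trace"].append((m.group(1), int(m.group(2))))
            continue
        key, _, value = line.partition(" ")
        if key in HEADER:   # SNIP markers, "Process Trace" and the region line fall through
            alert[key.lower()] = int(value) if key == "PID" else value
    return alert

def triage(alerts):
    """Per application: alert count, distinct thumbprints, Feature masks and parent images.
    Many alerts with few thumbprints from one app under its usual parent is the
    'same alert on every start' pattern reported above; a new thumbprint or an
    unusual parent for a known app is what deserves a closer look."""
    groups = defaultdict(list)
    for a in alerts:
        groups[a["application"]].append(a)
    return {app: {
        "alerts": len(items),
        "features": {a["feature"] for a in items},
        "distinct_thumbprints": len({a["thumbprint"] for a in items}),
        "parents": {a["trace"][1][0].lower() for a in items if len(a["trace"]) > 1},
    } for app, items in groups.items()}
```

Feed it the third <Data> element of each exported event (or the Description field from Event Viewer) and the report tells you at a glance whether a noisy app is repeating one alert or producing new ones.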
HitmanPro.Alert 3.7.9 Build 763 Release Candidate
Changelog (compared to build 761)

Added
- New Lolbin to Application Lockdown
- Improved Code Cave mitigation (system-wide) to detect rare Shellter Pro binaries configured with uncommon evasion techniques
- Dynamic Heap Spray Mitigation to allow certain memory block patterns

Download: http://test.hitmanpro.com/hmpalert3b763.exe

We will also auto-update the current 761 beta users.

Please let us know how this version runs on your endpoints!