GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-10-09 21:19:28 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD50 rev.01.0 465,76GB Running: smlhdu49.exe; Driver: C:\Users\user\AppData\Local\Temp\aftcaaob.sys ---- User code sections - GMER 2.2 ---- .text C:\Program Files (x86)\Aladdin\HASP LM\nhsrvice.exe[1676] C:\windows\syswow64\kernel32.dll!ExitProcess 00000000751d79b0 5 bytes JMP 000000000043b37e .text C:\windows\SysWOW64\ntdll.dll[1840] C:\windows\SysWOW64\ntdll.dll!NtQueryValueKey 000000007732fab8 5 bytes JMP 00000000747e2b10 .text C:\windows\SysWOW64\ntdll.dll[1840] C:\windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077330048 5 bytes JMP 00000000747e2ad0 .text C:\windows\system32\taskhost.exe[2088] C:\windows\system32\KERNELBASE.dll!LoadLibraryExA 000007fefd15c750 5 bytes JMP 000007fefd120038 .text C:\windows\system32\taskhost.exe[2088] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd169ac0 1 byte JMP 000007fefd1200b8 .text C:\windows\system32\taskhost.exe[2088] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 2 000007fefd169ac2 3 bytes {JMP 0xfffffffffffb65f8} .text C:\windows\system32\taskhost.exe[2088] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefee06d10 5 bytes JMP 000007fefd120138 .text C:\windows\system32\taskhost.exe[2088] C:\windows\system32\WINMM.dll!waveOutReset 000007fef971a38c 5 bytes JMP 000007fefd1202b8 .text C:\windows\system32\taskhost.exe[2088] C:\windows\system32\WINMM.dll!waveOutPause 000007fef9734b60 5 bytes JMP 000007fefd120238 .text C:\windows\system32\taskhost.exe[2088] C:\windows\system32\WINMM.dll!waveOutRestart 000007fef9734ba0 5 bytes JMP 000007fefd1201b8 .text C:\Program Files\Elantech\ETDCtrl.exe[2512] C:\windows\system32\kernel32.dll!LoadLibraryW 0000000076f26420 5 bytes JMP 0000000069ff0038 .text C:\Program Files\Elantech\ETDCtrl.exe[2512] C:\windows\system32\KERNELBASE.dll!LoadLibraryExA 000007fefd15c750 5 bytes JMP 000007fefd140038 .text C:\Program Files\Elantech\ETDCtrl.exe[2512] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd169ac0 1 byte JMP 000007fefd1400b8 .text C:\Program Files\Elantech\ETDCtrl.exe[2512] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 2 000007fefd169ac2 3 bytes {JMP 0xfffffffffffd65f8} .text C:\Program Files\Elantech\ETDCtrl.exe[2512] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefee06d10 5 bytes JMP 000007fefd140138 .text C:\Program Files\Elantech\ETDCtrl.exe[2512] C:\windows\system32\WINMM.dll!waveOutReset 000007fef971a38c 5 bytes JMP 000007fefd1402b8 .text C:\Program Files\Elantech\ETDCtrl.exe[2512] C:\windows\system32\WINMM.dll!waveOutPause 000007fef9734b60 5 bytes JMP 000007fefd140238 .text C:\Program Files\Elantech\ETDCtrl.exe[2512] C:\windows\system32\WINMM.dll!waveOutRestart 000007fef9734ba0 5 bytes JMP 000007fefd1401b8 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2648] C:\windows\system32\kernel32.dll!LoadLibraryW 0000000076f26420 5 bytes JMP 0000000069ff0038 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2648] C:\windows\system32\KERNELBASE.dll!LoadLibraryExA 000007fefd15c750 5 bytes JMP 000007fefd140038 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2648] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd169ac0 1 byte JMP 000007fefd1400b8 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2648] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 2 000007fefd169ac2 3 bytes {JMP 0xfffffffffffd65f8} .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2648] C:\windows\system32\WINMM.dll!waveOutReset 000007fef971a38c 5 bytes JMP 000007fefd1402b8 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2648] C:\windows\system32\WINMM.dll!waveOutPause 000007fef9734b60 5 bytes JMP 000007fefd140238 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2648] C:\windows\system32\WINMM.dll!waveOutRestart 000007fef9734ba0 5 bytes JMP 000007fefd1401b8 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2648] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefee06d10 5 bytes JMP 000007fefd140138 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[2676] C:\windows\system32\kernel32.dll!LoadLibraryW 0000000076f26420 5 bytes JMP 0000000069ff0038 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[2676] C:\windows\system32\KERNELBASE.dll!LoadLibraryExA 000007fefd15c750 5 bytes JMP 000007fefd140038 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[2676] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd169ac0 1 byte JMP 000007fefd1400b8 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[2676] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 2 000007fefd169ac2 3 bytes {JMP 0xfffffffffffd65f8} .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[2940] C:\windows\system32\kernel32.dll!LoadLibraryW 0000000076f26420 5 bytes JMP 0000000069ff0038 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[2940] C:\windows\system32\KERNELBASE.dll!LoadLibraryExA 000007fefd15c750 5 bytes JMP 000007fefd140038 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[2940] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd169ac0 1 byte JMP 000007fefd1400b8 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[2940] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 2 000007fefd169ac2 3 bytes {JMP 0xfffffffffffd65f8} .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[2940] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefee06d10 5 bytes JMP 000007fefd140138 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[2940] C:\windows\system32\WINMM.dll!waveOutReset 000007fef971a38c 5 bytes JMP 000007fefd1402b8 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[2940] C:\windows\system32\WINMM.dll!waveOutPause 000007fef9734b60 5 bytes JMP 000007fefd140238 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[2940] C:\windows\system32\WINMM.dll!waveOutRestart 000007fef9734ba0 5 bytes JMP 000007fefd1401b8 .text C:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe[4140] C:\windows\system32\kernel32.dll!LoadLibraryW 0000000076f26420 5 bytes JMP 0000000069ff0038 .text C:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe[4140] C:\windows\system32\KERNELBASE.dll!LoadLibraryExA 000007fefd15c750 5 bytes JMP 000007fefd140038 .text C:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe[4140] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd169ac0 1 byte JMP 000007fefd1400b8 .text C:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe[4140] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 2 000007fefd169ac2 3 bytes {JMP 0xfffffffffffd65f8} .text C:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe[4140] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefee06d10 5 bytes JMP 000007fefd140138 .text C:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe[4140] C:\windows\system32\WINMM.dll!waveOutReset 000007fef971a38c 5 bytes JMP 000007fefd1402b8 .text C:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe[4140] C:\windows\system32\WINMM.dll!waveOutPause 000007fef9734b60 5 bytes JMP 000007fefd140238 .text C:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe[4140] C:\windows\system32\WINMM.dll!waveOutRestart 000007fef9734ba0 5 bytes JMP 000007fefd1401b8 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4376] C:\windows\syswow64\KERNEL32.dll!LoadLibraryExA 00000000751d48b3 5 bytes JMP 00000000100027c0 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4376] C:\windows\syswow64\KERNEL32.dll!LoadLibraryW 00000000751d48cb 5 bytes JMP 00000000100028a0 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4376] C:\windows\syswow64\KERNEL32.dll!LoadLibraryExW 00000000751d48fd 5 bytes JMP 0000000010002830 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4376] C:\windows\syswow64\ole32.dll!CoCreateInstance 00000000750a9cbb 5 bytes JMP 0000000010002900 .text C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[4568] C:\windows\syswow64\kernel32.dll!LoadLibraryExA 00000000751d48b3 5 bytes JMP 00000000100027c0 .text C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[4568] C:\windows\syswow64\kernel32.dll!LoadLibraryW 00000000751d48cb 5 bytes JMP 00000000100028a0 .text C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[4568] C:\windows\syswow64\kernel32.dll!LoadLibraryExW 00000000751d48fd 5 bytes JMP 0000000010002830 .text C:\Program Files (x86)\CardDetector\HUAWEI1752_1552\CardDetector.exe[4420] C:\windows\syswow64\kernel32.dll!LoadLibraryExA 00000000751d48b3 5 bytes JMP 0000000001ce27c0 .text C:\Program Files (x86)\CardDetector\HUAWEI1752_1552\CardDetector.exe[4420] C:\windows\syswow64\kernel32.dll!LoadLibraryW 00000000751d48cb 5 bytes JMP 0000000001ce28a0 .text C:\Program Files (x86)\CardDetector\HUAWEI1752_1552\CardDetector.exe[4420] C:\windows\syswow64\kernel32.dll!LoadLibraryExW 00000000751d48fd 5 bytes JMP 0000000001ce2830 .text C:\Program Files (x86)\CardDetector\HUAWEI1752_1552\CardDetector.exe[4420] C:\windows\syswow64\ole32.dll!CoCreateInstance 00000000750a9cbb 5 bytes JMP 0000000001ce2900 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5012] C:\windows\syswow64\kernel32.dll!LoadLibraryExA 00000000751d48b3 5 bytes JMP 00000000100027c0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5012] C:\windows\syswow64\kernel32.dll!LoadLibraryW 00000000751d48cb 5 bytes JMP 00000000100028a0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5012] C:\windows\syswow64\kernel32.dll!LoadLibraryExW 00000000751d48fd 5 bytes JMP 0000000010002830 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5012] C:\windows\syswow64\ole32.dll!CoCreateInstance 00000000750a9cbb 5 bytes JMP 0000000010002900 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5872] C:\windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 388 0000000077131234 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5872] C:\windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 00000000771312df 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5872] C:\windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 0000000077131434 8 bytes [A0, 2B, F6, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5872] C:\windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 127 00000000771317bf 7 bytes [2B, F6, 7E, 00, 00, 00, 00] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5872] C:\windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 644 00000000771319c4 8 bytes [80, 2B, F6, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5872] C:\windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000077131aa4 8 bytes [70, 2B, F6, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5872] C:\windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000077131c25 8 bytes [60, 2B, F6, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5872] C:\windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000077131d8f 8 bytes [50, 2B, F6, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5872] C:\windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000077131e75 8 bytes [40, 2B, F6, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5872] C:\windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 584 00000000771320d8 8 bytes [30, 2B, F6, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5872] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread 000000007717bc00 8 bytes {JMP QWORD [RIP-0x4a162]} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5872] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 000000007717bd80 8 bytes {JMP QWORD [RIP-0x4a161]} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5872] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007717bdb0 8 bytes {JMP QWORD [RIP-0x4a982]} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5872] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007717bed0 8 bytes {JMP QWORD [RIP-0x4a512]} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5872] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007717bf80 8 bytes {JMP QWORD [RIP-0x4a7c8]} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5872] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007717c5b0 8 bytes {JMP QWORD [RIP-0x4a4de]} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5872] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007717c800 8 bytes {JMP QWORD [RIP-0x4a991]} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5872] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007717d060 8 bytes {JMP QWORD [RIP-0x4b2d7]} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5872] C:\windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 0000000074b313cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5872] C:\windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 0000000074b3146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5872] C:\windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 0000000074b316d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5872] C:\windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 0000000074b319db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5872] C:\windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 0000000074b319fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5872] C:\windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000074b31a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6036] C:\windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 388 0000000077131234 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6036] C:\windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 00000000771312df 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6036] C:\windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 0000000077131434 8 bytes [A0, BB, EE, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6036] C:\windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 127 00000000771317bf 7 bytes [BB, EE, 7E, 00, 00, 00, 00] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6036] C:\windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 644 00000000771319c4 8 bytes [80, BB, EE, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6036] C:\windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000077131aa4 8 bytes [70, BB, EE, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6036] C:\windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000077131c25 8 bytes [60, BB, EE, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6036] C:\windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000077131d8f 8 bytes [50, BB, EE, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6036] C:\windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000077131e75 8 bytes [40, BB, EE, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6036] C:\windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 584 00000000771320d8 8 bytes [30, BB, EE, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6036] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread 000000007717bc00 8 bytes {JMP QWORD [RIP-0x4a162]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6036] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 000000007717bd80 8 bytes {JMP QWORD [RIP-0x4a161]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6036] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007717bdb0 8 bytes {JMP QWORD [RIP-0x4a982]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6036] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007717bed0 8 bytes {JMP QWORD [RIP-0x4a512]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6036] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007717bf80 8 bytes {JMP QWORD [RIP-0x4a7c8]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6036] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007717c5b0 8 bytes {JMP QWORD [RIP-0x4a4de]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6036] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007717c800 8 bytes {JMP QWORD [RIP-0x4a991]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6036] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007717d060 8 bytes {JMP QWORD [RIP-0x4b2d7]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6036] C:\windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 0000000074b313cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6036] C:\windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 0000000074b3146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6036] C:\windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 0000000074b316d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6036] C:\windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 0000000074b319db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6036] C:\windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 0000000074b319fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6036] C:\windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000074b31a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6036] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075bc1401 2 bytes JMP 751fb233 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6036] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075bc1419 2 bytes JMP 751fb35e C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6036] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075bc1431 2 bytes JMP 75279149 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6036] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075bc144a 2 bytes CALL 751d4885 C:\windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6036] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075bc14dd 2 bytes JMP 75278a42 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6036] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075bc14f5 2 bytes JMP 75278c18 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6036] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075bc150d 2 bytes JMP 75278938 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6036] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075bc1525 2 bytes JMP 75278d02 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6036] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075bc153d 2 bytes JMP 751efcc0 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6036] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075bc1555 2 bytes JMP 751f6907 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6036] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075bc156d 2 bytes JMP 75279201 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6036] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075bc1585 2 bytes JMP 75278d62 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6036] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075bc159d 2 bytes JMP 752788fc C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6036] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075bc15b5 2 bytes JMP 751efd59 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6036] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075bc15cd 2 bytes JMP 751fb2f4 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6036] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075bc16b2 2 bytes JMP 752790c4 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6036] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075bc16bd 2 bytes JMP 75278891 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 388 0000000077131234 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 00000000771312df 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 0000000077131434 8 bytes [A0, 5B, F7, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 127 00000000771317bf 7 bytes [5B, F7, FF, 00, 00, 00, 00] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 644 00000000771319c4 8 bytes [80, 5B, F7, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000077131aa4 8 bytes [70, 5B, F7, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000077131c25 8 bytes [60, 5B, F7, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000077131d8f 8 bytes [50, 5B, F7, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000077131e75 8 bytes [40, 5B, F7, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 584 00000000771320d8 8 bytes [30, 5B, F7, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread 000000007717bc00 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 000000007717bd80 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007717bdb0 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007717bed0 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007717bf80 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007717c5b0 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007717c800 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007717d060 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 0000000074b313cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 0000000074b3146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 0000000074b316d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 0000000074b319db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 0000000074b319fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000074b31a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3352] C:\windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 388 0000000077131234 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3352] C:\windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 00000000771312df 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3352] C:\windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 0000000077131434 8 bytes [A0, CB, F3, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3352] C:\windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 127 00000000771317bf 7 bytes [CB, F3, FF, 00, 00, 00, 00] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3352] C:\windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 644 00000000771319c4 8 bytes [80, CB, F3, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3352] C:\windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000077131aa4 8 bytes [70, CB, F3, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3352] C:\windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000077131c25 8 bytes [60, CB, F3, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3352] C:\windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000077131d8f 8 bytes [50, CB, F3, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3352] C:\windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000077131e75 8 bytes [40, CB, F3, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3352] C:\windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 584 00000000771320d8 8 bytes [30, CB, F3, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3352] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread 000000007717bc00 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3352] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 000000007717bd80 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3352] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007717bdb0 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3352] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007717bed0 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3352] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007717bf80 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3352] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007717c5b0 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3352] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007717c800 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3352] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007717d060 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3352] C:\windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 0000000074b313cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3352] C:\windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 0000000074b3146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3352] C:\windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 0000000074b316d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3352] C:\windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 0000000074b319db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3352] C:\windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 0000000074b319fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3352] C:\windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000074b31a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2384] C:\windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 388 0000000077131234 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2384] C:\windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 00000000771312df 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2384] C:\windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 0000000077131434 8 bytes [A0, EB, F2, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2384] C:\windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 127 00000000771317bf 7 bytes {JMP 0xfffffffffffffff4} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2384] C:\windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 644 00000000771319c4 8 bytes [80, EB, F2, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2384] C:\windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000077131aa4 8 bytes [70, EB, F2, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2384] C:\windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000077131c25 8 bytes [60, EB, F2, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2384] C:\windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000077131d8f 8 bytes {PUSH RAX; JMP 0xfffffffffffffff5} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2384] C:\windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000077131e75 8 bytes {JMP 0xfffffffffffffff5} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2384] C:\windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 584 00000000771320d8 8 bytes [30, EB, F2, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2384] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread 000000007717bc00 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2384] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 000000007717bd80 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2384] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007717bdb0 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2384] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007717bed0 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2384] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007717bf80 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2384] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007717c5b0 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2384] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007717c800 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2384] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007717d060 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2384] C:\windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 0000000074b313cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2384] C:\windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 0000000074b3146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2384] C:\windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 0000000074b316d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2384] C:\windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 0000000074b319db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2384] C:\windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 0000000074b319fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2384] C:\windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000074b31a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3136] C:\windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 388 0000000077131234 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3136] C:\windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 00000000771312df 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3136] C:\windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 0000000077131434 8 bytes [A0, EB, E8, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3136] C:\windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 127 00000000771317bf 7 bytes {JMP 0xffffffffffffffea} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3136] C:\windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 644 00000000771319c4 8 bytes [80, EB, E8, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3136] C:\windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000077131aa4 8 bytes {JO 0xffffffffffffffed; CALL 0x106} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3136] C:\windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000077131c25 8 bytes [60, EB, E8, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3136] C:\windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000077131d8f 8 bytes {PUSH RAX; JMP 0xffffffffffffffeb} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3136] C:\windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000077131e75 8 bytes {JMP 0xffffffffffffffeb} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3136] C:\windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 584 00000000771320d8 8 bytes {XOR BL, CH; CALL 0x106} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3136] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread 000000007717bc00 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3136] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 000000007717bd80 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3136] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007717bdb0 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3136] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007717bed0 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3136] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007717bf80 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3136] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007717c5b0 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3136] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007717c800 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3136] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007717d060 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3136] C:\windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 0000000074b313cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3136] C:\windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 0000000074b3146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3136] C:\windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 0000000074b316d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3136] C:\windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 0000000074b319db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3136] C:\windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 0000000074b319fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3136] C:\windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000074b31a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3040] C:\windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 388 0000000077131234 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3040] C:\windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 00000000771312df 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3040] C:\windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 0000000077131434 8 bytes [A0, BB, E8, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3040] C:\windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 127 00000000771317bf 7 bytes [BB, E8, FF, 00, 00, 00, 00] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3040] C:\windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 644 00000000771319c4 8 bytes [80, BB, E8, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3040] C:\windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000077131aa4 8 bytes {JO 0xffffffffffffffbd; CALL 0x106} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3040] C:\windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000077131c25 8 bytes [60, BB, E8, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3040] C:\windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000077131d8f 8 bytes [50, BB, E8, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3040] C:\windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000077131e75 8 bytes [40, BB, E8, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3040] C:\windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 584 00000000771320d8 8 bytes [30, BB, E8, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3040] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread 000000007717bc00 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3040] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 000000007717bd80 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3040] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007717bdb0 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3040] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007717bed0 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3040] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007717bf80 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3040] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007717c5b0 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3040] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007717c800 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3040] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007717d060 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3040] C:\windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 0000000074b313cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3040] C:\windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 0000000074b3146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3040] C:\windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 0000000074b316d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3040] C:\windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 0000000074b319db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3040] C:\windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 0000000074b319fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3040] C:\windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000074b31a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\user\Desktop\POMOC\smlhdu49.exe[3448] C:\windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 388 0000000077131234 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\user\Desktop\POMOC\smlhdu49.exe[3448] C:\windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 00000000771312df 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\user\Desktop\POMOC\smlhdu49.exe[3448] C:\windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 0000000077131434 8 bytes [A0, 3B, F4, 7E, 00, 00, 00, ...] .text C:\Users\user\Desktop\POMOC\smlhdu49.exe[3448] C:\windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 127 00000000771317bf 7 bytes [3B, F4, 7E, 00, 00, 00, 00] .text C:\Users\user\Desktop\POMOC\smlhdu49.exe[3448] C:\windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 644 00000000771319c4 8 bytes [80, 3B, F4, 7E, 00, 00, 00, ...] .text C:\Users\user\Desktop\POMOC\smlhdu49.exe[3448] C:\windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000077131aa4 8 bytes [70, 3B, F4, 7E, 00, 00, 00, ...] .text C:\Users\user\Desktop\POMOC\smlhdu49.exe[3448] C:\windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000077131c25 8 bytes [60, 3B, F4, 7E, 00, 00, 00, ...] .text C:\Users\user\Desktop\POMOC\smlhdu49.exe[3448] C:\windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000077131d8f 8 bytes [50, 3B, F4, 7E, 00, 00, 00, ...] .text C:\Users\user\Desktop\POMOC\smlhdu49.exe[3448] C:\windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000077131e75 8 bytes [40, 3B, F4, 7E, 00, 00, 00, ...] .text C:\Users\user\Desktop\POMOC\smlhdu49.exe[3448] C:\windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 584 00000000771320d8 8 bytes [30, 3B, F4, 7E, 00, 00, 00, ...] .text C:\Users\user\Desktop\POMOC\smlhdu49.exe[3448] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread 000000007717bc00 8 bytes {JMP QWORD [RIP-0x4a162]} .text C:\Users\user\Desktop\POMOC\smlhdu49.exe[3448] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 000000007717bd80 8 bytes {JMP QWORD [RIP-0x4a161]} .text C:\Users\user\Desktop\POMOC\smlhdu49.exe[3448] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007717bdb0 8 bytes {JMP QWORD [RIP-0x4a982]} .text C:\Users\user\Desktop\POMOC\smlhdu49.exe[3448] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007717bed0 8 bytes {JMP QWORD [RIP-0x4a512]} .text C:\Users\user\Desktop\POMOC\smlhdu49.exe[3448] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007717bf80 8 bytes {JMP QWORD [RIP-0x4a7c8]} .text C:\Users\user\Desktop\POMOC\smlhdu49.exe[3448] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007717c5b0 8 bytes {JMP QWORD [RIP-0x4a4de]} .text C:\Users\user\Desktop\POMOC\smlhdu49.exe[3448] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007717c800 8 bytes {JMP QWORD [RIP-0x4a991]} .text C:\Users\user\Desktop\POMOC\smlhdu49.exe[3448] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007717d060 8 bytes {JMP QWORD [RIP-0x4b2d7]} .text C:\Users\user\Desktop\POMOC\smlhdu49.exe[3448] C:\windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 0000000074b313cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\user\Desktop\POMOC\smlhdu49.exe[3448] C:\windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 0000000074b3146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Users\user\Desktop\POMOC\smlhdu49.exe[3448] C:\windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 0000000074b316d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\user\Desktop\POMOC\smlhdu49.exe[3448] C:\windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 0000000074b319db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\user\Desktop\POMOC\smlhdu49.exe[3448] C:\windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 0000000074b319fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\user\Desktop\POMOC\smlhdu49.exe[3448] C:\windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000074b31a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] ---- Kernel IAT/EAT - GMER 2.2 ---- IAT C:\windows\System32\win32k.sys[ntoskrnl.exe!KeUserModeCallback] [fffff88002335750] \SystemRoot\system32\DRIVERS\klif.sys [PAGE] ---- Threads - GMER 2.2 ---- Thread C:\windows\SysWOW64\ntdll.dll [1840:1844] 0000000000bd55aa ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002269ec2d88 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\18f46af68560 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\18f46af68560@5c17d3b57cdd 0xAF 0x32 0xF8 0xE8 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\18f46af68560@1cc59246cdeb 0x01 0x29 0x25 0x7D ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002269ec2d88 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\18f46af68560 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\18f46af68560@5c17d3b57cdd 0xAF 0x32 0xF8 0xE8 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\18f46af68560@1cc59246cdeb 0x01 0x29 0x25 0x7D ... ---- EOF - GMER 2.2 ----