GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-10-18 23:22:31 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST500LM000-1EJ162 rev.SM14 465,76GB Running: 6lzgf1lk.exe; Driver: C:\Users\Natalcia\AppData\Local\Temp\pxldapog.sys ---- User code sections - GMER 2.2 ---- .text C:\Program Files (x86)\Common Files\ArcSoft\esinter\Bin\eservutil.exe[1684] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076471401 2 bytes JMP 75cfb233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\esinter\Bin\eservutil.exe[1684] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076471419 2 bytes JMP 75cfb35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\esinter\Bin\eservutil.exe[1684] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076471431 2 bytes JMP 75d79149 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\esinter\Bin\eservutil.exe[1684] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007647144a 2 bytes CALL 75cd4885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Common Files\ArcSoft\esinter\Bin\eservutil.exe[1684] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000764714dd 2 bytes JMP 75d78a42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\esinter\Bin\eservutil.exe[1684] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000764714f5 2 bytes JMP 75d78c18 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\esinter\Bin\eservutil.exe[1684] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007647150d 2 bytes JMP 75d78938 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\esinter\Bin\eservutil.exe[1684] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076471525 2 bytes JMP 75d78d02 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\esinter\Bin\eservutil.exe[1684] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007647153d 2 bytes JMP 75cefcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\esinter\Bin\eservutil.exe[1684] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076471555 2 bytes JMP 75cf6907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\esinter\Bin\eservutil.exe[1684] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007647156d 2 bytes JMP 75d79201 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\esinter\Bin\eservutil.exe[1684] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076471585 2 bytes JMP 75d78d62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\esinter\Bin\eservutil.exe[1684] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007647159d 2 bytes JMP 75d788fc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\esinter\Bin\eservutil.exe[1684] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000764715b5 2 bytes JMP 75cefd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\esinter\Bin\eservutil.exe[1684] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000764715cd 2 bytes JMP 75cfb2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\esinter\Bin\eservutil.exe[1684] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000764716b2 2 bytes JMP 75d790c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\esinter\Bin\eservutil.exe[1684] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000764716bd 2 bytes JMP 75d78891 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\svchost.exe[1212] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076471401 2 bytes JMP 75cfb233 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\svchost.exe[1212] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076471419 2 bytes JMP 75cfb35e C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\svchost.exe[1212] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076471431 2 bytes JMP 75d79149 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\svchost.exe[1212] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007647144a 2 bytes CALL 75cd4885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Windows\SysWOW64\svchost.exe[1212] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000764714dd 2 bytes JMP 75d78a42 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\svchost.exe[1212] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000764714f5 2 bytes JMP 75d78c18 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\svchost.exe[1212] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007647150d 2 bytes JMP 75d78938 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\svchost.exe[1212] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076471525 2 bytes JMP 75d78d02 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\svchost.exe[1212] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007647153d 2 bytes JMP 75cefcc0 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\svchost.exe[1212] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076471555 2 bytes JMP 75cf6907 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\svchost.exe[1212] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007647156d 2 bytes JMP 75d79201 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\svchost.exe[1212] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076471585 2 bytes JMP 75d78d62 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\svchost.exe[1212] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007647159d 2 bytes JMP 75d788fc C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\svchost.exe[1212] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000764715b5 2 bytes JMP 75cefd59 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\svchost.exe[1212] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000764715cd 2 bytes JMP 75cfb2f4 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\svchost.exe[1212] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000764716b2 2 bytes JMP 75d790c4 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\svchost.exe[1212] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000764716bd 2 bytes JMP 75d78891 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\svchost.exe[1716] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076471401 2 bytes JMP 75cfb233 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\svchost.exe[1716] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076471419 2 bytes JMP 75cfb35e C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\svchost.exe[1716] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076471431 2 bytes JMP 75d79149 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\svchost.exe[1716] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007647144a 2 bytes CALL 75cd4885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Windows\SysWOW64\svchost.exe[1716] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000764714dd 2 bytes JMP 75d78a42 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\svchost.exe[1716] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000764714f5 2 bytes JMP 75d78c18 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\svchost.exe[1716] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007647150d 2 bytes JMP 75d78938 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\svchost.exe[1716] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076471525 2 bytes JMP 75d78d02 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\svchost.exe[1716] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007647153d 2 bytes JMP 75cefcc0 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\svchost.exe[1716] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076471555 2 bytes JMP 75cf6907 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\svchost.exe[1716] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007647156d 2 bytes JMP 75d79201 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\svchost.exe[1716] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076471585 2 bytes JMP 75d78d62 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\svchost.exe[1716] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007647159d 2 bytes JMP 75d788fc C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\svchost.exe[1716] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000764715b5 2 bytes JMP 75cefd59 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\svchost.exe[1716] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000764715cd 2 bytes JMP 75cfb2f4 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\svchost.exe[1716] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000764716b2 2 bytes JMP 75d790c4 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\svchost.exe[1716] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000764716bd 2 bytes JMP 75d78891 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 388 0000000077461234 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 00000000774612df 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 0000000077461434 8 bytes [A0, 6B, EB, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 127 00000000774617bf 7 bytes [6B, EB, 7E, 00, 00, 00, 00] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 644 00000000774619c4 8 bytes [80, 6B, EB, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000077461aa4 8 bytes {JO 0x6d; JMP 0x82} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000077461c25 8 bytes [60, 6B, EB, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000077461d8f 8 bytes [50, 6B, EB, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000077461e75 8 bytes [40, 6B, EB, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 584 00000000774620d8 8 bytes [30, 6B, EB, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00000000774abc00 8 bytes {JMP QWORD [RIP-0x4a162]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 00000000774abd80 8 bytes {JMP QWORD [RIP-0x4a161]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000774abdb0 8 bytes {JMP QWORD [RIP-0x4a982]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774abed0 8 bytes {JMP QWORD [RIP-0x4a512]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000774abf80 8 bytes {JMP QWORD [RIP-0x4a7c8]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774ac5b0 8 bytes {JMP QWORD [RIP-0x4a4de]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000774ac800 8 bytes {JMP QWORD [RIP-0x4a991]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774ad060 8 bytes {JMP QWORD [RIP-0x4b2d7]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3400] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000739413cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3400] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007394146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3400] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000739416d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3400] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000739419db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3400] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000739419fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3400] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000073941a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 388 0000000077461234 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 00000000774612df 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 0000000077461434 8 bytes [A0, 7B, EE, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 127 00000000774617bf 7 bytes [7B, EE, 7E, 00, 00, 00, 00] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 644 00000000774619c4 8 bytes [80, 7B, EE, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000077461aa4 8 bytes [70, 7B, EE, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000077461c25 8 bytes [60, 7B, EE, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000077461d8f 8 bytes [50, 7B, EE, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000077461e75 8 bytes [40, 7B, EE, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 584 00000000774620d8 8 bytes [30, 7B, EE, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00000000774abc00 8 bytes {JMP QWORD [RIP-0x4a162]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 00000000774abd80 8 bytes {JMP QWORD [RIP-0x4a161]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000774abdb0 8 bytes {JMP QWORD [RIP-0x4a982]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774abed0 8 bytes {JMP QWORD [RIP-0x4a512]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000774abf80 8 bytes {JMP QWORD [RIP-0x4a7c8]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774ac5b0 8 bytes {JMP QWORD [RIP-0x4a4de]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000774ac800 8 bytes {JMP QWORD [RIP-0x4a991]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774ad060 8 bytes {JMP QWORD [RIP-0x4b2d7]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2652] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000739413cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2652] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007394146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2652] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000739416d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2652] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000739419db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2652] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000739419fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2652] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000073941a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\ProgramData\DatacardService\DCSHelper.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 388 0000000077461234 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\ProgramData\DatacardService\DCSHelper.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 00000000774612df 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\ProgramData\DatacardService\DCSHelper.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 0000000077461434 8 bytes [A0, 2B, F7, 7E, 00, 00, 00, ...] .text C:\ProgramData\DatacardService\DCSHelper.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 127 00000000774617bf 7 bytes [2B, F7, 7E, 00, 00, 00, 00] .text C:\ProgramData\DatacardService\DCSHelper.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 644 00000000774619c4 8 bytes [80, 2B, F7, 7E, 00, 00, 00, ...] .text C:\ProgramData\DatacardService\DCSHelper.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000077461aa4 8 bytes [70, 2B, F7, 7E, 00, 00, 00, ...] .text C:\ProgramData\DatacardService\DCSHelper.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000077461c25 8 bytes [60, 2B, F7, 7E, 00, 00, 00, ...] .text C:\ProgramData\DatacardService\DCSHelper.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000077461d8f 8 bytes [50, 2B, F7, 7E, 00, 00, 00, ...] .text C:\ProgramData\DatacardService\DCSHelper.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000077461e75 8 bytes [40, 2B, F7, 7E, 00, 00, 00, ...] .text C:\ProgramData\DatacardService\DCSHelper.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 584 00000000774620d8 8 bytes [30, 2B, F7, 7E, 00, 00, 00, ...] .text C:\ProgramData\DatacardService\DCSHelper.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00000000774abc00 8 bytes {JMP QWORD [RIP-0x4a162]} .text C:\ProgramData\DatacardService\DCSHelper.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 00000000774abd80 8 bytes {JMP QWORD [RIP-0x4a161]} .text C:\ProgramData\DatacardService\DCSHelper.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000774abdb0 8 bytes {JMP QWORD [RIP-0x4a982]} .text C:\ProgramData\DatacardService\DCSHelper.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774abed0 8 bytes {JMP QWORD [RIP-0x4a512]} .text C:\ProgramData\DatacardService\DCSHelper.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000774abf80 8 bytes {JMP QWORD [RIP-0x4a7c8]} .text C:\ProgramData\DatacardService\DCSHelper.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774ac5b0 8 bytes {JMP QWORD [RIP-0x4a4de]} .text C:\ProgramData\DatacardService\DCSHelper.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000774ac800 8 bytes {JMP QWORD [RIP-0x4a991]} .text C:\ProgramData\DatacardService\DCSHelper.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774ad060 8 bytes {JMP QWORD [RIP-0x4b2d7]} .text C:\ProgramData\DatacardService\DCSHelper.exe[4116] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000739413cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\ProgramData\DatacardService\DCSHelper.exe[4116] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007394146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\ProgramData\DatacardService\DCSHelper.exe[4116] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000739416d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\ProgramData\DatacardService\DCSHelper.exe[4116] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000739419db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\ProgramData\DatacardService\DCSHelper.exe[4116] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000739419fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\ProgramData\DatacardService\DCSHelper.exe[4116] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000073941a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\ProgramData\DatacardService\DCSHelper.exe[4116] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076471401 2 bytes JMP 75cfb233 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\DatacardService\DCSHelper.exe[4116] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076471419 2 bytes JMP 75cfb35e C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\DatacardService\DCSHelper.exe[4116] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076471431 2 bytes JMP 75d79149 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\DatacardService\DCSHelper.exe[4116] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007647144a 2 bytes CALL 75cd4885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\ProgramData\DatacardService\DCSHelper.exe[4116] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000764714dd 2 bytes JMP 75d78a42 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\DatacardService\DCSHelper.exe[4116] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000764714f5 2 bytes JMP 75d78c18 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\DatacardService\DCSHelper.exe[4116] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007647150d 2 bytes JMP 75d78938 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\DatacardService\DCSHelper.exe[4116] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076471525 2 bytes JMP 75d78d02 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\DatacardService\DCSHelper.exe[4116] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007647153d 2 bytes JMP 75cefcc0 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\DatacardService\DCSHelper.exe[4116] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076471555 2 bytes JMP 75cf6907 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\DatacardService\DCSHelper.exe[4116] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007647156d 2 bytes JMP 75d79201 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\DatacardService\DCSHelper.exe[4116] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076471585 2 bytes JMP 75d78d62 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\DatacardService\DCSHelper.exe[4116] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007647159d 2 bytes JMP 75d788fc C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\DatacardService\DCSHelper.exe[4116] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000764715b5 2 bytes JMP 75cefd59 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\DatacardService\DCSHelper.exe[4116] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000764715cd 2 bytes JMP 75cfb2f4 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\DatacardService\DCSHelper.exe[4116] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000764716b2 2 bytes JMP 75d790c4 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\DatacardService\DCSHelper.exe[4116] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000764716bd 2 bytes JMP 75d78891 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\RunDll32.exe[4200] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 388 0000000077461234 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\RunDll32.exe[4200] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 00000000774612df 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\RunDll32.exe[4200] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 0000000077461434 8 bytes [A0, DB, F1, 7E, 00, 00, 00, ...] .text C:\Windows\SysWOW64\RunDll32.exe[4200] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 127 00000000774617bf 7 bytes [DB, F1, 7E, 00, 00, 00, 00] .text C:\Windows\SysWOW64\RunDll32.exe[4200] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 644 00000000774619c4 8 bytes [80, DB, F1, 7E, 00, 00, 00, ...] .text C:\Windows\SysWOW64\RunDll32.exe[4200] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000077461aa4 8 bytes [70, DB, F1, 7E, 00, 00, 00, ...] .text C:\Windows\SysWOW64\RunDll32.exe[4200] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000077461c25 8 bytes [60, DB, F1, 7E, 00, 00, 00, ...] .text C:\Windows\SysWOW64\RunDll32.exe[4200] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000077461d8f 8 bytes [50, DB, F1, 7E, 00, 00, 00, ...] .text C:\Windows\SysWOW64\RunDll32.exe[4200] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000077461e75 8 bytes [40, DB, F1, 7E, 00, 00, 00, ...] .text C:\Windows\SysWOW64\RunDll32.exe[4200] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 584 00000000774620d8 8 bytes [30, DB, F1, 7E, 00, 00, 00, ...] .text C:\Windows\SysWOW64\RunDll32.exe[4200] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00000000774abc00 8 bytes {JMP QWORD [RIP-0x4a162]} .text C:\Windows\SysWOW64\RunDll32.exe[4200] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 00000000774abd80 8 bytes {JMP QWORD [RIP-0x4a161]} .text C:\Windows\SysWOW64\RunDll32.exe[4200] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000774abdb0 8 bytes {JMP QWORD [RIP-0x4a982]} .text C:\Windows\SysWOW64\RunDll32.exe[4200] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774abed0 8 bytes {JMP QWORD [RIP-0x4a512]} .text C:\Windows\SysWOW64\RunDll32.exe[4200] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000774abf80 8 bytes {JMP QWORD [RIP-0x4a7c8]} .text C:\Windows\SysWOW64\RunDll32.exe[4200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774ac5b0 8 bytes {JMP QWORD [RIP-0x4a4de]} .text C:\Windows\SysWOW64\RunDll32.exe[4200] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000774ac800 8 bytes {JMP QWORD [RIP-0x4a991]} .text C:\Windows\SysWOW64\RunDll32.exe[4200] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774ad060 8 bytes {JMP QWORD [RIP-0x4b2d7]} .text C:\Windows\SysWOW64\RunDll32.exe[4200] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000739413cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\RunDll32.exe[4200] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007394146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Windows\SysWOW64\RunDll32.exe[4200] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000739416d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\RunDll32.exe[4200] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000739419db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\RunDll32.exe[4200] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000739419fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\RunDll32.exe[4200] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000073941a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\RunDll32.exe[4200] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076471401 2 bytes JMP 75cfb233 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\RunDll32.exe[4200] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076471419 2 bytes JMP 75cfb35e C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\RunDll32.exe[4200] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076471431 2 bytes JMP 75d79149 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\RunDll32.exe[4200] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007647144a 2 bytes CALL 75cd4885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Windows\SysWOW64\RunDll32.exe[4200] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000764714dd 2 bytes JMP 75d78a42 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\RunDll32.exe[4200] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000764714f5 2 bytes JMP 75d78c18 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\RunDll32.exe[4200] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007647150d 2 bytes JMP 75d78938 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\RunDll32.exe[4200] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076471525 2 bytes JMP 75d78d02 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\RunDll32.exe[4200] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007647153d 2 bytes JMP 75cefcc0 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\RunDll32.exe[4200] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076471555 2 bytes JMP 75cf6907 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\RunDll32.exe[4200] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007647156d 2 bytes JMP 75d79201 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\RunDll32.exe[4200] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076471585 2 bytes JMP 75d78d62 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\RunDll32.exe[4200] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007647159d 2 bytes JMP 75d788fc C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\RunDll32.exe[4200] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000764715b5 2 bytes JMP 75cefd59 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\RunDll32.exe[4200] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000764715cd 2 bytes JMP 75cfb2f4 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\RunDll32.exe[4200] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000764716b2 2 bytes JMP 75d790c4 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\RunDll32.exe[4200] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000764716bd 2 bytes JMP 75d78891 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 388 0000000077461234 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 00000000774612df 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 0000000077461434 8 bytes [A0, 2B, EF, 7E, 00, 00, 00, ...] .text C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 127 00000000774617bf 7 bytes [2B, EF, 7E, 00, 00, 00, 00] .text C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 644 00000000774619c4 8 bytes [80, 2B, EF, 7E, 00, 00, 00, ...] .text C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000077461aa4 8 bytes [70, 2B, EF, 7E, 00, 00, 00, ...] .text C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000077461c25 8 bytes [60, 2B, EF, 7E, 00, 00, 00, ...] .text C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000077461d8f 8 bytes [50, 2B, EF, 7E, 00, 00, 00, ...] .text C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000077461e75 8 bytes [40, 2B, EF, 7E, 00, 00, 00, ...] .text C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 584 00000000774620d8 8 bytes [30, 2B, EF, 7E, 00, 00, 00, ...] .text C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00000000774abc00 8 bytes {JMP QWORD [RIP-0x4a162]} .text C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 00000000774abd80 8 bytes {JMP QWORD [RIP-0x4a161]} .text C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000774abdb0 8 bytes {JMP QWORD [RIP-0x4a982]} .text C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774abed0 8 bytes {JMP QWORD [RIP-0x4a512]} .text C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000774abf80 8 bytes {JMP QWORD [RIP-0x4a7c8]} .text C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774ac5b0 8 bytes {JMP QWORD [RIP-0x4a4de]} .text C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000774ac800 8 bytes {JMP QWORD [RIP-0x4a991]} .text C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774ad060 8 bytes {JMP QWORD [RIP-0x4b2d7]} .text C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[4688] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000739413cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[4688] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007394146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[4688] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000739416d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[4688] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000739419db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[4688] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000739419fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[4688] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000073941a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\ProgramData\UvConverter\UvConverter.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 388 0000000077461234 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\ProgramData\UvConverter\UvConverter.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 00000000774612df 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\ProgramData\UvConverter\UvConverter.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 0000000077461434 8 bytes [A0, 2B, F8, 7E, 00, 00, 00, ...] .text C:\ProgramData\UvConverter\UvConverter.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 127 00000000774617bf 7 bytes [2B, F8, 7E, 00, 00, 00, 00] .text C:\ProgramData\UvConverter\UvConverter.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 644 00000000774619c4 8 bytes [80, 2B, F8, 7E, 00, 00, 00, ...] .text C:\ProgramData\UvConverter\UvConverter.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000077461aa4 8 bytes [70, 2B, F8, 7E, 00, 00, 00, ...] .text C:\ProgramData\UvConverter\UvConverter.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000077461c25 8 bytes [60, 2B, F8, 7E, 00, 00, 00, ...] .text C:\ProgramData\UvConverter\UvConverter.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000077461d8f 8 bytes [50, 2B, F8, 7E, 00, 00, 00, ...] .text C:\ProgramData\UvConverter\UvConverter.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000077461e75 8 bytes [40, 2B, F8, 7E, 00, 00, 00, ...] .text C:\ProgramData\UvConverter\UvConverter.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 584 00000000774620d8 8 bytes [30, 2B, F8, 7E, 00, 00, 00, ...] .text C:\ProgramData\UvConverter\UvConverter.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00000000774abc00 8 bytes {JMP QWORD [RIP-0x4a162]} .text C:\ProgramData\UvConverter\UvConverter.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 00000000774abd80 8 bytes {JMP QWORD [RIP-0x4a161]} .text C:\ProgramData\UvConverter\UvConverter.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000774abdb0 8 bytes {JMP QWORD [RIP-0x4a982]} .text C:\ProgramData\UvConverter\UvConverter.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774abed0 8 bytes {JMP QWORD [RIP-0x4a512]} .text C:\ProgramData\UvConverter\UvConverter.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000774abf80 8 bytes {JMP QWORD [RIP-0x4a7c8]} .text C:\ProgramData\UvConverter\UvConverter.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774ac5b0 8 bytes {JMP QWORD [RIP-0x4a4de]} .text C:\ProgramData\UvConverter\UvConverter.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000774ac800 8 bytes {JMP QWORD [RIP-0x4a991]} .text C:\ProgramData\UvConverter\UvConverter.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774ad060 8 bytes {JMP QWORD [RIP-0x4b2d7]} .text C:\ProgramData\UvConverter\UvConverter.exe[2740] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000739413cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\ProgramData\UvConverter\UvConverter.exe[2740] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007394146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\ProgramData\UvConverter\UvConverter.exe[2740] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000739416d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\ProgramData\UvConverter\UvConverter.exe[2740] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000739419db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\ProgramData\UvConverter\UvConverter.exe[2740] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000739419fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\ProgramData\UvConverter\UvConverter.exe[2740] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000073941a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\ProgramData\UvConverter\UvConverter.exe[2740] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076471401 2 bytes JMP 75cfb233 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\UvConverter\UvConverter.exe[2740] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076471419 2 bytes JMP 75cfb35e C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\UvConverter\UvConverter.exe[2740] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076471431 2 bytes JMP 75d79149 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\UvConverter\UvConverter.exe[2740] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007647144a 2 bytes CALL 75cd4885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\ProgramData\UvConverter\UvConverter.exe[2740] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000764714dd 2 bytes JMP 75d78a42 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\UvConverter\UvConverter.exe[2740] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000764714f5 2 bytes JMP 75d78c18 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\UvConverter\UvConverter.exe[2740] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007647150d 2 bytes JMP 75d78938 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\UvConverter\UvConverter.exe[2740] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076471525 2 bytes JMP 75d78d02 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\UvConverter\UvConverter.exe[2740] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007647153d 2 bytes JMP 75cefcc0 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\UvConverter\UvConverter.exe[2740] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076471555 2 bytes JMP 75cf6907 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\UvConverter\UvConverter.exe[2740] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007647156d 2 bytes JMP 75d79201 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\UvConverter\UvConverter.exe[2740] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076471585 2 bytes JMP 75d78d62 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\UvConverter\UvConverter.exe[2740] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007647159d 2 bytes JMP 75d788fc C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\UvConverter\UvConverter.exe[2740] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000764715b5 2 bytes JMP 75cefd59 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\UvConverter\UvConverter.exe[2740] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000764715cd 2 bytes JMP 75cfb2f4 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\UvConverter\UvConverter.exe[2740] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000764716b2 2 bytes JMP 75d790c4 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\UvConverter\UvConverter.exe[2740] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000764716bd 2 bytes JMP 75d78891 C:\Windows\syswow64\kernel32.dll .text C:\Users\Natalcia\Downloads\6lzgf1lk.exe[6640] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 388 0000000077461234 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Natalcia\Downloads\6lzgf1lk.exe[6640] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 00000000774612df 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Natalcia\Downloads\6lzgf1lk.exe[6640] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 0000000077461434 8 bytes [A0, AB, F7, 7E, 00, 00, 00, ...] .text C:\Users\Natalcia\Downloads\6lzgf1lk.exe[6640] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 127 00000000774617bf 7 bytes [AB, F7, 7E, 00, 00, 00, 00] .text C:\Users\Natalcia\Downloads\6lzgf1lk.exe[6640] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 644 00000000774619c4 8 bytes [80, AB, F7, 7E, 00, 00, 00, ...] .text C:\Users\Natalcia\Downloads\6lzgf1lk.exe[6640] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000077461aa4 8 bytes [70, AB, F7, 7E, 00, 00, 00, ...] .text C:\Users\Natalcia\Downloads\6lzgf1lk.exe[6640] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000077461c25 8 bytes [60, AB, F7, 7E, 00, 00, 00, ...] .text C:\Users\Natalcia\Downloads\6lzgf1lk.exe[6640] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000077461d8f 8 bytes [50, AB, F7, 7E, 00, 00, 00, ...] .text C:\Users\Natalcia\Downloads\6lzgf1lk.exe[6640] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000077461e75 8 bytes [40, AB, F7, 7E, 00, 00, 00, ...] .text C:\Users\Natalcia\Downloads\6lzgf1lk.exe[6640] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 584 00000000774620d8 8 bytes [30, AB, F7, 7E, 00, 00, 00, ...] .text C:\Users\Natalcia\Downloads\6lzgf1lk.exe[6640] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00000000774abc00 8 bytes {JMP QWORD [RIP-0x4a162]} .text C:\Users\Natalcia\Downloads\6lzgf1lk.exe[6640] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 00000000774abd80 8 bytes {JMP QWORD [RIP-0x4a161]} .text C:\Users\Natalcia\Downloads\6lzgf1lk.exe[6640] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000774abdb0 8 bytes {JMP QWORD [RIP-0x4a982]} .text C:\Users\Natalcia\Downloads\6lzgf1lk.exe[6640] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774abed0 8 bytes {JMP QWORD [RIP-0x4a512]} .text C:\Users\Natalcia\Downloads\6lzgf1lk.exe[6640] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000774abf80 8 bytes {JMP QWORD [RIP-0x4a7c8]} .text C:\Users\Natalcia\Downloads\6lzgf1lk.exe[6640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774ac5b0 8 bytes {JMP QWORD [RIP-0x4a4de]} .text C:\Users\Natalcia\Downloads\6lzgf1lk.exe[6640] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000774ac800 8 bytes {JMP QWORD [RIP-0x4a991]} .text C:\Users\Natalcia\Downloads\6lzgf1lk.exe[6640] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774ad060 8 bytes {JMP QWORD [RIP-0x4b2d7]} .text C:\Users\Natalcia\Downloads\6lzgf1lk.exe[6640] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000739413cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Natalcia\Downloads\6lzgf1lk.exe[6640] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007394146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Users\Natalcia\Downloads\6lzgf1lk.exe[6640] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000739416d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Natalcia\Downloads\6lzgf1lk.exe[6640] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000739419db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Natalcia\Downloads\6lzgf1lk.exe[6640] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000739419fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Natalcia\Downloads\6lzgf1lk.exe[6640] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000073941a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] ---- Kernel IAT/EAT - GMER 2.2 ---- IAT C:\Windows\System32\win32k.sys[ntoskrnl.exe!KeUserModeCallback] [fffff880042ef750] \SystemRoot\system32\DRIVERS\klif.sys [PAGE] ---- Threads - GMER 2.2 ---- Thread [3436:1512] 0000000072c0ea50 Thread [3436:2564] 0000000077691697 Thread [3436:1060] 00000000736bc59c Thread [3436:2188] 00000000736bc59c Thread [3436:4100] 00000000736bc59c Thread [3436:4104] 00000000736bc59c Thread [3436:4148] 00000000736bc59c Thread [3436:4152] 00000000736bc59c Thread [3436:4196] 00000000736bc59c Thread [3436:5656] 000000006a667ed5 Thread [3436:5660] 000000006a646088 Thread [3436:4240] 00000000736bc59c Thread [3436:5432] 000000006a646088 Thread [3436:5216] 0000000065f0d17c Thread [3436:2184] 0000000062ce78c3 Thread [3436:5136] 000000006a646088 Thread [3436:5148] 00000000762612e5 Thread [3436:2240] 00000000762612e5 Thread [3436:6660] 0000000077697ad8 Thread [3436:2504] 0000000077697ad8 ---- Processes - GMER 2.2 ---- Library C:\Program Files (x86)\F-Secure\Freedome\Freedome\1\FreedomeService.exe (*** suspicious ***) @ C:\Program Files (x86)\F-Secure\Freedome\Freedome\1\FreedomeService.exe [1604] 0000000000ef0000 Library C:\Program Files (x86)\F-Secure\Freedome\Freedome\1\Qt5Core.dll (*** suspicious ***) @ C:\Program Files (x86)\F-Secure\Freedome\Freedome\1\FreedomeService.exe [1604] 0000000074680000 Library C:\Program Files (x86)\F-Secure\Freedome\Freedome\1\MSVCP120.dll (*** suspicious ***) @ C:\Program Files (x86)\F-Secure\Freedome\Freedome\1\FreedomeService.exe [1604] 0000000074c90000 Library C:\Program Files (x86)\F-Secure\Freedome\Freedome\1\MSVCR120.dll (*** suspicious ***) @ C:\Program Files (x86)\F-Secure\Freedome\Freedome\1\FreedomeService.exe [1604] 0000000074ba0000 Library C:\Program Files (x86)\F-Secure\Freedome\Freedome\1\CCFIPC.dll (*** suspicious ***) @ C:\Program Files (x86)\F-Secure\Freedome\Freedome\1\FreedomeService.exe [1604] 0000000074b70000 Library C:\Program Files (x86)\F-Secure\Freedome\Freedome\1\LIBEAY32.dll (*** suspicious ***) @ C:\Program Files (x86)\F-Secure\Freedome\Freedome\1\FreedomeService.exe [1604] 0000000074550000 Library C:\Program Files (x86)\F-Secure\Freedome\Freedome\1\Qt5Network.dll (*** suspicious ***) @ C:\Program Files (x86)\F-Secure\Freedome\Freedome\1\FreedomeService.exe [1604] 0000000074470000 Library C:\Program Files (x86)\F-Secure\Freedome\Freedome\1\ssleay32.dll (*** suspicious ***) @ C:\Program Files (x86)\F-Secure\Freedome\Freedome\1\FreedomeService.exe [1604] 0000000074420000 Library C:\Program Files (x86)\F-Secure\Freedome\Freedome\1\Freedome.exe (*** suspicious ***) @ C:\Program Files (x86)\F-Secure\Freedome\Freedome\1\Freedome.exe [6052] 00000000013e0000 Library C:\Program Files (x86)\F-Secure\Freedome\Freedome\1\Qt5Core.dll (*** suspicious ***) @ C:\Program Files (x86)\F-Secure\Freedome\Freedome\1\Freedome.exe [6052] 0000000074680000 Library C:\Program Files (x86)\F-Secure\Freedome\Freedome\1\MSVCP120.dll (*** suspicious ***) @ C:\Program Files (x86)\F-Secure\Freedome\Freedome\1\Freedome.exe [6052] 0000000074c90000 Library C:\Program Files (x86)\F-Secure\Freedome\Freedome\1\MSVCR120.dll (*** suspicious ***) @ C:\Program Files (x86)\F-Secure\Freedome\Freedome\1\Freedome.exe [6052] 0000000074ba0000 Library C:\Program Files (x86)\F-Secure\Freedome\Freedome\1\CCFIPC.dll (*** suspicious ***) @ C:\Program Files (x86)\F-Secure\Freedome\Freedome\1\Freedome.exe [6052] 0000000074b70000 Library C:\Program Files (x86)\F-Secure\Freedome\Freedome\1\LIBEAY32.dll (*** suspicious ***) @ C:\Program Files (x86)\F-Secure\Freedome\Freedome\1\Freedome.exe [6052] 0000000074550000 Library C:\Program Files (x86)\F-Secure\Freedome\Freedome\1\fs_ccf_datapipeline_32s.dll (*** suspicious ***) @ C:\Program Files (x86)\F-Secure\Freedome\Freedome\1\Freedome.exe [6052] 0000000074380000 Library C:\Program Files (x86)\F-Secure\Freedome\Freedome\1\Qt5OpenGL.dll (*** suspicious ***) @ C:\Program Files (x86)\F-Secure\Freedome\Freedome\1\Freedome.exe [6052] 00000000743d0000 Library C:\Program Files (x86)\F-Secure\Freedome\Freedome\1\Qt5Widgets.dll (*** suspicious ***) @ C:\Program Files (x86)\F-Secure\Freedome\Freedome\1\Freedome.exe [6052] 000000006a100000 Library C:\Program Files (x86)\F-Secure\Freedome\Freedome\1\Qt5Gui.dll (*** suspicious ***) @ C:\Program Files (x86)\F-Secure\Freedome\Freedome\1\Freedome.exe [6052] 0000000069c50000 Library C:\Program Files (x86)\F-Secure\Freedome\Freedome\1\Qt5Quick.dll (*** suspicious ***) @ C:\Program Files (x86)\F-Secure\Freedome\Freedome\1\Freedome.exe [6052] 0000000073250000 Library C:\Program Files (x86)\F-Secure\Freedome\Freedome\1\Qt5Qml.dll (*** suspicious ***) @ C:\Program Files (x86)\F-Secure\Freedome\Freedome\1\Freedome.exe [6052] 0000000074100000 Library C:\Program Files (x86)\F-Secure\Freedome\Freedome\1\Qt5Network.dll (*** suspicious ***) @ C:\Program Files (x86)\F-Secure\Freedome\Freedome\1\Freedome.exe [6052] 0000000074470000 Library C:\Program Files (x86)\F-Secure\Freedome\Freedome\1\platforms\qwindows.dll (*** suspicious ***) @ C:\Program Files (x86)\F-Secure\Freedome\Freedome\1\Freedome.exe [6052] 0000000074000000 Library C:\Program Files (x86)\F-Secure\Freedome\Freedome\1\imageformats\qsvg.dll (*** suspicious ***) @ C:\Program Files (x86)\F-Secure\Freedome\Freedome\1\Freedome.exe [6052] 0000000073ff0000 Library C:\Program Files (x86)\F-Secure\Freedome\Freedome\1\Qt5Svg.dll (*** suspicious ***) @ C:\Program Files (x86)\F-Secure\Freedome\Freedome\1\Freedome.exe [6052] 0000000073fb0000 Library C:\Program Files (x86)\F-Secure\Freedome\Freedome\1\QtQuick.2\qtquick2plugin.dll (*** suspicious ***) @ C:\Program Files (x86)\F-Secure\Freedome\Freedome\1\Freedome.exe [6052] 0000000074b60000 Library C:\Program Files (x86)\F-Secure\Freedome\Freedome\1\QtQuick\Controls\qtquickcontrolsplugin.dll (*** suspicious ***) @ C:\Program Files (x86)\F-Secure\Freedome\Freedome\1\Freedome.exe [6052] 00000000731a0000 Library C:\Program Files (x86)\F-Secure\Freedome\Freedome\1\QtQuick\Window.2\windowplugin.dll (*** suspicious ***) @ C:\Program Files (x86)\F-Secure\Freedome\Freedome\1\Freedome.exe [6052] 0000000073fa0000 Library C:\Program Files (x86)\F-Secure\Freedome\Freedome\1\QtQuick\Layouts\qquicklayoutsplugin.dll (*** suspicious ***) @ C:\Program Files (x86)\F-Secure\Freedome\Freedome\1\Freedome.exe [6052] 0000000073f80000 Library C:\Program Files (x86)\F-Secure\Freedome\Freedome\1\libEGL.dll (*** suspicious ***) @ C:\Program Files (x86)\F-Secure\Freedome\Freedome\1\Freedome.exe [6052] 0000000073f70000 Library C:\Program Files (x86)\F-Secure\Freedome\Freedome\1\libGLESv2.dll (*** suspicious ***) @ C:\Program Files (x86)\F-Secure\Freedome\Freedome\1\Freedome.exe [6052] 0000000072e90000 Library C:\Program Files (x86)\F-Secure\Freedome\Freedome\1\d3dcompiler_47.dll (*** suspicious ***) @ C:\Program Files (x86)\F-Secure\Freedome\Freedome\1\Freedome.exe [6052] 00000000698f0000 Library C:\Program Files (x86)\F-Secure\Freedome\Freedome\1\ssleay32.dll (*** suspicious ***) @ C:\Program Files (x86)\F-Secure\Freedome\Freedome\1\Freedome.exe [6052] 0000000074420000 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\6427378b8b0d Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\6427378b8b0d@a87b39af157d 0x79 0xB5 0xA3 0x2A ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\6427378b8b0d@74458a5d7fac 0xF0 0x39 0xCE 0xD6 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\6427378b8b0d@5cb524c929b0 0xC8 0x6C 0x94 0x62 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\6427378b8b0d (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\6427378b8b0d@a87b39af157d 0x79 0xB5 0xA3 0x2A ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\6427378b8b0d@74458a5d7fac 0xF0 0x39 0xCE 0xD6 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\6427378b8b0d@5cb524c929b0 0xC8 0x6C 0x94 0x62 ... ---- EOF - GMER 2.2 ----