GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-08-15 11:31:05 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000077 ATA_____ rev.A560 931.51GB Running: gmer.exe; Driver: C:\Users\Maria\AppData\Local\Temp\kgtyifog.sys ---- User code sections - GMER 2.2 ---- .text C:\Users\Maria\AppData\Roaming\Dropbox\bin\Dropbox.exe[4660] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 388 0000000077c81234 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Maria\AppData\Roaming\Dropbox\bin\Dropbox.exe[4660] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 0000000077c812df 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Maria\AppData\Roaming\Dropbox\bin\Dropbox.exe[4660] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 0000000077c81434 8 bytes [A0, 0B, F4, 7E, 00, 00, 00, ...] .text C:\Users\Maria\AppData\Roaming\Dropbox\bin\Dropbox.exe[4660] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 127 0000000077c817bf 7 bytes [0B, F4, 7E, 00, 00, 00, 00] .text C:\Users\Maria\AppData\Roaming\Dropbox\bin\Dropbox.exe[4660] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 644 0000000077c819c4 8 bytes [80, 0B, F4, 7E, 00, 00, 00, ...] .text C:\Users\Maria\AppData\Roaming\Dropbox\bin\Dropbox.exe[4660] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000077c81aa4 8 bytes [70, 0B, F4, 7E, 00, 00, 00, ...] .text C:\Users\Maria\AppData\Roaming\Dropbox\bin\Dropbox.exe[4660] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000077c81c25 8 bytes [60, 0B, F4, 7E, 00, 00, 00, ...] .text C:\Users\Maria\AppData\Roaming\Dropbox\bin\Dropbox.exe[4660] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000077c81d8f 8 bytes [50, 0B, F4, 7E, 00, 00, 00, ...] .text C:\Users\Maria\AppData\Roaming\Dropbox\bin\Dropbox.exe[4660] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000077c81e75 8 bytes [40, 0B, F4, 7E, 00, 00, 00, ...] .text C:\Users\Maria\AppData\Roaming\Dropbox\bin\Dropbox.exe[4660] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 584 0000000077c820d8 8 bytes [30, 0B, F4, 7E, 00, 00, 00, ...] .text C:\Users\Maria\AppData\Roaming\Dropbox\bin\Dropbox.exe[4660] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077ccbc00 8 bytes {JMP QWORD [RIP-0x4a162]} .text C:\Users\Maria\AppData\Roaming\Dropbox\bin\Dropbox.exe[4660] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077ccbd80 8 bytes {JMP QWORD [RIP-0x4a161]} .text C:\Users\Maria\AppData\Roaming\Dropbox\bin\Dropbox.exe[4660] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077ccbdb0 8 bytes {JMP QWORD [RIP-0x4a982]} .text C:\Users\Maria\AppData\Roaming\Dropbox\bin\Dropbox.exe[4660] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077ccbed0 8 bytes {JMP QWORD [RIP-0x4a512]} .text C:\Users\Maria\AppData\Roaming\Dropbox\bin\Dropbox.exe[4660] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077ccbf80 8 bytes {JMP QWORD [RIP-0x4a7c8]} .text C:\Users\Maria\AppData\Roaming\Dropbox\bin\Dropbox.exe[4660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ccc5b0 8 bytes {JMP QWORD [RIP-0x4a4de]} .text C:\Users\Maria\AppData\Roaming\Dropbox\bin\Dropbox.exe[4660] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077ccc800 8 bytes {JMP QWORD [RIP-0x4a991]} .text C:\Users\Maria\AppData\Roaming\Dropbox\bin\Dropbox.exe[4660] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077ccd060 8 bytes {JMP QWORD [RIP-0x4b2d7]} .text C:\Users\Maria\AppData\Roaming\Dropbox\bin\Dropbox.exe[4660] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000743413cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Maria\AppData\Roaming\Dropbox\bin\Dropbox.exe[4660] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007434146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Users\Maria\AppData\Roaming\Dropbox\bin\Dropbox.exe[4660] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000743416d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Maria\AppData\Roaming\Dropbox\bin\Dropbox.exe[4660] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000743419db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Maria\AppData\Roaming\Dropbox\bin\Dropbox.exe[4660] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000743419fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Maria\AppData\Roaming\Dropbox\bin\Dropbox.exe[4660] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000074341a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Maria\AppData\Roaming\Dropbox\bin\Dropbox.exe[4660] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075bc1401 2 bytes JMP 75f6b263 C:\Windows\syswow64\kernel32.dll .text C:\Users\Maria\AppData\Roaming\Dropbox\bin\Dropbox.exe[4660] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075bc1419 2 bytes JMP 75f6b38e C:\Windows\syswow64\kernel32.dll .text C:\Users\Maria\AppData\Roaming\Dropbox\bin\Dropbox.exe[4660] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075bc1431 2 bytes JMP 75fe90f1 C:\Windows\syswow64\kernel32.dll .text C:\Users\Maria\AppData\Roaming\Dropbox\bin\Dropbox.exe[4660] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075bc144a 2 bytes CALL 75f448ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Users\Maria\AppData\Roaming\Dropbox\bin\Dropbox.exe[4660] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075bc14dd 2 bytes JMP 75fe89ea C:\Windows\syswow64\kernel32.dll .text C:\Users\Maria\AppData\Roaming\Dropbox\bin\Dropbox.exe[4660] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075bc14f5 2 bytes JMP 75fe8bc0 C:\Windows\syswow64\kernel32.dll .text C:\Users\Maria\AppData\Roaming\Dropbox\bin\Dropbox.exe[4660] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075bc150d 2 bytes JMP 75fe88e0 C:\Windows\syswow64\kernel32.dll .text C:\Users\Maria\AppData\Roaming\Dropbox\bin\Dropbox.exe[4660] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075bc1525 2 bytes JMP 75fe8caa C:\Windows\syswow64\kernel32.dll .text C:\Users\Maria\AppData\Roaming\Dropbox\bin\Dropbox.exe[4660] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075bc153d 2 bytes JMP 75f5fce8 C:\Windows\syswow64\kernel32.dll .text C:\Users\Maria\AppData\Roaming\Dropbox\bin\Dropbox.exe[4660] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075bc1555 2 bytes JMP 75f66937 C:\Windows\syswow64\kernel32.dll .text C:\Users\Maria\AppData\Roaming\Dropbox\bin\Dropbox.exe[4660] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075bc156d 2 bytes JMP 75fe91a9 C:\Windows\syswow64\kernel32.dll .text C:\Users\Maria\AppData\Roaming\Dropbox\bin\Dropbox.exe[4660] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075bc1585 2 bytes JMP 75fe8d0a C:\Windows\syswow64\kernel32.dll .text C:\Users\Maria\AppData\Roaming\Dropbox\bin\Dropbox.exe[4660] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075bc159d 2 bytes JMP 75fe88a4 C:\Windows\syswow64\kernel32.dll .text C:\Users\Maria\AppData\Roaming\Dropbox\bin\Dropbox.exe[4660] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075bc15b5 2 bytes JMP 75f5fd81 C:\Windows\syswow64\kernel32.dll .text C:\Users\Maria\AppData\Roaming\Dropbox\bin\Dropbox.exe[4660] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075bc15cd 2 bytes JMP 75f6b324 C:\Windows\syswow64\kernel32.dll .text C:\Users\Maria\AppData\Roaming\Dropbox\bin\Dropbox.exe[4660] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075bc16b2 2 bytes JMP 75fe906c C:\Windows\syswow64\kernel32.dll .text C:\Users\Maria\AppData\Roaming\Dropbox\bin\Dropbox.exe[4660] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075bc16bd 2 bytes JMP 75fe8839 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Cobian Backup 11\Cobian.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 388 0000000077c81234 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Cobian Backup 11\Cobian.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 0000000077c812df 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Cobian Backup 11\Cobian.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 0000000077c81434 8 bytes [A0, 3B, EA, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Cobian Backup 11\Cobian.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 127 0000000077c817bf 7 bytes [3B, EA, 7E, 00, 00, 00, 00] .text C:\Program Files (x86)\Cobian Backup 11\Cobian.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 644 0000000077c819c4 8 bytes [80, 3B, EA, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Cobian Backup 11\Cobian.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000077c81aa4 8 bytes [70, 3B, EA, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Cobian Backup 11\Cobian.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000077c81c25 8 bytes [60, 3B, EA, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Cobian Backup 11\Cobian.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000077c81d8f 8 bytes [50, 3B, EA, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Cobian Backup 11\Cobian.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000077c81e75 8 bytes [40, 3B, EA, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Cobian Backup 11\Cobian.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 584 0000000077c820d8 8 bytes [30, 3B, EA, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Cobian Backup 11\Cobian.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077ccbc00 8 bytes {JMP QWORD [RIP-0x4a162]} .text C:\Program Files (x86)\Cobian Backup 11\Cobian.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077ccbd80 8 bytes {JMP QWORD [RIP-0x4a161]} .text C:\Program Files (x86)\Cobian Backup 11\Cobian.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077ccbdb0 8 bytes {JMP QWORD [RIP-0x4a982]} .text C:\Program Files (x86)\Cobian Backup 11\Cobian.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077ccbed0 8 bytes {JMP QWORD [RIP-0x4a512]} .text C:\Program Files (x86)\Cobian Backup 11\Cobian.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077ccbf80 8 bytes {JMP QWORD [RIP-0x4a7c8]} .text C:\Program Files (x86)\Cobian Backup 11\Cobian.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ccc5b0 8 bytes {JMP QWORD [RIP-0x4a4de]} .text C:\Program Files (x86)\Cobian Backup 11\Cobian.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077ccc800 8 bytes {JMP QWORD [RIP-0x4a991]} .text C:\Program Files (x86)\Cobian Backup 11\Cobian.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077ccd060 8 bytes {JMP QWORD [RIP-0x4b2d7]} .text C:\Program Files (x86)\Cobian Backup 11\Cobian.exe[4760] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000743413cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Cobian Backup 11\Cobian.exe[4760] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007434146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Program Files (x86)\Cobian Backup 11\Cobian.exe[4760] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000743416d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Cobian Backup 11\Cobian.exe[4760] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000743419db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Cobian Backup 11\Cobian.exe[4760] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000743419fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Cobian Backup 11\Cobian.exe[4760] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000074341a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\QNAP\Qsync\Qsync.exe[4768] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 388 0000000077c81234 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\QNAP\Qsync\Qsync.exe[4768] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 0000000077c812df 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\QNAP\Qsync\Qsync.exe[4768] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 0000000077c81434 8 bytes [A0, 9B, E8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\QNAP\Qsync\Qsync.exe[4768] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 127 0000000077c817bf 7 bytes {WAIT ; CALL 0x84} .text C:\Program Files (x86)\QNAP\Qsync\Qsync.exe[4768] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 644 0000000077c819c4 8 bytes [80, 9B, E8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\QNAP\Qsync\Qsync.exe[4768] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000077c81aa4 8 bytes {JO 0xffffffffffffff9d; CALL 0x85} .text C:\Program Files (x86)\QNAP\Qsync\Qsync.exe[4768] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000077c81c25 8 bytes [60, 9B, E8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\QNAP\Qsync\Qsync.exe[4768] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000077c81d8f 8 bytes {PUSH RAX; WAIT ; CALL 0x85} .text C:\Program Files (x86)\QNAP\Qsync\Qsync.exe[4768] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000077c81e75 8 bytes {WAIT ; CALL 0x85} .text C:\Program Files (x86)\QNAP\Qsync\Qsync.exe[4768] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 584 0000000077c820d8 8 bytes [30, 9B, E8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\QNAP\Qsync\Qsync.exe[4768] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077ccbc00 8 bytes {JMP QWORD [RIP-0x4a162]} .text C:\Program Files (x86)\QNAP\Qsync\Qsync.exe[4768] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077ccbd80 8 bytes {JMP QWORD [RIP-0x4a161]} .text C:\Program Files (x86)\QNAP\Qsync\Qsync.exe[4768] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077ccbdb0 8 bytes {JMP QWORD [RIP-0x4a982]} .text C:\Program Files (x86)\QNAP\Qsync\Qsync.exe[4768] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077ccbed0 8 bytes {JMP QWORD [RIP-0x4a512]} .text C:\Program Files (x86)\QNAP\Qsync\Qsync.exe[4768] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077ccbf80 8 bytes {JMP QWORD [RIP-0x4a7c8]} .text C:\Program Files (x86)\QNAP\Qsync\Qsync.exe[4768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ccc5b0 8 bytes {JMP QWORD [RIP-0x4a4de]} .text C:\Program Files (x86)\QNAP\Qsync\Qsync.exe[4768] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077ccc800 8 bytes {JMP QWORD [RIP-0x4a991]} .text C:\Program Files (x86)\QNAP\Qsync\Qsync.exe[4768] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077ccd060 8 bytes {JMP QWORD [RIP-0x4b2d7]} .text C:\Program Files (x86)\QNAP\Qsync\Qsync.exe[4768] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000743413cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\QNAP\Qsync\Qsync.exe[4768] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007434146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Program Files (x86)\QNAP\Qsync\Qsync.exe[4768] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000743416d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\QNAP\Qsync\Qsync.exe[4768] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000743419db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\QNAP\Qsync\Qsync.exe[4768] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000743419fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\QNAP\Qsync\Qsync.exe[4768] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000074341a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Cobian Backup 11\cbInterface.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 388 0000000077c81234 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Cobian Backup 11\cbInterface.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 0000000077c812df 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Cobian Backup 11\cbInterface.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 0000000077c81434 8 bytes [A0, EB, ED, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Cobian Backup 11\cbInterface.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 127 0000000077c817bf 7 bytes {JMP 0xffffffffffffffef} .text C:\Program Files (x86)\Cobian Backup 11\cbInterface.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 644 0000000077c819c4 8 bytes [80, EB, ED, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Cobian Backup 11\cbInterface.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000077c81aa4 8 bytes [70, EB, ED, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Cobian Backup 11\cbInterface.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000077c81c25 8 bytes [60, EB, ED, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Cobian Backup 11\cbInterface.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000077c81d8f 8 bytes {PUSH RAX; JMP 0xfffffffffffffff0} .text C:\Program Files (x86)\Cobian Backup 11\cbInterface.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000077c81e75 8 bytes {JMP 0xfffffffffffffff0} .text C:\Program Files (x86)\Cobian Backup 11\cbInterface.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 584 0000000077c820d8 8 bytes [30, EB, ED, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Cobian Backup 11\cbInterface.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077ccbc00 8 bytes {JMP QWORD [RIP-0x4a162]} .text C:\Program Files (x86)\Cobian Backup 11\cbInterface.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077ccbd80 8 bytes {JMP QWORD [RIP-0x4a161]} .text C:\Program Files (x86)\Cobian Backup 11\cbInterface.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077ccbdb0 8 bytes {JMP QWORD [RIP-0x4a982]} .text C:\Program Files (x86)\Cobian Backup 11\cbInterface.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077ccbed0 8 bytes {JMP QWORD [RIP-0x4a512]} .text C:\Program Files (x86)\Cobian Backup 11\cbInterface.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077ccbf80 8 bytes {JMP QWORD [RIP-0x4a7c8]} .text C:\Program Files (x86)\Cobian Backup 11\cbInterface.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ccc5b0 8 bytes {JMP QWORD [RIP-0x4a4de]} .text C:\Program Files (x86)\Cobian Backup 11\cbInterface.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077ccc800 8 bytes {JMP QWORD [RIP-0x4a991]} .text C:\Program Files (x86)\Cobian Backup 11\cbInterface.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077ccd060 8 bytes {JMP QWORD [RIP-0x4b2d7]} .text C:\Program Files (x86)\Cobian Backup 11\cbInterface.exe[4884] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000743413cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Cobian Backup 11\cbInterface.exe[4884] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007434146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Program Files (x86)\Cobian Backup 11\cbInterface.exe[4884] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000743416d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Cobian Backup 11\cbInterface.exe[4884] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000743419db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Cobian Backup 11\cbInterface.exe[4884] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000743419fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Cobian Backup 11\cbInterface.exe[4884] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000074341a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 388 0000000077c81234 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 0000000077c812df 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 0000000077c81434 8 bytes [A0, 0B, F1, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 127 0000000077c817bf 7 bytes [0B, F1, 7E, 00, 00, 00, 00] .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 644 0000000077c819c4 8 bytes [80, 0B, F1, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000077c81aa4 8 bytes [70, 0B, F1, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000077c81c25 8 bytes [60, 0B, F1, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000077c81d8f 8 bytes [50, 0B, F1, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000077c81e75 8 bytes [40, 0B, F1, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 584 0000000077c820d8 8 bytes [30, 0B, F1, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077ccbc00 8 bytes {JMP QWORD [RIP-0x4a162]} .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077ccbd80 8 bytes {JMP QWORD [RIP-0x4a161]} .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077ccbdb0 8 bytes {JMP QWORD [RIP-0x4a982]} .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077ccbed0 8 bytes {JMP QWORD [RIP-0x4a512]} .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077ccbf80 8 bytes {JMP QWORD [RIP-0x4a7c8]} .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ccc5b0 8 bytes {JMP QWORD [RIP-0x4a4de]} .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077ccc800 8 bytes {JMP QWORD [RIP-0x4a991]} .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077ccd060 8 bytes {JMP QWORD [RIP-0x4b2d7]} .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[2556] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000743413cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[2556] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007434146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[2556] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000743416d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[2556] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000743419db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[2556] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000743419fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[2556] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000074341a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[2556] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075bc1401 2 bytes JMP 75f6b263 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[2556] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075bc1419 2 bytes JMP 75f6b38e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[2556] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075bc1431 2 bytes JMP 75fe90f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[2556] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075bc144a 2 bytes CALL 75f448ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[2556] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075bc14dd 2 bytes JMP 75fe89ea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[2556] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075bc14f5 2 bytes JMP 75fe8bc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[2556] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075bc150d 2 bytes JMP 75fe88e0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[2556] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075bc1525 2 bytes JMP 75fe8caa C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[2556] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075bc153d 2 bytes JMP 75f5fce8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[2556] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075bc1555 2 bytes JMP 75f66937 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[2556] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075bc156d 2 bytes JMP 75fe91a9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[2556] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075bc1585 2 bytes JMP 75fe8d0a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[2556] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075bc159d 2 bytes JMP 75fe88a4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[2556] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075bc15b5 2 bytes JMP 75f5fd81 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[2556] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075bc15cd 2 bytes JMP 75f6b324 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[2556] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075bc16b2 2 bytes JMP 75fe906c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[2556] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075bc16bd 2 bytes JMP 75fe8839 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[5536] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 388 0000000077c81234 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[5536] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 0000000077c812df 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[5536] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 0000000077c81434 8 bytes [A0, 1B, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[5536] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 127 0000000077c817bf 7 bytes [1B, F8, 7E, 00, 00, 00, 00] .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[5536] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 644 0000000077c819c4 8 bytes [80, 1B, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[5536] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000077c81aa4 8 bytes [70, 1B, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[5536] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000077c81c25 8 bytes [60, 1B, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[5536] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000077c81d8f 8 bytes [50, 1B, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[5536] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000077c81e75 8 bytes [40, 1B, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[5536] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 584 0000000077c820d8 8 bytes [30, 1B, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[5536] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077ccbc00 8 bytes {JMP QWORD [RIP-0x4a162]} .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[5536] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077ccbd80 8 bytes {JMP QWORD [RIP-0x4a161]} .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[5536] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077ccbdb0 8 bytes {JMP QWORD [RIP-0x4a982]} .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[5536] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077ccbed0 8 bytes {JMP QWORD [RIP-0x4a512]} .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[5536] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077ccbf80 8 bytes {JMP QWORD [RIP-0x4a7c8]} .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[5536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ccc5b0 8 bytes {JMP QWORD [RIP-0x4a4de]} .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[5536] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077ccc800 8 bytes {JMP QWORD [RIP-0x4a991]} .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[5536] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077ccd060 8 bytes {JMP QWORD [RIP-0x4b2d7]} .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[5536] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000743413cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[5536] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007434146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[5536] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000743416d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[5536] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000743419db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[5536] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000743419fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[5536] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000074341a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4616] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 388 0000000077c81234 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4616] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 0000000077c812df 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4616] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 0000000077c81434 8 bytes [A0, CB, F0, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4616] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 127 0000000077c817bf 7 bytes [CB, F0, 7E, 00, 00, 00, 00] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4616] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 644 0000000077c819c4 8 bytes [80, CB, F0, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4616] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000077c81aa4 8 bytes [70, CB, F0, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4616] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000077c81c25 8 bytes [60, CB, F0, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4616] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000077c81d8f 8 bytes [50, CB, F0, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4616] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000077c81e75 8 bytes [40, CB, F0, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4616] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 584 0000000077c820d8 8 bytes [30, CB, F0, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4616] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077ccbc00 8 bytes {JMP QWORD [RIP-0x4a162]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4616] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077ccbd80 8 bytes {JMP QWORD [RIP-0x4a161]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4616] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077ccbdb0 8 bytes {JMP QWORD [RIP-0x4a982]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4616] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077ccbed0 8 bytes {JMP QWORD [RIP-0x4a512]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4616] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077ccbf80 8 bytes {JMP QWORD [RIP-0x4a7c8]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ccc5b0 8 bytes {JMP QWORD [RIP-0x4a4de]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4616] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077ccc800 8 bytes {JMP QWORD [RIP-0x4a991]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4616] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077ccd060 8 bytes {JMP QWORD [RIP-0x4b2d7]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4616] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000743413cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4616] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007434146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4616] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000743416d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4616] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000743419db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4616] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000743419fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4616] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000074341a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[184] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 388 0000000077c81234 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[184] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 0000000077c812df 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[184] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 0000000077c81434 8 bytes [A0, CB, ED, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[184] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 127 0000000077c817bf 7 bytes [CB, ED, 7E, 00, 00, 00, 00] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[184] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 644 0000000077c819c4 8 bytes [80, CB, ED, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[184] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000077c81aa4 8 bytes [70, CB, ED, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[184] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000077c81c25 8 bytes [60, CB, ED, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[184] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000077c81d8f 8 bytes [50, CB, ED, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[184] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000077c81e75 8 bytes [40, CB, ED, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[184] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 584 0000000077c820d8 8 bytes [30, CB, ED, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[184] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077ccbc00 8 bytes {JMP QWORD [RIP-0x4a162]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[184] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077ccbd80 8 bytes {JMP QWORD [RIP-0x4a161]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[184] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077ccbdb0 8 bytes {JMP QWORD [RIP-0x4a982]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[184] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077ccbed0 8 bytes {JMP QWORD [RIP-0x4a512]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[184] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077ccbf80 8 bytes {JMP QWORD [RIP-0x4a7c8]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ccc5b0 8 bytes {JMP QWORD [RIP-0x4a4de]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[184] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077ccc800 8 bytes {JMP QWORD [RIP-0x4a991]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[184] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077ccd060 8 bytes {JMP QWORD [RIP-0x4b2d7]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[184] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000743413cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[184] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007434146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[184] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000743416d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[184] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000743419db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[184] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000743419fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[184] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000074341a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Maria\AppData\Local\Dropbox\Update\DropboxUpdate.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 388 0000000077c81234 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Maria\AppData\Local\Dropbox\Update\DropboxUpdate.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 0000000077c812df 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Maria\AppData\Local\Dropbox\Update\DropboxUpdate.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 0000000077c81434 8 bytes [A0, 9B, F5, 7E, 00, 00, 00, ...] .text C:\Users\Maria\AppData\Local\Dropbox\Update\DropboxUpdate.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 127 0000000077c817bf 7 bytes [9B, F5, 7E, 00, 00, 00, 00] .text C:\Users\Maria\AppData\Local\Dropbox\Update\DropboxUpdate.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 644 0000000077c819c4 8 bytes [80, 9B, F5, 7E, 00, 00, 00, ...] .text C:\Users\Maria\AppData\Local\Dropbox\Update\DropboxUpdate.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000077c81aa4 8 bytes [70, 9B, F5, 7E, 00, 00, 00, ...] .text C:\Users\Maria\AppData\Local\Dropbox\Update\DropboxUpdate.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000077c81c25 8 bytes [60, 9B, F5, 7E, 00, 00, 00, ...] .text C:\Users\Maria\AppData\Local\Dropbox\Update\DropboxUpdate.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000077c81d8f 8 bytes [50, 9B, F5, 7E, 00, 00, 00, ...] .text C:\Users\Maria\AppData\Local\Dropbox\Update\DropboxUpdate.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000077c81e75 8 bytes [40, 9B, F5, 7E, 00, 00, 00, ...] .text C:\Users\Maria\AppData\Local\Dropbox\Update\DropboxUpdate.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 584 0000000077c820d8 8 bytes [30, 9B, F5, 7E, 00, 00, 00, ...] .text C:\Users\Maria\AppData\Local\Dropbox\Update\DropboxUpdate.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077ccbc00 8 bytes {JMP QWORD [RIP-0x4a162]} .text C:\Users\Maria\AppData\Local\Dropbox\Update\DropboxUpdate.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077ccbd80 8 bytes {JMP QWORD [RIP-0x4a161]} .text C:\Users\Maria\AppData\Local\Dropbox\Update\DropboxUpdate.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077ccbdb0 8 bytes {JMP QWORD [RIP-0x4a982]} .text C:\Users\Maria\AppData\Local\Dropbox\Update\DropboxUpdate.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077ccbed0 8 bytes {JMP QWORD [RIP-0x4a512]} .text C:\Users\Maria\AppData\Local\Dropbox\Update\DropboxUpdate.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077ccbf80 8 bytes {JMP QWORD [RIP-0x4a7c8]} .text C:\Users\Maria\AppData\Local\Dropbox\Update\DropboxUpdate.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ccc5b0 8 bytes {JMP QWORD [RIP-0x4a4de]} .text C:\Users\Maria\AppData\Local\Dropbox\Update\DropboxUpdate.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077ccc800 8 bytes {JMP QWORD [RIP-0x4a991]} .text C:\Users\Maria\AppData\Local\Dropbox\Update\DropboxUpdate.exe[5336] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077ccd060 8 bytes {JMP QWORD [RIP-0x4b2d7]} .text C:\Users\Maria\AppData\Local\Dropbox\Update\DropboxUpdate.exe[5336] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000743413cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Maria\AppData\Local\Dropbox\Update\DropboxUpdate.exe[5336] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007434146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Users\Maria\AppData\Local\Dropbox\Update\DropboxUpdate.exe[5336] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000743416d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Maria\AppData\Local\Dropbox\Update\DropboxUpdate.exe[5336] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000743419db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Maria\AppData\Local\Dropbox\Update\DropboxUpdate.exe[5336] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000743419fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Maria\AppData\Local\Dropbox\Update\DropboxUpdate.exe[5336] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000074341a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Maria\Desktop\serwis\tools\gmer.exe[212] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 388 0000000077c81234 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Maria\Desktop\serwis\tools\gmer.exe[212] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 0000000077c812df 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Maria\Desktop\serwis\tools\gmer.exe[212] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 0000000077c81434 8 bytes [A0, 9B, EA, 7E, 00, 00, 00, ...] .text C:\Users\Maria\Desktop\serwis\tools\gmer.exe[212] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 127 0000000077c817bf 7 bytes [9B, EA, 7E, 00, 00, 00, 00] .text C:\Users\Maria\Desktop\serwis\tools\gmer.exe[212] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 644 0000000077c819c4 8 bytes [80, 9B, EA, 7E, 00, 00, 00, ...] .text C:\Users\Maria\Desktop\serwis\tools\gmer.exe[212] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000077c81aa4 8 bytes [70, 9B, EA, 7E, 00, 00, 00, ...] .text C:\Users\Maria\Desktop\serwis\tools\gmer.exe[212] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000077c81c25 8 bytes [60, 9B, EA, 7E, 00, 00, 00, ...] .text C:\Users\Maria\Desktop\serwis\tools\gmer.exe[212] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000077c81d8f 8 bytes [50, 9B, EA, 7E, 00, 00, 00, ...] .text C:\Users\Maria\Desktop\serwis\tools\gmer.exe[212] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000077c81e75 8 bytes [40, 9B, EA, 7E, 00, 00, 00, ...] .text C:\Users\Maria\Desktop\serwis\tools\gmer.exe[212] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 584 0000000077c820d8 8 bytes [30, 9B, EA, 7E, 00, 00, 00, ...] .text C:\Users\Maria\Desktop\serwis\tools\gmer.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077ccbc00 8 bytes {JMP QWORD [RIP-0x4a162]} .text C:\Users\Maria\Desktop\serwis\tools\gmer.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077ccbd80 8 bytes {JMP QWORD [RIP-0x4a161]} .text C:\Users\Maria\Desktop\serwis\tools\gmer.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077ccbdb0 8 bytes {JMP QWORD [RIP-0x4a982]} .text C:\Users\Maria\Desktop\serwis\tools\gmer.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077ccbed0 8 bytes {JMP QWORD [RIP-0x4a512]} .text C:\Users\Maria\Desktop\serwis\tools\gmer.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077ccbf80 8 bytes {JMP QWORD [RIP-0x4a7c8]} .text C:\Users\Maria\Desktop\serwis\tools\gmer.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ccc5b0 8 bytes {JMP QWORD [RIP-0x4a4de]} .text C:\Users\Maria\Desktop\serwis\tools\gmer.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077ccc800 8 bytes {JMP QWORD [RIP-0x4a991]} .text C:\Users\Maria\Desktop\serwis\tools\gmer.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077ccd060 8 bytes {JMP QWORD [RIP-0x4b2d7]} .text C:\Users\Maria\Desktop\serwis\tools\gmer.exe[212] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000743413cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Maria\Desktop\serwis\tools\gmer.exe[212] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007434146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Users\Maria\Desktop\serwis\tools\gmer.exe[212] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000743416d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Maria\Desktop\serwis\tools\gmer.exe[212] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000743419db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Maria\Desktop\serwis\tools\gmer.exe[212] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000743419fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Maria\Desktop\serwis\tools\gmer.exe[212] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000074341a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] ---- Kernel IAT/EAT - GMER 2.2 ---- IAT C:\Windows\System32\win32k.sys[ntoskrnl.exe!KeUserModeCallback] [fffff880044fead8] \SystemRoot\system32\DRIVERS\klif.sys [PAGE] ---- User IAT/EAT - GMER 2.2 ---- IAT C:\Windows\system32\AUDIODG.EXE[4304] @ C:\Windows\system32\AUDIODG.EXE[ntdll.dll!NtClose] [77e30010] IAT C:\Windows\system32\AUDIODG.EXE[4304] @ C:\Windows\system32\AUDIODG.EXE[ntdll.dll!NtAlpcSendWaitReceivePort] [77e30000] IAT C:\Windows\system32\AUDIODG.EXE[4304] @ C:\Windows\System32\kernel32.dll[ntdll.dll!NtClose] [77e30010] IAT C:\Windows\system32\AUDIODG.EXE[4304] @ C:\Windows\System32\KERNELBASE.dll[ntdll.dll!NtClose] [77e30010] IAT C:\Windows\system32\AUDIODG.EXE[4304] @ C:\Windows\System32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [77e30000] IAT C:\Windows\system32\AUDIODG.EXE[4304] @ C:\Windows\System32\RPCRT4.dll[ntdll.dll!NtClose] [77e30010] IAT C:\Windows\system32\AUDIODG.EXE[4304] @ C:\Windows\System32\USER32.dll[ntdll.dll!NtClose] [77e30010] IAT C:\Windows\system32\AUDIODG.EXE[4304] @ C:\Windows\System32\GDI32.dll[ntdll.dll!NtClose] [77e30010] IAT C:\Windows\system32\AUDIODG.EXE[4304] @ C:\Windows\System32\ole32.dll[ntdll.dll!NtClose] [77e30010] IAT C:\Windows\system32\AUDIODG.EXE[4304] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [77e30000] IAT C:\Windows\system32\AUDIODG.EXE[4304] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtClose] [77e30010] IAT C:\Windows\system32\AUDIODG.EXE[4304] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtClose] [77e30010] IAT C:\Windows\system32\AUDIODG.EXE[4304] @ C:\Windows\system32\CRYPTBASE.dll[ntdll.dll!NtClose] [77e30010] IAT C:\Windows\system32\AUDIODG.EXE[4304] @ C:\Windows\system32\RpcRtRemote.dll[ntdll.dll!NtClose] [77e30010] IAT C:\Windows\system32\AUDIODG.EXE[4304] @ C:\Windows\system32\ntmarta.dll[ntdll.dll!NtClose] [77e30010] IAT C:\Windows\system32\AUDIODG.EXE[4304] @ C:\Windows\system32\CRYPTSP.dll[ntdll.dll!NtClose] [77e30010] IAT C:\Windows\system32\AUDIODG.EXE[4304] @ C:\Windows\system32\rsaenh.dll[ntdll.dll!NtClose] [77e30010] IAT C:\Windows\system32\AUDIODG.EXE[4304] @ C:\Windows\System32\audioses.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [77e30000] IAT C:\Windows\system32\AUDIODG.EXE[4304] @ C:\Windows\System32\AVRT.dll[ntdll.dll!NtClose] [77e30010] IAT C:\Windows\system32\AUDIODG.EXE[4304] @ C:\Windows\System32\AVRT.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [77e30000] IAT C:\Windows\system32\AUDIODG.EXE[4304] @ C:\Windows\system32\SETUPAPI.dll[ntdll.dll!NtClose] [77e30010] IAT C:\Windows\system32\AUDIODG.EXE[4304] @ C:\Windows\System32\CRYPT32.dll[ntdll.dll!NtClose] [77e30010] IAT C:\Windows\system32\AUDIODG.EXE[4304] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtClose] [77e30010] ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{CC3AC338-64C8-4147-BF8A-E65DDBFD2AF7}\Connection@Name isatap.{89D2060A-4030-42C6-964B-0CA8FAE224C6} Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Bind \Device\{53835286-F870-4E83-8A7C-B93DD73B1E06}?\Device\{23EE97F7-CC9F-40ED-A698-F8B3E5292FA5}?\Device\{85744E75-C925-42FD-98CA-97FF54255C65}?\Device\{CC3AC338-64C8-4147-BF8A-E65DDBFD2AF7}?\Device\{EBEBC09C-A2AA-427A-9A64-73619D1C6909}? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Route "{53835286-F870-4E83-8A7C-B93DD73B1E06}"?"{23EE97F7-CC9F-40ED-A698-F8B3E5292FA5}"?"{85744E75-C925-42FD-98CA-97FF54255C65}"?"{CC3AC338-64C8-4147-BF8A-E65DDBFD2AF7}"?"{EBEBC09C-A2AA-427A-9A64-73619D1C6909}"? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Export \Device\TCPIP6TUNNEL_{53835286-F870-4E83-8A7C-B93DD73B1E06}?\Device\TCPIP6TUNNEL_{23EE97F7-CC9F-40ED-A698-F8B3E5292FA5}?\Device\TCPIP6TUNNEL_{85744E75-C925-42FD-98CA-97FF54255C65}?\Device\TCPIP6TUNNEL_{CC3AC338-64C8-4147-BF8A-E65DDBFD2AF7}?\Device\TCPIP6TUNNEL_{EBEBC09C-A2AA-427A-9A64-73619D1C6909}? Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\88532eb43eca Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\88532eb43eca@b8d9ce9b3645 0x83 0xD6 0xD0 0xF9 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\88532eb43eca@bcf5ac62f7dc 0xB2 0xEE 0x20 0x2A ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\88532eb43eca@14a36400fcaf 0x51 0xB5 0x01 0x40 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\88532eb43eca@b869c2cb363f 0x95 0x12 0xCE 0xF6 ... Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{CC3AC338-64C8-4147-BF8A-E65DDBFD2AF7}@InterfaceName isatap.{89D2060A-4030-42C6-964B-0CA8FAE224C6} Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{CC3AC338-64C8-4147-BF8A-E65DDBFD2AF7}@ReusableType 0 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\88532eb43eca (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\88532eb43eca@b8d9ce9b3645 0x83 0xD6 0xD0 0xF9 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\88532eb43eca@bcf5ac62f7dc 0xB2 0xEE 0x20 0x2A ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\88532eb43eca@14a36400fcaf 0x51 0xB5 0x01 0x40 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\88532eb43eca@b869c2cb363f 0x95 0x12 0xCE 0xF6 ... ---- EOF - GMER 2.2 ----