GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2017-04-24 16:54:28
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1 OCZ-SOLID3 rev.2.15 111,79GB
Running: td4zu4t1.exe; Driver: C:\Users\BM\AppData\Local\Temp\ugdcyaoc.sys

---- Kernel code sections - GMER 2.2 ----

.text C:\Windows\System32\win32k.sys!EngSetLastError + 608 fffff960000e5d90 8 bytes [5C, 02, 05, 04, 80, F8, FF, ...]
.text C:\Windows\System32\win32k.sys!W32pServiceTable fffff96000115a00 7 bytes [00, 58, F3, FF, 01, 66, F0]
.text C:\Windows\System32\win32k.sys!W32pServiceTable + 8 fffff96000115a08 3 bytes [C0, 06, 02]

---- User code sections - GMER 2.2 ----

.text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[1212] C:\Windows\SysWOW64\ntdll.dll!DbgBreakPoint 0000000077d0000c 1 byte [C3]
.text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[1212] C:\Windows\SysWOW64\ntdll.dll!DbgUiRemoteBreakin 0000000077d8f1da 5 bytes JMP 0000000077d48e27
.text C:\Program Files\AVAST Software\Avast\AvastUI.exe[1688] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000771e8769 8 bytes [31, C0, C2, 04, 00, 90, 90, ...]
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[2216] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077401401 2 bytes JMP 7720b233 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[2216] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077401419 2 bytes JMP 7720b35e C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[2216] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077401431 2 bytes JMP 77289149 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[2216] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007740144a 2 bytes CALL 771e4885 C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[2216] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000774014dd 2 bytes JMP 77288a42 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[2216] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000774014f5 2 bytes JMP 77288c18 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[2216] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007740150d 2 bytes JMP 77288938 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[2216] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077401525 2 bytes JMP 77288d02 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[2216] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007740153d 2 bytes JMP 771ffcc0 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[2216] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077401555 2 bytes JMP 77206907 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[2216] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007740156d 2 bytes JMP 77289201 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[2216] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077401585 2 bytes JMP 77288d62 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[2216] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007740159d 2 bytes JMP 772888fc C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[2216] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000774015b5 2 bytes JMP 771ffd59 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[2216] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000774015cd 2 bytes JMP 7720b2f4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[2216] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000774016b2 2 bytes JMP 772890c4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[2216] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000774016bd 2 bytes JMP 77288891 C:\Windows\syswow64\kernel32.dll
.text C:\Users\BM\AppData\Roaming\Dropbox\bin\Dropbox.exe[2332] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077401401 2 bytes JMP 7720b233 C:\Windows\syswow64\kernel32.dll
.text C:\Users\BM\AppData\Roaming\Dropbox\bin\Dropbox.exe[2332] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077401419 2 bytes JMP 7720b35e C:\Windows\syswow64\kernel32.dll
.text C:\Users\BM\AppData\Roaming\Dropbox\bin\Dropbox.exe[2332] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077401431 2 bytes JMP 77289149 C:\Windows\syswow64\kernel32.dll
.text C:\Users\BM\AppData\Roaming\Dropbox\bin\Dropbox.exe[2332] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007740144a 2 bytes CALL 771e4885 C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Users\BM\AppData\Roaming\Dropbox\bin\Dropbox.exe[2332] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000774014dd 2 bytes JMP 77288a42 C:\Windows\syswow64\kernel32.dll
.text C:\Users\BM\AppData\Roaming\Dropbox\bin\Dropbox.exe[2332] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000774014f5 2 bytes JMP 77288c18 C:\Windows\syswow64\kernel32.dll
.text C:\Users\BM\AppData\Roaming\Dropbox\bin\Dropbox.exe[2332] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007740150d 2 bytes JMP 77288938 C:\Windows\syswow64\kernel32.dll
.text C:\Users\BM\AppData\Roaming\Dropbox\bin\Dropbox.exe[2332] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077401525 2 bytes JMP 77288d02 C:\Windows\syswow64\kernel32.dll
.text C:\Users\BM\AppData\Roaming\Dropbox\bin\Dropbox.exe[2332] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007740153d 2 bytes JMP 771ffcc0 C:\Windows\syswow64\kernel32.dll
.text C:\Users\BM\AppData\Roaming\Dropbox\bin\Dropbox.exe[2332] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077401555 2 bytes JMP 77206907 C:\Windows\syswow64\kernel32.dll
.text C:\Users\BM\AppData\Roaming\Dropbox\bin\Dropbox.exe[2332] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007740156d 2 bytes JMP 77289201 C:\Windows\syswow64\kernel32.dll
.text C:\Users\BM\AppData\Roaming\Dropbox\bin\Dropbox.exe[2332] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077401585 2 bytes JMP 77288d62 C:\Windows\syswow64\kernel32.dll
.text C:\Users\BM\AppData\Roaming\Dropbox\bin\Dropbox.exe[2332] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007740159d 2 bytes JMP 772888fc C:\Windows\syswow64\kernel32.dll
.text C:\Users\BM\AppData\Roaming\Dropbox\bin\Dropbox.exe[2332] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000774015b5 2 bytes JMP 771ffd59 C:\Windows\syswow64\kernel32.dll
.text C:\Users\BM\AppData\Roaming\Dropbox\bin\Dropbox.exe[2332] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000774015cd 2 bytes JMP 7720b2f4 C:\Windows\syswow64\kernel32.dll
.text C:\Users\BM\AppData\Roaming\Dropbox\bin\Dropbox.exe[2332] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000774016b2 2 bytes JMP 772890c4 C:\Windows\syswow64\kernel32.dll
.text C:\Users\BM\AppData\Roaming\Dropbox\bin\Dropbox.exe[2332] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000774016bd 2 bytes JMP 77288891 C:\Windows\syswow64\kernel32.dll
? C:\Windows\system32\mssprxy.dll [2556] entry point in ".rdata" section 00000000709971e6
.text C:\Program Files (x86)\MonitorSoftware\jre\bin\javaw.exe[2584] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077401401 2 bytes JMP 7720b233 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MonitorSoftware\jre\bin\javaw.exe[2584] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077401419 2 bytes JMP 7720b35e C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MonitorSoftware\jre\bin\javaw.exe[2584] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077401431 2 bytes JMP 77289149 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MonitorSoftware\jre\bin\javaw.exe[2584] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007740144a 2 bytes CALL 771e4885 C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\MonitorSoftware\jre\bin\javaw.exe[2584] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000774014dd 2 bytes JMP 77288a42 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MonitorSoftware\jre\bin\javaw.exe[2584] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000774014f5 2 bytes JMP 77288c18 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MonitorSoftware\jre\bin\javaw.exe[2584] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007740150d 2 bytes JMP 77288938 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MonitorSoftware\jre\bin\javaw.exe[2584] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077401525 2 bytes JMP 77288d02 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MonitorSoftware\jre\bin\javaw.exe[2584] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007740153d 2 bytes JMP 771ffcc0 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MonitorSoftware\jre\bin\javaw.exe[2584] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077401555 2 bytes JMP 77206907 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MonitorSoftware\jre\bin\javaw.exe[2584] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007740156d 2 bytes JMP 77289201 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MonitorSoftware\jre\bin\javaw.exe[2584] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077401585 2 bytes JMP 77288d62 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MonitorSoftware\jre\bin\javaw.exe[2584] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007740159d 2 bytes JMP 772888fc C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MonitorSoftware\jre\bin\javaw.exe[2584] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000774015b5 2 bytes JMP 771ffd59 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MonitorSoftware\jre\bin\javaw.exe[2584] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000774015cd 2 bytes JMP 7720b2f4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MonitorSoftware\jre\bin\javaw.exe[2584] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000774016b2 2 bytes JMP 772890c4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MonitorSoftware\jre\bin\javaw.exe[2584] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000774016bd 2 bytes JMP 77288891 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[2376] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077401401 2 bytes JMP 7720b233 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[2376] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077401419 2 bytes JMP 7720b35e C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[2376] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077401431 2 bytes JMP 77289149 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[2376] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007740144a 2 bytes CALL 771e4885 C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[2376] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000774014dd 2 bytes JMP 77288a42 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[2376] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000774014f5 2 bytes JMP 77288c18 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[2376] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007740150d 2 bytes JMP 77288938 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[2376] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077401525 2 bytes JMP 77288d02 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[2376] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007740153d 2 bytes JMP 771ffcc0 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[2376] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077401555 2 bytes JMP 77206907 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[2376] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007740156d 2 bytes JMP 77289201 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[2376] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077401585 2 bytes JMP 77288d62 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[2376] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007740159d 2 bytes JMP 772888fc C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[2376] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000774015b5 2 bytes JMP 771ffd59 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[2376] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000774015cd 2 bytes JMP 7720b2f4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[2376] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000774016b2 2 bytes JMP 772890c4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[2376] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000774016bd 2 bytes JMP 77288891 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MonitorSoftware\jre\bin\javaw.exe[3088] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077401401 2 bytes JMP 7720b233 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MonitorSoftware\jre\bin\javaw.exe[3088] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077401419 2 bytes JMP 7720b35e C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MonitorSoftware\jre\bin\javaw.exe[3088] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077401431 2 bytes JMP 77289149 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MonitorSoftware\jre\bin\javaw.exe[3088] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007740144a 2 bytes CALL 771e4885 C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\MonitorSoftware\jre\bin\javaw.exe[3088] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000774014dd 2 bytes JMP 77288a42 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MonitorSoftware\jre\bin\javaw.exe[3088] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000774014f5 2 bytes JMP 77288c18 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MonitorSoftware\jre\bin\javaw.exe[3088] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007740150d 2 bytes JMP 77288938 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MonitorSoftware\jre\bin\javaw.exe[3088] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077401525 2 bytes JMP 77288d02 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MonitorSoftware\jre\bin\javaw.exe[3088] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007740153d 2 bytes JMP 771ffcc0 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MonitorSoftware\jre\bin\javaw.exe[3088] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077401555 2 bytes JMP 77206907 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MonitorSoftware\jre\bin\javaw.exe[3088] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007740156d 2 bytes JMP 77289201 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MonitorSoftware\jre\bin\javaw.exe[3088] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077401585 2 bytes JMP 77288d62 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MonitorSoftware\jre\bin\javaw.exe[3088] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007740159d 2 bytes JMP 772888fc C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MonitorSoftware\jre\bin\javaw.exe[3088] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000774015b5 2 bytes JMP 771ffd59 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MonitorSoftware\jre\bin\javaw.exe[3088] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000774015cd 2 bytes JMP 7720b2f4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MonitorSoftware\jre\bin\javaw.exe[3088] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000774016b2 2 bytes JMP 772890c4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MonitorSoftware\jre\bin\javaw.exe[3088] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000774016bd 2 bytes JMP 77288891 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MonitorSoftware\jre\bin\javaw.exe[4236] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077401401 2 bytes JMP 7720b233 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MonitorSoftware\jre\bin\javaw.exe[4236] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077401419 2 bytes JMP 7720b35e C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MonitorSoftware\jre\bin\javaw.exe[4236] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077401431 2 bytes JMP 77289149 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MonitorSoftware\jre\bin\javaw.exe[4236] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007740144a 2 bytes CALL 771e4885 C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\MonitorSoftware\jre\bin\javaw.exe[4236] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000774014dd 2 bytes JMP 77288a42 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MonitorSoftware\jre\bin\javaw.exe[4236] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000774014f5 2 bytes JMP 77288c18 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MonitorSoftware\jre\bin\javaw.exe[4236] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007740150d 2 bytes JMP 77288938 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MonitorSoftware\jre\bin\javaw.exe[4236] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077401525 2 bytes JMP 77288d02 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MonitorSoftware\jre\bin\javaw.exe[4236] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007740153d 2 bytes JMP 771ffcc0 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MonitorSoftware\jre\bin\javaw.exe[4236] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077401555 2 bytes JMP 77206907 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MonitorSoftware\jre\bin\javaw.exe[4236] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007740156d 2 bytes JMP 77289201 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MonitorSoftware\jre\bin\javaw.exe[4236] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077401585 2 bytes JMP 77288d62 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MonitorSoftware\jre\bin\javaw.exe[4236] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007740159d 2 bytes JMP 772888fc C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MonitorSoftware\jre\bin\javaw.exe[4236] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000774015b5 2 bytes JMP 771ffd59 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MonitorSoftware\jre\bin\javaw.exe[4236] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000774015cd 2 bytes JMP 7720b2f4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MonitorSoftware\jre\bin\javaw.exe[4236] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000774016b2 2 bytes JMP 772890c4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MonitorSoftware\jre\bin\javaw.exe[4236] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000774016bd 2 bytes JMP 77288891 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\System32\svchost.exe[6012] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000077b34170 5 bytes JMP 00000000000205f0
.text C:\Windows\System32\svchost.exe[6012] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077b5bec0 5 bytes JMP 0000000000020678
.text C:\Windows\System32\svchost.exe[6012] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077b5bfb0 5 bytes JMP 00000000000200a0
.text C:\Windows\System32\svchost.exe[6012] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b5c0d0 5 bytes JMP 0000000000020018
.text C:\Windows\System32\svchost.exe[6012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b5c130 5 bytes JMP 00000000000203d0
.text C:\Windows\System32\svchost.exe[6012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b5c1b0 5 bytes JMP 00000000000201b0
.text C:\Windows\System32\svchost.exe[6012] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077b5c250 5 bytes JMP 0000000000020128
.text C:\Windows\System32\svchost.exe[6012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b5c700 5 bytes JMP 0000000000020238
.text C:\Windows\System32\svchost.exe[6012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b5c790 5 bytes JMP 00000000000202c0
.text C:\Windows\System32\svchost.exe[6012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077b5c800 5 bytes JMP 0000000000020348
.text C:\Windows\System32\svchost.exe[6012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b5ccc0 5 bytes JMP 0000000000020458
.text C:\Windows\System32\svchost.exe[6012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b5cd10 5 bytes JMP 00000000000204e0
.text C:\Windows\System32\svchost.exe[6012] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077bb26a0 5 bytes JMP 0000000000020568
.text C:\Program Files\Gramblr\gramblr.exe[708] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000077b34170 5 bytes JMP 00000000000205f0
.text C:\Program Files\Gramblr\gramblr.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077b5bec0 5 bytes JMP 0000000000020678
.text C:\Program Files\Gramblr\gramblr.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077b5bfb0 5 bytes JMP 00000000000200a0
.text C:\Program Files\Gramblr\gramblr.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b5c0d0 5 bytes JMP 0000000000020018
.text C:\Program Files\Gramblr\gramblr.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b5c130 5 bytes JMP 00000000000203d0
.text C:\Program Files\Gramblr\gramblr.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b5c1b0 5 bytes JMP 00000000000201b0
.text C:\Program Files\Gramblr\gramblr.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077b5c250 5 bytes JMP 0000000000020128
.text C:\Program Files\Gramblr\gramblr.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b5c700 5 bytes JMP 0000000000020238
.text C:\Program Files\Gramblr\gramblr.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b5c790 5 bytes JMP 00000000000202c0
.text C:\Program Files\Gramblr\gramblr.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077b5c800 5 bytes JMP 0000000000020348
.text C:\Program Files\Gramblr\gramblr.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b5ccc0 5 bytes JMP 0000000000020458
.text C:\Program Files\Gramblr\gramblr.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b5cd10 5 bytes JMP 00000000000204e0
.text C:\Program Files\Gramblr\gramblr.exe[708] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077bb26a0 5 bytes JMP 0000000000020568
.text D:\Downloads\FRST64.exe[6516] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000077b34170 5 bytes JMP 00000000000205f0
.text D:\Downloads\FRST64.exe[6516] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077b5bec0 5 bytes JMP 0000000000020678
.text D:\Downloads\FRST64.exe[6516] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077b5bfb0 5 bytes JMP 00000000000200a0
.text D:\Downloads\FRST64.exe[6516] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b5c0d0 5 bytes JMP 0000000000020018
.text D:\Downloads\FRST64.exe[6516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b5c130 5 bytes JMP 00000000000203d0
.text D:\Downloads\FRST64.exe[6516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b5c1b0 5 bytes JMP 00000000000201b0
.text D:\Downloads\FRST64.exe[6516] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077b5c250 5 bytes JMP 0000000000020128
.text D:\Downloads\FRST64.exe[6516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b5c700 5 bytes JMP 0000000000020238
.text D:\Downloads\FRST64.exe[6516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b5c790 5 bytes JMP 00000000000202c0
.text D:\Downloads\FRST64.exe[6516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077b5c800 5 bytes JMP 0000000000020348
.text D:\Downloads\FRST64.exe[6516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b5ccc0 5 bytes JMP 0000000000020458
.text D:\Downloads\FRST64.exe[6516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b5cd10 5 bytes JMP 00000000000204e0
.text D:\Downloads\FRST64.exe[6516] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077bb26a0 5 bytes JMP 0000000000020568
.text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6268] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 0000000077d0fae8 5 bytes JMP 00000000709634b0
.text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6268] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077d0fc60 5 bytes JMP 0000000070962830
.text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6268] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077d0fe24 5 bytes JMP 00000000709626c0
.text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6268] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077d0feb8 5 bytes JMP 0000000070962c30
.text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6268] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077d0ff84 5 bytes JMP 0000000070962ae0
.text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6268] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077d10078 5 bytes JMP 00000000709629d0
.text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6268] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077d107ac 5 bytes JMP 0000000070962d70
.text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6268] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077d10884 5 bytes JMP 0000000070963000
.text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6268] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077d1092c 5 bytes JMP 0000000070963290
.text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6268] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077d11088 5 bytes JMP 0000000070962ec0
.text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6268] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077d11100 5 bytes JMP 0000000070963150
.text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6268] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 0000000077d2911f 5 bytes JMP 0000000070963420
.text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6268] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 0000000077daffe9 5 bytes JMP 0000000070963340
.text C:\Windows\system32\wbem\wmiprvse.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000077b34170 5 bytes JMP 00000000000205f0
.text C:\Windows\system32\wbem\wmiprvse.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077b5bec0 5 bytes JMP 0000000000020678
.text C:\Windows\system32\wbem\wmiprvse.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077b5bfb0 5 bytes JMP 00000000000200a0
.text C:\Windows\system32\wbem\wmiprvse.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b5c0d0 5 bytes JMP 0000000000020018
.text C:\Windows\system32\wbem\wmiprvse.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b5c130 5 bytes JMP 00000000000203d0
.text C:\Windows\system32\wbem\wmiprvse.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b5c1b0 5 bytes JMP 00000000000201b0
.text C:\Windows\system32\wbem\wmiprvse.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077b5c250 5 bytes JMP 0000000000020128
.text C:\Windows\system32\wbem\wmiprvse.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b5c700 5 bytes JMP 0000000000020238
.text C:\Windows\system32\wbem\wmiprvse.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b5c790 5 bytes JMP 00000000000202c0
.text C:\Windows\system32\wbem\wmiprvse.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077b5c800 5 bytes JMP 0000000000020348
.text C:\Windows\system32\wbem\wmiprvse.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b5ccc0 5 bytes JMP 0000000000020458
.text C:\Windows\system32\wbem\wmiprvse.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b5cd10 5 bytes JMP 00000000000204e0
.text C:\Windows\system32\wbem\wmiprvse.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077bb26a0 5 bytes JMP 0000000000020568
.text C:\Windows\system32\taskeng.exe[6724] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000077b34170 5 bytes JMP 00000000000205f0
.text C:\Windows\system32\taskeng.exe[6724] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077b5bec0 5 bytes JMP 0000000000020678
.text C:\Windows\system32\taskeng.exe[6724] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077b5bfb0 5 bytes JMP 00000000000200a0
.text C:\Windows\system32\taskeng.exe[6724] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b5c0d0 5 bytes JMP 0000000000020018
.text C:\Windows\system32\taskeng.exe[6724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b5c130 5 bytes JMP 00000000000203d0
.text C:\Windows\system32\taskeng.exe[6724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b5c1b0 5 bytes JMP 00000000000201b0
.text C:\Windows\system32\taskeng.exe[6724] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077b5c250 5 bytes JMP 0000000000020128
.text C:\Windows\system32\taskeng.exe[6724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b5c700 5 bytes JMP 0000000000020238
.text C:\Windows\system32\taskeng.exe[6724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b5c790 5 bytes JMP 00000000000202c0
.text C:\Windows\system32\taskeng.exe[6724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077b5c800 5 bytes JMP 0000000000020348
.text C:\Windows\system32\taskeng.exe[6724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b5ccc0 5 bytes JMP 0000000000020458
.text C:\Windows\system32\taskeng.exe[6724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b5cd10 5 bytes JMP 00000000000204e0
.text C:\Windows\system32\taskeng.exe[6724] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077bb26a0 5 bytes JMP 0000000000020568
.text C:\Windows\system32\taskeng.exe[780] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000077b34170 5 bytes JMP 00000000000205f0
.text C:\Windows\system32\taskeng.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077b5bec0 5 bytes JMP 0000000000020678
.text C:\Windows\system32\taskeng.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077b5bfb0 5 bytes JMP 00000000000200a0
.text C:\Windows\system32\taskeng.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b5c0d0 5 bytes JMP 0000000000020018
.text C:\Windows\system32\taskeng.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b5c130 5 bytes JMP 00000000000203d0
.text C:\Windows\system32\taskeng.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b5c1b0 5 bytes JMP 00000000000201b0
.text C:\Windows\system32\taskeng.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077b5c250 5 bytes JMP 0000000000020128
.text C:\Windows\system32\taskeng.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b5c700 5 bytes JMP 0000000000020238
.text C:\Windows\system32\taskeng.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b5c790 5 bytes JMP 00000000000202c0
.text C:\Windows\system32\taskeng.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077b5c800 5 bytes JMP 0000000000020348
.text C:\Windows\system32\taskeng.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b5ccc0 5 bytes JMP 0000000000020458
.text C:\Windows\system32\taskeng.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b5cd10 5 bytes JMP 00000000000204e0
.text C:\Windows\system32\taskeng.exe[780] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077bb26a0 5 bytes JMP 0000000000020568
.text D:\Downloads\td4zu4t1.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 0000000077d0fae8 5 bytes JMP 00000000709634b0
.text D:\Downloads\td4zu4t1.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077d0fc60 5 bytes JMP 0000000070962830
.text D:\Downloads\td4zu4t1.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077d0fe24 5 bytes JMP 00000000709626c0
.text D:\Downloads\td4zu4t1.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077d0feb8 5 bytes JMP 0000000070962c30
.text D:\Downloads\td4zu4t1.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077d0ff84 5 bytes JMP 0000000070962ae0
.text D:\Downloads\td4zu4t1.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077d10078 5 bytes JMP 00000000709629d0
.text D:\Downloads\td4zu4t1.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077d107ac 5 bytes JMP 0000000070962d70
.text D:\Downloads\td4zu4t1.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077d10884 5 bytes JMP 0000000070963000
.text D:\Downloads\td4zu4t1.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077d1092c 5 bytes JMP 0000000070963290
.text D:\Downloads\td4zu4t1.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077d11088 5 bytes JMP 0000000070962ec0
.text D:\Downloads\td4zu4t1.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077d11100 5 bytes JMP 0000000070963150
.text D:\Downloads\td4zu4t1.exe[1928] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 0000000077d2911f 5 bytes JMP 0000000070963420
.text D:\Downloads\td4zu4t1.exe[1928] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 0000000077daffe9 5 bytes JMP 0000000070963340

---- Kernel IAT/EAT - GMER 2.2 ----

IAT C:\Windows\system32\drivers\CLASSPNP.SYS[ntoskrnl.exe!IofCallDriver] [fffff88001ab9364] \SystemRoot\system32\drivers\aswSP.sys [.text]

---- User IAT/EAT - GMER 2.2 ----

IAT C:\Program Files\Gramblr\gramblr.exe[708] @ C:\Program Files\Gramblr\gramblr.exe[KERNEL32.dll!GetProcAddress] [7fefd604230] C:\Windows\system32\apphelp.dll
IAT C:\Program Files\Gramblr\gramblr.exe[708] @ C:\Windows\system32\kernel32.dll[ntdll.dll!RtlUnlockHeap] [7fee9b68164] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL
IAT C:\Program Files\Gramblr\gramblr.exe[708] @
C:\Windows\system32\kernel32.dll[ntdll.dll!RtlSizeHeap] [7fee9b68260] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Gramblr\gramblr.exe[708] @ C:\Windows\system32\kernel32.dll[ntdll.dll!RtlReAllocateHeap] [7fee9b673ec] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Gramblr\gramblr.exe[708] @ C:\Windows\system32\kernel32.dll[ntdll.dll!RtlLockHeap] [7fee9b680e8] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Gramblr\gramblr.exe[708] @ C:\Windows\system32\kernel32.dll[ntdll.dll!RtlFreeHeap] [7fee9b67a7c] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Gramblr\gramblr.exe[708] @ C:\Windows\system32\kernel32.dll[ntdll.dll!RtlAllocateHeap] [7fee9b671cc] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Gramblr\gramblr.exe[708] @ C:\Windows\system32\kernel32.dll[ntdll.dll!RtlCreateHeap] [7fee9b67e84] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Gramblr\gramblr.exe[708] @ C:\Windows\system32\kernel32.dll[ntdll.dll!RtlDestroyHeap] [7fee9b68048] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Gramblr\gramblr.exe[708] @ C:\Windows\system32\kernel32.dll[ntdll.dll!RtlExitUserProcess] [7fee9b682e4] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Gramblr\gramblr.exe[708] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!RtlAllocateHeap] [7fee9b671cc] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Gramblr\gramblr.exe[708] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!RtlFreeHeap] [7fee9b67a7c] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Gramblr\gramblr.exe[708] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!RtlExitUserProcess] [7fee9b682e4] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Gramblr\gramblr.exe[708] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!RtlReAllocateHeap] [7fee9b673ec] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Gramblr\gramblr.exe[708] @ 
C:\Windows\system32\KERNELBASE.dll[ntdll.dll!RtlLockHeap] [7fee9b680e8] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Gramblr\gramblr.exe[708] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!RtlUnlockHeap] [7fee9b68164] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Gramblr\gramblr.exe[708] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!RtlCreateHeap] [7fee9b67e84] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Gramblr\gramblr.exe[708] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!RtlDestroyHeap] [7fee9b68048] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Gramblr\gramblr.exe[708] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!RtlValidateHeap] [7fee9b681c0] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Gramblr\gramblr.exe[708] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!RtlWalkHeap] [7fee9b68054] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Gramblr\gramblr.exe[708] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!RtlAllocateHeap] [7fee9b671cc] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Gramblr\gramblr.exe[708] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!RtlFreeHeap] [7fee9b67a7c] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Gramblr\gramblr.exe[708] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!RtlReAllocateHeap] [7fee9b673ec] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Gramblr\gramblr.exe[708] @ C:\Windows\system32\ADVAPI32.dll[KERNEL32.dll!GetProcAddress] [7fefd604230] C:\Windows\system32\apphelp.dll IAT C:\Program Files\Gramblr\gramblr.exe[708] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!RtlFreeHeap] [7fee9b67a7c] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Gramblr\gramblr.exe[708] @ C:\Windows\SYSTEM32\sechost.dll[ntdll.dll!RtlAllocateHeap] [7fee9b671cc] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Gramblr\gramblr.exe[708] @ 
C:\Windows\system32\RPCRT4.dll[ntdll.dll!RtlFreeHeap] [7fee9b67a7c] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Gramblr\gramblr.exe[708] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!RtlAllocateHeap] [7fee9b671cc] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Gramblr\gramblr.exe[708] @ C:\Windows\system32\USER32.dll[ntdll.dll!RtlFreeHeap] [7fee9b67a7c] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Gramblr\gramblr.exe[708] @ C:\Windows\system32\USER32.dll[ntdll.dll!RtlAllocateHeap] [7fee9b671cc] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Gramblr\gramblr.exe[708] @ C:\Windows\system32\USER32.dll[ntdll.dll!RtlReAllocateHeap] [7fee9b673ec] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Gramblr\gramblr.exe[708] @ C:\Windows\system32\USER32.dll[ntdll.dll!RtlSizeHeap] [7fee9b68260] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Gramblr\gramblr.exe[708] @ C:\Windows\system32\USER32.dll[KERNEL32.dll!GetProcAddress] [7fefd604230] C:\Windows\system32\apphelp.dll IAT C:\Program Files\Gramblr\gramblr.exe[708] @ C:\Windows\system32\GDI32.dll[ntdll.dll!RtlFreeHeap] [7fee9b67a7c] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Gramblr\gramblr.exe[708] @ C:\Windows\system32\GDI32.dll[ntdll.dll!RtlAllocateHeap] [7fee9b671cc] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Gramblr\gramblr.exe[708] @ C:\Windows\system32\GDI32.dll[KERNEL32.dll!GetProcAddress] [7fefd604230] C:\Windows\system32\apphelp.dll IAT C:\Program Files\Gramblr\gramblr.exe[708] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!RtlFreeHeap] [7fee9b67a7c] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Gramblr\gramblr.exe[708] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!RtlAllocateHeap] [7fee9b671cc] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Gramblr\gramblr.exe[708] @ C:\Windows\system32\ole32.dll[ntdll.dll!RtlFreeHeap] [7fee9b67a7c] 
C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Gramblr\gramblr.exe[708] @ C:\Windows\system32\ole32.dll[ntdll.dll!RtlAllocateHeap] [7fee9b671cc] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Gramblr\gramblr.exe[708] @ C:\Windows\system32\ole32.dll[ntdll.dll!RtlReAllocateHeap] [7fee9b673ec] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Gramblr\gramblr.exe[708] @ C:\Windows\system32\SHELL32.dll[ntdll.dll!RtlFreeHeap] [7fee9b67a7c] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Gramblr\gramblr.exe[708] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!GetProcAddress] [7fefd604230] C:\Windows\system32\apphelp.dll IAT C:\Program Files\Gramblr\gramblr.exe[708] @ C:\Windows\system32\IMM32.DLL[KERNEL32.dll!GetProcAddress] [7fefd604230] C:\Windows\system32\apphelp.dll IAT C:\Program Files\Gramblr\gramblr.exe[708] @ C:\Windows\system32\MSCTF.dll[KERNEL32.dll!GetProcAddress] [7fefd604230] C:\Windows\system32\apphelp.dll IAT C:\Program Files\Gramblr\gramblr.exe[708] @ C:\Windows\system32\rsaenh.dll[ntdll.dll!RtlFreeHeap] [7fee9b67a7c] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Gramblr\gramblr.exe[708] @ C:\Windows\system32\rsaenh.dll[ntdll.dll!RtlAllocateHeap] [7fee9b671cc] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Gramblr\gramblr.exe[708] @ C:\Windows\system32\rsaenh.dll[KERNEL32.dll!GetProcAddress] [7fefd604230] C:\Windows\system32\apphelp.dll IAT C:\Program Files\Gramblr\gramblr.exe[708] @ C:\Windows\system32\CRYPTBASE.dll[ntdll.dll!RtlAllocateHeap] [7fee9b671cc] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Gramblr\gramblr.exe[708] @ C:\Windows\system32\CRYPTBASE.dll[ntdll.dll!RtlFreeHeap] [7fee9b67a7c] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Gramblr\gramblr.exe[708] @ C:\Windows\System32\mswsock.dll[ntdll.dll!RtlCreateHeap] [7fee9b67e84] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program 
Files\Gramblr\gramblr.exe[708] @ C:\Windows\System32\mswsock.dll[ntdll.dll!RtlDestroyHeap] [7fee9b68048] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Gramblr\gramblr.exe[708] @ C:\Windows\System32\mswsock.dll[ntdll.dll!RtlAllocateHeap] [7fee9b671cc] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Gramblr\gramblr.exe[708] @ C:\Windows\System32\mswsock.dll[ntdll.dll!RtlFreeHeap] [7fee9b67a7c] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Gramblr\gramblr.exe[708] @ C:\Windows\system32\DNSAPI.dll[ntdll.dll!RtlCreateHeap] [7fee9b67e84] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Gramblr\gramblr.exe[708] @ C:\Windows\system32\DNSAPI.dll[ntdll.dll!RtlFreeHeap] [7fee9b67a7c] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Gramblr\gramblr.exe[708] @ C:\Windows\system32\DNSAPI.dll[ntdll.dll!RtlDestroyHeap] [7fee9b68048] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Gramblr\gramblr.exe[708] @ C:\Windows\system32\DNSAPI.dll[ntdll.dll!RtlReAllocateHeap] [7fee9b673ec] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Gramblr\gramblr.exe[708] @ C:\Windows\system32\DNSAPI.dll[ntdll.dll!RtlAllocateHeap] [7fee9b671cc] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Gramblr\gramblr.exe[708] @ C:\Windows\system32\IPHLPAPI.DLL[ntdll.dll!RtlFreeHeap] [7fee9b67a7c] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Gramblr\gramblr.exe[708] @ C:\Windows\system32\IPHLPAPI.DLL[ntdll.dll!RtlAllocateHeap] [7fee9b671cc] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Gramblr\gramblr.exe[708] @ C:\Windows\System32\fwpuclnt.dll[KERNEL32.dll!GetProcAddress] [7fefd604230] C:\Windows\system32\apphelp.dll IAT C:\Program Files\Gramblr\gramblr.exe[708] @ C:\Windows\System32\wship6.dll[ntdll.dll!RtlAllocateHeap] [7fee9b671cc] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Gramblr\gramblr.exe[708] @ 
C:\Windows\System32\wshtcpip.dll[ntdll.dll!RtlAllocateHeap] [7fee9b671cc] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL ---- Threads - GMER 2.2 ---- Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [5296:5804] 000007fefbc12ae8 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [5296:5820] 000007feeed18a28 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{5C55B7BA-68F9-4141-BC95-CB0ED10C2714}\Connection@Name isatap.{EE8673AD-7420-4AE6-B5D3-BA841584E40C} Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Bind \Device\{C26517D7-FF7B-44B5-9D81-F8EA6939D412}?\Device\{5C55B7BA-68F9-4141-BC95-CB0ED10C2714}?\Device\{5A0321DF-324C-469F-8337-DF3E09873A3C}?\Device\{39A5267C-3663-4AEF-8FF9-6CC8A865C70A}? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Route "{C26517D7-FF7B-44B5-9D81-F8EA6939D412}"?"{5C55B7BA-68F9-4141-BC95-CB0ED10C2714}"?"{5A0321DF-324C-469F-8337-DF3E09873A3C}"?"{39A5267C-3663-4AEF-8FF9-6CC8A865C70A}"? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Export \Device\TCPIP6TUNNEL_{C26517D7-FF7B-44B5-9D81-F8EA6939D412}?\Device\TCPIP6TUNNEL_{5C55B7BA-68F9-4141-BC95-CB0ED10C2714}?\Device\TCPIP6TUNNEL_{5A0321DF-324C-469F-8337-DF3E09873A3C}?\Device\TCPIP6TUNNEL_{39A5267C-3663-4AEF-8FF9-6CC8A865C70A}? Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters\Instup_14913136491682291@SetupOperations ????????? P??????T???????????????????????????????????????w??????????????????????????????????????????????????????????????????????????????????os??t???????u????e?e?j?|?????e????6??????????????????????\??\P??STORAGE\Volume??????????????????????? ?????????????????????*?????????? ?&???????????????????????None????????????????????? 
?????????????????????*????????????&???????????????????????6-21-2006????????????????????????????????????????????????e??????????????????????????USB Device????????N???????????D?????????????usb.inf?????????????????s????????~??????????????????????????#????????????????????e??????????????????????????????Microsoft???????????????????????????????????????????????ft??????????????????????????????????????????? ???9???????????????????????????r??????????? T??????T??????r?????????????????????????????7?as????H?X??????4???????????????????? ??????? ??????? ???????Commited?{???z??Microsoft?????r????????????e??????
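Hook tables like the one above are easier to triage once parsed than read entry by entry. The following Python script is an added example, not part of the GMER log or of GMER itself: it parses the user-mode `.text` inline-hook lines and the `IAT` lines in the format this log uses, then reports, per process, which module the hooks lead to and which processes carry an identical set of hooked exports. The sample input is a handful of lines copied from the log; the regexes, record field names and the `<no module>` label are my assumptions about the log format, not a GMER specification (kernel `.text` lines without a `[pid]` are deliberately not handled).

```python
import re
from collections import Counter, defaultdict

# Constructed sample: lines copied verbatim from the GMER log above.
SAMPLE = r"""
.text C:\Windows\system32\wbem\wmiprvse.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077b5bfb0 5 bytes JMP 00000000000200a0
.text C:\Windows\system32\wbem\wmiprvse.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b5c0d0 5 bytes JMP 0000000000020018
.text C:\Windows\system32\taskeng.exe[6724] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077b5bfb0 5 bytes JMP 00000000000200a0
.text C:\Windows\system32\taskeng.exe[6724] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b5c0d0 5 bytes JMP 0000000000020018
.text D:\Downloads\td4zu4t1.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077d0fc60 5 bytes JMP 0000000070962830
IAT C:\Program Files\Gramblr\gramblr.exe[708] @ C:\Windows\system32\kernel32.dll[ntdll.dll!RtlAllocateHeap] [7fee9b671cc] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL
IAT C:\Program Files\Gramblr\gramblr.exe[708] @ C:\Windows\system32\USER32.dll[KERNEL32.dll!GetProcAddress] [7fefd604230] C:\Windows\system32\apphelp.dll
IAT C:\Windows\system32\drivers\CLASSPNP.SYS[ntoskrnl.exe!IofCallDriver] [fffff88001ab9364] \SystemRoot\system32\drivers\aswSP.sys [.text]
"""

# ".text <image>[pid] <module>!<export>[ + off] <addr> <n> bytes <patch>"
INLINE_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>\S+)!(?P<export>\S+?)(?:\s+\+\s+(?P<offset>\d+))?\s+"
    r"(?P<addr>[0-9a-fA-F]+)\s+(?P<size>\d+)\s+bytes?\s+(?P<patch>.+)$"
)
# "IAT <image>[pid] @ <module>[<dll>!<func>] [<addr>] <hooking module>"
USER_IAT_RE = re.compile(
    r"^IAT\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+@\s+(?P<module>.+?)"
    r"\[(?P<imp>[^\]]+)\]\s+\[(?P<addr>[0-9a-fA-F]+)\]\s+(?P<target>\S+)"
    r"(?:\s+\[(?P<section>[^\]]+)\])?$"
)
# "IAT <driver>[<dll>!<func>] [<addr>] <hooking driver> [<section>]"
KERNEL_IAT_RE = re.compile(
    r"^IAT\s+(?P<image>\S+)\[(?P<imp>[^\]]+)\]\s+\[(?P<addr>[0-9a-fA-F]+)\]\s+"
    r"(?P<target>\S+)(?:\s+\[(?P<section>[^\]]+)\])?$"
)
# Patch column of an inline hook: "JMP <addr> [<module>]" or raw bytes.
BRANCH_RE = re.compile(r"^(JMP|CALL)\s+([0-9a-fA-F]+)(?:\s+(\S+))?$")


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def parse_line(line):
    """Turn one GMER hook line into a record; return None for anything else."""
    line = line.strip()
    m = INLINE_RE.match(line)
    if m:
        target_addr, target_mod = None, None
        b = BRANCH_RE.match(m["patch"])
        if b:  # a branch patch; raw-byte patches keep target_* as None
            target_addr, target_mod = int(b.group(2), 16), b.group(3)
        return {"kind": "inline", "image": m["image"], "pid": int(m["pid"]),
                "hooked": f"{_basename(m['module'])}!{m['export']}",
                "addr": int(m["addr"], 16), "target_addr": target_addr,
                "target_module": target_mod, "patch": m["patch"]}
    m = USER_IAT_RE.match(line) or KERNEL_IAT_RE.match(line)
    if m:
        pid = int(m["pid"]) if "pid" in m.groupdict() else None
        # For IAT entries GMER prints the address the import now resolves to.
        return {"kind": "iat" if pid is not None else "kernel_iat",
                "image": m["image"], "pid": pid, "hooked": m["imp"],
                "addr": int(m["addr"], 16), "target_addr": int(m["addr"], 16),
                "target_module": m["target"], "patch": None}
    return None


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def _proc_key(r):
    name = _basename(r["image"])
    return f"{name}[{r['pid']}]" if r["pid"] is not None else name


def hook_origins(records):
    """Per process: how many hooks lead into each named module."""
    out = defaultdict(Counter)
    for r in records:
        out[_proc_key(r)][r["target_module"] or "<no module>"] += 1
    return dict(out)


def shared_hook_sets(records):
    """Processes carrying exactly the same set of hooked exports."""
    per_proc = defaultdict(set)
    for r in records:
        if r["pid"] is not None:
            per_proc[_proc_key(r)].add(r["hooked"])
    groups = defaultdict(list)
    for proc, hooks in per_proc.items():
        groups[frozenset(hooks)].append(proc)
    return [(sorted(h), sorted(p)) for h, p in groups.items() if len(p) > 1]


if __name__ == "__main__":
    recs = parse_log(SAMPLE)
    for proc, origins in hook_origins(recs).items():
        print(proc, dict(origins))
    for hooks, procs in shared_hook_sets(recs):
        print("identical hook set in", procs, ":", hooks)
```

Run against the full log, the script surfaces what a reviewer would check by hand: the same set of ntdll exports is patched identically in wmiprvse.exe and both taskeng.exe instances, with JMP targets that GMER attributes to no loaded module, and the same set appears in GMER's own td4zu4t1.exe process. A uniform hook set across unrelated processes is the signature of a system-wide hooking engine; the kernel IAT section of this log names Avast's self-protection driver (aswSP.sys), and AcXtrnal.DLL and apphelp.dll in the gramblr.exe entries are Windows application-compatibility (shim) components. Treat "<no module>" targets as something to resolve with the process's memory map, not as proof of malware on their own.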