GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-10-05 22:39:07 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 HITACHI_ rev.JE3Z 465,76GB Running: dtu0xx35.exe; Driver: C:\Users\Robert\AppData\Local\Temp\uwrdypob.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff800031f1000 45 bytes [00, 10, 50, 07, A0, F8, FF, ...] INITKDBG C:\windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 575 fffff800031f102f 16 bytes [00, 01, 00, 00, 00, 00, 00, ...] .text C:\windows\System32\win32k.sys!XLATEOBJ_iXlate + 665 fffff960000eb82d 13 bytes {MOV EAX, 0x452a37c; CMP AL, 0xff; CALL QWORD [RAX-0x3d]} .text C:\windows\System32\win32k.sys!W32pServiceTable fffff96000134200 7 bytes [40, A3, F3, FF, 01, B5, F0] .text C:\windows\System32\win32k.sys!W32pServiceTable + 8 fffff96000134208 3 bytes [C0, 06, 02] .text ... * 105 .text C:\windows\System32\win32k.sys!EngQueryW32kCddInterface + 784 fffff960001f34cc 15 bytes [48, B8, 3C, BA, 52, 04, 80, ...] ---- User code sections - GMER 2.1 ---- .text C:\windows\system32\taskhost.exe[2252] C:\windows\system32\ole32.dll!CoCreateInstanceEx + 1 000007fefd86de91 14 bytes [B8, BC, 8A, 05, 00, 00, 00, ...] .text C:\windows\system32\taskhost.exe[2252] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefd887490 8 bytes [48, B8, 2C, 8A, 05, 00, 00, ...] .text C:\windows\system32\taskhost.exe[2252] C:\windows\system32\ole32.dll!CoCreateInstance + 10 000007fefd88749a 8 bytes [50, C3, 90, 90, 90, 90, 90, ...] .text C:\windows\system32\taskhost.exe[2252] C:\windows\system32\ole32.dll!CoGetClassObject + 1 000007fefd892e19 14 bytes [B8, 2C, 8B, 05, 00, 00, 00, ...] .text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[2560] C:\windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000074fa8791 4 bytes [C2, 04, 00, 00] .text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[2560] C:\windows\syswow64\psapi.dll!GetModuleInformation + 69 0000000074ea1465 2 bytes [EA, 74] .text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[2560] C:\windows\syswow64\psapi.dll!GetModuleInformation + 155 0000000074ea14bb 2 bytes [EA, 74] .text ... * 2 .text C:\windows\Explorer.EXE[2540] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll + 1 0000000077163b11 12 bytes [B8, 64, 6E, 06, 00, 00, 00, ...] .text C:\windows\Explorer.EXE[2540] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll + 1 0000000077167ac1 11 bytes [B8, 78, 6D, 06, 00, 00, 00, ...] .text C:\windows\Explorer.EXE[2540] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000771917b0 5 bytes [48, B8, 78, 13, 06] .text C:\windows\Explorer.EXE[2540] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 8 00000000771917b8 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\windows\Explorer.EXE[2540] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077191800 5 bytes [48, B8, 88, 23, 06] .text C:\windows\Explorer.EXE[2540] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077191808 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\windows\Explorer.EXE[2540] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000771919f0 5 bytes [48, B8, 98, 21, 06] .text C:\windows\Explorer.EXE[2540] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort + 8 00000000771919f8 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\windows\Explorer.EXE[2540] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077191bd0 5 bytes [48, B8, F8, 22, 06] .text C:\windows\Explorer.EXE[2540] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort + 8 0000000077191bd8 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\windows\Explorer.EXE[2540] C:\windows\SYSTEM32\ntdll.dll!NtSecureConnectPort 00000000771927a0 6 bytes [48, B8, 54, 22, 06, 00] .text C:\windows\Explorer.EXE[2540] C:\windows\SYSTEM32\ntdll.dll!NtSecureConnectPort + 8 00000000771927a8 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\windows\Explorer.EXE[2540] C:\windows\system32\SHLWAPI.dll!ShellMessageBoxW 000007fefecef8c0 5 bytes JMP 000007fffecb00d8 .text C:\windows\Explorer.EXE[2540] C:\windows\system32\ole32.dll!CoCreateInstanceEx + 1 000007fefd86de91 14 bytes [B8, BC, 8A, 06, 00, 00, 00, ...] .text C:\windows\Explorer.EXE[2540] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefd887490 8 bytes [48, B8, 2C, 8A, 06, 00, 00, ...] .text C:\windows\Explorer.EXE[2540] C:\windows\system32\ole32.dll!CoCreateInstance + 10 000007fefd88749a 8 bytes [50, C3, 90, 90, 90, 90, 90, ...] .text C:\windows\Explorer.EXE[2540] C:\windows\system32\ole32.dll!CoGetClassObject + 1 000007fefd892e19 14 bytes [B8, 2C, 8B, 06, 00, 00, 00, ...] .text C:\windows\Explorer.EXE[2540] C:\windows\system32\samcli.dll!NetUserSetInfo + 1 000007fefad168bd 14 bytes [B8, B0, 25, 06, 00, 00, 00, ...] .text C:\windows\Explorer.EXE[2540] C:\windows\system32\samcli.dll!NetUserChangePassword 000007fefad17e18 15 bytes [48, B8, 68, 26, 06, 00, 00, ...] .text C:\Windows\System32\hkcmd.exe[3316] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll + 1 0000000077163b11 12 bytes [B8, 64, 6E, 16, 00, 00, 00, ...] .text C:\Windows\System32\hkcmd.exe[3316] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll + 1 0000000077167ac1 11 bytes [B8, 78, 6D, 16, 00, 00, 00, ...] .text C:\Windows\System32\hkcmd.exe[3316] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000771917b0 5 bytes [48, B8, 78, 13, 16] .text C:\Windows\System32\hkcmd.exe[3316] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 8 00000000771917b8 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\System32\hkcmd.exe[3316] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077191800 5 bytes [48, B8, 88, 23, 16] .text C:\Windows\System32\hkcmd.exe[3316] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077191808 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\System32\hkcmd.exe[3316] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000771919f0 5 bytes [48, B8, 98, 21, 16] .text C:\Windows\System32\hkcmd.exe[3316] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort + 8 00000000771919f8 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\System32\hkcmd.exe[3316] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077191bd0 5 bytes [48, B8, F8, 22, 16] .text C:\Windows\System32\hkcmd.exe[3316] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort + 8 0000000077191bd8 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\System32\hkcmd.exe[3316] C:\windows\SYSTEM32\ntdll.dll!NtSecureConnectPort 00000000771927a0 6 bytes [48, B8, 54, 22, 16, 00] .text C:\Windows\System32\hkcmd.exe[3316] C:\windows\SYSTEM32\ntdll.dll!NtSecureConnectPort + 8 00000000771927a8 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[3580] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll + 1 0000000077163b11 12 bytes [B8, 64, 6E, 06, 00, 00, 00, ...] .text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[3580] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll + 1 0000000077167ac1 11 bytes [B8, 78, 6D, 06, 00, 00, 00, ...] .text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[3580] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000771917b0 5 bytes [48, B8, 78, 13, 06] .text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[3580] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 8 00000000771917b8 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[3580] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077191800 5 bytes [48, B8, 88, 23, 06] .text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[3580] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077191808 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[3580] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000771919f0 5 bytes [48, B8, 98, 21, 06] .text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[3580] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort + 8 00000000771919f8 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[3580] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077191bd0 5 bytes [48, B8, F8, 22, 06] .text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[3580] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort + 8 0000000077191bd8 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[3580] C:\windows\SYSTEM32\ntdll.dll!NtSecureConnectPort 00000000771927a0 6 bytes [48, B8, 54, 22, 06, 00] .text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[3580] C:\windows\SYSTEM32\ntdll.dll!NtSecureConnectPort + 8 00000000771927a8 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[3580] C:\windows\system32\ole32.dll!CoCreateInstanceEx + 1 000007fefd86de91 14 bytes [B8, BC, 8A, 06, 00, 00, 00, ...] .text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[3580] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefd887490 8 bytes [48, B8, 2C, 8A, 06, 00, 00, ...] .text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[3580] C:\windows\system32\ole32.dll!CoCreateInstance + 10 000007fefd88749a 8 bytes [50, C3, 90, 90, 90, 90, 90, ...] .text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[3580] C:\windows\system32\ole32.dll!CoGetClassObject + 1 000007fefd892e19 14 bytes [B8, 2C, 8B, 06, 00, 00, 00, ...] .text C:\Program Files\Sandboxie\SbieCtrl.exe[3596] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll + 1 0000000077163b11 12 bytes [B8, 64, 6E, 06, 00, 00, 00, ...] .text C:\Program Files\Sandboxie\SbieCtrl.exe[3596] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll + 1 0000000077167ac1 11 bytes [B8, 78, 6D, 06, 00, 00, 00, ...] .text C:\Program Files\Sandboxie\SbieCtrl.exe[3596] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000771917b0 5 bytes [48, B8, 78, 13, 06] .text C:\Program Files\Sandboxie\SbieCtrl.exe[3596] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 8 00000000771917b8 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Program Files\Sandboxie\SbieCtrl.exe[3596] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077191800 5 bytes [48, B8, 88, 23, 06] .text C:\Program Files\Sandboxie\SbieCtrl.exe[3596] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077191808 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Program Files\Sandboxie\SbieCtrl.exe[3596] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000771919f0 5 bytes [48, B8, 98, 21, 06] .text C:\Program Files\Sandboxie\SbieCtrl.exe[3596] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort + 8 00000000771919f8 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Program Files\Sandboxie\SbieCtrl.exe[3596] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077191bd0 5 bytes [48, B8, F8, 22, 06] .text C:\Program Files\Sandboxie\SbieCtrl.exe[3596] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort + 8 0000000077191bd8 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Program Files\Sandboxie\SbieCtrl.exe[3596] C:\windows\SYSTEM32\ntdll.dll!NtSecureConnectPort 00000000771927a0 6 bytes [48, B8, 54, 22, 06, 00] .text C:\Program Files\Sandboxie\SbieCtrl.exe[3596] C:\windows\SYSTEM32\ntdll.dll!NtSecureConnectPort + 8 00000000771927a8 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Program Files\Sandboxie\SbieCtrl.exe[3596] C:\windows\system32\ole32.dll!CoCreateInstanceEx + 1 000007fefd86de91 14 bytes [B8, BC, 8A, 06, 00, 00, 00, ...] .text C:\Program Files\Sandboxie\SbieCtrl.exe[3596] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefd887490 8 bytes [48, B8, 2C, 8A, 06, 00, 00, ...] .text C:\Program Files\Sandboxie\SbieCtrl.exe[3596] C:\windows\system32\ole32.dll!CoCreateInstance + 10 000007fefd88749a 8 bytes [50, C3, 90, 90, 90, 90, 90, ...] .text C:\Program Files\Sandboxie\SbieCtrl.exe[3596] C:\windows\system32\ole32.dll!CoGetClassObject + 1 000007fefd892e19 14 bytes [B8, 2C, 8B, 06, 00, 00, 00, ...] .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3696] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 1 00000000773400b5 3 bytes [08, 1A, 0D] .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3696] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000773400b9 2 bytes [50, C3] .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3696] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 1 00000000773403b9 3 bytes [96, 19, 0D] .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3696] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 5 00000000773403bd 2 bytes [50, C3] .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3696] C:\windows\SysWOW64\ntdll.dll!NtConnectPort + 1 0000000077340695 3 bytes [E2, 19, 0D] .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3696] C:\windows\SysWOW64\ntdll.dll!NtConnectPort + 5 0000000077340699 2 bytes [50, C3] .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3696] C:\windows\SysWOW64\ntdll.dll!NtSecureConnectPort + 1 00000000773418c1 3 bytes [BC, 19, 0D] .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3696] C:\windows\SysWOW64\ntdll.dll!NtSecureConnectPort + 5 00000000773418c5 2 bytes [50, C3] .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3696] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007735c4dd 10 bytes [B8, 7A, 7B, 0D, 00, 50, C3, ...] .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3696] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077361287 7 bytes [B8, F9, 6D, 0D, 00, 50, C3] .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3696] C:\windows\syswow64\kernel32.dll!CreateDirectoryW + 257 0000000074fa4322 7 bytes JMP 00000001000d11e5 .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3696] C:\windows\syswow64\kernel32.dll!VirtualAllocExNuma + 11 0000000075024afa 7 bytes JMP 00000001000d1229 .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3696] C:\windows\syswow64\USER32.dll!GetMessageW 00000000759f78e2 8 bytes [B8, 28, 1C, 0D, 00, 50, C3, ...] .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3696] C:\windows\syswow64\USER32.dll!GetMessageA 00000000759f7bd3 8 bytes [B8, E0, 1B, 0D, 00, 50, C3, ...] .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3696] C:\windows\syswow64\USER32.dll!SetWindowLongW 00000000759f8332 7 bytes [B8, DD, 18, 0D, 00, 50, C3] .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3696] C:\windows\syswow64\USER32.dll!RegisterClassW + 237 00000000759f8b52 8 bytes [B8, D7, 56, 0D, 00, 50, C3, ...] .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3696] C:\windows\syswow64\USER32.dll!PeekMessageW 0000000075a005ba 11 bytes [B8, BB, 1C, 0D, 00, 50, C3, ...] .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3696] C:\windows\syswow64\USER32.dll!GetKeyState 0000000075a0291f 11 bytes [B8, DA, 6E, 0D, 00, 50, C3, ...] .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3696] C:\windows\syswow64\USER32.dll!PeekMessageA 0000000075a05f74 11 bytes [B8, 70, 1C, 0D, 00, 50, C3, ...] .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3696] C:\windows\syswow64\USER32.dll!SetWindowLongA 0000000075a06110 7 bytes [B8, B7, 18, 0D, 00, 50, C3] .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3696] C:\windows\syswow64\USER32.dll!CallNextHookEx 0000000075a06285 12 bytes [B8, 28, 70, 0D, 00, 50, C3, ...] .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3696] C:\windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075a1eb96 7 bytes [B8, 2D, 6E, 0D, 00, 50, C3] .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3696] C:\windows\syswow64\USER32.dll!GetKeyboardState + 1 0000000075a1ec69 3 bytes [87, 6F, 0D] .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3696] C:\windows\syswow64\USER32.dll!GetKeyboardState + 5 0000000075a1ec6d 5 bytes [50, C3, 90, 90, 90] .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3696] C:\windows\syswow64\USER32.dll!GetRawInputBuffer 0000000075a4816c 11 bytes [B8, BB, 51, 0D, 00, 50, C3, ...] .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3696] C:\windows\syswow64\USER32.dll!GetRawInputData + 1 0000000075a58370 3 bytes [66, 51, 0D] .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3696] C:\windows\syswow64\USER32.dll!GetRawInputData + 5 0000000075a58374 5 bytes [50, C3, 90, 90, 90] .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3696] C:\windows\syswow64\USER32.dll!EndTask + 1 0000000075a5a7ef 3 bytes [4F, 19, 0D] .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3696] C:\windows\syswow64\USER32.dll!EndTask + 5 0000000075a5a7f3 5 bytes [50, C3, 90, 90, 90] .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3696] C:\windows\syswow64\ole32.dll!CoGetClassObject 0000000076b954ad 10 bytes [B8, 0A, 65, 0D, 00, 50, C3, ...] .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3696] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000076ba9d0b 8 bytes [B8, 8B, 7E, 0D, 00, 50, C3, ...] .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3696] C:\windows\syswow64\ole32.dll!CoCreateInstanceEx 0000000076ba9d4e 9 bytes [B8, E4, 64, 0D, 00, 50, C3, ...] .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3696] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074ea1465 2 bytes [EA, 74] .text C:\Program Files (x86)\Internet Download Manager\IDMan.exe[3696] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074ea14bb 2 bytes [EA, 74] .text ... * 2 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3784] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 1 00000000773400b5 3 bytes [08, 1A, 0D] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3784] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000773400b9 2 bytes [50, C3] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3784] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 1 00000000773403b9 3 bytes [96, 19, 0D] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3784] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 5 00000000773403bd 2 bytes [50, C3] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3784] C:\windows\SysWOW64\ntdll.dll!NtConnectPort + 1 0000000077340695 3 bytes [E2, 19, 0D] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3784] C:\windows\SysWOW64\ntdll.dll!NtConnectPort + 5 0000000077340699 2 bytes [50, C3] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3784] C:\windows\SysWOW64\ntdll.dll!NtSecureConnectPort + 1 00000000773418c1 3 bytes [BC, 19, 0D] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3784] C:\windows\SysWOW64\ntdll.dll!NtSecureConnectPort + 5 00000000773418c5 2 bytes [50, C3] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3784] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007735c4dd 10 bytes [B8, 7A, 7B, 0D, 00, 50, C3, ...] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3784] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077361287 7 bytes [B8, F9, 6D, 0D, 00, 50, C3] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3784] C:\windows\syswow64\KERNEL32.dll!CreateDirectoryW + 257 0000000074fa4322 7 bytes JMP 00000001000d11e5 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3784] C:\windows\syswow64\KERNEL32.dll!VirtualAllocExNuma + 11 0000000075024afa 7 bytes JMP 00000001000d1229 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3784] C:\windows\syswow64\USER32.dll!GetMessageW 00000000759f78e2 8 bytes [B8, 28, 1C, 0D, 00, 50, C3, ...] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3784] C:\windows\syswow64\USER32.dll!GetMessageA 00000000759f7bd3 8 bytes [B8, E0, 1B, 0D, 00, 50, C3, ...] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3784] C:\windows\syswow64\USER32.dll!SetWindowLongW 00000000759f8332 7 bytes [B8, DD, 18, 0D, 00, 50, C3] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3784] C:\windows\syswow64\USER32.dll!PeekMessageW 0000000075a005ba 11 bytes [B8, BB, 1C, 0D, 00, 50, C3, ...] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3784] C:\windows\syswow64\USER32.dll!GetKeyState 0000000075a0291f 11 bytes [B8, DA, 6E, 0D, 00, 50, C3, ...] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3784] C:\windows\syswow64\USER32.dll!PeekMessageA 0000000075a05f74 11 bytes [B8, 70, 1C, 0D, 00, 50, C3, ...] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3784] C:\windows\syswow64\USER32.dll!SetWindowLongA 0000000075a06110 7 bytes [B8, B7, 18, 0D, 00, 50, C3] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3784] C:\windows\syswow64\USER32.dll!CallNextHookEx 0000000075a06285 12 bytes [B8, 28, 70, 0D, 00, 50, C3, ...] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3784] C:\windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075a1eb96 7 bytes [B8, 2D, 6E, 0D, 00, 50, C3] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3784] C:\windows\syswow64\USER32.dll!GetKeyboardState + 1 0000000075a1ec69 3 bytes [87, 6F, 0D] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3784] C:\windows\syswow64\USER32.dll!GetKeyboardState + 5 0000000075a1ec6d 5 bytes [50, C3, 90, 90, 90] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3784] C:\windows\syswow64\USER32.dll!GetRawInputBuffer 0000000075a4816c 11 bytes [B8, BB, 51, 0D, 00, 50, C3, ...] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3784] C:\windows\syswow64\USER32.dll!GetRawInputData + 1 0000000075a58370 3 bytes [66, 51, 0D] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3784] C:\windows\syswow64\USER32.dll!GetRawInputData + 5 0000000075a58374 5 bytes [50, C3, 90, 90, 90] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3784] C:\windows\syswow64\USER32.dll!EndTask + 1 0000000075a5a7ef 3 bytes [4F, 19, 0D] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3784] C:\windows\syswow64\USER32.dll!EndTask + 5 0000000075a5a7f3 5 bytes [50, C3, 90, 90, 90] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3784] C:\windows\syswow64\ole32.dll!CoGetClassObject 0000000076b954ad 10 bytes [B8, 0A, 65, 0D, 00, 50, C3, ...] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3784] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000076ba9d0b 8 bytes [B8, 8B, 7E, 0D, 00, 50, C3, ...] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3784] C:\windows\syswow64\ole32.dll!CoCreateInstanceEx 0000000076ba9d4e 9 bytes [B8, E4, 64, 0D, 00, 50, C3, ...] .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3800] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 1 00000000773400b5 3 bytes [08, 1A, 02] .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3800] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000773400b9 2 bytes [50, C3] .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3800] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 1 00000000773403b9 3 bytes [96, 19, 02] .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3800] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 5 00000000773403bd 2 bytes [50, C3] .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3800] C:\windows\SysWOW64\ntdll.dll!NtConnectPort + 1 0000000077340695 3 bytes [E2, 19, 02] .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3800] C:\windows\SysWOW64\ntdll.dll!NtConnectPort + 5 0000000077340699 2 bytes [50, C3] .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3800] C:\windows\SysWOW64\ntdll.dll!NtSecureConnectPort + 1 00000000773418c1 3 bytes [BC, 19, 02] .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3800] C:\windows\SysWOW64\ntdll.dll!NtSecureConnectPort + 5 00000000773418c5 2 bytes [50, C3] .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3800] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007735c4dd 10 bytes [B8, 7A, 7B, 02, 00, 50, C3, ...] .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3800] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077361287 7 bytes [B8, F9, 6D, 02, 00, 50, C3] .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3800] C:\windows\syswow64\kernel32.dll!CreateDirectoryW + 257 0000000074fa4322 7 bytes JMP 00000001000211e5 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3800] C:\windows\syswow64\kernel32.dll!VirtualAllocExNuma + 11 0000000075024afa 7 bytes JMP 0000000100021229 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3800] C:\windows\syswow64\USER32.dll!GetMessageW 00000000759f78e2 8 bytes [B8, 28, 1C, 02, 00, 50, C3, ...] .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3800] C:\windows\syswow64\USER32.dll!GetMessageA 00000000759f7bd3 8 bytes [B8, E0, 1B, 02, 00, 50, C3, ...] .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3800] C:\windows\syswow64\USER32.dll!SetWindowLongW 00000000759f8332 7 bytes [B8, DD, 18, 02, 00, 50, C3] .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3800] C:\windows\syswow64\USER32.dll!RegisterClassW + 237 00000000759f8b52 8 bytes [B8, D7, 56, 02, 00, 50, C3, ...] .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3800] C:\windows\syswow64\USER32.dll!PeekMessageW 0000000075a005ba 11 bytes [B8, BB, 1C, 02, 00, 50, C3, ...] .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3800] C:\windows\syswow64\USER32.dll!GetKeyState 0000000075a0291f 11 bytes [B8, DA, 6E, 02, 00, 50, C3, ...] .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3800] C:\windows\syswow64\USER32.dll!PeekMessageA 0000000075a05f74 11 bytes [B8, 70, 1C, 02, 00, 50, C3, ...] .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3800] C:\windows\syswow64\USER32.dll!SetWindowLongA 0000000075a06110 7 bytes [B8, B7, 18, 02, 00, 50, C3] .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3800] C:\windows\syswow64\USER32.dll!CallNextHookEx 0000000075a06285 12 bytes [B8, 28, 70, 02, 00, 50, C3, ...] .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3800] C:\windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075a1eb96 7 bytes [B8, 2D, 6E, 02, 00, 50, C3] .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3800] C:\windows\syswow64\USER32.dll!GetKeyboardState + 1 0000000075a1ec69 3 bytes [87, 6F, 02] .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3800] C:\windows\syswow64\USER32.dll!GetKeyboardState + 5 0000000075a1ec6d 5 bytes [50, C3, 90, 90, 90] .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3800] C:\windows\syswow64\USER32.dll!GetRawInputBuffer 0000000075a4816c 11 bytes [B8, BB, 51, 02, 00, 50, C3, ...] .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3800] C:\windows\syswow64\USER32.dll!GetRawInputData + 1 0000000075a58370 3 bytes [66, 51, 02] .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3800] C:\windows\syswow64\USER32.dll!GetRawInputData + 5 0000000075a58374 5 bytes [50, C3, 90, 90, 90] .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3800] C:\windows\syswow64\USER32.dll!EndTask + 1 0000000075a5a7ef 3 bytes [4F, 19, 02] .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3800] C:\windows\syswow64\USER32.dll!EndTask + 5 0000000075a5a7f3 5 bytes [50, C3, 90, 90, 90] .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3800] C:\windows\syswow64\ole32.dll!CoGetClassObject 0000000076b954ad 10 bytes [B8, 0A, 65, 02, 00, 50, C3, ...] .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3800] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000076ba9d0b 8 bytes [B8, 8B, 7E, 02, 00, 50, C3, ...] .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3800] C:\windows\syswow64\ole32.dll!CoCreateInstanceEx 0000000076ba9d4e 9 bytes [B8, E4, 64, 02, 00, 50, C3, ...] .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[3860] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 1 00000000773400b5 3 bytes [08, 1A, 1D] .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[3860] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000773400b9 2 bytes [50, C3] .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[3860] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 1 00000000773403b9 3 bytes [96, 19, 1D] .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[3860] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 5 00000000773403bd 2 bytes [50, C3] .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[3860] C:\windows\SysWOW64\ntdll.dll!NtConnectPort + 1 0000000077340695 3 bytes [E2, 19, 1D] .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[3860] C:\windows\SysWOW64\ntdll.dll!NtConnectPort + 5 0000000077340699 2 bytes [50, C3] .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[3860] C:\windows\SysWOW64\ntdll.dll!NtSecureConnectPort + 1 00000000773418c1 3 bytes [BC, 19, 1D] .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[3860] C:\windows\SysWOW64\ntdll.dll!NtSecureConnectPort + 5 00000000773418c5 2 bytes [50, C3] .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[3860] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007735c4dd 10 bytes [B8, 7A, 7B, 1D, 00, 50, C3, ...] .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[3860] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077361287 7 bytes [B8, F9, 6D, 1D, 00, 50, C3] .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[3860] C:\windows\syswow64\kernel32.dll!CreateDirectoryW + 257 0000000074fa4322 7 bytes JMP 00000001001d11e5 .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[3860] C:\windows\syswow64\kernel32.dll!VirtualAllocExNuma + 11 0000000075024afa 7 bytes JMP 00000001001d1229 .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[3860] C:\windows\syswow64\USER32.dll!GetMessageW 00000000759f78e2 8 bytes [B8, 28, 1C, 1D, 00, 50, C3, ...] .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[3860] C:\windows\syswow64\USER32.dll!GetMessageA 00000000759f7bd3 8 bytes [B8, E0, 1B, 1D, 00, 50, C3, ...] .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[3860] C:\windows\syswow64\USER32.dll!SetWindowLongW 00000000759f8332 7 bytes [B8, DD, 18, 1D, 00, 50, C3] .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[3860] C:\windows\syswow64\USER32.dll!RegisterClassW + 237 00000000759f8b52 8 bytes [B8, D7, 56, 1D, 00, 50, C3, ...] .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[3860] C:\windows\syswow64\USER32.dll!PeekMessageW 0000000075a005ba 11 bytes [B8, BB, 1C, 1D, 00, 50, C3, ...] .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[3860] C:\windows\syswow64\USER32.dll!GetKeyState 0000000075a0291f 11 bytes [B8, DA, 6E, 1D, 00, 50, C3, ...] .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[3860] C:\windows\syswow64\USER32.dll!PeekMessageA 0000000075a05f74 11 bytes [B8, 70, 1C, 1D, 00, 50, C3, ...] .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[3860] C:\windows\syswow64\USER32.dll!SetWindowLongA 0000000075a06110 7 bytes [B8, B7, 18, 1D, 00, 50, C3] .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[3860] C:\windows\syswow64\USER32.dll!CallNextHookEx 0000000075a06285 12 bytes [B8, 28, 70, 1D, 00, 50, C3, ...] .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[3860] C:\windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075a1eb96 7 bytes [B8, 2D, 6E, 1D, 00, 50, C3] .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[3860] C:\windows\syswow64\USER32.dll!GetKeyboardState + 1 0000000075a1ec69 3 bytes [87, 6F, 1D] .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[3860] C:\windows\syswow64\USER32.dll!GetKeyboardState + 5 0000000075a1ec6d 5 bytes [50, C3, 90, 90, 90] .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[3860] C:\windows\syswow64\USER32.dll!GetRawInputBuffer 0000000075a4816c 11 bytes [B8, BB, 51, 1D, 00, 50, C3, ...] .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[3860] C:\windows\syswow64\USER32.dll!GetRawInputData + 1 0000000075a58370 3 bytes [66, 51, 1D] .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[3860] C:\windows\syswow64\USER32.dll!GetRawInputData + 5 0000000075a58374 5 bytes [50, C3, 90, 90, 90] .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[3860] C:\windows\syswow64\USER32.dll!EndTask + 1 0000000075a5a7ef 3 bytes [4F, 19, 1D] .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[3860] C:\windows\syswow64\USER32.dll!EndTask + 5 0000000075a5a7f3 5 bytes [50, C3, 90, 90, 90] .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[3860] C:\windows\syswow64\ole32.dll!CoGetClassObject 0000000076b954ad 10 bytes [B8, 0A, 65, 1D, 00, 50, C3, ...] .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[3860] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000076ba9d0b 8 bytes [B8, 8B, 7E, 1D, 00, 50, C3, ...] .text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[3860] C:\windows\syswow64\ole32.dll!CoCreateInstanceEx 0000000076ba9d4e 9 bytes [B8, E4, 64, 1D, 00, 50, C3, ...] .text C:\windows\system32\taskeng.exe[3244] C:\windows\system32\ole32.dll!CoCreateInstanceEx + 1 000007fefd86de91 14 bytes [B8, BC, 8A, 06, 00, 00, 00, ...] .text C:\windows\system32\taskeng.exe[3244] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefd887490 8 bytes [48, B8, 2C, 8A, 06, 00, 00, ...] .text C:\windows\system32\taskeng.exe[3244] C:\windows\system32\ole32.dll!CoCreateInstance + 10 000007fefd88749a 8 bytes [50, C3, 90, 90, 90, 90, 90, ...] .text C:\windows\system32\taskeng.exe[3244] C:\windows\system32\ole32.dll!CoGetClassObject + 1 000007fefd892e19 14 bytes [B8, 2C, 8B, 06, 00, 00, 00, ...] .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[1928] C:\windows\syswow64\kernel32.dll!CreateDirectoryW + 257 0000000074fa4322 7 bytes JMP 00000001001d11e5 .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[1928] C:\windows\syswow64\kernel32.dll!VirtualAllocExNuma + 11 0000000075024afa 7 bytes JMP 00000001001d1229 .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[1928] C:\windows\syswow64\USER32.dll!GetMessageW 00000000759f78e2 8 bytes [B8, 28, 1C, 1D, 00, 50, C3, ...] .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[1928] C:\windows\syswow64\USER32.dll!GetMessageA 00000000759f7bd3 8 bytes [B8, E0, 1B, 1D, 00, 50, C3, ...] .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[1928] C:\windows\syswow64\USER32.dll!SetWindowLongW 00000000759f8332 7 bytes [B8, DD, 18, 1D, 00, 50, C3] .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[1928] C:\windows\syswow64\USER32.dll!RegisterClassW + 237 00000000759f8b52 8 bytes [B8, D7, 56, 1D, 00, 50, C3, ...] .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[1928] C:\windows\syswow64\USER32.dll!PeekMessageW 0000000075a005ba 11 bytes [B8, BB, 1C, 1D, 00, 50, C3, ...] .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[1928] C:\windows\syswow64\USER32.dll!GetKeyState 0000000075a0291f 11 bytes [B8, DA, 6E, 1D, 00, 50, C3, ...] .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[1928] C:\windows\syswow64\USER32.dll!PeekMessageA 0000000075a05f74 11 bytes [B8, 70, 1C, 1D, 00, 50, C3, ...] .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[1928] C:\windows\syswow64\USER32.dll!SetWindowLongA 0000000075a06110 7 bytes [B8, B7, 18, 1D, 00, 50, C3] .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[1928] C:\windows\syswow64\USER32.dll!CallNextHookEx 0000000075a06285 12 bytes [B8, 28, 70, 1D, 00, 50, C3, ...] .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[1928] C:\windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075a1eb96 7 bytes [B8, 2D, 6E, 1D, 00, 50, C3] .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[1928] C:\windows\syswow64\USER32.dll!GetKeyboardState + 1 0000000075a1ec69 3 bytes [87, 6F, 1D] .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[1928] C:\windows\syswow64\USER32.dll!GetKeyboardState + 5 0000000075a1ec6d 5 bytes [50, C3, 90, 90, 90] .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[1928] C:\windows\syswow64\USER32.dll!GetRawInputBuffer 0000000075a4816c 11 bytes [B8, BB, 51, 1D, 00, 50, C3, ...] .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[1928] C:\windows\syswow64\USER32.dll!GetRawInputData + 1 0000000075a58370 3 bytes [66, 51, 1D] .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[1928] C:\windows\syswow64\USER32.dll!GetRawInputData + 5 0000000075a58374 5 bytes [50, C3, 90, 90, 90] .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[1928] C:\windows\syswow64\USER32.dll!EndTask + 1 0000000075a5a7ef 3 bytes [4F, 19, 1D] .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[1928] C:\windows\syswow64\USER32.dll!EndTask + 5 0000000075a5a7f3 5 bytes [50, C3, 90, 90, 90] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2820] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 1 00000000773400b5 3 bytes [08, 1A, 0D] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2820] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000773400b9 2 bytes [50, C3] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2820] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 1 00000000773403b9 3 bytes [96, 19, 0D] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2820] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 5 00000000773403bd 2 bytes [50, C3] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2820] C:\windows\SysWOW64\ntdll.dll!NtConnectPort + 1 0000000077340695 3 bytes [E2, 19, 0D] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2820] C:\windows\SysWOW64\ntdll.dll!NtConnectPort + 5 0000000077340699 2 bytes [50, C3] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2820] C:\windows\SysWOW64\ntdll.dll!NtSecureConnectPort + 1 00000000773418c1 3 bytes [BC, 19, 0D] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2820] C:\windows\SysWOW64\ntdll.dll!NtSecureConnectPort + 5 00000000773418c5 2 bytes [50, C3] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2820] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007735c4dd 10 bytes [B8, 7A, 7B, 0D, 00, 50, C3, ...] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2820] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077361287 7 bytes [B8, F9, 6D, 0D, 00, 50, C3] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2820] C:\windows\syswow64\kernel32.dll!CreateDirectoryW + 257 0000000074fa4322 7 bytes JMP 00000001000d11e5 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2820] C:\windows\syswow64\kernel32.dll!VirtualAllocExNuma + 11 0000000075024afa 7 bytes JMP 00000001000d1229 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2820] C:\windows\syswow64\USER32.dll!GetMessageW 00000000759f78e2 8 bytes [B8, 28, 1C, 0D, 00, 50, C3, ...] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2820] C:\windows\syswow64\USER32.dll!GetMessageA 00000000759f7bd3 8 bytes [B8, E0, 1B, 0D, 00, 50, C3, ...] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2820] C:\windows\syswow64\USER32.dll!SetWindowLongW 00000000759f8332 7 bytes [B8, DD, 18, 0D, 00, 50, C3] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2820] C:\windows\syswow64\USER32.dll!RegisterClassW + 237 00000000759f8b52 8 bytes [B8, D7, 56, 0D, 00, 50, C3, ...] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2820] C:\windows\syswow64\USER32.dll!PeekMessageW 0000000075a005ba 11 bytes [B8, BB, 1C, 0D, 00, 50, C3, ...] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2820] C:\windows\syswow64\USER32.dll!GetKeyState 0000000075a0291f 11 bytes [B8, DA, 6E, 0D, 00, 50, C3, ...] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2820] C:\windows\syswow64\USER32.dll!PeekMessageA 0000000075a05f74 11 bytes [B8, 70, 1C, 0D, 00, 50, C3, ...] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2820] C:\windows\syswow64\USER32.dll!SetWindowLongA 0000000075a06110 7 bytes [B8, B7, 18, 0D, 00, 50, C3] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2820] C:\windows\syswow64\USER32.dll!CallNextHookEx 0000000075a06285 12 bytes [B8, 28, 70, 0D, 00, 50, C3, ...] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2820] C:\windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075a1eb96 7 bytes [B8, 2D, 6E, 0D, 00, 50, C3] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2820] C:\windows\syswow64\USER32.dll!GetKeyboardState + 1 0000000075a1ec69 3 bytes [87, 6F, 0D] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2820] C:\windows\syswow64\USER32.dll!GetKeyboardState + 5 0000000075a1ec6d 5 bytes [50, C3, 90, 90, 90] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2820] C:\windows\syswow64\USER32.dll!GetRawInputBuffer 0000000075a4816c 11 bytes [B8, BB, 51, 0D, 00, 50, C3, ...] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2820] C:\windows\syswow64\USER32.dll!GetRawInputData + 1 0000000075a58370 3 bytes [66, 51, 0D] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2820] C:\windows\syswow64\USER32.dll!GetRawInputData + 5 0000000075a58374 5 bytes [50, C3, 90, 90, 90] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2820] C:\windows\syswow64\USER32.dll!EndTask + 1 0000000075a5a7ef 3 bytes [4F, 19, 0D] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2820] C:\windows\syswow64\USER32.dll!EndTask + 5 0000000075a5a7f3 5 bytes [50, C3, 90, 90, 90] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2820] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074ea1465 2 bytes [EA, 74] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2820] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074ea14bb 2 bytes [EA, 74] .text ... * 2 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2820] C:\windows\syswow64\ole32.dll!CoGetClassObject 0000000076b954ad 10 bytes [B8, 0A, 65, 0D, 00, 50, C3, ...] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2820] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000076ba9d0b 8 bytes [B8, 8B, 7E, 0D, 00, 50, C3, ...] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2820] C:\windows\syswow64\ole32.dll!CoCreateInstanceEx 0000000076ba9d4e 9 bytes [B8, E4, 64, 0D, 00, 50, C3, ...] .text C:\Program Files (x86)\Astrill\astrill.exe[120] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 1 00000000773400b5 3 bytes [08, 1A, 15] .text C:\Program Files (x86)\Astrill\astrill.exe[120] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000773400b9 2 bytes [50, C3] .text C:\Program Files (x86)\Astrill\astrill.exe[120] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 1 00000000773403b9 3 bytes [96, 19, 15] .text C:\Program Files (x86)\Astrill\astrill.exe[120] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 5 00000000773403bd 2 bytes [50, C3] .text C:\Program Files (x86)\Astrill\astrill.exe[120] C:\windows\SysWOW64\ntdll.dll!NtConnectPort + 1 0000000077340695 3 bytes [E2, 19, 15] .text C:\Program Files (x86)\Astrill\astrill.exe[120] C:\windows\SysWOW64\ntdll.dll!NtConnectPort + 5 0000000077340699 2 bytes [50, C3] .text C:\Program Files (x86)\Astrill\astrill.exe[120] C:\windows\SysWOW64\ntdll.dll!NtSecureConnectPort + 1 00000000773418c1 3 bytes [BC, 19, 15] .text C:\Program Files (x86)\Astrill\astrill.exe[120] C:\windows\SysWOW64\ntdll.dll!NtSecureConnectPort + 5 00000000773418c5 2 bytes [50, C3] .text C:\Program Files (x86)\Astrill\astrill.exe[120] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007735c4dd 10 bytes [B8, 7A, 7B, 15, 00, 50, C3, ...] .text C:\Program Files (x86)\Astrill\astrill.exe[120] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077361287 7 bytes [B8, F9, 6D, 15, 00, 50, C3] .text C:\Program Files (x86)\Astrill\astrill.exe[120] C:\windows\syswow64\kernel32.dll!CreateDirectoryW + 257 0000000074fa4322 7 bytes JMP 00000001001511e5 .text C:\Program Files (x86)\Astrill\astrill.exe[120] C:\windows\syswow64\kernel32.dll!VirtualAllocExNuma + 11 0000000075024afa 7 bytes JMP 0000000100151229 .text C:\Program Files\Eraser\Eraser.exe[5780] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll + 1 0000000077163b11 12 bytes [B8, 64, 6E, 06, 00, 00, 00, ...] .text C:\Program Files\Eraser\Eraser.exe[5780] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll + 1 0000000077167ac1 11 bytes [B8, 78, 6D, 06, 00, 00, 00, ...] .text C:\Program Files\Eraser\Eraser.exe[5780] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000771917b0 5 bytes [48, B8, 78, 13, 06] .text C:\Program Files\Eraser\Eraser.exe[5780] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 8 00000000771917b8 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Program Files\Eraser\Eraser.exe[5780] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077191800 5 bytes [48, B8, 88, 23, 06] .text C:\Program Files\Eraser\Eraser.exe[5780] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077191808 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Program Files\Eraser\Eraser.exe[5780] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000771919f0 5 bytes [48, B8, 98, 21, 06] .text C:\Program Files\Eraser\Eraser.exe[5780] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort + 8 00000000771919f8 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Program Files\Eraser\Eraser.exe[5780] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077191bd0 5 bytes [48, B8, F8, 22, 06] .text C:\Program Files\Eraser\Eraser.exe[5780] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort + 8 0000000077191bd8 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Program Files\Eraser\Eraser.exe[5780] C:\windows\SYSTEM32\ntdll.dll!NtSecureConnectPort 00000000771927a0 6 bytes [48, B8, 54, 22, 06, 00] .text C:\Program Files\Eraser\Eraser.exe[5780] C:\windows\SYSTEM32\ntdll.dll!NtSecureConnectPort + 8 00000000771927a8 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Program Files\Eraser\Eraser.exe[5780] C:\windows\system32\ole32.dll!CoCreateInstanceEx + 1 000007fefd86de91 14 bytes [B8, BC, 8A, 06, 00, 00, 00, ...] .text C:\Program Files\Eraser\Eraser.exe[5780] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefd887490 8 bytes [48, B8, 2C, 8A, 06, 00, 00, ...] .text C:\Program Files\Eraser\Eraser.exe[5780] C:\windows\system32\ole32.dll!CoCreateInstance + 10 000007fefd88749a 8 bytes [50, C3, 90, 90, 90, 90, 90, ...] .text C:\Program Files\Eraser\Eraser.exe[5780] C:\windows\system32\ole32.dll!CoGetClassObject + 1 000007fefd892e19 14 bytes [B8, 2C, 8B, 06, 00, 00, 00, ...] .text C:\Program Files\Eraser\Eraser.exe[5780] C:\windows\system32\SAMCLI.DLL!NetUserSetInfo + 1 000007fefad168bd 14 bytes [B8, B0, 25, 06, 00, 00, 00, ...] .text C:\Program Files\Eraser\Eraser.exe[5780] C:\windows\system32\SAMCLI.DLL!NetUserChangePassword 000007fefad17e18 15 bytes [48, B8, 68, 26, 06, 00, 00, ...] .text C:\Program Files\Rainmeter\Rainmeter.exe[5872] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll + 1 0000000077163b11 12 bytes [B8, 64, 6E, 06, 00, 00, 00, ...] .text C:\Program Files\Rainmeter\Rainmeter.exe[5872] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll + 1 0000000077167ac1 11 bytes [B8, 78, 6D, 06, 00, 00, 00, ...] .text C:\Program Files\Rainmeter\Rainmeter.exe[5872] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000771917b0 5 bytes [48, B8, 78, 13, 06] .text C:\Program Files\Rainmeter\Rainmeter.exe[5872] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 8 00000000771917b8 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Program Files\Rainmeter\Rainmeter.exe[5872] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077191800 5 bytes [48, B8, 88, 23, 06] .text C:\Program Files\Rainmeter\Rainmeter.exe[5872] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077191808 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Program Files\Rainmeter\Rainmeter.exe[5872] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000771919f0 5 bytes [48, B8, 98, 21, 06] .text C:\Program Files\Rainmeter\Rainmeter.exe[5872] C:\windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort + 8 00000000771919f8 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Program Files\Rainmeter\Rainmeter.exe[5872] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077191bd0 5 bytes [48, B8, F8, 22, 06] .text C:\Program Files\Rainmeter\Rainmeter.exe[5872] C:\windows\SYSTEM32\ntdll.dll!NtConnectPort + 8 0000000077191bd8 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Program Files\Rainmeter\Rainmeter.exe[5872] C:\windows\SYSTEM32\ntdll.dll!NtSecureConnectPort 00000000771927a0 6 bytes [48, B8, 54, 22, 06, 00] .text C:\Program Files\Rainmeter\Rainmeter.exe[5872] C:\windows\SYSTEM32\ntdll.dll!NtSecureConnectPort + 8 00000000771927a8 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Program Files\Rainmeter\Rainmeter.exe[5872] C:\windows\system32\kernel32.dll!SetFileCompletionNotificationModes 0000000076f70880 14 bytes {JMP QWORD [RIP+0x0]} .text C:\Program Files\Rainmeter\Rainmeter.exe[5872] C:\windows\system32\ole32.dll!CoCreateInstanceEx + 1 000007fefd86de91 14 bytes [B8, BC, 8A, 06, 00, 00, 00, ...] .text C:\Program Files\Rainmeter\Rainmeter.exe[5872] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefd887490 8 bytes [48, B8, 2C, 8A, 06, 00, 00, ...] .text C:\Program Files\Rainmeter\Rainmeter.exe[5872] C:\windows\system32\ole32.dll!CoCreateInstance + 10 000007fefd88749a 8 bytes [50, C3, 90, 90, 90, 90, 90, ...] .text C:\Program Files\Rainmeter\Rainmeter.exe[5872] C:\windows\system32\ole32.dll!CoGetClassObject + 1 000007fefd892e19 14 bytes [B8, 2C, 8B, 06, 00, 00, 00, ...] .text C:\Program Files\Sandboxie\32\SbieSvc.exe[6324] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 1 00000000773400b5 3 bytes [08, 1A, 08] .text C:\Program Files\Sandboxie\32\SbieSvc.exe[6324] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000773400b9 2 bytes [50, C3] .text C:\Program Files\Sandboxie\32\SbieSvc.exe[6324] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 1 00000000773403b9 3 bytes [96, 19, 08] .text C:\Program Files\Sandboxie\32\SbieSvc.exe[6324] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 5 00000000773403bd 2 bytes [50, C3] .text C:\Program Files\Sandboxie\32\SbieSvc.exe[6324] C:\windows\SysWOW64\ntdll.dll!NtConnectPort + 1 0000000077340695 3 bytes [E2, 19, 08] .text C:\Program Files\Sandboxie\32\SbieSvc.exe[6324] C:\windows\SysWOW64\ntdll.dll!NtConnectPort + 5 0000000077340699 2 bytes [50, C3] .text C:\Program Files\Sandboxie\32\SbieSvc.exe[6324] C:\windows\SysWOW64\ntdll.dll!NtSecureConnectPort + 1 00000000773418c1 3 bytes [BC, 19, 08] .text C:\Program Files\Sandboxie\32\SbieSvc.exe[6324] C:\windows\SysWOW64\ntdll.dll!NtSecureConnectPort + 5 00000000773418c5 2 bytes [50, C3] .text C:\Program Files\Sandboxie\32\SbieSvc.exe[6324] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007735c4dd 10 bytes [B8, 7A, 7B, 08, 00, 50, C3, ...] .text C:\Program Files\Sandboxie\32\SbieSvc.exe[6324] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077361287 7 bytes [B8, F9, 6D, 08, 00, 50, C3] .text C:\Program Files\Sandboxie\32\SbieSvc.exe[6324] C:\windows\syswow64\kernel32.dll!CreateDirectoryW + 257 0000000074fa4322 7 bytes JMP 00000001000811e5 .text C:\Program Files\Sandboxie\32\SbieSvc.exe[6324] C:\windows\syswow64\kernel32.dll!VirtualAllocExNuma + 11 0000000075024afa 7 bytes JMP 0000000100081229 .text C:\Program Files\Sandboxie\32\SbieSvc.exe[6324] C:\windows\syswow64\USER32.dll!GetMessageW 00000000759f78e2 8 bytes [B8, 28, 1C, 08, 00, 50, C3, ...] .text C:\Program Files\Sandboxie\32\SbieSvc.exe[6324] C:\windows\syswow64\USER32.dll!GetMessageA 00000000759f7bd3 8 bytes [B8, E0, 1B, 08, 00, 50, C3, ...] .text C:\Program Files\Sandboxie\32\SbieSvc.exe[6324] C:\windows\syswow64\USER32.dll!SetWindowLongW 00000000759f8332 7 bytes [B8, DD, 18, 08, 00, 50, C3] .text C:\Program Files\Sandboxie\32\SbieSvc.exe[6324] C:\windows\syswow64\USER32.dll!RegisterClassW + 237 00000000759f8b52 8 bytes [B8, D7, 56, 08, 00, 50, C3, ...] .text C:\Program Files\Sandboxie\32\SbieSvc.exe[6324] C:\windows\syswow64\USER32.dll!PeekMessageW 0000000075a005ba 11 bytes [B8, BB, 1C, 08, 00, 50, C3, ...] .text C:\Program Files\Sandboxie\32\SbieSvc.exe[6324] C:\windows\syswow64\USER32.dll!GetKeyState 0000000075a0291f 11 bytes [B8, DA, 6E, 08, 00, 50, C3, ...] .text C:\Program Files\Sandboxie\32\SbieSvc.exe[6324] C:\windows\syswow64\USER32.dll!PeekMessageA 0000000075a05f74 11 bytes [B8, 70, 1C, 08, 00, 50, C3, ...] .text C:\Program Files\Sandboxie\32\SbieSvc.exe[6324] C:\windows\syswow64\USER32.dll!SetWindowLongA 0000000075a06110 7 bytes [B8, B7, 18, 08, 00, 50, C3] .text C:\Program Files\Sandboxie\32\SbieSvc.exe[6324] C:\windows\syswow64\USER32.dll!CallNextHookEx 0000000075a06285 12 bytes [B8, 28, 70, 08, 00, 50, C3, ...] .text C:\Program Files\Sandboxie\32\SbieSvc.exe[6324] C:\windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075a1eb96 7 bytes [B8, 2D, 6E, 08, 00, 50, C3] .text C:\Program Files\Sandboxie\32\SbieSvc.exe[6324] C:\windows\syswow64\USER32.dll!GetKeyboardState + 1 0000000075a1ec69 3 bytes [87, 6F, 08] .text C:\Program Files\Sandboxie\32\SbieSvc.exe[6324] C:\windows\syswow64\USER32.dll!GetKeyboardState + 5 0000000075a1ec6d 5 bytes [50, C3, 90, 90, 90] .text C:\Program Files\Sandboxie\32\SbieSvc.exe[6324] C:\windows\syswow64\USER32.dll!GetRawInputBuffer 0000000075a4816c 11 bytes [B8, BB, 51, 08, 00, 50, C3, ...] .text C:\Program Files\Sandboxie\32\SbieSvc.exe[6324] C:\windows\syswow64\USER32.dll!GetRawInputData + 1 0000000075a58370 3 bytes [66, 51, 08] .text C:\Program Files\Sandboxie\32\SbieSvc.exe[6324] C:\windows\syswow64\USER32.dll!GetRawInputData + 5 0000000075a58374 5 bytes [50, C3, 90, 90, 90] .text C:\Program Files\Sandboxie\32\SbieSvc.exe[6324] C:\windows\syswow64\USER32.dll!EndTask + 1 0000000075a5a7ef 3 bytes [4F, 19, 08] .text C:\Program Files\Sandboxie\32\SbieSvc.exe[6324] C:\windows\syswow64\USER32.dll!EndTask + 5 0000000075a5a7f3 5 bytes [50, C3, 90, 90, 90] .text C:\Program Files\Sandboxie\32\SbieSvc.exe[6324] C:\windows\syswow64\ole32.dll!CoGetClassObject 0000000076b954ad 10 bytes [B8, 0A, 65, 08, 00, 50, C3, ...] .text C:\Program Files\Sandboxie\32\SbieSvc.exe[6324] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000076ba9d0b 8 bytes [B8, 8B, 7E, 08, 00, 50, C3, ...] .text C:\Program Files\Sandboxie\32\SbieSvc.exe[6324] C:\windows\syswow64\ole32.dll!CoCreateInstanceEx 0000000076ba9d4e 9 bytes [B8, E4, 64, 08, 00, 50, C3, ...] .text D:\IDM\Programs\dtu0xx35.exe[5812] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 1 00000000773400b5 3 bytes [08, 1A, 1D] .text D:\IDM\Programs\dtu0xx35.exe[5812] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000773400b9 2 bytes [50, C3] .text D:\IDM\Programs\dtu0xx35.exe[5812] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 1 00000000773403b9 3 bytes [96, 19, 1D] .text D:\IDM\Programs\dtu0xx35.exe[5812] C:\windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 5 00000000773403bd 2 bytes [50, C3] .text D:\IDM\Programs\dtu0xx35.exe[5812] C:\windows\SysWOW64\ntdll.dll!NtConnectPort + 1 0000000077340695 3 bytes [E2, 19, 1D] .text D:\IDM\Programs\dtu0xx35.exe[5812] C:\windows\SysWOW64\ntdll.dll!NtConnectPort + 5 0000000077340699 2 bytes [50, C3] .text D:\IDM\Programs\dtu0xx35.exe[5812] C:\windows\SysWOW64\ntdll.dll!NtSecureConnectPort + 1 00000000773418c1 3 bytes [BC, 19, 1D] .text D:\IDM\Programs\dtu0xx35.exe[5812] C:\windows\SysWOW64\ntdll.dll!NtSecureConnectPort + 5 00000000773418c5 2 bytes [50, C3] .text D:\IDM\Programs\dtu0xx35.exe[5812] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007735c4dd 10 bytes [B8, 7A, 7B, 1D, 00, 50, C3, ...] .text D:\IDM\Programs\dtu0xx35.exe[5812] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077361287 7 bytes [B8, F9, 6D, 1D, 00, 50, C3] .text D:\IDM\Programs\dtu0xx35.exe[5812] C:\windows\syswow64\kernel32.dll!CreateDirectoryW + 257 0000000074fa4322 7 bytes JMP 00000001001d11e5 .text D:\IDM\Programs\dtu0xx35.exe[5812] C:\windows\syswow64\kernel32.dll!VirtualAllocExNuma + 11 0000000075024afa 7 bytes JMP 00000001001d1229 .text D:\IDM\Programs\dtu0xx35.exe[5812] C:\windows\syswow64\USER32.dll!GetMessageW 00000000759f78e2 8 bytes [B8, 28, 1C, 1D, 00, 50, C3, ...] .text D:\IDM\Programs\dtu0xx35.exe[5812] C:\windows\syswow64\USER32.dll!GetMessageA 00000000759f7bd3 8 bytes [B8, E0, 1B, 1D, 00, 50, C3, ...] .text D:\IDM\Programs\dtu0xx35.exe[5812] C:\windows\syswow64\USER32.dll!SetWindowLongW 00000000759f8332 7 bytes [B8, DD, 18, 1D, 00, 50, C3] .text D:\IDM\Programs\dtu0xx35.exe[5812] C:\windows\syswow64\USER32.dll!PeekMessageW 0000000075a005ba 11 bytes [B8, BB, 1C, 1D, 00, 50, C3, ...] .text D:\IDM\Programs\dtu0xx35.exe[5812] C:\windows\syswow64\USER32.dll!GetKeyState 0000000075a0291f 11 bytes [B8, DA, 6E, 1D, 00, 50, C3, ...] .text D:\IDM\Programs\dtu0xx35.exe[5812] C:\windows\syswow64\USER32.dll!PeekMessageA 0000000075a05f74 11 bytes [B8, 70, 1C, 1D, 00, 50, C3, ...] .text D:\IDM\Programs\dtu0xx35.exe[5812] C:\windows\syswow64\USER32.dll!SetWindowLongA 0000000075a06110 7 bytes [B8, B7, 18, 1D, 00, 50, C3] .text D:\IDM\Programs\dtu0xx35.exe[5812] C:\windows\syswow64\USER32.dll!CallNextHookEx 0000000075a06285 12 bytes [B8, 28, 70, 1D, 00, 50, C3, ...] .text D:\IDM\Programs\dtu0xx35.exe[5812] C:\windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075a1eb96 7 bytes [B8, 2D, 6E, 1D, 00, 50, C3] .text D:\IDM\Programs\dtu0xx35.exe[5812] C:\windows\syswow64\USER32.dll!GetKeyboardState + 1 0000000075a1ec69 3 bytes [87, 6F, 1D] .text D:\IDM\Programs\dtu0xx35.exe[5812] C:\windows\syswow64\USER32.dll!GetKeyboardState + 5 0000000075a1ec6d 5 bytes [50, C3, 90, 90, 90] .text D:\IDM\Programs\dtu0xx35.exe[5812] C:\windows\syswow64\USER32.dll!GetRawInputBuffer 0000000075a4816c 11 bytes [B8, BB, 51, 1D, 00, 50, C3, ...] .text D:\IDM\Programs\dtu0xx35.exe[5812] C:\windows\syswow64\USER32.dll!GetRawInputData + 1 0000000075a58370 3 bytes [66, 51, 1D] .text D:\IDM\Programs\dtu0xx35.exe[5812] C:\windows\syswow64\USER32.dll!GetRawInputData + 5 0000000075a58374 5 bytes [50, C3, 90, 90, 90] .text D:\IDM\Programs\dtu0xx35.exe[5812] C:\windows\syswow64\USER32.dll!EndTask + 1 0000000075a5a7ef 3 bytes [4F, 19, 1D] .text D:\IDM\Programs\dtu0xx35.exe[5812] C:\windows\syswow64\USER32.dll!EndTask + 5 0000000075a5a7f3 5 bytes [50, C3, 90, 90, 90] .text D:\IDM\Programs\dtu0xx35.exe[5812] C:\windows\syswow64\ole32.dll!CoGetClassObject 0000000076b954ad 10 bytes [B8, 0A, 65, 1D, 00, 50, C3, ...] .text D:\IDM\Programs\dtu0xx35.exe[5812] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000076ba9d0b 8 bytes [B8, 8B, 7E, 1D, 00, 50, C3, ...] .text D:\IDM\Programs\dtu0xx35.exe[5812] C:\windows\syswow64\ole32.dll!CoCreateInstanceEx 0000000076ba9d4e 9 bytes [B8, E4, 64, 1D, 00, 50, C3, ...] ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\windows\system32\DRIVERS\kbdclass.sys[ntoskrnl.exe!IofCompleteRequest] [fffff88004530e70] \??\C:\Program Files (x86)\SpyShelter Firewall\SpyShelter.sys [.text] ---- Services - GMER 2.1 ---- Service ????????????????????????????" (*** hidden *** ) [DISABLED] <-- ROOTKIT !!! ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0c6076fc1a13 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\60d819eb8b1a Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0c6076fc1a13 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\60d819eb8b1a (not active ControlSet) ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- Files - GMER 2.1 ---- File C:\....\ 0 bytes File C:\....\\.... 0 bytes File C:\....\\....\hidefolder 0 bytes File C:\....\\....\hidefolder\hide 0 bytes File C:\....\\....\hidefolder\hide\atom.PNG 598604 bytes File C:\....\\....\hidefolder\hide\atom2.PNG 500860 bytes File C:\....\\....\hidefolder\hide\atom3.PNG 500070 bytes File C:\....\\....\hidefolder\hide\_config.ini 266 bytes ---- EOF - GMER 2.1 ----