GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-06-26 21:25:31 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST9320325AS rev.0003SDM1 298,09GB Running: 7cjti3lk.exe; Driver: C:\Users\Adam\AppData\Local\Temp\kxldrpoc.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b73260 6 bytes {JMP QWORD [RIP+0x84ccdd0]} .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077b9dca0 6 bytes {JMP QWORD [RIP+0x8482390]} .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077b9dd70 6 bytes {JMP QWORD [RIP+0x8c222c0]} .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b9de70 6 bytes {JMP QWORD [RIP+0x8ac21c0]} .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077b9dee0 6 bytes {JMP QWORD [RIP+0x8ba2150]} .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b9df20 6 bytes {JMP QWORD [RIP+0x8b62110]} .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077b9dfc0 6 bytes {JMP QWORD [RIP+0x8bc2070]} .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b9e030 6 bytes {JMP QWORD [RIP+0x89c2000]} .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b9e050 6 bytes {JMP QWORD [RIP+0x8b41fe0]} .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b9e090 6 bytes {JMP QWORD [RIP+0x8a41fa0]} .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b9e0e0 6 bytes {JMP QWORD [RIP+0x8a61f50]} .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077b9e100 6 bytes {JMP QWORD [RIP+0x8b81f30]} .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077b9e2f0 6 bytes {JMP QWORD [RIP+0x8c61d40]} .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077b9e300 6 bytes {JMP QWORD [RIP+0x8981d30]} .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b9e400 6 bytes {JMP QWORD [RIP+0x8961c30]} .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077b9e4d0 6 bytes {JMP QWORD [RIP+0x8ae1b60]} .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b9e510 6 bytes {JMP QWORD [RIP+0x89e1b20]} .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b9e580 4 bytes [FF, 25, B0, 1A] .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 5 0000000077b9e585 1 byte [08] .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077b9e5b0 6 bytes {JMP QWORD [RIP+0x8a21a80]} .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b9e610 6 bytes {JMP QWORD [RIP+0x8a01a20]} .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b9e620 6 bytes {JMP QWORD [RIP+0x8be1a10]} .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b9e630 6 bytes {JMP QWORD [RIP+0x8c41a00]} .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b9e9a0 6 bytes {JMP QWORD [RIP+0x8b01690]} .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077b9ea30 6 bytes {JMP QWORD [RIP+0x8c01600]} .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b9f2a0 6 bytes {JMP QWORD [RIP+0x8b20d90]} .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b9f320 6 bytes {JMP QWORD [RIP+0x8a80d10]} .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b9f3a0 6 bytes {JMP QWORD [RIP+0x8aa0c90]} .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b73260 6 bytes {JMP QWORD [RIP+0x84ccdd0]} .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077b9dca0 6 bytes {JMP QWORD [RIP+0x8482390]} .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077b9dd70 6 bytes {JMP QWORD [RIP+0x8c222c0]} .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b9de70 6 bytes {JMP QWORD [RIP+0x8ac21c0]} .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077b9dee0 6 bytes {JMP QWORD [RIP+0x8ba2150]} .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b9df20 6 bytes {JMP QWORD [RIP+0x8b62110]} .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077b9dfc0 6 bytes {JMP QWORD [RIP+0x8bc2070]} .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b9e030 6 bytes {JMP QWORD [RIP+0x89c2000]} .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b9e050 6 bytes {JMP QWORD [RIP+0x8b41fe0]} .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b9e090 6 bytes {JMP QWORD [RIP+0x8a41fa0]} .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b9e0e0 6 bytes {JMP QWORD [RIP+0x8a61f50]} .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077b9e100 6 bytes {JMP QWORD [RIP+0x8b81f30]} .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077b9e2f0 6 bytes {JMP QWORD [RIP+0x8c61d40]} .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077b9e300 6 bytes {JMP QWORD [RIP+0x8981d30]} .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b9e400 6 bytes {JMP QWORD [RIP+0x8961c30]} .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077b9e4d0 6 bytes {JMP QWORD [RIP+0x8ae1b60]} .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b9e510 6 bytes {JMP QWORD [RIP+0x89e1b20]} .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b9e580 4 bytes [FF, 25, B0, 1A] .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 5 0000000077b9e585 1 byte [08] .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077b9e5b0 6 bytes {JMP QWORD [RIP+0x8a21a80]} .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b9e610 6 bytes {JMP QWORD [RIP+0x8a01a20]} .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b9e620 6 bytes {JMP QWORD [RIP+0x8be1a10]} .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b9e630 6 bytes {JMP QWORD [RIP+0x8c41a00]} .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b9e9a0 6 bytes {JMP QWORD [RIP+0x8b01690]} .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077b9ea30 6 bytes {JMP QWORD [RIP+0x8c01600]} .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b9f2a0 6 bytes {JMP QWORD [RIP+0x8b20d90]} .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b9f320 6 bytes {JMP QWORD [RIP+0x8a80d10]} .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b9f3a0 6 bytes {JMP QWORD [RIP+0x8aa0c90]} .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b73260 6 bytes {JMP QWORD [RIP+0x84ccdd0]} .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077b9dca0 6 bytes {JMP QWORD [RIP+0x8482390]} .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077b9dd70 6 bytes {JMP QWORD [RIP+0x8c222c0]} .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b9de70 6 bytes {JMP QWORD [RIP+0x8ac21c0]} .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077b9dee0 6 bytes {JMP QWORD [RIP+0x8ba2150]} .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b9df20 6 bytes {JMP QWORD [RIP+0x8b62110]} .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077b9dfc0 6 bytes {JMP QWORD [RIP+0x8bc2070]} .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b9e030 6 bytes {JMP QWORD [RIP+0x89c2000]} .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b9e050 6 bytes {JMP QWORD [RIP+0x8b41fe0]} .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b9e090 6 bytes {JMP QWORD [RIP+0x8a41fa0]} .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b9e0e0 6 bytes {JMP QWORD [RIP+0x8a61f50]} .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077b9e100 6 bytes {JMP QWORD [RIP+0x8b81f30]} .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077b9e2f0 6 bytes {JMP QWORD [RIP+0x8c61d40]} .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077b9e300 6 bytes {JMP QWORD [RIP+0x8981d30]} .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b9e400 6 bytes {JMP QWORD [RIP+0x8961c30]} .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077b9e4d0 6 bytes {JMP QWORD [RIP+0x8ae1b60]} .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b9e510 6 bytes {JMP QWORD [RIP+0x89e1b20]} .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b9e580 4 bytes [FF, 25, B0, 1A] .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 5 0000000077b9e585 1 byte [08] .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077b9e5b0 6 bytes {JMP QWORD [RIP+0x8a21a80]} .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b9e610 6 bytes {JMP QWORD [RIP+0x8a01a20]} .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b9e620 6 bytes {JMP QWORD [RIP+0x8be1a10]} .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b9e630 6 bytes {JMP QWORD [RIP+0x8c41a00]} .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b9e9a0 6 bytes {JMP QWORD [RIP+0x8b01690]} .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077b9ea30 6 bytes {JMP QWORD [RIP+0x8c01600]} .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b9f2a0 6 bytes {JMP QWORD [RIP+0x8b20d90]} .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b9f320 6 bytes {JMP QWORD [RIP+0x8a80d10]} .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b9f3a0 6 bytes {JMP QWORD [RIP+0x8aa0c90]} .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b73260 6 bytes {JMP QWORD [RIP+0x84ccdd0]} .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077b9dca0 6 bytes {JMP QWORD [RIP+0x8482390]} .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077b9dd70 6 bytes JMP 8c22388 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b9de70 6 bytes JMP 2 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077b9dee0 6 bytes JMP 3000 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b9df20 6 bytes JMP 8b620e0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077b9dfc0 6 bytes JMP 72615b9 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b9e030 6 bytes JMP 2a003b .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b9e050 6 bytes JMP 8b41fb0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b9e090 6 bytes {JMP QWORD [RIP+0x8a41fa0]} .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b9e0e0 6 bytes {JMP QWORD [RIP+0x8a61f50]} .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077b9e100 6 bytes JMP 966a6bb .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077b9e2f0 6 bytes JMP 12003d .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077b9e300 6 bytes JMP 3a7dc81 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b9e400 6 bytes JMP b5dc481 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077b9e4d0 6 bytes JMP 57004f .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b9e510 6 bytes JMP 2b003b .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b9e580 4 bytes JMP 15 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 5 0000000077b9e585 1 byte [08] .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077b9e5b0 6 bytes JMP 88e34 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b9e610 6 bytes JMP aefe260 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b9e620 6 bytes JMP 1 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b9e630 6 bytes JMP 8eb7a21 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b9e9a0 6 bytes JMP 4c0049 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077b9ea30 6 bytes JMP 8f96578 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b9f2a0 6 bytes JMP a5a80 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b9f320 6 bytes {JMP QWORD [RIP+0x8a80d10]} .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b9f3a0 6 bytes JMP 6e52879 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000077a4dbc0 6 bytes JMP 861ce92 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefdadb022 3 bytes [E8, 4F, 06] .text C:\Windows\System32\svchost.exe[1016] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdae60e0 5 bytes [FF, 25, 50, 9F, 0A] .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b73260 6 bytes {JMP QWORD [RIP+0x84ccdd0]} .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077b9dca0 6 bytes {JMP QWORD [RIP+0x8482390]} .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077b9dd70 6 bytes {JMP QWORD [RIP+0x8c222c0]} .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b9de70 6 bytes {JMP QWORD [RIP+0x8ac21c0]} .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077b9dee0 6 bytes {JMP QWORD [RIP+0x8ba2150]} .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b9df20 6 bytes {JMP QWORD [RIP+0x8b62110]} .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077b9dfc0 6 bytes {JMP QWORD [RIP+0x8bc2070]} .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b9e030 6 bytes {JMP QWORD [RIP+0x89c2000]} .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b9e050 6 bytes {JMP QWORD [RIP+0x8b41fe0]} .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b9e090 6 bytes {JMP QWORD [RIP+0x8a41fa0]} .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b9e0e0 6 bytes {JMP QWORD [RIP+0x8a61f50]} .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077b9e100 6 bytes {JMP QWORD [RIP+0x8b81f30]} .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077b9e2f0 6 bytes {JMP QWORD [RIP+0x8c61d40]} .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077b9e300 6 bytes {JMP QWORD [RIP+0x8981d30]} .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b9e400 6 bytes {JMP QWORD [RIP+0x8961c30]} .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077b9e4d0 6 bytes {JMP QWORD [RIP+0x8ae1b60]} .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b9e510 6 bytes {JMP QWORD [RIP+0x89e1b20]} .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b9e580 4 bytes [FF, 25, B0, 1A] .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 5 0000000077b9e585 1 byte [08] .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreatePort 0000000077b9e5b0 6 bytes {JMP QWORD [RIP+0x8a21a80]} .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b9e610 6 bytes {JMP QWORD [RIP+0x8a01a20]} .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077b9e620 6 bytes {JMP QWORD [RIP+0x8be1a10]} .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b9e630 6 bytes {JMP QWORD [RIP+0x8c41a00]} .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b9e9a0 6 bytes {JMP QWORD [RIP+0x8b01690]} .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077b9ea30 6 bytes {JMP QWORD [RIP+0x8c01600]} .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b9f2a0 6 bytes {JMP QWORD [RIP+0x8b20d90]} .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b9f320 6 bytes {JMP QWORD [RIP+0x8a80d10]} .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b9f3a0 6 bytes {JMP QWORD [RIP+0x8aa0c90]} .text C:\Windows\system32\svchost.exe[392] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefdea3e80 6 bytes {JMP QWORD [RIP+0x10c1b0]} .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077d4fa2c 3 bytes JMP 71af000a .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077d4fa30 2 bytes JMP 71af000a .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077d4fb74 3 bytes JMP 70d0000a .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 4 0000000077d4fb78 2 bytes JMP 70d0000a .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077d4fcfc 3 bytes [FF, 25, 1E] .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077d4fd00 2 bytes [F0, 70] .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077d4fdb0 3 bytes JMP 70dc000a .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077d4fdb4 2 bytes JMP 70dc000a .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077d4fe14 3 bytes JMP 70e2000a .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077d4fe18 2 bytes JMP 70e2000a .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077d4ff0c 3 bytes [FF, 25, 1E] .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077d4ff10 2 bytes [D8, 70] .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077d4ffc0 3 bytes JMP 7109000a .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent + 4 0000000077d4ffc4 2 bytes JMP 7109000a .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077d4fff0 3 bytes JMP 70e5000a .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077d4fff4 2 bytes JMP 70e5000a .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077d50050 3 bytes [FF, 25, 1E] .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077d50054 2 bytes [FC, 70] .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077d500d0 3 bytes JMP 70fa000a .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077d500d4 2 bytes JMP 70fa000a .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077d50100 3 bytes JMP 70df000a .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077d50104 2 bytes JMP 70df000a .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077d50404 3 bytes JMP 70ca000a .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077d50408 2 bytes JMP 70ca000a .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077d5041c 3 bytes [FF, 25, 1E] .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 4 0000000077d50420 2 bytes [0E, 71] .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077d5059c 3 bytes JMP 7112000a .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077d505a0 2 bytes JMP 7112000a .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077d506e0 3 bytes [FF, 25, 1E] .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077d506e4 2 bytes [ED, 70] .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair 0000000077d50740 3 bytes [FF, 25, 1E] .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtCreateEventPair + 4 0000000077d50744 2 bytes [05, 71] .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077d507e8 3 bytes JMP 710c000a .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 4 0000000077d507ec 2 bytes JMP 710c000a .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort 0000000077d50830 3 bytes [FF, 25, 1E] .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtCreatePort + 4 0000000077d50834 2 bytes [FF, 70] .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077d508c0 3 bytes JMP 7103000a .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore + 4 0000000077d508c4 2 bytes JMP 7103000a .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077d508d8 3 bytes [FF, 25, 1E] .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077d508dc 2 bytes [D5, 70] .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077d508f0 3 bytes JMP 70cd000a .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077d508f4 2 bytes JMP 70cd000a .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077d50e40 3 bytes [FF, 25, 1E] .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077d50e44 2 bytes [EA, 70] .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077d50f24 3 bytes [FF, 25, 1E] .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077d50f28 2 bytes [D2, 70] .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077d51c30 3 bytes [FF, 25, 1E] .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077d51c34 2 bytes [E7, 70] .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077d51d00 3 bytes [FF, 25, 1E] .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077d51d04 2 bytes [F6, 70] .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077d51dd8 3 bytes [FF, 25, 1E] .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077d51ddc 2 bytes [F3, 70] .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077d73bfb 6 bytes JMP 71a8000a .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076d13bab 3 bytes [FF, 25, 1E] .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076d13baf 2 bytes [9B, 71] .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000771af784 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 499 00000000771b2ca4 4 bytes CALL 71ac0000 .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075778332 6 bytes JMP 716c000a .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075778bff 6 bytes JMP 7160000a .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000757790d3 6 bytes {JMP QWORD [RIP+0x711a001e]} .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075779679 6 bytes JMP 715a000a .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000757797d2 6 bytes {JMP QWORD [RIP+0x7153001e]} .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007577ee09 6 bytes {JMP QWORD [RIP+0x7171001e]} .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007577efc9 3 bytes [FF, 25, 1E] .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007577efcd 2 bytes [20, 71] .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000757812a5 6 bytes JMP 7166000a .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007578291f 6 bytes JMP 7139000a .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\syswow64\USER32.dll!SetParent 0000000075782d64 3 bytes [FF, 25, 1E] .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000075782d68 2 bytes [2F, 71] .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075782da4 6 bytes JMP 7118000a .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075783698 3 bytes JMP 712d000a .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007578369c 2 bytes JMP 712d000a .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075783baa 6 bytes JMP 7169000a .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075783c61 6 bytes {JMP QWORD [RIP+0x7162001e]} .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075786110 6 bytes JMP 716f000a .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007578612e 6 bytes JMP 715d000a .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075786c30 6 bytes {JMP QWORD [RIP+0x711d001e]} .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075787603 6 bytes {JMP QWORD [RIP+0x7174001e]} .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075787668 6 bytes {JMP QWORD [RIP+0x7147001e]} .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000757876e0 6 bytes {JMP QWORD [RIP+0x714d001e]} .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007578781f 6 bytes {JMP QWORD [RIP+0x7156001e]} .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007578835c 6 bytes {JMP QWORD [RIP+0x7177001e]} .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007578c4b6 3 bytes [FF, 25, 1E] .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007578c4ba 2 bytes [29, 71] .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007579c112 6 bytes {JMP QWORD [RIP+0x7144001e]} .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007579d0f5 6 bytes {JMP QWORD [RIP+0x7141001e]} .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007579eb96 6 bytes JMP 7136000a .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007579ec68 3 bytes [FF, 25, 1E] .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007579ec6c 2 bytes [3B, 71] .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\syswow64\USER32.dll!SendInput 000000007579ff4a 3 bytes [FF, 25, 1E] .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007579ff4e 2 bytes [3E, 71] .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000757b9f1d 6 bytes {JMP QWORD [RIP+0x7123001e]} .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000757c1497 6 bytes {JMP QWORD [RIP+0x7114001e]} .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\syswow64\USER32.dll!mouse_event 00000000757d027b 6 bytes JMP 717b000a .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\syswow64\USER32.dll!keybd_event 00000000757d02bf 6 bytes {JMP QWORD [RIP+0x717d001e]} .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000757d6cfc 6 bytes {JMP QWORD [RIP+0x7150001e]} .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000757d6d5d 6 bytes {JMP QWORD [RIP+0x714a001e]} .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\syswow64\USER32.dll!BlockInput 00000000757d7dd7 3 bytes [FF, 25, 1E] .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000757d7ddb 2 bytes [26, 71] .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000757d88eb 3 bytes [FF, 25, 1E] .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000757d88ef 2 bytes [32, 71] .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\syswow64\GDI32.dll!DeleteDC 0000000076ee58b3 6 bytes JMP 7190000a .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076ee5ea6 6 bytes JMP 718a000a .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076ee7bcc 6 bytes {JMP QWORD [RIP+0x7198001e]} .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000076eeb895 6 bytes {JMP QWORD [RIP+0x7180001e]} .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\syswow64\GDI32.dll!MaskBlt 0000000076eec332 6 bytes {JMP QWORD [RIP+0x7186001e]} .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\syswow64\GDI32.dll!GetPixel 0000000076eecbfb 6 bytes {JMP QWORD [RIP+0x7192001e]} .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\syswow64\GDI32.dll!CreateDCW 0000000076eee743 6 bytes {JMP QWORD [RIP+0x7195001e]} .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\syswow64\GDI32.dll!PlgBlt 0000000076f14857 6 bytes {JMP QWORD [RIP+0x7183001e]} .text C:\Users\Adam\Downloads\7cjti3lk.exe[732] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 00000000756c124e 6 bytes {JMP QWORD [RIP+0x718c001e]} ---- Threads - GMER 2.1 ---- Thread C:\Windows\system32\AUDIODG.EXE [756:688] 000007fef4617acc ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Cam@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Firewall Pro@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... ---- EOF - GMER 2.1 ----