GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-10-05 21:11:02 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1 ST3200820AS rev.3.AAC 186,31GB Running: dqhvz4gw.exe; Driver: C:\Users\Admin\AppData\Local\Temp\uwddakob.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076e7da80 10 bytes {MOV EAX, 0x337da; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076e7dc50 10 bytes {MOV EAX, 0x33806; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e7dd50 10 bytes {MOV EAX, 0x3362f; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e7de00 10 bytes {MOV EAX, 0x33716; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e7de50 10 bytes {MOV EAX, 0x33832; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e7de90 10 bytes {MOV EAX, 0x3367b; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e7e430 10 bytes {MOV EAX, 0x336c7; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076e7e830 10 bytes {MOV EAX, 0x3387e; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e7ecc0 10 bytes {MOV EAX, 0x33762; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e7eee0 10 bytes {MOV EAX, 0x337ae; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\csrss.exe[432] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e7f0a0 10 bytes {MOV EAX, 0x338d6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 0000000076e7f0c0 10 bytes {MOV EAX, 0x338aa; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\csrss.exe[432] C:\Windows\system32\USER32.dll!GetWindowThreadProcessId + 208 0000000076c20b60 10 bytes {MOV EAX, 0x339a9; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\csrss.exe[432] C:\Windows\system32\USER32.dll!IsDialogMessageW + 400 0000000076c26850 10 bytes {MOV EAX, 0x3395c; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\csrss.exe[432] C:\Windows\system32\USER32.dll!SetWindowLongPtrW + 16 0000000076c276d0 10 bytes {MOV EAX, 0x3392f; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\csrss.exe[432] C:\Windows\system32\USER32.dll!SetScrollInfo + 380 0000000076c27ec0 10 bytes {MOV EAX, 0x33902; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\csrss.exe[432] C:\Windows\system32\USER32.dll!SendInput 0000000076c38cd0 10 bytes {MOV EAX, 0x339d6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\wininit.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076e7da80 10 bytes {MOV EAX, 0x337da; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\wininit.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076e7dc50 10 bytes {MOV EAX, 0x33806; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\wininit.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e7dd50 10 bytes {MOV EAX, 0x3362f; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\wininit.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e7de00 10 bytes {MOV EAX, 0x33716; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\wininit.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e7de50 10 bytes {MOV EAX, 0x33832; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\wininit.exe[560] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e7de90 10 bytes {MOV EAX, 0x3367b; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\wininit.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e7e430 10 bytes {MOV EAX, 0x336c7; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\wininit.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076e7e830 10 bytes {MOV EAX, 0x3387e; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\wininit.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e7ecc0 10 bytes {MOV EAX, 0x33762; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\wininit.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e7eee0 10 bytes {MOV EAX, 0x337ae; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\wininit.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e7f0a0 10 bytes {MOV EAX, 0x338d6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\wininit.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 0000000076e7f0c0 10 bytes {MOV EAX, 0x338aa; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\wininit.exe[560] C:\Windows\system32\USER32.dll!GetWindowThreadProcessId + 208 0000000076c20b60 10 bytes {MOV EAX, 0x339a9; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\wininit.exe[560] C:\Windows\system32\USER32.dll!IsDialogMessageW + 400 0000000076c26850 10 bytes {MOV EAX, 0x3395c; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\wininit.exe[560] C:\Windows\system32\USER32.dll!SetWindowLongPtrW + 16 0000000076c276d0 10 bytes {MOV EAX, 0x3392f; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\wininit.exe[560] C:\Windows\system32\USER32.dll!SetScrollInfo + 380 0000000076c27ec0 10 bytes {MOV EAX, 0x33902; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\wininit.exe[560] C:\Windows\system32\USER32.dll!SendInput 0000000076c38cd0 10 bytes {MOV EAX, 0x339d6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\csrss.exe[592] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076e7da80 10 bytes {MOV EAX, 0x337da; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076e7dc50 10 bytes {MOV EAX, 0x33806; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e7dd50 10 bytes {MOV EAX, 0x3362f; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e7de00 10 bytes {MOV EAX, 0x33716; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e7de50 10 bytes {MOV EAX, 0x33832; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e7de90 10 bytes {MOV EAX, 0x3367b; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e7e430 10 bytes {MOV EAX, 0x336c7; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076e7e830 10 bytes {MOV EAX, 0x3387e; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e7ecc0 10 bytes {MOV EAX, 0x33762; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e7eee0 10 bytes {MOV EAX, 0x337ae; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e7f0a0 10 bytes {MOV EAX, 0x338d6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 0000000076e7f0c0 10 bytes {MOV EAX, 0x338aa; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\csrss.exe[592] C:\Windows\system32\USER32.dll!GetWindowThreadProcessId + 208 
0000000076c20b60 10 bytes {MOV EAX, 0x339a9; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\csrss.exe[592] C:\Windows\system32\USER32.dll!IsDialogMessageW + 400 0000000076c26850 10 bytes {MOV EAX, 0x3395c; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\csrss.exe[592] C:\Windows\system32\USER32.dll!SetWindowLongPtrW + 16 0000000076c276d0 10 bytes {MOV EAX, 0x3392f; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\csrss.exe[592] C:\Windows\system32\USER32.dll!SetScrollInfo + 380 0000000076c27ec0 10 bytes {MOV EAX, 0x33902; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\csrss.exe[592] C:\Windows\system32\USER32.dll!SendInput 0000000076c38cd0 10 bytes {MOV EAX, 0x339d6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076e7da80 10 bytes {MOV EAX, 0x337da; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076e7dc50 10 bytes {MOV EAX, 0x33806; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e7dd50 10 bytes {MOV EAX, 0x3362f; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e7de00 10 bytes {MOV EAX, 0x33716; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e7de50 10 bytes {MOV EAX, 0x33832; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e7de90 10 bytes {MOV EAX, 0x3367b; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e7e430 10 bytes {MOV EAX, 0x336c7; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076e7e830 10 bytes {MOV EAX, 
0x3387e; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e7ecc0 10 bytes {MOV EAX, 0x33762; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e7eee0 10 bytes {MOV EAX, 0x337ae; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e7f0a0 10 bytes {MOV EAX, 0x338d6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\services.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 0000000076e7f0c0 10 bytes {MOV EAX, 0x338aa; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\USER32.dll!GetWindowThreadProcessId + 208 0000000076c20b60 10 bytes {MOV EAX, 0x339a9; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\USER32.dll!IsDialogMessageW + 400 0000000076c26850 10 bytes {MOV EAX, 0x3395c; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\USER32.dll!SetWindowLongPtrW + 16 0000000076c276d0 10 bytes {MOV EAX, 0x3392f; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\USER32.dll!SetScrollInfo + 380 0000000076c27ec0 10 bytes {MOV EAX, 0x33902; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\services.exe[616] C:\Windows\system32\USER32.dll!SendInput 0000000076c38cd0 10 bytes {MOV EAX, 0x339d6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\winlogon.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076e7da80 10 bytes {MOV EAX, 0x337da; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\winlogon.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076e7dc50 10 bytes {MOV EAX, 0x33806; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\winlogon.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e7dd50 10 bytes {MOV EAX, 
0x3362f; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\winlogon.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e7de00 10 bytes {MOV EAX, 0x33716; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\winlogon.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e7de50 10 bytes {MOV EAX, 0x33832; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\winlogon.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e7de90 10 bytes {MOV EAX, 0x3367b; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\winlogon.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e7e430 10 bytes {MOV EAX, 0x336c7; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\winlogon.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076e7e830 10 bytes {MOV EAX, 0x3387e; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\winlogon.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e7ecc0 10 bytes {MOV EAX, 0x33762; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\winlogon.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e7eee0 10 bytes {MOV EAX, 0x337ae; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\winlogon.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e7f0a0 10 bytes {MOV EAX, 0x338d6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\winlogon.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 0000000076e7f0c0 10 bytes {MOV EAX, 0x338aa; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\winlogon.exe[656] C:\Windows\system32\USER32.dll!GetWindowThreadProcessId + 208 0000000076c20b60 10 bytes {MOV EAX, 0x339a9; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\winlogon.exe[656] C:\Windows\system32\USER32.dll!IsDialogMessageW + 400 0000000076c26850 10 bytes {MOV EAX, 0x3395c; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\winlogon.exe[656] C:\Windows\system32\USER32.dll!SetWindowLongPtrW + 16 0000000076c276d0 10 bytes {MOV EAX, 0x3392f; MOVSXD 
RAX, EAX; JMP RAX} .text C:\Windows\system32\winlogon.exe[656] C:\Windows\system32\USER32.dll!SetScrollInfo + 380 0000000076c27ec0 10 bytes {MOV EAX, 0x33902; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\winlogon.exe[656] C:\Windows\system32\USER32.dll!SendInput 0000000076c38cd0 10 bytes {MOV EAX, 0x339d6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076e7da80 10 bytes {MOV EAX, 0x337da; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076e7dc50 10 bytes {MOV EAX, 0x33806; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e7dd50 10 bytes {MOV EAX, 0x3362f; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e7de00 10 bytes {MOV EAX, 0x33716; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e7de50 10 bytes {MOV EAX, 0x33832; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e7de90 10 bytes {MOV EAX, 0x3367b; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e7e430 10 bytes {MOV EAX, 0x336c7; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076e7e830 10 bytes {MOV EAX, 0x3387e; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e7ecc0 10 bytes {MOV EAX, 0x33762; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e7eee0 10 bytes {MOV EAX, 0x337ae; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\lsass.exe[684] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e7f0a0 10 bytes {MOV EAX, 0x338d6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 0000000076e7f0c0 10 bytes {MOV EAX, 0x338aa; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076e7da80 10 bytes {MOV EAX, 0x337da; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076e7dc50 10 bytes {MOV EAX, 0x33806; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e7dd50 10 bytes {MOV EAX, 0x3362f; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e7de00 10 bytes {MOV EAX, 0x33716; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e7de50 10 bytes {MOV EAX, 0x33832; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e7de90 10 bytes {MOV EAX, 0x3367b; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e7e430 10 bytes {MOV EAX, 0x336c7; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076e7e830 10 bytes {MOV EAX, 0x3387e; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e7ecc0 10 bytes {MOV EAX, 0x33762; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e7eee0 10 bytes {MOV EAX, 0x337ae; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e7f0a0 10 bytes {MOV EAX, 
0x338d6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 0000000076e7f0c0 10 bytes {MOV EAX, 0x338aa; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076e7da80 10 bytes {MOV EAX, 0x337da; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076e7dc50 10 bytes {MOV EAX, 0x33806; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e7dd50 10 bytes {MOV EAX, 0x3362f; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e7de00 10 bytes {MOV EAX, 0x33716; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e7de50 10 bytes {MOV EAX, 0x33832; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e7de90 10 bytes {MOV EAX, 0x3367b; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e7e430 10 bytes {MOV EAX, 0x336c7; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076e7e830 10 bytes {MOV EAX, 0x3387e; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e7ecc0 10 bytes {MOV EAX, 0x33762; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e7eee0 10 bytes {MOV EAX, 0x337ae; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e7f0a0 10 bytes {MOV EAX, 0x338d6; MOVSXD RAX, EAX; JMP RAX} .text 
C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 0000000076e7f0c0 10 bytes {MOV EAX, 0x338aa; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076e7da80 10 bytes {MOV EAX, 0x337da; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076e7dc50 10 bytes {MOV EAX, 0x33806; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e7dd50 10 bytes {MOV EAX, 0x3362f; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e7de00 10 bytes {MOV EAX, 0x33716; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e7de50 10 bytes {MOV EAX, 0x33832; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e7de90 10 bytes {MOV EAX, 0x3367b; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e7e430 10 bytes {MOV EAX, 0x336c7; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076e7e830 10 bytes {MOV EAX, 0x3387e; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e7ecc0 10 bytes {MOV EAX, 0x33762; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e7eee0 10 bytes {MOV EAX, 0x337ae; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e7f0a0 10 bytes {MOV EAX, 0x338d6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[876] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 0000000076e7f0c0 10 bytes {MOV EAX, 0x338aa; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076e7da80 10 bytes {MOV EAX, 0x337da; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076e7dc50 10 bytes {MOV EAX, 0x33806; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e7dd50 10 bytes {MOV EAX, 0x3362f; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e7de00 10 bytes {MOV EAX, 0x33716; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e7de50 10 bytes {MOV EAX, 0x33832; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e7de90 10 bytes {MOV EAX, 0x3367b; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e7e430 10 bytes {MOV EAX, 0x336c7; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076e7e830 10 bytes {MOV EAX, 0x3387e; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e7ecc0 10 bytes {MOV EAX, 0x33762; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e7eee0 10 bytes {MOV EAX, 0x337ae; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e7f0a0 10 bytes {MOV EAX, 0x338d6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\svchost.exe[940] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 0000000076e7f0c0 10 bytes {MOV EAX, 0x338aa; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076e7da80 10 bytes {MOV EAX, 0x337da; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076e7dc50 10 bytes {MOV EAX, 0x33806; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e7dd50 10 bytes {MOV EAX, 0x3362f; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e7de00 10 bytes {MOV EAX, 0x33716; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e7de50 10 bytes {MOV EAX, 0x33832; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e7de90 10 bytes {MOV EAX, 0x3367b; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e7e430 10 bytes {MOV EAX, 0x336c7; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076e7e830 10 bytes {MOV EAX, 0x3387e; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e7ecc0 10 bytes {MOV EAX, 0x33762; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e7eee0 10 bytes {MOV EAX, 0x337ae; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e7f0a0 10 bytes {MOV EAX, 0x338d6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\svchost.exe[1008] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 0000000076e7f0c0 10 bytes {MOV EAX, 0x338aa; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076e7da80 10 bytes {MOV EAX, 0x337da; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076e7dc50 10 bytes {MOV EAX, 0x33806; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e7dd50 10 bytes {MOV EAX, 0x3362f; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e7de00 10 bytes {MOV EAX, 0x33716; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e7de50 10 bytes {MOV EAX, 0x33832; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e7de90 10 bytes {MOV EAX, 0x3367b; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e7e430 10 bytes {MOV EAX, 0x336c7; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076e7e830 10 bytes {MOV EAX, 0x3387e; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e7ecc0 10 bytes {MOV EAX, 0x33762; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e7eee0 10 bytes {MOV EAX, 0x337ae; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e7f0a0 10 bytes {MOV EAX, 0x338d6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[304] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 0000000076e7f0c0 10 bytes {MOV EAX, 0x338aa; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[320] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076e7da80 10 bytes {MOV EAX, 0x337da; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[320] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076e7dc50 10 bytes {MOV EAX, 0x33806; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[320] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e7dd50 10 bytes {MOV EAX, 0x3362f; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[320] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e7de00 10 bytes {MOV EAX, 0x33716; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e7de50 10 bytes {MOV EAX, 0x33832; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e7de90 10 bytes {MOV EAX, 0x3367b; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e7e430 10 bytes {MOV EAX, 0x336c7; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[320] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076e7e830 10 bytes {MOV EAX, 0x3387e; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[320] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e7ecc0 10 bytes {MOV EAX, 0x33762; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[320] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e7eee0 10 bytes {MOV EAX, 0x337ae; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[320] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e7f0a0 10 bytes {MOV EAX, 0x338d6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[320] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 0000000076e7f0c0 10 bytes {MOV EAX, 0x338aa; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076e7da80 10 bytes {MOV EAX, 0x337da; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076e7dc50 10 bytes {MOV EAX, 0x33806; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e7dd50 10 bytes {MOV EAX, 0x3362f; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e7de00 10 bytes {MOV EAX, 0x33716; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e7de50 10 bytes {MOV EAX, 0x33832; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e7de90 10 bytes {MOV EAX, 0x3367b; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e7e430 10 bytes {MOV EAX, 0x336c7; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076e7e830 10 bytes {MOV EAX, 0x3387e; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e7ecc0 10 bytes {MOV EAX, 0x33762; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e7eee0 10 bytes {MOV EAX, 0x337ae; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e7f0a0 10 bytes {MOV EAX, 0x338d6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[1048] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 0000000076e7f0c0 10 bytes {MOV EAX, 0x338aa; MOVSXD RAX, EAX; JMP RAX} .text C:\ProgramData\9WinManPro9\ProtectWindowsManager.exe[1160] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 1 0000000077030f19 3 bytes [5E, 3C, 07] .text C:\ProgramData\9WinManPro9\ProtectWindowsManager.exe[1160] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 5 0000000077030f1d 2 bytes {JMP RAX} .text C:\ProgramData\9WinManPro9\ProtectWindowsManager.exe[1160] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 1 0000000077031c55 3 bytes [8F, 3C, 07] .text C:\ProgramData\9WinManPro9\ProtectWindowsManager.exe[1160] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 5 0000000077031c59 2 bytes {JMP RAX} .text C:\ProgramData\9WinManPro9\ProtectWindowsManager.exe[1160] C:\Windows\syswow64\USER32.dll!GetPropW + 126 00000000753572a5 3 bytes [53, 3D, 07] .text C:\ProgramData\9WinManPro9\ProtectWindowsManager.exe[1160] C:\Windows\syswow64\USER32.dll!GetPropW + 130 00000000753572a9 2 bytes {JMP RAX} .text C:\ProgramData\9WinManPro9\ProtectWindowsManager.exe[1160] C:\Windows\syswow64\USER32.dll!RegisterClassW + 379 0000000075358be0 3 bytes [84, 3D, 07] .text C:\ProgramData\9WinManPro9\ProtectWindowsManager.exe[1160] C:\Windows\syswow64\USER32.dll!RegisterClassW + 383 0000000075358be4 2 bytes {JMP RAX} .text C:\ProgramData\9WinManPro9\ProtectWindowsManager.exe[1160] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 64 0000000075361286 3 bytes [22, 3D, 07] .text C:\ProgramData\9WinManPro9\ProtectWindowsManager.exe[1160] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 68 000000007536128a 2 bytes {JMP RAX} .text C:\ProgramData\9WinManPro9\ProtectWindowsManager.exe[1160] C:\Windows\syswow64\USER32.dll!SendInput + 1 000000007537ff4b 3 bytes [B5, 3D, 07] .text C:\ProgramData\9WinManPro9\ProtectWindowsManager.exe[1160] C:\Windows\syswow64\USER32.dll!SendInput + 5 000000007537ff4f 2 bytes {JMP RAX} .text 
C:\ProgramData\9WinManPro9\ProtectWindowsManager.exe[1160] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074e91401 2 bytes JMP 000000010579a47a .text C:\ProgramData\9WinManPro9\ProtectWindowsManager.exe[1160] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074e91419 2 bytes JMP 000000010579a492 .text C:\ProgramData\9WinManPro9\ProtectWindowsManager.exe[1160] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074e91431 2 bytes JMP 000000010579a4aa .text C:\ProgramData\9WinManPro9\ProtectWindowsManager.exe[1160] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074e9144a 2 bytes JMP 0000000074f5fcc3 .text ... * 9 .text C:\ProgramData\9WinManPro9\ProtectWindowsManager.exe[1160] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074e914dd 2 bytes JMP 000000010579a556 .text C:\ProgramData\9WinManPro9\ProtectWindowsManager.exe[1160] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074e914f5 2 bytes JMP 000000010579a56e .text C:\ProgramData\9WinManPro9\ProtectWindowsManager.exe[1160] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074e9150d 2 bytes JMP 000000010579a586 .text C:\ProgramData\9WinManPro9\ProtectWindowsManager.exe[1160] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074e91525 2 bytes JMP 000000010579a59e .text C:\ProgramData\9WinManPro9\ProtectWindowsManager.exe[1160] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074e9153d 2 bytes JMP 000000010579a5b6 .text C:\ProgramData\9WinManPro9\ProtectWindowsManager.exe[1160] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074e91555 2 bytes JMP 000000010579a5ce .text C:\ProgramData\9WinManPro9\ProtectWindowsManager.exe[1160] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074e9156d 2 bytes JMP 000000010579a5e6 .text C:\ProgramData\9WinManPro9\ProtectWindowsManager.exe[1160] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074e91585 2 bytes JMP 
000000010579a5fe .text C:\ProgramData\9WinManPro9\ProtectWindowsManager.exe[1160] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074e9159d 2 bytes JMP 000000010579a616 .text C:\ProgramData\9WinManPro9\ProtectWindowsManager.exe[1160] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074e915b5 2 bytes JMP 000000010579a62e .text C:\ProgramData\9WinManPro9\ProtectWindowsManager.exe[1160] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074e915cd 2 bytes JMP 000000015b37ce46 .text C:\ProgramData\9WinManPro9\ProtectWindowsManager.exe[1160] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074e916b2 2 bytes JMP 000000010579a72b .text C:\ProgramData\9WinManPro9\ProtectWindowsManager.exe[1160] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074e916bd 2 bytes JMP 000000010579a736 .text C:\Windows\system32\taskhost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076e7da80 10 bytes {MOV EAX, 0x337da; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskhost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076e7dc50 10 bytes {MOV EAX, 0x33806; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskhost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e7dd50 10 bytes {MOV EAX, 0x3362f; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskhost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e7de00 10 bytes {MOV EAX, 0x33716; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskhost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e7de50 10 bytes {MOV EAX, 0x33832; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskhost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e7de90 10 bytes {MOV EAX, 0x3367b; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskhost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e7e430 10 bytes {MOV EAX, 0x336c7; MOVSXD RAX, EAX; JMP 
RAX} .text C:\Windows\system32\taskhost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076e7e830 10 bytes {MOV EAX, 0x3387e; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskhost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e7ecc0 10 bytes {MOV EAX, 0x33762; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskhost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e7eee0 10 bytes {MOV EAX, 0x337ae; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskhost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e7f0a0 10 bytes {MOV EAX, 0x338d6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskhost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 0000000076e7f0c0 10 bytes {MOV EAX, 0x338aa; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076e7da80 10 bytes {MOV EAX, 0x337da; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076e7dc50 10 bytes {MOV EAX, 0x33806; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e7dd50 10 bytes {MOV EAX, 0x3362f; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e7de00 10 bytes {MOV EAX, 0x33716; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e7de50 10 bytes {MOV EAX, 0x33832; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e7de90 10 bytes {MOV EAX, 0x3367b; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e7e430 10 bytes {MOV EAX, 0x336c7; MOVSXD RAX, EAX; JMP RAX} .text 
C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076e7e830 10 bytes {MOV EAX, 0x3387e; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e7ecc0 10 bytes {MOV EAX, 0x33762; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e7eee0 10 bytes {MOV EAX, 0x337ae; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e7f0a0 10 bytes {MOV EAX, 0x338d6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 0000000076e7f0c0 10 bytes {MOV EAX, 0x338aa; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076e7da80 10 bytes {MOV EAX, 0x337da; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076e7dc50 10 bytes {MOV EAX, 0x33806; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e7dd50 10 bytes {MOV EAX, 0x3362f; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e7de00 10 bytes {MOV EAX, 0x33716; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e7de50 10 bytes {MOV EAX, 0x33832; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e7de90 10 bytes {MOV EAX, 0x3367b; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e7e430 10 bytes {MOV EAX, 0x336c7; MOVSXD RAX, EAX; JMP RAX} .text 
C:\Windows\system32\svchost.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076e7e830 10 bytes {MOV EAX, 0x3387e; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e7ecc0 10 bytes {MOV EAX, 0x33762; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e7eee0 10 bytes {MOV EAX, 0x337ae; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e7f0a0 10 bytes {MOV EAX, 0x338d6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 0000000076e7f0c0 10 bytes {MOV EAX, 0x338aa; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\Dwm.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076e7da80 10 bytes {MOV EAX, 0x337da; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\Dwm.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076e7dc50 10 bytes {MOV EAX, 0x33806; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\Dwm.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e7dd50 10 bytes {MOV EAX, 0x3362f; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\Dwm.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e7de00 10 bytes {MOV EAX, 0x33716; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\Dwm.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e7de50 10 bytes {MOV EAX, 0x33832; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\Dwm.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e7de90 10 bytes {MOV EAX, 0x3367b; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\Dwm.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e7e430 10 bytes {MOV EAX, 0x336c7; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\Dwm.exe[1580] 
C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076e7e830 10 bytes {MOV EAX, 0x3387e; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\Dwm.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e7ecc0 10 bytes {MOV EAX, 0x33762; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\Dwm.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e7eee0 10 bytes {MOV EAX, 0x337ae; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\Dwm.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e7f0a0 10 bytes {MOV EAX, 0x338d6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\Dwm.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 0000000076e7f0c0 10 bytes {MOV EAX, 0x338aa; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076e7da80 10 bytes {MOV EAX, 0x337da; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076e7dc50 10 bytes {MOV EAX, 0x33806; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e7dd50 10 bytes {MOV EAX, 0x3362f; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e7de00 10 bytes {MOV EAX, 0x33716; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e7de50 10 bytes {MOV EAX, 0x33832; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e7de90 10 bytes {MOV EAX, 0x3367b; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e7e430 10 bytes {MOV EAX, 0x336c7; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076e7e830 10 bytes {MOV EAX, 0x3387e; MOVSXD RAX, 
EAX; JMP RAX} .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e7ecc0 10 bytes {MOV EAX, 0x33762; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e7eee0 10 bytes {MOV EAX, 0x337ae; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e7f0a0 10 bytes {MOV EAX, 0x338d6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 0000000076e7f0c0 10 bytes {MOV EAX, 0x338aa; MOVSXD RAX, EAX; JMP RAX} .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[1692] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 1 0000000077030f19 3 bytes [5E, 3C, 07] .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[1692] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 5 0000000077030f1d 2 bytes {JMP RAX} .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[1692] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 1 0000000077031c55 3 bytes [8F, 3C, 07] .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[1692] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 5 0000000077031c59 2 bytes {JMP RAX} .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[1692] C:\Windows\syswow64\USER32.dll!GetPropW + 126 00000000753572a5 3 bytes [53, 3D, 07] .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[1692] C:\Windows\syswow64\USER32.dll!GetPropW + 130 00000000753572a9 2 bytes {JMP RAX} .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[1692] C:\Windows\syswow64\USER32.dll!RegisterClassW + 379 0000000075358be0 3 bytes [84, 3D, 07] .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[1692] C:\Windows\syswow64\USER32.dll!RegisterClassW + 383 0000000075358be4 2 bytes {JMP RAX} .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[1692] 
C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 64 0000000075361286 3 bytes [22, 3D, 07] .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[1692] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 68 000000007536128a 2 bytes {JMP RAX} .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[1692] C:\Windows\syswow64\USER32.dll!SendInput + 1 000000007537ff4b 3 bytes [B5, 3D, 07] .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[1692] C:\Windows\syswow64\USER32.dll!SendInput + 5 000000007537ff4f 2 bytes {JMP RAX} .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[1692] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074e91401 2 bytes JMP 000000010579a47a .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[1692] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074e91419 2 bytes JMP 000000010579a492 .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[1692] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074e91431 2 bytes JMP 000000010579a4aa .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[1692] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074e9144a 2 bytes JMP 0000000074f5fcc3 .text ... 
* 9 .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[1692] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074e914dd 2 bytes JMP 000000010579a556 .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[1692] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074e914f5 2 bytes JMP 000000010579a56e .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[1692] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074e9150d 2 bytes JMP 000000010579a586 .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[1692] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074e91525 2 bytes JMP 000000010579a59e .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[1692] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074e9153d 2 bytes JMP 000000010579a5b6 .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[1692] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074e91555 2 bytes JMP 000000010579a5ce .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[1692] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074e9156d 2 bytes JMP 000000010579a5e6 .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[1692] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074e91585 2 bytes JMP 000000010579a5fe .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[1692] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074e9159d 2 bytes JMP 000000010579a616 .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[1692] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074e915b5 2 bytes JMP 000000010579a62e .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[1692] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074e915cd 2 bytes JMP 000000015b37ce46 .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[1692] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 
0000000074e916b2 2 bytes JMP 000000010579a72b .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[1692] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074e916bd 2 bytes JMP 000000010579a736 .text C:\Windows\System32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076e7da80 10 bytes {MOV EAX, 0x337da; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076e7dc50 10 bytes {MOV EAX, 0x33806; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e7dd50 10 bytes {MOV EAX, 0x3362f; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e7de00 10 bytes {MOV EAX, 0x33716; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e7de50 10 bytes {MOV EAX, 0x33832; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e7de90 10 bytes {MOV EAX, 0x3367b; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e7e430 10 bytes {MOV EAX, 0x336c7; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076e7e830 10 bytes {MOV EAX, 0x3387e; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e7ecc0 10 bytes {MOV EAX, 0x33762; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e7eee0 10 bytes {MOV EAX, 0x337ae; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e7f0a0 10 bytes {MOV EAX, 
0x338d6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 0000000076e7f0c0 10 bytes {MOV EAX, 0x338aa; MOVSXD RAX, EAX; JMP RAX} .text C:\Program Files\DrWeb\dwservice.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!LdrInitializeThunk 0000000076e5b630 10 bytes {MOV EAX, 0x335c8; MOVSXD RAX, EAX; JMP RAX} .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[1804] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 1 0000000077030f19 3 bytes [5E, 3C, 07] .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[1804] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 5 0000000077030f1d 2 bytes {JMP RAX} .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[1804] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 1 0000000077031c55 3 bytes [8F, 3C, 07] .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[1804] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 5 0000000077031c59 2 bytes {JMP RAX} .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[1804] C:\Windows\syswow64\USER32.dll!GetPropW + 126 00000000753572a5 3 bytes [53, 3D, 07] .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[1804] C:\Windows\syswow64\USER32.dll!GetPropW + 130 00000000753572a9 2 bytes {JMP RAX} .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[1804] C:\Windows\syswow64\USER32.dll!RegisterClassW + 379 0000000075358be0 3 bytes [84, 3D, 07] .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[1804] C:\Windows\syswow64\USER32.dll!RegisterClassW + 383 0000000075358be4 2 bytes {JMP RAX} .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[1804] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 64 0000000075361286 3 bytes [22, 3D, 07] .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[1804] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 68 000000007536128a 2 bytes {JMP RAX} .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[1804] C:\Windows\syswow64\USER32.dll!SendInput + 1 000000007537ff4b 3 
bytes [B5, 3D, 07] .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[1804] C:\Windows\syswow64\USER32.dll!SendInput + 5 000000007537ff4f 2 bytes {JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076e7da80 10 bytes {MOV EAX, 0x1337da; MOVSXD RAX, EAX; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076e7dc50 10 bytes {MOV EAX, 0x133806; MOVSXD RAX, EAX; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e7dd50 10 bytes {MOV EAX, 0x13362f; MOVSXD RAX, EAX; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e7de00 10 bytes {MOV EAX, 0x133716; MOVSXD RAX, EAX; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e7de50 10 bytes {MOV EAX, 0x133832; MOVSXD RAX, EAX; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e7de90 10 bytes {MOV EAX, 0x13367b; MOVSXD RAX, EAX; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e7e430 10 bytes {MOV EAX, 0x1336c7; MOVSXD RAX, EAX; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076e7e830 10 bytes {MOV EAX, 0x13387e; MOVSXD RAX, EAX; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e7ecc0 10 bytes {MOV EAX, 0x133762; MOVSXD RAX, EAX; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e7eee0 10 bytes {MOV EAX, 0x1337ae; MOVSXD RAX, EAX; JMP RAX} .text C:\Program 
Files\Realtek\Audio\HDA\RAVCpl64.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e7f0a0 10 bytes {MOV EAX, 0x1338d6; MOVSXD RAX, EAX; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 0000000076e7f0c0 10 bytes {MOV EAX, 0x1338aa; MOVSXD RAX, EAX; JMP RAX} .text C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe[1156] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 1 0000000077030f19 3 bytes [5E, 3C, 07] .text C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe[1156] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 5 0000000077030f1d 2 bytes {JMP RAX} .text C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe[1156] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 1 0000000077031c55 3 bytes [8F, 3C, 07] .text C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe[1156] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 5 0000000077031c59 2 bytes {JMP RAX} .text C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe[1156] C:\Windows\syswow64\USER32.dll!GetPropW + 126 00000000753572a5 3 bytes [53, 3D, 07] .text C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe[1156] C:\Windows\syswow64\USER32.dll!GetPropW + 130 00000000753572a9 2 bytes {JMP RAX} .text C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe[1156] C:\Windows\syswow64\USER32.dll!RegisterClassW + 379 0000000075358be0 3 bytes [84, 3D, 07] .text C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe[1156] C:\Windows\syswow64\USER32.dll!RegisterClassW + 383 0000000075358be4 2 bytes {JMP RAX} .text C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe[1156] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 64 0000000075361286 3 bytes [22, 3D, 07] .text C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe[1156] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 68 000000007536128a 2 
bytes {JMP RAX} .text C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe[1156] C:\Windows\syswow64\USER32.dll!SendInput + 1 000000007537ff4b 3 bytes [B5, 3D, 07] .text C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe[1156] C:\Windows\syswow64\USER32.dll!SendInput + 5 000000007537ff4f 2 bytes {JMP RAX} .text C:\Windows\System32\igfxtray.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076e7da80 10 bytes {MOV EAX, 0x1337da; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\igfxtray.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076e7dc50 10 bytes {MOV EAX, 0x133806; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\igfxtray.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e7dd50 10 bytes {MOV EAX, 0x13362f; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\igfxtray.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e7de00 10 bytes {MOV EAX, 0x133716; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\igfxtray.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e7de50 10 bytes {MOV EAX, 0x133832; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\igfxtray.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e7de90 10 bytes {MOV EAX, 0x13367b; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\igfxtray.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e7e430 10 bytes {MOV EAX, 0x1336c7; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\igfxtray.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076e7e830 10 bytes {MOV EAX, 0x13387e; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\igfxtray.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e7ecc0 10 bytes {MOV EAX, 0x133762; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\igfxtray.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e7eee0 10 bytes {MOV EAX, 0x1337ae; MOVSXD RAX, EAX; JMP RAX} 
.text C:\Windows\System32\igfxtray.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e7f0a0 10 bytes {MOV EAX, 0x1338d6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\igfxtray.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 0000000076e7f0c0 10 bytes {MOV EAX, 0x1338aa; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\hkcmd.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076e7da80 10 bytes {MOV EAX, 0x1337da; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\hkcmd.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076e7dc50 10 bytes {MOV EAX, 0x133806; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\hkcmd.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e7dd50 10 bytes {MOV EAX, 0x13362f; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\hkcmd.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e7de00 10 bytes {MOV EAX, 0x133716; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\hkcmd.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e7de50 10 bytes {MOV EAX, 0x133832; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\hkcmd.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e7de90 10 bytes {MOV EAX, 0x13367b; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\hkcmd.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e7e430 10 bytes {MOV EAX, 0x1336c7; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\hkcmd.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076e7e830 10 bytes {MOV EAX, 0x13387e; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\hkcmd.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e7ecc0 10 bytes {MOV EAX, 0x133762; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\hkcmd.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e7eee0 10 bytes {MOV EAX, 0x1337ae; MOVSXD RAX, EAX; JMP RAX} .text 
C:\Windows\System32\hkcmd.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e7f0a0 10 bytes {MOV EAX, 0x1338d6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\hkcmd.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 0000000076e7f0c0 10 bytes {MOV EAX, 0x1338aa; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\igfxpers.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076e7da80 10 bytes {MOV EAX, 0x1337da; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\igfxpers.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076e7dc50 10 bytes {MOV EAX, 0x133806; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\igfxpers.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e7dd50 10 bytes {MOV EAX, 0x13362f; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\igfxpers.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e7de00 10 bytes {MOV EAX, 0x133716; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\igfxpers.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e7de50 10 bytes {MOV EAX, 0x133832; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\igfxpers.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e7de90 10 bytes {MOV EAX, 0x13367b; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\igfxpers.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e7e430 10 bytes {MOV EAX, 0x1336c7; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\igfxpers.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076e7e830 10 bytes {MOV EAX, 0x13387e; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\igfxpers.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e7ecc0 10 bytes {MOV EAX, 0x133762; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\igfxpers.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e7eee0 10 bytes {MOV EAX, 0x1337ae; MOVSXD RAX, EAX; JMP RAX} .text 
C:\Windows\System32\igfxpers.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e7f0a0 10 bytes {MOV EAX, 0x1338d6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\igfxpers.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 0000000076e7f0c0 10 bytes {MOV EAX, 0x1338aa; MOVSXD RAX, EAX; JMP RAX} .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2204] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 1 0000000077030f19 3 bytes [5E, 3C, 07] .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2204] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 5 0000000077030f1d 2 bytes {JMP RAX} .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2204] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 1 0000000077031c55 3 bytes [8F, 3C, 07] .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2204] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 5 0000000077031c59 2 bytes {JMP RAX} .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2204] C:\Windows\syswow64\USER32.dll!GetPropW + 126 00000000753572a5 3 bytes [53, 3D, 07] .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2204] C:\Windows\syswow64\USER32.dll!GetPropW + 130 00000000753572a9 2 bytes {JMP RAX} .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2204] C:\Windows\syswow64\USER32.dll!RegisterClassW + 379 0000000075358be0 3 bytes [84, 3D, 07] .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2204] C:\Windows\syswow64\USER32.dll!RegisterClassW + 383 0000000075358be4 2 bytes {JMP RAX} .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2204] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 64 0000000075361286 3 
bytes [22, 3D, 07] .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2204] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 68 000000007536128a 2 bytes {JMP RAX} .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2204] C:\Windows\syswow64\USER32.dll!SendInput + 1 000000007537ff4b 3 bytes [B5, 3D, 07] .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2204] C:\Windows\syswow64\USER32.dll!SendInput + 5 000000007537ff4f 2 bytes {JMP RAX} .text C:\Program Files\DrWeb\spideragent.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!LdrInitializeThunk 0000000076e5b630 10 bytes {MOV EAX, 0x335c8; MOVSXD RAX, EAX; JMP RAX} .text C:\Program Files\DrWeb\spideragent.exe[2656] C:\Windows\system32\kernel32.dll!SetUnhandledExceptionFilter 0000000076d290a0 3 bytes [33, C0, C3] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2808] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 1 0000000077030f19 3 bytes [5E, 3C, 07] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2808] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 5 0000000077030f1d 2 bytes {JMP RAX} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2808] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 1 0000000077031c55 3 bytes [8F, 3C, 07] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2808] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 5 0000000077031c59 2 bytes {JMP RAX} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2808] C:\Windows\syswow64\USER32.dll!GetPropW + 126 00000000753572a5 3 bytes [53, 3D, 07] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2808] C:\Windows\syswow64\USER32.dll!GetPropW + 130 00000000753572a9 2 bytes {JMP RAX} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2808] 
C:\Windows\syswow64\USER32.dll!RegisterClassW + 379 0000000075358be0 3 bytes [84, 3D, 07] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2808] C:\Windows\syswow64\USER32.dll!RegisterClassW + 383 0000000075358be4 2 bytes {JMP RAX} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2808] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 64 0000000075361286 3 bytes [22, 3D, 07] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2808] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 68 000000007536128a 2 bytes {JMP RAX} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2808] C:\Windows\syswow64\USER32.dll!SendInput + 1 000000007537ff4b 3 bytes [B5, 3D, 07] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2808] C:\Windows\syswow64\USER32.dll!SendInput + 5 000000007537ff4f 2 bytes {JMP RAX} .text C:\Windows\system32\SearchIndexer.exe[2972] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076e7da80 10 bytes {MOV EAX, 0x337da; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\SearchIndexer.exe[2972] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076e7dc50 10 bytes {MOV EAX, 0x33806; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\SearchIndexer.exe[2972] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e7dd50 10 bytes {MOV EAX, 0x3362f; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\SearchIndexer.exe[2972] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e7de00 10 bytes {MOV EAX, 0x33716; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\SearchIndexer.exe[2972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e7de50 10 bytes {MOV EAX, 0x33832; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\SearchIndexer.exe[2972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e7de90 10 bytes {MOV EAX, 0x3367b; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\SearchIndexer.exe[2972] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e7e430 10 bytes {MOV EAX, 0x336c7; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\SearchIndexer.exe[2972] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076e7e830 10 bytes {MOV EAX, 0x3387e; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\SearchIndexer.exe[2972] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e7ecc0 10 bytes {MOV EAX, 0x33762; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\SearchIndexer.exe[2972] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e7eee0 10 bytes {MOV EAX, 0x337ae; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\SearchIndexer.exe[2972] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e7f0a0 10 bytes {MOV EAX, 0x338d6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\SearchIndexer.exe[2972] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 0000000076e7f0c0 10 bytes {MOV EAX, 0x338aa; MOVSXD RAX, EAX; JMP RAX} .text C:\Program Files\Common Files\Doctor Web\Scanning Engine\dwengine.exe[428] C:\Windows\SysWOW64\ntdll.dll!LdrInitializeThunk 00000000770497f9 5 bytes JMP 00000001000b3a64 .text C:\Program Files\Common Files\Doctor Web\Scanning Engine\dwarkdaemon.exe[204] C:\Windows\SYSTEM32\ntdll.dll!LdrInitializeThunk 0000000076e5b630 10 bytes {MOV EAX, 0x335c8; MOVSXD RAX, EAX; JMP RAX} .text C:\Program Files\DrWeb\dwnetfilter.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!LdrInitializeThunk 0000000076e5b630 10 bytes {MOV EAX, 0x335c8; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076e7da80 10 bytes {MOV EAX, 0x337da; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076e7dc50 10 bytes {MOV EAX, 0x33806; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e7dd50 10 bytes {MOV EAX, 0x3362f; 
MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e7de00 10 bytes {MOV EAX, 0x33716; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e7de50 10 bytes {MOV EAX, 0x33832; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e7de90 10 bytes {MOV EAX, 0x3367b; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e7e430 10 bytes {MOV EAX, 0x336c7; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076e7e830 10 bytes {MOV EAX, 0x3387e; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e7ecc0 10 bytes {MOV EAX, 0x33762; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e7eee0 10 bytes {MOV EAX, 0x337ae; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e7f0a0 10 bytes {MOV EAX, 0x338d6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 0000000076e7f0c0 10 bytes {MOV EAX, 0x338aa; MOVSXD RAX, EAX; JMP RAX} .text C:\Program Files (x86)\Nero\Update\NASvc.exe[3272] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 1 0000000077030f19 3 bytes [5E, 3C, 07] .text C:\Program Files (x86)\Nero\Update\NASvc.exe[3272] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 5 0000000077030f1d 2 bytes {JMP RAX} .text C:\Program Files (x86)\Nero\Update\NASvc.exe[3272] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 1 0000000077031c55 3 bytes [8F, 3C, 07] .text C:\Program Files (x86)\Nero\Update\NASvc.exe[3272] 
C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 5 0000000077031c59 2 bytes {JMP RAX} .text C:\Program Files (x86)\Nero\Update\NASvc.exe[3272] C:\Windows\syswow64\USER32.dll!GetPropW + 126 00000000753572a5 3 bytes [53, 3D, 07] .text C:\Program Files (x86)\Nero\Update\NASvc.exe[3272] C:\Windows\syswow64\USER32.dll!GetPropW + 130 00000000753572a9 2 bytes {JMP RAX} .text C:\Program Files (x86)\Nero\Update\NASvc.exe[3272] C:\Windows\syswow64\USER32.dll!RegisterClassW + 379 0000000075358be0 3 bytes [84, 3D, 07] .text C:\Program Files (x86)\Nero\Update\NASvc.exe[3272] C:\Windows\syswow64\USER32.dll!RegisterClassW + 383 0000000075358be4 2 bytes {JMP RAX} .text C:\Program Files (x86)\Nero\Update\NASvc.exe[3272] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 64 0000000075361286 3 bytes [22, 3D, 07] .text C:\Program Files (x86)\Nero\Update\NASvc.exe[3272] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 68 000000007536128a 2 bytes {JMP RAX} .text C:\Program Files (x86)\Nero\Update\NASvc.exe[3272] C:\Windows\syswow64\USER32.dll!SendInput + 1 000000007537ff4b 3 bytes [B5, 3D, 07] .text C:\Program Files (x86)\Nero\Update\NASvc.exe[3272] C:\Windows\syswow64\USER32.dll!SendInput + 5 000000007537ff4f 2 bytes {JMP RAX} .text C:\Program Files (x86)\Connectify\Connectify.exe[3332] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 1 0000000077030f19 3 bytes [5E, 3C, 0B] .text C:\Program Files (x86)\Connectify\Connectify.exe[3332] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 5 0000000077030f1d 2 bytes {JMP RAX} .text C:\Program Files (x86)\Connectify\Connectify.exe[3332] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 1 0000000077031c55 3 bytes [8F, 3C, 0B] .text C:\Program Files (x86)\Connectify\Connectify.exe[3332] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 5 0000000077031c59 2 bytes {JMP RAX} .text C:\Program Files (x86)\Connectify\Connectify.exe[3332] C:\Windows\syswow64\USER32.dll!GetPropW + 126 00000000753572a5 3 bytes [53, 3D, 0B] .text C:\Program 
Files (x86)\Connectify\Connectify.exe[3332] C:\Windows\syswow64\USER32.dll!GetPropW + 130 00000000753572a9 2 bytes {JMP RAX} .text C:\Program Files (x86)\Connectify\Connectify.exe[3332] C:\Windows\syswow64\USER32.dll!RegisterClassW + 379 0000000075358be0 3 bytes [84, 3D, 0B] .text C:\Program Files (x86)\Connectify\Connectify.exe[3332] C:\Windows\syswow64\USER32.dll!RegisterClassW + 383 0000000075358be4 2 bytes {JMP RAX} .text C:\Program Files (x86)\Connectify\Connectify.exe[3332] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 64 0000000075361286 3 bytes [22, 3D, 0B] .text C:\Program Files (x86)\Connectify\Connectify.exe[3332] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 68 000000007536128a 2 bytes {JMP RAX} .text C:\Program Files (x86)\Connectify\Connectify.exe[3332] C:\Windows\syswow64\USER32.dll!SendInput + 1 000000007537ff4b 3 bytes [B5, 3D, 0B] .text C:\Program Files (x86)\Connectify\Connectify.exe[3332] C:\Windows\syswow64\USER32.dll!SendInput + 5 000000007537ff4f 2 bytes {JMP RAX} .text C:\Program Files (x86)\27DAD760-1444063731-11D9-BB64-5404A6A214B1\vnsk752C.tmp[4236] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 1 0000000077030f19 3 bytes [5E, 3C, 1B] .text C:\Program Files (x86)\27DAD760-1444063731-11D9-BB64-5404A6A214B1\vnsk752C.tmp[4236] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 5 0000000077030f1d 2 bytes {JMP RAX} .text C:\Program Files (x86)\27DAD760-1444063731-11D9-BB64-5404A6A214B1\vnsk752C.tmp[4236] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 1 0000000077031c55 3 bytes [8F, 3C, 1B] .text C:\Program Files (x86)\27DAD760-1444063731-11D9-BB64-5404A6A214B1\vnsk752C.tmp[4236] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 5 0000000077031c59 2 bytes {JMP RAX} .text C:\Program Files (x86)\27DAD760-1444063731-11D9-BB64-5404A6A214B1\vnsk752C.tmp[4236] C:\Windows\syswow64\USER32.dll!GetPropW + 126 00000000753572a5 3 bytes [53, 3D, 1B] .text C:\Program Files 
(x86)\27DAD760-1444063731-11D9-BB64-5404A6A214B1\vnsk752C.tmp[4236] C:\Windows\syswow64\USER32.dll!GetPropW + 130 00000000753572a9 2 bytes {JMP RAX} .text C:\Program Files (x86)\27DAD760-1444063731-11D9-BB64-5404A6A214B1\vnsk752C.tmp[4236] C:\Windows\syswow64\USER32.dll!RegisterClassW + 379 0000000075358be0 3 bytes [84, 3D, 1B] .text C:\Program Files (x86)\27DAD760-1444063731-11D9-BB64-5404A6A214B1\vnsk752C.tmp[4236] C:\Windows\syswow64\USER32.dll!RegisterClassW + 383 0000000075358be4 2 bytes {JMP RAX} .text C:\Program Files (x86)\27DAD760-1444063731-11D9-BB64-5404A6A214B1\vnsk752C.tmp[4236] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 64 0000000075361286 3 bytes [22, 3D, 1B] .text C:\Program Files (x86)\27DAD760-1444063731-11D9-BB64-5404A6A214B1\vnsk752C.tmp[4236] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 68 000000007536128a 2 bytes {JMP RAX} .text C:\Program Files (x86)\27DAD760-1444063731-11D9-BB64-5404A6A214B1\vnsk752C.tmp[4236] C:\Windows\syswow64\USER32.dll!SendInput + 1 000000007537ff4b 3 bytes [B5, 3D, 1B] .text C:\Program Files (x86)\27DAD760-1444063731-11D9-BB64-5404A6A214B1\vnsk752C.tmp[4236] C:\Windows\syswow64\USER32.dll!SendInput + 5 000000007537ff4f 2 bytes {JMP RAX} .text C:\Program Files (x86)\27DAD760-1444063731-11D9-BB64-5404A6A214B1\knsu8B90.tmpfs[4200] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 1 0000000077030f19 3 bytes [5E, 3C, 07] .text C:\Program Files (x86)\27DAD760-1444063731-11D9-BB64-5404A6A214B1\knsu8B90.tmpfs[4200] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 5 0000000077030f1d 2 bytes {JMP RAX} .text C:\Program Files (x86)\27DAD760-1444063731-11D9-BB64-5404A6A214B1\knsu8B90.tmpfs[4200] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 1 0000000077031c55 3 bytes [8F, 3C, 07] .text C:\Program Files (x86)\27DAD760-1444063731-11D9-BB64-5404A6A214B1\knsu8B90.tmpfs[4200] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 5 0000000077031c59 2 bytes {JMP RAX} .text C:\Program Files 
(x86)\27DAD760-1444063731-11D9-BB64-5404A6A214B1\knsu8B90.tmpfs[4200] C:\Windows\syswow64\USER32.dll!GetPropW + 126 00000000753572a5 3 bytes [53, 3D, 07] .text C:\Program Files (x86)\27DAD760-1444063731-11D9-BB64-5404A6A214B1\knsu8B90.tmpfs[4200] C:\Windows\syswow64\USER32.dll!GetPropW + 130 00000000753572a9 2 bytes {JMP RAX} .text C:\Program Files (x86)\27DAD760-1444063731-11D9-BB64-5404A6A214B1\knsu8B90.tmpfs[4200] C:\Windows\syswow64\USER32.dll!RegisterClassW + 379 0000000075358be0 3 bytes [84, 3D, 07] .text C:\Program Files (x86)\27DAD760-1444063731-11D9-BB64-5404A6A214B1\knsu8B90.tmpfs[4200] C:\Windows\syswow64\USER32.dll!RegisterClassW + 383 0000000075358be4 2 bytes {JMP RAX} .text C:\Program Files (x86)\27DAD760-1444063731-11D9-BB64-5404A6A214B1\knsu8B90.tmpfs[4200] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 64 0000000075361286 3 bytes [22, 3D, 07] .text C:\Program Files (x86)\27DAD760-1444063731-11D9-BB64-5404A6A214B1\knsu8B90.tmpfs[4200] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 68 000000007536128a 2 bytes {JMP RAX} .text C:\Program Files (x86)\27DAD760-1444063731-11D9-BB64-5404A6A214B1\knsu8B90.tmpfs[4200] C:\Windows\syswow64\USER32.dll!SendInput + 1 000000007537ff4b 3 bytes [B5, 3D, 07] .text C:\Program Files (x86)\27DAD760-1444063731-11D9-BB64-5404A6A214B1\knsu8B90.tmpfs[4200] C:\Windows\syswow64\USER32.dll!SendInput + 5 000000007537ff4f 2 bytes {JMP RAX} .text C:\Program Files (x86)\27DAD760-1444063731-11D9-BB64-5404A6A214B1\jnskA760.tmp[4604] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 1 0000000077030f19 3 bytes [5E, 3C, 07] .text C:\Program Files (x86)\27DAD760-1444063731-11D9-BB64-5404A6A214B1\jnskA760.tmp[4604] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 5 0000000077030f1d 2 bytes {JMP RAX} .text C:\Program Files (x86)\27DAD760-1444063731-11D9-BB64-5404A6A214B1\jnskA760.tmp[4604] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 1 0000000077031c55 3 bytes [8F, 3C, 07] .text C:\Program Files 
(x86)\27DAD760-1444063731-11D9-BB64-5404A6A214B1\jnskA760.tmp[4604] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 5 0000000077031c59 2 bytes {JMP RAX} .text C:\Program Files (x86)\27DAD760-1444063731-11D9-BB64-5404A6A214B1\jnskA760.tmp[4604] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074e91401 2 bytes JMP 000000010579a47a .text C:\Program Files (x86)\27DAD760-1444063731-11D9-BB64-5404A6A214B1\jnskA760.tmp[4604] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074e91419 2 bytes JMP 000000010579a492 .text C:\Program Files (x86)\27DAD760-1444063731-11D9-BB64-5404A6A214B1\jnskA760.tmp[4604] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074e91431 2 bytes JMP 000000010579a4aa .text C:\Program Files (x86)\27DAD760-1444063731-11D9-BB64-5404A6A214B1\jnskA760.tmp[4604] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074e9144a 2 bytes JMP 0000000074f5fcc3 .text ... * 9 .text C:\Program Files (x86)\27DAD760-1444063731-11D9-BB64-5404A6A214B1\jnskA760.tmp[4604] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074e914dd 2 bytes JMP 000000010579a556 .text C:\Program Files (x86)\27DAD760-1444063731-11D9-BB64-5404A6A214B1\jnskA760.tmp[4604] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074e914f5 2 bytes JMP 000000010579a56e .text C:\Program Files (x86)\27DAD760-1444063731-11D9-BB64-5404A6A214B1\jnskA760.tmp[4604] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074e9150d 2 bytes JMP 000000010579a586 .text C:\Program Files (x86)\27DAD760-1444063731-11D9-BB64-5404A6A214B1\jnskA760.tmp[4604] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074e91525 2 bytes JMP 000000010579a59e .text C:\Program Files (x86)\27DAD760-1444063731-11D9-BB64-5404A6A214B1\jnskA760.tmp[4604] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074e9153d 2 bytes JMP 000000010579a5b6 .text C:\Program Files (x86)\27DAD760-1444063731-11D9-BB64-5404A6A214B1\jnskA760.tmp[4604] 
C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074e91555 2 bytes JMP 000000010579a5ce .text C:\Program Files (x86)\27DAD760-1444063731-11D9-BB64-5404A6A214B1\jnskA760.tmp[4604] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074e9156d 2 bytes JMP 000000010579a5e6 .text C:\Program Files (x86)\27DAD760-1444063731-11D9-BB64-5404A6A214B1\jnskA760.tmp[4604] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074e91585 2 bytes JMP 000000010579a5fe .text C:\Program Files (x86)\27DAD760-1444063731-11D9-BB64-5404A6A214B1\jnskA760.tmp[4604] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074e9159d 2 bytes JMP 000000010579a616 .text C:\Program Files (x86)\27DAD760-1444063731-11D9-BB64-5404A6A214B1\jnskA760.tmp[4604] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074e915b5 2 bytes JMP 000000010579a62e .text C:\Program Files (x86)\27DAD760-1444063731-11D9-BB64-5404A6A214B1\jnskA760.tmp[4604] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074e915cd 2 bytes JMP 000000015b37ce46 .text C:\Program Files (x86)\27DAD760-1444063731-11D9-BB64-5404A6A214B1\jnskA760.tmp[4604] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074e916b2 2 bytes JMP 000000010579a72b .text C:\Program Files (x86)\27DAD760-1444063731-11D9-BB64-5404A6A214B1\jnskA760.tmp[4604] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074e916bd 2 bytes JMP 000000010579a736 .text C:\Program Files (x86)\27DAD760-1444063731-11D9-BB64-5404A6A214B1\jnskA760.tmp[4604] C:\Windows\syswow64\USER32.dll!GetPropW + 126 00000000753572a5 3 bytes [53, 3D, 07] .text C:\Program Files (x86)\27DAD760-1444063731-11D9-BB64-5404A6A214B1\jnskA760.tmp[4604] C:\Windows\syswow64\USER32.dll!GetPropW + 130 00000000753572a9 2 bytes {JMP RAX} .text C:\Program Files (x86)\27DAD760-1444063731-11D9-BB64-5404A6A214B1\jnskA760.tmp[4604] C:\Windows\syswow64\USER32.dll!RegisterClassW + 379 0000000075358be0 3 bytes [84, 3D, 07] .text C:\Program Files 
(x86)\27DAD760-1444063731-11D9-BB64-5404A6A214B1\jnskA760.tmp[4604] C:\Windows\syswow64\USER32.dll!RegisterClassW + 383 0000000075358be4 2 bytes {JMP RAX} .text C:\Program Files (x86)\27DAD760-1444063731-11D9-BB64-5404A6A214B1\jnskA760.tmp[4604] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 64 0000000075361286 3 bytes [22, 3D, 07] .text C:\Program Files (x86)\27DAD760-1444063731-11D9-BB64-5404A6A214B1\jnskA760.tmp[4604] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 68 000000007536128a 2 bytes {JMP RAX} .text C:\Program Files (x86)\27DAD760-1444063731-11D9-BB64-5404A6A214B1\jnskA760.tmp[4604] C:\Windows\syswow64\USER32.dll!SendInput + 1 000000007537ff4b 3 bytes [B5, 3D, 07] .text C:\Program Files (x86)\27DAD760-1444063731-11D9-BB64-5404A6A214B1\jnskA760.tmp[4604] C:\Windows\syswow64\USER32.dll!SendInput + 5 000000007537ff4f 2 bytes {JMP RAX} .text C:\Program Files (x86)\27DAD760-1444063731-11D9-BB64-5404A6A214B1\hnsaBF84.tmp[4680] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 1 0000000077030f19 3 bytes [5E, 3C, 07] .text C:\Program Files (x86)\27DAD760-1444063731-11D9-BB64-5404A6A214B1\hnsaBF84.tmp[4680] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 5 0000000077030f1d 2 bytes {JMP RAX} .text C:\Program Files (x86)\27DAD760-1444063731-11D9-BB64-5404A6A214B1\hnsaBF84.tmp[4680] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 1 0000000077031c55 3 bytes [8F, 3C, 07] .text C:\Program Files (x86)\27DAD760-1444063731-11D9-BB64-5404A6A214B1\hnsaBF84.tmp[4680] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 5 0000000077031c59 2 bytes {JMP RAX} .text C:\Program Files (x86)\27DAD760-1444063731-11D9-BB64-5404A6A214B1\hnsaBF84.tmp[4680] C:\Windows\syswow64\USER32.dll!GetPropW + 126 00000000753572a5 3 bytes [53, 3D, 07] .text C:\Program Files (x86)\27DAD760-1444063731-11D9-BB64-5404A6A214B1\hnsaBF84.tmp[4680] C:\Windows\syswow64\USER32.dll!GetPropW + 130 00000000753572a9 2 bytes {JMP RAX} .text C:\Program Files 
(x86)\27DAD760-1444063731-11D9-BB64-5404A6A214B1\hnsaBF84.tmp[4680] C:\Windows\syswow64\USER32.dll!RegisterClassW + 379 0000000075358be0 3 bytes [84, 3D, 07] .text C:\Program Files (x86)\27DAD760-1444063731-11D9-BB64-5404A6A214B1\hnsaBF84.tmp[4680] C:\Windows\syswow64\USER32.dll!RegisterClassW + 383 0000000075358be4 2 bytes {JMP RAX} .text C:\Program Files (x86)\27DAD760-1444063731-11D9-BB64-5404A6A214B1\hnsaBF84.tmp[4680] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 64 0000000075361286 3 bytes [22, 3D, 07] .text C:\Program Files (x86)\27DAD760-1444063731-11D9-BB64-5404A6A214B1\hnsaBF84.tmp[4680] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 68 000000007536128a 2 bytes {JMP RAX} .text C:\Program Files (x86)\27DAD760-1444063731-11D9-BB64-5404A6A214B1\hnsaBF84.tmp[4680] C:\Windows\syswow64\USER32.dll!SendInput + 1 000000007537ff4b 3 bytes [B5, 3D, 07] .text C:\Program Files (x86)\27DAD760-1444063731-11D9-BB64-5404A6A214B1\hnsaBF84.tmp[4680] C:\Windows\syswow64\USER32.dll!SendInput + 5 000000007537ff4f 2 bytes {JMP RAX} .text C:\Windows\system32\taskeng.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076e7da80 10 bytes {MOV EAX, 0x337da; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskeng.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076e7dc50 10 bytes {MOV EAX, 0x33806; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskeng.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e7dd50 10 bytes {MOV EAX, 0x3362f; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskeng.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e7de00 10 bytes {MOV EAX, 0x33716; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskeng.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e7de50 10 bytes {MOV EAX, 0x33832; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskeng.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e7de90 10 bytes {MOV EAX, 
0x3367b; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskeng.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e7e430 10 bytes {MOV EAX, 0x336c7; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskeng.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076e7e830 10 bytes {MOV EAX, 0x3387e; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskeng.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e7ecc0 10 bytes {MOV EAX, 0x33762; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskeng.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e7eee0 10 bytes {MOV EAX, 0x337ae; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskeng.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e7f0a0 10 bytes {MOV EAX, 0x338d6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskeng.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 0000000076e7f0c0 10 bytes {MOV EAX, 0x338aa; MOVSXD RAX, EAX; JMP RAX} .text C:\Program Files (x86)\CinemaP-1.9cV05.10\a929e9f6-b235-4ae4-b8e7-591c45f1670d-10.exe[4856] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 1 0000000077030f19 3 bytes [5E, 3C, 1D] .text C:\Program Files (x86)\CinemaP-1.9cV05.10\a929e9f6-b235-4ae4-b8e7-591c45f1670d-10.exe[4856] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 5 0000000077030f1d 2 bytes {JMP RAX} .text C:\Program Files (x86)\CinemaP-1.9cV05.10\a929e9f6-b235-4ae4-b8e7-591c45f1670d-10.exe[4856] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 1 0000000077031c55 3 bytes [8F, 3C, 1D] .text C:\Program Files (x86)\CinemaP-1.9cV05.10\a929e9f6-b235-4ae4-b8e7-591c45f1670d-10.exe[4856] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 5 0000000077031c59 2 bytes {JMP RAX} .text C:\Program Files (x86)\CinemaP-1.9cV05.10\a929e9f6-b235-4ae4-b8e7-591c45f1670d-10.exe[4856] C:\Windows\syswow64\user32.DLL!GetPropW + 126 00000000753572a5 3 bytes [53, 3D, 1D] .text C:\Program Files 
(x86)\CinemaP-1.9cV05.10\a929e9f6-b235-4ae4-b8e7-591c45f1670d-10.exe[4856] C:\Windows\syswow64\user32.DLL!GetPropW + 130 00000000753572a9 2 bytes {JMP RAX} .text C:\Program Files (x86)\CinemaP-1.9cV05.10\a929e9f6-b235-4ae4-b8e7-591c45f1670d-10.exe[4856] C:\Windows\syswow64\user32.DLL!RegisterClassW + 379 0000000075358be0 3 bytes [84, 3D, 1D] .text C:\Program Files (x86)\CinemaP-1.9cV05.10\a929e9f6-b235-4ae4-b8e7-591c45f1670d-10.exe[4856] C:\Windows\syswow64\user32.DLL!RegisterClassW + 383 0000000075358be4 2 bytes {JMP RAX} .text C:\Program Files (x86)\CinemaP-1.9cV05.10\a929e9f6-b235-4ae4-b8e7-591c45f1670d-10.exe[4856] C:\Windows\syswow64\user32.DLL!TranslateAcceleratorW + 64 0000000075361286 3 bytes [22, 3D, 1D] .text C:\Program Files (x86)\CinemaP-1.9cV05.10\a929e9f6-b235-4ae4-b8e7-591c45f1670d-10.exe[4856] C:\Windows\syswow64\user32.DLL!TranslateAcceleratorW + 68 000000007536128a 2 bytes {JMP RAX} .text C:\Program Files (x86)\CinemaP-1.9cV05.10\a929e9f6-b235-4ae4-b8e7-591c45f1670d-10.exe[4856] C:\Windows\syswow64\user32.DLL!SendInput + 1 000000007537ff4b 3 bytes [B5, 3D, 1D] .text C:\Program Files (x86)\CinemaP-1.9cV05.10\a929e9f6-b235-4ae4-b8e7-591c45f1670d-10.exe[4856] C:\Windows\syswow64\user32.DLL!SendInput + 5 000000007537ff4f 2 bytes {JMP RAX} .text C:\Program Files (x86)\CinemaP-1.9cV05.10\a929e9f6-b235-4ae4-b8e7-591c45f1670d-10.exe[4856] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074e91401 2 bytes JMP 000000010579a47a .text C:\Program Files (x86)\CinemaP-1.9cV05.10\a929e9f6-b235-4ae4-b8e7-591c45f1670d-10.exe[4856] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074e91419 2 bytes JMP 000000010579a492 .text C:\Program Files (x86)\CinemaP-1.9cV05.10\a929e9f6-b235-4ae4-b8e7-591c45f1670d-10.exe[4856] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074e91431 2 bytes JMP 000000010579a4aa .text C:\Program Files (x86)\CinemaP-1.9cV05.10\a929e9f6-b235-4ae4-b8e7-591c45f1670d-10.exe[4856] 
C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074e9144a 2 bytes JMP 0000000074f5fcc3 .text ... * 9 .text C:\Program Files (x86)\CinemaP-1.9cV05.10\a929e9f6-b235-4ae4-b8e7-591c45f1670d-10.exe[4856] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074e914dd 2 bytes JMP 000000010579a556 .text C:\Program Files (x86)\CinemaP-1.9cV05.10\a929e9f6-b235-4ae4-b8e7-591c45f1670d-10.exe[4856] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074e914f5 2 bytes JMP 000000010579a56e .text C:\Program Files (x86)\CinemaP-1.9cV05.10\a929e9f6-b235-4ae4-b8e7-591c45f1670d-10.exe[4856] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074e9150d 2 bytes JMP 000000010579a586 .text C:\Program Files (x86)\CinemaP-1.9cV05.10\a929e9f6-b235-4ae4-b8e7-591c45f1670d-10.exe[4856] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074e91525 2 bytes JMP 000000010579a59e .text C:\Program Files (x86)\CinemaP-1.9cV05.10\a929e9f6-b235-4ae4-b8e7-591c45f1670d-10.exe[4856] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074e9153d 2 bytes JMP 000000010579a5b6 .text C:\Program Files (x86)\CinemaP-1.9cV05.10\a929e9f6-b235-4ae4-b8e7-591c45f1670d-10.exe[4856] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074e91555 2 bytes JMP 000000010579a5ce .text C:\Program Files (x86)\CinemaP-1.9cV05.10\a929e9f6-b235-4ae4-b8e7-591c45f1670d-10.exe[4856] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074e9156d 2 bytes JMP 000000010579a5e6 .text C:\Program Files (x86)\CinemaP-1.9cV05.10\a929e9f6-b235-4ae4-b8e7-591c45f1670d-10.exe[4856] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074e91585 2 bytes JMP 000000010579a5fe .text C:\Program Files (x86)\CinemaP-1.9cV05.10\a929e9f6-b235-4ae4-b8e7-591c45f1670d-10.exe[4856] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074e9159d 2 bytes JMP 000000010579a616 .text C:\Program Files (x86)\CinemaP-1.9cV05.10\a929e9f6-b235-4ae4-b8e7-591c45f1670d-10.exe[4856] 
C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074e915b5 2 bytes JMP 000000010579a62e .text C:\Program Files (x86)\CinemaP-1.9cV05.10\a929e9f6-b235-4ae4-b8e7-591c45f1670d-10.exe[4856] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074e915cd 2 bytes JMP 000000015b37ce46 .text C:\Program Files (x86)\CinemaP-1.9cV05.10\a929e9f6-b235-4ae4-b8e7-591c45f1670d-10.exe[4856] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074e916b2 2 bytes JMP 000000010579a72b .text C:\Program Files (x86)\CinemaP-1.9cV05.10\a929e9f6-b235-4ae4-b8e7-591c45f1670d-10.exe[4856] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074e916bd 2 bytes JMP 000000010579a736 .text C:\Windows\system32\taskeng.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076e7da80 10 bytes {MOV EAX, 0x337da; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskeng.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076e7dc50 10 bytes {MOV EAX, 0x33806; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskeng.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e7dd50 10 bytes {MOV EAX, 0x3362f; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskeng.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e7de00 10 bytes {MOV EAX, 0x33716; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskeng.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e7de50 10 bytes {MOV EAX, 0x33832; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskeng.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e7de90 10 bytes {MOV EAX, 0x3367b; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskeng.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e7e430 10 bytes {MOV EAX, 0x336c7; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskeng.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076e7e830 10 bytes {MOV EAX, 0x3387e; 
MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskeng.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e7ecc0 10 bytes {MOV EAX, 0x33762; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskeng.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e7eee0 10 bytes {MOV EAX, 0x337ae; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskeng.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e7f0a0 10 bytes {MOV EAX, 0x338d6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskeng.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 0000000076e7f0c0 10 bytes {MOV EAX, 0x338aa; MOVSXD RAX, EAX; JMP RAX} .text C:\Program Files (x86)\CinemaP-1.9cV05.10\a929e9f6-b235-4ae4-b8e7-591c45f1670d-1-6.exe[4652] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 1 0000000077030f19 3 bytes [5E, 3C, 07] .text C:\Program Files (x86)\CinemaP-1.9cV05.10\a929e9f6-b235-4ae4-b8e7-591c45f1670d-1-6.exe[4652] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 5 0000000077030f1d 2 bytes {JMP RAX} .text C:\Program Files (x86)\CinemaP-1.9cV05.10\a929e9f6-b235-4ae4-b8e7-591c45f1670d-1-6.exe[4652] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 1 0000000077031c55 3 bytes [8F, 3C, 07] .text C:\Program Files (x86)\CinemaP-1.9cV05.10\a929e9f6-b235-4ae4-b8e7-591c45f1670d-1-6.exe[4652] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 5 0000000077031c59 2 bytes {JMP RAX} .text C:\Program Files (x86)\CinemaP-1.9cV05.10\a929e9f6-b235-4ae4-b8e7-591c45f1670d-1-6.exe[4652] C:\Windows\syswow64\user32.DLL!GetPropW + 126 00000000753572a5 3 bytes [53, 3D, 07] .text C:\Program Files (x86)\CinemaP-1.9cV05.10\a929e9f6-b235-4ae4-b8e7-591c45f1670d-1-6.exe[4652] C:\Windows\syswow64\user32.DLL!GetPropW + 130 00000000753572a9 2 bytes {JMP RAX} .text C:\Program Files (x86)\CinemaP-1.9cV05.10\a929e9f6-b235-4ae4-b8e7-591c45f1670d-1-6.exe[4652] C:\Windows\syswow64\user32.DLL!RegisterClassW + 379 0000000075358be0 3 bytes [84, 3D, 07] .text 
C:\Program Files (x86)\CinemaP-1.9cV05.10\a929e9f6-b235-4ae4-b8e7-591c45f1670d-1-6.exe[4652] C:\Windows\syswow64\user32.DLL!RegisterClassW + 383 0000000075358be4 2 bytes {JMP RAX} .text C:\Program Files (x86)\CinemaP-1.9cV05.10\a929e9f6-b235-4ae4-b8e7-591c45f1670d-1-6.exe[4652] C:\Windows\syswow64\user32.DLL!TranslateAcceleratorW + 64 0000000075361286 3 bytes [22, 3D, 07] .text C:\Program Files (x86)\CinemaP-1.9cV05.10\a929e9f6-b235-4ae4-b8e7-591c45f1670d-1-6.exe[4652] C:\Windows\syswow64\user32.DLL!TranslateAcceleratorW + 68 000000007536128a 2 bytes {JMP RAX} .text C:\Program Files (x86)\CinemaP-1.9cV05.10\a929e9f6-b235-4ae4-b8e7-591c45f1670d-1-6.exe[4652] C:\Windows\syswow64\user32.DLL!SendInput + 1 000000007537ff4b 3 bytes [B5, 3D, 07] .text C:\Program Files (x86)\CinemaP-1.9cV05.10\a929e9f6-b235-4ae4-b8e7-591c45f1670d-1-6.exe[4652] C:\Windows\syswow64\user32.DLL!SendInput + 5 000000007537ff4f 2 bytes {JMP RAX} .text C:\Users\Admin\Desktop\Prompt Downloader\PromptDownloader.exe[1524] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 1 0000000077030f19 3 bytes [5E, 3C, 2B] .text C:\Users\Admin\Desktop\Prompt Downloader\PromptDownloader.exe[1524] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 5 0000000077030f1d 2 bytes {JMP RAX} .text C:\Users\Admin\Desktop\Prompt Downloader\PromptDownloader.exe[1524] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 1 0000000077031c55 3 bytes [8F, 3C, 2B] .text C:\Users\Admin\Desktop\Prompt Downloader\PromptDownloader.exe[1524] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 5 0000000077031c59 2 bytes {JMP RAX} .text C:\Users\Admin\Desktop\Prompt Downloader\PromptDownloader.exe[1524] C:\Windows\syswow64\USER32.dll!GetPropW + 126 00000000753572a5 3 bytes [53, 3D, 2B] .text C:\Users\Admin\Desktop\Prompt Downloader\PromptDownloader.exe[1524] C:\Windows\syswow64\USER32.dll!GetPropW + 130 00000000753572a9 2 bytes {JMP RAX} .text C:\Users\Admin\Desktop\Prompt Downloader\PromptDownloader.exe[1524] 
C:\Windows\syswow64\USER32.dll!RegisterClassW + 379 0000000075358be0 3 bytes [84, 3D, 2B] .text C:\Users\Admin\Desktop\Prompt Downloader\PromptDownloader.exe[1524] C:\Windows\syswow64\USER32.dll!RegisterClassW + 383 0000000075358be4 2 bytes {JMP RAX} .text C:\Users\Admin\Desktop\Prompt Downloader\PromptDownloader.exe[1524] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 64 0000000075361286 3 bytes [22, 3D, 2B] .text C:\Users\Admin\Desktop\Prompt Downloader\PromptDownloader.exe[1524] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 68 000000007536128a 2 bytes {JMP RAX} .text C:\Users\Admin\Desktop\Prompt Downloader\PromptDownloader.exe[1524] C:\Windows\syswow64\USER32.dll!SendInput + 1 000000007537ff4b 3 bytes [B5, 3D, 2B] .text C:\Users\Admin\Desktop\Prompt Downloader\PromptDownloader.exe[1524] C:\Windows\syswow64\USER32.dll!SendInput + 5 000000007537ff4f 2 bytes {JMP RAX} .text C:\Program Files (x86)\WordWizard_1.10.0.24\Service\wwsvc.exe[5080] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 1 0000000077030f19 3 bytes [5E, 3C, 07] .text C:\Program Files (x86)\WordWizard_1.10.0.24\Service\wwsvc.exe[5080] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 5 0000000077030f1d 2 bytes {JMP RAX} .text C:\Program Files (x86)\WordWizard_1.10.0.24\Service\wwsvc.exe[5080] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 1 0000000077031c55 3 bytes [8F, 3C, 07] .text C:\Program Files (x86)\WordWizard_1.10.0.24\Service\wwsvc.exe[5080] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 5 0000000077031c59 2 bytes {JMP RAX} .text C:\Program Files (x86)\WordWizard_1.10.0.24\Service\wwsvc.exe[5080] C:\Windows\syswow64\USER32.dll!GetPropW + 126 00000000753572a5 3 bytes [53, 3D, 07] .text C:\Program Files (x86)\WordWizard_1.10.0.24\Service\wwsvc.exe[5080] C:\Windows\syswow64\USER32.dll!GetPropW + 130 00000000753572a9 2 bytes {JMP RAX} .text C:\Program Files (x86)\WordWizard_1.10.0.24\Service\wwsvc.exe[5080] C:\Windows\syswow64\USER32.dll!RegisterClassW + 379 
0000000075358be0 3 bytes [84, 3D, 07] .text C:\Program Files (x86)\WordWizard_1.10.0.24\Service\wwsvc.exe[5080] C:\Windows\syswow64\USER32.dll!RegisterClassW + 383 0000000075358be4 2 bytes {JMP RAX} .text C:\Program Files (x86)\WordWizard_1.10.0.24\Service\wwsvc.exe[5080] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 64 0000000075361286 3 bytes [22, 3D, 07] .text C:\Program Files (x86)\WordWizard_1.10.0.24\Service\wwsvc.exe[5080] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 68 000000007536128a 2 bytes {JMP RAX} .text C:\Program Files (x86)\WordWizard_1.10.0.24\Service\wwsvc.exe[5080] C:\Windows\syswow64\USER32.dll!SendInput + 1 000000007537ff4b 3 bytes [B5, 3D, 07] .text C:\Program Files (x86)\WordWizard_1.10.0.24\Service\wwsvc.exe[5080] C:\Windows\syswow64\USER32.dll!SendInput + 5 000000007537ff4f 2 bytes {JMP RAX} .text C:\Program Files (x86)\WordWizard_1.10.0.24\Service\wwsvc.exe[5080] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074e91401 2 bytes JMP 000000010579a47a .text C:\Program Files (x86)\WordWizard_1.10.0.24\Service\wwsvc.exe[5080] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074e91419 2 bytes JMP 000000010579a492 .text C:\Program Files (x86)\WordWizard_1.10.0.24\Service\wwsvc.exe[5080] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074e91431 2 bytes JMP 000000010579a4aa .text C:\Program Files (x86)\WordWizard_1.10.0.24\Service\wwsvc.exe[5080] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074e9144a 2 bytes JMP 0000000074f5fcc3 .text ... 
* 9 .text C:\Program Files (x86)\WordWizard_1.10.0.24\Service\wwsvc.exe[5080] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074e914dd 2 bytes JMP 000000010579a556 .text C:\Program Files (x86)\WordWizard_1.10.0.24\Service\wwsvc.exe[5080] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074e914f5 2 bytes JMP 000000010579a56e .text C:\Program Files (x86)\WordWizard_1.10.0.24\Service\wwsvc.exe[5080] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074e9150d 2 bytes JMP 000000010579a586 .text C:\Program Files (x86)\WordWizard_1.10.0.24\Service\wwsvc.exe[5080] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074e91525 2 bytes JMP 000000010579a59e .text C:\Program Files (x86)\WordWizard_1.10.0.24\Service\wwsvc.exe[5080] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074e9153d 2 bytes JMP 000000010579a5b6 .text C:\Program Files (x86)\WordWizard_1.10.0.24\Service\wwsvc.exe[5080] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074e91555 2 bytes JMP 000000010579a5ce .text C:\Program Files (x86)\WordWizard_1.10.0.24\Service\wwsvc.exe[5080] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074e9156d 2 bytes JMP 000000010579a5e6 .text C:\Program Files (x86)\WordWizard_1.10.0.24\Service\wwsvc.exe[5080] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074e91585 2 bytes JMP 000000010579a5fe .text C:\Program Files (x86)\WordWizard_1.10.0.24\Service\wwsvc.exe[5080] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074e9159d 2 bytes JMP 000000010579a616 .text C:\Program Files (x86)\WordWizard_1.10.0.24\Service\wwsvc.exe[5080] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074e915b5 2 bytes JMP 000000010579a62e .text C:\Program Files (x86)\WordWizard_1.10.0.24\Service\wwsvc.exe[5080] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074e915cd 2 bytes JMP 000000015b37ce46 .text C:\Program Files (x86)\WordWizard_1.10.0.24\Service\wwsvc.exe[5080] 
C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074e916b2 2 bytes JMP 000000010579a72b .text C:\Program Files (x86)\WordWizard_1.10.0.24\Service\wwsvc.exe[5080] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074e916bd 2 bytes JMP 000000010579a736 .text C:\Windows\system32\wbem\wmiprvse.exe[2936] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076e7da80 10 bytes {MOV EAX, 0xb37da; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\wbem\wmiprvse.exe[2936] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076e7dc50 10 bytes {MOV EAX, 0xb3806; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\wbem\wmiprvse.exe[2936] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e7dd50 10 bytes {MOV EAX, 0xb362f; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\wbem\wmiprvse.exe[2936] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e7de00 10 bytes {MOV EAX, 0xb3716; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\wbem\wmiprvse.exe[2936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e7de50 10 bytes {MOV EAX, 0xb3832; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\wbem\wmiprvse.exe[2936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e7de90 10 bytes {MOV EAX, 0xb367b; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\wbem\wmiprvse.exe[2936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e7e430 10 bytes {MOV EAX, 0xb36c7; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\wbem\wmiprvse.exe[2936] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076e7e830 10 bytes {MOV EAX, 0xb387e; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\wbem\wmiprvse.exe[2936] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e7ecc0 10 bytes {MOV EAX, 0xb3762; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\wbem\wmiprvse.exe[2936] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e7eee0 10 bytes {MOV EAX, 0xb37ae; MOVSXD RAX, EAX; JMP RAX} .text 
C:\Windows\system32\wbem\wmiprvse.exe[2936] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e7f0a0 10 bytes {MOV EAX, 0xb38d6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\wbem\wmiprvse.exe[2936] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 0000000076e7f0c0 10 bytes {MOV EAX, 0xb38aa; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\SysWOW64\ctfmon.exe[5088] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 1 0000000077030f19 3 bytes [5E, 3C, 07] .text C:\Windows\SysWOW64\ctfmon.exe[5088] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 5 0000000077030f1d 2 bytes {JMP RAX} .text C:\Windows\SysWOW64\ctfmon.exe[5088] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 1 0000000077031c55 3 bytes [8F, 3C, 07] .text C:\Windows\SysWOW64\ctfmon.exe[5088] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 5 0000000077031c59 2 bytes {JMP RAX} .text C:\Windows\SysWOW64\ctfmon.exe[5088] C:\Windows\syswow64\USER32.dll!GetPropW + 126 00000000753572a5 3 bytes [53, 3D, 07] .text C:\Windows\SysWOW64\ctfmon.exe[5088] C:\Windows\syswow64\USER32.dll!GetPropW + 130 00000000753572a9 2 bytes {JMP RAX} .text C:\Windows\SysWOW64\ctfmon.exe[5088] C:\Windows\syswow64\USER32.dll!RegisterClassW + 379 0000000075358be0 3 bytes [84, 3D, 07] .text C:\Windows\SysWOW64\ctfmon.exe[5088] C:\Windows\syswow64\USER32.dll!RegisterClassW + 383 0000000075358be4 2 bytes {JMP RAX} .text C:\Windows\SysWOW64\ctfmon.exe[5088] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 64 0000000075361286 3 bytes [22, 3D, 07] .text C:\Windows\SysWOW64\ctfmon.exe[5088] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 68 000000007536128a 2 bytes {JMP RAX} .text C:\Windows\SysWOW64\ctfmon.exe[5088] C:\Windows\syswow64\USER32.dll!SendInput + 1 000000007537ff4b 3 bytes [B5, 3D, 07] .text C:\Windows\SysWOW64\ctfmon.exe[5088] C:\Windows\syswow64\USER32.dll!SendInput + 5 000000007537ff4f 2 bytes {JMP RAX} .text C:\Windows\system32\taskeng.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 
0000000076e7da80 10 bytes {MOV EAX, 0x337da; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskeng.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076e7dc50 10 bytes {MOV EAX, 0x33806; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskeng.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e7dd50 10 bytes {MOV EAX, 0x3362f; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskeng.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e7de00 10 bytes {MOV EAX, 0x33716; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskeng.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e7de50 10 bytes {MOV EAX, 0x33832; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskeng.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e7de90 10 bytes {MOV EAX, 0x3367b; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskeng.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e7e430 10 bytes {MOV EAX, 0x336c7; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskeng.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076e7e830 10 bytes {MOV EAX, 0x3387e; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskeng.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e7ecc0 10 bytes {MOV EAX, 0x33762; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskeng.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e7eee0 10 bytes {MOV EAX, 0x337ae; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskeng.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e7f0a0 10 bytes {MOV EAX, 0x338d6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskeng.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 0000000076e7f0c0 10 bytes {MOV EAX, 0x338aa; MOVSXD RAX, EAX; JMP RAX} .text C:\Program Files (x86)\Web Amplified\bin\utilWebAmplified.exe[6052] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 
1 0000000077030f19 3 bytes [5E, 3C, 07] .text C:\Program Files (x86)\Web Amplified\bin\utilWebAmplified.exe[6052] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 5 0000000077030f1d 2 bytes {JMP RAX} .text C:\Program Files (x86)\Web Amplified\bin\utilWebAmplified.exe[6052] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 1 0000000077031c55 3 bytes [8F, 3C, 07] .text C:\Program Files (x86)\Web Amplified\bin\utilWebAmplified.exe[6052] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 5 0000000077031c59 2 bytes {JMP RAX} .text C:\Program Files (x86)\Web Amplified\bin\utilWebAmplified.exe[6052] C:\Windows\syswow64\USER32.dll!GetPropW + 126 00000000753572a5 3 bytes [53, 3D, 07] .text C:\Program Files (x86)\Web Amplified\bin\utilWebAmplified.exe[6052] C:\Windows\syswow64\USER32.dll!GetPropW + 130 00000000753572a9 2 bytes {JMP RAX} .text C:\Program Files (x86)\Web Amplified\bin\utilWebAmplified.exe[6052] C:\Windows\syswow64\USER32.dll!RegisterClassW + 379 0000000075358be0 3 bytes [84, 3D, 07] .text C:\Program Files (x86)\Web Amplified\bin\utilWebAmplified.exe[6052] C:\Windows\syswow64\USER32.dll!RegisterClassW + 383 0000000075358be4 2 bytes {JMP RAX} .text C:\Program Files (x86)\Web Amplified\bin\utilWebAmplified.exe[6052] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 64 0000000075361286 3 bytes [22, 3D, 07] .text C:\Program Files (x86)\Web Amplified\bin\utilWebAmplified.exe[6052] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 68 000000007536128a 2 bytes {JMP RAX} .text C:\Program Files (x86)\Web Amplified\bin\utilWebAmplified.exe[6052] C:\Windows\syswow64\USER32.dll!SendInput + 1 000000007537ff4b 3 bytes [B5, 3D, 07] .text C:\Program Files (x86)\Web Amplified\bin\utilWebAmplified.exe[6052] C:\Windows\syswow64\USER32.dll!SendInput + 5 000000007537ff4f 2 bytes {JMP RAX} .text C:\Program Files (x86)\Web Amplified\bin\utilWebAmplified.exe[6052] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17 0000000074e91401 2 bytes JMP 000000010579a47a .text 
C:\Program Files (x86)\Web Amplified\bin\utilWebAmplified.exe[6052] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17 0000000074e91419 2 bytes JMP 000000010579a492 .text C:\Program Files (x86)\Web Amplified\bin\utilWebAmplified.exe[6052] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17 0000000074e91431 2 bytes JMP 000000010579a4aa .text C:\Program Files (x86)\Web Amplified\bin\utilWebAmplified.exe[6052] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42 0000000074e9144a 2 bytes JMP 0000000074f5fcc3 .text ... * 9 .text C:\Program Files (x86)\Web Amplified\bin\utilWebAmplified.exe[6052] C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17 0000000074e914dd 2 bytes JMP 000000010579a556 .text C:\Program Files (x86)\Web Amplified\bin\utilWebAmplified.exe[6052] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17 0000000074e914f5 2 bytes JMP 000000010579a56e .text C:\Program Files (x86)\Web Amplified\bin\utilWebAmplified.exe[6052] C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17 0000000074e9150d 2 bytes JMP 000000010579a586 .text C:\Program Files (x86)\Web Amplified\bin\utilWebAmplified.exe[6052] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17 0000000074e91525 2 bytes JMP 000000010579a59e .text C:\Program Files (x86)\Web Amplified\bin\utilWebAmplified.exe[6052] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17 0000000074e9153d 2 bytes JMP 000000010579a5b6 .text C:\Program Files (x86)\Web Amplified\bin\utilWebAmplified.exe[6052] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17 0000000074e91555 2 bytes JMP 000000010579a5ce .text C:\Program Files (x86)\Web Amplified\bin\utilWebAmplified.exe[6052] C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17 0000000074e9156d 2 bytes JMP 000000010579a5e6 .text C:\Program Files (x86)\Web Amplified\bin\utilWebAmplified.exe[6052] C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17 0000000074e91585 2 bytes JMP 000000010579a5fe .text C:\Program Files (x86)\Web 
Amplified\bin\utilWebAmplified.exe[6052] C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17 0000000074e9159d 2 bytes JMP 000000010579a616 .text C:\Program Files (x86)\Web Amplified\bin\utilWebAmplified.exe[6052] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17 0000000074e915b5 2 bytes JMP 000000010579a62e .text C:\Program Files (x86)\Web Amplified\bin\utilWebAmplified.exe[6052] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17 0000000074e915cd 2 bytes JMP 000000015b37ce46 .text C:\Program Files (x86)\Web Amplified\bin\utilWebAmplified.exe[6052] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20 0000000074e916b2 2 bytes JMP 000000010579a72b .text C:\Program Files (x86)\Web Amplified\bin\utilWebAmplified.exe[6052] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31 0000000074e916bd 2 bytes JMP 000000010579a736 .text C:\Users\Admin\AppData\Local\Temp\nsf8107.tmp[4820] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 1 0000000077030f19 3 bytes [5E, 3C, 1B] .text C:\Users\Admin\AppData\Local\Temp\nsf8107.tmp[4820] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 5 0000000077030f1d 2 bytes {JMP RAX} .text C:\Users\Admin\AppData\Local\Temp\nsf8107.tmp[4820] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 1 0000000077031c55 3 bytes [8F, 3C, 1B] .text C:\Users\Admin\AppData\Local\Temp\nsf8107.tmp[4820] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 5 0000000077031c59 2 bytes {JMP RAX} .text C:\Users\Admin\AppData\Local\Temp\nsf8107.tmp[4820] C:\Windows\syswow64\USER32.dll!GetPropW + 126 00000000753572a5 3 bytes [53, 3D, 1B] .text C:\Users\Admin\AppData\Local\Temp\nsf8107.tmp[4820] C:\Windows\syswow64\USER32.dll!GetPropW + 130 00000000753572a9 2 bytes {JMP RAX} .text C:\Users\Admin\AppData\Local\Temp\nsf8107.tmp[4820] C:\Windows\syswow64\USER32.dll!RegisterClassW + 379 0000000075358be0 3 bytes [84, 3D, 1B] .text C:\Users\Admin\AppData\Local\Temp\nsf8107.tmp[4820] C:\Windows\syswow64\USER32.dll!RegisterClassW + 383 0000000075358be4 2 
bytes {JMP RAX} .text C:\Users\Admin\AppData\Local\Temp\nsf8107.tmp[4820] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 64 0000000075361286 3 bytes [22, 3D, 1B] .text C:\Users\Admin\AppData\Local\Temp\nsf8107.tmp[4820] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 68 000000007536128a 2 bytes {JMP RAX} .text C:\Users\Admin\AppData\Local\Temp\nsf8107.tmp[4820] C:\Windows\syswow64\USER32.dll!SendInput + 1 000000007537ff4b 3 bytes [B5, 3D, 1B] .text C:\Users\Admin\AppData\Local\Temp\nsf8107.tmp[4820] C:\Windows\syswow64\USER32.dll!SendInput + 5 000000007537ff4f 2 bytes {JMP RAX} .text C:\Program Files (x86)\Web Amplified\bin\WebAmplified.expext.exe[5344] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 1 0000000077030f19 3 bytes [5E, 3C, 07] .text C:\Program Files (x86)\Web Amplified\bin\WebAmplified.expext.exe[5344] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 5 0000000077030f1d 2 bytes {JMP RAX} .text C:\Program Files (x86)\Web Amplified\bin\WebAmplified.expext.exe[5344] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 1 0000000077031c55 3 bytes [8F, 3C, 07] .text C:\Program Files (x86)\Web Amplified\bin\WebAmplified.expext.exe[5344] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 5 0000000077031c59 2 bytes {JMP RAX} .text C:\Program Files (x86)\Web Amplified\bin\WebAmplified.expext.exe[5344] C:\Windows\syswow64\USER32.dll!GetPropW + 126 00000000753572a5 3 bytes [53, 3D, 07] .text C:\Program Files (x86)\Web Amplified\bin\WebAmplified.expext.exe[5344] C:\Windows\syswow64\USER32.dll!GetPropW + 130 00000000753572a9 2 bytes {JMP RAX} .text C:\Program Files (x86)\Web Amplified\bin\WebAmplified.expext.exe[5344] C:\Windows\syswow64\USER32.dll!RegisterClassW + 379 0000000075358be0 3 bytes [84, 3D, 07] .text C:\Program Files (x86)\Web Amplified\bin\WebAmplified.expext.exe[5344] C:\Windows\syswow64\USER32.dll!RegisterClassW + 383 0000000075358be4 2 bytes {JMP RAX} .text C:\Program Files (x86)\Web Amplified\bin\WebAmplified.expext.exe[5344] 
C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 64 0000000075361286 3 bytes [22, 3D, 07] .text C:\Program Files (x86)\Web Amplified\bin\WebAmplified.expext.exe[5344] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 68 000000007536128a 2 bytes {JMP RAX} .text C:\Program Files (x86)\Web Amplified\bin\WebAmplified.expext.exe[5344] C:\Windows\syswow64\USER32.dll!SendInput + 1 000000007537ff4b 3 bytes [B5, 3D, 07] .text C:\Program Files (x86)\Web Amplified\bin\WebAmplified.expext.exe[5344] C:\Windows\syswow64\USER32.dll!SendInput + 5 000000007537ff4f 2 bytes {JMP RAX} .text C:\Program Files (x86)\Web Amplified\bin\WebAmplified.expext.exe[5344] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074e91401 2 bytes JMP 000000010579a47a .text C:\Program Files (x86)\Web Amplified\bin\WebAmplified.expext.exe[5344] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074e91419 2 bytes JMP 000000010579a492 .text C:\Program Files (x86)\Web Amplified\bin\WebAmplified.expext.exe[5344] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074e91431 2 bytes JMP 000000010579a4aa .text C:\Program Files (x86)\Web Amplified\bin\WebAmplified.expext.exe[5344] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074e9144a 2 bytes JMP 0000000074f5fcc3 .text ... 
* 9 .text C:\Program Files (x86)\Web Amplified\bin\WebAmplified.expext.exe[5344] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074e914dd 2 bytes JMP 000000010579a556 .text C:\Program Files (x86)\Web Amplified\bin\WebAmplified.expext.exe[5344] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074e914f5 2 bytes JMP 000000010579a56e .text C:\Program Files (x86)\Web Amplified\bin\WebAmplified.expext.exe[5344] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074e9150d 2 bytes JMP 000000010579a586 .text C:\Program Files (x86)\Web Amplified\bin\WebAmplified.expext.exe[5344] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074e91525 2 bytes JMP 000000010579a59e .text C:\Program Files (x86)\Web Amplified\bin\WebAmplified.expext.exe[5344] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074e9153d 2 bytes JMP 000000010579a5b6 .text C:\Program Files (x86)\Web Amplified\bin\WebAmplified.expext.exe[5344] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074e91555 2 bytes JMP 000000010579a5ce .text C:\Program Files (x86)\Web Amplified\bin\WebAmplified.expext.exe[5344] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074e9156d 2 bytes JMP 000000010579a5e6 .text C:\Program Files (x86)\Web Amplified\bin\WebAmplified.expext.exe[5344] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074e91585 2 bytes JMP 000000010579a5fe .text C:\Program Files (x86)\Web Amplified\bin\WebAmplified.expext.exe[5344] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074e9159d 2 bytes JMP 000000010579a616 .text C:\Program Files (x86)\Web Amplified\bin\WebAmplified.expext.exe[5344] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074e915b5 2 bytes JMP 000000010579a62e .text C:\Program Files (x86)\Web Amplified\bin\WebAmplified.expext.exe[5344] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074e915cd 2 bytes JMP 000000015b37ce46 .text C:\Program Files (x86)\Web 
Amplified\bin\WebAmplified.expext.exe[5344] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074e916b2 2 bytes JMP 000000010579a72b .text C:\Program Files (x86)\Web Amplified\bin\WebAmplified.expext.exe[5344] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074e916bd 2 bytes JMP 000000010579a736 .text C:\Program Files (x86)\CinemaPlus-3.2cV05.10\6055b7eb-df8d-4281-afd8-560810fc40d7-1-6.exe[6068] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 1 0000000077030f19 3 bytes [5E, 3C, 07] .text C:\Program Files (x86)\CinemaPlus-3.2cV05.10\6055b7eb-df8d-4281-afd8-560810fc40d7-1-6.exe[6068] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 5 0000000077030f1d 2 bytes {JMP RAX} .text C:\Program Files (x86)\CinemaPlus-3.2cV05.10\6055b7eb-df8d-4281-afd8-560810fc40d7-1-6.exe[6068] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 1 0000000077031c55 3 bytes [8F, 3C, 07] .text C:\Program Files (x86)\CinemaPlus-3.2cV05.10\6055b7eb-df8d-4281-afd8-560810fc40d7-1-6.exe[6068] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 5 0000000077031c59 2 bytes {JMP RAX} .text C:\Program Files (x86)\CinemaPlus-3.2cV05.10\6055b7eb-df8d-4281-afd8-560810fc40d7-1-6.exe[6068] C:\Windows\syswow64\user32.DLL!GetPropW + 126 00000000753572a5 3 bytes [53, 3D, 07] .text C:\Program Files (x86)\CinemaPlus-3.2cV05.10\6055b7eb-df8d-4281-afd8-560810fc40d7-1-6.exe[6068] C:\Windows\syswow64\user32.DLL!GetPropW + 130 00000000753572a9 2 bytes {JMP RAX} .text C:\Program Files (x86)\CinemaPlus-3.2cV05.10\6055b7eb-df8d-4281-afd8-560810fc40d7-1-6.exe[6068] C:\Windows\syswow64\user32.DLL!RegisterClassW + 379 0000000075358be0 3 bytes [84, 3D, 07] .text C:\Program Files (x86)\CinemaPlus-3.2cV05.10\6055b7eb-df8d-4281-afd8-560810fc40d7-1-6.exe[6068] C:\Windows\syswow64\user32.DLL!RegisterClassW + 383 0000000075358be4 2 bytes {JMP RAX} .text C:\Program Files (x86)\CinemaPlus-3.2cV05.10\6055b7eb-df8d-4281-afd8-560810fc40d7-1-6.exe[6068] 
C:\Windows\syswow64\user32.DLL!TranslateAcceleratorW + 64 0000000075361286 3 bytes [22, 3D, 07] .text C:\Program Files (x86)\CinemaPlus-3.2cV05.10\6055b7eb-df8d-4281-afd8-560810fc40d7-1-6.exe[6068] C:\Windows\syswow64\user32.DLL!TranslateAcceleratorW + 68 000000007536128a 2 bytes {JMP RAX} .text C:\Program Files (x86)\CinemaPlus-3.2cV05.10\6055b7eb-df8d-4281-afd8-560810fc40d7-1-6.exe[6068] C:\Windows\syswow64\user32.DLL!SendInput + 1 000000007537ff4b 3 bytes [B5, 3D, 07] .text C:\Program Files (x86)\CinemaPlus-3.2cV05.10\6055b7eb-df8d-4281-afd8-560810fc40d7-1-6.exe[6068] C:\Windows\syswow64\user32.DLL!SendInput + 5 000000007537ff4f 2 bytes {JMP RAX} .text C:\Program Files (x86)\Web Amplified\updateWebAmplified.exe[2480] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 1 0000000077030f19 3 bytes [5E, 3C, 07] .text C:\Program Files (x86)\Web Amplified\updateWebAmplified.exe[2480] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 5 0000000077030f1d 2 bytes {JMP RAX} .text C:\Program Files (x86)\Web Amplified\updateWebAmplified.exe[2480] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 1 0000000077031c55 3 bytes [8F, 3C, 07] .text C:\Program Files (x86)\Web Amplified\updateWebAmplified.exe[2480] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 5 0000000077031c59 2 bytes {JMP RAX} .text C:\Program Files (x86)\Web Amplified\updateWebAmplified.exe[2480] C:\Windows\syswow64\USER32.dll!GetPropW + 126 00000000753572a5 3 bytes [53, 3D, 07] .text C:\Program Files (x86)\Web Amplified\updateWebAmplified.exe[2480] C:\Windows\syswow64\USER32.dll!GetPropW + 130 00000000753572a9 2 bytes {JMP RAX} .text C:\Program Files (x86)\Web Amplified\updateWebAmplified.exe[2480] C:\Windows\syswow64\USER32.dll!RegisterClassW + 379 0000000075358be0 3 bytes [84, 3D, 07] .text C:\Program Files (x86)\Web Amplified\updateWebAmplified.exe[2480] C:\Windows\syswow64\USER32.dll!RegisterClassW + 383 0000000075358be4 2 bytes {JMP RAX} .text C:\Program Files (x86)\Web 
Amplified\updateWebAmplified.exe[2480] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 64 0000000075361286 3 bytes [22, 3D, 07] .text C:\Program Files (x86)\Web Amplified\updateWebAmplified.exe[2480] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 68 000000007536128a 2 bytes {JMP RAX} .text C:\Program Files (x86)\Web Amplified\updateWebAmplified.exe[2480] C:\Windows\syswow64\USER32.dll!SendInput + 1 000000007537ff4b 3 bytes [B5, 3D, 07] .text C:\Program Files (x86)\Web Amplified\updateWebAmplified.exe[2480] C:\Windows\syswow64\USER32.dll!SendInput + 5 000000007537ff4f 2 bytes {JMP RAX} .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[5332] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 1 0000000077030f19 3 bytes [5E, 3C, 1B] .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[5332] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 5 0000000077030f1d 2 bytes {JMP RAX} .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[5332] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 1 0000000077031c55 3 bytes [8F, 3C, 1B] .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[5332] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 5 0000000077031c59 2 bytes {JMP RAX} .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[5332] C:\Windows\syswow64\user32.dll!GetPropW + 126 00000000753572a5 3 bytes [53, 3D, 1B] .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[5332] C:\Windows\syswow64\user32.dll!GetPropW + 130 00000000753572a9 2 bytes {JMP RAX} .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[5332] C:\Windows\syswow64\user32.dll!RegisterClassW + 379 0000000075358be0 3 bytes [84, 3D, 1B] .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[5332] C:\Windows\syswow64\user32.dll!RegisterClassW + 383 0000000075358be4 2 bytes {JMP RAX} .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[5332] 
C:\Windows\syswow64\user32.dll!TranslateAcceleratorW + 64 0000000075361286 3 bytes [22, 3D, 1B] .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[5332] C:\Windows\syswow64\user32.dll!TranslateAcceleratorW + 68 000000007536128a 2 bytes {JMP RAX} .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[5332] C:\Windows\syswow64\user32.dll!SendInput + 1 000000007537ff4b 3 bytes [B5, 3D, 1B] .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[5332] C:\Windows\syswow64\user32.dll!SendInput + 5 000000007537ff4f 2 bytes {JMP RAX} .text C:\Program Files (x86)\Feed Notifier\notifier.exe[5708] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 1 0000000077030f19 3 bytes [5E, 3C, 1B] .text C:\Program Files (x86)\Feed Notifier\notifier.exe[5708] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 5 0000000077030f1d 2 bytes {JMP RAX} .text C:\Program Files (x86)\Feed Notifier\notifier.exe[5708] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 1 0000000077031c55 3 bytes [8F, 3C, 1B] .text C:\Program Files (x86)\Feed Notifier\notifier.exe[5708] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 5 0000000077031c59 2 bytes {JMP RAX} .text C:\Program Files (x86)\Feed Notifier\notifier.exe[5708] C:\Windows\syswow64\USER32.dll!GetPropW + 126 00000000753572a5 3 bytes [53, 3D, 1B] .text C:\Program Files (x86)\Feed Notifier\notifier.exe[5708] C:\Windows\syswow64\USER32.dll!GetPropW + 130 00000000753572a9 2 bytes {JMP RAX} .text C:\Program Files (x86)\Feed Notifier\notifier.exe[5708] C:\Windows\syswow64\USER32.dll!RegisterClassW + 379 0000000075358be0 3 bytes [84, 3D, 1B] .text C:\Program Files (x86)\Feed Notifier\notifier.exe[5708] C:\Windows\syswow64\USER32.dll!RegisterClassW + 383 0000000075358be4 2 bytes {JMP RAX} .text C:\Program Files (x86)\Feed Notifier\notifier.exe[5708] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 64 0000000075361286 3 bytes [22, 3D, 1B] .text C:\Program Files (x86)\Feed Notifier\notifier.exe[5708] 
C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 68 000000007536128a 2 bytes {JMP RAX} .text C:\Program Files (x86)\Feed Notifier\notifier.exe[5708] C:\Windows\syswow64\USER32.dll!SendInput + 1 000000007537ff4b 3 bytes [B5, 3D, 1B] .text C:\Program Files (x86)\Feed Notifier\notifier.exe[5708] C:\Windows\syswow64\USER32.dll!SendInput + 5 000000007537ff4f 2 bytes {JMP RAX} .text C:\ProgramData\tWdsManProt\WdsManPro.exe[4696] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 1 0000000077030f19 3 bytes [5E, 3C, 07] .text C:\ProgramData\tWdsManProt\WdsManPro.exe[4696] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 5 0000000077030f1d 2 bytes {JMP RAX} .text C:\ProgramData\tWdsManProt\WdsManPro.exe[4696] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 1 0000000077031c55 3 bytes [8F, 3C, 07] .text C:\ProgramData\tWdsManProt\WdsManPro.exe[4696] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 5 0000000077031c59 2 bytes {JMP RAX} .text C:\ProgramData\tWdsManProt\WdsManPro.exe[4696] C:\Windows\syswow64\USER32.dll!GetPropW + 126 00000000753572a5 3 bytes [53, 3D, 07] .text C:\ProgramData\tWdsManProt\WdsManPro.exe[4696] C:\Windows\syswow64\USER32.dll!GetPropW + 130 00000000753572a9 2 bytes {JMP RAX} .text C:\ProgramData\tWdsManProt\WdsManPro.exe[4696] C:\Windows\syswow64\USER32.dll!RegisterClassW + 379 0000000075358be0 3 bytes [84, 3D, 07] .text C:\ProgramData\tWdsManProt\WdsManPro.exe[4696] C:\Windows\syswow64\USER32.dll!RegisterClassW + 383 0000000075358be4 2 bytes {JMP RAX} .text C:\ProgramData\tWdsManProt\WdsManPro.exe[4696] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 64 0000000075361286 3 bytes [22, 3D, 07] .text C:\ProgramData\tWdsManProt\WdsManPro.exe[4696] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 68 000000007536128a 2 bytes {JMP RAX} .text C:\ProgramData\tWdsManProt\WdsManPro.exe[4696] C:\Windows\syswow64\USER32.dll!SendInput + 1 000000007537ff4b 3 bytes [B5, 3D, 07] .text C:\ProgramData\tWdsManProt\WdsManPro.exe[4696] 
C:\Windows\syswow64\USER32.dll!SendInput + 5 000000007537ff4f 2 bytes {JMP RAX} .text C:\Program Files (x86)\SFK\SSFK.exe[1844] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 1 0000000077030f19 3 bytes [5E, 3C, 1B] .text C:\Program Files (x86)\SFK\SSFK.exe[1844] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 5 0000000077030f1d 2 bytes {JMP RAX} .text C:\Program Files (x86)\SFK\SSFK.exe[1844] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 1 0000000077031c55 3 bytes [8F, 3C, 1B] .text C:\Program Files (x86)\SFK\SSFK.exe[1844] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 5 0000000077031c59 2 bytes {JMP RAX} .text C:\Program Files (x86)\SFK\SSFK.exe[1844] C:\Windows\syswow64\USER32.dll!GetPropW + 126 00000000753572a5 3 bytes [53, 3D, 1B] .text C:\Program Files (x86)\SFK\SSFK.exe[1844] C:\Windows\syswow64\USER32.dll!GetPropW + 130 00000000753572a9 2 bytes {JMP RAX} .text C:\Program Files (x86)\SFK\SSFK.exe[1844] C:\Windows\syswow64\USER32.dll!RegisterClassW + 379 0000000075358be0 3 bytes [84, 3D, 1B] .text C:\Program Files (x86)\SFK\SSFK.exe[1844] C:\Windows\syswow64\USER32.dll!RegisterClassW + 383 0000000075358be4 2 bytes {JMP RAX} .text C:\Program Files (x86)\SFK\SSFK.exe[1844] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 64 0000000075361286 3 bytes [22, 3D, 1B] .text C:\Program Files (x86)\SFK\SSFK.exe[1844] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 68 000000007536128a 2 bytes {JMP RAX} .text C:\Program Files (x86)\SFK\SSFK.exe[1844] C:\Windows\syswow64\USER32.dll!SendInput + 1 000000007537ff4b 3 bytes [B5, 3D, 1B] .text C:\Program Files (x86)\SFK\SSFK.exe[1844] C:\Windows\syswow64\USER32.dll!SendInput + 5 000000007537ff4f 2 bytes {JMP RAX} .text C:\Windows\system32\AUDIODG.EXE[5572] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076e7da80 10 bytes {MOV EAX, 0x337da; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\AUDIODG.EXE[5572] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076e7dc50 10 bytes 
{MOV EAX, 0x33806; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\AUDIODG.EXE[5572] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e7dd50 10 bytes {MOV EAX, 0x3362f; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\AUDIODG.EXE[5572] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e7de00 10 bytes {MOV EAX, 0x33716; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\AUDIODG.EXE[5572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e7de50 10 bytes {MOV EAX, 0x33832; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\AUDIODG.EXE[5572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e7de90 10 bytes {MOV EAX, 0x3367b; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\AUDIODG.EXE[5572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e7e430 10 bytes {MOV EAX, 0x336c7; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\AUDIODG.EXE[5572] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076e7e830 10 bytes {MOV EAX, 0x3387e; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\AUDIODG.EXE[5572] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e7ecc0 10 bytes {MOV EAX, 0x33762; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\AUDIODG.EXE[5572] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e7eee0 10 bytes {MOV EAX, 0x337ae; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\AUDIODG.EXE[5572] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e7f0a0 10 bytes {MOV EAX, 0x338d6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\AUDIODG.EXE[5572] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 0000000076e7f0c0 10 bytes {MOV EAX, 0x338aa; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskhost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076e7da80 10 bytes {MOV EAX, 0x337da; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskhost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076e7dc50 10 bytes {MOV EAX, 0x33806; MOVSXD 
RAX, EAX; JMP RAX} .text C:\Windows\system32\taskhost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e7dd50 10 bytes {MOV EAX, 0x3362f; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskhost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076e7de00 10 bytes {MOV EAX, 0x33716; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskhost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e7de50 10 bytes {MOV EAX, 0x33832; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskhost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e7de90 10 bytes {MOV EAX, 0x3367b; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskhost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e7e430 10 bytes {MOV EAX, 0x336c7; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskhost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076e7e830 10 bytes {MOV EAX, 0x3387e; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskhost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e7ecc0 10 bytes {MOV EAX, 0x33762; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskhost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e7eee0 10 bytes {MOV EAX, 0x337ae; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskhost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e7f0a0 10 bytes {MOV EAX, 0x338d6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskhost.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 0000000076e7f0c0 10 bytes {MOV EAX, 0x338aa; MOVSXD RAX, EAX; JMP RAX} .text C:\Users\Admin\Desktop\dqhvz4gw.exe[6336] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 1 0000000077030f19 3 bytes [5E, 3C, 1B] .text C:\Users\Admin\Desktop\dqhvz4gw.exe[6336] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 5 0000000077030f1d 2 bytes {JMP RAX} .text C:\Users\Admin\Desktop\dqhvz4gw.exe[6336] 
C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 1 0000000077031c55 3 bytes [8F, 3C, 1B] .text C:\Users\Admin\Desktop\dqhvz4gw.exe[6336] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 5 0000000077031c59 2 bytes {JMP RAX} .text C:\Users\Admin\Desktop\dqhvz4gw.exe[6336] C:\Windows\syswow64\USER32.dll!GetPropW + 126 00000000753572a5 3 bytes [53, 3D, 1B] .text C:\Users\Admin\Desktop\dqhvz4gw.exe[6336] C:\Windows\syswow64\USER32.dll!GetPropW + 130 00000000753572a9 2 bytes {JMP RAX} .text C:\Users\Admin\Desktop\dqhvz4gw.exe[6336] C:\Windows\syswow64\USER32.dll!RegisterClassW + 379 0000000075358be0 3 bytes [84, 3D, 1B] .text C:\Users\Admin\Desktop\dqhvz4gw.exe[6336] C:\Windows\syswow64\USER32.dll!RegisterClassW + 383 0000000075358be4 2 bytes {JMP RAX} .text C:\Users\Admin\Desktop\dqhvz4gw.exe[6336] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 64 0000000075361286 3 bytes [22, 3D, 1B] .text C:\Users\Admin\Desktop\dqhvz4gw.exe[6336] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 68 000000007536128a 2 bytes {JMP RAX} .text C:\Users\Admin\Desktop\dqhvz4gw.exe[6336] C:\Windows\syswow64\USER32.dll!SendInput + 1 000000007537ff4b 3 bytes [B5, 3D, 1B] .text C:\Users\Admin\Desktop\dqhvz4gw.exe[6336] C:\Windows\syswow64\USER32.dll!SendInput + 5 000000007537ff4f 2 bytes {JMP RAX} ---- Processes - GMER 2.1 ---- Library C:\Users\Admin\AppData\Local\Temp\nsu8439.tmp\System.dll (*** suspicious ***) @ C:\Program Files (x86)\27DAD760-1444063731-11D9-BB64-5404A6A214B1\vnsk752C.tmp [4236] 0000000010000000 Library C:\Users\Admin\AppData\Local\Temp\nsu8439.tmp\IpConfig.dll (*** suspicious ***) @ C:\Program Files (x86)\27DAD760-1444063731-11D9-BB64-5404A6A214B1\vnsk752C.tmp [4236] 0000000001710000 Process C:\Users\Admin\AppData\Local\Temp\nsf8107.tmp (*** suspicious ***) @ C:\Users\Admin\AppData\Local\Temp\nsf8107.tmp [4820](2015-10-05 17:02: 0000000000400000 Library C:\Users\Admin\AppData\Local\Temp\nsk8D2D.tmp\System.dll (*** suspicious ***) @ 
C:\Users\Admin\AppData\Local\Temp\nsf8107.tmp [4820](2015-10-05 17:02:04) 0000000010000000
Library C:\Users\Admin\AppData\Local\Temp\nsk8D2D.tmp\nsDialogs.dll (*** suspicious ***) @ C:\Users\Admin\AppData\Local\Temp\nsf8107.tmp [4820](2015-10-05 17:02:04) 00000000002e0000
Library C:\Users\Admin\AppData\Local\Temp\nsk8D2D.tmp\registry.dll (*** suspicious ***) @ C:\Users\Admin\AppData\Local\Temp\nsf8107.tmp [4820](2015-10-05 17:02:04) 0000000000d30000
Library C:\Users\Admin\AppData\Local\Temp\nsk8D2D.tmp\Math.dll (*** suspicious ***) @ C:\Users\Admin\AppData\Local\Temp\nsf8107.tmp [4820] 00000000007c0000
Library C:\Users\Admin\AppData\Local\Temp\nsk8D2D.tmp\nsCBHTML5.dll (*** suspicious ***) @ C:\Users\Admin\AppData\Local\Temp\nsf8107.tmp [4820](2015-10-05 17:02:13) 00000000040b0000

---- Services - GMER 2.1 ----

Service system32\drivers\E07249B.sys (*** hidden *** ) [BOOT] E07249B <-- ROOTKIT !!!

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BITS@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\services\BITS
Reg HKLM\SYSTEM\CurrentControlSet\services\E07249B@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\services\E07249B@Group System Reserved
Reg HKLM\SYSTEM\CurrentControlSet\services\E07249B@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\services\E07249B@Type 2
Reg HKLM\SYSTEM\CurrentControlSet\services\E07249B@ImagePath system32\drivers\E07249B.sys
Reg HKLM\SYSTEM\CurrentControlSet\services\E07249B
Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch@Epoch 39880
Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch2@Epoch 9839

---- EOF - GMER 2.1 ----