GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-10-06 12:44:23 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1 ST3200820AS rev.3.AAC 186,31GB Running: dqhvz4gw.exe; Driver: C:\Users\Admin\AppData\Local\Temp\uwddakob.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076dcda80 10 bytes {MOV EAX, 0x337da; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076dcdc50 10 bytes {MOV EAX, 0x33806; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dcdd50 10 bytes {MOV EAX, 0x3362f; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076dcde00 10 bytes {MOV EAX, 0x33716; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dcde50 10 bytes {MOV EAX, 0x33832; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dcde90 10 bytes {MOV EAX, 0x3367b; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dce430 10 bytes {MOV EAX, 0x336c7; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dce830 10 bytes {MOV EAX, 0x3387e; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dcecc0 10 bytes {MOV EAX, 0x33762; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dceee0 10 bytes {MOV EAX, 0x337ae; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dcf0a0 10 bytes {MOV EAX, 0x338d6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 0000000076dcf0c0 10 bytes {MOV EAX, 0x338aa; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\csrss.exe[432] C:\Windows\system32\USER32.dll!GetWindowThreadProcessId + 208 0000000076b70b60 10 bytes {MOV EAX, 0x339a9; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\csrss.exe[432] C:\Windows\system32\USER32.dll!IsDialogMessageW + 400 0000000076b76850 10 bytes {MOV EAX, 0x3395c; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\csrss.exe[432] C:\Windows\system32\USER32.dll!SetWindowLongPtrW + 16 0000000076b776d0 10 bytes {MOV EAX, 0x3392f; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\csrss.exe[432] C:\Windows\system32\USER32.dll!SetScrollInfo + 380 0000000076b77ec0 10 bytes {MOV EAX, 0x33902; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\csrss.exe[432] C:\Windows\system32\USER32.dll!SendInput 0000000076b88cd0 10 bytes {MOV EAX, 0x339d6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076dcda80 10 bytes {MOV EAX, 0x337da; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076dcdc50 10 bytes {MOV EAX, 0x33806; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dcdd50 10 bytes {MOV EAX, 0x3362f; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076dcde00 10 bytes {MOV EAX, 0x33716; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dcde50 10 bytes {MOV EAX, 0x33832; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dcde90 10 bytes {MOV EAX, 0x3367b; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dce430 10 bytes {MOV EAX, 0x336c7; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dce830 10 bytes {MOV EAX, 0x3387e; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dcecc0 10 bytes {MOV EAX, 0x33762; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dceee0 10 bytes {MOV EAX, 0x337ae; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dcf0a0 10 bytes {MOV EAX, 0x338d6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 0000000076dcf0c0 10 bytes {MOV EAX, 0x338aa; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\wininit.exe[520] C:\Windows\system32\USER32.dll!GetWindowThreadProcessId + 208 0000000076b70b60 10 bytes {MOV EAX, 0x339a9; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\wininit.exe[520] C:\Windows\system32\USER32.dll!IsDialogMessageW + 400 0000000076b76850 10 bytes {MOV EAX, 0x3395c; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\wininit.exe[520] C:\Windows\system32\USER32.dll!SetWindowLongPtrW + 16 0000000076b776d0 10 bytes {MOV EAX, 0x3392f; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\wininit.exe[520] C:\Windows\system32\USER32.dll!SetScrollInfo + 380 0000000076b77ec0 10 bytes {MOV EAX, 0x33902; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\wininit.exe[520] C:\Windows\system32\USER32.dll!SendInput 0000000076b88cd0 10 bytes {MOV EAX, 0x339d6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076dcda80 10 bytes {MOV EAX, 0x337da; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076dcdc50 10 bytes {MOV EAX, 0x33806; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dcdd50 10 bytes {MOV EAX, 0x3362f; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076dcde00 10 bytes {MOV EAX, 0x33716; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dcde50 10 bytes {MOV EAX, 0x33832; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dcde90 10 bytes {MOV EAX, 0x3367b; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dce430 10 bytes {MOV EAX, 0x336c7; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dce830 10 bytes {MOV EAX, 0x3387e; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dcecc0 10 bytes {MOV EAX, 0x33762; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dceee0 10 bytes {MOV EAX, 0x337ae; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dcf0a0 10 bytes {MOV EAX, 0x338d6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 0000000076dcf0c0 10 bytes {MOV EAX, 0x338aa; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\csrss.exe[532] C:\Windows\system32\USER32.dll!GetWindowThreadProcessId + 208 0000000076b70b60 10 bytes {MOV EAX, 0x339a9; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\csrss.exe[532] C:\Windows\system32\USER32.dll!IsDialogMessageW + 400 0000000076b76850 10 bytes {MOV EAX, 0x3395c; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\csrss.exe[532] C:\Windows\system32\USER32.dll!SetWindowLongPtrW + 16 0000000076b776d0 10 bytes {MOV EAX, 0x3392f; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\csrss.exe[532] C:\Windows\system32\USER32.dll!SetScrollInfo + 380 0000000076b77ec0 10 bytes {MOV EAX, 0x33902; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\csrss.exe[532] C:\Windows\system32\USER32.dll!SendInput 0000000076b88cd0 10 bytes {MOV EAX, 0x339d6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076dcda80 10 bytes {MOV EAX, 0x337da; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076dcdc50 10 bytes {MOV EAX, 0x33806; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dcdd50 10 bytes {MOV EAX, 0x3362f; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076dcde00 10 bytes {MOV EAX, 0x33716; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dcde50 10 bytes {MOV EAX, 0x33832; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dcde90 10 bytes {MOV EAX, 0x3367b; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dce430 10 bytes {MOV EAX, 0x336c7; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dce830 10 bytes {MOV EAX, 0x3387e; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dcecc0 10 bytes {MOV EAX, 0x33762; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dceee0 10 bytes {MOV EAX, 0x337ae; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dcf0a0 10 bytes {MOV EAX, 0x338d6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 0000000076dcf0c0 10 bytes {MOV EAX, 0x338aa; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\services.exe[580] C:\Windows\system32\USER32.dll!GetWindowThreadProcessId + 208 0000000076b70b60 10 bytes {MOV EAX, 0x339a9; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\services.exe[580] C:\Windows\system32\USER32.dll!IsDialogMessageW + 400 0000000076b76850 10 bytes {MOV EAX, 0x3395c; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\services.exe[580] C:\Windows\system32\USER32.dll!SetWindowLongPtrW + 16 0000000076b776d0 10 bytes {MOV EAX, 0x3392f; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\services.exe[580] C:\Windows\system32\USER32.dll!SetScrollInfo + 380 0000000076b77ec0 10 bytes {MOV EAX, 0x33902; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\services.exe[580] C:\Windows\system32\USER32.dll!SendInput 0000000076b88cd0 10 bytes {MOV EAX, 0x339d6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\winlogon.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076dcda80 10 bytes {MOV EAX, 0x337da; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\winlogon.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076dcdc50 10 bytes {MOV EAX, 0x33806; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\winlogon.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dcdd50 10 bytes {MOV EAX, 0x3362f; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\winlogon.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076dcde00 10 bytes {MOV EAX, 0x33716; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\winlogon.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dcde50 10 bytes {MOV EAX, 0x33832; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\winlogon.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dcde90 10 bytes {MOV EAX, 0x3367b; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\winlogon.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dce430 10 bytes {MOV EAX, 0x336c7; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\winlogon.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dce830 10 bytes {MOV EAX, 0x3387e; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\winlogon.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dcecc0 10 bytes {MOV EAX, 0x33762; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\winlogon.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dceee0 10 bytes {MOV EAX, 0x337ae; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\winlogon.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dcf0a0 10 bytes {MOV EAX, 0x338d6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\winlogon.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 0000000076dcf0c0 10 bytes {MOV EAX, 0x338aa; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\winlogon.exe[604] C:\Windows\system32\USER32.dll!GetWindowThreadProcessId + 208 0000000076b70b60 10 bytes {MOV EAX, 0x339a9; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\winlogon.exe[604] C:\Windows\system32\USER32.dll!IsDialogMessageW + 400 0000000076b76850 10 bytes {MOV EAX, 0x3395c; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\winlogon.exe[604] C:\Windows\system32\USER32.dll!SetWindowLongPtrW + 16 0000000076b776d0 10 bytes {MOV EAX, 0x3392f; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\winlogon.exe[604] C:\Windows\system32\USER32.dll!SetScrollInfo + 380 0000000076b77ec0 10 bytes {MOV EAX, 0x33902; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\winlogon.exe[604] C:\Windows\system32\USER32.dll!SendInput 0000000076b88cd0 10 bytes {MOV EAX, 0x339d6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076dcda80 10 bytes {MOV EAX, 0x337da; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076dcdc50 10 bytes {MOV EAX, 0x33806; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dcdd50 10 bytes {MOV EAX, 0x3362f; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076dcde00 10 bytes {MOV EAX, 0x33716; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dcde50 10 bytes {MOV EAX, 0x33832; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dcde90 10 bytes {MOV EAX, 0x3367b; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dce430 10 bytes {MOV EAX, 0x336c7; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dce830 10 bytes {MOV EAX, 0x3387e; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dcecc0 10 bytes {MOV EAX, 0x33762; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dceee0 10 bytes {MOV EAX, 0x337ae; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dcf0a0 10 bytes {MOV EAX, 0x338d6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 0000000076dcf0c0 10 bytes {MOV EAX, 0x338aa; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076dcda80 10 bytes {MOV EAX, 0x337da; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076dcdc50 10 bytes {MOV EAX, 0x33806; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dcdd50 10 bytes {MOV EAX, 0x3362f; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076dcde00 10 bytes {MOV EAX, 0x33716; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dcde50 10 bytes {MOV EAX, 0x33832; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dcde90 10 bytes {MOV EAX, 0x3367b; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dce430 10 bytes {MOV EAX, 0x336c7; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dce830 10 bytes {MOV EAX, 0x3387e; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dcecc0 10 bytes {MOV EAX, 0x33762; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dceee0 10 bytes {MOV EAX, 0x337ae; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dcf0a0 10 bytes {MOV EAX, 0x338d6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 0000000076dcf0c0 10 bytes {MOV EAX, 0x338aa; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076dcda80 10 bytes {MOV EAX, 0x337da; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076dcdc50 10 bytes {MOV EAX, 0x33806; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dcdd50 10 bytes {MOV EAX, 0x3362f; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076dcde00 10 bytes {MOV EAX, 0x33716; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dcde50 10 bytes {MOV EAX, 0x33832; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dcde90 10 bytes {MOV EAX, 0x3367b; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dce430 10 bytes {MOV EAX, 0x336c7; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dce830 10 bytes {MOV EAX, 0x3387e; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dcecc0 10 bytes {MOV EAX, 0x33762; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dceee0 10 bytes {MOV EAX, 0x337ae; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dcf0a0 10 bytes {MOV EAX, 0x338d6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 0000000076dcf0c0 10 bytes {MOV EAX, 0x338aa; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076dcda80 10 bytes {MOV EAX, 0x337da; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076dcdc50 10 bytes {MOV EAX, 0x33806; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dcdd50 10 bytes {MOV EAX, 0x3362f; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076dcde00 10 bytes {MOV EAX, 0x33716; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dcde50 10 bytes {MOV EAX, 0x33832; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dcde90 10 bytes {MOV EAX, 0x3367b; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dce430 10 bytes {MOV EAX, 0x336c7; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dce830 10 bytes {MOV EAX, 0x3387e; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dcecc0 10 bytes {MOV EAX, 0x33762; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dceee0 10 bytes {MOV EAX, 0x337ae; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dcf0a0 10 bytes {MOV EAX, 0x338d6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 0000000076dcf0c0 10 bytes {MOV EAX, 0x338aa; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076dcda80 10 bytes {MOV EAX, 0x337da; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076dcdc50 10 bytes {MOV EAX, 0x33806; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dcdd50 10 bytes {MOV EAX, 0x3362f; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076dcde00 10 bytes {MOV EAX, 0x33716; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dcde50 10 bytes {MOV EAX, 0x33832; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dcde90 10 bytes {MOV EAX, 0x3367b; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dce430 10 bytes {MOV EAX, 0x336c7; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dce830 10 bytes {MOV EAX, 0x3387e; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dcecc0 10 bytes {MOV EAX, 0x33762; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dceee0 10 bytes {MOV EAX, 0x337ae; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dcf0a0 10 bytes {MOV EAX, 0x338d6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 0000000076dcf0c0 10 bytes {MOV EAX, 0x338aa; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076dcda80 10 bytes {MOV EAX, 0x337da; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076dcdc50 10 bytes {MOV EAX, 0x33806; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dcdd50 10 bytes {MOV EAX, 0x3362f; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076dcde00 10 bytes {MOV EAX, 0x33716; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dcde50 10 bytes {MOV EAX, 0x33832; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dcde90 10 bytes {MOV EAX, 0x3367b; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dce430 10 bytes {MOV EAX, 0x336c7; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dce830 10 bytes {MOV EAX, 0x3387e; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dcecc0 10 bytes {MOV EAX, 0x33762; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dceee0 10 bytes {MOV EAX, 0x337ae; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dcf0a0 10 bytes {MOV EAX, 0x338d6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\svchost.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 0000000076dcf0c0 10 bytes {MOV EAX, 0x338aa; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076dcda80 10 bytes {MOV EAX, 0x337da; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076dcdc50 10 bytes {MOV EAX, 0x33806; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dcdd50 10 bytes {MOV EAX, 0x3362f; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076dcde00 10 bytes {MOV EAX, 0x33716; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dcde50 10 bytes {MOV EAX, 0x33832; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dcde90 10 bytes {MOV EAX, 0x3367b; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dce430 10 bytes {MOV EAX, 0x336c7; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dce830 10 bytes {MOV EAX, 0x3387e; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dcecc0 10 bytes {MOV EAX, 0x33762; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dceee0 10 bytes {MOV EAX, 0x337ae; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dcf0a0 10 bytes {MOV EAX, 0x338d6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 0000000076dcf0c0 10 bytes {MOV EAX, 0x338aa; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076dcda80 10 bytes {MOV EAX, 0x337da; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076dcdc50 10 bytes {MOV EAX, 0x33806; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dcdd50 10 bytes {MOV EAX, 0x3362f; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076dcde00 10 bytes {MOV EAX, 0x33716; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dcde50 10 bytes {MOV EAX, 0x33832; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dcde90 10 bytes {MOV EAX, 0x3367b; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dce430 10 bytes {MOV EAX, 0x336c7; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dce830 10 bytes {MOV EAX, 0x3387e; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dcecc0 10 bytes {MOV EAX, 0x33762; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dceee0 10 bytes {MOV EAX, 0x337ae; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dcf0a0 10 bytes {MOV EAX, 0x338d6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 0000000076dcf0c0 10 bytes {MOV EAX, 0x338aa; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076dcda80 10 bytes {MOV EAX, 0x337da; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076dcdc50 10 bytes {MOV EAX, 0x33806; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dcdd50 10 bytes {MOV EAX, 0x3362f; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076dcde00 10 bytes {MOV EAX, 0x33716; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dcde50 10 bytes {MOV EAX, 0x33832; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dcde90 10 bytes {MOV EAX, 0x3367b; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dce430 10 bytes {MOV EAX, 0x336c7; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dce830 10 bytes {MOV EAX, 0x3387e; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dcecc0 10 bytes {MOV EAX, 0x33762; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dceee0 10 bytes {MOV EAX, 0x337ae; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dcf0a0 10 bytes {MOV EAX, 0x338d6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 0000000076dcf0c0 10 bytes {MOV EAX, 0x338aa; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076dcda80 10 bytes {MOV EAX, 0x337da; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076dcdc50 10 bytes {MOV EAX, 0x33806; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dcdd50 10 bytes {MOV EAX, 0x3362f; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076dcde00 10 bytes {MOV EAX, 0x33716; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dcde50 10 bytes {MOV EAX, 0x33832; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dcde90 10 bytes {MOV EAX, 0x3367b; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dce430 10 bytes {MOV EAX, 0x336c7; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dce830 10 bytes {MOV EAX, 0x3387e; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dcecc0 10 bytes {MOV EAX, 0x33762; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dceee0 10 bytes {MOV EAX, 0x337ae; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dcf0a0 10 bytes {MOV EAX, 0x338d6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskhost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 0000000076dcf0c0 10 bytes {MOV EAX, 0x338aa; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076dcda80 10 bytes {MOV EAX, 0x337da; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076dcdc50 10 bytes {MOV EAX, 0x33806; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dcdd50 10 bytes {MOV EAX, 0x3362f; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076dcde00 10 bytes {MOV EAX, 0x33716; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dcde50 10 bytes {MOV EAX, 0x33832; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dcde90 10 bytes {MOV EAX, 0x3367b; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dce430 10 bytes {MOV EAX, 0x336c7; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dce830 10 bytes {MOV EAX, 0x3387e; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dcecc0 10 bytes {MOV EAX, 0x33762; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dceee0 10 bytes {MOV EAX, 0x337ae; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dcf0a0 10 bytes {MOV EAX, 0x338d6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 0000000076dcf0c0 10 bytes {MOV EAX, 0x338aa; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\Dwm.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076dcda80 10 bytes {MOV EAX, 0x337da; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\Dwm.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076dcdc50 10 bytes {MOV EAX, 0x33806; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\Dwm.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dcdd50 10 bytes {MOV EAX, 0x3362f; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\Dwm.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076dcde00 10 bytes {MOV EAX, 0x33716; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\Dwm.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dcde50 10 bytes {MOV EAX, 0x33832; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\Dwm.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dcde90 10 bytes {MOV EAX, 0x3367b; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\Dwm.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dce430 10 bytes {MOV EAX, 0x336c7; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\Dwm.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dce830 10 bytes {MOV EAX, 0x3387e; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\Dwm.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dcecc0 10 bytes {MOV EAX, 0x33762; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\Dwm.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dceee0 10 bytes {MOV EAX, 0x337ae; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\Dwm.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dcf0a0 10 bytes {MOV EAX, 0x338d6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\Dwm.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 0000000076dcf0c0 10 bytes {MOV EAX, 0x338aa; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076dcda80 10 bytes {MOV EAX, 0x337da; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076dcdc50 10 bytes {MOV EAX, 0x33806; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dcdd50 10 bytes {MOV EAX, 0x3362f; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076dcde00 10 bytes {MOV EAX, 0x33716; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dcde50 10 bytes {MOV EAX, 0x33832; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dcde90 10 bytes {MOV EAX, 0x3367b; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dce430 10 bytes {MOV EAX, 0x336c7; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dce830 10 bytes {MOV EAX, 0x3387e; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dcecc0 10 bytes {MOV EAX, 0x33762; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dceee0 10 bytes {MOV EAX, 0x337ae; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dcf0a0 10 bytes {MOV EAX, 0x338d6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 0000000076dcf0c0 10 bytes {MOV EAX, 0x338aa; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\Explorer.EXE[1520] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076dcda80 10 bytes {MOV EAX, 0xb37da; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\Explorer.EXE[1520] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076dcdc50 10 bytes {MOV EAX, 0xb3806; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\Explorer.EXE[1520] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dcdd50 10 bytes {MOV EAX, 0xb362f; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\Explorer.EXE[1520] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076dcde00 10 bytes {MOV EAX, 0xb3716; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\Explorer.EXE[1520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dcde50 10 bytes {MOV EAX, 0xb3832; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\Explorer.EXE[1520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dcde90 10 bytes {MOV EAX, 0xb367b; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\Explorer.EXE[1520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dce430 10 bytes {MOV EAX, 0xb36c7; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\Explorer.EXE[1520] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dce830 10 bytes {MOV EAX, 0xb387e; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\Explorer.EXE[1520] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dcecc0 10 bytes {MOV EAX, 0xb3762; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\Explorer.EXE[1520] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dceee0 10 bytes {MOV EAX, 0xb37ae; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\Explorer.EXE[1520] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dcf0a0 10 bytes {MOV EAX, 0xb38d6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\Explorer.EXE[1520] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 0000000076dcf0c0 10 bytes {MOV EAX, 0xb38aa; MOVSXD RAX, EAX; JMP RAX} .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 1 0000000076f80f19 3 bytes [5E, 3C, 07] .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 5 0000000076f80f1d 2 bytes {JMP RAX} .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 1 0000000076f81c55 3 bytes [8F, 3C, 07] .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[1620] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 5 0000000076f81c59 2 bytes {JMP RAX} .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[1620] C:\Windows\syswow64\USER32.dll!GetPropW + 126 00000000751472a5 3 bytes [53, 3D, 07] .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[1620] C:\Windows\syswow64\USER32.dll!GetPropW + 130 00000000751472a9 2 bytes {JMP RAX} .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[1620] C:\Windows\syswow64\USER32.dll!RegisterClassW + 379 0000000075148be0 3 bytes [84, 3D, 07] .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[1620] C:\Windows\syswow64\USER32.dll!RegisterClassW + 383 0000000075148be4 2 bytes {JMP RAX} .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[1620] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 64 0000000075151286 3 bytes [22, 3D, 07] .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[1620] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 68 000000007515128a 2 bytes {JMP RAX} .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[1620] C:\Windows\syswow64\USER32.dll!SendInput + 1 000000007516ff4b 3 bytes [B5, 3D, 07] .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[1620] C:\Windows\syswow64\USER32.dll!SendInput + 5 000000007516ff4f 2 bytes {JMP RAX} .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[1620] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074ad1401 2 bytes JMP 768db20b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[1620] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074ad1419 2 bytes JMP 768db336 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[1620] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074ad1431 2 bytes JMP 76958f39 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[1620] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074ad144a 2 bytes CALL 768b4885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[1620] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074ad14dd 2 bytes JMP 76958832 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[1620] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074ad14f5 2 bytes JMP 76958a08 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[1620] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074ad150d 2 bytes JMP 76958728 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[1620] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074ad1525 2 bytes JMP 76958af2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[1620] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074ad153d 2 bytes JMP 768cfc98 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[1620] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074ad1555 2 bytes JMP 768d68df C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[1620] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074ad156d 2 bytes JMP 76958ff1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[1620] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074ad1585 2 bytes JMP 76958b52 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[1620] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074ad159d 2 bytes JMP 769586ec C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[1620] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074ad15b5 2 bytes JMP 768cfd31 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[1620] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074ad15cd 2 bytes JMP 768db2cc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[1620] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074ad16b2 2 bytes JMP 76958eb4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Connectify\ConnectifyService.exe[1620] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074ad16bd 2 bytes JMP 76958681 C:\Windows\syswow64\kernel32.dll .text C:\Users\Admin\AppData\Local\Crsoft\crsvc.exe[1648] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 1 0000000076f80f19 3 bytes [5E, 3C, 07] .text C:\Users\Admin\AppData\Local\Crsoft\crsvc.exe[1648] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 5 0000000076f80f1d 2 bytes {JMP RAX} .text C:\Users\Admin\AppData\Local\Crsoft\crsvc.exe[1648] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 1 0000000076f81c55 3 bytes [8F, 3C, 07] .text C:\Users\Admin\AppData\Local\Crsoft\crsvc.exe[1648] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 5 0000000076f81c59 2 bytes {JMP RAX} .text C:\Users\Admin\AppData\Local\Crsoft\crsvc.exe[1648] C:\Windows\syswow64\user32.DLL!GetPropW + 126 00000000751472a5 3 bytes [53, 3D, 07] .text C:\Users\Admin\AppData\Local\Crsoft\crsvc.exe[1648] C:\Windows\syswow64\user32.DLL!GetPropW + 130 00000000751472a9 2 bytes {JMP RAX} .text C:\Users\Admin\AppData\Local\Crsoft\crsvc.exe[1648] C:\Windows\syswow64\user32.DLL!RegisterClassW + 379 0000000075148be0 3 bytes [84, 3D, 07] .text C:\Users\Admin\AppData\Local\Crsoft\crsvc.exe[1648] C:\Windows\syswow64\user32.DLL!RegisterClassW + 383 0000000075148be4 2 bytes {JMP RAX} .text C:\Users\Admin\AppData\Local\Crsoft\crsvc.exe[1648] C:\Windows\syswow64\user32.DLL!TranslateAcceleratorW + 64 0000000075151286 3 bytes [22, 3D, 07] .text C:\Users\Admin\AppData\Local\Crsoft\crsvc.exe[1648] C:\Windows\syswow64\user32.DLL!TranslateAcceleratorW + 68 000000007515128a 2 bytes {JMP RAX} .text C:\Users\Admin\AppData\Local\Crsoft\crsvc.exe[1648] C:\Windows\syswow64\user32.DLL!SendInput + 1 000000007516ff4b 3 bytes [B5, 3D, 07] .text C:\Users\Admin\AppData\Local\Crsoft\crsvc.exe[1648] C:\Windows\syswow64\user32.DLL!SendInput + 5 000000007516ff4f 2 bytes {JMP RAX} .text C:\Users\Admin\AppData\Local\Crsoft\crsvc.exe[1648] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074ad1401 2 bytes JMP 768db20b C:\Windows\syswow64\kernel32.dll .text C:\Users\Admin\AppData\Local\Crsoft\crsvc.exe[1648] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074ad1419 2 bytes JMP 768db336 C:\Windows\syswow64\kernel32.dll .text C:\Users\Admin\AppData\Local\Crsoft\crsvc.exe[1648] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074ad1431 2 bytes JMP 76958f39 C:\Windows\syswow64\kernel32.dll .text C:\Users\Admin\AppData\Local\Crsoft\crsvc.exe[1648] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074ad144a 2 bytes CALL 768b4885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Users\Admin\AppData\Local\Crsoft\crsvc.exe[1648] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074ad14dd 2 bytes JMP 76958832 C:\Windows\syswow64\kernel32.dll .text C:\Users\Admin\AppData\Local\Crsoft\crsvc.exe[1648] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074ad14f5 2 bytes JMP 76958a08 C:\Windows\syswow64\kernel32.dll .text C:\Users\Admin\AppData\Local\Crsoft\crsvc.exe[1648] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074ad150d 2 bytes JMP 76958728 C:\Windows\syswow64\kernel32.dll .text C:\Users\Admin\AppData\Local\Crsoft\crsvc.exe[1648] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074ad1525 2 bytes JMP 76958af2 C:\Windows\syswow64\kernel32.dll .text C:\Users\Admin\AppData\Local\Crsoft\crsvc.exe[1648] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074ad153d 2 bytes JMP 768cfc98 C:\Windows\syswow64\kernel32.dll .text C:\Users\Admin\AppData\Local\Crsoft\crsvc.exe[1648] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074ad1555 2 bytes JMP 768d68df C:\Windows\syswow64\kernel32.dll .text C:\Users\Admin\AppData\Local\Crsoft\crsvc.exe[1648] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074ad156d 2 bytes JMP 76958ff1 C:\Windows\syswow64\kernel32.dll .text C:\Users\Admin\AppData\Local\Crsoft\crsvc.exe[1648] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074ad1585 2 bytes JMP 76958b52 C:\Windows\syswow64\kernel32.dll .text C:\Users\Admin\AppData\Local\Crsoft\crsvc.exe[1648] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074ad159d 2 bytes JMP 769586ec C:\Windows\syswow64\kernel32.dll .text C:\Users\Admin\AppData\Local\Crsoft\crsvc.exe[1648] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074ad15b5 2 bytes JMP 768cfd31 C:\Windows\syswow64\kernel32.dll .text C:\Users\Admin\AppData\Local\Crsoft\crsvc.exe[1648] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074ad15cd 2 bytes JMP 768db2cc C:\Windows\syswow64\kernel32.dll .text C:\Users\Admin\AppData\Local\Crsoft\crsvc.exe[1648] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074ad16b2 2 bytes JMP 76958eb4 C:\Windows\syswow64\kernel32.dll .text C:\Users\Admin\AppData\Local\Crsoft\crsvc.exe[1648] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074ad16bd 2 bytes JMP 76958681 C:\Windows\syswow64\kernel32.dll .text C:\Windows\System32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076dcda80 10 bytes {MOV EAX, 0x337da; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076dcdc50 10 bytes {MOV EAX, 0x33806; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dcdd50 10 bytes {MOV EAX, 0x3362f; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076dcde00 10 bytes {MOV EAX, 0x33716; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dcde50 10 bytes {MOV EAX, 0x33832; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dcde90 10 bytes {MOV EAX, 0x3367b; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dce430 10 bytes {MOV EAX, 0x336c7; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dce830 10 bytes {MOV EAX, 0x3387e; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dcecc0 10 bytes {MOV EAX, 0x33762; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dceee0 10 bytes {MOV EAX, 0x337ae; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dcf0a0 10 bytes {MOV EAX, 0x338d6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 0000000076dcf0c0 10 bytes {MOV EAX, 0x338aa; MOVSXD RAX, EAX; JMP RAX} .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[1736] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 1 0000000076f80f19 3 bytes [5E, 3C, 07] .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[1736] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 5 0000000076f80f1d 2 bytes {JMP RAX} .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[1736] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 1 0000000076f81c55 3 bytes [8F, 3C, 07] .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[1736] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 5 0000000076f81c59 2 bytes {JMP RAX} .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[1736] C:\Windows\syswow64\USER32.dll!GetPropW + 126 00000000751472a5 3 bytes [53, 3D, 07] .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[1736] C:\Windows\syswow64\USER32.dll!GetPropW + 130 00000000751472a9 2 bytes {JMP RAX} .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[1736] C:\Windows\syswow64\USER32.dll!RegisterClassW + 379 0000000075148be0 3 bytes [84, 3D, 07] .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[1736] C:\Windows\syswow64\USER32.dll!RegisterClassW + 383 0000000075148be4 2 bytes {JMP RAX} .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[1736] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 64 0000000075151286 3 bytes [22, 3D, 07] .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[1736] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 68 000000007515128a 2 bytes {JMP RAX} .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[1736] C:\Windows\syswow64\USER32.dll!SendInput + 1 000000007516ff4b 3 bytes [B5, 3D, 07] .text C:\Program Files (x86)\Connectify\ConnectifyD.exe[1736] C:\Windows\syswow64\USER32.dll!SendInput + 5 000000007516ff4f 2 bytes {JMP RAX} .text C:\Program Files\DrWeb\dwservice.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!LdrInitializeThunk 0000000076dab630 10 bytes {MOV EAX, 0x335c8; MOVSXD RAX, EAX; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1972] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076dcda80 10 bytes {MOV EAX, 0x1337da; MOVSXD RAX, EAX; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1972] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076dcdc50 10 bytes {MOV EAX, 0x133806; MOVSXD RAX, EAX; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1972] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dcdd50 10 bytes {MOV EAX, 0x13362f; MOVSXD RAX, EAX; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1972] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076dcde00 10 bytes {MOV EAX, 0x133716; MOVSXD RAX, EAX; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dcde50 10 bytes {MOV EAX, 0x133832; MOVSXD RAX, EAX; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dcde90 10 bytes {MOV EAX, 0x13367b; MOVSXD RAX, EAX; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dce430 10 bytes {MOV EAX, 0x1336c7; MOVSXD RAX, EAX; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1972] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dce830 10 bytes {MOV EAX, 0x13387e; MOVSXD RAX, EAX; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1972] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dcecc0 10 bytes {MOV EAX, 0x133762; MOVSXD RAX, EAX; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1972] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dceee0 10 bytes {MOV EAX, 0x1337ae; MOVSXD RAX, EAX; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1972] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dcf0a0 10 bytes {MOV EAX, 0x1338d6; MOVSXD RAX, EAX; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1972] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 0000000076dcf0c0 10 bytes {MOV EAX, 0x1338aa; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076dcda80 10 bytes {MOV EAX, 0x337da; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076dcdc50 10 bytes {MOV EAX, 0x33806; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dcdd50 10 bytes {MOV EAX, 0x3362f; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076dcde00 10 bytes {MOV EAX, 0x33716; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dcde50 10 bytes {MOV EAX, 0x33832; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dcde90 10 bytes {MOV EAX, 0x3367b; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dce430 10 bytes {MOV EAX, 0x336c7; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dce830 10 bytes {MOV EAX, 0x3387e; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dcecc0 10 bytes {MOV EAX, 0x33762; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dceee0 10 bytes {MOV EAX, 0x337ae; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dcf0a0 10 bytes {MOV EAX, 0x338d6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 0000000076dcf0c0 10 bytes {MOV EAX, 0x338aa; MOVSXD RAX, EAX; JMP RAX} .text C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe[1140] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 1 0000000076f80f19 3 bytes [5E, 3C, 07] .text C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe[1140] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 5 0000000076f80f1d 2 bytes {JMP RAX} .text C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe[1140] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 1 0000000076f81c55 3 bytes [8F, 3C, 07] .text C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe[1140] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 5 0000000076f81c59 2 bytes {JMP RAX} .text C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe[1140] C:\Windows\syswow64\USER32.dll!GetPropW + 126 00000000751472a5 3 bytes [53, 3D, 07] .text C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe[1140] C:\Windows\syswow64\USER32.dll!GetPropW + 130 00000000751472a9 2 bytes {JMP RAX} .text C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe[1140] C:\Windows\syswow64\USER32.dll!RegisterClassW + 379 0000000075148be0 3 bytes [84, 3D, 07] .text C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe[1140] C:\Windows\syswow64\USER32.dll!RegisterClassW + 383 0000000075148be4 2 bytes {JMP RAX} .text C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe[1140] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 64 0000000075151286 3 bytes [22, 3D, 07] .text C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe[1140] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 68 000000007515128a 2 bytes {JMP RAX} .text C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe[1140] C:\Windows\syswow64\USER32.dll!SendInput + 1 000000007516ff4b 3 bytes [B5, 3D, 07] .text C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe[1140] C:\Windows\syswow64\USER32.dll!SendInput + 5 000000007516ff4f 2 bytes {JMP RAX} .text C:\Windows\System32\igfxtray.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076dcda80 10 bytes {MOV EAX, 0x1337da; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\igfxtray.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076dcdc50 10 bytes {MOV EAX, 0x133806; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\igfxtray.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dcdd50 10 bytes {MOV EAX, 0x13362f; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\igfxtray.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076dcde00 10 bytes {MOV EAX, 0x133716; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\igfxtray.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dcde50 10 bytes {MOV EAX, 0x133832; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\igfxtray.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dcde90 10 bytes {MOV EAX, 0x13367b; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\igfxtray.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dce430 10 bytes {MOV EAX, 0x1336c7; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\igfxtray.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dce830 10 bytes {MOV EAX, 0x13387e; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\igfxtray.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dcecc0 10 bytes {MOV EAX, 0x133762; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\igfxtray.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dceee0 10 bytes {MOV EAX, 0x1337ae; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\igfxtray.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dcf0a0 10 bytes {MOV EAX, 0x1338d6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\igfxtray.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 0000000076dcf0c0 10 bytes {MOV EAX, 0x1338aa; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\hkcmd.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076dcda80 10 bytes {MOV EAX, 0x1337da; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\hkcmd.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076dcdc50 10 bytes {MOV EAX, 0x133806; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\hkcmd.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dcdd50 10 bytes {MOV EAX, 0x13362f; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\hkcmd.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076dcde00 10 bytes {MOV EAX, 0x133716; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\hkcmd.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dcde50 10 bytes {MOV EAX, 0x133832; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\hkcmd.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dcde90 10 bytes {MOV EAX, 0x13367b; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\hkcmd.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dce430 10 bytes {MOV EAX, 0x1336c7; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\hkcmd.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dce830 10 bytes {MOV EAX, 0x13387e; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\hkcmd.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dcecc0 10 bytes {MOV EAX, 0x133762; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\hkcmd.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dceee0 10 bytes {MOV EAX, 0x1337ae; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\hkcmd.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dcf0a0 10 bytes {MOV EAX, 0x1338d6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\hkcmd.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 0000000076dcf0c0 10 bytes {MOV EAX, 0x1338aa; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\igfxpers.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076dcda80 10 bytes {MOV EAX, 0x1337da; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\igfxpers.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076dcdc50 10 bytes {MOV EAX, 0x133806; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\igfxpers.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dcdd50 10 bytes {MOV EAX, 0x13362f; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\igfxpers.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076dcde00 10 bytes {MOV EAX, 0x133716; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\igfxpers.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dcde50 10 bytes {MOV EAX, 0x133832; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\igfxpers.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dcde90 10 bytes {MOV EAX, 0x13367b; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\igfxpers.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dce430 10 bytes {MOV EAX, 0x1336c7; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\igfxpers.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dce830 10 bytes {MOV EAX, 0x13387e; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\igfxpers.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dcecc0 10 bytes {MOV EAX, 0x133762; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\igfxpers.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dceee0 10 bytes {MOV EAX, 0x1337ae; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\igfxpers.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dcf0a0 10 bytes {MOV EAX, 0x1338d6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\System32\igfxpers.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 0000000076dcf0c0 10 bytes {MOV EAX, 0x1338aa; MOVSXD RAX, EAX; JMP RAX} .text C:\Program Files\DrWeb\spideragent.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!LdrInitializeThunk 0000000076dab630 10 bytes {MOV EAX, 0x335c8; MOVSXD RAX, EAX; JMP RAX} .text C:\Program Files\DrWeb\spideragent.exe[2112] C:\Windows\system32\kernel32.dll!SetUnhandledExceptionFilter 0000000076c790a0 3 bytes [33, C0, C3] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2708] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 1 0000000076f80f19 3 bytes [5E, 3C, 07] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2708] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 5 0000000076f80f1d 2 bytes {JMP RAX} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2708] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 1 0000000076f81c55 3 bytes [8F, 3C, 07] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2708] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 5 0000000076f81c59 2 bytes {JMP RAX} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2708] C:\Windows\syswow64\USER32.dll!GetPropW + 126 00000000751472a5 3 bytes [53, 3D, 07] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2708] C:\Windows\syswow64\USER32.dll!GetPropW + 130 00000000751472a9 2 bytes {JMP RAX} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2708] C:\Windows\syswow64\USER32.dll!RegisterClassW + 379 0000000075148be0 3 bytes [84, 3D, 07] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2708] C:\Windows\syswow64\USER32.dll!RegisterClassW + 383 0000000075148be4 2 bytes {JMP RAX} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2708] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 64 0000000075151286 3 bytes [22, 3D, 07] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2708] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 68 000000007515128a 2 bytes {JMP RAX} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2708] C:\Windows\syswow64\USER32.dll!SendInput + 1 000000007516ff4b 3 bytes [B5, 3D, 07] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2708] C:\Windows\syswow64\USER32.dll!SendInput + 5 000000007516ff4f 2 bytes {JMP RAX} .text C:\Program Files (x86)\Feed Notifier\notifier.exe[2716] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 1 0000000076f80f19 3 bytes [5E, 3C, 1B] .text C:\Program Files (x86)\Feed Notifier\notifier.exe[2716] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 5 0000000076f80f1d 2 bytes {JMP RAX} .text C:\Program Files (x86)\Feed Notifier\notifier.exe[2716] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 1 0000000076f81c55 3 bytes [8F, 3C, 1B] .text C:\Program Files (x86)\Feed Notifier\notifier.exe[2716] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 5 0000000076f81c59 2 bytes {JMP RAX} .text C:\Program Files (x86)\Feed Notifier\notifier.exe[2716] C:\Windows\syswow64\USER32.dll!GetPropW + 126 00000000751472a5 3 bytes [53, 3D, 1B] .text C:\Program Files (x86)\Feed Notifier\notifier.exe[2716] C:\Windows\syswow64\USER32.dll!GetPropW + 130 00000000751472a9 2 bytes {JMP RAX} .text C:\Program Files (x86)\Feed Notifier\notifier.exe[2716] C:\Windows\syswow64\USER32.dll!RegisterClassW + 379 0000000075148be0 3 bytes [84, 3D, 1B] .text C:\Program Files (x86)\Feed Notifier\notifier.exe[2716] C:\Windows\syswow64\USER32.dll!RegisterClassW + 383 0000000075148be4 2 bytes {JMP RAX} .text C:\Program Files (x86)\Feed Notifier\notifier.exe[2716] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 64 0000000075151286 3 bytes [22, 3D, 1B] .text C:\Program Files (x86)\Feed Notifier\notifier.exe[2716] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 68 000000007515128a 2 bytes {JMP RAX} .text C:\Program Files (x86)\Feed Notifier\notifier.exe[2716] C:\Windows\syswow64\USER32.dll!SendInput + 1 000000007516ff4b 3 bytes [B5, 3D, 1B] .text C:\Program Files (x86)\Feed Notifier\notifier.exe[2716] C:\Windows\syswow64\USER32.dll!SendInput + 5 000000007516ff4f 2 bytes {JMP RAX} .text C:\Windows\system32\SearchIndexer.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076dcda80 10 bytes {MOV EAX, 0x337da; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\SearchIndexer.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076dcdc50 10 bytes {MOV EAX, 0x33806; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\SearchIndexer.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dcdd50 10 bytes {MOV EAX, 0x3362f; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\SearchIndexer.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076dcde00 10 bytes {MOV EAX, 0x33716; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\SearchIndexer.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dcde50 10 bytes {MOV EAX, 0x33832; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\SearchIndexer.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dcde90 10 bytes {MOV EAX, 0x3367b; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\SearchIndexer.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dce430 10 bytes {MOV EAX, 0x336c7; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\SearchIndexer.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dce830 10 bytes {MOV EAX, 0x3387e; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\SearchIndexer.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dcecc0 10 bytes {MOV EAX, 0x33762; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\SearchIndexer.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dceee0 10 bytes {MOV EAX, 0x337ae; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\SearchIndexer.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dcf0a0 10 bytes {MOV EAX, 0x338d6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\SearchIndexer.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 0000000076dcf0c0 10 bytes {MOV EAX, 0x338aa; MOVSXD RAX, EAX; JMP RAX} .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2864] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 1 0000000076f80f19 3 bytes [5E, 3C, 07] .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2864] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 5 0000000076f80f1d 2 bytes {JMP RAX} .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2864] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 1 0000000076f81c55 3 bytes [8F, 3C, 07] .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2864] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 5 0000000076f81c59 2 bytes {JMP RAX} .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2864] C:\Windows\syswow64\USER32.dll!GetPropW + 126 00000000751472a5 3 bytes [53, 3D, 07] .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2864] C:\Windows\syswow64\USER32.dll!GetPropW + 130 00000000751472a9 2 bytes {JMP RAX} .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2864] C:\Windows\syswow64\USER32.dll!RegisterClassW + 379 0000000075148be0 3 bytes [84, 3D, 07] .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2864] C:\Windows\syswow64\USER32.dll!RegisterClassW + 383 0000000075148be4 2 bytes {JMP RAX} .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2864] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 64 0000000075151286 3 bytes [22, 3D, 07] .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2864] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 68 000000007515128a 2 bytes {JMP RAX} .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2864] C:\Windows\syswow64\USER32.dll!SendInput + 1 000000007516ff4b 3 bytes [B5, 3D, 07] .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[2864] C:\Windows\syswow64\USER32.dll!SendInput + 5 000000007516ff4f 2 bytes {JMP RAX} .text C:\Program Files\Common Files\Doctor Web\Scanning Engine\dwengine.exe[3144] C:\Windows\SysWOW64\ntdll.dll!LdrInitializeThunk 0000000076f997f9 5 bytes JMP 0000000100073a64 .text C:\Program Files\Common Files\Doctor Web\Scanning Engine\dwengine.exe[3144] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074ad1401 2 bytes JMP 768db20b C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Common Files\Doctor Web\Scanning Engine\dwengine.exe[3144] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074ad1419 2 bytes JMP 768db336 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Common Files\Doctor Web\Scanning Engine\dwengine.exe[3144] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074ad1431 2 bytes JMP 76958f39 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Common Files\Doctor Web\Scanning Engine\dwengine.exe[3144] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074ad144a 2 bytes CALL 768b4885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files\Common Files\Doctor Web\Scanning Engine\dwengine.exe[3144] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074ad14dd 2 bytes JMP 76958832 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Common Files\Doctor Web\Scanning Engine\dwengine.exe[3144] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074ad14f5 2 bytes JMP 76958a08 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Common Files\Doctor Web\Scanning Engine\dwengine.exe[3144] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074ad150d 2 bytes JMP 76958728 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Common Files\Doctor Web\Scanning Engine\dwengine.exe[3144] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074ad1525 2 bytes JMP 76958af2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Common Files\Doctor Web\Scanning Engine\dwengine.exe[3144] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074ad153d 2 bytes JMP 768cfc98 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Common Files\Doctor Web\Scanning Engine\dwengine.exe[3144] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074ad1555 2 bytes JMP 768d68df C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Common Files\Doctor Web\Scanning Engine\dwengine.exe[3144] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074ad156d 2 bytes JMP 76958ff1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Common Files\Doctor Web\Scanning Engine\dwengine.exe[3144] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074ad1585 2 bytes JMP 76958b52 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Common Files\Doctor Web\Scanning Engine\dwengine.exe[3144] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074ad159d 2 bytes JMP 769586ec C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Common Files\Doctor Web\Scanning Engine\dwengine.exe[3144] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074ad15b5 2 bytes JMP 768cfd31 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Common Files\Doctor Web\Scanning Engine\dwengine.exe[3144] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074ad15cd 2 bytes JMP 768db2cc C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Common Files\Doctor Web\Scanning Engine\dwengine.exe[3144] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074ad16b2 2 bytes JMP 76958eb4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Common Files\Doctor Web\Scanning Engine\dwengine.exe[3144] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074ad16bd 2 bytes JMP 76958681 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Common Files\Doctor Web\Scanning Engine\dwarkdaemon.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!LdrInitializeThunk 0000000076dab630 10 bytes {MOV EAX, 0x335c8; MOVSXD RAX, EAX; JMP RAX} .text C:\Program Files\DrWeb\dwnetfilter.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!LdrInitializeThunk 0000000076dab630 10 bytes {MOV EAX, 0x335c8; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[2752] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076dcda80 10 bytes {MOV EAX, 0x337da; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[2752] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076dcdc50 10 bytes {MOV EAX, 0x33806; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[2752] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dcdd50 10 bytes {MOV EAX, 0x3362f; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[2752] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076dcde00 10 bytes {MOV EAX, 0x33716; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[2752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dcde50 10 bytes {MOV EAX, 0x33832; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[2752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dcde90 10 bytes {MOV EAX, 0x3367b; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[2752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dce430 10 bytes {MOV EAX, 0x336c7; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[2752] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dce830 10 bytes {MOV EAX, 0x3387e; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[2752] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dcecc0 10 bytes {MOV EAX, 0x33762; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[2752] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dceee0 10 bytes {MOV EAX, 0x337ae; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[2752] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dcf0a0 10 bytes {MOV EAX, 0x338d6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[2752] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 0000000076dcf0c0 10 bytes {MOV EAX, 0x338aa; MOVSXD RAX, EAX; JMP RAX} .text C:\Program Files (x86)\Nero\Update\NASvc.exe[1324] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 1 0000000076f80f19 3 bytes [5E, 3C, 07] .text C:\Program Files (x86)\Nero\Update\NASvc.exe[1324] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 5 0000000076f80f1d 2 bytes {JMP RAX} .text C:\Program Files (x86)\Nero\Update\NASvc.exe[1324] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 1 0000000076f81c55 3 bytes [8F, 3C, 07] .text C:\Program Files (x86)\Nero\Update\NASvc.exe[1324] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 5 0000000076f81c59 2 bytes {JMP RAX} .text C:\Program Files (x86)\Nero\Update\NASvc.exe[1324] C:\Windows\syswow64\USER32.dll!GetPropW + 126 00000000751472a5 3 bytes [53, 3D, 07] .text C:\Program Files (x86)\Nero\Update\NASvc.exe[1324] C:\Windows\syswow64\USER32.dll!GetPropW + 130 00000000751472a9 2 bytes {JMP RAX} .text C:\Program Files (x86)\Nero\Update\NASvc.exe[1324] C:\Windows\syswow64\USER32.dll!RegisterClassW + 379 0000000075148be0 3 bytes [84, 3D, 07] .text C:\Program Files (x86)\Nero\Update\NASvc.exe[1324] C:\Windows\syswow64\USER32.dll!RegisterClassW + 383 0000000075148be4 2 bytes {JMP RAX} .text C:\Program Files (x86)\Nero\Update\NASvc.exe[1324] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 64 0000000075151286 3 bytes [22, 3D, 07] .text C:\Program Files (x86)\Nero\Update\NASvc.exe[1324] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 68 000000007515128a 2 bytes {JMP RAX} .text C:\Program Files (x86)\Nero\Update\NASvc.exe[1324] C:\Windows\syswow64\USER32.dll!SendInput + 1 000000007516ff4b 3 bytes [B5, 3D, 07] .text C:\Program Files (x86)\Nero\Update\NASvc.exe[1324] C:\Windows\syswow64\USER32.dll!SendInput + 5 000000007516ff4f 2 bytes {JMP RAX} .text C:\Windows\SysWOW64\DllHost.exe[3768] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 1 0000000076f80f19 3 bytes [5E, 3C, 07] .text C:\Windows\SysWOW64\DllHost.exe[3768] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 5 0000000076f80f1d 2 bytes {JMP RAX} .text C:\Windows\SysWOW64\DllHost.exe[3768] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 1 0000000076f81c55 3 bytes [8F, 3C, 07] .text C:\Windows\SysWOW64\DllHost.exe[3768] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 5 0000000076f81c59 2 bytes {JMP RAX} .text C:\Windows\SysWOW64\DllHost.exe[3768] C:\Windows\syswow64\USER32.dll!GetPropW + 126 00000000751472a5 3 bytes [53, 3D, 07] .text C:\Windows\SysWOW64\DllHost.exe[3768] C:\Windows\syswow64\USER32.dll!GetPropW + 130 00000000751472a9 2 bytes {JMP RAX} .text C:\Windows\SysWOW64\DllHost.exe[3768] C:\Windows\syswow64\USER32.dll!RegisterClassW + 379 0000000075148be0 3 bytes [84, 3D, 07] .text C:\Windows\SysWOW64\DllHost.exe[3768] C:\Windows\syswow64\USER32.dll!RegisterClassW + 383 0000000075148be4 2 bytes {JMP RAX} .text C:\Windows\SysWOW64\DllHost.exe[3768] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 64 0000000075151286 3 bytes [22, 3D, 07] .text C:\Windows\SysWOW64\DllHost.exe[3768] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 68 000000007515128a 2 bytes {JMP RAX} .text C:\Windows\SysWOW64\DllHost.exe[3768] C:\Windows\syswow64\USER32.dll!SendInput + 1 000000007516ff4b 3 bytes [B5, 3D, 07] .text C:\Windows\SysWOW64\DllHost.exe[3768] C:\Windows\syswow64\USER32.dll!SendInput + 5 000000007516ff4f 2 bytes {JMP RAX} .text C:\Users\Admin\AppData\Local\Temp\nsvD819.tmp[680] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 1 0000000076f80f19 3 bytes [5E, 3C, 1B] .text C:\Users\Admin\AppData\Local\Temp\nsvD819.tmp[680] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 5 0000000076f80f1d 2 bytes {JMP RAX} .text C:\Users\Admin\AppData\Local\Temp\nsvD819.tmp[680] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 1 0000000076f81c55 3 bytes [8F, 3C, 1B] .text C:\Users\Admin\AppData\Local\Temp\nsvD819.tmp[680] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 5 0000000076f81c59 2 bytes {JMP RAX} .text C:\Users\Admin\AppData\Local\Temp\nsvD819.tmp[680] C:\Windows\syswow64\USER32.dll!GetPropW + 126 00000000751472a5 3 bytes [53, 3D, 1B] .text C:\Users\Admin\AppData\Local\Temp\nsvD819.tmp[680] C:\Windows\syswow64\USER32.dll!GetPropW + 130 00000000751472a9 2 bytes {JMP RAX} .text C:\Users\Admin\AppData\Local\Temp\nsvD819.tmp[680] C:\Windows\syswow64\USER32.dll!RegisterClassW + 379 0000000075148be0 3 bytes [84, 3D, 1B] .text C:\Users\Admin\AppData\Local\Temp\nsvD819.tmp[680] C:\Windows\syswow64\USER32.dll!RegisterClassW + 383 0000000075148be4 2 bytes {JMP RAX} .text C:\Users\Admin\AppData\Local\Temp\nsvD819.tmp[680] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 64 0000000075151286 3 bytes [22, 3D, 1B] .text C:\Users\Admin\AppData\Local\Temp\nsvD819.tmp[680] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 68 000000007515128a 2 bytes {JMP RAX} .text C:\Users\Admin\AppData\Local\Temp\nsvD819.tmp[680] C:\Windows\syswow64\USER32.dll!SendInput + 1 000000007516ff4b 3 bytes [B5, 3D, 1B] .text C:\Users\Admin\AppData\Local\Temp\nsvD819.tmp[680] C:\Windows\syswow64\USER32.dll!SendInput + 5 000000007516ff4f 2 bytes {JMP RAX} .text C:\ProgramData\OWdsManProO\WdsManPro.exe[1200] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 1 0000000076f80f19 3 bytes [5E, 3C, 0B] .text C:\ProgramData\OWdsManProO\WdsManPro.exe[1200] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 5 0000000076f80f1d 2 bytes {JMP RAX} .text C:\ProgramData\OWdsManProO\WdsManPro.exe[1200] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 1 0000000076f81c55 3 bytes [8F, 3C, 0B] .text C:\ProgramData\OWdsManProO\WdsManPro.exe[1200] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 5 0000000076f81c59 2 bytes {JMP RAX} .text C:\ProgramData\OWdsManProO\WdsManPro.exe[1200] C:\Windows\syswow64\USER32.dll!GetPropW + 126 00000000751472a5 3 bytes [53, 3D, 0B] .text C:\ProgramData\OWdsManProO\WdsManPro.exe[1200] C:\Windows\syswow64\USER32.dll!GetPropW + 130 00000000751472a9 2 bytes {JMP RAX} .text C:\ProgramData\OWdsManProO\WdsManPro.exe[1200] C:\Windows\syswow64\USER32.dll!RegisterClassW + 379 0000000075148be0 3 bytes [84, 3D, 0B] .text C:\ProgramData\OWdsManProO\WdsManPro.exe[1200] C:\Windows\syswow64\USER32.dll!RegisterClassW + 383 0000000075148be4 2 bytes {JMP RAX} .text C:\ProgramData\OWdsManProO\WdsManPro.exe[1200] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 64 0000000075151286 3 bytes [22, 3D, 0B] .text C:\ProgramData\OWdsManProO\WdsManPro.exe[1200] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 68 000000007515128a 2 bytes {JMP RAX} .text C:\ProgramData\OWdsManProO\WdsManPro.exe[1200] C:\Windows\syswow64\USER32.dll!SendInput + 1 000000007516ff4b 3 bytes [B5, 3D, 0B] .text C:\ProgramData\OWdsManProO\WdsManPro.exe[1200] C:\Windows\syswow64\USER32.dll!SendInput + 5 000000007516ff4f 2 bytes {JMP RAX} .text C:\Program Files (x86)\SFK\SSFK.exe[3512] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 1 0000000076f80f19 3 bytes [5E, 3C, 1B] .text C:\Program Files (x86)\SFK\SSFK.exe[3512] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 5 0000000076f80f1d 2 bytes {JMP RAX} .text C:\Program Files (x86)\SFK\SSFK.exe[3512] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 1 0000000076f81c55 3 bytes [8F, 3C, 1B] .text C:\Program Files (x86)\SFK\SSFK.exe[3512] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 5 0000000076f81c59 2 bytes {JMP RAX} .text C:\Program Files (x86)\SFK\SSFK.exe[3512] C:\Windows\syswow64\USER32.dll!GetPropW + 126 00000000751472a5 3 bytes [53, 3D, 1B] .text C:\Program Files (x86)\SFK\SSFK.exe[3512] C:\Windows\syswow64\USER32.dll!GetPropW + 130 00000000751472a9 2 bytes {JMP RAX} .text C:\Program Files (x86)\SFK\SSFK.exe[3512] C:\Windows\syswow64\USER32.dll!RegisterClassW + 379 0000000075148be0 3 bytes [84, 3D, 1B] .text C:\Program Files (x86)\SFK\SSFK.exe[3512] C:\Windows\syswow64\USER32.dll!RegisterClassW + 383 0000000075148be4 2 bytes {JMP RAX} .text C:\Program Files (x86)\SFK\SSFK.exe[3512] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 64 0000000075151286 3 bytes [22, 3D, 1B] .text C:\Program Files (x86)\SFK\SSFK.exe[3512] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 68 000000007515128a 2 bytes {JMP RAX} .text C:\Program Files (x86)\SFK\SSFK.exe[3512] C:\Windows\syswow64\USER32.dll!SendInput + 1 000000007516ff4b 3 bytes [B5, 3D, 1B] .text C:\Program Files (x86)\SFK\SSFK.exe[3512] C:\Windows\syswow64\USER32.dll!SendInput + 5 000000007516ff4f 2 bytes {JMP RAX} .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 1 0000000076f80f19 3 bytes [5E, 3C, 1B] .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 5 0000000076f80f1d 2 bytes {JMP RAX} .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 1 0000000076f81c55 3 bytes [8F, 3C, 1B] .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[3972] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 5 0000000076f81c59 2 bytes {JMP RAX} .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[3972] C:\Windows\syswow64\user32.dll!GetPropW + 126 00000000751472a5 3 bytes [53, 3D, 1B] .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[3972] C:\Windows\syswow64\user32.dll!GetPropW + 130 00000000751472a9 2 bytes {JMP RAX} .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[3972] C:\Windows\syswow64\user32.dll!RegisterClassW + 379 0000000075148be0 3 bytes [84, 3D, 1B] .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[3972] C:\Windows\syswow64\user32.dll!RegisterClassW + 383 0000000075148be4 2 bytes {JMP RAX} .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[3972] C:\Windows\syswow64\user32.dll!TranslateAcceleratorW + 64 0000000075151286 3 bytes [22, 3D, 1B] .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[3972] C:\Windows\syswow64\user32.dll!TranslateAcceleratorW + 68 000000007515128a 2 bytes {JMP RAX} .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[3972] C:\Windows\syswow64\user32.dll!SendInput + 1 000000007516ff4b 3 bytes [B5, 3D, 1B] .text C:\Program Files (x86)\Connectify\ConnectifyNetServices.exe[3972] C:\Windows\syswow64\user32.dll!SendInput + 5 000000007516ff4f 2 bytes {JMP RAX} .text C:\Users\Admin\AppData\Local\Temp\nsuD646.tmp[3332] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 1 0000000076f80f19 3 bytes [5E, 3C, 1B] .text C:\Users\Admin\AppData\Local\Temp\nsuD646.tmp[3332] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 5 0000000076f80f1d 2 bytes {JMP RAX} .text C:\Users\Admin\AppData\Local\Temp\nsuD646.tmp[3332] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 1 0000000076f81c55 3 bytes [8F, 3C, 1B] .text C:\Users\Admin\AppData\Local\Temp\nsuD646.tmp[3332] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 5 0000000076f81c59 2 bytes {JMP RAX} .text C:\Users\Admin\AppData\Local\Temp\nsuD646.tmp[3332] C:\Windows\syswow64\USER32.dll!GetPropW + 126 00000000751472a5 3 bytes [53, 3D, 1B] .text C:\Users\Admin\AppData\Local\Temp\nsuD646.tmp[3332] C:\Windows\syswow64\USER32.dll!GetPropW + 130 00000000751472a9 2 bytes {JMP RAX} .text C:\Users\Admin\AppData\Local\Temp\nsuD646.tmp[3332] C:\Windows\syswow64\USER32.dll!RegisterClassW + 379 0000000075148be0 3 bytes [84, 3D, 1B] .text C:\Users\Admin\AppData\Local\Temp\nsuD646.tmp[3332] C:\Windows\syswow64\USER32.dll!RegisterClassW + 383 0000000075148be4 2 bytes {JMP RAX} .text C:\Users\Admin\AppData\Local\Temp\nsuD646.tmp[3332] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 64 0000000075151286 3 bytes [22, 3D, 1B] .text C:\Users\Admin\AppData\Local\Temp\nsuD646.tmp[3332] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 68 000000007515128a 2 bytes {JMP RAX} .text C:\Users\Admin\AppData\Local\Temp\nsuD646.tmp[3332] C:\Windows\syswow64\USER32.dll!SendInput + 1 000000007516ff4b 3 bytes [B5, 3D, 1B] .text C:\Users\Admin\AppData\Local\Temp\nsuD646.tmp[3332] C:\Windows\syswow64\USER32.dll!SendInput + 5 000000007516ff4f 2 bytes {JMP RAX} .text C:\Windows\system32\AUDIODG.EXE[4044] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076dcda80 10 bytes {MOV EAX, 0x337da; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\AUDIODG.EXE[4044] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076dcdc50 10 bytes {MOV EAX, 0x33806; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\AUDIODG.EXE[4044] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dcdd50 10 bytes {MOV EAX, 0x3362f; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\AUDIODG.EXE[4044] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076dcde00 10 bytes {MOV EAX, 0x33716; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\AUDIODG.EXE[4044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dcde50 10 bytes {MOV EAX, 0x33832; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\AUDIODG.EXE[4044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dcde90 10 bytes {MOV EAX, 0x3367b; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\AUDIODG.EXE[4044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dce430 10 bytes {MOV EAX, 0x336c7; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\AUDIODG.EXE[4044] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000076dce830 10 bytes {MOV EAX, 0x3387e; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\AUDIODG.EXE[4044] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dcecc0 10 bytes {MOV EAX, 0x33762; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\AUDIODG.EXE[4044] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dceee0 10 bytes {MOV EAX, 0x337ae; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\AUDIODG.EXE[4044] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dcf0a0 10 bytes {MOV EAX, 0x338d6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\AUDIODG.EXE[4044] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 0000000076dcf0c0 10 bytes {MOV EAX, 0x338aa; MOVSXD RAX, EAX; JMP RAX} .text C:\Users\Admin\Desktop\dqhvz4gw.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 1 0000000076f80f19 3 bytes [5E, 3C, 1B] .text C:\Users\Admin\Desktop\dqhvz4gw.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 5 0000000076f80f1d 2 bytes {JMP RAX} .text C:\Users\Admin\Desktop\dqhvz4gw.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 1 0000000076f81c55 3 bytes [8F, 3C, 1B] .text C:\Users\Admin\Desktop\dqhvz4gw.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 5 0000000076f81c59 2 bytes {JMP RAX} .text C:\Users\Admin\Desktop\dqhvz4gw.exe[5048] C:\Windows\syswow64\USER32.dll!GetPropW + 126 00000000751472a5 3 bytes [53, 3D, 1B] .text C:\Users\Admin\Desktop\dqhvz4gw.exe[5048] C:\Windows\syswow64\USER32.dll!GetPropW + 130 00000000751472a9 2 bytes {JMP RAX} .text C:\Users\Admin\Desktop\dqhvz4gw.exe[5048] C:\Windows\syswow64\USER32.dll!RegisterClassW + 379 0000000075148be0 3 bytes [84, 3D, 1B] .text C:\Users\Admin\Desktop\dqhvz4gw.exe[5048] C:\Windows\syswow64\USER32.dll!RegisterClassW + 383 0000000075148be4 2 bytes {JMP RAX} .text C:\Users\Admin\Desktop\dqhvz4gw.exe[5048] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 64 0000000075151286 3 bytes [22, 3D, 1B] .text C:\Users\Admin\Desktop\dqhvz4gw.exe[5048] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 68 000000007515128a 2 bytes {JMP RAX} .text C:\Users\Admin\Desktop\dqhvz4gw.exe[5048] C:\Windows\syswow64\USER32.dll!SendInput + 1 000000007516ff4b 3 bytes [B5, 3D, 1B] .text C:\Users\Admin\Desktop\dqhvz4gw.exe[5048] C:\Windows\syswow64\USER32.dll!SendInput + 5 000000007516ff4f 2 bytes {JMP RAX} ---- Processes - GMER 2.1 ---- Process C:\Users\Admin\AppData\Local\Temp\nsvD819.tmp (*** suspicious ***) @ C:\Users\Admin\AppData\Local\Temp\nsvD819.tmp [680](2015-07-23 10:30:14 0000000000400000 Process C:\Users\Admin\AppData\Local\Temp\nsuD646.tmp (*** suspicious ***) @ C:\Users\Admin\AppData\Local\Temp\nsuD646.tmp [3332](2015-10-06 09:43: 0000000000400000 Library C:\Users\Admin\AppData\Local\Temp\nsfE15A.tmp\System.dll (*** suspicious ***) @ C:\Users\Admin\AppData\Local\Temp\nsuD646.tmp [3332](2015-10-06 09:43:08) 0000000010000000 Library C:\Users\Admin\AppData\Local\Temp\nsfE15A.tmp\nsDialogs.dll (*** suspicious ***) @ C:\Users\Admin\AppData\Local\Temp\nsuD646.tmp [3332](2015-10-06 09:43:09) 0000000000370000 Library C:\Users\Admin\AppData\Local\Temp\nsfE15A.tmp\registry.dll (*** suspicious ***) @ C:\Users\Admin\AppData\Local\Temp\nsuD646.tmp [3332](2015-10-06 09:43:09) 0000000002bb0000 Library C:\Users\Admin\AppData\Local\Temp\nsfE15A.tmp\Math.dll (*** suspicious ***) @ C:\Users\Admin\AppData\Local\Temp\nsuD646.tmp [3332] 00000000008d0000 Library C:\Users\Admin\AppData\Local\Temp\nsfE15A.tmp\nsCBHTML5.dll (*** suspicious ***) @ C:\Users\Admin\AppData\Local\Temp\nsuD646.tmp [3332](2015-10-06 09:43:14) 0000000000b00000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch@Epoch 40003 Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch2@Epoch 9869 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\GWX\Usage@UsageTime 0xC5 0x2E 0xFB 0x8F ... ---- EOF - GMER 2.1 ----