GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-10-23 15:02:26 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-2 TOSHIBA_THNSNJ128G8NU rev.JUXA0102 119,24GB Running: v7l4j0p8.exe; Driver: C:\Users\MSI\AppData\Local\Temp\uxrirpow.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.2\avp.exe[1764] C:\Windows\SysWOW64\ntdll.dll!NtQueryValueKey 0000000077acfae8 5 bytes JMP 0000000174062e30 .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.2\avp.exe[1764] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077ad0078 5 bytes JMP 0000000174062df0 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1364] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077211401 2 bytes JMP 7637b20b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1364] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077211419 2 bytes JMP 7637b336 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1364] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077211431 2 bytes JMP 763f8f39 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1364] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007721144a 2 bytes CALL 76354885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1364] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000772114dd 2 bytes JMP 763f8832 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1364] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000772114f5 2 bytes JMP 763f8a08 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1364] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007721150d 2 bytes JMP 763f8728 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1364] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077211525 2 bytes JMP 763f8af2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1364] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007721153d 2 bytes JMP 7636fc98 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1364] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077211555 2 bytes JMP 763768df C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1364] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007721156d 2 bytes JMP 763f8ff1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1364] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077211585 2 bytes JMP 763f8b52 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1364] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007721159d 2 bytes JMP 763f86ec C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1364] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000772115b5 2 bytes JMP 7636fd31 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1364] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000772115cd 2 bytes JMP 7637b2cc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1364] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000772116b2 2 bytes JMP 763f8eb4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1364] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000772116bd 2 bytes JMP 763f8681 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 00000000778d13ef 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 00000000778d1544 8 bytes [60, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 00000000778d18ce 8 bytes [50, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 00000000778d1ba8 8 bytes [40, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 00000000778d1d25 8 bytes [30, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 00000000778d1e8f 8 bytes [20, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 89 00000000778d1f75 8 bytes [10, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 680 00000000778d2238 8 bytes [00, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!RtlIsGenericTableEmptyAvl + 16 00000000778d26e0 8 bytes [F0, 6D, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 000000007791da80 8 bytes {JMP QWORD [RIP-0x4bd61]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 000000007791dc00 8 bytes {JMP QWORD [RIP-0x4bd77]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007791dc30 8 bytes {JMP QWORD [RIP-0x4c6f2]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007791dd50 8 bytes {JMP QWORD [RIP-0x4c1ae]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007791de00 8 bytes {JMP QWORD [RIP-0x4c538]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007791e430 8 bytes {JMP QWORD [RIP-0x4bd56]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007791e680 8 bytes {JMP QWORD [RIP-0x4c44e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[1564] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007791eee0 8 bytes {JMP QWORD [RIP-0x4cf71]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[1564] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000753013cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[1564] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007530146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[1564] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000753016d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[1564] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000753019db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[1564] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000753019fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[1564] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000075301a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[1564] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076d52ab1 5 bytes JMP 0000000100dbfa56 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[1564] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077211401 2 bytes JMP 7637b20b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[1564] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077211419 2 bytes JMP 7637b336 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[1564] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077211431 2 bytes JMP 763f8f39 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[1564] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007721144a 2 bytes CALL 76354885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[1564] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000772114dd 2 bytes JMP 763f8832 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[1564] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000772114f5 2 bytes JMP 763f8a08 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[1564] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007721150d 2 bytes JMP 763f8728 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[1564] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077211525 2 bytes JMP 763f8af2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[1564] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007721153d 2 bytes JMP 7636fc98 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[1564] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077211555 2 bytes JMP 763768df C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[1564] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007721156d 2 bytes JMP 763f8ff1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[1564] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077211585 2 bytes JMP 763f8b52 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[1564] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007721159d 2 bytes JMP 763f86ec C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[1564] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000772115b5 2 bytes JMP 7636fd31 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[1564] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000772115cd 2 bytes JMP 7637b2cc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[1564] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000772116b2 2 bytes JMP 763f8eb4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[1564] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000772116bd 2 bytes JMP 763f8681 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 00000000778d13ef 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 00000000778d1544 8 bytes [60, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 00000000778d18ce 8 bytes [50, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 00000000778d1ba8 8 bytes [40, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 00000000778d1d25 8 bytes [30, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 00000000778d1e8f 8 bytes [20, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 89 00000000778d1f75 8 bytes [10, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 680 00000000778d2238 8 bytes [00, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!RtlIsGenericTableEmptyAvl + 16 00000000778d26e0 8 bytes [F0, 6D, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 000000007791da80 8 bytes {JMP QWORD [RIP-0x4bd61]} .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 000000007791dc00 8 bytes {JMP QWORD [RIP-0x4bd77]} .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007791dc30 8 bytes {JMP QWORD [RIP-0x4c6f2]} .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007791dd50 8 bytes {JMP QWORD [RIP-0x4c1ae]} .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007791de00 8 bytes {JMP QWORD [RIP-0x4c538]} .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007791e430 8 bytes {JMP QWORD [RIP-0x4bd56]} .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007791e680 8 bytes {JMP QWORD [RIP-0x4c44e]} .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007791eee0 8 bytes {JMP QWORD [RIP-0x4cf71]} .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4592] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000753013cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4592] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007530146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4592] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000753016d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4592] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000753019db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4592] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000753019fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4592] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000075301a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Creative\Sound Blaster Cinema 2\Sound Blaster Cinema 2\SBCinema2.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 00000000778d13ef 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Creative\Sound Blaster Cinema 2\Sound Blaster Cinema 2\SBCinema2.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 00000000778d1544 8 bytes [60, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Creative\Sound Blaster Cinema 2\Sound Blaster Cinema 2\SBCinema2.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 00000000778d18ce 8 bytes [50, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Creative\Sound Blaster Cinema 2\Sound Blaster Cinema 2\SBCinema2.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 00000000778d1ba8 8 bytes [40, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Creative\Sound Blaster Cinema 2\Sound Blaster Cinema 2\SBCinema2.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 00000000778d1d25 8 bytes [30, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Creative\Sound Blaster Cinema 2\Sound Blaster Cinema 2\SBCinema2.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 00000000778d1e8f 8 bytes [20, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Creative\Sound Blaster Cinema 2\Sound Blaster Cinema 2\SBCinema2.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 89 00000000778d1f75 8 bytes [10, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Creative\Sound Blaster Cinema 2\Sound Blaster Cinema 2\SBCinema2.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 680 00000000778d2238 8 bytes [00, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Creative\Sound Blaster Cinema 2\Sound Blaster Cinema 2\SBCinema2.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!RtlIsGenericTableEmptyAvl + 16 00000000778d26e0 8 bytes [F0, 6D, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Creative\Sound Blaster Cinema 2\Sound Blaster Cinema 2\SBCinema2.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 000000007791da80 8 bytes {JMP QWORD [RIP-0x4bd61]} .text C:\Program Files (x86)\Creative\Sound Blaster Cinema 2\Sound Blaster Cinema 2\SBCinema2.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 000000007791dc00 8 bytes {JMP QWORD [RIP-0x4bd77]} .text C:\Program Files (x86)\Creative\Sound Blaster Cinema 2\Sound Blaster Cinema 2\SBCinema2.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007791dc30 8 bytes {JMP QWORD [RIP-0x4c6f2]} .text C:\Program Files (x86)\Creative\Sound Blaster Cinema 2\Sound Blaster Cinema 2\SBCinema2.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007791dd50 8 bytes {JMP QWORD [RIP-0x4c1ae]} .text C:\Program Files (x86)\Creative\Sound Blaster Cinema 2\Sound Blaster Cinema 2\SBCinema2.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007791de00 8 bytes {JMP QWORD [RIP-0x4c538]} .text C:\Program Files (x86)\Creative\Sound Blaster Cinema 2\Sound Blaster Cinema 2\SBCinema2.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007791e430 8 bytes {JMP QWORD [RIP-0x4bd56]} .text C:\Program Files (x86)\Creative\Sound Blaster Cinema 2\Sound Blaster Cinema 2\SBCinema2.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007791e680 8 bytes {JMP QWORD [RIP-0x4c44e]} .text C:\Program Files (x86)\Creative\Sound Blaster Cinema 2\Sound Blaster Cinema 2\SBCinema2.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007791eee0 8 bytes {JMP QWORD [RIP-0x4cf71]} .text C:\Program Files (x86)\Creative\Sound Blaster Cinema 2\Sound Blaster Cinema 2\SBCinema2.exe[4624] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000753013cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Creative\Sound Blaster Cinema 2\Sound Blaster Cinema 2\SBCinema2.exe[4624] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007530146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Program Files (x86)\Creative\Sound Blaster Cinema 2\Sound Blaster Cinema 2\SBCinema2.exe[4624] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000753016d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Creative\Sound Blaster Cinema 2\Sound Blaster Cinema 2\SBCinema2.exe[4624] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000753019db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Creative\Sound Blaster Cinema 2\Sound Blaster Cinema 2\SBCinema2.exe[4624] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000753019fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Creative\Sound Blaster Cinema 2\Sound Blaster Cinema 2\SBCinema2.exe[4624] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000075301a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Creative\Sound Blaster Cinema 2\Sound Blaster Cinema 2\SBCinema2.exe[4624] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077211401 2 bytes JMP 7637b20b C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Creative\Sound Blaster Cinema 2\Sound Blaster Cinema 2\SBCinema2.exe[4624] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077211419 2 bytes JMP 7637b336 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Creative\Sound Blaster Cinema 2\Sound Blaster Cinema 2\SBCinema2.exe[4624] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077211431 2 bytes JMP 763f8f39 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Creative\Sound Blaster Cinema 2\Sound Blaster Cinema 2\SBCinema2.exe[4624] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007721144a 2 bytes CALL 76354885 C:\Windows\syswow64\KERNEL32.dll .text ... * 9 .text C:\Program Files (x86)\Creative\Sound Blaster Cinema 2\Sound Blaster Cinema 2\SBCinema2.exe[4624] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000772114dd 2 bytes JMP 763f8832 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Creative\Sound Blaster Cinema 2\Sound Blaster Cinema 2\SBCinema2.exe[4624] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000772114f5 2 bytes JMP 763f8a08 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Creative\Sound Blaster Cinema 2\Sound Blaster Cinema 2\SBCinema2.exe[4624] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007721150d 2 bytes JMP 763f8728 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Creative\Sound Blaster Cinema 2\Sound Blaster Cinema 2\SBCinema2.exe[4624] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077211525 2 bytes JMP 763f8af2 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Creative\Sound Blaster Cinema 2\Sound Blaster Cinema 2\SBCinema2.exe[4624] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007721153d 2 bytes JMP 7636fc98 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Creative\Sound Blaster Cinema 2\Sound Blaster Cinema 2\SBCinema2.exe[4624] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077211555 2 bytes JMP 763768df C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Creative\Sound Blaster Cinema 2\Sound Blaster Cinema 2\SBCinema2.exe[4624] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007721156d 2 bytes JMP 763f8ff1 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Creative\Sound Blaster Cinema 2\Sound Blaster Cinema 2\SBCinema2.exe[4624] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077211585 2 bytes JMP 763f8b52 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Creative\Sound Blaster Cinema 2\Sound Blaster Cinema 2\SBCinema2.exe[4624] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007721159d 2 bytes JMP 763f86ec C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Creative\Sound Blaster Cinema 2\Sound Blaster Cinema 2\SBCinema2.exe[4624] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000772115b5 2 bytes JMP 7636fd31 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Creative\Sound Blaster Cinema 2\Sound Blaster Cinema 2\SBCinema2.exe[4624] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000772115cd 2 bytes JMP 7637b2cc C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Creative\Sound Blaster Cinema 2\Sound Blaster Cinema 2\SBCinema2.exe[4624] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000772116b2 2 bytes JMP 763f8eb4 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Creative\Sound Blaster Cinema 2\Sound Blaster Cinema 2\SBCinema2.exe[4624] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000772116bd 2 bytes JMP 763f8681 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[4800] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 00000000778d13ef 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[4800] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 00000000778d1544 8 bytes [60, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[4800] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 00000000778d18ce 8 bytes [50, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[4800] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 00000000778d1ba8 8 bytes [40, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[4800] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 00000000778d1d25 8 bytes [30, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[4800] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 00000000778d1e8f 8 bytes [20, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[4800] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 89 00000000778d1f75 8 bytes [10, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[4800] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 680 00000000778d2238 8 bytes [00, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[4800] C:\Windows\SYSTEM32\ntdll.dll!RtlIsGenericTableEmptyAvl + 16 00000000778d26e0 8 bytes [F0, 6D, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[4800] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 000000007791da80 8 bytes {JMP QWORD [RIP-0x4bd61]} .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[4800] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 000000007791dc00 8 bytes {JMP QWORD [RIP-0x4bd77]} .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[4800] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007791dc30 8 bytes {JMP QWORD [RIP-0x4c6f2]} .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[4800] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007791dd50 8 bytes {JMP QWORD [RIP-0x4c1ae]} .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[4800] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007791de00 8 bytes {JMP QWORD [RIP-0x4c538]} .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[4800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007791e430 8 bytes {JMP QWORD [RIP-0x4bd56]} .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[4800] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007791e680 8 bytes {JMP QWORD [RIP-0x4c44e]} .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[4800] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007791eee0 8 bytes {JMP QWORD [RIP-0x4cf71]} .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[4800] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000753013cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[4800] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007530146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[4800] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000753016d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[4800] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000753019db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[4800] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000753019fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe[4800] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000075301a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\ZTE MF823\CheckNDISPort_df.exe[5016] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 00000000778d13ef 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\ZTE MF823\CheckNDISPort_df.exe[5016] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 00000000778d1544 8 bytes [60, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\ZTE MF823\CheckNDISPort_df.exe[5016] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 00000000778d18ce 8 bytes [50, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\ZTE MF823\CheckNDISPort_df.exe[5016] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 00000000778d1ba8 8 bytes [40, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\ZTE MF823\CheckNDISPort_df.exe[5016] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 00000000778d1d25 8 bytes [30, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\ZTE MF823\CheckNDISPort_df.exe[5016] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 00000000778d1e8f 8 bytes [20, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\ZTE MF823\CheckNDISPort_df.exe[5016] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 89 00000000778d1f75 8 bytes [10, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\ZTE MF823\CheckNDISPort_df.exe[5016] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 680 00000000778d2238 8 bytes [00, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\ZTE MF823\CheckNDISPort_df.exe[5016] C:\Windows\SYSTEM32\ntdll.dll!RtlIsGenericTableEmptyAvl + 16 00000000778d26e0 8 bytes [F0, 6D, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\ZTE MF823\CheckNDISPort_df.exe[5016] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 000000007791da80 8 bytes {JMP QWORD [RIP-0x4bd61]} .text C:\Program Files (x86)\ZTE MF823\CheckNDISPort_df.exe[5016] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 000000007791dc00 8 bytes {JMP QWORD [RIP-0x4bd77]} .text C:\Program Files (x86)\ZTE MF823\CheckNDISPort_df.exe[5016] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007791dc30 8 bytes {JMP QWORD [RIP-0x4c6f2]} .text C:\Program Files (x86)\ZTE MF823\CheckNDISPort_df.exe[5016] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007791dd50 8 bytes {JMP QWORD [RIP-0x4c1ae]} .text C:\Program Files (x86)\ZTE MF823\CheckNDISPort_df.exe[5016] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007791de00 8 bytes {JMP QWORD [RIP-0x4c538]} .text C:\Program Files (x86)\ZTE MF823\CheckNDISPort_df.exe[5016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007791e430 8 bytes {JMP QWORD [RIP-0x4bd56]} .text C:\Program Files (x86)\ZTE MF823\CheckNDISPort_df.exe[5016] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007791e680 8 bytes {JMP QWORD [RIP-0x4c44e]} .text C:\Program Files (x86)\ZTE MF823\CheckNDISPort_df.exe[5016] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007791eee0 8 bytes {JMP QWORD [RIP-0x4cf71]} .text C:\Program Files (x86)\ZTE MF823\CheckNDISPort_df.exe[5016] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000753013cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\ZTE MF823\CheckNDISPort_df.exe[5016] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007530146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Program Files (x86)\ZTE MF823\CheckNDISPort_df.exe[5016] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000753016d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\ZTE MF823\CheckNDISPort_df.exe[5016] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000753019db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\ZTE MF823\CheckNDISPort_df.exe[5016] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000753019fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\ZTE MF823\CheckNDISPort_df.exe[5016] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000075301a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\ZTE MF823\CancelAutoPlay_df.exe[5072] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 00000000778d13ef 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\ZTE MF823\CancelAutoPlay_df.exe[5072] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 00000000778d1544 8 bytes [60, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\ZTE MF823\CancelAutoPlay_df.exe[5072] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 00000000778d18ce 8 bytes [50, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\ZTE MF823\CancelAutoPlay_df.exe[5072] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 00000000778d1ba8 8 bytes [40, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\ZTE MF823\CancelAutoPlay_df.exe[5072] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 00000000778d1d25 8 bytes [30, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\ZTE MF823\CancelAutoPlay_df.exe[5072] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 00000000778d1e8f 8 bytes [20, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\ZTE MF823\CancelAutoPlay_df.exe[5072] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 89 00000000778d1f75 8 bytes [10, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\ZTE MF823\CancelAutoPlay_df.exe[5072] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 680 00000000778d2238 8 bytes [00, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\ZTE MF823\CancelAutoPlay_df.exe[5072] C:\Windows\SYSTEM32\ntdll.dll!RtlIsGenericTableEmptyAvl + 16 00000000778d26e0 8 bytes [F0, 6D, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\ZTE MF823\CancelAutoPlay_df.exe[5072] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 000000007791da80 8 bytes {JMP QWORD [RIP-0x4bd61]} .text C:\Program Files (x86)\ZTE MF823\CancelAutoPlay_df.exe[5072] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 000000007791dc00 8 bytes {JMP QWORD [RIP-0x4bd77]} .text C:\Program Files (x86)\ZTE MF823\CancelAutoPlay_df.exe[5072] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007791dc30 8 bytes {JMP QWORD [RIP-0x4c6f2]} .text C:\Program Files (x86)\ZTE MF823\CancelAutoPlay_df.exe[5072] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007791dd50 8 bytes {JMP QWORD [RIP-0x4c1ae]} .text C:\Program Files (x86)\ZTE MF823\CancelAutoPlay_df.exe[5072] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007791de00 8 bytes {JMP QWORD [RIP-0x4c538]} .text C:\Program Files (x86)\ZTE MF823\CancelAutoPlay_df.exe[5072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007791e430 8 bytes {JMP QWORD [RIP-0x4bd56]} .text C:\Program Files (x86)\ZTE MF823\CancelAutoPlay_df.exe[5072] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007791e680 8 bytes {JMP QWORD [RIP-0x4c44e]} .text C:\Program Files (x86)\ZTE MF823\CancelAutoPlay_df.exe[5072] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007791eee0 8 bytes {JMP QWORD [RIP-0x4cf71]} .text C:\Program Files (x86)\ZTE MF823\CancelAutoPlay_df.exe[5072] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000753013cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\ZTE MF823\CancelAutoPlay_df.exe[5072] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007530146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Program Files (x86)\ZTE MF823\CancelAutoPlay_df.exe[5072] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000753016d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\ZTE MF823\CancelAutoPlay_df.exe[5072] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000753019db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\ZTE MF823\CancelAutoPlay_df.exe[5072] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000753019fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\ZTE MF823\CancelAutoPlay_df.exe[5072] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000075301a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 00000000778d13ef 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 00000000778d1544 8 bytes [60, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 00000000778d18ce 8 bytes [50, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 00000000778d1ba8 8 bytes [40, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 00000000778d1d25 8 bytes [30, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 00000000778d1e8f 8 bytes [20, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 89 00000000778d1f75 8 bytes [10, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 680 00000000778d2238 8 bytes [00, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!RtlIsGenericTableEmptyAvl + 16 00000000778d26e0 8 bytes [F0, 6D, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 000000007791da80 8 bytes {JMP QWORD [RIP-0x4bd61]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 000000007791dc00 8 bytes {JMP QWORD [RIP-0x4bd77]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007791dc30 8 bytes {JMP QWORD [RIP-0x4c6f2]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007791dd50 8 bytes {JMP QWORD [RIP-0x4c1ae]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007791de00 8 bytes {JMP QWORD [RIP-0x4c538]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007791e430 8 bytes {JMP QWORD [RIP-0x4bd56]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007791e680 8 bytes {JMP QWORD [RIP-0x4c44e]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007791eee0 8 bytes {JMP QWORD [RIP-0x4cf71]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2252] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000753013cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2252] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007530146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2252] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000753016d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2252] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000753019db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2252] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000753019fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2252] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000075301a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[804] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 00000000778d13ef 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[804] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 00000000778d1544 8 bytes [60, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[804] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 00000000778d18ce 8 bytes [50, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[804] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 00000000778d1ba8 8 bytes [40, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[804] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 00000000778d1d25 8 bytes [30, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[804] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 00000000778d1e8f 8 bytes [20, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[804] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 89 00000000778d1f75 8 bytes [10, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[804] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 680 00000000778d2238 8 bytes [00, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[804] C:\Windows\SYSTEM32\ntdll.dll!RtlIsGenericTableEmptyAvl + 16 00000000778d26e0 8 bytes [F0, 6D, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 000000007791da80 8 bytes {JMP QWORD [RIP-0x4bd61]} .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 000000007791dc00 8 bytes {JMP QWORD [RIP-0x4bd77]} .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007791dc30 8 bytes {JMP QWORD [RIP-0x4c6f2]} .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007791dd50 8 bytes {JMP QWORD [RIP-0x4c1ae]} .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007791de00 8 bytes {JMP QWORD [RIP-0x4c538]} .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007791e430 8 bytes {JMP QWORD [RIP-0x4bd56]} .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007791e680 8 bytes {JMP QWORD [RIP-0x4c44e]} .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007791eee0 8 bytes {JMP QWORD [RIP-0x4cf71]} .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[804] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000753013cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[804] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007530146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[804] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000753016d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[804] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000753019db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[804] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000753019fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[804] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000075301a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[804] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077211401 2 bytes JMP 7637b20b C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[804] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077211419 2 bytes JMP 7637b336 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[804] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077211431 2 bytes JMP 763f8f39 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[804] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007721144a 2 bytes CALL 76354885 C:\Windows\syswow64\KERNEL32.dll .text ... * 9 .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[804] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000772114dd 2 bytes JMP 763f8832 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[804] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000772114f5 2 bytes JMP 763f8a08 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[804] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007721150d 2 bytes JMP 763f8728 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[804] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077211525 2 bytes JMP 763f8af2 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[804] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007721153d 2 bytes JMP 7636fc98 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[804] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077211555 2 bytes JMP 763768df C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[804] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007721156d 2 bytes JMP 763f8ff1 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[804] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077211585 2 bytes JMP 763f8b52 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[804] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007721159d 2 bytes JMP 763f86ec C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[804] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000772115b5 2 bytes JMP 7636fd31 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[804] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000772115cd 2 bytes JMP 7637b2cc C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[804] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000772116b2 2 bytes JMP 763f8eb4 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[804] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000772116bd 2 bytes JMP 763f8681 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\ZTE MF823\ShowTip.exe[5264] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 00000000778d13ef 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\ZTE MF823\ShowTip.exe[5264] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 00000000778d1544 8 bytes [60, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\ZTE MF823\ShowTip.exe[5264] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 00000000778d18ce 8 bytes [50, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\ZTE MF823\ShowTip.exe[5264] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 00000000778d1ba8 8 bytes [40, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\ZTE MF823\ShowTip.exe[5264] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 00000000778d1d25 8 bytes [30, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\ZTE MF823\ShowTip.exe[5264] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 00000000778d1e8f 8 bytes [20, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\ZTE MF823\ShowTip.exe[5264] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 89 00000000778d1f75 8 bytes [10, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\ZTE MF823\ShowTip.exe[5264] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 680 00000000778d2238 8 bytes [00, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\ZTE MF823\ShowTip.exe[5264] C:\Windows\SYSTEM32\ntdll.dll!RtlIsGenericTableEmptyAvl + 16 00000000778d26e0 8 bytes [F0, 6D, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\ZTE MF823\ShowTip.exe[5264] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 000000007791da80 8 bytes {JMP QWORD [RIP-0x4bd61]} .text C:\Program Files (x86)\ZTE MF823\ShowTip.exe[5264] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 000000007791dc00 8 bytes {JMP QWORD [RIP-0x4bd77]} .text C:\Program Files (x86)\ZTE MF823\ShowTip.exe[5264] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007791dc30 8 bytes {JMP QWORD [RIP-0x4c6f2]} .text C:\Program Files (x86)\ZTE MF823\ShowTip.exe[5264] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007791dd50 8 bytes {JMP QWORD [RIP-0x4c1ae]} .text C:\Program Files (x86)\ZTE MF823\ShowTip.exe[5264] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007791de00 8 bytes {JMP QWORD [RIP-0x4c538]} .text C:\Program Files (x86)\ZTE MF823\ShowTip.exe[5264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007791e430 8 bytes {JMP QWORD [RIP-0x4bd56]} .text C:\Program Files (x86)\ZTE MF823\ShowTip.exe[5264] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007791e680 8 bytes {JMP QWORD [RIP-0x4c44e]} .text C:\Program Files (x86)\ZTE MF823\ShowTip.exe[5264] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007791eee0 8 bytes {JMP QWORD [RIP-0x4cf71]} .text C:\Program Files (x86)\ZTE MF823\ShowTip.exe[5264] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000753013cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\ZTE MF823\ShowTip.exe[5264] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007530146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Program Files (x86)\ZTE MF823\ShowTip.exe[5264] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000753016d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\ZTE MF823\ShowTip.exe[5264] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000753019db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\ZTE MF823\ShowTip.exe[5264] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000753019fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\ZTE MF823\ShowTip.exe[5264] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000075301a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\ZTE MF823\ShowTip.exe[5264] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077211401 2 bytes JMP 7637b20b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ZTE MF823\ShowTip.exe[5264] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077211419 2 bytes JMP 7637b336 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ZTE MF823\ShowTip.exe[5264] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077211431 2 bytes JMP 763f8f39 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ZTE MF823\ShowTip.exe[5264] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007721144a 2 bytes CALL 76354885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\ZTE MF823\ShowTip.exe[5264] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000772114dd 2 bytes JMP 763f8832 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ZTE MF823\ShowTip.exe[5264] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000772114f5 2 bytes JMP 763f8a08 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ZTE MF823\ShowTip.exe[5264] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007721150d 2 bytes JMP 763f8728 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ZTE MF823\ShowTip.exe[5264] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077211525 2 bytes JMP 763f8af2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ZTE MF823\ShowTip.exe[5264] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007721153d 2 bytes JMP 7636fc98 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ZTE MF823\ShowTip.exe[5264] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077211555 2 bytes JMP 763768df C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ZTE MF823\ShowTip.exe[5264] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007721156d 2 bytes JMP 763f8ff1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ZTE MF823\ShowTip.exe[5264] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077211585 2 bytes JMP 763f8b52 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ZTE MF823\ShowTip.exe[5264] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007721159d 2 bytes JMP 763f86ec C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ZTE MF823\ShowTip.exe[5264] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000772115b5 2 bytes JMP 7636fd31 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ZTE MF823\ShowTip.exe[5264] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000772115cd 2 bytes JMP 7637b2cc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ZTE MF823\ShowTip.exe[5264] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000772116b2 2 bytes JMP 763f8eb4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ZTE MF823\ShowTip.exe[5264] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000772116bd 2 bytes JMP 763f8681 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5296] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 00000000778d13ef 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5296] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 00000000778d1544 8 bytes [60, 6E, F8, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5296] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 00000000778d18ce 8 bytes [50, 6E, F8, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5296] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 00000000778d1ba8 8 bytes [40, 6E, F8, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5296] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 00000000778d1d25 8 bytes [30, 6E, F8, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5296] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 00000000778d1e8f 8 bytes [20, 6E, F8, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5296] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 89 00000000778d1f75 8 bytes [10, 6E, F8, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5296] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 680 00000000778d2238 8 bytes [00, 6E, F8, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5296] C:\Windows\SYSTEM32\ntdll.dll!RtlIsGenericTableEmptyAvl + 16 00000000778d26e0 8 bytes [F0, 6D, F8, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5296] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 000000007791da80 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5296] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 000000007791dc00 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5296] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007791dc30 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5296] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007791dd50 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5296] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007791de00 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007791e430 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5296] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007791e680 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5296] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007791eee0 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5296] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000753013cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5296] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007530146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5296] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000753016d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5296] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000753019db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5296] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000753019fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5296] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000075301a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[5664] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 00000000778d13ef 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[5664] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 00000000778d1544 8 bytes [60, 6E, F8, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[5664] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 00000000778d18ce 8 bytes [50, 6E, F8, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[5664] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 00000000778d1ba8 8 bytes [40, 6E, F8, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[5664] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 00000000778d1d25 8 bytes [30, 6E, F8, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[5664] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 00000000778d1e8f 8 bytes [20, 6E, F8, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[5664] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 89 00000000778d1f75 8 bytes [10, 6E, F8, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[5664] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 680 00000000778d2238 8 bytes [00, 6E, F8, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[5664] C:\Windows\SYSTEM32\ntdll.dll!RtlIsGenericTableEmptyAvl + 16 00000000778d26e0 8 bytes [F0, 6D, F8, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[5664] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 000000007791da80 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[5664] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 000000007791dc00 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[5664] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007791dc30 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[5664] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007791dd50 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[5664] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007791de00 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[5664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007791e430 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[5664] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007791e680 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[5664] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007791eee0 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[5664] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000753013cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[5664] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007530146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[5664] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000753016d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[5664] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000753019db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[5664] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000753019fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[5664] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000075301a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[5720] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 00000000778d13ef 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[5720] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 00000000778d1544 8 bytes [60, 6E, F8, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[5720] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 00000000778d18ce 8 bytes [50, 6E, F8, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[5720] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 00000000778d1ba8 8 bytes [40, 6E, F8, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[5720] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 00000000778d1d25 8 bytes [30, 6E, F8, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[5720] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 00000000778d1e8f 8 bytes [20, 6E, F8, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[5720] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 89 00000000778d1f75 8 bytes [10, 6E, F8, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[5720] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 680 00000000778d2238 8 bytes [00, 6E, F8, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[5720] C:\Windows\SYSTEM32\ntdll.dll!RtlIsGenericTableEmptyAvl + 16 00000000778d26e0 8 bytes [F0, 6D, F8, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[5720] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 000000007791da80 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[5720] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 000000007791dc00 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[5720] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007791dc30 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[5720] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007791dd50 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[5720] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007791de00 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[5720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007791e430 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[5720] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007791e680 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[5720] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007791eee0 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[5720] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000753013cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[5720] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007530146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[5720] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000753016d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[5720] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000753019db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[5720] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000753019fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[5720] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000075301a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[5776] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 00000000778d13ef 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[5776] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 00000000778d1544 8 bytes [60, 6E, F8, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[5776] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 00000000778d18ce 8 bytes [50, 6E, F8, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[5776] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 00000000778d1ba8 8 bytes [40, 6E, F8, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[5776] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 00000000778d1d25 8 bytes [30, 6E, F8, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[5776] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 00000000778d1e8f 8 bytes [20, 6E, F8, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[5776] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 89 00000000778d1f75 8 bytes [10, 6E, F8, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[5776] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 680 00000000778d2238 8 bytes [00, 6E, F8, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[5776] C:\Windows\SYSTEM32\ntdll.dll!RtlIsGenericTableEmptyAvl + 16 00000000778d26e0 8 bytes [F0, 6D, F8, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[5776] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 000000007791da80 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[5776] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 000000007791dc00 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[5776] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007791dc30 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[5776] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007791dd50 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[5776] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007791de00 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[5776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007791e430 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[5776] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007791e680 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[5776] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007791eee0 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[5776] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000753013cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[5776] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007530146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[5776] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000753016d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[5776] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000753019db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[5776] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000753019fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[5776] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000075301a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\NOTEPAD.EXE[6600] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 00000000778d13ef 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\NOTEPAD.EXE[6600] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 00000000778d1544 8 bytes [60, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Windows\SysWOW64\NOTEPAD.EXE[6600] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 00000000778d18ce 8 bytes [50, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Windows\SysWOW64\NOTEPAD.EXE[6600] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 00000000778d1ba8 8 bytes [40, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Windows\SysWOW64\NOTEPAD.EXE[6600] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 00000000778d1d25 8 bytes [30, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Windows\SysWOW64\NOTEPAD.EXE[6600] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 00000000778d1e8f 8 bytes [20, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Windows\SysWOW64\NOTEPAD.EXE[6600] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 89 00000000778d1f75 8 bytes [10, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Windows\SysWOW64\NOTEPAD.EXE[6600] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 680 00000000778d2238 8 bytes [00, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Windows\SysWOW64\NOTEPAD.EXE[6600] C:\Windows\SYSTEM32\ntdll.dll!RtlIsGenericTableEmptyAvl + 16 00000000778d26e0 8 bytes [F0, 6D, F8, 7E, 00, 00, 00, ...] .text C:\Windows\SysWOW64\NOTEPAD.EXE[6600] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 000000007791da80 8 bytes {JMP QWORD [RIP-0x4bd61]} .text C:\Windows\SysWOW64\NOTEPAD.EXE[6600] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 000000007791dc00 8 bytes {JMP QWORD [RIP-0x4bd77]} .text C:\Windows\SysWOW64\NOTEPAD.EXE[6600] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007791dc30 8 bytes {JMP QWORD [RIP-0x4c6f2]} .text C:\Windows\SysWOW64\NOTEPAD.EXE[6600] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007791dd50 8 bytes {JMP QWORD [RIP-0x4c1ae]} .text C:\Windows\SysWOW64\NOTEPAD.EXE[6600] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007791de00 8 bytes {JMP QWORD [RIP-0x4c538]} .text C:\Windows\SysWOW64\NOTEPAD.EXE[6600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007791e430 8 bytes {JMP QWORD [RIP-0x4bd56]} .text C:\Windows\SysWOW64\NOTEPAD.EXE[6600] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007791e680 8 bytes {JMP QWORD [RIP-0x4c44e]} .text C:\Windows\SysWOW64\NOTEPAD.EXE[6600] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007791eee0 8 bytes {JMP QWORD [RIP-0x4cf71]} .text C:\Windows\SysWOW64\NOTEPAD.EXE[6600] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000753013cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\NOTEPAD.EXE[6600] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007530146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Windows\SysWOW64\NOTEPAD.EXE[6600] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000753016d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\NOTEPAD.EXE[6600] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000753019db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\NOTEPAD.EXE[6600] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000753019fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\NOTEPAD.EXE[6600] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000075301a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\MSI\Downloads\v7l4j0p8.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 00000000778d13ef 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\MSI\Downloads\v7l4j0p8.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 00000000778d1544 8 bytes [60, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Users\MSI\Downloads\v7l4j0p8.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 00000000778d18ce 8 bytes [50, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Users\MSI\Downloads\v7l4j0p8.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 00000000778d1ba8 8 bytes [40, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Users\MSI\Downloads\v7l4j0p8.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 00000000778d1d25 8 bytes [30, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Users\MSI\Downloads\v7l4j0p8.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 00000000778d1e8f 8 bytes [20, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Users\MSI\Downloads\v7l4j0p8.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 89 00000000778d1f75 8 bytes [10, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Users\MSI\Downloads\v7l4j0p8.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 680 00000000778d2238 8 bytes [00, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Users\MSI\Downloads\v7l4j0p8.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!RtlIsGenericTableEmptyAvl + 16 00000000778d26e0 8 bytes [F0, 6D, F8, 7E, 00, 00, 00, ...] .text C:\Users\MSI\Downloads\v7l4j0p8.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 000000007791da80 8 bytes {JMP QWORD [RIP-0x4bd61]} .text C:\Users\MSI\Downloads\v7l4j0p8.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 000000007791dc00 8 bytes {JMP QWORD [RIP-0x4bd77]} .text C:\Users\MSI\Downloads\v7l4j0p8.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007791dc30 8 bytes {JMP QWORD [RIP-0x4c6f2]} .text C:\Users\MSI\Downloads\v7l4j0p8.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007791dd50 8 bytes {JMP QWORD [RIP-0x4c1ae]} .text C:\Users\MSI\Downloads\v7l4j0p8.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007791de00 8 bytes {JMP QWORD [RIP-0x4c538]} .text C:\Users\MSI\Downloads\v7l4j0p8.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007791e430 8 bytes {JMP QWORD [RIP-0x4bd56]} .text C:\Users\MSI\Downloads\v7l4j0p8.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007791e680 8 bytes {JMP QWORD [RIP-0x4c44e]} .text C:\Users\MSI\Downloads\v7l4j0p8.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007791eee0 8 bytes {JMP QWORD [RIP-0x4cf71]} .text C:\Users\MSI\Downloads\v7l4j0p8.exe[1584] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000753013cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\MSI\Downloads\v7l4j0p8.exe[1584] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007530146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Users\MSI\Downloads\v7l4j0p8.exe[1584] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000753016d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\MSI\Downloads\v7l4j0p8.exe[1584] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000753019db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\MSI\Downloads\v7l4j0p8.exe[1584] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000753019fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\MSI\Downloads\v7l4j0p8.exe[1584] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000075301a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\System32\win32k.sys[ntoskrnl.exe!KeUserModeCallback] [fffff8800214df58] \SystemRoot\system32\DRIVERS\klif.sys [unknown section] ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2232] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamDWord] [7fef817741c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2232] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSet] [7fef8175f10] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2232] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmEndSession] [7fef8175674] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2232] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartSession] [7fef8175e2c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2232] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartUpload] [7fef8177f48] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2232] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppVersion] [7fef8176a38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2232] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetMachineId] [7fef8176ee8] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2232] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmWriteSharedMachineId] [7fef8177b58] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2232] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmCreateNewId] [7fef8177ea0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2232] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmReadSharedMachineId] [7fef81778b0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2232] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmGetSession] [7fef8174fb4] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2232] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppId] [7fef8175d38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2232] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamString] [7fef8177584] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll ---- Threads - GMER 2.1 ---- Thread C:\Windows\System32\svchost.exe [940:3972] 000007fef6549688 ---- Processes - GMER 2.1 ---- Library C:\Users\MSI\AppData\Local\TeamSpeak 3 Client\Qt5Core.dll (*** suspicious ***) @ C:\Users\MSI\AppData\Local\TeamSpeak 3 Client\ts3client_win64.exe [4328] (C++ application development framework./The Qt Company Ltd)(2014-02-27 14:47:20) 0000000052680000 Library C:\Users\MSI\AppData\Local\TeamSpeak 3 Client\Qt5Gui.dll (*** suspicious ***) @ C:\Users\MSI\AppData\Local\TeamSpeak 3 Client\ts3client_win64.exe [4328] (C++ application development framework./The Qt Company Ltd)(2014-02-27 14:48:40) 000007feddb30000 Library C:\Users\MSI\AppData\Local\TeamSpeak 3 Client\Qt5Network.dll (*** suspicious ***) @ C:\Users\MSI\AppData\Local\TeamSpeak 3 Client\ts3client_win64.exe [4328] (C++ application development framework./The Qt Company Ltd)(2014-02-27 14:47:52) 0000000052560000 Library C:\Users\MSI\AppData\Local\TeamSpeak 3 Client\Qt5Widgets.dll (*** suspicious ***) @ C:\Users\MSI\AppData\Local\TeamSpeak 3 Client\ts3client_win64.exe [4328] (C++ application development framework./The Qt Company Ltd)(2014-02-27 14:50:40) 0000000052020000 Library C:\Users\MSI\AppData\Local\TeamSpeak 3 Client\Qt5Sql.dll (*** suspicious ***) @ C:\Users\MSI\AppData\Local\TeamSpeak 3 Client\ts3client_win64.exe [4328] (C++ application development framework./The Qt Company Ltd)(2014-02-27 14:47:32) 0000000051fe0000 Library C:\Users\MSI\AppData\Local\TeamSpeak 3 Client\platforms\qwindows.dll (*** suspicious ***) @ C:\Users\MSI\AppData\Local\TeamSpeak 3 Client\ts3client_win64.exe [4328] (C++ application development framework./The Qt Company Ltd)(2014-02-27 14:51:48) 000007fedda00000 Library C:\Users\MSI\AppData\Local\TeamSpeak 3 Client\sqldrivers\qsqlite.dll (*** suspicious ***) @ C:\Users\MSI\AppData\Local\TeamSpeak 3 Client\ts3client_win64.exe [4328] (C++ application development framework./The Qt Company Ltd)(2014-02-27 14:51:02) 000007fedd920000 Library C:\Users\MSI\AppData\Local\TeamSpeak 3 Client\imageformats\qgif.dll (*** suspicious ***) @ C:\Users\MSI\AppData\Local\TeamSpeak 3 Client\ts3client_win64.exe [4328] (C++ application development framework./The Qt Company Ltd)(2014-02-27 14:51:18) 000007fedd8d0000 Library C:\Users\MSI\AppData\Local\TeamSpeak 3 Client\imageformats\qjpeg.dll (*** suspicious ***) @ C:\Users\MSI\AppData\Local\TeamSpeak 3 Client\ts3client_win64.exe [4328] (C++ application development framework./The Qt Company Ltd)(2014-02-27 14:51:12) 000007fedd890000 Library C:\Users\MSI\AppData\Local\TeamSpeak 3 Client\ssleay32.dll (*** suspicious ***) @ C:\Users\MSI\AppData\Local\TeamSpeak 3 Client\ts3client_win64.exe [4328](2014-06-05 13:48:20) 000007fedd5d0000 Library C:\Users\MSI\AppData\Local\TeamSpeak 3 Client\LIBEAY32.dll (*** suspicious ***) @ C:\Users\MSI\AppData\Local\TeamSpeak 3 Client\ts3client_win64.exe [4328](2014-06-05 13:48:20) 000007fedd420000 ---- EOF - GMER 2.1 ----