GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2016-02-09 22:46:04 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1 WDC_WD5002AALX-32Z3A0 rev.05.01D05 465,76GB Running: bn9i9386.exe; Driver: C:\Users\Jakub\AppData\Local\Temp\kxlyykog.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\Dwm.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007795de30 6 bytes {JMP QWORD [RIP+0x8842200]} .text C:\Windows\system32\Dwm.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 000000007795de40 6 bytes {JMP QWORD [RIP+0x88221f0]} .text C:\Windows\system32\Dwm.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007795df00 6 bytes {JMP QWORD [RIP+0x8802130]} .text C:\Windows\system32\Dwm.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007795e120 6 bytes {JMP QWORD [RIP+0x87e1f10]} .text C:\Windows\system32\Dwm.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 000000007795e1d0 6 bytes {JMP QWORD [RIP+0x87a1e60]} .text C:\Windows\system32\Dwm.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 000000007795e760 6 bytes {JMP QWORD [RIP+0x87c18d0]} .text C:\Windows\system32\Dwm.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007795f100 6 bytes {JMP QWORD [RIP+0x8860f30]} .text C:\Windows\system32\Dwm.exe[1644] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007780dbc0 6 bytes {JMP QWORD [RIP+0x89d2470]} .text C:\Windows\system32\Dwm.exe[1644] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd81b022 3 bytes [E8, 4F, 06] .text C:\Windows\Explorer.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007795de30 6 bytes {JMP QWORD [RIP+0x8842200]} .text C:\Windows\Explorer.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 000000007795de40 6 bytes {JMP QWORD [RIP+0x88221f0]} .text C:\Windows\Explorer.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007795df00 6 bytes {JMP QWORD [RIP+0x8802130]} .text C:\Windows\Explorer.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007795e120 6 bytes {JMP QWORD [RIP+0x87e1f10]} .text C:\Windows\Explorer.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 000000007795e1d0 6 bytes {JMP QWORD [RIP+0x87a1e60]} .text C:\Windows\Explorer.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 000000007795e760 6 bytes {JMP QWORD [RIP+0x87c18d0]} .text C:\Windows\Explorer.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007795f100 6 bytes {JMP QWORD [RIP+0x8860f30]} .text C:\Windows\Explorer.EXE[1656] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007780dbc0 6 bytes {JMP QWORD [RIP+0x89d2470]} .text C:\Windows\Explorer.EXE[1656] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd81b022 3 bytes [E8, 4F, 4A] .text C:\Windows\Explorer.EXE[1656] C:\Windows\system32\USER32.dll!PostMessageA 00000000776fa404 6 bytes {JMP QWORD [RIP+0x89c5c2c]} .text C:\Windows\Explorer.EXE[1656] C:\Windows\system32\USER32.dll!SendMessageA 00000000776fd338 6 bytes {JMP QWORD [RIP+0x8982cf8]} .text C:\Windows\Explorer.EXE[1656] C:\Windows\system32\USER32.dll!SendMessageW 0000000077706b50 6 bytes {JMP QWORD [RIP+0x89994e0]} .text C:\Windows\Explorer.EXE[1656] C:\Windows\system32\USER32.dll!PostMessageW 00000000777076e4 6 bytes {JMP QWORD [RIP+0x89d894c]} .text C:\Windows\Explorer.EXE[1656] C:\Windows\system32\USER32.dll!mouse_event 0000000077713894 6 bytes JMP fbaf018f .text C:\Windows\Explorer.EXE[1656] C:\Windows\system32\USER32.dll!SendInput 0000000077718cd0 6 bytes JMP ff3c003b .text C:\Windows\Explorer.EXE[1656] C:\Windows\system32\USER32.dll!keybd_event 00000000777645a4 6 bytes JMP faa305d0 .text C:\Windows\Explorer.EXE[1656] C:\Windows\system32\msi.dll!MsiSetInternalUI 000007fef8ee5cc0 6 bytes {JMP QWORD [RIP+0xd5a370]} .text C:\Windows\Explorer.EXE[1656] C:\Windows\system32\msi.dll!MsiInstallProductA 000007fef8f62b30 6 bytes {JMP QWORD [RIP+0xc9d500]} .text C:\Windows\Explorer.EXE[1656] C:\Windows\system32\msi.dll!MsiInstallProductW 000007fef8f716b8 6 bytes {JMP QWORD [RIP+0xcae978]} .text C:\Windows\Explorer.EXE[1656] C:\Windows\system32\WS2_32.dll!WSALookupServiceBeginW 000007feff373030 6 bytes {JMP QWORD [RIP+0x93d000]} .text C:\Windows\Explorer.EXE[1656] C:\Windows\system32\WS2_32.dll!connect + 1 000007feff3745c1 5 bytes {JMP QWORD [RIP+0x8dba70]} .text C:\Windows\Explorer.EXE[1656] C:\Windows\system32\WS2_32.dll!listen 000007feff378290 6 bytes {JMP QWORD [RIP+0x917da0]} .text C:\Windows\Explorer.EXE[1656] C:\Windows\system32\WS2_32.dll!WSAConnect 000007feff39e0f0 6 bytes {JMP QWORD [RIP+0x8d1f40]} .text C:\Windows\Explorer.EXE[1656] C:\Windows\system32\WINSPOOL.DRV!AddPrintProvidorA 000007fefb667b34 6 bytes JMP 1000ec6d .text C:\Windows\Explorer.EXE[1656] C:\Windows\system32\WINSPOOL.DRV!AddPrintProvidorW 000007fefb6703c0 6 bytes JMP 0 .text C:\Windows\system32\taskhost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007795de30 6 bytes {JMP QWORD [RIP+0x8842200]} .text C:\Windows\system32\taskhost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 000000007795de40 6 bytes JMP 6d007800 .text C:\Windows\system32\taskhost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007795df00 6 bytes JMP e7000000 .text C:\Windows\system32\taskhost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007795e120 6 bytes JMP 680100 .text C:\Windows\system32\taskhost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 000000007795e1d0 6 bytes {JMP QWORD [RIP+0x87a1e60]} .text C:\Windows\system32\taskhost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 000000007795e760 6 bytes {JMP QWORD [RIP+0x87c18d0]} .text C:\Windows\system32\taskhost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007795f100 6 bytes {JMP QWORD [RIP+0x8860f30]} .text C:\Windows\system32\taskhost.exe[2028] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007780dbc0 6 bytes JMP 57004100 .text C:\Windows\system32\taskhost.exe[2028] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd81b022 3 bytes [E8, 4F, 09] .text C:\Windows\system32\taskhost.exe[2028] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefeb955c8 6 bytes {JMP QWORD [RIP+0xfaa68]} .text C:\Windows\system32\taskhost.exe[2028] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefebab85c 6 bytes {JMP QWORD [RIP+0xc47d4]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007795de30 6 bytes {JMP QWORD [RIP+0x8842200]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 000000007795de40 6 bytes {JMP QWORD [RIP+0x88221f0]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007795df00 6 bytes {JMP QWORD [RIP+0x8802130]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007795e120 6 bytes {JMP QWORD [RIP+0x87e1f10]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 000000007795e1d0 6 bytes {JMP QWORD [RIP+0x87a1e60]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 000000007795e760 6 bytes {JMP QWORD [RIP+0x87c18d0]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007795f100 6 bytes {JMP QWORD [RIP+0x8860f30]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2408] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007780dbc0 6 bytes {JMP QWORD [RIP+0x89d2470]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2408] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd81b022 3 bytes CALL 0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2408] C:\Windows\system32\WINSPOOL.DRV!AddPrintProvidorA 000007fefb667b34 6 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2408] C:\Windows\system32\WINSPOOL.DRV!AddPrintProvidorW 000007fefb6703c0 6 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2408] C:\Windows\system32\WS2_32.dll!WSALookupServiceBeginW 000007feff373030 6 bytes {JMP QWORD [RIP+0x16d000]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2408] C:\Windows\system32\WS2_32.dll!connect + 1 000007feff3745c1 5 bytes JMP c0c7cba8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2408] C:\Windows\system32\WS2_32.dll!listen 000007feff378290 6 bytes {JMP QWORD [RIP+0x147da0]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2408] C:\Windows\system32\WS2_32.dll!WSAConnect 000007feff39e0f0 6 bytes JMP 7 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 0000000077b0fc1c 3 bytes JMP 73ee2790 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4 0000000077b0fc20 2 bytes JMP 73ee2790 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile 0000000077b0fc34 3 bytes JMP 73ee2d70 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 4 0000000077b0fc38 2 bytes JMP 73ee2d70 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077b0fd60 3 bytes JMP 73ee2d40 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077b0fd64 2 bytes JMP 73ee2d40 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077b100b0 3 bytes JMP 73ee2d10 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077b100b4 2 bytes JMP 73ee2d10 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 0000000077b101c0 3 bytes JMP 73ee2540 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4 0000000077b101c4 2 bytes JMP 73ee2540 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077b10a40 3 bytes JMP 73ee2670 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4 0000000077b10a44 2 bytes JMP 73ee2670 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077b1191c 3 bytes JMP 73ee2ef0 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4 0000000077b11920 2 bytes JMP 73ee2ef0 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2640] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076ae3bab 3 bytes JMP 73ee2f70 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2640] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076ae3baf 2 bytes JMP 73ee2f70 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2640] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000077062ab1 5 bytes JMP 00000001002a36f6 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2640] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 499 0000000077062ca4 4 bytes CALL 71ae0000 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2640] C:\Windows\syswow64\WS2_32.dll!WSALookupServiceBeginW 00000000770b575a 6 bytes JMP 73ee1b30 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2640] C:\Windows\syswow64\WS2_32.dll!connect 00000000770b6bdd 6 bytes JMP 73ee1980 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2640] C:\Windows\syswow64\WS2_32.dll!listen 00000000770bb001 6 bytes JMP 73ee1a20 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2640] C:\Windows\syswow64\WS2_32.dll!WSAConnect 00000000770bcc3f 6 bytes JMP 73ee19d0 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2640] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000767c9679 6 bytes JMP 73ee1f50 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2640] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000767d12a5 6 bytes JMP 73ee20d0 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2640] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000767d3baa 6 bytes JMP 73ee2010 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2640] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000767d612e 6 bytes JMP 73ee1e90 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2640] C:\Windows\syswow64\USER32.dll!SendInput 00000000767eff4a 3 bytes JMP 73ee1e20 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2640] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000767eff4e 2 bytes JMP 73ee1e20 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2640] C:\Windows\syswow64\USER32.dll!mouse_event 000000007682027b 6 bytes JMP 73ee1d60 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2640] C:\Windows\syswow64\USER32.dll!keybd_event 00000000768202bf 6 bytes JMP 73ee1dc0 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2640] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 00000000771a70c4 6 bytes JMP 73ee2300 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2640] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 00000000771c3264 6 bytes JMP 73ee2220 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2640] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000770a1401 2 bytes JMP 76afb21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2640] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000770a1419 2 bytes JMP 76afb346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2640] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000770a1431 2 bytes JMP 76b78f29 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2640] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000770a144a 2 bytes CALL 76ad489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2640] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000770a14dd 2 bytes JMP 76b78822 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2640] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000770a14f5 2 bytes JMP 76b789f8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2640] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000770a150d 2 bytes JMP 76b78718 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2640] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000770a1525 2 bytes JMP 76b78ae2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2640] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000770a153d 2 bytes JMP 76aefca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2640] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000770a1555 2 bytes JMP 76af68ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2640] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000770a156d 2 bytes JMP 76b78fe3 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2640] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000770a1585 2 bytes JMP 76b78b42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2640] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000770a159d 2 bytes JMP 76b786dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2640] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000770a15b5 2 bytes JMP 76aefd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2640] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000770a15cd 2 bytes JMP 76afb2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2640] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000770a16b2 2 bytes JMP 76b78ea4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2640] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000770a16bd 2 bytes JMP 76b78671 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[2780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007795de30 6 bytes {JMP QWORD [RIP+0x8842200]} .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[2780] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 000000007795de40 6 bytes {JMP QWORD [RIP+0x88221f0]} .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[2780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007795df00 6 bytes {JMP QWORD [RIP+0x8802130]} .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[2780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007795e120 6 bytes {JMP QWORD [RIP+0x87e1f10]} .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[2780] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 000000007795e1d0 6 bytes {JMP QWORD [RIP+0x87a1e60]} .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[2780] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 000000007795e760 6 bytes {JMP QWORD [RIP+0x87c18d0]} .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[2780] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007795f100 6 bytes {JMP QWORD [RIP+0x8860f30]} .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[2780] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007780dbc0 6 bytes {JMP QWORD [RIP+0x89d2470]} .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[2780] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd81b022 3 bytes [E8, 4F, 06] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1476] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000770a1401 2 bytes JMP 76afb21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1476] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000770a1419 2 bytes JMP 76afb346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1476] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000770a1431 2 bytes JMP 76b78f29 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1476] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000770a144a 2 bytes CALL 76ad489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1476] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000770a14dd 2 bytes JMP 76b78822 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1476] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000770a14f5 2 bytes JMP 76b789f8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1476] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000770a150d 2 bytes JMP 76b78718 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1476] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000770a1525 2 bytes JMP 76b78ae2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1476] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000770a153d 2 bytes JMP 76aefca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1476] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000770a1555 2 bytes JMP 76af68ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1476] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000770a156d 2 bytes JMP 76b78fe3 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1476] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000770a1585 2 bytes JMP 76b78b42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1476] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000770a159d 2 bytes JMP 76b786dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1476] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000770a15b5 2 bytes JMP 76aefd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1476] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000770a15cd 2 bytes JMP 76afb2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1476] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000770a16b2 2 bytes JMP 76b78ea4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1476] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000770a16bd 2 bytes JMP 76b78671 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\PnkBstrA.exe[3392] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000770a1401 2 bytes JMP 76afb21b C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\PnkBstrA.exe[3392] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000770a1419 2 bytes JMP 76afb346 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\PnkBstrA.exe[3392] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000770a1431 2 bytes JMP 76b78f29 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\PnkBstrA.exe[3392] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000770a144a 2 bytes CALL 76ad489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Windows\system32\PnkBstrA.exe[3392] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000770a14dd 2 bytes JMP 76b78822 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\PnkBstrA.exe[3392] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000770a14f5 2 bytes JMP 76b789f8 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\PnkBstrA.exe[3392] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000770a150d 2 bytes JMP 76b78718 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\PnkBstrA.exe[3392] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000770a1525 2 bytes JMP 76b78ae2 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\PnkBstrA.exe[3392] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000770a153d 2 bytes JMP 76aefca8 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\PnkBstrA.exe[3392] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000770a1555 2 bytes JMP 76af68ef C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\PnkBstrA.exe[3392] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000770a156d 2 bytes JMP 76b78fe3 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\PnkBstrA.exe[3392] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000770a1585 2 bytes JMP 76b78b42 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\PnkBstrA.exe[3392] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000770a159d 2 bytes JMP 76b786dc C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\PnkBstrA.exe[3392] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000770a15b5 2 bytes JMP 76aefd41 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\PnkBstrA.exe[3392] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000770a15cd 2 bytes JMP 76afb2dc C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\PnkBstrA.exe[3392] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000770a16b2 2 bytes JMP 76b78ea4 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\PnkBstrA.exe[3392] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000770a16bd 2 bytes JMP 76b78671 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Logitech Gaming Software\LCore.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007795de30 6 bytes {JMP QWORD [RIP+0x8842200]} .text C:\Program Files\Logitech Gaming Software\LCore.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 000000007795de40 6 bytes {JMP QWORD [RIP+0x88221f0]} .text C:\Program Files\Logitech Gaming Software\LCore.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007795df00 6 bytes {JMP QWORD [RIP+0x8802130]} .text C:\Program Files\Logitech Gaming Software\LCore.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007795e120 6 bytes {JMP QWORD [RIP+0x87e1f10]} .text C:\Program Files\Logitech Gaming Software\LCore.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 000000007795e1d0 6 bytes {JMP QWORD [RIP+0x87a1e60]} .text C:\Program Files\Logitech Gaming Software\LCore.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 000000007795e760 6 bytes {JMP QWORD [RIP+0x87c18d0]} .text C:\Program Files\Logitech Gaming Software\LCore.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007795f100 6 bytes {JMP QWORD [RIP+0x8860f30]} .text C:\Program Files\Logitech Gaming Software\LCore.exe[2376] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007780dbc0 6 bytes {JMP QWORD [RIP+0x89d2470]} .text C:\Program Files\Logitech Gaming Software\LCore.exe[2376] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd81b022 3 bytes CALL b03 .text C:\Program Files\Logitech Gaming Software\LCore.exe[2376] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefeb955c8 6 bytes {JMP QWORD [RIP+0xfaa68]} .text C:\Program Files\Logitech Gaming Software\LCore.exe[2376] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefebab85c 6 bytes {JMP QWORD [RIP+0xc47d4]} .text C:\Program Files\Logitech Gaming Software\LCore.exe[2376] C:\Windows\system32\WS2_32.dll!WSALookupServiceBeginW 000007feff373030 6 bytes {JMP QWORD [RIP+0x16d000]} .text C:\Program Files\Logitech Gaming Software\LCore.exe[2376] C:\Windows\system32\WS2_32.dll!connect + 1 000007feff3745c1 5 bytes {JMP QWORD [RIP+0x10ba70]} .text C:\Program Files\Logitech Gaming Software\LCore.exe[2376] C:\Windows\system32\WS2_32.dll!listen 000007feff378290 6 bytes {JMP QWORD [RIP+0x147da0]} .text C:\Program Files\Logitech Gaming Software\LCore.exe[2376] C:\Windows\system32\WS2_32.dll!WSAConnect 000007feff39e0f0 6 bytes {JMP QWORD [RIP+0x101f40]} .text C:\Program Files\Logitech Gaming Software\LCore.exe[2376] C:\Windows\system32\WINSPOOL.DRV!AddPrintProvidorA 000007fefb667b34 6 bytes {JMP QWORD [RIP+0x884fc]} .text C:\Program Files\Logitech Gaming Software\LCore.exe[2376] C:\Windows\system32\WINSPOOL.DRV!AddPrintProvidorW 000007fefb6703c0 6 bytes {JMP QWORD [RIP+0x9fc70]} .text C:\Program Files\WeiLiangHiFi\WeiLiangHiFiUSBAudio_Driver\WeiLiangHiFiAudioCpl.exe[4756] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 0000000077b0fc1c 3 bytes JMP 73ee2790 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files\WeiLiangHiFi\WeiLiangHiFiUSBAudio_Driver\WeiLiangHiFiAudioCpl.exe[4756] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4 0000000077b0fc20 2 bytes JMP 73ee2790 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files\WeiLiangHiFi\WeiLiangHiFiUSBAudio_Driver\WeiLiangHiFiAudioCpl.exe[4756] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile 0000000077b0fc34 3 bytes JMP 73ee2d70 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files\WeiLiangHiFi\WeiLiangHiFiUSBAudio_Driver\WeiLiangHiFiAudioCpl.exe[4756] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 4 0000000077b0fc38 2 bytes JMP 73ee2d70 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files\WeiLiangHiFi\WeiLiangHiFiUSBAudio_Driver\WeiLiangHiFiAudioCpl.exe[4756] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077b0fd60 3 bytes JMP 73ee2d40 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files\WeiLiangHiFi\WeiLiangHiFiUSBAudio_Driver\WeiLiangHiFiAudioCpl.exe[4756] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077b0fd64 2 bytes JMP 73ee2d40 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files\WeiLiangHiFi\WeiLiangHiFiUSBAudio_Driver\WeiLiangHiFiAudioCpl.exe[4756] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077b100b0 3 bytes JMP 73ee2d10 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files\WeiLiangHiFi\WeiLiangHiFiUSBAudio_Driver\WeiLiangHiFiAudioCpl.exe[4756] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077b100b4 2 bytes JMP 73ee2d10 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files\WeiLiangHiFi\WeiLiangHiFiUSBAudio_Driver\WeiLiangHiFiAudioCpl.exe[4756] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 0000000077b101c0 3 bytes JMP 73ee2540 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files\WeiLiangHiFi\WeiLiangHiFiUSBAudio_Driver\WeiLiangHiFiAudioCpl.exe[4756] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4 0000000077b101c4 2 bytes JMP 73ee2540 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files\WeiLiangHiFi\WeiLiangHiFiUSBAudio_Driver\WeiLiangHiFiAudioCpl.exe[4756] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077b10a40 3 bytes JMP 73ee2670 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files\WeiLiangHiFi\WeiLiangHiFiUSBAudio_Driver\WeiLiangHiFiAudioCpl.exe[4756] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4 0000000077b10a44 2 bytes JMP 73ee2670 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files\WeiLiangHiFi\WeiLiangHiFiUSBAudio_Driver\WeiLiangHiFiAudioCpl.exe[4756] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077b1191c 3 bytes JMP 73ee2ef0 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files\WeiLiangHiFi\WeiLiangHiFiUSBAudio_Driver\WeiLiangHiFiAudioCpl.exe[4756] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4 0000000077b11920 2 bytes JMP 73ee2ef0 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files\WeiLiangHiFi\WeiLiangHiFiUSBAudio_Driver\WeiLiangHiFiAudioCpl.exe[4756] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076ae3bab 3 bytes JMP 73ee2f70 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files\WeiLiangHiFi\WeiLiangHiFiUSBAudio_Driver\WeiLiangHiFiAudioCpl.exe[4756] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076ae3baf 2 bytes JMP 73ee2f70 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files\WeiLiangHiFi\WeiLiangHiFiUSBAudio_Driver\WeiLiangHiFiAudioCpl.exe[4756] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 499 0000000077062ca4 4 bytes CALL 71af0000 .text C:\Program Files\WeiLiangHiFi\WeiLiangHiFiUSBAudio_Driver\WeiLiangHiFiAudioCpl.exe[4756] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000767c9679 6 bytes JMP 73ee1f50 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files\WeiLiangHiFi\WeiLiangHiFiUSBAudio_Driver\WeiLiangHiFiAudioCpl.exe[4756] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000767d12a5 6 bytes JMP 73ee20d0 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files\WeiLiangHiFi\WeiLiangHiFiUSBAudio_Driver\WeiLiangHiFiAudioCpl.exe[4756] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000767d3baa 6 bytes JMP 73ee2010 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files\WeiLiangHiFi\WeiLiangHiFiUSBAudio_Driver\WeiLiangHiFiAudioCpl.exe[4756] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000767d612e 6 bytes JMP 73ee1e90 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files\WeiLiangHiFi\WeiLiangHiFiUSBAudio_Driver\WeiLiangHiFiAudioCpl.exe[4756] C:\Windows\syswow64\USER32.dll!SendInput 00000000767eff4a 3 bytes JMP 73ee1e20 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files\WeiLiangHiFi\WeiLiangHiFiUSBAudio_Driver\WeiLiangHiFiAudioCpl.exe[4756] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000767eff4e 2 bytes JMP 73ee1e20 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files\WeiLiangHiFi\WeiLiangHiFiUSBAudio_Driver\WeiLiangHiFiAudioCpl.exe[4756] C:\Windows\syswow64\USER32.dll!mouse_event 000000007682027b 6 bytes JMP 73ee1d60 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files\WeiLiangHiFi\WeiLiangHiFiUSBAudio_Driver\WeiLiangHiFiAudioCpl.exe[4756] C:\Windows\syswow64\USER32.dll!keybd_event 00000000768202bf 6 bytes JMP 73ee1dc0 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files\WeiLiangHiFi\WeiLiangHiFiUSBAudio_Driver\WeiLiangHiFiAudioCpl.exe[4756] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 00000000771a70c4 6 bytes JMP 73ee2300 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files\WeiLiangHiFi\WeiLiangHiFiUSBAudio_Driver\WeiLiangHiFiAudioCpl.exe[4756] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 00000000771c3264 6 bytes JMP 73ee2220 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files\CCleaner\CCleaner64.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007795de30 6 bytes {JMP QWORD [RIP+0x8842200]} .text C:\Program Files\CCleaner\CCleaner64.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 000000007795de40 6 bytes {JMP QWORD [RIP+0x88221f0]} .text C:\Program Files\CCleaner\CCleaner64.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007795df00 6 bytes {JMP QWORD [RIP+0x8802130]} .text C:\Program Files\CCleaner\CCleaner64.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007795e120 6 bytes {JMP QWORD [RIP+0x87e1f10]} .text C:\Program Files\CCleaner\CCleaner64.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 000000007795e1d0 6 bytes {JMP QWORD [RIP+0x87a1e60]} .text C:\Program Files\CCleaner\CCleaner64.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 000000007795e760 6 bytes {JMP QWORD [RIP+0x87c18d0]} .text C:\Program Files\CCleaner\CCleaner64.exe[3752] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007795f100 6 bytes {JMP QWORD [RIP+0x8860f30]} .text C:\Program Files\CCleaner\CCleaner64.exe[3752] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007780dbc0 6 bytes {JMP QWORD [RIP+0x89d2470]} .text C:\Program Files\CCleaner\CCleaner64.exe[3752] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd81b022 3 bytes [E8, 4F, 08] .text E:\Avast\AvastUI.exe[5712] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 0000000077b0fc1c 3 bytes JMP 73ee2790 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text E:\Avast\AvastUI.exe[5712] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4 0000000077b0fc20 2 bytes JMP 73ee2790 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text E:\Avast\AvastUI.exe[5712] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile 0000000077b0fc34 3 bytes JMP 73ee2d70 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text E:\Avast\AvastUI.exe[5712] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 4 0000000077b0fc38 2 bytes JMP 73ee2d70 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text E:\Avast\AvastUI.exe[5712] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077b0fd60 3 bytes JMP 73ee2d40 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text E:\Avast\AvastUI.exe[5712] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077b0fd64 2 bytes JMP 73ee2d40 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text E:\Avast\AvastUI.exe[5712] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077b100b0 3 bytes JMP 73ee2d10 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text E:\Avast\AvastUI.exe[5712] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077b100b4 2 bytes JMP 73ee2d10 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text E:\Avast\AvastUI.exe[5712] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 0000000077b101c0 3 bytes JMP 73ee2540 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text E:\Avast\AvastUI.exe[5712] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4 0000000077b101c4 2 bytes JMP 73ee2540 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text E:\Avast\AvastUI.exe[5712] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077b10a40 3 bytes [FF, 25, 1E] .text E:\Avast\AvastUI.exe[5712] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4 0000000077b10a44 2 bytes [77, 71] .text E:\Avast\AvastUI.exe[5712] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077b1191c 3 bytes [FF, 25, 1E] .text E:\Avast\AvastUI.exe[5712] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4 0000000077b11920 2 bytes [67, 71] .text E:\Avast\AvastUI.exe[5712] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000076ad8781 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text E:\Avast\AvastUI.exe[5712] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076ae3bab 3 bytes [FF, 25, 1E] .text E:\Avast\AvastUI.exe[5712] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076ae3baf 2 bytes [64, 71] .text E:\Avast\AvastUI.exe[5712] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 499 0000000077062ca4 4 bytes CALL 71af0000 .text E:\Avast\AvastUI.exe[5712] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000767c9679 6 bytes JMP 73ee1f50 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text E:\Avast\AvastUI.exe[5712] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000767d12a5 6 bytes JMP 73ee20d0 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text E:\Avast\AvastUI.exe[5712] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000767d3baa 6 bytes {JMP QWORD [RIP+0x7189001e]} .text E:\Avast\AvastUI.exe[5712] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000767d612e 6 bytes JMP 73ee1e90 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text E:\Avast\AvastUI.exe[5712] C:\Windows\syswow64\USER32.dll!SendInput 00000000767eff4a 3 bytes [FF, 25, 1E] .text E:\Avast\AvastUI.exe[5712] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000767eff4e 2 bytes [92, 71] .text E:\Avast\AvastUI.exe[5712] C:\Windows\syswow64\USER32.dll!mouse_event 000000007682027b 6 bytes {JMP QWORD [RIP+0x7198001e]} .text E:\Avast\AvastUI.exe[5712] C:\Windows\syswow64\USER32.dll!keybd_event 00000000768202bf 6 bytes {JMP QWORD [RIP+0x7195001e]} .text E:\Avast\AvastUI.exe[5712] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 00000000771a70c4 6 bytes {JMP QWORD [RIP+0x717d001e]} .text E:\Avast\AvastUI.exe[5712] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 00000000771c3264 6 bytes {JMP QWORD [RIP+0x7180001e]} .text E:\Avast\AvastUI.exe[5712] C:\Windows\syswow64\WS2_32.dll!WSALookupServiceBeginW 00000000770b575a 6 bytes JMP 73ee1b30 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text E:\Avast\AvastUI.exe[5712] C:\Windows\syswow64\WS2_32.dll!connect 00000000770b6bdd 6 bytes {JMP QWORD [RIP+0x71a4001e]} .text E:\Avast\AvastUI.exe[5712] C:\Windows\syswow64\WS2_32.dll!listen 00000000770bb001 6 bytes {JMP QWORD [RIP+0x719e001e]} .text E:\Avast\AvastUI.exe[5712] C:\Windows\syswow64\WS2_32.dll!WSAConnect 00000000770bcc3f 6 bytes {JMP QWORD [RIP+0x71a1001e]} .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[5748] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 0000000077b0fc1c 3 bytes JMP 73ee2790 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[5748] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4 0000000077b0fc20 2 bytes JMP 73ee2790 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[5748] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile 0000000077b0fc34 3 bytes JMP 73ee2d70 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[5748] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 4 0000000077b0fc38 2 bytes JMP 73ee2d70 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[5748] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077b0fd60 3 bytes JMP 73ee2d40 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[5748] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077b0fd64 2 bytes JMP 73ee2d40 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[5748] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077b100b0 3 bytes JMP 73ee2d10 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[5748] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077b100b4 2 bytes JMP 73ee2d10 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[5748] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 0000000077b101c0 3 bytes JMP 73ee2540 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[5748] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4 0000000077b101c4 2 bytes JMP 73ee2540 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[5748] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077b10a40 3 bytes JMP 73ee2670 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[5748] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4 0000000077b10a44 2 bytes JMP 73ee2670 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[5748] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077b1191c 3 bytes JMP 73ee2ef0 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[5748] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4 0000000077b11920 2 bytes JMP 73ee2ef0 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[5748] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076ae3bab 3 bytes JMP 73ee2f70 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[5748] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076ae3baf 2 bytes JMP 73ee2f70 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[5748] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 499 0000000077062ca4 4 bytes CALL 71af0000 .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[5748] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000767c9679 6 bytes JMP 73ee1f50 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[5748] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000767d12a5 6 bytes JMP 73ee20d0 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[5748] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000767d3baa 6 bytes JMP 73ee2010 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[5748] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000767d612e 6 bytes JMP 73ee1e90 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[5748] C:\Windows\syswow64\USER32.dll!SendInput 00000000767eff4a 3 bytes JMP 73ee1e20 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[5748] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000767eff4e 2 bytes JMP 73ee1e20 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[5748] C:\Windows\syswow64\USER32.dll!mouse_event 000000007682027b 6 bytes JMP 73ee1d60 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[5748] C:\Windows\syswow64\USER32.dll!keybd_event 00000000768202bf 6 bytes JMP 73ee1dc0 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[5748] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 00000000771a70c4 6 bytes JMP 73ee2300 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[5748] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 00000000771c3264 6 bytes JMP 73ee2220 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[5748] C:\Windows\syswow64\WS2_32.dll!WSALookupServiceBeginW 00000000770b575a 6 bytes JMP 73ee1b30 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[5748] C:\Windows\syswow64\WS2_32.dll!connect 00000000770b6bdd 6 bytes JMP 73ee1980 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[5748] C:\Windows\syswow64\WS2_32.dll!listen 00000000770bb001 6 bytes JMP 73ee1a20 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[5748] C:\Windows\syswow64\WS2_32.dll!WSAConnect 00000000770bcc3f 6 bytes JMP 73ee19d0 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[5748] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000770a1401 2 bytes JMP 76afb21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[5748] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000770a1419 2 bytes JMP 76afb346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[5748] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000770a1431 2 bytes JMP 76b78f29 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[5748] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000770a144a 2 bytes CALL 76ad489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[5748] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000770a14dd 2 bytes JMP 76b78822 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[5748] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000770a14f5 2 bytes JMP 76b789f8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[5748] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000770a150d 2 bytes JMP 76b78718 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[5748] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000770a1525 2 bytes JMP 76b78ae2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[5748] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000770a153d 2 bytes JMP 76aefca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[5748] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000770a1555 2 bytes JMP 76af68ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[5748] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000770a156d 2 bytes JMP 76b78fe3 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[5748] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000770a1585 2 bytes JMP 76b78b42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[5748] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000770a159d 2 bytes JMP 76b786dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[5748] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000770a15b5 2 bytes JMP 76aefd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[5748] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000770a15cd 2 bytes JMP 76afb2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[5748] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000770a16b2 2 bytes JMP 76b78ea4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe[5748] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000770a16bd 2 bytes JMP 76b78671 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5820] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 0000000077b0fc1c 3 bytes JMP 73ee2790 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5820] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4 0000000077b0fc20 2 bytes JMP 73ee2790 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5820] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile 0000000077b0fc34 3 bytes JMP 73ee2d70 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5820] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 4 0000000077b0fc38 2 bytes JMP 73ee2d70 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5820] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077b0fd60 3 bytes JMP 73ee2d40 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5820] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077b0fd64 2 bytes JMP 73ee2d40 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5820] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077b100b0 3 bytes JMP 73ee2d10 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5820] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077b100b4 2 bytes JMP 73ee2d10 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5820] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 0000000077b101c0 3 bytes JMP 73ee2540 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5820] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4 0000000077b101c4 2 bytes JMP 73ee2540 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5820] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077b10a40 3 bytes JMP 73ee2670 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5820] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4 0000000077b10a44 2 bytes JMP 73ee2670 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5820] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077b1191c 3 bytes JMP 73ee2ef0 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5820] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4 0000000077b11920 2 bytes JMP 73ee2ef0 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5820] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076ae3bab 3 bytes JMP 73ee2f70 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5820] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076ae3baf 2 bytes JMP 73ee2f70 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5820] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 499 0000000077062ca4 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5820] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000767c9679 6 bytes JMP 73ee1f50 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5820] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000767d12a5 6 bytes JMP 73ee20d0 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5820] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000767d3baa 6 bytes JMP 73ee2010 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5820] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000767d612e 6 bytes JMP 73ee1e90 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5820] C:\Windows\syswow64\USER32.dll!SendInput 00000000767eff4a 3 bytes JMP 73ee1e20 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5820] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000767eff4e 2 bytes JMP 73ee1e20 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5820] C:\Windows\syswow64\USER32.dll!mouse_event 000000007682027b 6 bytes JMP 73ee1d60 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5820] C:\Windows\syswow64\USER32.dll!keybd_event 00000000768202bf 6 bytes JMP 73ee1dc0 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5820] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 00000000771a70c4 6 bytes JMP 73ee2300 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5820] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 00000000771c3264 6 bytes JMP 73ee2220 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[5952] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 0000000077b0fc1c 3 bytes JMP 73ee2790 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[5952] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4 0000000077b0fc20 2 bytes JMP 73ee2790 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[5952] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile 0000000077b0fc34 3 bytes JMP 73ee2d70 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[5952] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 4 0000000077b0fc38 2 bytes JMP 73ee2d70 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[5952] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077b0fd60 3 bytes JMP 73ee2d40 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[5952] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077b0fd64 2 bytes JMP 73ee2d40 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[5952] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077b100b0 3 bytes JMP 73ee2d10 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[5952] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077b100b4 2 bytes JMP 73ee2d10 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[5952] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 0000000077b101c0 3 bytes JMP 73ee2540 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[5952] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4 0000000077b101c4 2 bytes JMP 73ee2540 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[5952] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077b10a40 3 bytes JMP 73ee2670 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[5952] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4 0000000077b10a44 2 bytes JMP 73ee2670 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[5952] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077b1191c 3 bytes JMP 73ee2ef0 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[5952] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4 0000000077b11920 2 bytes JMP 73ee2ef0 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[5952] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076ae3bab 3 bytes JMP 73ee2f70 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[5952] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076ae3baf 2 bytes JMP 73ee2f70 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[5952] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 499 0000000077062ca4 4 bytes CALL 71af0000 .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[5952] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000767c9679 6 bytes JMP 73ee1f50 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[5952] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000767d12a5 6 bytes JMP 73ee20d0 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[5952] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000767d3baa 6 bytes JMP 73ee2010 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[5952] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000767d612e 6 bytes JMP 73ee1e90 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[5952] C:\Windows\syswow64\USER32.dll!SendInput 00000000767eff4a 3 bytes JMP 73ee1e20 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[5952] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000767eff4e 2 bytes JMP 73ee1e20 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[5952] C:\Windows\syswow64\USER32.dll!mouse_event 000000007682027b 6 bytes JMP 73ee1d60 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[5952] C:\Windows\syswow64\USER32.dll!keybd_event 00000000768202bf 6 bytes JMP 73ee1dc0 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[5952] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 00000000771a70c4 6 bytes JMP 73ee2300 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[5952] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 00000000771c3264 6 bytes JMP 73ee2220 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[5952] C:\Windows\syswow64\WS2_32.dll!WSALookupServiceBeginW 00000000770b575a 6 bytes JMP 73ee1b30 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[5952] C:\Windows\syswow64\WS2_32.dll!connect 00000000770b6bdd 6 bytes JMP 73ee1980 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[5952] C:\Windows\syswow64\WS2_32.dll!listen 00000000770bb001 6 bytes JMP 73ee1a20 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[5952] C:\Windows\syswow64\WS2_32.dll!WSAConnect 00000000770bcc3f 6 bytes JMP 73ee19d0 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[5952] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000770a1401 2 bytes JMP 76afb21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[5952] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000770a1419 2 bytes JMP 76afb346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[5952] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000770a1431 2 bytes JMP 76b78f29 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[5952] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000770a144a 2 bytes CALL 76ad489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[5952] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000770a14dd 2 bytes JMP 76b78822 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[5952] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000770a14f5 2 bytes JMP 76b789f8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[5952] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000770a150d 2 bytes JMP 76b78718 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[5952] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000770a1525 2 bytes JMP 76b78ae2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[5952] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000770a153d 2 bytes JMP 76aefca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[5952] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000770a1555 2 bytes JMP 76af68ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[5952] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000770a156d 2 bytes JMP 76b78fe3 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[5952] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000770a1585 2 bytes JMP 76b78b42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[5952] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000770a159d 2 bytes JMP 76b786dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[5952] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000770a15b5 2 bytes JMP 76aefd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[5952] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000770a15cd 2 bytes JMP 76afb2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[5952] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000770a16b2 2 bytes JMP 76b78ea4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe[5952] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000770a16bd 2 bytes JMP 76b78671 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\wbem\unsecapp.exe[5992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007795de30 6 bytes {JMP QWORD [RIP+0x8842200]} .text C:\Windows\system32\wbem\unsecapp.exe[5992] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 000000007795de40 6 bytes {JMP QWORD [RIP+0x88221f0]} .text C:\Windows\system32\wbem\unsecapp.exe[5992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007795df00 6 bytes {JMP QWORD [RIP+0x8802130]} .text C:\Windows\system32\wbem\unsecapp.exe[5992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007795e120 6 bytes {JMP QWORD [RIP+0x87e1f10]} .text C:\Windows\system32\wbem\unsecapp.exe[5992] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 000000007795e1d0 6 bytes {JMP QWORD [RIP+0x87a1e60]} .text C:\Windows\system32\wbem\unsecapp.exe[5992] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 000000007795e760 6 bytes {JMP QWORD [RIP+0x87c18d0]} .text C:\Windows\system32\wbem\unsecapp.exe[5992] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007795f100 6 bytes {JMP QWORD [RIP+0x8860f30]} .text C:\Windows\system32\wbem\unsecapp.exe[5992] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007780dbc0 6 bytes {JMP QWORD [RIP+0x89d2470]} .text C:\Windows\system32\wbem\unsecapp.exe[5992] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 354 000007fefd81b022 3 bytes [E8, 4F, 06] .text C:\Windows\system32\wbem\unsecapp.exe[5992] C:\Windows\system32\WS2_32.dll!WSALookupServiceBeginW 000007feff373030 6 bytes {JMP QWORD [RIP+0x16d000]} .text C:\Windows\system32\wbem\unsecapp.exe[5992] C:\Windows\system32\WS2_32.dll!connect + 1 000007feff3745c1 5 bytes {JMP QWORD [RIP+0x10ba70]} .text C:\Windows\system32\wbem\unsecapp.exe[5992] C:\Windows\system32\WS2_32.dll!listen 000007feff378290 6 bytes {JMP QWORD [RIP+0x147da0]} .text C:\Windows\system32\wbem\unsecapp.exe[5992] C:\Windows\system32\WS2_32.dll!WSAConnect 000007feff39e0f0 6 bytes {JMP QWORD [RIP+0x101f40]} .text C:\Users\Jakub\Downloads\bn9i9386.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 0000000077b0fc1c 3 bytes JMP 73ee2790 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Users\Jakub\Downloads\bn9i9386.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4 0000000077b0fc20 2 bytes JMP 73ee2790 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Users\Jakub\Downloads\bn9i9386.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile 0000000077b0fc34 3 bytes JMP 73ee2d70 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Users\Jakub\Downloads\bn9i9386.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 4 0000000077b0fc38 2 bytes JMP 73ee2d70 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Users\Jakub\Downloads\bn9i9386.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077b0fd60 3 bytes JMP 73ee2d40 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Users\Jakub\Downloads\bn9i9386.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077b0fd64 2 bytes JMP 73ee2d40 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Users\Jakub\Downloads\bn9i9386.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077b100b0 3 bytes JMP 73ee2d10 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Users\Jakub\Downloads\bn9i9386.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077b100b4 2 bytes JMP 73ee2d10 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Users\Jakub\Downloads\bn9i9386.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 0000000077b101c0 3 bytes JMP 73ee2540 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Users\Jakub\Downloads\bn9i9386.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4 0000000077b101c4 2 bytes JMP 73ee2540 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Users\Jakub\Downloads\bn9i9386.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077b10a40 3 bytes JMP 73ee2670 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Users\Jakub\Downloads\bn9i9386.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4 0000000077b10a44 2 bytes JMP 73ee2670 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Users\Jakub\Downloads\bn9i9386.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077b1191c 3 bytes JMP 73ee2ef0 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Users\Jakub\Downloads\bn9i9386.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4 0000000077b11920 2 bytes JMP 73ee2ef0 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Users\Jakub\Downloads\bn9i9386.exe[3304] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076ae3bab 3 bytes JMP 73ee2f70 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Users\Jakub\Downloads\bn9i9386.exe[3304] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076ae3baf 2 bytes JMP 73ee2f70 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Users\Jakub\Downloads\bn9i9386.exe[3304] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 499 0000000077062ca4 4 bytes CALL 71af0000 .text C:\Users\Jakub\Downloads\bn9i9386.exe[3304] C:\Windows\syswow64\USER32.dll!SendMessageW 00000000767c9679 6 bytes JMP 73ee1f50 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Users\Jakub\Downloads\bn9i9386.exe[3304] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000767d12a5 6 bytes JMP 73ee20d0 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Users\Jakub\Downloads\bn9i9386.exe[3304] C:\Windows\syswow64\USER32.dll!PostMessageA 00000000767d3baa 6 bytes JMP 73ee2010 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Users\Jakub\Downloads\bn9i9386.exe[3304] C:\Windows\syswow64\USER32.dll!SendMessageA 00000000767d612e 6 bytes JMP 73ee1e90 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Users\Jakub\Downloads\bn9i9386.exe[3304] C:\Windows\syswow64\USER32.dll!SendInput 00000000767eff4a 3 bytes JMP 73ee1e20 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Users\Jakub\Downloads\bn9i9386.exe[3304] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000767eff4e 2 bytes JMP 73ee1e20 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Users\Jakub\Downloads\bn9i9386.exe[3304] C:\Windows\syswow64\USER32.dll!mouse_event 000000007682027b 6 bytes JMP 73ee1d60 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Users\Jakub\Downloads\bn9i9386.exe[3304] C:\Windows\syswow64\USER32.dll!keybd_event 00000000768202bf 6 bytes JMP 73ee1dc0 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Users\Jakub\Downloads\bn9i9386.exe[3304] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 00000000771a70c4 6 bytes JMP 73ee2300 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Users\Jakub\Downloads\bn9i9386.exe[3304] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 00000000771c3264 6 bytes JMP 73ee2220 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff8800104ae94] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff8800104ac38] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff8800104b654] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff8800104ba50] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff8800104b8ac] \SystemRoot\System32\Drivers\sptd.sys [.text] ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3512] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamDWord] [7feefac741c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3512] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSet] [7feefac5f10] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3512] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmEndSession] [7feefac5674] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3512] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartSession] [7feefac5e2c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3512] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartUpload] [7feefac7f48] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3512] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppVersion] [7feefac6a38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3512] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetMachineId] [7feefac6ee8] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3512] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmWriteSharedMachineId] [7feefac7b58] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3512] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmCreateNewId] [7feefac7ea0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3512] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmReadSharedMachineId] [7feefac78b0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3512] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmGetSession] [7feefac4fb4] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3512] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppId] [7feefac5d38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3512] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamString] [7feefac7584] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll ---- Devices - GMER 2.1 ---- Device \Driver\atapi \Device\Ide\IdePort0 fffffa80066b12c0 Device \Driver\atapi \Device\Ide\IdePort1 fffffa80066b12c0 Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-3 fffffa80066b12c0 Device \Driver\atapi \Device\Ide\IdePort2 fffffa80066b12c0 Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1 fffffa80066b12c0 Device \Driver\atapi \Device\Ide\IdePort3 fffffa80066b12c0 Device \FileSystem\Ntfs \Ntfs fffffa80070972c0 Device \Driver\usbehci \Device\USBPDO-1 fffffa8007c6d2c0 Device \Driver\cdrom \Device\CdRom0 fffffa8007b562c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{32F846FD-34C3-4411-87AB-37EEBCFA7319} fffffa8007bd52c0 Device \Driver\usbehci \Device\USBFDO-0 fffffa8007c6d2c0 Device \Driver\usbehci \Device\USBFDO-1 fffffa8007c6d2c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa8007bd52c0 Device \Driver\atapi \Device\ScsiPort0 fffffa80066b12c0 Device \Driver\usbehci \Device\USBPDO-0 fffffa8007c6d2c0 Device \Driver\atapi \Device\ScsiPort1 fffffa80066b12c0 Device \Driver\atapi \Device\ScsiPort2 fffffa80066b12c0 Device \Driver\atapi \Device\ScsiPort3 fffffa80066b12c0 ---- Trace I/O - GMER 2.1 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa80066b12c0]<< sptd.sys ataport.SYS pciide.sys fffffa80066b12c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8007861060] fffffa8007861060 Trace 3 CLASSPNP.SYS[fffff8800120143f] -> nt!IofCallDriver -> [0xfffffa80074ec580] fffffa80074ec580 Trace 5 ACPI.sys[fffff8800116f7a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-1[0xfffffa80074ee060] fffffa80074ee060 Trace \Driver\atapi[0xfffffa800724c570] -> IRP_MJ_CREATE -> 0xfffffa80066b12c0 fffffa80066b12c0 ---- Threads - GMER 2.1 ---- Thread C:\Windows\Explorer.EXE [1656:1608] 000000000259ec20 Thread C:\Windows\Explorer.EXE [1656:2740] 000000000259ec20 Thread C:\Windows\Explorer.EXE [1656:2744] 000000000259ec20 Thread C:\Windows\Explorer.EXE [1656:2748] 000000000259ec20 Thread C:\Windows\Explorer.EXE [1656:2752] 000000000259ec20 Thread C:\Windows\Explorer.EXE [1656:2756] 000000000259ec20 Thread C:\Windows\Explorer.EXE [1656:2760] 000000000259ec20 Thread C:\Windows\Explorer.EXE [1656:2768] 000000000259ec20 Thread C:\Windows\Explorer.EXE [1656:4980] 000000000259ec20 Thread C:\Windows\system32\taskhost.exe [2888:6120] 00000000004946c0 Thread C:\Windows\system32\notepad.exe [3456:4984] 000000000031e9a0 Thread C:\Windows\system32\notepad.exe [3456:5756] 0000000002413390 Thread C:\Windows\system32\notepad.exe [3456:5844] 000000000243f534 ---- Processes - GMER 2.1 ---- Library C:\ProgramData\GG\ggdrive\ggdrive-overlay.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [1656] (GG drive overlay/GG Network S.A.)(2012-08-04 16:46:21) 000000005c080000 Library C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\ddrawex.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [1656] (Serial driver access DLL for Resource Manager/Brother Industries, Ltd.)(2016-02-01 21:42:42) 000007fef7040000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 D:\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x98 0x48 0x03 0x23 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 D:\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x98 0x48 0x03 0x23 ... ---- Files - GMER 2.1 ---- File C:\Users\Jakub\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00afcb 0 bytes File C:\Users\Jakub\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00afcc 0 bytes File C:\Users\Jakub\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00afcd 0 bytes File C:\Users\Jakub\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00afce 0 bytes File C:\Users\Jakub\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00afd0 0 bytes File C:\Users\Jakub\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00afd1 0 bytes File C:\Users\Jakub\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00afd2 0 bytes File C:\Users\Jakub\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00afd3 0 bytes File C:\Users\Jakub\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00afd4 0 bytes File C:\Users\Jakub\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00afd5 0 bytes File C:\Users\Jakub\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00afd6 0 bytes File C:\Users\Jakub\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00afd7 0 bytes File C:\Users\Jakub\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00afd8 26870 bytes File C:\Users\Jakub\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00afd9 24428 bytes File C:\Users\Jakub\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00afda 26643 bytes File C:\Users\Jakub\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00afdb 26182 bytes File C:\Users\Jakub\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00afdc 25714 bytes File C:\Users\Jakub\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00afdd 28981 bytes File C:\Users\Jakub\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00afde 24956 bytes File C:\Users\Jakub\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00afdf 25910 bytes File C:\Users\Jakub\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00afe0 24948 bytes File C:\Users\Jakub\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00afe1 25509 bytes File C:\Users\Jakub\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00afe2 27675 bytes File C:\Users\Jakub\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00afe4 25955 bytes File C:\Users\Jakub\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00afe5 26860 bytes File C:\Users\Jakub\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00afe6 27299 bytes File C:\Users\Jakub\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00afe7 22634 bytes File C:\Users\Jakub\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00afe8 27745 bytes File C:\Users\Jakub\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00afe9 26321 bytes File C:\Users\Jakub\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00afea 25759 bytes File C:\Users\Jakub\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00afeb 26284 bytes File C:\Users\Jakub\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00afec 23699 bytes File C:\Users\Jakub\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00afed 27693 bytes File C:\Users\Jakub\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00afee 27875 bytes File C:\Users\Jakub\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00afef 28535 bytes File C:\Users\Jakub\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00aff0 24658 bytes File C:\Users\Jakub\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00aff1 0 bytes File C:\Users\Jakub\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00aff2 0 bytes File C:\Users\Jakub\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00aff3 0 bytes File C:\Users\Jakub\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00aff4 24735 bytes File C:\Users\Jakub\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00aff5 25731 bytes File C:\Users\Jakub\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00aff6 24402 bytes File C:\Users\Jakub\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00aff8 22658 bytes File C:\Users\Jakub\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00aff9 26317 bytes File C:\Users\Jakub\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00affa 27000 bytes File C:\Users\Jakub\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00affb 26591 bytes File C:\Users\Jakub\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00affc 27506 bytes File C:\Users\Jakub\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00affd 27783 bytes File C:\Users\Jakub\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00affe 26342 bytes File C:\Users\Jakub\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00afff 25823 bytes File C:\Users\Jakub\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00b008 177464 bytes File C:\Users\Jakub\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00afcf 0 bytes File C:\Users\Jakub\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00afe3 28320 bytes File C:\Users\Jakub\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00aff7 26442 bytes File C:\Users\Jakub\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\163.tmp 28134 bytes File C:\Users\Jakub\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\164.tmp 28134 bytes File C:\Users\Jakub\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\165.tmp 28134 bytes File C:\Users\Jakub\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\166.tmp 28134 bytes File C:\Users\Jakub\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\177.tmp 28134 bytes File C:\Users\Jakub\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\178.tmp 28134 bytes File C:\Users\Jakub\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\179.tmp 28134 bytes File C:\Users\Jakub\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\17A.tmp 0 bytes File C:\Users\Jakub\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\17B.tmp 28134 bytes File C:\Users\Jakub\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\17C.tmp 28134 bytes File C:\Users\Jakub\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\17D.tmp 28134 bytes File C:\Users\Jakub\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\18E.tmp 28134 bytes File C:\Users\Jakub\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\18F.tmp 28134 bytes File C:\Users\Jakub\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\190.tmp 28134 bytes File C:\Users\Jakub\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\191.tmp 28134 bytes File C:\Users\Jakub\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\192.tmp 28134 bytes File C:\Users\Jakub\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\193.tmp 28134 bytes File C:\Users\Jakub\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\194.tmp 28134 bytes File C:\Users\Jakub\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\195.tmp 0 bytes File C:\Users\Jakub\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\196.tmp 28134 bytes File C:\Users\Jakub\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\197.tmp 28134 bytes File C:\Users\Jakub\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\198.tmp 28134 bytes File C:\Users\Jakub\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\199.tmp 28134 bytes File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\{CBD8C779-420B-4B41-876F-EC9E87CF757C} (0) - 3308 - officec2rclient.exe - OTele.dat 0 bytes ---- EOF - GMER 2.1 ----