GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-09-18 20:35:00 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST9500325AS rev.D005DEM1 465,76GB Running: 8dc95q89.exe; Driver: C:\Users\Rostov\AppData\Local\Temp\kfrdypob.sys ---- User code sections - GMER 2.2 ---- .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[1884] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075471401 2 bytes JMP 7642b233 C:\windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[1884] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075471419 2 bytes JMP 7642b35e C:\windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[1884] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075471431 2 bytes JMP 764a9149 C:\windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[1884] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007547144a 2 bytes CALL 76404885 C:\windows\syswow64\KERNEL32.dll .text ... * 9 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[1884] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000754714dd 2 bytes JMP 764a8a42 C:\windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[1884] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000754714f5 2 bytes JMP 764a8c18 C:\windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[1884] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007547150d 2 bytes JMP 764a8938 C:\windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[1884] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075471525 2 bytes JMP 764a8d02 C:\windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[1884] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007547153d 2 bytes JMP 7641fcc0 C:\windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[1884] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075471555 2 bytes JMP 76426907 C:\windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[1884] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007547156d 2 bytes JMP 764a9201 C:\windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[1884] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075471585 2 bytes JMP 764a8d62 C:\windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[1884] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007547159d 2 bytes JMP 764a88fc C:\windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[1884] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000754715b5 2 bytes JMP 7641fd59 C:\windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[1884] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000754715cd 2 bytes JMP 7642b2f4 C:\windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[1884] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000754716b2 2 bytes JMP 764a90c4 C:\windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[1884] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000754716bd 2 bytes JMP 764a8891 C:\windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Hot Keyboard Pro\HotKeyb.exe[3928] C:\windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 388 0000000077851234 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Hot Keyboard Pro\HotKeyb.exe[3928] C:\windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 00000000778512df 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Hot Keyboard Pro\HotKeyb.exe[3928] C:\windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 0000000077851434 8 bytes [A0, 7B, F0, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Hot Keyboard Pro\HotKeyb.exe[3928] C:\windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 127 00000000778517bf 7 bytes [7B, F0, 7E, 00, 00, 00, 00] .text C:\Program Files (x86)\Hot Keyboard Pro\HotKeyb.exe[3928] C:\windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 644 00000000778519c4 8 bytes [80, 7B, F0, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Hot Keyboard Pro\HotKeyb.exe[3928] C:\windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000077851aa4 8 bytes [70, 7B, F0, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Hot Keyboard Pro\HotKeyb.exe[3928] C:\windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000077851c25 8 bytes [60, 7B, F0, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Hot Keyboard Pro\HotKeyb.exe[3928] C:\windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000077851d8f 8 bytes [50, 7B, F0, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Hot Keyboard Pro\HotKeyb.exe[3928] C:\windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000077851e75 8 bytes [40, 7B, F0, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Hot Keyboard Pro\HotKeyb.exe[3928] C:\windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 584 00000000778520d8 8 bytes [30, 7B, F0, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Hot Keyboard Pro\HotKeyb.exe[3928] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread 000000007789bc00 8 bytes {JMP QWORD [RIP-0x4a162]} .text C:\Program Files (x86)\Hot Keyboard Pro\HotKeyb.exe[3928] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 000000007789bd80 8 bytes {JMP QWORD [RIP-0x4a161]} .text C:\Program Files (x86)\Hot Keyboard Pro\HotKeyb.exe[3928] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007789bdb0 8 bytes {JMP QWORD [RIP-0x4a982]} .text C:\Program Files (x86)\Hot Keyboard Pro\HotKeyb.exe[3928] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007789bed0 8 bytes {JMP QWORD [RIP-0x4a512]} .text C:\Program Files (x86)\Hot Keyboard Pro\HotKeyb.exe[3928] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007789bf80 8 bytes {JMP QWORD [RIP-0x4a7c8]} .text C:\Program Files (x86)\Hot Keyboard Pro\HotKeyb.exe[3928] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007789c5b0 8 bytes {JMP QWORD [RIP-0x4a4de]} .text C:\Program Files (x86)\Hot Keyboard Pro\HotKeyb.exe[3928] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007789c800 8 bytes {JMP QWORD [RIP-0x4a991]} .text C:\Program Files (x86)\Hot Keyboard Pro\HotKeyb.exe[3928] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007789d060 8 bytes {JMP QWORD [RIP-0x4b2d7]} .text C:\Program Files (x86)\Hot Keyboard Pro\HotKeyb.exe[3928] C:\windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 0000000073ae13cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Hot Keyboard Pro\HotKeyb.exe[3928] C:\windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 0000000073ae146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Program Files (x86)\Hot Keyboard Pro\HotKeyb.exe[3928] C:\windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 0000000073ae16d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Hot Keyboard Pro\HotKeyb.exe[3928] C:\windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 0000000073ae19db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Hot Keyboard Pro\HotKeyb.exe[3928] C:\windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 0000000073ae19fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Hot Keyboard Pro\HotKeyb.exe[3928] C:\windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000073ae1a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Hot Keyboard Pro\HotKeyb.exe[3928] C:\windows\syswow64\psapi.dll!GetModuleFileNameExW + 17 0000000075471401 2 bytes JMP 7642b233 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Hot Keyboard Pro\HotKeyb.exe[3928] C:\windows\syswow64\psapi.dll!EnumProcessModules + 17 0000000075471419 2 bytes JMP 7642b35e C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Hot Keyboard Pro\HotKeyb.exe[3928] C:\windows\syswow64\psapi.dll!GetModuleInformation + 17 0000000075471431 2 bytes JMP 764a9149 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Hot Keyboard Pro\HotKeyb.exe[3928] C:\windows\syswow64\psapi.dll!GetModuleInformation + 42 000000007547144a 2 bytes CALL 76404885 C:\windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Hot Keyboard Pro\HotKeyb.exe[3928] C:\windows\syswow64\psapi.dll!EnumDeviceDrivers + 17 00000000754714dd 2 bytes JMP 764a8a42 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Hot Keyboard Pro\HotKeyb.exe[3928] C:\windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17 00000000754714f5 2 bytes JMP 764a8c18 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Hot Keyboard Pro\HotKeyb.exe[3928] C:\windows\syswow64\psapi.dll!QueryWorkingSetEx + 17 000000007547150d 2 bytes JMP 764a8938 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Hot Keyboard Pro\HotKeyb.exe[3928] C:\windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17 0000000075471525 2 bytes JMP 764a8d02 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Hot Keyboard Pro\HotKeyb.exe[3928] C:\windows\syswow64\psapi.dll!GetModuleBaseNameW + 17 000000007547153d 2 bytes JMP 7641fcc0 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Hot Keyboard Pro\HotKeyb.exe[3928] C:\windows\syswow64\psapi.dll!EnumProcesses + 17 0000000075471555 2 bytes JMP 76426907 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Hot Keyboard Pro\HotKeyb.exe[3928] C:\windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17 000000007547156d 2 bytes JMP 764a9201 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Hot Keyboard Pro\HotKeyb.exe[3928] C:\windows\syswow64\psapi.dll!GetPerformanceInfo + 17 0000000075471585 2 bytes JMP 764a8d62 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Hot Keyboard Pro\HotKeyb.exe[3928] C:\windows\syswow64\psapi.dll!QueryWorkingSet + 17 000000007547159d 2 bytes JMP 764a88fc C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Hot Keyboard Pro\HotKeyb.exe[3928] C:\windows\syswow64\psapi.dll!GetModuleBaseNameA + 17 00000000754715b5 2 bytes JMP 7641fd59 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Hot Keyboard Pro\HotKeyb.exe[3928] C:\windows\syswow64\psapi.dll!GetModuleFileNameExA + 17 00000000754715cd 2 bytes JMP 7642b2f4 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Hot Keyboard Pro\HotKeyb.exe[3928] C:\windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20 00000000754716b2 2 bytes JMP 764a90c4 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Hot Keyboard Pro\HotKeyb.exe[3928] C:\windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31 00000000754716bd 2 bytes JMP 764a8891 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\PopTrayU\PopTrayU.exe[4240] C:\windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 388 0000000077851234 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\PopTrayU\PopTrayU.exe[4240] C:\windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 00000000778512df 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\PopTrayU\PopTrayU.exe[4240] C:\windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 0000000077851434 8 bytes [A0, CB, ED, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\PopTrayU\PopTrayU.exe[4240] C:\windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 127 00000000778517bf 7 bytes [CB, ED, 7E, 00, 00, 00, 00] .text C:\Program Files (x86)\PopTrayU\PopTrayU.exe[4240] C:\windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 644 00000000778519c4 8 bytes [80, CB, ED, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\PopTrayU\PopTrayU.exe[4240] C:\windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000077851aa4 8 bytes [70, CB, ED, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\PopTrayU\PopTrayU.exe[4240] C:\windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000077851c25 8 bytes [60, CB, ED, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\PopTrayU\PopTrayU.exe[4240] C:\windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000077851d8f 8 bytes [50, CB, ED, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\PopTrayU\PopTrayU.exe[4240] C:\windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000077851e75 8 bytes [40, CB, ED, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\PopTrayU\PopTrayU.exe[4240] C:\windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 584 00000000778520d8 8 bytes [30, CB, ED, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\PopTrayU\PopTrayU.exe[4240] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread 000000007789bc00 8 bytes {JMP QWORD [RIP-0x4a162]} .text C:\Program Files (x86)\PopTrayU\PopTrayU.exe[4240] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 000000007789bd80 8 bytes {JMP QWORD [RIP-0x4a161]} .text C:\Program Files (x86)\PopTrayU\PopTrayU.exe[4240] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007789bdb0 8 bytes {JMP QWORD [RIP-0x4a982]} .text C:\Program Files (x86)\PopTrayU\PopTrayU.exe[4240] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007789bed0 8 bytes {JMP QWORD [RIP-0x4a512]} .text C:\Program Files (x86)\PopTrayU\PopTrayU.exe[4240] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007789bf80 8 bytes {JMP QWORD [RIP-0x4a7c8]} .text C:\Program Files (x86)\PopTrayU\PopTrayU.exe[4240] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007789c5b0 8 bytes {JMP QWORD [RIP-0x4a4de]} .text C:\Program Files (x86)\PopTrayU\PopTrayU.exe[4240] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007789c800 8 bytes {JMP QWORD [RIP-0x4a991]} .text C:\Program Files (x86)\PopTrayU\PopTrayU.exe[4240] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007789d060 8 bytes {JMP QWORD [RIP-0x4b2d7]} .text C:\Program Files (x86)\PopTrayU\PopTrayU.exe[4240] C:\windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 0000000073ae13cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\PopTrayU\PopTrayU.exe[4240] C:\windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 0000000073ae146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Program Files (x86)\PopTrayU\PopTrayU.exe[4240] C:\windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 0000000073ae16d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\PopTrayU\PopTrayU.exe[4240] C:\windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 0000000073ae19db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\PopTrayU\PopTrayU.exe[4240] C:\windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 0000000073ae19fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\PopTrayU\PopTrayU.exe[4240] C:\windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000073ae1a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\PopTrayU\PopTrayU.exe[4240] C:\windows\syswow64\kernel32.dll!CreateThread + 28 0000000076403491 4 bytes {CALL 0xffffffff8a0a48cc} .text C:\Program Files (x86)\PopTrayU\PopTrayU.exe[4240] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075471401 2 bytes JMP 7642b233 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\PopTrayU\PopTrayU.exe[4240] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075471419 2 bytes JMP 7642b35e C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\PopTrayU\PopTrayU.exe[4240] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075471431 2 bytes JMP 764a9149 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\PopTrayU\PopTrayU.exe[4240] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007547144a 2 bytes CALL 76404885 C:\windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\PopTrayU\PopTrayU.exe[4240] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000754714dd 2 bytes JMP 764a8a42 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\PopTrayU\PopTrayU.exe[4240] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000754714f5 2 bytes JMP 764a8c18 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\PopTrayU\PopTrayU.exe[4240] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007547150d 2 bytes JMP 764a8938 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\PopTrayU\PopTrayU.exe[4240] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075471525 2 bytes JMP 764a8d02 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\PopTrayU\PopTrayU.exe[4240] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007547153d 2 bytes JMP 7641fcc0 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\PopTrayU\PopTrayU.exe[4240] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075471555 2 bytes JMP 76426907 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\PopTrayU\PopTrayU.exe[4240] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007547156d 2 bytes JMP 764a9201 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\PopTrayU\PopTrayU.exe[4240] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075471585 2 bytes JMP 764a8d62 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\PopTrayU\PopTrayU.exe[4240] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007547159d 2 bytes JMP 764a88fc C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\PopTrayU\PopTrayU.exe[4240] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000754715b5 2 bytes JMP 7641fd59 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\PopTrayU\PopTrayU.exe[4240] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000754715cd 2 bytes JMP 7642b2f4 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\PopTrayU\PopTrayU.exe[4240] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000754716b2 2 bytes JMP 764a90c4 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\PopTrayU\PopTrayU.exe[4240] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000754716bd 2 bytes JMP 764a8891 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4364] C:\windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 388 0000000077851234 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4364] C:\windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 00000000778512df 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4364] C:\windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 0000000077851434 8 bytes [A0, 7B, F1, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4364] C:\windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 127 00000000778517bf 7 bytes [7B, F1, 7E, 00, 00, 00, 00] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4364] C:\windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 644 00000000778519c4 8 bytes [80, 7B, F1, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4364] C:\windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000077851aa4 8 bytes [70, 7B, F1, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4364] C:\windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000077851c25 8 bytes [60, 7B, F1, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4364] C:\windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000077851d8f 8 bytes [50, 7B, F1, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4364] C:\windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000077851e75 8 bytes [40, 7B, F1, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4364] C:\windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 584 00000000778520d8 8 bytes [30, 7B, F1, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4364] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread 000000007789bc00 8 bytes {JMP QWORD [RIP-0x4a162]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4364] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 000000007789bd80 8 bytes {JMP QWORD [RIP-0x4a161]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4364] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007789bdb0 8 bytes {JMP QWORD [RIP-0x4a982]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4364] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007789bed0 8 bytes {JMP QWORD [RIP-0x4a512]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4364] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007789bf80 8 bytes {JMP QWORD [RIP-0x4a7c8]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4364] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007789c5b0 8 bytes {JMP QWORD [RIP-0x4a4de]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4364] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007789c800 8 bytes {JMP QWORD [RIP-0x4a991]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4364] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007789d060 8 bytes {JMP QWORD [RIP-0x4b2d7]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4364] C:\windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 0000000073ae13cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4364] C:\windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 0000000073ae146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4364] C:\windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 0000000073ae16d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4364] C:\windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 0000000073ae19db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4364] C:\windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 0000000073ae19fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4364] C:\windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000073ae1a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1416] C:\windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 388 0000000077851234 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1416] C:\windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 00000000778512df 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1416] C:\windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 0000000077851434 8 bytes [A0, 5B, F2, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1416] C:\windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 127 00000000778517bf 7 bytes [5B, F2, 7E, 00, 00, 00, 00] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1416] C:\windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 644 00000000778519c4 8 bytes [80, 5B, F2, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1416] C:\windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000077851aa4 8 bytes [70, 5B, F2, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1416] C:\windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000077851c25 8 bytes [60, 5B, F2, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1416] C:\windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000077851d8f 8 bytes [50, 5B, F2, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1416] C:\windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000077851e75 8 bytes [40, 5B, F2, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1416] C:\windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 584 00000000778520d8 8 bytes [30, 5B, F2, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1416] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread 000000007789bc00 8 bytes {JMP QWORD [RIP-0x4a162]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1416] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 000000007789bd80 8 bytes {JMP QWORD [RIP-0x4a161]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1416] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007789bdb0 8 bytes {JMP QWORD [RIP-0x4a982]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1416] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007789bed0 8 bytes {JMP QWORD [RIP-0x4a512]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1416] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007789bf80 8 bytes {JMP QWORD [RIP-0x4a7c8]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1416] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007789c5b0 8 bytes {JMP QWORD [RIP-0x4a4de]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1416] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007789c800 8 bytes {JMP QWORD [RIP-0x4a991]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1416] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007789d060 8 bytes {JMP QWORD [RIP-0x4b2d7]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1416] C:\windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 0000000073ae13cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1416] C:\windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 0000000073ae146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1416] C:\windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 0000000073ae16d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1416] C:\windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 0000000073ae19db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1416] C:\windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 0000000073ae19fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1416] C:\windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000073ae1a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3288] C:\windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 388 0000000077851234 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3288] C:\windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 00000000778512df 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3288] C:\windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 0000000077851434 8 bytes [A0, AB, EB, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3288] C:\windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 127 00000000778517bf 7 bytes {STOSD ; JMP 0x81} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3288] C:\windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 644 00000000778519c4 8 bytes [80, AB, EB, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3288] C:\windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000077851aa4 8 bytes {JO 0xffffffffffffffad; JMP 0x82} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3288] C:\windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000077851c25 8 bytes [60, AB, EB, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3288] C:\windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000077851d8f 8 bytes {PUSH RAX; STOSD ; JMP 0x82} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3288] C:\windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000077851e75 8 bytes {STOSD ; JMP 0x82} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3288] C:\windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 584 00000000778520d8 8 bytes [30, AB, EB, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3288] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread 000000007789bc00 8 bytes {JMP QWORD [RIP-0x4a162]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3288] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 000000007789bd80 8 bytes {JMP QWORD [RIP-0x4a161]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3288] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007789bdb0 8 bytes {JMP QWORD [RIP-0x4a982]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3288] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007789bed0 8 bytes {JMP QWORD [RIP-0x4a512]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3288] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007789bf80 8 bytes {JMP QWORD [RIP-0x4a7c8]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3288] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007789c5b0 8 bytes {JMP QWORD [RIP-0x4a4de]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3288] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007789c800 8 bytes {JMP QWORD [RIP-0x4a991]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3288] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007789d060 8 bytes {JMP QWORD [RIP-0x4b2d7]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3288] C:\windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 0000000073ae13cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3288] C:\windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 0000000073ae146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3288] C:\windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 0000000073ae16d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3288] C:\windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 0000000073ae19db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3288] C:\windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 0000000073ae19fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3288] C:\windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000073ae1a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[3248] C:\windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 388 0000000077851234 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[3248] C:\windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 00000000778512df 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[3248] C:\windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 0000000077851434 8 bytes [A0, 4B, F2, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[3248] C:\windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 127 00000000778517bf 7 bytes [4B, F2, FF, 00, 00, 00, 00] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[3248] C:\windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 644 00000000778519c4 8 bytes [80, 4B, F2, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[3248] C:\windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000077851aa4 8 bytes [70, 4B, F2, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[3248] C:\windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000077851c25 8 bytes [60, 4B, F2, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[3248] C:\windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000077851d8f 8 bytes [50, 4B, F2, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[3248] C:\windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000077851e75 8 bytes [40, 4B, F2, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[3248] C:\windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 584 00000000778520d8 8 bytes [30, 4B, F2, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[3248] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread 000000007789bc00 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[3248] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 000000007789bd80 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[3248] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007789bdb0 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[3248] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007789bed0 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[3248] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007789bf80 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[3248] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007789c5b0 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[3248] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007789c800 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[3248] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007789d060 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[3248] C:\windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 0000000073ae13cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[3248] C:\windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 0000000073ae146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[3248] C:\windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 0000000073ae16d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[3248] C:\windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 0000000073ae19db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[3248] C:\windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 0000000073ae19fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[3248] C:\windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000073ae1a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Rostov\Desktop\8dc95q89.exe[3192] C:\windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 388 0000000077851234 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Rostov\Desktop\8dc95q89.exe[3192] C:\windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 00000000778512df 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Rostov\Desktop\8dc95q89.exe[3192] C:\windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 0000000077851434 8 bytes [A0, 9B, F3, 7E, 00, 00, 00, ...] .text C:\Users\Rostov\Desktop\8dc95q89.exe[3192] C:\windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 127 00000000778517bf 7 bytes [9B, F3, 7E, 00, 00, 00, 00] .text C:\Users\Rostov\Desktop\8dc95q89.exe[3192] C:\windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 644 00000000778519c4 8 bytes [80, 9B, F3, 7E, 00, 00, 00, ...] .text C:\Users\Rostov\Desktop\8dc95q89.exe[3192] C:\windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000077851aa4 8 bytes [70, 9B, F3, 7E, 00, 00, 00, ...] .text C:\Users\Rostov\Desktop\8dc95q89.exe[3192] C:\windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000077851c25 8 bytes [60, 9B, F3, 7E, 00, 00, 00, ...] .text C:\Users\Rostov\Desktop\8dc95q89.exe[3192] C:\windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000077851d8f 8 bytes [50, 9B, F3, 7E, 00, 00, 00, ...] .text C:\Users\Rostov\Desktop\8dc95q89.exe[3192] C:\windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000077851e75 8 bytes [40, 9B, F3, 7E, 00, 00, 00, ...] .text C:\Users\Rostov\Desktop\8dc95q89.exe[3192] C:\windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 584 00000000778520d8 8 bytes [30, 9B, F3, 7E, 00, 00, 00, ...] .text C:\Users\Rostov\Desktop\8dc95q89.exe[3192] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread 000000007789bc00 8 bytes {JMP QWORD [RIP-0x4a162]} .text C:\Users\Rostov\Desktop\8dc95q89.exe[3192] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 000000007789bd80 8 bytes {JMP QWORD [RIP-0x4a161]} .text C:\Users\Rostov\Desktop\8dc95q89.exe[3192] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007789bdb0 8 bytes {JMP QWORD [RIP-0x4a982]} .text C:\Users\Rostov\Desktop\8dc95q89.exe[3192] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007789bed0 8 bytes {JMP QWORD [RIP-0x4a512]} .text C:\Users\Rostov\Desktop\8dc95q89.exe[3192] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007789bf80 8 bytes {JMP QWORD [RIP-0x4a7c8]} .text C:\Users\Rostov\Desktop\8dc95q89.exe[3192] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007789c5b0 8 bytes {JMP QWORD [RIP-0x4a4de]} .text C:\Users\Rostov\Desktop\8dc95q89.exe[3192] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007789c800 8 bytes {JMP QWORD [RIP-0x4a991]} .text C:\Users\Rostov\Desktop\8dc95q89.exe[3192] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007789d060 8 bytes {JMP QWORD [RIP-0x4b2d7]} .text C:\Users\Rostov\Desktop\8dc95q89.exe[3192] C:\windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 0000000073ae13cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Rostov\Desktop\8dc95q89.exe[3192] C:\windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 0000000073ae146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Users\Rostov\Desktop\8dc95q89.exe[3192] C:\windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 0000000073ae16d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Rostov\Desktop\8dc95q89.exe[3192] C:\windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 0000000073ae19db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Rostov\Desktop\8dc95q89.exe[3192] C:\windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 0000000073ae19fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Rostov\Desktop\8dc95q89.exe[3192] C:\windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000073ae1a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] ---- Kernel IAT/EAT - GMER 2.2 ---- IAT C:\windows\System32\win32k.sys[ntoskrnl.exe!KeUserModeCallback] [fffff88004929ad8] \SystemRoot\system32\DRIVERS\klif.sys [PAGE] ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0015007f6c3b Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\6427370fcc96 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\c0cb38d054a8 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0015007f6c3b (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\6427370fcc96 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\c0cb38d054a8 (not active ControlSet) ---- EOF - GMER 2.2 ----