GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-01-26 14:38:05 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T1L0-7 WDC_WD5000AAKS-00V1A0 rev.05.01D05 465,76GB Running: brx8k4d7.exe; Driver: C:\Users\Adam\AppData\Local\Temp\aftcqaow.sys ---- User code sections - GMER 2.2 ---- .text C:\Windows\system32\taskeng.exe[1864] C:\Windows\system32\ole32.dll!CoGetClassObject 000007fefe3b2e28 10 bytes {JMP QWORD [RIP-0x42de6]} .text C:\Windows\system32\taskeng.exe[1864] C:\Windows\system32\SspiCli.dll!EncryptMessage 000007fefcf950a0 7 bytes {JMP QWORD [RIP+0x13db212]} .text C:\Windows\system32\taskeng.exe[1864] C:\Windows\system32\SspiCli.dll!DecryptMessage 000007fefcf951f4 7 bytes {JMP QWORD [RIP+0x13db0ee]} .text C:\Windows\system32\taskeng.exe[1864] C:\Windows\system32\WS2_32.dll!WSASend 000007fefd7b13b0 10 bytes {JMP QWORD [RIP+0xbbede2]} .text C:\Windows\system32\taskeng.exe[1864] C:\Windows\system32\WS2_32.dll!closesocket + 1 000007fefd7b18e1 8 bytes {JMP QWORD [RIP+0xbbe7f2]} .text C:\Windows\system32\taskeng.exe[1864] C:\Windows\system32\WS2_32.dll!WSARecv 000007fefd7b2200 10 bytes {JMP QWORD [RIP+0xbbdf62]} .text C:\Windows\system32\taskeng.exe[1864] C:\Windows\system32\WS2_32.dll!connect + 1 000007fefd7b45c1 6 bytes {JMP QWORD [RIP+0xbbbab2]} .text C:\Windows\system32\taskeng.exe[1864] C:\Windows\system32\WS2_32.dll!send 000007fefd7b8000 10 bytes {JMP QWORD [RIP+0xbb8102]} .text C:\Windows\system32\taskeng.exe[1864] C:\Windows\system32\WS2_32.dll!sendto 000007fefd7bd7f0 7 bytes {JMP QWORD [RIP+0xbb2a32]} .text C:\Windows\system32\taskeng.exe[1864] C:\Windows\system32\WS2_32.dll!recv 000007fefd7bdf40 10 bytes {JMP QWORD [RIP+0xbb21f2]} .text C:\Windows\system32\taskeng.exe[1864] C:\Windows\system32\WS2_32.dll!recvfrom 000007fefd7beb90 7 bytes {JMP QWORD [RIP+0xbb1662]} .text C:\Windows\system32\taskeng.exe[1864] C:\Windows\system32\WS2_32.dll!WSASendTo 000007fefd7bed50 10 bytes {JMP QWORD [RIP+0xbb1532]} .text C:\Windows\system32\taskeng.exe[1864] C:\Windows\system32\WS2_32.dll!WSAGetOverlappedResult 000007fefd7d7a50 7 bytes {JMP QWORD [RIP+0xb98772]} .text C:\Windows\system32\taskeng.exe[1864] C:\Windows\system32\WS2_32.dll!WSAConnect 000007fefd7de0f0 7 bytes {JMP QWORD [RIP+0xb91fb2]} .text C:\Windows\system32\taskeng.exe[1864] C:\Windows\system32\WS2_32.dll!WSARecvFrom 000007fefd7de6c0 7 bytes {JMP QWORD [RIP+0xb91b92]} .text C:\Windows\system32\taskeng.exe[1864] C:\Windows\system32\WININET.dll!UnlockUrlCacheEntryFile 000007fefe73b670 10 bytes {JMP QWORD [RIP-0x3cb35e]} .text C:\Windows\system32\Dwm.exe[1912] C:\Windows\system32\WS2_32.dll!WSASend 000007fefd7b13b0 10 bytes {JMP QWORD [RIP+0xbbede2]} .text C:\Windows\system32\Dwm.exe[1912] C:\Windows\system32\WS2_32.dll!closesocket + 1 000007fefd7b18e1 8 bytes {JMP QWORD [RIP+0xbbe7f2]} .text C:\Windows\system32\Dwm.exe[1912] C:\Windows\system32\WS2_32.dll!WSARecv 000007fefd7b2200 10 bytes {JMP QWORD [RIP+0xbbdf62]} .text C:\Windows\system32\Dwm.exe[1912] C:\Windows\system32\WS2_32.dll!connect + 1 000007fefd7b45c1 6 bytes {JMP QWORD [RIP+0xbbbab2]} .text C:\Windows\system32\Dwm.exe[1912] C:\Windows\system32\WS2_32.dll!send 000007fefd7b8000 10 bytes {JMP QWORD [RIP+0xbb8102]} .text C:\Windows\system32\Dwm.exe[1912] C:\Windows\system32\WS2_32.dll!sendto 000007fefd7bd7f0 7 bytes {JMP QWORD [RIP+0xbb2a32]} .text C:\Windows\system32\Dwm.exe[1912] C:\Windows\system32\WS2_32.dll!recv 000007fefd7bdf40 10 bytes {JMP QWORD [RIP+0xbb21f2]} .text C:\Windows\system32\Dwm.exe[1912] C:\Windows\system32\WS2_32.dll!recvfrom 000007fefd7beb90 7 bytes {JMP QWORD [RIP+0xbb1662]} .text C:\Windows\system32\Dwm.exe[1912] C:\Windows\system32\WS2_32.dll!WSASendTo 000007fefd7bed50 10 bytes {JMP QWORD [RIP+0xbb1532]} .text C:\Windows\system32\Dwm.exe[1912] C:\Windows\system32\WS2_32.dll!WSAGetOverlappedResult 000007fefd7d7a50 7 bytes {JMP QWORD [RIP+0xb98772]} .text C:\Windows\system32\Dwm.exe[1912] C:\Windows\system32\WS2_32.dll!WSAConnect 000007fefd7de0f0 7 bytes {JMP QWORD [RIP+0xb91fb2]} .text C:\Windows\system32\Dwm.exe[1912] C:\Windows\system32\WS2_32.dll!WSARecvFrom 000007fefd7de6c0 7 bytes {JMP QWORD [RIP+0xb91b92]} .text C:\Windows\system32\Dwm.exe[1912] C:\Windows\system32\WININET.dll!UnlockUrlCacheEntryFile 000007fefe73b670 10 bytes {JMP QWORD [RIP-0x3cb35e]} .text C:\Windows\Explorer.EXE[1960] C:\Windows\system32\kernel32.dll!GetQueuedCompletionStatus 00000000772b99f0 8 bytes {JMP QWORD [RIP-0x172b99ae]} .text C:\Windows\Explorer.EXE[1960] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000772d0670 12 bytes {JMP QWORD [RIP-0x172d05fe]} .text C:\Windows\Explorer.EXE[1960] C:\Windows\system32\SHELL32.dll!ShellExecuteExW 000007fefe864f4c 10 bytes {JMP QWORD [RIP-0x4f4c0a]} .text C:\Windows\Explorer.EXE[1960] C:\Windows\system32\ole32.dll!CoGetClassObject 000007fefe3b2e28 10 bytes {JMP QWORD [RIP-0x42de6]} .text C:\Windows\Explorer.EXE[1960] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 000007fefcf950a0 7 bytes {JMP QWORD [RIP+0x13db212]} .text C:\Windows\Explorer.EXE[1960] C:\Windows\system32\SSPICLI.DLL!DecryptMessage 000007fefcf951f4 7 bytes {JMP QWORD [RIP+0x13db0ee]} .text C:\Windows\Explorer.EXE[1960] C:\Windows\system32\WININET.dll!UnlockUrlCacheEntryFile 000007fefe73b670 10 bytes {JMP QWORD [RIP-0x3cb35e]} .text C:\Windows\Explorer.EXE[1960] C:\Windows\system32\WS2_32.dll!WSASend 000007fefd7b13b0 10 bytes {JMP QWORD [RIP+0xbbede2]} .text C:\Windows\Explorer.EXE[1960] C:\Windows\system32\WS2_32.dll!closesocket + 1 000007fefd7b18e1 8 bytes {JMP QWORD [RIP+0xbbe7f2]} .text C:\Windows\Explorer.EXE[1960] C:\Windows\system32\WS2_32.dll!WSARecv 000007fefd7b2200 10 bytes {JMP QWORD [RIP+0xbbdf62]} .text C:\Windows\Explorer.EXE[1960] C:\Windows\system32\WS2_32.dll!connect + 1 000007fefd7b45c1 6 bytes {JMP QWORD [RIP+0xbbbab2]} .text C:\Windows\Explorer.EXE[1960] C:\Windows\system32\WS2_32.dll!send 000007fefd7b8000 10 bytes {JMP QWORD [RIP+0xbb8102]} .text C:\Windows\Explorer.EXE[1960] C:\Windows\system32\WS2_32.dll!sendto 000007fefd7bd7f0 7 bytes {JMP QWORD [RIP+0xbb2a32]} .text C:\Windows\Explorer.EXE[1960] C:\Windows\system32\WS2_32.dll!recv 000007fefd7bdf40 10 bytes {JMP QWORD [RIP+0xbb21f2]} .text C:\Windows\Explorer.EXE[1960] C:\Windows\system32\WS2_32.dll!recvfrom 000007fefd7beb90 7 bytes {JMP QWORD [RIP+0xbb1662]} .text C:\Windows\Explorer.EXE[1960] C:\Windows\system32\WS2_32.dll!WSASendTo 000007fefd7bed50 10 bytes {JMP QWORD [RIP+0xbb1532]} .text C:\Windows\Explorer.EXE[1960] C:\Windows\system32\WS2_32.dll!WSAGetOverlappedResult 000007fefd7d7a50 7 bytes {JMP QWORD [RIP+0xb98772]} .text C:\Windows\Explorer.EXE[1960] C:\Windows\system32\WS2_32.dll!WSAConnect 000007fefd7de0f0 7 bytes {JMP QWORD [RIP+0xb91fb2]} .text C:\Windows\Explorer.EXE[1960] C:\Windows\system32\WS2_32.dll!WSARecvFrom 000007fefd7de6c0 7 bytes {JMP QWORD [RIP+0xb91b92]} .text C:\ProgramData\DatacardService\DCSHelper.exe[2240] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076ba103d 5 bytes JMP 00000000100645e3 .text C:\ProgramData\DatacardService\DCSHelper.exe[2240] C:\Windows\syswow64\kernel32.dll!GetQueuedCompletionStatus 0000000076bbd383 5 bytes JMP 000000001006056f .text C:\ProgramData\DatacardService\DCSHelper.exe[2240] C:\Windows\syswow64\ADVAPI32.dll!RegSetValueExW 0000000075471436 5 bytes JMP 000000001005661e .text C:\ProgramData\DatacardService\DCSHelper.exe[2240] C:\Windows\syswow64\ADVAPI32.dll!RegQueryValueExW 0000000075474615 5 bytes JMP 000000001005658b .text C:\ProgramData\DatacardService\DCSHelper.exe[2240] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 0000000074f4124e 5 bytes JMP 00000000100662e2 .text C:\ProgramData\DatacardService\DCSHelper.exe[2240] C:\Windows\syswow64\SspiCli.dll!DecryptMessage 0000000074f4129d 5 bytes JMP 000000001005ffb0 .text C:\ProgramData\DatacardService\DCSHelper.exe[2240] C:\Windows\syswow64\SHELL32.dll!ShellExecuteExW 0000000075831e7d 5 bytes JMP 0000000010057f87 .text C:\ProgramData\DatacardService\DCSHelper.exe[2240] C:\Windows\syswow64\ole32.dll!CoGetClassObject 00000000765454ad 5 bytes JMP 0000000010043cee .text C:\ProgramData\DatacardService\DCSHelper.exe[2240] C:\Windows\syswow64\WS2_32.dll!sendto 00000000750834b5 5 bytes JMP 000000001006087e .text C:\ProgramData\DatacardService\DCSHelper.exe[2240] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000075083918 5 bytes JMP 000000001005fa6f .text C:\ProgramData\DatacardService\DCSHelper.exe[2240] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000075084406 5 bytes JMP 000000001006649b .text C:\ProgramData\DatacardService\DCSHelper.exe[2240] C:\Windows\syswow64\WS2_32.dll!recv 0000000075086b0e 5 bytes JMP 00000000100602d1 .text C:\ProgramData\DatacardService\DCSHelper.exe[2240] C:\Windows\syswow64\WS2_32.dll!connect 0000000075086bdd 5 bytes JMP 000000001005f4d7 .text C:\ProgramData\DatacardService\DCSHelper.exe[2240] C:\Windows\syswow64\WS2_32.dll!send 0000000075086f01 5 bytes JMP 0000000010065620 .text C:\ProgramData\DatacardService\DCSHelper.exe[2240] C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000075087089 5 bytes JMP 0000000010062935 .text C:\ProgramData\DatacardService\DCSHelper.exe[2240] C:\Windows\syswow64\WS2_32.dll!WSAGetOverlappedResult 0000000075087489 5 bytes JMP 00000000100603db .text C:\ProgramData\DatacardService\DCSHelper.exe[2240] C:\Windows\syswow64\WS2_32.dll!recvfrom 000000007508b6dc 5 bytes JMP 0000000010060743 .text C:\ProgramData\DatacardService\DCSHelper.exe[2240] C:\Windows\syswow64\WS2_32.dll!WSARecvFrom 000000007508cba6 5 bytes JMP 0000000010062ac5 .text C:\ProgramData\DatacardService\DCSHelper.exe[2240] C:\Windows\syswow64\WS2_32.dll!WSAConnect 000000007508cc3f 5 bytes JMP 000000001005f8ae .text C:\ProgramData\DatacardService\DCSHelper.exe[2240] C:\Windows\syswow64\WS2_32.dll!WSASendTo 000000007509b30c 5 bytes JMP 0000000010062c84 .text C:\ProgramData\DatacardService\DCSHelper.exe[2240] C:\Windows\syswow64\WININET.dll!UnlockUrlCacheEntryFile 0000000076a93790 5 bytes JMP 0000000010061345 .text C:\ProgramData\DatacardService\DCSHelper.exe[2240] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075521401 2 bytes JMP 76bcb20b C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\DatacardService\DCSHelper.exe[2240] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075521419 2 bytes JMP 76bcb336 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\DatacardService\DCSHelper.exe[2240] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075521431 2 bytes JMP 76c48f39 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\DatacardService\DCSHelper.exe[2240] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007552144a 2 bytes CALL 76ba4885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\ProgramData\DatacardService\DCSHelper.exe[2240] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000755214dd 2 bytes JMP 76c48832 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\DatacardService\DCSHelper.exe[2240] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000755214f5 2 bytes JMP 76c48a08 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\DatacardService\DCSHelper.exe[2240] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007552150d 2 bytes JMP 76c48728 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\DatacardService\DCSHelper.exe[2240] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075521525 2 bytes JMP 76c48af2 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\DatacardService\DCSHelper.exe[2240] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007552153d 2 bytes JMP 76bbfc98 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\DatacardService\DCSHelper.exe[2240] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075521555 2 bytes JMP 76bc68df C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\DatacardService\DCSHelper.exe[2240] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007552156d 2 bytes JMP 76c48ff1 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\DatacardService\DCSHelper.exe[2240] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075521585 2 bytes JMP 76c48b52 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\DatacardService\DCSHelper.exe[2240] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007552159d 2 bytes JMP 76c486ec C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\DatacardService\DCSHelper.exe[2240] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000755215b5 2 bytes JMP 76bbfd31 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\DatacardService\DCSHelper.exe[2240] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000755215cd 2 bytes JMP 76bcb2cc C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\DatacardService\DCSHelper.exe[2240] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000755216b2 2 bytes JMP 76c48eb4 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\DatacardService\DCSHelper.exe[2240] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000755216bd 2 bytes JMP 76c48681 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\PremierOpinion\pmservice.exe[2412] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075521401 2 bytes JMP 76bcb20b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\PremierOpinion\pmservice.exe[2412] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075521419 2 bytes JMP 76bcb336 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\PremierOpinion\pmservice.exe[2412] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075521431 2 bytes JMP 76c48f39 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\PremierOpinion\pmservice.exe[2412] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007552144a 2 bytes CALL 76ba4885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\PremierOpinion\pmservice.exe[2412] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000755214dd 2 bytes JMP 76c48832 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\PremierOpinion\pmservice.exe[2412] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000755214f5 2 bytes JMP 76c48a08 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\PremierOpinion\pmservice.exe[2412] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007552150d 2 bytes JMP 76c48728 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\PremierOpinion\pmservice.exe[2412] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075521525 2 bytes JMP 76c48af2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\PremierOpinion\pmservice.exe[2412] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007552153d 2 bytes JMP 76bbfc98 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\PremierOpinion\pmservice.exe[2412] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075521555 2 bytes JMP 76bc68df C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\PremierOpinion\pmservice.exe[2412] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007552156d 2 bytes JMP 76c48ff1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\PremierOpinion\pmservice.exe[2412] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075521585 2 bytes JMP 76c48b52 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\PremierOpinion\pmservice.exe[2412] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007552159d 2 bytes JMP 76c486ec C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\PremierOpinion\pmservice.exe[2412] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000755215b5 2 bytes JMP 76bbfd31 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\PremierOpinion\pmservice.exe[2412] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000755215cd 2 bytes JMP 76bcb2cc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\PremierOpinion\pmservice.exe[2412] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000755216b2 2 bytes JMP 76c48eb4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\PremierOpinion\pmservice.exe[2412] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000755216bd 2 bytes JMP 76c48681 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ByteFence\rtop\bin\rtop_bg.exe[2472] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076ba103d 5 bytes JMP 00000000100645e3 .text C:\Program Files\ByteFence\rtop\bin\rtop_bg.exe[2472] C:\Windows\syswow64\kernel32.dll!GetQueuedCompletionStatus 0000000076bbd383 5 bytes JMP 000000001006056f .text C:\Program Files\ByteFence\rtop\bin\rtop_bg.exe[2472] C:\Windows\syswow64\ADVAPI32.dll!RegSetValueExW 0000000075471436 5 bytes JMP 000000001005661e .text C:\Program Files\ByteFence\rtop\bin\rtop_bg.exe[2472] C:\Windows\syswow64\ADVAPI32.dll!RegQueryValueExW 0000000075474615 5 bytes JMP 000000001005658b .text C:\Program Files\ByteFence\rtop\bin\rtop_bg.exe[2472] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 0000000074f4124e 5 bytes JMP 00000000100662e2 .text C:\Program Files\ByteFence\rtop\bin\rtop_bg.exe[2472] C:\Windows\syswow64\SspiCli.dll!DecryptMessage 0000000074f4129d 5 bytes JMP 000000001005ffb0 .text C:\Program Files\ByteFence\rtop\bin\rtop_bg.exe[2472] C:\Windows\syswow64\ole32.dll!CoGetClassObject 00000000765454ad 5 bytes JMP 0000000010043cee .text C:\Program Files\ByteFence\rtop\bin\rtop_bg.exe[2472] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075521401 2 bytes JMP 76bcb20b C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ByteFence\rtop\bin\rtop_bg.exe[2472] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075521419 2 bytes JMP 76bcb336 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ByteFence\rtop\bin\rtop_bg.exe[2472] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075521431 2 bytes JMP 76c48f39 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ByteFence\rtop\bin\rtop_bg.exe[2472] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007552144a 2 bytes CALL 76ba4885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files\ByteFence\rtop\bin\rtop_bg.exe[2472] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000755214dd 2 bytes JMP 76c48832 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ByteFence\rtop\bin\rtop_bg.exe[2472] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000755214f5 2 bytes JMP 76c48a08 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ByteFence\rtop\bin\rtop_bg.exe[2472] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007552150d 2 bytes JMP 76c48728 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ByteFence\rtop\bin\rtop_bg.exe[2472] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075521525 2 bytes JMP 76c48af2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ByteFence\rtop\bin\rtop_bg.exe[2472] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007552153d 2 bytes JMP 76bbfc98 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ByteFence\rtop\bin\rtop_bg.exe[2472] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075521555 2 bytes JMP 76bc68df C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ByteFence\rtop\bin\rtop_bg.exe[2472] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007552156d 2 bytes JMP 76c48ff1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ByteFence\rtop\bin\rtop_bg.exe[2472] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075521585 2 bytes JMP 76c48b52 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ByteFence\rtop\bin\rtop_bg.exe[2472] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007552159d 2 bytes JMP 76c486ec C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ByteFence\rtop\bin\rtop_bg.exe[2472] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000755215b5 2 bytes JMP 76bbfd31 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ByteFence\rtop\bin\rtop_bg.exe[2472] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000755215cd 2 bytes JMP 76bcb2cc C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ByteFence\rtop\bin\rtop_bg.exe[2472] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000755216b2 2 bytes JMP 76c48eb4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ByteFence\rtop\bin\rtop_bg.exe[2472] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000755216bd 2 bytes JMP 76c48681 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ByteFence\rtop\bin\rtop_bg.exe[2472] C:\Windows\syswow64\SHELL32.dll!ShellExecuteExW 0000000075831e7d 5 bytes JMP 0000000010057f87 .text C:\Program Files\ByteFence\rtop\bin\rtop_bg.exe[2472] C:\Windows\syswow64\WS2_32.dll!sendto 00000000750834b5 5 bytes JMP 000000001006087e .text C:\Program Files\ByteFence\rtop\bin\rtop_bg.exe[2472] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000075083918 5 bytes JMP 000000001005fa6f .text C:\Program Files\ByteFence\rtop\bin\rtop_bg.exe[2472] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000075084406 5 bytes JMP 000000001006649b .text C:\Program Files\ByteFence\rtop\bin\rtop_bg.exe[2472] C:\Windows\syswow64\WS2_32.dll!recv 0000000075086b0e 5 bytes JMP 00000000100602d1 .text C:\Program Files\ByteFence\rtop\bin\rtop_bg.exe[2472] C:\Windows\syswow64\WS2_32.dll!connect 0000000075086bdd 5 bytes JMP 000000001005f4d7 .text C:\Program Files\ByteFence\rtop\bin\rtop_bg.exe[2472] C:\Windows\syswow64\WS2_32.dll!send 0000000075086f01 5 bytes JMP 0000000010065620 .text C:\Program Files\ByteFence\rtop\bin\rtop_bg.exe[2472] C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000075087089 5 bytes JMP 0000000010062935 .text C:\Program Files\ByteFence\rtop\bin\rtop_bg.exe[2472] C:\Windows\syswow64\WS2_32.dll!WSAGetOverlappedResult 0000000075087489 5 bytes JMP 00000000100603db .text C:\Program Files\ByteFence\rtop\bin\rtop_bg.exe[2472] C:\Windows\syswow64\WS2_32.dll!recvfrom 000000007508b6dc 5 bytes JMP 0000000010060743 .text C:\Program Files\ByteFence\rtop\bin\rtop_bg.exe[2472] C:\Windows\syswow64\WS2_32.dll!WSARecvFrom 000000007508cba6 5 bytes JMP 0000000010062ac5 .text C:\Program Files\ByteFence\rtop\bin\rtop_bg.exe[2472] C:\Windows\syswow64\WS2_32.dll!WSAConnect 000000007508cc3f 5 bytes JMP 000000001005f8ae .text C:\Program Files\ByteFence\rtop\bin\rtop_bg.exe[2472] C:\Windows\syswow64\WS2_32.dll!WSASendTo 000000007509b30c 5 bytes JMP 0000000010062c84 .text C:\Program Files\ByteFence\rtop\bin\rtop_bg.exe[2472] C:\Windows\syswow64\WININET.dll!UnlockUrlCacheEntryFile 0000000076a93790 5 bytes JMP 0000000010061345 .text C:\Program Files (x86)\PremierOpinion\pmropn.exe[1164] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075521401 2 bytes JMP 76bcb20b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\PremierOpinion\pmropn.exe[1164] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075521419 2 bytes JMP 76bcb336 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\PremierOpinion\pmropn.exe[1164] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075521431 2 bytes JMP 76c48f39 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\PremierOpinion\pmropn.exe[1164] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007552144a 2 bytes CALL 76ba4885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\PremierOpinion\pmropn.exe[1164] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000755214dd 2 bytes JMP 76c48832 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\PremierOpinion\pmropn.exe[1164] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000755214f5 2 bytes JMP 76c48a08 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\PremierOpinion\pmropn.exe[1164] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007552150d 2 bytes JMP 76c48728 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\PremierOpinion\pmropn.exe[1164] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075521525 2 bytes JMP 76c48af2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\PremierOpinion\pmropn.exe[1164] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007552153d 2 bytes JMP 76bbfc98 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\PremierOpinion\pmropn.exe[1164] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075521555 2 bytes JMP 76bc68df C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\PremierOpinion\pmropn.exe[1164] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007552156d 2 bytes JMP 76c48ff1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\PremierOpinion\pmropn.exe[1164] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075521585 2 bytes JMP 76c48b52 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\PremierOpinion\pmropn.exe[1164] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007552159d 2 bytes JMP 76c486ec C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\PremierOpinion\pmropn.exe[1164] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000755215b5 2 bytes JMP 76bbfd31 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\PremierOpinion\pmropn.exe[1164] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000755215cd 2 bytes JMP 76bcb2cc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\PremierOpinion\pmropn.exe[1164] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000755216b2 2 bytes JMP 76c48eb4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\PremierOpinion\pmropn.exe[1164] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000755216bd 2 bytes JMP 76c48681 C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~2\PREMIE~1\pmropn32.exe[1540] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075521401 2 bytes JMP 76bcb20b C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~2\PREMIE~1\pmropn32.exe[1540] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075521419 2 bytes JMP 76bcb336 C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~2\PREMIE~1\pmropn32.exe[1540] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075521431 2 bytes JMP 76c48f39 C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~2\PREMIE~1\pmropn32.exe[1540] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007552144a 2 bytes CALL 76ba4885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\PROGRA~2\PREMIE~1\pmropn32.exe[1540] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000755214dd 2 bytes JMP 76c48832 C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~2\PREMIE~1\pmropn32.exe[1540] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000755214f5 2 bytes JMP 76c48a08 C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~2\PREMIE~1\pmropn32.exe[1540] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007552150d 2 bytes JMP 76c48728 C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~2\PREMIE~1\pmropn32.exe[1540] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075521525 2 bytes JMP 76c48af2 C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~2\PREMIE~1\pmropn32.exe[1540] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007552153d 2 bytes JMP 76bbfc98 C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~2\PREMIE~1\pmropn32.exe[1540] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075521555 2 bytes JMP 76bc68df C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~2\PREMIE~1\pmropn32.exe[1540] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007552156d 2 bytes JMP 76c48ff1 C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~2\PREMIE~1\pmropn32.exe[1540] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075521585 2 bytes JMP 76c48b52 C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~2\PREMIE~1\pmropn32.exe[1540] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007552159d 2 bytes JMP 76c486ec C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~2\PREMIE~1\pmropn32.exe[1540] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000755215b5 2 bytes JMP 76bbfd31 C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~2\PREMIE~1\pmropn32.exe[1540] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000755215cd 2 bytes JMP 76bcb2cc C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~2\PREMIE~1\pmropn32.exe[1540] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000755216b2 2 bytes JMP 76c48eb4 C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~2\PREMIE~1\pmropn32.exe[1540] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000755216bd 2 bytes JMP 76c48681 C:\Windows\syswow64\kernel32.dll .text C:\Users\Adam\Downloads\antywirusy\brx8k4d7.exe[3440] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076ba103d 5 bytes JMP 00000000100645e3 .text C:\Users\Adam\Downloads\antywirusy\brx8k4d7.exe[3440] C:\Windows\syswow64\kernel32.dll!GetQueuedCompletionStatus 0000000076bbd383 5 bytes JMP 000000001006056f .text C:\Users\Adam\Downloads\antywirusy\brx8k4d7.exe[3440] C:\Windows\syswow64\ADVAPI32.dll!RegSetValueExW 0000000075471436 5 bytes JMP 000000001005661e .text C:\Users\Adam\Downloads\antywirusy\brx8k4d7.exe[3440] C:\Windows\syswow64\ADVAPI32.dll!RegQueryValueExW 0000000075474615 5 bytes JMP 000000001005658b .text C:\Users\Adam\Downloads\antywirusy\brx8k4d7.exe[3440] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 0000000074f4124e 5 bytes JMP 00000000100662e2 .text C:\Users\Adam\Downloads\antywirusy\brx8k4d7.exe[3440] C:\Windows\syswow64\SspiCli.dll!DecryptMessage 0000000074f4129d 5 bytes JMP 000000001005ffb0 .text C:\Users\Adam\Downloads\antywirusy\brx8k4d7.exe[3440] C:\Windows\syswow64\WS2_32.dll!sendto 00000000750834b5 5 bytes JMP 000000001006087e .text C:\Users\Adam\Downloads\antywirusy\brx8k4d7.exe[3440] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000075083918 5 bytes JMP 000000001005fa6f .text C:\Users\Adam\Downloads\antywirusy\brx8k4d7.exe[3440] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000075084406 5 bytes JMP 000000001006649b .text C:\Users\Adam\Downloads\antywirusy\brx8k4d7.exe[3440] C:\Windows\syswow64\WS2_32.dll!recv 0000000075086b0e 5 bytes JMP 00000000100602d1 .text C:\Users\Adam\Downloads\antywirusy\brx8k4d7.exe[3440] C:\Windows\syswow64\WS2_32.dll!connect 0000000075086bdd 5 bytes JMP 000000001005f4d7 .text C:\Users\Adam\Downloads\antywirusy\brx8k4d7.exe[3440] C:\Windows\syswow64\WS2_32.dll!send 0000000075086f01 5 bytes JMP 0000000010065620 .text C:\Users\Adam\Downloads\antywirusy\brx8k4d7.exe[3440] C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000075087089 5 bytes JMP 0000000010062935 .text C:\Users\Adam\Downloads\antywirusy\brx8k4d7.exe[3440] C:\Windows\syswow64\WS2_32.dll!WSAGetOverlappedResult 0000000075087489 5 bytes JMP 00000000100603db .text C:\Users\Adam\Downloads\antywirusy\brx8k4d7.exe[3440] C:\Windows\syswow64\WS2_32.dll!recvfrom 000000007508b6dc 5 bytes JMP 0000000010060743 .text C:\Users\Adam\Downloads\antywirusy\brx8k4d7.exe[3440] C:\Windows\syswow64\WS2_32.dll!WSARecvFrom 000000007508cba6 5 bytes JMP 0000000010062ac5 .text C:\Users\Adam\Downloads\antywirusy\brx8k4d7.exe[3440] C:\Windows\syswow64\WS2_32.dll!WSAConnect 000000007508cc3f 5 bytes JMP 000000001005f8ae .text C:\Users\Adam\Downloads\antywirusy\brx8k4d7.exe[3440] C:\Windows\syswow64\WS2_32.dll!WSASendTo 000000007509b30c 5 bytes JMP 0000000010062c84 .text C:\Users\Adam\Downloads\antywirusy\brx8k4d7.exe[3440] C:\Windows\syswow64\ole32.dll!CoGetClassObject 00000000765454ad 5 bytes JMP 0000000010043cee .text C:\Users\Adam\Downloads\antywirusy\brx8k4d7.exe[3440] C:\Windows\syswow64\WININET.dll!UnlockUrlCacheEntryFile 0000000076a93790 5 bytes JMP 0000000010061345 .text C:\Users\Adam\Downloads\antywirusy\brx8k4d7.exe[3440] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075521401 2 bytes JMP 76bcb20b C:\Windows\syswow64\kernel32.dll .text C:\Users\Adam\Downloads\antywirusy\brx8k4d7.exe[3440] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075521419 2 bytes JMP 76bcb336 C:\Windows\syswow64\kernel32.dll .text C:\Users\Adam\Downloads\antywirusy\brx8k4d7.exe[3440] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075521431 2 bytes JMP 76c48f39 C:\Windows\syswow64\kernel32.dll .text C:\Users\Adam\Downloads\antywirusy\brx8k4d7.exe[3440] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007552144a 2 bytes CALL 76ba4885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Users\Adam\Downloads\antywirusy\brx8k4d7.exe[3440] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000755214dd 2 bytes JMP 76c48832 C:\Windows\syswow64\kernel32.dll .text C:\Users\Adam\Downloads\antywirusy\brx8k4d7.exe[3440] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000755214f5 2 bytes JMP 76c48a08 C:\Windows\syswow64\kernel32.dll .text C:\Users\Adam\Downloads\antywirusy\brx8k4d7.exe[3440] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007552150d 2 bytes JMP 76c48728 C:\Windows\syswow64\kernel32.dll .text C:\Users\Adam\Downloads\antywirusy\brx8k4d7.exe[3440] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075521525 2 bytes JMP 76c48af2 C:\Windows\syswow64\kernel32.dll .text C:\Users\Adam\Downloads\antywirusy\brx8k4d7.exe[3440] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007552153d 2 bytes JMP 76bbfc98 C:\Windows\syswow64\kernel32.dll .text C:\Users\Adam\Downloads\antywirusy\brx8k4d7.exe[3440] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075521555 2 bytes JMP 76bc68df C:\Windows\syswow64\kernel32.dll .text C:\Users\Adam\Downloads\antywirusy\brx8k4d7.exe[3440] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007552156d 2 bytes JMP 76c48ff1 C:\Windows\syswow64\kernel32.dll .text C:\Users\Adam\Downloads\antywirusy\brx8k4d7.exe[3440] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075521585 2 bytes JMP 76c48b52 C:\Windows\syswow64\kernel32.dll .text C:\Users\Adam\Downloads\antywirusy\brx8k4d7.exe[3440] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007552159d 2 bytes JMP 76c486ec C:\Windows\syswow64\kernel32.dll .text C:\Users\Adam\Downloads\antywirusy\brx8k4d7.exe[3440] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000755215b5 2 bytes JMP 76bbfd31 C:\Windows\syswow64\kernel32.dll .text C:\Users\Adam\Downloads\antywirusy\brx8k4d7.exe[3440] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000755215cd 2 bytes JMP 76bcb2cc C:\Windows\syswow64\kernel32.dll .text C:\Users\Adam\Downloads\antywirusy\brx8k4d7.exe[3440] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000755216b2 2 bytes JMP 76c48eb4 C:\Windows\syswow64\kernel32.dll .text C:\Users\Adam\Downloads\antywirusy\brx8k4d7.exe[3440] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000755216bd 2 bytes JMP 76c48681 C:\Windows\syswow64\kernel32.dll .text C:\Users\Adam\Downloads\antywirusy\brx8k4d7.exe[3440] C:\Windows\syswow64\shell32.dll!ShellExecuteExW 0000000075831e7d 5 bytes JMP 0000000010057f87 ---- EOF - GMER 2.2 ----