GMER 2.1.18952 - http://www.gmer.net Rootkit scan 2013-02-16 16:22:25 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4 WDC_WD3200AAKS-00L9A0 rev.01.03E01 298,09GB Running: w0u4n7jb.exe; Driver: C:\Users\Soku\AppData\Local\Temp\aftcraog.sys ---- User code sections - GMER 2.1 ---- .text C:\Users\Soku\AppData\Local\Pokki\v0.260.10.204\pokki.exe[1360] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000750e1465 2 bytes [0E, 75] .text C:\Users\Soku\AppData\Local\Pokki\v0.260.10.204\pokki.exe[1360] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000750e14bb 2 bytes [0E, 75] .text ... * 2 .text C:\Users\Soku\AppData\Local\Pokki\v0.260.10.204\pokki.exe[1684] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007722f991 8 bytes {MOV EDX, 0x90228; JMP RDX} .text C:\Users\Soku\AppData\Local\Pokki\v0.260.10.204\pokki.exe[1684] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 15 000000007722f99b 1 byte [90] .text C:\Users\Soku\AppData\Local\Pokki\v0.260.10.204\pokki.exe[1684] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007722fbd5 8 bytes {MOV EDX, 0x90268; JMP RDX} .text C:\Users\Soku\AppData\Local\Pokki\v0.260.10.204\pokki.exe[1684] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 15 000000007722fbdf 1 byte [90] .text C:\Users\Soku\AppData\Local\Pokki\v0.260.10.204\pokki.exe[1684] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007722fc05 8 bytes {MOV EDX, 0x901a8; JMP RDX} .text C:\Users\Soku\AppData\Local\Pokki\v0.260.10.204\pokki.exe[1684] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 15 000000007722fc0f 1 byte [90] .text C:\Users\Soku\AppData\Local\Pokki\v0.260.10.204\pokki.exe[1684] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007722fc1d 8 bytes {MOV EDX, 0x90128; JMP RDX} .text C:\Users\Soku\AppData\Local\Pokki\v0.260.10.204\pokki.exe[1684] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 15 000000007722fc27 1 byte [90] .text C:\Users\Soku\AppData\Local\Pokki\v0.260.10.204\pokki.exe[1684] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007722fc35 8 bytes {MOV EDX, 0x90328; JMP RDX} .text C:\Users\Soku\AppData\Local\Pokki\v0.260.10.204\pokki.exe[1684] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 15 000000007722fc3f 1 byte [90] .text C:\Users\Soku\AppData\Local\Pokki\v0.260.10.204\pokki.exe[1684] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007722fc65 8 bytes {MOV EDX, 0x90368; JMP RDX} .text C:\Users\Soku\AppData\Local\Pokki\v0.260.10.204\pokki.exe[1684] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 15 000000007722fc6f 1 byte [90] .text C:\Users\Soku\AppData\Local\Pokki\v0.260.10.204\pokki.exe[1684] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007722fce5 8 bytes {MOV EDX, 0x902e8; JMP RDX} .text C:\Users\Soku\AppData\Local\Pokki\v0.260.10.204\pokki.exe[1684] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 15 000000007722fcef 1 byte [90] .text C:\Users\Soku\AppData\Local\Pokki\v0.260.10.204\pokki.exe[1684] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007722fcfd 8 bytes {MOV EDX, 0x902a8; JMP RDX} .text C:\Users\Soku\AppData\Local\Pokki\v0.260.10.204\pokki.exe[1684] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 15 000000007722fd07 1 byte [90] .text C:\Users\Soku\AppData\Local\Pokki\v0.260.10.204\pokki.exe[1684] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007722fd49 8 bytes {MOV EDX, 0x90068; JMP RDX} .text C:\Users\Soku\AppData\Local\Pokki\v0.260.10.204\pokki.exe[1684] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 15 000000007722fd53 1 byte [90] .text C:\Users\Soku\AppData\Local\Pokki\v0.260.10.204\pokki.exe[1684] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007722fe41 8 bytes {MOV EDX, 0x900a8; JMP RDX} .text C:\Users\Soku\AppData\Local\Pokki\v0.260.10.204\pokki.exe[1684] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 15 000000007722fe4b 1 byte [90] .text C:\Users\Soku\AppData\Local\Pokki\v0.260.10.204\pokki.exe[1684] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077230099 8 bytes {MOV EDX, 0x90028; JMP RDX} .text C:\Users\Soku\AppData\Local\Pokki\v0.260.10.204\pokki.exe[1684] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 15 00000000772300a3 1 byte [90] .text C:\Users\Soku\AppData\Local\Pokki\v0.260.10.204\pokki.exe[1684] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000772310a5 8 bytes {MOV EDX, 0x901e8; JMP RDX} .text C:\Users\Soku\AppData\Local\Pokki\v0.260.10.204\pokki.exe[1684] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 15 00000000772310af 1 byte [90] .text C:\Users\Soku\AppData\Local\Pokki\v0.260.10.204\pokki.exe[1684] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007723111d 8 bytes {MOV EDX, 0x90168; JMP RDX} .text C:\Users\Soku\AppData\Local\Pokki\v0.260.10.204\pokki.exe[1684] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 15 0000000077231127 1 byte [90] .text C:\Users\Soku\AppData\Local\Pokki\v0.260.10.204\pokki.exe[1684] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077231321 8 bytes {MOV EDX, 0x900e8; JMP RDX} .text C:\Users\Soku\AppData\Local\Pokki\v0.260.10.204\pokki.exe[1684] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 15 000000007723132b 1 byte [90] .text C:\Users\Soku\AppData\Local\Pokki\v0.260.10.204\pokki.exe[1684] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000750e1465 2 bytes [0E, 75] .text C:\Users\Soku\AppData\Local\Pokki\v0.260.10.204\pokki.exe[1684] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000750e14bb 2 bytes [0E, 75] .text ... * 2 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[2028] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000750e1465 2 bytes [0E, 75] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[2028] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000750e14bb 2 bytes [0E, 75] .text ... * 2 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007722f991 8 bytes {MOV EDX, 0x1903e8; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 15 000000007722f99b 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\SysWOW64\ntdll.dll!NtOpenKey + 5 000000007722fa0d 8 bytes {MOV EDX, 0x1901a8; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\SysWOW64\ntdll.dll!NtOpenKey + 15 000000007722fa17 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\SysWOW64\ntdll.dll!NtCreateKey + 5 000000007722fb25 8 bytes {MOV EDX, 0x190168; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\SysWOW64\ntdll.dll!NtCreateKey + 15 000000007722fb2f 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007722fbd5 8 bytes {MOV EDX, 0x190428; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 15 000000007722fbdf 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007722fc05 8 bytes {MOV EDX, 0x190368; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 15 000000007722fc0f 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007722fc1d 8 bytes {MOV EDX, 0x190128; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 15 000000007722fc27 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007722fc35 8 bytes {MOV EDX, 0x1904e8; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 15 000000007722fc3f 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007722fc65 8 bytes {MOV EDX, 0x190528; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 15 000000007722fc6f 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007722fce5 8 bytes {MOV EDX, 0x1904a8; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 15 000000007722fcef 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007722fcfd 8 bytes {MOV EDX, 0x190468; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 15 000000007722fd07 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007722fd49 8 bytes {MOV EDX, 0x190068; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 15 000000007722fd53 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 5 000000007722fdad 8 bytes {MOV EDX, 0x1902e8; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 15 000000007722fdb7 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007722fe41 8 bytes {MOV EDX, 0x1900a8; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 15 000000007722fe4b 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 5 000000007722ff89 8 bytes {MOV EDX, 0x1902a8; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 15 000000007722ff93 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077230099 8 bytes {MOV EDX, 0x190028; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 15 00000000772300a3 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 5 0000000077230781 8 bytes {MOV EDX, 0x190268; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 15 000000007723078b 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\SysWOW64\ntdll.dll!NtOpenKeyEx + 5 0000000077230ffd 8 bytes {MOV EDX, 0x1901e8; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\SysWOW64\ntdll.dll!NtOpenKeyEx + 15 0000000077231007 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant + 5 000000007723105d 8 bytes {MOV EDX, 0x190228; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant + 15 0000000077231067 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000772310a5 8 bytes {MOV EDX, 0x1903a8; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 15 00000000772310af 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007723111d 8 bytes {MOV EDX, 0x190328; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 15 0000000077231127 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077231321 8 bytes {MOV EDX, 0x1900e8; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 15 000000007723132b 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007510103d 5 bytes JMP 0000000100010030 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075101072 5 bytes JMP 0000000100010070 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\KERNELBASE.dll!CreateEventW 0000000074f8119f 5 bytes JMP 0000000100020030 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\KERNELBASE.dll!OpenEventW 0000000074f811cf 5 bytes JMP 0000000100020070 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\GDI32.dll!GetDeviceCaps 0000000076484de0 5 bytes JMP 00000001001b03b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\GDI32.dll!SelectObject 0000000076484f70 5 bytes JMP 00000001001b05f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\GDI32.dll!SetBkMode 00000000764851a2 5 bytes JMP 00000001001b08f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\GDI32.dll!SetTextColor 000000007648522d 5 bytes JMP 00000001001b0a30 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\GDI32.dll!DeleteObject 0000000076485689 5 bytes JMP 00000001001b01b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000764858b3 5 bytes JMP 00000001001b0170 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\GDI32.dll!GetCurrentObject 0000000076486bad 5 bytes JMP 00000001001b0370 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\GDI32.dll!SaveDC 0000000076486e05 5 bytes JMP 00000001001b0570 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\GDI32.dll!RestoreDC 0000000076486ead 5 bytes JMP 00000001001b0530 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\GDI32.dll!SetStretchBltMode 0000000076487180 5 bytes JMP 00000001001b06b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\GDI32.dll!StretchDIBits 0000000076487435 5 bytes JMP 00000001001b0770 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076487bcc 5 bytes JMP 00000001001b00b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\GDI32.dll!IntersectClipRect 0000000076487dc4 5 bytes JMP 00000001001b03f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\GDI32.dll!GetTextAlign 0000000076487fd5 5 bytes JMP 00000001001b0d70 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\GDI32.dll!GetTextMetricsW 00000000764882b2 5 bytes JMP 00000001001b0e30 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\GDI32.dll!SetTextAlign 0000000076488401 5 bytes JMP 00000001001b09f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\GDI32.dll!ExtSelectClipRgn 000000007648879f 5 bytes JMP 00000001001b02f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\GDI32.dll!SelectClipRgn 0000000076488916 5 bytes JMP 00000001001b05b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\GDI32.dll!ExtTextOutW 0000000076488b7a 5 bytes JMP 00000001001b0970 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\GDI32.dll!MoveToEx 0000000076488ee6 5 bytes JMP 00000001001b0470 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\GDI32.dll!GetFontData 0000000076489875 5 bytes JMP 00000001001b0c70 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\GDI32.dll!GetTextFaceW 0000000076489936 5 bytes JMP 00000001001b0d30 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\GDI32.dll!Rectangle 000000007648a53a 5 bytes JMP 00000001001b09b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\GDI32.dll!GetClipBox 000000007648af9f 5 bytes JMP 00000001001b0330 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\GDI32.dll!LineTo 000000007648b9e5 5 bytes JMP 00000001001b0430 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\GDI32.dll!SetICMMode 000000007648bd55 5 bytes JMP 00000001001b0db0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\GDI32.dll!CreateICW 000000007648c040 5 bytes JMP 00000001001b0130 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\GDI32.dll!GetTextExtentPoint32W 000000007648c107 5 bytes JMP 00000001001b0670 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\GDI32.dll!SetWorldTransform 000000007648c269 5 bytes JMP 00000001001b06f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\GDI32.dll!GetTextMetricsA 000000007648d1f1 5 bytes JMP 00000001001b0df0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\GDI32.dll!GetTextExtentPoint32A 000000007648d349 5 bytes JMP 00000001001b0630 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\GDI32.dll!ExtTextOutA 000000007648dce4 5 bytes JMP 00000001001b0930 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007648e743 5 bytes JMP 00000001001b00f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\GDI32.dll!ExtEscape 00000000764903b7 5 bytes JMP 00000001001b02b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\GDI32.dll!Escape 0000000076491bda 5 bytes JMP 00000001001b0270 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\GDI32.dll!GetTextFaceA 0000000076491e89 5 bytes JMP 00000001001b0cf0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\GDI32.dll!SetPolyFillMode 0000000076494843 5 bytes JMP 00000001001b0b30 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\GDI32.dll!SetMiterLimit 0000000076495690 5 bytes JMP 00000001001b0b70 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\GDI32.dll!EndPage 0000000076496bde 5 bytes JMP 00000001001b0230 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\GDI32.dll!ResetDCW 000000007649e2db 5 bytes JMP 00000001001b0ab0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\GDI32.dll!GetGlyphOutlineW 00000000764a940d 5 bytes JMP 00000001001b0cb0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\GDI32.dll!CreateScalableFontResourceW 00000000764ac621 5 bytes JMP 00000001001b0bb0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\GDI32.dll!AddFontResourceW 00000000764ad2b2 5 bytes JMP 00000001001b0bf0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\GDI32.dll!RemoveFontResourceW 00000000764ad919 5 bytes JMP 00000001001b0c30 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\GDI32.dll!AbortDoc 00000000764b3adc 5 bytes JMP 00000001001b0030 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\GDI32.dll!EndDoc 00000000764b3f29 5 bytes JMP 00000001001b01f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\GDI32.dll!StartPage 00000000764b401a 5 bytes JMP 00000001001b0730 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\GDI32.dll!StartDocW 00000000764b4c51 5 bytes JMP 00000001001b07f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\GDI32.dll!BeginPath 00000000764b53fd 5 bytes JMP 00000001001b0830 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\GDI32.dll!SelectClipPath 00000000764b5454 5 bytes JMP 00000001001b0af0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\GDI32.dll!CloseFigure 00000000764b54af 5 bytes JMP 00000001001b0070 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\GDI32.dll!EndPath 00000000764b5506 5 bytes JMP 00000001001b0a70 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\GDI32.dll!StrokePath 00000000764b573f 5 bytes JMP 00000001001b07b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\GDI32.dll!FillPath 00000000764b57d2 5 bytes JMP 00000001001b0870 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\GDI32.dll!PolylineTo 00000000764b5c44 5 bytes JMP 00000001001b04f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\GDI32.dll!PolyBezierTo 00000000764b5cd5 5 bytes JMP 00000001001b04b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\GDI32.dll!PolyDraw 00000000764b5d87 5 bytes JMP 00000001001b08b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\USER32.dll!MapWindowPoints 000000007652819d 5 bytes JMP 00000001001c0570 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\USER32.dll!RegisterClipboardFormatW 000000007652c55d 5 bytes JMP 00000001001c02b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\USER32.dll!RegisterClipboardFormatA 00000000765305ff 5 bytes JMP 00000001001c02f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\USER32.dll!GetClientRect 00000000765308e5 7 bytes JMP 00000001001c05b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\USER32.dll!GetParent 0000000076530b0e 7 bytes JMP 00000001001c06f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\USER32.dll!IsWindowVisible 0000000076530cd5 7 bytes JMP 00000001001c06b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076530f14 5 bytes JMP 00000001001c05f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\USER32.dll!MonitorFromWindow 00000000765327db 7 bytes JMP 00000001001c0630 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\USER32.dll!ScreenToClient 000000007653361b 7 bytes JMP 00000001001c0670 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\USER32.dll!SetCursor 0000000076534076 5 bytes JMP 00000001001c0530 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\USER32.dll!GetTopWindow 0000000076537a54 7 bytes JMP 00000001001c0730 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\USER32.dll!IsClipboardFormatAvailable 00000000765387c9 5 bytes JMP 00000001001c00f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\USER32.dll!GetClipboardSequenceNumber 00000000765387e9 5 bytes JMP 00000001001c0330 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\USER32.dll!CloseClipboard 00000000765391f4 5 bytes JMP 00000001001c00b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\USER32.dll!OpenClipboard 0000000076539232 5 bytes JMP 00000001001c0070 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\USER32.dll!ActivateKeyboardLayout 0000000076539485 5 bytes JMP 00000001001c04f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\USER32.dll!EnumClipboardFormats 000000007653b779 5 bytes JMP 00000001001c01b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\USER32.dll!GetOpenClipboardWindow 000000007653b798 5 bytes JMP 00000001001c03f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\USER32.dll!CountClipboardFormats 000000007653b7b6 5 bytes JMP 00000001001c01f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007653b7e6 5 bytes JMP 00000001001c04b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\USER32.dll!GetClipboardOwner 000000007653cee9 5 bytes JMP 00000001001c0370 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\USER32.dll!GetClipboardFormatNameW 0000000076540880 5 bytes JMP 00000001001c0230 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\USER32.dll!ChangeClipboardChain 000000007654ec67 5 bytes JMP 00000001001c0430 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\USER32.dll!GetClipboardFormatNameA 000000007654f66f 5 bytes JMP 00000001001c0270 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\USER32.dll!SetClipboardData 0000000076568de7 5 bytes JMP 00000001001c0170 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\USER32.dll!SetCursorPos 0000000076569c8d 5 bytes JMP 00000001001c0770 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076569f3b 5 bytes JMP 00000001001c0030 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\USER32.dll!EmptyClipboard 0000000076587e49 5 bytes JMP 00000001001c0130 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\USER32.dll!GetClipboardViewer 00000000765882a1 5 bytes JMP 00000001001c0470 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\USER32.dll!GetPriorityClipboardFormat 00000000765884bf 5 bytes JMP 00000001001c03b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\SspiCli.dll!FreeContextBuffer 0000000074909606 5 bytes JMP 00000001001d00f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\SspiCli.dll!FreeCredentialsHandle 0000000074910581 3 bytes JMP 00000001001d0130 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\SspiCli.dll!FreeCredentialsHandle + 4 0000000074910585 1 byte [8B] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\SspiCli.dll!DeleteSecurityContext 0000000074910bb9 3 bytes JMP 00000001001d0270 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\SspiCli.dll!DeleteSecurityContext + 4 0000000074910bbd 1 byte [8B] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\SspiCli.dll!ApplyControlToken 0000000074910c2e 3 bytes JMP 00000001001d01b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\SspiCli.dll!ApplyControlToken + 4 0000000074910c32 1 byte [8B] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\SspiCli.dll!QueryContextAttributesA 0000000074910f2e 3 bytes JMP 00000001001d0070 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\SspiCli.dll!QueryContextAttributesA + 4 0000000074910f32 1 byte [8B] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\SspiCli.dll!QueryCredentialsAttributesA 0000000074911096 3 bytes JMP 00000001001d00b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\SspiCli.dll!QueryCredentialsAttributesA + 4 000000007491109a 1 byte [8B] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 000000007491124e 3 bytes JMP 00000001001d01f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\SspiCli.dll!EncryptMessage + 4 0000000074911252 1 byte [8B] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\SspiCli.dll!DecryptMessage 000000007491129d 3 bytes JMP 00000001001d0230 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\SspiCli.dll!DecryptMessage + 4 00000000749112a1 1 byte [8B] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\SspiCli.dll!AcquireCredentialsHandleA 0000000074911527 3 bytes JMP 00000001001d0030 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\SspiCli.dll!AcquireCredentialsHandleA + 4 000000007491152b 1 byte {JMP 0xffffffffffffff8d} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\SspiCli.dll!InitializeSecurityContextA 0000000074911590 3 bytes JMP 00000001001d0170 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\SspiCli.dll!InitializeSecurityContextA + 4 0000000074911594 1 byte {JMP 0xffffffffffffff8d} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\ole32.dll!OleSetClipboard 00000000752c0045 5 bytes JMP 00000001001e0030 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\ole32.dll!OleIsCurrentClipboard 00000000752c36b2 5 bytes JMP 00000001001e0070 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\ole32.dll!OleGetClipboard 00000000752efdcd 5 bytes JMP 00000001001e00b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000750e1465 2 bytes [0E, 75] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[724] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000750e14bb 2 bytes [0E, 75] .text ... * 2 .text C:\Users\Soku\Downloads\OTL.exe[1296] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 69 00000000750e1465 2 bytes [0E, 75] .text C:\Users\Soku\Downloads\OTL.exe[1296] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 155 00000000750e14bb 2 bytes [0E, 75] .text ... * 2 ---- Files - GMER 2.1 ---- File C:\Users\Soku\AppData\Roaming\Microsoft\Windows\Recent\The.Borgias.S02E02.HDTV.x264-ASAP.lnk 683 bytes ---- EOF - GMER 2.1 ----