GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-02-09 19:19:51 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\0000006d KINGSTON rev.505A 111,79GB Running: jhhqsltw.exe; Driver: C:\Users\BASS\AppData\Local\Temp\aftcyaoc.sys ---- User code sections - GMER 2.2 ---- .text C:\Program Files (x86)\ASUS\AI Suite II\Remote GO!\AssistTools\WiFi GO! Server.exe[1964] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074c41465 2 bytes [C4, 74] .text C:\Program Files (x86)\ASUS\AI Suite II\Remote GO!\AssistTools\WiFi GO! Server.exe[1964] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074c414bb 2 bytes [C4, 74] .text ... * 2 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2292] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000074df2aa4 5 bytes JMP 00000000012e8d78 .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 17.0.0\avp.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtQueryValueKey 000000007717fa98 5 bytes JMP 0000000072112f50 .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 17.0.0\avp.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077180028 5 bytes JMP 0000000072112f10 .text C:\Program Files (x86)\ASUS\AI Suite II\AI Suite II.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 424 0000000076f81398 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\ASUS\AI Suite II\AI Suite II.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 0000000076f8143f 8 bytes [50, 4E, ED, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\ASUS\AI Suite II\AI Suite II.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 0000000076f81594 8 bytes [40, 4E, ED, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\ASUS\AI Suite II\AI Suite II.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 0000000076f8191e 8 bytes [30, 4E, ED, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\ASUS\AI Suite II\AI Suite II.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000076f81bf8 8 bytes [20, 4E, ED, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\ASUS\AI Suite II\AI Suite II.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000076f81d75 8 bytes [10, 4E, ED, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\ASUS\AI Suite II\AI Suite II.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000076f81edf 8 bytes [00, 4E, ED, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\ASUS\AI Suite II\AI Suite II.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000076f81fc5 8 bytes [F0, 4D, ED, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\ASUS\AI Suite II\AI Suite II.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!RtlIsGenericTableEmptyAvl + 16 0000000076f827b0 8 bytes [E0, 4D, ED, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\ASUS\AI Suite II\AI Suite II.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076fd13e0 8 bytes {JMP QWORD [RIP-0x4f7ee]} .text C:\Program Files (x86)\ASUS\AI Suite II\AI Suite II.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000076fd1560 8 bytes {JMP QWORD [RIP-0x4f7f1]} .text C:\Program Files (x86)\ASUS\AI Suite II\AI Suite II.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076fd1590 8 bytes {JMP QWORD [RIP-0x50157]} .text C:\Program Files (x86)\ASUS\AI Suite II\AI Suite II.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fd16b0 8 bytes {JMP QWORD [RIP-0x4fd98]} .text C:\Program Files (x86)\ASUS\AI Suite II\AI Suite II.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076fd1760 8 bytes {JMP QWORD [RIP-0x501d2]} .text C:\Program Files (x86)\ASUS\AI Suite II\AI Suite II.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076fd1d90 8 bytes {JMP QWORD [RIP-0x4f5e6]} .text C:\Program Files (x86)\ASUS\AI Suite II\AI Suite II.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076fd1fe0 8 bytes {JMP QWORD [RIP-0x50021]} .text C:\Program Files (x86)\ASUS\AI Suite II\AI Suite II.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076fd2840 8 bytes {JMP QWORD [RIP-0x50967]} .text C:\Program Files (x86)\ASUS\AI Suite II\AI Suite II.exe[2880] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000728913cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\ASUS\AI Suite II\AI Suite II.exe[2880] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007289146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Program Files (x86)\ASUS\AI Suite II\AI Suite II.exe[2880] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000728916d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\ASUS\AI Suite II\AI Suite II.exe[2880] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000728919db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\ASUS\AI Suite II\AI Suite II.exe[2880] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000728919fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\ASUS\AI Suite II\AI Suite II.exe[2880] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000072891a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\ASUS\AI Suite II\Sensor\AlertHelper\AlertHelper.exe[6044] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 424 0000000076f81398 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\ASUS\AI Suite II\Sensor\AlertHelper\AlertHelper.exe[6044] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 0000000076f8143f 8 bytes [50, 1E, EA, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\ASUS\AI Suite II\Sensor\AlertHelper\AlertHelper.exe[6044] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 0000000076f81594 8 bytes [40, 1E, EA, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\ASUS\AI Suite II\Sensor\AlertHelper\AlertHelper.exe[6044] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 0000000076f8191e 8 bytes [30, 1E, EA, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\ASUS\AI Suite II\Sensor\AlertHelper\AlertHelper.exe[6044] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000076f81bf8 8 bytes [20, 1E, EA, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\ASUS\AI Suite II\Sensor\AlertHelper\AlertHelper.exe[6044] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000076f81d75 8 bytes [10, 1E, EA, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\ASUS\AI Suite II\Sensor\AlertHelper\AlertHelper.exe[6044] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000076f81edf 8 bytes [00, 1E, EA, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\ASUS\AI Suite II\Sensor\AlertHelper\AlertHelper.exe[6044] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000076f81fc5 8 bytes [F0, 1D, EA, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\ASUS\AI Suite II\Sensor\AlertHelper\AlertHelper.exe[6044] C:\Windows\SYSTEM32\ntdll.dll!RtlIsGenericTableEmptyAvl + 16 0000000076f827b0 8 bytes [E0, 1D, EA, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\ASUS\AI Suite II\Sensor\AlertHelper\AlertHelper.exe[6044] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076fd13e0 8 bytes {JMP QWORD [RIP-0x4f7ee]} .text C:\Program Files (x86)\ASUS\AI Suite II\Sensor\AlertHelper\AlertHelper.exe[6044] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000076fd1560 8 bytes {JMP QWORD [RIP-0x4f7f1]} .text C:\Program Files (x86)\ASUS\AI Suite II\Sensor\AlertHelper\AlertHelper.exe[6044] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076fd1590 8 bytes {JMP QWORD [RIP-0x50157]} .text C:\Program Files (x86)\ASUS\AI Suite II\Sensor\AlertHelper\AlertHelper.exe[6044] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fd16b0 8 bytes {JMP QWORD [RIP-0x4fd98]} .text C:\Program Files (x86)\ASUS\AI Suite II\Sensor\AlertHelper\AlertHelper.exe[6044] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076fd1760 8 bytes {JMP QWORD [RIP-0x501d2]} .text C:\Program Files (x86)\ASUS\AI Suite II\Sensor\AlertHelper\AlertHelper.exe[6044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076fd1d90 8 bytes {JMP QWORD [RIP-0x4f5e6]} .text C:\Program Files (x86)\ASUS\AI Suite II\Sensor\AlertHelper\AlertHelper.exe[6044] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076fd1fe0 8 bytes {JMP QWORD [RIP-0x50021]} .text C:\Program Files (x86)\ASUS\AI Suite II\Sensor\AlertHelper\AlertHelper.exe[6044] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076fd2840 8 bytes {JMP QWORD [RIP-0x50967]} .text C:\Program Files (x86)\ASUS\AI Suite II\Sensor\AlertHelper\AlertHelper.exe[6044] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000728913cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\ASUS\AI Suite II\Sensor\AlertHelper\AlertHelper.exe[6044] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007289146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Program Files (x86)\ASUS\AI Suite II\Sensor\AlertHelper\AlertHelper.exe[6044] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000728916d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\ASUS\AI Suite II\Sensor\AlertHelper\AlertHelper.exe[6044] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000728919db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\ASUS\AI Suite II\Sensor\AlertHelper\AlertHelper.exe[6044] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000728919fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\ASUS\AI Suite II\Sensor\AlertHelper\AlertHelper.exe[6044] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000072891a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\ASUS\AI Suite II\Remote GO!\AsDLNAServerReal.exe[5208] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 424 0000000076f81398 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\ASUS\AI Suite II\Remote GO!\AsDLNAServerReal.exe[5208] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 0000000076f8143f 8 bytes [50, 4E, F2, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\ASUS\AI Suite II\Remote GO!\AsDLNAServerReal.exe[5208] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 0000000076f81594 8 bytes [40, 4E, F2, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\ASUS\AI Suite II\Remote GO!\AsDLNAServerReal.exe[5208] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 0000000076f8191e 8 bytes [30, 4E, F2, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\ASUS\AI Suite II\Remote GO!\AsDLNAServerReal.exe[5208] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000076f81bf8 8 bytes [20, 4E, F2, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\ASUS\AI Suite II\Remote GO!\AsDLNAServerReal.exe[5208] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000076f81d75 8 bytes [10, 4E, F2, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\ASUS\AI Suite II\Remote GO!\AsDLNAServerReal.exe[5208] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000076f81edf 8 bytes [00, 4E, F2, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\ASUS\AI Suite II\Remote GO!\AsDLNAServerReal.exe[5208] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000076f81fc5 8 bytes [F0, 4D, F2, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\ASUS\AI Suite II\Remote GO!\AsDLNAServerReal.exe[5208] C:\Windows\SYSTEM32\ntdll.dll!RtlIsGenericTableEmptyAvl + 16 0000000076f827b0 8 bytes [E0, 4D, F2, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\ASUS\AI Suite II\Remote GO!\AsDLNAServerReal.exe[5208] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076fd13e0 8 bytes {JMP QWORD [RIP-0x4f7ee]} .text C:\Program Files (x86)\ASUS\AI Suite II\Remote GO!\AsDLNAServerReal.exe[5208] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000076fd1560 8 bytes {JMP QWORD [RIP-0x4f7f1]} .text C:\Program Files (x86)\ASUS\AI Suite II\Remote GO!\AsDLNAServerReal.exe[5208] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076fd1590 8 bytes {JMP QWORD [RIP-0x50157]} .text C:\Program Files (x86)\ASUS\AI Suite II\Remote GO!\AsDLNAServerReal.exe[5208] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fd16b0 8 bytes {JMP QWORD [RIP-0x4fd98]} .text C:\Program Files (x86)\ASUS\AI Suite II\Remote GO!\AsDLNAServerReal.exe[5208] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076fd1760 8 bytes {JMP QWORD [RIP-0x501d2]} .text C:\Program Files (x86)\ASUS\AI Suite II\Remote GO!\AsDLNAServerReal.exe[5208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076fd1d90 8 bytes {JMP QWORD [RIP-0x4f5e6]} .text C:\Program Files (x86)\ASUS\AI Suite II\Remote GO!\AsDLNAServerReal.exe[5208] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076fd1fe0 8 bytes {JMP QWORD [RIP-0x50021]} .text C:\Program Files (x86)\ASUS\AI Suite II\Remote GO!\AsDLNAServerReal.exe[5208] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076fd2840 8 bytes {JMP QWORD [RIP-0x50967]} .text C:\Program Files (x86)\ASUS\AI Suite II\Remote GO!\AsDLNAServerReal.exe[5208] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000728913cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\ASUS\AI Suite II\Remote GO!\AsDLNAServerReal.exe[5208] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007289146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Program Files (x86)\ASUS\AI Suite II\Remote GO!\AsDLNAServerReal.exe[5208] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000728916d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\ASUS\AI Suite II\Remote GO!\AsDLNAServerReal.exe[5208] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000728919db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\ASUS\AI Suite II\Remote GO!\AsDLNAServerReal.exe[5208] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000728919fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\ASUS\AI Suite II\Remote GO!\AsDLNAServerReal.exe[5208] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000072891a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\ASUS\AI Suite II\Remote GO!\AsDLNAServerReal.exe[5208] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074c41465 2 bytes [C4, 74] .text C:\Program Files (x86)\ASUS\AI Suite II\Remote GO!\AsDLNAServerReal.exe[5208] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074c414bb 2 bytes [C4, 74] .text ... * 2 .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 424 0000000076f81398 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 0000000076f8143f 8 bytes [50, 9E, ED, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 0000000076f81594 8 bytes [40, 9E, ED, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 0000000076f8191e 8 bytes [30, 9E, ED, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000076f81bf8 8 bytes [20, 9E, ED, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000076f81d75 8 bytes [10, 9E, ED, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000076f81edf 8 bytes [00, 9E, ED, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000076f81fc5 8 bytes [F0, 9D, ED, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!RtlIsGenericTableEmptyAvl + 16 0000000076f827b0 8 bytes [E0, 9D, ED, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076fd13e0 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000076fd1560 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076fd1590 8 bytes JMP 0 .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fd16b0 8 bytes JMP 49484746 .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076fd1760 8 bytes JMP 0 .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076fd1d90 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076fd1fe0 8 bytes JMP 0 .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5268] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076fd2840 8 bytes JMP 0 .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5268] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000728913cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5268] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007289146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5268] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000728916d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5268] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000728919db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5268] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000728919fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5268] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000072891a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5376] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 424 0000000076f81398 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5376] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 0000000076f8143f 8 bytes [50, 6E, F2, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5376] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 0000000076f81594 8 bytes [40, 6E, F2, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5376] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 0000000076f8191e 8 bytes [30, 6E, F2, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5376] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000076f81bf8 8 bytes [20, 6E, F2, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5376] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000076f81d75 8 bytes [10, 6E, F2, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5376] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000076f81edf 8 bytes [00, 6E, F2, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5376] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000076f81fc5 8 bytes [F0, 6D, F2, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5376] C:\Windows\SYSTEM32\ntdll.dll!RtlIsGenericTableEmptyAvl + 16 0000000076f827b0 8 bytes [E0, 6D, F2, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5376] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076fd13e0 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5376] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000076fd1560 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5376] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076fd1590 8 bytes JMP 0 .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5376] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fd16b0 8 bytes JMP 49484746 .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5376] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076fd1760 8 bytes JMP 0 .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076fd1d90 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5376] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076fd1fe0 8 bytes JMP 0 .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5376] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076fd2840 8 bytes JMP 0 .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5376] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000728913cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5376] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007289146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5376] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000728916d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5376] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000728919db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5376] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000728919fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5376] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000072891a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[116] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 424 0000000076f81398 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[116] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 0000000076f8143f 8 bytes [50, 9E, F4, 7E, 00, 00, 00, ...] .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[116] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 0000000076f81594 8 bytes [40, 9E, F4, 7E, 00, 00, 00, ...] .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[116] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 0000000076f8191e 8 bytes [30, 9E, F4, 7E, 00, 00, 00, ...] .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[116] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000076f81bf8 8 bytes [20, 9E, F4, 7E, 00, 00, 00, ...] .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[116] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000076f81d75 8 bytes [10, 9E, F4, 7E, 00, 00, 00, ...] .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[116] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000076f81edf 8 bytes [00, 9E, F4, 7E, 00, 00, 00, ...] .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[116] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000076f81fc5 8 bytes [F0, 9D, F4, 7E, 00, 00, 00, ...] .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[116] C:\Windows\SYSTEM32\ntdll.dll!RtlIsGenericTableEmptyAvl + 16 0000000076f827b0 8 bytes [E0, 9D, F4, 7E, 00, 00, 00, ...] .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076fd13e0 8 bytes {JMP QWORD [RIP-0x4f7ee]} .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000076fd1560 8 bytes {JMP QWORD [RIP-0x4f7f1]} .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076fd1590 8 bytes {JMP QWORD [RIP-0x50157]} .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fd16b0 8 bytes {JMP QWORD [RIP-0x4fd98]} .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076fd1760 8 bytes {JMP QWORD [RIP-0x501d2]} .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076fd1d90 8 bytes {JMP QWORD [RIP-0x4f5e6]} .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076fd1fe0 8 bytes {JMP QWORD [RIP-0x50021]} .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076fd2840 8 bytes {JMP QWORD [RIP-0x50967]} .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[116] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000728913cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[116] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007289146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[116] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000728916d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[116] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000728919db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[116] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000728919fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[116] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000072891a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[6716] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 424 0000000076f81398 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[6716] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 0000000076f8143f 8 bytes [50, 4E, F2, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[6716] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 0000000076f81594 8 bytes [40, 4E, F2, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[6716] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 0000000076f8191e 8 bytes [30, 4E, F2, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[6716] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000076f81bf8 8 bytes [20, 4E, F2, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[6716] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000076f81d75 8 bytes [10, 4E, F2, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[6716] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000076f81edf 8 bytes [00, 4E, F2, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[6716] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000076f81fc5 8 bytes [F0, 4D, F2, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[6716] C:\Windows\SYSTEM32\ntdll.dll!RtlIsGenericTableEmptyAvl + 16 0000000076f827b0 8 bytes [E0, 4D, F2, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[6716] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076fd13e0 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[6716] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000076fd1560 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[6716] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076fd1590 8 bytes JMP 0 .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[6716] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fd16b0 8 bytes JMP 49484746 .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[6716] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076fd1760 8 bytes JMP 0 .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[6716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076fd1d90 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[6716] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076fd1fe0 8 bytes JMP 0 .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[6716] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076fd2840 8 bytes JMP 0 .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[6716] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000728913cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[6716] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007289146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[6716] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000728916d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[6716] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000728919db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[6716] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000728919fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[6716] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000072891a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_24_0_0_194.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 424 0000000076f81398 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_24_0_0_194.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 0000000076f8143f 8 bytes [50, 5E, EC, FF, 00, 00, 00, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_24_0_0_194.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 0000000076f81594 8 bytes [40, 5E, EC, FF, 00, 00, 00, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_24_0_0_194.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 0000000076f8191e 8 bytes [30, 5E, EC, FF, 00, 00, 00, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_24_0_0_194.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000076f81bf8 8 bytes [20, 5E, EC, FF, 00, 00, 00, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_24_0_0_194.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000076f81d75 8 bytes [10, 5E, EC, FF, 00, 00, 00, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_24_0_0_194.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000076f81edf 8 bytes [00, 5E, EC, FF, 00, 00, 00, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_24_0_0_194.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000076f81fc5 8 bytes [F0, 5D, EC, FF, 00, 00, 00, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_24_0_0_194.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!RtlIsGenericTableEmptyAvl + 16 0000000076f827b0 8 bytes [E0, 5D, EC, FF, 00, 00, 00, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_24_0_0_194.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076fd13e0 8 bytes JMP 3f3f3f3f .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_24_0_0_194.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000076fd1560 8 bytes JMP 3f3f3f3f .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_24_0_0_194.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076fd1590 8 bytes JMP 0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_24_0_0_194.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fd16b0 8 bytes JMP 49484746 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_24_0_0_194.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076fd1760 8 bytes JMP 0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_24_0_0_194.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076fd1d90 8 bytes JMP 3f3f3f3f .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_24_0_0_194.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076fd1fe0 8 bytes JMP 0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_24_0_0_194.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076fd2840 8 bytes JMP 0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_24_0_0_194.exe[1360] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000728913cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_24_0_0_194.exe[1360] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007289146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_24_0_0_194.exe[1360] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000728916d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_24_0_0_194.exe[1360] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000728919db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_24_0_0_194.exe[1360] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000728919fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_24_0_0_194.exe[1360] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000072891a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_24_0_0_194.exe[6148] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 424 0000000076f81398 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_24_0_0_194.exe[6148] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 0000000076f8143f 8 bytes [50, 1E, E9, FF, 00, 00, 00, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_24_0_0_194.exe[6148] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 0000000076f81594 8 bytes [40, 1E, E9, FF, 00, 00, 00, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_24_0_0_194.exe[6148] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 0000000076f8191e 8 bytes {XOR [RSI], BL; JMP 0x106} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_24_0_0_194.exe[6148] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000076f81bf8 8 bytes {AND [RSI], BL; JMP 0x106} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_24_0_0_194.exe[6148] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000076f81d75 8 bytes {ADC [RSI], BL; JMP 0x106} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_24_0_0_194.exe[6148] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000076f81edf 8 bytes {ADD [RSI], BL; JMP 0x106} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_24_0_0_194.exe[6148] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000076f81fc5 8 bytes [F0, 1D, E9, FF, 00, 00, 00, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_24_0_0_194.exe[6148] C:\Windows\SYSTEM32\ntdll.dll!RtlIsGenericTableEmptyAvl + 16 0000000076f827b0 8 bytes {LOOPNZ 0x1f; JMP 0x106} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_24_0_0_194.exe[6148] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076fd13e0 8 bytes JMP 3f3f3f3f .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_24_0_0_194.exe[6148] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000076fd1560 8 bytes JMP 3f3f3f3f .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_24_0_0_194.exe[6148] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076fd1590 8 bytes JMP 74fe12 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_24_0_0_194.exe[6148] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fd16b0 8 bytes JMP 49484746 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_24_0_0_194.exe[6148] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076fd1760 8 bytes JMP 0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_24_0_0_194.exe[6148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076fd1d90 8 bytes JMP 3f3f3f3f .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_24_0_0_194.exe[6148] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076fd1fe0 8 bytes JMP 0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_24_0_0_194.exe[6148] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076fd2840 8 bytes JMP 0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_24_0_0_194.exe[6148] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000728913cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_24_0_0_194.exe[6148] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007289146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_24_0_0_194.exe[6148] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000728916d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_24_0_0_194.exe[6148] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000728919db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_24_0_0_194.exe[6148] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000728919fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_24_0_0_194.exe[6148] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000072891a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\BASS\Desktop\jhhqsltw.exe[6548] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 424 0000000076f81398 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\BASS\Desktop\jhhqsltw.exe[6548] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 0000000076f8143f 8 bytes [50, 1E, F1, 7E, 00, 00, 00, ...] .text C:\Users\BASS\Desktop\jhhqsltw.exe[6548] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 0000000076f81594 8 bytes [40, 1E, F1, 7E, 00, 00, 00, ...] .text C:\Users\BASS\Desktop\jhhqsltw.exe[6548] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 0000000076f8191e 8 bytes [30, 1E, F1, 7E, 00, 00, 00, ...] .text C:\Users\BASS\Desktop\jhhqsltw.exe[6548] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000076f81bf8 8 bytes [20, 1E, F1, 7E, 00, 00, 00, ...] .text C:\Users\BASS\Desktop\jhhqsltw.exe[6548] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000076f81d75 8 bytes [10, 1E, F1, 7E, 00, 00, 00, ...] .text C:\Users\BASS\Desktop\jhhqsltw.exe[6548] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000076f81edf 8 bytes [00, 1E, F1, 7E, 00, 00, 00, ...] .text C:\Users\BASS\Desktop\jhhqsltw.exe[6548] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000076f81fc5 8 bytes [F0, 1D, F1, 7E, 00, 00, 00, ...] .text C:\Users\BASS\Desktop\jhhqsltw.exe[6548] C:\Windows\SYSTEM32\ntdll.dll!RtlIsGenericTableEmptyAvl + 16 0000000076f827b0 8 bytes [E0, 1D, F1, 7E, 00, 00, 00, ...] .text C:\Users\BASS\Desktop\jhhqsltw.exe[6548] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076fd13e0 8 bytes {JMP QWORD [RIP-0x4f7ee]} .text C:\Users\BASS\Desktop\jhhqsltw.exe[6548] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000076fd1560 8 bytes {JMP QWORD [RIP-0x4f7f1]} .text C:\Users\BASS\Desktop\jhhqsltw.exe[6548] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076fd1590 8 bytes {JMP QWORD [RIP-0x50157]} .text C:\Users\BASS\Desktop\jhhqsltw.exe[6548] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fd16b0 8 bytes {JMP QWORD [RIP-0x4fd98]} .text C:\Users\BASS\Desktop\jhhqsltw.exe[6548] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076fd1760 8 bytes {JMP QWORD [RIP-0x501d2]} .text C:\Users\BASS\Desktop\jhhqsltw.exe[6548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076fd1d90 8 bytes {JMP QWORD [RIP-0x4f5e6]} .text C:\Users\BASS\Desktop\jhhqsltw.exe[6548] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076fd1fe0 8 bytes {JMP QWORD [RIP-0x50021]} .text C:\Users\BASS\Desktop\jhhqsltw.exe[6548] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076fd2840 8 bytes {JMP QWORD [RIP-0x50967]} .text C:\Users\BASS\Desktop\jhhqsltw.exe[6548] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000728913cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\BASS\Desktop\jhhqsltw.exe[6548] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007289146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Users\BASS\Desktop\jhhqsltw.exe[6548] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000728916d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\BASS\Desktop\jhhqsltw.exe[6548] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000728919db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\BASS\Desktop\jhhqsltw.exe[6548] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000728919fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\BASS\Desktop\jhhqsltw.exe[6548] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000072891a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] ---- Kernel IAT/EAT - GMER 2.2 ---- IAT C:\Windows\System32\win32k.sys[ntoskrnl.exe!KeUserModeCallback] [fffff88004956964] \SystemRoot\system32\DRIVERS\klif.sys [PAGE] ---- User IAT/EAT - GMER 2.2 ---- IAT C:\Windows\system32\AUDIODG.EXE[7080] @ C:\Windows\system32\AUDIODG.EXE[ntdll.dll!NtClose] [77130010] IAT C:\Windows\system32\AUDIODG.EXE[7080] @ C:\Windows\system32\AUDIODG.EXE[ntdll.dll!NtAlpcSendWaitReceivePort] [77130000] IAT C:\Windows\system32\AUDIODG.EXE[7080] @ C:\Windows\System32\kernel32.dll[ntdll.dll!NtClose] [77130010] IAT C:\Windows\system32\AUDIODG.EXE[7080] @ C:\Windows\System32\KERNELBASE.dll[ntdll.dll!NtClose] [77130010] IAT C:\Windows\system32\AUDIODG.EXE[7080] @ C:\Windows\System32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [77130000] IAT C:\Windows\system32\AUDIODG.EXE[7080] @ C:\Windows\System32\RPCRT4.dll[ntdll.dll!NtClose] [77130010] IAT C:\Windows\system32\AUDIODG.EXE[7080] @ C:\Windows\System32\USER32.dll[ntdll.dll!NtClose] [77130010] IAT C:\Windows\system32\AUDIODG.EXE[7080] @ C:\Windows\System32\GDI32.dll[ntdll.dll!NtClose] [77130010] IAT C:\Windows\system32\AUDIODG.EXE[7080] @ C:\Windows\System32\ole32.dll[ntdll.dll!NtClose] [77130010] IAT C:\Windows\system32\AUDIODG.EXE[7080] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [77130000] IAT C:\Windows\system32\AUDIODG.EXE[7080] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtClose] [77130010] IAT C:\Windows\system32\AUDIODG.EXE[7080] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtClose] [77130010] IAT C:\Windows\system32\AUDIODG.EXE[7080] @ C:\Windows\system32\CRYPTBASE.dll[ntdll.dll!NtClose] [77130010] IAT C:\Windows\system32\AUDIODG.EXE[7080] @ C:\Windows\system32\ntmarta.dll[ntdll.dll!NtClose] [77130010] IAT C:\Windows\system32\AUDIODG.EXE[7080] @ C:\Windows\system32\CRYPTSP.dll[ntdll.dll!NtClose] [77130010] IAT C:\Windows\system32\AUDIODG.EXE[7080] @ C:\Windows\system32\rsaenh.dll[ntdll.dll!NtClose] [77130010] IAT C:\Windows\system32\AUDIODG.EXE[7080] @ C:\Windows\System32\AVRT.dll[ntdll.dll!NtClose] [77130010] IAT C:\Windows\system32\AUDIODG.EXE[7080] @ C:\Windows\System32\AVRT.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [77130000] ---- EOF - GMER 2.2 ----