GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-11-08 12:31:22 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.PB4O 465,76GB Running: 6z20q67c.exe; Driver: C:\Users\media\AppData\Local\Temp\ugddykod.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 14.0.0\avp.exe[1700] C:\Windows\SysWOW64\ntdll.dll!NtQueryValueKey 000000007711fa88 5 bytes JMP 00000001730d176e .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 14.0.0\avp.exe[1700] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077120018 5 bytes JMP 00000001730d1d67 .text C:\Windows\SysWOW64\rpcnet.exe[1960] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 0000000074b51a22 2 bytes [B5, 74] .text C:\Windows\SysWOW64\rpcnet.exe[1960] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 0000000074b51ad0 2 bytes [B5, 74] .text C:\Windows\SysWOW64\rpcnet.exe[1960] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 0000000074b51b08 2 bytes [B5, 74] .text C:\Windows\SysWOW64\rpcnet.exe[1960] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 0000000074b51bba 2 bytes [B5, 74] .text C:\Windows\SysWOW64\rpcnet.exe[1960] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 0000000074b51bda 2 bytes [B5, 74] .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3288] C:\Windows\SysWOW64\ntdll.dll!DbgBreakPoint 000000007711000c 1 byte [C3] .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3288] C:\Windows\SysWOW64\ntdll.dll!DbgUiRemoteBreakin 000000007719f85a 5 bytes JMP 000000017714d571 .text C:\Program Files (x86)\uTorrent\uTorrent.exe[3308] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075581465 2 bytes [58, 75] .text C:\Program Files (x86)\uTorrent\uTorrent.exe[3308] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000755814bb 2 bytes [58, 75] .text ... * 2 .text c:\Program Files (x86)\Nero\Update\NASvc.exe[740] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 5 0000000076f211f5 8 bytes {JMP 0xd} .text c:\Program Files (x86)\Nero\Update\NASvc.exe[740] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 416 0000000076f21390 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text c:\Program Files (x86)\Nero\Update\NASvc.exe[740] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 0000000076f2143f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text c:\Program Files (x86)\Nero\Update\NASvc.exe[740] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 492 0000000076f2158c 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text c:\Program Files (x86)\Nero\Update\NASvc.exe[740] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 0000000076f2191e 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text c:\Program Files (x86)\Nero\Update\NASvc.exe[740] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 636 0000000076f21b1c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text c:\Program Files (x86)\Nero\Update\NASvc.exe[740] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 204 0000000076f21bf0 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text c:\Program Files (x86)\Nero\Update\NASvc.exe[740] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000076f21d75 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text c:\Program Files (x86)\Nero\Update\NASvc.exe[740] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 691 0000000076f21eb3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text c:\Program Files (x86)\Nero\Update\NASvc.exe[740] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000076f21edf 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text c:\Program Files (x86)\Nero\Update\NASvc.exe[740] C:\Windows\SYSTEM32\ntdll.dll!_ui64toa + 84 0000000076f21f64 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text c:\Program Files (x86)\Nero\Update\NASvc.exe[740] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 81 0000000076f21fbd 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text c:\Program Files (x86)\Nero\Update\NASvc.exe[740] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelf + 7 0000000076f21fd7 8 bytes {JMP 0xb} .text c:\Program Files (x86)\Nero\Update\NASvc.exe[740] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 658 0000000076f22272 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text c:\Program Files (x86)\Nero\Update\NASvc.exe[740] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 801 0000000076f22301 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text c:\Program Files (x86)\Nero\Update\NASvc.exe[740] C:\Windows\SYSTEM32\ntdll.dll!RtlInstallFunctionTableCallback + 578 0000000076f22792 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text c:\Program Files (x86)\Nero\Update\NASvc.exe[740] C:\Windows\SYSTEM32\ntdll.dll!RtlIsGenericTableEmptyAvl + 16 0000000076f227b0 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text c:\Program Files (x86)\Nero\Update\NASvc.exe[740] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableAvl + 18 0000000076f227d2 8 bytes {JMP 0x10} .text c:\Program Files (x86)\Nero\Update\NASvc.exe[740] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 79 0000000076f2282f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text c:\Program Files (x86)\Nero\Update\NASvc.exe[740] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 176 0000000076f22890 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 2 .text c:\Program Files (x86)\Nero\Update\NASvc.exe[740] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 299 0000000076f22d1b 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text c:\Program Files (x86)\Nero\Update\NASvc.exe[740] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 367 0000000076f22d5f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 3 .text c:\Program Files (x86)\Nero\Update\NASvc.exe[740] C:\Windows\SYSTEM32\ntdll.dll!RtlCutoverTimeToSystemTime + 483 0000000076f23023 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text c:\Program Files (x86)\Nero\Update\NASvc.exe[740] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 523 0000000076f2323b 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text c:\Program Files (x86)\Nero\Update\NASvc.exe[740] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 912 0000000076f233c0 16 bytes {JMP 0x4e} .text c:\Program Files (x86)\Nero\Update\NASvc.exe[740] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 318 0000000076f23a5e 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text c:\Program Files (x86)\Nero\Update\NASvc.exe[740] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 403 0000000076f23ab3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text c:\Program Files (x86)\Nero\Update\NASvc.exe[740] C:\Windows\SYSTEM32\ntdll.dll!RtlpCheckDynamicTimeZoneInformation + 197 0000000076f23b85 8 bytes [10, 6A, F8, 7E, 00, 00, 00, ...] .text c:\Program Files (x86)\Nero\Update\NASvc.exe[740] C:\Windows\SYSTEM32\ntdll.dll!RtlpCheckDynamicTimeZoneInformation + 611 0000000076f23d23 8 bytes [00, 6A, F8, 7E, 00, 00, 00, ...] .text c:\Program Files (x86)\Nero\Update\NASvc.exe[740] C:\Windows\SYSTEM32\ntdll.dll!RtlpGetLCIDFromLangInfoNode + 80 0000000076f24190 8 bytes [A0, 69, F8, 7E, 00, 00, 00, ...] .text c:\Program Files (x86)\Nero\Update\NASvc.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076f713e0 2 bytes [FF, 25] .text c:\Program Files (x86)\Nero\Update\NASvc.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 3 0000000076f713e3 5 bytes [2A, FB, FF, 90, 90] .text c:\Program Files (x86)\Nero\Update\NASvc.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000076f71560 8 bytes {JMP QWORD [RIP-0x4d4f8]} .text c:\Program Files (x86)\Nero\Update\NASvc.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076f71590 8 bytes {JMP QWORD [RIP-0x4da11]} .text c:\Program Files (x86)\Nero\Update\NASvc.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f716b0 8 bytes {JMP QWORD [RIP-0x4d807]} .text c:\Program Files (x86)\Nero\Update\NASvc.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076f71760 8 bytes {JMP QWORD [RIP-0x4da43]} .text c:\Program Files (x86)\Nero\Update\NASvc.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f71d90 8 bytes {JMP QWORD [RIP-0x4dc06]} .text c:\Program Files (x86)\Nero\Update\NASvc.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076f71fe0 8 bytes {JMP QWORD [RIP-0x4deb5]} .text c:\Program Files (x86)\Nero\Update\NASvc.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f72840 8 bytes {JMP QWORD [RIP-0x4e7d0]} .text c:\Program Files (x86)\Nero\Update\NASvc.exe[740] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 0000000074b913cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text c:\Program Files (x86)\Nero\Update\NASvc.exe[740] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 0000000074b9146b 8 bytes {JMP 0xffffffffffffffb0} .text c:\Program Files (x86)\Nero\Update\NASvc.exe[740] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 0000000074b916d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text c:\Program Files (x86)\Nero\Update\NASvc.exe[740] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessTerm + 3 0000000074b916e3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text c:\Program Files (x86)\Nero\Update\NASvc.exe[740] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 0000000074b919db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text c:\Program Files (x86)\Nero\Update\NASvc.exe[740] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 0000000074b919fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text c:\Program Files (x86)\Nero\Update\NASvc.exe[740] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetInstructionPointer + 23 0000000074b91a1b 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text c:\Program Files (x86)\Nero\Update\NASvc.exe[740] C:\Windows\SYSTEM32\wow64cpu.dll!CpuNotifyAffinityChange + 3 0000000074b91a27 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text c:\Program Files (x86)\Nero\Update\NASvc.exe[740] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000074b91a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text c:\Program Files (x86)\Nero\Update\NASvc.exe[740] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessDebugEvent + 3 0000000074b91a6f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[548] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 5 0000000076f211f5 8 bytes {JMP 0xd} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[548] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 416 0000000076f21390 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[548] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 0000000076f2143f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[548] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 492 0000000076f2158c 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[548] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 0000000076f2191e 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[548] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 636 0000000076f21b1c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[548] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 204 0000000076f21bf0 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[548] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000076f21d75 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[548] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 691 0000000076f21eb3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[548] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000076f21edf 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[548] C:\Windows\SYSTEM32\ntdll.dll!_ui64toa + 84 0000000076f21f64 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[548] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 81 0000000076f21fbd 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[548] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelf + 7 0000000076f21fd7 8 bytes {JMP 0xb} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[548] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 658 0000000076f22272 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[548] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 801 0000000076f22301 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[548] C:\Windows\SYSTEM32\ntdll.dll!RtlInstallFunctionTableCallback + 578 0000000076f22792 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[548] C:\Windows\SYSTEM32\ntdll.dll!RtlIsGenericTableEmptyAvl + 16 0000000076f227b0 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[548] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableAvl + 18 0000000076f227d2 8 bytes {JMP 0x10} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[548] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 79 0000000076f2282f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[548] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 176 0000000076f22890 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 2 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[548] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 299 0000000076f22d1b 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[548] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 367 0000000076f22d5f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 3 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[548] C:\Windows\SYSTEM32\ntdll.dll!RtlCutoverTimeToSystemTime + 483 0000000076f23023 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[548] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 523 0000000076f2323b 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[548] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 912 0000000076f233c0 16 bytes {JMP 0x4e} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[548] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 318 0000000076f23a5e 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[548] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 403 0000000076f23ab3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[548] C:\Windows\SYSTEM32\ntdll.dll!RtlpCheckDynamicTimeZoneInformation + 197 0000000076f23b85 8 bytes [10, 6A, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[548] C:\Windows\SYSTEM32\ntdll.dll!RtlpCheckDynamicTimeZoneInformation + 611 0000000076f23d23 8 bytes [00, 6A, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[548] C:\Windows\SYSTEM32\ntdll.dll!RtlpGetLCIDFromLangInfoNode + 80 0000000076f24190 8 bytes [A0, 69, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076f713e0 2 bytes [FF, 25] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 3 0000000076f713e3 5 bytes [2A, FB, FF, 90, 90] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000076f71560 8 bytes {JMP QWORD [RIP-0x4d4f8]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076f71590 8 bytes {JMP QWORD [RIP-0x4da11]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f716b0 8 bytes {JMP QWORD [RIP-0x4d807]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076f71760 8 bytes {JMP QWORD [RIP-0x4da43]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f71d90 8 bytes {JMP QWORD [RIP-0x4dc06]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076f71fe0 8 bytes {JMP QWORD [RIP-0x4deb5]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f72840 8 bytes {JMP QWORD [RIP-0x4e7d0]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[548] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 0000000074b913cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[548] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 0000000074b9146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[548] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 0000000074b916d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[548] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessTerm + 3 0000000074b916e3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[548] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 0000000074b919db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[548] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 0000000074b919fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[548] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetInstructionPointer + 23 0000000074b91a1b 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[548] C:\Windows\SYSTEM32\wow64cpu.dll!CpuNotifyAffinityChange + 3 0000000074b91a27 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[548] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000074b91a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[548] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessDebugEvent + 3 0000000074b91a6f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[548] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075581465 2 bytes [58, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[548] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000755814bb 2 bytes [58, 75] .text ... * 2 .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 5 0000000076f211f5 8 bytes {JMP 0xd} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 416 0000000076f21390 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 0000000076f2143f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 492 0000000076f2158c 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 0000000076f2191e 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 636 0000000076f21b1c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 204 0000000076f21bf0 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000076f21d75 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 691 0000000076f21eb3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000076f21edf 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!_ui64toa + 84 0000000076f21f64 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 81 0000000076f21fbd 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelf + 7 0000000076f21fd7 8 bytes {JMP 0xb} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 658 0000000076f22272 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 801 0000000076f22301 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!RtlInstallFunctionTableCallback + 578 0000000076f22792 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!RtlIsGenericTableEmptyAvl + 16 0000000076f227b0 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableAvl + 18 0000000076f227d2 8 bytes {JMP 0x10} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 79 0000000076f2282f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 176 0000000076f22890 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 2 .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 299 0000000076f22d1b 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 367 0000000076f22d5f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 3 .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!RtlCutoverTimeToSystemTime + 483 0000000076f23023 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 523 0000000076f2323b 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 912 0000000076f233c0 16 bytes {JMP 0x4e} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 318 0000000076f23a5e 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 403 0000000076f23ab3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!RtlpCheckDynamicTimeZoneInformation + 197 0000000076f23b85 8 bytes [10, 6A, F8, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!RtlpCheckDynamicTimeZoneInformation + 611 0000000076f23d23 8 bytes [00, 6A, F8, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!RtlpGetLCIDFromLangInfoNode + 80 0000000076f24190 8 bytes [A0, 69, F8, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076f713e0 2 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 3 0000000076f713e3 5 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000076f71560 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076f71590 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f716b0 8 bytes JMP 3f30953f .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076f71760 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f71d90 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076f71fe0 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f72840 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4848] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 0000000074b913cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4848] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 0000000074b9146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4848] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 0000000074b916d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4848] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessTerm + 3 0000000074b916e3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4848] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 0000000074b919db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4848] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 0000000074b919fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4848] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetInstructionPointer + 23 0000000074b91a1b 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4848] C:\Windows\SYSTEM32\wow64cpu.dll!CpuNotifyAffinityChange + 3 0000000074b91a27 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4848] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000074b91a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4848] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessDebugEvent + 3 0000000074b91a6f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\media\Downloads\OTL.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 5 0000000076f211f5 8 bytes {JMP 0xd} .text C:\Users\media\Downloads\OTL.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 416 0000000076f21390 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\media\Downloads\OTL.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 0000000076f2143f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\media\Downloads\OTL.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 492 0000000076f2158c 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\media\Downloads\OTL.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 0000000076f2191e 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\media\Downloads\OTL.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 636 0000000076f21b1c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\media\Downloads\OTL.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 204 0000000076f21bf0 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\media\Downloads\OTL.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000076f21d75 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\media\Downloads\OTL.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 691 0000000076f21eb3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\media\Downloads\OTL.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000076f21edf 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\media\Downloads\OTL.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!_ui64toa + 84 0000000076f21f64 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\media\Downloads\OTL.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 81 0000000076f21fbd 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\media\Downloads\OTL.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelf + 7 0000000076f21fd7 8 bytes {JMP 0xb} .text C:\Users\media\Downloads\OTL.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 658 0000000076f22272 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\media\Downloads\OTL.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 801 0000000076f22301 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\media\Downloads\OTL.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!RtlInstallFunctionTableCallback + 578 0000000076f22792 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\media\Downloads\OTL.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!RtlIsGenericTableEmptyAvl + 16 0000000076f227b0 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\media\Downloads\OTL.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableAvl + 18 0000000076f227d2 8 bytes {JMP 0x10} .text C:\Users\media\Downloads\OTL.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 79 0000000076f2282f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\media\Downloads\OTL.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 176 0000000076f22890 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 2 .text C:\Users\media\Downloads\OTL.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 299 0000000076f22d1b 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\media\Downloads\OTL.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 367 0000000076f22d5f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 3 .text C:\Users\media\Downloads\OTL.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!RtlCutoverTimeToSystemTime + 483 0000000076f23023 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\media\Downloads\OTL.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 523 0000000076f2323b 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\media\Downloads\OTL.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 912 0000000076f233c0 16 bytes {JMP 0x4e} .text C:\Users\media\Downloads\OTL.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 318 0000000076f23a5e 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\media\Downloads\OTL.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 403 0000000076f23ab3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\media\Downloads\OTL.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!RtlpCheckDynamicTimeZoneInformation + 197 0000000076f23b85 8 bytes [10, 6A, F8, 7E, 00, 00, 00, ...] .text C:\Users\media\Downloads\OTL.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!RtlpCheckDynamicTimeZoneInformation + 611 0000000076f23d23 8 bytes [00, 6A, F8, 7E, 00, 00, 00, ...] .text C:\Users\media\Downloads\OTL.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!RtlpGetLCIDFromLangInfoNode + 80 0000000076f24190 8 bytes [A0, 69, F8, 7E, 00, 00, 00, ...] .text C:\Users\media\Downloads\OTL.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076f713e0 2 bytes [FF, 25] .text C:\Users\media\Downloads\OTL.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 3 0000000076f713e3 5 bytes [2A, FB, FF, 90, 90] .text C:\Users\media\Downloads\OTL.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000076f71560 8 bytes {JMP QWORD [RIP-0x4d4f8]} .text C:\Users\media\Downloads\OTL.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076f71590 8 bytes {JMP QWORD [RIP-0x4da11]} .text C:\Users\media\Downloads\OTL.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f716b0 8 bytes {JMP QWORD [RIP-0x4d807]} .text C:\Users\media\Downloads\OTL.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076f71760 8 bytes {JMP QWORD [RIP-0x4da43]} .text C:\Users\media\Downloads\OTL.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f71d90 8 bytes {JMP QWORD [RIP-0x4dc06]} .text C:\Users\media\Downloads\OTL.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076f71fe0 8 bytes {JMP QWORD [RIP-0x4deb5]} .text C:\Users\media\Downloads\OTL.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f72840 8 bytes {JMP QWORD [RIP-0x4e7d0]} .text C:\Users\media\Downloads\OTL.exe[1208] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 0000000074b913cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\media\Downloads\OTL.exe[1208] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 0000000074b9146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Users\media\Downloads\OTL.exe[1208] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 0000000074b916d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\media\Downloads\OTL.exe[1208] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessTerm + 3 0000000074b916e3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\media\Downloads\OTL.exe[1208] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 0000000074b919db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\media\Downloads\OTL.exe[1208] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 0000000074b919fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\media\Downloads\OTL.exe[1208] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetInstructionPointer + 23 0000000074b91a1b 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\media\Downloads\OTL.exe[1208] C:\Windows\SYSTEM32\wow64cpu.dll!CpuNotifyAffinityChange + 3 0000000074b91a27 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\media\Downloads\OTL.exe[1208] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000074b91a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\media\Downloads\OTL.exe[1208] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessDebugEvent + 3 0000000074b91a6f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\media\Downloads\OTL.exe[1208] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 69 0000000075581465 2 bytes [58, 75] .text C:\Users\media\Downloads\OTL.exe[1208] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 155 00000000755814bb 2 bytes [58, 75] .text ... * 2 .text C:\Users\media\Downloads\6z20q67c.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 5 0000000076f211f5 8 bytes {JMP 0xd} .text C:\Users\media\Downloads\6z20q67c.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 416 0000000076f21390 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\media\Downloads\6z20q67c.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 0000000076f2143f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\media\Downloads\6z20q67c.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 492 0000000076f2158c 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\media\Downloads\6z20q67c.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 0000000076f2191e 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\media\Downloads\6z20q67c.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 636 0000000076f21b1c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\media\Downloads\6z20q67c.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 204 0000000076f21bf0 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\media\Downloads\6z20q67c.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000076f21d75 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\media\Downloads\6z20q67c.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 691 0000000076f21eb3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\media\Downloads\6z20q67c.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000076f21edf 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\media\Downloads\6z20q67c.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!_ui64toa + 84 0000000076f21f64 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\media\Downloads\6z20q67c.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 81 0000000076f21fbd 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\media\Downloads\6z20q67c.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelf + 7 0000000076f21fd7 8 bytes {JMP 0xb} .text C:\Users\media\Downloads\6z20q67c.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 658 0000000076f22272 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\media\Downloads\6z20q67c.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 801 0000000076f22301 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\media\Downloads\6z20q67c.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!RtlInstallFunctionTableCallback + 578 0000000076f22792 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\media\Downloads\6z20q67c.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!RtlIsGenericTableEmptyAvl + 16 0000000076f227b0 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\media\Downloads\6z20q67c.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableAvl + 18 0000000076f227d2 8 bytes {JMP 0x10} .text C:\Users\media\Downloads\6z20q67c.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 79 0000000076f2282f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\media\Downloads\6z20q67c.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 176 0000000076f22890 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 2 .text C:\Users\media\Downloads\6z20q67c.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 299 0000000076f22d1b 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\media\Downloads\6z20q67c.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 367 0000000076f22d5f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 3 .text C:\Users\media\Downloads\6z20q67c.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!RtlCutoverTimeToSystemTime + 483 0000000076f23023 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\media\Downloads\6z20q67c.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 523 0000000076f2323b 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\media\Downloads\6z20q67c.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 912 0000000076f233c0 16 bytes {JMP 0x4e} .text C:\Users\media\Downloads\6z20q67c.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 318 0000000076f23a5e 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\media\Downloads\6z20q67c.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 403 0000000076f23ab3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\media\Downloads\6z20q67c.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!RtlpCheckDynamicTimeZoneInformation + 197 0000000076f23b85 8 bytes [10, 6A, F8, 7E, 00, 00, 00, ...] .text C:\Users\media\Downloads\6z20q67c.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!RtlpCheckDynamicTimeZoneInformation + 611 0000000076f23d23 8 bytes [00, 6A, F8, 7E, 00, 00, 00, ...] .text C:\Users\media\Downloads\6z20q67c.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!RtlpGetLCIDFromLangInfoNode + 80 0000000076f24190 8 bytes [A0, 69, F8, 7E, 00, 00, 00, ...] .text C:\Users\media\Downloads\6z20q67c.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076f713e0 2 bytes [FF, 25] .text C:\Users\media\Downloads\6z20q67c.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 3 0000000076f713e3 5 bytes [2A, FB, FF, 90, 90] .text C:\Users\media\Downloads\6z20q67c.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000076f71560 8 bytes {JMP QWORD [RIP-0x4d4f8]} .text C:\Users\media\Downloads\6z20q67c.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076f71590 8 bytes {JMP QWORD [RIP-0x4da11]} .text C:\Users\media\Downloads\6z20q67c.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f716b0 8 bytes {JMP QWORD [RIP-0x4d807]} .text C:\Users\media\Downloads\6z20q67c.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076f71760 8 bytes {JMP QWORD [RIP-0x4da43]} .text C:\Users\media\Downloads\6z20q67c.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f71d90 8 bytes {JMP QWORD [RIP-0x4dc06]} .text C:\Users\media\Downloads\6z20q67c.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076f71fe0 8 bytes {JMP QWORD [RIP-0x4deb5]} .text C:\Users\media\Downloads\6z20q67c.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f72840 8 bytes {JMP QWORD [RIP-0x4e7d0]} .text C:\Users\media\Downloads\6z20q67c.exe[3648] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 0000000074b913cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\media\Downloads\6z20q67c.exe[3648] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 0000000074b9146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Users\media\Downloads\6z20q67c.exe[3648] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 0000000074b916d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\media\Downloads\6z20q67c.exe[3648] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessTerm + 3 0000000074b916e3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\media\Downloads\6z20q67c.exe[3648] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 0000000074b919db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\media\Downloads\6z20q67c.exe[3648] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 0000000074b919fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\media\Downloads\6z20q67c.exe[3648] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetInstructionPointer + 23 0000000074b91a1b 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\media\Downloads\6z20q67c.exe[3648] C:\Windows\SYSTEM32\wow64cpu.dll!CpuNotifyAffinityChange + 3 0000000074b91a27 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\media\Downloads\6z20q67c.exe[3648] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000074b91a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\media\Downloads\6z20q67c.exe[3648] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessDebugEvent + 3 0000000074b91a6f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\System32\win32k.sys[ntoskrnl.exe!KeUserModeCallback] [fffff8800493beb8] \SystemRoot\system32\DRIVERS\klif.sys [PAGE] ---- EOF - GMER 2.1 ----