GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-05-31 17:55:18 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 SAMSUNG_ rev.2AJ1 596,17GB Running: bwrtkjlr.exe; Driver: C:\Users\marek_2\AppData\Local\Temp\kwddikog.sys ---- User code sections - GMER 2.2 ---- .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2524] C:\windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000774040c0 5 bytes JMP 00000000000205f0 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2524] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007742bcc0 5 bytes JMP 0000000000020678 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2524] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007742bdb0 5 bytes JMP 00000000000200a0 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2524] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007742bed0 5 bytes JMP 0000000000020018 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2524] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007742bf30 5 bytes JMP 00000000000203d0 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2524] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007742bfb0 5 bytes JMP 00000000000201b0 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2524] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007742c050 5 bytes JMP 0000000000020128 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2524] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007742c500 5 bytes JMP 0000000000020238 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2524] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007742c590 5 bytes JMP 00000000000202c0 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2524] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007742c600 5 bytes JMP 0000000000020348 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2524] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007742cac0 5 bytes JMP 0000000000020458 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2524] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007742cb10 5 bytes JMP 00000000000204e0 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2524] C:\windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077482530 5 bytes JMP 0000000000020568 .text C:\windows\System32\svchost.exe[2576] C:\windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000774040c0 5 bytes JMP 00000000000205f0 .text C:\windows\System32\svchost.exe[2576] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007742bcc0 5 bytes JMP 0000000000020678 .text C:\windows\System32\svchost.exe[2576] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007742bdb0 5 bytes JMP 00000000000200a0 .text C:\windows\System32\svchost.exe[2576] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007742bed0 5 bytes JMP 0000000000020018 .text C:\windows\System32\svchost.exe[2576] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007742bf30 5 bytes JMP 00000000000203d0 .text C:\windows\System32\svchost.exe[2576] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007742bfb0 5 bytes JMP 00000000000201b0 .text C:\windows\System32\svchost.exe[2576] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007742c050 5 bytes JMP 0000000000020128 .text C:\windows\System32\svchost.exe[2576] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007742c500 5 bytes JMP 0000000000020238 .text C:\windows\System32\svchost.exe[2576] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007742c590 5 bytes JMP 00000000000202c0 .text C:\windows\System32\svchost.exe[2576] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007742c600 5 bytes JMP 0000000000020348 .text C:\windows\System32\svchost.exe[2576] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007742cac0 5 bytes JMP 0000000000020458 .text C:\windows\System32\svchost.exe[2576] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007742cb10 5 bytes JMP 00000000000204e0 .text C:\windows\System32\svchost.exe[2576] C:\windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077482530 5 bytes JMP 0000000000020568 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2760] C:\windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000774040c0 5 bytes JMP 00000000000205f0 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2760] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007742bcc0 5 bytes JMP 0000000000020678 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2760] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007742bdb0 5 bytes JMP 00000000000200a0 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2760] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007742bed0 5 bytes JMP 0000000000020018 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2760] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007742bf30 5 bytes JMP 00000000000203d0 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2760] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007742bfb0 5 bytes JMP 00000000000201b0 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2760] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007742c050 5 bytes JMP 0000000000020128 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2760] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007742c500 5 bytes JMP 0000000000020238 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2760] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007742c590 5 bytes JMP 00000000000202c0 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2760] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007742c600 5 bytes JMP 0000000000020348 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2760] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007742cac0 5 bytes JMP 0000000000020458 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2760] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007742cb10 5 bytes JMP 00000000000204e0 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2760] C:\windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077482530 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3012] C:\windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 00000000775dfae8 5 bytes JMP 0000000071d72c30 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3012] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000775dfc60 5 bytes JMP 0000000071d726d0 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3012] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000775dfe24 5 bytes JMP 0000000071d72530 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3012] C:\windows\SysWOW64\ntdll.dll!NtOpenEvent 00000000775dfeb8 5 bytes JMP 0000000071d72990 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3012] C:\windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000775dff84 5 bytes JMP 0000000071d72970 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3012] C:\windows\SysWOW64\ntdll.dll!NtResumeThread 00000000775e0078 5 bytes JMP 0000000071d72890 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3012] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000775e07ac 5 bytes JMP 0000000071d729b0 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3012] C:\windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000775e0884 5 bytes JMP 0000000071d729f0 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3012] C:\windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000775e092c 5 bytes JMP 0000000071d72a30 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3012] C:\windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000775e1088 5 bytes JMP 0000000071d729d0 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3012] C:\windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000775e1100 5 bytes JMP 0000000071d72a10 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3012] C:\windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 00000000775f911f 5 bytes JMP 0000000071d72bb0 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3012] C:\windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007767ff31 5 bytes JMP 0000000071d72ac0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3108] C:\windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000774040c0 5 bytes JMP 00000000000205f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3108] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007742bcc0 5 bytes JMP 0000000000020678 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3108] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007742bdb0 5 bytes JMP 00000000000200a0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3108] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007742bed0 5 bytes JMP 0000000000020018 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3108] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007742bf30 5 bytes JMP 00000000000203d0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3108] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007742bfb0 5 bytes JMP 00000000000201b0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3108] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007742c050 5 bytes JMP 0000000000020128 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3108] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007742c500 5 bytes JMP 0000000000020238 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3108] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007742c590 5 bytes JMP 00000000000202c0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3108] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007742c600 5 bytes JMP 0000000000020348 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3108] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007742cac0 5 bytes JMP 0000000000020458 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3108] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007742cb10 5 bytes JMP 00000000000204e0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3108] C:\windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077482530 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3156] C:\windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 00000000775dfae8 5 bytes JMP 0000000071d72c30 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3156] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000775dfc60 5 bytes JMP 0000000071d726d0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3156] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000775dfe24 5 bytes JMP 0000000071d72530 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3156] C:\windows\SysWOW64\ntdll.dll!NtOpenEvent 00000000775dfeb8 5 bytes JMP 0000000071d72990 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3156] C:\windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000775dff84 5 bytes JMP 0000000071d72970 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3156] C:\windows\SysWOW64\ntdll.dll!NtResumeThread 00000000775e0078 5 bytes JMP 0000000071d72890 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3156] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000775e07ac 5 bytes JMP 0000000071d729b0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3156] C:\windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000775e0884 5 bytes JMP 0000000071d729f0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3156] C:\windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000775e092c 5 bytes JMP 0000000071d72a30 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3156] C:\windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000775e1088 5 bytes JMP 0000000071d729d0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3156] C:\windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000775e1100 5 bytes JMP 0000000071d72a10 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3156] C:\windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 00000000775f911f 5 bytes JMP 0000000071d72bb0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3156] C:\windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007767ff31 5 bytes JMP 0000000071d72ac0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3292] C:\windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000774040c0 5 bytes JMP 00000000000205f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3292] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007742bcc0 5 bytes JMP 0000000000020678 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3292] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007742bdb0 5 bytes JMP 00000000000200a0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3292] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007742bed0 5 bytes JMP 0000000000020018 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3292] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007742bf30 5 bytes JMP 00000000000203d0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3292] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007742bfb0 5 bytes JMP 00000000000201b0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3292] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007742c050 5 bytes JMP 0000000000020128 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3292] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007742c500 5 bytes JMP 0000000000020238 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3292] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007742c590 5 bytes JMP 00000000000202c0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3292] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007742c600 5 bytes JMP 0000000000020348 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3292] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007742cac0 5 bytes JMP 0000000000020458 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3292] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007742cb10 5 bytes JMP 00000000000204e0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3292] C:\windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077482530 5 bytes JMP 0000000000020568 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3300] C:\windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000774040c0 5 bytes JMP 00000000000205f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3300] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007742bcc0 5 bytes JMP 0000000000020678 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3300] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007742bdb0 5 bytes JMP 00000000000200a0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3300] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007742bed0 5 bytes JMP 0000000000020018 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3300] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007742bf30 5 bytes JMP 00000000000203d0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3300] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007742bfb0 5 bytes JMP 00000000000201b0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3300] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007742c050 5 bytes JMP 0000000000020128 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3300] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007742c500 5 bytes JMP 0000000000020238 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3300] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007742c590 5 bytes JMP 00000000000202c0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3300] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007742c600 5 bytes JMP 0000000000020348 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3300] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007742cac0 5 bytes JMP 0000000000020458 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3300] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007742cb10 5 bytes JMP 00000000000204e0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3300] C:\windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077482530 5 bytes JMP 0000000000020568 .text C:\windows\system32\conhost.exe[3316] C:\windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000774040c0 5 bytes JMP 00000000000205f0 .text C:\windows\system32\conhost.exe[3316] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007742bcc0 5 bytes JMP 0000000000020678 .text C:\windows\system32\conhost.exe[3316] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007742bdb0 5 bytes JMP 00000000000200a0 .text C:\windows\system32\conhost.exe[3316] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007742bed0 5 bytes JMP 0000000000020018 .text C:\windows\system32\conhost.exe[3316] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007742bf30 5 bytes JMP 00000000000203d0 .text C:\windows\system32\conhost.exe[3316] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007742bfb0 5 bytes JMP 00000000000201b0 .text C:\windows\system32\conhost.exe[3316] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007742c050 5 bytes JMP 0000000000020128 .text C:\windows\system32\conhost.exe[3316] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007742c500 5 bytes JMP 0000000000020238 .text C:\windows\system32\conhost.exe[3316] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007742c590 5 bytes JMP 00000000000202c0 .text C:\windows\system32\conhost.exe[3316] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007742c600 5 bytes JMP 0000000000020348 .text C:\windows\system32\conhost.exe[3316] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007742cac0 5 bytes JMP 0000000000020458 .text C:\windows\system32\conhost.exe[3316] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007742cb10 5 bytes JMP 00000000000204e0 .text C:\windows\system32\conhost.exe[3316] C:\windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077482530 5 bytes JMP 0000000000020568 .text C:\windows\System32\rundll32.exe[3696] C:\windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000774040c0 5 bytes JMP 00000000000205f0 .text C:\windows\System32\rundll32.exe[3696] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007742bcc0 5 bytes JMP 0000000000020678 .text C:\windows\System32\rundll32.exe[3696] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007742bdb0 5 bytes JMP 00000000000200a0 .text C:\windows\System32\rundll32.exe[3696] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007742bed0 5 bytes JMP 0000000000020018 .text C:\windows\System32\rundll32.exe[3696] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007742bf30 5 bytes JMP 00000000000203d0 .text C:\windows\System32\rundll32.exe[3696] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007742bfb0 5 bytes JMP 00000000000201b0 .text C:\windows\System32\rundll32.exe[3696] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007742c050 5 bytes JMP 0000000000020128 .text C:\windows\System32\rundll32.exe[3696] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007742c500 5 bytes JMP 0000000000020238 .text C:\windows\System32\rundll32.exe[3696] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007742c590 5 bytes JMP 00000000000202c0 .text C:\windows\System32\rundll32.exe[3696] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007742c600 5 bytes JMP 0000000000020348 .text C:\windows\System32\rundll32.exe[3696] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007742cac0 5 bytes JMP 0000000000020458 .text C:\windows\System32\rundll32.exe[3696] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007742cb10 5 bytes JMP 00000000000204e0 .text C:\windows\System32\rundll32.exe[3696] C:\windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077482530 5 bytes JMP 0000000000020568 .text C:\windows\system32\svchost.exe[3584] C:\windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000774040c0 5 bytes JMP 00000000000205f0 .text C:\windows\system32\svchost.exe[3584] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007742bcc0 5 bytes JMP 0000000000020678 .text C:\windows\system32\svchost.exe[3584] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007742bdb0 5 bytes JMP 00000000000200a0 .text C:\windows\system32\svchost.exe[3584] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007742bed0 5 bytes JMP 0000000000020018 .text C:\windows\system32\svchost.exe[3584] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007742bf30 5 bytes JMP 00000000000203d0 .text C:\windows\system32\svchost.exe[3584] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007742bfb0 5 bytes JMP 00000000000201b0 .text C:\windows\system32\svchost.exe[3584] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007742c050 5 bytes JMP 0000000000020128 .text C:\windows\system32\svchost.exe[3584] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007742c500 5 bytes JMP 0000000000020238 .text C:\windows\system32\svchost.exe[3584] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007742c590 5 bytes JMP 00000000000202c0 .text C:\windows\system32\svchost.exe[3584] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007742c600 5 bytes JMP 0000000000020348 .text C:\windows\system32\svchost.exe[3584] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007742cac0 5 bytes JMP 0000000000020458 .text C:\windows\system32\svchost.exe[3584] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007742cb10 5 bytes JMP 00000000000204e0 .text C:\windows\system32\svchost.exe[3584] C:\windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077482530 5 bytes JMP 0000000000020568 .text C:\windows\servicing\TrustedInstaller.exe[2208] C:\windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000774040c0 5 bytes JMP 00000000000205f0 .text C:\windows\servicing\TrustedInstaller.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007742bcc0 5 bytes JMP 0000000000020678 .text C:\windows\servicing\TrustedInstaller.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007742bdb0 5 bytes JMP 00000000000200a0 .text C:\windows\servicing\TrustedInstaller.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007742bed0 5 bytes JMP 0000000000020018 .text C:\windows\servicing\TrustedInstaller.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007742bf30 5 bytes JMP 00000000000203d0 .text C:\windows\servicing\TrustedInstaller.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007742bfb0 5 bytes JMP 00000000000201b0 .text C:\windows\servicing\TrustedInstaller.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007742c050 5 bytes JMP 0000000000020128 .text C:\windows\servicing\TrustedInstaller.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007742c500 5 bytes JMP 0000000000020238 .text C:\windows\servicing\TrustedInstaller.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007742c590 5 bytes JMP 00000000000202c0 .text C:\windows\servicing\TrustedInstaller.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007742c600 5 bytes JMP 0000000000020348 .text C:\windows\servicing\TrustedInstaller.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007742cac0 5 bytes JMP 0000000000020458 .text C:\windows\servicing\TrustedInstaller.exe[2208] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007742cb10 5 bytes JMP 00000000000204e0 .text C:\windows\servicing\TrustedInstaller.exe[2208] C:\windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077482530 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[4192] C:\windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 00000000775dfae8 5 bytes JMP 0000000071d72c30 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[4192] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000775dfc60 5 bytes JMP 0000000071d726d0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[4192] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000775dfe24 5 bytes JMP 0000000071d72530 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[4192] C:\windows\SysWOW64\ntdll.dll!NtOpenEvent 00000000775dfeb8 5 bytes JMP 0000000071d72990 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[4192] C:\windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000775dff84 5 bytes JMP 0000000071d72970 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[4192] C:\windows\SysWOW64\ntdll.dll!NtResumeThread 00000000775e0078 5 bytes JMP 0000000071d72890 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[4192] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000775e07ac 5 bytes JMP 0000000071d729b0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[4192] C:\windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000775e0884 5 bytes JMP 0000000071d729f0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[4192] C:\windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000775e092c 5 bytes JMP 0000000071d72a30 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[4192] C:\windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000775e1088 5 bytes JMP 0000000071d729d0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[4192] C:\windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000775e1100 5 bytes JMP 0000000071d72a10 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[4192] C:\windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 00000000775f911f 5 bytes JMP 0000000071d72bb0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[4192] C:\windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007767ff31 5 bytes JMP 0000000071d72ac0 .text C:\windows\system32\taskeng.exe[4200] C:\windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000774040c0 5 bytes JMP 00000000000205f0 .text C:\windows\system32\taskeng.exe[4200] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007742bcc0 5 bytes JMP 0000000000020678 .text C:\windows\system32\taskeng.exe[4200] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007742bdb0 5 bytes JMP 00000000000200a0 .text C:\windows\system32\taskeng.exe[4200] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007742bed0 5 bytes JMP 0000000000020018 .text C:\windows\system32\taskeng.exe[4200] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007742bf30 5 bytes JMP 00000000000203d0 .text C:\windows\system32\taskeng.exe[4200] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007742bfb0 5 bytes JMP 00000000000201b0 .text C:\windows\system32\taskeng.exe[4200] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007742c050 5 bytes JMP 0000000000020128 .text C:\windows\system32\taskeng.exe[4200] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007742c500 5 bytes JMP 0000000000020238 .text C:\windows\system32\taskeng.exe[4200] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007742c590 5 bytes JMP 00000000000202c0 .text C:\windows\system32\taskeng.exe[4200] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007742c600 5 bytes JMP 0000000000020348 .text C:\windows\system32\taskeng.exe[4200] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007742cac0 5 bytes JMP 0000000000020458 .text C:\windows\system32\taskeng.exe[4200] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007742cb10 5 bytes JMP 00000000000204e0 .text C:\windows\system32\taskeng.exe[4200] C:\windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077482530 5 bytes JMP 0000000000020568 .text C:\windows\System32\GWX\GWXUX.exe[4352] C:\windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000774040c0 5 bytes JMP 00000000000205f0 .text C:\windows\System32\GWX\GWXUX.exe[4352] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007742bcc0 5 bytes JMP 0000000000020678 .text C:\windows\System32\GWX\GWXUX.exe[4352] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007742bdb0 5 bytes JMP 00000000000200a0 .text C:\windows\System32\GWX\GWXUX.exe[4352] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007742bed0 5 bytes JMP 0000000000020018 .text C:\windows\System32\GWX\GWXUX.exe[4352] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007742bf30 5 bytes JMP 00000000000203d0 .text C:\windows\System32\GWX\GWXUX.exe[4352] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007742bfb0 5 bytes JMP 00000000000201b0 .text C:\windows\System32\GWX\GWXUX.exe[4352] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007742c050 5 bytes JMP 0000000000020128 .text C:\windows\System32\GWX\GWXUX.exe[4352] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007742c500 5 bytes JMP 0000000000020238 .text C:\windows\System32\GWX\GWXUX.exe[4352] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007742c590 5 bytes JMP 00000000000202c0 .text C:\windows\System32\GWX\GWXUX.exe[4352] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007742c600 5 bytes JMP 0000000000020348 .text C:\windows\System32\GWX\GWXUX.exe[4352] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007742cac0 5 bytes JMP 0000000000020458 .text C:\windows\System32\GWX\GWXUX.exe[4352] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007742cb10 5 bytes JMP 00000000000204e0 .text C:\windows\System32\GWX\GWXUX.exe[4352] C:\windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077482530 5 bytes JMP 0000000000020568 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4464] C:\windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000774040c0 5 bytes JMP 00000000000205f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4464] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007742bcc0 5 bytes JMP 0000000000020678 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4464] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007742bdb0 5 bytes JMP 00000000000200a0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4464] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007742bed0 5 bytes JMP 0000000000020018 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4464] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007742bf30 5 bytes JMP 00000000000203d0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4464] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007742bfb0 5 bytes JMP 00000000000201b0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4464] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007742c050 5 bytes JMP 0000000000020128 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4464] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007742c500 5 bytes JMP 0000000000020238 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4464] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007742c590 5 bytes JMP 00000000000202c0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4464] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007742c600 5 bytes JMP 0000000000020348 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4464] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007742cac0 5 bytes JMP 0000000000020458 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4464] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007742cb10 5 bytes JMP 00000000000204e0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4464] C:\windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077482530 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4560] C:\windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 00000000775dfae8 5 bytes JMP 0000000071d72c30 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4560] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000775dfc60 5 bytes JMP 0000000071d726d0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4560] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000775dfe24 5 bytes JMP 0000000071d72530 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4560] C:\windows\SysWOW64\ntdll.dll!NtOpenEvent 00000000775dfeb8 5 bytes JMP 0000000071d72990 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4560] C:\windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000775dff84 5 bytes JMP 0000000071d72970 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4560] C:\windows\SysWOW64\ntdll.dll!NtResumeThread 00000000775e0078 5 bytes JMP 0000000071d72890 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4560] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000775e07ac 5 bytes JMP 0000000071d729b0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4560] C:\windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000775e0884 5 bytes JMP 0000000071d729f0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4560] C:\windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000775e092c 5 bytes JMP 0000000071d72a30 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4560] C:\windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000775e1088 5 bytes JMP 0000000071d729d0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4560] C:\windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000775e1100 5 bytes JMP 0000000071d72a10 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4560] C:\windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 00000000775f911f 5 bytes JMP 0000000071d72bb0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4560] C:\windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007767ff31 5 bytes JMP 0000000071d72ac0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4560] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000769c1401 2 bytes JMP 755eb263 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4560] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000769c1419 2 bytes JMP 755eb38e C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4560] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000769c1431 2 bytes JMP 756690f1 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4560] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000769c144a 2 bytes CALL 755c48ad C:\windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4560] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000769c14dd 2 bytes JMP 756689ea C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4560] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000769c14f5 2 bytes JMP 75668bc0 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4560] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000769c150d 2 bytes JMP 756688e0 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4560] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000769c1525 2 bytes JMP 75668caa C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4560] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000769c153d 2 bytes JMP 755dfce8 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4560] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000769c1555 2 bytes JMP 755e6937 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4560] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000769c156d 2 bytes JMP 756691a9 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4560] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000769c1585 2 bytes JMP 75668d0a C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4560] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000769c159d 2 bytes JMP 756688a4 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4560] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000769c15b5 2 bytes JMP 755dfd81 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4560] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000769c15cd 2 bytes JMP 755eb324 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4560] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000769c16b2 2 bytes JMP 7566906c C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4560] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000769c16bd 2 bytes JMP 75668839 C:\windows\syswow64\kernel32.dll .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[1988] C:\windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000774040c0 5 bytes JMP 00000000000205f0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[1988] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007742bcc0 5 bytes JMP 0000000000020678 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[1988] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007742bdb0 5 bytes JMP 00000000000200a0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[1988] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007742bed0 5 bytes JMP 0000000000020018 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[1988] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007742bf30 5 bytes JMP 00000000000203d0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[1988] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007742bfb0 5 bytes JMP 00000000000201b0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[1988] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007742c050 5 bytes JMP 0000000000020128 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[1988] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007742c500 5 bytes JMP 0000000000020238 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[1988] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007742c590 5 bytes JMP 00000000000202c0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[1988] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007742c600 5 bytes JMP 0000000000020348 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[1988] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007742cac0 5 bytes JMP 0000000000020458 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[1988] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007742cb10 5 bytes JMP 00000000000204e0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[1988] C:\windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077482530 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1600] C:\windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 00000000775dfae8 5 bytes JMP 0000000071d72c30 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1600] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000775dfc60 5 bytes JMP 0000000071d726d0 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1600] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000775dfe24 5 bytes JMP 0000000071d72530 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1600] C:\windows\SysWOW64\ntdll.dll!NtOpenEvent 00000000775dfeb8 5 bytes JMP 0000000071d72990 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1600] C:\windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000775dff84 5 bytes JMP 0000000071d72970 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1600] C:\windows\SysWOW64\ntdll.dll!NtResumeThread 00000000775e0078 5 bytes JMP 0000000071d72890 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1600] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000775e07ac 5 bytes JMP 0000000071d729b0 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1600] C:\windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000775e0884 5 bytes JMP 0000000071d729f0 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1600] C:\windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000775e092c 5 bytes JMP 0000000071d72a30 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1600] C:\windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000775e1088 5 bytes JMP 0000000071d729d0 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1600] C:\windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000775e1100 5 bytes JMP 0000000071d72a10 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1600] C:\windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 00000000775f911f 5 bytes JMP 0000000071d72bb0 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1600] C:\windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007767ff31 5 bytes JMP 0000000071d72ac0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[4412] C:\windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000774040c0 5 bytes JMP 00000000000205f0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[4412] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007742bcc0 5 bytes JMP 0000000000020678 .text C:\Program Files (x86)\AVG\Av\avgui.exe[4412] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007742bdb0 5 bytes JMP 00000000000200a0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[4412] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007742bed0 5 bytes JMP 0000000000020018 .text C:\Program Files (x86)\AVG\Av\avgui.exe[4412] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007742bf30 5 bytes JMP 00000000000203d0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[4412] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007742bfb0 5 bytes JMP 00000000000201b0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[4412] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007742c050 5 bytes JMP 0000000000020128 .text C:\Program Files (x86)\AVG\Av\avgui.exe[4412] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007742c500 5 bytes JMP 0000000000020238 .text C:\Program Files (x86)\AVG\Av\avgui.exe[4412] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007742c590 5 bytes JMP 00000000000202c0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[4412] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007742c600 5 bytes JMP 0000000000020348 .text C:\Program Files (x86)\AVG\Av\avgui.exe[4412] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007742cac0 5 bytes JMP 0000000000020458 .text C:\Program Files (x86)\AVG\Av\avgui.exe[4412] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007742cb10 5 bytes JMP 00000000000204e0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[4412] C:\windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077482530 5 bytes JMP 0000000000020568 .text C:\windows\SysWOW64\RunDll32.exe[4556] C:\windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 00000000775dfae8 5 bytes JMP 0000000071d72c30 .text C:\windows\SysWOW64\RunDll32.exe[4556] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000775dfc60 5 bytes JMP 0000000071d726d0 .text C:\windows\SysWOW64\RunDll32.exe[4556] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000775dfe24 5 bytes JMP 0000000071d72530 .text C:\windows\SysWOW64\RunDll32.exe[4556] C:\windows\SysWOW64\ntdll.dll!NtOpenEvent 00000000775dfeb8 5 bytes JMP 0000000071d72990 .text C:\windows\SysWOW64\RunDll32.exe[4556] C:\windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000775dff84 5 bytes JMP 0000000071d72970 .text C:\windows\SysWOW64\RunDll32.exe[4556] C:\windows\SysWOW64\ntdll.dll!NtResumeThread 00000000775e0078 5 bytes JMP 0000000071d72890 .text C:\windows\SysWOW64\RunDll32.exe[4556] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000775e07ac 5 bytes JMP 0000000071d729b0 .text C:\windows\SysWOW64\RunDll32.exe[4556] C:\windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000775e0884 5 bytes JMP 0000000071d729f0 .text C:\windows\SysWOW64\RunDll32.exe[4556] C:\windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000775e092c 5 bytes JMP 0000000071d72a30 .text C:\windows\SysWOW64\RunDll32.exe[4556] C:\windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000775e1088 5 bytes JMP 0000000071d729d0 .text C:\windows\SysWOW64\RunDll32.exe[4556] C:\windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000775e1100 5 bytes JMP 0000000071d72a10 .text C:\windows\SysWOW64\RunDll32.exe[4556] C:\windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 00000000775f911f 5 bytes JMP 0000000071d72bb0 .text C:\windows\SysWOW64\RunDll32.exe[4556] C:\windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007767ff31 5 bytes JMP 0000000071d72ac0 .text C:\windows\SysWOW64\RunDll32.exe[4556] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000769c1401 2 bytes JMP 755eb263 C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\RunDll32.exe[4556] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000769c1419 2 bytes JMP 755eb38e C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\RunDll32.exe[4556] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000769c1431 2 bytes JMP 756690f1 C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\RunDll32.exe[4556] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000769c144a 2 bytes CALL 755c48ad C:\windows\syswow64\kernel32.dll .text ... * 9 .text C:\windows\SysWOW64\RunDll32.exe[4556] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000769c14dd 2 bytes JMP 756689ea C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\RunDll32.exe[4556] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000769c14f5 2 bytes JMP 75668bc0 C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\RunDll32.exe[4556] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000769c150d 2 bytes JMP 756688e0 C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\RunDll32.exe[4556] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000769c1525 2 bytes JMP 75668caa C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\RunDll32.exe[4556] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000769c153d 2 bytes JMP 755dfce8 C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\RunDll32.exe[4556] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000769c1555 2 bytes JMP 755e6937 C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\RunDll32.exe[4556] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000769c156d 2 bytes JMP 756691a9 C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\RunDll32.exe[4556] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000769c1585 2 bytes JMP 75668d0a C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\RunDll32.exe[4556] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000769c159d 2 bytes JMP 756688a4 C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\RunDll32.exe[4556] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000769c15b5 2 bytes JMP 755dfd81 C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\RunDll32.exe[4556] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000769c15cd 2 bytes JMP 755eb324 C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\RunDll32.exe[4556] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000769c16b2 2 bytes JMP 7566906c C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\RunDll32.exe[4556] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000769c16bd 2 bytes JMP 75668839 C:\windows\syswow64\kernel32.dll .text C:\windows\system32\SearchIndexer.exe[4896] C:\windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000774040c0 5 bytes JMP 00000000000205f0 .text C:\windows\system32\SearchIndexer.exe[4896] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007742bcc0 5 bytes JMP 0000000000020678 .text C:\windows\system32\SearchIndexer.exe[4896] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007742bdb0 5 bytes JMP 00000000000200a0 .text C:\windows\system32\SearchIndexer.exe[4896] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007742bed0 5 bytes JMP 0000000000020018 .text C:\windows\system32\SearchIndexer.exe[4896] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007742bf30 5 bytes JMP 00000000000203d0 .text C:\windows\system32\SearchIndexer.exe[4896] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007742bfb0 5 bytes JMP 00000000000201b0 .text C:\windows\system32\SearchIndexer.exe[4896] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007742c050 5 bytes JMP 0000000000020128 .text C:\windows\system32\SearchIndexer.exe[4896] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007742c500 5 bytes JMP 0000000000020238 .text C:\windows\system32\SearchIndexer.exe[4896] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007742c590 5 bytes JMP 00000000000202c0 .text C:\windows\system32\SearchIndexer.exe[4896] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007742c600 5 bytes JMP 0000000000020348 .text C:\windows\system32\SearchIndexer.exe[4896] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007742cac0 5 bytes JMP 0000000000020458 .text C:\windows\system32\SearchIndexer.exe[4896] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007742cb10 5 bytes JMP 00000000000204e0 .text C:\windows\system32\SearchIndexer.exe[4896] C:\windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077482530 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\Samsung\Samsung Recovery Solution 5\WCScheduler.exe[3940] C:\windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 00000000775dfae8 5 bytes JMP 0000000071d72c30 .text C:\Program Files (x86)\Samsung\Samsung Recovery Solution 5\WCScheduler.exe[3940] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000775dfc60 5 bytes JMP 0000000071d726d0 .text C:\Program Files (x86)\Samsung\Samsung Recovery Solution 5\WCScheduler.exe[3940] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000775dfe24 5 bytes JMP 0000000071d72530 .text C:\Program Files (x86)\Samsung\Samsung Recovery Solution 5\WCScheduler.exe[3940] C:\windows\SysWOW64\ntdll.dll!NtOpenEvent 00000000775dfeb8 5 bytes JMP 0000000071d72990 .text C:\Program Files (x86)\Samsung\Samsung Recovery Solution 5\WCScheduler.exe[3940] C:\windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000775dff84 5 bytes JMP 0000000071d72970 .text C:\Program Files (x86)\Samsung\Samsung Recovery Solution 5\WCScheduler.exe[3940] C:\windows\SysWOW64\ntdll.dll!NtResumeThread 00000000775e0078 5 bytes JMP 0000000071d72890 .text C:\Program Files (x86)\Samsung\Samsung Recovery Solution 5\WCScheduler.exe[3940] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000775e07ac 5 bytes JMP 0000000071d729b0 .text C:\Program Files (x86)\Samsung\Samsung Recovery Solution 5\WCScheduler.exe[3940] C:\windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000775e0884 5 bytes JMP 0000000071d729f0 .text C:\Program Files (x86)\Samsung\Samsung Recovery Solution 5\WCScheduler.exe[3940] C:\windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000775e092c 5 bytes JMP 0000000071d72a30 .text C:\Program Files (x86)\Samsung\Samsung Recovery Solution 5\WCScheduler.exe[3940] C:\windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000775e1088 5 bytes JMP 0000000071d729d0 .text C:\Program Files (x86)\Samsung\Samsung Recovery Solution 5\WCScheduler.exe[3940] C:\windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000775e1100 5 bytes JMP 0000000071d72a10 .text C:\Program Files (x86)\Samsung\Samsung Recovery Solution 5\WCScheduler.exe[3940] C:\windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 00000000775f911f 5 bytes JMP 0000000071d72bb0 .text C:\Program Files (x86)\Samsung\Samsung Recovery Solution 5\WCScheduler.exe[3940] C:\windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007767ff31 5 bytes JMP 0000000071d72ac0 .text C:\windows\system32\ctfmon.exe[3824] C:\windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000774040c0 5 bytes JMP 00000000000205f0 .text C:\windows\system32\ctfmon.exe[3824] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007742bcc0 5 bytes JMP 0000000000020678 .text C:\windows\system32\ctfmon.exe[3824] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007742bdb0 5 bytes JMP 00000000000200a0 .text C:\windows\system32\ctfmon.exe[3824] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007742bed0 5 bytes JMP 0000000000020018 .text C:\windows\system32\ctfmon.exe[3824] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007742bf30 5 bytes JMP 00000000000203d0 .text C:\windows\system32\ctfmon.exe[3824] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007742bfb0 5 bytes JMP 00000000000201b0 .text C:\windows\system32\ctfmon.exe[3824] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007742c050 5 bytes JMP 0000000000020128 .text C:\windows\system32\ctfmon.exe[3824] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007742c500 5 bytes JMP 0000000000020238 .text C:\windows\system32\ctfmon.exe[3824] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007742c590 5 bytes JMP 00000000000202c0 .text C:\windows\system32\ctfmon.exe[3824] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007742c600 5 bytes JMP 0000000000020348 .text C:\windows\system32\ctfmon.exe[3824] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007742cac0 5 bytes JMP 0000000000020458 .text C:\windows\system32\ctfmon.exe[3824] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007742cb10 5 bytes JMP 00000000000204e0 .text C:\windows\system32\ctfmon.exe[3824] C:\windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077482530 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4704] C:\windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 00000000775dfae8 5 bytes JMP 0000000071d72c30 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4704] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000775dfc60 5 bytes JMP 0000000071d726d0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4704] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000775dfe24 5 bytes JMP 0000000071d72530 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4704] C:\windows\SysWOW64\ntdll.dll!NtOpenEvent 00000000775dfeb8 5 bytes JMP 0000000071d72990 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4704] C:\windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000775dff84 5 bytes JMP 0000000071d72970 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4704] C:\windows\SysWOW64\ntdll.dll!NtResumeThread 00000000775e0078 5 bytes JMP 0000000071d72890 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4704] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000775e07ac 5 bytes JMP 0000000071d729b0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4704] C:\windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000775e0884 5 bytes JMP 0000000071d729f0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4704] C:\windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000775e092c 5 bytes JMP 0000000071d72a30 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4704] C:\windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000775e1088 5 bytes JMP 0000000071d729d0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4704] C:\windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000775e1100 5 bytes JMP 0000000071d72a10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4704] C:\windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 00000000775f911f 5 bytes JMP 0000000071d72bb0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4704] C:\windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007767ff31 5 bytes JMP 0000000071d72ac0 .text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[1136] C:\windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 00000000775dfae8 5 bytes JMP 0000000071d72c30 .text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[1136] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000775dfc60 5 bytes JMP 0000000071d726d0 .text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[1136] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000775dfe24 5 bytes JMP 0000000071d72530 .text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[1136] C:\windows\SysWOW64\ntdll.dll!NtOpenEvent 00000000775dfeb8 5 bytes JMP 0000000071d72990 .text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[1136] C:\windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000775dff84 5 bytes JMP 0000000071d72970 .text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[1136] C:\windows\SysWOW64\ntdll.dll!NtResumeThread 00000000775e0078 5 bytes JMP 0000000071d72890 .text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[1136] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000775e07ac 5 bytes JMP 0000000071d729b0 .text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[1136] C:\windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000775e0884 5 bytes JMP 0000000071d729f0 .text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[1136] C:\windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000775e092c 5 bytes JMP 0000000071d72a30 .text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[1136] C:\windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000775e1088 5 bytes JMP 0000000071d729d0 .text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[1136] C:\windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000775e1100 5 bytes JMP 0000000071d72a10 .text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[1136] C:\windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 00000000775f911f 5 bytes JMP 0000000071d72bb0 .text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[1136] C:\windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007767ff31 5 bytes JMP 0000000071d72ac0 .text C:\windows\system32\svchost.exe[2016] C:\windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000774040c0 5 bytes JMP 00000000000205f0 .text C:\windows\system32\svchost.exe[2016] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007742bcc0 5 bytes JMP 0000000000020678 .text C:\windows\system32\svchost.exe[2016] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007742bdb0 5 bytes JMP 00000000000200a0 .text C:\windows\system32\svchost.exe[2016] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007742bed0 5 bytes JMP 0000000000020018 .text C:\windows\system32\svchost.exe[2016] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007742bf30 5 bytes JMP 00000000000203d0 .text C:\windows\system32\svchost.exe[2016] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007742bfb0 5 bytes JMP 00000000000201b0 .text C:\windows\system32\svchost.exe[2016] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007742c050 5 bytes JMP 0000000000020128 .text C:\windows\system32\svchost.exe[2016] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007742c500 5 bytes JMP 0000000000020238 .text C:\windows\system32\svchost.exe[2016] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007742c590 5 bytes JMP 00000000000202c0 .text C:\windows\system32\svchost.exe[2016] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007742c600 5 bytes JMP 0000000000020348 .text C:\windows\system32\svchost.exe[2016] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007742cac0 5 bytes JMP 0000000000020458 .text C:\windows\system32\svchost.exe[2016] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007742cb10 5 bytes JMP 00000000000204e0 .text C:\windows\system32\svchost.exe[2016] C:\windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077482530 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[4044] C:\windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 00000000775dfae8 5 bytes JMP 0000000071d72c30 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[4044] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000775dfc60 5 bytes JMP 0000000071d726d0 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[4044] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000775dfe24 5 bytes JMP 0000000071d72530 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[4044] C:\windows\SysWOW64\ntdll.dll!NtOpenEvent 00000000775dfeb8 5 bytes JMP 0000000071d72990 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[4044] C:\windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000775dff84 5 bytes JMP 0000000071d72970 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[4044] C:\windows\SysWOW64\ntdll.dll!NtResumeThread 00000000775e0078 5 bytes JMP 0000000071d72890 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[4044] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000775e07ac 5 bytes JMP 0000000071d729b0 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[4044] C:\windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000775e0884 5 bytes JMP 0000000071d729f0 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[4044] C:\windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000775e092c 5 bytes JMP 0000000071d72a30 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[4044] C:\windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000775e1088 5 bytes JMP 0000000071d729d0 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[4044] C:\windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000775e1100 5 bytes JMP 0000000071d72a10 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[4044] C:\windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 00000000775f911f 5 bytes JMP 0000000071d72bb0 .text C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[4044] C:\windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007767ff31 5 bytes JMP 0000000071d72ac0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[5496] C:\windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000774040c0 5 bytes JMP 00000000000205f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[5496] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007742bcc0 5 bytes JMP 0000000000020678 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[5496] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007742bdb0 5 bytes JMP 00000000000200a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[5496] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007742bed0 5 bytes JMP 0000000000020018 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[5496] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007742bf30 5 bytes JMP 00000000000203d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[5496] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007742bfb0 5 bytes JMP 00000000000201b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[5496] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007742c050 5 bytes JMP 0000000000020128 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[5496] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007742c500 5 bytes JMP 0000000000020238 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[5496] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007742c590 5 bytes JMP 00000000000202c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[5496] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007742c600 5 bytes JMP 0000000000020348 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[5496] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007742cac0 5 bytes JMP 0000000000020458 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[5496] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007742cb10 5 bytes JMP 00000000000204e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[5496] C:\windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077482530 5 bytes JMP 0000000000020568 .text C:\windows\system32\svchost.exe[5560] C:\windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000774040c0 5 bytes JMP 00000000000205f0 .text C:\windows\system32\svchost.exe[5560] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007742bcc0 5 bytes JMP 0000000000020678 .text C:\windows\system32\svchost.exe[5560] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007742bdb0 5 bytes JMP 00000000000200a0 .text C:\windows\system32\svchost.exe[5560] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007742bed0 5 bytes JMP 0000000000020018 .text C:\windows\system32\svchost.exe[5560] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007742bf30 5 bytes JMP 00000000000203d0 .text C:\windows\system32\svchost.exe[5560] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007742bfb0 5 bytes JMP 00000000000201b0 .text C:\windows\system32\svchost.exe[5560] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007742c050 5 bytes JMP 0000000000020128 .text C:\windows\system32\svchost.exe[5560] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007742c500 5 bytes JMP 0000000000020238 .text C:\windows\system32\svchost.exe[5560] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007742c590 5 bytes JMP 00000000000202c0 .text C:\windows\system32\svchost.exe[5560] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007742c600 5 bytes JMP 0000000000020348 .text C:\windows\system32\svchost.exe[5560] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007742cac0 5 bytes JMP 0000000000020458 .text C:\windows\system32\svchost.exe[5560] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007742cb10 5 bytes JMP 00000000000204e0 .text C:\windows\system32\svchost.exe[5560] C:\windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077482530 5 bytes JMP 0000000000020568 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[6116] C:\windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000774040c0 5 bytes JMP 00000000000205f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[6116] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007742bcc0 5 bytes JMP 0000000000020678 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[6116] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007742bdb0 5 bytes JMP 00000000000200a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[6116] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007742bed0 5 bytes JMP 0000000000020018 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[6116] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007742bf30 5 bytes JMP 00000000000203d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[6116] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007742bfb0 5 bytes JMP 00000000000201b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[6116] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007742c050 5 bytes JMP 0000000000020128 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[6116] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007742c500 5 bytes JMP 0000000000020238 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[6116] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007742c590 5 bytes JMP 00000000000202c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[6116] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007742c600 5 bytes JMP 0000000000020348 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[6116] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007742cac0 5 bytes JMP 0000000000020458 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[6116] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007742cb10 5 bytes JMP 00000000000204e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[6116] C:\windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077482530 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1052] C:\windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 00000000775dfae8 5 bytes JMP 0000000071d72c30 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1052] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000775dfc60 5 bytes JMP 0000000071d726d0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1052] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000775dfe24 5 bytes JMP 0000000071d72530 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1052] C:\windows\SysWOW64\ntdll.dll!NtOpenEvent 00000000775dfeb8 5 bytes JMP 0000000071d72990 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1052] C:\windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000775dff84 5 bytes JMP 0000000071d72970 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1052] C:\windows\SysWOW64\ntdll.dll!NtResumeThread 00000000775e0078 5 bytes JMP 0000000071d72890 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1052] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000775e07ac 5 bytes JMP 0000000071d729b0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1052] C:\windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000775e0884 5 bytes JMP 0000000071d729f0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1052] C:\windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000775e092c 5 bytes JMP 0000000071d72a30 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1052] C:\windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000775e1088 5 bytes JMP 0000000071d729d0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1052] C:\windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000775e1100 5 bytes JMP 0000000071d72a10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1052] C:\windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 00000000775f911f 5 bytes JMP 0000000071d72bb0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1052] C:\windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007767ff31 5 bytes JMP 0000000071d72ac0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1052] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000769c1401 2 bytes JMP 755eb263 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1052] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000769c1419 2 bytes JMP 755eb38e C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1052] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000769c1431 2 bytes JMP 756690f1 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1052] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000769c144a 2 bytes CALL 755c48ad C:\windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1052] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000769c14dd 2 bytes JMP 756689ea C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1052] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000769c14f5 2 bytes JMP 75668bc0 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1052] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000769c150d 2 bytes JMP 756688e0 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1052] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000769c1525 2 bytes JMP 75668caa C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1052] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000769c153d 2 bytes JMP 755dfce8 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1052] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000769c1555 2 bytes JMP 755e6937 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1052] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000769c156d 2 bytes JMP 756691a9 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1052] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000769c1585 2 bytes JMP 75668d0a C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1052] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000769c159d 2 bytes JMP 756688a4 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1052] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000769c15b5 2 bytes JMP 755dfd81 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1052] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000769c15cd 2 bytes JMP 755eb324 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1052] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000769c16b2 2 bytes JMP 7566906c C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1052] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000769c16bd 2 bytes JMP 75668839 C:\windows\syswow64\kernel32.dll .text C:\windows\system32\sppsvc.exe[2908] C:\windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000774040c0 5 bytes JMP 00000000000205f0 .text C:\windows\system32\sppsvc.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007742bcc0 5 bytes JMP 0000000000020678 .text C:\windows\system32\sppsvc.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007742bdb0 5 bytes JMP 00000000000200a0 .text C:\windows\system32\sppsvc.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007742bed0 5 bytes JMP 0000000000020018 .text C:\windows\system32\sppsvc.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007742bf30 5 bytes JMP 00000000000203d0 .text C:\windows\system32\sppsvc.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007742bfb0 5 bytes JMP 00000000000201b0 .text C:\windows\system32\sppsvc.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007742c050 5 bytes JMP 0000000000020128 .text C:\windows\system32\sppsvc.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007742c500 5 bytes JMP 0000000000020238 .text C:\windows\system32\sppsvc.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007742c590 5 bytes JMP 00000000000202c0 .text C:\windows\system32\sppsvc.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007742c600 5 bytes JMP 0000000000020348 .text C:\windows\system32\sppsvc.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007742cac0 5 bytes JMP 0000000000020458 .text C:\windows\system32\sppsvc.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007742cb10 5 bytes JMP 00000000000204e0 .text C:\windows\system32\sppsvc.exe[2908] C:\windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077482530 5 bytes JMP 0000000000020568 .text C:\windows\system32\msiexec.exe[4600] C:\windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000774040c0 5 bytes JMP 00000000000205f0 .text C:\windows\system32\msiexec.exe[4600] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007742bcc0 5 bytes JMP 0000000000020678 .text C:\windows\system32\msiexec.exe[4600] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007742bdb0 5 bytes JMP 00000000000200a0 .text C:\windows\system32\msiexec.exe[4600] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007742bed0 5 bytes JMP 0000000000020018 .text C:\windows\system32\msiexec.exe[4600] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007742bf30 5 bytes JMP 00000000000203d0 .text C:\windows\system32\msiexec.exe[4600] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007742bfb0 5 bytes JMP 00000000000201b0 .text C:\windows\system32\msiexec.exe[4600] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007742c050 5 bytes JMP 0000000000020128 .text C:\windows\system32\msiexec.exe[4600] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007742c500 5 bytes JMP 0000000000020238 .text C:\windows\system32\msiexec.exe[4600] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007742c590 5 bytes JMP 00000000000202c0 .text C:\windows\system32\msiexec.exe[4600] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007742c600 5 bytes JMP 0000000000020348 .text C:\windows\system32\msiexec.exe[4600] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007742cac0 5 bytes JMP 0000000000020458 .text C:\windows\system32\msiexec.exe[4600] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007742cb10 5 bytes JMP 00000000000204e0 .text C:\windows\system32\msiexec.exe[4600] C:\windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077482530 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\AVG\Framework\Common\avgsvca.exe[6132] C:\windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000774040c0 5 bytes JMP 00000000000205f0 .text C:\Program Files (x86)\AVG\Framework\Common\avgsvca.exe[6132] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007742bcc0 5 bytes JMP 0000000000020678 .text C:\Program Files (x86)\AVG\Framework\Common\avgsvca.exe[6132] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007742bdb0 5 bytes JMP 00000000000200a0 .text C:\Program Files (x86)\AVG\Framework\Common\avgsvca.exe[6132] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007742bed0 5 bytes JMP 0000000000020018 .text C:\Program Files (x86)\AVG\Framework\Common\avgsvca.exe[6132] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007742bf30 5 bytes JMP 00000000000203d0 .text C:\Program Files (x86)\AVG\Framework\Common\avgsvca.exe[6132] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007742bfb0 5 bytes JMP 00000000000201b0 .text C:\Program Files (x86)\AVG\Framework\Common\avgsvca.exe[6132] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007742c050 5 bytes JMP 0000000000020128 .text C:\Program Files (x86)\AVG\Framework\Common\avgsvca.exe[6132] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007742c500 5 bytes JMP 0000000000020238 .text C:\Program Files (x86)\AVG\Framework\Common\avgsvca.exe[6132] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007742c590 5 bytes JMP 00000000000202c0 .text C:\Program Files (x86)\AVG\Framework\Common\avgsvca.exe[6132] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007742c600 5 bytes JMP 0000000000020348 .text C:\Program Files (x86)\AVG\Framework\Common\avgsvca.exe[6132] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007742cac0 5 bytes JMP 0000000000020458 .text C:\Program Files (x86)\AVG\Framework\Common\avgsvca.exe[6132] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007742cb10 5 bytes JMP 00000000000204e0 .text C:\Program Files (x86)\AVG\Framework\Common\avgsvca.exe[6132] C:\windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077482530 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5552] C:\windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 00000000775dfae8 5 bytes JMP 0000000071d72c30 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5552] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000775dfc60 5 bytes JMP 0000000071d726d0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5552] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000775dfe24 5 bytes JMP 0000000071d72530 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5552] C:\windows\SysWOW64\ntdll.dll!NtOpenEvent 00000000775dfeb8 5 bytes JMP 0000000071d72990 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5552] C:\windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000775dff84 5 bytes JMP 0000000071d72970 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5552] C:\windows\SysWOW64\ntdll.dll!NtResumeThread 00000000775e0078 5 bytes JMP 0000000071d72890 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5552] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000775e07ac 5 bytes JMP 0000000071d729b0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5552] C:\windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000775e0884 5 bytes JMP 0000000071d729f0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5552] C:\windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000775e092c 5 bytes JMP 0000000071d72a30 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5552] C:\windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000775e1088 5 bytes JMP 0000000071d729d0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5552] C:\windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000775e1100 5 bytes JMP 0000000071d72a10 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5552] C:\windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 00000000775f911f 5 bytes JMP 0000000071d72bb0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5552] C:\windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007767ff31 5 bytes JMP 0000000071d72ac0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5552] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000769c1401 2 bytes JMP 755eb263 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5552] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000769c1419 2 bytes JMP 755eb38e C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5552] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000769c1431 2 bytes JMP 756690f1 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5552] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000769c144a 2 bytes CALL 755c48ad C:\windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5552] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000769c14dd 2 bytes JMP 756689ea C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5552] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000769c14f5 2 bytes JMP 75668bc0 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5552] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000769c150d 2 bytes JMP 756688e0 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5552] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000769c1525 2 bytes JMP 75668caa C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5552] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000769c153d 2 bytes JMP 755dfce8 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5552] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000769c1555 2 bytes JMP 755e6937 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5552] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000769c156d 2 bytes JMP 756691a9 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5552] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000769c1585 2 bytes JMP 75668d0a C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5552] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000769c159d 2 bytes JMP 756688a4 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5552] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000769c15b5 2 bytes JMP 755dfd81 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5552] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000769c15cd 2 bytes JMP 755eb324 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5552] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000769c16b2 2 bytes JMP 7566906c C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5552] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000769c16bd 2 bytes JMP 75668839 C:\windows\syswow64\kernel32.dll .text C:\Users\marek_2\Downloads\bwrtkjlr.exe[4812] C:\windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 00000000775dfae8 5 bytes JMP 0000000071d72c30 .text C:\Users\marek_2\Downloads\bwrtkjlr.exe[4812] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000775dfc60 5 bytes JMP 0000000071d726d0 .text C:\Users\marek_2\Downloads\bwrtkjlr.exe[4812] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000775dfe24 5 bytes JMP 0000000071d72530 .text C:\Users\marek_2\Downloads\bwrtkjlr.exe[4812] C:\windows\SysWOW64\ntdll.dll!NtOpenEvent 00000000775dfeb8 5 bytes JMP 0000000071d72990 .text C:\Users\marek_2\Downloads\bwrtkjlr.exe[4812] C:\windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000775dff84 5 bytes JMP 0000000071d72970 .text C:\Users\marek_2\Downloads\bwrtkjlr.exe[4812] C:\windows\SysWOW64\ntdll.dll!NtResumeThread 00000000775e0078 5 bytes JMP 0000000071d72890 .text C:\Users\marek_2\Downloads\bwrtkjlr.exe[4812] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000775e07ac 5 bytes JMP 0000000071d729b0 .text C:\Users\marek_2\Downloads\bwrtkjlr.exe[4812] C:\windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000775e0884 5 bytes JMP 0000000071d729f0 .text C:\Users\marek_2\Downloads\bwrtkjlr.exe[4812] C:\windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000775e092c 5 bytes JMP 0000000071d72a30 .text C:\Users\marek_2\Downloads\bwrtkjlr.exe[4812] C:\windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000775e1088 5 bytes JMP 0000000071d729d0 .text C:\Users\marek_2\Downloads\bwrtkjlr.exe[4812] C:\windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000775e1100 5 bytes JMP 0000000071d72a10 .text C:\Users\marek_2\Downloads\bwrtkjlr.exe[4812] C:\windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 00000000775f911f 5 bytes JMP 0000000071d72bb0 .text C:\Users\marek_2\Downloads\bwrtkjlr.exe[4812] C:\windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007767ff31 5 bytes JMP 0000000071d72ac0 ---- User IAT/EAT - GMER 2.2 ---- IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\msiexec.exe[ADVAPI32.dll!RegCreateKeyExW] [7fee7fbb4f4] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\msiexec.exe[ADVAPI32.dll!RegDeleteValueW] [7fee7fbbbc8] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\msiexec.exe[ADVAPI32.dll!RegOpenKeyExW] [7fee7fbb6d0] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\msiexec.exe[ADVAPI32.dll!RegSetValueExW] [7fee7fbbaa8] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\msiexec.exe[KERNEL32.dll!GetProcAddress] [7fefbd84230] C:\windows\system32\apphelp.dll IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\ADVAPI32.dll[KERNEL32.dll!CopyFileW] [7fee7fba184] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\ADVAPI32.dll[KERNEL32.dll!GetProcAddress] [7fefbd84230] C:\windows\system32\apphelp.dll IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\ADVAPI32.dll[KERNEL32.dll!CreateFileW] [7fee7fba42c] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\ADVAPI32.dll[KERNEL32.dll!DeleteFileW] [7fee7fba5e4] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\USER32.dll[KERNEL32.dll!RegOpenKeyExW] [7fee7fbb6d0] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\USER32.dll[KERNEL32.dll!RegCreateKeyExW] [7fee7fbb4f4] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\USER32.dll[KERNEL32.dll!RegSetValueExW] [7fee7fbbaa8] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\USER32.dll[KERNEL32.dll!GetProcAddress] [7fefbd84230] C:\windows\system32\apphelp.dll IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\USER32.dll[KERNEL32.dll!CreateFileW] [7fee7fba42c] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\GDI32.dll[KERNEL32.dll!CopyFileW] [7fee7fba184] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\GDI32.dll[KERNEL32.dll!DeleteFileW] [7fee7fba5e4] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\GDI32.dll[KERNEL32.dll!CreateFileW] [7fee7fba42c] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\GDI32.dll[KERNEL32.dll!GetProcAddress] [7fefbd84230] C:\windows\system32\apphelp.dll IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\msi.dll[ADVAPI32.dll!SetFileSecurityW] [7fee7fbbcb0] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\msi.dll[ADVAPI32.dll!RegCreateKeyExW] [7fee7fbb4f4] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\msi.dll[ADVAPI32.dll!RegSetValueExA] [7fee7fbba0c] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\msi.dll[ADVAPI32.dll!RegOpenKeyExW] [7fee7fbb6d0] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\msi.dll[ADVAPI32.dll!RegDeleteValueW] [7fee7fbbbc8] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\msi.dll[ADVAPI32.dll!RegDeleteKeyW] [7fee7fbd12c] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\msi.dll[ADVAPI32.dll!RegSetValueExW] [7fee7fbbaa8] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\msi.dll[KERNEL32.dll!MoveFileExW] [7fee7fba804] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\msi.dll[KERNEL32.dll!SetFileAttributesW] [7fee7fbabe0] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\msi.dll[KERNEL32.dll!MoveFileW] [7fee7fba6e0] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\msi.dll[KERNEL32.dll!DeleteFileW] [7fee7fba5e4] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\msi.dll[KERNEL32.dll!CreateFileW] [7fee7fba42c] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\msi.dll[KERNEL32.dll!GetProcAddress] [7fefbd84230] C:\windows\system32\apphelp.dll IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\SHELL32.dll[KERNEL32.dll!CopyFileW] [7fee7fba184] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\SHELL32.dll[KERNEL32.dll!MoveFileExW] [7fee7fba804] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\SHELL32.dll[KERNEL32.dll!MoveFileW] [7fee7fba6e0] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\SHLWAPI.dll[KERNEL32.dll!DeleteFileW] [7fee7fba5e4] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\SHLWAPI.dll[KERNEL32.dll!CreateFileW] [7fee7fba42c] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\SHLWAPI.dll[KERNEL32.dll!SetFileAttributesW] [7fee7fbabe0] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\SHLWAPI.dll[KERNEL32.dll!SetFileAttributesA] [7fee7fbab7c] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\SHLWAPI.dll[KERNEL32.dll!GetProcAddress] [7fefbd84230] C:\windows\system32\apphelp.dll IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\SHLWAPI.dll[KERNEL32.dll!CreateFileA] [7fee7fba2d8] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\WINSPOOL.DRV[KERNEL32.dll!DeleteFileW] [7fee7fba5e4] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\WINSPOOL.DRV[KERNEL32.dll!MoveFileExW] [7fee7fba804] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\WINSPOOL.DRV[KERNEL32.dll!SetFileAttributesW] [7fee7fbabe0] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\WINSPOOL.DRV[KERNEL32.dll!CopyFileW] [7fee7fba184] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\WINSPOOL.DRV[KERNEL32.dll!CreateFileW] [7fee7fba42c] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\WINSPOOL.DRV[KERNEL32.dll!GetProcAddress] [7fefbd84230] C:\windows\system32\apphelp.dll IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\MPR.dll[KERNEL32.dll!GetProcAddress] [7fefbd84230] C:\windows\system32\apphelp.dll IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\sfc_os.DLL[KERNEL32.dll!GetProcAddress] [7fefbd84230] C:\windows\system32\apphelp.dll IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\USERENV.dll[KERNEL32.dll!PrivCopyFileExW] [7fee7fbab04] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\USERENV.dll[KERNEL32.dll!MoveFileExW] [7fee7fba804] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\dwmapi.dll[KERNEL32.dll!GetProcAddress] [7fefbd84230] C:\windows\system32\apphelp.dll IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\IMM32.DLL[KERNEL32.dll!OpenFile] [7fee7fba890] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\IMM32.DLL[KERNEL32.dll!CreateFileW] [7fee7fba42c] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\IMM32.DLL[KERNEL32.dll!GetProcAddress] [7fefbd84230] C:\windows\system32\apphelp.dll IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\MSCTF.dll[KERNEL32.dll!GetProcAddress] [7fefbd84230] C:\windows\system32\apphelp.dll IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757\COMCTL32.DLL[KERNEL32.dll!CreateFileW] [7fee7fba42c] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757\COMCTL32.DLL[KERNEL32.dll!GetProcAddress] [7fefbd84230] C:\windows\system32\apphelp.dll IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\CLBCatQ.DLL[ADVAPI32.dll!RegDeleteValueW] [7fee7fbbbc8] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\CLBCatQ.DLL[ADVAPI32.dll!RegCreateKeyExW] [7fee7fbb4f4] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\CLBCatQ.DLL[ADVAPI32.dll!RegSetValueExW] [7fee7fbbaa8] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\CLBCatQ.DLL[ADVAPI32.dll!RegOpenKeyExW] [7fee7fbb6d0] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\CLBCatQ.DLL[KERNEL32.dll!MoveFileExW] [7fee7fba804] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\CLBCatQ.DLL[KERNEL32.dll!CreateFileW] [7fee7fba42c] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\CLBCatQ.DLL[KERNEL32.dll!SetFileAttributesW] [7fee7fbabe0] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\CLBCatQ.DLL[KERNEL32.dll!MoveFileW] [7fee7fba6e0] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\CLBCatQ.DLL[KERNEL32.dll!DeleteFileW] [7fee7fba5e4] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\CLBCatQ.DLL[KERNEL32.dll!GetProcAddress] [7fefbd84230] C:\windows\system32\apphelp.dll IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\OLEAUT32.dll[KERNEL32.dll!GetProcAddress] [7fefbd84230] C:\windows\system32\apphelp.dll IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\OLEAUT32.dll[KERNEL32.dll!_lwrite] [7fee7fbaa1c] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\OLEAUT32.dll[KERNEL32.dll!CreateFileW] [7fee7fba42c] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\OLEAUT32.dll[KERNEL32.dll!CreateFileA] [7fee7fba2d8] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\rsaenh.dll[KERNEL32.dll!DeleteFileW] [7fee7fba5e4] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\rsaenh.dll[KERNEL32.dll!CreateFileW] [7fee7fba42c] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\rsaenh.dll[KERNEL32.dll!RegCreateKeyExA] [7fee7fbb3dc] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\rsaenh.dll[KERNEL32.dll!GetProcAddress] [7fefbd84230] C:\windows\system32\apphelp.dll IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\rsaenh.dll[KERNEL32.dll!MoveFileExW] [7fee7fba804] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\rsaenh.dll[KERNEL32.dll!RegSetValueExA] [7fee7fbba0c] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\srvcli.dll[KERNEL32.dll!GetProcAddress] [7fefbd84230] C:\windows\system32\apphelp.dll IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\wkscli.dll[KERNEL32.dll!GetProcAddress] [7fefbd84230] C:\windows\system32\apphelp.dll IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\VERSION.DLL[KERNEL32.dll!_lcreat] [7fee7fba9a0] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\VERSION.DLL[KERNEL32.dll!_lopen] [7fee7fba924] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\VERSION.DLL[KERNEL32.dll!_lwrite] [7fee7fbaa1c] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\VERSION.DLL[KERNEL32.dll!DeleteFileA] [7fee7fba580] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\VERSION.DLL[KERNEL32.dll!GetProcAddress] [7fefbd84230] C:\windows\system32\apphelp.dll IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\VERSION.DLL[KERNEL32.dll!CreateFileW] [7fee7fba42c] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\VERSION.DLL[KERNEL32.dll!DeleteFileW] [7fee7fba5e4] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\VERSION.DLL[KERNEL32.dll!MoveFileW] [7fee7fba6e0] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\SETUPAPI.dll[KERNEL32.dll!MoveFileExW] [7fee7fba804] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\SETUPAPI.dll[KERNEL32.dll!CopyFileW] [7fee7fba184] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\SETUPAPI.dll[KERNEL32.dll!CreateFileA] [7fee7fba2d8] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\SETUPAPI.dll[KERNEL32.dll!RegSetValueExW] [7fee7fbbaa8] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\SETUPAPI.dll[KERNEL32.dll!RegDeleteValueW] [7fee7fbbbc8] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\SETUPAPI.dll[KERNEL32.dll!RegCreateKeyExW] [7fee7fbb4f4] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\SETUPAPI.dll[KERNEL32.dll!RegOpenKeyExW] [7fee7fbb6d0] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\SETUPAPI.dll[KERNEL32.dll!GetProcAddress] [7fefbd84230] C:\windows\system32\apphelp.dll IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\SETUPAPI.dll[KERNEL32.dll!MoveFileW] [7fee7fba6e0] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\SETUPAPI.dll[KERNEL32.dll!DeleteFileW] [7fee7fba5e4] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\SETUPAPI.dll[KERNEL32.dll!SetFileAttributesW] [7fee7fbabe0] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\SETUPAPI.dll[KERNEL32.dll!CreateFileW] [7fee7fba42c] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\CFGMGR32.dll[ADVAPI32.dll!RegCreateKeyExW] [7fee7fbb4f4] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\CFGMGR32.dll[ADVAPI32.dll!RegOpenKeyExW] [7fee7fbb6d0] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\CFGMGR32.dll[ADVAPI32.dll!RegSetValueExW] [7fee7fbbaa8] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\CFGMGR32.dll[ADVAPI32.dll!RegDeleteValueW] [7fee7fbbbc8] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\CFGMGR32.dll[KERNEL32.dll!GetProcAddress] [7fefbd84230] C:\windows\system32\apphelp.dll IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\DEVRTL.dll[KERNEL32.dll!MoveFileW] [7fee7fba6e0] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\DEVRTL.dll[KERNEL32.dll!MoveFileExW] [7fee7fba804] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\ntmarta.dll[ADVAPI32.dll!RegSetValueExW] [7fee7fbbaa8] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\ntmarta.dll[ADVAPI32.dll!RegCreateKeyExW] [7fee7fbb4f4] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\ntmarta.dll[ADVAPI32.dll!RegOpenKeyExW] [7fee7fbb6d0] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\ntmarta.dll[KERNEL32.dll!CreateFileW] [7fee7fba42c] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\ntmarta.dll[KERNEL32.dll!GetProcAddress] [7fefbd84230] C:\windows\system32\apphelp.dll IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\WLDAP32.dll[KERNEL32.dll!GetProcAddress] [7fefbd84230] C:\windows\system32\apphelp.dll IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\WINTRUST.DLL[KERNEL32.dll!SetFileAttributesW] [7fee7fbabe0] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\WINTRUST.DLL[KERNEL32.dll!CreateFileW] [7fee7fba42c] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\WINTRUST.DLL[KERNEL32.dll!GetProcAddress] [7fefbd84230] C:\windows\system32\apphelp.dll IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\CRYPT32.dll[KERNEL32.dll!CreateFileA] [7fee7fba2d8] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\CRYPT32.dll[KERNEL32.dll!DeleteFileW] [7fee7fba5e4] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\CRYPT32.dll[KERNEL32.dll!SetFileAttributesW] [7fee7fbabe0] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\CRYPT32.dll[KERNEL32.dll!CreateFileW] [7fee7fba42c] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\CRYPT32.dll[KERNEL32.dll!GetProcAddress] [7fefbd84230] C:\windows\system32\apphelp.dll IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\ncrypt.dll[KERNEL32.dll!DeleteFileW] [7fee7fba5e4] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\ncrypt.dll[KERNEL32.dll!CreateFileW] [7fee7fba42c] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\ncrypt.dll[KERNEL32.dll!MoveFileExW] [7fee7fba804] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\bcrypt.dll[KERNEL32.dll!GetProcAddress] [7fefbd84230] C:\windows\system32\apphelp.dll IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\GPAPI.dll[KERNEL32.dll!MoveFileExW] [7fee7fba804] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\cryptnet.dll[KERNEL32.dll!SetFileAttributesW] [7fee7fbabe0] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\cryptnet.dll[KERNEL32.dll!DeleteFileW] [7fee7fba5e4] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\cryptnet.dll[KERNEL32.dll!CreateFileW] [7fee7fba42c] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\cryptnet.dll[KERNEL32.dll!GetProcAddress] [7fefbd84230] C:\windows\system32\apphelp.dll IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\WINHTTP.dll[KERNEL32.dll!CreateFileW] [7fee7fba42c] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\WINHTTP.dll[KERNEL32.dll!GetProcAddress] [7fefbd84230] C:\windows\system32\apphelp.dll IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\webio.dll[KERNEL32.dll!GetProcAddress] [7fefbd84230] C:\windows\system32\apphelp.dll IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\webio.dll[KERNEL32.dll!RegOpenKeyExW] [7fee7fbb6d0] C:\windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\windows\system32\msiexec.exe[4600] @ C:\windows\system32\credssp.dll[KERNEL32.dll!GetProcAddress] [7fefbd84230] C:\windows\system32\apphelp.dll ---- Threads - GMER 2.2 ---- Thread [4236:4588] 0000000077611697 Thread [4236:1984] 0000000077617ad8 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002454f1e1f6 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\90a4de6fc1a4 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\b482fee44c72 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\dca971072320 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002454f1e1f6 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\90a4de6fc1a4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\b482fee44c72 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\dca971072320 (not active ControlSet) ---- Disk sectors - GMER 2.2 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.2 ----