GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-07-24 17:10:09 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000067 ST500DM0 rev.KC45 465,76GB Running: gmer.exe; Driver: C:\Users\Norbix\AppData\Local\Temp\pxdiqpog.sys ---- Kernel code sections - GMER 2.2 ---- .text C:\Windows\System32\win32k.sys!W32pServiceTable fffff96000165a00 7 bytes [00, 54, F3, FF, C1, 5F, F0] .text C:\Windows\System32\win32k.sys!W32pServiceTable + 8 fffff96000165a08 3 bytes [C0, 06, 02] ---- User code sections - GMER 2.2 ---- .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007740fae8 5 bytes JMP 00000000749730e0 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007740fc60 5 bytes JMP 0000000074972360 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007740fe24 5 bytes JMP 00000000749721f0 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007740feb8 5 bytes JMP 00000000749727a0 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007740ff84 5 bytes JMP 0000000074972650 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077410078 5 bytes JMP 0000000074972520 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000774107ac 5 bytes JMP 00000000749728e0 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077410884 5 bytes JMP 0000000074972b70 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007741092c 5 bytes JMP 0000000074972e00 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077411088 5 bytes JMP 0000000074972a30 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077411100 5 bytes JMP 0000000074972cc0 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2592] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 000000007742911f 5 bytes JMP 0000000074972f80 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2592] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 00000000774aff31 5 bytes JMP 0000000074972e90 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2592] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17 0000000075801401 2 bytes JMP 74ecb263 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2592] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17 0000000075801419 2 bytes JMP 74ecb38e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2592] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17 0000000075801431 2 bytes JMP 74f490f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2592] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42 000000007580144a 2 bytes CALL 74ea48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2592] C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17 00000000758014dd 2 bytes JMP 74f489ea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2592] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17 00000000758014f5 2 bytes JMP 74f48bc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2592] C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17 000000007580150d 2 bytes JMP 74f488e0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2592] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17 0000000075801525 2 bytes JMP 74f48caa C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2592] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17 000000007580153d 2 bytes JMP 74ebfce8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2592] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17 0000000075801555 2 bytes JMP 74ec6937 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2592] C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17 000000007580156d 2 bytes JMP 74f491a9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2592] C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17 0000000075801585 2 bytes JMP 74f48d0a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2592] C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17 000000007580159d 2 bytes JMP 74f488a4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2592] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17 00000000758015b5 2 bytes JMP 74ebfd81 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2592] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17 00000000758015cd 2 bytes JMP 74ecb324 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2592] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20 00000000758016b2 2 bytes JMP 74f4906c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2592] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31 00000000758016bd 2 bytes JMP 74f48839 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[3184] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007740fae8 5 bytes JMP 00000000749730e0 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[3184] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007740fc60 5 bytes JMP 0000000074972360 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[3184] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007740fe24 5 bytes JMP 00000000749721f0 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[3184] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007740feb8 5 bytes JMP 00000000749727a0 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[3184] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007740ff84 5 bytes JMP 0000000074972650 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[3184] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077410078 5 bytes JMP 0000000074972520 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[3184] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000774107ac 5 bytes JMP 00000000749728e0 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[3184] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077410884 5 bytes JMP 0000000074972b70 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[3184] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007741092c 5 bytes JMP 0000000074972e00 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[3184] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077411088 5 bytes JMP 0000000074972a30 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[3184] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077411100 5 bytes JMP 0000000074972cc0 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[3184] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 000000007742911f 5 bytes JMP 0000000074972f80 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[3184] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 00000000774aff31 5 bytes JMP 0000000074972e90 .text C:\Windows\system32\svchost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000772340c0 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\svchost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007725bcc0 5 bytes JMP 0000000000020678 .text C:\Windows\system32\svchost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007725bdb0 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\svchost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007725bed0 5 bytes JMP 0000000000020018 .text C:\Windows\system32\svchost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007725bf30 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\svchost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007725bfb0 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\svchost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007725c050 5 bytes JMP 0000000000020128 .text C:\Windows\system32\svchost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007725c500 5 bytes JMP 0000000000020238 .text C:\Windows\system32\svchost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007725c590 5 bytes JMP 00000000000202c0 .text C:\Windows\system32\svchost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007725c600 5 bytes JMP 0000000000020348 .text C:\Windows\system32\svchost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007725cac0 5 bytes JMP 0000000000020458 .text C:\Windows\system32\svchost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007725cb10 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\svchost.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000772b2530 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007740fae8 5 bytes JMP 00000000749730e0 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007740fc60 5 bytes JMP 0000000074972360 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007740fe24 5 bytes JMP 00000000749721f0 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007740feb8 5 bytes JMP 00000000749727a0 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007740ff84 5 bytes JMP 0000000074972650 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077410078 5 bytes JMP 0000000074972520 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000774107ac 5 bytes JMP 00000000749728e0 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077410884 5 bytes JMP 0000000074972b70 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007741092c 5 bytes JMP 0000000074972e00 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077411088 5 bytes JMP 0000000074972a30 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077411100 5 bytes JMP 0000000074972cc0 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3304] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 000000007742911f 5 bytes JMP 0000000074972f80 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3304] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 00000000774aff31 5 bytes JMP 0000000074972e90 .text C:\Windows\system32\SearchIndexer.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000772340c0 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\SearchIndexer.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007725bcc0 5 bytes JMP 0000000000020678 .text C:\Windows\system32\SearchIndexer.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007725bdb0 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\SearchIndexer.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007725bed0 5 bytes JMP 0000000000020018 .text C:\Windows\system32\SearchIndexer.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007725bf30 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\SearchIndexer.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007725bfb0 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\SearchIndexer.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007725c050 5 bytes JMP 0000000000020128 .text C:\Windows\system32\SearchIndexer.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007725c500 5 bytes JMP 0000000000020238 .text C:\Windows\system32\SearchIndexer.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007725c590 5 bytes JMP 00000000000202c0 .text C:\Windows\system32\SearchIndexer.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007725c600 5 bytes JMP 0000000000020348 .text C:\Windows\system32\SearchIndexer.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007725cac0 5 bytes JMP 0000000000020458 .text C:\Windows\system32\SearchIndexer.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007725cb10 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\SearchIndexer.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000772b2530 5 bytes JMP 0000000000020568 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4076] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000772340c0 5 bytes JMP 00000000000205f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4076] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007725bcc0 5 bytes JMP 0000000000020678 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4076] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007725bdb0 5 bytes JMP 00000000000200a0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4076] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007725bed0 5 bytes JMP 0000000000020018 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007725bf30 5 bytes JMP 00000000000203d0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007725bfb0 5 bytes JMP 00000000000201b0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4076] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007725c050 5 bytes JMP 0000000000020128 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007725c500 5 bytes JMP 0000000000020238 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007725c590 5 bytes JMP 00000000000202c0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007725c600 5 bytes JMP 0000000000020348 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007725cac0 5 bytes JMP 0000000000020458 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007725cb10 5 bytes JMP 00000000000204e0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4076] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000772b2530 5 bytes JMP 0000000000020568 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[772] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000772340c0 5 bytes JMP 00000000000205f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007725bcc0 5 bytes JMP 0000000000020678 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007725bdb0 5 bytes JMP 00000000000200a0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007725bed0 5 bytes JMP 0000000000020018 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007725bf30 5 bytes JMP 00000000000203d0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007725bfb0 5 bytes JMP 00000000000201b0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007725c050 5 bytes JMP 0000000000020128 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007725c500 5 bytes JMP 0000000000020238 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007725c590 5 bytes JMP 00000000000202c0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007725c600 5 bytes JMP 0000000000020348 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007725cac0 5 bytes JMP 0000000000020458 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007725cb10 5 bytes JMP 00000000000204e0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[772] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000772b2530 5 bytes JMP 0000000000020568 .text C:\Windows\system32\conhost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000772340c0 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\conhost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007725bcc0 5 bytes JMP 0000000000020678 .text C:\Windows\system32\conhost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007725bdb0 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\conhost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007725bed0 5 bytes JMP 0000000000020018 .text C:\Windows\system32\conhost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007725bf30 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\conhost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007725bfb0 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\conhost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007725c050 5 bytes JMP 0000000000020128 .text C:\Windows\system32\conhost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007725c500 5 bytes JMP 0000000000020238 .text C:\Windows\system32\conhost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007725c590 5 bytes JMP 00000000000202c0 .text C:\Windows\system32\conhost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007725c600 5 bytes JMP 0000000000020348 .text C:\Windows\system32\conhost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007725cac0 5 bytes JMP 0000000000020458 .text C:\Windows\system32\conhost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007725cb10 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\conhost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000772b2530 5 bytes JMP 0000000000020568 .text C:\Windows\system32\svchost.exe[4288] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000772340c0 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\svchost.exe[4288] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007725bcc0 5 bytes JMP 0000000000020678 .text C:\Windows\system32\svchost.exe[4288] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007725bdb0 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\svchost.exe[4288] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007725bed0 5 bytes JMP 0000000000020018 .text C:\Windows\system32\svchost.exe[4288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007725bf30 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\svchost.exe[4288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007725bfb0 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\svchost.exe[4288] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007725c050 5 bytes JMP 0000000000020128 .text C:\Windows\system32\svchost.exe[4288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007725c500 5 bytes JMP 0000000000020238 .text C:\Windows\system32\svchost.exe[4288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007725c590 5 bytes JMP 00000000000202c0 .text C:\Windows\system32\svchost.exe[4288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007725c600 5 bytes JMP 0000000000020348 .text C:\Windows\system32\svchost.exe[4288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007725cac0 5 bytes JMP 0000000000020458 .text C:\Windows\system32\svchost.exe[4288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007725cb10 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\svchost.exe[4288] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000772b2530 5 bytes JMP 0000000000020568 .text C:\Windows\system32\wbem\wmiprvse.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000772340c0 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\wbem\wmiprvse.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007725bcc0 5 bytes JMP 0000000000020678 .text C:\Windows\system32\wbem\wmiprvse.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007725bdb0 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\wbem\wmiprvse.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007725bed0 5 bytes JMP 0000000000020018 .text C:\Windows\system32\wbem\wmiprvse.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007725bf30 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\wbem\wmiprvse.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007725bfb0 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\wbem\wmiprvse.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007725c050 5 bytes JMP 0000000000020128 .text C:\Windows\system32\wbem\wmiprvse.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007725c500 5 bytes JMP 0000000000020238 .text C:\Windows\system32\wbem\wmiprvse.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007725c590 5 bytes JMP 00000000000202c0 .text C:\Windows\system32\wbem\wmiprvse.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007725c600 5 bytes JMP 0000000000020348 .text C:\Windows\system32\wbem\wmiprvse.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007725cac0 5 bytes JMP 0000000000020458 .text C:\Windows\system32\wbem\wmiprvse.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007725cb10 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\wbem\wmiprvse.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000772b2530 5 bytes JMP 0000000000020568 .text C:\Windows\system32\svchost.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000772340c0 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\svchost.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007725bcc0 5 bytes JMP 0000000000020678 .text C:\Windows\system32\svchost.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007725bdb0 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\svchost.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007725bed0 5 bytes JMP 0000000000020018 .text C:\Windows\system32\svchost.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007725bf30 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\svchost.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007725bfb0 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\svchost.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007725c050 5 bytes JMP 0000000000020128 .text C:\Windows\system32\svchost.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007725c500 5 bytes JMP 0000000000020238 .text C:\Windows\system32\svchost.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007725c590 5 bytes JMP 00000000000202c0 .text C:\Windows\system32\svchost.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007725c600 5 bytes JMP 0000000000020348 .text C:\Windows\system32\svchost.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007725cac0 5 bytes JMP 0000000000020458 .text C:\Windows\system32\svchost.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007725cb10 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\svchost.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000772b2530 5 bytes JMP 0000000000020568 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[1952] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007740fae8 5 bytes JMP 00000000749730e0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[1952] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007740fc60 5 bytes JMP 0000000074972360 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[1952] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007740fe24 5 bytes JMP 00000000749721f0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[1952] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007740feb8 5 bytes JMP 00000000749727a0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[1952] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007740ff84 5 bytes JMP 0000000074972650 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[1952] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077410078 5 bytes JMP 0000000074972520 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[1952] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000774107ac 5 bytes JMP 00000000749728e0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[1952] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077410884 5 bytes JMP 0000000074972b70 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[1952] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007741092c 5 bytes JMP 0000000074972e00 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[1952] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077411088 5 bytes JMP 0000000074972a30 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[1952] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077411100 5 bytes JMP 0000000074972cc0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[1952] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 000000007742911f 5 bytes JMP 0000000074972f80 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[1952] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 00000000774aff31 5 bytes JMP 0000000074972e90 .text C:\Windows\system32\sppsvc.exe[924] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000772340c0 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\sppsvc.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007725bcc0 5 bytes JMP 0000000000020678 .text C:\Windows\system32\sppsvc.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007725bdb0 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\sppsvc.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007725bed0 5 bytes JMP 0000000000020018 .text C:\Windows\system32\sppsvc.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007725bf30 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\sppsvc.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007725bfb0 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\sppsvc.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007725c050 5 bytes JMP 0000000000020128 .text C:\Windows\system32\sppsvc.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007725c500 5 bytes JMP 0000000000020238 .text C:\Windows\system32\sppsvc.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007725c590 5 bytes JMP 00000000000202c0 .text C:\Windows\system32\sppsvc.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007725c600 5 bytes JMP 0000000000020348 .text C:\Windows\system32\sppsvc.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007725cac0 5 bytes JMP 0000000000020458 .text C:\Windows\system32\sppsvc.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007725cb10 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\sppsvc.exe[924] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000772b2530 5 bytes JMP 0000000000020568 .text C:\Windows\System32\svchost.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000772340c0 5 bytes JMP 00000000000205f0 .text C:\Windows\System32\svchost.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007725bcc0 5 bytes JMP 0000000000020678 .text C:\Windows\System32\svchost.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007725bdb0 5 bytes JMP 00000000000200a0 .text C:\Windows\System32\svchost.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007725bed0 5 bytes JMP 0000000000020018 .text C:\Windows\System32\svchost.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007725bf30 5 bytes JMP 00000000000203d0 .text C:\Windows\System32\svchost.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007725bfb0 5 bytes JMP 00000000000201b0 .text C:\Windows\System32\svchost.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007725c050 5 bytes JMP 0000000000020128 .text C:\Windows\System32\svchost.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007725c500 5 bytes JMP 0000000000020238 .text C:\Windows\System32\svchost.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007725c590 5 bytes JMP 00000000000202c0 .text C:\Windows\System32\svchost.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007725c600 5 bytes JMP 0000000000020348 .text C:\Windows\System32\svchost.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007725cac0 5 bytes JMP 0000000000020458 .text C:\Windows\System32\svchost.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007725cb10 5 bytes JMP 00000000000204e0 .text C:\Windows\System32\svchost.exe[4328] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000772b2530 5 bytes JMP 0000000000020568 .text C:\Windows\system32\taskeng.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000772340c0 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\taskeng.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007725bcc0 5 bytes JMP 0000000000020678 .text C:\Windows\system32\taskeng.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007725bdb0 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\taskeng.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007725bed0 5 bytes JMP 0000000000020018 .text C:\Windows\system32\taskeng.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007725bf30 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\taskeng.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007725bfb0 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\taskeng.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007725c050 5 bytes JMP 0000000000020128 .text C:\Windows\system32\taskeng.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007725c500 5 bytes JMP 0000000000020238 .text C:\Windows\system32\taskeng.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007725c590 5 bytes JMP 00000000000202c0 .text C:\Windows\system32\taskeng.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007725c600 5 bytes JMP 0000000000020348 .text C:\Windows\system32\taskeng.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007725cac0 5 bytes JMP 0000000000020458 .text C:\Windows\system32\taskeng.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007725cb10 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\taskeng.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000772b2530 5 bytes JMP 0000000000020568 .text C:\Windows\servicing\TrustedInstaller.exe[4228] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000772340c0 5 bytes JMP 00000000000205f0 .text C:\Windows\servicing\TrustedInstaller.exe[4228] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007725bcc0 5 bytes JMP 0000000000020678 .text C:\Windows\servicing\TrustedInstaller.exe[4228] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007725bdb0 5 bytes JMP 00000000000200a0 .text C:\Windows\servicing\TrustedInstaller.exe[4228] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007725bed0 5 bytes JMP 0000000000020018 .text C:\Windows\servicing\TrustedInstaller.exe[4228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007725bf30 5 bytes JMP 00000000000203d0 .text C:\Windows\servicing\TrustedInstaller.exe[4228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007725bfb0 5 bytes JMP 00000000000201b0 .text C:\Windows\servicing\TrustedInstaller.exe[4228] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007725c050 5 bytes JMP 0000000000020128 .text C:\Windows\servicing\TrustedInstaller.exe[4228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007725c500 5 bytes JMP 0000000000020238 .text C:\Windows\servicing\TrustedInstaller.exe[4228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007725c590 5 bytes JMP 00000000000202c0 .text C:\Windows\servicing\TrustedInstaller.exe[4228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007725c600 5 bytes JMP 0000000000020348 .text C:\Windows\servicing\TrustedInstaller.exe[4228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007725cac0 5 bytes JMP 0000000000020458 .text C:\Windows\servicing\TrustedInstaller.exe[4228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007725cb10 5 bytes JMP 00000000000204e0 .text C:\Windows\servicing\TrustedInstaller.exe[4228] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000772b2530 5 bytes JMP 0000000000020568 .text C:\Windows\System32\svchost.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000772340c0 5 bytes JMP 00000000000205f0 .text C:\Windows\System32\svchost.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007725bcc0 5 bytes JMP 0000000000020678 .text C:\Windows\System32\svchost.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007725bdb0 5 bytes JMP 00000000000200a0 .text C:\Windows\System32\svchost.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007725bed0 5 bytes JMP 0000000000020018 .text C:\Windows\System32\svchost.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007725bf30 5 bytes JMP 00000000000203d0 .text C:\Windows\System32\svchost.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007725bfb0 5 bytes JMP 00000000000201b0 .text C:\Windows\System32\svchost.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007725c050 5 bytes JMP 0000000000020128 .text C:\Windows\System32\svchost.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007725c500 5 bytes JMP 0000000000020238 .text C:\Windows\System32\svchost.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007725c590 5 bytes JMP 00000000000202c0 .text C:\Windows\System32\svchost.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007725c600 5 bytes JMP 0000000000020348 .text C:\Windows\System32\svchost.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007725cac0 5 bytes JMP 0000000000020458 .text C:\Windows\System32\svchost.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007725cb10 5 bytes JMP 00000000000204e0 .text C:\Windows\System32\svchost.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000772b2530 5 bytes JMP 0000000000020568 .text C:\Users\Norbix\Downloads\gmer.exe[4192] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007740fae8 5 bytes JMP 00000000749730e0 .text C:\Users\Norbix\Downloads\gmer.exe[4192] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007740fc60 5 bytes JMP 0000000074972360 .text C:\Users\Norbix\Downloads\gmer.exe[4192] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007740fe24 5 bytes JMP 00000000749721f0 .text C:\Users\Norbix\Downloads\gmer.exe[4192] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007740feb8 5 bytes JMP 00000000749727a0 .text C:\Users\Norbix\Downloads\gmer.exe[4192] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007740ff84 5 bytes JMP 0000000074972650 .text C:\Users\Norbix\Downloads\gmer.exe[4192] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077410078 5 bytes JMP 0000000074972520 .text C:\Users\Norbix\Downloads\gmer.exe[4192] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000774107ac 5 bytes JMP 00000000749728e0 .text C:\Users\Norbix\Downloads\gmer.exe[4192] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077410884 5 bytes JMP 0000000074972b70 .text C:\Users\Norbix\Downloads\gmer.exe[4192] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007741092c 5 bytes JMP 0000000074972e00 .text C:\Users\Norbix\Downloads\gmer.exe[4192] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077411088 5 bytes JMP 0000000074972a30 .text C:\Users\Norbix\Downloads\gmer.exe[4192] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077411100 5 bytes JMP 0000000074972cc0 .text C:\Users\Norbix\Downloads\gmer.exe[4192] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 000000007742911f 5 bytes JMP 0000000074972f80 .text C:\Users\Norbix\Downloads\gmer.exe[4192] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 00000000774aff31 5 bytes JMP 0000000074972e90 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xA8 0x9F 0xE6 0x23 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xA8 0x9F 0xE6 0x23 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\ ---- Files - GMER 2.2 ---- File C:\Windows\System32\config\systemprofile\AppData\Local\Avg\av16\temp\avg-920aba27-6bfb-4778-97fe-4205cfd4d25a.tmp 0 bytes ---- EOF - GMER 2.2 ----