GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-07-25 21:02:20 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000070 ADATA___ rev.5.8. 238,47GB Running: 6h7n915l.exe; Driver: C:\Users\Pawel\AppData\Local\Temp\awddrkog.sys ---- User code sections - GMER 2.2 ---- .text C:\Windows\system32\svchost.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000776c5b30 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\svchost.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00000000776f14a0 5 bytes JMP 0000000000020678 .text C:\Windows\system32\svchost.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000776f1590 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\svchost.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776f16b0 5 bytes JMP 0000000000020018 .text C:\Windows\system32\svchost.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776f1710 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\svchost.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000776f1790 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\svchost.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000776f1830 5 bytes JMP 0000000000020128 .text C:\Windows\system32\svchost.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776f1ce0 5 bytes JMP 0000000000020238 .text C:\Windows\system32\svchost.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000776f1d70 5 bytes JMP 00000000000202c0 .text C:\Windows\system32\svchost.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000776f1de0 5 bytes JMP 0000000000020348 .text C:\Windows\system32\svchost.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776f22a0 5 bytes JMP 0000000000020458 .text C:\Windows\system32\svchost.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776f22f0 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\svchost.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000777475b0 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3556] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007789fac8 5 bytes JMP 000000006e4e30e0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3556] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007789fc40 5 bytes JMP 000000006e4e2360 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3556] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007789fe04 5 bytes JMP 000000006e4e21f0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3556] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007789fe98 5 bytes JMP 000000006e4e27a0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3556] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007789ff64 5 bytes JMP 000000006e4e2650 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3556] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000778a0058 5 bytes JMP 000000006e4e2520 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3556] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000778a078c 5 bytes JMP 000000006e4e28e0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3556] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000778a0864 5 bytes JMP 000000006e4e2b70 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3556] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000778a090c 5 bytes JMP 000000006e4e2e00 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3556] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000778a1068 5 bytes JMP 000000006e4e2a30 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3556] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000778a10e0 5 bytes JMP 000000006e4e2cc0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3556] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 00000000778b96ef 5 bytes JMP 000000006e4e2f80 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3556] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007793fded 5 bytes JMP 000000006e4e2e90 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3556] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000764a1bb2 5 bytes JMP 00000000011efa56 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000776c5b30 5 bytes JMP 00000000000205f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00000000776f14a0 5 bytes JMP 0000000000020678 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000776f1590 5 bytes JMP 00000000000200a0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776f16b0 5 bytes JMP 0000000000020018 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776f1710 5 bytes JMP 00000000000203d0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000776f1790 5 bytes JMP 00000000000201b0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000776f1830 5 bytes JMP 0000000000020128 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776f1ce0 5 bytes JMP 0000000000020238 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000776f1d70 5 bytes JMP 00000000000202c0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000776f1de0 5 bytes JMP 0000000000020348 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776f22a0 5 bytes JMP 0000000000020458 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776f22f0 5 bytes JMP 00000000000204e0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000777475b0 5 bytes JMP 0000000000020568 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000776c5b30 5 bytes JMP 00000000000205f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00000000776f14a0 5 bytes JMP 0000000000020678 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000776f1590 5 bytes JMP 00000000000200a0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776f16b0 5 bytes JMP 0000000000020018 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776f1710 5 bytes JMP 00000000000203d0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000776f1790 5 bytes JMP 00000000000201b0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000776f1830 5 bytes JMP 0000000000020128 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776f1ce0 5 bytes JMP 0000000000020238 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000776f1d70 5 bytes JMP 00000000000202c0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000776f1de0 5 bytes JMP 0000000000020348 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776f22a0 5 bytes JMP 0000000000020458 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776f22f0 5 bytes JMP 00000000000204e0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000777475b0 5 bytes JMP 0000000000020568 .text C:\Windows\system32\conhost.exe[4036] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000776c5b30 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\conhost.exe[4036] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00000000776f14a0 5 bytes JMP 0000000000020678 .text C:\Windows\system32\conhost.exe[4036] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000776f1590 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\conhost.exe[4036] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776f16b0 5 bytes JMP 0000000000020018 .text C:\Windows\system32\conhost.exe[4036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776f1710 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\conhost.exe[4036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000776f1790 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\conhost.exe[4036] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000776f1830 5 bytes JMP 0000000000020128 .text C:\Windows\system32\conhost.exe[4036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776f1ce0 5 bytes JMP 0000000000020238 .text C:\Windows\system32\conhost.exe[4036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000776f1d70 5 bytes JMP 00000000000202c0 .text C:\Windows\system32\conhost.exe[4036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000776f1de0 5 bytes JMP 0000000000020348 .text C:\Windows\system32\conhost.exe[4036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776f22a0 5 bytes JMP 0000000000020458 .text C:\Windows\system32\conhost.exe[4036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776f22f0 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\conhost.exe[4036] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000777475b0 5 bytes JMP 0000000000020568 .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000776c5b30 5 bytes JMP 00000000000205f0 .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00000000776f14a0 5 bytes JMP 0000000000020678 .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000776f1590 5 bytes JMP 00000000000200a0 .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776f16b0 5 bytes JMP 0000000000020018 .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776f1710 5 bytes JMP 00000000000203d0 .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000776f1790 5 bytes JMP 00000000000201b0 .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000776f1830 5 bytes JMP 0000000000020128 .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776f1ce0 5 bytes JMP 0000000000020238 .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000776f1d70 5 bytes JMP 00000000000202c0 .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000776f1de0 5 bytes JMP 0000000000020348 .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776f22a0 5 bytes JMP 0000000000020458 .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776f22f0 5 bytes JMP 00000000000204e0 .text C:\Program Files\HP\HP Deskjet 3540 series\Bin\ScanToPCActivationApp.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000777475b0 5 bytes JMP 0000000000020568 .text C:\Program Files\Windows Sidebar\sidebar.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000776c5b30 5 bytes JMP 00000000000205f0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00000000776f14a0 5 bytes JMP 0000000000020678 .text C:\Program Files\Windows Sidebar\sidebar.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000776f1590 5 bytes JMP 00000000000200a0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776f16b0 5 bytes JMP 0000000000020018 .text C:\Program Files\Windows Sidebar\sidebar.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776f1710 5 bytes JMP 00000000000203d0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000776f1790 5 bytes JMP 00000000000201b0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000776f1830 5 bytes JMP 0000000000020128 .text C:\Program Files\Windows Sidebar\sidebar.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776f1ce0 5 bytes JMP 0000000000020238 .text C:\Program Files\Windows Sidebar\sidebar.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000776f1d70 5 bytes JMP 00000000000202c0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000776f1de0 5 bytes JMP 0000000000020348 .text C:\Program Files\Windows Sidebar\sidebar.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776f22a0 5 bytes JMP 0000000000020458 .text C:\Program Files\Windows Sidebar\sidebar.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776f22f0 5 bytes JMP 00000000000204e0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000777475b0 5 bytes JMP 0000000000020568 .text C:\Program Files\Qualcomm Atheros\Network Manager\NetworkManager.exe[1820] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007789fac8 5 bytes JMP 000000006e4e30e0 .text C:\Program Files\Qualcomm Atheros\Network Manager\NetworkManager.exe[1820] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007789fc40 5 bytes JMP 000000006e4e2360 .text C:\Program Files\Qualcomm Atheros\Network Manager\NetworkManager.exe[1820] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007789fe04 5 bytes JMP 000000006e4e21f0 .text C:\Program Files\Qualcomm Atheros\Network Manager\NetworkManager.exe[1820] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007789fe98 5 bytes JMP 000000006e4e27a0 .text C:\Program Files\Qualcomm Atheros\Network Manager\NetworkManager.exe[1820] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007789ff64 5 bytes JMP 000000006e4e2650 .text C:\Program Files\Qualcomm Atheros\Network Manager\NetworkManager.exe[1820] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000778a0058 5 bytes JMP 000000006e4e2520 .text C:\Program Files\Qualcomm Atheros\Network Manager\NetworkManager.exe[1820] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000778a078c 5 bytes JMP 000000006e4e28e0 .text C:\Program Files\Qualcomm Atheros\Network Manager\NetworkManager.exe[1820] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000778a0864 5 bytes JMP 000000006e4e2b70 .text C:\Program Files\Qualcomm Atheros\Network Manager\NetworkManager.exe[1820] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000778a090c 5 bytes JMP 000000006e4e2e00 .text C:\Program Files\Qualcomm Atheros\Network Manager\NetworkManager.exe[1820] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000778a1068 5 bytes JMP 000000006e4e2a30 .text C:\Program Files\Qualcomm Atheros\Network Manager\NetworkManager.exe[1820] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000778a10e0 5 bytes JMP 000000006e4e2cc0 .text C:\Program Files\Qualcomm Atheros\Network Manager\NetworkManager.exe[1820] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 00000000778b96ef 5 bytes JMP 000000006e4e2f80 .text C:\Program Files\Qualcomm Atheros\Network Manager\NetworkManager.exe[1820] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007793fded 5 bytes JMP 000000006e4e2e90 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007789fac8 5 bytes JMP 000000006e4e30e0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007789fc40 5 bytes JMP 000000006e4e2360 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007789fe04 5 bytes JMP 000000006e4e21f0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007789fe98 5 bytes JMP 000000006e4e27a0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007789ff64 5 bytes JMP 000000006e4e2650 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000778a0058 5 bytes JMP 000000006e4e2520 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000778a078c 5 bytes JMP 000000006e4e28e0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000778a0864 5 bytes JMP 000000006e4e2b70 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000778a090c 5 bytes JMP 000000006e4e2e00 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000778a1068 5 bytes JMP 000000006e4e2a30 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000778a10e0 5 bytes JMP 000000006e4e2cc0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4176] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 00000000778b96ef 5 bytes JMP 000000006e4e2f80 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4176] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007793fded 5 bytes JMP 000000006e4e2e90 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000776c5b30 5 bytes JMP 00000000000205f0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00000000776f14a0 5 bytes JMP 0000000000020678 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000776f1590 5 bytes JMP 00000000000200a0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776f16b0 5 bytes JMP 0000000000020018 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776f1710 5 bytes JMP 00000000000203d0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000776f1790 5 bytes JMP 00000000000201b0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000776f1830 5 bytes JMP 0000000000020128 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776f1ce0 5 bytes JMP 0000000000020238 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000776f1d70 5 bytes JMP 00000000000202c0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000776f1de0 5 bytes JMP 0000000000020348 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776f22a0 5 bytes JMP 0000000000020458 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776f22f0 5 bytes JMP 00000000000204e0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000777475b0 5 bytes JMP 0000000000020568 .text D:\Programy\Gaming Keyboard\Monitor.EXE[4400] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007789fac8 5 bytes JMP 000000006e4e30e0 .text D:\Programy\Gaming Keyboard\Monitor.EXE[4400] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007789fc40 5 bytes JMP 000000006e4e2360 .text D:\Programy\Gaming Keyboard\Monitor.EXE[4400] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007789fe04 5 bytes JMP 000000006e4e21f0 .text D:\Programy\Gaming Keyboard\Monitor.EXE[4400] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007789fe98 5 bytes JMP 000000006e4e27a0 .text D:\Programy\Gaming Keyboard\Monitor.EXE[4400] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007789ff64 5 bytes JMP 000000006e4e2650 .text D:\Programy\Gaming Keyboard\Monitor.EXE[4400] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000778a0058 5 bytes JMP 000000006e4e2520 .text D:\Programy\Gaming Keyboard\Monitor.EXE[4400] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000778a078c 5 bytes JMP 000000006e4e28e0 .text D:\Programy\Gaming Keyboard\Monitor.EXE[4400] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000778a0864 5 bytes JMP 000000006e4e2b70 .text D:\Programy\Gaming Keyboard\Monitor.EXE[4400] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000778a090c 5 bytes JMP 000000006e4e2e00 .text D:\Programy\Gaming Keyboard\Monitor.EXE[4400] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000778a1068 5 bytes JMP 000000006e4e2a30 .text D:\Programy\Gaming Keyboard\Monitor.EXE[4400] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000778a10e0 5 bytes JMP 000000006e4e2cc0 .text D:\Programy\Gaming Keyboard\Monitor.EXE[4400] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 00000000778b96ef 5 bytes JMP 000000006e4e2f80 .text D:\Programy\Gaming Keyboard\Monitor.EXE[4400] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007793fded 5 bytes JMP 000000006e4e2e90 .text D:\Programy\Gaming Keyboard\Monitor.EXE[4400] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075661465 2 bytes [66, 75] .text D:\Programy\Gaming Keyboard\Monitor.EXE[4400] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000756614bb 2 bytes [66, 75] .text ... * 2 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4460] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007789fac8 5 bytes JMP 000000006e4e30e0 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4460] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007789fc40 5 bytes JMP 000000006e4e2360 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4460] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007789fe04 5 bytes JMP 000000006e4e21f0 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4460] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007789fe98 5 bytes JMP 000000006e4e27a0 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4460] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007789ff64 5 bytes JMP 000000006e4e2650 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4460] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000778a0058 5 bytes JMP 000000006e4e2520 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4460] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000778a078c 5 bytes JMP 000000006e4e28e0 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4460] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000778a0864 5 bytes JMP 000000006e4e2b70 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4460] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000778a090c 5 bytes JMP 000000006e4e2e00 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4460] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000778a1068 5 bytes JMP 000000006e4e2a30 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4460] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000778a10e0 5 bytes JMP 000000006e4e2cc0 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4460] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 00000000778b96ef 5 bytes JMP 000000006e4e2f80 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4460] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007793fded 5 bytes JMP 000000006e4e2e90 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4488] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007789fac8 5 bytes JMP 000000006e4e30e0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4488] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007789fc40 5 bytes JMP 000000006e4e2360 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4488] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007789fe04 5 bytes JMP 000000006e4e21f0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4488] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007789fe98 5 bytes JMP 000000006e4e27a0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4488] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007789ff64 5 bytes JMP 000000006e4e2650 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4488] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000778a0058 5 bytes JMP 000000006e4e2520 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4488] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000778a078c 5 bytes JMP 000000006e4e28e0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4488] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000778a0864 5 bytes JMP 000000006e4e2b70 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4488] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000778a090c 5 bytes JMP 000000006e4e2e00 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4488] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000778a1068 5 bytes JMP 000000006e4e2a30 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4488] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000778a10e0 5 bytes JMP 000000006e4e2cc0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4488] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 00000000778b96ef 5 bytes JMP 000000006e4e2f80 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4488] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007793fded 5 bytes JMP 000000006e4e2e90 .text C:\Program Files (x86)\AVG\Av\avgui.exe[4496] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000776c5b30 5 bytes JMP 00000000000205f0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[4496] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00000000776f14a0 5 bytes JMP 0000000000020678 .text C:\Program Files (x86)\AVG\Av\avgui.exe[4496] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000776f1590 5 bytes JMP 00000000000200a0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[4496] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776f16b0 5 bytes JMP 0000000000020018 .text C:\Program Files (x86)\AVG\Av\avgui.exe[4496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776f1710 5 bytes JMP 00000000000203d0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[4496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000776f1790 5 bytes JMP 00000000000201b0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[4496] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000776f1830 5 bytes JMP 0000000000020128 .text C:\Program Files (x86)\AVG\Av\avgui.exe[4496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776f1ce0 5 bytes JMP 0000000000020238 .text C:\Program Files (x86)\AVG\Av\avgui.exe[4496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000776f1d70 5 bytes JMP 00000000000202c0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[4496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000776f1de0 5 bytes JMP 0000000000020348 .text C:\Program Files (x86)\AVG\Av\avgui.exe[4496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776f22a0 5 bytes JMP 0000000000020458 .text C:\Program Files (x86)\AVG\Av\avgui.exe[4496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776f22f0 5 bytes JMP 00000000000204e0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[4496] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000777475b0 5 bytes JMP 0000000000020568 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4556] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000776c5b30 5 bytes JMP 00000000000205f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4556] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00000000776f14a0 5 bytes JMP 0000000000020678 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4556] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000776f1590 5 bytes JMP 00000000000200a0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4556] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776f16b0 5 bytes JMP 0000000000020018 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776f1710 5 bytes JMP 00000000000203d0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000776f1790 5 bytes JMP 00000000000201b0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4556] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000776f1830 5 bytes JMP 0000000000020128 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776f1ce0 5 bytes JMP 0000000000020238 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000776f1d70 5 bytes JMP 00000000000202c0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000776f1de0 5 bytes JMP 0000000000020348 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776f22a0 5 bytes JMP 0000000000020458 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776f22f0 5 bytes JMP 00000000000204e0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4556] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000777475b0 5 bytes JMP 0000000000020568 .text C:\Windows\system32\igfxEM.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000776c5b30 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\igfxEM.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00000000776f14a0 5 bytes JMP 0000000000020678 .text C:\Windows\system32\igfxEM.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000776f1590 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\igfxEM.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776f16b0 5 bytes JMP 0000000000020018 .text C:\Windows\system32\igfxEM.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776f1710 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\igfxEM.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000776f1790 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\igfxEM.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000776f1830 5 bytes JMP 0000000000020128 .text C:\Windows\system32\igfxEM.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776f1ce0 5 bytes JMP 0000000000020238 .text C:\Windows\system32\igfxEM.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000776f1d70 5 bytes JMP 00000000000202c0 .text C:\Windows\system32\igfxEM.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000776f1de0 5 bytes JMP 0000000000020348 .text C:\Windows\system32\igfxEM.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776f22a0 5 bytes JMP 0000000000020458 .text C:\Windows\system32\igfxEM.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776f22f0 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\igfxEM.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000777475b0 5 bytes JMP 0000000000020568 .text C:\Windows\system32\SearchIndexer.exe[5784] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000776c5b30 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\SearchIndexer.exe[5784] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00000000776f14a0 5 bytes JMP 0000000000020678 .text C:\Windows\system32\SearchIndexer.exe[5784] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000776f1590 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\SearchIndexer.exe[5784] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776f16b0 5 bytes JMP 0000000000020018 .text C:\Windows\system32\SearchIndexer.exe[5784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776f1710 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\SearchIndexer.exe[5784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000776f1790 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\SearchIndexer.exe[5784] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000776f1830 5 bytes JMP 0000000000020128 .text C:\Windows\system32\SearchIndexer.exe[5784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776f1ce0 5 bytes JMP 0000000000020238 .text C:\Windows\system32\SearchIndexer.exe[5784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000776f1d70 5 bytes JMP 00000000000202c0 .text C:\Windows\system32\SearchIndexer.exe[5784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000776f1de0 5 bytes JMP 0000000000020348 .text C:\Windows\system32\SearchIndexer.exe[5784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776f22a0 5 bytes JMP 0000000000020458 .text C:\Windows\system32\SearchIndexer.exe[5784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776f22f0 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\SearchIndexer.exe[5784] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000777475b0 5 bytes JMP 0000000000020568 .text C:\Windows\System32\svchost.exe[5376] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000776c5b30 5 bytes JMP 00000000000205f0 .text C:\Windows\System32\svchost.exe[5376] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00000000776f14a0 5 bytes JMP 0000000000020678 .text C:\Windows\System32\svchost.exe[5376] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000776f1590 5 bytes JMP 00000000000200a0 .text C:\Windows\System32\svchost.exe[5376] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776f16b0 5 bytes JMP 0000000000020018 .text C:\Windows\System32\svchost.exe[5376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776f1710 5 bytes JMP 00000000000203d0 .text C:\Windows\System32\svchost.exe[5376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000776f1790 5 bytes JMP 00000000000201b0 .text C:\Windows\System32\svchost.exe[5376] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000776f1830 5 bytes JMP 0000000000020128 .text C:\Windows\System32\svchost.exe[5376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776f1ce0 5 bytes JMP 0000000000020238 .text C:\Windows\System32\svchost.exe[5376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000776f1d70 5 bytes JMP 00000000000202c0 .text C:\Windows\System32\svchost.exe[5376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000776f1de0 5 bytes JMP 0000000000020348 .text C:\Windows\System32\svchost.exe[5376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776f22a0 5 bytes JMP 0000000000020458 .text C:\Windows\System32\svchost.exe[5376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776f22f0 5 bytes JMP 00000000000204e0 .text C:\Windows\System32\svchost.exe[5376] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000777475b0 5 bytes JMP 0000000000020568 .text C:\Windows\system32\ctfmon.exe[5872] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000776c5b30 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\ctfmon.exe[5872] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00000000776f14a0 5 bytes JMP 0000000000020678 .text C:\Windows\system32\ctfmon.exe[5872] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000776f1590 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\ctfmon.exe[5872] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776f16b0 5 bytes JMP 0000000000020018 .text C:\Windows\system32\ctfmon.exe[5872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776f1710 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\ctfmon.exe[5872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000776f1790 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\ctfmon.exe[5872] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000776f1830 5 bytes JMP 0000000000020128 .text C:\Windows\system32\ctfmon.exe[5872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776f1ce0 5 bytes JMP 0000000000020238 .text C:\Windows\system32\ctfmon.exe[5872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000776f1d70 5 bytes JMP 00000000000202c0 .text C:\Windows\system32\ctfmon.exe[5872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000776f1de0 5 bytes JMP 0000000000020348 .text C:\Windows\system32\ctfmon.exe[5872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776f22a0 5 bytes JMP 0000000000020458 .text C:\Windows\system32\ctfmon.exe[5872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776f22f0 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\ctfmon.exe[5872] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000777475b0 5 bytes JMP 0000000000020568 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[6372] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007789fac8 5 bytes JMP 000000006e4e30e0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[6372] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007789fc40 5 bytes JMP 000000006e4e2360 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[6372] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007789fe04 5 bytes JMP 000000006e4e21f0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[6372] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007789fe98 5 bytes JMP 000000006e4e27a0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[6372] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007789ff64 5 bytes JMP 000000006e4e2650 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[6372] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000778a0058 5 bytes JMP 000000006e4e2520 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[6372] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000778a078c 5 bytes JMP 000000006e4e28e0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[6372] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000778a0864 5 bytes JMP 000000006e4e2b70 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[6372] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000778a090c 5 bytes JMP 000000006e4e2e00 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[6372] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000778a1068 5 bytes JMP 000000006e4e2a30 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[6372] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000778a10e0 5 bytes JMP 000000006e4e2cc0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[6372] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 00000000778b96ef 5 bytes JMP 000000006e4e2f80 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[6372] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007793fded 5 bytes JMP 000000006e4e2e90 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[6328] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007789fac8 5 bytes JMP 000000006e4e30e0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[6328] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007789fc40 5 bytes JMP 000000006e4e2360 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[6328] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007789fe04 5 bytes JMP 000000006e4e21f0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[6328] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007789fe98 5 bytes JMP 000000006e4e27a0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[6328] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007789ff64 5 bytes JMP 000000006e4e2650 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[6328] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000778a0058 5 bytes JMP 000000006e4e2520 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[6328] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000778a078c 5 bytes JMP 000000006e4e28e0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[6328] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000778a0864 5 bytes JMP 000000006e4e2b70 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[6328] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000778a090c 5 bytes JMP 000000006e4e2e00 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[6328] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000778a1068 5 bytes JMP 000000006e4e2a30 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[6328] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000778a10e0 5 bytes JMP 000000006e4e2cc0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[6328] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 00000000778b96ef 5 bytes JMP 000000006e4e2f80 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[6328] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007793fded 5 bytes JMP 000000006e4e2e90 .text D:\Programy\TeamSpeak 3 Client\ts3client_win64.exe[2396] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000776c5b30 5 bytes JMP 00000000000205f0 .text D:\Programy\TeamSpeak 3 Client\ts3client_win64.exe[2396] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00000000776f14a0 5 bytes JMP 0000000000020678 .text D:\Programy\TeamSpeak 3 Client\ts3client_win64.exe[2396] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000776f1590 5 bytes JMP 00000000000200a0 .text D:\Programy\TeamSpeak 3 Client\ts3client_win64.exe[2396] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776f16b0 5 bytes JMP 0000000000020018 .text D:\Programy\TeamSpeak 3 Client\ts3client_win64.exe[2396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776f1710 5 bytes JMP 00000000000203d0 .text D:\Programy\TeamSpeak 3 Client\ts3client_win64.exe[2396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000776f1790 5 bytes JMP 00000000000201b0 .text D:\Programy\TeamSpeak 3 Client\ts3client_win64.exe[2396] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000776f1830 5 bytes JMP 0000000000020128 .text D:\Programy\TeamSpeak 3 Client\ts3client_win64.exe[2396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776f1ce0 5 bytes JMP 0000000000020238 .text D:\Programy\TeamSpeak 3 Client\ts3client_win64.exe[2396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000776f1d70 5 bytes JMP 00000000000202c0 .text D:\Programy\TeamSpeak 3 Client\ts3client_win64.exe[2396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000776f1de0 5 bytes JMP 0000000000020348 .text D:\Programy\TeamSpeak 3 Client\ts3client_win64.exe[2396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776f22a0 5 bytes JMP 0000000000020458 .text D:\Programy\TeamSpeak 3 Client\ts3client_win64.exe[2396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776f22f0 5 bytes JMP 00000000000204e0 .text D:\Programy\TeamSpeak 3 Client\ts3client_win64.exe[2396] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000777475b0 5 bytes JMP 0000000000020568 .text C:\Users\Pawel\Downloads\6h7n915l.exe[1348] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007789fac8 5 bytes JMP 000000006e4e30e0 .text C:\Users\Pawel\Downloads\6h7n915l.exe[1348] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007789fc40 5 bytes JMP 000000006e4e2360 .text C:\Users\Pawel\Downloads\6h7n915l.exe[1348] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007789fe04 5 bytes JMP 000000006e4e21f0 .text C:\Users\Pawel\Downloads\6h7n915l.exe[1348] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007789fe98 5 bytes JMP 000000006e4e27a0 .text C:\Users\Pawel\Downloads\6h7n915l.exe[1348] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007789ff64 5 bytes JMP 000000006e4e2650 .text C:\Users\Pawel\Downloads\6h7n915l.exe[1348] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000778a0058 5 bytes JMP 000000006e4e2520 .text C:\Users\Pawel\Downloads\6h7n915l.exe[1348] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000778a078c 5 bytes JMP 000000006e4e28e0 .text C:\Users\Pawel\Downloads\6h7n915l.exe[1348] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000778a0864 5 bytes JMP 000000006e4e2b70 .text C:\Users\Pawel\Downloads\6h7n915l.exe[1348] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000778a090c 5 bytes JMP 000000006e4e2e00 .text C:\Users\Pawel\Downloads\6h7n915l.exe[1348] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000778a1068 5 bytes JMP 000000006e4e2a30 .text C:\Users\Pawel\Downloads\6h7n915l.exe[1348] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000778a10e0 5 bytes JMP 000000006e4e2cc0 .text C:\Users\Pawel\Downloads\6h7n915l.exe[1348] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 00000000778b96ef 5 bytes JMP 000000006e4e2f80 .text C:\Users\Pawel\Downloads\6h7n915l.exe[1348] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007793fded 5 bytes JMP 000000006e4e2e90 ---- EOF - GMER 2.2 ----