GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-08-25 17:43:08
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\0000005f ST950032 rev.0011 465,76GB
Running: zqx1n4s8.exe; Driver: C:\Users\Marcin\AppData\Local\Temp\uwddikod.sys

---- User code sections - GMER 2.2 ----

.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[3004] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076161401 2 bytes JMP 74ddb263 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[3004] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076161419 2 bytes JMP 74ddb38e C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[3004] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076161431 2 bytes JMP 74e590f1 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[3004] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007616144a 2 bytes CALL 74db48ad C:\windows\syswow64\kernel32.dll
.text ...
* 9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[3004] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000761614dd 2 bytes JMP 74e589ea C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[3004] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000761614f5 2 bytes JMP 74e58bc0 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[3004] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007616150d 2 bytes JMP 74e588e0 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[3004] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076161525 2 bytes JMP 74e58caa C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[3004] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007616153d 2 bytes JMP 74dcfce8 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[3004] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076161555 2 bytes JMP 74dd6937 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[3004] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007616156d 2 bytes JMP 74e591a9 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[3004] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076161585 2 bytes JMP 74e58d0a C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[3004] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007616159d 2 bytes JMP 74e588a4 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[3004] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000761615b5 2 bytes JMP 74dcfd81 
C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[3004] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000761615cd 2 bytes JMP 74ddb324 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[3004] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000761616b2 2 bytes JMP 74e5906c C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[3004] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000761616bd 2 bytes JMP 74e58839 C:\windows\syswow64\kernel32.dll .text C:\Program Files\Nitro\Pro 10\NitroPDFDriverService10x64.exe[3340] C:\windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000770940c0 5 bytes JMP 00000000000205f0 .text C:\Program Files\Nitro\Pro 10\NitroPDFDriverService10x64.exe[3340] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00000000770bbcc0 5 bytes JMP 0000000000020678 .text C:\Program Files\Nitro\Pro 10\NitroPDFDriverService10x64.exe[3340] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770bbdb0 5 bytes JMP 00000000000200a0 .text C:\Program Files\Nitro\Pro 10\NitroPDFDriverService10x64.exe[3340] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770bbed0 5 bytes JMP 0000000000020018 .text C:\Program Files\Nitro\Pro 10\NitroPDFDriverService10x64.exe[3340] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770bbf30 5 bytes JMP 00000000000203d0 .text C:\Program Files\Nitro\Pro 10\NitroPDFDriverService10x64.exe[3340] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770bbfb0 5 bytes JMP 00000000000201b0 .text C:\Program Files\Nitro\Pro 10\NitroPDFDriverService10x64.exe[3340] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000770bc050 5 bytes JMP 0000000000020128 .text C:\Program Files\Nitro\Pro 10\NitroPDFDriverService10x64.exe[3340] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770bc500 5 bytes JMP 0000000000020238 
.text C:\Program Files\Nitro\Pro 10\NitroPDFDriverService10x64.exe[3340] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770bc590 5 bytes JMP 00000000000202c0 .text C:\Program Files\Nitro\Pro 10\NitroPDFDriverService10x64.exe[3340] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000770bc600 5 bytes JMP 0000000000020348 .text C:\Program Files\Nitro\Pro 10\NitroPDFDriverService10x64.exe[3340] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770bcac0 5 bytes JMP 0000000000020458 .text C:\Program Files\Nitro\Pro 10\NitroPDFDriverService10x64.exe[3340] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770bcb10 5 bytes JMP 00000000000204e0 .text C:\Program Files\Nitro\Pro 10\NitroPDFDriverService10x64.exe[3340] C:\windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077112530 5 bytes JMP 0000000000020568 .text C:\windows\System32\svchost.exe[3460] C:\windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000770940c0 5 bytes JMP 00000000000205f0 .text C:\windows\System32\svchost.exe[3460] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00000000770bbcc0 5 bytes JMP 0000000000020678 .text C:\windows\System32\svchost.exe[3460] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770bbdb0 5 bytes JMP 00000000000200a0 .text C:\windows\System32\svchost.exe[3460] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770bbed0 5 bytes JMP 0000000000020018 .text C:\windows\System32\svchost.exe[3460] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770bbf30 5 bytes JMP 00000000000203d0 .text C:\windows\System32\svchost.exe[3460] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770bbfb0 5 bytes JMP 00000000000201b0 .text C:\windows\System32\svchost.exe[3460] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000770bc050 5 bytes JMP 0000000000020128 .text C:\windows\System32\svchost.exe[3460] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770bc500 5 bytes JMP 0000000000020238 .text C:\windows\System32\svchost.exe[3460] 
C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770bc590 5 bytes JMP 00000000000202c0 .text C:\windows\System32\svchost.exe[3460] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000770bc600 5 bytes JMP 0000000000020348 .text C:\windows\System32\svchost.exe[3460] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770bcac0 5 bytes JMP 0000000000020458 .text C:\windows\System32\svchost.exe[3460] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770bcb10 5 bytes JMP 00000000000204e0 .text C:\windows\System32\svchost.exe[3460] C:\windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077112530 5 bytes JMP 0000000000020568 .text c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[3480] C:\windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 0000000077260430 5 bytes JMP 000000006feb30e0 .text c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[3480] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000772605a8 5 bytes JMP 000000006feb2360 .text c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[3480] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007726076c 5 bytes JMP 000000006feb21f0 .text c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[3480] C:\windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077260800 5 bytes JMP 000000006feb27a0 .text c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[3480] C:\windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000772608cc 5 bytes JMP 000000006feb2650 .text c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[3480] C:\windows\SysWOW64\ntdll.dll!NtResumeThread 00000000772609c0 5 bytes JMP 000000006feb2520 .text c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[3480] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000772610f4 5 bytes JMP 000000006feb28e0 .text c:\Program Files (x86)\Common Files\Protexis\License 
Service\PsiService_2.exe[3480] C:\windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000772611cc 5 bytes JMP 000000006feb2b70 .text c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[3480] C:\windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077261274 5 bytes JMP 000000006feb2e00 .text c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[3480] C:\windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000772619d0 5 bytes JMP 000000006feb2a30 .text c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[3480] C:\windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077261a48 5 bytes JMP 000000006feb2cc0 .text c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[3480] C:\windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 0000000077279a5f 5 bytes JMP 000000006feb2f80 .text c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[3480] C:\windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 00000000773008b9 5 bytes JMP 000000006feb2e90 .text C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe[3544] C:\windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000770940c0 5 bytes JMP 00000000000205f0 .text C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe[3544] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00000000770bbcc0 5 bytes JMP 0000000000020678 .text C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe[3544] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770bbdb0 5 bytes JMP 00000000000200a0 .text C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe[3544] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770bbed0 5 bytes JMP 0000000000020018 .text C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe[3544] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770bbf30 5 bytes JMP 00000000000203d0 .text C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe[3544] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 
00000000770bbfb0 5 bytes JMP 00000000000201b0 .text C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe[3544] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000770bc050 5 bytes JMP 0000000000020128 .text C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe[3544] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770bc500 5 bytes JMP 0000000000020238 .text C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe[3544] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770bc590 5 bytes JMP 00000000000202c0 .text C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe[3544] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000770bc600 5 bytes JMP 0000000000020348 .text C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe[3544] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770bcac0 5 bytes JMP 0000000000020458 .text C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe[3544] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770bcb10 5 bytes JMP 00000000000204e0 .text C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe[3544] C:\windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077112530 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\Samsung\USB Drivers\27_ssconn\conn\ss_conn_service.exe[3620] C:\windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 0000000077260430 5 bytes JMP 000000006feb30e0 .text C:\Program Files (x86)\Samsung\USB Drivers\27_ssconn\conn\ss_conn_service.exe[3620] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000772605a8 5 bytes JMP 000000006feb2360 .text C:\Program Files (x86)\Samsung\USB Drivers\27_ssconn\conn\ss_conn_service.exe[3620] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007726076c 5 bytes JMP 000000006feb21f0 .text C:\Program Files (x86)\Samsung\USB Drivers\27_ssconn\conn\ss_conn_service.exe[3620] C:\windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077260800 5 bytes JMP 000000006feb27a0 .text C:\Program Files (x86)\Samsung\USB 
Drivers\27_ssconn\conn\ss_conn_service.exe[3620] C:\windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000772608cc 5 bytes JMP 000000006feb2650 .text C:\Program Files (x86)\Samsung\USB Drivers\27_ssconn\conn\ss_conn_service.exe[3620] C:\windows\SysWOW64\ntdll.dll!NtResumeThread 00000000772609c0 5 bytes JMP 000000006feb2520 .text C:\Program Files (x86)\Samsung\USB Drivers\27_ssconn\conn\ss_conn_service.exe[3620] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000772610f4 5 bytes JMP 000000006feb28e0 .text C:\Program Files (x86)\Samsung\USB Drivers\27_ssconn\conn\ss_conn_service.exe[3620] C:\windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000772611cc 5 bytes JMP 000000006feb2b70 .text C:\Program Files (x86)\Samsung\USB Drivers\27_ssconn\conn\ss_conn_service.exe[3620] C:\windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077261274 5 bytes JMP 000000006feb2e00 .text C:\Program Files (x86)\Samsung\USB Drivers\27_ssconn\conn\ss_conn_service.exe[3620] C:\windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000772619d0 5 bytes JMP 000000006feb2a30 .text C:\Program Files (x86)\Samsung\USB Drivers\27_ssconn\conn\ss_conn_service.exe[3620] C:\windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077261a48 5 bytes JMP 000000006feb2cc0 .text C:\Program Files (x86)\Samsung\USB Drivers\27_ssconn\conn\ss_conn_service.exe[3620] C:\windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 0000000077279a5f 5 bytes JMP 000000006feb2f80 .text C:\Program Files (x86)\Samsung\USB Drivers\27_ssconn\conn\ss_conn_service.exe[3620] C:\windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 00000000773008b9 5 bytes JMP 000000006feb2e90 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[3712] C:\windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 0000000077260430 5 bytes JMP 000000006feb30e0 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[3712] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000772605a8 5 bytes JMP 000000006feb2360 .text C:\Program Files 
(x86)\TeamViewer\TeamViewer_Service.exe[3712] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007726076c 5 bytes JMP 000000006feb21f0 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[3712] C:\windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077260800 5 bytes JMP 000000006feb27a0 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[3712] C:\windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000772608cc 5 bytes JMP 000000006feb2650 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[3712] C:\windows\SysWOW64\ntdll.dll!NtResumeThread 00000000772609c0 5 bytes JMP 000000006feb2520 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[3712] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000772610f4 5 bytes JMP 000000006feb28e0 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[3712] C:\windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000772611cc 5 bytes JMP 000000006feb2b70 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[3712] C:\windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077261274 5 bytes JMP 000000006feb2e00 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[3712] C:\windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000772619d0 5 bytes JMP 000000006feb2a30 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[3712] C:\windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077261a48 5 bytes JMP 000000006feb2cc0 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[3712] C:\windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 0000000077279a5f 5 bytes JMP 000000006feb2f80 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[3712] C:\windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 00000000773008b9 5 bytes JMP 000000006feb2e90 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.3.4\ToolbarUpdater.exe[3760] C:\windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 0000000077260430 5 bytes JMP 000000006feb30e0 .text C:\Program Files 
(x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.3.4\ToolbarUpdater.exe[3760] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000772605a8 5 bytes JMP 000000006feb2360 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.3.4\ToolbarUpdater.exe[3760] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007726076c 5 bytes JMP 000000006feb21f0 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.3.4\ToolbarUpdater.exe[3760] C:\windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077260800 5 bytes JMP 000000006feb27a0 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.3.4\ToolbarUpdater.exe[3760] C:\windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000772608cc 5 bytes JMP 000000006feb2650 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.3.4\ToolbarUpdater.exe[3760] C:\windows\SysWOW64\ntdll.dll!NtResumeThread 00000000772609c0 5 bytes JMP 000000006feb2520 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.3.4\ToolbarUpdater.exe[3760] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000772610f4 5 bytes JMP 000000006feb28e0 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.3.4\ToolbarUpdater.exe[3760] C:\windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000772611cc 5 bytes JMP 000000006feb2b70 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.3.4\ToolbarUpdater.exe[3760] C:\windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077261274 5 bytes JMP 000000006feb2e00 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.3.4\ToolbarUpdater.exe[3760] C:\windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000772619d0 5 bytes JMP 000000006feb2a30 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.3.4\ToolbarUpdater.exe[3760] C:\windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077261a48 5 bytes JMP 000000006feb2cc0 .text C:\Program 
Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.3.4\ToolbarUpdater.exe[3760] C:\windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 0000000077279a5f 5 bytes JMP 000000006feb2f80 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.3.4\ToolbarUpdater.exe[3760] C:\windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 00000000773008b9 5 bytes JMP 000000006feb2e90 .text C:\Program Files\Reimage\Reimage Protector\ReiSystem.exe[3824] C:\windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000770940c0 5 bytes JMP 00000000000205f0 .text C:\Program Files\Reimage\Reimage Protector\ReiSystem.exe[3824] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00000000770bbcc0 5 bytes JMP 0000000000020678 .text C:\Program Files\Reimage\Reimage Protector\ReiSystem.exe[3824] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770bbdb0 5 bytes JMP 00000000000200a0 .text C:\Program Files\Reimage\Reimage Protector\ReiSystem.exe[3824] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770bbed0 5 bytes JMP 0000000000020018 .text C:\Program Files\Reimage\Reimage Protector\ReiSystem.exe[3824] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770bbf30 5 bytes JMP 00000000000203d0 .text C:\Program Files\Reimage\Reimage Protector\ReiSystem.exe[3824] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770bbfb0 5 bytes JMP 00000000000201b0 .text C:\Program Files\Reimage\Reimage Protector\ReiSystem.exe[3824] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000770bc050 5 bytes JMP 0000000000020128 .text C:\Program Files\Reimage\Reimage Protector\ReiSystem.exe[3824] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770bc500 5 bytes JMP 0000000000020238 .text C:\Program Files\Reimage\Reimage Protector\ReiSystem.exe[3824] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770bc590 5 bytes JMP 00000000000202c0 .text C:\Program Files\Reimage\Reimage Protector\ReiSystem.exe[3824] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 
00000000770bc600 5 bytes JMP 0000000000020348 .text C:\Program Files\Reimage\Reimage Protector\ReiSystem.exe[3824] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770bcac0 5 bytes JMP 0000000000020458 .text C:\Program Files\Reimage\Reimage Protector\ReiSystem.exe[3824] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770bcb10 5 bytes JMP 00000000000204e0 .text C:\Program Files\Reimage\Reimage Protector\ReiSystem.exe[3824] C:\windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077112530 5 bytes JMP 0000000000020568 .text C:\windows\System32\alg.exe[4360] C:\windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000770940c0 5 bytes JMP 00000000000205f0 .text C:\windows\System32\alg.exe[4360] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00000000770bbcc0 5 bytes JMP 0000000000020678 .text C:\windows\System32\alg.exe[4360] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770bbdb0 5 bytes JMP 00000000000200a0 .text C:\windows\System32\alg.exe[4360] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770bbed0 5 bytes JMP 0000000000020018 .text C:\windows\System32\alg.exe[4360] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770bbf30 5 bytes JMP 00000000000203d0 .text C:\windows\System32\alg.exe[4360] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770bbfb0 5 bytes JMP 00000000000201b0 .text C:\windows\System32\alg.exe[4360] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000770bc050 5 bytes JMP 0000000000020128 .text C:\windows\System32\alg.exe[4360] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770bc500 5 bytes JMP 0000000000020238 .text C:\windows\System32\alg.exe[4360] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770bc590 5 bytes JMP 00000000000202c0 .text C:\windows\System32\alg.exe[4360] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000770bc600 5 bytes JMP 0000000000020348 .text C:\windows\System32\alg.exe[4360] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770bcac0 5 bytes JMP 
0000000000020458 .text C:\windows\System32\alg.exe[4360] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770bcb10 5 bytes JMP 00000000000204e0 .text C:\windows\System32\alg.exe[4360] C:\windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077112530 5 bytes JMP 0000000000020568 .text C:\windows\system32\svchost.exe[4836] C:\windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000770940c0 5 bytes JMP 00000000000205f0 .text C:\windows\system32\svchost.exe[4836] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00000000770bbcc0 5 bytes JMP 0000000000020678 .text C:\windows\system32\svchost.exe[4836] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770bbdb0 5 bytes JMP 00000000000200a0 .text C:\windows\system32\svchost.exe[4836] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770bbed0 5 bytes JMP 0000000000020018 .text C:\windows\system32\svchost.exe[4836] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770bbf30 5 bytes JMP 00000000000203d0 .text C:\windows\system32\svchost.exe[4836] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770bbfb0 5 bytes JMP 00000000000201b0 .text C:\windows\system32\svchost.exe[4836] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000770bc050 5 bytes JMP 0000000000020128 .text C:\windows\system32\svchost.exe[4836] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770bc500 5 bytes JMP 0000000000020238 .text C:\windows\system32\svchost.exe[4836] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770bc590 5 bytes JMP 00000000000202c0 .text C:\windows\system32\svchost.exe[4836] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000770bc600 5 bytes JMP 0000000000020348 .text C:\windows\system32\svchost.exe[4836] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770bcac0 5 bytes JMP 0000000000020458 .text C:\windows\system32\svchost.exe[4836] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770bcb10 5 bytes JMP 00000000000204e0 .text C:\windows\system32\svchost.exe[4836] 
C:\windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077112530 5 bytes JMP 0000000000020568 .text C:\windows\system32\svchost.exe[4912] C:\windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000770940c0 5 bytes JMP 00000000000205f0 .text C:\windows\system32\svchost.exe[4912] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00000000770bbcc0 5 bytes JMP 0000000000020678 .text C:\windows\system32\svchost.exe[4912] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770bbdb0 5 bytes JMP 00000000000200a0 .text C:\windows\system32\svchost.exe[4912] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770bbed0 5 bytes JMP 0000000000020018 .text C:\windows\system32\svchost.exe[4912] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770bbf30 5 bytes JMP 00000000000203d0 .text C:\windows\system32\svchost.exe[4912] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770bbfb0 5 bytes JMP 00000000000201b0 .text C:\windows\system32\svchost.exe[4912] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000770bc050 5 bytes JMP 0000000000020128 .text C:\windows\system32\svchost.exe[4912] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770bc500 5 bytes JMP 0000000000020238 .text C:\windows\system32\svchost.exe[4912] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770bc590 5 bytes JMP 00000000000202c0 .text C:\windows\system32\svchost.exe[4912] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000770bc600 5 bytes JMP 0000000000020348 .text C:\windows\system32\svchost.exe[4912] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770bcac0 5 bytes JMP 0000000000020458 .text C:\windows\system32\svchost.exe[4912] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770bcb10 5 bytes JMP 00000000000204e0 .text C:\windows\system32\svchost.exe[4912] C:\windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077112530 5 bytes JMP 0000000000020568 .text C:\windows\system32\svchost.exe[5008] C:\windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 
00000000770940c0 5 bytes JMP 00000000000205f0 .text C:\windows\system32\svchost.exe[5008] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00000000770bbcc0 5 bytes JMP 0000000000020678 .text C:\windows\system32\svchost.exe[5008] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770bbdb0 5 bytes JMP 00000000000200a0 .text C:\windows\system32\svchost.exe[5008] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770bbed0 5 bytes JMP 0000000000020018 .text C:\windows\system32\svchost.exe[5008] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770bbf30 5 bytes JMP 00000000000203d0 .text C:\windows\system32\svchost.exe[5008] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770bbfb0 5 bytes JMP 00000000000201b0 .text C:\windows\system32\svchost.exe[5008] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000770bc050 5 bytes JMP 0000000000020128 .text C:\windows\system32\svchost.exe[5008] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770bc500 5 bytes JMP 0000000000020238 .text C:\windows\system32\svchost.exe[5008] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770bc590 5 bytes JMP 00000000000202c0 .text C:\windows\system32\svchost.exe[5008] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000770bc600 5 bytes JMP 0000000000020348 .text C:\windows\system32\svchost.exe[5008] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770bcac0 5 bytes JMP 0000000000020458 .text C:\windows\system32\svchost.exe[5008] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770bcb10 5 bytes JMP 00000000000204e0 .text C:\windows\system32\svchost.exe[5008] C:\windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077112530 5 bytes JMP 0000000000020568 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3964] C:\windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 0000000077260430 5 bytes JMP 000000006feb30e0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3964] 
C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000772605a8 5 bytes JMP 000000006feb2360 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3964] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007726076c 5 bytes JMP 000000006feb21f0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3964] C:\windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077260800 5 bytes JMP 000000006feb27a0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3964] C:\windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000772608cc 5 bytes JMP 000000006feb2650 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3964] C:\windows\SysWOW64\ntdll.dll!NtResumeThread 00000000772609c0 5 bytes JMP 000000006feb2520 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3964] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000772610f4 5 bytes JMP 000000006feb28e0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3964] C:\windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000772611cc 5 bytes JMP 000000006feb2b70 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3964] C:\windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077261274 5 bytes JMP 000000006feb2e00 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3964] C:\windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000772619d0 5 bytes JMP 000000006feb2a30 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3964] C:\windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077261a48 5 bytes JMP 000000006feb2cc0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3964] C:\windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 0000000077279a5f 5 bytes JMP 000000006feb2f80 .text C:\Program Files\Intel\Intel(R) Rapid Storage 
Technology\IAStorDataMgrSvc.exe[3964] C:\windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 00000000773008b9 5 bytes JMP 000000006feb2e90 .text C:\windows\system32\wbem\wmiprvse.exe[1500] C:\windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000770940c0 5 bytes JMP 00000000000205f0 .text C:\windows\system32\wbem\wmiprvse.exe[1500] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00000000770bbcc0 5 bytes JMP 0000000000020678 .text C:\windows\system32\wbem\wmiprvse.exe[1500] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770bbdb0 5 bytes JMP 00000000000200a0 .text C:\windows\system32\wbem\wmiprvse.exe[1500] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770bbed0 5 bytes JMP 0000000000020018 .text C:\windows\system32\wbem\wmiprvse.exe[1500] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770bbf30 5 bytes JMP 00000000000203d0 .text C:\windows\system32\wbem\wmiprvse.exe[1500] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770bbfb0 5 bytes JMP 00000000000201b0 .text C:\windows\system32\wbem\wmiprvse.exe[1500] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000770bc050 5 bytes JMP 0000000000020128 .text C:\windows\system32\wbem\wmiprvse.exe[1500] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770bc500 5 bytes JMP 0000000000020238 .text C:\windows\system32\wbem\wmiprvse.exe[1500] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770bc590 5 bytes JMP 00000000000202c0 .text C:\windows\system32\wbem\wmiprvse.exe[1500] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000770bc600 5 bytes JMP 0000000000020348 .text C:\windows\system32\wbem\wmiprvse.exe[1500] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770bcac0 5 bytes JMP 0000000000020458 .text C:\windows\system32\wbem\wmiprvse.exe[1500] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770bcb10 5 bytes JMP 00000000000204e0 .text C:\windows\system32\wbem\wmiprvse.exe[1500] C:\windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077112530 5 bytes JMP 
0000000000020568 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3928] C:\windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 0000000077260430 5 bytes JMP 000000006feb30e0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3928] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000772605a8 5 bytes JMP 000000006feb2360 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3928] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007726076c 5 bytes JMP 000000006feb21f0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3928] C:\windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077260800 5 bytes JMP 000000006feb27a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3928] C:\windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000772608cc 5 bytes JMP 000000006feb2650 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3928] C:\windows\SysWOW64\ntdll.dll!NtResumeThread 00000000772609c0 5 bytes JMP 000000006feb2520 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3928] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000772610f4 5 bytes JMP 000000006feb28e0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3928] C:\windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000772611cc 5 bytes JMP 000000006feb2b70 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3928] C:\windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077261274 5 bytes JMP 000000006feb2e00 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3928] C:\windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000772619d0 5 bytes JMP 000000006feb2a30 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3928] C:\windows\SysWOW64\ntdll.dll!NtOpenSemaphore 
0000000077261a48 5 bytes JMP 000000006feb2cc0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3928] C:\windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 0000000077279a5f 5 bytes JMP 000000006feb2f80 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3928] C:\windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 00000000773008b9 5 bytes JMP 000000006feb2e90 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[892] C:\windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000770940c0 5 bytes JMP 00000000000205f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[892] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00000000770bbcc0 5 bytes JMP 0000000000020678 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[892] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770bbdb0 5 bytes JMP 00000000000200a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[892] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770bbed0 5 bytes JMP 0000000000020018 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[892] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770bbf30 5 bytes JMP 00000000000203d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[892] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770bbfb0 5 bytes JMP 00000000000201b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[892] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000770bc050 5 bytes JMP 0000000000020128 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[892] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770bc500 5 bytes JMP 0000000000020238 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[892] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770bc590 5 
bytes JMP 00000000000202c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[892] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000770bc600 5 bytes JMP 0000000000020348 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[892] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770bcac0 5 bytes JMP 0000000000020458 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[892] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770bcb10 5 bytes JMP 00000000000204e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[892] C:\windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077112530 5 bytes JMP 0000000000020568 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1716] C:\windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000770940c0 5 bytes JMP 00000000000205f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1716] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00000000770bbcc0 5 bytes JMP 0000000000020678 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1716] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770bbdb0 5 bytes JMP 00000000000200a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1716] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770bbed0 5 bytes JMP 0000000000020018 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1716] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770bbf30 5 bytes JMP 00000000000203d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1716] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770bbfb0 5 bytes JMP 00000000000201b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1716] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000770bc050 5 bytes JMP 0000000000020128 .text 
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1716] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770bc500 5 bytes JMP 0000000000020238 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1716] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770bc590 5 bytes JMP 00000000000202c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1716] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000770bc600 5 bytes JMP 0000000000020348 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1716] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770bcac0 5 bytes JMP 0000000000020458 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1716] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770bcb10 5 bytes JMP 00000000000204e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1716] C:\windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077112530 5 bytes JMP 0000000000020568 .text C:\windows\system32\SearchIndexer.exe[4144] C:\windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000770940c0 5 bytes JMP 00000000000205f0 .text C:\windows\system32\SearchIndexer.exe[4144] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00000000770bbcc0 5 bytes JMP 0000000000020678 .text C:\windows\system32\SearchIndexer.exe[4144] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770bbdb0 5 bytes JMP 00000000000200a0 .text C:\windows\system32\SearchIndexer.exe[4144] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770bbed0 5 bytes JMP 0000000000020018 .text C:\windows\system32\SearchIndexer.exe[4144] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770bbf30 5 bytes JMP 00000000000203d0 .text C:\windows\system32\SearchIndexer.exe[4144] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770bbfb0 5 bytes JMP 00000000000201b0 .text C:\windows\system32\SearchIndexer.exe[4144] 
C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000770bc050 5 bytes JMP 0000000000020128 .text C:\windows\system32\SearchIndexer.exe[4144] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770bc500 5 bytes JMP 0000000000020238 .text C:\windows\system32\SearchIndexer.exe[4144] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770bc590 5 bytes JMP 00000000000202c0 .text C:\windows\system32\SearchIndexer.exe[4144] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000770bc600 5 bytes JMP 0000000000020348 .text C:\windows\system32\SearchIndexer.exe[4144] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770bcac0 5 bytes JMP 0000000000020458 .text C:\windows\system32\SearchIndexer.exe[4144] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770bcb10 5 bytes JMP 00000000000204e0 .text C:\windows\system32\SearchIndexer.exe[4144] C:\windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077112530 5 bytes JMP 0000000000020568 .text C:\windows\system32\taskhost.exe[4692] C:\windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000770940c0 5 bytes JMP 00000000000205f0 .text C:\windows\system32\taskhost.exe[4692] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00000000770bbcc0 5 bytes JMP 0000000000020678 .text C:\windows\system32\taskhost.exe[4692] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770bbdb0 5 bytes JMP 00000000000200a0 .text C:\windows\system32\taskhost.exe[4692] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770bbed0 5 bytes JMP 0000000000020018 .text C:\windows\system32\taskhost.exe[4692] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770bbf30 5 bytes JMP 00000000000203d0 .text C:\windows\system32\taskhost.exe[4692] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770bbfb0 5 bytes JMP 00000000000201b0 .text C:\windows\system32\taskhost.exe[4692] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000770bc050 5 bytes JMP 0000000000020128 .text C:\windows\system32\taskhost.exe[4692] 
C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770bc500 5 bytes JMP 0000000000020238 .text C:\windows\system32\taskhost.exe[4692] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770bc590 5 bytes JMP 00000000000202c0 .text C:\windows\system32\taskhost.exe[4692] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000770bc600 5 bytes JMP 0000000000020348 .text C:\windows\system32\taskhost.exe[4692] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770bcac0 5 bytes JMP 0000000000020458 .text C:\windows\system32\taskhost.exe[4692] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770bcb10 5 bytes JMP 00000000000204e0 .text C:\windows\system32\taskhost.exe[4692] C:\windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077112530 5 bytes JMP 0000000000020568 .text C:\windows\system32\Dwm.exe[5860] C:\windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000770940c0 5 bytes JMP 00000000000205f0 .text C:\windows\system32\Dwm.exe[5860] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00000000770bbcc0 5 bytes JMP 0000000000020678 .text C:\windows\system32\Dwm.exe[5860] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770bbdb0 5 bytes JMP 00000000000200a0 .text C:\windows\system32\Dwm.exe[5860] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770bbed0 5 bytes JMP 0000000000020018 .text C:\windows\system32\Dwm.exe[5860] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770bbf30 5 bytes JMP 00000000000203d0 .text C:\windows\system32\Dwm.exe[5860] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770bbfb0 5 bytes JMP 00000000000201b0 .text C:\windows\system32\Dwm.exe[5860] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000770bc050 5 bytes JMP 0000000000020128 .text C:\windows\system32\Dwm.exe[5860] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770bc500 5 bytes JMP 0000000000020238 .text C:\windows\system32\Dwm.exe[5860] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770bc590 5 bytes JMP 00000000000202c0 
.text C:\windows\system32\Dwm.exe[5860] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000770bc600 5 bytes JMP 0000000000020348 .text C:\windows\system32\Dwm.exe[5860] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770bcac0 5 bytes JMP 0000000000020458 .text C:\windows\system32\Dwm.exe[5860] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770bcb10 5 bytes JMP 00000000000204e0 .text C:\windows\system32\Dwm.exe[5860] C:\windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077112530 5 bytes JMP 0000000000020568 .text C:\windows\Explorer.EXE[4820] C:\windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000770940c0 5 bytes JMP 00000000000205f0 .text C:\windows\Explorer.EXE[4820] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00000000770bbcc0 5 bytes JMP 0000000000020678 .text C:\windows\Explorer.EXE[4820] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770bbdb0 5 bytes JMP 00000000000200a0 .text C:\windows\Explorer.EXE[4820] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770bbed0 5 bytes JMP 0000000000020018 .text C:\windows\Explorer.EXE[4820] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770bbf30 5 bytes JMP 00000000000203d0 .text C:\windows\Explorer.EXE[4820] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770bbfb0 5 bytes JMP 00000000000201b0 .text C:\windows\Explorer.EXE[4820] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000770bc050 5 bytes JMP 0000000000020128 .text C:\windows\Explorer.EXE[4820] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770bc500 5 bytes JMP 0000000000020238 .text C:\windows\Explorer.EXE[4820] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770bc590 5 bytes JMP 00000000000202c0 .text C:\windows\Explorer.EXE[4820] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000770bc600 5 bytes JMP 0000000000020348 .text C:\windows\Explorer.EXE[4820] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770bcac0 5 bytes JMP 0000000000020458 .text 
C:\windows\Explorer.EXE[4820] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770bcb10 5 bytes JMP 00000000000204e0 .text C:\windows\Explorer.EXE[4820] C:\windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077112530 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[6120] C:\windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 0000000077260430 5 bytes JMP 000000006feb30e0 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[6120] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000772605a8 5 bytes JMP 000000006feb2360 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[6120] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007726076c 5 bytes JMP 000000006feb21f0 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[6120] C:\windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077260800 5 bytes JMP 000000006feb27a0 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[6120] C:\windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000772608cc 5 bytes JMP 000000006feb2650 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[6120] C:\windows\SysWOW64\ntdll.dll!NtResumeThread 00000000772609c0 5 bytes JMP 000000006feb2520 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[6120] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000772610f4 5 bytes JMP 000000006feb28e0 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[6120] C:\windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000772611cc 5 bytes JMP 000000006feb2b70 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[6120] C:\windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077261274 5 bytes JMP 000000006feb2e00 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[6120] C:\windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000772619d0 5 bytes JMP 000000006feb2a30 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[6120] 
C:\windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077261a48 5 bytes JMP 000000006feb2cc0 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[6120] C:\windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 0000000077279a5f 5 bytes JMP 000000006feb2f80 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[6120] C:\windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 00000000773008b9 5 bytes JMP 000000006feb2e90 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[6120] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076161401 2 bytes JMP 74ddb263 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[6120] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076161419 2 bytes JMP 74ddb38e C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[6120] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076161431 2 bytes JMP 74e590f1 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[6120] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007616144a 2 bytes CALL 74db48ad C:\windows\syswow64\kernel32.dll .text ... 
* 9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[6120] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000761614dd 2 bytes JMP 74e589ea C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[6120] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000761614f5 2 bytes JMP 74e58bc0 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[6120] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007616150d 2 bytes JMP 74e588e0 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[6120] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076161525 2 bytes JMP 74e58caa C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[6120] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007616153d 2 bytes JMP 74dcfce8 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[6120] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076161555 2 bytes JMP 74dd6937 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[6120] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007616156d 2 bytes JMP 74e591a9 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[6120] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076161585 2 bytes JMP 74e58d0a C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[6120] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007616159d 2 bytes JMP 74e588a4 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[6120] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000761615b5 2 bytes JMP 74dcfd81 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes 
Anti-Malware\mbam.exe[6120] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000761615cd 2 bytes JMP 74ddb324 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[6120] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000761616b2 2 bytes JMP 74e5906c C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[6120] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000761616bd 2 bytes JMP 74e58839 C:\windows\syswow64\kernel32.dll .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5384] C:\windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000770940c0 5 bytes JMP 00000000000205f0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5384] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00000000770bbcc0 5 bytes JMP 0000000000020678 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5384] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770bbdb0 5 bytes JMP 00000000000200a0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5384] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770bbed0 5 bytes JMP 0000000000020018 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5384] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770bbf30 5 bytes JMP 00000000000203d0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5384] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770bbfb0 5 bytes JMP 00000000000201b0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5384] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000770bc050 5 bytes JMP 0000000000020128 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5384] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770bc500 5 bytes JMP 0000000000020238 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5384] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770bc590 5 bytes JMP 00000000000202c0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5384] 
C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000770bc600 5 bytes JMP 0000000000020348 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5384] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770bcac0 5 bytes JMP 0000000000020458 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5384] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770bcb10 5 bytes JMP 00000000000204e0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5384] C:\windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077112530 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[5528] C:\windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000770940c0 5 bytes JMP 00000000000205f0 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[5528] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00000000770bbcc0 5 bytes JMP 0000000000020678 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[5528] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770bbdb0 5 bytes JMP 00000000000200a0 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[5528] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770bbed0 5 bytes JMP 0000000000020018 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[5528] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770bbf30 5 bytes JMP 00000000000203d0 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[5528] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770bbfb0 5 bytes JMP 00000000000201b0 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[5528] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000770bc050 5 bytes JMP 0000000000020128 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[5528] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770bc500 5 bytes JMP 0000000000020238 .text C:\Program Files 
(x86)\Lenovo\Energy Management\Energy Management.exe[5528] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770bc590 5 bytes JMP 00000000000202c0 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[5528] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000770bc600 5 bytes JMP 0000000000020348 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[5528] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770bcac0 5 bytes JMP 0000000000020458 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[5528] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770bcb10 5 bytes JMP 00000000000204e0 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[5528] C:\windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077112530 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[5588] C:\windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000770940c0 5 bytes JMP 00000000000205f0 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[5588] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00000000770bbcc0 5 bytes JMP 0000000000020678 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[5588] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770bbdb0 5 bytes JMP 00000000000200a0 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[5588] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770bbed0 5 bytes JMP 0000000000020018 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[5588] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770bbf30 5 bytes JMP 00000000000203d0 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[5588] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770bbfb0 5 bytes JMP 00000000000201b0 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[5588] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000770bc050 5 
bytes JMP 0000000000020128 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[5588] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770bc500 5 bytes JMP 0000000000020238 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[5588] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770bc590 5 bytes JMP 00000000000202c0 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[5588] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000770bc600 5 bytes JMP 0000000000020348 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[5588] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770bcac0 5 bytes JMP 0000000000020458 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[5588] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770bcb10 5 bytes JMP 00000000000204e0 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[5588] C:\windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077112530 5 bytes JMP 0000000000020568 .text C:\Program Files\Microsoft Security Client\msseces.exe[5756] C:\windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000770940c0 5 bytes JMP 00000000000205f0 .text C:\Program Files\Microsoft Security Client\msseces.exe[5756] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00000000770bbcc0 5 bytes JMP 0000000000020678 .text C:\Program Files\Microsoft Security Client\msseces.exe[5756] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770bbdb0 5 bytes JMP 00000000000200a0 .text C:\Program Files\Microsoft Security Client\msseces.exe[5756] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770bbed0 5 bytes JMP 0000000000020018 .text C:\Program Files\Microsoft Security Client\msseces.exe[5756] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770bbf30 5 bytes JMP 00000000000203d0 .text C:\Program Files\Microsoft Security Client\msseces.exe[5756] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770bbfb0 5 bytes JMP 00000000000201b0 
.text C:\Program Files\Microsoft Security Client\msseces.exe[5756] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000770bc050 5 bytes JMP 0000000000020128 .text C:\Program Files\Microsoft Security Client\msseces.exe[5756] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770bc500 5 bytes JMP 0000000000020238 .text C:\Program Files\Microsoft Security Client\msseces.exe[5756] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770bc590 5 bytes JMP 00000000000202c0 .text C:\Program Files\Microsoft Security Client\msseces.exe[5756] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000770bc600 5 bytes JMP 0000000000020348 .text C:\Program Files\Microsoft Security Client\msseces.exe[5756] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770bcac0 5 bytes JMP 0000000000020458 .text C:\Program Files\Microsoft Security Client\msseces.exe[5756] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770bcb10 5 bytes JMP 00000000000204e0 .text C:\Program Files\Microsoft Security Client\msseces.exe[5756] C:\windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077112530 5 bytes JMP 0000000000020568 .text C:\Windows\System32\igfxtray.exe[2780] C:\windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000770940c0 5 bytes JMP 00000000000205f0 .text C:\Windows\System32\igfxtray.exe[2780] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00000000770bbcc0 5 bytes JMP 0000000000020678 .text C:\Windows\System32\igfxtray.exe[2780] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770bbdb0 5 bytes JMP 00000000000200a0 .text C:\Windows\System32\igfxtray.exe[2780] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770bbed0 5 bytes JMP 0000000000020018 .text C:\Windows\System32\igfxtray.exe[2780] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770bbf30 5 bytes JMP 00000000000203d0 .text C:\Windows\System32\igfxtray.exe[2780] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770bbfb0 5 bytes JMP 00000000000201b0 .text 
C:\Windows\System32\igfxtray.exe[2780] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000770bc050 5 bytes JMP 0000000000020128 .text C:\Windows\System32\igfxtray.exe[2780] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770bc500 5 bytes JMP 0000000000020238 .text C:\Windows\System32\igfxtray.exe[2780] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770bc590 5 bytes JMP 00000000000202c0 .text C:\Windows\System32\igfxtray.exe[2780] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000770bc600 5 bytes JMP 0000000000020348 .text C:\Windows\System32\igfxtray.exe[2780] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770bcac0 5 bytes JMP 0000000000020458 .text C:\Windows\System32\igfxtray.exe[2780] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770bcb10 5 bytes JMP 00000000000204e0 .text C:\Windows\System32\igfxtray.exe[2780] C:\windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077112530 5 bytes JMP 0000000000020568 .text C:\Windows\System32\hkcmd.exe[5940] C:\windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000770940c0 5 bytes JMP 00000000000205f0 .text C:\Windows\System32\hkcmd.exe[5940] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00000000770bbcc0 5 bytes JMP 0000000000020678 .text C:\Windows\System32\hkcmd.exe[5940] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770bbdb0 5 bytes JMP 00000000000200a0 .text C:\Windows\System32\hkcmd.exe[5940] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770bbed0 5 bytes JMP 0000000000020018 .text C:\Windows\System32\hkcmd.exe[5940] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770bbf30 5 bytes JMP 00000000000203d0 .text C:\Windows\System32\hkcmd.exe[5940] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770bbfb0 5 bytes JMP 00000000000201b0 .text C:\Windows\System32\hkcmd.exe[5940] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000770bc050 5 bytes JMP 0000000000020128 .text C:\Windows\System32\hkcmd.exe[5940] 
C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770bc500 5 bytes JMP 0000000000020238 .text C:\Windows\System32\hkcmd.exe[5940] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770bc590 5 bytes JMP 00000000000202c0 .text C:\Windows\System32\hkcmd.exe[5940] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000770bc600 5 bytes JMP 0000000000020348 .text C:\Windows\System32\hkcmd.exe[5940] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770bcac0 5 bytes JMP 0000000000020458 .text C:\Windows\System32\hkcmd.exe[5940] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770bcb10 5 bytes JMP 00000000000204e0 .text C:\Windows\System32\hkcmd.exe[5940] C:\windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077112530 5 bytes JMP 0000000000020568 .text C:\Windows\System32\igfxpers.exe[4884] C:\windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000770940c0 5 bytes JMP 00000000000205f0 .text C:\Windows\System32\igfxpers.exe[4884] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00000000770bbcc0 5 bytes JMP 0000000000020678 .text C:\Windows\System32\igfxpers.exe[4884] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770bbdb0 5 bytes JMP 00000000000200a0 .text C:\Windows\System32\igfxpers.exe[4884] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770bbed0 5 bytes JMP 0000000000020018 .text C:\Windows\System32\igfxpers.exe[4884] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770bbf30 5 bytes JMP 00000000000203d0 .text C:\Windows\System32\igfxpers.exe[4884] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770bbfb0 5 bytes JMP 00000000000201b0 .text C:\Windows\System32\igfxpers.exe[4884] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000770bc050 5 bytes JMP 0000000000020128 .text C:\Windows\System32\igfxpers.exe[4884] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770bc500 5 bytes JMP 0000000000020238 .text C:\Windows\System32\igfxpers.exe[4884] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770bc590 5 
bytes JMP 00000000000202c0 .text C:\Windows\System32\igfxpers.exe[4884] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000770bc600 5 bytes JMP 0000000000020348 .text C:\Windows\System32\igfxpers.exe[4884] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770bcac0 5 bytes JMP 0000000000020458 .text C:\Windows\System32\igfxpers.exe[4884] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770bcb10 5 bytes JMP 00000000000204e0 .text C:\Windows\System32\igfxpers.exe[4884] C:\windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077112530 5 bytes JMP 0000000000020568 .text C:\Program Files\Windows Sidebar\sidebar.exe[2900] C:\windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000770940c0 5 bytes JMP 00000000000205f0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2900] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00000000770bbcc0 5 bytes JMP 0000000000020678 .text C:\Program Files\Windows Sidebar\sidebar.exe[2900] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770bbdb0 5 bytes JMP 00000000000200a0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2900] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770bbed0 5 bytes JMP 0000000000020018 .text C:\Program Files\Windows Sidebar\sidebar.exe[2900] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770bbf30 5 bytes JMP 00000000000203d0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2900] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770bbfb0 5 bytes JMP 00000000000201b0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2900] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000770bc050 5 bytes JMP 0000000000020128 .text C:\Program Files\Windows Sidebar\sidebar.exe[2900] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770bc500 5 bytes JMP 0000000000020238 .text C:\Program Files\Windows Sidebar\sidebar.exe[2900] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770bc590 5 bytes JMP 00000000000202c0 .text C:\Program Files\Windows 
Sidebar\sidebar.exe[2900] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000770bc600 5 bytes JMP 0000000000020348 .text C:\Program Files\Windows Sidebar\sidebar.exe[2900] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770bcac0 5 bytes JMP 0000000000020458 .text C:\Program Files\Windows Sidebar\sidebar.exe[2900] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770bcb10 5 bytes JMP 00000000000204e0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2900] C:\windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077112530 5 bytes JMP 0000000000020568 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[5196] C:\windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000770940c0 5 bytes JMP 00000000000205f0 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[5196] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00000000770bbcc0 5 bytes JMP 0000000000020678 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[5196] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770bbdb0 5 bytes JMP 00000000000200a0 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[5196] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770bbed0 5 bytes JMP 0000000000020018 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[5196] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770bbf30 5 bytes JMP 00000000000203d0 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[5196] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770bbfb0 5 bytes JMP 00000000000201b0 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[5196] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000770bc050 5 bytes JMP 0000000000020128 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[5196] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770bc500 5 bytes JMP 0000000000020238 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[5196] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770bc590 5 bytes JMP 
00000000000202c0 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[5196] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000770bc600 5 bytes JMP 0000000000020348 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[5196] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770bcac0 5 bytes JMP 0000000000020458 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[5196] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770bcb10 5 bytes JMP 00000000000204e0 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[5196] C:\windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077112530 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4204] C:\windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 0000000077260430 5 bytes JMP 000000006feb30e0 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4204] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000772605a8 5 bytes JMP 000000006feb2360 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4204] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007726076c 5 bytes JMP 000000006feb21f0 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4204] C:\windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077260800 5 bytes JMP 000000006feb27a0 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4204] C:\windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000772608cc 5 bytes JMP 000000006feb2650 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4204] C:\windows\SysWOW64\ntdll.dll!NtResumeThread 00000000772609c0 5 bytes JMP 000000006feb2520 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4204] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000772610f4 5 bytes JMP 
000000006feb28e0 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4204] C:\windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000772611cc 5 bytes JMP 000000006feb2b70 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4204] C:\windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077261274 5 bytes JMP 000000006feb2e00 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4204] C:\windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000772619d0 5 bytes JMP 000000006feb2a30 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4204] C:\windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077261a48 5 bytes JMP 000000006feb2cc0 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4204] C:\windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 0000000077279a5f 5 bytes JMP 000000006feb2f80 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[4204] C:\windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 00000000773008b9 5 bytes JMP 000000006feb2e90 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3612] C:\windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 0000000077260430 5 bytes JMP 000000006feb30e0 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3612] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000772605a8 5 bytes JMP 000000006feb2360 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3612] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007726076c 5 bytes JMP 000000006feb21f0 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3612] C:\windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077260800 5 bytes JMP 
000000006feb27a0 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3612] C:\windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000772608cc 5 bytes JMP 000000006feb2650 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3612] C:\windows\SysWOW64\ntdll.dll!NtResumeThread 00000000772609c0 5 bytes JMP 000000006feb2520 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3612] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000772610f4 5 bytes JMP 000000006feb28e0 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3612] C:\windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000772611cc 5 bytes JMP 000000006feb2b70 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3612] C:\windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077261274 5 bytes JMP 000000006feb2e00 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3612] C:\windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000772619d0 5 bytes JMP 000000006feb2a30 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3612] C:\windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077261a48 5 bytes JMP 000000006feb2cc0 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3612] C:\windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 0000000077279a5f 5 bytes JMP 000000006feb2f80 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3612] C:\windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 00000000773008b9 5 bytes JMP 000000006feb2e90 .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[5488] C:\windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 0000000077260430 5 
bytes JMP 000000006feb30e0 .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[5488] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000772605a8 5 bytes JMP 000000006feb2360 .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[5488] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007726076c 5 bytes JMP 000000006feb21f0 .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[5488] C:\windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077260800 5 bytes JMP 000000006feb27a0 .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[5488] C:\windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000772608cc 5 bytes JMP 000000006feb2650 .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[5488] C:\windows\SysWOW64\ntdll.dll!NtResumeThread 00000000772609c0 5 bytes JMP 000000006feb2520 .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[5488] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000772610f4 5 bytes JMP 000000006feb28e0 .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[5488] C:\windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000772611cc 5 bytes JMP 000000006feb2b70 .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[5488] C:\windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077261274 5 bytes JMP 000000006feb2e00 .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[5488] C:\windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000772619d0 5 bytes JMP 000000006feb2a30 .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[5488] C:\windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077261a48 5 bytes JMP 000000006feb2cc0 .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[5488] C:\windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 0000000077279a5f 5 bytes JMP 000000006feb2f80 .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[5488] C:\windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 00000000773008b9 5 bytes JMP 000000006feb2e90 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[5220] 
C:\windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 0000000077260430 5 bytes JMP 000000006feb30e0 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[5220] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000772605a8 5 bytes JMP 000000006feb2360 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[5220] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007726076c 5 bytes JMP 000000006feb21f0 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[5220] C:\windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077260800 5 bytes JMP 000000006feb27a0 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[5220] C:\windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000772608cc 5 bytes JMP 000000006feb2650 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[5220] C:\windows\SysWOW64\ntdll.dll!NtResumeThread 00000000772609c0 5 bytes JMP 000000006feb2520 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[5220] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000772610f4 5 bytes JMP 000000006feb28e0 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[5220] C:\windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000772611cc 5 bytes JMP 000000006feb2b70 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[5220] C:\windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077261274 5 bytes JMP 000000006feb2e00 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[5220] C:\windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000772619d0 5 bytes JMP 000000006feb2a30 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[5220] C:\windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077261a48 5 bytes JMP 000000006feb2cc0 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[5220] C:\windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 0000000077279a5f 5 bytes JMP 000000006feb2f80 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[5220] C:\windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 00000000773008b9 5 bytes JMP 000000006feb2e90 .text C:\Program Files (x86)\AVG Web 
TuneUp\vprot.exe[5220] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076161401 2 bytes JMP 74ddb263 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[5220] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076161419 2 bytes JMP 74ddb38e C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[5220] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076161431 2 bytes JMP 74e590f1 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[5220] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007616144a 2 bytes CALL 74db48ad C:\windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[5220] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000761614dd 2 bytes JMP 74e589ea C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[5220] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000761614f5 2 bytes JMP 74e58bc0 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[5220] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007616150d 2 bytes JMP 74e588e0 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[5220] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076161525 2 bytes JMP 74e58caa C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[5220] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007616153d 2 bytes JMP 74dcfce8 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[5220] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076161555 2 bytes JMP 74dd6937 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[5220] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007616156d 2 bytes JMP 74e591a9 
C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[5220] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076161585 2 bytes JMP 74e58d0a C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[5220] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007616159d 2 bytes JMP 74e588a4 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[5220] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000761615b5 2 bytes JMP 74dcfd81 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[5220] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000761615cd 2 bytes JMP 74ddb324 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[5220] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000761616b2 2 bytes JMP 74e5906c C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[5220] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000761616bd 2 bytes JMP 74e58839 C:\windows\syswow64\kernel32.dll .text C:\windows\system32\taskeng.exe[4732] C:\windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000770940c0 5 bytes JMP 00000000000205f0 .text C:\windows\system32\taskeng.exe[4732] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00000000770bbcc0 5 bytes JMP 0000000000020678 .text C:\windows\system32\taskeng.exe[4732] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770bbdb0 5 bytes JMP 00000000000200a0 .text C:\windows\system32\taskeng.exe[4732] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770bbed0 5 bytes JMP 0000000000020018 .text C:\windows\system32\taskeng.exe[4732] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770bbf30 5 bytes JMP 00000000000203d0 .text C:\windows\system32\taskeng.exe[4732] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770bbfb0 5 bytes JMP 00000000000201b0 .text 
C:\windows\system32\taskeng.exe[4732] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000770bc050 5 bytes JMP 0000000000020128 .text C:\windows\system32\taskeng.exe[4732] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770bc500 5 bytes JMP 0000000000020238 .text C:\windows\system32\taskeng.exe[4732] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770bc590 5 bytes JMP 00000000000202c0 .text C:\windows\system32\taskeng.exe[4732] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000770bc600 5 bytes JMP 0000000000020348 .text C:\windows\system32\taskeng.exe[4732] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770bcac0 5 bytes JMP 0000000000020458 .text C:\windows\system32\taskeng.exe[4732] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770bcb10 5 bytes JMP 00000000000204e0 .text C:\windows\system32\taskeng.exe[4732] C:\windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077112530 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5564] C:\windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 0000000077260430 5 bytes JMP 000000006feb30e0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5564] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000772605a8 5 bytes JMP 000000006feb2360 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5564] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007726076c 5 bytes JMP 000000006feb21f0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5564] C:\windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077260800 5 bytes JMP 000000006feb27a0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5564] C:\windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000772608cc 5 bytes JMP 000000006feb2650 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5564] C:\windows\SysWOW64\ntdll.dll!NtResumeThread 00000000772609c0 5 bytes JMP 000000006feb2520 .text C:\Program Files 
(x86)\Common Files\Java\Java Update\jusched.exe[5564] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000772610f4 5 bytes JMP 000000006feb28e0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5564] C:\windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000772611cc 5 bytes JMP 000000006feb2b70 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5564] C:\windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077261274 5 bytes JMP 000000006feb2e00 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5564] C:\windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000772619d0 5 bytes JMP 000000006feb2a30 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5564] C:\windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077261a48 5 bytes JMP 000000006feb2cc0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5564] C:\windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 0000000077279a5f 5 bytes JMP 000000006feb2f80 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5564] C:\windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 00000000773008b9 5 bytes JMP 000000006feb2e90 .text C:\windows\system32\taskeng.exe[5652] C:\windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000770940c0 5 bytes JMP 00000000000205f0 .text C:\windows\system32\taskeng.exe[5652] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00000000770bbcc0 5 bytes JMP 0000000000020678 .text C:\windows\system32\taskeng.exe[5652] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770bbdb0 5 bytes JMP 00000000000200a0 .text C:\windows\system32\taskeng.exe[5652] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770bbed0 5 bytes JMP 0000000000020018 .text C:\windows\system32\taskeng.exe[5652] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770bbf30 5 bytes JMP 00000000000203d0 .text C:\windows\system32\taskeng.exe[5652] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770bbfb0 5 bytes 
JMP 00000000000201b0 .text C:\windows\system32\taskeng.exe[5652] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000770bc050 5 bytes JMP 0000000000020128 .text C:\windows\system32\taskeng.exe[5652] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770bc500 5 bytes JMP 0000000000020238 .text C:\windows\system32\taskeng.exe[5652] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770bc590 5 bytes JMP 00000000000202c0 .text C:\windows\system32\taskeng.exe[5652] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000770bc600 5 bytes JMP 0000000000020348 .text C:\windows\system32\taskeng.exe[5652] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770bcac0 5 bytes JMP 0000000000020458 .text C:\windows\system32\taskeng.exe[5652] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770bcb10 5 bytes JMP 00000000000204e0 .text C:\windows\system32\taskeng.exe[5652] C:\windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077112530 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5204] C:\windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 0000000077260430 5 bytes JMP 000000006feb30e0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5204] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000772605a8 5 bytes JMP 000000006feb2360 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5204] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007726076c 5 bytes JMP 000000006feb21f0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5204] C:\windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077260800 5 bytes JMP 000000006feb27a0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5204] C:\windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000772608cc 5 bytes JMP 000000006feb2650 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5204] C:\windows\SysWOW64\ntdll.dll!NtResumeThread 00000000772609c0 5 bytes JMP 000000006feb2520 .text C:\Program Files 
(x86)\AVG\Framework\Common\avguix.exe[5204] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000772610f4 5 bytes JMP 000000006feb28e0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5204] C:\windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000772611cc 5 bytes JMP 000000006feb2b70 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5204] C:\windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077261274 5 bytes JMP 000000006feb2e00 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5204] C:\windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000772619d0 5 bytes JMP 000000006feb2a30 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5204] C:\windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077261a48 5 bytes JMP 000000006feb2cc0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5204] C:\windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 0000000077279a5f 5 bytes JMP 000000006feb2f80 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5204] C:\windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 00000000773008b9 5 bytes JMP 000000006feb2e90 .text C:\Program Files (x86)\AVG\Av\avgui.exe[5408] C:\windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000770940c0 5 bytes JMP 00000000000205f0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[5408] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00000000770bbcc0 5 bytes JMP 0000000000020678 .text C:\Program Files (x86)\AVG\Av\avgui.exe[5408] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770bbdb0 5 bytes JMP 00000000000200a0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[5408] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770bbed0 5 bytes JMP 0000000000020018 .text C:\Program Files (x86)\AVG\Av\avgui.exe[5408] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770bbf30 5 bytes JMP 00000000000203d0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[5408] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770bbfb0 5 bytes JMP 00000000000201b0 
.text C:\Program Files (x86)\AVG\Av\avgui.exe[5408] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000770bc050 5 bytes JMP 0000000000020128 .text C:\Program Files (x86)\AVG\Av\avgui.exe[5408] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770bc500 5 bytes JMP 0000000000020238 .text C:\Program Files (x86)\AVG\Av\avgui.exe[5408] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770bc590 5 bytes JMP 00000000000202c0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[5408] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000770bc600 5 bytes JMP 0000000000020348 .text C:\Program Files (x86)\AVG\Av\avgui.exe[5408] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770bcac0 5 bytes JMP 0000000000020458 .text C:\Program Files (x86)\AVG\Av\avgui.exe[5408] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770bcb10 5 bytes JMP 00000000000204e0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[5408] C:\windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077112530 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtClose 0000000077260338 5 bytes JMP 0000000066281370 .text C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtQueryObject 0000000077260350 3 bytes JMP 000000006626cf00 .text C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtQueryObject + 4 0000000077260354 1 byte [EF] .text C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtQueryInformationFile 0000000077260368 5 bytes JMP 0000000066281430 .text C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtOpenKey 0000000077260380 3 bytes JMP 000000006626cbe0 .text C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtOpenKey + 4 0000000077260384 1 byte [EF] .text C:\Program 
Files (x86)\Microsoft Office\root\Office16\msoia.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtEnumerateValueKey 0000000077260398 3 bytes JMP 000000006626d000 .text C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtEnumerateValueKey + 4 000000007726039c 1 byte [EF] .text C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtQueryKey 00000000772603e8 3 bytes JMP 000000006626ceb0 .text C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtQueryKey + 4 00000000772603ec 1 byte [EF] .text C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtQueryValueKey 0000000077260400 3 bytes JMP 000000006626cfa0 .text C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtQueryValueKey + 4 0000000077260404 1 byte [EF] .text C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 0000000077260430 5 bytes JMP 000000006feb30e0 .text C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtCreateKey 0000000077260498 3 bytes JMP 000000006626cd90 .text C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtCreateKey + 4 000000007726049c 1 byte [EF] .text C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtSetInformationFile 0000000077260590 5 bytes JMP 0000000066281350 .text C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000772605a8 5 bytes JMP 000000006feb2360 .text C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtEnumerateKey 00000000772606a4 3 bytes JMP 000000006626ce50 .text C:\Program Files (x86)\Microsoft 
Office\root\Office16\msoia.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtEnumerateKey + 4 00000000772606a8 1 byte [EF] .text C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 00000000772606bc 5 bytes JMP 00000000662811e0 .text C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtQueryDirectoryFile 00000000772606f0 5 bytes JMP 00000000662812e0 .text C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007726076c 5 bytes JMP 000000006feb21f0 .text C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007726079c 3 bytes JMP 000000006626d320 .text C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtDuplicateObject + 4 00000000772607a0 1 byte [EF] .text C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtQueryAttributesFile 00000000772607b4 5 bytes JMP 0000000066281260 .text C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077260800 5 bytes JMP 000000006feb27a0 .text C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000772608cc 5 bytes JMP 000000006feb2650 .text C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtResumeThread 00000000772609c0 5 bytes JMP 000000006feb2520 .text C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077260a0c 5 bytes JMP 0000000066281170 .text C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtSetValueKey 0000000077260b1c 3 bytes JMP 000000006626d060 .text C:\Program Files (x86)\Microsoft 
Office\root\Office16\msoia.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtSetValueKey + 4 0000000077260b20 1 byte [EF] .text C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtCreateKeyTransacted 00000000772610ac 3 bytes JMP 000000006626cdf0 .text C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtCreateKeyTransacted + 4 00000000772610b0 1 byte [EF] .text C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000772610f4 5 bytes JMP 000000006feb28e0 .text C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000772611cc 5 bytes JMP 000000006feb2b70 .text C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077261274 5 bytes JMP 000000006feb2e00 .text C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtDeleteFile 000000007726133c 5 bytes JMP 0000000066281220 .text C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtDeleteKey 0000000077261354 3 bytes JMP 000000006626cd10 .text C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtDeleteKey + 4 0000000077261358 1 byte [EF] .text C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtDeleteValueKey 000000007726139c 3 bytes JMP 000000006626d0c0 .text C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4 00000000772613a0 1 byte [EF] .text C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtFlushKey 00000000772614d8 3 bytes JMP 000000006626cd50 .text C:\Program Files (x86)\Microsoft 
Office\root\Office16\msoia.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtFlushKey + 4 00000000772614dc 1 byte [EF] .text C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtNotifyChangeKey 00000000772618c8 3 bytes JMP 000000006626d1a0 .text C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtNotifyChangeKey + 4 00000000772618cc 1 byte [EF] .text C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772618e0 3 bytes JMP 000000006626d210 .text C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtNotifyChangeMultipleKeys + 4 00000000772618e4 1 byte [EF] .text C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtOpenKeyEx 0000000077261970 3 bytes JMP 000000006626cc20 .text C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtOpenKeyEx + 4 0000000077261974 1 byte [EF] .text C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtOpenKeyTransacted 0000000077261988 3 bytes JMP 000000006626ccc0 .text C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtOpenKeyTransacted + 4 000000007726198c 1 byte [EF] .text C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtOpenKeyTransactedEx 00000000772619a0 3 bytes JMP 000000006626cc70 .text C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtOpenKeyTransactedEx + 4 00000000772619a4 1 byte [EF] .text C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000772619d0 5 bytes JMP 000000006feb2a30 .text C:\Program Files (x86)\Microsoft 
Office\root\Office16\msoia.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077261a48 5 bytes JMP 000000006feb2cc0 .text C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile 0000000077261c94 5 bytes JMP 00000000662812a0 .text C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtQueryMultipleValueKey 0000000077261dd4 3 bytes JMP 000000006626d140 .text C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtQueryMultipleValueKey + 4 0000000077261dd8 1 byte [EF] .text C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtQuerySecurityObject 0000000077261e80 3 bytes JMP 000000006626d290 .text C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtQuerySecurityObject + 4 0000000077261e84 1 byte [EF] .text C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtRenameKey 0000000077262070 3 bytes JMP 000000006626d100 .text C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtRenameKey + 4 0000000077262074 1 byte [EF] .text C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtSetInformationKey 00000000772623b0 3 bytes JMP 000000006626cf50 .text C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtSetInformationKey + 4 00000000772623b4 1 byte [EF] .text C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtSetSecurityObject 00000000772624f4 3 bytes JMP 000000006626d2e0 .text C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe[4988] C:\windows\SysWOW64\ntdll.dll!NtSetSecurityObject + 4 00000000772624f8 1 byte [EF] .text C:\Program Files (x86)\Microsoft 
Office\root\Office16\msoia.exe[4988] C:\windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 0000000077279a5f 5 bytes JMP 000000006feb2f80 .text C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe[4988] C:\windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 00000000773008b9 5 bytes JMP 000000006feb2e90 .text C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe[4988] C:\windows\syswow64\kernel32.dll!CreateProcessW 0000000074db103d 5 bytes JMP 000000006624c830 .text C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe[4988] C:\windows\syswow64\kernel32.dll!CreateProcessA 0000000074db1072 5 bytes JMP 000000006624c880 .text C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe[4988] C:\windows\syswow64\kernel32.dll!CreateActCtxW 0000000074db920f 5 bytes JMP 00000000662813f0 .text C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe[4988] C:\windows\syswow64\kernel32.dll!CreateActCtxA 0000000074dd9468 5 bytes JMP 00000000662813b0 .text C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe[4988] C:\windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000074ddc9f5 5 bytes JMP 000000006624c8d0 .text C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe[4988] C:\windows\syswow64\kernel32.dll!WinExec 0000000074e331f9 5 bytes JMP 000000006624c970 .text C:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe[6092] C:\windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000770940c0 5 bytes JMP 00000000000205f0 .text C:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe[6092] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00000000770bbcc0 5 bytes JMP 0000000000020678 .text C:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe[6092] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770bbdb0 5 bytes JMP 00000000000200a0 .text C:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe[6092] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770bbed0 5 bytes 
JMP 0000000000020018 .text C:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe[6092] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770bbf30 5 bytes JMP 00000000000203d0 .text C:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe[6092] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770bbfb0 5 bytes JMP 00000000000201b0 .text C:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe[6092] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000770bc050 5 bytes JMP 0000000000020128 .text C:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe[6092] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770bc500 5 bytes JMP 0000000000020238 .text C:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe[6092] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770bc590 5 bytes JMP 00000000000202c0 .text C:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe[6092] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000770bc600 5 bytes JMP 0000000000020348 .text C:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe[6092] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770bcac0 5 bytes JMP 0000000000020458 .text C:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe[6092] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770bcb10 5 bytes JMP 00000000000204e0 .text C:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe[6092] C:\windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077112530 5 bytes JMP 0000000000020568 .text C:\windows\system32\wuauclt.exe[6304] C:\windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000770940c0 5 bytes JMP 00000000000205f0 .text C:\windows\system32\wuauclt.exe[6304] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00000000770bbcc0 5 bytes JMP 0000000000020678 .text C:\windows\system32\wuauclt.exe[6304] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770bbdb0 5 bytes JMP 00000000000200a0 .text C:\windows\system32\wuauclt.exe[6304] 
C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770bbed0 5 bytes JMP 0000000000020018 .text C:\windows\system32\wuauclt.exe[6304] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770bbf30 5 bytes JMP 00000000000203d0 .text C:\windows\system32\wuauclt.exe[6304] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770bbfb0 5 bytes JMP 00000000000201b0 .text C:\windows\system32\wuauclt.exe[6304] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000770bc050 5 bytes JMP 0000000000020128 .text C:\windows\system32\wuauclt.exe[6304] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770bc500 5 bytes JMP 0000000000020238 .text C:\windows\system32\wuauclt.exe[6304] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770bc590 5 bytes JMP 00000000000202c0 .text C:\windows\system32\wuauclt.exe[6304] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000770bc600 5 bytes JMP 0000000000020348 .text C:\windows\system32\wuauclt.exe[6304] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770bcac0 5 bytes JMP 0000000000020458 .text C:\windows\system32\wuauclt.exe[6304] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770bcb10 5 bytes JMP 00000000000204e0 .text C:\windows\system32\wuauclt.exe[6304] C:\windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077112530 5 bytes JMP 0000000000020568 .text C:\windows\SysWOW64\RunDll32.exe[7144] C:\windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 0000000077260430 5 bytes JMP 000000006feb30e0 .text C:\windows\SysWOW64\RunDll32.exe[7144] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000772605a8 5 bytes JMP 000000006feb2360 .text C:\windows\SysWOW64\RunDll32.exe[7144] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007726076c 5 bytes JMP 000000006feb21f0 .text C:\windows\SysWOW64\RunDll32.exe[7144] C:\windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077260800 5 bytes JMP 000000006feb27a0 .text C:\windows\SysWOW64\RunDll32.exe[7144] C:\windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000772608cc 5 bytes JMP 
000000006feb2650 .text C:\windows\SysWOW64\RunDll32.exe[7144] C:\windows\SysWOW64\ntdll.dll!NtResumeThread 00000000772609c0 5 bytes JMP 000000006feb2520 .text C:\windows\SysWOW64\RunDll32.exe[7144] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000772610f4 5 bytes JMP 000000006feb28e0 .text C:\windows\SysWOW64\RunDll32.exe[7144] C:\windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000772611cc 5 bytes JMP 000000006feb2b70 .text C:\windows\SysWOW64\RunDll32.exe[7144] C:\windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077261274 5 bytes JMP 000000006feb2e00 .text C:\windows\SysWOW64\RunDll32.exe[7144] C:\windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000772619d0 5 bytes JMP 000000006feb2a30 .text C:\windows\SysWOW64\RunDll32.exe[7144] C:\windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077261a48 5 bytes JMP 000000006feb2cc0 .text C:\windows\SysWOW64\RunDll32.exe[7144] C:\windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 0000000077279a5f 5 bytes JMP 000000006feb2f80 .text C:\windows\SysWOW64\RunDll32.exe[7144] C:\windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 00000000773008b9 5 bytes JMP 000000006feb2e90 .text C:\windows\SysWOW64\RunDll32.exe[7144] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076161401 2 bytes JMP 74ddb263 C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\RunDll32.exe[7144] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076161419 2 bytes JMP 74ddb38e C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\RunDll32.exe[7144] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076161431 2 bytes JMP 74e590f1 C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\RunDll32.exe[7144] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007616144a 2 bytes CALL 74db48ad C:\windows\syswow64\kernel32.dll .text ... 
* 9 .text C:\windows\SysWOW64\RunDll32.exe[7144] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000761614dd 2 bytes JMP 74e589ea C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\RunDll32.exe[7144] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000761614f5 2 bytes JMP 74e58bc0 C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\RunDll32.exe[7144] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007616150d 2 bytes JMP 74e588e0 C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\RunDll32.exe[7144] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076161525 2 bytes JMP 74e58caa C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\RunDll32.exe[7144] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007616153d 2 bytes JMP 74dcfce8 C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\RunDll32.exe[7144] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076161555 2 bytes JMP 74dd6937 C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\RunDll32.exe[7144] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007616156d 2 bytes JMP 74e591a9 C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\RunDll32.exe[7144] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076161585 2 bytes JMP 74e58d0a C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\RunDll32.exe[7144] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007616159d 2 bytes JMP 74e588a4 C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\RunDll32.exe[7144] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000761615b5 2 bytes JMP 74dcfd81 C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\RunDll32.exe[7144] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000761615cd 2 bytes JMP 74ddb324 C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\RunDll32.exe[7144] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 
00000000761616b2 2 bytes JMP 74e5906c C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\RunDll32.exe[7144] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000761616bd 2 bytes JMP 74e58839 C:\windows\syswow64\kernel32.dll .text C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[6620] C:\windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 0000000077260430 5 bytes JMP 000000006feb30e0 .text C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[6620] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000772605a8 5 bytes JMP 000000006feb2360 .text C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[6620] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007726076c 5 bytes JMP 000000006feb21f0 .text C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[6620] C:\windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077260800 5 bytes JMP 000000006feb27a0 .text C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[6620] C:\windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000772608cc 5 bytes JMP 000000006feb2650 .text C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[6620] C:\windows\SysWOW64\ntdll.dll!NtResumeThread 00000000772609c0 5 bytes JMP 000000006feb2520 .text C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[6620] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000772610f4 5 bytes JMP 000000006feb28e0 .text C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[6620] C:\windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000772611cc 5 bytes JMP 000000006feb2b70 .text C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[6620] C:\windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077261274 5 bytes JMP 000000006feb2e00 .text C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[6620] C:\windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000772619d0 5 bytes JMP 000000006feb2a30 .text 
C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[6620] C:\windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077261a48 5 bytes JMP 000000006feb2cc0 .text C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[6620] C:\windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 0000000077279a5f 5 bytes JMP 000000006feb2f80 .text C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[6620] C:\windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 00000000773008b9 5 bytes JMP 000000006feb2e90 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[6952] C:\windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 0000000077260430 5 bytes JMP 000000006feb30e0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[6952] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000772605a8 5 bytes JMP 000000006feb2360 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[6952] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007726076c 5 bytes JMP 000000006feb21f0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[6952] C:\windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077260800 5 bytes JMP 000000006feb27a0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[6952] C:\windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000772608cc 5 bytes JMP 000000006feb2650 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[6952] C:\windows\SysWOW64\ntdll.dll!NtResumeThread 00000000772609c0 5 bytes JMP 000000006feb2520 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[6952] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000772610f4 5 bytes JMP 000000006feb28e0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[6952] C:\windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000772611cc 5 bytes JMP 000000006feb2b70 .text C:\Program Files\Intel\Intel(R) Rapid 
Storage Technology\IAStorIcon.exe[6952] C:\windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077261274 5 bytes JMP 000000006feb2e00 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[6952] C:\windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000772619d0 5 bytes JMP 000000006feb2a30 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[6952] C:\windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077261a48 5 bytes JMP 000000006feb2cc0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[6952] C:\windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 0000000077279a5f 5 bytes JMP 000000006feb2f80 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[6952] C:\windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 00000000773008b9 5 bytes JMP 000000006feb2e90 .text C:\windows\System32\svchost.exe[6480] C:\windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000770940c0 5 bytes JMP 00000000000205f0 .text C:\windows\System32\svchost.exe[6480] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00000000770bbcc0 5 bytes JMP 0000000000020678 .text C:\windows\System32\svchost.exe[6480] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770bbdb0 5 bytes JMP 00000000000200a0 .text C:\windows\System32\svchost.exe[6480] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770bbed0 5 bytes JMP 0000000000020018 .text C:\windows\System32\svchost.exe[6480] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770bbf30 5 bytes JMP 00000000000203d0 .text C:\windows\System32\svchost.exe[6480] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770bbfb0 5 bytes JMP 00000000000201b0 .text C:\windows\System32\svchost.exe[6480] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000770bc050 5 bytes JMP 0000000000020128 .text C:\windows\System32\svchost.exe[6480] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770bc500 5 bytes JMP 0000000000020238 .text 
C:\windows\System32\svchost.exe[6480] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770bc590 5 bytes JMP 00000000000202c0 .text C:\windows\System32\svchost.exe[6480] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000770bc600 5 bytes JMP 0000000000020348 .text C:\windows\System32\svchost.exe[6480] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770bcac0 5 bytes JMP 0000000000020458 .text C:\windows\System32\svchost.exe[6480] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770bcb10 5 bytes JMP 00000000000204e0 .text C:\windows\System32\svchost.exe[6480] C:\windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077112530 5 bytes JMP 0000000000020568 .text C:\windows\system32\ctfmon.exe[6220] C:\windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000770940c0 5 bytes JMP 00000000000205f0 .text C:\windows\system32\ctfmon.exe[6220] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00000000770bbcc0 5 bytes JMP 0000000000020678 .text C:\windows\system32\ctfmon.exe[6220] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770bbdb0 5 bytes JMP 00000000000200a0 .text C:\windows\system32\ctfmon.exe[6220] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770bbed0 5 bytes JMP 0000000000020018 .text C:\windows\system32\ctfmon.exe[6220] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770bbf30 5 bytes JMP 00000000000203d0 .text C:\windows\system32\ctfmon.exe[6220] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770bbfb0 5 bytes JMP 00000000000201b0 .text C:\windows\system32\ctfmon.exe[6220] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000770bc050 5 bytes JMP 0000000000020128 .text C:\windows\system32\ctfmon.exe[6220] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770bc500 5 bytes JMP 0000000000020238 .text C:\windows\system32\ctfmon.exe[6220] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770bc590 5 bytes JMP 00000000000202c0 .text C:\windows\system32\ctfmon.exe[6220] 
C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000770bc600 5 bytes JMP 0000000000020348 .text C:\windows\system32\ctfmon.exe[6220] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770bcac0 5 bytes JMP 0000000000020458 .text C:\windows\system32\ctfmon.exe[6220] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770bcb10 5 bytes JMP 00000000000204e0 .text C:\windows\system32\ctfmon.exe[6220] C:\windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077112530 5 bytes JMP 0000000000020568 .text C:\windows\system32\taskeng.exe[7732] C:\windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000770940c0 5 bytes JMP 00000000000205f0 .text C:\windows\system32\taskeng.exe[7732] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00000000770bbcc0 5 bytes JMP 0000000000020678 .text C:\windows\system32\taskeng.exe[7732] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770bbdb0 5 bytes JMP 00000000000200a0 .text C:\windows\system32\taskeng.exe[7732] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770bbed0 5 bytes JMP 0000000000020018 .text C:\windows\system32\taskeng.exe[7732] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770bbf30 5 bytes JMP 00000000000203d0 .text C:\windows\system32\taskeng.exe[7732] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770bbfb0 5 bytes JMP 00000000000201b0 .text C:\windows\system32\taskeng.exe[7732] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000770bc050 5 bytes JMP 0000000000020128 .text C:\windows\system32\taskeng.exe[7732] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770bc500 5 bytes JMP 0000000000020238 .text C:\windows\system32\taskeng.exe[7732] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770bc590 5 bytes JMP 00000000000202c0 .text C:\windows\system32\taskeng.exe[7732] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000770bc600 5 bytes JMP 0000000000020348 .text C:\windows\system32\taskeng.exe[7732] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770bcac0 5 
bytes JMP 0000000000020458 .text C:\windows\system32\taskeng.exe[7732] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770bcb10 5 bytes JMP 00000000000204e0 .text C:\windows\system32\taskeng.exe[7732] C:\windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077112530 5 bytes JMP 0000000000020568 .text C:\Users\Marcin\Downloads\zqx1n4s8.exe[6236] C:\windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 0000000077260430 5 bytes JMP 000000006feb30e0 .text C:\Users\Marcin\Downloads\zqx1n4s8.exe[6236] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000772605a8 5 bytes JMP 000000006feb2360 .text C:\Users\Marcin\Downloads\zqx1n4s8.exe[6236] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007726076c 5 bytes JMP 000000006feb21f0 .text C:\Users\Marcin\Downloads\zqx1n4s8.exe[6236] C:\windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077260800 5 bytes JMP 000000006feb27a0 .text C:\Users\Marcin\Downloads\zqx1n4s8.exe[6236] C:\windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000772608cc 5 bytes JMP 000000006feb2650 .text C:\Users\Marcin\Downloads\zqx1n4s8.exe[6236] C:\windows\SysWOW64\ntdll.dll!NtResumeThread 00000000772609c0 5 bytes JMP 000000006feb2520 .text C:\Users\Marcin\Downloads\zqx1n4s8.exe[6236] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000772610f4 5 bytes JMP 000000006feb28e0 .text C:\Users\Marcin\Downloads\zqx1n4s8.exe[6236] C:\windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000772611cc 5 bytes JMP 000000006feb2b70 .text C:\Users\Marcin\Downloads\zqx1n4s8.exe[6236] C:\windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077261274 5 bytes JMP 000000006feb2e00 .text C:\Users\Marcin\Downloads\zqx1n4s8.exe[6236] C:\windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000772619d0 5 bytes JMP 000000006feb2a30 .text C:\Users\Marcin\Downloads\zqx1n4s8.exe[6236] C:\windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077261a48 5 bytes JMP 000000006feb2cc0 .text C:\Users\Marcin\Downloads\zqx1n4s8.exe[6236] C:\windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 
0000000077279a5f 5 bytes JMP 000000006feb2f80 .text C:\Users\Marcin\Downloads\zqx1n4s8.exe[6236] C:\windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 00000000773008b9 5 bytes JMP 000000006feb2e90 ---- User IAT/EAT - GMER 2.2 ---- IAT C:\windows\system32\SearchIndexer.exe[4144] @ C:\windows\System32\NLSData0009.dll[msvcrt.dll!__mb_cur_max] [3049304930493049] IAT C:\windows\system32\SearchIndexer.exe[4144] @ C:\windows\System32\NLSData0009.dll[msvcrt.dll!isleadbyte] [3049304930493049] IAT C:\windows\system32\SearchIndexer.exe[4144] @ C:\windows\System32\NLSData0009.dll[msvcrt.dll!isxdigit] [3049304930493049] IAT C:\windows\system32\SearchIndexer.exe[4144] @ C:\windows\System32\NLSData0009.dll[msvcrt.dll!localeconv] [0] IAT C:\windows\system32\SearchIndexer.exe[4144] @ C:\windows\System32\NLSData0009.dll[msvcrt.dll!wctomb] [3049304930493049] IAT C:\windows\system32\SearchIndexer.exe[4144] @ C:\windows\System32\NLSData0009.dll[msvcrt.dll!mbtowc] [0] IAT C:\windows\system32\SearchIndexer.exe[4144] @ C:\windows\System32\NLSData0009.dll[msvcrt.dll!iswctype] [0] IAT C:\windows\system32\SearchIndexer.exe[4144] @ C:\windows\System32\NLSData0009.dll[msvcrt.dll!wcstombs] [304930490000] IAT C:\windows\system32\SearchIndexer.exe[4144] @ C:\windows\System32\NLSData0009.dll[msvcrt.dll!__badioinfo] [0] IAT C:\windows\system32\SearchIndexer.exe[4144] @ C:\windows\System32\NLSData0009.dll[msvcrt.dll!__pioinfo] [0] IAT C:\windows\system32\SearchIndexer.exe[4144] @ C:\windows\System32\NLSData0009.dll[msvcrt.dll!_read] [3049000000000000] IAT C:\windows\system32\SearchIndexer.exe[4144] @ C:\windows\System32\NLSData0009.dll[msvcrt.dll!ungetc] [304930490000] IAT C:\windows\system32\SearchIndexer.exe[4144] @ C:\windows\System32\NLSData0009.dll[msvcrt.dll!isdigit] [304a304a30493049] IAT C:\windows\system32\SearchIndexer.exe[4144] @ C:\windows\System32\NLSData0009.dll[msvcrt.dll!calloc] [304a304a304a304a] IAT C:\windows\system32\SearchIndexer.exe[4144] @ 
C:\windows\System32\NLSData0009.dll[msvcrt.dll!memcpy] [304a304a304a304a] IAT C:\windows\system32\SearchIndexer.exe[4144] @ C:\windows\System32\NLSData0009.dll[msvcrt.dll!?terminate@@YAXXZ] [304a304a] IAT C:\windows\system32\SearchIndexer.exe[4144] @ C:\windows\System32\NLSData0009.dll[msvcrt.dll!_onexit] [304a304a00000000] IAT C:\windows\system32\SearchIndexer.exe[4144] @ C:\windows\System32\NLSData0009.dll[msvcrt.dll!_lock] [304a304a304a304a] IAT C:\windows\system32\SearchIndexer.exe[4144] @ C:\windows\System32\NLSData0009.dll[msvcrt.dll!__dllonexit] [304a304a304a304a] IAT C:\windows\system32\SearchIndexer.exe[4144] @ C:\windows\System32\NLSData0009.dll[msvcrt.dll!_unlock] [304a0000304a304a] IAT C:\windows\system32\SearchIndexer.exe[4144] @ C:\windows\System32\NLSData0009.dll[msvcrt.dll!??1type_info@@UEAA@XZ] [304a] IAT C:\windows\system32\SearchIndexer.exe[4144] @ C:\windows\System32\NLSData0009.dll[msvcrt.dll!_amsg_exit] [304a0000] IAT C:\windows\system32\SearchIndexer.exe[4144] @ C:\windows\System32\NLSData0009.dll[msvcrt.dll!_initterm] [304a000000000000] IAT C:\windows\system32\SearchIndexer.exe[4144] @ C:\windows\System32\NLSData0009.dll[msvcrt.dll!_XcptFilter] [304a304a0000304a] IAT C:\windows\system32\SearchIndexer.exe[4144] @ C:\windows\System32\NLSData0009.dll[msvcrt.dll!_resetstkoflw] [304b0000304b304b] IAT C:\windows\system32\SearchIndexer.exe[4144] @ C:\windows\System32\NLSData0009.dll[msvcrt.dll!?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z] [304b304b304b] IAT C:\windows\system32\SearchIndexer.exe[4144] @ C:\windows\System32\NLSData0009.dll[msvcrt.dll!_errno] [304b304b00000000] IAT C:\windows\system32\SearchIndexer.exe[4144] @ C:\windows\System32\NLSData0009.dll[msvcrt.dll!__CxxFrameHandler] [304b304b304b304b] IAT C:\windows\system32\SearchIndexer.exe[4144] @ C:\windows\System32\NLSData0009.dll[msvcrt.dll!_iob] [304b304b304b304b] IAT C:\windows\system32\SearchIndexer.exe[4144] @ 
[3051305100003051]

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0c6076fc1a13
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\642737c67919
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\642737c67919@a04e04ec35d7 0x3F 0x9E 0x28 0x97 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\642737c67919@e4b02127e67b 0x1D 0xB8 0x04 0xA8 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\642737c67919@2054769ebb62 0x12 0xE1 0x44 0xC2 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\642737c67919@3039263f8ce9 0x35 0x02 0x0B 0x32 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\642737c67919@30a8db597890 0x3F 0x6D 0x27 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0c6076fc1a13 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\642737c67919 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\642737c67919@a04e04ec35d7 0x3F 0x9E 0x28 0x97 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\642737c67919@e4b02127e67b 0x1D 0xB8 0x04 0xA8 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\642737c67919@2054769ebb62 0x12 0xE1 0x44 0xC2 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\642737c67919@3039263f8ce9 0x35 0x02 0x0B 0x32 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\642737c67919@30a8db597890 0x3F 0x6D 0x27 0x00 ...

---- EOF - GMER 2.2 ----