GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-10-24 13:36:50 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1 ST1000DM003-9YN162 rev.CC4H 931,51GB Running: n8e8lq1t.exe; Driver: C:\Users\Cairalan\AppData\Local\Temp\fflcrpoc.sys ---- User code sections - GMER 2.2 ---- .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2364] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000766e1401 2 bytes JMP 754cb233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2364] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000766e1419 2 bytes JMP 754cb35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2364] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000766e1431 2 bytes JMP 75549149 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2364] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000766e144a 2 bytes CALL 754a4885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2364] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000766e14dd 2 bytes JMP 75548a42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2364] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000766e14f5 2 bytes JMP 75548c18 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2364] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000766e150d 2 bytes JMP 75548938 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2364] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000766e1525 2 bytes JMP 75548d02 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2364] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000766e153d 2 bytes JMP 754bfcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2364] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000766e1555 2 bytes JMP 754c6907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2364] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000766e156d 2 bytes JMP 75549201 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2364] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000766e1585 2 bytes JMP 75548d62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2364] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000766e159d 2 bytes JMP 755488fc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2364] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000766e15b5 2 bytes JMP 754bfd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2364] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000766e15cd 2 bytes JMP 754cb2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2364] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000766e16b2 2 bytes JMP 755490c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2364] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000766e16bd 2 bytes JMP 75548891 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Logitech\Gaming Software\LWEMon.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000779240c0 5 bytes JMP 00000000000205f0 .text C:\Program Files\Logitech\Gaming Software\LWEMon.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007794bcc0 5 bytes JMP 0000000000020678 .text C:\Program Files\Logitech\Gaming Software\LWEMon.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007794bdb0 5 bytes JMP 00000000000200a0 .text C:\Program Files\Logitech\Gaming Software\LWEMon.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007794bed0 5 bytes JMP 0000000000020018 .text C:\Program Files\Logitech\Gaming Software\LWEMon.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007794bf30 5 bytes JMP 00000000000203d0 .text C:\Program Files\Logitech\Gaming Software\LWEMon.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007794bfb0 5 bytes JMP 00000000000201b0 .text C:\Program Files\Logitech\Gaming Software\LWEMon.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007794c050 5 bytes JMP 0000000000020128 .text C:\Program Files\Logitech\Gaming Software\LWEMon.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007794c500 5 bytes JMP 0000000000020238 .text C:\Program Files\Logitech\Gaming Software\LWEMon.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007794c590 5 bytes JMP 00000000000202c0 .text C:\Program Files\Logitech\Gaming Software\LWEMon.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007794c600 5 bytes JMP 0000000000020348 .text C:\Program Files\Logitech\Gaming Software\LWEMon.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007794cac0 5 bytes JMP 0000000000020458 .text C:\Program Files\Logitech\Gaming Software\LWEMon.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007794cb10 5 bytes JMP 00000000000204e0 .text C:\Program Files\Logitech\Gaming Software\LWEMon.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000779a2530 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000779240c0 5 bytes JMP 00000000000205f0 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007794bcc0 5 bytes JMP 0000000000020678 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007794bdb0 5 bytes JMP 00000000000200a0 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007794bed0 5 bytes JMP 0000000000020018 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007794bf30 5 bytes JMP 00000000000203d0 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007794bfb0 5 bytes JMP 00000000000201b0 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007794c050 5 bytes JMP 0000000000020128 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007794c500 5 bytes JMP 0000000000020238 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007794c590 5 bytes JMP 00000000000202c0 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007794c600 5 bytes JMP 0000000000020348 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007794cac0 5 bytes JMP 0000000000020458 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007794cb10 5 bytes JMP 00000000000204e0 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000779a2530 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000779240c0 5 bytes JMP 00000000000205f0 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007794bcc0 5 bytes JMP 0000000000020678 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007794bdb0 5 bytes JMP 00000000000200a0 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007794bed0 5 bytes JMP 0000000000020018 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007794bf30 5 bytes JMP 00000000000203d0 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007794bfb0 5 bytes JMP 00000000000201b0 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007794c050 5 bytes JMP 0000000000020128 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007794c500 5 bytes JMP 0000000000020238 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007794c590 5 bytes JMP 00000000000202c0 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007794c600 5 bytes JMP 0000000000020348 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007794cac0 5 bytes JMP 0000000000020458 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007794cb10 5 bytes JMP 00000000000204e0 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000779a2530 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3508] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 0000000077affae8 5 bytes JMP 000000006dd130e0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3508] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077affc60 5 bytes JMP 000000006dd12360 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3508] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077affe24 5 bytes JMP 000000006dd121f0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3508] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077affeb8 5 bytes JMP 000000006dd127a0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3508] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077afff84 5 bytes JMP 000000006dd12650 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3508] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077b00078 5 bytes JMP 000000006dd12520 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3508] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077b007ac 5 bytes JMP 000000006dd128e0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3508] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077b00884 5 bytes JMP 000000006dd12b70 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3508] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077b0092c 5 bytes JMP 000000006dd12e00 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3508] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077b01088 5 bytes JMP 000000006dd12a30 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3508] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077b01100 5 bytes JMP 000000006dd12cc0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3508] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 0000000077b1911f 5 bytes JMP 000000006dd12f80 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3508] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 0000000077b9ff31 5 bytes JMP 000000006dd12e90 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3508] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076462bdc 5 bytes JMP 0000000000888c60 .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000779240c0 5 bytes JMP 00000000000205f0 .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007794bcc0 5 bytes JMP 0000000000020678 .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007794bdb0 5 bytes JMP 00000000000200a0 .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007794bed0 5 bytes JMP 0000000000020018 .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007794bf30 5 bytes JMP 00000000000203d0 .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007794bfb0 5 bytes JMP 00000000000201b0 .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007794c050 5 bytes JMP 0000000000020128 .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007794c500 5 bytes JMP 0000000000020238 .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007794c590 5 bytes JMP 00000000000202c0 .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007794c600 5 bytes JMP 0000000000020348 .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007794cac0 5 bytes JMP 0000000000020458 .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007794cb10 5 bytes JMP 00000000000204e0 .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000779a2530 5 bytes JMP 0000000000020568 .text C:\Program Files\iTunes\iTunesHelper.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000779240c0 5 bytes JMP 00000000000205f0 .text C:\Program Files\iTunes\iTunesHelper.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007794bcc0 5 bytes JMP 0000000000020678 .text C:\Program Files\iTunes\iTunesHelper.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007794bdb0 5 bytes JMP 00000000000200a0 .text C:\Program Files\iTunes\iTunesHelper.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007794bed0 5 bytes JMP 0000000000020018 .text C:\Program Files\iTunes\iTunesHelper.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007794bf30 5 bytes JMP 00000000000203d0 .text C:\Program Files\iTunes\iTunesHelper.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007794bfb0 5 bytes JMP 00000000000201b0 .text C:\Program Files\iTunes\iTunesHelper.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007794c050 5 bytes JMP 0000000000020128 .text C:\Program Files\iTunes\iTunesHelper.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007794c500 5 bytes JMP 0000000000020238 .text C:\Program Files\iTunes\iTunesHelper.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007794c590 5 bytes JMP 00000000000202c0 .text C:\Program Files\iTunes\iTunesHelper.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007794c600 5 bytes JMP 0000000000020348 .text C:\Program Files\iTunes\iTunesHelper.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007794cac0 5 bytes JMP 0000000000020458 .text C:\Program Files\iTunes\iTunesHelper.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007794cb10 5 bytes JMP 00000000000204e0 .text C:\Program Files\iTunes\iTunesHelper.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000779a2530 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3624] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 0000000077affae8 5 bytes JMP 000000006dd130e0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3624] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077affc60 5 bytes JMP 000000006dd12360 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3624] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077affe24 5 bytes JMP 000000006dd121f0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3624] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077affeb8 5 bytes JMP 000000006dd127a0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3624] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077afff84 5 bytes JMP 000000006dd12650 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3624] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077b00078 5 bytes JMP 000000006dd12520 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3624] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077b007ac 5 bytes JMP 000000006dd128e0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3624] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077b00884 5 bytes JMP 000000006dd12b70 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3624] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077b0092c 5 bytes JMP 000000006dd12e00 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3624] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077b01088 5 bytes JMP 000000006dd12a30 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3624] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077b01100 5 bytes JMP 000000006dd12cc0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3624] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 0000000077b1911f 5 bytes JMP 000000006dd12f80 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3624] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 0000000077b9ff31 5 bytes JMP 000000006dd12e90 .text C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3820] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 0000000077affae8 5 bytes JMP 000000006dd130e0 .text C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3820] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077affc60 5 bytes JMP 000000006dd12360 .text C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3820] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077affe24 5 bytes JMP 000000006dd121f0 .text C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3820] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077affeb8 5 bytes JMP 000000006dd127a0 .text C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3820] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077afff84 5 bytes JMP 000000006dd12650 .text C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3820] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077b00078 5 bytes JMP 000000006dd12520 .text C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3820] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077b007ac 5 bytes JMP 000000006dd128e0 .text C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3820] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077b00884 5 bytes JMP 000000006dd12b70 .text C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3820] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077b0092c 5 bytes JMP 000000006dd12e00 .text C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3820] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077b01088 5 bytes JMP 000000006dd12a30 .text C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3820] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077b01100 5 bytes JMP 000000006dd12cc0 .text C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3820] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 0000000077b1911f 5 bytes JMP 000000006dd12f80 .text C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3820] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 0000000077b9ff31 5 bytes JMP 000000006dd12e90 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4036] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 0000000077affae8 5 bytes JMP 000000006dd130e0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4036] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077affc60 5 bytes JMP 000000006dd12360 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4036] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077affe24 5 bytes JMP 000000006dd121f0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4036] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077affeb8 5 bytes JMP 000000006dd127a0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4036] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077afff84 5 bytes JMP 000000006dd12650 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4036] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077b00078 5 bytes JMP 000000006dd12520 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4036] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077b007ac 5 bytes JMP 000000006dd128e0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4036] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077b00884 5 bytes JMP 000000006dd12b70 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4036] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077b0092c 5 bytes JMP 000000006dd12e00 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4036] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077b01088 5 bytes JMP 000000006dd12a30 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4036] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077b01100 5 bytes JMP 000000006dd12cc0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4036] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 0000000077b1911f 5 bytes JMP 000000006dd12f80 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4036] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 0000000077b9ff31 5 bytes JMP 000000006dd12e90 .text C:\Program Files (x86)\Creative\Sound Blaster Z-Series\Sound Blaster Z-Series Control Panel\SBZ.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 0000000077affae8 5 bytes JMP 000000006dd130e0 .text C:\Program Files (x86)\Creative\Sound Blaster Z-Series\Sound Blaster Z-Series Control Panel\SBZ.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077affc60 5 bytes JMP 000000006dd12360 .text C:\Program Files (x86)\Creative\Sound Blaster Z-Series\Sound Blaster Z-Series Control Panel\SBZ.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077affe24 5 bytes JMP 000000006dd121f0 .text C:\Program Files (x86)\Creative\Sound Blaster Z-Series\Sound Blaster Z-Series Control Panel\SBZ.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077affeb8 5 bytes JMP 000000006dd127a0 .text C:\Program Files (x86)\Creative\Sound Blaster Z-Series\Sound Blaster Z-Series Control Panel\SBZ.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077afff84 5 bytes JMP 000000006dd12650 .text C:\Program Files (x86)\Creative\Sound Blaster Z-Series\Sound Blaster Z-Series Control Panel\SBZ.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077b00078 5 bytes JMP 000000006dd12520 .text C:\Program Files (x86)\Creative\Sound Blaster Z-Series\Sound Blaster Z-Series Control Panel\SBZ.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077b007ac 5 bytes JMP 000000006dd128e0 .text C:\Program Files (x86)\Creative\Sound Blaster Z-Series\Sound Blaster Z-Series Control Panel\SBZ.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077b00884 5 bytes JMP 000000006dd12b70 .text C:\Program Files (x86)\Creative\Sound Blaster Z-Series\Sound Blaster Z-Series Control Panel\SBZ.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077b0092c 5 bytes JMP 000000006dd12e00 .text C:\Program Files (x86)\Creative\Sound Blaster Z-Series\Sound Blaster Z-Series Control Panel\SBZ.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077b01088 5 bytes JMP 000000006dd12a30 .text C:\Program Files (x86)\Creative\Sound Blaster Z-Series\Sound Blaster Z-Series Control Panel\SBZ.exe[3664] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077b01100 5 bytes JMP 000000006dd12cc0 .text C:\Program Files (x86)\Creative\Sound Blaster Z-Series\Sound Blaster Z-Series Control Panel\SBZ.exe[3664] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 0000000077b1911f 5 bytes JMP 000000006dd12f80 .text C:\Program Files (x86)\Creative\Sound Blaster Z-Series\Sound Blaster Z-Series Control Panel\SBZ.exe[3664] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 0000000077b9ff31 5 bytes JMP 000000006dd12e90 .text C:\Program Files (x86)\Creative\Sound Blaster Z-Series\Sound Blaster Z-Series Control Panel\SBZ.exe[3664] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathW + 4 0000000074ea13b0 2 bytes JMP 756e55f8 C:\Windows\syswow64\shell32.dll .text C:\Program Files (x86)\Creative\Sound Blaster Z-Series\Sound Blaster Z-Series Control Panel\SBZ.exe[3664] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathW + 20 0000000074ea13c0 2 bytes CALL 77139cee C:\Windows\syswow64\msvcrt.dll .text ... * 20 .text C:\Program Files (x86)\Creative\Sound Blaster Z-Series\Sound Blaster Z-Series Control Panel\SBZ.exe[3664] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathA + 22 0000000074ea153e 2 bytes CALL 75777774 C:\Windows\syswow64\shell32.dll .text C:\Program Files (x86)\Creative\Sound Blaster Z-Series\Sound Blaster Z-Series Control Panel\SBZ.exe[3664] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathA + 43 0000000074ea1553 2 bytes CALL 754a10ff C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000779240c0 5 bytes JMP 00000000000205f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007794bcc0 5 bytes JMP 0000000000020678 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007794bdb0 5 bytes JMP 00000000000200a0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007794bed0 5 bytes JMP 0000000000020018 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007794bf30 5 bytes JMP 00000000000203d0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007794bfb0 5 bytes JMP 00000000000201b0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007794c050 5 bytes JMP 0000000000020128 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007794c500 5 bytes JMP 0000000000020238 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007794c590 5 bytes JMP 00000000000202c0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007794c600 5 bytes JMP 0000000000020348 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007794cac0 5 bytes JMP 0000000000020458 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007794cb10 5 bytes JMP 00000000000204e0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000779a2530 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[3768] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 0000000077affae8 5 bytes JMP 000000006dd130e0 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[3768] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077affc60 5 bytes JMP 000000006dd12360 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[3768] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077affe24 5 bytes JMP 000000006dd121f0 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[3768] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077affeb8 5 bytes JMP 000000006dd127a0 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[3768] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077afff84 5 bytes JMP 000000006dd12650 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[3768] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077b00078 5 bytes JMP 000000006dd12520 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[3768] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077b007ac 5 bytes JMP 000000006dd128e0 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[3768] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077b00884 5 bytes JMP 000000006dd12b70 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[3768] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077b0092c 5 bytes JMP 000000006dd12e00 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[3768] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077b01088 5 bytes JMP 000000006dd12a30 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[3768] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077b01100 5 bytes JMP 000000006dd12cc0 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[3768] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 0000000077b1911f 5 bytes JMP 000000006dd12f80 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[3768] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 0000000077b9ff31 5 bytes JMP 000000006dd12e90 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[3768] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000766e1401 2 bytes JMP 754cb233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[3768] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000766e1419 2 bytes JMP 754cb35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[3768] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000766e1431 2 bytes JMP 75549149 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[3768] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000766e144a 2 bytes CALL 754a4885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[3768] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000766e14dd 2 bytes JMP 75548a42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[3768] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000766e14f5 2 bytes JMP 75548c18 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[3768] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000766e150d 2 bytes JMP 75548938 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[3768] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000766e1525 2 bytes JMP 75548d02 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[3768] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000766e153d 2 bytes JMP 754bfcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[3768] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000766e1555 2 bytes JMP 754c6907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[3768] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000766e156d 2 bytes JMP 75549201 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[3768] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000766e1585 2 bytes JMP 75548d62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[3768] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000766e159d 2 bytes JMP 755488fc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[3768] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000766e15b5 2 bytes JMP 754bfd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[3768] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000766e15cd 2 bytes JMP 754cb2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[3768] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000766e16b2 2 bytes JMP 755490c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[3768] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000766e16bd 2 bytes JMP 75548891 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\svchost.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000779240c0 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\svchost.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007794bcc0 5 bytes JMP 0000000000020678 .text C:\Windows\system32\svchost.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007794bdb0 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\svchost.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007794bed0 5 bytes JMP 0000000000020018 .text C:\Windows\system32\svchost.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007794bf30 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\svchost.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007794bfb0 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\svchost.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007794c050 5 bytes JMP 0000000000020128 .text C:\Windows\system32\svchost.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007794c500 5 bytes JMP 0000000000020238 .text C:\Windows\system32\svchost.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007794c590 5 bytes JMP 00000000000202c0 .text C:\Windows\system32\svchost.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007794c600 5 bytes JMP 0000000000020348 .text C:\Windows\system32\svchost.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007794cac0 5 bytes JMP 0000000000020458 .text C:\Windows\system32\svchost.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007794cb10 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\svchost.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000779a2530 5 bytes JMP 0000000000020568 .text C:\Windows\system32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000779240c0 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007794bcc0 5 bytes JMP 0000000000020678 .text C:\Windows\system32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007794bdb0 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007794bed0 5 bytes JMP 0000000000020018 .text C:\Windows\system32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007794bf30 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007794bfb0 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007794c050 5 bytes JMP 0000000000020128 .text C:\Windows\system32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007794c500 5 bytes JMP 0000000000020238 .text C:\Windows\system32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007794c590 5 bytes JMP 00000000000202c0 .text C:\Windows\system32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007794c600 5 bytes JMP 0000000000020348 .text C:\Windows\system32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007794cac0 5 bytes JMP 0000000000020458 .text C:\Windows\system32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007794cb10 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000779a2530 5 bytes JMP 0000000000020568 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3212] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000779240c0 5 bytes JMP 00000000000205f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3212] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007794bcc0 5 bytes JMP 0000000000020678 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3212] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007794bdb0 5 bytes JMP 00000000000200a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3212] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007794bed0 5 bytes JMP 0000000000020018 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007794bf30 5 bytes JMP 00000000000203d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007794bfb0 5 bytes JMP 00000000000201b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3212] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007794c050 5 bytes JMP 0000000000020128 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007794c500 5 bytes JMP 0000000000020238 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007794c590 5 bytes JMP 00000000000202c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007794c600 5 bytes JMP 0000000000020348 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007794cac0 5 bytes JMP 0000000000020458 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007794cb10 5 bytes JMP 00000000000204e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3212] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000779a2530 5 bytes JMP 0000000000020568 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000779240c0 5 bytes JMP 00000000000205f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007794bcc0 5 bytes JMP 0000000000020678 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007794bdb0 5 bytes JMP 00000000000200a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007794bed0 5 bytes JMP 0000000000020018 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007794bf30 5 bytes JMP 00000000000203d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007794bfb0 5 bytes JMP 00000000000201b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007794c050 5 bytes JMP 0000000000020128 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007794c500 5 bytes JMP 0000000000020238 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007794c590 5 bytes JMP 00000000000202c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007794c600 5 bytes JMP 0000000000020348 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007794cac0 5 bytes JMP 0000000000020458 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007794cb10 5 bytes JMP 00000000000204e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000779a2530 5 bytes JMP 0000000000020568 .text C:\Windows\system32\SearchIndexer.exe[4452] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000779240c0 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\SearchIndexer.exe[4452] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007794bcc0 5 bytes JMP 0000000000020678 .text C:\Windows\system32\SearchIndexer.exe[4452] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007794bdb0 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\SearchIndexer.exe[4452] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007794bed0 5 bytes JMP 0000000000020018 .text C:\Windows\system32\SearchIndexer.exe[4452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007794bf30 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\SearchIndexer.exe[4452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007794bfb0 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\SearchIndexer.exe[4452] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007794c050 5 bytes JMP 0000000000020128 .text C:\Windows\system32\SearchIndexer.exe[4452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007794c500 5 bytes JMP 0000000000020238 .text C:\Windows\system32\SearchIndexer.exe[4452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007794c590 5 bytes JMP 00000000000202c0 .text C:\Windows\system32\SearchIndexer.exe[4452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007794c600 5 bytes JMP 0000000000020348 .text C:\Windows\system32\SearchIndexer.exe[4452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007794cac0 5 bytes JMP 0000000000020458 .text C:\Windows\system32\SearchIndexer.exe[4452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007794cb10 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\SearchIndexer.exe[4452] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000779a2530 5 bytes JMP 0000000000020568 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[4684] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000779240c0 5 bytes JMP 00000000000205f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[4684] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007794bcc0 5 bytes JMP 0000000000020678 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[4684] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007794bdb0 5 bytes JMP 00000000000200a0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[4684] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007794bed0 5 bytes JMP 0000000000020018 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[4684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007794bf30 5 bytes JMP 00000000000203d0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[4684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007794bfb0 5 bytes JMP 00000000000201b0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[4684] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007794c050 5 bytes JMP 0000000000020128 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[4684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007794c500 5 bytes JMP 0000000000020238 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[4684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007794c590 5 bytes JMP 00000000000202c0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[4684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007794c600 5 bytes JMP 0000000000020348 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[4684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007794cac0 5 bytes JMP 0000000000020458 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[4684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007794cb10 5 bytes JMP 00000000000204e0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[4684] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000779a2530 5 bytes JMP 0000000000020568 .text C:\Program Files\iPod\bin\iPodService.exe[4748] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000779240c0 5 bytes JMP 00000000000205f0 .text C:\Program Files\iPod\bin\iPodService.exe[4748] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007794bcc0 5 bytes JMP 0000000000020678 .text C:\Program Files\iPod\bin\iPodService.exe[4748] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007794bdb0 5 bytes JMP 00000000000200a0 .text C:\Program Files\iPod\bin\iPodService.exe[4748] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007794bed0 5 bytes JMP 0000000000020018 .text C:\Program Files\iPod\bin\iPodService.exe[4748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007794bf30 5 bytes JMP 00000000000203d0 .text C:\Program Files\iPod\bin\iPodService.exe[4748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007794bfb0 5 bytes JMP 00000000000201b0 .text C:\Program Files\iPod\bin\iPodService.exe[4748] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007794c050 5 bytes JMP 0000000000020128 .text C:\Program Files\iPod\bin\iPodService.exe[4748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007794c500 5 bytes JMP 0000000000020238 .text C:\Program Files\iPod\bin\iPodService.exe[4748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007794c590 5 bytes JMP 00000000000202c0 .text C:\Program Files\iPod\bin\iPodService.exe[4748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007794c600 5 bytes JMP 0000000000020348 .text C:\Program Files\iPod\bin\iPodService.exe[4748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007794cac0 5 bytes JMP 0000000000020458 .text C:\Program Files\iPod\bin\iPodService.exe[4748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007794cb10 5 bytes JMP 00000000000204e0 .text C:\Program Files\iPod\bin\iPodService.exe[4748] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000779a2530 5 bytes JMP 0000000000020568 .text C:\Windows\system32\svchost.exe[4804] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000779240c0 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\svchost.exe[4804] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007794bcc0 5 bytes JMP 0000000000020678 .text C:\Windows\system32\svchost.exe[4804] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007794bdb0 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\svchost.exe[4804] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007794bed0 5 bytes JMP 0000000000020018 .text C:\Windows\system32\svchost.exe[4804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007794bf30 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\svchost.exe[4804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007794bfb0 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\svchost.exe[4804] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007794c050 5 bytes JMP 0000000000020128 .text C:\Windows\system32\svchost.exe[4804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007794c500 5 bytes JMP 0000000000020238 .text C:\Windows\system32\svchost.exe[4804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007794c590 5 bytes JMP 00000000000202c0 .text C:\Windows\system32\svchost.exe[4804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007794c600 5 bytes JMP 0000000000020348 .text C:\Windows\system32\svchost.exe[4804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007794cac0 5 bytes JMP 0000000000020458 .text C:\Windows\system32\svchost.exe[4804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007794cb10 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\svchost.exe[4804] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000779a2530 5 bytes JMP 0000000000020568 .text C:\Windows\system32\svchost.exe[5088] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000779240c0 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\svchost.exe[5088] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007794bcc0 5 bytes JMP 0000000000020678 .text C:\Windows\system32\svchost.exe[5088] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007794bdb0 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\svchost.exe[5088] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007794bed0 5 bytes JMP 0000000000020018 .text C:\Windows\system32\svchost.exe[5088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007794bf30 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\svchost.exe[5088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007794bfb0 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\svchost.exe[5088] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007794c050 5 bytes JMP 0000000000020128 .text C:\Windows\system32\svchost.exe[5088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007794c500 5 bytes JMP 0000000000020238 .text C:\Windows\system32\svchost.exe[5088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007794c590 5 bytes JMP 00000000000202c0 .text C:\Windows\system32\svchost.exe[5088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007794c600 5 bytes JMP 0000000000020348 .text C:\Windows\system32\svchost.exe[5088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007794cac0 5 bytes JMP 0000000000020458 .text C:\Windows\system32\svchost.exe[5088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007794cb10 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\svchost.exe[5088] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000779a2530 5 bytes JMP 0000000000020568 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4644] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000779240c0 5 bytes JMP 00000000000205f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4644] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007794bcc0 5 bytes JMP 0000000000020678 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4644] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007794bdb0 5 bytes JMP 00000000000200a0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4644] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007794bed0 5 bytes JMP 0000000000020018 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007794bf30 5 bytes JMP 00000000000203d0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007794bfb0 5 bytes JMP 00000000000201b0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4644] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007794c050 5 bytes JMP 0000000000020128 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007794c500 5 bytes JMP 0000000000020238 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007794c590 5 bytes JMP 00000000000202c0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007794c600 5 bytes JMP 0000000000020348 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007794cac0 5 bytes JMP 0000000000020458 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007794cb10 5 bytes JMP 00000000000204e0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4644] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000779a2530 5 bytes JMP 0000000000020568 .text C:\Windows\system32\conhost.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000779240c0 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\conhost.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007794bcc0 5 bytes JMP 0000000000020678 .text C:\Windows\system32\conhost.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007794bdb0 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\conhost.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007794bed0 5 bytes JMP 0000000000020018 .text C:\Windows\system32\conhost.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007794bf30 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\conhost.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007794bfb0 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\conhost.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007794c050 5 bytes JMP 0000000000020128 .text C:\Windows\system32\conhost.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007794c500 5 bytes JMP 0000000000020238 .text C:\Windows\system32\conhost.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007794c590 5 bytes JMP 00000000000202c0 .text C:\Windows\system32\conhost.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007794c600 5 bytes JMP 0000000000020348 .text C:\Windows\system32\conhost.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007794cac0 5 bytes JMP 0000000000020458 .text C:\Windows\system32\conhost.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007794cb10 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\conhost.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000779a2530 5 bytes JMP 0000000000020568 .text C:\Windows\system32\wuauclt.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000779240c0 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\wuauclt.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007794bcc0 5 bytes JMP 0000000000020678 .text C:\Windows\system32\wuauclt.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007794bdb0 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\wuauclt.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007794bed0 5 bytes JMP 0000000000020018 .text C:\Windows\system32\wuauclt.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007794bf30 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\wuauclt.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007794bfb0 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\wuauclt.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007794c050 5 bytes JMP 0000000000020128 .text C:\Windows\system32\wuauclt.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007794c500 5 bytes JMP 0000000000020238 .text C:\Windows\system32\wuauclt.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007794c590 5 bytes JMP 00000000000202c0 .text C:\Windows\system32\wuauclt.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007794c600 5 bytes JMP 0000000000020348 .text C:\Windows\system32\wuauclt.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007794cac0 5 bytes JMP 0000000000020458 .text C:\Windows\system32\wuauclt.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007794cb10 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\wuauclt.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000779a2530 5 bytes JMP 0000000000020568 .text C:\Windows\system32\taskeng.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000779240c0 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\taskeng.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007794bcc0 5 bytes JMP 0000000000020678 .text C:\Windows\system32\taskeng.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007794bdb0 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\taskeng.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007794bed0 5 bytes JMP 0000000000020018 .text C:\Windows\system32\taskeng.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007794bf30 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\taskeng.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007794bfb0 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\taskeng.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007794c050 5 bytes JMP 0000000000020128 .text C:\Windows\system32\taskeng.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007794c500 5 bytes JMP 0000000000020238 .text C:\Windows\system32\taskeng.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007794c590 5 bytes JMP 00000000000202c0 .text C:\Windows\system32\taskeng.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007794c600 5 bytes JMP 0000000000020348 .text C:\Windows\system32\taskeng.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007794cac0 5 bytes JMP 0000000000020458 .text C:\Windows\system32\taskeng.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007794cb10 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\taskeng.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000779a2530 5 bytes JMP 0000000000020568 .text C:\Users\Cairalan\Downloads\FRST64.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000779240c0 5 bytes JMP 00000000000205f0 .text C:\Users\Cairalan\Downloads\FRST64.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007794bcc0 5 bytes JMP 0000000000020678 .text C:\Users\Cairalan\Downloads\FRST64.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007794bdb0 5 bytes JMP 00000000000200a0 .text C:\Users\Cairalan\Downloads\FRST64.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007794bed0 5 bytes JMP 0000000000020018 .text C:\Users\Cairalan\Downloads\FRST64.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007794bf30 5 bytes JMP 00000000000203d0 .text C:\Users\Cairalan\Downloads\FRST64.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007794bfb0 5 bytes JMP 00000000000201b0 .text C:\Users\Cairalan\Downloads\FRST64.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007794c050 5 bytes JMP 0000000000020128 .text C:\Users\Cairalan\Downloads\FRST64.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007794c500 5 bytes JMP 0000000000020238 .text C:\Users\Cairalan\Downloads\FRST64.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007794c590 5 bytes JMP 00000000000202c0 .text C:\Users\Cairalan\Downloads\FRST64.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007794c600 5 bytes JMP 0000000000020348 .text C:\Users\Cairalan\Downloads\FRST64.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007794cac0 5 bytes JMP 0000000000020458 .text C:\Users\Cairalan\Downloads\FRST64.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007794cb10 5 bytes JMP 00000000000204e0 .text C:\Users\Cairalan\Downloads\FRST64.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000779a2530 5 bytes JMP 0000000000020568 .text C:\Windows\System32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000779240c0 5 bytes JMP 00000000000205f0 .text C:\Windows\System32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007794bcc0 5 bytes JMP 0000000000020678 .text C:\Windows\System32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007794bdb0 5 bytes JMP 00000000000200a0 .text C:\Windows\System32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007794bed0 5 bytes JMP 0000000000020018 .text C:\Windows\System32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007794bf30 5 bytes JMP 00000000000203d0 .text C:\Windows\System32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007794bfb0 5 bytes JMP 00000000000201b0 .text C:\Windows\System32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007794c050 5 bytes JMP 0000000000020128 .text C:\Windows\System32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007794c500 5 bytes JMP 0000000000020238 .text C:\Windows\System32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007794c590 5 bytes JMP 00000000000202c0 .text C:\Windows\System32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007794c600 5 bytes JMP 0000000000020348 .text C:\Windows\System32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007794cac0 5 bytes JMP 0000000000020458 .text C:\Windows\System32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007794cb10 5 bytes JMP 00000000000204e0 .text C:\Windows\System32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000779a2530 5 bytes JMP 0000000000020568 .text C:\Users\Cairalan\Downloads\n8e8lq1t.exe[240] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 0000000077affae8 5 bytes JMP 000000006dd130e0 .text C:\Users\Cairalan\Downloads\n8e8lq1t.exe[240] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077affc60 5 bytes JMP 000000006dd12360 .text C:\Users\Cairalan\Downloads\n8e8lq1t.exe[240] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077affe24 5 bytes JMP 000000006dd121f0 .text C:\Users\Cairalan\Downloads\n8e8lq1t.exe[240] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077affeb8 5 bytes JMP 000000006dd127a0 .text C:\Users\Cairalan\Downloads\n8e8lq1t.exe[240] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077afff84 5 bytes JMP 000000006dd12650 .text C:\Users\Cairalan\Downloads\n8e8lq1t.exe[240] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077b00078 5 bytes JMP 000000006dd12520 .text C:\Users\Cairalan\Downloads\n8e8lq1t.exe[240] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077b007ac 5 bytes JMP 000000006dd128e0 .text C:\Users\Cairalan\Downloads\n8e8lq1t.exe[240] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077b00884 5 bytes JMP 000000006dd12b70 .text C:\Users\Cairalan\Downloads\n8e8lq1t.exe[240] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077b0092c 5 bytes JMP 000000006dd12e00 .text C:\Users\Cairalan\Downloads\n8e8lq1t.exe[240] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077b01088 5 bytes JMP 000000006dd12a30 .text C:\Users\Cairalan\Downloads\n8e8lq1t.exe[240] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077b01100 5 bytes JMP 000000006dd12cc0 .text C:\Users\Cairalan\Downloads\n8e8lq1t.exe[240] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 0000000077b1911f 5 bytes JMP 000000006dd12f80 .text C:\Users\Cairalan\Downloads\n8e8lq1t.exe[240] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 0000000077b9ff31 5 bytes JMP 000000006dd12e90 ---- Kernel IAT/EAT - GMER 2.2 ---- IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff8800108ce94] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff8800108cc38] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff8800108d614] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff8800108da10] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff8800108d86c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\System32\Drivers\a8u06rp6.SYS[PCIIDEX.SYS!AtaPortCopyMemory] [?] IAT C:\Windows\System32\Drivers\a8u06rp6.SYS[PCIIDEX.SYS!AtaPortGetPhysicalAddress] [?] IAT C:\Windows\System32\Drivers\a8u06rp6.SYS[PCIIDEX.SYS!AtaPortReadRegisterUlong] [fce8840fed844566] [unknown section] IAT C:\Windows\System32\Drivers\a8u06rp6.SYS[PCIIDEX.SYS!AtaPortInitializeEx] [?] IAT C:\Windows\System32\Drivers\a8u06rp6.SYS[PCIIDEX.SYS!AtaPortDeviceStateChange] [?] IAT C:\Windows\System32\Drivers\a8u06rp6.SYS[PCIIDEX.SYS!AtaPortEtwTraceLog] [?] IAT C:\Windows\System32\Drivers\a8u06rp6.SYS[PCIIDEX.SYS!AtaPortRegistryFreeBuffer] [fffffcca820fd03b] [unknown section] IAT C:\Windows\System32\Drivers\a8u06rp6.SYS[PCIIDEX.SYS!AtaPortGetBusData] [?] IAT C:\Windows\System32\Drivers\a8u06rp6.SYS[PCIIDEX.SYS!AtaPortRegistryRead] [?] IAT C:\Windows\System32\Drivers\a8u06rp6.SYS[PCIIDEX.SYS!AtaPortRequestCallback] [?] IAT C:\Windows\System32\Drivers\a8u06rp6.SYS[PCIIDEX.SYS!AtaPortStallExecution] [?] IAT C:\Windows\System32\Drivers\a8u06rp6.SYS[PCIIDEX.SYS!AtaPortGetUnCachedExtension] [?] IAT C:\Windows\System32\Drivers\a8u06rp6.SYS[PCIIDEX.SYS!AtaPortReadRegisterUchar] [?] IAT C:\Windows\System32\Drivers\a8u06rp6.SYS[PCIIDEX.SYS!AtaPortBuildRequestSenseIrb] [fffffc92830fca3b] [unknown section] IAT C:\Windows\System32\Drivers\a8u06rp6.SYS[PCIIDEX.SYS!AtaPortReleaseRequestSenseIrb] [?] IAT C:\Windows\System32\Drivers\a8u06rp6.SYS[PCIIDEX.SYS!AtaPortCompleteRequest] [fc80840f00107983] [unknown section] IAT C:\Windows\System32\Drivers\a8u06rp6.SYS[PCIIDEX.SYS!AtaPortNotification] [?] IAT C:\Windows\System32\Drivers\a8u06rp6.SYS[PCIIDEX.SYS!AtaPortGetDeviceBase] [?] IAT C:\Windows\System32\Drivers\a8u06rp6.SYS[PCIIDEX.SYS!AtaPortGetScatterGatherList] [?] IAT C:\Windows\System32\Drivers\a8u06rp6.SYS[PCIIDEX.SYS!AtaPortRegistryAllocateBuffer] [?] IAT C:\Windows\System32\Drivers\a8u06rp6.SYS[PCIIDEX.SYS!AtaPortWriteRegisterUlong] [fffc59830fc83b08] [unknown section] IAT C:\Windows\System32\Drivers\a8u06rp6.SYS[NTOSKRNL.exe!KeBugCheckEx] [?] ---- Devices - GMER 2.2 ---- Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 fffffa80066ad2c0 Device \Driver\atapi \Device\Ide\IdePort0 fffffa80066ad2c0 Device \Driver\atapi \Device\Ide\IdePort1 fffffa80066ad2c0 Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1 fffffa80066ad2c0 Device \Driver\a8u06rp6 \Device\Scsi\a8u06rp61 fffffa8007dcf2c0 Device \Driver\VClone \Device\Scsi\VClone1 fffffa8007e402c0 Device \Driver\VClone \Device\Scsi\VClone1Port2Path0Target0Lun0 fffffa8007e402c0 Device \Driver\a8u06rp6 \Device\Scsi\a8u06rp61Port3Path0Target0Lun0 fffffa8007dcf2c0 Device \FileSystem\Ntfs \Ntfs fffffa80066b52c0 Device \Driver\usbehci \Device\USBPDO-1 fffffa8007bfc2c0 Device \Driver\cdrom \Device\CdRom0 fffffa800716e2c0 Device \Driver\cdrom \Device\CdRom1 fffffa800716e2c0 Device \Driver\usbehci \Device\USBFDO-0 fffffa8007bfc2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{3FE9316F-7DE8-46F6-B1BE-FFFAE63D3B2B} fffffa8007a482c0 Device \Driver\usbehci \Device\USBFDO-1 fffffa8007bfc2c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa8007a482c0 Device \Driver\atapi \Device\ScsiPort0 fffffa80066ad2c0 Device \Driver\usbehci \Device\USBPDO-0 fffffa8007bfc2c0 Device \Driver\atapi \Device\ScsiPort1 fffffa80066ad2c0 Device \Driver\VClone \Device\ScsiPort2 fffffa8007e402c0 Device \Driver\a8u06rp6 \Device\ScsiPort3 fffffa8007dcf2c0 ---- Trace I/O - GMER 2.2 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xfffffa80066ad2c0]<< sptd.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys fffffa80066ad2c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8007746060] fffffa8007746060 Trace 3 CLASSPNP.SYS[fffff8800120143f] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-1[0xfffffa8007519060] fffffa8007519060 Trace \Driver\atapi[0xfffffa80072a7d50] -> IRP_MJ_CREATE -> 0xfffffa80066ad2c0 fffffa80066ad2c0 ---- Modules - GMER 2.2 ---- Module \SystemRoot\System32\Drivers\a8u06rp6.SYS (MS AHCI 1.0 Standard Driver/Microsoft Corporation SIGNED)(2010-11-21 03:23:47) fffff88004000000-fffff8800404b000 (307200 bytes) ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files (x86)\Alcohol Soft\Alcohol 120\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x97 0x83 0x17 0x51 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x54 0x54 0x6C 0x26 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x27 0x41 0x32 0x49 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files (x86)\Alcohol Soft\Alcohol 120\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x97 0x83 0x17 0x51 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x54 0x54 0x6C 0x26 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x27 0x41 0x32 0x49 ... ---- Files - GMER 2.2 ---- File C:\Users\Cairalan\AppData\Local\Mozilla\Firefox\Profiles\vei2twdj.default-1476815869328\cache2\doomed\1815 747 bytes File C:\Users\Cairalan\AppData\Local\Mozilla\Firefox\Profiles\vei2twdj.default-1476815869328\cache2\entries\F52A7A3F478D5533E15FB7D20BC7A6680A9BC43B 0 bytes File C:\Users\Cairalan\AppData\Local\Mozilla\Firefox\Profiles\vei2twdj.default-1476815869328\cache2\entries\ACC926C566F0CCAFFD6567200C9F2296F2BE0D09 1308 bytes File C:\Users\Cairalan\AppData\Local\Mozilla\Firefox\Profiles\vei2twdj.default-1476815869328\cache2\entries\28EAD5EE9BFBB1645809ADE5866987BB42681D4B 4539 bytes File C:\Users\Cairalan\AppData\Local\Mozilla\Firefox\Profiles\vei2twdj.default-1476815869328\cache2\entries\746DEE8A5A05BC03E158D31B5E17884AA22346EF 1308 bytes File C:\Users\Cairalan\AppData\Local\Mozilla\Firefox\Profiles\vei2twdj.default-1476815869328\cache2\entries\A50A27654E8A848C68B7BD765E436EE9C5F31AA4 590 bytes ---- EOF - GMER 2.2 ----