GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-11-13 17:05:11 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD25 rev.17.0 232,89GB Running: 4d9oz3j0.exe; Driver: C:\Users\Leszek\AppData\Local\Temp\kwrdapob.sys ---- User code sections - GMER 2.2 ---- .text C:\Windows\system32\svchost.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076e240c0 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\svchost.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000076e4bcc0 5 bytes JMP 0000000000020678 .text C:\Windows\system32\svchost.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076e4bdb0 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\svchost.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e4bed0 5 bytes JMP 0000000000020018 .text C:\Windows\system32\svchost.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e4bf30 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\svchost.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e4bfb0 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\svchost.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e4c050 5 bytes JMP 0000000000020128 .text C:\Windows\system32\svchost.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e4c500 5 bytes JMP 0000000000020238 .text C:\Windows\system32\svchost.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e4c590 5 bytes JMP 00000000000202c0 .text C:\Windows\system32\svchost.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076e4c600 5 bytes JMP 0000000000020348 .text C:\Windows\system32\svchost.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e4cac0 5 bytes JMP 0000000000020458 .text C:\Windows\system32\svchost.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e4cb10 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\svchost.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000076ea2530 5 bytes JMP 0000000000020568 .text C:\Windows\system32\taskhost.exe[2396] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076e240c0 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\taskhost.exe[2396] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000076e4bcc0 5 bytes JMP 0000000000020678 .text C:\Windows\system32\taskhost.exe[2396] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076e4bdb0 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\taskhost.exe[2396] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e4bed0 5 bytes JMP 0000000000020018 .text C:\Windows\system32\taskhost.exe[2396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e4bf30 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\taskhost.exe[2396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e4bfb0 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\taskhost.exe[2396] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e4c050 5 bytes JMP 0000000000020128 .text C:\Windows\system32\taskhost.exe[2396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e4c500 5 bytes JMP 0000000000020238 .text C:\Windows\system32\taskhost.exe[2396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e4c590 5 bytes JMP 00000000000202c0 .text C:\Windows\system32\taskhost.exe[2396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076e4c600 5 bytes JMP 0000000000020348 .text C:\Windows\system32\taskhost.exe[2396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e4cac0 5 bytes JMP 0000000000020458 .text C:\Windows\system32\taskhost.exe[2396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e4cb10 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\taskhost.exe[2396] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000076ea2530 5 bytes JMP 0000000000020568 .text C:\Windows\system32\Dwm.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076e240c0 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\Dwm.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000076e4bcc0 5 bytes JMP 0000000000020678 .text C:\Windows\system32\Dwm.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076e4bdb0 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\Dwm.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e4bed0 5 bytes JMP 0000000000020018 .text C:\Windows\system32\Dwm.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e4bf30 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\Dwm.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e4bfb0 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\Dwm.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e4c050 5 bytes JMP 0000000000020128 .text C:\Windows\system32\Dwm.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e4c500 5 bytes JMP 0000000000020238 .text C:\Windows\system32\Dwm.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e4c590 5 bytes JMP 00000000000202c0 .text C:\Windows\system32\Dwm.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076e4c600 5 bytes JMP 0000000000020348 .text C:\Windows\system32\Dwm.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e4cac0 5 bytes JMP 0000000000020458 .text C:\Windows\system32\Dwm.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e4cb10 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\Dwm.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000076ea2530 5 bytes JMP 0000000000020568 .text D:\PROGRAMY\Bongiovi DPS\Bongiovi DPS.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076e240c0 5 bytes JMP 00000000000205f0 .text D:\PROGRAMY\Bongiovi DPS\Bongiovi DPS.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000076e4bcc0 5 bytes JMP 0000000000020678 .text D:\PROGRAMY\Bongiovi DPS\Bongiovi DPS.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076e4bdb0 5 bytes JMP 00000000000200a0 .text D:\PROGRAMY\Bongiovi DPS\Bongiovi DPS.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e4bed0 5 bytes JMP 0000000000020018 .text D:\PROGRAMY\Bongiovi DPS\Bongiovi DPS.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e4bf30 5 bytes JMP 00000000000203d0 .text D:\PROGRAMY\Bongiovi DPS\Bongiovi DPS.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e4bfb0 5 bytes JMP 00000000000201b0 .text D:\PROGRAMY\Bongiovi DPS\Bongiovi DPS.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e4c050 5 bytes JMP 0000000000020128 .text D:\PROGRAMY\Bongiovi DPS\Bongiovi DPS.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e4c500 5 bytes JMP 0000000000020238 .text D:\PROGRAMY\Bongiovi DPS\Bongiovi DPS.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e4c590 5 bytes JMP 00000000000202c0 .text D:\PROGRAMY\Bongiovi DPS\Bongiovi DPS.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076e4c600 5 bytes JMP 0000000000020348 .text D:\PROGRAMY\Bongiovi DPS\Bongiovi DPS.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e4cac0 5 bytes JMP 0000000000020458 .text D:\PROGRAMY\Bongiovi DPS\Bongiovi DPS.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e4cb10 5 bytes JMP 00000000000204e0 .text D:\PROGRAMY\Bongiovi DPS\Bongiovi DPS.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000076ea2530 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\Winstep\Nexus.exe[828] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 0000000076fffae8 5 bytes JMP 000000006c8830e0 .text C:\Program Files (x86)\Winstep\Nexus.exe[828] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076fffc60 5 bytes JMP 000000006c882360 .text C:\Program Files (x86)\Winstep\Nexus.exe[828] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076fffe24 5 bytes JMP 000000006c8821f0 .text C:\Program Files (x86)\Winstep\Nexus.exe[828] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000076fffeb8 5 bytes JMP 000000006c8827a0 .text C:\Program Files (x86)\Winstep\Nexus.exe[828] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076ffff84 5 bytes JMP 000000006c882650 .text C:\Program Files (x86)\Winstep\Nexus.exe[828] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077000078 5 bytes JMP 000000006c882520 .text C:\Program Files (x86)\Winstep\Nexus.exe[828] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000770007ac 5 bytes JMP 000000006c8828e0 .text C:\Program Files (x86)\Winstep\Nexus.exe[828] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077000884 5 bytes JMP 000000006c882b70 .text C:\Program Files (x86)\Winstep\Nexus.exe[828] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007700092c 5 bytes JMP 000000006c882e00 .text C:\Program Files (x86)\Winstep\Nexus.exe[828] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077001088 5 bytes JMP 000000006c882a30 .text C:\Program Files (x86)\Winstep\Nexus.exe[828] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077001100 5 bytes JMP 000000006c882cc0 .text C:\Program Files (x86)\Winstep\Nexus.exe[828] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 000000007701911f 5 bytes JMP 000000006c882f80 .text C:\Program Files (x86)\Winstep\Nexus.exe[828] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007709ff31 5 bytes JMP 000000006c882e90 .text C:\Program Files (x86)\Winstep\Nexus.exe[828] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076fb1401 2 bytes JMP 75eab233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Winstep\Nexus.exe[828] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076fb1419 2 bytes JMP 75eab35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Winstep\Nexus.exe[828] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076fb1431 2 bytes JMP 75f29149 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Winstep\Nexus.exe[828] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076fb144a 2 bytes CALL 75e84885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Winstep\Nexus.exe[828] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076fb14dd 2 bytes JMP 75f28a42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Winstep\Nexus.exe[828] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076fb14f5 2 bytes JMP 75f28c18 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Winstep\Nexus.exe[828] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076fb150d 2 bytes JMP 75f28938 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Winstep\Nexus.exe[828] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076fb1525 2 bytes JMP 75f28d02 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Winstep\Nexus.exe[828] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076fb153d 2 bytes JMP 75e9fcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Winstep\Nexus.exe[828] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076fb1555 2 bytes JMP 75ea6907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Winstep\Nexus.exe[828] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076fb156d 2 bytes JMP 75f29201 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Winstep\Nexus.exe[828] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076fb1585 2 bytes JMP 75f28d62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Winstep\Nexus.exe[828] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076fb159d 2 bytes JMP 75f288fc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Winstep\Nexus.exe[828] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076fb15b5 2 bytes JMP 75e9fd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Winstep\Nexus.exe[828] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076fb15cd 2 bytes JMP 75eab2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Winstep\Nexus.exe[828] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076fb16b2 2 bytes JMP 75f290c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Winstep\Nexus.exe[828] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076fb16bd 2 bytes JMP 75f28891 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Adguard\Adguard.exe[3032] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 0000000076fffae8 5 bytes JMP 000000006c8830e0 .text C:\Program Files (x86)\Adguard\Adguard.exe[3032] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076fffc60 5 bytes JMP 000000006c882360 .text C:\Program Files (x86)\Adguard\Adguard.exe[3032] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076fffe24 5 bytes JMP 000000006c8821f0 .text C:\Program Files (x86)\Adguard\Adguard.exe[3032] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000076fffeb8 5 bytes JMP 000000006c8827a0 .text C:\Program Files (x86)\Adguard\Adguard.exe[3032] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076ffff84 5 bytes JMP 000000006c882650 .text C:\Program Files (x86)\Adguard\Adguard.exe[3032] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077000078 5 bytes JMP 000000006c882520 .text C:\Program Files (x86)\Adguard\Adguard.exe[3032] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000770007ac 5 bytes JMP 000000006c8828e0 .text C:\Program Files (x86)\Adguard\Adguard.exe[3032] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077000884 5 bytes JMP 000000006c882b70 .text C:\Program Files (x86)\Adguard\Adguard.exe[3032] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007700092c 5 bytes JMP 000000006c882e00 .text C:\Program Files (x86)\Adguard\Adguard.exe[3032] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077001088 5 bytes JMP 000000006c882a30 .text C:\Program Files (x86)\Adguard\Adguard.exe[3032] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077001100 5 bytes JMP 000000006c882cc0 .text C:\Program Files (x86)\Adguard\Adguard.exe[3032] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 000000007701911f 5 bytes JMP 000000006c882f80 .text C:\Program Files (x86)\Adguard\Adguard.exe[3032] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007709ff31 5 bytes JMP 000000006c882e90 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2036] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 0000000076fffae8 5 bytes JMP 000000006c8830e0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2036] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076fffc60 5 bytes JMP 000000006c882360 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2036] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076fffe24 5 bytes JMP 000000006c8821f0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2036] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000076fffeb8 5 bytes JMP 000000006c8827a0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2036] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076ffff84 5 bytes JMP 000000006c882650 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2036] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077000078 5 bytes JMP 000000006c882520 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2036] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000770007ac 5 bytes JMP 000000006c8828e0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2036] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077000884 5 bytes JMP 000000006c882b70 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2036] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007700092c 5 bytes JMP 000000006c882e00 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2036] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077001088 5 bytes JMP 000000006c882a30 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2036] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077001100 5 bytes JMP 000000006c882cc0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2036] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 000000007701911f 5 bytes JMP 000000006c882f80 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2036] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007709ff31 5 bytes JMP 000000006c882e90 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2036] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076fb1401 2 bytes JMP 75eab233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2036] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076fb1419 2 bytes JMP 75eab35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2036] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076fb1431 2 bytes JMP 75f29149 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2036] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076fb144a 2 bytes CALL 75e84885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2036] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076fb14dd 2 bytes JMP 75f28a42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2036] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076fb14f5 2 bytes JMP 75f28c18 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2036] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076fb150d 2 bytes JMP 75f28938 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2036] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076fb1525 2 bytes JMP 75f28d02 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2036] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076fb153d 2 bytes JMP 75e9fcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2036] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076fb1555 2 bytes JMP 75ea6907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2036] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076fb156d 2 bytes JMP 75f29201 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2036] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076fb1585 2 bytes JMP 75f28d62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2036] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076fb159d 2 bytes JMP 75f288fc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2036] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076fb15b5 2 bytes JMP 75e9fd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2036] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076fb15cd 2 bytes JMP 75eab2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2036] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076fb16b2 2 bytes JMP 75f290c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2036] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076fb16bd 2 bytes JMP 75f28891 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Av\avgui.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076e240c0 5 bytes JMP 00000000000205f0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000076e4bcc0 5 bytes JMP 0000000000020678 .text C:\Program Files (x86)\AVG\Av\avgui.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076e4bdb0 5 bytes JMP 00000000000200a0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e4bed0 5 bytes JMP 0000000000020018 .text C:\Program Files (x86)\AVG\Av\avgui.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e4bf30 5 bytes JMP 00000000000203d0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e4bfb0 5 bytes JMP 00000000000201b0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e4c050 5 bytes JMP 0000000000020128 .text C:\Program Files (x86)\AVG\Av\avgui.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e4c500 5 bytes JMP 0000000000020238 .text C:\Program Files (x86)\AVG\Av\avgui.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e4c590 5 bytes JMP 00000000000202c0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076e4c600 5 bytes JMP 0000000000020348 .text C:\Program Files (x86)\AVG\Av\avgui.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e4cac0 5 bytes JMP 0000000000020458 .text C:\Program Files (x86)\AVG\Av\avgui.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e4cb10 5 bytes JMP 00000000000204e0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000076ea2530 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[3116] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 0000000076fffae8 5 bytes JMP 000000006c8830e0 .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[3116] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076fffc60 5 bytes JMP 000000006c882360 .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[3116] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076fffe24 5 bytes JMP 000000006c8821f0 .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[3116] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000076fffeb8 5 bytes JMP 000000006c8827a0 .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[3116] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076ffff84 5 bytes JMP 000000006c882650 .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[3116] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077000078 5 bytes JMP 000000006c882520 .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[3116] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000770007ac 5 bytes JMP 000000006c8828e0 .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[3116] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077000884 5 bytes JMP 000000006c882b70 .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[3116] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007700092c 5 bytes JMP 000000006c882e00 .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[3116] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077001088 5 bytes JMP 000000006c882a30 .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[3116] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077001100 5 bytes JMP 000000006c882cc0 .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[3116] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 000000007701911f 5 bytes JMP 000000006c882f80 .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[3116] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007709ff31 5 bytes JMP 000000006c882e90 .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[3116] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076fb1401 2 bytes JMP 75eab233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[3116] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076fb1419 2 bytes JMP 75eab35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[3116] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076fb1431 2 bytes JMP 75f29149 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[3116] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076fb144a 2 bytes CALL 75e84885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[3116] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076fb14dd 2 bytes JMP 75f28a42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[3116] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076fb14f5 2 bytes JMP 75f28c18 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[3116] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076fb150d 2 bytes JMP 75f28938 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[3116] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076fb1525 2 bytes JMP 75f28d02 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[3116] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076fb153d 2 bytes JMP 75e9fcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[3116] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076fb1555 2 bytes JMP 75ea6907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[3116] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076fb156d 2 bytes JMP 75f29201 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[3116] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076fb1585 2 bytes JMP 75f28d62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[3116] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076fb159d 2 bytes JMP 75f288fc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[3116] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076fb15b5 2 bytes JMP 75e9fd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[3116] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076fb15cd 2 bytes JMP 75eab2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[3116] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076fb16b2 2 bytes JMP 75f290c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[3116] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076fb16bd 2 bytes JMP 75f28891 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\KeyScrambler\x64\KeyScrambler.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076e240c0 5 bytes JMP 00000000000205f0 .text C:\Program Files (x86)\KeyScrambler\x64\KeyScrambler.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000076e4bcc0 5 bytes JMP 0000000000020678 .text C:\Program Files (x86)\KeyScrambler\x64\KeyScrambler.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076e4bdb0 5 bytes JMP 00000000000200a0 .text C:\Program Files (x86)\KeyScrambler\x64\KeyScrambler.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e4bed0 5 bytes JMP 0000000000020018 .text C:\Program Files (x86)\KeyScrambler\x64\KeyScrambler.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e4bf30 5 bytes JMP 00000000000203d0 .text C:\Program Files (x86)\KeyScrambler\x64\KeyScrambler.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e4bfb0 5 bytes JMP 00000000000201b0 .text C:\Program Files (x86)\KeyScrambler\x64\KeyScrambler.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e4c050 5 bytes JMP 0000000000020128 .text C:\Program Files (x86)\KeyScrambler\x64\KeyScrambler.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e4c500 5 bytes JMP 0000000000020238 .text C:\Program Files (x86)\KeyScrambler\x64\KeyScrambler.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e4c590 5 bytes JMP 00000000000202c0 .text C:\Program Files (x86)\KeyScrambler\x64\KeyScrambler.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076e4c600 5 bytes JMP 0000000000020348 .text C:\Program Files (x86)\KeyScrambler\x64\KeyScrambler.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e4cac0 5 bytes JMP 0000000000020458 .text C:\Program Files (x86)\KeyScrambler\x64\KeyScrambler.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e4cb10 5 bytes JMP 00000000000204e0 .text C:\Program Files (x86)\KeyScrambler\x64\KeyScrambler.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000076ea2530 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\KeyScrambler\x64\KeyScrambler.exe[3336] C:\Windows\system32\IMM32.DLL!ImmProcessKey 000007fefdd739c8 14 bytes {JMP QWORD [RIP+0x0]} .text C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076e240c0 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000076e4bcc0 5 bytes JMP 0000000000020678 .text C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076e4bdb0 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e4bed0 5 bytes JMP 0000000000020018 .text C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e4bf30 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e4bfb0 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e4c050 5 bytes JMP 0000000000020128 .text C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e4c500 5 bytes JMP 0000000000020238 .text C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e4c590 5 bytes JMP 00000000000202c0 .text C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076e4c600 5 bytes JMP 0000000000020348 .text C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e4cac0 5 bytes JMP 0000000000020458 .text C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e4cb10 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\svchost.exe[3444] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000076ea2530 5 bytes JMP 0000000000020568 .text C:\Windows\system32\ctfmon.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076e240c0 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\ctfmon.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000076e4bcc0 5 bytes JMP 0000000000020678 .text C:\Windows\system32\ctfmon.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076e4bdb0 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\ctfmon.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e4bed0 5 bytes JMP 0000000000020018 .text C:\Windows\system32\ctfmon.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e4bf30 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\ctfmon.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e4bfb0 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\ctfmon.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e4c050 5 bytes JMP 0000000000020128 .text C:\Windows\system32\ctfmon.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e4c500 5 bytes JMP 0000000000020238 .text C:\Windows\system32\ctfmon.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e4c590 5 bytes JMP 00000000000202c0 .text C:\Windows\system32\ctfmon.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076e4c600 5 bytes JMP 0000000000020348 .text C:\Windows\system32\ctfmon.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e4cac0 5 bytes JMP 0000000000020458 .text C:\Windows\system32\ctfmon.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e4cb10 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\ctfmon.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000076ea2530 5 bytes JMP 0000000000020568 .text C:\Windows\system32\nvvsvc.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076e240c0 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\nvvsvc.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000076e4bcc0 5 bytes JMP 0000000000020678 .text C:\Windows\system32\nvvsvc.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076e4bdb0 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\nvvsvc.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e4bed0 5 bytes JMP 0000000000020018 .text C:\Windows\system32\nvvsvc.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e4bf30 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\nvvsvc.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e4bfb0 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\nvvsvc.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e4c050 5 bytes JMP 0000000000020128 .text C:\Windows\system32\nvvsvc.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e4c500 5 bytes JMP 0000000000020238 .text C:\Windows\system32\nvvsvc.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e4c590 5 bytes JMP 00000000000202c0 .text C:\Windows\system32\nvvsvc.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076e4c600 5 bytes JMP 0000000000020348 .text C:\Windows\system32\nvvsvc.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e4cac0 5 bytes JMP 0000000000020458 .text C:\Windows\system32\nvvsvc.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e4cb10 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\nvvsvc.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000076ea2530 5 bytes JMP 0000000000020568 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[5244] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076e240c0 5 bytes JMP 00000000000205f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[5244] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000076e4bcc0 5 bytes JMP 0000000000020678 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[5244] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076e4bdb0 5 bytes JMP 00000000000200a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[5244] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e4bed0 5 bytes JMP 0000000000020018 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[5244] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e4bf30 5 bytes JMP 00000000000203d0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[5244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e4bfb0 5 bytes JMP 00000000000201b0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[5244] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e4c050 5 bytes JMP 0000000000020128 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[5244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e4c500 5 bytes JMP 0000000000020238 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[5244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e4c590 5 bytes JMP 00000000000202c0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[5244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076e4c600 5 bytes JMP 0000000000020348 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[5244] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e4cac0 5 bytes JMP 0000000000020458 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[5244] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e4cb10 5 bytes JMP 00000000000204e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[5244] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000076ea2530 5 bytes JMP 0000000000020568 .text C:\Windows\system32\nvvsvc.exe[6040] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076e240c0 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\nvvsvc.exe[6040] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000076e4bcc0 5 bytes JMP 0000000000020678 .text C:\Windows\system32\nvvsvc.exe[6040] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076e4bdb0 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\nvvsvc.exe[6040] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e4bed0 5 bytes JMP 0000000000020018 .text C:\Windows\system32\nvvsvc.exe[6040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e4bf30 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\nvvsvc.exe[6040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e4bfb0 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\nvvsvc.exe[6040] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e4c050 5 bytes JMP 0000000000020128 .text C:\Windows\system32\nvvsvc.exe[6040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e4c500 5 bytes JMP 0000000000020238 .text C:\Windows\system32\nvvsvc.exe[6040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e4c590 5 bytes JMP 00000000000202c0 .text C:\Windows\system32\nvvsvc.exe[6040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076e4c600 5 bytes JMP 0000000000020348 .text C:\Windows\system32\nvvsvc.exe[6040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e4cac0 5 bytes JMP 0000000000020458 .text C:\Windows\system32\nvvsvc.exe[6040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e4cb10 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\nvvsvc.exe[6040] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000076ea2530 5 bytes JMP 0000000000020568 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4388] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076e240c0 5 bytes JMP 00000000000205f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4388] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000076e4bcc0 5 bytes JMP 0000000000020678 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4388] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076e4bdb0 5 bytes JMP 00000000000200a0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4388] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e4bed0 5 bytes JMP 0000000000020018 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e4bf30 5 bytes JMP 00000000000203d0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e4bfb0 5 bytes JMP 00000000000201b0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4388] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e4c050 5 bytes JMP 0000000000020128 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e4c500 5 bytes JMP 0000000000020238 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e4c590 5 bytes JMP 00000000000202c0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076e4c600 5 bytes JMP 0000000000020348 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e4cac0 5 bytes JMP 0000000000020458 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e4cb10 5 bytes JMP 00000000000204e0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4388] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000076ea2530 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4540] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 0000000076fffae8 5 bytes JMP 000000006c8830e0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4540] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076fffc60 5 bytes JMP 000000006c882360 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4540] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076fffe24 5 bytes JMP 000000006c8821f0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4540] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000076fffeb8 5 bytes JMP 000000006c8827a0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4540] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076ffff84 5 bytes JMP 000000006c882650 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4540] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077000078 5 bytes JMP 000000006c882520 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4540] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000770007ac 5 bytes JMP 000000006c8828e0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4540] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077000884 5 bytes JMP 000000006c882b70 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4540] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007700092c 5 bytes JMP 000000006c882e00 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4540] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077001088 5 bytes JMP 000000006c882a30 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4540] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077001100 5 bytes JMP 000000006c882cc0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4540] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 000000007701911f 5 bytes JMP 000000006c882f80 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4540] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007709ff31 5 bytes JMP 000000006c882e90 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4820] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 0000000076fffae8 5 bytes JMP 000000006c8830e0 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4820] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076fffc60 5 bytes JMP 000000006c882360 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4820] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076fffe24 5 bytes JMP 000000006c8821f0 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4820] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000076fffeb8 5 bytes JMP 000000006c8827a0 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4820] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076ffff84 5 bytes JMP 000000006c882650 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4820] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077000078 5 bytes JMP 000000006c882520 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4820] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000770007ac 5 bytes JMP 000000006c8828e0 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4820] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077000884 5 bytes JMP 000000006c882b70 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4820] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007700092c 5 bytes JMP 000000006c882e00 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4820] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077001088 5 bytes JMP 000000006c882a30 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4820] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077001100 5 bytes JMP 000000006c882cc0 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4820] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 000000007701911f 5 bytes JMP 000000006c882f80 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4820] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007709ff31 5 bytes JMP 000000006c882e90 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4820] C:\Windows\syswow64\kernel32.dll!CreateThread + 28 0000000075e83491 4 bytes {CALL 0xffffffffe39caa58} .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4820] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17 0000000076fb1401 2 bytes JMP 75eab233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4820] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17 0000000076fb1419 2 bytes JMP 75eab35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4820] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17 0000000076fb1431 2 bytes JMP 75f29149 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4820] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42 0000000076fb144a 2 bytes CALL 75e84885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4820] C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17 0000000076fb14dd 2 bytes JMP 75f28a42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4820] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17 0000000076fb14f5 2 bytes JMP 75f28c18 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4820] C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17 0000000076fb150d 2 bytes JMP 75f28938 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4820] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17 0000000076fb1525 2 bytes JMP 75f28d02 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4820] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17 0000000076fb153d 2 bytes JMP 75e9fcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4820] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17 0000000076fb1555 2 bytes JMP 75ea6907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4820] C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17 0000000076fb156d 2 bytes JMP 75f29201 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4820] C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17 0000000076fb1585 2 bytes JMP 75f28d62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4820] C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17 0000000076fb159d 2 bytes JMP 75f288fc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4820] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17 0000000076fb15b5 2 bytes JMP 75e9fd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4820] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17 0000000076fb15cd 2 bytes JMP 75eab2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4820] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20 0000000076fb16b2 2 bytes JMP 75f290c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4820] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31 0000000076fb16bd 2 bytes JMP 75f28891 C:\Windows\syswow64\kernel32.dll .text C:\Windows\Explorer.EXE[3512] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076e240c0 5 bytes JMP 00000000000205f0 .text C:\Windows\Explorer.EXE[3512] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000076e4bcc0 5 bytes JMP 0000000000020678 .text C:\Windows\Explorer.EXE[3512] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076e4bdb0 5 bytes JMP 00000000000200a0 .text C:\Windows\Explorer.EXE[3512] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e4bed0 5 bytes JMP 0000000000020018 .text C:\Windows\Explorer.EXE[3512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e4bf30 5 bytes JMP 00000000000203d0 .text C:\Windows\Explorer.EXE[3512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e4bfb0 5 bytes JMP 00000000000201b0 .text C:\Windows\Explorer.EXE[3512] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e4c050 5 bytes JMP 0000000000020128 .text C:\Windows\Explorer.EXE[3512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e4c500 5 bytes JMP 0000000000020238 .text C:\Windows\Explorer.EXE[3512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e4c590 5 bytes JMP 00000000000202c0 .text C:\Windows\Explorer.EXE[3512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076e4c600 5 bytes JMP 0000000000020348 .text C:\Windows\Explorer.EXE[3512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e4cac0 5 bytes JMP 0000000000020458 .text C:\Windows\Explorer.EXE[3512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e4cb10 5 bytes JMP 00000000000204e0 .text C:\Windows\Explorer.EXE[3512] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000076ea2530 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\IDA\ida.exe[3936] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 0000000076fffae8 5 bytes JMP 000000006c8830e0 .text C:\Program Files (x86)\IDA\ida.exe[3936] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076fffc60 5 bytes JMP 000000006c882360 .text C:\Program Files (x86)\IDA\ida.exe[3936] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076fffe24 5 bytes JMP 000000006c8821f0 .text C:\Program Files (x86)\IDA\ida.exe[3936] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000076fffeb8 5 bytes JMP 000000006c8827a0 .text C:\Program Files (x86)\IDA\ida.exe[3936] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076ffff84 5 bytes JMP 000000006c882650 .text C:\Program Files (x86)\IDA\ida.exe[3936] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077000078 5 bytes JMP 000000006c882520 .text C:\Program Files (x86)\IDA\ida.exe[3936] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000770007ac 5 bytes JMP 000000006c8828e0 .text C:\Program Files (x86)\IDA\ida.exe[3936] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077000884 5 bytes JMP 000000006c882b70 .text C:\Program Files (x86)\IDA\ida.exe[3936] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007700092c 5 bytes JMP 000000006c882e00 .text C:\Program Files (x86)\IDA\ida.exe[3936] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077001088 5 bytes JMP 000000006c882a30 .text C:\Program Files (x86)\IDA\ida.exe[3936] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077001100 5 bytes JMP 000000006c882cc0 .text C:\Program Files (x86)\IDA\ida.exe[3936] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 000000007701911f 5 bytes JMP 000000006c882f80 .text C:\Program Files (x86)\IDA\ida.exe[3936] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007709ff31 5 bytes JMP 000000006c882e90 .text C:\Windows\system32\wbem\wmiprvse.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076e240c0 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\wbem\wmiprvse.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000076e4bcc0 5 bytes JMP 0000000000020678 .text C:\Windows\system32\wbem\wmiprvse.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076e4bdb0 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\wbem\wmiprvse.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e4bed0 5 bytes JMP 0000000000020018 .text C:\Windows\system32\wbem\wmiprvse.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e4bf30 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\wbem\wmiprvse.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e4bfb0 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\wbem\wmiprvse.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e4c050 5 bytes JMP 0000000000020128 .text C:\Windows\system32\wbem\wmiprvse.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e4c500 5 bytes JMP 0000000000020238 .text C:\Windows\system32\wbem\wmiprvse.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e4c590 5 bytes JMP 00000000000202c0 .text C:\Windows\system32\wbem\wmiprvse.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076e4c600 5 bytes JMP 0000000000020348 .text C:\Windows\system32\wbem\wmiprvse.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e4cac0 5 bytes JMP 0000000000020458 .text C:\Windows\system32\wbem\wmiprvse.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e4cb10 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\wbem\wmiprvse.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000076ea2530 5 bytes JMP 0000000000020568 .text C:\Users\Leszek\Desktop\FRST64.exe[5288] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076e240c0 5 bytes JMP 00000000000205f0 .text C:\Users\Leszek\Desktop\FRST64.exe[5288] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000076e4bcc0 5 bytes JMP 0000000000020678 .text C:\Users\Leszek\Desktop\FRST64.exe[5288] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076e4bdb0 5 bytes JMP 00000000000200a0 .text C:\Users\Leszek\Desktop\FRST64.exe[5288] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e4bed0 5 bytes JMP 0000000000020018 .text C:\Users\Leszek\Desktop\FRST64.exe[5288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e4bf30 5 bytes JMP 00000000000203d0 .text C:\Users\Leszek\Desktop\FRST64.exe[5288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e4bfb0 5 bytes JMP 00000000000201b0 .text C:\Users\Leszek\Desktop\FRST64.exe[5288] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e4c050 5 bytes JMP 0000000000020128 .text C:\Users\Leszek\Desktop\FRST64.exe[5288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e4c500 5 bytes JMP 0000000000020238 .text C:\Users\Leszek\Desktop\FRST64.exe[5288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e4c590 5 bytes JMP 00000000000202c0 .text C:\Users\Leszek\Desktop\FRST64.exe[5288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076e4c600 5 bytes JMP 0000000000020348 .text C:\Users\Leszek\Desktop\FRST64.exe[5288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e4cac0 5 bytes JMP 0000000000020458 .text C:\Users\Leszek\Desktop\FRST64.exe[5288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e4cb10 5 bytes JMP 00000000000204e0 .text C:\Users\Leszek\Desktop\FRST64.exe[5288] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000076ea2530 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\AVG\Av\avgcfgex.exe[5688] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 0000000076fffae8 5 bytes JMP 000000006c8830e0 .text C:\Program Files (x86)\AVG\Av\avgcfgex.exe[5688] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076fffc60 5 bytes JMP 000000006c882360 .text C:\Program Files (x86)\AVG\Av\avgcfgex.exe[5688] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076fffe24 5 bytes JMP 000000006c8821f0 .text C:\Program Files (x86)\AVG\Av\avgcfgex.exe[5688] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000076fffeb8 5 bytes JMP 000000006c8827a0 .text C:\Program Files (x86)\AVG\Av\avgcfgex.exe[5688] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076ffff84 5 bytes JMP 000000006c882650 .text C:\Program Files (x86)\AVG\Av\avgcfgex.exe[5688] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077000078 5 bytes JMP 000000006c882520 .text C:\Program Files (x86)\AVG\Av\avgcfgex.exe[5688] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000770007ac 5 bytes JMP 000000006c8828e0 .text C:\Program Files (x86)\AVG\Av\avgcfgex.exe[5688] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077000884 5 bytes JMP 000000006c882b70 .text C:\Program Files (x86)\AVG\Av\avgcfgex.exe[5688] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007700092c 5 bytes JMP 000000006c882e00 .text C:\Program Files (x86)\AVG\Av\avgcfgex.exe[5688] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077001088 5 bytes JMP 000000006c882a30 .text C:\Program Files (x86)\AVG\Av\avgcfgex.exe[5688] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077001100 5 bytes JMP 000000006c882cc0 .text C:\Program Files (x86)\AVG\Av\avgcfgex.exe[5688] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 000000007701911f 5 bytes JMP 000000006c882f80 .text C:\Program Files (x86)\AVG\Av\avgcfgex.exe[5688] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007709ff31 5 bytes JMP 000000006c882e90 .text C:\Windows\system32\vssvc.exe[2752] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076e240c0 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\vssvc.exe[2752] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000076e4bcc0 5 bytes JMP 0000000000020678 .text C:\Windows\system32\vssvc.exe[2752] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076e4bdb0 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\vssvc.exe[2752] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e4bed0 5 bytes JMP 0000000000020018 .text C:\Windows\system32\vssvc.exe[2752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e4bf30 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\vssvc.exe[2752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e4bfb0 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\vssvc.exe[2752] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e4c050 5 bytes JMP 0000000000020128 .text C:\Windows\system32\vssvc.exe[2752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e4c500 5 bytes JMP 0000000000020238 .text C:\Windows\system32\vssvc.exe[2752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e4c590 5 bytes JMP 00000000000202c0 .text C:\Windows\system32\vssvc.exe[2752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076e4c600 5 bytes JMP 0000000000020348 .text C:\Windows\system32\vssvc.exe[2752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e4cac0 5 bytes JMP 0000000000020458 .text C:\Windows\system32\vssvc.exe[2752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e4cb10 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\vssvc.exe[2752] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000076ea2530 5 bytes JMP 0000000000020568 .text C:\Windows\System32\svchost.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076e240c0 5 bytes JMP 00000000000205f0 .text C:\Windows\System32\svchost.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000076e4bcc0 5 bytes JMP 0000000000020678 .text C:\Windows\System32\svchost.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076e4bdb0 5 bytes JMP 00000000000200a0 .text C:\Windows\System32\svchost.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e4bed0 5 bytes JMP 0000000000020018 .text C:\Windows\System32\svchost.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e4bf30 5 bytes JMP 00000000000203d0 .text C:\Windows\System32\svchost.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e4bfb0 5 bytes JMP 00000000000201b0 .text C:\Windows\System32\svchost.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e4c050 5 bytes JMP 0000000000020128 .text C:\Windows\System32\svchost.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e4c500 5 bytes JMP 0000000000020238 .text C:\Windows\System32\svchost.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e4c590 5 bytes JMP 00000000000202c0 .text C:\Windows\System32\svchost.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076e4c600 5 bytes JMP 0000000000020348 .text C:\Windows\System32\svchost.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e4cac0 5 bytes JMP 0000000000020458 .text C:\Windows\System32\svchost.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e4cb10 5 bytes JMP 00000000000204e0 .text C:\Windows\System32\svchost.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000076ea2530 5 bytes JMP 0000000000020568 .text C:\Users\Leszek\Desktop\4d9oz3j0.exe[5068] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 0000000076fffae8 5 bytes JMP 000000006c8830e0 .text C:\Users\Leszek\Desktop\4d9oz3j0.exe[5068] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076fffc60 5 bytes JMP 000000006c882360 .text C:\Users\Leszek\Desktop\4d9oz3j0.exe[5068] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076fffe24 5 bytes JMP 000000006c8821f0 .text C:\Users\Leszek\Desktop\4d9oz3j0.exe[5068] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000076fffeb8 5 bytes JMP 000000006c8827a0 .text C:\Users\Leszek\Desktop\4d9oz3j0.exe[5068] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076ffff84 5 bytes JMP 000000006c882650 .text C:\Users\Leszek\Desktop\4d9oz3j0.exe[5068] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077000078 5 bytes JMP 000000006c882520 .text C:\Users\Leszek\Desktop\4d9oz3j0.exe[5068] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000770007ac 5 bytes JMP 000000006c8828e0 .text C:\Users\Leszek\Desktop\4d9oz3j0.exe[5068] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077000884 5 bytes JMP 000000006c882b70 .text C:\Users\Leszek\Desktop\4d9oz3j0.exe[5068] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007700092c 5 bytes JMP 000000006c882e00 .text C:\Users\Leszek\Desktop\4d9oz3j0.exe[5068] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077001088 5 bytes JMP 000000006c882a30 .text C:\Users\Leszek\Desktop\4d9oz3j0.exe[5068] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077001100 5 bytes JMP 000000006c882cc0 .text C:\Users\Leszek\Desktop\4d9oz3j0.exe[5068] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 000000007701911f 5 bytes JMP 000000006c882f80 .text C:\Users\Leszek\Desktop\4d9oz3j0.exe[5068] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007709ff31 5 bytes JMP 000000006c882e90 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Cam@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Firewall Pro@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3D466920-8872-8FB1-6BAD-BE26A6BB7547} Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3D466920-8872-8FB1-6BAD-BE26A6BB7547}@jacoblpmmdkbpglkjfhb 0x64 0x62 0x68 0x6E ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3D466920-8872-8FB1-6BAD-BE26A6BB7547}@haboalcepeplhded 0x61 0x62 0x62 0x65 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E815DC1B-5302-89C2-B38C-5010C4C9BACF} ---- Files - GMER 2.2 ---- File C:\Windows\System32\config\systemprofile\AppData\Local\Avg\av16\temp\avg-2d94e92d-970b-406c-a796-9f1e1ee0977e.tmp 0 bytes File C:\Windows\System32\config\systemprofile\AppData\Local\Avg\av16\temp\avg-ae3c4a16-45ef-4b14-832d-df0e248a1702.tmp 0 bytes ---- EOF - GMER 2.2 ----