GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-03-23 20:59:48 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Crucial_CT128MX100SSD1 rev.MU01 119,24GB Running: wl81oxzm.exe; Driver: C:\Users\xxx\AppData\Local\Temp\uxriqpow.sys ---- Kernel code sections - GMER 2.2 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 448 fffff800031af000 45 bytes [00, 00, EA, 00, 4E, 70, 46, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 495 fffff800031af02f 23 bytes [00, 31, C0, B6, FA, F2, 74, ...] ---- User code sections - GMER 2.2 ---- .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1900] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075361465 2 bytes [36, 75] .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1900] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000753614bb 2 bytes [36, 75] .text ... * 2 .text C:\Users\xxx\AppData\Local\Microsoft\BingSvc\BingSvc.exe[432] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007763fad8 5 bytes JMP 000000006ecf2d80 .text C:\Users\xxx\AppData\Local\Microsoft\BingSvc\BingSvc.exe[432] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007763fc50 5 bytes JMP 000000006ecf2910 .text C:\Users\xxx\AppData\Local\Microsoft\BingSvc\BingSvc.exe[432] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007763fe14 5 bytes JMP 000000006ecf27a0 .text C:\Users\xxx\AppData\Local\Microsoft\BingSvc\BingSvc.exe[432] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007763fea8 5 bytes JMP 000000006ecf2ed0 .text C:\Users\xxx\AppData\Local\Microsoft\BingSvc\BingSvc.exe[432] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007763ff74 5 bytes JMP 000000006ecf2e90 .text C:\Users\xxx\AppData\Local\Microsoft\BingSvc\BingSvc.exe[432] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077640068 5 bytes JMP 000000006ecf2ad0 .text C:\Users\xxx\AppData\Local\Microsoft\BingSvc\BingSvc.exe[432] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007764079c 5 bytes JMP 000000006ecf2f10 .text C:\Users\xxx\AppData\Local\Microsoft\BingSvc\BingSvc.exe[432] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077640874 5 bytes JMP 000000006ecf2f90 .text C:\Users\xxx\AppData\Local\Microsoft\BingSvc\BingSvc.exe[432] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007764091c 5 bytes JMP 000000006ecf2c00 .text C:\Users\xxx\AppData\Local\Microsoft\BingSvc\BingSvc.exe[432] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077641078 5 bytes JMP 000000006ecf2f50 .text C:\Users\xxx\AppData\Local\Microsoft\BingSvc\BingSvc.exe[432] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000776410f0 5 bytes JMP 000000006ecf2fd0 .text C:\Users\xxx\AppData\Local\Microsoft\BingSvc\BingSvc.exe[432] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 000000007765975f 5 bytes JMP 000000006ecf3620 .text C:\Users\xxx\AppData\Local\Microsoft\BingSvc\BingSvc.exe[432] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 00000000776dfeed 5 bytes JMP 000000006ecf2c90 .text C:\Program Files\CCleaner\CCleaner64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000077465b60 5 bytes JMP 00000000000205f0 .text C:\Program Files\CCleaner\CCleaner64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077491440 3 bytes JMP 0000000000020678 .text C:\Program Files\CCleaner\CCleaner64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess + 4 0000000077491444 1 byte [88] .text C:\Program Files\CCleaner\CCleaner64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077491530 3 bytes JMP 00000000000200a0 .text C:\Program Files\CCleaner\CCleaner64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 4 0000000077491534 1 byte {JMP 0xffffffffffffffba} .text C:\Program Files\CCleaner\CCleaner64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077491650 3 bytes JMP 0000000000020018 .text C:\Program Files\CCleaner\CCleaner64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 4 0000000077491654 1 byte [88] .text C:\Program Files\CCleaner\CCleaner64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774916b0 3 bytes JMP 00000000000203d0 .text C:\Program Files\CCleaner\CCleaner64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 4 00000000774916b4 1 byte [88] .text C:\Program Files\CCleaner\CCleaner64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077491730 3 bytes JMP 00000000000201b0 .text C:\Program Files\CCleaner\CCleaner64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 4 0000000077491734 1 byte [88] .text C:\Program Files\CCleaner\CCleaner64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000774917d0 3 bytes JMP 0000000000020128 .text C:\Program Files\CCleaner\CCleaner64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread + 4 00000000774917d4 1 byte [88] .text C:\Program Files\CCleaner\CCleaner64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077491c80 3 bytes JMP 0000000000020238 .text C:\Program Files\CCleaner\CCleaner64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 4 0000000077491c84 1 byte [88] .text C:\Program Files\CCleaner\CCleaner64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077491d10 3 bytes JMP 00000000000202c0 .text C:\Program Files\CCleaner\CCleaner64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 4 0000000077491d14 1 byte [88] .text C:\Program Files\CCleaner\CCleaner64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077491d80 3 bytes JMP 0000000000020348 .text C:\Program Files\CCleaner\CCleaner64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess + 4 0000000077491d84 1 byte [88] .text C:\Program Files\CCleaner\CCleaner64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077492240 3 bytes JMP 0000000000020458 .text C:\Program Files\CCleaner\CCleaner64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant + 4 0000000077492244 1 byte [88] .text C:\Program Files\CCleaner\CCleaner64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077492290 3 bytes JMP 00000000000204e0 .text C:\Program Files\CCleaner\CCleaner64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 4 0000000077492294 1 byte [88] .text C:\Program Files\CCleaner\CCleaner64.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000774e7700 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\AVG\Av\avgui.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000077465b60 5 bytes JMP 00000000000205f0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077491440 3 bytes JMP 0000000000020678 .text C:\Program Files (x86)\AVG\Av\avgui.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess + 4 0000000077491444 1 byte [88] .text C:\Program Files (x86)\AVG\Av\avgui.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077491530 3 bytes JMP 00000000000200a0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 4 0000000077491534 1 byte {JMP 0xffffffffffffffba} .text C:\Program Files (x86)\AVG\Av\avgui.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077491650 3 bytes JMP 0000000000020018 .text C:\Program Files (x86)\AVG\Av\avgui.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 4 0000000077491654 1 byte [88] .text C:\Program Files (x86)\AVG\Av\avgui.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774916b0 3 bytes JMP 00000000000203d0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 4 00000000774916b4 1 byte [88] .text C:\Program Files (x86)\AVG\Av\avgui.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077491730 3 bytes JMP 00000000000201b0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 4 0000000077491734 1 byte [88] .text C:\Program Files (x86)\AVG\Av\avgui.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000774917d0 3 bytes JMP 0000000000020128 .text C:\Program Files (x86)\AVG\Av\avgui.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread + 4 00000000774917d4 1 byte [88] .text C:\Program Files (x86)\AVG\Av\avgui.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077491c80 3 bytes JMP 0000000000020238 .text C:\Program Files (x86)\AVG\Av\avgui.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 4 0000000077491c84 1 byte [88] .text C:\Program Files (x86)\AVG\Av\avgui.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077491d10 3 bytes JMP 00000000000202c0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 4 0000000077491d14 1 byte [88] .text C:\Program Files (x86)\AVG\Av\avgui.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077491d80 3 bytes JMP 0000000000020348 .text C:\Program Files (x86)\AVG\Av\avgui.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess + 4 0000000077491d84 1 byte [88] .text C:\Program Files (x86)\AVG\Av\avgui.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077492240 3 bytes JMP 0000000000020458 .text C:\Program Files (x86)\AVG\Av\avgui.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant + 4 0000000077492244 1 byte [88] .text C:\Program Files (x86)\AVG\Av\avgui.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077492290 3 bytes JMP 00000000000204e0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 4 0000000077492294 1 byte [88] .text C:\Program Files (x86)\AVG\Av\avgui.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000774e7700 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2244] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007763fad8 5 bytes JMP 000000006ecf2d80 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2244] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007763fc50 5 bytes JMP 000000006ecf2910 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2244] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007763fe14 5 bytes JMP 000000006ecf27a0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2244] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007763fea8 5 bytes JMP 000000006ecf2ed0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2244] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007763ff74 5 bytes JMP 000000006ecf2e90 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2244] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077640068 5 bytes JMP 000000006ecf2ad0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2244] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007764079c 5 bytes JMP 000000006ecf2f10 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2244] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077640874 5 bytes JMP 000000006ecf2f90 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2244] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007764091c 5 bytes JMP 000000006ecf2c00 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2244] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077641078 5 bytes JMP 000000006ecf2f50 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2244] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000776410f0 5 bytes JMP 000000006ecf2fd0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2244] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 000000007765975f 5 bytes JMP 000000006ecf3620 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2244] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 00000000776dfeed 5 bytes JMP 000000006ecf2c90 .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe[2252] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007763fad8 5 bytes JMP 000000006ecf2d80 .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe[2252] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007763fc50 5 bytes JMP 000000006ecf2910 .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe[2252] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007763fe14 5 bytes JMP 000000006ecf27a0 .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe[2252] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007763fea8 5 bytes JMP 000000006ecf2ed0 .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe[2252] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007763ff74 5 bytes JMP 000000006ecf2e90 .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe[2252] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077640068 5 bytes JMP 000000006ecf2ad0 .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe[2252] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007764079c 5 bytes JMP 000000006ecf2f10 .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe[2252] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077640874 5 bytes JMP 000000006ecf2f90 .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe[2252] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007764091c 5 bytes JMP 000000006ecf2c00 .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe[2252] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077641078 5 bytes JMP 000000006ecf2f50 .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe[2252] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000776410f0 5 bytes JMP 000000006ecf2fd0 .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe[2252] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 000000007765975f 5 bytes JMP 000000006ecf3620 .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe[2252] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 00000000776dfeed 5 bytes JMP 000000006ecf2c90 .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe[2252] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075361465 2 bytes [36, 75] .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe[2252] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000753614bb 2 bytes [36, 75] .text ... * 2 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2280] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007763fad8 5 bytes JMP 000000006ecf2d80 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2280] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007763fc50 5 bytes JMP 000000006ecf2910 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2280] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007763fe14 5 bytes JMP 000000006ecf27a0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2280] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007763fea8 5 bytes JMP 000000006ecf2ed0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2280] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007763ff74 5 bytes JMP 000000006ecf2e90 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2280] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077640068 5 bytes JMP 000000006ecf2ad0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2280] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007764079c 5 bytes JMP 000000006ecf2f10 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2280] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077640874 5 bytes JMP 000000006ecf2f90 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2280] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007764091c 5 bytes JMP 000000006ecf2c00 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2280] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077641078 5 bytes JMP 000000006ecf2f50 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2280] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000776410f0 5 bytes JMP 000000006ecf2fd0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2280] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 000000007765975f 5 bytes JMP 000000006ecf3620 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2280] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 00000000776dfeed 5 bytes JMP 000000006ecf2c90 .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\ADS\Adobe Desktop Service.exe[1464] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007763fad8 5 bytes JMP 000000006ecf2d80 .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\ADS\Adobe Desktop Service.exe[1464] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007763fc50 5 bytes JMP 000000006ecf2910 .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\ADS\Adobe Desktop Service.exe[1464] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007763fe14 5 bytes JMP 000000006ecf27a0 .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\ADS\Adobe Desktop Service.exe[1464] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007763fea8 5 bytes JMP 000000006ecf2ed0 .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\ADS\Adobe Desktop Service.exe[1464] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007763ff74 5 bytes JMP 000000006ecf2e90 .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\ADS\Adobe Desktop Service.exe[1464] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077640068 5 bytes JMP 000000006ecf2ad0 .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\ADS\Adobe Desktop Service.exe[1464] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007764079c 5 bytes JMP 000000006ecf2f10 .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\ADS\Adobe Desktop Service.exe[1464] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077640874 5 bytes JMP 000000006ecf2f90 .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\ADS\Adobe Desktop Service.exe[1464] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007764091c 5 bytes JMP 000000006ecf2c00 .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\ADS\Adobe Desktop Service.exe[1464] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077641078 5 bytes JMP 000000006ecf2f50 .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\ADS\Adobe Desktop Service.exe[1464] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000776410f0 5 bytes JMP 000000006ecf2fd0 .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\ADS\Adobe Desktop Service.exe[1464] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 000000007765975f 5 bytes JMP 000000006ecf3620 .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\ADS\Adobe Desktop Service.exe[1464] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 00000000776dfeed 5 bytes JMP 000000006ecf2c90 .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\ADS\Adobe Desktop Service.exe[1464] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075361465 2 bytes [36, 75] .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\ADS\Adobe Desktop Service.exe[1464] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000753614bb 2 bytes [36, 75] .text ... * 2 .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe[1416] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007763fad8 5 bytes JMP 000000006ecf2d80 .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe[1416] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007763fc50 5 bytes JMP 000000006ecf2910 .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe[1416] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007763fe14 5 bytes JMP 000000006ecf27a0 .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe[1416] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007763fea8 5 bytes JMP 000000006ecf2ed0 .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe[1416] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007763ff74 5 bytes JMP 000000006ecf2e90 .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe[1416] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077640068 5 bytes JMP 000000006ecf2ad0 .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe[1416] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007764079c 5 bytes JMP 000000006ecf2f10 .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe[1416] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077640874 5 bytes JMP 000000006ecf2f90 .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe[1416] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007764091c 5 bytes JMP 000000006ecf2c00 .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe[1416] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077641078 5 bytes JMP 000000006ecf2f50 .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe[1416] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000776410f0 5 bytes JMP 000000006ecf2fd0 .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe[1416] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 000000007765975f 5 bytes JMP 000000006ecf3620 .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe[1416] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 00000000776dfeed 5 bytes JMP 000000006ecf2c90 .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe[1416] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075361465 2 bytes [36, 75] .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe[1416] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000753614bb 2 bytes [36, 75] .text ... * 2 .text C:\Program Files (x86)\AVG\Av\avgrsa.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000077465b60 5 bytes JMP 00000000000205f0 .text C:\Program Files (x86)\AVG\Av\avgrsa.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077491440 3 bytes JMP 0000000000020678 .text C:\Program Files (x86)\AVG\Av\avgrsa.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess + 4 0000000077491444 1 byte [88] .text C:\Program Files (x86)\AVG\Av\avgrsa.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077491530 3 bytes JMP 00000000000200a0 .text C:\Program Files (x86)\AVG\Av\avgrsa.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 4 0000000077491534 1 byte {JMP 0xffffffffffffffba} .text C:\Program Files (x86)\AVG\Av\avgrsa.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077491650 3 bytes JMP 0000000000020018 .text C:\Program Files (x86)\AVG\Av\avgrsa.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 4 0000000077491654 1 byte [88] .text C:\Program Files (x86)\AVG\Av\avgrsa.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774916b0 3 bytes JMP 00000000000203d0 .text C:\Program Files (x86)\AVG\Av\avgrsa.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 4 00000000774916b4 1 byte [88] .text C:\Program Files (x86)\AVG\Av\avgrsa.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077491730 3 bytes JMP 00000000000201b0 .text C:\Program Files (x86)\AVG\Av\avgrsa.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 4 0000000077491734 1 byte [88] .text C:\Program Files (x86)\AVG\Av\avgrsa.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000774917d0 3 bytes JMP 0000000000020128 .text C:\Program Files (x86)\AVG\Av\avgrsa.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread + 4 00000000774917d4 1 byte [88] .text C:\Program Files (x86)\AVG\Av\avgrsa.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077491c80 3 bytes JMP 0000000000020238 .text C:\Program Files (x86)\AVG\Av\avgrsa.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 4 0000000077491c84 1 byte [88] .text C:\Program Files (x86)\AVG\Av\avgrsa.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077491d10 3 bytes JMP 00000000000202c0 .text C:\Program Files (x86)\AVG\Av\avgrsa.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 4 0000000077491d14 1 byte [88] .text C:\Program Files (x86)\AVG\Av\avgrsa.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077491d80 3 bytes JMP 0000000000020348 .text C:\Program Files (x86)\AVG\Av\avgrsa.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess + 4 0000000077491d84 1 byte [88] .text C:\Program Files (x86)\AVG\Av\avgrsa.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077492240 3 bytes JMP 0000000000020458 .text C:\Program Files (x86)\AVG\Av\avgrsa.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant + 4 0000000077492244 1 byte [88] .text C:\Program Files (x86)\AVG\Av\avgrsa.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077492290 3 bytes JMP 00000000000204e0 .text C:\Program Files (x86)\AVG\Av\avgrsa.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 4 0000000077492294 1 byte [88] .text C:\Program Files (x86)\AVG\Av\avgrsa.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000774e7700 5 bytes JMP 0000000000020568 .text E:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007763fad8 5 bytes JMP 000000006ecf2d80 .text E:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007763fc50 5 bytes JMP 000000006ecf2910 .text E:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007763fe14 5 bytes JMP 000000006ecf27a0 .text E:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007763fea8 5 bytes JMP 000000006ecf2ed0 .text E:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007763ff74 5 bytes JMP 000000006ecf2e90 .text E:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077640068 5 bytes JMP 000000006ecf2ad0 .text E:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007764079c 5 bytes JMP 000000006ecf2f10 .text E:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077640874 5 bytes JMP 000000006ecf2f90 .text E:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007764091c 5 bytes JMP 000000006ecf2c00 .text E:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077641078 5 bytes JMP 000000006ecf2f50 .text E:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000776410f0 5 bytes JMP 000000006ecf2fd0 .text E:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[3920] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 000000007765975f 5 bytes JMP 000000006ecf3620 .text E:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[3920] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 00000000776dfeed 5 bytes JMP 000000006ecf2c90 .text E:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[3920] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075361465 2 bytes [36, 75] .text E:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[3920] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000753614bb 2 bytes [36, 75] .text ... * 2 .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync.exe[3592] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007763fad8 5 bytes JMP 000000006ecf2d80 .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync.exe[3592] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007763fc50 5 bytes JMP 000000006ecf2910 .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync.exe[3592] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007763fe14 5 bytes JMP 000000006ecf27a0 .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync.exe[3592] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007763fea8 5 bytes JMP 000000006ecf2ed0 .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync.exe[3592] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007763ff74 5 bytes JMP 000000006ecf2e90 .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync.exe[3592] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077640068 5 bytes JMP 000000006ecf2ad0 .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync.exe[3592] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007764079c 5 bytes JMP 000000006ecf2f10 .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync.exe[3592] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077640874 5 bytes JMP 000000006ecf2f90 .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync.exe[3592] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007764091c 5 bytes JMP 000000006ecf2c00 .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync.exe[3592] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077641078 5 bytes JMP 000000006ecf2f50 .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync.exe[3592] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000776410f0 5 bytes JMP 000000006ecf2fd0 .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync.exe[3592] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 000000007765975f 5 bytes JMP 000000006ecf3620 .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync.exe[3592] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 00000000776dfeed 5 bytes JMP 000000006ecf2c90 .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCXProcess\CCXProcess.exe[3672] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007763fad8 5 bytes JMP 000000006ecf2d80 .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCXProcess\CCXProcess.exe[3672] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007763fc50 5 bytes JMP 000000006ecf2910 .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCXProcess\CCXProcess.exe[3672] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007763fe14 5 bytes JMP 000000006ecf27a0 .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCXProcess\CCXProcess.exe[3672] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007763fea8 5 bytes JMP 000000006ecf2ed0 .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCXProcess\CCXProcess.exe[3672] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007763ff74 5 bytes JMP 000000006ecf2e90 .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCXProcess\CCXProcess.exe[3672] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077640068 5 bytes JMP 000000006ecf2ad0 .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCXProcess\CCXProcess.exe[3672] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007764079c 5 bytes JMP 000000006ecf2f10 .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCXProcess\CCXProcess.exe[3672] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077640874 5 bytes JMP 000000006ecf2f90 .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCXProcess\CCXProcess.exe[3672] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007764091c 5 bytes JMP 000000006ecf2c00 .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCXProcess\CCXProcess.exe[3672] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077641078 5 bytes JMP 000000006ecf2f50 .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCXProcess\CCXProcess.exe[3672] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000776410f0 5 bytes JMP 000000006ecf2fd0 .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCXProcess\CCXProcess.exe[3672] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 000000007765975f 5 bytes JMP 000000006ecf3620 .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCXProcess\CCXProcess.exe[3672] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 00000000776dfeed 5 bytes JMP 000000006ecf2c90 .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCXProcess\libs\node.exe[3696] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007763fad8 5 bytes JMP 000000006ecf2d80 .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCXProcess\libs\node.exe[3696] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007763fc50 5 bytes JMP 000000006ecf2910 .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCXProcess\libs\node.exe[3696] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007763fe14 5 bytes JMP 000000006ecf27a0 .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCXProcess\libs\node.exe[3696] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007763fea8 5 bytes JMP 000000006ecf2ed0 .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCXProcess\libs\node.exe[3696] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007763ff74 5 bytes JMP 000000006ecf2e90 .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCXProcess\libs\node.exe[3696] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077640068 5 bytes JMP 000000006ecf2ad0 .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCXProcess\libs\node.exe[3696] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007764079c 5 bytes JMP 000000006ecf2f10 .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCXProcess\libs\node.exe[3696] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077640874 5 bytes JMP 000000006ecf2f90 .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCXProcess\libs\node.exe[3696] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007764091c 5 bytes JMP 000000006ecf2c00 .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCXProcess\libs\node.exe[3696] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077641078 5 bytes JMP 000000006ecf2f50 .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCXProcess\libs\node.exe[3696] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000776410f0 5 bytes JMP 000000006ecf2fd0 .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCXProcess\libs\node.exe[3696] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 000000007765975f 5 bytes JMP 000000006ecf3620 .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCXProcess\libs\node.exe[3696] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 00000000776dfeed 5 bytes JMP 000000006ecf2c90 .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCXProcess\libs\node.exe[3696] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075361465 2 bytes [36, 75] .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCXProcess\libs\node.exe[3696] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000753614bb 2 bytes [36, 75] .text ... * 2 .text C:\Windows\system32\ctfmon.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000077465b60 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\ctfmon.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077491440 3 bytes JMP 0000000000020678 .text C:\Windows\system32\ctfmon.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess + 4 0000000077491444 1 byte [88] .text C:\Windows\system32\ctfmon.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077491530 3 bytes JMP 00000000000200a0 .text C:\Windows\system32\ctfmon.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 4 0000000077491534 1 byte {JMP 0xffffffffffffffba} .text C:\Windows\system32\ctfmon.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077491650 3 bytes JMP 0000000000020018 .text C:\Windows\system32\ctfmon.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 4 0000000077491654 1 byte [88] .text C:\Windows\system32\ctfmon.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774916b0 3 bytes JMP 00000000000203d0 .text C:\Windows\system32\ctfmon.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 4 00000000774916b4 1 byte [88] .text C:\Windows\system32\ctfmon.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077491730 3 bytes JMP 00000000000201b0 .text C:\Windows\system32\ctfmon.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 4 0000000077491734 1 byte [88] .text C:\Windows\system32\ctfmon.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000774917d0 3 bytes JMP 0000000000020128 .text C:\Windows\system32\ctfmon.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread + 4 00000000774917d4 1 byte [88] .text C:\Windows\system32\ctfmon.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077491c80 3 bytes JMP 0000000000020238 .text C:\Windows\system32\ctfmon.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 4 0000000077491c84 1 byte [88] .text C:\Windows\system32\ctfmon.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077491d10 3 bytes JMP 00000000000202c0 .text C:\Windows\system32\ctfmon.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 4 0000000077491d14 1 byte [88] .text C:\Windows\system32\ctfmon.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077491d80 3 bytes JMP 0000000000020348 .text C:\Windows\system32\ctfmon.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess + 4 0000000077491d84 1 byte [88] .text C:\Windows\system32\ctfmon.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077492240 3 bytes JMP 0000000000020458 .text C:\Windows\system32\ctfmon.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant + 4 0000000077492244 1 byte [88] .text C:\Windows\system32\ctfmon.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077492290 3 bytes JMP 00000000000204e0 .text C:\Windows\system32\ctfmon.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 4 0000000077492294 1 byte [88] .text C:\Windows\system32\ctfmon.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000774e7700 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\Raptr Inc\PlaysTV\plays_service.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007763fad8 5 bytes JMP 000000006ecf2d80 .text C:\Program Files (x86)\Raptr Inc\PlaysTV\plays_service.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007763fc50 5 bytes JMP 000000006ecf2910 .text C:\Program Files (x86)\Raptr Inc\PlaysTV\plays_service.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007763fe14 5 bytes JMP 000000006ecf27a0 .text C:\Program Files (x86)\Raptr Inc\PlaysTV\plays_service.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007763fea8 5 bytes JMP 000000006ecf2ed0 .text C:\Program Files (x86)\Raptr Inc\PlaysTV\plays_service.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007763ff74 5 bytes JMP 000000006ecf2e90 .text C:\Program Files (x86)\Raptr Inc\PlaysTV\plays_service.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077640068 5 bytes JMP 000000006ecf2ad0 .text C:\Program Files (x86)\Raptr Inc\PlaysTV\plays_service.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007764079c 5 bytes JMP 000000006ecf2f10 .text C:\Program Files (x86)\Raptr Inc\PlaysTV\plays_service.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077640874 5 bytes JMP 000000006ecf2f90 .text C:\Program Files (x86)\Raptr Inc\PlaysTV\plays_service.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007764091c 5 bytes JMP 000000006ecf2c00 .text C:\Program Files (x86)\Raptr Inc\PlaysTV\plays_service.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077641078 5 bytes JMP 000000006ecf2f50 .text C:\Program Files (x86)\Raptr Inc\PlaysTV\plays_service.exe[2540] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000776410f0 5 bytes JMP 000000006ecf2fd0 .text C:\Program Files (x86)\Raptr Inc\PlaysTV\plays_service.exe[2540] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 000000007765975f 5 bytes JMP 000000006ecf3620 .text C:\Program Files (x86)\Raptr Inc\PlaysTV\plays_service.exe[2540] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 00000000776dfeed 5 bytes JMP 000000006ecf2c90 .text C:\Program Files (x86)\Raptr Inc\PlaysTV\plays_service.exe[2540] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 69 0000000075361465 2 bytes [36, 75] .text C:\Program Files (x86)\Raptr Inc\PlaysTV\plays_service.exe[2540] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 155 00000000753614bb 2 bytes [36, 75] .text ... * 2 .text C:\Program Files\Sony\Xperia Companion\Service\XperiaCompanionService.exe[5332] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000077465b60 5 bytes JMP 00000000000205f0 .text C:\Program Files\Sony\Xperia Companion\Service\XperiaCompanionService.exe[5332] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077491440 3 bytes JMP 0000000000020678 .text C:\Program Files\Sony\Xperia Companion\Service\XperiaCompanionService.exe[5332] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess + 4 0000000077491444 1 byte [88] .text C:\Program Files\Sony\Xperia Companion\Service\XperiaCompanionService.exe[5332] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077491530 3 bytes JMP 00000000000200a0 .text C:\Program Files\Sony\Xperia Companion\Service\XperiaCompanionService.exe[5332] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 4 0000000077491534 1 byte {JMP 0xffffffffffffffba} .text C:\Program Files\Sony\Xperia Companion\Service\XperiaCompanionService.exe[5332] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077491650 3 bytes JMP 0000000000020018 .text C:\Program Files\Sony\Xperia Companion\Service\XperiaCompanionService.exe[5332] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 4 0000000077491654 1 byte [88] .text C:\Program Files\Sony\Xperia Companion\Service\XperiaCompanionService.exe[5332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774916b0 3 bytes JMP 00000000000203d0 .text C:\Program Files\Sony\Xperia Companion\Service\XperiaCompanionService.exe[5332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 4 00000000774916b4 1 byte [88] .text C:\Program Files\Sony\Xperia Companion\Service\XperiaCompanionService.exe[5332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077491730 3 bytes JMP 00000000000201b0 .text C:\Program Files\Sony\Xperia Companion\Service\XperiaCompanionService.exe[5332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 4 0000000077491734 1 byte [88] .text C:\Program Files\Sony\Xperia Companion\Service\XperiaCompanionService.exe[5332] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000774917d0 3 bytes JMP 0000000000020128 .text C:\Program Files\Sony\Xperia Companion\Service\XperiaCompanionService.exe[5332] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread + 4 00000000774917d4 1 byte [88] .text C:\Program Files\Sony\Xperia Companion\Service\XperiaCompanionService.exe[5332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077491c80 3 bytes JMP 0000000000020238 .text C:\Program Files\Sony\Xperia Companion\Service\XperiaCompanionService.exe[5332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 4 0000000077491c84 1 byte [88] .text C:\Program Files\Sony\Xperia Companion\Service\XperiaCompanionService.exe[5332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077491d10 3 bytes JMP 00000000000202c0 .text C:\Program Files\Sony\Xperia Companion\Service\XperiaCompanionService.exe[5332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 4 0000000077491d14 1 byte [88] .text C:\Program Files\Sony\Xperia Companion\Service\XperiaCompanionService.exe[5332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077491d80 3 bytes JMP 0000000000020348 .text C:\Program Files\Sony\Xperia Companion\Service\XperiaCompanionService.exe[5332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess + 4 0000000077491d84 1 byte [88] .text C:\Program Files\Sony\Xperia Companion\Service\XperiaCompanionService.exe[5332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077492240 3 bytes JMP 0000000000020458 .text C:\Program Files\Sony\Xperia Companion\Service\XperiaCompanionService.exe[5332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant + 4 0000000077492244 1 byte [88] .text C:\Program Files\Sony\Xperia Companion\Service\XperiaCompanionService.exe[5332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077492290 3 bytes JMP 00000000000204e0 .text C:\Program Files\Sony\Xperia Companion\Service\XperiaCompanionService.exe[5332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 4 0000000077492294 1 byte [88] .text C:\Program Files\Sony\Xperia Companion\Service\XperiaCompanionService.exe[5332] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000774e7700 5 bytes JMP 0000000000020568 .text C:\Windows\system32\SearchIndexer.exe[5724] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000077465b60 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\SearchIndexer.exe[5724] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077491440 3 bytes JMP 0000000000020678 .text C:\Windows\system32\SearchIndexer.exe[5724] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess + 4 0000000077491444 1 byte [88] .text C:\Windows\system32\SearchIndexer.exe[5724] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077491530 3 bytes JMP 00000000000200a0 .text C:\Windows\system32\SearchIndexer.exe[5724] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 4 0000000077491534 1 byte {JMP 0xffffffffffffffba} .text C:\Windows\system32\SearchIndexer.exe[5724] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077491650 3 bytes JMP 0000000000020018 .text C:\Windows\system32\SearchIndexer.exe[5724] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 4 0000000077491654 1 byte [88] .text C:\Windows\system32\SearchIndexer.exe[5724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774916b0 3 bytes JMP 00000000000203d0 .text C:\Windows\system32\SearchIndexer.exe[5724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 4 00000000774916b4 1 byte [88] .text C:\Windows\system32\SearchIndexer.exe[5724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077491730 3 bytes JMP 00000000000201b0 .text C:\Windows\system32\SearchIndexer.exe[5724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 4 0000000077491734 1 byte [88] .text C:\Windows\system32\SearchIndexer.exe[5724] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000774917d0 3 bytes JMP 0000000000020128 .text C:\Windows\system32\SearchIndexer.exe[5724] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread + 4 00000000774917d4 1 byte [88] .text C:\Windows\system32\SearchIndexer.exe[5724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077491c80 3 bytes JMP 0000000000020238 .text C:\Windows\system32\SearchIndexer.exe[5724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 4 0000000077491c84 1 byte [88] .text C:\Windows\system32\SearchIndexer.exe[5724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077491d10 3 bytes JMP 00000000000202c0 .text C:\Windows\system32\SearchIndexer.exe[5724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 4 0000000077491d14 1 byte [88] .text C:\Windows\system32\SearchIndexer.exe[5724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077491d80 3 bytes JMP 0000000000020348 .text C:\Windows\system32\SearchIndexer.exe[5724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess + 4 0000000077491d84 1 byte [88] .text C:\Windows\system32\SearchIndexer.exe[5724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077492240 3 bytes JMP 0000000000020458 .text C:\Windows\system32\SearchIndexer.exe[5724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant + 4 0000000077492244 1 byte [88] .text C:\Windows\system32\SearchIndexer.exe[5724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077492290 3 bytes JMP 00000000000204e0 .text C:\Windows\system32\SearchIndexer.exe[5724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 4 0000000077492294 1 byte [88] .text C:\Windows\system32\SearchIndexer.exe[5724] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000774e7700 5 bytes JMP 0000000000020568 .text C:\Windows\system32\svchost.exe[6276] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000077465b60 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\svchost.exe[6276] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077491440 3 bytes JMP 0000000000020678 .text C:\Windows\system32\svchost.exe[6276] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess + 4 0000000077491444 1 byte [88] .text C:\Windows\system32\svchost.exe[6276] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077491530 3 bytes JMP 00000000000200a0 .text C:\Windows\system32\svchost.exe[6276] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 4 0000000077491534 1 byte {JMP 0xffffffffffffffba} .text C:\Windows\system32\svchost.exe[6276] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077491650 3 bytes JMP 0000000000020018 .text C:\Windows\system32\svchost.exe[6276] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 4 0000000077491654 1 byte [88] .text C:\Windows\system32\svchost.exe[6276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774916b0 3 bytes JMP 00000000000203d0 .text C:\Windows\system32\svchost.exe[6276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 4 00000000774916b4 1 byte [88] .text C:\Windows\system32\svchost.exe[6276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077491730 3 bytes JMP 00000000000201b0 .text C:\Windows\system32\svchost.exe[6276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 4 0000000077491734 1 byte [88] .text C:\Windows\system32\svchost.exe[6276] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000774917d0 3 bytes JMP 0000000000020128 .text C:\Windows\system32\svchost.exe[6276] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread + 4 00000000774917d4 1 byte [88] .text C:\Windows\system32\svchost.exe[6276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077491c80 3 bytes JMP 0000000000020238 .text C:\Windows\system32\svchost.exe[6276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 4 0000000077491c84 1 byte [88] .text C:\Windows\system32\svchost.exe[6276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077491d10 3 bytes JMP 00000000000202c0 .text C:\Windows\system32\svchost.exe[6276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 4 0000000077491d14 1 byte [88] .text C:\Windows\system32\svchost.exe[6276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077491d80 3 bytes JMP 0000000000020348 .text C:\Windows\system32\svchost.exe[6276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess + 4 0000000077491d84 1 byte [88] .text C:\Windows\system32\svchost.exe[6276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077492240 3 bytes JMP 0000000000020458 .text C:\Windows\system32\svchost.exe[6276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant + 4 0000000077492244 1 byte [88] .text C:\Windows\system32\svchost.exe[6276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077492290 3 bytes JMP 00000000000204e0 .text C:\Windows\system32\svchost.exe[6276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 4 0000000077492294 1 byte [88] .text C:\Windows\system32\svchost.exe[6276] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000774e7700 5 bytes JMP 0000000000020568 .text C:\Windows\System32\svchost.exe[6628] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000077465b60 5 bytes JMP 00000000000205f0 .text C:\Windows\System32\svchost.exe[6628] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077491440 3 bytes JMP 0000000000020678 .text C:\Windows\System32\svchost.exe[6628] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess + 4 0000000077491444 1 byte [88] .text C:\Windows\System32\svchost.exe[6628] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077491530 3 bytes JMP 00000000000200a0 .text C:\Windows\System32\svchost.exe[6628] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 4 0000000077491534 1 byte {JMP 0xffffffffffffffba} .text C:\Windows\System32\svchost.exe[6628] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077491650 3 bytes JMP 0000000000020018 .text C:\Windows\System32\svchost.exe[6628] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 4 0000000077491654 1 byte [88] .text C:\Windows\System32\svchost.exe[6628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774916b0 3 bytes JMP 00000000000203d0 .text C:\Windows\System32\svchost.exe[6628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 4 00000000774916b4 1 byte [88] .text C:\Windows\System32\svchost.exe[6628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077491730 3 bytes JMP 00000000000201b0 .text C:\Windows\System32\svchost.exe[6628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 4 0000000077491734 1 byte [88] .text C:\Windows\System32\svchost.exe[6628] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000774917d0 3 bytes JMP 0000000000020128 .text C:\Windows\System32\svchost.exe[6628] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread + 4 00000000774917d4 1 byte [88] .text C:\Windows\System32\svchost.exe[6628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077491c80 3 bytes JMP 0000000000020238 .text C:\Windows\System32\svchost.exe[6628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 4 0000000077491c84 1 byte [88] .text C:\Windows\System32\svchost.exe[6628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077491d10 3 bytes JMP 00000000000202c0 .text C:\Windows\System32\svchost.exe[6628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 4 0000000077491d14 1 byte [88] .text C:\Windows\System32\svchost.exe[6628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077491d80 3 bytes JMP 0000000000020348 .text C:\Windows\System32\svchost.exe[6628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess + 4 0000000077491d84 1 byte [88] .text C:\Windows\System32\svchost.exe[6628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077492240 3 bytes JMP 0000000000020458 .text C:\Windows\System32\svchost.exe[6628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant + 4 0000000077492244 1 byte [88] .text C:\Windows\System32\svchost.exe[6628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077492290 3 bytes JMP 00000000000204e0 .text C:\Windows\System32\svchost.exe[6628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 4 0000000077492294 1 byte [88] .text C:\Windows\System32\svchost.exe[6628] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000774e7700 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe[7380] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007763fad8 5 bytes JMP 000000006ecf2d80 .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe[7380] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007763fc50 5 bytes JMP 000000006ecf2910 .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe[7380] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007763fe14 5 bytes JMP 000000006ecf27a0 .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe[7380] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007763fea8 5 bytes JMP 000000006ecf2ed0 .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe[7380] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007763ff74 5 bytes JMP 000000006ecf2e90 .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe[7380] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077640068 5 bytes JMP 000000006ecf2ad0 .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe[7380] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007764079c 5 bytes JMP 000000006ecf2f10 .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe[7380] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077640874 5 bytes JMP 000000006ecf2f90 .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe[7380] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007764091c 5 bytes JMP 000000006ecf2c00 .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe[7380] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077641078 5 bytes JMP 000000006ecf2f50 .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe[7380] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000776410f0 5 bytes JMP 000000006ecf2fd0 .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe[7380] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 000000007765975f 5 bytes JMP 000000006ecf3620 .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe[7380] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 00000000776dfeed 5 bytes JMP 000000006ecf2c90 .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe[7380] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075361465 2 bytes [36, 75] .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe[7380] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000753614bb 2 bytes [36, 75] .text ... * 2 .text C:\Windows\system32\taskhost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000077465b60 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\taskhost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077491440 3 bytes JMP 0000000000020678 .text C:\Windows\system32\taskhost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess + 4 0000000077491444 1 byte [88] .text C:\Windows\system32\taskhost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077491530 3 bytes JMP 00000000000200a0 .text C:\Windows\system32\taskhost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 4 0000000077491534 1 byte {JMP 0xffffffffffffffba} .text C:\Windows\system32\taskhost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077491650 3 bytes JMP 0000000000020018 .text C:\Windows\system32\taskhost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 4 0000000077491654 1 byte [88] .text C:\Windows\system32\taskhost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774916b0 3 bytes JMP 00000000000203d0 .text C:\Windows\system32\taskhost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 4 00000000774916b4 1 byte [88] .text C:\Windows\system32\taskhost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077491730 3 bytes JMP 00000000000201b0 .text C:\Windows\system32\taskhost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 4 0000000077491734 1 byte [88] .text C:\Windows\system32\taskhost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000774917d0 3 bytes JMP 0000000000020128 .text C:\Windows\system32\taskhost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread + 4 00000000774917d4 1 byte [88] .text C:\Windows\system32\taskhost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077491c80 3 bytes JMP 0000000000020238 .text C:\Windows\system32\taskhost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 4 0000000077491c84 1 byte [88] .text C:\Windows\system32\taskhost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077491d10 3 bytes JMP 00000000000202c0 .text C:\Windows\system32\taskhost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 4 0000000077491d14 1 byte [88] .text C:\Windows\system32\taskhost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077491d80 3 bytes JMP 0000000000020348 .text C:\Windows\system32\taskhost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess + 4 0000000077491d84 1 byte [88] .text C:\Windows\system32\taskhost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077492240 3 bytes JMP 0000000000020458 .text C:\Windows\system32\taskhost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant + 4 0000000077492244 1 byte [88] .text C:\Windows\system32\taskhost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077492290 3 bytes JMP 00000000000204e0 .text C:\Windows\system32\taskhost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 4 0000000077492294 1 byte [88] .text C:\Windows\system32\taskhost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000774e7700 5 bytes JMP 0000000000020568 .text C:\Users\xxx\Desktop\Nowy folder (2)\wl81oxzm.exe[588] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007763fad8 5 bytes JMP 000000006ecf2d80 .text C:\Users\xxx\Desktop\Nowy folder (2)\wl81oxzm.exe[588] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007763fc50 5 bytes JMP 000000006ecf2910 .text C:\Users\xxx\Desktop\Nowy folder (2)\wl81oxzm.exe[588] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007763fe14 5 bytes JMP 000000006ecf27a0 .text C:\Users\xxx\Desktop\Nowy folder (2)\wl81oxzm.exe[588] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007763fea8 5 bytes JMP 000000006ecf2ed0 .text C:\Users\xxx\Desktop\Nowy folder (2)\wl81oxzm.exe[588] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007763ff74 5 bytes JMP 000000006ecf2e90 .text C:\Users\xxx\Desktop\Nowy folder (2)\wl81oxzm.exe[588] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077640068 5 bytes JMP 000000006ecf2ad0 .text C:\Users\xxx\Desktop\Nowy folder (2)\wl81oxzm.exe[588] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007764079c 5 bytes JMP 000000006ecf2f10 .text C:\Users\xxx\Desktop\Nowy folder (2)\wl81oxzm.exe[588] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077640874 5 bytes JMP 000000006ecf2f90 .text C:\Users\xxx\Desktop\Nowy folder (2)\wl81oxzm.exe[588] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007764091c 5 bytes JMP 000000006ecf2c00 .text C:\Users\xxx\Desktop\Nowy folder (2)\wl81oxzm.exe[588] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077641078 5 bytes JMP 000000006ecf2f50 .text C:\Users\xxx\Desktop\Nowy folder (2)\wl81oxzm.exe[588] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000776410f0 5 bytes JMP 000000006ecf2fd0 .text C:\Users\xxx\Desktop\Nowy folder (2)\wl81oxzm.exe[588] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 000000007765975f 5 bytes JMP 000000006ecf3620 .text C:\Users\xxx\Desktop\Nowy folder (2)\wl81oxzm.exe[588] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 00000000776dfeed 5 bytes JMP 000000006ecf2c90 ---- EOF - GMER 2.2 ----