GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2017-06-07 21:25:50
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\0000006c WDC_____ rev.01.0 931,51GB
Running: rmq2tm48.exe; Driver: C:\Users\GOKUIS~1\AppData\Local\Temp\awtcipow.sys

---- User code sections - GMER 2.2 ----

.text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 0000000077d7fae8 5 bytes JMP 00000000753a2d80
.text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077d7fc60 5 bytes JMP 00000000753a2910
.text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077d7fe24 5 bytes JMP 00000000753a27a0
.text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077d7feb8 5 bytes JMP 00000000753a2ed0
.text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077d7ff84 5 bytes JMP 00000000753a2e90
.text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077d80078 5 bytes JMP 00000000753a2ad0
.text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077d807ac 5 bytes JMP 00000000753a2f10
.text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077d80884 5 bytes JMP 00000000753a2f90
.text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077d8092c 5 bytes JMP 00000000753a2c00
.text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077d81088 5 bytes JMP 00000000753a2f50
.text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077d81100 5 bytes JMP 00000000753a2fd0
.text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2384] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 0000000077d9911f 5 bytes JMP 00000000753a3620
.text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2384] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 0000000077e1ffe9 5 bytes JMP 00000000753a2c90
.text C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\MOM.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000077ba4170 5 bytes JMP 00000000000205f0
.text C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\MOM.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077bcbec0 5 bytes JMP 0000000000020678
.text C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\MOM.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077bcbfb0 5 bytes JMP 00000000000200a0
.text C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\MOM.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077bcc0d0 5 bytes JMP 0000000000020018
.text C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\MOM.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077bcc130 5 bytes JMP 00000000000203d0
.text C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\MOM.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077bcc1b0 5 bytes JMP 00000000000201b0
.text C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\MOM.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077bcc250 5 bytes JMP 0000000000020128
.text C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\MOM.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077bcc700 5 bytes JMP 0000000000020238
.text C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\MOM.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077bcc790 5 bytes JMP 00000000000202c0
.text C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\MOM.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077bcc800 5 bytes JMP 0000000000020348
.text C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\MOM.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077bcccc0 5 bytes JMP 0000000000020458
.text C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\MOM.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077bccd10 5 bytes JMP 00000000000204e0
.text C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\MOM.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077c226a0 5 bytes JMP 0000000000020568
.text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000077ba4170 5 bytes JMP 00000000000205f0
.text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077bcbec0 5 bytes JMP 0000000000020678
.text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077bcbfb0 5 bytes JMP 00000000000200a0
.text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077bcc0d0 5 bytes JMP 0000000000020018
.text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077bcc130 5 bytes JMP 00000000000203d0
.text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077bcc1b0 5 bytes JMP 00000000000201b0
.text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077bcc250 5 bytes JMP 0000000000020128
.text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077bcc700 5 bytes JMP 0000000000020238
.text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077bcc790 5 bytes JMP 00000000000202c0
.text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077bcc800 5 bytes JMP 0000000000020348
.text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077bcccc0 5 bytes JMP 0000000000020458
.text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077bccd10 5 bytes JMP 00000000000204e0
.text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077c226a0 5 bytes JMP 0000000000020568
.text C:\Program Files (x86)\AVG\Av\avgnsa.exe[3004] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000077ba4170 5 bytes JMP 00000000000205f0
.text C:\Program Files (x86)\AVG\Av\avgnsa.exe[3004] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077bcbec0 5 bytes JMP 0000000000020678
.text C:\Program Files (x86)\AVG\Av\avgnsa.exe[3004] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077bcbfb0 5 bytes JMP 00000000000200a0
.text C:\Program Files (x86)\AVG\Av\avgnsa.exe[3004] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077bcc0d0 5 bytes JMP 0000000000020018
.text C:\Program Files (x86)\AVG\Av\avgnsa.exe[3004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077bcc130 5 bytes JMP 00000000000203d0
.text C:\Program Files (x86)\AVG\Av\avgnsa.exe[3004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077bcc1b0 5 bytes JMP 00000000000201b0
.text C:\Program Files (x86)\AVG\Av\avgnsa.exe[3004] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077bcc250 5 bytes JMP 0000000000020128
.text C:\Program Files (x86)\AVG\Av\avgnsa.exe[3004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077bcc700 5 bytes JMP 0000000000020238
.text C:\Program Files (x86)\AVG\Av\avgnsa.exe[3004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077bcc790 5 bytes JMP 00000000000202c0
.text C:\Program Files (x86)\AVG\Av\avgnsa.exe[3004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077bcc800 5 bytes JMP 0000000000020348
.text C:\Program Files (x86)\AVG\Av\avgnsa.exe[3004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077bcccc0 5 bytes JMP 0000000000020458
.text C:\Program Files (x86)\AVG\Av\avgnsa.exe[3004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077bccd10 5 bytes JMP 00000000000204e0
.text C:\Program Files (x86)\AVG\Av\avgnsa.exe[3004] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077c226a0 5 bytes JMP 0000000000020568
.text C:\Program Files (x86)\AVG\Av\avgemca.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000077ba4170 5 bytes JMP 00000000000205f0
.text C:\Program Files (x86)\AVG\Av\avgemca.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077bcbec0 5 bytes JMP 0000000000020678
.text C:\Program Files (x86)\AVG\Av\avgemca.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077bcbfb0 5 bytes JMP 00000000000200a0
.text C:\Program Files (x86)\AVG\Av\avgemca.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077bcc0d0 5 bytes JMP 0000000000020018
.text C:\Program Files (x86)\AVG\Av\avgemca.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077bcc130 5 bytes JMP 00000000000203d0
.text C:\Program Files (x86)\AVG\Av\avgemca.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077bcc1b0 5 bytes JMP 00000000000201b0
.text C:\Program Files (x86)\AVG\Av\avgemca.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077bcc250 5 bytes JMP 0000000000020128
.text C:\Program Files (x86)\AVG\Av\avgemca.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077bcc700 5 bytes JMP 0000000000020238
.text C:\Program Files (x86)\AVG\Av\avgemca.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077bcc790 5 bytes JMP 00000000000202c0
.text C:\Program Files (x86)\AVG\Av\avgemca.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077bcc800 5 bytes JMP 0000000000020348
.text C:\Program Files (x86)\AVG\Av\avgemca.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077bcccc0 5 bytes JMP 0000000000020458
.text C:\Program Files (x86)\AVG\Av\avgemca.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077bccd10 5 bytes JMP 00000000000204e0
.text C:\Program Files (x86)\AVG\Av\avgemca.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077c226a0 5 bytes JMP 0000000000020568
.text C:\Windows\system32\SearchIndexer.exe[3316] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000077ba4170 5 bytes JMP 00000000000205f0
.text C:\Windows\system32\SearchIndexer.exe[3316] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077bcbec0 5 bytes JMP 0000000000020678
.text C:\Windows\system32\SearchIndexer.exe[3316] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077bcbfb0 5 bytes JMP 00000000000200a0
.text C:\Windows\system32\SearchIndexer.exe[3316] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077bcc0d0 5 bytes JMP 0000000000020018
.text C:\Windows\system32\SearchIndexer.exe[3316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077bcc130 5 bytes JMP 00000000000203d0
.text C:\Windows\system32\SearchIndexer.exe[3316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077bcc1b0 5 bytes JMP 00000000000201b0
.text C:\Windows\system32\SearchIndexer.exe[3316] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077bcc250 5 bytes JMP 0000000000020128
.text C:\Windows\system32\SearchIndexer.exe[3316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077bcc700 5 bytes JMP 0000000000020238
.text C:\Windows\system32\SearchIndexer.exe[3316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077bcc790 5 bytes JMP 00000000000202c0
.text C:\Windows\system32\SearchIndexer.exe[3316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077bcc800 5 bytes JMP 0000000000020348
.text C:\Windows\system32\SearchIndexer.exe[3316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077bcccc0 5 bytes JMP 0000000000020458
.text C:\Windows\system32\SearchIndexer.exe[3316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077bccd10 5 bytes JMP 00000000000204e0
.text C:\Windows\system32\SearchIndexer.exe[3316] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077c226a0 5 bytes JMP 0000000000020568
.text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000077ba4170 5 bytes JMP 00000000000205f0
.text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077bcbec0 5 bytes JMP 0000000000020678
.text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077bcbfb0 5 bytes JMP 00000000000200a0
.text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077bcc0d0 5 bytes JMP 0000000000020018
.text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077bcc130 5 bytes JMP 00000000000203d0
.text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077bcc1b0 5 bytes JMP 00000000000201b0
.text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077bcc250 5 bytes JMP 0000000000020128
.text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077bcc700 5 bytes JMP 0000000000020238
.text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077bcc790 5 bytes JMP 00000000000202c0
.text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077bcc800 5 bytes JMP 0000000000020348
.text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077bcccc0 5 bytes JMP 0000000000020458
.text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077bccd10 5 bytes JMP 00000000000204e0
.text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077c226a0 5 bytes JMP 0000000000020568
.text C:\Program Files (x86)\AVG\Av\avgrsa.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000077ba4170 5 bytes JMP 00000000000205f0
.text C:\Program Files (x86)\AVG\Av\avgrsa.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077bcbec0 5 bytes JMP 0000000000020678
.text C:\Program Files (x86)\AVG\Av\avgrsa.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077bcbfb0 5 bytes JMP 00000000000200a0
.text C:\Program Files (x86)\AVG\Av\avgrsa.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077bcc0d0 5 bytes JMP 0000000000020018
.text C:\Program Files (x86)\AVG\Av\avgrsa.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077bcc130 5 bytes JMP 00000000000203d0
.text C:\Program Files (x86)\AVG\Av\avgrsa.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077bcc1b0 5 bytes JMP 00000000000201b0
.text C:\Program Files (x86)\AVG\Av\avgrsa.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077bcc250 5 bytes JMP 0000000000020128
.text C:\Program Files (x86)\AVG\Av\avgrsa.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077bcc700 5 bytes JMP 0000000000020238
.text C:\Program Files (x86)\AVG\Av\avgrsa.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077bcc790 5 bytes JMP 00000000000202c0
.text C:\Program Files (x86)\AVG\Av\avgrsa.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077bcc800 5 bytes JMP 0000000000020348
.text C:\Program Files (x86)\AVG\Av\avgrsa.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077bcccc0 5 bytes JMP 0000000000020458
.text C:\Program Files (x86)\AVG\Av\avgrsa.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077bccd10 5 bytes JMP 00000000000204e0
.text C:\Program Files (x86)\AVG\Av\avgrsa.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077c226a0 5 bytes JMP 0000000000020568
.text C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\CCC.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000077ba4170 5 bytes JMP 00000000000205f0
.text C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\CCC.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077bcbec0 5 bytes JMP 0000000000020678
.text C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\CCC.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077bcbfb0 5 bytes JMP 00000000000200a0
.text C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\CCC.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077bcc0d0 5 bytes JMP 0000000000020018
.text C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\CCC.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077bcc130 5 bytes JMP 00000000000203d0
.text C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\CCC.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077bcc1b0 5 bytes JMP 00000000000201b0
.text C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\CCC.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077bcc250 5 bytes JMP 0000000000020128
.text C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\CCC.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077bcc700 5 bytes JMP 0000000000020238
.text C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\CCC.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077bcc790 5 bytes JMP 00000000000202c0
.text C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\CCC.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077bcc800 5 bytes JMP 0000000000020348
.text C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\CCC.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077bcccc0 5 bytes JMP 0000000000020458
.text C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\CCC.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077bccd10 5 bytes JMP 00000000000204e0
.text C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\CCC.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077c226a0 5 bytes JMP 0000000000020568
.text C:\Windows\system32\svchost.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000077ba4170 5 bytes JMP 00000000000205f0
.text C:\Windows\system32\svchost.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077bcbec0 5 bytes JMP 0000000000020678
.text C:\Windows\system32\svchost.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077bcbfb0 5 bytes JMP 00000000000200a0
.text C:\Windows\system32\svchost.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077bcc0d0 5 bytes JMP 0000000000020018
.text C:\Windows\system32\svchost.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077bcc130 5 bytes JMP 00000000000203d0
.text C:\Windows\system32\svchost.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077bcc1b0 5 bytes JMP 00000000000201b0
.text C:\Windows\system32\svchost.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077bcc250 5 bytes JMP 0000000000020128
.text C:\Windows\system32\svchost.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077bcc700 5 bytes JMP 0000000000020238
.text C:\Windows\system32\svchost.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077bcc790 5 bytes JMP 00000000000202c0
.text C:\Windows\system32\svchost.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077bcc800 5 bytes JMP 0000000000020348
.text C:\Windows\system32\svchost.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077bcccc0 5 bytes JMP 0000000000020458
.text C:\Windows\system32\svchost.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077bccd10 5 bytes JMP 00000000000204e0
.text C:\Windows\system32\svchost.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077c226a0 5 bytes JMP 0000000000020568
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4524] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 0000000077d7fae8 5 bytes JMP 00000000753a2d80
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4524] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077d7fc60 5 bytes JMP 00000000753a2910
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4524] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077d7fe24 5 bytes JMP 00000000753a27a0
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4524] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077d7feb8 5 bytes JMP 00000000753a2ed0
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4524] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077d7ff84 5 bytes JMP 00000000753a2e90
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4524] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077d80078 5 bytes JMP 00000000753a2ad0
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4524] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077d807ac 5 bytes JMP 00000000753a2f10
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4524] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077d80884 5 bytes JMP 00000000753a2f90
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4524] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077d8092c 5 bytes JMP 00000000753a2c00
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4524] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077d81088 5 bytes JMP 00000000753a2f50
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4524] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077d81100 5 bytes JMP 00000000753a2fd0
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4524] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 0000000077d9911f 5 bytes JMP 00000000753a3620
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4524] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 0000000077e1ffe9 5 bytes JMP 00000000753a2c90
.text C:\Program Files\Mozilla Firefox\firefox.exe[2312] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000077ba4170 5 bytes JMP 00000000000205f0
.text C:\Program Files\Mozilla Firefox\firefox.exe[2312] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077ba6130 13 bytes {MOV R11, 0x7fedf019170; JMP R11}
.text C:\Program Files\Mozilla Firefox\firefox.exe[2312] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077bcbec0 5 bytes JMP 0000000000020678
.text C:\Program Files\Mozilla Firefox\firefox.exe[2312] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077bcbfb0 5 bytes JMP 00000000000200a0
.text C:\Program Files\Mozilla Firefox\firefox.exe[2312] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077bcc0d0 5 bytes JMP 0000000000020018
.text C:\Program Files\Mozilla Firefox\firefox.exe[2312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077bcc130 5 bytes JMP 00000000000203d0
.text C:\Program Files\Mozilla Firefox\firefox.exe[2312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077bcc1b0 5 bytes JMP 00000000000201b0
.text C:\Program Files\Mozilla Firefox\firefox.exe[2312] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077bcc250 5 bytes JMP 0000000000020128
.text C:\Program Files\Mozilla Firefox\firefox.exe[2312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077bcc700 5 bytes JMP 0000000000020238
.text C:\Program Files\Mozilla Firefox\firefox.exe[2312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077bcc790 5 bytes JMP 00000000000202c0
.text C:\Program Files\Mozilla Firefox\firefox.exe[2312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077bcc800 5 bytes JMP 0000000000020348
.text C:\Program Files\Mozilla Firefox\firefox.exe[2312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077bcccc0 5 bytes JMP 0000000000020458
.text C:\Program Files\Mozilla Firefox\firefox.exe[2312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077bccd10 5 bytes JMP 00000000000204e0
.text C:\Program Files\Mozilla Firefox\firefox.exe[2312] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077c226a0 5 bytes JMP 0000000000020568
.text C:\Program Files\Mozilla Firefox\firefox.exe[2312] C:\Windows\system32\kernel32.dll!SetUnhandledExceptionFilter 0000000077979020 13 bytes {MOV R11, 0x7fed8dd5120; JMP R11}
.text C:\Program Files\Mozilla Firefox\firefox.exe[2312] C:\Windows\system32\USER32.dll!GetWindowInfo 0000000077a98b40 13 bytes {MOV R11, 0x7fed9ee644c; JMP R11}
.text C:\Program Files\Mozilla Firefox\firefox.exe[3544] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000077ba4170 5 bytes JMP 00000000000205f0
.text C:\Program Files\Mozilla Firefox\firefox.exe[3544] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077ba6130 13 bytes {MOV R11, 0x7fedf019170; JMP R11}
.text C:\Program Files\Mozilla Firefox\firefox.exe[3544] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077bcbec0 5 bytes JMP 0000000000020678
.text C:\Program Files\Mozilla Firefox\firefox.exe[3544] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077bcbfb0 5 bytes JMP 00000000000200a0
.text C:\Program Files\Mozilla Firefox\firefox.exe[3544] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077bcc0d0 5 bytes JMP 0000000000020018
.text C:\Program Files\Mozilla Firefox\firefox.exe[3544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077bcc130 5 bytes JMP 00000000000203d0
.text C:\Program Files\Mozilla Firefox\firefox.exe[3544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077bcc1b0 5 bytes JMP 00000000000201b0
.text C:\Program Files\Mozilla Firefox\firefox.exe[3544] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077bcc250 5 bytes JMP 0000000000020128
.text C:\Program Files\Mozilla Firefox\firefox.exe[3544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077bcc700 5 bytes JMP 0000000000020238
.text C:\Program Files\Mozilla Firefox\firefox.exe[3544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077bcc790 5 bytes JMP 00000000000202c0
.text C:\Program Files\Mozilla Firefox\firefox.exe[3544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077bcc800 5 bytes JMP 0000000000020348
.text C:\Program Files\Mozilla Firefox\firefox.exe[3544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077bcccc0 5 bytes JMP 0000000000020458
.text C:\Program Files\Mozilla Firefox\firefox.exe[3544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077bccd10 5 bytes JMP 00000000000204e0
.text C:\Program Files\Mozilla Firefox\firefox.exe[3544] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077c226a0 5 bytes JMP 0000000000020568
.text C:\Program Files\Mozilla Firefox\firefox.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000077ba4170 5 bytes JMP 00000000000205f0
.text C:\Program Files\Mozilla Firefox\firefox.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077ba6130 13 bytes {MOV R11, 0x7fedf019170; JMP R11}
.text C:\Program Files\Mozilla Firefox\firefox.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077bcbe00 7 bytes [48, B8, 34, 93, 36, 3F, 01]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 0000000077bcbe08 6 bytes {ADD [RAX], AL; JMP RAX}
.text C:\Program Files\Mozilla Firefox\firefox.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077bcbec0 5 bytes JMP 0000000000020678
.text C:\Program Files\Mozilla Firefox\firefox.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 0000000077bcbf70 7 bytes [48, B8, 8C, 92, 36, 3F, 01]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 0000000077bcbf78 6 bytes {ADD [RAX], AL; JMP RAX}
.text C:\Program Files\Mozilla Firefox\firefox.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077bcbf90 7 bytes [48, B8, 08, 92, 36, 3F, 01]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077bcbf98 7 bytes {ADD [RAX], AL; JMP RAX}
.text C:\Program Files\Mozilla Firefox\firefox.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077bcbfa0 7 bytes [48, B8, 08, 93, 36, 3F, 01]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 0000000077bcbfa8 6 bytes {ADD [RAX], AL; JMP RAX}
.text C:\Program Files\Mozilla Firefox\firefox.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077bcbfb0 5 bytes JMP 00000000000200a0
.text C:\Program Files\Mozilla Firefox\firefox.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 0000000077bcc020 7 bytes [48, B8, B0, 92, 36, 3F, 01]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 0000000077bcc028 7 bytes {ADD [RAX], AL; JMP RAX}
.text C:\Program Files\Mozilla Firefox\firefox.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 0000000077bcc030 7 bytes [48, B8, 44, 92, 36, 3F, 01]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 0000000077bcc038 6 bytes {ADD [RAX], AL; JMP RAX}
.text C:\Program Files\Mozilla Firefox\firefox.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077bcc060 7 bytes [48, B8, 98, 91, 36, 3F, 01]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 0000000077bcc068 6 bytes {ADD [RAX], AL; JMP RAX}
.text C:\Program Files\Mozilla Firefox\firefox.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077bcc0d0 5 bytes JMP 0000000000020018
.text C:\Program Files\Mozilla Firefox\firefox.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 0000000077bcc100 7 bytes [48, B8, E0, 92, 36, 3F, 01]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 0000000077bcc108 6 bytes {ADD [RAX], AL; JMP RAX}
.text C:\Program Files\Mozilla Firefox\firefox.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077bcc130 5 bytes JMP 00000000000203d0
.text C:\Program Files\Mozilla Firefox\firefox.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077bcc1b0 5 bytes JMP 00000000000201b0
.text C:\Program Files\Mozilla Firefox\firefox.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077bcc250 5 bytes JMP 0000000000020128
.text C:\Program Files\Mozilla Firefox\firefox.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077bcc280 7 bytes [48, B8, 5C, 90, 36, 3F, 01]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077bcc288 6 bytes {ADD [RAX], AL; JMP RAX}
.text C:\Program Files\Mozilla Firefox\firefox.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077bcc700 5 bytes JMP 0000000000020238
.text C:\Program Files\Mozilla Firefox\firefox.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077bcc790 5 bytes JMP 00000000000202c0
.text C:\Program Files\Mozilla Firefox\firefox.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077bcc800 5 bytes JMP 0000000000020348
.text C:\Program Files\Mozilla Firefox\firefox.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077bcccc0 5 bytes JMP 0000000000020458
.text C:\Program Files\Mozilla Firefox\firefox.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 0000000077bcccf0 7 bytes [48, B8, 2C, 92, 36, 3F, 01]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 0000000077bcccf8 6 bytes {ADD [RAX], AL; JMP RAX}
.text C:\Program Files\Mozilla Firefox\firefox.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077bccd10 5 bytes JMP 00000000000204e0
.text C:\Program Files\Mozilla Firefox\firefox.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077bccd40 7 bytes [48, B8, 68, 92, 36, 3F, 01]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 0000000077bccd48 6 bytes {ADD [RAX], AL; JMP RAX}
.text C:\Program Files\Mozilla Firefox\firefox.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 0000000077bcce90 7 bytes [48, B8, F4, 92, 36, 3F, 01]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 0000000077bcce98 6 bytes {ADD [RAX], AL; JMP RAX}
.text C:\Program Files\Mozilla Firefox\firefox.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077c226a0 5 bytes JMP 0000000000020568
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5028] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 0000000077d7fae8 5 bytes JMP 00000000753a2d80
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5028] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077d7fc60 5 bytes JMP 00000000753a2910
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5028] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077d7fe24 5 bytes JMP 00000000753a27a0
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5028] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077d7feb8 5 bytes JMP 00000000753a2ed0
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5028] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077d7ff84 5 bytes JMP 00000000753a2e90
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5028] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077d80078 5 bytes JMP 00000000753a2ad0
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5028] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077d807ac 5 bytes JMP 00000000753a2f10
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5028] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077d80884 5 bytes JMP 00000000753a2f90
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5028] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077d8092c 5 bytes JMP 00000000753a2c00
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5028] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077d81088 5 bytes JMP 00000000753a2f50
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5028] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077d81100 5 bytes JMP 00000000753a2fd0
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5028] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 0000000077d9911f 5 bytes JMP 00000000753a3620
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5028] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 0000000077e1ffe9 5 bytes JMP 00000000753a2c90
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5028] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077d31401 2 bytes JMP 76cfb233 C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5028] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077d31419 2 bytes JMP 76cfb35e C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5028] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077d31431 2 bytes JMP 76d79149 C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5028] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000077d3144a 2 bytes CALL 76cd4885 C:\Windows\syswow64\KERNEL32.dll
.text ...
* 9 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5028] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000077d314dd 2 bytes JMP 76d78a42 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5028] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000077d314f5 2 bytes JMP 76d78c18 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5028] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000077d3150d 2 bytes JMP 76d78938 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5028] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077d31525 2 bytes JMP 76d78d02 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5028] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000077d3153d 2 bytes JMP 76cefcc0 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5028] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077d31555 2 bytes JMP 76cf6907 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5028] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000077d3156d 2 bytes JMP 76d79201 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5028] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077d31585 2 bytes JMP 76d78d62 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5028] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000077d3159d 2 bytes JMP 76d788fc C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files\Intel\Intel(R) Rapid Storage 
Technology\IAStorDataMgrSvc.exe[5028] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000077d315b5 2 bytes JMP 76cefd59 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5028] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000077d315cd 2 bytes JMP 76cfb2f4 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5028] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000077d316b2 2 bytes JMP 76d790c4 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5028] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000077d316bd 2 bytes JMP 76d78891 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3852] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 0000000077d7fae8 5 bytes JMP 00000000753a2d80 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3852] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077d7fc60 5 bytes JMP 00000000753a2910 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3852] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077d7fe24 5 bytes JMP 00000000753a27a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3852] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077d7feb8 5 bytes JMP 00000000753a2ed0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3852] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077d7ff84 5 bytes JMP 00000000753a2e90 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3852] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077d80078 5 bytes JMP 00000000753a2ad0 .text C:\Program 
Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3852] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077d807ac 5 bytes JMP 00000000753a2f10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3852] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077d80884 5 bytes JMP 00000000753a2f90 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3852] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077d8092c 5 bytes JMP 00000000753a2c00 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3852] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077d81088 5 bytes JMP 00000000753a2f50 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3852] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077d81100 5 bytes JMP 00000000753a2fd0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3852] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 0000000077d9911f 5 bytes JMP 00000000753a3620 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3852] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 0000000077e1ffe9 5 bytes JMP 00000000753a2c90 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3852] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077d31401 2 bytes JMP 76cfb233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3852] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077d31419 2 bytes JMP 76cfb35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3852] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077d31431 2 bytes JMP 76d79149 
C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3852] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000077d3144a 2 bytes CALL 76cd4885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3852] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000077d314dd 2 bytes JMP 76d78a42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3852] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000077d314f5 2 bytes JMP 76d78c18 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3852] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000077d3150d 2 bytes JMP 76d78938 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3852] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077d31525 2 bytes JMP 76d78d02 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3852] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000077d3153d 2 bytes JMP 76cefcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3852] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077d31555 2 bytes JMP 76cf6907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3852] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000077d3156d 2 bytes JMP 76d79201 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3852] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 
17 0000000077d31585 2 bytes JMP 76d78d62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3852] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000077d3159d 2 bytes JMP 76d788fc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3852] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000077d315b5 2 bytes JMP 76cefd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3852] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000077d315cd 2 bytes JMP 76cfb2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3852] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000077d316b2 2 bytes JMP 76d790c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3852] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000077d316bd 2 bytes JMP 76d78891 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3864] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 0000000077d7fae8 5 bytes JMP 00000000753a2d80 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3864] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077d7fc60 5 bytes JMP 00000000753a2910 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3864] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077d7fe24 5 bytes JMP 00000000753a27a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3864] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077d7feb8 5 bytes JMP 00000000753a2ed0 .text C:\Program Files (x86)\Intel\Intel(R) 
Management Engine Components\LMS\LMS.exe[3864] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077d7ff84 5 bytes JMP 00000000753a2e90 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3864] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077d80078 5 bytes JMP 00000000753a2ad0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3864] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077d807ac 5 bytes JMP 00000000753a2f10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3864] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077d80884 5 bytes JMP 00000000753a2f90 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3864] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077d8092c 5 bytes JMP 00000000753a2c00 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3864] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077d81088 5 bytes JMP 00000000753a2f50 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3864] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077d81100 5 bytes JMP 00000000753a2fd0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3864] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 0000000077d9911f 5 bytes JMP 00000000753a3620 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3864] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 0000000077e1ffe9 5 bytes JMP 00000000753a2c90 .text C:\Windows\System32\svchost.exe[4356] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000077ba4170 5 bytes JMP 00000000000205f0 .text C:\Windows\System32\svchost.exe[4356] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077bcbec0 5 bytes JMP 0000000000020678 .text C:\Windows\System32\svchost.exe[4356] 
C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077bcbfb0 5 bytes JMP 00000000000200a0 .text C:\Windows\System32\svchost.exe[4356] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077bcc0d0 5 bytes JMP 0000000000020018 .text C:\Windows\System32\svchost.exe[4356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077bcc130 5 bytes JMP 00000000000203d0 .text C:\Windows\System32\svchost.exe[4356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077bcc1b0 5 bytes JMP 00000000000201b0 .text C:\Windows\System32\svchost.exe[4356] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077bcc250 5 bytes JMP 0000000000020128 .text C:\Windows\System32\svchost.exe[4356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077bcc700 5 bytes JMP 0000000000020238 .text C:\Windows\System32\svchost.exe[4356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077bcc790 5 bytes JMP 00000000000202c0 .text C:\Windows\System32\svchost.exe[4356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077bcc800 5 bytes JMP 0000000000020348 .text C:\Windows\System32\svchost.exe[4356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077bcccc0 5 bytes JMP 0000000000020458 .text C:\Windows\System32\svchost.exe[4356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077bccd10 5 bytes JMP 00000000000204e0 .text C:\Windows\System32\svchost.exe[4356] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077c226a0 5 bytes JMP 0000000000020568 .text C:\Windows\system32\wbem\wmiprvse.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000077ba4170 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\wbem\wmiprvse.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077bcbec0 5 bytes JMP 0000000000020678 .text C:\Windows\system32\wbem\wmiprvse.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077bcbfb0 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\wbem\wmiprvse.exe[4996] 
C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077bcc0d0 5 bytes JMP 0000000000020018 .text C:\Windows\system32\wbem\wmiprvse.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077bcc130 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\wbem\wmiprvse.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077bcc1b0 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\wbem\wmiprvse.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077bcc250 5 bytes JMP 0000000000020128 .text C:\Windows\system32\wbem\wmiprvse.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077bcc700 5 bytes JMP 0000000000020238 .text C:\Windows\system32\wbem\wmiprvse.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077bcc790 5 bytes JMP 00000000000202c0 .text C:\Windows\system32\wbem\wmiprvse.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077bcc800 5 bytes JMP 0000000000020348 .text C:\Windows\system32\wbem\wmiprvse.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077bcccc0 5 bytes JMP 0000000000020458 .text C:\Windows\system32\wbem\wmiprvse.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077bccd10 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\wbem\wmiprvse.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077c226a0 5 bytes JMP 0000000000020568 .text C:\Users\GOKUiSOUNF\Desktop\rmq2tm48.exe[3860] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 0000000077d7fae8 5 bytes JMP 00000000753a2d80 .text C:\Users\GOKUiSOUNF\Desktop\rmq2tm48.exe[3860] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077d7fc60 5 bytes JMP 00000000753a2910 .text C:\Users\GOKUiSOUNF\Desktop\rmq2tm48.exe[3860] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077d7fe24 5 bytes JMP 00000000753a27a0 .text C:\Users\GOKUiSOUNF\Desktop\rmq2tm48.exe[3860] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077d7feb8 5 bytes JMP 00000000753a2ed0 .text 
C:\Users\GOKUiSOUNF\Desktop\rmq2tm48.exe[3860] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077d7ff84 5 bytes JMP 00000000753a2e90 .text C:\Users\GOKUiSOUNF\Desktop\rmq2tm48.exe[3860] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077d80078 5 bytes JMP 00000000753a2ad0 .text C:\Users\GOKUiSOUNF\Desktop\rmq2tm48.exe[3860] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077d807ac 5 bytes JMP 00000000753a2f10 .text C:\Users\GOKUiSOUNF\Desktop\rmq2tm48.exe[3860] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077d80884 5 bytes JMP 00000000753a2f90 .text C:\Users\GOKUiSOUNF\Desktop\rmq2tm48.exe[3860] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077d8092c 5 bytes JMP 00000000753a2c00 .text C:\Users\GOKUiSOUNF\Desktop\rmq2tm48.exe[3860] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077d81088 5 bytes JMP 00000000753a2f50 .text C:\Users\GOKUiSOUNF\Desktop\rmq2tm48.exe[3860] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077d81100 5 bytes JMP 00000000753a2fd0 .text C:\Users\GOKUiSOUNF\Desktop\rmq2tm48.exe[3860] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 0000000077d9911f 5 bytes JMP 00000000753a3620 .text C:\Users\GOKUiSOUNF\Desktop\rmq2tm48.exe[3860] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 0000000077e1ffe9 5 bytes JMP 00000000753a2c90 ---- User IAT/EAT - GMER 2.2 ---- IAT c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2908] @ c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamDWord] [7fefa86741c] c:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2908] @ c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSet] [7fefa865f10] c:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2908] @ c:\Program Files\Common 
Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmEndSession] [7fefa865674] c:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2908] @ c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartSession] [7fefa865e2c] c:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2908] @ c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartUpload] [7fefa867f48] c:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2908] @ c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppVersion] [7fefa866a38] c:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2908] @ c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetMachineId] [7fefa866ee8] c:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2908] @ c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmWriteSharedMachineId] [7fefa867b58] c:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2908] @ c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmCreateNewId] [7fefa867ea0] c:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2908] @ c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmReadSharedMachineId] [7fefa8678b0] c:\Program 
Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2908] @ c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmGetSession] [7fefa864fb4] c:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2908] @ c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppId] [7fefa865d38] c:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2908] @ c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamString] [7fefa867584] c:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll ---- EOF - GMER 2.2 ----