GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2017-06-09 21:41:42
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\0000006b WDC_____ rev.01.0 931,51GB
Running: rmq2tm48.exe; Driver: C:\Users\GOKUIS~1\AppData\Local\Temp\awtcipow.sys

---- User code sections - GMER 2.2 ----

.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2536]  C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable  0000000076ec4170 5 bytes JMP 00000000000205f0
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2536]  C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess  0000000076eebec0 5 bytes JMP 0000000000020678
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2536]  C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection  0000000076eebfb0 5 bytes JMP 00000000000200a0
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2536]  C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory  0000000076eec0d0 5 bytes JMP 0000000000020018
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2536]  C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent  0000000076eec130 5 bytes JMP 00000000000203d0
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2536]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent  0000000076eec1b0 5 bytes JMP 00000000000201b0
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2536]  C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread  0000000076eec250 5 bytes JMP 0000000000020128
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2536]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant  0000000076eec700 5 bytes JMP 0000000000020238
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2536]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore  0000000076eec790 5 bytes JMP 00000000000202c0
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2536]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess  0000000076eec800 5 bytes JMP 0000000000020348
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2536]  C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant  0000000076eeccc0 5 bytes JMP 0000000000020458
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2536]  C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore  0000000076eecd10 5 bytes JMP 00000000000204e0
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2536]  C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer  0000000076f426a0 5 bytes JMP 0000000000020568
.text  C:\Program Files\Windows Sidebar\sidebar.exe[2560]  C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable  0000000076ec4170 5 bytes JMP 00000000000205f0
.text  C:\Program Files\Windows Sidebar\sidebar.exe[2560]  C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess  0000000076eebec0 5 bytes JMP 0000000000020678
.text  C:\Program Files\Windows Sidebar\sidebar.exe[2560]  C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection  0000000076eebfb0 5 bytes JMP 00000000000200a0
.text  C:\Program Files\Windows Sidebar\sidebar.exe[2560]  C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory  0000000076eec0d0 5 bytes JMP 0000000000020018
.text  C:\Program Files\Windows Sidebar\sidebar.exe[2560]  C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent  0000000076eec130 5 bytes JMP 00000000000203d0
.text  C:\Program Files\Windows Sidebar\sidebar.exe[2560]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent  0000000076eec1b0 5 bytes JMP 00000000000201b0
.text  C:\Program Files\Windows Sidebar\sidebar.exe[2560]  C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread  0000000076eec250 5 bytes JMP 0000000000020128
.text  C:\Program Files\Windows Sidebar\sidebar.exe[2560]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant  0000000076eec700 5 bytes JMP 0000000000020238
.text  C:\Program Files\Windows Sidebar\sidebar.exe[2560]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore  0000000076eec790 5 bytes JMP 00000000000202c0
.text  C:\Program Files\Windows Sidebar\sidebar.exe[2560]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess  0000000076eec800 5 bytes JMP 0000000000020348
.text  C:\Program Files\Windows Sidebar\sidebar.exe[2560]  C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant  0000000076eeccc0 5 bytes JMP 0000000000020458
.text  C:\Program Files\Windows Sidebar\sidebar.exe[2560]  C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore  0000000076eecd10 5 bytes JMP 00000000000204e0
.text  C:\Program Files\Windows Sidebar\sidebar.exe[2560]  C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer  0000000076f426a0 5 bytes JMP 0000000000020568
.text  C:\Program Files (x86)\AVG\Av\avgnsa.exe[2680]  C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable  0000000076ec4170 5 bytes JMP 00000000000205f0
.text  C:\Program Files (x86)\AVG\Av\avgnsa.exe[2680]  C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess  0000000076eebec0 5 bytes JMP 0000000000020678
.text  C:\Program Files (x86)\AVG\Av\avgnsa.exe[2680]  C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection  0000000076eebfb0 5 bytes JMP 00000000000200a0
.text  C:\Program Files (x86)\AVG\Av\avgnsa.exe[2680]  C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory  0000000076eec0d0 5 bytes JMP 0000000000020018
.text  C:\Program Files (x86)\AVG\Av\avgnsa.exe[2680]  C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent  0000000076eec130 5 bytes JMP 00000000000203d0
.text  C:\Program Files (x86)\AVG\Av\avgnsa.exe[2680]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent  0000000076eec1b0 5 bytes JMP 00000000000201b0
.text  C:\Program Files (x86)\AVG\Av\avgnsa.exe[2680]  C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread  0000000076eec250 5 bytes JMP 0000000000020128
.text  C:\Program Files (x86)\AVG\Av\avgnsa.exe[2680]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant  0000000076eec700 5 bytes JMP 0000000000020238
.text  C:\Program Files (x86)\AVG\Av\avgnsa.exe[2680]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore  0000000076eec790 5 bytes JMP 00000000000202c0
.text  C:\Program Files (x86)\AVG\Av\avgnsa.exe[2680]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess  0000000076eec800 5 bytes JMP 0000000000020348
.text  C:\Program Files (x86)\AVG\Av\avgnsa.exe[2680]  C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant  0000000076eeccc0 5 bytes JMP 0000000000020458
.text  C:\Program Files (x86)\AVG\Av\avgnsa.exe[2680]  C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore  0000000076eecd10 5 bytes JMP 00000000000204e0
.text  C:\Program Files (x86)\AVG\Av\avgnsa.exe[2680]  C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer  0000000076f426a0 5 bytes JMP 0000000000020568
.text  C:\Windows\system32\svchost.exe[2712]  C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable  0000000076ec4170 5 bytes JMP 00000000000205f0
.text  C:\Windows\system32\svchost.exe[2712]  C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess  0000000076eebec0 5 bytes JMP 0000000000020678
.text  C:\Windows\system32\svchost.exe[2712]  C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection  0000000076eebfb0 5 bytes JMP 00000000000200a0
.text  C:\Windows\system32\svchost.exe[2712]  C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory  0000000076eec0d0 5 bytes JMP 0000000000020018
.text  C:\Windows\system32\svchost.exe[2712]  C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent  0000000076eec130 5 bytes JMP 00000000000203d0
.text  C:\Windows\system32\svchost.exe[2712]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent  0000000076eec1b0 5 bytes JMP 00000000000201b0
.text  C:\Windows\system32\svchost.exe[2712]  C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread  0000000076eec250 5 bytes JMP 0000000000020128
.text  C:\Windows\system32\svchost.exe[2712]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant  0000000076eec700 5 bytes JMP 0000000000020238
.text  C:\Windows\system32\svchost.exe[2712]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore  0000000076eec790 5 bytes JMP 00000000000202c0
.text  C:\Windows\system32\svchost.exe[2712]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess  0000000076eec800 5 bytes JMP 0000000000020348
.text  C:\Windows\system32\svchost.exe[2712]  C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant  0000000076eeccc0 5 bytes JMP 0000000000020458
.text  C:\Windows\system32\svchost.exe[2712]  C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore  0000000076eecd10 5 bytes JMP 00000000000204e0
.text  C:\Windows\system32\svchost.exe[2712]  C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer  0000000076f426a0 5 bytes JMP 0000000000020568
.text  C:\Program Files (x86)\AVG\Av\avgemca.exe[2736]  C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable  0000000076ec4170 5 bytes JMP 00000000000205f0
.text  C:\Program Files (x86)\AVG\Av\avgemca.exe[2736]  C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess  0000000076eebec0 5 bytes JMP 0000000000020678
.text  C:\Program Files (x86)\AVG\Av\avgemca.exe[2736]  C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection  0000000076eebfb0 5 bytes JMP 00000000000200a0
.text  C:\Program Files (x86)\AVG\Av\avgemca.exe[2736]  C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory  0000000076eec0d0 5 bytes JMP 0000000000020018
.text  C:\Program Files (x86)\AVG\Av\avgemca.exe[2736]  C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent  0000000076eec130 5 bytes JMP 00000000000203d0
.text  C:\Program Files (x86)\AVG\Av\avgemca.exe[2736]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent  0000000076eec1b0 5 bytes JMP 00000000000201b0
.text  C:\Program Files (x86)\AVG\Av\avgemca.exe[2736]  C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread  0000000076eec250 5 bytes JMP 0000000000020128
.text  C:\Program Files (x86)\AVG\Av\avgemca.exe[2736]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant  0000000076eec700 5 bytes JMP 0000000000020238
.text  C:\Program Files (x86)\AVG\Av\avgemca.exe[2736]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore  0000000076eec790 5 bytes JMP 00000000000202c0
.text  C:\Program Files (x86)\AVG\Av\avgemca.exe[2736]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess  0000000076eec800 5 bytes JMP 0000000000020348
.text  C:\Program Files (x86)\AVG\Av\avgemca.exe[2736]  C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant  0000000076eeccc0 5 bytes JMP 0000000000020458
.text  C:\Program Files (x86)\AVG\Av\avgemca.exe[2736]  C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore  0000000076eecd10 5 bytes JMP 00000000000204e0
.text  C:\Program Files (x86)\AVG\Av\avgemca.exe[2736]  C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer  0000000076f426a0 5 bytes JMP 0000000000020568
.text  c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2808]  C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable  0000000076ec4170 5 bytes JMP 00000000000205f0
.text  c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2808]  C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess  0000000076eebec0 5 bytes JMP 0000000000020678
.text  c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2808]  C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection  0000000076eebfb0 5 bytes JMP 00000000000200a0
.text  c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2808]  C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory  0000000076eec0d0 5 bytes JMP 0000000000020018
.text  c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2808]  C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent  0000000076eec130 5 bytes JMP 00000000000203d0
.text  c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2808]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent  0000000076eec1b0 5 bytes JMP 00000000000201b0
.text  c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2808]  C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread  0000000076eec250 5 bytes JMP 0000000000020128
.text  c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2808]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant  0000000076eec700 5 bytes JMP 0000000000020238
.text  c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2808]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore  0000000076eec790 5 bytes JMP 00000000000202c0
.text  c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2808]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess  0000000076eec800 5 bytes JMP 0000000000020348
.text  c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2808]  C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant  0000000076eeccc0 5 bytes JMP 0000000000020458
.text  c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2808]  C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore  0000000076eecd10 5 bytes JMP 00000000000204e0
.text  c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2808]  C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer  0000000076f426a0 5 bytes JMP 0000000000020568
.text  C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2876]  C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess  000000007709fae8 5 bytes JMP 0000000072db2d80
.text  C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2876]  C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection  000000007709fc60 5 bytes JMP 0000000072db2910
.text  C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2876]  C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory  000000007709fe24 5 bytes JMP 0000000072db27a0
.text  C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2876]  C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent  000000007709feb8 5 bytes JMP 0000000072db2ed0
.text  C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2876]  C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent  000000007709ff84 5 bytes JMP 0000000072db2e90
.text  C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2876]  C:\Windows\SysWOW64\ntdll.dll!NtResumeThread  00000000770a0078 5 bytes JMP 0000000072db2ad0
.text  C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2876]  C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant  00000000770a07ac 5 bytes JMP 0000000072db2f10
.text  C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2876]  C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore  00000000770a0884 5 bytes JMP 0000000072db2f90
.text  C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2876]  C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess  00000000770a092c 5 bytes JMP 0000000072db2c00
.text  C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2876]  C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant  00000000770a1088 5 bytes JMP 0000000072db2f50
.text  C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2876]  C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore  00000000770a1100 5 bytes JMP 0000000072db2fd0
.text  C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2876]  C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable  00000000770b911f 5 bytes JMP 0000000072db3620
.text  C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2876]  C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer  000000007713ffe9 5 bytes JMP 0000000072db2c90
.text  C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[1088]  C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess  000000007709fae8 5 bytes JMP 0000000072db2d80
.text  C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[1088]  C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection  000000007709fc60 5 bytes JMP 0000000072db2910
.text  C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[1088]  C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory  000000007709fe24 5 bytes JMP 0000000072db27a0
.text  C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[1088]  C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent  000000007709feb8 5 bytes JMP 0000000072db2ed0
.text  C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[1088]  C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent  000000007709ff84 5 bytes JMP 0000000072db2e90
.text  C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[1088]  C:\Windows\SysWOW64\ntdll.dll!NtResumeThread  00000000770a0078 5 bytes JMP 0000000072db2ad0
.text  C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[1088]  C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant  00000000770a07ac 5 bytes JMP 0000000072db2f10
.text  C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[1088]  C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore  00000000770a0884 5 bytes JMP 0000000072db2f90
.text  C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[1088]  C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess  00000000770a092c 5 bytes JMP 0000000072db2c00
.text  C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[1088]  C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant  00000000770a1088 5 bytes JMP 0000000072db2f50
.text  C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[1088]  C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore  00000000770a1100 5 bytes JMP 0000000072db2fd0
.text  C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[1088]  C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable  00000000770b911f 5 bytes JMP 0000000072db3620
.text  C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[1088]  C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer  000000007713ffe9 5 bytes JMP 0000000072db2c90
.text  C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[1088]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000076391401 2 bytes JMP 74d1b233 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[1088]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000076391419 2 bytes JMP 74d1b35e C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[1088]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000076391431 2 bytes JMP 74d99149 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[1088]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  000000007639144a 2 bytes CALL 74cf4885 C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[1088]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000763914dd 2 bytes JMP 74d98a42 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[1088]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000763914f5 2 bytes JMP 74d98c18 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[1088]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  000000007639150d 2 bytes JMP 74d98938 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[1088]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000076391525 2 bytes JMP 74d98d02 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[1088]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  000000007639153d 2 bytes JMP 74d0fcc0 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[1088]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000076391555 2 bytes JMP 74d16907 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[1088]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  000000007639156d 2 bytes JMP 74d99201 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[1088]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000076391585 2 bytes JMP 74d98d62 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[1088]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  000000007639159d 2 bytes JMP 74d988fc C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[1088]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000763915b5 2 bytes JMP 74d0fd59 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[1088]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000763915cd 2 bytes JMP 74d1b2f4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[1088]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000763916b2 2 bytes JMP 74d990c4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[1088]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000763916bd 2 bytes JMP 74d98891 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\AVG\Av\avgui.exe[3088]  C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable  0000000076ec4170 5 bytes JMP 00000000000205f0
.text  C:\Program Files (x86)\AVG\Av\avgui.exe[3088]  C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess  0000000076eebec0 5 bytes JMP 0000000000020678
.text  C:\Program Files (x86)\AVG\Av\avgui.exe[3088]  C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection  0000000076eebfb0 5 bytes JMP 00000000000200a0
.text  C:\Program Files (x86)\AVG\Av\avgui.exe[3088]  C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory  0000000076eec0d0 5 bytes JMP 0000000000020018
.text  C:\Program Files (x86)\AVG\Av\avgui.exe[3088]  C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent  0000000076eec130 5 bytes JMP 00000000000203d0
.text  C:\Program Files (x86)\AVG\Av\avgui.exe[3088]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent  0000000076eec1b0 5 bytes JMP 00000000000201b0
.text  C:\Program Files (x86)\AVG\Av\avgui.exe[3088]  C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread  0000000076eec250 5 bytes JMP 0000000000020128
.text  C:\Program Files (x86)\AVG\Av\avgui.exe[3088]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant  0000000076eec700 5 bytes JMP 0000000000020238
.text  C:\Program Files (x86)\AVG\Av\avgui.exe[3088]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore  0000000076eec790 5 bytes JMP 00000000000202c0
.text  C:\Program Files (x86)\AVG\Av\avgui.exe[3088]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess  0000000076eec800 5 bytes JMP 0000000000020348
.text  C:\Program Files (x86)\AVG\Av\avgui.exe[3088]  C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant  0000000076eeccc0 5 bytes JMP 0000000000020458
.text  C:\Program Files (x86)\AVG\Av\avgui.exe[3088]  C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore  0000000076eecd10 5 bytes JMP 00000000000204e0
.text  C:\Program Files (x86)\AVG\Av\avgui.exe[3088]  C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer  0000000076f426a0 5 bytes JMP 0000000000020568
.text  C:\Program Files (x86)\AVG\Av\avgrsa.exe[3160]  C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable  0000000076ec4170 5 bytes JMP 00000000000205f0
.text  C:\Program Files (x86)\AVG\Av\avgrsa.exe[3160]  C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess  0000000076eebec0 5 bytes JMP 0000000000020678
.text  C:\Program Files (x86)\AVG\Av\avgrsa.exe[3160]  C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection  0000000076eebfb0 5 bytes JMP 00000000000200a0
.text  C:\Program Files (x86)\AVG\Av\avgrsa.exe[3160]  C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory  0000000076eec0d0 5 bytes JMP 0000000000020018
.text  C:\Program Files (x86)\AVG\Av\avgrsa.exe[3160]  C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent  0000000076eec130 5 bytes JMP 00000000000203d0
.text  C:\Program Files (x86)\AVG\Av\avgrsa.exe[3160]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent  0000000076eec1b0 5 bytes JMP 00000000000201b0
.text  C:\Program Files (x86)\AVG\Av\avgrsa.exe[3160]  C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread  0000000076eec250 5 bytes JMP 0000000000020128
.text  C:\Program Files (x86)\AVG\Av\avgrsa.exe[3160]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant  0000000076eec700 5 bytes JMP 0000000000020238
.text  C:\Program Files (x86)\AVG\Av\avgrsa.exe[3160]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore  0000000076eec790 5 bytes JMP 00000000000202c0
.text  C:\Program Files (x86)\AVG\Av\avgrsa.exe[3160]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess  0000000076eec800 5 bytes JMP 0000000000020348
.text  C:\Program Files (x86)\AVG\Av\avgrsa.exe[3160]  C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant  0000000076eeccc0 5 bytes JMP 0000000000020458
.text  C:\Program Files (x86)\AVG\Av\avgrsa.exe[3160]  C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore  0000000076eecd10 5 bytes JMP 00000000000204e0
.text  C:\Program Files (x86)\AVG\Av\avgrsa.exe[3160]  C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer  0000000076f426a0 5 bytes JMP 0000000000020568
.text  c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3180]  C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable  0000000076ec4170 5 bytes JMP 00000000000205f0
.text  c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3180]  C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess  0000000076eebec0 5 bytes JMP 0000000000020678
.text  c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3180]  C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection  0000000076eebfb0 5 bytes JMP 00000000000200a0
.text  c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3180]  C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory  0000000076eec0d0 5 bytes JMP 0000000000020018
.text  c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3180]  C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent  0000000076eec130 5 bytes JMP 00000000000203d0
.text  c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3180]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent  0000000076eec1b0 5 bytes JMP 00000000000201b0
.text  c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3180]  C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread  0000000076eec250 5 bytes JMP 0000000000020128
.text  c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3180]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant  0000000076eec700 5 bytes JMP 0000000000020238
.text  c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3180]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore  0000000076eec790 5 bytes JMP 00000000000202c0
.text  c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3180]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess  0000000076eec800 5 bytes JMP 0000000000020348
.text  c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3180]  C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant  0000000076eeccc0 5 bytes JMP 0000000000020458
.text  c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3180]  C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore  0000000076eecd10 5 bytes JMP 00000000000204e0
.text  c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3180]  C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer  0000000076f426a0 5 bytes JMP 0000000000020568
.text  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3224]  C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable  0000000076ec4170 5 bytes JMP 00000000000205f0
.text  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3224]  C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess  0000000076eebec0 5 bytes JMP 0000000000020678
.text  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3224]  C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection  0000000076eebfb0 5 bytes JMP 00000000000200a0
.text  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3224]  C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory  0000000076eec0d0 5 bytes JMP 0000000000020018
.text  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3224]  C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent  0000000076eec130 5 bytes JMP 00000000000203d0
.text  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3224]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent  0000000076eec1b0 5 bytes JMP 00000000000201b0
.text  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3224]  C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread  0000000076eec250 5 bytes JMP 0000000000020128
.text  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3224]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant  0000000076eec700 5 bytes JMP 0000000000020238
.text  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3224]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore  0000000076eec790 5 bytes JMP 00000000000202c0
.text  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3224]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess  0000000076eec800 5 bytes JMP 0000000000020348
.text  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3224]  C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant  0000000076eeccc0 5 bytes JMP 0000000000020458
.text  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3224]  C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore  0000000076eecd10 5 bytes JMP 00000000000204e0
.text  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3224]  C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer  0000000076f426a0 5 bytes JMP 0000000000020568
.text  C:\Windows\system32\SearchIndexer.exe[3520]  C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable  0000000076ec4170 5 bytes JMP 00000000000205f0
.text  C:\Windows\system32\SearchIndexer.exe[3520]  C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess  0000000076eebec0 5 bytes JMP 0000000000020678
.text  C:\Windows\system32\SearchIndexer.exe[3520]  C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection  0000000076eebfb0 5 bytes JMP 00000000000200a0
.text  C:\Windows\system32\SearchIndexer.exe[3520]  C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory  0000000076eec0d0 5 bytes JMP 0000000000020018
.text  C:\Windows\system32\SearchIndexer.exe[3520]  C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent  0000000076eec130 5 bytes JMP 00000000000203d0
.text  C:\Windows\system32\SearchIndexer.exe[3520]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent  0000000076eec1b0 5 bytes JMP 00000000000201b0
.text  C:\Windows\system32\SearchIndexer.exe[3520]  C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread  0000000076eec250 5 bytes JMP 0000000000020128
.text  C:\Windows\system32\SearchIndexer.exe[3520]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant  0000000076eec700 5 bytes JMP 0000000000020238
.text  C:\Windows\system32\SearchIndexer.exe[3520]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore  0000000076eec790 5 bytes JMP 00000000000202c0
.text  C:\Windows\system32\SearchIndexer.exe[3520]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess  0000000076eec800 5 bytes JMP 0000000000020348
.text  C:\Windows\system32\SearchIndexer.exe[3520]  C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant  0000000076eeccc0 5 bytes JMP 0000000000020458
.text  C:\Windows\system32\SearchIndexer.exe[3520]  C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore  0000000076eecd10 5 bytes JMP 00000000000204e0
.text  C:\Windows\system32\SearchIndexer.exe[3520]  C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer  0000000076f426a0 5 bytes JMP 0000000000020568
.text  C:\Windows\system32\igfxEM.exe[3960]  C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable  0000000076ec4170 5 bytes JMP 00000000000205f0
.text  C:\Windows\system32\igfxEM.exe[3960]  C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess  0000000076eebec0 5 bytes JMP 0000000000020678
.text  C:\Windows\system32\igfxEM.exe[3960]  C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection  0000000076eebfb0 5 bytes JMP 00000000000200a0
.text  C:\Windows\system32\igfxEM.exe[3960]  C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory  0000000076eec0d0 5 bytes JMP 0000000000020018
.text  C:\Windows\system32\igfxEM.exe[3960]  C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent  0000000076eec130 5 bytes JMP 00000000000203d0
.text  C:\Windows\system32\igfxEM.exe[3960]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent  0000000076eec1b0 5 bytes JMP 00000000000201b0
.text  C:\Windows\system32\igfxEM.exe[3960]  C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread  0000000076eec250 5 bytes JMP 0000000000020128
.text  C:\Windows\system32\igfxEM.exe[3960]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant  0000000076eec700 5 bytes JMP 0000000000020238
.text  C:\Windows\system32\igfxEM.exe[3960]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore  0000000076eec790 5 bytes JMP 00000000000202c0
.text  C:\Windows\system32\igfxEM.exe[3960]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess  0000000076eec800 5 bytes JMP 0000000000020348
.text  C:\Windows\system32\igfxEM.exe[3960]  C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant  0000000076eeccc0 5 bytes JMP 0000000000020458
.text  C:\Windows\system32\igfxEM.exe[3960]  C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore  0000000076eecd10 5 bytes JMP 00000000000204e0
.text  C:\Windows\system32\igfxEM.exe[3960]  C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer  0000000076f426a0 5 bytes JMP 0000000000020568
.text  C:\Windows\system32\svchost.exe[4000]  C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable  0000000076ec4170 5 bytes JMP 00000000000205f0
.text  C:\Windows\system32\svchost.exe[4000]  C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess  0000000076eebec0 5 bytes JMP 0000000000020678
.text  C:\Windows\system32\svchost.exe[4000]  C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection  0000000076eebfb0 5 bytes JMP 00000000000200a0
.text  C:\Windows\system32\svchost.exe[4000]  C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory  0000000076eec0d0 5 bytes JMP 0000000000020018
.text  C:\Windows\system32\svchost.exe[4000]  C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent  0000000076eec130 5 bytes JMP 00000000000203d0
.text  C:\Windows\system32\svchost.exe[4000]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent  0000000076eec1b0 5 bytes JMP 00000000000201b0
.text  C:\Windows\system32\svchost.exe[4000]  C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread  0000000076eec250 5 bytes JMP 0000000000020128
.text  C:\Windows\system32\svchost.exe[4000]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant  0000000076eec700 5 bytes JMP 0000000000020238
.text  C:\Windows\system32\svchost.exe[4000]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore  0000000076eec790 5 bytes JMP 00000000000202c0
.text  C:\Windows\system32\svchost.exe[4000]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess  0000000076eec800 5 bytes JMP 0000000000020348
.text  C:\Windows\system32\svchost.exe[4000]  C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant  0000000076eeccc0 5 bytes JMP 0000000000020458
.text  C:\Windows\system32\svchost.exe[4000]  C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore  0000000076eecd10 5 bytes JMP 00000000000204e0
.text  C:\Windows\system32\svchost.exe[4000]  C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer  0000000076f426a0 5 bytes JMP 0000000000020568
.text  C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4560]  C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess  000000007709fae8 5 bytes JMP 0000000072db2d80
.text  C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4560]  C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection  000000007709fc60 5 bytes JMP 0000000072db2910
.text  C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4560]  C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory  000000007709fe24 5 bytes JMP 0000000072db27a0
.text  C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4560]  C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent  000000007709feb8 5 bytes JMP 0000000072db2ed0
.text  C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4560]  C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent  000000007709ff84 5 bytes JMP 0000000072db2e90
.text  C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4560]  C:\Windows\SysWOW64\ntdll.dll!NtResumeThread  00000000770a0078 5 bytes JMP 0000000072db2ad0
.text  C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4560]  C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant  00000000770a07ac 5 bytes JMP 0000000072db2f10
.text  C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4560]  C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore  00000000770a0884 5 bytes JMP 0000000072db2f90
.text  C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4560]  C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess  00000000770a092c 5 bytes JMP 0000000072db2c00
.text  C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4560]  C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant  00000000770a1088 5 bytes JMP 0000000072db2f50
.text  C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4560]  C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore  00000000770a1100 5 bytes JMP 0000000072db2fd0
.text  C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4560]  C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable  00000000770b911f 5 bytes JMP 0000000072db3620
.text  C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4560]  C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer  000000007713ffe9 5 bytes JMP 0000000072db2c90
.text  C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4744]  C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess  000000007709fae8 5 bytes JMP 0000000072db2d80
.text  C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4744]  C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection  000000007709fc60 5 bytes JMP 0000000072db2910
.text  C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4744]  C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory  000000007709fe24 5 bytes JMP 0000000072db27a0
.text  C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4744]  C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent  000000007709feb8 5 bytes JMP 0000000072db2ed0
.text  C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4744]  C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent  000000007709ff84 5 bytes JMP 0000000072db2e90
.text  C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4744]  C:\Windows\SysWOW64\ntdll.dll!NtResumeThread  00000000770a0078 5 bytes JMP 0000000072db2ad0
.text
C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4744] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000770a07ac 5 bytes JMP 0000000072db2f10 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4744] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000770a0884 5 bytes JMP 0000000072db2f90 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4744] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000770a092c 5 bytes JMP 0000000072db2c00 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4744] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000770a1088 5 bytes JMP 0000000072db2f50 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4744] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000770a1100 5 bytes JMP 0000000072db2fd0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4744] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 00000000770b911f 5 bytes JMP 0000000072db3620 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4744] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007713ffe9 5 bytes JMP 0000000072db2c90 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4744] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076391401 2 bytes JMP 74d1b233 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4744] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076391419 2 bytes JMP 74d1b35e C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4744] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076391431 2 bytes JMP 74d99149 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files\Intel\Intel(R) Rapid Storage 
Technology\IAStorDataMgrSvc.exe[4744] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007639144a 2 bytes CALL 74cf4885 C:\Windows\syswow64\KERNEL32.dll .text ... * 9 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4744] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000763914dd 2 bytes JMP 74d98a42 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4744] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000763914f5 2 bytes JMP 74d98c18 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4744] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007639150d 2 bytes JMP 74d98938 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4744] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076391525 2 bytes JMP 74d98d02 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4744] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007639153d 2 bytes JMP 74d0fcc0 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4744] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076391555 2 bytes JMP 74d16907 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4744] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007639156d 2 bytes JMP 74d99201 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4744] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076391585 2 bytes JMP 74d98d62 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4744] 
C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007639159d 2 bytes JMP 74d988fc C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4744] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000763915b5 2 bytes JMP 74d0fd59 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4744] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000763915cd 2 bytes JMP 74d1b2f4 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4744] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000763916b2 2 bytes JMP 74d990c4 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4744] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000763916bd 2 bytes JMP 74d98891 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3940] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007709fae8 5 bytes JMP 0000000072db2d80 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3940] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007709fc60 5 bytes JMP 0000000072db2910 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3940] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007709fe24 5 bytes JMP 0000000072db27a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3940] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007709feb8 5 bytes JMP 0000000072db2ed0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3940] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007709ff84 5 bytes JMP 0000000072db2e90 .text C:\Program Files 
(x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3940] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000770a0078 5 bytes JMP 0000000072db2ad0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3940] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000770a07ac 5 bytes JMP 0000000072db2f10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3940] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000770a0884 5 bytes JMP 0000000072db2f90 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3940] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000770a092c 5 bytes JMP 0000000072db2c00 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3940] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000770a1088 5 bytes JMP 0000000072db2f50 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3940] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000770a1100 5 bytes JMP 0000000072db2fd0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3940] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 00000000770b911f 5 bytes JMP 0000000072db3620 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3940] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007713ffe9 5 bytes JMP 0000000072db2c90 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3940] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076391401 2 bytes JMP 74d1b233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3940] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076391419 2 bytes JMP 74d1b35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files 
(x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3940] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076391431 2 bytes JMP 74d99149 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3940] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007639144a 2 bytes CALL 74cf4885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3940] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000763914dd 2 bytes JMP 74d98a42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3940] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000763914f5 2 bytes JMP 74d98c18 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3940] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007639150d 2 bytes JMP 74d98938 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3940] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076391525 2 bytes JMP 74d98d02 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3940] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007639153d 2 bytes JMP 74d0fcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3940] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076391555 2 bytes JMP 74d16907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3940] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007639156d 2 bytes JMP 74d99201 
C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3940] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076391585 2 bytes JMP 74d98d62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3940] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007639159d 2 bytes JMP 74d988fc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3940] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000763915b5 2 bytes JMP 74d0fd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3940] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000763915cd 2 bytes JMP 74d1b2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3940] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000763916b2 2 bytes JMP 74d990c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3940] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000763916bd 2 bytes JMP 74d98891 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[688] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007709fae8 5 bytes JMP 0000000072db2d80 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[688] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007709fc60 5 bytes JMP 0000000072db2910 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[688] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007709fe24 5 bytes JMP 0000000072db27a0 .text C:\Program Files (x86)\Intel\Intel(R) 
Management Engine Components\LMS\LMS.exe[688] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007709feb8 5 bytes JMP 0000000072db2ed0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[688] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007709ff84 5 bytes JMP 0000000072db2e90 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[688] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000770a0078 5 bytes JMP 0000000072db2ad0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[688] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000770a07ac 5 bytes JMP 0000000072db2f10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[688] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000770a0884 5 bytes JMP 0000000072db2f90 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[688] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000770a092c 5 bytes JMP 0000000072db2c00 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[688] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000770a1088 5 bytes JMP 0000000072db2f50 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[688] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000770a1100 5 bytes JMP 0000000072db2fd0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[688] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 00000000770b911f 5 bytes JMP 0000000072db3620 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[688] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007713ffe9 5 bytes JMP 0000000072db2c90 .text C:\Windows\System32\svchost.exe[4704] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076ec4170 5 bytes JMP 00000000000205f0 .text C:\Windows\System32\svchost.exe[4704] 
C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000076eebec0 5 bytes JMP 0000000000020678 .text C:\Windows\System32\svchost.exe[4704] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076eebfb0 5 bytes JMP 00000000000200a0 .text C:\Windows\System32\svchost.exe[4704] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076eec0d0 5 bytes JMP 0000000000020018 .text C:\Windows\System32\svchost.exe[4704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076eec130 5 bytes JMP 00000000000203d0 .text C:\Windows\System32\svchost.exe[4704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076eec1b0 5 bytes JMP 00000000000201b0 .text C:\Windows\System32\svchost.exe[4704] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076eec250 5 bytes JMP 0000000000020128 .text C:\Windows\System32\svchost.exe[4704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076eec700 5 bytes JMP 0000000000020238 .text C:\Windows\System32\svchost.exe[4704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076eec790 5 bytes JMP 00000000000202c0 .text C:\Windows\System32\svchost.exe[4704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076eec800 5 bytes JMP 0000000000020348 .text C:\Windows\System32\svchost.exe[4704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076eeccc0 5 bytes JMP 0000000000020458 .text C:\Windows\System32\svchost.exe[4704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076eecd10 5 bytes JMP 00000000000204e0 .text C:\Windows\System32\svchost.exe[4704] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000076f426a0 5 bytes JMP 0000000000020568 .text C:\Users\GOKUiSOUNF\Desktop\rmq2tm48.exe[6124] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007709fae8 5 bytes JMP 0000000072db2d80 .text C:\Users\GOKUiSOUNF\Desktop\rmq2tm48.exe[6124] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007709fc60 5 bytes JMP 0000000072db2910 .text C:\Users\GOKUiSOUNF\Desktop\rmq2tm48.exe[6124] 
C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007709fe24 5 bytes JMP 0000000072db27a0 .text C:\Users\GOKUiSOUNF\Desktop\rmq2tm48.exe[6124] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007709feb8 5 bytes JMP 0000000072db2ed0 .text C:\Users\GOKUiSOUNF\Desktop\rmq2tm48.exe[6124] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007709ff84 5 bytes JMP 0000000072db2e90 .text C:\Users\GOKUiSOUNF\Desktop\rmq2tm48.exe[6124] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000770a0078 5 bytes JMP 0000000072db2ad0 .text C:\Users\GOKUiSOUNF\Desktop\rmq2tm48.exe[6124] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000770a07ac 5 bytes JMP 0000000072db2f10 .text C:\Users\GOKUiSOUNF\Desktop\rmq2tm48.exe[6124] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000770a0884 5 bytes JMP 0000000072db2f90 .text C:\Users\GOKUiSOUNF\Desktop\rmq2tm48.exe[6124] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000770a092c 5 bytes JMP 0000000072db2c00 .text C:\Users\GOKUiSOUNF\Desktop\rmq2tm48.exe[6124] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000770a1088 5 bytes JMP 0000000072db2f50 .text C:\Users\GOKUiSOUNF\Desktop\rmq2tm48.exe[6124] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000770a1100 5 bytes JMP 0000000072db2fd0 .text C:\Users\GOKUiSOUNF\Desktop\rmq2tm48.exe[6124] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 00000000770b911f 5 bytes JMP 0000000072db3620 .text C:\Users\GOKUiSOUNF\Desktop\rmq2tm48.exe[6124] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007713ffe9 5 bytes JMP 0000000072db2c90 ---- User IAT/EAT - GMER 2.2 ---- IAT c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2808] @ c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamDWord] [7fef196741c] c:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2808] @ c:\Program Files\Common Files\Microsoft 
Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSet] [7fef1965f10] c:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2808] @ c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmEndSession] [7fef1965674] c:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2808] @ c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartSession] [7fef1965e2c] c:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2808] @ c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartUpload] [7fef1967f48] c:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2808] @ c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppVersion] [7fef1966a38] c:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2808] @ c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetMachineId] [7fef1966ee8] c:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2808] @ c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmWriteSharedMachineId] [7fef1967b58] c:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2808] @ c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmCreateNewId] [7fef1967ea0] c:\Program Files\Common Files\Microsoft 
Shared\Windows Live\sqmapi.dll IAT c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2808] @ c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmReadSharedMachineId] [7fef19678b0] c:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2808] @ c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmGetSession] [7fef1964fb4] c:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2808] @ c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppId] [7fef1965d38] c:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2808] @ c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamString] [7fef1967584] c:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll ---- Threads - GMER 2.2 ---- Thread C:\Windows\System32\svchost.exe [4704:4824] 000007fedb2d9688 ---- EOF - GMER 2.2 ----