GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2016-02-10 20:20:49 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1 WDC_WD10EZEX-00RKKA0 rev.80.00A80 931,51GB Running: 3bmjkvs0.exe; Driver: C:\Users\User\AppData\Local\Temp\aftcaaob.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\AVG\Av\avgfws.exe[1916] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 0000000074f11465 2 bytes [F1, 74] .text C:\Program Files (x86)\AVG\Av\avgfws.exe[1916] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 0000000074f114bb 2 bytes [F1, 74] .text ... * 2 .text C:\Program Files (x86)\AVG\Av\avgidsagent.exe[1936] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074f11465 2 bytes [F1, 74] .text C:\Program Files (x86)\AVG\Av\avgidsagent.exe[1936] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074f114bb 2 bytes [F1, 74] .text ... * 2 .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[1596] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074f11465 2 bytes [F1, 74] .text C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe[1596] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074f114bb 2 bytes [F1, 74] .text ... * 2 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076d61590 5 bytes JMP 0000000076ec00a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000076ec0018 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 0000000076ec03d0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 0000000076ec01b0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076d61830 5 bytes JMP 0000000076ec0128 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000076ec0238 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 0000000076ec02c0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076d61de0 5 bytes JMP 0000000076ec0348 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 0000000076ec0458 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 0000000076ec04e0 .text C:\Windows\system32\nvvsvc.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076d61590 5 bytes JMP 0000000076ec00a0 .text C:\Windows\system32\nvvsvc.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000076ec0018 .text C:\Windows\system32\nvvsvc.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 0000000076ec03d0 .text C:\Windows\system32\nvvsvc.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 0000000076ec01b0 .text C:\Windows\system32\nvvsvc.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076d61830 5 bytes JMP 0000000076ec0128 .text C:\Windows\system32\nvvsvc.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000076ec0238 .text C:\Windows\system32\nvvsvc.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 0000000076ec02c0 .text C:\Windows\system32\nvvsvc.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076d61de0 5 bytes JMP 0000000076ec0348 .text C:\Windows\system32\nvvsvc.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 0000000076ec0458 .text C:\Windows\system32\nvvsvc.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 0000000076ec04e0 .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2412] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076f0fc40 5 bytes JMP 000000016e9122f0 .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2412] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076f0fe04 5 bytes JMP 000000016e912180 .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2412] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000076f0fe98 5 bytes JMP 000000016e9125b0 .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2412] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076f0ff64 5 bytes JMP 000000016e912590 .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2412] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000076f10058 5 bytes JMP 000000016e9124b0 .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2412] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076f1078c 5 bytes JMP 000000016e9125d0 .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2412] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000076f10864 5 bytes JMP 000000016e912610 .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2412] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000076f1090c 5 bytes JMP 000000016e912650 .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2412] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000076f11068 5 bytes JMP 000000016e9125f0 .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2412] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000076f110e0 5 bytes JMP 000000016e912630 .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076f0fc40 5 bytes JMP 000000016e9122f0 .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076f0fe04 5 bytes JMP 000000016e912180 .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000076f0fe98 5 bytes JMP 000000016e9125b0 .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076f0ff64 5 bytes JMP 000000016e912590 .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000076f10058 5 bytes JMP 000000016e9124b0 .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076f1078c 5 bytes JMP 000000016e9125d0 .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000076f10864 5 bytes JMP 000000016e912610 .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000076f1090c 5 bytes JMP 000000016e912650 .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000076f11068 5 bytes JMP 000000016e9125f0 .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000076f110e0 5 bytes JMP 000000016e912630 .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 000000006e901a22 2 bytes [90, 6E] .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 000000006e901ad0 2 bytes [90, 6E] .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 000000006e901b08 2 bytes [90, 6E] .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 000000006e901bba 2 bytes [90, 6E] .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 000000006e901bda 2 bytes [90, 6E] .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074f11465 2 bytes [F1, 74] .text C:\Windows\SysWOW64\PnkBstrA.exe[2632] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074f114bb 2 bytes [F1, 74] .text ... * 2 .text C:\Windows\system32\svchost.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076d61590 5 bytes JMP 0000000076ec00a0 .text C:\Windows\system32\svchost.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000076ec0018 .text C:\Windows\system32\svchost.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 0000000076ec03d0 .text C:\Windows\system32\svchost.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 0000000076ec01b0 .text C:\Windows\system32\svchost.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076d61830 5 bytes JMP 0000000076ec0128 .text C:\Windows\system32\svchost.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000076ec0238 .text C:\Windows\system32\svchost.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 0000000076ec02c0 .text C:\Windows\system32\svchost.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076d61de0 5 bytes JMP 0000000076ec0348 .text C:\Windows\system32\svchost.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 0000000076ec0458 .text C:\Windows\system32\svchost.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 0000000076ec04e0 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2916] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076f0fc40 5 bytes JMP 000000016e9122f0 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2916] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076f0fe04 5 bytes JMP 000000016e912180 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2916] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000076f0fe98 5 bytes JMP 000000016e9125b0 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2916] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076f0ff64 5 bytes JMP 000000016e912590 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2916] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000076f10058 5 bytes JMP 000000016e9124b0 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2916] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076f1078c 5 bytes JMP 000000016e9125d0 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2916] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000076f10864 5 bytes JMP 000000016e912610 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2916] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000076f1090c 5 bytes JMP 000000016e912650 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2916] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000076f11068 5 bytes JMP 000000016e9125f0 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2916] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000076f110e0 5 bytes JMP 000000016e912630 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\ToolbarUpdater.exe[2980] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076f0fc40 5 bytes JMP 000000016e9122f0 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\ToolbarUpdater.exe[2980] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076f0fe04 5 bytes JMP 000000016e912180 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\ToolbarUpdater.exe[2980] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000076f0fe98 5 bytes JMP 000000016e9125b0 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\ToolbarUpdater.exe[2980] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076f0ff64 5 bytes JMP 000000016e912590 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\ToolbarUpdater.exe[2980] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000076f10058 5 bytes JMP 000000016e9124b0 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\ToolbarUpdater.exe[2980] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076f1078c 5 bytes JMP 000000016e9125d0 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\ToolbarUpdater.exe[2980] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000076f10864 5 bytes JMP 000000016e912610 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\ToolbarUpdater.exe[2980] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000076f1090c 5 bytes JMP 000000016e912650 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\ToolbarUpdater.exe[2980] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000076f11068 5 bytes JMP 000000016e9125f0 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\ToolbarUpdater.exe[2980] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000076f110e0 5 bytes JMP 000000016e912630 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\ToolbarUpdater.exe[2980] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074f11465 2 bytes [F1, 74] .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\ToolbarUpdater.exe[2980] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074f114bb 2 bytes [F1, 74] .text ... * 2 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3004] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076d61590 5 bytes JMP 0000000076ec00a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3004] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000076ec0018 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 0000000076ec03d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 0000000076ec01b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3004] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076d61830 5 bytes JMP 0000000076ec0128 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000076ec0238 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 0000000076ec02c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076d61de0 5 bytes JMP 0000000076ec0348 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 0000000076ec0458 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 0000000076ec04e0 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3020] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076f0fc40 5 bytes JMP 000000016e9122f0 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3020] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076f0fe04 5 bytes JMP 000000016e912180 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3020] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000076f0fe98 5 bytes JMP 000000016e9125b0 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3020] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076f0ff64 5 bytes JMP 000000016e912590 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3020] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000076f10058 5 bytes JMP 000000016e9124b0 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3020] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076f1078c 5 bytes JMP 000000016e9125d0 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3020] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000076f10864 5 bytes JMP 000000016e912610 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3020] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000076f1090c 5 bytes JMP 000000016e912650 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3020] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000076f11068 5 bytes JMP 000000016e9125f0 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.4\loggingserver.exe[3020] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000076f110e0 5 bytes JMP 000000016e912630 .text C:\Windows\system32\conhost.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076d61590 5 bytes JMP 0000000076ec00a0 .text C:\Windows\system32\conhost.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000076ec0018 .text C:\Windows\system32\conhost.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 0000000076ec03d0 .text C:\Windows\system32\conhost.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 0000000076ec01b0 .text C:\Windows\system32\conhost.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076d61830 5 bytes JMP 0000000076ec0128 .text C:\Windows\system32\conhost.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000076ec0238 .text C:\Windows\system32\conhost.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 0000000076ec02c0 .text C:\Windows\system32\conhost.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076d61de0 5 bytes JMP 0000000076ec0348 .text C:\Windows\system32\conhost.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 0000000076ec0458 .text C:\Windows\system32\conhost.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 0000000076ec04e0 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076d61590 5 bytes JMP 0000000076ec00a0 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000076ec0018 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 0000000076ec03d0 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 0000000076ec01b0 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076d61830 5 bytes JMP 0000000076ec0128 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000076ec0238 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 0000000076ec02c0 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076d61de0 5 bytes JMP 0000000076ec0348 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 0000000076ec0458 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 0000000076ec04e0 .text C:\Windows\system32\taskhost.exe[2536] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076d61590 5 bytes JMP 0000000076ec00a0 .text C:\Windows\system32\taskhost.exe[2536] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000076ec0018 .text C:\Windows\system32\taskhost.exe[2536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 0000000076ec03d0 .text C:\Windows\system32\taskhost.exe[2536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 0000000076ec01b0 .text C:\Windows\system32\taskhost.exe[2536] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076d61830 5 bytes JMP 0000000076ec0128 .text C:\Windows\system32\taskhost.exe[2536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000076ec0238 .text C:\Windows\system32\taskhost.exe[2536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 0000000076ec02c0 .text C:\Windows\system32\taskhost.exe[2536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076d61de0 5 bytes JMP 0000000076ec0348 .text C:\Windows\system32\taskhost.exe[2536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 0000000076ec0458 .text C:\Windows\system32\taskhost.exe[2536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 0000000076ec04e0 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[2560] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076d61590 5 bytes JMP 0000000076ec00a0 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[2560] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000076ec0018 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[2560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 0000000076ec03d0 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[2560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 0000000076ec01b0 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[2560] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076d61830 5 bytes JMP 0000000076ec0128 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[2560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000076ec0238 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[2560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 0000000076ec02c0 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[2560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076d61de0 5 bytes JMP 0000000076ec0348 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[2560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 0000000076ec0458 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[2560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 0000000076ec04e0 .text C:\Windows\system32\Dwm.exe[3612] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076d61590 5 bytes JMP 0000000076ec00a0 .text C:\Windows\system32\Dwm.exe[3612] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000076ec0018 .text C:\Windows\system32\Dwm.exe[3612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 0000000076ec03d0 .text C:\Windows\system32\Dwm.exe[3612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 0000000076ec01b0 .text C:\Windows\system32\Dwm.exe[3612] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076d61830 5 bytes JMP 0000000076ec0128 .text C:\Windows\system32\Dwm.exe[3612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000076ec0238 .text C:\Windows\system32\Dwm.exe[3612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 0000000076ec02c0 .text C:\Windows\system32\Dwm.exe[3612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076d61de0 5 bytes JMP 0000000076ec0348 .text C:\Windows\system32\Dwm.exe[3612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 0000000076ec0458 .text C:\Windows\system32\Dwm.exe[3612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 0000000076ec04e0 .text C:\Windows\Explorer.EXE[3652] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076d61590 5 bytes JMP 0000000076ec00a0 .text C:\Windows\Explorer.EXE[3652] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000076ec0018 .text C:\Windows\Explorer.EXE[3652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 0000000076ec03d0 .text C:\Windows\Explorer.EXE[3652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 0000000076ec01b0 .text C:\Windows\Explorer.EXE[3652] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076d61830 5 bytes JMP 0000000076ec0128 .text C:\Windows\Explorer.EXE[3652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000076ec0238 .text C:\Windows\Explorer.EXE[3652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 0000000076ec02c0 .text C:\Windows\Explorer.EXE[3652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076d61de0 5 bytes JMP 0000000076ec0348 .text C:\Windows\Explorer.EXE[3652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 0000000076ec0458 .text C:\Windows\Explorer.EXE[3652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 0000000076ec04e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3828] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076d61590 5 bytes JMP 0000000076ec00a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3828] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000076ec0018 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 0000000076ec03d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 0000000076ec01b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3828] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076d61830 5 bytes JMP 0000000076ec0128 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000076ec0238 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 0000000076ec02c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076d61de0 5 bytes JMP 0000000076ec0348 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 0000000076ec0458 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 0000000076ec04e0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076d61590 5 bytes JMP 0000000076ec00a0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000076ec0018 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 0000000076ec03d0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 0000000076ec01b0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076d61830 5 bytes JMP 0000000076ec0128 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000076ec0238 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 0000000076ec02c0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076d61de0 5 bytes JMP 0000000076ec0348 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 0000000076ec0458 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 0000000076ec04e0 .text C:\Windows\system32\SearchIndexer.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076d61590 5 bytes JMP 0000000076ec00a0 .text C:\Windows\system32\SearchIndexer.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000076ec0018 .text C:\Windows\system32\SearchIndexer.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 0000000076ec03d0 .text C:\Windows\system32\SearchIndexer.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 0000000076ec01b0 .text C:\Windows\system32\SearchIndexer.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076d61830 5 bytes JMP 0000000076ec0128 .text C:\Windows\system32\SearchIndexer.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000076ec0238 .text C:\Windows\system32\SearchIndexer.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 0000000076ec02c0 .text C:\Windows\system32\SearchIndexer.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076d61de0 5 bytes JMP 0000000076ec0348 .text C:\Windows\system32\SearchIndexer.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 0000000076ec0458 .text C:\Windows\system32\SearchIndexer.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 0000000076ec04e0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076d61590 5 bytes JMP 0000000076ec00a0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000076ec0018 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 0000000076ec03d0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 0000000076ec01b0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076d61830 5 bytes JMP 0000000076ec0128 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000076ec0238 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 0000000076ec02c0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076d61de0 5 bytes JMP 0000000076ec0348 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 0000000076ec0458 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 0000000076ec04e0 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[3380] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076f0fc40 5 bytes JMP 000000016e9122f0 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[3380] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076f0fe04 5 bytes JMP 000000016e912180 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[3380] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000076f0fe98 5 bytes JMP 000000016e9125b0 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[3380] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076f0ff64 5 bytes JMP 000000016e912590 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[3380] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000076f10058 5 bytes JMP 000000016e9124b0 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[3380] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076f1078c 5 bytes JMP 000000016e9125d0 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[3380] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000076f10864 5 bytes JMP 000000016e912610 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[3380] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000076f1090c 5 bytes JMP 000000016e912650 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[3380] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000076f11068 5 bytes JMP 000000016e9125f0 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[3380] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000076f110e0 5 bytes JMP 000000016e912630 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[3380] C:\Windows\syswow64\USER32.dll!GetMenu + 412 00000000763551dd 7 bytes JMP 000000011003b3d0 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[3380] C:\Windows\syswow64\USER32.dll!PeekMessageA + 407 000000007635610b 7 bytes JMP 000000011003b780 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[3380] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamW + 131 000000007635c6c1 7 bytes JMP 000000011003b340 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[3380] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectA + 199 000000007639fc98 7 bytes JMP 000000011003b6d0 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[3380] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectW + 52 000000007639fcd1 7 bytes JMP 000000011003b570 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[3380] C:\Windows\syswow64\USER32.dll!MessageBoxExA + 31 000000007639fcf5 7 bytes JMP 000000011003b680 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[3380] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074f11465 2 bytes [F1, 74] .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[3380] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074f114bb 2 bytes [F1, 74] .text ... * 2 .text C:\Program Files (x86)\AVG\Av\avgui.exe[4168] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076f0fc40 5 bytes JMP 000000016e9122f0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[4168] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076f0fe04 5 bytes JMP 000000016e912180 .text C:\Program Files (x86)\AVG\Av\avgui.exe[4168] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000076f0fe98 5 bytes JMP 000000016e9125b0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[4168] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076f0ff64 5 bytes JMP 000000016e912590 .text C:\Program Files (x86)\AVG\Av\avgui.exe[4168] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000076f10058 5 bytes JMP 000000016e9124b0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[4168] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076f1078c 5 bytes JMP 000000016e9125d0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[4168] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000076f10864 5 bytes JMP 000000016e912610 .text C:\Program Files (x86)\AVG\Av\avgui.exe[4168] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000076f1090c 5 bytes JMP 000000016e912650 .text C:\Program Files (x86)\AVG\Av\avgui.exe[4168] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000076f11068 5 bytes JMP 000000016e9125f0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[4168] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000076f110e0 5 bytes JMP 000000016e912630 .text C:\Program Files (x86)\AVG\Av\avgui.exe[4168] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074f11465 2 bytes [F1, 74] .text C:\Program Files (x86)\AVG\Av\avgui.exe[4168] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074f114bb 2 bytes [F1, 74] .text ... * 2 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076f0fc40 5 bytes JMP 000000016e9122f0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076f0fe04 5 bytes JMP 000000016e912180 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000076f0fe98 5 bytes JMP 000000016e9125b0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076f0ff64 5 bytes JMP 000000016e912590 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000076f10058 5 bytes JMP 000000016e9124b0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076f1078c 5 bytes JMP 000000016e9125d0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000076f10864 5 bytes JMP 000000016e912610 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000076f1090c 5 bytes JMP 000000016e912650 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000076f11068 5 bytes JMP 000000016e9125f0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000076f110e0 5 bytes JMP 000000016e912630 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4204] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076f0fc40 5 bytes JMP 000000016e9122f0 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4204] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076f0fe04 5 bytes JMP 000000016e912180 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4204] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000076f0fe98 5 bytes JMP 000000016e9125b0 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4204] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076f0ff64 5 bytes JMP 000000016e912590 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4204] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000076f10058 5 bytes JMP 000000016e9124b0 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4204] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076f1078c 5 bytes JMP 000000016e9125d0 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4204] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000076f10864 5 bytes JMP 000000016e912610 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4204] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000076f1090c 5 bytes JMP 000000016e912650 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4204] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000076f11068 5 bytes JMP 000000016e9125f0 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4204] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000076f110e0 5 bytes JMP 000000016e912630 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4204] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074f11465 2 bytes [F1, 74] .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4204] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074f114bb 2 bytes [F1, 74] .text ... * 2 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4348] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076f0fc40 5 bytes JMP 000000016e9122f0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4348] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076f0fe04 5 bytes JMP 000000016e912180 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4348] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000076f0fe98 5 bytes JMP 000000016e9125b0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4348] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076f0ff64 5 bytes JMP 000000016e912590 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4348] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000076f10058 5 bytes JMP 000000016e9124b0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4348] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076f1078c 5 bytes JMP 000000016e9125d0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4348] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000076f10864 5 bytes JMP 000000016e912610 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4348] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000076f1090c 5 bytes JMP 000000016e912650 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4348] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000076f11068 5 bytes JMP 000000016e9125f0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4348] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000076f110e0 5 bytes JMP 000000016e912630 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4348] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074f11465 2 bytes [F1, 74] .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4348] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074f114bb 2 bytes [F1, 74] .text ... * 2 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[4388] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076f0fc40 5 bytes JMP 000000016e9122f0 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[4388] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076f0fe04 5 bytes JMP 000000016e912180 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[4388] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000076f0fe98 5 bytes JMP 000000016e9125b0 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[4388] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076f0ff64 5 bytes JMP 000000016e912590 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[4388] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000076f10058 5 bytes JMP 000000016e9124b0 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[4388] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076f1078c 5 bytes JMP 000000016e9125d0 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[4388] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000076f10864 5 bytes JMP 000000016e912610 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[4388] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000076f1090c 5 bytes JMP 000000016e912650 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[4388] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000076f11068 5 bytes JMP 000000016e9125f0 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[4388] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000076f110e0 5 bytes JMP 000000016e912630 .text C:\Windows\system32\svchost.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076d61590 5 bytes JMP 0000000076ec00a0 .text C:\Windows\system32\svchost.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000076ec0018 .text C:\Windows\system32\svchost.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 0000000076ec03d0 .text C:\Windows\system32\svchost.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 0000000076ec01b0 .text C:\Windows\system32\svchost.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076d61830 5 bytes JMP 0000000076ec0128 .text C:\Windows\system32\svchost.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000076ec0238 .text C:\Windows\system32\svchost.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 0000000076ec02c0 .text C:\Windows\system32\svchost.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076d61de0 5 bytes JMP 0000000076ec0348 .text C:\Windows\system32\svchost.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 0000000076ec0458 .text C:\Windows\system32\svchost.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 0000000076ec04e0 .text C:\Windows\System32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076d61590 5 bytes JMP 0000000076ec00a0 .text C:\Windows\System32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000076ec0018 .text C:\Windows\System32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 0000000076ec03d0 .text C:\Windows\System32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 0000000076ec01b0 .text C:\Windows\System32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076d61830 5 bytes JMP 0000000076ec0128 .text C:\Windows\System32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000076ec0238 .text C:\Windows\System32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 0000000076ec02c0 .text C:\Windows\System32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076d61de0 5 bytes JMP 0000000076ec0348 .text C:\Windows\System32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 0000000076ec0458 .text C:\Windows\System32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 0000000076ec04e0 .text C:\Windows\SysWOW64\ctfmon.exe[4828] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076f0fc40 5 bytes JMP 000000016e9122f0 .text C:\Windows\SysWOW64\ctfmon.exe[4828] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076f0fe04 5 bytes JMP 000000016e912180 .text C:\Windows\SysWOW64\ctfmon.exe[4828] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000076f0fe98 5 bytes JMP 000000016e9125b0 .text C:\Windows\SysWOW64\ctfmon.exe[4828] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076f0ff64 5 bytes JMP 000000016e912590 .text C:\Windows\SysWOW64\ctfmon.exe[4828] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000076f10058 5 bytes JMP 000000016e9124b0 .text C:\Windows\SysWOW64\ctfmon.exe[4828] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076f1078c 5 bytes JMP 000000016e9125d0 .text C:\Windows\SysWOW64\ctfmon.exe[4828] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000076f10864 5 bytes JMP 000000016e912610 .text C:\Windows\SysWOW64\ctfmon.exe[4828] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000076f1090c 5 bytes JMP 000000016e912650 .text C:\Windows\SysWOW64\ctfmon.exe[4828] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000076f11068 5 bytes JMP 000000016e9125f0 .text C:\Windows\SysWOW64\ctfmon.exe[4828] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000076f110e0 5 bytes JMP 000000016e912630 .text C:\Windows\system32\DllHost.exe[5376] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076d61590 5 bytes JMP 0000000076ec00a0 .text C:\Windows\system32\DllHost.exe[5376] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000076ec0018 .text C:\Windows\system32\DllHost.exe[5376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 0000000076ec03d0 .text C:\Windows\system32\DllHost.exe[5376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 0000000076ec01b0 .text C:\Windows\system32\DllHost.exe[5376] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076d61830 5 bytes JMP 0000000076ec0128 .text C:\Windows\system32\DllHost.exe[5376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000076ec0238 .text C:\Windows\system32\DllHost.exe[5376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 0000000076ec02c0 .text C:\Windows\system32\DllHost.exe[5376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076d61de0 5 bytes JMP 0000000076ec0348 .text C:\Windows\system32\DllHost.exe[5376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 0000000076ec0458 .text C:\Windows\system32\DllHost.exe[5376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 0000000076ec04e0 .text C:\Windows\system32\svchost.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076d61590 5 bytes JMP 0000000076ec00a0 .text C:\Windows\system32\svchost.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000076ec0018 .text C:\Windows\system32\svchost.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 0000000076ec03d0 .text C:\Windows\system32\svchost.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 0000000076ec01b0 .text C:\Windows\system32\svchost.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076d61830 5 bytes JMP 0000000076ec0128 .text C:\Windows\system32\svchost.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000076ec0238 .text C:\Windows\system32\svchost.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 0000000076ec02c0 .text C:\Windows\system32\svchost.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076d61de0 5 bytes JMP 0000000076ec0348 .text C:\Windows\system32\svchost.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 0000000076ec0458 .text C:\Windows\system32\svchost.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 0000000076ec04e0 .text C:\Windows\system32\svchost.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076d61590 5 bytes JMP 0000000076ec00a0 .text C:\Windows\system32\svchost.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000076ec0018 .text C:\Windows\system32\svchost.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 0000000076ec03d0 .text C:\Windows\system32\svchost.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 0000000076ec01b0 .text C:\Windows\system32\svchost.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076d61830 5 bytes JMP 0000000076ec0128 .text C:\Windows\system32\svchost.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000076ec0238 .text C:\Windows\system32\svchost.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 0000000076ec02c0 .text C:\Windows\system32\svchost.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076d61de0 5 bytes JMP 0000000076ec0348 .text C:\Windows\system32\svchost.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 0000000076ec0458 .text C:\Windows\system32\svchost.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 0000000076ec04e0 .text D:\Program Files\Steam\Steam.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076f0fc40 5 bytes JMP 000000016e9122f0 .text D:\Program Files\Steam\Steam.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076f0fe04 5 bytes JMP 000000016e912180 .text D:\Program Files\Steam\Steam.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000076f0fe98 5 bytes JMP 000000016e9125b0 .text D:\Program Files\Steam\Steam.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076f0ff64 5 bytes JMP 000000016e912590 .text D:\Program Files\Steam\Steam.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000076f10058 5 bytes JMP 000000016e9124b0 .text D:\Program Files\Steam\Steam.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076f1078c 5 bytes JMP 000000016e9125d0 .text D:\Program Files\Steam\Steam.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000076f10864 5 bytes JMP 000000016e912610 .text D:\Program Files\Steam\Steam.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000076f1090c 5 bytes JMP 000000016e912650 .text D:\Program Files\Steam\Steam.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000076f11068 5 bytes JMP 000000016e9125f0 .text D:\Program Files\Steam\Steam.exe[1776] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000076f110e0 5 bytes JMP 000000016e912630 .text D:\Program Files\Steam\Steam.exe[1776] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 0000000074f11465 2 bytes [F1, 74] .text D:\Program Files\Steam\Steam.exe[1776] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 0000000074f114bb 2 bytes [F1, 74] .text ... * 2 .text D:\Program Files\Steam\bin\steamwebhelper.exe[5996] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076f0fc40 5 bytes JMP 000000016e9122f0 .text D:\Program Files\Steam\bin\steamwebhelper.exe[5996] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076f0fe04 5 bytes JMP 000000016e912180 .text D:\Program Files\Steam\bin\steamwebhelper.exe[5996] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000076f0fe98 5 bytes JMP 000000016e9125b0 .text D:\Program Files\Steam\bin\steamwebhelper.exe[5996] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076f0ff64 5 bytes JMP 000000016e912590 .text D:\Program Files\Steam\bin\steamwebhelper.exe[5996] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000076f10058 5 bytes JMP 000000016e9124b0 .text D:\Program Files\Steam\bin\steamwebhelper.exe[5996] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076f1078c 5 bytes JMP 000000016e9125d0 .text D:\Program Files\Steam\bin\steamwebhelper.exe[5996] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000076f10864 5 bytes JMP 000000016e912610 .text D:\Program Files\Steam\bin\steamwebhelper.exe[5996] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000076f1090c 5 bytes JMP 000000016e912650 .text D:\Program Files\Steam\bin\steamwebhelper.exe[5996] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000076f11068 5 bytes JMP 000000016e9125f0 .text D:\Program Files\Steam\bin\steamwebhelper.exe[5996] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000076f110e0 5 bytes JMP 000000016e912630 .text D:\Program Files\Steam\bin\steamwebhelper.exe[5996] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074f11465 2 bytes [F1, 74] .text D:\Program Files\Steam\bin\steamwebhelper.exe[5996] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074f114bb 2 bytes [F1, 74] .text ... * 2 .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[5612] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076f0fc40 5 bytes JMP 000000016e9122f0 .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[5612] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076f0fe04 5 bytes JMP 000000016e912180 .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[5612] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000076f0fe98 5 bytes JMP 000000016e9125b0 .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[5612] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076f0ff64 5 bytes JMP 000000016e912590 .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[5612] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000076f10058 5 bytes JMP 000000016e9124b0 .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[5612] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076f1078c 5 bytes JMP 000000016e9125d0 .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[5612] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000076f10864 5 bytes JMP 000000016e912610 .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[5612] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000076f1090c 5 bytes JMP 000000016e912650 .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[5612] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000076f11068 5 bytes JMP 000000016e9125f0 .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[5612] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000076f110e0 5 bytes JMP 000000016e912630 .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[5612] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 0000000074f11465 2 bytes [F1, 74] .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[5612] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 0000000074f114bb 2 bytes [F1, 74] .text ... * 2 .text D:\Program Files\Steam\bin\steamwebhelper.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000076f0f9a1 7 bytes {MOV EDX, 0x5c32e8; JMP RDX} .text D:\Program Files\Steam\bin\steamwebhelper.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtOpenKey + 5 0000000076f0fa1d 7 bytes {MOV EDX, 0x5c31a8; JMP RDX} .text D:\Program Files\Steam\bin\steamwebhelper.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtCreateKey + 5 0000000076f0fb35 7 bytes {MOV EDX, 0x5c3168; JMP RDX} .text D:\Program Files\Steam\bin\steamwebhelper.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000076f0fbe5 7 bytes {MOV EDX, 0x5c3328; JMP RDX} .text D:\Program Files\Steam\bin\steamwebhelper.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000076f0fc15 7 bytes {MOV EDX, 0x5c3268; JMP RDX} .text D:\Program Files\Steam\bin\steamwebhelper.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000076f0fc2d 7 bytes {MOV EDX, 0x5c3128; JMP RDX} .text D:\Program Files\Steam\bin\steamwebhelper.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076f0fc40 12 bytes JMP 000000016e9122f0 .text D:\Program Files\Steam\bin\steamwebhelper.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000076f0fc75 7 bytes {MOV EDX, 0x5c3428; JMP RDX} .text D:\Program Files\Steam\bin\steamwebhelper.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000076f0fcf5 7 bytes {MOV EDX, 0x5c33a8; JMP RDX} .text D:\Program Files\Steam\bin\steamwebhelper.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000076f0fd0d 7 bytes {MOV EDX, 0x5c3368; JMP RDX} .text D:\Program Files\Steam\bin\steamwebhelper.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000076f0fd59 7 bytes {MOV EDX, 0x5c3068; JMP RDX} .text D:\Program Files\Steam\bin\steamwebhelper.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076f0fe04 5 bytes JMP 000000016e912180 .text D:\Program Files\Steam\bin\steamwebhelper.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000076f0fe51 7 bytes {MOV EDX, 0x5c30a8; JMP RDX} .text D:\Program Files\Steam\bin\steamwebhelper.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000076f0fe98 5 bytes JMP 000000016e9125b0 .text D:\Program Files\Steam\bin\steamwebhelper.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076f0ff64 5 bytes JMP 000000016e912590 .text D:\Program Files\Steam\bin\steamwebhelper.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000076f10058 5 bytes JMP 000000016e9124b0 .text D:\Program Files\Steam\bin\steamwebhelper.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000076f100a9 7 bytes {MOV EDX, 0x5c3028; JMP RDX} .text D:\Program Files\Steam\bin\steamwebhelper.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076f1078c 5 bytes JMP 000000016e9125d0 .text D:\Program Files\Steam\bin\steamwebhelper.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000076f10864 5 bytes JMP 000000016e912610 .text D:\Program Files\Steam\bin\steamwebhelper.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000076f1090c 5 bytes JMP 000000016e912650 .text D:\Program Files\Steam\bin\steamwebhelper.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtOpenKeyEx + 5 0000000076f1100d 7 bytes {MOV EDX, 0x5c31e8; JMP RDX} .text D:\Program Files\Steam\bin\steamwebhelper.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000076f11068 5 bytes JMP 000000016e9125f0 .text D:\Program Files\Steam\bin\steamwebhelper.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000076f110b5 7 bytes {MOV EDX, 0x5c32a8; JMP RDX} .text D:\Program Files\Steam\bin\steamwebhelper.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000076f110e0 5 bytes JMP 000000016e912630 .text D:\Program Files\Steam\bin\steamwebhelper.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000076f1112d 7 bytes {MOV EDX, 0x5c3228; JMP RDX} .text D:\Program Files\Steam\bin\steamwebhelper.exe[3100] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000076f11331 7 bytes {MOV EDX, 0x5c30e8; JMP RDX} .text D:\Program Files\Steam\bin\steamwebhelper.exe[3100] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074f11465 2 bytes [F1, 74] .text D:\Program Files\Steam\bin\steamwebhelper.exe[3100] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074f114bb 2 bytes [F1, 74] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6416] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076d61590 16 bytes JMP 0000000076ec00a0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6416] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000076ec0018 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 0000000076ec03d0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 0000000076ec01b0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6416] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076d61830 5 bytes JMP 0000000076ec0128 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000076ec0238 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 0000000076ec02c0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076d61de0 5 bytes JMP 0000000076ec0348 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 0000000076ec0458 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 0000000076ec04e0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076d613e0 16 bytes [50, 48, B8, A8, 1A, DF, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 0000000076d61550 16 bytes [50, 48, B8, 00, 1A, DF, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d61570 48 bytes [50, 48, B8, 7C, 19, DF, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076d615b0 16 bytes [50, 48, B8, CC, 1A, DF, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 0000000076d61600 19 bytes [50, 48, B8, 24, 1A, DF, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 4 0000000076d61614 12 bytes [19, DF, 3F, 01, 00, 00, 00, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076d61640 16 bytes [50, 48, B8, 0C, 19, DF, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000076ec0018 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 0000000076d616e0 16 bytes [50, 48, B8, 54, 1A, DF, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 0000000076ec03d0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 0000000076ec01b0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076d61830 5 bytes JMP 0000000076ec0128 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076d61860 16 bytes [50, 48, B8, D0, 17, DF, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000076ec0238 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 0000000076ec02c0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076d61de0 5 bytes JMP 0000000076ec0348 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 0000000076ec0458 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 0000000076d622d0 16 bytes [50, 48, B8, A0, 19, DF, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 0000000076ec04e0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d62320 16 bytes [50, 48, B8, DC, 19, DF, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 0000000076d62470 16 bytes [50, 48, B8, 68, 1A, DF, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6364] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076d613e0 16 bytes [50, 48, B8, A8, 1A, DF, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 0000000076d61550 16 bytes [50, 48, B8, 00, 1A, DF, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d61570 48 bytes [50, 48, B8, 7C, 19, DF, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6364] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076d615b0 16 bytes [50, 48, B8, CC, 1A, DF, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 0000000076d61600 19 bytes [50, 48, B8, 24, 1A, DF, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 4 0000000076d61614 12 bytes [19, DF, 3F, 01, 00, 00, 00, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076d61640 16 bytes [50, 48, B8, 0C, 19, DF, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6364] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000076ec0018 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6364] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 0000000076d616e0 16 bytes [50, 48, B8, 54, 1A, DF, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 0000000076ec03d0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 0000000076ec01b0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6364] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076d61830 5 bytes JMP 0000000076ec0128 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076d61860 16 bytes [50, 48, B8, D0, 17, DF, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000076ec0238 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 0000000076ec02c0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076d61de0 5 bytes JMP 0000000076ec0348 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 0000000076ec0458 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 0000000076d622d0 16 bytes [50, 48, B8, A0, 19, DF, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 0000000076ec04e0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d62320 16 bytes [50, 48, B8, DC, 19, DF, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6364] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 0000000076d62470 16 bytes [50, 48, B8, 68, 1A, DF, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6720] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076d613e0 16 bytes [50, 48, B8, A8, 1A, DF, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 0000000076d61550 16 bytes [50, 48, B8, 00, 1A, DF, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d61570 48 bytes [50, 48, B8, 7C, 19, DF, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6720] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076d615b0 16 bytes [50, 48, B8, CC, 1A, DF, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 0000000076d61600 19 bytes [50, 48, B8, 24, 1A, DF, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 4 0000000076d61614 12 bytes [19, DF, 3F, 01, 00, 00, 00, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076d61640 16 bytes [50, 48, B8, 0C, 19, DF, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6720] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000076ec0018 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6720] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 0000000076d616e0 16 bytes [50, 48, B8, 54, 1A, DF, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 0000000076ec03d0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 0000000076ec01b0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6720] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076d61830 5 bytes JMP 0000000076ec0128 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076d61860 16 bytes [50, 48, B8, D0, 17, DF, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000076ec0238 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 0000000076ec02c0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076d61de0 5 bytes JMP 0000000076ec0348 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 0000000076ec0458 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 0000000076d622d0 16 bytes [50, 48, B8, A0, 19, DF, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 0000000076ec04e0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d62320 16 bytes [50, 48, B8, DC, 19, DF, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6720] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 0000000076d62470 16 bytes [50, 48, B8, 68, 1A, DF, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5880] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076d613e0 16 bytes [50, 48, B8, A8, 1A, DF, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 0000000076d61550 16 bytes [50, 48, B8, 00, 1A, DF, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d61570 48 bytes [50, 48, B8, 7C, 19, DF, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5880] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076d615b0 16 bytes [50, 48, B8, CC, 1A, DF, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 0000000076d61600 19 bytes [50, 48, B8, 24, 1A, DF, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 4 0000000076d61614 12 bytes [19, DF, 3F, 01, 00, 00, 00, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076d61640 16 bytes [50, 48, B8, 0C, 19, DF, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5880] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000076ec0018 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5880] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 0000000076d616e0 16 bytes [50, 48, B8, 54, 1A, DF, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 0000000076ec03d0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 0000000076ec01b0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5880] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076d61830 5 bytes JMP 0000000076ec0128 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076d61860 16 bytes [50, 48, B8, D0, 17, DF, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000076ec0238 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 0000000076ec02c0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076d61de0 5 bytes JMP 0000000076ec0348 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 0000000076ec0458 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 0000000076d622d0 16 bytes [50, 48, B8, A0, 19, DF, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 0000000076ec04e0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d62320 16 bytes [50, 48, B8, DC, 19, DF, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5880] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 0000000076d62470 16 bytes [50, 48, B8, 68, 1A, DF, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076d613e0 16 bytes [50, 48, B8, A8, 1A, DF, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 0000000076d61550 16 bytes [50, 48, B8, 00, 1A, DF, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d61570 48 bytes [50, 48, B8, 7C, 19, DF, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076d615b0 16 bytes [50, 48, B8, CC, 1A, DF, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 0000000076d61600 19 bytes [50, 48, B8, 24, 1A, DF, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 4 0000000076d61614 12 bytes [19, DF, 3F, 01, 00, 00, 00, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076d61640 16 bytes [50, 48, B8, 0C, 19, DF, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000076ec0018 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 0000000076d616e0 16 bytes [50, 48, B8, 54, 1A, DF, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 0000000076ec03d0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 0000000076ec01b0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076d61830 5 bytes JMP 0000000076ec0128 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076d61860 16 bytes [50, 48, B8, D0, 17, DF, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000076ec0238 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 0000000076ec02c0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076d61de0 5 bytes JMP 0000000076ec0348 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 0000000076ec0458 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 0000000076d622d0 16 bytes [50, 48, B8, A0, 19, DF, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 0000000076ec04e0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d62320 16 bytes [50, 48, B8, DC, 19, DF, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4424] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 0000000076d62470 16 bytes [50, 48, B8, 68, 1A, DF, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076d613e0 16 bytes [50, 48, B8, A8, 1A, DF, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 0000000076d61550 16 bytes [50, 48, B8, 00, 1A, DF, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d61570 48 bytes [50, 48, B8, 7C, 19, DF, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000076d615b0 16 bytes [50, 48, B8, CC, 1A, DF, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 0000000076d61600 19 bytes [50, 48, B8, 24, 1A, DF, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 4 0000000076d61614 12 bytes [19, DF, 3F, 01, 00, 00, 00, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076d61640 16 bytes [50, 48, B8, 0C, 19, DF, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000076ec0018 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 0000000076d616e0 16 bytes [50, 48, B8, 54, 1A, DF, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 0000000076ec03d0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 0000000076ec01b0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076d61830 5 bytes JMP 0000000076ec0128 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076d61860 16 bytes [50, 48, B8, D0, 17, DF, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000076ec0238 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 0000000076ec02c0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076d61de0 5 bytes JMP 0000000076ec0348 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 0000000076ec0458 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 0000000076d622d0 16 bytes [50, 48, B8, A0, 19, DF, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 0000000076ec04e0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d62320 16 bytes [50, 48, B8, DC, 19, DF, 3F, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4640] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 0000000076d62470 16 bytes [50, 48, B8, 68, 1A, DF, 3F, ...] .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076d61590 5 bytes JMP 0000000076ec00a0 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000076ec0018 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 0000000076ec03d0 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 0000000076ec01b0 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076d61830 5 bytes JMP 0000000076ec0128 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000076ec0238 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 0000000076ec02c0 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076d61de0 5 bytes JMP 0000000076ec0348 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 0000000076ec0458 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 0000000076ec04e0 ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3004] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamDWord] [7fef67b741c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3004] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSet] [7fef67b5f10] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3004] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmEndSession] [7fef67b5674] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3004] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartSession] [7fef67b5e2c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3004] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartUpload] [7fef67b7f48] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3004] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppVersion] [7fef67b6a38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3004] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetMachineId] [7fef67b6ee8] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3004] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmWriteSharedMachineId] [7fef67b7b58] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3004] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmCreateNewId] [7fef67b7ea0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3004] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmReadSharedMachineId] [7fef67b78b0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3004] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmGetSession] [7fef67b4fb4] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3004] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppId] [7fef67b5d38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3004] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamString] [7fef67b7584] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6364] @ C:\Windows\system32\dwrite.dll[ADVAPI32.dll!CloseServiceHandle] [7fee898ab2c] C:\Program Files (x86)\Google\Chrome\Application\48.0.2564.109\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6364] @ C:\Windows\system32\dwrite.dll[ADVAPI32.dll!OpenSCManagerW] [7fee898b4a8] C:\Program Files (x86)\Google\Chrome\Application\48.0.2564.109\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6364] @ C:\Windows\system32\dwrite.dll[ADVAPI32.dll!StartServiceW] [7fee898b8f8] C:\Program Files (x86)\Google\Chrome\Application\48.0.2564.109\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6364] @ C:\Windows\system32\dwrite.dll[ADVAPI32.dll!OpenServiceW] [7fee898b4c0] C:\Program Files (x86)\Google\Chrome\Application\48.0.2564.109\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6364] @ C:\Windows\system32\dwrite.dll[ntdll.dll!NtAlpcConnectPort] [7fee898b4a0] C:\Program Files (x86)\Google\Chrome\Application\48.0.2564.109\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6720] @ C:\Program Files (x86)\Google\Chrome\Application\48.0.2564.109\PepperFlash\pepflashplayer.dll[KERNEL32.dll!CreateNamedPipeW] [b6bf0030] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5880] @ C:\Windows\system32\dwrite.dll[ADVAPI32.dll!CloseServiceHandle] [7fee898ab2c] C:\Program Files (x86)\Google\Chrome\Application\48.0.2564.109\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5880] @ C:\Windows\system32\dwrite.dll[ADVAPI32.dll!OpenSCManagerW] [7fee898b4a8] C:\Program Files (x86)\Google\Chrome\Application\48.0.2564.109\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5880] @ C:\Windows\system32\dwrite.dll[ADVAPI32.dll!StartServiceW] [7fee898b8f8] C:\Program Files (x86)\Google\Chrome\Application\48.0.2564.109\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5880] @ C:\Windows\system32\dwrite.dll[ADVAPI32.dll!OpenServiceW] [7fee898b4c0] C:\Program Files (x86)\Google\Chrome\Application\48.0.2564.109\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5880] @ C:\Windows\system32\dwrite.dll[ntdll.dll!NtAlpcConnectPort] [7fee898b4a0] C:\Program Files (x86)\Google\Chrome\Application\48.0.2564.109\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4424] @ C:\Windows\system32\dwrite.dll[ADVAPI32.dll!CloseServiceHandle] [7fee898ab2c] C:\Program Files (x86)\Google\Chrome\Application\48.0.2564.109\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4424] @ C:\Windows\system32\dwrite.dll[ADVAPI32.dll!OpenSCManagerW] [7fee898b4a8] C:\Program Files (x86)\Google\Chrome\Application\48.0.2564.109\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4424] @ C:\Windows\system32\dwrite.dll[ADVAPI32.dll!StartServiceW] [7fee898b8f8] C:\Program Files (x86)\Google\Chrome\Application\48.0.2564.109\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4424] @ C:\Windows\system32\dwrite.dll[ADVAPI32.dll!OpenServiceW] [7fee898b4c0] C:\Program Files (x86)\Google\Chrome\Application\48.0.2564.109\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4424] @ C:\Windows\system32\dwrite.dll[ntdll.dll!NtAlpcConnectPort] [7fee898b4a0] C:\Program Files (x86)\Google\Chrome\Application\48.0.2564.109\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4640] @ C:\Windows\system32\dwrite.dll[ADVAPI32.dll!CloseServiceHandle] [7fee898ab2c] C:\Program Files (x86)\Google\Chrome\Application\48.0.2564.109\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4640] @ C:\Windows\system32\dwrite.dll[ADVAPI32.dll!OpenSCManagerW] [7fee898b4a8] C:\Program Files (x86)\Google\Chrome\Application\48.0.2564.109\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4640] @ C:\Windows\system32\dwrite.dll[ADVAPI32.dll!StartServiceW] [7fee898b8f8] C:\Program Files (x86)\Google\Chrome\Application\48.0.2564.109\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4640] @ C:\Windows\system32\dwrite.dll[ADVAPI32.dll!OpenServiceW] [7fee898b4c0] C:\Program Files (x86)\Google\Chrome\Application\48.0.2564.109\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4640] @ C:\Windows\system32\dwrite.dll[ntdll.dll!NtAlpcConnectPort] [7fee898b4a0] C:\Program Files (x86)\Google\Chrome\Application\48.0.2564.109\chrome_child.dll ---- EOF - GMER 2.1 ----