GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-10-07 09:18:48 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1 WDC_WD10EZEX-00BN5A0 rev.01.01A01 931,51GB Running: zejovh1y.exe; Driver: C:\Users\nGiB\AppData\Local\Temp\kxldqpog.sys ---- User code sections - GMER 2.2 ---- .text C:\Windows\system32\Dwm.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076d35b30 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\Dwm.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000076d614a0 5 bytes JMP 0000000000020678 .text C:\Windows\system32\Dwm.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076d61590 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\Dwm.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000000020018 .text C:\Windows\system32\Dwm.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\Dwm.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\Dwm.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076d61830 5 bytes JMP 0000000000020128 .text C:\Windows\system32\Dwm.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000000020238 .text C:\Windows\system32\Dwm.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 00000000000202c0 .text C:\Windows\system32\Dwm.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076d61de0 5 bytes JMP 0000000000020348 .text C:\Windows\system32\Dwm.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 0000000000020458 .text C:\Windows\system32\Dwm.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\Dwm.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000076db75b0 5 bytes JMP 0000000000020568 .text C:\Windows\Explorer.EXE[2868] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076d35b30 5 bytes JMP 00000000000205f0 .text C:\Windows\Explorer.EXE[2868] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000076d614a0 5 bytes JMP 0000000000020678 .text C:\Windows\Explorer.EXE[2868] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076d61590 5 bytes JMP 00000000000200a0 .text C:\Windows\Explorer.EXE[2868] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000000020018 .text C:\Windows\Explorer.EXE[2868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 00000000000203d0 .text C:\Windows\Explorer.EXE[2868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 00000000000201b0 .text C:\Windows\Explorer.EXE[2868] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076d61830 5 bytes JMP 0000000000020128 .text C:\Windows\Explorer.EXE[2868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000000020238 .text C:\Windows\Explorer.EXE[2868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 00000000000202c0 .text C:\Windows\Explorer.EXE[2868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076d61de0 5 bytes JMP 0000000000020348 .text C:\Windows\Explorer.EXE[2868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 0000000000020458 .text C:\Windows\Explorer.EXE[2868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 00000000000204e0 .text C:\Windows\Explorer.EXE[2868] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000076db75b0 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076d35b30 5 bytes JMP 00000000000205f0 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000076d614a0 5 bytes JMP 0000000000020678 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076d61590 5 bytes JMP 00000000000200a0 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000000020018 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 00000000000203d0 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 00000000000201b0 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076d61830 5 bytes JMP 0000000000020128 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000000020238 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 00000000000202c0 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076d61de0 5 bytes JMP 0000000000020348 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 0000000000020458 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 00000000000204e0 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000076db75b0 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[2912] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076d35b30 5 bytes JMP 00000000000205f0 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[2912] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000076d614a0 5 bytes JMP 0000000000020678 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[2912] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076d61590 5 bytes JMP 00000000000200a0 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[2912] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000000020018 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[2912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 00000000000203d0 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[2912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 00000000000201b0 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[2912] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076d61830 5 bytes JMP 0000000000020128 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[2912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000000020238 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[2912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 00000000000202c0 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[2912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076d61de0 5 bytes JMP 0000000000020348 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[2912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 0000000000020458 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[2912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 00000000000204e0 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[2912] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000076db75b0 5 bytes JMP 0000000000020568 .text C:\Windows\system32\taskhost.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076d35b30 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\taskhost.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000076d614a0 5 bytes JMP 0000000000020678 .text C:\Windows\system32\taskhost.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076d61590 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\taskhost.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000000020018 .text C:\Windows\system32\taskhost.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\taskhost.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\taskhost.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076d61830 5 bytes JMP 0000000000020128 .text C:\Windows\system32\taskhost.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000000020238 .text C:\Windows\system32\taskhost.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 00000000000202c0 .text C:\Windows\system32\taskhost.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076d61de0 5 bytes JMP 0000000000020348 .text C:\Windows\system32\taskhost.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 0000000000020458 .text C:\Windows\system32\taskhost.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\taskhost.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000076db75b0 5 bytes JMP 0000000000020568 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076d35b30 5 bytes JMP 00000000000205f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000076d614a0 5 bytes JMP 0000000000020678 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076d61590 5 bytes JMP 00000000000200a0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000000020018 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 00000000000203d0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 00000000000201b0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076d61830 5 bytes JMP 0000000000020128 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000000020238 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 00000000000202c0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076d61de0 5 bytes JMP 0000000000020348 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 0000000000020458 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 00000000000204e0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000076db75b0 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\AVG\Av\avgui.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076d35b30 5 bytes JMP 00000000000205f0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000076d614a0 5 bytes JMP 0000000000020678 .text C:\Program Files (x86)\AVG\Av\avgui.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076d61590 5 bytes JMP 00000000000200a0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000000020018 .text C:\Program Files (x86)\AVG\Av\avgui.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 00000000000203d0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 00000000000201b0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076d61830 5 bytes JMP 0000000000020128 .text C:\Program Files (x86)\AVG\Av\avgui.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000000020238 .text C:\Program Files (x86)\AVG\Av\avgui.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 00000000000202c0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076d61de0 5 bytes JMP 0000000000020348 .text C:\Program Files (x86)\AVG\Av\avgui.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 0000000000020458 .text C:\Program Files (x86)\AVG\Av\avgui.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 00000000000204e0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000076db75b0 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2944] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 0000000076f0fac8 5 bytes JMP 00000000729130e0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2944] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076f0fc40 5 bytes JMP 0000000072912360 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2944] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076f0fe04 5 bytes JMP 00000000729121f0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2944] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000076f0fe98 5 bytes JMP 00000000729127a0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2944] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076f0ff64 5 bytes JMP 0000000072912650 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2944] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000076f10058 5 bytes JMP 0000000072912520 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2944] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076f1078c 5 bytes JMP 00000000729128e0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2944] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000076f10864 5 bytes JMP 0000000072912b70 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2944] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000076f1090c 5 bytes JMP 0000000072912e00 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2944] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000076f11068 5 bytes JMP 0000000072912a30 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2944] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000076f110e0 5 bytes JMP 0000000072912cc0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2944] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 0000000076f296ef 5 bytes JMP 0000000072912f80 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2944] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 0000000076fafded 5 bytes JMP 0000000072912e90 .text C:\Windows\SysWOW64\PnkBstrA.exe[3508] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 0000000076f0fac8 5 bytes JMP 00000000729130e0 .text C:\Windows\SysWOW64\PnkBstrA.exe[3508] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076f0fc40 5 bytes JMP 0000000072912360 .text C:\Windows\SysWOW64\PnkBstrA.exe[3508] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076f0fe04 5 bytes JMP 00000000729121f0 .text C:\Windows\SysWOW64\PnkBstrA.exe[3508] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000076f0fe98 5 bytes JMP 00000000729127a0 .text C:\Windows\SysWOW64\PnkBstrA.exe[3508] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076f0ff64 5 bytes JMP 0000000072912650 .text C:\Windows\SysWOW64\PnkBstrA.exe[3508] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000076f10058 5 bytes JMP 0000000072912520 .text C:\Windows\SysWOW64\PnkBstrA.exe[3508] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076f1078c 5 bytes JMP 00000000729128e0 .text C:\Windows\SysWOW64\PnkBstrA.exe[3508] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000076f10864 5 bytes JMP 0000000072912b70 .text C:\Windows\SysWOW64\PnkBstrA.exe[3508] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000076f1090c 5 bytes JMP 0000000072912e00 .text C:\Windows\SysWOW64\PnkBstrA.exe[3508] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000076f11068 5 bytes JMP 0000000072912a30 .text C:\Windows\SysWOW64\PnkBstrA.exe[3508] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000076f110e0 5 bytes JMP 0000000072912cc0 .text C:\Windows\SysWOW64\PnkBstrA.exe[3508] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 0000000076f296ef 5 bytes JMP 0000000072912f80 .text C:\Windows\SysWOW64\PnkBstrA.exe[3508] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 0000000076fafded 5 bytes JMP 0000000072912e90 .text C:\Windows\SysWOW64\PnkBstrA.exe[3508] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 0000000073b91a22 2 bytes [B9, 73] .text C:\Windows\SysWOW64\PnkBstrA.exe[3508] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 0000000073b91ad0 2 bytes [B9, 73] .text C:\Windows\SysWOW64\PnkBstrA.exe[3508] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 0000000073b91b08 2 bytes [B9, 73] .text C:\Windows\SysWOW64\PnkBstrA.exe[3508] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 0000000073b91bba 2 bytes [B9, 73] .text C:\Windows\SysWOW64\PnkBstrA.exe[3508] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 0000000073b91bda 2 bytes [B9, 73] .text C:\Windows\SysWOW64\PnkBstrA.exe[3508] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074f21465 2 bytes [F2, 74] .text C:\Windows\SysWOW64\PnkBstrA.exe[3508] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074f214bb 2 bytes [F2, 74] .text ... * 2 .text C:\Windows\system32\WUDFHost.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076d35b30 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\WUDFHost.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000076d614a0 5 bytes JMP 0000000000020678 .text C:\Windows\system32\WUDFHost.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076d61590 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\WUDFHost.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000000020018 .text C:\Windows\system32\WUDFHost.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\WUDFHost.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\WUDFHost.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076d61830 5 bytes JMP 0000000000020128 .text C:\Windows\system32\WUDFHost.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000000020238 .text C:\Windows\system32\WUDFHost.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 00000000000202c0 .text C:\Windows\system32\WUDFHost.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076d61de0 5 bytes JMP 0000000000020348 .text C:\Windows\system32\WUDFHost.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 0000000000020458 .text C:\Windows\system32\WUDFHost.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\WUDFHost.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000076db75b0 5 bytes JMP 0000000000020568 .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076d35b30 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000076d614a0 5 bytes JMP 0000000000020678 .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076d61590 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000000020018 .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076d61830 5 bytes JMP 0000000000020128 .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000000020238 .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 00000000000202c0 .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076d61de0 5 bytes JMP 0000000000020348 .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 0000000000020458 .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\svchost.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000076db75b0 5 bytes JMP 0000000000020568 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076d35b30 5 bytes JMP 00000000000205f0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000076d614a0 5 bytes JMP 0000000000020678 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076d61590 5 bytes JMP 00000000000200a0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000000020018 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 00000000000203d0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 00000000000201b0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076d61830 5 bytes JMP 0000000000020128 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000000020238 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 00000000000202c0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076d61de0 5 bytes JMP 0000000000020348 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 0000000000020458 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 00000000000204e0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000076db75b0 5 bytes JMP 0000000000020568 .text C:\Windows\system32\svchost.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076d35b30 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\svchost.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000076d614a0 5 bytes JMP 0000000000020678 .text C:\Windows\system32\svchost.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076d61590 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\svchost.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000000020018 .text C:\Windows\system32\svchost.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\svchost.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\svchost.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076d61830 5 bytes JMP 0000000000020128 .text C:\Windows\system32\svchost.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000000020238 .text C:\Windows\system32\svchost.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 00000000000202c0 .text C:\Windows\system32\svchost.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076d61de0 5 bytes JMP 0000000000020348 .text C:\Windows\system32\svchost.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 0000000000020458 .text C:\Windows\system32\svchost.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\svchost.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000076db75b0 5 bytes JMP 0000000000020568 .text C:\Windows\system32\ctfmon.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076d35b30 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\ctfmon.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000076d614a0 5 bytes JMP 0000000000020678 .text C:\Windows\system32\ctfmon.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076d61590 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\ctfmon.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000000020018 .text C:\Windows\system32\ctfmon.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\ctfmon.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\ctfmon.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076d61830 5 bytes JMP 0000000000020128 .text C:\Windows\system32\ctfmon.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000000020238 .text C:\Windows\system32\ctfmon.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 00000000000202c0 .text C:\Windows\system32\ctfmon.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076d61de0 5 bytes JMP 0000000000020348 .text C:\Windows\system32\ctfmon.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 0000000000020458 .text C:\Windows\system32\ctfmon.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\ctfmon.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000076db75b0 5 bytes JMP 0000000000020568 .text C:\Windows\system32\SearchIndexer.exe[4324] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076d35b30 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\SearchIndexer.exe[4324] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000076d614a0 5 bytes JMP 0000000000020678 .text C:\Windows\system32\SearchIndexer.exe[4324] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076d61590 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\SearchIndexer.exe[4324] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000000020018 .text C:\Windows\system32\SearchIndexer.exe[4324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\SearchIndexer.exe[4324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\SearchIndexer.exe[4324] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076d61830 5 bytes JMP 0000000000020128 .text C:\Windows\system32\SearchIndexer.exe[4324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000000020238 .text C:\Windows\system32\SearchIndexer.exe[4324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 00000000000202c0 .text C:\Windows\system32\SearchIndexer.exe[4324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076d61de0 5 bytes JMP 0000000000020348 .text C:\Windows\system32\SearchIndexer.exe[4324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 0000000000020458 .text C:\Windows\system32\SearchIndexer.exe[4324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\SearchIndexer.exe[4324] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000076db75b0 5 bytes JMP 0000000000020568 .text C:\Windows\system32\sppsvc.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076d35b30 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\sppsvc.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000076d614a0 5 bytes JMP 0000000000020678 .text C:\Windows\system32\sppsvc.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076d61590 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\sppsvc.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000000020018 .text C:\Windows\system32\sppsvc.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\sppsvc.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\sppsvc.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076d61830 5 bytes JMP 0000000000020128 .text C:\Windows\system32\sppsvc.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000000020238 .text C:\Windows\system32\sppsvc.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 00000000000202c0 .text C:\Windows\system32\sppsvc.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076d61de0 5 bytes JMP 0000000000020348 .text C:\Windows\system32\sppsvc.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 0000000000020458 .text C:\Windows\system32\sppsvc.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\sppsvc.exe[3804] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000076db75b0 5 bytes JMP 0000000000020568 .text C:\Windows\System32\svchost.exe[1500] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076d35b30 5 bytes JMP 00000000000205f0 .text C:\Windows\System32\svchost.exe[1500] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000076d614a0 5 bytes JMP 0000000000020678 .text C:\Windows\System32\svchost.exe[1500] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076d61590 5 bytes JMP 00000000000200a0 .text C:\Windows\System32\svchost.exe[1500] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000000020018 .text C:\Windows\System32\svchost.exe[1500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 00000000000203d0 .text C:\Windows\System32\svchost.exe[1500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 00000000000201b0 .text C:\Windows\System32\svchost.exe[1500] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076d61830 5 bytes JMP 0000000000020128 .text C:\Windows\System32\svchost.exe[1500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000000020238 .text C:\Windows\System32\svchost.exe[1500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 00000000000202c0 .text C:\Windows\System32\svchost.exe[1500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076d61de0 5 bytes JMP 0000000000020348 .text C:\Windows\System32\svchost.exe[1500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 0000000000020458 .text C:\Windows\System32\svchost.exe[1500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 00000000000204e0 .text C:\Windows\System32\svchost.exe[1500] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000076db75b0 5 bytes JMP 0000000000020568 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\nvwirelesscontroller.exe[4680] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076d35b30 5 bytes JMP 00000000000205f0 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\nvwirelesscontroller.exe[4680] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000076d614a0 5 bytes JMP 0000000000020678 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\nvwirelesscontroller.exe[4680] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076d61590 5 bytes JMP 00000000000200a0 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\nvwirelesscontroller.exe[4680] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000000020018 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\nvwirelesscontroller.exe[4680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 00000000000203d0 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\nvwirelesscontroller.exe[4680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 00000000000201b0 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\nvwirelesscontroller.exe[4680] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076d61830 5 bytes JMP 0000000000020128 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\nvwirelesscontroller.exe[4680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000000020238 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\nvwirelesscontroller.exe[4680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 00000000000202c0 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\nvwirelesscontroller.exe[4680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076d61de0 5 bytes JMP 0000000000020348 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\nvwirelesscontroller.exe[4680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 0000000000020458 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\nvwirelesscontroller.exe[4680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 00000000000204e0 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\nvwirelesscontroller.exe[4680] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000076db75b0 5 bytes JMP 0000000000020568 .text C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076d35b30 5 bytes JMP 00000000000205f0 .text C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000076d614a0 5 bytes JMP 0000000000020678 .text C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076d61590 5 bytes JMP 00000000000200a0 .text C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000000020018 .text C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 00000000000203d0 .text C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 00000000000201b0 .text C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076d61830 5 bytes JMP 0000000000020128 .text C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000000020238 .text C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 00000000000202c0 .text C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076d61de0 5 bytes JMP 0000000000020348 .text C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 0000000000020458 .text C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 00000000000204e0 .text C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000076db75b0 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[1300] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 0000000076f0fac8 5 bytes JMP 00000000729130e0 .text C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[1300] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076f0fc40 5 bytes JMP 0000000072912360 .text C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[1300] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076f0fe04 5 bytes JMP 00000000729121f0 .text C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[1300] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000076f0fe98 5 bytes JMP 00000000729127a0 .text C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[1300] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076f0ff64 5 bytes JMP 0000000072912650 .text C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[1300] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000076f10058 5 bytes JMP 0000000072912520 .text C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[1300] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076f1078c 5 bytes JMP 00000000729128e0 .text C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[1300] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000076f10864 5 bytes JMP 0000000072912b70 .text C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[1300] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000076f1090c 5 bytes JMP 0000000072912e00 .text C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[1300] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000076f11068 5 bytes JMP 0000000072912a30 .text C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[1300] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000076f110e0 5 bytes JMP 0000000072912cc0 .text C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[1300] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 0000000076f296ef 5 bytes JMP 0000000072912f80 .text C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[1300] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 0000000076fafded 5 bytes JMP 0000000072912e90 .text C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[1300] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074f21465 2 bytes [F2, 74] .text C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[1300] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074f214bb 2 bytes [F2, 74] .text ... * 2 ? C:\Windows\system32\mssprxy.dll [1300] entry point in ".rdata" section 00000000748071e6 .text C:\Windows\system32\conhost.exe[3572] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076d35b30 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\conhost.exe[3572] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000076d614a0 5 bytes JMP 0000000000020678 .text C:\Windows\system32\conhost.exe[3572] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076d61590 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\conhost.exe[3572] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000000020018 .text C:\Windows\system32\conhost.exe[3572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\conhost.exe[3572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\conhost.exe[3572] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076d61830 5 bytes JMP 0000000000020128 .text C:\Windows\system32\conhost.exe[3572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000000020238 .text C:\Windows\system32\conhost.exe[3572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 00000000000202c0 .text C:\Windows\system32\conhost.exe[3572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076d61de0 5 bytes JMP 0000000000020348 .text C:\Windows\system32\conhost.exe[3572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 0000000000020458 .text C:\Windows\system32\conhost.exe[3572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\conhost.exe[3572] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000076db75b0 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[980] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 0000000076f0fac8 5 bytes JMP 00000000729130e0 .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[980] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076f0fc40 5 bytes JMP 0000000072912360 .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[980] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076f0fe04 5 bytes JMP 00000000729121f0 .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[980] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000076f0fe98 5 bytes JMP 00000000729127a0 .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[980] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076f0ff64 5 bytes JMP 0000000072912650 .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[980] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000076f10058 5 bytes JMP 0000000072912520 .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[980] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076f1078c 5 bytes JMP 00000000729128e0 .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[980] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000076f10864 5 bytes JMP 0000000072912b70 .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[980] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000076f1090c 5 bytes JMP 0000000072912e00 .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[980] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000076f11068 5 bytes JMP 0000000072912a30 .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[980] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000076f110e0 5 bytes JMP 0000000072912cc0 .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[980] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 0000000076f296ef 5 bytes JMP 0000000072912f80 .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[980] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 0000000076fafded 5 bytes JMP 0000000072912e90 .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[980] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076801bb2 5 bytes JMP 000000006a378fe6 .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[980] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076801d92 5 bytes JMP 000000006a379050 .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[980] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074f21465 2 bytes [F2, 74] .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[980] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074f214bb 2 bytes [F2, 74] .text ... * 2 .text C:\Windows\system32\nvvsvc.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076d35b30 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\nvvsvc.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000076d614a0 5 bytes JMP 0000000000020678 .text C:\Windows\system32\nvvsvc.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076d61590 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\nvvsvc.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000000020018 .text C:\Windows\system32\nvvsvc.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\nvvsvc.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\nvvsvc.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076d61830 5 bytes JMP 0000000000020128 .text C:\Windows\system32\nvvsvc.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000000020238 .text C:\Windows\system32\nvvsvc.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 00000000000202c0 .text C:\Windows\system32\nvvsvc.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076d61de0 5 bytes JMP 0000000000020348 .text C:\Windows\system32\nvvsvc.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 0000000000020458 .text C:\Windows\system32\nvvsvc.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\nvvsvc.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000076db75b0 5 bytes JMP 0000000000020568 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076d35b30 5 bytes JMP 00000000000205f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000076d614a0 5 bytes JMP 0000000000020678 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076d61590 5 bytes JMP 00000000000200a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000000020018 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 00000000000203d0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 00000000000201b0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076d61830 5 bytes JMP 0000000000020128 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000000020238 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 00000000000202c0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076d61de0 5 bytes JMP 0000000000020348 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 0000000000020458 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 00000000000204e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000076db75b0 5 bytes JMP 0000000000020568 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076d35b30 5 bytes JMP 00000000000205f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000076d614a0 5 bytes JMP 0000000000020678 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076d61590 5 bytes JMP 00000000000200a0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000000020018 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 00000000000203d0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 00000000000201b0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076d61830 5 bytes JMP 0000000000020128 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000000020238 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 00000000000202c0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076d61de0 5 bytes JMP 0000000000020348 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 0000000000020458 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 00000000000204e0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000076db75b0 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 0000000076f0fac8 5 bytes JMP 00000000729130e0 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076f0fc40 5 bytes JMP 0000000072912360 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076f0fe04 5 bytes JMP 00000000729121f0 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000076f0fe98 5 bytes JMP 00000000729127a0 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076f0ff64 5 bytes JMP 0000000072912650 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000076f10058 5 bytes JMP 0000000072912520 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076f1078c 5 bytes JMP 00000000729128e0 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000076f10864 5 bytes JMP 0000000072912b70 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000076f1090c 5 bytes JMP 0000000072912e00 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000076f11068 5 bytes JMP 0000000072912a30 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000076f110e0 5 bytes JMP 0000000072912cc0 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[5012] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 0000000076f296ef 5 bytes JMP 0000000072912f80 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe[5012] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 0000000076fafded 5 bytes JMP 0000000072912e90 .text D:\Origin\OriginWebHelperService.exe[4984] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 0000000076f0fac8 5 bytes JMP 00000000729130e0 .text D:\Origin\OriginWebHelperService.exe[4984] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076f0fc40 5 bytes JMP 0000000072912360 .text D:\Origin\OriginWebHelperService.exe[4984] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076f0fe04 5 bytes JMP 00000000729121f0 .text D:\Origin\OriginWebHelperService.exe[4984] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000076f0fe98 5 bytes JMP 00000000729127a0 .text D:\Origin\OriginWebHelperService.exe[4984] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076f0ff64 5 bytes JMP 0000000072912650 .text D:\Origin\OriginWebHelperService.exe[4984] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000076f10058 5 bytes JMP 0000000072912520 .text D:\Origin\OriginWebHelperService.exe[4984] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076f1078c 5 bytes JMP 00000000729128e0 .text D:\Origin\OriginWebHelperService.exe[4984] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000076f10864 5 bytes JMP 0000000072912b70 .text D:\Origin\OriginWebHelperService.exe[4984] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000076f1090c 5 bytes JMP 0000000072912e00 .text D:\Origin\OriginWebHelperService.exe[4984] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000076f11068 5 bytes JMP 0000000072912a30 .text D:\Origin\OriginWebHelperService.exe[4984] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000076f110e0 5 bytes JMP 0000000072912cc0 .text D:\Origin\OriginWebHelperService.exe[4984] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 0000000076f296ef 5 bytes JMP 0000000072912f80 .text D:\Origin\OriginWebHelperService.exe[4984] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 0000000076fafded 5 bytes JMP 0000000072912e90 .text C:\Windows\system32\AUDIODG.EXE[4684] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076d35b30 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\AUDIODG.EXE[4684] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000076d614a0 5 bytes JMP 0000000000020678 .text C:\Windows\system32\AUDIODG.EXE[4684] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076d61590 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\AUDIODG.EXE[4684] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000000020018 .text C:\Windows\system32\AUDIODG.EXE[4684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\AUDIODG.EXE[4684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\AUDIODG.EXE[4684] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076d61830 5 bytes JMP 0000000000020128 .text C:\Windows\system32\AUDIODG.EXE[4684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000000020238 .text C:\Windows\system32\AUDIODG.EXE[4684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 00000000000202c0 .text C:\Windows\system32\AUDIODG.EXE[4684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076d61de0 5 bytes JMP 0000000000020348 .text C:\Windows\system32\AUDIODG.EXE[4684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 0000000000020458 .text C:\Windows\system32\AUDIODG.EXE[4684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\AUDIODG.EXE[4684] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000076db75b0 5 bytes JMP 0000000000020568 .text D:\zejovh1y.exe[4040] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 0000000076f0fac8 5 bytes JMP 00000000729130e0 .text D:\zejovh1y.exe[4040] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076f0fc40 5 bytes JMP 0000000072912360 .text D:\zejovh1y.exe[4040] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076f0fe04 5 bytes JMP 00000000729121f0 .text D:\zejovh1y.exe[4040] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000076f0fe98 5 bytes JMP 00000000729127a0 .text D:\zejovh1y.exe[4040] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076f0ff64 5 bytes JMP 0000000072912650 .text D:\zejovh1y.exe[4040] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000076f10058 5 bytes JMP 0000000072912520 .text D:\zejovh1y.exe[4040] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076f1078c 5 bytes JMP 00000000729128e0 .text D:\zejovh1y.exe[4040] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000076f10864 5 bytes JMP 0000000072912b70 .text D:\zejovh1y.exe[4040] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000076f1090c 5 bytes JMP 0000000072912e00 .text D:\zejovh1y.exe[4040] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000076f11068 5 bytes JMP 0000000072912a30 .text D:\zejovh1y.exe[4040] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000076f110e0 5 bytes JMP 0000000072912cc0 .text D:\zejovh1y.exe[4040] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 0000000076f296ef 5 bytes JMP 0000000072912f80 .text D:\zejovh1y.exe[4040] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 0000000076fafded 5 bytes JMP 0000000072912e90 ---- Files - GMER 2.2 ---- File C:\Users\nGiB\AppData\Local\Temp\mozilla-temp-files 0 bytes File C:\Users\nGiB\AppData\Local\Temp\tmp58A0.tmp 0 bytes File C:\Users\nGiB\AppData\Roaming\Mozilla\Firefox\Profiles\g053k8wq.default\sessionstore-backups\recovery.js (size mismatch) 16608/17371 bytes executable File C:\Windows\Prefetch\SLUI.EXE-724E99D9.pf (size mismatch) 20520/20532 bytes executable File C:\Windows\Prefetch\DLLHOST.EXE-5E46FA0D.pf (size mismatch) 34362/34628 bytes executable ---- EOF - GMER 2.2 ----