GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-04-25 10:20:50 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST1000LM rev.2AR1 931,51GB Running: cuif39hx.exe; Driver: C:\Users\Karol\AppData\Local\Temp\pxldqpoc.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1532] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 0000000077aaefe0 5 bytes JMP 000000016fff0148 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1532] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000077ad99b0 7 bytes JMP 000000016fff00d8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1532] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 0000000077ae94d0 5 bytes JMP 000000016fff0180 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1532] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 0000000077ae9640 5 bytes JMP 000000016fff0110 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1532] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000077b0a500 7 bytes JMP 000000016fff01b8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1532] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefdbf3460 7 bytes JMP 000007fffdbe00d8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1532] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefdbf90b0 5 bytes JMP 000007fffdbe0180 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1532] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefdbf9250 5 bytes JMP 000007fffdbe0110 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1532] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefdbfb7b0 6 bytes JMP 000007fffdbe0148 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1532] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefee989e0 8 bytes JMP 000007fffdbe01f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1532] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefee9be40 8 bytes JMP 000007fffdbe01b8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1532] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe647490 11 bytes JMP 000007fffdbe0228 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1532] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefe65bf00 7 bytes JMP 000007fffdbe0260 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077d8fc90 5 bytes JMP 00000001001a091c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077d8fdf4 5 bytes JMP 00000001001a0048 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077d8fe88 5 bytes JMP 00000001001a02ee .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077d8ffe4 5 bytes JMP 00000001001a04b2 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d90018 5 bytes JMP 00000001001a09fe .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077d90048 5 bytes JMP 00000001001a0ae0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077d90064 5 bytes JMP 000000010002004c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077d9077c 5 bytes JMP 00000001001a012a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077d9086c 5 bytes JMP 00000001001a0758 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077d90884 5 bytes JMP 00000001001a0676 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077d90dd4 5 bytes JMP 00000001001a03d0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077d91900 5 bytes JMP 00000001001a0594 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077d91bc4 5 bytes JMP 00000001001a083a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077d91d50 5 bytes JMP 00000001001a020c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1928] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 0000000075de15ea 7 bytes JMP 00000001002e059e .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1928] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 00000000760a524f 7 bytes JMP 00000001001a0f52 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1928] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 00000000760a53d0 7 bytes JMP 00000001002e0210 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1928] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 00000000760a5677 1 byte JMP 00000001002e0048 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1928] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 00000000760a5679 5 bytes {JMP 0xffffffff8a23a9d1} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1928] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 00000000760a589a 7 bytes JMP 00000001001a0ca6 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1928] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 00000000760a5a1d 7 bytes JMP 00000001002e03d8 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1928] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 00000000760a5c9b 7 bytes JMP 00000001002e012c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1928] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 00000000760a5d87 7 bytes JMP 00000001002e02f4 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1928] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 00000000760a7240 7 bytes JMP 00000001001a0e6e .text C:\Windows\system32\Dwm.exe[1936] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 0000000077aaefe0 5 bytes JMP 000000016fff0148 .text C:\Windows\system32\Dwm.exe[1936] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000077ad99b0 7 bytes JMP 000000016fff00d8 .text C:\Windows\system32\Dwm.exe[1936] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 0000000077ae94d0 5 bytes JMP 000000016fff0180 .text C:\Windows\system32\Dwm.exe[1936] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 0000000077ae9640 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\Dwm.exe[1936] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000077b0a500 7 bytes JMP 000000016fff01b8 .text C:\Windows\system32\Dwm.exe[1936] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefdbf3460 7 bytes JMP 000007fffdbe00d8 .text C:\Windows\system32\Dwm.exe[1936] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefdbf90b0 5 bytes JMP 000007fffdbe0180 .text C:\Windows\system32\Dwm.exe[1936] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefdbf9250 5 bytes JMP 000007fffdbe0110 .text C:\Windows\system32\Dwm.exe[1936] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefdbfb7b0 6 bytes JMP 000007fffdbe0148 .text C:\Windows\system32\Dwm.exe[1936] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefee989e0 8 bytes JMP 000007fffdbe01f0 .text C:\Windows\system32\Dwm.exe[1936] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefee9be40 8 bytes JMP 000007fffdbe01b8 .text C:\Windows\system32\Dwm.exe[1936] C:\Windows\system32\dxgi.dll!CreateDXGIFactory 000007fef8934da4 7 bytes JMP 000007fff89200d8 .text C:\Windows\system32\Dwm.exe[1936] C:\Windows\system32\dxgi.dll!CreateDXGIFactory1 000007fef8959af4 7 bytes JMP 000007fff8920110 .text C:\Windows\system32\Dwm.exe[1936] C:\Windows\system32\ws2_32.dll!connect + 1 000007feffe345c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Windows\system32\Dwm.exe[1936] C:\Windows\system32\ws2_32.dll!getsockname 000007feffe39480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\Windows\system32\Dwm.exe[1936] C:\Windows\system32\ws2_32.dll!WSAConnect 000007feffe5e0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Windows\system32\Dwm.exe[1936] C:\Windows\system32\ws2_32.dll!getpeername 000007feffe5e450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} .text C:\Windows\system32\taskhost.exe[1956] C:\Windows\system32\ws2_32.dll!connect + 1 000007feffe345c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Windows\system32\taskhost.exe[1956] C:\Windows\system32\ws2_32.dll!getsockname 000007feffe39480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\Windows\system32\taskhost.exe[1956] C:\Windows\system32\ws2_32.dll!WSAConnect 000007feffe5e0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Windows\system32\taskhost.exe[1956] C:\Windows\system32\ws2_32.dll!getpeername 000007feffe5e450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} .text C:\Windows\Explorer.EXE[2020] C:\Windows\system32\WS2_32.dll!connect + 1 000007feffe345c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Windows\Explorer.EXE[2020] C:\Windows\system32\WS2_32.dll!getsockname 000007feffe39480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\Windows\Explorer.EXE[2020] C:\Windows\system32\WS2_32.dll!WSAConnect 000007feffe5e0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Windows\Explorer.EXE[2020] C:\Windows\system32\WS2_32.dll!getpeername 000007feffe5e450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1352] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077d8fc90 5 bytes JMP 00000001000a091c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1352] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077d8fdf4 5 bytes JMP 00000001000a0048 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1352] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077d8fe88 5 bytes JMP 00000001000a02ee .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1352] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077d8ffe4 5 bytes JMP 00000001000a04b2 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1352] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d90018 5 bytes JMP 00000001000a09fe .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1352] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077d90048 5 bytes JMP 00000001000a0ae0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1352] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077d90064 5 bytes JMP 000000010002004c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1352] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077d9077c 5 bytes JMP 00000001000a012a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1352] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077d9086c 5 bytes JMP 00000001000a0758 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1352] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077d90884 5 bytes JMP 00000001000a0676 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1352] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077d90dd4 5 bytes JMP 00000001000a03d0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1352] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077d91900 5 bytes JMP 00000001000a0594 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1352] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077d91bc4 5 bytes JMP 00000001000a083a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1352] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077d91d50 5 bytes JMP 00000001000a020c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1352] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 00000000760a524f 7 bytes JMP 00000001000a0f52 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1352] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 00000000760a53d0 7 bytes JMP 0000000100130210 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1352] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 00000000760a5677 1 byte JMP 0000000100130048 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1352] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 00000000760a5679 5 bytes {JMP 0xffffffff8a08a9d1} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1352] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 00000000760a589a 7 bytes JMP 00000001000a0ca6 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1352] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 00000000760a5a1d 7 bytes JMP 00000001001303d8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1352] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 00000000760a5c9b 7 bytes JMP 000000010013012c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1352] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 00000000760a5d87 7 bytes JMP 00000001001302f4 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1352] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 00000000760a7240 7 bytes JMP 00000001000a0e6e .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1352] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 0000000075de15ea 7 bytes JMP 00000001001304bc .text C:\Windows\System32\igfxtray.exe[2400] C:\Windows\system32\ws2_32.dll!connect + 1 000007feffe345c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Windows\System32\igfxtray.exe[2400] C:\Windows\system32\ws2_32.dll!getsockname 000007feffe39480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\Windows\System32\igfxtray.exe[2400] C:\Windows\system32\ws2_32.dll!WSAConnect 000007feffe5e0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Windows\System32\igfxtray.exe[2400] C:\Windows\system32\ws2_32.dll!getpeername 000007feffe5e450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} .text C:\Windows\System32\hkcmd.exe[2408] C:\Windows\system32\ws2_32.dll!connect + 1 000007feffe345c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Windows\System32\hkcmd.exe[2408] C:\Windows\system32\ws2_32.dll!getsockname 000007feffe39480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\Windows\System32\hkcmd.exe[2408] C:\Windows\system32\ws2_32.dll!WSAConnect 000007feffe5e0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Windows\System32\hkcmd.exe[2408] C:\Windows\system32\ws2_32.dll!getpeername 000007feffe5e450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} .text C:\Windows\System32\igfxpers.exe[2444] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 0000000077aaefe0 5 bytes JMP 000000016fff0148 .text C:\Windows\System32\igfxpers.exe[2444] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000077ad99b0 7 bytes JMP 000000016fff00d8 .text C:\Windows\System32\igfxpers.exe[2444] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 0000000077ae94d0 5 bytes JMP 000000016fff0180 .text C:\Windows\System32\igfxpers.exe[2444] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 0000000077ae9640 5 bytes JMP 000000016fff0110 .text C:\Windows\System32\igfxpers.exe[2444] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000077b0a500 7 bytes JMP 000000016fff01b8 .text C:\Windows\System32\igfxpers.exe[2444] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefdbf3460 7 bytes JMP 000007fffdbe00d8 .text C:\Windows\System32\igfxpers.exe[2444] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefdbf90b0 5 bytes JMP 000007fffdbe0180 .text C:\Windows\System32\igfxpers.exe[2444] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefdbf9250 5 bytes JMP 000007fffdbe0110 .text C:\Windows\System32\igfxpers.exe[2444] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefdbfb7b0 6 bytes JMP 000007fffdbe0148 .text C:\Windows\System32\igfxpers.exe[2444] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefee989e0 8 bytes JMP 000007fffdbe01f0 .text C:\Windows\System32\igfxpers.exe[2444] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefee9be40 8 bytes JMP 000007fffdbe01b8 .text C:\Windows\System32\igfxpers.exe[2444] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe647490 11 bytes JMP 000007fffdbe0228 .text C:\Windows\System32\igfxpers.exe[2444] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefe65bf00 7 bytes JMP 000007fffdbe0260 .text C:\Windows\System32\igfxpers.exe[2444] C:\Windows\system32\ws2_32.dll!connect + 1 000007feffe345c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Windows\System32\igfxpers.exe[2444] C:\Windows\system32\ws2_32.dll!getsockname 000007feffe39480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\Windows\System32\igfxpers.exe[2444] C:\Windows\system32\ws2_32.dll!WSAConnect 000007feffe5e0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Windows\System32\igfxpers.exe[2444] C:\Windows\system32\ws2_32.dll!getpeername 000007feffe5e450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2468] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 0000000077aaefe0 5 bytes JMP 000000016fff0148 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2468] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000077ad99b0 7 bytes JMP 000000016fff00d8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2468] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 0000000077ae94d0 5 bytes JMP 000000016fff0180 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2468] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 0000000077ae9640 5 bytes JMP 000000016fff0110 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2468] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000077b0a500 7 bytes JMP 000000016fff01b8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2468] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefdbf3460 7 bytes JMP 000007fffdbe00d8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2468] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefdbf90b0 5 bytes JMP 000007fffdbe0180 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2468] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefdbf9250 5 bytes JMP 000007fffdbe0110 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2468] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefdbfb7b0 6 bytes JMP 000007fffdbe0148 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2468] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefee989e0 8 bytes JMP 000007fffdbe01f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2468] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefee9be40 8 bytes JMP 000007fffdbe01b8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2468] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe647490 11 bytes JMP 000007fffdbe0228 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2468] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefe65bf00 7 bytes JMP 000007fffdbe0260 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2468] C:\Windows\system32\ws2_32.dll!connect + 1 000007feffe345c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2468] C:\Windows\system32\ws2_32.dll!getsockname 000007feffe39480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2468] C:\Windows\system32\ws2_32.dll!WSAConnect 000007feffe5e0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2468] C:\Windows\system32\ws2_32.dll!getpeername 000007feffe5e450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2532] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 0000000077aaefe0 5 bytes JMP 000000016fff0148 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2532] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000077ad99b0 7 bytes JMP 000000016fff00d8 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2532] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 0000000077ae94d0 5 bytes JMP 000000016fff0180 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2532] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 0000000077ae9640 5 bytes JMP 000000016fff0110 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2532] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000077b0a500 7 bytes JMP 000000016fff01b8 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2532] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefdbf3460 7 bytes JMP 000007fffdbe00d8 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2532] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefdbf90b0 5 bytes JMP 000007fffdbe0180 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2532] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefdbf9250 5 bytes JMP 000007fffdbe0110 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2532] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefdbfb7b0 6 bytes JMP 000007fffdbe0148 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2532] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe647490 11 bytes JMP 000007fffdbe0228 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2532] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefe65bf00 7 bytes JMP 000007fffdbe0260 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2532] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefee989e0 8 bytes JMP 000007fffdbe01f0 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2532] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefee9be40 8 bytes JMP 000007fffdbe01b8 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2532] C:\Windows\system32\ws2_32.dll!connect + 1 000007feffe345c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2532] C:\Windows\system32\ws2_32.dll!getsockname 000007feffe39480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2532] C:\Windows\system32\ws2_32.dll!WSAConnect 000007feffe5e0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2532] C:\Windows\system32\ws2_32.dll!getpeername 000007feffe5e450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} .text C:\Program Files\Realtek\Audio\HDA\FMAPP.exe[2668] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefdbf3460 7 bytes JMP 000007fffdbe00d8 .text C:\Program Files\Realtek\Audio\HDA\FMAPP.exe[2668] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefdbf90b0 5 bytes JMP 000007fffdbe0180 .text C:\Program Files\Realtek\Audio\HDA\FMAPP.exe[2668] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefdbf9250 5 bytes JMP 000007fffdbe0110 .text C:\Program Files\Realtek\Audio\HDA\FMAPP.exe[2668] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefdbfb7b0 6 bytes JMP 000007fffdbe0148 .text C:\Program Files\Realtek\Audio\HDA\FMAPP.exe[2668] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefee989e0 8 bytes JMP 000007fffdbe01f0 .text C:\Program Files\Realtek\Audio\HDA\FMAPP.exe[2668] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefee9be40 8 bytes JMP 000007fffdbe01b8 .text C:\Program Files\Realtek\Audio\HDA\FMAPP.exe[2668] C:\Windows\system32\ws2_32.dll!connect + 1 000007feffe345c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Program Files\Realtek\Audio\HDA\FMAPP.exe[2668] C:\Windows\system32\ws2_32.dll!getsockname 000007feffe39480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\Program Files\Realtek\Audio\HDA\FMAPP.exe[2668] C:\Windows\system32\ws2_32.dll!WSAConnect 000007feffe5e0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Program Files\Realtek\Audio\HDA\FMAPP.exe[2668] C:\Windows\system32\ws2_32.dll!getpeername 000007feffe5e450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2876] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 0000000077aaefe0 5 bytes JMP 000000016fff0148 .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2876] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000077ad99b0 7 bytes JMP 000000016fff00d8 .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2876] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 0000000077ae94d0 5 bytes JMP 000000016fff0180 .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2876] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 0000000077ae9640 5 bytes JMP 000000016fff0110 .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2876] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000077b0a500 7 bytes JMP 000000016fff01b8 .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2876] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefdbf3460 7 bytes JMP 000007fffdbe00d8 .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2876] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefdbf90b0 5 bytes JMP 000007fffdbe0180 .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2876] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefdbf9250 5 bytes JMP 000007fffdbe0110 .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2876] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefdbfb7b0 6 bytes JMP 000007fffdbe0148 .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2876] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefee989e0 8 bytes JMP 000007fffdbe01f0 .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2876] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefee9be40 8 bytes JMP 000007fffdbe01b8 .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2876] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe647490 11 bytes JMP 000007fffdbe0228 .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2876] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefe65bf00 7 bytes JMP 000007fffdbe0260 .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2876] C:\Windows\system32\ws2_32.dll!connect + 1 000007feffe345c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2876] C:\Windows\system32\ws2_32.dll!getsockname 000007feffe39480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2876] C:\Windows\system32\ws2_32.dll!WSAConnect 000007feffe5e0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2876] C:\Windows\system32\ws2_32.dll!getpeername 000007feffe5e450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2924] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 0000000077aaefe0 5 bytes JMP 000000016fff0148 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2924] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000077ad99b0 7 bytes JMP 000000016fff00d8 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2924] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 0000000077ae94d0 5 bytes JMP 000000016fff0180 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2924] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 0000000077ae9640 5 bytes JMP 000000016fff0110 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2924] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000077b0a500 7 bytes JMP 000000016fff01b8 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2924] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefdbf3460 7 bytes JMP 000007fffdbe00d8 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2924] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefdbf90b0 5 bytes JMP 000007fffdbe0180 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2924] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefdbf9250 5 bytes JMP 000007fffdbe0110 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2924] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefdbfb7b0 6 bytes JMP 000007fffdbe0148 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2924] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefee989e0 8 bytes JMP 000007fffdbe01f0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2924] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefee9be40 8 bytes JMP 000007fffdbe01b8 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2924] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe647490 11 bytes JMP 000007fffdbe0228 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2924] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefe65bf00 7 bytes JMP 000007fffdbe0260 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2924] C:\Windows\system32\ws2_32.dll!connect + 1 000007feffe345c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2924] C:\Windows\system32\ws2_32.dll!getsockname 000007feffe39480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2924] C:\Windows\system32\ws2_32.dll!WSAConnect 000007feffe5e0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2924] C:\Windows\system32\ws2_32.dll!getpeername 000007feffe5e450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2968] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 0000000077aaefe0 5 bytes JMP 000000016fff0148 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2968] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000077ad99b0 7 bytes JMP 000000016fff00d8 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2968] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 0000000077ae94d0 5 bytes JMP 000000016fff0180 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2968] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 0000000077ae9640 5 bytes JMP 000000016fff0110 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2968] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000077b0a500 7 bytes JMP 000000016fff01b8 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2968] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefdbf3460 7 bytes JMP 000007fffdbe00d8 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2968] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefdbf90b0 5 bytes JMP 000007fffdbe0180 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2968] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefdbf9250 5 bytes JMP 000007fffdbe0110 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2968] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefdbfb7b0 6 bytes JMP 000007fffdbe0148 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2968] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefee989e0 8 bytes JMP 000007fffdbe01f0 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2968] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefee9be40 8 bytes JMP 000007fffdbe01b8 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2968] C:\Windows\system32\ws2_32.dll!connect + 1 000007feffe345c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2968] C:\Windows\system32\ws2_32.dll!getsockname 000007feffe39480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2968] C:\Windows\system32\ws2_32.dll!WSAConnect 000007feffe5e0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2968] C:\Windows\system32\ws2_32.dll!getpeername 000007feffe5e450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} .text C:\Program Files\HP\HP Deskjet 3050 J610 series\Bin\ScanToPCActivationApp.exe[2976] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 0000000077aaefe0 5 bytes JMP 000000016fff0148 .text C:\Program Files\HP\HP Deskjet 3050 J610 series\Bin\ScanToPCActivationApp.exe[2976] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000077ad99b0 7 bytes JMP 000000016fff00d8 .text C:\Program Files\HP\HP Deskjet 3050 J610 series\Bin\ScanToPCActivationApp.exe[2976] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 0000000077ae94d0 5 bytes JMP 000000016fff0180 .text C:\Program Files\HP\HP Deskjet 3050 J610 series\Bin\ScanToPCActivationApp.exe[2976] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 0000000077ae9640 5 bytes JMP 000000016fff0110 .text C:\Program Files\HP\HP Deskjet 3050 J610 series\Bin\ScanToPCActivationApp.exe[2976] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000077b0a500 7 bytes JMP 000000016fff01b8 .text C:\Program Files\HP\HP Deskjet 3050 J610 series\Bin\ScanToPCActivationApp.exe[2976] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefdbf3460 7 bytes JMP 000007fffdbe00d8 .text C:\Program Files\HP\HP Deskjet 3050 J610 series\Bin\ScanToPCActivationApp.exe[2976] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefdbf90b0 5 bytes JMP 000007fffdbe0180 .text C:\Program Files\HP\HP Deskjet 3050 J610 series\Bin\ScanToPCActivationApp.exe[2976] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefdbf9250 5 bytes JMP 000007fffdbe0110 .text C:\Program Files\HP\HP Deskjet 3050 J610 series\Bin\ScanToPCActivationApp.exe[2976] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefdbfb7b0 6 bytes JMP 000007fffdbe0148 .text C:\Program Files\HP\HP Deskjet 3050 J610 series\Bin\ScanToPCActivationApp.exe[2976] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefee989e0 8 bytes JMP 000007fffdbe01f0 .text C:\Program Files\HP\HP Deskjet 3050 J610 series\Bin\ScanToPCActivationApp.exe[2976] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefee9be40 8 bytes JMP 000007fffdbe01b8 .text C:\Program Files\HP\HP Deskjet 3050 J610 series\Bin\ScanToPCActivationApp.exe[2976] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe647490 11 bytes JMP 000007fffdbe0228 .text C:\Program Files\HP\HP Deskjet 3050 J610 series\Bin\ScanToPCActivationApp.exe[2976] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefe65bf00 7 bytes JMP 000007fffdbe0260 .text C:\Program Files\HP\HP Deskjet 3050 J610 series\Bin\ScanToPCActivationApp.exe[2976] C:\Windows\system32\WS2_32.dll!connect + 1 000007feffe345c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Program Files\HP\HP Deskjet 3050 J610 series\Bin\ScanToPCActivationApp.exe[2976] C:\Windows\system32\WS2_32.dll!getsockname 000007feffe39480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\Program Files\HP\HP Deskjet 3050 J610 series\Bin\ScanToPCActivationApp.exe[2976] C:\Windows\system32\WS2_32.dll!WSAConnect 000007feffe5e0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Program Files\HP\HP Deskjet 3050 J610 series\Bin\ScanToPCActivationApp.exe[2976] C:\Windows\system32\WS2_32.dll!getpeername 000007feffe5e450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3064] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 0000000077aaefe0 5 bytes JMP 000000016fff0148 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3064] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000077ad99b0 7 bytes JMP 000000016fff00d8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3064] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 0000000077ae94d0 5 bytes JMP 000000016fff0180 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3064] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 0000000077ae9640 5 bytes JMP 000000016fff0110 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3064] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000077b0a500 7 bytes JMP 000000016fff01b8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3064] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefdbf3460 7 bytes JMP 000007fffdbe00d8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3064] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefdbf90b0 5 bytes JMP 000007fffdbe0180 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3064] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefdbf9250 5 bytes JMP 000007fffdbe0110 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3064] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefdbfb7b0 6 bytes JMP 000007fffdbe0148 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3064] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefee989e0 8 bytes JMP 000007fffdbe01f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3064] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefee9be40 8 bytes JMP 000007fffdbe01b8 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[2232] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 0000000077aaefe0 5 bytes JMP 000000016fff0148 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[2232] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000077ad99b0 7 bytes JMP 000000016fff00d8 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[2232] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 0000000077ae94d0 5 bytes JMP 000000016fff0180 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[2232] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 0000000077ae9640 5 bytes JMP 000000016fff0110 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[2232] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000077b0a500 7 bytes JMP 000000016fff01b8 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[2232] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefdbf3460 7 bytes JMP 000007fffdbe00d8 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[2232] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefdbf90b0 5 bytes JMP 000007fffdbe0180 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[2232] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefdbf9250 5 bytes JMP 000007fffdbe0110 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[2232] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefdbfb7b0 6 bytes JMP 000007fffdbe0148 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[2232] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefee989e0 8 bytes JMP 000007fffdbe01f0 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[2232] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefee9be40 8 bytes JMP 000007fffdbe01b8 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[2232] C:\Windows\system32\WS2_32.dll!connect + 1 000007feffe345c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[2232] C:\Windows\system32\WS2_32.dll!getsockname 000007feffe39480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[2232] C:\Windows\system32\WS2_32.dll!WSAConnect 000007feffe5e0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[2232] C:\Windows\system32\WS2_32.dll!getpeername 000007feffe5e450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} .text C:\Windows\SysWOW64\PnkBstrA.exe[2692] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077d8fc90 5 bytes JMP 000000010027091c .text C:\Windows\SysWOW64\PnkBstrA.exe[2692] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077d8fdf4 5 bytes JMP 0000000100270048 .text C:\Windows\SysWOW64\PnkBstrA.exe[2692] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077d8fe88 5 bytes JMP 00000001002702ee .text C:\Windows\SysWOW64\PnkBstrA.exe[2692] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077d8ffe4 5 bytes JMP 00000001002704b2 .text C:\Windows\SysWOW64\PnkBstrA.exe[2692] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d90018 5 bytes JMP 00000001002709fe .text C:\Windows\SysWOW64\PnkBstrA.exe[2692] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077d90048 5 bytes JMP 0000000100270ae0 .text C:\Windows\SysWOW64\PnkBstrA.exe[2692] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077d90064 5 bytes JMP 000000010002004c .text C:\Windows\SysWOW64\PnkBstrA.exe[2692] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077d9077c 5 bytes JMP 000000010027012a .text C:\Windows\SysWOW64\PnkBstrA.exe[2692] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077d9086c 5 bytes JMP 0000000100270758 .text C:\Windows\SysWOW64\PnkBstrA.exe[2692] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077d90884 5 bytes JMP 0000000100270676 .text C:\Windows\SysWOW64\PnkBstrA.exe[2692] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077d90dd4 5 bytes JMP 00000001002703d0 .text C:\Windows\SysWOW64\PnkBstrA.exe[2692] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077d91900 5 bytes JMP 0000000100270594 .text C:\Windows\SysWOW64\PnkBstrA.exe[2692] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077d91bc4 5 bytes JMP 000000010027083a .text C:\Windows\SysWOW64\PnkBstrA.exe[2692] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077d91d50 5 bytes JMP 000000010027020c .text C:\Windows\SysWOW64\PnkBstrA.exe[2692] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 0000000075de15ea 7 bytes JMP 000000010028059e .text C:\Windows\SysWOW64\PnkBstrA.exe[2692] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 00000000760a524f 7 bytes JMP 0000000100270f52 .text C:\Windows\SysWOW64\PnkBstrA.exe[2692] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 00000000760a53d0 7 bytes JMP 0000000100280210 .text C:\Windows\SysWOW64\PnkBstrA.exe[2692] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 00000000760a5677 1 byte JMP 0000000100280048 .text C:\Windows\SysWOW64\PnkBstrA.exe[2692] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 00000000760a5679 5 bytes {JMP 0xffffffff8a1da9d1} .text C:\Windows\SysWOW64\PnkBstrA.exe[2692] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 00000000760a589a 7 bytes JMP 0000000100270ca6 .text C:\Windows\SysWOW64\PnkBstrA.exe[2692] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 00000000760a5a1d 7 bytes JMP 00000001002803d8 .text C:\Windows\SysWOW64\PnkBstrA.exe[2692] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 00000000760a5c9b 7 bytes JMP 000000010028012c .text C:\Windows\SysWOW64\PnkBstrA.exe[2692] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 00000000760a5d87 7 bytes JMP 00000001002802f4 .text C:\Windows\SysWOW64\PnkBstrA.exe[2692] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 00000000760a7240 7 bytes JMP 0000000100270e6e .text C:\Windows\SysWOW64\PnkBstrA.exe[2692] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 00000000755c1a22 2 bytes [5C, 75] .text C:\Windows\SysWOW64\PnkBstrA.exe[2692] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 00000000755c1ad0 2 bytes [5C, 75] .text C:\Windows\SysWOW64\PnkBstrA.exe[2692] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 00000000755c1b08 2 bytes [5C, 75] .text C:\Windows\SysWOW64\PnkBstrA.exe[2692] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 00000000755c1bba 2 bytes [5C, 75] .text C:\Windows\SysWOW64\PnkBstrA.exe[2692] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 00000000755c1bda 2 bytes [5C, 75] .text C:\Windows\SysWOW64\PnkBstrA.exe[2692] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076091465 2 bytes [09, 76] .text C:\Windows\SysWOW64\PnkBstrA.exe[2692] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000760914bb 2 bytes [09, 76] .text ... * 2 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3252] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077d8fc90 5 bytes JMP 00000001000a091c .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3252] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077d8fdf4 5 bytes JMP 00000001000a0048 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3252] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077d8fe88 5 bytes JMP 00000001000a02ee .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3252] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077d8ffe4 5 bytes JMP 00000001000a04b2 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3252] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d90018 5 bytes JMP 00000001000a09fe .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3252] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077d90048 5 bytes JMP 00000001000a0ae0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3252] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077d90064 5 bytes JMP 000000010003004c .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3252] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077d9077c 5 bytes JMP 00000001000a012a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3252] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077d9086c 5 bytes JMP 00000001000a0758 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3252] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077d90884 5 bytes JMP 00000001000a0676 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3252] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077d90dd4 5 bytes JMP 00000001000a03d0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3252] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077d91900 5 bytes JMP 00000001000a0594 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3252] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077d91bc4 5 bytes JMP 00000001000a083a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3252] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077d91d50 5 bytes JMP 00000001000a020c .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3252] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 0000000075de15ea 7 bytes JMP 00000001000b059e .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3252] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 00000000760a524f 7 bytes JMP 00000001000a0f52 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3252] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 00000000760a53d0 7 bytes JMP 00000001000b0210 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3252] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 00000000760a5677 1 byte JMP 00000001000b0048 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3252] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 00000000760a5679 5 bytes {JMP 0xffffffff8a00a9d1} .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3252] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 00000000760a589a 7 bytes JMP 00000001000a0ca6 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3252] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 00000000760a5a1d 7 bytes JMP 00000001000b03d8 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3252] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 00000000760a5c9b 7 bytes JMP 00000001000b012c .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3252] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 00000000760a5d87 7 bytes JMP 00000001000b02f4 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3252] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 00000000760a7240 7 bytes JMP 00000001000a0e6e .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077d8fc90 5 bytes JMP 00000001001d091c .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077d8fdf4 5 bytes JMP 00000001001d0048 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077d8fe88 5 bytes JMP 00000001001d02ee .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077d8ffe4 5 bytes JMP 00000001001d04b2 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d90018 5 bytes JMP 00000001001d09fe .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077d90048 5 bytes JMP 00000001001d0ae0 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077d90064 5 bytes JMP 000000010002004c .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077d9077c 5 bytes JMP 00000001001d012a .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077d9086c 5 bytes JMP 00000001001d0758 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077d90884 5 bytes JMP 00000001001d0676 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077d90dd4 5 bytes JMP 00000001001d03d0 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077d91900 5 bytes JMP 00000001001d0594 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077d91bc4 5 bytes JMP 00000001001d083a .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077d91d50 5 bytes JMP 00000001001d020c .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3304] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 0000000075de15ea 7 bytes JMP 00000001001e04bc .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3304] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 00000000760a524f 7 bytes JMP 00000001001d0f52 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3304] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 00000000760a53d0 7 bytes JMP 00000001001e0210 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3304] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 00000000760a5677 1 byte JMP 00000001001e0048 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3304] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 00000000760a5679 5 bytes {JMP 0xffffffff8a13a9d1} .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3304] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 00000000760a589a 7 bytes JMP 00000001001d0ca6 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3304] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 00000000760a5a1d 7 bytes JMP 00000001001e03d8 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3304] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 00000000760a5c9b 7 bytes JMP 00000001001e012c .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3304] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 00000000760a5d87 7 bytes JMP 00000001001e02f4 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3304] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 00000000760a7240 7 bytes JMP 00000001001d0e6e .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3304] C:\Windows\syswow64\urlmon.dll!URLOpenPullStreamW + 69 00000000766f6beb 1 byte JMP 00000001001e0680 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3304] C:\Windows\syswow64\urlmon.dll!URLOpenPullStreamW + 71 00000000766f6bed 5 bytes {JMP 0xffffffff89ae9a95} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3572] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077d8fc90 5 bytes JMP 000000010029091c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3572] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077d8fdf4 5 bytes JMP 0000000100290048 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3572] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077d8fe88 5 bytes JMP 00000001002902ee .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3572] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077d8ffe4 5 bytes JMP 00000001002904b2 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3572] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d90018 5 bytes JMP 00000001002909fe .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3572] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077d90048 5 bytes JMP 0000000100290ae0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3572] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077d90064 5 bytes JMP 000000010002004c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3572] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077d9077c 5 bytes JMP 000000010029012a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3572] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077d9086c 5 bytes JMP 0000000100290758 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3572] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077d90884 5 bytes JMP 0000000100290676 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3572] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077d90dd4 5 bytes JMP 00000001002903d0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3572] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077d91900 5 bytes JMP 0000000100290594 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3572] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077d91bc4 5 bytes JMP 000000010029083a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3572] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077d91d50 5 bytes JMP 000000010029020c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3572] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 00000000760a524f 7 bytes JMP 0000000100290f52 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3572] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 00000000760a53d0 7 bytes JMP 00000001002a0210 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3572] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 00000000760a5677 1 byte JMP 00000001002a0048 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3572] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 00000000760a5679 5 bytes {JMP 0xffffffff8a1fa9d1} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3572] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 00000000760a589a 7 bytes JMP 0000000100290ca6 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3572] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 00000000760a5a1d 7 bytes JMP 00000001002a03d8 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3572] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 00000000760a5c9b 7 bytes JMP 00000001002a012c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3572] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 00000000760a5d87 7 bytes JMP 00000001002a02f4 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3572] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 00000000760a7240 7 bytes JMP 0000000100290e6e .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3572] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 0000000075de15ea 7 bytes JMP 00000001002a0762 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3572] C:\Windows\syswow64\urlmon.dll!URLOpenPullStreamW + 69 00000000766f6beb 7 bytes JMP 00000001002a059e .text C:\Program Files (x86)\Ad Muncher\AdMunch64.exe[3624] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefdbf3460 7 bytes JMP 000007fffdbe00d8 .text C:\Program Files (x86)\Ad Muncher\AdMunch64.exe[3624] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefdbf90b0 5 bytes JMP 000007fffdbe0180 .text C:\Program Files (x86)\Ad Muncher\AdMunch64.exe[3624] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefdbf9250 5 bytes JMP 000007fffdbe0110 .text C:\Program Files (x86)\Ad Muncher\AdMunch64.exe[3624] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefdbfb7b0 6 bytes JMP 000007fffdbe0148 .text C:\Program Files (x86)\Ad Muncher\AdMunch64.exe[3624] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefee989e0 8 bytes JMP 000007fffdbe01f0 .text C:\Program Files (x86)\Ad Muncher\AdMunch64.exe[3624] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefee9be40 8 bytes JMP 000007fffdbe01b8 .text C:\Windows\SysWOW64\RunDll32.exe[3644] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076091465 2 bytes [09, 76] .text C:\Windows\SysWOW64\RunDll32.exe[3644] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000760914bb 2 bytes [09, 76] .text ... * 2 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2460] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefdbf3460 7 bytes JMP 000007fffdbe00d8 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2460] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefdbf90b0 5 bytes JMP 000007fffdbe0180 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2460] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefdbf9250 5 bytes JMP 000007fffdbe0110 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2460] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefdbfb7b0 6 bytes JMP 000007fffdbe0148 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2460] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefee989e0 8 bytes JMP 000007fffdbe01f0 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2460] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefee9be40 8 bytes JMP 000007fffdbe01b8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[836] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077d8fc90 5 bytes JMP 000000010009091c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[836] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077d8fdf4 5 bytes JMP 0000000100090048 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[836] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077d8fe88 5 bytes JMP 00000001000902ee .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[836] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077d8ffe4 5 bytes JMP 00000001000904b2 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[836] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d90018 5 bytes JMP 00000001000909fe .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[836] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077d90048 5 bytes JMP 0000000100090ae0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[836] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077d90064 5 bytes JMP 000000010002004c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[836] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077d9077c 5 bytes JMP 000000010009012a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[836] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077d9086c 5 bytes JMP 0000000100090758 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[836] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077d90884 5 bytes JMP 0000000100090676 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[836] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077d90dd4 5 bytes JMP 00000001000903d0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[836] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077d91900 5 bytes JMP 0000000100090594 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[836] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077d91bc4 5 bytes JMP 000000010009083a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[836] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077d91d50 5 bytes JMP 000000010009020c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[836] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 00000000760a524f 7 bytes JMP 0000000100090f52 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[836] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 00000000760a53d0 7 bytes JMP 00000001000a0210 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[836] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 00000000760a5677 1 byte JMP 00000001000a0048 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[836] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 00000000760a5679 5 bytes {JMP 0xffffffff89ffa9d1} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[836] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 00000000760a589a 7 bytes JMP 0000000100090ca6 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[836] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 00000000760a5a1d 7 bytes JMP 00000001000a03d8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[836] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 00000000760a5c9b 7 bytes JMP 00000001000a012c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[836] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 00000000760a5d87 7 bytes JMP 00000001000a02f4 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[836] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 00000000760a7240 7 bytes JMP 0000000100090e6e .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[836] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 0000000075de15ea 7 bytes JMP 00000001000a04bc .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4272] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077d8fc90 5 bytes JMP 000000010015091c .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4272] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077d8fdf4 5 bytes JMP 0000000100150048 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4272] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077d8fe88 5 bytes JMP 00000001001502ee .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4272] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077d8ffe4 5 bytes JMP 00000001001504b2 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4272] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d90018 5 bytes JMP 00000001001509fe .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4272] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077d90048 5 bytes JMP 0000000100150ae0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4272] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077d90064 5 bytes JMP 000000010002004c .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4272] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077d9077c 5 bytes JMP 000000010015012a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4272] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077d9086c 5 bytes JMP 0000000100150758 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4272] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077d90884 5 bytes JMP 0000000100150676 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4272] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077d90dd4 5 bytes JMP 00000001001503d0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4272] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077d91900 5 bytes JMP 0000000100150594 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4272] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077d91bc4 5 bytes JMP 000000010015083a .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4272] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077d91d50 5 bytes JMP 000000010015020c .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4272] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076091465 2 bytes [09, 76] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4272] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000760914bb 2 bytes [09, 76] .text ... * 2 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4272] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 0000000075de15ea 7 bytes JMP 0000000100160762 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4272] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 00000000760a524f 7 bytes JMP 0000000100150f52 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4272] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 00000000760a53d0 7 bytes JMP 0000000100160210 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4272] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 00000000760a5677 1 byte JMP 0000000100160048 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4272] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 00000000760a5679 5 bytes {JMP 0xffffffff8a0ba9d1} .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4272] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 00000000760a589a 7 bytes JMP 0000000100150ca6 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4272] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 00000000760a5a1d 7 bytes JMP 00000001001603d8 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4272] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 00000000760a5c9b 7 bytes JMP 000000010016012c .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4272] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 00000000760a5d87 7 bytes JMP 00000001001602f4 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4272] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 00000000760a7240 7 bytes JMP 0000000100150e6e .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4272] C:\Windows\syswow64\urlmon.dll!URLOpenPullStreamW + 69 00000000766f6beb 7 bytes JMP 000000010016059e .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077d8fc90 5 bytes JMP 000000010018091c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077d8fdf4 5 bytes JMP 0000000100180048 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077d8fe88 5 bytes JMP 00000001001802ee .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077d8ffe4 5 bytes JMP 00000001001804b2 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d90018 5 bytes JMP 00000001001809fe .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077d90048 5 bytes JMP 0000000100180ae0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077d90064 5 bytes JMP 00000001000b004c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077d9077c 5 bytes JMP 000000010018012a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077d9086c 5 bytes JMP 0000000100180758 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077d90884 5 bytes JMP 0000000100180676 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077d90dd4 5 bytes JMP 00000001001803d0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077d91900 5 bytes JMP 0000000100180594 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077d91bc4 5 bytes JMP 000000010018083a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3708] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077d91d50 5 bytes JMP 000000010018020c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3708] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 00000000760a524f 7 bytes JMP 0000000100180f52 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3708] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 00000000760a53d0 7 bytes JMP 0000000100190210 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3708] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 00000000760a5677 1 byte JMP 0000000100190048 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3708] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 00000000760a5679 5 bytes {JMP 0xffffffff8a0ea9d1} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3708] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 00000000760a589a 7 bytes JMP 0000000100180ca6 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3708] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 00000000760a5a1d 7 bytes JMP 00000001001903d8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3708] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 00000000760a5c9b 7 bytes JMP 000000010019012c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3708] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 00000000760a5d87 7 bytes JMP 00000001001902f4 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3708] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 00000000760a7240 7 bytes JMP 0000000100180e6e .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3708] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 0000000075de15ea 7 bytes JMP 00000001001904bc .text C:\Users\Karol\Downloads\cuif39hx.exe[3588] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077d8fc90 5 bytes JMP 000000010030091c .text C:\Users\Karol\Downloads\cuif39hx.exe[3588] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077d8fdf4 5 bytes JMP 0000000100300048 .text C:\Users\Karol\Downloads\cuif39hx.exe[3588] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077d8fe88 5 bytes JMP 00000001003002ee .text C:\Users\Karol\Downloads\cuif39hx.exe[3588] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077d8ffe4 5 bytes JMP 00000001003004b2 .text C:\Users\Karol\Downloads\cuif39hx.exe[3588] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d90018 5 bytes JMP 00000001003009fe .text C:\Users\Karol\Downloads\cuif39hx.exe[3588] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077d90048 5 bytes JMP 0000000100300ae0 .text C:\Users\Karol\Downloads\cuif39hx.exe[3588] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077d90064 5 bytes JMP 000000010002004c .text C:\Users\Karol\Downloads\cuif39hx.exe[3588] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077d9077c 5 bytes JMP 000000010030012a .text C:\Users\Karol\Downloads\cuif39hx.exe[3588] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077d9086c 5 bytes JMP 0000000100300758 .text C:\Users\Karol\Downloads\cuif39hx.exe[3588] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077d90884 5 bytes JMP 0000000100300676 .text C:\Users\Karol\Downloads\cuif39hx.exe[3588] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077d90dd4 5 bytes JMP 00000001003003d0 .text C:\Users\Karol\Downloads\cuif39hx.exe[3588] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077d91900 5 bytes JMP 0000000100300594 .text C:\Users\Karol\Downloads\cuif39hx.exe[3588] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077d91bc4 5 bytes JMP 000000010030083a .text C:\Users\Karol\Downloads\cuif39hx.exe[3588] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077d91d50 5 bytes JMP 000000010030020c .text C:\Users\Karol\Downloads\cuif39hx.exe[3588] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 00000000760a524f 7 bytes JMP 0000000100300f52 .text C:\Users\Karol\Downloads\cuif39hx.exe[3588] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 00000000760a53d0 7 bytes JMP 0000000100310210 .text C:\Users\Karol\Downloads\cuif39hx.exe[3588] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 00000000760a5677 1 byte JMP 0000000100310048 .text C:\Users\Karol\Downloads\cuif39hx.exe[3588] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 00000000760a5679 5 bytes {JMP 0xffffffff8a26a9d1} .text C:\Users\Karol\Downloads\cuif39hx.exe[3588] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 00000000760a589a 7 bytes JMP 0000000100300ca6 .text C:\Users\Karol\Downloads\cuif39hx.exe[3588] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 00000000760a5a1d 7 bytes JMP 00000001003103d8 .text C:\Users\Karol\Downloads\cuif39hx.exe[3588] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 00000000760a5c9b 7 bytes JMP 000000010031012c .text C:\Users\Karol\Downloads\cuif39hx.exe[3588] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 00000000760a5d87 7 bytes JMP 00000001003102f4 .text C:\Users\Karol\Downloads\cuif39hx.exe[3588] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 00000000760a7240 7 bytes JMP 0000000100300e6e .text C:\Users\Karol\Downloads\cuif39hx.exe[3588] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 0000000075de15ea 7 bytes JMP 00000001003104bc ---- Threads - GMER 2.1 ---- Thread C:\Windows\SysWOW64\ntdll.dll [2308:2312] 00000000013f1c24 Thread C:\Windows\SysWOW64\ntdll.dll [2308:5164] 0000000069afe54e Thread C:\Windows\SysWOW64\ntdll.dll [2308:5628] 0000000064f8eec8 Thread C:\Windows\SysWOW64\ntdll.dll [2308:5632] 0000000064f8eec8 Thread C:\Windows\SysWOW64\ntdll.dll [2308:5636] 0000000064f8eec8 Thread C:\Windows\SysWOW64\ntdll.dll [2308:6032] 0000000064ea319b Thread C:\Windows\SysWOW64\ntdll.dll [2308:6072] 0000000069017019 Thread C:\Windows\SysWOW64\ntdll.dll [2308:4332] 0000000072941854 Thread C:\Windows\SysWOW64\ntdll.dll [3204:3208] 00000000013f1c24 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4188:1592] 000007fefbf12a7c Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4188:4836] 000007fee77dd618 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4188:4984] 000007feed5f5124 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\74e5431f861d Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\74e5431f861d@4844f72a495d 0xFE 0x6A 0x22 0x95 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\74e5431f861d (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\74e5431f861d@4844f72a495d 0xFE 0x6A 0x22 0x95 ... ---- EOF - GMER 2.1 ----