GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2016-02-06 19:47:59 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD64 rev.01.0 596,17GB Running: 02xlus3s.exe; Driver: C:\Users\Ania\AppData\Local\Temp\kftcqaog.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1436] C:\Windows\system32\kernel32.dll!RegSetValueExW 000000007728a460 7 bytes JMP 000000016fff0228 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1436] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000077293f80 5 bytes JMP 000000016fff0180 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1436] C:\Windows\system32\kernel32.dll!RegDeleteValueW 00000000772affa0 5 bytes JMP 000000016fff01b8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1436] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 00000000772bf330 5 bytes JMP 000000016fff0110 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1436] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 00000000772e9a80 7 bytes JMP 000000016fff00d8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1436] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000772f9510 5 bytes JMP 000000016fff0148 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1436] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000077318830 7 bytes JMP 000000016fff01f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1436] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd282db0 5 bytes JMP 000007fffd270180 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1436] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd2837d0 7 bytes JMP 000007fffd2700d8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1436] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd28a410 2 bytes JMP 000007fffd270110 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1436] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW + 3 000007fefd28a413 2 bytes [FE, FF] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1436] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd28aec0 6 bytes JMP 000007fffd270148 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1436] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefe3089d0 8 bytes JMP 000007fffd2701f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1436] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefe30be40 8 bytes JMP 000007fffd2701b8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1436] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdd074a0 11 bytes JMP 000007fffd270228 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1436] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefdd1bf10 7 bytes JMP 000007fffd270260 .text C:\Windows\system32\taskeng.exe[1132] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd282db0 5 bytes JMP 000007fffd270180 .text C:\Windows\system32\taskeng.exe[1132] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd2837d0 7 bytes JMP 000007fffd2700d8 .text C:\Windows\system32\taskeng.exe[1132] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd28a410 2 bytes JMP 000007fffd270110 .text C:\Windows\system32\taskeng.exe[1132] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW + 3 000007fefd28a413 2 bytes [FE, FF] .text C:\Windows\system32\taskeng.exe[1132] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd28aec0 6 bytes JMP 000007fffd270148 .text C:\Windows\system32\taskeng.exe[1132] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefe3089d0 8 bytes JMP 000007fffd2701f0 .text C:\Windows\system32\taskeng.exe[1132] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefe30be40 8 bytes JMP 000007fffd2701b8 .text C:\Windows\system32\taskeng.exe[1132] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdd074a0 11 bytes JMP 000007fffd270228 .text C:\Windows\system32\taskeng.exe[1132] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefdd1bf10 7 bytes JMP 000007fffd270260 .text C:\Windows\system32\Dwm.exe[404] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd282db0 5 bytes JMP 000007fffd270180 .text C:\Windows\system32\Dwm.exe[404] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd2837d0 7 bytes JMP 000007fffd2700d8 .text C:\Windows\system32\Dwm.exe[404] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd28a410 2 bytes JMP 000007fffd270110 .text C:\Windows\system32\Dwm.exe[404] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW + 3 000007fefd28a413 2 bytes [FE, FF] .text C:\Windows\system32\Dwm.exe[404] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd28aec0 6 bytes JMP 000007fffd270148 .text C:\Windows\system32\Dwm.exe[404] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefe3089d0 8 bytes JMP 000007fffd2701f0 .text C:\Windows\system32\Dwm.exe[404] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefe30be40 8 bytes JMP 000007fffd2701b8 .text C:\Windows\system32\Dwm.exe[404] C:\Windows\system32\dxgi.dll!CreateDXGIFactory 000007fef85ddc88 5 bytes JMP 000007fff83d00d8 .text C:\Windows\system32\Dwm.exe[404] C:\Windows\system32\dxgi.dll!CreateDXGIFactory1 000007fef85dde10 5 bytes JMP 000007fff83d0110 .text C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe[2084] C:\Windows\syswow64\KERNEL32.dll!RegQueryValueExW 0000000076cc1efe 5 bytes JMP 0000000173b54b10 .text C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe[2084] C:\Windows\syswow64\KERNEL32.dll!RegQueryValueExW + 6 0000000076cc1f04 1 byte INT3 .text C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe[2084] C:\Windows\syswow64\KERNEL32.dll!RegSetValueExW 0000000076cc5b9d 5 bytes JMP 0000000173b554b0 .text C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe[2084] C:\Windows\syswow64\KERNEL32.dll!RegSetValueExW + 6 0000000076cc5ba3 1 byte INT3 .text C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe[2084] C:\Windows\syswow64\KERNEL32.dll!RegSetValueExA 0000000076cd13f9 7 bytes JMP 0000000173b54e50 .text C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe[2084] C:\Windows\syswow64\KERNEL32.dll!RegDeleteValueW 0000000076cdea45 7 bytes JMP 0000000173b54b00 .text C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe[2084] C:\Windows\syswow64\KERNEL32.dll!K32EnumProcessModulesEx 0000000076d68f4c 7 bytes JMP 0000000173b545c0 .text C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe[2084] C:\Windows\syswow64\KERNEL32.dll!K32GetModuleInformation 0000000076d68fd1 5 bytes JMP 0000000173b54670 .text C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe[2084] C:\Windows\syswow64\KERNEL32.dll!K32GetMappedFileNameW 0000000076d69327 5 bytes JMP 0000000173b545d0 .text C:\Windows\SysWOW64\ACEngSvr.exe[2236] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000076cc1efe 5 bytes JMP 0000000173b54b10 .text C:\Windows\SysWOW64\ACEngSvr.exe[2236] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW + 6 0000000076cc1f04 1 byte INT3 .text C:\Windows\SysWOW64\ACEngSvr.exe[2236] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000076cc5b9d 5 bytes JMP 0000000173b554b0 .text C:\Windows\SysWOW64\ACEngSvr.exe[2236] C:\Windows\syswow64\kernel32.dll!RegSetValueExW + 6 0000000076cc5ba3 1 byte INT3 .text C:\Windows\SysWOW64\ACEngSvr.exe[2236] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000076cd13f9 7 bytes JMP 0000000173b54e50 .text C:\Windows\SysWOW64\ACEngSvr.exe[2236] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 0000000076cdea45 7 bytes JMP 0000000173b54b00 .text C:\Windows\SysWOW64\ACEngSvr.exe[2236] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000076d68f4c 7 bytes JMP 0000000173b545c0 .text C:\Windows\SysWOW64\ACEngSvr.exe[2236] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076d68fd1 5 bytes JMP 0000000173b54670 .text C:\Windows\SysWOW64\ACEngSvr.exe[2236] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076d69327 5 bytes JMP 0000000173b545d0 .text C:\Windows\SysWOW64\ACEngSvr.exe[2236] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076001d29 5 bytes JMP 0000000173b54580 .text C:\Windows\SysWOW64\ACEngSvr.exe[2236] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076001dd7 5 bytes JMP 0000000173b54540 .text C:\Windows\SysWOW64\ACEngSvr.exe[2236] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076002ab1 5 bytes JMP 0000000173b54680 .text C:\Windows\SysWOW64\ACEngSvr.exe[2236] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076002d1d 5 bytes JMP 0000000173b54360 .text C:\Windows\SysWOW64\ACEngSvr.exe[2236] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000075dd8a39 5 bytes JMP 0000000173b53a40 .text C:\Windows\SysWOW64\ACEngSvr.exe[2236] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000075de4582 5 bytes JMP 0000000173b542e0 .text C:\Windows\SysWOW64\ACEngSvr.exe[2236] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 0000000075dfe587 5 bytes JMP 0000000173b54350 .text C:\Windows\SysWOW64\ACEngSvr.exe[2236] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000075e208ab 5 bytes JMP 0000000173b53850 .text C:\Windows\SysWOW64\ACEngSvr.exe[2236] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000075e37b24 5 bytes JMP 0000000173b542d0 .text C:\Windows\SysWOW64\ACEngSvr.exe[2236] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000076f0d2b4 5 bytes JMP 0000000173b53b60 .text C:\Windows\SysWOW64\ACEngSvr.exe[2236] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000076f0d4ee 5 bytes JMP 0000000173b53b80 .text C:\Windows\SysWOW64\ACEngSvr.exe[2236] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000076b65ea5 5 bytes JMP 0000000173b53a00 .text C:\Windows\SysWOW64\ACEngSvr.exe[2236] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076b99d0b 5 bytes JMP 0000000173b53990 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[2532] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000076cc1efe 5 bytes JMP 0000000173b54b10 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[2532] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW + 6 0000000076cc1f04 1 byte INT3 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[2532] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000076cc5b9d 5 bytes JMP 0000000173b554b0 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[2532] C:\Windows\syswow64\kernel32.dll!RegSetValueExW + 6 0000000076cc5ba3 1 byte INT3 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[2532] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000076cd13f9 7 bytes JMP 0000000173b54e50 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[2532] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 0000000076cdea45 7 bytes JMP 0000000173b54b00 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[2532] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000076d68f4c 7 bytes JMP 0000000173b545c0 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[2532] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076d68fd1 5 bytes JMP 0000000173b54670 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[2532] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076d69327 5 bytes JMP 0000000173b545d0 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[2532] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076001d29 5 bytes JMP 0000000173b54580 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[2532] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076001dd7 5 bytes JMP 0000000173b54540 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[2532] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076002ab1 5 bytes JMP 0000000173b54680 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[2532] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076002d1d 5 bytes JMP 0000000173b54360 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[2532] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000075dd8a39 5 bytes JMP 0000000173b53a40 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[2532] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000075de4582 5 bytes JMP 0000000173b542e0 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[2532] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 0000000075dfe587 5 bytes JMP 0000000173b54350 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[2532] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000075e208ab 5 bytes JMP 0000000173b53850 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[2532] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000075e37b24 5 bytes JMP 0000000173b542d0 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[2532] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000076f0d2b4 5 bytes JMP 0000000173b53b60 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[2532] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000076f0d4ee 5 bytes JMP 0000000173b53b80 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[2532] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000076b65ea5 5 bytes JMP 0000000173b53a00 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[2532] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076b99d0b 5 bytes JMP 0000000173b53990 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2812] C:\Windows\system32\kernel32.dll!RegSetValueExW 000000007728a460 7 bytes JMP 000000016fff0228 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2812] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000077293f80 5 bytes JMP 000000016fff0180 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2812] C:\Windows\system32\kernel32.dll!RegDeleteValueW 00000000772affa0 5 bytes JMP 000000016fff01b8 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2812] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 00000000772bf330 5 bytes JMP 000000016fff0110 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2812] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 00000000772e9a80 7 bytes JMP 000000016fff00d8 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2812] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000772f9510 5 bytes JMP 000000016fff0148 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2812] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000077318830 7 bytes JMP 000000016fff01f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2812] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd282db0 5 bytes JMP 000007fffd270180 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2812] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd2837d0 7 bytes JMP 000007fffd2700d8 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2812] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd28a410 2 bytes JMP 000007fffd270110 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2812] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW + 3 000007fefd28a413 2 bytes [FE, FF] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2812] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd28aec0 6 bytes JMP 000007fffd270148 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2812] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdd074a0 11 bytes JMP 000007fffd270228 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2812] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefdd1bf10 7 bytes JMP 000007fffd270260 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2812] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefe3089d0 8 bytes JMP 000007fffd2701f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2812] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefe30be40 8 bytes JMP 000007fffd2701b8 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2812] C:\Windows\system32\d3d9.dll!Direct3DCreate9Ex 000007fef6ba2460 5 bytes JMP 000007fefd2702d0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2812] C:\Windows\system32\d3d9.dll!Direct3DCreate9 000007fef6bd96b0 6 bytes JMP 000007fefd270298 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2824] C:\Windows\system32\kernel32.dll!RegSetValueExW 000000007728a460 7 bytes JMP 000000016fff0228 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2824] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000077293f80 5 bytes JMP 000000016fff0180 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2824] C:\Windows\system32\kernel32.dll!RegDeleteValueW 00000000772affa0 5 bytes JMP 000000016fff01b8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2824] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 00000000772bf330 5 bytes JMP 000000016fff0110 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2824] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 00000000772e9a80 7 bytes JMP 000000016fff00d8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2824] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000772f9510 5 bytes JMP 000000016fff0148 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2824] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000077318830 7 bytes JMP 000000016fff01f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2824] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd282db0 5 bytes JMP 000007fffd270180 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2824] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd2837d0 7 bytes JMP 000007fffd2700d8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2824] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd28a410 2 bytes JMP 000007fffd270110 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2824] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW + 3 000007fefd28a413 2 bytes [FE, FF] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2824] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd28aec0 6 bytes JMP 000007fffd270148 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2824] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefe3089d0 8 bytes JMP 000007fffd2701f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2824] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefe30be40 8 bytes JMP 000007fffd2701b8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2824] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdd074a0 11 bytes JMP 000007fffd270228 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2824] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefdd1bf10 7 bytes JMP 000007fffd270260 .text C:\Windows\System32\igfxpers.exe[2588] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd282db0 5 bytes JMP 000007fffd270180 .text C:\Windows\System32\igfxpers.exe[2588] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd2837d0 7 bytes JMP 000007fffd2700d8 .text C:\Windows\System32\igfxpers.exe[2588] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd28a410 2 bytes JMP 000007fffd270110 .text C:\Windows\System32\igfxpers.exe[2588] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW + 3 000007fefd28a413 2 bytes [FE, FF] .text C:\Windows\System32\igfxpers.exe[2588] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd28aec0 6 bytes JMP 000007fffd270148 .text C:\Windows\System32\igfxpers.exe[2588] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefe3089d0 8 bytes JMP 000007fffd2701f0 .text C:\Windows\System32\igfxpers.exe[2588] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefe30be40 8 bytes JMP 000007fffd2701b8 .text C:\Windows\System32\igfxpers.exe[2588] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdd074a0 11 bytes JMP 000007fffd270228 .text C:\Windows\System32\igfxpers.exe[2588] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefdd1bf10 7 bytes JMP 000007fffd270260 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3080] C:\Windows\system32\kernel32.dll!RegSetValueExW 000000007728a460 7 bytes JMP 000000016fff0228 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3080] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000077293f80 5 bytes JMP 000000016fff0180 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3080] C:\Windows\system32\kernel32.dll!RegDeleteValueW 00000000772affa0 5 bytes JMP 000000016fff01b8 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3080] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 00000000772bf330 5 bytes JMP 000000016fff0110 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3080] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 00000000772e9a80 7 bytes JMP 000000016fff00d8 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3080] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000772f9510 5 bytes JMP 000000016fff0148 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3080] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000077318830 7 bytes JMP 000000016fff01f0 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3080] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd282db0 5 bytes JMP 000007fffd270180 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3080] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd2837d0 7 bytes JMP 000007fffd2700d8 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3080] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd28a410 2 bytes JMP 000007fffd270110 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3080] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW + 3 000007fefd28a413 2 bytes [FE, FF] .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3080] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd28aec0 6 bytes JMP 000007fffd270148 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3080] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdd074a0 11 bytes JMP 000007fffd270228 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3080] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefdd1bf10 7 bytes JMP 000007fffd270260 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3080] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefe3089d0 8 bytes JMP 000007fffd2701f0 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3080] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefe30be40 8 bytes JMP 000007fffd2701b8 .text C:\Windows\vsnp2uvc.exe[3280] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000076cc1efe 5 bytes JMP 0000000173b54b10 .text C:\Windows\vsnp2uvc.exe[3280] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW + 6 0000000076cc1f04 1 byte INT3 .text C:\Windows\vsnp2uvc.exe[3280] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000076cc5b9d 5 bytes JMP 0000000173b554b0 .text C:\Windows\vsnp2uvc.exe[3280] C:\Windows\syswow64\kernel32.dll!RegSetValueExW + 6 0000000076cc5ba3 1 byte INT3 .text C:\Windows\vsnp2uvc.exe[3280] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000076cd13f9 7 bytes JMP 0000000173b54e50 .text C:\Windows\vsnp2uvc.exe[3280] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 0000000076cdea45 7 bytes JMP 0000000173b54b00 .text C:\Windows\vsnp2uvc.exe[3280] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000076d68f4c 7 bytes JMP 0000000173b545c0 .text C:\Windows\vsnp2uvc.exe[3280] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076d68fd1 5 bytes JMP 0000000173b54670 .text C:\Windows\vsnp2uvc.exe[3280] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076d69327 5 bytes JMP 0000000173b545d0 .text C:\Windows\vsnp2uvc.exe[3280] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076001d29 5 bytes JMP 0000000173b54580 .text C:\Windows\vsnp2uvc.exe[3280] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076001dd7 5 bytes JMP 0000000173b54540 .text C:\Windows\vsnp2uvc.exe[3280] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076002ab1 5 bytes JMP 0000000173b54680 .text C:\Windows\vsnp2uvc.exe[3280] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076002d1d 5 bytes JMP 0000000173b54360 .text C:\Windows\vsnp2uvc.exe[3280] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000075dd8a39 5 bytes JMP 0000000173b53a40 .text C:\Windows\vsnp2uvc.exe[3280] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000075de4582 5 bytes JMP 0000000173b542e0 .text C:\Windows\vsnp2uvc.exe[3280] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 0000000075dfe587 5 bytes JMP 0000000173b54350 .text C:\Windows\vsnp2uvc.exe[3280] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000075e208ab 5 bytes JMP 0000000173b53850 .text C:\Windows\vsnp2uvc.exe[3280] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000075e37b24 5 bytes JMP 0000000173b542d0 .text C:\Windows\vsnp2uvc.exe[3280] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000076f0d2b4 5 bytes JMP 0000000173b53b60 .text C:\Windows\vsnp2uvc.exe[3280] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000076f0d4ee 5 bytes JMP 0000000173b53b80 .text C:\Windows\vsnp2uvc.exe[3280] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000076b65ea5 5 bytes JMP 0000000173b53a00 .text C:\Windows\vsnp2uvc.exe[3280] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076b99d0b 5 bytes JMP 0000000173b53990 .text C:\Program Files\Elantech\ETDCtrl.exe[3296] C:\Windows\system32\kernel32.dll!RegSetValueExW 000000007728a460 7 bytes JMP 000000016fff0228 .text C:\Program Files\Elantech\ETDCtrl.exe[3296] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000077293f80 5 bytes JMP 000000016fff0180 .text C:\Program Files\Elantech\ETDCtrl.exe[3296] C:\Windows\system32\kernel32.dll!RegDeleteValueW 00000000772affa0 5 bytes JMP 000000016fff01b8 .text C:\Program Files\Elantech\ETDCtrl.exe[3296] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 00000000772bf330 5 bytes JMP 000000016fff0110 .text C:\Program Files\Elantech\ETDCtrl.exe[3296] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 00000000772e9a80 7 bytes JMP 000000016fff00d8 .text C:\Program Files\Elantech\ETDCtrl.exe[3296] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000772f9510 5 bytes JMP 000000016fff0148 .text C:\Program Files\Elantech\ETDCtrl.exe[3296] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000077318830 7 bytes JMP 000000016fff01f0 .text C:\Program Files\Elantech\ETDCtrl.exe[3296] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd282db0 5 bytes JMP 000007fffd270180 .text C:\Program Files\Elantech\ETDCtrl.exe[3296] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd2837d0 7 bytes JMP 000007fffd2700d8 .text C:\Program Files\Elantech\ETDCtrl.exe[3296] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd28a410 2 bytes JMP 000007fffd270110 .text C:\Program Files\Elantech\ETDCtrl.exe[3296] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW + 3 000007fefd28a413 2 bytes [FE, FF] .text C:\Program Files\Elantech\ETDCtrl.exe[3296] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd28aec0 6 bytes JMP 000007fffd270148 .text C:\Program Files\Elantech\ETDCtrl.exe[3296] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefe3089d0 8 bytes JMP 000007fffd2701f0 .text C:\Program Files\Elantech\ETDCtrl.exe[3296] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefe30be40 8 bytes JMP 000007fffd2701b8 .text C:\Program Files\Elantech\ETDCtrl.exe[3296] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdd074a0 11 bytes JMP 000007fffd270228 .text C:\Program Files\Elantech\ETDCtrl.exe[3296] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefdd1bf10 7 bytes JMP 000007fffd270260 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3324] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000076cc1efe 5 bytes JMP 0000000173b54b10 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3324] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW + 6 0000000076cc1f04 1 byte INT3 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3324] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000076cc5b9d 5 bytes JMP 0000000173b554b0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3324] C:\Windows\syswow64\kernel32.dll!RegSetValueExW + 6 0000000076cc5ba3 1 byte INT3 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3324] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000076cd13f9 7 bytes JMP 0000000173b54e50 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3324] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 0000000076cdea45 7 bytes JMP 0000000173b54b00 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3324] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000076d68f4c 7 bytes JMP 0000000173b545c0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3324] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076d68fd1 5 bytes JMP 0000000173b54670 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3324] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076d69327 5 bytes JMP 0000000173b545d0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3324] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076001d29 5 bytes JMP 0000000173b54580 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3324] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076001dd7 5 bytes JMP 0000000173b54540 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3324] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076002ab1 5 bytes JMP 0000000173b54680 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3324] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076002d1d 5 bytes JMP 0000000173b54360 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3324] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000075dd8a39 5 bytes JMP 0000000173b53a40 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3324] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000075de4582 5 bytes JMP 0000000173b542e0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3324] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 0000000075dfe587 5 bytes JMP 0000000173b54350 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3324] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000075e208ab 5 bytes JMP 0000000173b53850 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3324] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000075e37b24 5 bytes JMP 0000000173b542d0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3324] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000076f0d2b4 5 bytes JMP 0000000173b53b60 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3324] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000076f0d4ee 5 bytes JMP 0000000173b53b80 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3324] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000076b65ea5 5 bytes JMP 0000000173b53a00 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3324] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076b99d0b 5 bytes JMP 0000000173b53990 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3324] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077651401 2 bytes JMP 76ceb21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3324] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077651419 2 bytes JMP 76ceb346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3324] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077651431 2 bytes JMP 76d68fd1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3324] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007765144a 2 bytes CALL 76cc489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3324] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000776514dd 2 bytes JMP 76d688c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3324] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000776514f5 2 bytes JMP 76d68aa0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3324] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007765150d 2 bytes JMP 76d687ba C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3324] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077651525 2 bytes JMP 76d68b8a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3324] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007765153d 2 bytes JMP 76cdfca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3324] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077651555 2 bytes JMP 76ce68ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3324] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007765156d 2 bytes JMP 76d69089 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3324] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077651585 2 bytes JMP 76d68bea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3324] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007765159d 2 bytes JMP 76d6877e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3324] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000776515b5 2 bytes JMP 76cdfd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3324] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000776515cd 2 bytes JMP 76ceb2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3324] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000776516b2 2 bytes JMP 76d68f4c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3324] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000776516bd 2 bytes JMP 76d68713 C:\Windows\syswow64\kernel32.dll .text C:\Users\Ania\AppData\Local\Microsoft\BingSvc\BingSvc.exe[3904] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000076cc1efe 5 bytes JMP 0000000173b54b10 .text C:\Users\Ania\AppData\Local\Microsoft\BingSvc\BingSvc.exe[3904] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW + 6 0000000076cc1f04 1 byte INT3 .text C:\Users\Ania\AppData\Local\Microsoft\BingSvc\BingSvc.exe[3904] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000076cc5b9d 5 bytes JMP 0000000173b554b0 .text C:\Users\Ania\AppData\Local\Microsoft\BingSvc\BingSvc.exe[3904] C:\Windows\syswow64\kernel32.dll!RegSetValueExW + 6 0000000076cc5ba3 1 byte INT3 .text C:\Users\Ania\AppData\Local\Microsoft\BingSvc\BingSvc.exe[3904] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000076cd13f9 7 bytes JMP 0000000173b54e50 .text C:\Users\Ania\AppData\Local\Microsoft\BingSvc\BingSvc.exe[3904] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 0000000076cdea45 7 bytes JMP 0000000173b54b00 .text C:\Users\Ania\AppData\Local\Microsoft\BingSvc\BingSvc.exe[3904] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000076d68f4c 7 bytes JMP 0000000173b545c0 .text C:\Users\Ania\AppData\Local\Microsoft\BingSvc\BingSvc.exe[3904] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076d68fd1 5 bytes JMP 0000000173b54670 .text C:\Users\Ania\AppData\Local\Microsoft\BingSvc\BingSvc.exe[3904] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076d69327 5 bytes JMP 0000000173b545d0 .text C:\Users\Ania\AppData\Local\Microsoft\BingSvc\BingSvc.exe[3904] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076001d29 5 bytes JMP 0000000173b54580 .text C:\Users\Ania\AppData\Local\Microsoft\BingSvc\BingSvc.exe[3904] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076001dd7 5 bytes JMP 0000000173b54540 .text C:\Users\Ania\AppData\Local\Microsoft\BingSvc\BingSvc.exe[3904] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076002ab1 5 bytes JMP 0000000173b54680 .text C:\Users\Ania\AppData\Local\Microsoft\BingSvc\BingSvc.exe[3904] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076002d1d 5 bytes JMP 0000000173b54360 .text C:\Users\Ania\AppData\Local\Microsoft\BingSvc\BingSvc.exe[3904] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000076f0d2b4 5 bytes JMP 0000000173b53b60 .text C:\Users\Ania\AppData\Local\Microsoft\BingSvc\BingSvc.exe[3904] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000076f0d4ee 5 bytes JMP 0000000173b53b80 .text C:\Users\Ania\AppData\Local\Microsoft\BingSvc\BingSvc.exe[3904] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000075dd8a39 5 bytes JMP 0000000173b53a40 .text C:\Users\Ania\AppData\Local\Microsoft\BingSvc\BingSvc.exe[3904] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000075de4582 5 bytes JMP 0000000173b542e0 .text C:\Users\Ania\AppData\Local\Microsoft\BingSvc\BingSvc.exe[3904] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 0000000075dfe587 5 bytes JMP 0000000173b54350 .text C:\Users\Ania\AppData\Local\Microsoft\BingSvc\BingSvc.exe[3904] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000075e208ab 5 bytes JMP 0000000173b53850 .text C:\Users\Ania\AppData\Local\Microsoft\BingSvc\BingSvc.exe[3904] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000075e37b24 5 bytes JMP 0000000173b542d0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3916] C:\Windows\system32\kernel32.dll!RegSetValueExW 000000007728a460 7 bytes JMP 000000016fff0228 .text C:\Program Files\Windows Sidebar\sidebar.exe[3916] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000077293f80 5 bytes JMP 000000016fff0180 .text C:\Program Files\Windows Sidebar\sidebar.exe[3916] C:\Windows\system32\kernel32.dll!RegDeleteValueW 00000000772affa0 5 bytes JMP 000000016fff01b8 .text C:\Program Files\Windows Sidebar\sidebar.exe[3916] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 00000000772bf330 5 bytes JMP 000000016fff0110 .text C:\Program Files\Windows Sidebar\sidebar.exe[3916] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 00000000772e9a80 7 bytes JMP 000000016fff00d8 .text C:\Program Files\Windows Sidebar\sidebar.exe[3916] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000772f9510 5 bytes JMP 000000016fff0148 .text C:\Program Files\Windows Sidebar\sidebar.exe[3916] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000077318830 7 bytes JMP 000000016fff01f0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3916] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd282db0 5 bytes JMP 000007fffd230180 .text C:\Program Files\Windows Sidebar\sidebar.exe[3916] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd2837d0 7 bytes JMP 000007fffd2300d8 .text C:\Program Files\Windows Sidebar\sidebar.exe[3916] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd28a410 2 bytes JMP 000007fffd230110 .text C:\Program Files\Windows Sidebar\sidebar.exe[3916] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW + 3 000007fefd28a413 2 bytes [FA, FF] .text C:\Program Files\Windows Sidebar\sidebar.exe[3916] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd28aec0 6 bytes JMP 000007fffd230148 .text C:\Program Files\Windows Sidebar\sidebar.exe[3916] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefe3089d0 8 bytes JMP 000007fffd2301f0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3916] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefe30be40 8 bytes JMP 000007fffd2301b8 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3500] C:\Windows\system32\kernel32.dll!RegSetValueExW 000000007728a460 7 bytes JMP 000000016fff0228 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3500] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000077293f80 5 bytes JMP 000000016fff0180 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3500] C:\Windows\system32\kernel32.dll!RegDeleteValueW 00000000772affa0 5 bytes JMP 000000016fff01b8 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3500] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 00000000772bf330 5 bytes JMP 000000016fff0110 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3500] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 00000000772e9a80 7 bytes JMP 000000016fff00d8 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3500] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000772f9510 5 bytes JMP 000000016fff0148 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3500] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000077318830 7 bytes JMP 000000016fff01f0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3500] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd282db0 5 bytes JMP 000007fffd270180 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3500] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd2837d0 7 bytes JMP 000007fffd2700d8 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3500] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd28a410 2 bytes JMP 000007fffd270110 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3500] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW + 3 000007fefd28a413 2 bytes [FE, FF] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3500] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd28aec0 6 bytes JMP 000007fffd270148 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3500] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefe3089d0 8 bytes JMP 000007fffd2701f0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3500] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefe30be40 8 bytes JMP 000007fffd2701b8 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[1948] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000076cc1efe 5 bytes JMP 0000000173b54b10 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[1948] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW + 6 0000000076cc1f04 1 byte INT3 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[1948] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000076cc5b9d 5 bytes JMP 0000000173b554b0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[1948] C:\Windows\syswow64\kernel32.dll!RegSetValueExW + 6 0000000076cc5ba3 1 byte INT3 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[1948] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000076cd13f9 7 bytes JMP 0000000173b54e50 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[1948] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 0000000076cdea45 7 bytes JMP 0000000173b54b00 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[1948] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000076d68f4c 7 bytes JMP 0000000173b545c0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[1948] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076d68fd1 5 bytes JMP 0000000173b54670 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[1948] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076d69327 5 bytes JMP 0000000173b545d0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[1948] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076001d29 5 bytes JMP 0000000173b54580 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[1948] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076001dd7 5 bytes JMP 0000000173b54540 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[1948] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076002ab1 5 bytes JMP 0000000173b54680 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[1948] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076002d1d 5 bytes JMP 0000000173b54360 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[1948] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000075dd8a39 5 bytes JMP 0000000173b53a40 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[1948] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000075de4582 5 bytes JMP 0000000173b542e0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[1948] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 0000000075dfe587 5 bytes JMP 0000000173b54350 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[1948] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000075e208ab 5 bytes JMP 0000000173b53850 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[1948] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000075e37b24 5 bytes JMP 0000000173b542d0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[1948] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000076f0d2b4 5 bytes JMP 0000000173b53b60 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[1948] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000076f0d4ee 5 bytes JMP 0000000173b53b80 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[1948] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000076b65ea5 5 bytes JMP 0000000173b53a00 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[1948] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076b99d0b 5 bytes JMP 0000000173b53990 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[1256] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000076cc1efe 5 bytes JMP 0000000173b54b10 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[1256] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW + 6 0000000076cc1f04 1 byte INT3 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[1256] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000076cc5b9d 5 bytes JMP 0000000173b554b0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[1256] C:\Windows\syswow64\kernel32.dll!RegSetValueExW + 6 0000000076cc5ba3 1 byte INT3 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[1256] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000076cd13f9 7 bytes JMP 0000000173b54e50 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[1256] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 0000000076cdea45 7 bytes JMP 0000000173b54b00 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[1256] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000076d68f4c 7 bytes JMP 0000000173b545c0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[1256] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076d68fd1 5 bytes JMP 0000000173b54670 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[1256] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076d69327 5 bytes JMP 0000000173b545d0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[1256] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076001d29 5 bytes JMP 0000000173b54580 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[1256] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076001dd7 5 bytes JMP 0000000173b54540 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[1256] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076002ab1 5 bytes JMP 0000000173b54680 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[1256] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076002d1d 5 bytes JMP 0000000173b54360 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[1256] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000075dd8a39 5 bytes JMP 0000000173b53a40 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[1256] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000075de4582 5 bytes JMP 0000000173b542e0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[1256] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 0000000075dfe587 5 bytes JMP 0000000173b54350 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[1256] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000075e208ab 5 bytes JMP 0000000173b53850 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[1256] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000075e37b24 5 bytes JMP 0000000173b542d0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[1256] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000076f0d2b4 5 bytes JMP 0000000173b53b60 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[1256] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000076f0d4ee 5 bytes JMP 0000000173b53b80 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[1256] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000076b65ea5 5 bytes JMP 0000000173b53a00 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[1256] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076b99d0b 5 bytes JMP 0000000173b53990 .text C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe[4104] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000076cc1efe 5 bytes JMP 0000000173b54b10 .text C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe[4104] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW + 6 0000000076cc1f04 1 byte INT3 .text C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe[4104] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000076cc5b9d 5 bytes JMP 0000000173b554b0 .text C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe[4104] C:\Windows\syswow64\kernel32.dll!RegSetValueExW + 6 0000000076cc5ba3 1 byte INT3 .text C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe[4104] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000076cd13f9 7 bytes JMP 0000000173b54e50 .text C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe[4104] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 0000000076cdea45 7 bytes JMP 0000000173b54b00 .text C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe[4104] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000076d68f4c 7 bytes JMP 0000000173b545c0 .text C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe[4104] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076d68fd1 5 bytes JMP 0000000173b54670 .text C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe[4104] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076d69327 5 bytes JMP 0000000173b545d0 .text C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe[4104] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076001d29 5 bytes JMP 0000000173b54580 .text C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe[4104] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076001dd7 5 bytes JMP 0000000173b54540 .text C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe[4104] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076002ab1 5 bytes JMP 0000000173b54680 .text C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe[4104] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076002d1d 5 bytes JMP 0000000173b54360 .text C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe[4104] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000076b65ea5 5 bytes JMP 0000000173b53a00 .text C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe[4104] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076b99d0b 5 bytes JMP 0000000173b53990 .text C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe[4104] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000076f0d2b4 5 bytes JMP 0000000173b53b60 .text C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe[4104] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000076f0d4ee 5 bytes JMP 0000000173b53b80 .text C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe[4104] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000075dd8a39 5 bytes JMP 0000000173b53a40 .text C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe[4104] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000075de4582 5 bytes JMP 0000000173b542e0 .text C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe[4104] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 0000000075dfe587 5 bytes JMP 0000000173b54350 .text C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe[4104] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000075e208ab 5 bytes JMP 0000000173b53850 .text C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe[4104] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000075e37b24 5 bytes JMP 0000000173b542d0 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[4112] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000076cc1efe 5 bytes JMP 0000000173b54b10 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[4112] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW + 6 0000000076cc1f04 1 byte INT3 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[4112] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000076cc5b9d 5 bytes JMP 0000000173b554b0 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[4112] C:\Windows\syswow64\kernel32.dll!RegSetValueExW + 6 0000000076cc5ba3 1 byte INT3 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[4112] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000076cd13f9 7 bytes JMP 0000000173b54e50 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[4112] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 0000000076cdea45 7 bytes JMP 0000000173b54b00 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[4112] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000076d68f4c 7 bytes JMP 0000000173b545c0 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[4112] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076d68fd1 5 bytes JMP 0000000173b54670 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[4112] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076d69327 5 bytes JMP 0000000173b545d0 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[4112] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076001d29 5 bytes JMP 0000000173b54580 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[4112] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076001dd7 5 bytes JMP 0000000173b54540 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[4112] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076002ab1 5 bytes JMP 0000000173b54680 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[4112] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076002d1d 5 bytes JMP 0000000173b54360 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[4112] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000075dd8a39 5 bytes JMP 0000000173b53a40 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[4112] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000075de4582 5 bytes JMP 0000000173b542e0 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[4112] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 0000000075dfe587 5 bytes JMP 0000000173b54350 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[4112] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000075e208ab 5 bytes JMP 0000000173b53850 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[4112] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000075e37b24 5 bytes JMP 0000000173b542d0 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[4112] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000076f0d2b4 5 bytes JMP 0000000173b53b60 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[4112] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000076f0d4ee 5 bytes JMP 0000000173b53b80 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[4112] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000076b65ea5 5 bytes JMP 0000000173b53a00 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[4112] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076b99d0b 5 bytes JMP 0000000173b53990 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4188] C:\Windows\system32\kernel32.dll!RegSetValueExW 000000007728a460 7 bytes JMP 000000016fff0228 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4188] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000077293f80 5 bytes JMP 000000016fff0180 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4188] C:\Windows\system32\kernel32.dll!RegDeleteValueW 00000000772affa0 5 bytes JMP 000000016fff01b8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4188] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 00000000772bf330 5 bytes JMP 000000016fff0110 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4188] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 00000000772e9a80 7 bytes JMP 000000016fff00d8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4188] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000772f9510 5 bytes JMP 000000016fff0148 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4188] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000077318830 7 bytes JMP 000000016fff01f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4188] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd282db0 5 bytes JMP 000007fffd270180 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4188] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd2837d0 7 bytes JMP 000007fffd2700d8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4188] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd28a410 2 bytes JMP 000007fffd270110 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4188] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW + 3 000007fefd28a413 2 bytes [FE, FF] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4188] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd28aec0 6 bytes JMP 000007fffd270148 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4188] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefe3089d0 8 bytes JMP 000007fffd2701f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4188] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefe30be40 8 bytes JMP 000007fffd2701b8 .text C:\Users\Ania\Desktop\02xlus3s.exe[5432] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 00000000774a13ef 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Ania\Desktop\02xlus3s.exe[5432] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 00000000774a1544 8 bytes [60, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Users\Ania\Desktop\02xlus3s.exe[5432] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 00000000774a18ce 8 bytes [50, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Users\Ania\Desktop\02xlus3s.exe[5432] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 00000000774a1ba8 8 bytes [40, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Users\Ania\Desktop\02xlus3s.exe[5432] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 00000000774a1d25 8 bytes [30, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Users\Ania\Desktop\02xlus3s.exe[5432] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 00000000774a1e8f 8 bytes [20, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Users\Ania\Desktop\02xlus3s.exe[5432] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 89 00000000774a1f75 8 bytes [10, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Users\Ania\Desktop\02xlus3s.exe[5432] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 680 00000000774a2238 8 bytes [00, 6E, F8, 7E, 00, 00, 00, ...] .text C:\Users\Ania\Desktop\02xlus3s.exe[5432] C:\Windows\SYSTEM32\ntdll.dll!RtlIsGenericTableEmptyAvl + 16 00000000774a26e0 8 bytes [F0, 6D, F8, 7E, 00, 00, 00, ...] .text C:\Users\Ania\Desktop\02xlus3s.exe[5432] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00000000774eda80 8 bytes {JMP QWORD [RIP-0x4bd61]} .text C:\Users\Ania\Desktop\02xlus3s.exe[5432] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 00000000774edc00 8 bytes {JMP QWORD [RIP-0x4bd77]} .text C:\Users\Ania\Desktop\02xlus3s.exe[5432] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000774edc30 8 bytes {JMP QWORD [RIP-0x4c6f2]} .text C:\Users\Ania\Desktop\02xlus3s.exe[5432] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774edd50 8 bytes {JMP QWORD [RIP-0x4c1ae]} .text C:\Users\Ania\Desktop\02xlus3s.exe[5432] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000774ede00 8 bytes {JMP QWORD [RIP-0x4c538]} .text C:\Users\Ania\Desktop\02xlus3s.exe[5432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774ee430 8 bytes {JMP QWORD [RIP-0x4bd56]} .text C:\Users\Ania\Desktop\02xlus3s.exe[5432] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000774ee680 8 bytes {JMP QWORD [RIP-0x4c44e]} .text C:\Users\Ania\Desktop\02xlus3s.exe[5432] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774eeee0 8 bytes {JMP QWORD [RIP-0x4cf71]} .text C:\Users\Ania\Desktop\02xlus3s.exe[5432] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 0000000074f213cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Ania\Desktop\02xlus3s.exe[5432] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 0000000074f2146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Users\Ania\Desktop\02xlus3s.exe[5432] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 0000000074f216d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Ania\Desktop\02xlus3s.exe[5432] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 0000000074f219db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Ania\Desktop\02xlus3s.exe[5432] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 0000000074f219fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Ania\Desktop\02xlus3s.exe[5432] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000074f21a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Ania\Desktop\02xlus3s.exe[5432] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000076cc1efe 5 bytes JMP 0000000173b54b10 .text C:\Users\Ania\Desktop\02xlus3s.exe[5432] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW + 6 0000000076cc1f04 1 byte INT3 .text C:\Users\Ania\Desktop\02xlus3s.exe[5432] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000076cc5b9d 5 bytes JMP 0000000173b554b0 .text C:\Users\Ania\Desktop\02xlus3s.exe[5432] C:\Windows\syswow64\kernel32.dll!RegSetValueExW + 6 0000000076cc5ba3 1 byte INT3 .text C:\Users\Ania\Desktop\02xlus3s.exe[5432] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000076cd13f9 7 bytes JMP 0000000173b54e50 .text C:\Users\Ania\Desktop\02xlus3s.exe[5432] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 0000000076cdea45 7 bytes JMP 0000000173b54b00 .text C:\Users\Ania\Desktop\02xlus3s.exe[5432] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000076d68f4c 7 bytes JMP 0000000173b545c0 .text C:\Users\Ania\Desktop\02xlus3s.exe[5432] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076d68fd1 5 bytes JMP 0000000173b54670 .text C:\Users\Ania\Desktop\02xlus3s.exe[5432] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076d69327 5 bytes JMP 0000000173b545d0 .text C:\Users\Ania\Desktop\02xlus3s.exe[5432] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076001d29 5 bytes JMP 0000000173b54580 .text C:\Users\Ania\Desktop\02xlus3s.exe[5432] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076001dd7 5 bytes JMP 0000000173b54540 .text C:\Users\Ania\Desktop\02xlus3s.exe[5432] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076002ab1 5 bytes JMP 0000000173b54680 .text C:\Users\Ania\Desktop\02xlus3s.exe[5432] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076002d1d 5 bytes JMP 0000000173b54360 .text C:\Users\Ania\Desktop\02xlus3s.exe[5432] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000076f0d2b4 5 bytes JMP 0000000173b53b60 .text C:\Users\Ania\Desktop\02xlus3s.exe[5432] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000076f0d4ee 5 bytes JMP 0000000173b53b80 .text C:\Users\Ania\Desktop\02xlus3s.exe[5432] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000075dd8a39 5 bytes JMP 0000000173b53a40 .text C:\Users\Ania\Desktop\02xlus3s.exe[5432] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000075de4582 5 bytes JMP 0000000173b542e0 .text C:\Users\Ania\Desktop\02xlus3s.exe[5432] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 0000000075dfe587 5 bytes JMP 0000000173b54350 .text C:\Users\Ania\Desktop\02xlus3s.exe[5432] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000075e208ab 5 bytes JMP 0000000173b53850 .text C:\Users\Ania\Desktop\02xlus3s.exe[5432] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000075e37b24 5 bytes JMP 0000000173b542d0 ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\System32\win32k.sys[ntoskrnl.exe!KeUserModeCallback] [fffff880034f4f58] \SystemRoot\system32\DRIVERS\klif.sys [PAGE] ---- Threads - GMER 2.1 ---- Thread [5032:3940] 00000000715abe10 Thread [5032:3936] 00000000776bc557 Thread [5032:4124] 00000000719cc59c Thread [5032:4128] 00000000719cc59c Thread [5032:1676] 00000000719cc59c Thread [5032:1412] 00000000719cc59c Thread [5032:4360] 00000000719cc59c Thread [5032:4224] 00000000719cc59c Thread [5032:4348] 00000000719cc59c Thread [5032:5564] 0000000068cecf5c Thread [5032:5568] 0000000068d6a8c0 Thread [5032:5780] 0000000068d6a8c0 Thread [5032:5800] 00000000650daec5 Thread [5032:5808] 0000000076b7d854 Thread [5032:4724] 0000000068d6a8c0 Thread [5032:1600] 0000000073bc7850 Thread [5032:1772] 00000000719cc59c Thread [5032:5984] 00000000776d27c1 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\485d60f3ffe9 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\485d60f3ffe9 (not active ControlSet) ---- EOF - GMER 2.1 ----