GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-09-17 09:10:29 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD64 rev.01.0 596,17GB Running: s1qhoygi.exe; Driver: C:\Users\Marta\AppData\Local\Temp\fwddikog.sys ---- User code sections - GMER 2.2 ---- .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1576] C:\Windows\system32\kernel32.dll!RegSetValueExW 0000000077a8a3e0 7 bytes JMP 000000006fff0228 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1576] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000077a93f00 5 bytes JMP 000000006fff0180 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1576] C:\Windows\system32\kernel32.dll!RegDeleteValueW 0000000077aaffd0 5 bytes JMP 000000006fff01b8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1576] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 0000000077abf350 5 bytes JMP 000000006fff0110 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1576] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000077ae9aa0 7 bytes JMP 000000006fff00d8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1576] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 0000000077af9530 5 bytes JMP 000000006fff0148 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1576] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000077b18850 7 bytes JMP 000000006fff01f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1576] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefc632db0 5 bytes JMP 000007fefc620180 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1576] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefc6337d0 7 bytes JMP 000007fefc6200d8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1576] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefc63a410 2 bytes JMP 000007fefc620110 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1576] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW + 3 000007fefc63a413 2 bytes [FE, FF] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1576] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefc63aec0 6 bytes JMP 000007fefc620148 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1576] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefd8589e0 8 bytes JMP 000007fefc6201f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1576] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefd85be40 8 bytes JMP 000007fefc6201b8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1576] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefcd47490 11 bytes JMP 000007fefc620228 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1576] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefcd5bf00 7 bytes JMP 000007fefc620260 .text C:\Windows\system32\Dwm.exe[1800] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefc632db0 5 bytes JMP 000007fefc620180 .text C:\Windows\system32\Dwm.exe[1800] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefc6337d0 7 bytes JMP 000007fefc6200d8 .text C:\Windows\system32\Dwm.exe[1800] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefc63a410 2 bytes JMP 000007fefc620110 .text C:\Windows\system32\Dwm.exe[1800] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW + 3 000007fefc63a413 2 bytes [FE, FF] .text C:\Windows\system32\Dwm.exe[1800] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefc63aec0 6 bytes JMP 000007fefc620148 .text C:\Windows\system32\Dwm.exe[1800] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefd8589e0 8 bytes JMP 000007fefc6201f0 .text C:\Windows\system32\Dwm.exe[1800] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefd85be40 8 bytes JMP 000007fefc6201b8 .text C:\Windows\system32\Dwm.exe[1800] C:\Windows\system32\dxgi.dll!CreateDXGIFactory 000007fef7f6dc88 5 bytes JMP 000007fef7f400d8 .text C:\Windows\system32\Dwm.exe[1800] C:\Windows\system32\dxgi.dll!CreateDXGIFactory1 000007fef7f6de10 5 bytes JMP 000007fef7f40110 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2204] C:\Windows\system32\kernel32.dll!RegSetValueExW 0000000077a8a3e0 7 bytes JMP 000000006fff0228 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2204] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000077a93f00 5 bytes JMP 000000006fff0180 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2204] C:\Windows\system32\kernel32.dll!RegDeleteValueW 0000000077aaffd0 5 bytes JMP 000000006fff01b8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2204] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 0000000077abf350 5 bytes JMP 000000006fff0110 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2204] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000077ae9aa0 7 bytes JMP 000000006fff00d8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2204] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 0000000077af9530 5 bytes JMP 000000006fff0148 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2204] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000077b18850 7 bytes JMP 000000006fff01f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2204] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefc632db0 5 bytes JMP 000007fefc610180 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2204] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefc6337d0 7 bytes JMP 000007fefc6100d8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2204] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefc63a410 2 bytes JMP 000007fefc610110 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2204] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW + 3 000007fefc63a413 2 bytes [FD, FF] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2204] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefc63aec0 6 bytes JMP 000007fefc610148 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2204] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefd8589e0 8 bytes JMP 000007fefc6101f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2204] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefd85be40 8 bytes JMP 000007fefc6101b8 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2212] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000077371efe 7 bytes JMP 0000000075123dd0 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2212] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000077375b9d 7 bytes JMP 00000000751240e0 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2212] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000773813f9 7 bytes JMP 0000000075123f10 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2212] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 000000007738ea45 7 bytes JMP 0000000075123dc0 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2212] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000077418ea4 7 bytes JMP 0000000075123b50 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2212] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000077418f29 5 bytes JMP 0000000075123c00 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2212] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000077419281 5 bytes JMP 0000000075123b60 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2212] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000776e1d29 5 bytes JMP 0000000075123b00 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2212] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 00000000776e1dd7 5 bytes JMP 0000000075123ab0 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2212] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000776e2ab1 5 bytes JMP 0000000075123c10 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2212] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000776e2d1d 5 bytes JMP 0000000075123890 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2212] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007622e96b 5 bytes JMP 00000000751233e0 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2212] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007622eba5 5 bytes JMP 00000000751233f0 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2212] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076378a29 5 bytes JMP 0000000075123370 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2212] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076384572 5 bytes JMP 0000000075123810 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2212] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 000000007639e567 5 bytes JMP 0000000075123880 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2212] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 00000000763c07d7 5 bytes JMP 0000000075123280 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2212] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 00000000763d7a5c 5 bytes JMP 0000000075123800 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2212] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 00000000758a5ea5 5 bytes JMP 0000000075123320 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2212] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000758d9d0b 5 bytes JMP 00000000751232b0 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2244] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000077371efe 7 bytes JMP 0000000075123dd0 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2244] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000077375b9d 7 bytes JMP 00000000751240e0 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2244] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000773813f9 7 bytes JMP 0000000075123f10 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2244] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 000000007738ea45 7 bytes JMP 0000000075123dc0 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2244] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000077418ea4 7 bytes JMP 0000000075123b50 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2244] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000077418f29 5 bytes JMP 0000000075123c00 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2244] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000077419281 5 bytes JMP 0000000075123b60 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2244] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000776e1d29 5 bytes JMP 0000000075123b00 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2244] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 00000000776e1dd7 5 bytes JMP 0000000075123ab0 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2244] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000776e2ab1 5 bytes JMP 0000000075123c10 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2244] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000776e2d1d 5 bytes JMP 0000000075123890 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2244] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076378a29 5 bytes JMP 0000000075123370 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2244] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076384572 5 bytes JMP 0000000075123810 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2244] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 000000007639e567 5 bytes JMP 0000000075123880 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2244] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 00000000763c07d7 5 bytes JMP 0000000075123280 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2244] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 00000000763d7a5c 5 bytes JMP 0000000075123800 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2244] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007622e96b 5 bytes JMP 00000000751233e0 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2244] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007622eba5 5 bytes JMP 00000000751233f0 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2244] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 00000000758a5ea5 5 bytes JMP 0000000075123320 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2244] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000758d9d0b 5 bytes JMP 00000000751232b0 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2244] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000777d1401 2 bytes JMP 7739b21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2244] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000777d1419 2 bytes JMP 7739b346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2244] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000777d1431 2 bytes JMP 77418f29 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2244] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000777d144a 2 bytes CALL 7737489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2244] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000777d14dd 2 bytes JMP 77418822 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2244] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000777d14f5 2 bytes JMP 774189f8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2244] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000777d150d 2 bytes JMP 77418718 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2244] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000777d1525 2 bytes JMP 77418ae2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2244] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000777d153d 2 bytes JMP 7738fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2244] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000777d1555 2 bytes JMP 773968ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2244] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000777d156d 2 bytes JMP 77418fe3 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2244] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000777d1585 2 bytes JMP 77418b42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2244] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000777d159d 2 bytes JMP 774186dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2244] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000777d15b5 2 bytes JMP 7738fd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2244] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000777d15cd 2 bytes JMP 7739b2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2244] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000777d16b2 2 bytes JMP 77418ea4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2244] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000777d16bd 2 bytes JMP 77418671 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Av\avgui.exe[2260] C:\Windows\system32\kernel32.dll!RegSetValueExW 0000000077a8a3e0 7 bytes JMP 000000006fff0228 .text C:\Program Files (x86)\AVG\Av\avgui.exe[2260] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000077a93f00 5 bytes JMP 000000006fff0180 .text C:\Program Files (x86)\AVG\Av\avgui.exe[2260] C:\Windows\system32\kernel32.dll!RegDeleteValueW 0000000077aaffd0 5 bytes JMP 000000006fff01b8 .text C:\Program Files (x86)\AVG\Av\avgui.exe[2260] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 0000000077abf350 5 bytes JMP 000000006fff0110 .text C:\Program Files (x86)\AVG\Av\avgui.exe[2260] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000077ae9aa0 7 bytes JMP 000000006fff00d8 .text C:\Program Files (x86)\AVG\Av\avgui.exe[2260] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 0000000077af9530 5 bytes JMP 000000006fff0148 .text C:\Program Files (x86)\AVG\Av\avgui.exe[2260] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000077b18850 7 bytes JMP 000000006fff01f0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[2260] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefc632db0 5 bytes JMP 000007fefc620180 .text C:\Program Files (x86)\AVG\Av\avgui.exe[2260] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefc6337d0 7 bytes JMP 000007fefc6200d8 .text C:\Program Files (x86)\AVG\Av\avgui.exe[2260] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefc63a410 2 bytes JMP 000007fefc620110 .text C:\Program Files (x86)\AVG\Av\avgui.exe[2260] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW + 3 000007fefc63a413 2 bytes [FE, FF] .text C:\Program Files (x86)\AVG\Av\avgui.exe[2260] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefc63aec0 6 bytes JMP 000007fefc620148 .text C:\Program Files (x86)\AVG\Av\avgui.exe[2260] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefcd47490 11 bytes JMP 000007fefc620228 .text C:\Program Files (x86)\AVG\Av\avgui.exe[2260] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefcd5bf00 7 bytes JMP 000007fefc620260 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2268] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000077371efe 7 bytes JMP 0000000075123dd0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2268] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000077375b9d 7 bytes JMP 00000000751240e0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2268] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000773813f9 7 bytes JMP 0000000075123f10 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2268] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 000000007738ea45 7 bytes JMP 0000000075123dc0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2268] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000077418ea4 7 bytes JMP 0000000075123b50 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2268] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000077418f29 5 bytes JMP 0000000075123c00 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2268] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000077419281 5 bytes JMP 0000000075123b60 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2268] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000776e1d29 5 bytes JMP 0000000075123b00 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2268] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 00000000776e1dd7 5 bytes JMP 0000000075123ab0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2268] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000776e2ab1 5 bytes JMP 0000000075123c10 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2268] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000776e2d1d 5 bytes JMP 0000000075123890 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2268] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 00000000758a5ea5 5 bytes JMP 0000000075123320 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2268] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000758d9d0b 5 bytes JMP 00000000751232b0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2268] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007622e96b 5 bytes JMP 00000000751233e0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2268] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007622eba5 5 bytes JMP 00000000751233f0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2268] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076378a29 5 bytes JMP 0000000075123370 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2268] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076384572 5 bytes JMP 0000000075123810 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2268] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 000000007639e567 5 bytes JMP 0000000075123880 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2268] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 00000000763c07d7 5 bytes JMP 0000000075123280 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2268] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 00000000763d7a5c 5 bytes JMP 0000000075123800 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2332] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000077371efe 7 bytes JMP 0000000075123dd0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2332] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000077375b9d 7 bytes JMP 00000000751240e0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2332] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000773813f9 7 bytes JMP 0000000075123f10 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2332] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 000000007738ea45 7 bytes JMP 0000000075123dc0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2332] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000077418ea4 7 bytes JMP 0000000075123b50 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2332] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000077418f29 5 bytes JMP 0000000075123c00 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2332] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000077419281 5 bytes JMP 0000000075123b60 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2332] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000776e1d29 5 bytes JMP 0000000075123b00 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2332] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 00000000776e1dd7 5 bytes JMP 0000000075123ab0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2332] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000776e2ab1 5 bytes JMP 0000000075123c10 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2332] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000776e2d1d 5 bytes JMP 0000000075123890 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2332] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076378a29 5 bytes JMP 0000000075123370 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2332] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076384572 5 bytes JMP 0000000075123810 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2332] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 000000007639e567 5 bytes JMP 0000000075123880 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2332] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 00000000763c07d7 5 bytes JMP 0000000075123280 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2332] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 00000000763d7a5c 5 bytes JMP 0000000075123800 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2332] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007622e96b 5 bytes JMP 00000000751233e0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2332] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007622eba5 5 bytes JMP 00000000751233f0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2332] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 00000000758a5ea5 5 bytes JMP 0000000075123320 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2332] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000758d9d0b 5 bytes JMP 00000000751232b0 .text C:\Windows\system32\DllHost.exe[2496] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefc632db0 5 bytes JMP 000007fefc620180 .text C:\Windows\system32\DllHost.exe[2496] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefc6337d0 7 bytes JMP 000007fefc6200d8 .text C:\Windows\system32\DllHost.exe[2496] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefc63a410 2 bytes JMP 000007fefc620110 .text C:\Windows\system32\DllHost.exe[2496] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW + 3 000007fefc63a413 2 bytes [FE, FF] .text C:\Windows\system32\DllHost.exe[2496] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefc63aec0 6 bytes JMP 000007fefc620148 .text C:\Windows\system32\DllHost.exe[2496] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefcd47490 11 bytes JMP 000007fefc620228 .text C:\Windows\system32\DllHost.exe[2496] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefcd5bf00 7 bytes JMP 000007fefc620260 .text C:\Windows\system32\DllHost.exe[2496] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefd8589e0 8 bytes JMP 000007fefc6201f0 .text C:\Windows\system32\DllHost.exe[2496] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefd85be40 8 bytes JMP 000007fefc6201b8 .text C:\Windows\system32\taskhost.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000077bc51a0 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\taskhost.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077bedd60 5 bytes JMP 0000000000020678 .text C:\Windows\system32\taskhost.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077bede50 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\taskhost.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077bedf70 5 bytes JMP 0000000000020018 .text C:\Windows\system32\taskhost.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077bedfd0 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\taskhost.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077bee050 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\taskhost.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077bee0f0 5 bytes JMP 0000000000020128 .text C:\Windows\system32\taskhost.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077bee5a0 5 bytes JMP 0000000000020238 .text C:\Windows\system32\taskhost.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077bee630 1 byte JMP 00000000000202c0 .text C:\Windows\system32\taskhost.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077bee632 3 bytes {JMP 0xffffffff88431c90} .text C:\Windows\system32\taskhost.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077bee6a0 5 bytes JMP 0000000000020348 .text C:\Windows\system32\taskhost.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077beeb60 5 bytes JMP 0000000000020458 .text C:\Windows\system32\taskhost.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077beebb0 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\taskhost.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077c43080 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 0000000077d9fad4 5 bytes JMP 00000000742130e0 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077d9fc4c 5 bytes JMP 0000000074212360 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077d9fe10 5 bytes JMP 00000000742121f0 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077d9fea4 5 bytes JMP 00000000742127a0 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077d9ff70 5 bytes JMP 0000000074212650 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077da0064 5 bytes JMP 0000000074212520 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077da0798 5 bytes JMP 00000000742128e0 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077da0870 5 bytes JMP 0000000074212b70 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077da0918 5 bytes JMP 0000000074212e00 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077da1074 5 bytes JMP 0000000074212a30 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077da10ec 5 bytes JMP 0000000074212cc0 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2196] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 0000000077db8abb 5 bytes JMP 0000000074212f80 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2196] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 0000000077e400fd 5 bytes JMP 0000000074212e90 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000077bc51a0 5 bytes JMP 00000000000205f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077bedd60 5 bytes JMP 0000000000020678 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077bede50 5 bytes JMP 00000000000200a0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077bedf70 5 bytes JMP 0000000000020018 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077bedfd0 5 bytes JMP 00000000000203d0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077bee050 5 bytes JMP 00000000000201b0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077bee0f0 5 bytes JMP 0000000000020128 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077bee5a0 5 bytes JMP 0000000000020238 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077bee630 1 byte JMP 00000000000202c0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077bee632 3 bytes {JMP 0xffffffff88431c90} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077bee6a0 5 bytes JMP 0000000000020348 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077beeb60 5 bytes JMP 0000000000020458 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077beebb0 5 bytes JMP 00000000000204e0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077c43080 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000077bc51a0 5 bytes JMP 00000000000205f0 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077bedd60 5 bytes JMP 0000000000020678 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077bede50 5 bytes JMP 00000000000200a0 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077bedf70 5 bytes JMP 0000000000020018 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077bedfd0 5 bytes JMP 00000000000203d0 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077bee050 5 bytes JMP 00000000000201b0 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077bee0f0 5 bytes JMP 0000000000020128 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077bee5a0 5 bytes JMP 0000000000020238 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077bee630 1 byte JMP 00000000000202c0 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077bee632 3 bytes {JMP 0xffffffff88431c90} .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077bee6a0 5 bytes JMP 0000000000020348 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077beeb60 5 bytes JMP 0000000000020458 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077beebb0 5 bytes JMP 00000000000204e0 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077c43080 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000077bc51a0 5 bytes JMP 00000000000205f0 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077bedd60 5 bytes JMP 0000000000020678 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077bede50 5 bytes JMP 00000000000200a0 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077bedf70 5 bytes JMP 0000000000020018 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077bedfd0 5 bytes JMP 00000000000203d0 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077bee050 5 bytes JMP 00000000000201b0 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077bee0f0 5 bytes JMP 0000000000020128 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077bee5a0 5 bytes JMP 0000000000020238 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077bee630 1 byte JMP 00000000000202c0 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077bee632 3 bytes {JMP 0xffffffff88431c90} .text C:\Program Files (x86)\AVG\Av\avgemca.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077bee6a0 5 bytes JMP 0000000000020348 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077beeb60 5 bytes JMP 0000000000020458 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077beebb0 5 bytes JMP 00000000000204e0 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077c43080 5 bytes JMP 0000000000020568 .text C:\ProgramData\TVersity\Media Server\MediaServer.exe[3768] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 0000000077d9fad4 5 bytes JMP 00000000742130e0 .text C:\ProgramData\TVersity\Media Server\MediaServer.exe[3768] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077d9fc4c 5 bytes JMP 0000000074212360 .text C:\ProgramData\TVersity\Media Server\MediaServer.exe[3768] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077d9fe10 5 bytes JMP 00000000742121f0 .text C:\ProgramData\TVersity\Media Server\MediaServer.exe[3768] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077d9fea4 5 bytes JMP 00000000742127a0 .text C:\ProgramData\TVersity\Media Server\MediaServer.exe[3768] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077d9ff70 5 bytes JMP 0000000074212650 .text C:\ProgramData\TVersity\Media Server\MediaServer.exe[3768] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077da0064 5 bytes JMP 0000000074212520 .text C:\ProgramData\TVersity\Media Server\MediaServer.exe[3768] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077da0798 5 bytes JMP 00000000742128e0 .text C:\ProgramData\TVersity\Media Server\MediaServer.exe[3768] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077da0870 5 bytes JMP 0000000074212b70 .text C:\ProgramData\TVersity\Media Server\MediaServer.exe[3768] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077da0918 5 bytes JMP 0000000074212e00 .text C:\ProgramData\TVersity\Media Server\MediaServer.exe[3768] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077da1074 5 bytes JMP 0000000074212a30 .text C:\ProgramData\TVersity\Media Server\MediaServer.exe[3768] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077da10ec 5 bytes JMP 0000000074212cc0 .text C:\ProgramData\TVersity\Media Server\MediaServer.exe[3768] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 0000000077db8abb 5 bytes JMP 0000000074212f80 .text C:\ProgramData\TVersity\Media Server\MediaServer.exe[3768] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 0000000077e400fd 5 bytes JMP 0000000074212e90 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.3.5\ToolbarUpdater.exe[3860] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 0000000077d9fad4 5 bytes JMP 00000000742130e0 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.3.5\ToolbarUpdater.exe[3860] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077d9fc4c 5 bytes JMP 0000000074212360 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.3.5\ToolbarUpdater.exe[3860] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077d9fe10 5 bytes JMP 00000000742121f0 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.3.5\ToolbarUpdater.exe[3860] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077d9fea4 5 bytes JMP 00000000742127a0 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.3.5\ToolbarUpdater.exe[3860] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077d9ff70 5 bytes JMP 0000000074212650 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.3.5\ToolbarUpdater.exe[3860] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077da0064 5 bytes JMP 0000000074212520 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.3.5\ToolbarUpdater.exe[3860] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077da0798 5 bytes JMP 00000000742128e0 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.3.5\ToolbarUpdater.exe[3860] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077da0870 5 bytes JMP 0000000074212b70 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.3.5\ToolbarUpdater.exe[3860] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077da0918 5 bytes JMP 0000000074212e00 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.3.5\ToolbarUpdater.exe[3860] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077da1074 5 bytes JMP 0000000074212a30 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.3.5\ToolbarUpdater.exe[3860] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077da10ec 5 bytes JMP 0000000074212cc0 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.3.5\ToolbarUpdater.exe[3860] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 0000000077db8abb 5 bytes JMP 0000000074212f80 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.3.5\ToolbarUpdater.exe[3860] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 0000000077e400fd 5 bytes JMP 0000000074212e90 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2988] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000077bc51a0 5 bytes JMP 00000000000205f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2988] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077bedd60 5 bytes JMP 0000000000020678 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2988] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077bede50 5 bytes JMP 00000000000200a0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2988] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077bedf70 5 bytes JMP 0000000000020018 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077bedfd0 5 bytes JMP 00000000000203d0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077bee050 5 bytes JMP 00000000000201b0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2988] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077bee0f0 5 bytes JMP 0000000000020128 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077bee5a0 5 bytes JMP 0000000000020238 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077bee630 1 byte JMP 00000000000202c0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077bee632 3 bytes {JMP 0xffffffff88431c90} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077bee6a0 5 bytes JMP 0000000000020348 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077beeb60 5 bytes JMP 0000000000020458 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077beebb0 5 bytes JMP 00000000000204e0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2988] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077c43080 5 bytes JMP 0000000000020568 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3264] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000077bc51a0 5 bytes JMP 00000000000205f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3264] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077bedd60 5 bytes JMP 0000000000020678 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3264] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077bede50 5 bytes JMP 00000000000200a0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3264] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077bedf70 5 bytes JMP 0000000000020018 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077bedfd0 5 bytes JMP 00000000000203d0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077bee050 5 bytes JMP 00000000000201b0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3264] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077bee0f0 5 bytes JMP 0000000000020128 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077bee5a0 5 bytes JMP 0000000000020238 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077bee630 1 byte JMP 00000000000202c0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077bee632 3 bytes {JMP 0xffffffff88431c90} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077bee6a0 5 bytes JMP 0000000000020348 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077beeb60 5 bytes JMP 0000000000020458 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077beebb0 5 bytes JMP 00000000000204e0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3264] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077c43080 5 bytes JMP 0000000000020568 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3264] C:\Windows\system32\kernel32.dll!RegSetValueExW 0000000077a8a3e0 7 bytes JMP 000000006fff0228 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3264] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000077a93f00 5 bytes JMP 000000006fff0180 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3264] C:\Windows\system32\kernel32.dll!RegDeleteValueW 0000000077aaffd0 5 bytes JMP 000000006fff01b8 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3264] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 0000000077abf350 5 bytes JMP 000000006fff0110 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3264] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000077ae9aa0 7 bytes JMP 000000006fff00d8 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3264] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 0000000077af9530 5 bytes JMP 000000006fff0148 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3264] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000077b18850 7 bytes JMP 000000006fff01f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3264] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefc632db0 5 bytes JMP 000007fefc600180 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3264] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefc6337d0 7 bytes JMP 000007fefc6000d8 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3264] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefc63a410 2 bytes JMP 000007fefc600110 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3264] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW + 3 000007fefc63a413 2 bytes [FC, FF] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3264] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefc63aec0 6 bytes JMP 000007fefc600148 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3264] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefcd47490 11 bytes JMP 000007fefc600228 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3264] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefcd5bf00 7 bytes JMP 000007fefc600260 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3264] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefd8589e0 8 bytes JMP 000007fefc6001f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3264] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefd85be40 8 bytes JMP 000007fefc6001b8 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3264] C:\Windows\system32\d3d9.dll!Direct3DCreate9Ex 000007fef75a2460 5 bytes JMP 000007fefc6002d0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3264] C:\Windows\system32\d3d9.dll!Direct3DCreate9 000007fef75d96b0 6 bytes JMP 000007fefc600298 .text C:\Windows\system32\SearchIndexer.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000077bc51a0 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\SearchIndexer.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077bedd60 5 bytes JMP 0000000000020678 .text C:\Windows\system32\SearchIndexer.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077bede50 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\SearchIndexer.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077bedf70 5 bytes JMP 0000000000020018 .text C:\Windows\system32\SearchIndexer.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077bedfd0 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\SearchIndexer.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077bee050 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\SearchIndexer.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077bee0f0 5 bytes JMP 0000000000020128 .text C:\Windows\system32\SearchIndexer.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077bee5a0 5 bytes JMP 0000000000020238 .text C:\Windows\system32\SearchIndexer.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077bee630 1 byte JMP 00000000000202c0 .text C:\Windows\system32\SearchIndexer.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077bee632 3 bytes {JMP 0xffffffff88431c90} .text C:\Windows\system32\SearchIndexer.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077bee6a0 5 bytes JMP 0000000000020348 .text C:\Windows\system32\SearchIndexer.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077beeb60 5 bytes JMP 0000000000020458 .text C:\Windows\system32\SearchIndexer.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077beebb0 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\SearchIndexer.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077c43080 5 bytes JMP 0000000000020568 .text C:\Windows\system32\conhost.exe[3300] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000077bc51a0 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\conhost.exe[3300] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077bedd60 5 bytes JMP 0000000000020678 .text C:\Windows\system32\conhost.exe[3300] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077bede50 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\conhost.exe[3300] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077bedf70 5 bytes JMP 0000000000020018 .text C:\Windows\system32\conhost.exe[3300] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077bedfd0 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\conhost.exe[3300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077bee050 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\conhost.exe[3300] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077bee0f0 5 bytes JMP 0000000000020128 .text C:\Windows\system32\conhost.exe[3300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077bee5a0 5 bytes JMP 0000000000020238 .text C:\Windows\system32\conhost.exe[3300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077bee630 1 byte JMP 00000000000202c0 .text C:\Windows\system32\conhost.exe[3300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077bee632 3 bytes {JMP 0xffffffff88431c90} .text C:\Windows\system32\conhost.exe[3300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077bee6a0 5 bytes JMP 0000000000020348 .text C:\Windows\system32\conhost.exe[3300] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077beeb60 5 bytes JMP 0000000000020458 .text C:\Windows\system32\conhost.exe[3300] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077beebb0 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\conhost.exe[3300] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077c43080 5 bytes JMP 0000000000020568 .text C:\Windows\system32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000077bc51a0 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077bedd60 5 bytes JMP 0000000000020678 .text C:\Windows\system32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077bede50 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077bedf70 5 bytes JMP 0000000000020018 .text C:\Windows\system32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077bedfd0 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077bee050 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077bee0f0 5 bytes JMP 0000000000020128 .text C:\Windows\system32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077bee5a0 5 bytes JMP 0000000000020238 .text C:\Windows\system32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077bee630 1 byte JMP 00000000000202c0 .text C:\Windows\system32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077bee632 3 bytes {JMP 0xffffffff88431c90} .text C:\Windows\system32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077bee6a0 5 bytes JMP 0000000000020348 .text C:\Windows\system32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077beeb60 5 bytes JMP 0000000000020458 .text C:\Windows\system32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077beebb0 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\svchost.exe[4332] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077c43080 5 bytes JMP 0000000000020568 .text C:\Windows\System32\svchost.exe[4512] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000077bc51a0 5 bytes JMP 00000000000205f0 .text C:\Windows\System32\svchost.exe[4512] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077bedd60 5 bytes JMP 0000000000020678 .text C:\Windows\System32\svchost.exe[4512] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077bede50 5 bytes JMP 00000000000200a0 .text C:\Windows\System32\svchost.exe[4512] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077bedf70 5 bytes JMP 0000000000020018 .text C:\Windows\System32\svchost.exe[4512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077bedfd0 5 bytes JMP 00000000000203d0 .text C:\Windows\System32\svchost.exe[4512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077bee050 5 bytes JMP 00000000000201b0 .text C:\Windows\System32\svchost.exe[4512] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077bee0f0 5 bytes JMP 0000000000020128 .text C:\Windows\System32\svchost.exe[4512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077bee5a0 5 bytes JMP 0000000000020238 .text C:\Windows\System32\svchost.exe[4512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077bee630 1 byte JMP 00000000000202c0 .text C:\Windows\System32\svchost.exe[4512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077bee632 3 bytes {JMP 0xffffffff88431c90} .text C:\Windows\System32\svchost.exe[4512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077bee6a0 5 bytes JMP 0000000000020348 .text C:\Windows\System32\svchost.exe[4512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077beeb60 5 bytes JMP 0000000000020458 .text C:\Windows\System32\svchost.exe[4512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077beebb0 5 bytes JMP 00000000000204e0 .text C:\Windows\System32\svchost.exe[4512] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077c43080 5 bytes JMP 0000000000020568 .text C:\Windows\system32\ctfmon.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000077bc51a0 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\ctfmon.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077bedd60 5 bytes JMP 0000000000020678 .text C:\Windows\system32\ctfmon.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077bede50 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\ctfmon.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077bedf70 5 bytes JMP 0000000000020018 .text C:\Windows\system32\ctfmon.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077bedfd0 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\ctfmon.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077bee050 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\ctfmon.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077bee0f0 5 bytes JMP 0000000000020128 .text C:\Windows\system32\ctfmon.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077bee5a0 5 bytes JMP 0000000000020238 .text C:\Windows\system32\ctfmon.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077bee630 1 byte JMP 00000000000202c0 .text C:\Windows\system32\ctfmon.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077bee632 3 bytes {JMP 0xffffffff88431c90} .text C:\Windows\system32\ctfmon.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077bee6a0 5 bytes JMP 0000000000020348 .text C:\Windows\system32\ctfmon.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077beeb60 5 bytes JMP 0000000000020458 .text C:\Windows\system32\ctfmon.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077beebb0 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\ctfmon.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077c43080 5 bytes JMP 0000000000020568 .text C:\Windows\system32\ctfmon.exe[4248] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefc632db0 5 bytes JMP 000007fefc620180 .text C:\Windows\system32\ctfmon.exe[4248] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefc6337d0 7 bytes JMP 000007fefc6200d8 .text C:\Windows\system32\ctfmon.exe[4248] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefc63a410 2 bytes JMP 000007fefc620110 .text C:\Windows\system32\ctfmon.exe[4248] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW + 3 000007fefc63a413 2 bytes [FE, FF] .text C:\Windows\system32\ctfmon.exe[4248] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefc63aec0 6 bytes JMP 000007fefc620148 .text C:\Windows\system32\ctfmon.exe[4248] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefd8589e0 8 bytes JMP 000007fefc6201f0 .text C:\Windows\system32\ctfmon.exe[4248] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefd85be40 8 bytes JMP 000007fefc6201b8 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5420] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 0000000077d9fad4 5 bytes JMP 00000000742130e0 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5420] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077d9fc4c 5 bytes JMP 0000000074212360 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5420] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077d9fe10 5 bytes JMP 00000000742121f0 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5420] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077d9fea4 5 bytes JMP 00000000742127a0 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5420] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077d9ff70 5 bytes JMP 0000000074212650 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5420] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077da0064 5 bytes JMP 0000000074212520 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5420] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077da0798 5 bytes JMP 00000000742128e0 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5420] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077da0870 5 bytes JMP 0000000074212b70 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5420] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077da0918 5 bytes JMP 0000000074212e00 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5420] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077da1074 5 bytes JMP 0000000074212a30 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5420] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077da10ec 5 bytes JMP 0000000074212cc0 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5420] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 0000000077db8abb 5 bytes JMP 0000000074212f80 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5420] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 0000000077e400fd 5 bytes JMP 0000000074212e90 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[5252] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000077bc51a0 5 bytes JMP 00000000000205f0 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[5252] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077bedd60 5 bytes JMP 0000000000020678 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[5252] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077bede50 5 bytes JMP 00000000000200a0 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[5252] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077bedf70 5 bytes JMP 0000000000020018 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[5252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077bedfd0 5 bytes JMP 00000000000203d0 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[5252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077bee050 5 bytes JMP 00000000000201b0 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[5252] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077bee0f0 5 bytes JMP 0000000000020128 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[5252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077bee5a0 5 bytes JMP 0000000000020238 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[5252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077bee630 1 byte JMP 00000000000202c0 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[5252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077bee632 3 bytes {JMP 0xffffffff88431c90} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[5252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077bee6a0 5 bytes JMP 0000000000020348 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[5252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077beeb60 5 bytes JMP 0000000000020458 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[5252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077beebb0 5 bytes JMP 00000000000204e0 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[5252] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077c43080 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5520] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 0000000077d9fad4 5 bytes JMP 00000000742130e0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5520] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077d9fc4c 5 bytes JMP 0000000074212360 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5520] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077d9fe10 5 bytes JMP 00000000742121f0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5520] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077d9fea4 5 bytes JMP 00000000742127a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5520] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077d9ff70 5 bytes JMP 0000000074212650 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5520] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077da0064 5 bytes JMP 0000000074212520 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5520] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077da0798 5 bytes JMP 00000000742128e0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5520] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077da0870 5 bytes JMP 0000000074212b70 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5520] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077da0918 5 bytes JMP 0000000074212e00 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5520] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077da1074 5 bytes JMP 0000000074212a30 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5520] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077da10ec 5 bytes JMP 0000000074212cc0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5520] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 0000000077db8abb 5 bytes JMP 0000000074212f80 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5520] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 0000000077e400fd 5 bytes JMP 0000000074212e90 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5180] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 0000000077d9fad4 5 bytes JMP 00000000742130e0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5180] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077d9fc4c 5 bytes JMP 0000000074212360 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5180] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077d9fe10 5 bytes JMP 00000000742121f0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5180] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077d9fea4 5 bytes JMP 00000000742127a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5180] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077d9ff70 5 bytes JMP 0000000074212650 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5180] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077da0064 5 bytes JMP 0000000074212520 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5180] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077da0798 5 bytes JMP 00000000742128e0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5180] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077da0870 5 bytes JMP 0000000074212b70 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5180] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077da0918 5 bytes JMP 0000000074212e00 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5180] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077da1074 5 bytes JMP 0000000074212a30 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5180] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077da10ec 5 bytes JMP 0000000074212cc0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5180] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 0000000077db8abb 5 bytes JMP 0000000074212f80 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5180] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 0000000077e400fd 5 bytes JMP 0000000074212e90 .text C:\Users\Marta\Downloads\s1qhoygi.exe[3640] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 0000000077d9fad4 5 bytes JMP 00000000742130e0 .text C:\Users\Marta\Downloads\s1qhoygi.exe[3640] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077d9fc4c 5 bytes JMP 0000000074212360 .text C:\Users\Marta\Downloads\s1qhoygi.exe[3640] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077d9fe10 5 bytes JMP 00000000742121f0 .text C:\Users\Marta\Downloads\s1qhoygi.exe[3640] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077d9fea4 5 bytes JMP 00000000742127a0 .text C:\Users\Marta\Downloads\s1qhoygi.exe[3640] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077d9ff70 5 bytes JMP 0000000074212650 .text C:\Users\Marta\Downloads\s1qhoygi.exe[3640] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077da0064 5 bytes JMP 0000000074212520 .text C:\Users\Marta\Downloads\s1qhoygi.exe[3640] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077da0798 5 bytes JMP 00000000742128e0 .text C:\Users\Marta\Downloads\s1qhoygi.exe[3640] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077da0870 5 bytes JMP 0000000074212b70 .text C:\Users\Marta\Downloads\s1qhoygi.exe[3640] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077da0918 5 bytes JMP 0000000074212e00 .text C:\Users\Marta\Downloads\s1qhoygi.exe[3640] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077da1074 5 bytes JMP 0000000074212a30 .text C:\Users\Marta\Downloads\s1qhoygi.exe[3640] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077da10ec 5 bytes JMP 0000000074212cc0 .text C:\Users\Marta\Downloads\s1qhoygi.exe[3640] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 0000000077db8abb 5 bytes JMP 0000000074212f80 .text C:\Users\Marta\Downloads\s1qhoygi.exe[3640] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 0000000077e400fd 5 bytes JMP 0000000074212e90 .text C:\Users\Marta\Downloads\s1qhoygi.exe[3640] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000077371efe 7 bytes JMP 0000000075123dd0 .text C:\Users\Marta\Downloads\s1qhoygi.exe[3640] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000077375b9d 7 bytes JMP 00000000751240e0 .text C:\Users\Marta\Downloads\s1qhoygi.exe[3640] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000773813f9 7 bytes JMP 0000000075123f10 .text C:\Users\Marta\Downloads\s1qhoygi.exe[3640] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 000000007738ea45 7 bytes JMP 0000000075123dc0 .text C:\Users\Marta\Downloads\s1qhoygi.exe[3640] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000077418ea4 7 bytes JMP 0000000075123b50 .text C:\Users\Marta\Downloads\s1qhoygi.exe[3640] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000077418f29 5 bytes JMP 0000000075123c00 .text C:\Users\Marta\Downloads\s1qhoygi.exe[3640] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000077419281 5 bytes JMP 0000000075123b60 .text C:\Users\Marta\Downloads\s1qhoygi.exe[3640] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000776e1d29 5 bytes JMP 0000000075123b00 .text C:\Users\Marta\Downloads\s1qhoygi.exe[3640] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 00000000776e1dd7 5 bytes JMP 0000000075123ab0 .text C:\Users\Marta\Downloads\s1qhoygi.exe[3640] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000776e2ab1 5 bytes JMP 0000000075123c10 .text C:\Users\Marta\Downloads\s1qhoygi.exe[3640] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000776e2d1d 5 bytes JMP 0000000075123890 .text C:\Users\Marta\Downloads\s1qhoygi.exe[3640] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007622e96b 5 bytes JMP 00000000751233e0 .text C:\Users\Marta\Downloads\s1qhoygi.exe[3640] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007622eba5 5 bytes JMP 00000000751233f0 .text C:\Users\Marta\Downloads\s1qhoygi.exe[3640] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076378a29 5 bytes JMP 0000000075123370 .text C:\Users\Marta\Downloads\s1qhoygi.exe[3640] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076384572 5 bytes JMP 0000000075123810 .text C:\Users\Marta\Downloads\s1qhoygi.exe[3640] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 000000007639e567 5 bytes JMP 0000000075123880 .text C:\Users\Marta\Downloads\s1qhoygi.exe[3640] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 00000000763c07d7 5 bytes JMP 0000000075123280 .text C:\Users\Marta\Downloads\s1qhoygi.exe[3640] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 00000000763d7a5c 5 bytes JMP 0000000075123800 ---- EOF - GMER 2.2 ----