GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-09-27 20:45:36 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD64 rev.01.0 596,17GB Running: 0ldt0n1s.exe; Driver: C:\Users\Marta\AppData\Local\Temp\fwddikog.sys ---- User code sections - GMER 2.2 ---- .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1420] C:\Windows\system32\kernel32.dll!RegSetValueExW 0000000076b6a3e0 7 bytes JMP 000000006fff0228 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1420] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000076b73f00 5 bytes JMP 000000006fff0180 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1420] C:\Windows\system32\kernel32.dll!RegDeleteValueW 0000000076b8ffd0 5 bytes JMP 000000006fff01b8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1420] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 0000000076b9f350 5 bytes JMP 000000006fff0110 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1420] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000076bc9aa0 7 bytes JMP 000000006fff00d8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1420] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 0000000076bd9530 5 bytes JMP 000000006fff0148 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1420] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000076bf8850 7 bytes JMP 000000006fff01f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1420] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefb8c2db0 5 bytes JMP 000007fefb8b0180 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1420] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefb8c37d0 7 bytes JMP 000007fefb8b00d8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1420] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefb8ca410 2 bytes JMP 000007fefb8b0110 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1420] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW + 3 000007fefb8ca413 2 bytes [FE, FF] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1420] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefb8caec0 6 bytes JMP 000007fefb8b0148 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1420] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefbeb89e0 8 bytes JMP 000007fefb8b01f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1420] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefbebbe40 8 bytes JMP 000007fefb8b01b8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1420] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdb67490 11 bytes JMP 000007fefb8b0228 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1420] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefdb7bf00 7 bytes JMP 000007fefb8b0260 .text C:\Windows\system32\Dwm.exe[1908] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefb8c2db0 5 bytes JMP 000007fefb8b0180 .text C:\Windows\system32\Dwm.exe[1908] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefb8c37d0 7 bytes JMP 000007fefb8b00d8 .text C:\Windows\system32\Dwm.exe[1908] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefb8ca410 2 bytes JMP 000007fefb8b0110 .text C:\Windows\system32\Dwm.exe[1908] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW + 3 000007fefb8ca413 2 bytes [FE, FF] .text C:\Windows\system32\Dwm.exe[1908] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefb8caec0 6 bytes JMP 000007fefb8b0148 .text C:\Windows\system32\Dwm.exe[1908] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefbeb89e0 8 bytes JMP 000007fefb8b01f0 .text C:\Windows\system32\Dwm.exe[1908] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefbebbe40 8 bytes JMP 000007fefb8b01b8 .text C:\Windows\system32\Dwm.exe[1908] C:\Windows\system32\dxgi.dll!CreateDXGIFactory 000007fef78edc88 5 bytes JMP 000007fef76e00d8 .text C:\Windows\system32\Dwm.exe[1908] C:\Windows\system32\dxgi.dll!CreateDXGIFactory1 000007fef78ede10 5 bytes JMP 000007fef76e0110 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2544] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 0000000076f7fad4 5 bytes JMP 00000000745c30e0 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2544] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076f7fc4c 5 bytes JMP 00000000745c2360 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2544] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076f7fe10 5 bytes JMP 00000000745c21f0 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2544] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000076f7fea4 5 bytes JMP 00000000745c27a0 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2544] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076f7ff70 5 bytes JMP 00000000745c2650 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2544] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000076f80064 5 bytes JMP 00000000745c2520 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2544] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076f80798 5 bytes JMP 00000000745c28e0 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2544] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000076f80870 5 bytes JMP 00000000745c2b70 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2544] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000076f80918 5 bytes JMP 00000000745c2e00 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2544] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000076f81074 5 bytes JMP 00000000745c2a30 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2544] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000076f810ec 5 bytes JMP 00000000745c2cc0 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2544] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 0000000076f98abb 5 bytes JMP 00000000745c2f80 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2544] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 00000000770200fd 5 bytes JMP 00000000745c2e90 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2544] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000074d01efe 7 bytes JMP 00000000746c5200 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2544] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000074d05b9d 7 bytes JMP 00000000746c5840 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2544] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000074d113f9 7 bytes JMP 00000000746c5450 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2544] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 0000000074d1ea45 7 bytes JMP 00000000746c51f0 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2544] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000074da8ea4 7 bytes JMP 00000000746c4820 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2544] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000074da8f29 5 bytes JMP 00000000746c4a00 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2544] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000074da9281 5 bytes JMP 00000000746c4830 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2544] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000074951d29 5 bytes JMP 00000000746c4740 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2544] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000074951dd7 5 bytes JMP 00000000746c4650 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2544] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000074952ab1 5 bytes JMP 00000000746c4a10 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2544] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000074952d1d 5 bytes JMP 00000000746c4340 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2544] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 00000000750ae96b 5 bytes JMP 00000000746c3910 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2544] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 00000000750aeba5 5 bytes JMP 00000000746c3920 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2544] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000074bf8a29 5 bytes JMP 00000000746c37d0 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2544] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000074c04572 5 bytes JMP 00000000746c42d0 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2544] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 0000000074c1e567 5 bytes JMP 00000000746c4330 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2544] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000074c407d7 5 bytes JMP 00000000746c3600 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2544] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000074c57a5c 5 bytes JMP 00000000746c42a0 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2544] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000075125ea5 5 bytes JMP 00000000746c3790 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2544] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075159d0b 5 bytes JMP 00000000746c3720 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2544] C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll!Detoured + 3 0000000074701003 2 bytes [70, 74] .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2544] C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll!Detoured + 22 0000000074701016 2 bytes [70, 74] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2588] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 0000000076f7fad4 5 bytes JMP 00000000745c30e0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2588] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076f7fc4c 5 bytes JMP 00000000745c2360 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2588] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076f7fe10 5 bytes JMP 00000000745c21f0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2588] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000076f7fea4 5 bytes JMP 00000000745c27a0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2588] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076f7ff70 5 bytes JMP 00000000745c2650 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2588] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000076f80064 5 bytes JMP 00000000745c2520 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2588] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076f80798 5 bytes JMP 00000000745c28e0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2588] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000076f80870 5 bytes JMP 00000000745c2b70 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2588] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000076f80918 5 bytes JMP 00000000745c2e00 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2588] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000076f81074 5 bytes JMP 00000000745c2a30 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2588] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000076f810ec 5 bytes JMP 00000000745c2cc0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2588] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 0000000076f98abb 5 bytes JMP 00000000745c2f80 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2588] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 00000000770200fd 5 bytes JMP 00000000745c2e90 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2588] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000074d01efe 7 bytes JMP 00000000746c5200 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2588] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000074d05b9d 7 bytes JMP 00000000746c5840 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2588] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000074d113f9 7 bytes JMP 00000000746c5450 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2588] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 0000000074d1ea45 7 bytes JMP 00000000746c51f0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2588] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000074da8ea4 7 bytes JMP 00000000746c4820 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2588] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000074da8f29 5 bytes JMP 00000000746c4a00 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2588] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000074da9281 5 bytes JMP 00000000746c4830 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2588] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000074951d29 5 bytes JMP 00000000746c4740 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2588] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000074951dd7 5 bytes JMP 00000000746c4650 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2588] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000074952ab1 5 bytes JMP 00000000746c4a10 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2588] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000074952d1d 5 bytes JMP 00000000746c4340 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2588] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000075125ea5 5 bytes JMP 00000000746c3790 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2588] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075159d0b 5 bytes JMP 00000000746c3720 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2588] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 00000000750ae96b 5 bytes JMP 00000000746c3910 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2588] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 00000000750aeba5 5 bytes JMP 00000000746c3920 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2588] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000074bf8a29 5 bytes JMP 00000000746c37d0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2588] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000074c04572 5 bytes JMP 00000000746c42d0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2588] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 0000000074c1e567 5 bytes JMP 00000000746c4330 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2588] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000074c407d7 5 bytes JMP 00000000746c3600 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2588] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000074c57a5c 5 bytes JMP 00000000746c42a0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076da51a0 5 bytes JMP 00000000000205f0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000076dcdd60 5 bytes JMP 0000000000020678 .text C:\Program Files (x86)\AVG\Av\avgui.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076dcde50 5 bytes JMP 00000000000200a0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dcdf70 5 bytes JMP 0000000000020018 .text C:\Program Files (x86)\AVG\Av\avgui.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dcdfd0 5 bytes JMP 00000000000203d0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dce050 5 bytes JMP 00000000000201b0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dce0f0 5 bytes JMP 0000000000020128 .text C:\Program Files (x86)\AVG\Av\avgui.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dce5a0 5 bytes JMP 0000000000020238 .text C:\Program Files (x86)\AVG\Av\avgui.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dce630 1 byte JMP 00000000000202c0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076dce632 3 bytes {JMP 0xffffffff89251c90} .text C:\Program Files (x86)\AVG\Av\avgui.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076dce6a0 5 bytes JMP 0000000000020348 .text C:\Program Files (x86)\AVG\Av\avgui.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dceb60 5 bytes JMP 0000000000020458 .text C:\Program Files (x86)\AVG\Av\avgui.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dcebb0 5 bytes JMP 00000000000204e0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000076e23080 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\AVG\Av\avgui.exe[2604] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefb8c2db0 5 bytes JMP 000007fefb8b0180 .text C:\Program Files (x86)\AVG\Av\avgui.exe[2604] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefb8c37d0 7 bytes JMP 000007fefb8b00d8 .text C:\Program Files (x86)\AVG\Av\avgui.exe[2604] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefb8ca410 2 bytes JMP 000007fefb8b0110 .text C:\Program Files (x86)\AVG\Av\avgui.exe[2604] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW + 3 000007fefb8ca413 2 bytes [FE, FF] .text C:\Program Files (x86)\AVG\Av\avgui.exe[2604] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefb8caec0 6 bytes JMP 000007fefb8b0148 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 0000000076f7fad4 5 bytes JMP 00000000745c30e0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076f7fc4c 5 bytes JMP 00000000745c2360 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076f7fe10 5 bytes JMP 00000000745c21f0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000076f7fea4 5 bytes JMP 00000000745c27a0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076f7ff70 5 bytes JMP 00000000745c2650 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000076f80064 5 bytes JMP 00000000745c2520 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076f80798 5 bytes JMP 00000000745c28e0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000076f80870 5 bytes JMP 00000000745c2b70 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000076f80918 5 bytes JMP 00000000745c2e00 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000076f81074 5 bytes JMP 00000000745c2a30 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000076f810ec 5 bytes JMP 00000000745c2cc0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2616] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 0000000076f98abb 5 bytes JMP 00000000745c2f80 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2616] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 00000000770200fd 5 bytes JMP 00000000745c2e90 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2616] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000074d01efe 7 bytes JMP 00000000746c5200 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2616] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000074d05b9d 7 bytes JMP 00000000746c5840 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2616] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000074d113f9 7 bytes JMP 00000000746c5450 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2616] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 0000000074d1ea45 7 bytes JMP 00000000746c51f0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2616] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000074da8ea4 7 bytes JMP 00000000746c4820 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2616] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000074da8f29 5 bytes JMP 00000000746c4a00 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2616] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000074da9281 5 bytes JMP 00000000746c4830 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2616] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000074951d29 5 bytes JMP 00000000746c4740 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2616] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000074951dd7 5 bytes JMP 00000000746c4650 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2616] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000074952ab1 5 bytes JMP 00000000746c4a10 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2616] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000074952d1d 5 bytes JMP 00000000746c4340 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2616] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000074bf8a29 5 bytes JMP 00000000746c37d0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2616] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000074c04572 5 bytes JMP 00000000746c42d0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2616] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 0000000074c1e567 5 bytes JMP 00000000746c4330 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2616] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000074c407d7 5 bytes JMP 00000000746c3600 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2616] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000074c57a5c 5 bytes JMP 00000000746c42a0 .text C:\Program Files (x86)\AVG\Av\avgwdsvca.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076da51a0 5 bytes JMP 00000000000205f0 .text C:\Program Files (x86)\AVG\Av\avgwdsvca.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000076dcdd60 5 bytes JMP 0000000000020678 .text C:\Program Files (x86)\AVG\Av\avgwdsvca.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076dcde50 5 bytes JMP 00000000000200a0 .text C:\Program Files (x86)\AVG\Av\avgwdsvca.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dcdf70 5 bytes JMP 0000000000020018 .text C:\Program Files (x86)\AVG\Av\avgwdsvca.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dcdfd0 5 bytes JMP 00000000000203d0 .text C:\Program Files (x86)\AVG\Av\avgwdsvca.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dce050 5 bytes JMP 00000000000201b0 .text C:\Program Files (x86)\AVG\Av\avgwdsvca.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dce0f0 5 bytes JMP 0000000000020128 .text C:\Program Files (x86)\AVG\Av\avgwdsvca.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dce5a0 5 bytes JMP 0000000000020238 .text C:\Program Files (x86)\AVG\Av\avgwdsvca.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dce630 1 byte JMP 00000000000202c0 .text C:\Program Files (x86)\AVG\Av\avgwdsvca.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076dce632 3 bytes {JMP 0xffffffff89251c90} .text C:\Program Files (x86)\AVG\Av\avgwdsvca.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076dce6a0 5 bytes JMP 0000000000020348 .text C:\Program Files (x86)\AVG\Av\avgwdsvca.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dceb60 5 bytes JMP 0000000000020458 .text C:\Program Files (x86)\AVG\Av\avgwdsvca.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dcebb0 5 bytes JMP 00000000000204e0 .text C:\Program Files (x86)\AVG\Av\avgwdsvca.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000076e23080 5 bytes JMP 0000000000020568 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076da51a0 5 bytes JMP 00000000000205f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000076dcdd60 5 bytes JMP 0000000000020678 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076dcde50 5 bytes JMP 00000000000200a0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dcdf70 5 bytes JMP 0000000000020018 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dcdfd0 5 bytes JMP 00000000000203d0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dce050 5 bytes JMP 00000000000201b0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dce0f0 5 bytes JMP 0000000000020128 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dce5a0 5 bytes JMP 0000000000020238 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dce630 1 byte JMP 00000000000202c0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076dce632 3 bytes {JMP 0xffffffff89251c90} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076dce6a0 5 bytes JMP 0000000000020348 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dceb60 5 bytes JMP 0000000000020458 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dcebb0 5 bytes JMP 00000000000204e0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000076e23080 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076da51a0 5 bytes JMP 00000000000205f0 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000076dcdd60 5 bytes JMP 0000000000020678 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076dcde50 5 bytes JMP 00000000000200a0 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dcdf70 5 bytes JMP 0000000000020018 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dcdfd0 5 bytes JMP 00000000000203d0 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dce050 5 bytes JMP 00000000000201b0 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dce0f0 5 bytes JMP 0000000000020128 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dce5a0 5 bytes JMP 0000000000020238 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dce630 1 byte JMP 00000000000202c0 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076dce632 3 bytes {JMP 0xffffffff89251c90} .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076dce6a0 5 bytes JMP 0000000000020348 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dceb60 5 bytes JMP 0000000000020458 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dcebb0 5 bytes JMP 00000000000204e0 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000076e23080 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076da51a0 5 bytes JMP 00000000000205f0 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000076dcdd60 5 bytes JMP 0000000000020678 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076dcde50 5 bytes JMP 00000000000200a0 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dcdf70 5 bytes JMP 0000000000020018 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dcdfd0 5 bytes JMP 00000000000203d0 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dce050 5 bytes JMP 00000000000201b0 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dce0f0 5 bytes JMP 0000000000020128 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dce5a0 5 bytes JMP 0000000000020238 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dce630 1 byte JMP 00000000000202c0 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076dce632 3 bytes {JMP 0xffffffff89251c90} .text C:\Program Files (x86)\AVG\Av\avgemca.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076dce6a0 5 bytes JMP 0000000000020348 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dceb60 5 bytes JMP 0000000000020458 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dcebb0 5 bytes JMP 00000000000204e0 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000076e23080 5 bytes JMP 0000000000020568 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076da51a0 5 bytes JMP 00000000000205f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000076dcdd60 5 bytes JMP 0000000000020678 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076dcde50 5 bytes JMP 00000000000200a0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dcdf70 5 bytes JMP 0000000000020018 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dcdfd0 5 bytes JMP 00000000000203d0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dce050 5 bytes JMP 00000000000201b0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dce0f0 5 bytes JMP 0000000000020128 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dce5a0 5 bytes JMP 0000000000020238 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dce630 1 byte JMP 00000000000202c0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076dce632 3 bytes {JMP 0xffffffff89251c90} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076dce6a0 5 bytes JMP 0000000000020348 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dceb60 5 bytes JMP 0000000000020458 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dcebb0 5 bytes JMP 00000000000204e0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000076e23080 5 bytes JMP 0000000000020568 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3208] C:\Windows\system32\kernel32.dll!RegSetValueExW 0000000076b6a3e0 7 bytes JMP 000000006fff0228 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3208] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000076b73f00 5 bytes JMP 000000006fff0180 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3208] C:\Windows\system32\kernel32.dll!RegDeleteValueW 0000000076b8ffd0 5 bytes JMP 000000006fff01b8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3208] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 0000000076b9f350 5 bytes JMP 000000006fff0110 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3208] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000076bc9aa0 7 bytes JMP 000000006fff00d8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3208] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 0000000076bd9530 5 bytes JMP 000000006fff0148 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3208] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000076bf8850 7 bytes JMP 000000006fff01f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3208] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefb8c2db0 5 bytes JMP 000007fefb8b0180 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3208] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefb8c37d0 7 bytes JMP 000007fefb8b00d8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3208] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefb8ca410 2 bytes JMP 000007fefb8b0110 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3208] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW + 3 000007fefb8ca413 2 bytes [FE, FF] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3208] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefb8caec0 6 bytes JMP 000007fefb8b0148 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3208] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefbeb89e0 8 bytes JMP 000007fefb8b01f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3208] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefbebbe40 8 bytes JMP 000007fefb8b01b8 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076da51a0 5 bytes JMP 00000000000205f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000076dcdd60 5 bytes JMP 0000000000020678 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076dcde50 5 bytes JMP 00000000000200a0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dcdf70 5 bytes JMP 0000000000020018 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dcdfd0 5 bytes JMP 00000000000203d0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dce050 5 bytes JMP 00000000000201b0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dce0f0 5 bytes JMP 0000000000020128 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dce5a0 5 bytes JMP 0000000000020238 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dce630 1 byte JMP 00000000000202c0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076dce632 3 bytes {JMP 0xffffffff89251c90} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076dce6a0 5 bytes JMP 0000000000020348 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dceb60 5 bytes JMP 0000000000020458 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dcebb0 5 bytes JMP 00000000000204e0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000076e23080 5 bytes JMP 0000000000020568 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3312] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076da51a0 5 bytes JMP 00000000000205f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3312] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000076dcdd60 5 bytes JMP 0000000000020678 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3312] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076dcde50 5 bytes JMP 00000000000200a0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3312] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dcdf70 5 bytes JMP 0000000000020018 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dcdfd0 5 bytes JMP 00000000000203d0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dce050 5 bytes JMP 00000000000201b0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3312] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dce0f0 5 bytes JMP 0000000000020128 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dce5a0 5 bytes JMP 0000000000020238 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dce630 1 byte JMP 00000000000202c0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076dce632 3 bytes {JMP 0xffffffff89251c90} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076dce6a0 5 bytes JMP 0000000000020348 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dceb60 5 bytes JMP 0000000000020458 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dcebb0 5 bytes JMP 00000000000204e0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3312] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000076e23080 5 bytes JMP 0000000000020568 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3312] C:\Windows\system32\kernel32.dll!RegSetValueExW 0000000076b6a3e0 7 bytes JMP 000000006fff0228 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3312] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000076b73f00 5 bytes JMP 000000006fff0180 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3312] C:\Windows\system32\kernel32.dll!RegDeleteValueW 0000000076b8ffd0 5 bytes JMP 000000006fff01b8 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3312] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 0000000076b9f350 5 bytes JMP 000000006fff0110 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3312] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000076bc9aa0 7 bytes JMP 000000006fff00d8 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3312] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 0000000076bd9530 5 bytes JMP 000000006fff0148 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3312] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000076bf8850 7 bytes JMP 000000006fff01f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3312] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefb8c2db0 5 bytes JMP 000007fefb8b0180 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3312] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefb8c37d0 7 bytes JMP 000007fefb8b00d8 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3312] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefb8ca410 2 bytes JMP 000007fefb8b0110 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3312] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW + 3 000007fefb8ca413 2 bytes [FE, FF] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3312] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefb8caec0 6 bytes JMP 000007fefb8b0148 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3312] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdb67490 11 bytes JMP 000007fefb8b0228 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3312] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefdb7bf00 7 bytes JMP 000007fefb8b0260 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3312] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefbeb89e0 8 bytes JMP 000007fefb8b01f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3312] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefbebbe40 8 bytes JMP 000007fefb8b01b8 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3312] C:\Windows\system32\d3d9.dll!Direct3DCreate9Ex 000007fef3522460 4 bytes JMP 000007fefb8b02d0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3312] C:\Windows\system32\d3d9.dll!Direct3DCreate9 000007fef35596b0 6 bytes JMP 000007fefb8b0298 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3312] C:\Windows\system32\dxgi.dll!CreateDXGIFactory 000007fef78edc88 5 bytes JMP 000007fef78c00d8 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3312] C:\Windows\system32\dxgi.dll!CreateDXGIFactory1 000007fef78ede10 5 bytes JMP 000007fef78c0110 .text C:\Windows\system32\svchost.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076da51a0 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\svchost.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000076dcdd60 5 bytes JMP 0000000000020678 .text C:\Windows\system32\svchost.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076dcde50 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\svchost.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dcdf70 5 bytes JMP 0000000000020018 .text C:\Windows\system32\svchost.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dcdfd0 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\svchost.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dce050 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\svchost.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dce0f0 5 bytes JMP 0000000000020128 .text C:\Windows\system32\svchost.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dce5a0 5 bytes JMP 0000000000020238 .text C:\Windows\system32\svchost.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dce630 1 byte JMP 00000000000202c0 .text C:\Windows\system32\svchost.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076dce632 3 bytes {JMP 0xffffffff89251c90} .text C:\Windows\system32\svchost.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076dce6a0 5 bytes JMP 0000000000020348 .text C:\Windows\system32\svchost.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dceb60 5 bytes JMP 0000000000020458 .text C:\Windows\system32\svchost.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dcebb0 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\svchost.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000076e23080 5 bytes JMP 0000000000020568 .text C:\Windows\system32\SearchIndexer.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076da51a0 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\SearchIndexer.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000076dcdd60 5 bytes JMP 0000000000020678 .text C:\Windows\system32\SearchIndexer.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076dcde50 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\SearchIndexer.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dcdf70 5 bytes JMP 0000000000020018 .text C:\Windows\system32\SearchIndexer.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dcdfd0 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\SearchIndexer.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dce050 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\SearchIndexer.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dce0f0 5 bytes JMP 0000000000020128 .text C:\Windows\system32\SearchIndexer.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dce5a0 5 bytes JMP 0000000000020238 .text C:\Windows\system32\SearchIndexer.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dce630 1 byte JMP 00000000000202c0 .text C:\Windows\system32\SearchIndexer.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076dce632 3 bytes {JMP 0xffffffff89251c90} .text C:\Windows\system32\SearchIndexer.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076dce6a0 5 bytes JMP 0000000000020348 .text C:\Windows\system32\SearchIndexer.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dceb60 5 bytes JMP 0000000000020458 .text C:\Windows\system32\SearchIndexer.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dcebb0 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\SearchIndexer.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000076e23080 5 bytes JMP 0000000000020568 .text C:\Windows\system32\conhost.exe[3564] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076da51a0 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\conhost.exe[3564] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000076dcdd60 5 bytes JMP 0000000000020678 .text C:\Windows\system32\conhost.exe[3564] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076dcde50 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\conhost.exe[3564] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dcdf70 5 bytes JMP 0000000000020018 .text C:\Windows\system32\conhost.exe[3564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dcdfd0 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\conhost.exe[3564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dce050 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\conhost.exe[3564] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dce0f0 5 bytes JMP 0000000000020128 .text C:\Windows\system32\conhost.exe[3564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dce5a0 5 bytes JMP 0000000000020238 .text C:\Windows\system32\conhost.exe[3564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dce630 1 byte JMP 00000000000202c0 .text C:\Windows\system32\conhost.exe[3564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076dce632 3 bytes {JMP 0xffffffff89251c90} .text C:\Windows\system32\conhost.exe[3564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076dce6a0 5 bytes JMP 0000000000020348 .text C:\Windows\system32\conhost.exe[3564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dceb60 5 bytes JMP 0000000000020458 .text C:\Windows\system32\conhost.exe[3564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dcebb0 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\conhost.exe[3564] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000076e23080 5 bytes JMP 0000000000020568 .text C:\Windows\System32\svchost.exe[4704] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076da51a0 5 bytes JMP 00000000000205f0 .text C:\Windows\System32\svchost.exe[4704] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000076dcdd60 5 bytes JMP 0000000000020678 .text C:\Windows\System32\svchost.exe[4704] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076dcde50 5 bytes JMP 00000000000200a0 .text C:\Windows\System32\svchost.exe[4704] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dcdf70 5 bytes JMP 0000000000020018 .text C:\Windows\System32\svchost.exe[4704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dcdfd0 5 bytes JMP 00000000000203d0 .text C:\Windows\System32\svchost.exe[4704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dce050 5 bytes JMP 00000000000201b0 .text C:\Windows\System32\svchost.exe[4704] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dce0f0 5 bytes JMP 0000000000020128 .text C:\Windows\System32\svchost.exe[4704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dce5a0 5 bytes JMP 0000000000020238 .text C:\Windows\System32\svchost.exe[4704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dce630 1 byte JMP 00000000000202c0 .text C:\Windows\System32\svchost.exe[4704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076dce632 3 bytes {JMP 0xffffffff89251c90} .text C:\Windows\System32\svchost.exe[4704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076dce6a0 5 bytes JMP 0000000000020348 .text C:\Windows\System32\svchost.exe[4704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dceb60 5 bytes JMP 0000000000020458 .text C:\Windows\System32\svchost.exe[4704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dcebb0 5 bytes JMP 00000000000204e0 .text C:\Windows\System32\svchost.exe[4704] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000076e23080 5 bytes JMP 0000000000020568 .text C:\Windows\system32\ctfmon.exe[4228] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076da51a0 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\ctfmon.exe[4228] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000076dcdd60 5 bytes JMP 0000000000020678 .text C:\Windows\system32\ctfmon.exe[4228] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076dcde50 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\ctfmon.exe[4228] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dcdf70 5 bytes JMP 0000000000020018 .text C:\Windows\system32\ctfmon.exe[4228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dcdfd0 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\ctfmon.exe[4228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dce050 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\ctfmon.exe[4228] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dce0f0 5 bytes JMP 0000000000020128 .text C:\Windows\system32\ctfmon.exe[4228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dce5a0 5 bytes JMP 0000000000020238 .text C:\Windows\system32\ctfmon.exe[4228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dce630 1 byte JMP 00000000000202c0 .text C:\Windows\system32\ctfmon.exe[4228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076dce632 3 bytes {JMP 0xffffffff89251c90} .text C:\Windows\system32\ctfmon.exe[4228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076dce6a0 5 bytes JMP 0000000000020348 .text C:\Windows\system32\ctfmon.exe[4228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dceb60 5 bytes JMP 0000000000020458 .text C:\Windows\system32\ctfmon.exe[4228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dcebb0 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\ctfmon.exe[4228] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000076e23080 5 bytes JMP 0000000000020568 .text C:\Windows\system32\ctfmon.exe[4228] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefb8c2db0 5 bytes JMP 000007fefb8b0180 .text C:\Windows\system32\ctfmon.exe[4228] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefb8c37d0 7 bytes JMP 000007fefb8b00d8 .text C:\Windows\system32\ctfmon.exe[4228] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefb8ca410 2 bytes JMP 000007fefb8b0110 .text C:\Windows\system32\ctfmon.exe[4228] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW + 3 000007fefb8ca413 2 bytes [FE, FF] .text C:\Windows\system32\ctfmon.exe[4228] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefb8caec0 6 bytes JMP 000007fefb8b0148 .text C:\Windows\system32\ctfmon.exe[4228] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefbeb89e0 8 bytes JMP 000007fefb8b01f0 .text C:\Windows\system32\ctfmon.exe[4228] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefbebbe40 8 bytes JMP 000007fefb8b01b8 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5812] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 0000000076f7fad4 5 bytes JMP 00000000745c30e0 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5812] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076f7fc4c 5 bytes JMP 00000000745c2360 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5812] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076f7fe10 5 bytes JMP 00000000745c21f0 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5812] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000076f7fea4 5 bytes JMP 00000000745c27a0 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5812] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076f7ff70 5 bytes JMP 00000000745c2650 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5812] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000076f80064 5 bytes JMP 00000000745c2520 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5812] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076f80798 5 bytes JMP 00000000745c28e0 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5812] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000076f80870 5 bytes JMP 00000000745c2b70 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5812] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000076f80918 5 bytes JMP 00000000745c2e00 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5812] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000076f81074 5 bytes JMP 00000000745c2a30 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5812] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000076f810ec 5 bytes JMP 00000000745c2cc0 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5812] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 0000000076f98abb 5 bytes JMP 00000000745c2f80 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5812] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 00000000770200fd 5 bytes JMP 00000000745c2e90 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[5936] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076da51a0 5 bytes JMP 00000000000205f0 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[5936] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000076dcdd60 5 bytes JMP 0000000000020678 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[5936] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076dcde50 5 bytes JMP 00000000000200a0 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[5936] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dcdf70 5 bytes JMP 0000000000020018 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[5936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dcdfd0 5 bytes JMP 00000000000203d0 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[5936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dce050 5 bytes JMP 00000000000201b0 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[5936] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dce0f0 5 bytes JMP 0000000000020128 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[5936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dce5a0 5 bytes JMP 0000000000020238 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[5936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dce630 1 byte JMP 00000000000202c0 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[5936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076dce632 3 bytes {JMP 0xffffffff89251c90} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[5936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076dce6a0 5 bytes JMP 0000000000020348 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[5936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dceb60 5 bytes JMP 0000000000020458 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[5936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dcebb0 5 bytes JMP 00000000000204e0 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[5936] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000076e23080 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5960] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 0000000076f7fad4 5 bytes JMP 00000000745c30e0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5960] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076f7fc4c 5 bytes JMP 00000000745c2360 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5960] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076f7fe10 5 bytes JMP 00000000745c21f0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5960] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000076f7fea4 5 bytes JMP 00000000745c27a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5960] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076f7ff70 5 bytes JMP 00000000745c2650 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5960] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000076f80064 5 bytes JMP 00000000745c2520 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5960] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076f80798 5 bytes JMP 00000000745c28e0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5960] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000076f80870 5 bytes JMP 00000000745c2b70 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5960] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000076f80918 5 bytes JMP 00000000745c2e00 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5960] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000076f81074 5 bytes JMP 00000000745c2a30 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5960] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000076f810ec 5 bytes JMP 00000000745c2cc0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5960] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 0000000076f98abb 5 bytes JMP 00000000745c2f80 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5960] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 00000000770200fd 5 bytes JMP 00000000745c2e90 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[176] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 0000000076f7fad4 5 bytes JMP 00000000745c30e0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[176] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076f7fc4c 5 bytes JMP 00000000745c2360 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[176] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076f7fe10 5 bytes JMP 00000000745c21f0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[176] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000076f7fea4 5 bytes JMP 00000000745c27a0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[176] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076f7ff70 5 bytes JMP 00000000745c2650 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[176] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000076f80064 5 bytes JMP 00000000745c2520 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[176] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076f80798 5 bytes JMP 00000000745c28e0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[176] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000076f80870 5 bytes JMP 00000000745c2b70 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[176] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000076f80918 5 bytes JMP 00000000745c2e00 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[176] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000076f81074 5 bytes JMP 00000000745c2a30 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[176] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000076f810ec 5 bytes JMP 00000000745c2cc0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[176] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 0000000076f98abb 5 bytes JMP 00000000745c2f80 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[176] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 00000000770200fd 5 bytes JMP 00000000745c2e90 .text C:\totalcmd\TOTALCMD64.EXE[6072] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076da51a0 5 bytes JMP 00000000000205f0 .text C:\totalcmd\TOTALCMD64.EXE[6072] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000076dcdd60 5 bytes JMP 0000000000020678 .text C:\totalcmd\TOTALCMD64.EXE[6072] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076dcde50 5 bytes JMP 00000000000200a0 .text C:\totalcmd\TOTALCMD64.EXE[6072] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dcdf70 5 bytes JMP 0000000000020018 .text C:\totalcmd\TOTALCMD64.EXE[6072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dcdfd0 5 bytes JMP 00000000000203d0 .text C:\totalcmd\TOTALCMD64.EXE[6072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dce050 5 bytes JMP 00000000000201b0 .text C:\totalcmd\TOTALCMD64.EXE[6072] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dce0f0 5 bytes JMP 0000000000020128 .text C:\totalcmd\TOTALCMD64.EXE[6072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dce5a0 5 bytes JMP 0000000000020238 .text C:\totalcmd\TOTALCMD64.EXE[6072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dce630 1 byte JMP 00000000000202c0 .text C:\totalcmd\TOTALCMD64.EXE[6072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076dce632 3 bytes {JMP 0xffffffff89251c90} .text C:\totalcmd\TOTALCMD64.EXE[6072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076dce6a0 5 bytes JMP 0000000000020348 .text C:\totalcmd\TOTALCMD64.EXE[6072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dceb60 5 bytes JMP 0000000000020458 .text C:\totalcmd\TOTALCMD64.EXE[6072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dcebb0 5 bytes JMP 00000000000204e0 .text C:\totalcmd\TOTALCMD64.EXE[6072] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000076e23080 5 bytes JMP 0000000000020568 .text C:\totalcmd\TOTALCMD64.EXE[6072] C:\Windows\system32\kernel32.dll!RegSetValueExW 0000000076b6a3e0 7 bytes JMP 000000006fff0228 .text C:\totalcmd\TOTALCMD64.EXE[6072] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000076b73f00 5 bytes JMP 000000006fff0180 .text C:\totalcmd\TOTALCMD64.EXE[6072] C:\Windows\system32\kernel32.dll!RegDeleteValueW 0000000076b8ffd0 5 bytes JMP 000000006fff01b8 .text C:\totalcmd\TOTALCMD64.EXE[6072] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 0000000076b9f350 5 bytes JMP 000000006fff0110 .text C:\totalcmd\TOTALCMD64.EXE[6072] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000076bc9aa0 7 bytes JMP 000000006fff00d8 .text C:\totalcmd\TOTALCMD64.EXE[6072] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 0000000076bd9530 5 bytes JMP 000000006fff0148 .text C:\totalcmd\TOTALCMD64.EXE[6072] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000076bf8850 7 bytes JMP 000000006fff01f0 .text C:\totalcmd\TOTALCMD64.EXE[6072] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefb8c2db0 5 bytes JMP 000007fefb8b0180 .text C:\totalcmd\TOTALCMD64.EXE[6072] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefb8c37d0 7 bytes JMP 000007fefb8b00d8 .text C:\totalcmd\TOTALCMD64.EXE[6072] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefb8ca410 2 bytes JMP 000007fefb8b0110 .text C:\totalcmd\TOTALCMD64.EXE[6072] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW + 3 000007fefb8ca413 2 bytes [FE, FF] .text C:\totalcmd\TOTALCMD64.EXE[6072] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefb8caec0 6 bytes JMP 000007fefb8b0148 .text C:\totalcmd\TOTALCMD64.EXE[6072] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefbeb89e0 8 bytes JMP 000007fefb8b01f0 .text C:\totalcmd\TOTALCMD64.EXE[6072] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefbebbe40 8 bytes JMP 000007fefb8b01b8 .text C:\totalcmd\TOTALCMD64.EXE[6072] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdb67490 11 bytes JMP 000007fefb8b0228 .text C:\totalcmd\TOTALCMD64.EXE[6072] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefdb7bf00 7 bytes JMP 000007fefb8b0260 .text C:\Users\Marta\Downloads\0ldt0n1s.exe[3008] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 0000000076f7fad4 5 bytes JMP 00000000745c30e0 .text C:\Users\Marta\Downloads\0ldt0n1s.exe[3008] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076f7fc4c 5 bytes JMP 00000000745c2360 .text C:\Users\Marta\Downloads\0ldt0n1s.exe[3008] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076f7fe10 5 bytes JMP 00000000745c21f0 .text C:\Users\Marta\Downloads\0ldt0n1s.exe[3008] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000076f7fea4 5 bytes JMP 00000000745c27a0 .text C:\Users\Marta\Downloads\0ldt0n1s.exe[3008] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076f7ff70 5 bytes JMP 00000000745c2650 .text C:\Users\Marta\Downloads\0ldt0n1s.exe[3008] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000076f80064 5 bytes JMP 00000000745c2520 .text C:\Users\Marta\Downloads\0ldt0n1s.exe[3008] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076f80798 5 bytes JMP 00000000745c28e0 .text C:\Users\Marta\Downloads\0ldt0n1s.exe[3008] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000076f80870 5 bytes JMP 00000000745c2b70 .text C:\Users\Marta\Downloads\0ldt0n1s.exe[3008] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000076f80918 5 bytes JMP 00000000745c2e00 .text C:\Users\Marta\Downloads\0ldt0n1s.exe[3008] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000076f81074 5 bytes JMP 00000000745c2a30 .text C:\Users\Marta\Downloads\0ldt0n1s.exe[3008] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000076f810ec 5 bytes JMP 00000000745c2cc0 .text C:\Users\Marta\Downloads\0ldt0n1s.exe[3008] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 0000000076f98abb 5 bytes JMP 00000000745c2f80 .text C:\Users\Marta\Downloads\0ldt0n1s.exe[3008] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 00000000770200fd 5 bytes JMP 00000000745c2e90 .text C:\Users\Marta\Downloads\0ldt0n1s.exe[3008] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000074d01efe 7 bytes JMP 00000000746c5200 .text C:\Users\Marta\Downloads\0ldt0n1s.exe[3008] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000074d05b9d 7 bytes JMP 00000000746c5840 .text C:\Users\Marta\Downloads\0ldt0n1s.exe[3008] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000074d113f9 7 bytes JMP 00000000746c5450 .text C:\Users\Marta\Downloads\0ldt0n1s.exe[3008] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 0000000074d1ea45 7 bytes JMP 00000000746c51f0 .text C:\Users\Marta\Downloads\0ldt0n1s.exe[3008] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000074da8ea4 7 bytes JMP 00000000746c4820 .text C:\Users\Marta\Downloads\0ldt0n1s.exe[3008] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000074da8f29 5 bytes JMP 00000000746c4a00 .text C:\Users\Marta\Downloads\0ldt0n1s.exe[3008] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000074da9281 5 bytes JMP 00000000746c4830 .text C:\Users\Marta\Downloads\0ldt0n1s.exe[3008] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000074951d29 5 bytes JMP 00000000746c4740 .text C:\Users\Marta\Downloads\0ldt0n1s.exe[3008] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000074951dd7 5 bytes JMP 00000000746c4650 .text C:\Users\Marta\Downloads\0ldt0n1s.exe[3008] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000074952ab1 5 bytes JMP 00000000746c4a10 .text C:\Users\Marta\Downloads\0ldt0n1s.exe[3008] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000074952d1d 5 bytes JMP 00000000746c4340 .text C:\Users\Marta\Downloads\0ldt0n1s.exe[3008] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 00000000750ae96b 5 bytes JMP 00000000746c3910 .text C:\Users\Marta\Downloads\0ldt0n1s.exe[3008] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 00000000750aeba5 5 bytes JMP 00000000746c3920 .text C:\Users\Marta\Downloads\0ldt0n1s.exe[3008] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000074c04572 5 bytes JMP 00000000746c42d0 .text C:\Users\Marta\Downloads\0ldt0n1s.exe[3008] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 0000000074c1e567 5 bytes JMP 00000000746c4330 .text C:\Users\Marta\Downloads\0ldt0n1s.exe[3008] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000074c407d7 5 bytes JMP 00000000746c3600 .text C:\Users\Marta\Downloads\0ldt0n1s.exe[3008] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000074c57a5c 5 bytes JMP 00000000746c42a0 ---- Files - GMER 2.2 ---- File C:\Users\Marta\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0016d4 62605 bytes File C:\Users\Marta\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\24FA.tmp 28134 bytes File C:\Users\Marta\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\24FB.tmp 28134 bytes File C:\Users\Marta\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\250B.tmp 28134 bytes File C:\Users\Marta\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\250C.tmp 28134 bytes File C:\Users\Marta\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\250D.tmp 28134 bytes File C:\Users\Marta\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\250E.tmp 28134 bytes File C:\Users\Marta\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\250F.tmp 28134 bytes File C:\Users\Marta\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\2510.tmp 28134 bytes File C:\Users\Marta\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\2511.tmp 28134 bytes File C:\Users\Marta\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\2512.tmp 28134 bytes File C:\Users\Marta\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\2513.tmp 28134 bytes File C:\Users\Marta\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\2524.tmp 28134 bytes File C:\Users\Marta\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\2525.tmp 28134 bytes File C:\Users\Marta\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\2526.tmp 28134 bytes File C:\Users\Marta\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\2527.tmp 28134 bytes ---- EOF - GMER 2.2 ----