GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-10-21 21:44:10 Windows 6.1.7600 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1 ST500LM012_HN-M500MBB rev.2AR10002 465,76GB Running: rmq2tm48.exe; Driver: C:\Users\Lenovo\AppData\Local\Temp\pxldrpog.sys ---- Kernel code sections - GMER 2.2 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification ---- User code sections - GMER 2.2 ---- .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1896] C:\Windows\system32\kernel32.dll!RegSetValueExW 000000007758cac0 7 bytes JMP 000000006fff0228 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1896] C:\Windows\system32\kernel32.dll!RegQueryValueExW 000000007759feb0 5 bytes JMP 000000006fff0180 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1896] C:\Windows\system32\kernel32.dll!RegDeleteValueW 00000000775b2af0 5 bytes JMP 000000006fff01b8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1896] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 00000000775bf8d0 5 bytes JMP 000000006fff0110 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1896] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 00000000775e9bb0 7 bytes JMP 000000006fff00d8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1896] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000775f9530 5 bytes JMP 000000006fff0148 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1896] C:\Windows\system32\kernel32.dll!RegSetValueExA 000000007761a2b0 7 bytes JMP 000000006fff01f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1896] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefc539610 7 bytes JMP 000007fefc5200d8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1896] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefc53a330 7 bytes JMP 000007fefc520148 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1896] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefc53b260 5 bytes JMP 000007fefc520180 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1896] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefc54a720 5 bytes JMP 000007fefc520110 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1896] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefde883e0 8 bytes JMP 000007fefc5201f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1896] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefde8bef0 8 bytes JMP 000007fefc5201b8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1896] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefe2eb92c 7 bytes JMP 000007fefc520260 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1896] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe3087a0 11 bytes JMP 000007fefc520228 .text C:\Windows\system32\Dwm.exe[2016] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefc539610 7 bytes JMP 000007fefc5200d8 .text C:\Windows\system32\Dwm.exe[2016] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefc53a330 7 bytes JMP 000007fefc520148 .text C:\Windows\system32\Dwm.exe[2016] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefc53b260 5 bytes JMP 000007fefc520180 .text C:\Windows\system32\Dwm.exe[2016] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefc54a720 5 bytes JMP 000007fefc520110 .text C:\Windows\system32\Dwm.exe[2016] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefde883e0 8 bytes JMP 000007fefc5201f0 .text C:\Windows\system32\Dwm.exe[2016] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefde8bef0 8 bytes JMP 000007fefc5201b8 .text C:\Windows\system32\Dwm.exe[2016] C:\Windows\system32\dxgi.dll!CreateDXGIFactory 000007fef8dc4980 7 bytes JMP 000007fef8db00d8 .text C:\Windows\system32\Dwm.exe[2016] C:\Windows\system32\dxgi.dll!CreateDXGIFactory1 000007fef8de9af4 7 bytes JMP 000007fef8db0110 .text C:\Windows\system32\taskhost.exe[2452] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000776d2350 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\taskhost.exe[2452] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00000000776f0040 5 bytes JMP 0000000000020678 .text C:\Windows\system32\taskhost.exe[2452] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000776f0130 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\taskhost.exe[2452] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776f0250 5 bytes JMP 0000000000020018 .text C:\Windows\system32\taskhost.exe[2452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776f02b0 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\taskhost.exe[2452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000776f0330 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\taskhost.exe[2452] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000776f03d0 5 bytes JMP 0000000000020128 .text C:\Windows\system32\taskhost.exe[2452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776f0880 5 bytes JMP 0000000000020238 .text C:\Windows\system32\taskhost.exe[2452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000776f0910 5 bytes JMP 00000000000202c0 .text C:\Windows\system32\taskhost.exe[2452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000776f0980 5 bytes JMP 0000000000020348 .text C:\Windows\system32\taskhost.exe[2452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776f0e40 5 bytes JMP 0000000000020458 .text C:\Windows\system32\taskhost.exe[2452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776f0e90 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\taskhost.exe[2452] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 000000007774bef0 5 bytes JMP 0000000000020568 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000776d2350 5 bytes JMP 00000000000205f0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00000000776f0040 5 bytes JMP 0000000000020678 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000776f0130 5 bytes JMP 00000000000200a0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776f0250 5 bytes JMP 0000000000020018 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776f02b0 5 bytes JMP 00000000000203d0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000776f0330 5 bytes JMP 00000000000201b0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000776f03d0 5 bytes JMP 0000000000020128 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776f0880 5 bytes JMP 0000000000020238 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000776f0910 5 bytes JMP 00000000000202c0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000776f0980 5 bytes JMP 0000000000020348 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776f0e40 5 bytes JMP 0000000000020458 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776f0e90 5 bytes JMP 00000000000204e0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 000000007774bef0 5 bytes JMP 0000000000020568 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000776d2350 5 bytes JMP 00000000000205f0 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00000000776f0040 5 bytes JMP 0000000000020678 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000776f0130 5 bytes JMP 00000000000200a0 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776f0250 5 bytes JMP 0000000000020018 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776f02b0 5 bytes JMP 00000000000203d0 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000776f0330 5 bytes JMP 00000000000201b0 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000776f03d0 5 bytes JMP 0000000000020128 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776f0880 5 bytes JMP 0000000000020238 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000776f0910 5 bytes JMP 00000000000202c0 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000776f0980 5 bytes JMP 0000000000020348 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776f0e40 5 bytes JMP 0000000000020458 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776f0e90 5 bytes JMP 00000000000204e0 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 000000007774bef0 5 bytes JMP 0000000000020568 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000776d2350 5 bytes JMP 00000000000205f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00000000776f0040 5 bytes JMP 0000000000020678 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000776f0130 5 bytes JMP 00000000000200a0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776f0250 5 bytes JMP 0000000000020018 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776f02b0 5 bytes JMP 00000000000203d0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000776f0330 5 bytes JMP 00000000000201b0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000776f03d0 5 bytes JMP 0000000000020128 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776f0880 5 bytes JMP 0000000000020238 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000776f0910 5 bytes JMP 00000000000202c0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000776f0980 5 bytes JMP 0000000000020348 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776f0e40 5 bytes JMP 0000000000020458 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776f0e90 5 bytes JMP 00000000000204e0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3408] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 000000007774bef0 5 bytes JMP 0000000000020568 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3408] C:\Windows\system32\kernel32.dll!RegSetValueExW 000000007758cac0 7 bytes JMP 000000006fff0228 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3408] C:\Windows\system32\kernel32.dll!RegQueryValueExW 000000007759feb0 5 bytes JMP 000000006fff0180 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3408] C:\Windows\system32\kernel32.dll!RegDeleteValueW 00000000775b2af0 5 bytes JMP 000000006fff01b8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3408] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 00000000775bf8d0 5 bytes JMP 000000006fff0110 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3408] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 00000000775e9bb0 7 bytes JMP 000000006fff00d8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3408] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000775f9530 5 bytes JMP 000000006fff0148 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3408] C:\Windows\system32\kernel32.dll!RegSetValueExA 000000007761a2b0 7 bytes JMP 000000006fff01f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3408] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefc539610 7 bytes JMP 000007fefc5200d8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3408] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefc53a330 7 bytes JMP 000007fefc520148 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3408] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefc53b260 5 bytes JMP 000007fefc520180 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3408] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefc54a720 5 bytes JMP 000007fefc520110 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3408] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefde883e0 8 bytes JMP 000007fefc5201f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3408] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefde8bef0 8 bytes JMP 000007fefc5201b8 .text C:\Windows\System32\igfxtray.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000776d2350 5 bytes JMP 00000000000205f0 .text C:\Windows\System32\igfxtray.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00000000776f0040 5 bytes JMP 0000000000020678 .text C:\Windows\System32\igfxtray.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000776f0130 5 bytes JMP 00000000000200a0 .text C:\Windows\System32\igfxtray.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776f0250 5 bytes JMP 0000000000020018 .text C:\Windows\System32\igfxtray.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776f02b0 5 bytes JMP 00000000000203d0 .text C:\Windows\System32\igfxtray.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000776f0330 5 bytes JMP 00000000000201b0 .text C:\Windows\System32\igfxtray.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000776f03d0 5 bytes JMP 0000000000020128 .text C:\Windows\System32\igfxtray.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776f0880 5 bytes JMP 0000000000020238 .text C:\Windows\System32\igfxtray.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000776f0910 5 bytes JMP 00000000000202c0 .text C:\Windows\System32\igfxtray.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000776f0980 5 bytes JMP 0000000000020348 .text C:\Windows\System32\igfxtray.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776f0e40 5 bytes JMP 0000000000020458 .text C:\Windows\System32\igfxtray.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776f0e90 5 bytes JMP 00000000000204e0 .text C:\Windows\System32\igfxtray.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 000000007774bef0 5 bytes JMP 0000000000020568 .text C:\Windows\System32\hkcmd.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000776d2350 5 bytes JMP 00000000000205f0 .text C:\Windows\System32\hkcmd.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00000000776f0040 5 bytes JMP 0000000000020678 .text C:\Windows\System32\hkcmd.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000776f0130 5 bytes JMP 00000000000200a0 .text C:\Windows\System32\hkcmd.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776f0250 5 bytes JMP 0000000000020018 .text C:\Windows\System32\hkcmd.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776f02b0 5 bytes JMP 00000000000203d0 .text C:\Windows\System32\hkcmd.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000776f0330 5 bytes JMP 00000000000201b0 .text C:\Windows\System32\hkcmd.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000776f03d0 5 bytes JMP 0000000000020128 .text C:\Windows\System32\hkcmd.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776f0880 5 bytes JMP 0000000000020238 .text C:\Windows\System32\hkcmd.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000776f0910 5 bytes JMP 00000000000202c0 .text C:\Windows\System32\hkcmd.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000776f0980 5 bytes JMP 0000000000020348 .text C:\Windows\System32\hkcmd.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776f0e40 5 bytes JMP 0000000000020458 .text C:\Windows\System32\hkcmd.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776f0e90 5 bytes JMP 00000000000204e0 .text C:\Windows\System32\hkcmd.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 000000007774bef0 5 bytes JMP 0000000000020568 .text C:\Windows\System32\igfxpers.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000776d2350 5 bytes JMP 00000000000205f0 .text C:\Windows\System32\igfxpers.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00000000776f0040 5 bytes JMP 0000000000020678 .text C:\Windows\System32\igfxpers.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000776f0130 5 bytes JMP 00000000000200a0 .text C:\Windows\System32\igfxpers.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776f0250 5 bytes JMP 0000000000020018 .text C:\Windows\System32\igfxpers.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776f02b0 5 bytes JMP 00000000000203d0 .text C:\Windows\System32\igfxpers.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000776f0330 5 bytes JMP 00000000000201b0 .text C:\Windows\System32\igfxpers.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000776f03d0 5 bytes JMP 0000000000020128 .text C:\Windows\System32\igfxpers.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776f0880 5 bytes JMP 0000000000020238 .text C:\Windows\System32\igfxpers.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000776f0910 5 bytes JMP 00000000000202c0 .text C:\Windows\System32\igfxpers.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000776f0980 5 bytes JMP 0000000000020348 .text C:\Windows\System32\igfxpers.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776f0e40 5 bytes JMP 0000000000020458 .text C:\Windows\System32\igfxpers.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776f0e90 5 bytes JMP 00000000000204e0 .text C:\Windows\System32\igfxpers.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 000000007774bef0 5 bytes JMP 0000000000020568 .text C:\Windows\System32\igfxpers.exe[3472] C:\Windows\system32\kernel32.dll!RegSetValueExW 000000007758cac0 7 bytes JMP 000000006fff0228 .text C:\Windows\System32\igfxpers.exe[3472] C:\Windows\system32\kernel32.dll!RegQueryValueExW 000000007759feb0 5 bytes JMP 000000006fff0180 .text C:\Windows\System32\igfxpers.exe[3472] C:\Windows\system32\kernel32.dll!RegDeleteValueW 00000000775b2af0 5 bytes JMP 000000006fff01b8 .text C:\Windows\System32\igfxpers.exe[3472] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 00000000775bf8d0 5 bytes JMP 000000006fff0110 .text C:\Windows\System32\igfxpers.exe[3472] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 00000000775e9bb0 7 bytes JMP 000000006fff00d8 .text C:\Windows\System32\igfxpers.exe[3472] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000775f9530 5 bytes JMP 000000006fff0148 .text C:\Windows\System32\igfxpers.exe[3472] C:\Windows\system32\kernel32.dll!RegSetValueExA 000000007761a2b0 7 bytes JMP 000000006fff01f0 .text C:\Windows\System32\igfxpers.exe[3472] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefc539610 7 bytes JMP 000007fefc5200d8 .text C:\Windows\System32\igfxpers.exe[3472] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefc53a330 7 bytes JMP 000007fefc520148 .text C:\Windows\System32\igfxpers.exe[3472] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefc53b260 5 bytes JMP 000007fefc520180 .text C:\Windows\System32\igfxpers.exe[3472] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefc54a720 5 bytes JMP 000007fefc520110 .text C:\Windows\System32\igfxpers.exe[3472] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefde883e0 8 bytes JMP 000007fefc5201f0 .text C:\Windows\System32\igfxpers.exe[3472] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefde8bef0 8 bytes JMP 000007fefc5201b8 .text C:\Windows\System32\igfxpers.exe[3472] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefe2eb92c 7 bytes JMP 000007fefc520260 .text C:\Windows\System32\igfxpers.exe[3472] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe3087a0 11 bytes JMP 000007fefc520228 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3528] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007789fa78 5 bytes JMP 0000000072bc30e0 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3528] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007789fbf0 5 bytes JMP 0000000072bc2360 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3528] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007789fdb4 1 byte JMP 0000000072bc21f0 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3528] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory + 2 000000007789fdb6 3 bytes {JMP 0xfffffffffb32243c} .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3528] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007789fe48 5 bytes JMP 0000000072bc27a0 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3528] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007789ff14 5 bytes JMP 0000000072bc2650 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3528] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000778a0008 5 bytes JMP 0000000072bc2520 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3528] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000778a073c 5 bytes JMP 0000000072bc28e0 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3528] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000778a0814 5 bytes JMP 0000000072bc2b70 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3528] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000778a08bc 5 bytes JMP 0000000072bc2e00 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3528] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000778a1018 5 bytes JMP 0000000072bc2a30 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3528] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000778a1090 5 bytes JMP 0000000072bc2cc0 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3528] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 00000000778b957f 5 bytes JMP 0000000072bc2f80 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3528] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007793f625 5 bytes JMP 0000000072bc2e90 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000776d2350 5 bytes JMP 00000000000205f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00000000776f0040 5 bytes JMP 0000000000020678 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000776f0130 5 bytes JMP 00000000000200a0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776f0250 5 bytes JMP 0000000000020018 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776f02b0 5 bytes JMP 00000000000203d0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000776f0330 5 bytes JMP 00000000000201b0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000776f03d0 5 bytes JMP 0000000000020128 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776f0880 5 bytes JMP 0000000000020238 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000776f0910 5 bytes JMP 00000000000202c0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000776f0980 5 bytes JMP 0000000000020348 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776f0e40 5 bytes JMP 0000000000020458 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776f0e90 5 bytes JMP 00000000000204e0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 000000007774bef0 5 bytes JMP 0000000000020568 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3644] C:\Windows\system32\kernel32.dll!RegSetValueExW 000000007758cac0 7 bytes JMP 000000006fff0228 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3644] C:\Windows\system32\kernel32.dll!RegQueryValueExW 000000007759feb0 5 bytes JMP 000000006fff0180 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3644] C:\Windows\system32\kernel32.dll!RegDeleteValueW 00000000775b2af0 5 bytes JMP 000000006fff01b8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3644] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 00000000775bf8d0 5 bytes JMP 000000006fff0110 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3644] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 00000000775e9bb0 7 bytes JMP 000000006fff00d8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3644] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000775f9530 5 bytes JMP 000000006fff0148 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3644] C:\Windows\system32\kernel32.dll!RegSetValueExA 000000007761a2b0 7 bytes JMP 000000006fff01f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3644] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefc539610 7 bytes JMP 000007fefc5200d8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3644] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefc53a330 7 bytes JMP 000007fefc520148 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3644] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefc53b260 5 bytes JMP 000007fefc520180 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3644] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefc54a720 5 bytes JMP 000007fefc520110 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3644] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefde883e0 8 bytes JMP 000007fefc5201f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3644] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefde8bef0 8 bytes JMP 000007fefc5201b8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3644] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefe2eb92c 7 bytes JMP 000007fefc520260 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3644] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe3087a0 11 bytes JMP 000007fefc520228 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3736] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000776d2350 5 bytes JMP 00000000000205f0 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3736] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00000000776f0040 5 bytes JMP 0000000000020678 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3736] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000776f0130 5 bytes JMP 00000000000200a0 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3736] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776f0250 5 bytes JMP 0000000000020018 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776f02b0 5 bytes JMP 00000000000203d0 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000776f0330 5 bytes JMP 00000000000201b0 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3736] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000776f03d0 5 bytes JMP 0000000000020128 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776f0880 5 bytes JMP 0000000000020238 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000776f0910 5 bytes JMP 00000000000202c0 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000776f0980 5 bytes JMP 0000000000020348 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776f0e40 5 bytes JMP 0000000000020458 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776f0e90 5 bytes JMP 00000000000204e0 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3736] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 000000007774bef0 5 bytes JMP 0000000000020568 .text C:\Windows\system32\svchost.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000776d2350 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\svchost.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00000000776f0040 5 bytes JMP 0000000000020678 .text C:\Windows\system32\svchost.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000776f0130 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\svchost.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776f0250 5 bytes JMP 0000000000020018 .text C:\Windows\system32\svchost.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776f02b0 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\svchost.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000776f0330 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\svchost.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000776f03d0 5 bytes JMP 0000000000020128 .text C:\Windows\system32\svchost.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776f0880 5 bytes JMP 0000000000020238 .text C:\Windows\system32\svchost.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000776f0910 5 bytes JMP 00000000000202c0 .text C:\Windows\system32\svchost.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000776f0980 5 bytes JMP 0000000000020348 .text C:\Windows\system32\svchost.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776f0e40 5 bytes JMP 0000000000020458 .text C:\Windows\system32\svchost.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776f0e90 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\svchost.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 000000007774bef0 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[3796] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007789fa78 5 bytes JMP 0000000072bc30e0 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[3796] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007789fbf0 5 bytes JMP 0000000072bc2360 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[3796] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007789fdb4 1 byte JMP 0000000072bc21f0 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[3796] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory + 2 000000007789fdb6 3 bytes {JMP 0xfffffffffb32243c} .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[3796] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007789fe48 5 bytes JMP 0000000072bc27a0 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[3796] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007789ff14 5 bytes JMP 0000000072bc2650 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[3796] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000778a0008 5 bytes JMP 0000000072bc2520 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[3796] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000778a073c 5 bytes JMP 0000000072bc28e0 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[3796] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000778a0814 5 bytes JMP 0000000072bc2b70 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[3796] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000778a08bc 5 bytes JMP 0000000072bc2e00 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[3796] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000778a1018 5 bytes JMP 0000000072bc2a30 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[3796] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000778a1090 5 bytes JMP 0000000072bc2cc0 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[3796] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 00000000778b957f 5 bytes JMP 0000000072bc2f80 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[3796] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007793f625 5 bytes JMP 0000000072bc2e90 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3824] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007789fa78 5 bytes JMP 0000000072bc30e0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3824] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007789fbf0 5 bytes JMP 0000000072bc2360 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3824] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007789fdb4 1 byte JMP 0000000072bc21f0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3824] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory + 2 000000007789fdb6 3 bytes {JMP 0xfffffffffb32243c} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3824] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007789fe48 5 bytes JMP 0000000072bc27a0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3824] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007789ff14 5 bytes JMP 0000000072bc2650 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3824] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000778a0008 5 bytes JMP 0000000072bc2520 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3824] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000778a073c 5 bytes JMP 0000000072bc28e0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3824] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000778a0814 5 bytes JMP 0000000072bc2b70 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3824] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000778a08bc 5 bytes JMP 0000000072bc2e00 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3824] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000778a1018 5 bytes JMP 0000000072bc2a30 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3824] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000778a1090 5 bytes JMP 0000000072bc2cc0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3824] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 00000000778b957f 5 bytes JMP 0000000072bc2f80 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3824] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007793f625 5 bytes JMP 0000000072bc2e90 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3824] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000767d2182 7 bytes JMP 00000000748d5160 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3824] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 00000000767dc74f 7 bytes JMP 00000000748d57a0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3824] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000767eddba 7 bytes JMP 00000000748d5150 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3824] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000767ef18b 7 bytes JMP 00000000748d53b0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3824] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000076878584 7 bytes JMP 00000000748d4780 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3824] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076878609 5 bytes JMP 00000000748d4960 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3824] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 000000007687895f 5 bytes JMP 00000000748d4790 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3824] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076ea1094 5 bytes JMP 00000000748d46a0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3824] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076ea1142 5 bytes JMP 00000000748d45b0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3824] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076ea1bb2 5 bytes JMP 0000000000d08c60 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3824] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076ea1d92 5 bytes JMP 00000000748d42a0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3824] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076fd8b9a 5 bytes JMP 00000000748d3770 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3824] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076fe4c48 5 bytes JMP 00000000748d4220 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3824] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 0000000076fe6bdc 5 bytes JMP 00000000748d4290 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3824] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 000000007702092e 3 bytes JMP 00000000748d35b0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3824] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW + 4 0000000077020932 1 byte [FD] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3824] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000077037bec 5 bytes JMP 00000000748d4200 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3824] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000076f5e84e 5 bytes JMP 00000000748d38c0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3824] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000076f5e86e 5 bytes JMP 00000000748d38b0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3824] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 00000000770d59e3 5 bytes JMP 00000000748d3730 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3824] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000771157fc 5 bytes JMP 00000000748d36c0 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3020] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000776d2350 5 bytes JMP 00000000000205f0 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3020] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00000000776f0040 5 bytes JMP 0000000000020678 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3020] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000776f0130 5 bytes JMP 00000000000200a0 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3020] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776f0250 5 bytes JMP 0000000000020018 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776f02b0 5 bytes JMP 00000000000203d0 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000776f0330 5 bytes JMP 00000000000201b0 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3020] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000776f03d0 5 bytes JMP 0000000000020128 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776f0880 5 bytes JMP 0000000000020238 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000776f0910 5 bytes JMP 00000000000202c0 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000776f0980 5 bytes JMP 0000000000020348 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776f0e40 5 bytes JMP 0000000000020458 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776f0e90 5 bytes JMP 00000000000204e0 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3020] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 000000007774bef0 5 bytes JMP 0000000000020568 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3020] C:\Windows\system32\kernel32.dll!RegSetValueExW 000000007758cac0 7 bytes JMP 000000006fff0228 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3020] C:\Windows\system32\kernel32.dll!RegQueryValueExW 000000007759feb0 5 bytes JMP 000000006fff0180 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3020] C:\Windows\system32\kernel32.dll!RegDeleteValueW 00000000775b2af0 5 bytes JMP 000000006fff01b8 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3020] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 00000000775bf8d0 5 bytes JMP 000000006fff0110 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3020] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 00000000775e9bb0 7 bytes JMP 000000006fff00d8 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3020] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000775f9530 5 bytes JMP 000000006fff0148 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3020] C:\Windows\system32\kernel32.dll!RegSetValueExA 000000007761a2b0 7 bytes JMP 000000006fff01f0 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3020] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefc539610 7 bytes JMP 000007fefc5200d8 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3020] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefc53a330 7 bytes JMP 000007fefc520148 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3020] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefc53b260 5 bytes JMP 000007fefc520180 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3020] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefc54a720 5 bytes JMP 000007fefc520110 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3020] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefe2eb92c 7 bytes JMP 000007fefc520260 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3020] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe3087a0 11 bytes JMP 000007fefc520228 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3020] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefde883e0 8 bytes JMP 000007fefc5201f0 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3020] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefde8bef0 8 bytes JMP 000007fefc5201b8 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000776d2350 5 bytes JMP 00000000000205f0 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00000000776f0040 5 bytes JMP 0000000000020678 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000776f0130 5 bytes JMP 00000000000200a0 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776f0250 5 bytes JMP 0000000000020018 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776f02b0 5 bytes JMP 00000000000203d0 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000776f0330 5 bytes JMP 00000000000201b0 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000776f03d0 5 bytes JMP 0000000000020128 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776f0880 5 bytes JMP 0000000000020238 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000776f0910 5 bytes JMP 00000000000202c0 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000776f0980 5 bytes JMP 0000000000020348 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776f0e40 5 bytes JMP 0000000000020458 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776f0e90 5 bytes JMP 00000000000204e0 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3120] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 000000007774bef0 5 bytes JMP 0000000000020568 .text C:\Program Files\Realtek\Audio\HDA\FMAPP.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000776d2350 5 bytes JMP 00000000000205f0 .text C:\Program Files\Realtek\Audio\HDA\FMAPP.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00000000776f0040 5 bytes JMP 0000000000020678 .text C:\Program Files\Realtek\Audio\HDA\FMAPP.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000776f0130 5 bytes JMP 00000000000200a0 .text C:\Program Files\Realtek\Audio\HDA\FMAPP.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776f0250 5 bytes JMP 0000000000020018 .text C:\Program Files\Realtek\Audio\HDA\FMAPP.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776f02b0 5 bytes JMP 00000000000203d0 .text C:\Program Files\Realtek\Audio\HDA\FMAPP.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000776f0330 5 bytes JMP 00000000000201b0 .text C:\Program Files\Realtek\Audio\HDA\FMAPP.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000776f03d0 5 bytes JMP 0000000000020128 .text C:\Program Files\Realtek\Audio\HDA\FMAPP.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776f0880 5 bytes JMP 0000000000020238 .text C:\Program Files\Realtek\Audio\HDA\FMAPP.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000776f0910 5 bytes JMP 00000000000202c0 .text C:\Program Files\Realtek\Audio\HDA\FMAPP.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000776f0980 5 bytes JMP 0000000000020348 .text C:\Program Files\Realtek\Audio\HDA\FMAPP.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776f0e40 5 bytes JMP 0000000000020458 .text C:\Program Files\Realtek\Audio\HDA\FMAPP.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776f0e90 5 bytes JMP 00000000000204e0 .text C:\Program Files\Realtek\Audio\HDA\FMAPP.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 000000007774bef0 5 bytes JMP 0000000000020568 .text C:\Program Files\Realtek\Audio\HDA\FMAPP.exe[3680] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefc539610 7 bytes JMP 000007fefc5200d8 .text C:\Program Files\Realtek\Audio\HDA\FMAPP.exe[3680] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefc53a330 7 bytes JMP 000007fefc520148 .text C:\Program Files\Realtek\Audio\HDA\FMAPP.exe[3680] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefc53b260 5 bytes JMP 000007fefc520180 .text C:\Program Files\Realtek\Audio\HDA\FMAPP.exe[3680] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefc54a720 5 bytes JMP 000007fefc520110 .text C:\Program Files\Realtek\Audio\HDA\FMAPP.exe[3680] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefde883e0 8 bytes JMP 000007fefc5201f0 .text C:\Program Files\Realtek\Audio\HDA\FMAPP.exe[3680] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefde8bef0 8 bytes JMP 000007fefc5201b8 .text C:\Windows\system32\SearchIndexer.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000776d2350 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\SearchIndexer.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00000000776f0040 5 bytes JMP 0000000000020678 .text C:\Windows\system32\SearchIndexer.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000776f0130 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\SearchIndexer.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776f0250 5 bytes JMP 0000000000020018 .text C:\Windows\system32\SearchIndexer.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776f02b0 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\SearchIndexer.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000776f0330 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\SearchIndexer.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000776f03d0 5 bytes JMP 0000000000020128 .text C:\Windows\system32\SearchIndexer.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776f0880 5 bytes JMP 0000000000020238 .text C:\Windows\system32\SearchIndexer.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000776f0910 5 bytes JMP 00000000000202c0 .text C:\Windows\system32\SearchIndexer.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000776f0980 5 bytes JMP 0000000000020348 .text C:\Windows\system32\SearchIndexer.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776f0e40 5 bytes JMP 0000000000020458 .text C:\Windows\system32\SearchIndexer.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776f0e90 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\SearchIndexer.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 000000007774bef0 5 bytes JMP 0000000000020568 .text C:\Windows\system32\wbem\wmiprvse.exe[4748] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000776d2350 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\wbem\wmiprvse.exe[4748] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00000000776f0040 5 bytes JMP 0000000000020678 .text C:\Windows\system32\wbem\wmiprvse.exe[4748] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000776f0130 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\wbem\wmiprvse.exe[4748] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776f0250 5 bytes JMP 0000000000020018 .text C:\Windows\system32\wbem\wmiprvse.exe[4748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776f02b0 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\wbem\wmiprvse.exe[4748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000776f0330 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\wbem\wmiprvse.exe[4748] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000776f03d0 5 bytes JMP 0000000000020128 .text C:\Windows\system32\wbem\wmiprvse.exe[4748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776f0880 5 bytes JMP 0000000000020238 .text C:\Windows\system32\wbem\wmiprvse.exe[4748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000776f0910 5 bytes JMP 00000000000202c0 .text C:\Windows\system32\wbem\wmiprvse.exe[4748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000776f0980 5 bytes JMP 0000000000020348 .text C:\Windows\system32\wbem\wmiprvse.exe[4748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776f0e40 5 bytes JMP 0000000000020458 .text C:\Windows\system32\wbem\wmiprvse.exe[4748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776f0e90 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\wbem\wmiprvse.exe[4748] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 000000007774bef0 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4816] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007789fa78 5 bytes JMP 0000000072bc30e0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4816] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007789fbf0 5 bytes JMP 0000000072bc2360 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4816] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007789fdb4 1 byte JMP 0000000072bc21f0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4816] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory + 2 000000007789fdb6 3 bytes {JMP 0xfffffffffb32243c} .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4816] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007789fe48 5 bytes JMP 0000000072bc27a0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4816] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007789ff14 5 bytes JMP 0000000072bc2650 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4816] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000778a0008 5 bytes JMP 0000000072bc2520 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4816] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000778a073c 5 bytes JMP 0000000072bc28e0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4816] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000778a0814 5 bytes JMP 0000000072bc2b70 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4816] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000778a08bc 5 bytes JMP 0000000072bc2e00 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4816] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000778a1018 5 bytes JMP 0000000072bc2a30 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4816] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000778a1090 5 bytes JMP 0000000072bc2cc0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4816] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 00000000778b957f 5 bytes JMP 0000000072bc2f80 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4816] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007793f625 5 bytes JMP 0000000072bc2e90 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4816] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000767d2182 7 bytes JMP 00000000748d5160 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4816] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 00000000767dc74f 7 bytes JMP 00000000748d57a0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4816] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000767eddba 7 bytes JMP 00000000748d5150 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4816] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000767ef18b 7 bytes JMP 00000000748d53b0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4816] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000076878584 7 bytes JMP 00000000748d4780 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4816] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076878609 5 bytes JMP 00000000748d4960 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4816] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 000000007687895f 5 bytes JMP 00000000748d4790 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4816] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076ea1094 5 bytes JMP 00000000748d46a0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4816] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076ea1142 5 bytes JMP 00000000748d45b0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4816] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076ea1bb2 5 bytes JMP 00000000748d4970 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4816] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076ea1d92 5 bytes JMP 00000000748d42a0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4816] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000076f5e84e 5 bytes JMP 00000000748d38c0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4816] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000076f5e86e 5 bytes JMP 00000000748d38b0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4816] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076fd8b9a 5 bytes JMP 00000000748d3770 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4816] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076fe4c48 5 bytes JMP 00000000748d4220 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4816] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 0000000076fe6bdc 5 bytes JMP 00000000748d4290 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4816] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 000000007702092e 3 bytes JMP 00000000748d35b0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4816] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW + 4 0000000077020932 1 byte [FD] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4816] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000077037bec 5 bytes JMP 00000000748d4200 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4816] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 00000000770d59e3 5 bytes JMP 00000000748d3730 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4816] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000771157fc 5 bytes JMP 00000000748d36c0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4816] C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll!Detoured + 3 0000000074971003 2 bytes [97, 74] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4816] C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll!Detoured + 22 0000000074971016 2 bytes [97, 74] .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007789fa78 5 bytes JMP 0000000072bc30e0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007789fbf0 5 bytes JMP 0000000072bc2360 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007789fdb4 1 byte JMP 0000000072bc21f0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory + 2 000000007789fdb6 3 bytes {JMP 0xfffffffffb32243c} .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007789fe48 5 bytes JMP 0000000072bc27a0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007789ff14 5 bytes JMP 0000000072bc2650 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000778a0008 5 bytes JMP 0000000072bc2520 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000778a073c 5 bytes JMP 0000000072bc28e0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000778a0814 5 bytes JMP 0000000072bc2b70 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000778a08bc 5 bytes JMP 0000000072bc2e00 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000778a1018 5 bytes JMP 0000000072bc2a30 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000778a1090 5 bytes JMP 0000000072bc2cc0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5012] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 00000000778b957f 5 bytes JMP 0000000072bc2f80 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5012] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007793f625 5 bytes JMP 0000000072bc2e90 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5012] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000767d2182 7 bytes JMP 00000000748d5160 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5012] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 00000000767dc74f 7 bytes JMP 00000000748d57a0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5012] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000767eddba 7 bytes JMP 00000000748d5150 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5012] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000767ef18b 7 bytes JMP 00000000748d53b0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5012] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000076878584 7 bytes JMP 00000000748d4780 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5012] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076878609 5 bytes JMP 00000000748d4960 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5012] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 000000007687895f 5 bytes JMP 00000000748d4790 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5012] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076ea1094 5 bytes JMP 00000000748d46a0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5012] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076ea1142 5 bytes JMP 00000000748d45b0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5012] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076ea1bb2 5 bytes JMP 00000000748d4970 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5012] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076ea1d92 5 bytes JMP 00000000748d42a0 .text C:\Windows\system32\svchost.exe[4656] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000776d2350 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\svchost.exe[4656] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00000000776f0040 5 bytes JMP 0000000000020678 .text C:\Windows\system32\svchost.exe[4656] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000776f0130 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\svchost.exe[4656] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776f0250 5 bytes JMP 0000000000020018 .text C:\Windows\system32\svchost.exe[4656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776f02b0 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\svchost.exe[4656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000776f0330 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\svchost.exe[4656] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000776f03d0 5 bytes JMP 0000000000020128 .text C:\Windows\system32\svchost.exe[4656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776f0880 5 bytes JMP 0000000000020238 .text C:\Windows\system32\svchost.exe[4656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000776f0910 5 bytes JMP 00000000000202c0 .text C:\Windows\system32\svchost.exe[4656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000776f0980 5 bytes JMP 0000000000020348 .text C:\Windows\system32\svchost.exe[4656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776f0e40 5 bytes JMP 0000000000020458 .text C:\Windows\system32\svchost.exe[4656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776f0e90 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\svchost.exe[4656] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 000000007774bef0 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[5100] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007789fa78 5 bytes JMP 0000000072bc30e0 .text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[5100] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007789fbf0 5 bytes JMP 0000000072bc2360 .text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[5100] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007789fdb4 1 byte JMP 0000000072bc21f0 .text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[5100] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory + 2 000000007789fdb6 3 bytes {JMP 0xfffffffffb32243c} .text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[5100] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007789fe48 5 bytes JMP 0000000072bc27a0 .text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[5100] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007789ff14 5 bytes JMP 0000000072bc2650 .text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[5100] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000778a0008 5 bytes JMP 0000000072bc2520 .text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[5100] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000778a073c 5 bytes JMP 0000000072bc28e0 .text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[5100] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000778a0814 5 bytes JMP 0000000072bc2b70 .text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[5100] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000778a08bc 5 bytes JMP 0000000072bc2e00 .text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[5100] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000778a1018 5 bytes JMP 0000000072bc2a30 .text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[5100] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000778a1090 5 bytes JMP 0000000072bc2cc0 .text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[5100] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 00000000778b957f 5 bytes JMP 0000000072bc2f80 .text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[5100] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007793f625 5 bytes JMP 0000000072bc2e90 .text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[5100] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000767d2182 7 bytes JMP 00000000748d5160 .text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[5100] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 00000000767dc74f 7 bytes JMP 00000000748d57a0 .text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[5100] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000767eddba 7 bytes JMP 00000000748d5150 .text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[5100] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000767ef18b 7 bytes JMP 00000000748d53b0 .text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[5100] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000076878584 7 bytes JMP 00000000748d4780 .text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[5100] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076878609 5 bytes JMP 00000000748d4960 .text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[5100] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 000000007687895f 5 bytes JMP 00000000748d4790 .text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[5100] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076ea1094 5 bytes JMP 00000000748d46a0 .text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[5100] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076ea1142 5 bytes JMP 00000000748d45b0 .text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[5100] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076ea1bb2 5 bytes JMP 00000000748d4970 .text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[5100] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076ea1d92 5 bytes JMP 00000000748d42a0 .text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[5100] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076fe4c48 5 bytes JMP 00000000748d4220 .text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[5100] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 0000000076fe6bdc 5 bytes JMP 00000000748d4290 .text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[5100] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 000000007702092e 3 bytes JMP 00000000748d35b0 .text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[5100] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW + 4 0000000077020932 1 byte [FD] .text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[5100] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000077037bec 5 bytes JMP 00000000748d4200 .text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[5100] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000076f5e84e 5 bytes JMP 00000000748d38c0 .text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[5100] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000076f5e86e 5 bytes JMP 00000000748d38b0 .text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[5100] C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll!Detoured + 3 0000000074971003 2 bytes [97, 74] .text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[5100] C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll!Detoured + 22 0000000074971016 2 bytes [97, 74] .text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[5100] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076ce1401 2 bytes JMP 767eeb26 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[5100] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076ce1419 2 bytes JMP 767fb513 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[5100] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076ce1431 2 bytes JMP 76878609 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[5100] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076ce144a 2 bytes CALL 767d1dfa C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[5100] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076ce14dd 2 bytes JMP 76877efe C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[5100] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076ce14f5 2 bytes JMP 768780d8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[5100] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076ce150d 2 bytes JMP 76877df4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[5100] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076ce1525 2 bytes JMP 768781c2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[5100] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076ce153d 2 bytes JMP 767ef088 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[5100] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076ce1555 2 bytes JMP 767fb885 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[5100] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076ce156d 2 bytes JMP 768786c1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[5100] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076ce1585 2 bytes JMP 76878222 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[5100] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076ce159d 2 bytes JMP 76877db8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[5100] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076ce15b5 2 bytes JMP 767ef121 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[5100] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076ce15cd 2 bytes JMP 767fb29f C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[5100] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076ce16b2 2 bytes JMP 76878584 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[5100] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076ce16bd 2 bytes JMP 76877d4d C:\Windows\syswow64\kernel32.dll .text C:\Windows\System32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000776d2350 5 bytes JMP 00000000000205f0 .text C:\Windows\System32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00000000776f0040 5 bytes JMP 0000000000020678 .text C:\Windows\System32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000776f0130 5 bytes JMP 00000000000200a0 .text C:\Windows\System32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776f0250 5 bytes JMP 0000000000020018 .text C:\Windows\System32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776f02b0 5 bytes JMP 00000000000203d0 .text C:\Windows\System32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000776f0330 5 bytes JMP 00000000000201b0 .text C:\Windows\System32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000776f03d0 5 bytes JMP 0000000000020128 .text C:\Windows\System32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776f0880 5 bytes JMP 0000000000020238 .text C:\Windows\System32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000776f0910 5 bytes JMP 00000000000202c0 .text C:\Windows\System32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000776f0980 5 bytes JMP 0000000000020348 .text C:\Windows\System32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776f0e40 5 bytes JMP 0000000000020458 .text C:\Windows\System32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776f0e90 5 bytes JMP 00000000000204e0 .text C:\Windows\System32\svchost.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 000000007774bef0 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\TeamViewer\tv_w32.exe[5436] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007789fa78 5 bytes JMP 0000000072bc30e0 .text C:\Program Files (x86)\TeamViewer\tv_w32.exe[5436] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007789fbf0 5 bytes JMP 0000000072bc2360 .text C:\Program Files (x86)\TeamViewer\tv_w32.exe[5436] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007789fdb4 1 byte JMP 0000000072bc21f0 .text C:\Program Files (x86)\TeamViewer\tv_w32.exe[5436] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory + 2 000000007789fdb6 3 bytes {JMP 0xfffffffffb32243c} .text C:\Program Files (x86)\TeamViewer\tv_w32.exe[5436] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007789fe48 5 bytes JMP 0000000072bc27a0 .text C:\Program Files (x86)\TeamViewer\tv_w32.exe[5436] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007789ff14 5 bytes JMP 0000000072bc2650 .text C:\Program Files (x86)\TeamViewer\tv_w32.exe[5436] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000778a0008 5 bytes JMP 0000000072bc2520 .text C:\Program Files (x86)\TeamViewer\tv_w32.exe[5436] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000778a073c 5 bytes JMP 0000000072bc28e0 .text C:\Program Files (x86)\TeamViewer\tv_w32.exe[5436] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000778a0814 5 bytes JMP 0000000072bc2b70 .text C:\Program Files (x86)\TeamViewer\tv_w32.exe[5436] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000778a08bc 5 bytes JMP 0000000072bc2e00 .text C:\Program Files (x86)\TeamViewer\tv_w32.exe[5436] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000778a1018 5 bytes JMP 0000000072bc2a30 .text C:\Program Files (x86)\TeamViewer\tv_w32.exe[5436] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000778a1090 5 bytes JMP 0000000072bc2cc0 .text C:\Program Files (x86)\TeamViewer\tv_w32.exe[5436] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 00000000778b957f 5 bytes JMP 0000000072bc2f80 .text C:\Program Files (x86)\TeamViewer\tv_w32.exe[5436] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007793f625 5 bytes JMP 0000000072bc2e90 .text C:\Program Files (x86)\TeamViewer\tv_w32.exe[5436] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000767d2182 7 bytes JMP 00000000748d5160 .text C:\Program Files (x86)\TeamViewer\tv_w32.exe[5436] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 00000000767dc74f 7 bytes JMP 00000000748d57a0 .text C:\Program Files (x86)\TeamViewer\tv_w32.exe[5436] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000767eddba 7 bytes JMP 00000000748d5150 .text C:\Program Files (x86)\TeamViewer\tv_w32.exe[5436] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000767ef18b 7 bytes JMP 00000000748d53b0 .text C:\Program Files (x86)\TeamViewer\tv_w32.exe[5436] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000076878584 7 bytes JMP 00000000748d4780 .text C:\Program Files (x86)\TeamViewer\tv_w32.exe[5436] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076878609 5 bytes JMP 00000000748d4960 .text C:\Program Files (x86)\TeamViewer\tv_w32.exe[5436] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 000000007687895f 5 bytes JMP 00000000748d4790 .text C:\Program Files (x86)\TeamViewer\tv_w32.exe[5436] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076ea1094 5 bytes JMP 00000000748d46a0 .text C:\Program Files (x86)\TeamViewer\tv_w32.exe[5436] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076ea1142 5 bytes JMP 00000000748d45b0 .text C:\Program Files (x86)\TeamViewer\tv_w32.exe[5436] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076ea1bb2 5 bytes JMP 00000000748d4970 .text C:\Program Files (x86)\TeamViewer\tv_w32.exe[5436] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076ea1d92 5 bytes JMP 00000000748d42a0 .text C:\Program Files (x86)\TeamViewer\tv_w32.exe[5436] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000076f5e84e 5 bytes JMP 00000000748d38c0 .text C:\Program Files (x86)\TeamViewer\tv_w32.exe[5436] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000076f5e86e 5 bytes JMP 00000000748d38b0 .text C:\Program Files (x86)\TeamViewer\tv_w32.exe[5436] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076fd8b9a 5 bytes JMP 00000000748d3770 .text C:\Program Files (x86)\TeamViewer\tv_w32.exe[5436] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076fe4c48 5 bytes JMP 00000000748d4220 .text C:\Program Files (x86)\TeamViewer\tv_w32.exe[5436] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 0000000076fe6bdc 5 bytes JMP 00000000748d4290 .text C:\Program Files (x86)\TeamViewer\tv_w32.exe[5436] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 000000007702092e 3 bytes JMP 00000000748d35b0 .text C:\Program Files (x86)\TeamViewer\tv_w32.exe[5436] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW + 4 0000000077020932 1 byte [FD] .text C:\Program Files (x86)\TeamViewer\tv_w32.exe[5436] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000077037bec 5 bytes JMP 00000000748d4200 .text C:\Program Files (x86)\TeamViewer\tv_w32.exe[5436] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 00000000770d59e3 5 bytes JMP 00000000748d3730 .text C:\Program Files (x86)\TeamViewer\tv_w32.exe[5436] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000771157fc 5 bytes JMP 00000000748d36c0 .text C:\Program Files (x86)\TeamViewer\tv_w32.exe[5436] C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll!Detoured + 3 0000000074971003 2 bytes [97, 74] .text C:\Program Files (x86)\TeamViewer\tv_w32.exe[5436] C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll!Detoured + 22 0000000074971016 2 bytes [97, 74] .text C:\Program Files (x86)\TeamViewer\tv_x64.exe[5444] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000776d2350 5 bytes JMP 00000000000205f0 .text C:\Program Files (x86)\TeamViewer\tv_x64.exe[5444] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00000000776f0040 5 bytes JMP 0000000000020678 .text C:\Program Files (x86)\TeamViewer\tv_x64.exe[5444] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000776f0130 5 bytes JMP 00000000000200a0 .text C:\Program Files (x86)\TeamViewer\tv_x64.exe[5444] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776f0250 5 bytes JMP 0000000000020018 .text C:\Program Files (x86)\TeamViewer\tv_x64.exe[5444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776f02b0 5 bytes JMP 00000000000203d0 .text C:\Program Files (x86)\TeamViewer\tv_x64.exe[5444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000776f0330 5 bytes JMP 00000000000201b0 .text C:\Program Files (x86)\TeamViewer\tv_x64.exe[5444] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000776f03d0 5 bytes JMP 0000000000020128 .text C:\Program Files (x86)\TeamViewer\tv_x64.exe[5444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776f0880 5 bytes JMP 0000000000020238 .text C:\Program Files (x86)\TeamViewer\tv_x64.exe[5444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000776f0910 5 bytes JMP 00000000000202c0 .text C:\Program Files (x86)\TeamViewer\tv_x64.exe[5444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000776f0980 5 bytes JMP 0000000000020348 .text C:\Program Files (x86)\TeamViewer\tv_x64.exe[5444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776f0e40 5 bytes JMP 0000000000020458 .text C:\Program Files (x86)\TeamViewer\tv_x64.exe[5444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776f0e90 5 bytes JMP 00000000000204e0 .text C:\Program Files (x86)\TeamViewer\tv_x64.exe[5444] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 000000007774bef0 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\TeamViewer\tv_x64.exe[5444] C:\Windows\system32\kernel32.dll!RegSetValueExW 000000007758cac0 7 bytes JMP 000000006fff0228 .text C:\Program Files (x86)\TeamViewer\tv_x64.exe[5444] C:\Windows\system32\kernel32.dll!RegQueryValueExW 000000007759feb0 5 bytes JMP 000000006fff0180 .text C:\Program Files (x86)\TeamViewer\tv_x64.exe[5444] C:\Windows\system32\kernel32.dll!RegDeleteValueW 00000000775b2af0 5 bytes JMP 000000006fff01b8 .text C:\Program Files (x86)\TeamViewer\tv_x64.exe[5444] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 00000000775bf8d0 5 bytes JMP 000000006fff0110 .text C:\Program Files (x86)\TeamViewer\tv_x64.exe[5444] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 00000000775e9bb0 7 bytes JMP 000000006fff00d8 .text C:\Program Files (x86)\TeamViewer\tv_x64.exe[5444] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000775f9530 5 bytes JMP 000000006fff0148 .text C:\Program Files (x86)\TeamViewer\tv_x64.exe[5444] C:\Windows\system32\kernel32.dll!RegSetValueExA 000000007761a2b0 7 bytes JMP 000000006fff01f0 .text C:\Program Files (x86)\TeamViewer\tv_x64.exe[5444] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefc539610 7 bytes JMP 000007fefc5200d8 .text C:\Program Files (x86)\TeamViewer\tv_x64.exe[5444] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefc53a330 7 bytes JMP 000007fefc520148 .text C:\Program Files (x86)\TeamViewer\tv_x64.exe[5444] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefc53b260 5 bytes JMP 000007fefc520180 .text C:\Program Files (x86)\TeamViewer\tv_x64.exe[5444] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefc54a720 5 bytes JMP 000007fefc520110 .text C:\Program Files (x86)\TeamViewer\tv_x64.exe[5444] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefde883e0 8 bytes JMP 000007fefc5201f0 .text C:\Program Files (x86)\TeamViewer\tv_x64.exe[5444] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefde8bef0 8 bytes JMP 000007fefc5201b8 .text C:\Windows\system32\ctfmon.exe[5740] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000776d2350 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\ctfmon.exe[5740] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00000000776f0040 5 bytes JMP 0000000000020678 .text C:\Windows\system32\ctfmon.exe[5740] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000776f0130 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\ctfmon.exe[5740] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776f0250 5 bytes JMP 0000000000020018 .text C:\Windows\system32\ctfmon.exe[5740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776f02b0 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\ctfmon.exe[5740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000776f0330 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\ctfmon.exe[5740] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000776f03d0 5 bytes JMP 0000000000020128 .text C:\Windows\system32\ctfmon.exe[5740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776f0880 5 bytes JMP 0000000000020238 .text C:\Windows\system32\ctfmon.exe[5740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000776f0910 5 bytes JMP 00000000000202c0 .text C:\Windows\system32\ctfmon.exe[5740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000776f0980 5 bytes JMP 0000000000020348 .text C:\Windows\system32\ctfmon.exe[5740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776f0e40 5 bytes JMP 0000000000020458 .text C:\Windows\system32\ctfmon.exe[5740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776f0e90 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\ctfmon.exe[5740] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 000000007774bef0 5 bytes JMP 0000000000020568 .text C:\Windows\system32\ctfmon.exe[5740] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefc539610 7 bytes JMP 000007fefc5200d8 .text C:\Windows\system32\ctfmon.exe[5740] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefc53a330 7 bytes JMP 000007fefc520148 .text C:\Windows\system32\ctfmon.exe[5740] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefc53b260 5 bytes JMP 000007fefc520180 .text C:\Windows\system32\ctfmon.exe[5740] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefc54a720 5 bytes JMP 000007fefc520110 .text C:\Windows\system32\ctfmon.exe[5740] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefde883e0 8 bytes JMP 000007fefc5201f0 .text C:\Windows\system32\ctfmon.exe[5740] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefde8bef0 8 bytes JMP 000007fefc5201b8 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[5932] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000776d2350 5 bytes JMP 00000000000205f0 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[5932] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00000000776f0040 5 bytes JMP 0000000000020678 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[5932] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000776f0130 5 bytes JMP 00000000000200a0 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[5932] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776f0250 5 bytes JMP 0000000000020018 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[5932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776f02b0 5 bytes JMP 00000000000203d0 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[5932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000776f0330 5 bytes JMP 00000000000201b0 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[5932] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000776f03d0 5 bytes JMP 0000000000020128 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[5932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776f0880 5 bytes JMP 0000000000020238 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[5932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000776f0910 5 bytes JMP 00000000000202c0 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[5932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000776f0980 5 bytes JMP 0000000000020348 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[5932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776f0e40 5 bytes JMP 0000000000020458 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[5932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776f0e90 5 bytes JMP 00000000000204e0 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[5932] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 000000007774bef0 5 bytes JMP 0000000000020568 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000776d2350 5 bytes JMP 00000000000205f0 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00000000776f0040 5 bytes JMP 0000000000020678 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000776f0130 5 bytes JMP 00000000000200a0 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776f0250 5 bytes JMP 0000000000020018 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776f02b0 5 bytes JMP 00000000000203d0 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000776f0330 5 bytes JMP 00000000000201b0 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000776f03d0 5 bytes JMP 0000000000020128 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776f0880 5 bytes JMP 0000000000020238 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000776f0910 5 bytes JMP 00000000000202c0 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000776f0980 5 bytes JMP 0000000000020348 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776f0e40 5 bytes JMP 0000000000020458 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776f0e90 5 bytes JMP 00000000000204e0 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 000000007774bef0 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\amuleC\ed2k.exe[5560] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007789fa78 5 bytes JMP 0000000072bc30e0 .text C:\Program Files (x86)\amuleC\ed2k.exe[5560] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007789fbf0 5 bytes JMP 0000000072bc2360 .text C:\Program Files (x86)\amuleC\ed2k.exe[5560] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007789fdb4 1 byte JMP 0000000072bc21f0 .text C:\Program Files (x86)\amuleC\ed2k.exe[5560] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory + 2 000000007789fdb6 3 bytes {JMP 0xfffffffffb32243c} .text C:\Program Files (x86)\amuleC\ed2k.exe[5560] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007789fe48 5 bytes JMP 0000000072bc27a0 .text C:\Program Files (x86)\amuleC\ed2k.exe[5560] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007789ff14 5 bytes JMP 0000000072bc2650 .text C:\Program Files (x86)\amuleC\ed2k.exe[5560] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000778a0008 5 bytes JMP 0000000072bc2520 .text C:\Program Files (x86)\amuleC\ed2k.exe[5560] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000778a073c 5 bytes JMP 0000000072bc28e0 .text C:\Program Files (x86)\amuleC\ed2k.exe[5560] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000778a0814 5 bytes JMP 0000000072bc2b70 .text C:\Program Files (x86)\amuleC\ed2k.exe[5560] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000778a08bc 5 bytes JMP 0000000072bc2e00 .text C:\Program Files (x86)\amuleC\ed2k.exe[5560] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000778a1018 5 bytes JMP 0000000072bc2a30 .text C:\Program Files (x86)\amuleC\ed2k.exe[5560] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000778a1090 5 bytes JMP 0000000072bc2cc0 .text C:\Program Files (x86)\amuleC\ed2k.exe[5560] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 00000000778b957f 5 bytes JMP 0000000072bc2f80 .text C:\Program Files (x86)\amuleC\ed2k.exe[5560] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007793f625 5 bytes JMP 0000000072bc2e90 .text C:\Windows\System32\svchost.exe[4324] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000776d2350 5 bytes JMP 00000000000205f0 .text C:\Windows\System32\svchost.exe[4324] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00000000776f0040 5 bytes JMP 0000000000020678 .text C:\Windows\System32\svchost.exe[4324] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000776f0130 5 bytes JMP 00000000000200a0 .text C:\Windows\System32\svchost.exe[4324] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776f0250 5 bytes JMP 0000000000020018 .text C:\Windows\System32\svchost.exe[4324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776f02b0 5 bytes JMP 00000000000203d0 .text C:\Windows\System32\svchost.exe[4324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000776f0330 5 bytes JMP 00000000000201b0 .text C:\Windows\System32\svchost.exe[4324] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000776f03d0 5 bytes JMP 0000000000020128 .text C:\Windows\System32\svchost.exe[4324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776f0880 5 bytes JMP 0000000000020238 .text C:\Windows\System32\svchost.exe[4324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000776f0910 5 bytes JMP 00000000000202c0 .text C:\Windows\System32\svchost.exe[4324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000776f0980 5 bytes JMP 0000000000020348 .text C:\Windows\System32\svchost.exe[4324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776f0e40 5 bytes JMP 0000000000020458 .text C:\Windows\System32\svchost.exe[4324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776f0e90 5 bytes JMP 00000000000204e0 .text C:\Windows\System32\svchost.exe[4324] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 000000007774bef0 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\Steam\Steam.exe[5760] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007789fa78 5 bytes JMP 0000000072bc30e0 .text C:\Program Files (x86)\Steam\Steam.exe[5760] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007789fbf0 5 bytes JMP 0000000072bc2360 .text C:\Program Files (x86)\Steam\Steam.exe[5760] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007789fdb4 1 byte JMP 0000000072bc21f0 .text C:\Program Files (x86)\Steam\Steam.exe[5760] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory + 2 000000007789fdb6 3 bytes {JMP 0xfffffffffb32243c} .text C:\Program Files (x86)\Steam\Steam.exe[5760] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007789fe48 5 bytes JMP 0000000072bc27a0 .text C:\Program Files (x86)\Steam\Steam.exe[5760] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007789ff14 5 bytes JMP 0000000072bc2650 .text C:\Program Files (x86)\Steam\Steam.exe[5760] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000778a0008 5 bytes JMP 0000000072bc2520 .text C:\Program Files (x86)\Steam\Steam.exe[5760] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000778a073c 5 bytes JMP 0000000072bc28e0 .text C:\Program Files (x86)\Steam\Steam.exe[5760] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000778a0814 5 bytes JMP 0000000072bc2b70 .text C:\Program Files (x86)\Steam\Steam.exe[5760] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000778a08bc 5 bytes JMP 0000000072bc2e00 .text C:\Program Files (x86)\Steam\Steam.exe[5760] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000778a1018 5 bytes JMP 0000000072bc2a30 .text C:\Program Files (x86)\Steam\Steam.exe[5760] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000778a1090 5 bytes JMP 0000000072bc2cc0 .text C:\Program Files (x86)\Steam\Steam.exe[5760] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 00000000778b957f 5 bytes JMP 0000000072bc2f80 .text C:\Program Files (x86)\Steam\Steam.exe[5760] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007793f625 5 bytes JMP 0000000072bc2e90 .text C:\Program Files (x86)\Steam\Steam.exe[5760] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000767d2182 7 bytes JMP 00000000748d5160 .text C:\Program Files (x86)\Steam\Steam.exe[5760] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 00000000767dc74f 7 bytes JMP 00000000748d57a0 .text C:\Program Files (x86)\Steam\Steam.exe[5760] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000767eddba 7 bytes JMP 00000000748d5150 .text C:\Program Files (x86)\Steam\Steam.exe[5760] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000767ef18b 7 bytes JMP 00000000748d53b0 .text C:\Program Files (x86)\Steam\Steam.exe[5760] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000076878584 7 bytes JMP 00000000748d4780 .text C:\Program Files (x86)\Steam\Steam.exe[5760] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076878609 5 bytes JMP 00000000748d4960 .text C:\Program Files (x86)\Steam\Steam.exe[5760] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 000000007687895f 5 bytes JMP 00000000748d4790 .text C:\Program Files (x86)\Steam\Steam.exe[5760] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076ea1094 5 bytes JMP 00000000748d46a0 .text C:\Program Files (x86)\Steam\Steam.exe[5760] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076ea1142 5 bytes JMP 00000000748d45b0 .text C:\Program Files (x86)\Steam\Steam.exe[5760] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076ea1bb2 5 bytes JMP 00000000748d4970 .text C:\Program Files (x86)\Steam\Steam.exe[5760] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076ea1d92 5 bytes JMP 00000000748d42a0 .text C:\Program Files (x86)\Steam\Steam.exe[5760] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000076f5e84e 5 bytes JMP 00000000748d38c0 .text C:\Program Files (x86)\Steam\Steam.exe[5760] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000076f5e86e 5 bytes JMP 00000000748d38b0 .text C:\Program Files (x86)\Steam\Steam.exe[5760] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076fd8b9a 5 bytes JMP 00000000748d3770 .text C:\Program Files (x86)\Steam\Steam.exe[5760] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076fe4c48 5 bytes JMP 00000000748d4220 .text C:\Program Files (x86)\Steam\Steam.exe[5760] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 0000000076fe6bdc 5 bytes JMP 00000000748d4290 .text C:\Program Files (x86)\Steam\Steam.exe[5760] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 000000007702092e 3 bytes JMP 00000000748d35b0 .text C:\Program Files (x86)\Steam\Steam.exe[5760] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW + 4 0000000077020932 1 byte [FD] .text C:\Program Files (x86)\Steam\Steam.exe[5760] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000077037bec 5 bytes JMP 00000000748d4200 .text C:\Program Files (x86)\Steam\Steam.exe[5760] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 00000000770d59e3 5 bytes JMP 00000000748d3730 .text C:\Program Files (x86)\Steam\Steam.exe[5760] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000771157fc 5 bytes JMP 00000000748d36c0 .text C:\Program Files (x86)\Steam\Steam.exe[5760] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076ce1401 2 bytes JMP 767eeb26 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\Steam.exe[5760] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076ce1419 2 bytes JMP 767fb513 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\Steam.exe[5760] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076ce1431 2 bytes JMP 76878609 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\Steam.exe[5760] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076ce144a 2 bytes CALL 767d1dfa C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Steam\Steam.exe[5760] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076ce14dd 2 bytes JMP 76877efe C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\Steam.exe[5760] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076ce14f5 2 bytes JMP 768780d8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\Steam.exe[5760] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076ce150d 2 bytes JMP 76877df4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\Steam.exe[5760] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076ce1525 2 bytes JMP 768781c2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\Steam.exe[5760] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076ce153d 2 bytes JMP 767ef088 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\Steam.exe[5760] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076ce1555 2 bytes JMP 767fb885 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\Steam.exe[5760] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076ce156d 2 bytes JMP 768786c1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\Steam.exe[5760] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076ce1585 2 bytes JMP 76878222 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\Steam.exe[5760] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076ce159d 2 bytes JMP 76877db8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\Steam.exe[5760] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076ce15b5 2 bytes JMP 767ef121 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\Steam.exe[5760] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076ce15cd 2 bytes JMP 767fb29f C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\Steam.exe[5760] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076ce16b2 2 bytes JMP 76878584 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\Steam.exe[5760] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076ce16bd 2 bytes JMP 76877d4d C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\Steam.exe[5760] C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll!Detoured + 3 0000000074971003 2 bytes [97, 74] .text C:\Program Files (x86)\Steam\Steam.exe[5760] C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll!Detoured + 22 0000000074971016 2 bytes [97, 74] .text C:\Program Files (x86)\Steam\bin\cef\cef.winxp\steamwebhelper.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007789fa78 5 bytes JMP 0000000072bc30e0 .text C:\Program Files (x86)\Steam\bin\cef\cef.winxp\steamwebhelper.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007789fbf0 5 bytes JMP 0000000072bc2360 .text C:\Program Files (x86)\Steam\bin\cef\cef.winxp\steamwebhelper.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007789fdb4 1 byte JMP 0000000072bc21f0 .text C:\Program Files (x86)\Steam\bin\cef\cef.winxp\steamwebhelper.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory + 2 000000007789fdb6 3 bytes {JMP 0xfffffffffb32243c} .text C:\Program Files (x86)\Steam\bin\cef\cef.winxp\steamwebhelper.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007789fe48 5 bytes JMP 0000000072bc27a0 .text C:\Program Files (x86)\Steam\bin\cef\cef.winxp\steamwebhelper.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007789ff14 5 bytes JMP 0000000072bc2650 .text C:\Program Files (x86)\Steam\bin\cef\cef.winxp\steamwebhelper.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000778a0008 5 bytes JMP 0000000072bc2520 .text C:\Program Files (x86)\Steam\bin\cef\cef.winxp\steamwebhelper.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000778a073c 5 bytes JMP 0000000072bc28e0 .text C:\Program Files (x86)\Steam\bin\cef\cef.winxp\steamwebhelper.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000778a0814 5 bytes JMP 0000000072bc2b70 .text C:\Program Files (x86)\Steam\bin\cef\cef.winxp\steamwebhelper.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000778a08bc 5 bytes JMP 0000000072bc2e00 .text C:\Program Files (x86)\Steam\bin\cef\cef.winxp\steamwebhelper.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000778a1018 5 bytes JMP 0000000072bc2a30 .text C:\Program Files (x86)\Steam\bin\cef\cef.winxp\steamwebhelper.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000778a1090 5 bytes JMP 0000000072bc2cc0 .text C:\Program Files (x86)\Steam\bin\cef\cef.winxp\steamwebhelper.exe[2372] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 00000000778b957f 5 bytes JMP 0000000072bc2f80 .text C:\Program Files (x86)\Steam\bin\cef\cef.winxp\steamwebhelper.exe[2372] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007793f625 5 bytes JMP 0000000072bc2e90 .text C:\Program Files (x86)\Steam\bin\cef\cef.winxp\steamwebhelper.exe[2372] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000767d2182 7 bytes JMP 00000000748d5160 .text C:\Program Files (x86)\Steam\bin\cef\cef.winxp\steamwebhelper.exe[2372] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 00000000767dc74f 7 bytes JMP 00000000748d57a0 .text C:\Program Files (x86)\Steam\bin\cef\cef.winxp\steamwebhelper.exe[2372] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000767eddba 7 bytes JMP 00000000748d5150 .text C:\Program Files (x86)\Steam\bin\cef\cef.winxp\steamwebhelper.exe[2372] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000767ef18b 7 bytes JMP 00000000748d53b0 .text C:\Program Files (x86)\Steam\bin\cef\cef.winxp\steamwebhelper.exe[2372] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000076878584 7 bytes JMP 00000000748d4780 .text C:\Program Files (x86)\Steam\bin\cef\cef.winxp\steamwebhelper.exe[2372] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076878609 5 bytes JMP 00000000748d4960 .text C:\Program Files (x86)\Steam\bin\cef\cef.winxp\steamwebhelper.exe[2372] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 000000007687895f 5 bytes JMP 00000000748d4790 .text C:\Program Files (x86)\Steam\bin\cef\cef.winxp\steamwebhelper.exe[2372] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076ea1094 5 bytes JMP 00000000748d46a0 .text C:\Program Files (x86)\Steam\bin\cef\cef.winxp\steamwebhelper.exe[2372] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076ea1142 5 bytes JMP 00000000748d45b0 .text C:\Program Files (x86)\Steam\bin\cef\cef.winxp\steamwebhelper.exe[2372] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076ea1bb2 5 bytes JMP 00000000748d4970 .text C:\Program Files (x86)\Steam\bin\cef\cef.winxp\steamwebhelper.exe[2372] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076ea1d92 5 bytes JMP 00000000748d42a0 .text C:\Program Files (x86)\Steam\bin\cef\cef.winxp\steamwebhelper.exe[2372] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076fd8b9a 5 bytes JMP 00000000748d3770 .text C:\Program Files (x86)\Steam\bin\cef\cef.winxp\steamwebhelper.exe[2372] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076fe4c48 5 bytes JMP 00000000748d4220 .text C:\Program Files (x86)\Steam\bin\cef\cef.winxp\steamwebhelper.exe[2372] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 0000000076fe6bdc 5 bytes JMP 00000000748d4290 .text C:\Program Files (x86)\Steam\bin\cef\cef.winxp\steamwebhelper.exe[2372] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 000000007702092e 3 bytes JMP 00000000748d35b0 .text C:\Program Files (x86)\Steam\bin\cef\cef.winxp\steamwebhelper.exe[2372] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW + 4 0000000077020932 1 byte [FD] .text C:\Program Files (x86)\Steam\bin\cef\cef.winxp\steamwebhelper.exe[2372] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000077037bec 5 bytes JMP 00000000748d4200 .text C:\Program Files (x86)\Steam\bin\cef\cef.winxp\steamwebhelper.exe[2372] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000076f5e84e 5 bytes JMP 00000000748d38c0 .text C:\Program Files (x86)\Steam\bin\cef\cef.winxp\steamwebhelper.exe[2372] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000076f5e86e 5 bytes JMP 00000000748d38b0 .text C:\Program Files (x86)\Steam\bin\cef\cef.winxp\steamwebhelper.exe[2372] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076ce1401 2 bytes JMP 767eeb26 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\cef\cef.winxp\steamwebhelper.exe[2372] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076ce1419 2 bytes JMP 767fb513 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\cef\cef.winxp\steamwebhelper.exe[2372] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076ce1431 2 bytes JMP 76878609 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\cef\cef.winxp\steamwebhelper.exe[2372] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076ce144a 2 bytes CALL 767d1dfa C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Steam\bin\cef\cef.winxp\steamwebhelper.exe[2372] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076ce14dd 2 bytes JMP 76877efe C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\cef\cef.winxp\steamwebhelper.exe[2372] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076ce14f5 2 bytes JMP 768780d8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\cef\cef.winxp\steamwebhelper.exe[2372] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076ce150d 2 bytes JMP 76877df4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\cef\cef.winxp\steamwebhelper.exe[2372] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076ce1525 2 bytes JMP 768781c2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\cef\cef.winxp\steamwebhelper.exe[2372] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076ce153d 2 bytes JMP 767ef088 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\cef\cef.winxp\steamwebhelper.exe[2372] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076ce1555 2 bytes JMP 767fb885 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\cef\cef.winxp\steamwebhelper.exe[2372] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076ce156d 2 bytes JMP 768786c1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\cef\cef.winxp\steamwebhelper.exe[2372] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076ce1585 2 bytes JMP 76878222 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\cef\cef.winxp\steamwebhelper.exe[2372] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076ce159d 2 bytes JMP 76877db8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\cef\cef.winxp\steamwebhelper.exe[2372] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076ce15b5 2 bytes JMP 767ef121 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\cef\cef.winxp\steamwebhelper.exe[2372] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076ce15cd 2 bytes JMP 767fb29f C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\cef\cef.winxp\steamwebhelper.exe[2372] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076ce16b2 2 bytes JMP 76878584 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\cef\cef.winxp\steamwebhelper.exe[2372] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076ce16bd 2 bytes JMP 76877d4d C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\cef\cef.winxp\steamwebhelper.exe[2372] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 00000000770d59e3 5 bytes JMP 00000000748d3730 .text C:\Program Files (x86)\Steam\bin\cef\cef.winxp\steamwebhelper.exe[2372] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000771157fc 5 bytes JMP 00000000748d36c0 .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[1868] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007789fa78 5 bytes JMP 0000000072bc30e0 .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[1868] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007789fbf0 5 bytes JMP 0000000072bc2360 .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[1868] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007789fdb4 1 byte JMP 0000000072bc21f0 .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[1868] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory + 2 000000007789fdb6 3 bytes {JMP 0xfffffffffb32243c} .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[1868] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007789fe48 5 bytes JMP 0000000072bc27a0 .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[1868] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007789ff14 5 bytes JMP 0000000072bc2650 .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[1868] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000778a0008 5 bytes JMP 0000000072bc2520 .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[1868] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000778a073c 5 bytes JMP 0000000072bc28e0 .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[1868] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000778a0814 5 bytes JMP 0000000072bc2b70 .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[1868] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000778a08bc 5 bytes JMP 0000000072bc2e00 .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[1868] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000778a1018 5 bytes JMP 0000000072bc2a30 .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[1868] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000778a1090 5 bytes JMP 0000000072bc2cc0 .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[1868] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 00000000778b957f 5 bytes JMP 0000000072bc2f80 .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[1868] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007793f625 5 bytes JMP 0000000072bc2e90 .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[1868] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076ce1401 2 bytes JMP 767eeb26 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[1868] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076ce1419 2 bytes JMP 767fb513 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[1868] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076ce1431 2 bytes JMP 76878609 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[1868] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076ce144a 2 bytes CALL 767d1dfa C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[1868] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076ce14dd 2 bytes JMP 76877efe C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[1868] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076ce14f5 2 bytes JMP 768780d8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[1868] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076ce150d 2 bytes JMP 76877df4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[1868] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076ce1525 2 bytes JMP 768781c2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[1868] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076ce153d 2 bytes JMP 767ef088 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[1868] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076ce1555 2 bytes JMP 767fb885 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[1868] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076ce156d 2 bytes JMP 768786c1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[1868] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076ce1585 2 bytes JMP 76878222 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[1868] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076ce159d 2 bytes JMP 76877db8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[1868] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076ce15b5 2 bytes JMP 767ef121 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[1868] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076ce15cd 2 bytes JMP 767fb29f C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[1868] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076ce16b2 2 bytes JMP 76878584 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[1868] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076ce16bd 2 bytes JMP 76877d4d C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Av\avgwdsvca.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000776d2350 5 bytes JMP 00000000000205f0 .text C:\Program Files (x86)\AVG\Av\avgwdsvca.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00000000776f0040 5 bytes JMP 0000000000020678 .text C:\Program Files (x86)\AVG\Av\avgwdsvca.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000776f0130 5 bytes JMP 00000000000200a0 .text C:\Program Files (x86)\AVG\Av\avgwdsvca.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776f0250 5 bytes JMP 0000000000020018 .text C:\Program Files (x86)\AVG\Av\avgwdsvca.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776f02b0 5 bytes JMP 00000000000203d0 .text C:\Program Files (x86)\AVG\Av\avgwdsvca.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000776f0330 5 bytes JMP 00000000000201b0 .text C:\Program Files (x86)\AVG\Av\avgwdsvca.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000776f03d0 5 bytes JMP 0000000000020128 .text C:\Program Files (x86)\AVG\Av\avgwdsvca.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776f0880 5 bytes JMP 0000000000020238 .text C:\Program Files (x86)\AVG\Av\avgwdsvca.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000776f0910 5 bytes JMP 00000000000202c0 .text C:\Program Files (x86)\AVG\Av\avgwdsvca.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000776f0980 5 bytes JMP 0000000000020348 .text C:\Program Files (x86)\AVG\Av\avgwdsvca.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776f0e40 5 bytes JMP 0000000000020458 .text C:\Program Files (x86)\AVG\Av\avgwdsvca.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776f0e90 5 bytes JMP 00000000000204e0 .text C:\Program Files (x86)\AVG\Av\avgwdsvca.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 000000007774bef0 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[7524] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000776d2350 5 bytes JMP 00000000000205f0 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[7524] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00000000776f0040 5 bytes JMP 0000000000020678 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[7524] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000776f0130 5 bytes JMP 00000000000200a0 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[7524] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776f0250 5 bytes JMP 0000000000020018 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[7524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776f02b0 5 bytes JMP 00000000000203d0 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[7524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000776f0330 5 bytes JMP 00000000000201b0 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[7524] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000776f03d0 5 bytes JMP 0000000000020128 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[7524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776f0880 5 bytes JMP 0000000000020238 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[7524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000776f0910 5 bytes JMP 00000000000202c0 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[7524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000776f0980 5 bytes JMP 0000000000020348 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[7524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776f0e40 5 bytes JMP 0000000000020458 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[7524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776f0e90 5 bytes JMP 00000000000204e0 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[7524] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 000000007774bef0 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[6604] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000776d2350 5 bytes JMP 00000000000205f0 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[6604] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00000000776f0040 5 bytes JMP 0000000000020678 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[6604] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000776f0130 5 bytes JMP 00000000000200a0 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[6604] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776f0250 5 bytes JMP 0000000000020018 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[6604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776f02b0 5 bytes JMP 00000000000203d0 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[6604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000776f0330 5 bytes JMP 00000000000201b0 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[6604] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000776f03d0 5 bytes JMP 0000000000020128 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[6604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776f0880 5 bytes JMP 0000000000020238 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[6604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000776f0910 5 bytes JMP 00000000000202c0 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[6604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000776f0980 5 bytes JMP 0000000000020348 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[6604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776f0e40 5 bytes JMP 0000000000020458 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[6604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776f0e90 5 bytes JMP 00000000000204e0 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[6604] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 000000007774bef0 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\AVG\Av\avgrsa.exe[7444] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000776d2350 5 bytes JMP 00000000000205f0 .text C:\Program Files (x86)\AVG\Av\avgrsa.exe[7444] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00000000776f0040 5 bytes JMP 0000000000020678 .text C:\Program Files (x86)\AVG\Av\avgrsa.exe[7444] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000776f0130 5 bytes JMP 00000000000200a0 .text C:\Program Files (x86)\AVG\Av\avgrsa.exe[7444] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776f0250 5 bytes JMP 0000000000020018 .text C:\Program Files (x86)\AVG\Av\avgrsa.exe[7444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776f02b0 5 bytes JMP 00000000000203d0 .text C:\Program Files (x86)\AVG\Av\avgrsa.exe[7444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000776f0330 5 bytes JMP 00000000000201b0 .text C:\Program Files (x86)\AVG\Av\avgrsa.exe[7444] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000776f03d0 5 bytes JMP 0000000000020128 .text C:\Program Files (x86)\AVG\Av\avgrsa.exe[7444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776f0880 5 bytes JMP 0000000000020238 .text C:\Program Files (x86)\AVG\Av\avgrsa.exe[7444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000776f0910 5 bytes JMP 00000000000202c0 .text C:\Program Files (x86)\AVG\Av\avgrsa.exe[7444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000776f0980 5 bytes JMP 0000000000020348 .text C:\Program Files (x86)\AVG\Av\avgrsa.exe[7444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776f0e40 5 bytes JMP 0000000000020458 .text C:\Program Files (x86)\AVG\Av\avgrsa.exe[7444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776f0e90 5 bytes JMP 00000000000204e0 .text C:\Program Files (x86)\AVG\Av\avgrsa.exe[7444] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 000000007774bef0 5 bytes JMP 0000000000020568 .text c:\program files (x86)\teamviewer\TeamViewer_Desktop.exe[3996] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007789fa78 5 bytes JMP 0000000071a730e0 .text c:\program files (x86)\teamviewer\TeamViewer_Desktop.exe[3996] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007789fbf0 5 bytes JMP 0000000071a72360 .text c:\program files (x86)\teamviewer\TeamViewer_Desktop.exe[3996] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007789fdb4 1 byte JMP 0000000071a721f0 .text c:\program files (x86)\teamviewer\TeamViewer_Desktop.exe[3996] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory + 2 000000007789fdb6 3 bytes {JMP 0xfffffffffa1d243c} .text c:\program files (x86)\teamviewer\TeamViewer_Desktop.exe[3996] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007789fe48 5 bytes JMP 0000000071a727a0 .text c:\program files (x86)\teamviewer\TeamViewer_Desktop.exe[3996] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007789ff14 5 bytes JMP 0000000071a72650 .text c:\program files (x86)\teamviewer\TeamViewer_Desktop.exe[3996] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000778a0008 5 bytes JMP 0000000071a72520 .text c:\program files (x86)\teamviewer\TeamViewer_Desktop.exe[3996] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000778a073c 5 bytes JMP 0000000071a728e0 .text c:\program files (x86)\teamviewer\TeamViewer_Desktop.exe[3996] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000778a0814 5 bytes JMP 0000000071a72b70 .text c:\program files (x86)\teamviewer\TeamViewer_Desktop.exe[3996] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000778a08bc 5 bytes JMP 0000000071a72e00 .text c:\program files (x86)\teamviewer\TeamViewer_Desktop.exe[3996] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000778a1018 5 bytes JMP 0000000071a72a30 .text c:\program files (x86)\teamviewer\TeamViewer_Desktop.exe[3996] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000778a1090 5 bytes JMP 0000000071a72cc0 .text c:\program files (x86)\teamviewer\TeamViewer_Desktop.exe[3996] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 00000000778b957f 5 bytes JMP 0000000071a72f80 .text c:\program files (x86)\teamviewer\TeamViewer_Desktop.exe[3996] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007793f625 5 bytes JMP 0000000071a72e90 .text c:\program files (x86)\teamviewer\TeamViewer_Desktop.exe[3996] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000767d2182 7 bytes JMP 00000000748d5160 .text c:\program files (x86)\teamviewer\TeamViewer_Desktop.exe[3996] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 00000000767dc74f 7 bytes JMP 00000000748d57a0 .text c:\program files (x86)\teamviewer\TeamViewer_Desktop.exe[3996] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000767eddba 7 bytes JMP 00000000748d5150 .text c:\program files (x86)\teamviewer\TeamViewer_Desktop.exe[3996] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000767ef18b 7 bytes JMP 00000000748d53b0 .text c:\program files (x86)\teamviewer\TeamViewer_Desktop.exe[3996] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000076878584 7 bytes JMP 00000000748d4780 .text c:\program files (x86)\teamviewer\TeamViewer_Desktop.exe[3996] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076878609 5 bytes JMP 00000000748d4960 .text c:\program files (x86)\teamviewer\TeamViewer_Desktop.exe[3996] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 000000007687895f 5 bytes JMP 00000000748d4790 .text c:\program files (x86)\teamviewer\TeamViewer_Desktop.exe[3996] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076ea1094 5 bytes JMP 00000000748d46a0 .text c:\program files (x86)\teamviewer\TeamViewer_Desktop.exe[3996] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076ea1142 5 bytes JMP 00000000748d45b0 .text c:\program files (x86)\teamviewer\TeamViewer_Desktop.exe[3996] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076ea1bb2 5 bytes JMP 00000000748d4970 .text c:\program files (x86)\teamviewer\TeamViewer_Desktop.exe[3996] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076ea1d92 5 bytes JMP 00000000748d42a0 .text c:\program files (x86)\teamviewer\TeamViewer_Desktop.exe[3996] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000076f5e84e 5 bytes JMP 00000000748d38c0 .text c:\program files (x86)\teamviewer\TeamViewer_Desktop.exe[3996] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000076f5e86e 5 bytes JMP 00000000748d38b0 .text c:\program files (x86)\teamviewer\TeamViewer_Desktop.exe[3996] C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll!Detoured + 3 0000000074971003 2 bytes [97, 74] .text c:\program files (x86)\teamviewer\TeamViewer_Desktop.exe[3996] C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll!Detoured + 22 0000000074971016 2 bytes [97, 74] .text c:\program files (x86)\teamviewer\TeamViewer_Desktop.exe[3996] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 00000000770d59e3 5 bytes JMP 00000000748d3730 .text c:\program files (x86)\teamviewer\TeamViewer_Desktop.exe[3996] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000771157fc 5 bytes JMP 00000000748d36c0 .text C:\Windows\system32\taskmgr.exe[6564] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000776d2350 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\taskmgr.exe[6564] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00000000776f0040 5 bytes JMP 0000000000020678 .text C:\Windows\system32\taskmgr.exe[6564] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000776f0130 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\taskmgr.exe[6564] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776f0250 5 bytes JMP 0000000000020018 .text C:\Windows\system32\taskmgr.exe[6564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776f02b0 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\taskmgr.exe[6564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000776f0330 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\taskmgr.exe[6564] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000776f03d0 5 bytes JMP 0000000000020128 .text C:\Windows\system32\taskmgr.exe[6564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776f0880 5 bytes JMP 0000000000020238 .text C:\Windows\system32\taskmgr.exe[6564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000776f0910 5 bytes JMP 00000000000202c0 .text C:\Windows\system32\taskmgr.exe[6564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000776f0980 5 bytes JMP 0000000000020348 .text C:\Windows\system32\taskmgr.exe[6564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776f0e40 5 bytes JMP 0000000000020458 .text C:\Windows\system32\taskmgr.exe[6564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776f0e90 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\taskmgr.exe[6564] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 000000007774bef0 5 bytes JMP 0000000000020568 .text C:\Windows\system32\taskmgr.exe[6564] C:\Windows\system32\kernel32.dll!RegSetValueExW 000000007758cac0 7 bytes JMP 000000006fff0228 .text C:\Windows\system32\taskmgr.exe[6564] C:\Windows\system32\kernel32.dll!RegQueryValueExW 000000007759feb0 5 bytes JMP 000000006fff0180 .text C:\Windows\system32\taskmgr.exe[6564] C:\Windows\system32\kernel32.dll!RegDeleteValueW 00000000775b2af0 5 bytes JMP 000000006fff01b8 .text C:\Windows\system32\taskmgr.exe[6564] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 00000000775bf8d0 5 bytes JMP 000000006fff0110 .text C:\Windows\system32\taskmgr.exe[6564] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 00000000775e9bb0 7 bytes JMP 000000006fff00d8 .text C:\Windows\system32\taskmgr.exe[6564] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000775f9530 5 bytes JMP 000000006fff0148 .text C:\Windows\system32\taskmgr.exe[6564] C:\Windows\system32\kernel32.dll!RegSetValueExA 000000007761a2b0 7 bytes JMP 000000006fff01f0 .text C:\Windows\system32\taskmgr.exe[6564] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefc539610 7 bytes JMP 000007fefc5200d8 .text C:\Windows\system32\taskmgr.exe[6564] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefc53a330 7 bytes JMP 000007fefc520148 .text C:\Windows\system32\taskmgr.exe[6564] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefc53b260 5 bytes JMP 000007fefc520180 .text C:\Windows\system32\taskmgr.exe[6564] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefc54a720 5 bytes JMP 000007fefc520110 .text C:\Windows\system32\taskmgr.exe[6564] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefde883e0 8 bytes JMP 000007fefc5201f0 .text C:\Windows\system32\taskmgr.exe[6564] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefde8bef0 8 bytes JMP 000007fefc5201b8 .text C:\Windows\system32\taskmgr.exe[6564] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefe2eb92c 7 bytes JMP 000007fefc520260 .text C:\Windows\system32\taskmgr.exe[6564] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe3087a0 11 bytes JMP 000007fefc520228 .text C:\Windows\System32\svchost.exe[6812] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000776d2350 5 bytes JMP 00000000000205f0 .text C:\Windows\System32\svchost.exe[6812] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00000000776f0040 5 bytes JMP 0000000000020678 .text C:\Windows\System32\svchost.exe[6812] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000776f0130 5 bytes JMP 00000000000200a0 .text C:\Windows\System32\svchost.exe[6812] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776f0250 5 bytes JMP 0000000000020018 .text C:\Windows\System32\svchost.exe[6812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776f02b0 5 bytes JMP 00000000000203d0 .text C:\Windows\System32\svchost.exe[6812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000776f0330 5 bytes JMP 00000000000201b0 .text C:\Windows\System32\svchost.exe[6812] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000776f03d0 5 bytes JMP 0000000000020128 .text C:\Windows\System32\svchost.exe[6812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776f0880 5 bytes JMP 0000000000020238 .text C:\Windows\System32\svchost.exe[6812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000776f0910 5 bytes JMP 00000000000202c0 .text C:\Windows\System32\svchost.exe[6812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000776f0980 5 bytes JMP 0000000000020348 .text C:\Windows\System32\svchost.exe[6812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776f0e40 5 bytes JMP 0000000000020458 .text C:\Windows\System32\svchost.exe[6812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776f0e90 5 bytes JMP 00000000000204e0 .text C:\Windows\System32\svchost.exe[6812] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 000000007774bef0 5 bytes JMP 0000000000020568 .text C:\Users\Lenovo\Desktop\FRST64.exe[8336] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000776d2350 5 bytes JMP 00000000000205f0 .text C:\Users\Lenovo\Desktop\FRST64.exe[8336] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00000000776f0040 5 bytes JMP 0000000000020678 .text C:\Users\Lenovo\Desktop\FRST64.exe[8336] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000776f0130 5 bytes JMP 00000000000200a0 .text C:\Users\Lenovo\Desktop\FRST64.exe[8336] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776f0250 5 bytes JMP 0000000000020018 .text C:\Users\Lenovo\Desktop\FRST64.exe[8336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776f02b0 5 bytes JMP 00000000000203d0 .text C:\Users\Lenovo\Desktop\FRST64.exe[8336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000776f0330 5 bytes JMP 00000000000201b0 .text C:\Users\Lenovo\Desktop\FRST64.exe[8336] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000776f03d0 5 bytes JMP 0000000000020128 .text C:\Users\Lenovo\Desktop\FRST64.exe[8336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776f0880 5 bytes JMP 0000000000020238 .text C:\Users\Lenovo\Desktop\FRST64.exe[8336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000776f0910 5 bytes JMP 00000000000202c0 .text C:\Users\Lenovo\Desktop\FRST64.exe[8336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000776f0980 5 bytes JMP 0000000000020348 .text C:\Users\Lenovo\Desktop\FRST64.exe[8336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776f0e40 5 bytes JMP 0000000000020458 .text C:\Users\Lenovo\Desktop\FRST64.exe[8336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776f0e90 5 bytes JMP 00000000000204e0 .text C:\Users\Lenovo\Desktop\FRST64.exe[8336] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 000000007774bef0 5 bytes JMP 0000000000020568 .text C:\Users\Lenovo\Desktop\FRST64.exe[8336] C:\Windows\system32\kernel32.dll!RegSetValueExW 000000007758cac0 7 bytes JMP 000000006fff0228 .text C:\Users\Lenovo\Desktop\FRST64.exe[8336] C:\Windows\system32\kernel32.dll!RegQueryValueExW 000000007759feb0 5 bytes JMP 000000006fff0180 .text C:\Users\Lenovo\Desktop\FRST64.exe[8336] C:\Windows\system32\kernel32.dll!RegDeleteValueW 00000000775b2af0 5 bytes JMP 000000006fff01b8 .text C:\Users\Lenovo\Desktop\FRST64.exe[8336] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 00000000775bf8d0 5 bytes JMP 000000006fff0110 .text C:\Users\Lenovo\Desktop\FRST64.exe[8336] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 00000000775e9bb0 7 bytes JMP 000000006fff00d8 .text C:\Users\Lenovo\Desktop\FRST64.exe[8336] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000775f9530 5 bytes JMP 000000006fff0148 .text C:\Users\Lenovo\Desktop\FRST64.exe[8336] C:\Windows\system32\kernel32.dll!RegSetValueExA 000000007761a2b0 7 bytes JMP 000000006fff01f0 .text C:\Users\Lenovo\Desktop\FRST64.exe[8336] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefc539610 7 bytes JMP 000007fefc3a00d8 .text C:\Users\Lenovo\Desktop\FRST64.exe[8336] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefc53a330 7 bytes JMP 000007fefc3a0148 .text C:\Users\Lenovo\Desktop\FRST64.exe[8336] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefc53b260 5 bytes JMP 000007fefc3a0180 .text C:\Users\Lenovo\Desktop\FRST64.exe[8336] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefc54a720 5 bytes JMP 000007fefc3a0110 .text C:\Users\Lenovo\Desktop\FRST64.exe[8336] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefde883e0 8 bytes JMP 000007fefc3a01f0 .text C:\Users\Lenovo\Desktop\FRST64.exe[8336] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefde8bef0 8 bytes JMP 000007fefc3a01b8 .text C:\Users\Lenovo\Downloads\gm\rmq2tm48.exe[8320] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007789fa78 5 bytes JMP 0000000071a730e0 .text C:\Users\Lenovo\Downloads\gm\rmq2tm48.exe[8320] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007789fbf0 5 bytes JMP 0000000071a72360 .text C:\Users\Lenovo\Downloads\gm\rmq2tm48.exe[8320] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007789fdb4 1 byte JMP 0000000071a721f0 .text C:\Users\Lenovo\Downloads\gm\rmq2tm48.exe[8320] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory + 2 000000007789fdb6 3 bytes {JMP 0xfffffffffa1d243c} .text C:\Users\Lenovo\Downloads\gm\rmq2tm48.exe[8320] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007789fe48 5 bytes JMP 0000000071a727a0 .text C:\Users\Lenovo\Downloads\gm\rmq2tm48.exe[8320] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007789ff14 5 bytes JMP 0000000071a72650 .text C:\Users\Lenovo\Downloads\gm\rmq2tm48.exe[8320] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000778a0008 5 bytes JMP 0000000071a72520 .text C:\Users\Lenovo\Downloads\gm\rmq2tm48.exe[8320] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000778a073c 5 bytes JMP 0000000071a728e0 .text C:\Users\Lenovo\Downloads\gm\rmq2tm48.exe[8320] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000778a0814 5 bytes JMP 0000000071a72b70 .text C:\Users\Lenovo\Downloads\gm\rmq2tm48.exe[8320] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000778a08bc 5 bytes JMP 0000000071a72e00 .text C:\Users\Lenovo\Downloads\gm\rmq2tm48.exe[8320] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000778a1018 5 bytes JMP 0000000071a72a30 .text C:\Users\Lenovo\Downloads\gm\rmq2tm48.exe[8320] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000778a1090 5 bytes JMP 0000000071a72cc0 .text C:\Users\Lenovo\Downloads\gm\rmq2tm48.exe[8320] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 00000000778b957f 5 bytes JMP 0000000071a72f80 .text C:\Users\Lenovo\Downloads\gm\rmq2tm48.exe[8320] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007793f625 5 bytes JMP 0000000071a72e90 .text C:\Users\Lenovo\Downloads\gm\rmq2tm48.exe[8320] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000767d2182 7 bytes JMP 00000000748d5160 .text C:\Users\Lenovo\Downloads\gm\rmq2tm48.exe[8320] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 00000000767dc74f 7 bytes JMP 00000000748d57a0 .text C:\Users\Lenovo\Downloads\gm\rmq2tm48.exe[8320] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000767eddba 7 bytes JMP 00000000748d5150 .text C:\Users\Lenovo\Downloads\gm\rmq2tm48.exe[8320] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000767ef18b 7 bytes JMP 00000000748d53b0 .text C:\Users\Lenovo\Downloads\gm\rmq2tm48.exe[8320] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000076878584 7 bytes JMP 00000000748d4780 .text C:\Users\Lenovo\Downloads\gm\rmq2tm48.exe[8320] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076878609 5 bytes JMP 00000000748d4960 .text C:\Users\Lenovo\Downloads\gm\rmq2tm48.exe[8320] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 000000007687895f 5 bytes JMP 00000000748d4790 .text C:\Users\Lenovo\Downloads\gm\rmq2tm48.exe[8320] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076ea1094 5 bytes JMP 00000000748d46a0 .text C:\Users\Lenovo\Downloads\gm\rmq2tm48.exe[8320] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076ea1142 5 bytes JMP 00000000748d45b0 .text C:\Users\Lenovo\Downloads\gm\rmq2tm48.exe[8320] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076ea1bb2 5 bytes JMP 00000000748d4970 .text C:\Users\Lenovo\Downloads\gm\rmq2tm48.exe[8320] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076ea1d92 5 bytes JMP 00000000748d42a0 .text C:\Users\Lenovo\Downloads\gm\rmq2tm48.exe[8320] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000076f5e84e 5 bytes JMP 00000000748d38c0 .text C:\Users\Lenovo\Downloads\gm\rmq2tm48.exe[8320] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000076f5e86e 5 bytes JMP 00000000748d38b0 .text C:\Users\Lenovo\Downloads\gm\rmq2tm48.exe[8320] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076fe4c48 5 bytes JMP 00000000748d4220 .text C:\Users\Lenovo\Downloads\gm\rmq2tm48.exe[8320] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 0000000076fe6bdc 5 bytes JMP 00000000748d4290 .text C:\Users\Lenovo\Downloads\gm\rmq2tm48.exe[8320] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 000000007702092e 3 bytes JMP 00000000748d35b0 .text C:\Users\Lenovo\Downloads\gm\rmq2tm48.exe[8320] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW + 4 0000000077020932 1 byte [FD] .text C:\Users\Lenovo\Downloads\gm\rmq2tm48.exe[8320] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000077037bec 5 bytes JMP 00000000748d4200 .text C:\Users\Lenovo\Downloads\gm\rmq2tm48.exe[8320] C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll!Detoured + 3 0000000074971003 2 bytes [97, 74] .text C:\Users\Lenovo\Downloads\gm\rmq2tm48.exe[8320] C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll!Detoured + 22 0000000074971016 2 bytes [97, 74] ---- Kernel code sections - GMER 2.2 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification ---- EOF - GMER 2.2 ----