GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-04-03 16:22:25 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 ST1000LM rev.2AR1 931,51GB Running: swisbn39.exe; Driver: C:\Users\Crassus\AppData\Local\Temp\fftoqpoc.sys ---- User code sections - GMER 2.2 ---- .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1696] C:\Windows\system32\kernel32.dll!RegSetValueExW 000000007770a3f0 7 bytes JMP 000000006fff0228 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1696] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000077713f00 5 bytes JMP 000000006fff0180 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1696] C:\Windows\system32\kernel32.dll!RegDeleteValueW 000000007772ffd0 5 bytes JMP 000000006fff01b8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1696] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 000000007773f3f0 5 bytes JMP 000000006fff0110 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1696] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000077769c80 7 bytes JMP 000000006fff00d8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1696] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 0000000077779710 5 bytes JMP 000000006fff0148 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1696] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000077798ab0 7 bytes JMP 000000006fff01f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1696] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd7232f0 7 bytes JMP 000007fefd7100d8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1696] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd72aa60 5 bytes JMP 000007fefd710180 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1696] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd72ac00 5 bytes JMP 000007fefd710110 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1696] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd739ac0 5 bytes JMP 000007fefd710148 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1696] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefe648840 8 bytes JMP 000007fefd7101f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1696] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefe64b9f0 8 bytes JMP 000007fefd7101b8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1696] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff5f6d10 11 bytes JMP 000007fefd710228 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1696] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007feff60b4f0 7 bytes JMP 000007fefd710260 .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1180] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076721401 2 bytes JMP 757cb233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1180] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076721419 2 bytes JMP 757cb35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1180] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076721431 2 bytes JMP 75849149 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1180] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007672144a 2 bytes CALL 757a4885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1180] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000767214dd 2 bytes JMP 75848a42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1180] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000767214f5 2 bytes JMP 75848c18 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1180] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007672150d 2 bytes JMP 75848938 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1180] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076721525 2 bytes JMP 75848d02 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1180] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007672153d 2 bytes JMP 757bfcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1180] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076721555 2 bytes JMP 757c6907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1180] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007672156d 2 bytes JMP 75849201 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1180] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076721585 2 bytes JMP 75848d62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1180] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007672159d 2 bytes JMP 758488fc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1180] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000767215b5 2 bytes JMP 757bfd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1180] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000767215cd 2 bytes JMP 757cb2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1180] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000767216b2 2 bytes JMP 758490c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1180] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000767216bd 2 bytes JMP 75848891 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 16.0.1\avp.exe[1604] C:\Windows\SysWOW64\ntdll.dll!NtQueryValueKey 0000000077a1fab8 5 bytes JMP 00000000722d2b10 .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 16.0.1\avp.exe[1604] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077a20048 5 bytes JMP 00000000722d2ad0 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7Debug\mdm.exe[2072] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17 0000000076721401 2 bytes JMP 757cb233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7Debug\mdm.exe[2072] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17 0000000076721419 2 bytes JMP 757cb35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7Debug\mdm.exe[2072] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17 0000000076721431 2 bytes JMP 75849149 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7Debug\mdm.exe[2072] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42 000000007672144a 2 bytes CALL 757a4885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7Debug\mdm.exe[2072] C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17 00000000767214dd 2 bytes JMP 75848a42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7Debug\mdm.exe[2072] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17 00000000767214f5 2 bytes JMP 75848c18 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7Debug\mdm.exe[2072] C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17 000000007672150d 2 bytes JMP 75848938 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7Debug\mdm.exe[2072] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17 0000000076721525 2 bytes JMP 75848d02 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7Debug\mdm.exe[2072] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17 000000007672153d 2 bytes JMP 757bfcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7Debug\mdm.exe[2072] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17 0000000076721555 2 bytes JMP 757c6907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7Debug\mdm.exe[2072] C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17 000000007672156d 2 bytes JMP 75849201 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7Debug\mdm.exe[2072] C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17 0000000076721585 2 bytes JMP 75848d62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7Debug\mdm.exe[2072] C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17 000000007672159d 2 bytes JMP 758488fc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7Debug\mdm.exe[2072] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17 00000000767215b5 2 bytes JMP 757bfd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7Debug\mdm.exe[2072] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17 00000000767215cd 2 bytes JMP 757cb2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7Debug\mdm.exe[2072] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20 00000000767216b2 2 bytes JMP 758490c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7Debug\mdm.exe[2072] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31 00000000767216bd 2 bytes JMP 75848891 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\Dwm.exe[2568] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd7232f0 7 bytes JMP 000007fefd7100d8 .text C:\Windows\system32\Dwm.exe[2568] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd72aa60 5 bytes JMP 000007fefd710180 .text C:\Windows\system32\Dwm.exe[2568] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd72ac00 5 bytes JMP 000007fefd710110 .text C:\Windows\system32\Dwm.exe[2568] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd739ac0 5 bytes JMP 000007fefd710148 .text C:\Windows\system32\Dwm.exe[2568] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefe648840 8 bytes JMP 000007fefd7101f0 .text C:\Windows\system32\Dwm.exe[2568] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefe64b9f0 8 bytes JMP 000007fefd7101b8 .text C:\Windows\system32\Dwm.exe[2568] C:\Windows\system32\dxgi.dll!CreateDXGIFactory 000007fef693dc88 5 bytes JMP 000007fef67300d8 .text C:\Windows\system32\Dwm.exe[2568] C:\Windows\system32\dxgi.dll!CreateDXGIFactory1 000007fef693de10 5 bytes JMP 000007fef6730110 .text C:\Program Files\Elantech\ETDCtrl.exe[3412] C:\Windows\system32\kernel32.dll!RegSetValueExW 000000007770a3f0 7 bytes JMP 000000006fff0228 .text C:\Program Files\Elantech\ETDCtrl.exe[3412] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000077713f00 5 bytes JMP 000000006fff0180 .text C:\Program Files\Elantech\ETDCtrl.exe[3412] C:\Windows\system32\kernel32.dll!RegDeleteValueW 000000007772ffd0 5 bytes JMP 000000006fff01b8 .text C:\Program Files\Elantech\ETDCtrl.exe[3412] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 000000007773f3f0 5 bytes JMP 000000006fff0110 .text C:\Program Files\Elantech\ETDCtrl.exe[3412] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000077769c80 7 bytes JMP 000000006fff00d8 .text C:\Program Files\Elantech\ETDCtrl.exe[3412] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 0000000077779710 5 bytes JMP 000000006fff0148 .text C:\Program Files\Elantech\ETDCtrl.exe[3412] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000077798ab0 7 bytes JMP 000000006fff01f0 .text C:\Program Files\Elantech\ETDCtrl.exe[3412] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd7232f0 7 bytes JMP 000007fefd7100d8 .text C:\Program Files\Elantech\ETDCtrl.exe[3412] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd72aa60 5 bytes JMP 000007fefd710180 .text C:\Program Files\Elantech\ETDCtrl.exe[3412] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd72ac00 5 bytes JMP 000007fefd710110 .text C:\Program Files\Elantech\ETDCtrl.exe[3412] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd739ac0 5 bytes JMP 000007fefd710148 .text C:\Program Files\Elantech\ETDCtrl.exe[3412] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefe648840 8 bytes JMP 000007fefd7101f0 .text C:\Program Files\Elantech\ETDCtrl.exe[3412] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefe64b9f0 8 bytes JMP 000007fefd7101b8 .text C:\Program Files\Elantech\ETDCtrl.exe[3412] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff5f6d10 11 bytes JMP 000007fefd710228 .text C:\Program Files\Elantech\ETDCtrl.exe[3412] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007feff60b4f0 7 bytes JMP 000007fefd710260 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[3424] C:\Windows\system32\kernel32.dll!RegSetValueExW 000000007770a3f0 7 bytes JMP 000000006fff0228 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[3424] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000077713f00 5 bytes JMP 000000006fff0180 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[3424] C:\Windows\system32\kernel32.dll!RegDeleteValueW 000000007772ffd0 5 bytes JMP 000000006fff01b8 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[3424] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 000000007773f3f0 5 bytes JMP 000000006fff0110 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[3424] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000077769c80 7 bytes JMP 000000006fff00d8 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[3424] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 0000000077779710 5 bytes JMP 000000006fff0148 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[3424] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000077798ab0 7 bytes JMP 000000006fff01f0 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[3424] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd7232f0 7 bytes JMP 000007fefd7100d8 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[3424] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd72aa60 5 bytes JMP 000007fefd710180 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[3424] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd72ac00 5 bytes JMP 000007fefd710110 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[3424] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd739ac0 5 bytes JMP 000007fefd710148 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[3424] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefe648840 8 bytes JMP 000007fefd7101f0 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[3424] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefe64b9f0 8 bytes JMP 000007fefd7101b8 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[3424] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff5f6d10 11 bytes JMP 000007fefd710228 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[3424] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007feff60b4f0 7 bytes JMP 000007fefd710260 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3432] C:\Windows\system32\kernel32.dll!RegSetValueExW 000000007770a3f0 7 bytes JMP 000000006fff0228 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3432] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000077713f00 5 bytes JMP 000000006fff0180 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3432] C:\Windows\system32\kernel32.dll!RegDeleteValueW 000000007772ffd0 5 bytes JMP 000000006fff01b8 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3432] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 000000007773f3f0 5 bytes JMP 000000006fff0110 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3432] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000077769c80 7 bytes JMP 000000006fff00d8 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3432] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 0000000077779710 5 bytes JMP 000000006fff0148 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3432] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000077798ab0 7 bytes JMP 000000006fff01f0 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3432] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd7232f0 7 bytes JMP 000007fefd7100d8 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3432] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd72aa60 5 bytes JMP 000007fefd710180 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3432] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd72ac00 5 bytes JMP 000007fefd710110 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3432] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd739ac0 5 bytes JMP 000007fefd710148 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3432] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefe648840 8 bytes JMP 000007fefd7101f0 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3432] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefe64b9f0 8 bytes JMP 000007fefd7101b8 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3432] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff5f6d10 11 bytes JMP 000007fefd710228 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3432] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007feff60b4f0 7 bytes JMP 000007fefd710260 .text C:\Windows\System32\igfxpers.exe[3468] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd7232f0 7 bytes JMP 000007fefd7100d8 .text C:\Windows\System32\igfxpers.exe[3468] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd72aa60 5 bytes JMP 000007fefd710180 .text C:\Windows\System32\igfxpers.exe[3468] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd72ac00 5 bytes JMP 000007fefd710110 .text C:\Windows\System32\igfxpers.exe[3468] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd739ac0 5 bytes JMP 000007fefd710148 .text C:\Windows\System32\igfxpers.exe[3468] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefe648840 8 bytes JMP 000007fefd7101f0 .text C:\Windows\System32\igfxpers.exe[3468] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefe64b9f0 8 bytes JMP 000007fefd7101b8 .text C:\Windows\System32\igfxpers.exe[3468] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff5f6d10 11 bytes JMP 000007fefd710228 .text C:\Windows\System32\igfxpers.exe[3468] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007feff60b4f0 7 bytes JMP 000007fefd710260 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3492] C:\Windows\system32\kernel32.dll!RegSetValueExW 000000007770a3f0 7 bytes JMP 000000006fff0228 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3492] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000077713f00 5 bytes JMP 000000006fff0180 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3492] C:\Windows\system32\kernel32.dll!RegDeleteValueW 000000007772ffd0 5 bytes JMP 000000006fff01b8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3492] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 000000007773f3f0 5 bytes JMP 000000006fff0110 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3492] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000077769c80 7 bytes JMP 000000006fff00d8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3492] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 0000000077779710 5 bytes JMP 000000006fff0148 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3492] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000077798ab0 7 bytes JMP 000000006fff01f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3492] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd7232f0 7 bytes JMP 000007fefd7100d8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3492] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd72aa60 5 bytes JMP 000007fefd710180 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3492] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd72ac00 5 bytes JMP 000007fefd710110 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3492] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd739ac0 5 bytes JMP 000007fefd710148 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3492] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefe648840 8 bytes JMP 000007fefd7101f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3492] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefe64b9f0 8 bytes JMP 000007fefd7101b8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3492] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff5f6d10 11 bytes JMP 000007fefd710228 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3492] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007feff60b4f0 7 bytes JMP 000007fefd710260 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3532] C:\Windows\system32\kernel32.dll!RegSetValueExW 000000007770a3f0 7 bytes JMP 000000006fff0228 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3532] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000077713f00 5 bytes JMP 000000006fff0180 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3532] C:\Windows\system32\kernel32.dll!RegDeleteValueW 000000007772ffd0 5 bytes JMP 000000006fff01b8 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3532] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 000000007773f3f0 5 bytes JMP 000000006fff0110 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3532] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000077769c80 7 bytes JMP 000000006fff00d8 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3532] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 0000000077779710 5 bytes JMP 000000006fff0148 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3532] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000077798ab0 7 bytes JMP 000000006fff01f0 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3532] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd7232f0 7 bytes JMP 000007fefd7100d8 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3532] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd72aa60 5 bytes JMP 000007fefd710180 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3532] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd72ac00 5 bytes JMP 000007fefd710110 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3532] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd739ac0 5 bytes JMP 000007fefd710148 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3532] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff5f6d10 11 bytes JMP 000007fefd710228 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3532] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007feff60b4f0 7 bytes JMP 000007fefd710260 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3532] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefe648840 8 bytes JMP 000007fefd7101f0 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3532] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefe64b9f0 8 bytes JMP 000007fefd7101b8 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3576] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000757a1eee 7 bytes JMP 0000000070203d10 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3576] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 00000000757a5b85 7 bytes JMP 00000000702046b0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3576] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000757b1409 7 bytes JMP 0000000070204050 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3576] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000757bea5d 7 bytes JMP 0000000070203d00 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3576] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000758490c4 7 bytes JMP 00000000702037c0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3576] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000075849149 5 bytes JMP 0000000070203870 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3576] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 000000007584949f 5 bytes JMP 00000000702037d0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3576] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000775c1e4c 5 bytes JMP 0000000070203780 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3576] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 00000000775c1efa 5 bytes JMP 0000000070203740 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3576] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000775c2bdc 5 bytes JMP 0000000070203880 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3576] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000775c2e7e 5 bytes JMP 0000000070203560 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3576] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000756a8a29 5 bytes JMP 0000000070202c50 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3576] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 00000000756b5645 5 bytes JMP 00000000702034e0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3576] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 00000000756cf61f 5 bytes JMP 0000000070203550 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3576] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 00000000756f0867 5 bytes JMP 0000000070202a60 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3576] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000075707af4 5 bytes JMP 00000000702034d0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3576] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000075d2e757 5 bytes JMP 0000000070202d70 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3576] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000075d2e991 5 bytes JMP 0000000070202d80 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3576] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 00000000754a5e75 5 bytes JMP 0000000070202c10 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3576] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000754d9cbb 5 bytes JMP 0000000070202ba0 .text C:\Program Files\Realtek\Audio\HDA\FMAPP.exe[3884] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd7232f0 7 bytes JMP 000007fefd7100d8 .text C:\Program Files\Realtek\Audio\HDA\FMAPP.exe[3884] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd72aa60 5 bytes JMP 000007fefd710180 .text C:\Program Files\Realtek\Audio\HDA\FMAPP.exe[3884] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd72ac00 5 bytes JMP 000007fefd710110 .text C:\Program Files\Realtek\Audio\HDA\FMAPP.exe[3884] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd739ac0 5 bytes JMP 000007fefd710148 .text C:\Program Files\Realtek\Audio\HDA\FMAPP.exe[3884] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefe648840 8 bytes JMP 000007fefd7101f0 .text C:\Program Files\Realtek\Audio\HDA\FMAPP.exe[3884] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefe64b9f0 8 bytes JMP 000007fefd7101b8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3704] C:\Windows\system32\kernel32.dll!RegSetValueExW 000000007770a3f0 7 bytes JMP 000000006fff0228 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3704] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000077713f00 5 bytes JMP 000000006fff0180 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3704] C:\Windows\system32\kernel32.dll!RegDeleteValueW 000000007772ffd0 5 bytes JMP 000000006fff01b8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3704] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 000000007773f3f0 5 bytes JMP 000000006fff0110 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3704] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000077769c80 7 bytes JMP 000000006fff00d8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3704] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 0000000077779710 5 bytes JMP 000000006fff0148 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3704] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000077798ab0 7 bytes JMP 000000006fff01f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3704] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd7232f0 7 bytes JMP 000007fefd7100d8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3704] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd72aa60 5 bytes JMP 000007fefd710180 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3704] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd72ac00 5 bytes JMP 000007fefd710110 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3704] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd739ac0 5 bytes JMP 000007fefd710148 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3704] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefe648840 8 bytes JMP 000007fefd7101f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3704] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefe64b9f0 8 bytes JMP 000007fefd7101b8 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2724] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000757a1eee 7 bytes JMP 0000000070203d10 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2724] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 00000000757a5b85 7 bytes JMP 00000000702046b0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2724] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000757b1409 7 bytes JMP 0000000070204050 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2724] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000757bea5d 7 bytes JMP 0000000070203d00 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2724] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000758490c4 7 bytes JMP 00000000702037c0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2724] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000075849149 5 bytes JMP 0000000070203870 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2724] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 000000007584949f 5 bytes JMP 00000000702037d0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2724] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000775c1e4c 5 bytes JMP 0000000070203780 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2724] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 00000000775c1efa 5 bytes JMP 0000000070203740 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2724] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000775c2bdc 5 bytes JMP 0000000070203880 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2724] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000775c2e7e 5 bytes JMP 0000000070203560 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2724] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000075d2e757 5 bytes JMP 0000000070202d70 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2724] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000075d2e991 5 bytes JMP 0000000070202d80 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2724] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000756a8a29 5 bytes JMP 0000000070202c50 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2724] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 00000000756b5645 5 bytes JMP 00000000702034e0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2724] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 00000000756cf61f 5 bytes JMP 0000000070203550 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2724] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 00000000756f0867 5 bytes JMP 0000000070202a60 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2724] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000075707af4 5 bytes JMP 00000000702034d0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2724] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 00000000754a5e75 5 bytes JMP 0000000070202c10 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2724] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000754d9cbb 5 bytes JMP 0000000070202ba0 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2592] C:\Windows\syswow64\KERNEL32.dll!RegQueryValueExW 00000000757a1eee 7 bytes JMP 0000000070203d10 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2592] C:\Windows\syswow64\KERNEL32.dll!RegSetValueExW 00000000757a5b85 7 bytes JMP 00000000702046b0 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2592] C:\Windows\syswow64\KERNEL32.dll!RegSetValueExA 00000000757b1409 7 bytes JMP 0000000070204050 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2592] C:\Windows\syswow64\KERNEL32.dll!RegDeleteValueW 00000000757bea5d 7 bytes JMP 0000000070203d00 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2592] C:\Windows\syswow64\KERNEL32.dll!K32EnumProcessModulesEx 00000000758490c4 7 bytes JMP 00000000702037c0 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2592] C:\Windows\syswow64\KERNEL32.dll!K32GetModuleInformation 0000000075849149 5 bytes JMP 0000000070203870 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2592] C:\Windows\syswow64\KERNEL32.dll!K32GetMappedFileNameW 000000007584949f 5 bytes JMP 00000000702037d0 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2592] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000775c1e4c 5 bytes JMP 0000000070203780 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2592] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 00000000775c1efa 5 bytes JMP 0000000070203740 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2592] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000775c2bdc 5 bytes JMP 0000000070203880 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2592] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000775c2e7e 5 bytes JMP 0000000070203560 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2592] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000075d2e757 5 bytes JMP 0000000070202d70 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2592] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000075d2e991 5 bytes JMP 0000000070202d80 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2592] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000756a8a29 5 bytes JMP 0000000070202c50 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2592] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 00000000756b5645 5 bytes JMP 00000000702034e0 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2592] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 00000000756cf61f 5 bytes JMP 0000000070203550 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2592] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 00000000756f0867 5 bytes JMP 0000000070202a60 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2592] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000075707af4 5 bytes JMP 00000000702034d0 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2592] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 00000000754a5e75 5 bytes JMP 0000000070202c10 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2592] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000754d9cbb 5 bytes JMP 0000000070202ba0 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[4044] C:\Windows\system32\KERNEL32.dll!RegSetValueExW 000000007770a3f0 7 bytes JMP 000000006fff0228 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[4044] C:\Windows\system32\KERNEL32.dll!RegQueryValueExW 0000000077713f00 5 bytes JMP 000000006fff0180 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[4044] C:\Windows\system32\KERNEL32.dll!RegDeleteValueW 000000007772ffd0 5 bytes JMP 000000006fff01b8 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[4044] C:\Windows\system32\KERNEL32.dll!K32GetMappedFileNameW 000000007773f3f0 5 bytes JMP 000000006fff0110 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[4044] C:\Windows\system32\KERNEL32.dll!K32EnumProcessModulesEx 0000000077769c80 7 bytes JMP 000000006fff00d8 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[4044] C:\Windows\system32\KERNEL32.dll!K32GetModuleInformation 0000000077779710 5 bytes JMP 000000006fff0148 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[4044] C:\Windows\system32\KERNEL32.dll!RegSetValueExA 0000000077798ab0 7 bytes JMP 000000006fff01f0 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[4044] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd7232f0 7 bytes JMP 000007fefd7100d8 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[4044] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd72aa60 5 bytes JMP 000007fefd710180 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[4044] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd72ac00 5 bytes JMP 000007fefd710110 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[4044] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd739ac0 5 bytes JMP 000007fefd710148 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[4044] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefe648840 8 bytes JMP 000007fefd7101f0 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[4044] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefe64b9f0 8 bytes JMP 000007fefd7101b8 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[4044] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff5f6d10 11 bytes JMP 000007fefd710228 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[4044] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007feff60b4f0 7 bytes JMP 000007fefd710260 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3316] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000757a1eee 7 bytes JMP 0000000070203d10 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3316] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 00000000757a5b85 7 bytes JMP 00000000702046b0 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3316] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000757b1409 7 bytes JMP 0000000070204050 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3316] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000757bea5d 7 bytes JMP 0000000070203d00 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3316] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000758490c4 7 bytes JMP 00000000702037c0 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3316] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000075849149 5 bytes JMP 0000000070203870 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3316] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 000000007584949f 5 bytes JMP 00000000702037d0 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3316] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000775c1e4c 5 bytes JMP 0000000070203780 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3316] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 00000000775c1efa 5 bytes JMP 0000000070203740 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3316] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000775c2bdc 5 bytes JMP 0000000070203880 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3316] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000775c2e7e 5 bytes JMP 0000000070203560 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3316] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000075d2e757 5 bytes JMP 0000000070202d70 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3316] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000075d2e991 5 bytes JMP 0000000070202d80 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3316] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000756a8a29 5 bytes JMP 0000000070202c50 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3316] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 00000000756b5645 5 bytes JMP 00000000702034e0 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3316] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 00000000756cf61f 5 bytes JMP 0000000070203550 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3316] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 00000000756f0867 5 bytes JMP 0000000070202a60 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3316] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000075707af4 5 bytes JMP 00000000702034d0 ? C:\Windows\system32\mssprxy.dll [3316] entry point in ".rdata" section 00000000739a71e6 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3592] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000757a1eee 7 bytes JMP 0000000070203d10 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3592] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 00000000757a5b85 7 bytes JMP 00000000702046b0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3592] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000757b1409 7 bytes JMP 0000000070204050 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3592] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000757bea5d 7 bytes JMP 0000000070203d00 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3592] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000758490c4 7 bytes JMP 00000000702037c0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3592] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000075849149 5 bytes JMP 0000000070203870 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3592] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 000000007584949f 5 bytes JMP 00000000702037d0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3592] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000775c1e4c 5 bytes JMP 0000000070203780 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3592] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 00000000775c1efa 5 bytes JMP 0000000070203740 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3592] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000775c2bdc 5 bytes JMP 0000000070203880 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3592] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000775c2e7e 5 bytes JMP 0000000070203560 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3592] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 00000000754a5e75 5 bytes JMP 0000000070202c10 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3592] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000754d9cbb 5 bytes JMP 0000000070202ba0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3592] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000075d2e757 5 bytes JMP 0000000070202d70 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3592] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000075d2e991 5 bytes JMP 0000000070202d80 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3592] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000756a8a29 5 bytes JMP 0000000070202c50 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3592] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 00000000756b5645 5 bytes JMP 00000000702034e0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3592] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 00000000756cf61f 5 bytes JMP 0000000070203550 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3592] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 00000000756f0867 5 bytes JMP 0000000070202a60 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3592] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000075707af4 5 bytes JMP 00000000702034d0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4888] C:\Windows\system32\kernel32.dll!RegSetValueExW 000000007770a3f0 7 bytes JMP 000000006fff0228 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4888] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000077713f00 5 bytes JMP 000000006fff0180 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4888] C:\Windows\system32\kernel32.dll!RegDeleteValueW 000000007772ffd0 5 bytes JMP 000000006fff01b8 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4888] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 000000007773f3f0 5 bytes JMP 000000006fff0110 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4888] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000077769c80 7 bytes JMP 000000006fff00d8 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4888] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 0000000077779710 5 bytes JMP 000000006fff0148 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4888] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000077798ab0 7 bytes JMP 000000006fff01f0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4888] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd7232f0 7 bytes JMP 000007fefd7100d8 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4888] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd72aa60 5 bytes JMP 000007fefd710180 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4888] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd72ac00 5 bytes JMP 000007fefd710110 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4888] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd739ac0 5 bytes JMP 000007fefd710148 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4888] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefe648840 8 bytes JMP 000007fefd7101f0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4888] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefe64b9f0 8 bytes JMP 000007fefd7101b8 .text C:\Program Files\Elantech\ETDIntelligent.exe[5032] C:\Windows\system32\kernel32.dll!RegSetValueExW 000000007770a3f0 7 bytes JMP 000000006fff0228 .text C:\Program Files\Elantech\ETDIntelligent.exe[5032] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000077713f00 5 bytes JMP 000000006fff0180 .text C:\Program Files\Elantech\ETDIntelligent.exe[5032] C:\Windows\system32\kernel32.dll!RegDeleteValueW 000000007772ffd0 5 bytes JMP 000000006fff01b8 .text C:\Program Files\Elantech\ETDIntelligent.exe[5032] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 000000007773f3f0 5 bytes JMP 000000006fff0110 .text C:\Program Files\Elantech\ETDIntelligent.exe[5032] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000077769c80 7 bytes JMP 000000006fff00d8 .text C:\Program Files\Elantech\ETDIntelligent.exe[5032] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 0000000077779710 5 bytes JMP 000000006fff0148 .text C:\Program Files\Elantech\ETDIntelligent.exe[5032] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000077798ab0 7 bytes JMP 000000006fff01f0 .text C:\Program Files\Elantech\ETDIntelligent.exe[5032] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd7232f0 7 bytes JMP 000007fefd7100d8 .text C:\Program Files\Elantech\ETDIntelligent.exe[5032] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd72aa60 5 bytes JMP 000007fefd710180 .text C:\Program Files\Elantech\ETDIntelligent.exe[5032] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd72ac00 5 bytes JMP 000007fefd710110 .text C:\Program Files\Elantech\ETDIntelligent.exe[5032] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd739ac0 5 bytes JMP 000007fefd710148 .text C:\Program Files\Elantech\ETDIntelligent.exe[5032] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefe648840 8 bytes JMP 000007fefd7101f0 .text C:\Program Files\Elantech\ETDIntelligent.exe[5032] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefe64b9f0 8 bytes JMP 000007fefd7101b8 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[1104] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000757a1eee 7 bytes JMP 0000000070203d10 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[1104] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 00000000757a5b85 7 bytes JMP 00000000702046b0 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[1104] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000757b1409 7 bytes JMP 0000000070204050 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[1104] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000757bea5d 7 bytes JMP 0000000070203d00 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[1104] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000758490c4 7 bytes JMP 00000000702037c0 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[1104] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000075849149 5 bytes JMP 0000000070203870 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[1104] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 000000007584949f 5 bytes JMP 00000000702037d0 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[1104] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000775c1e4c 5 bytes JMP 0000000070203780 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[1104] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 00000000775c1efa 5 bytes JMP 0000000070203740 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[1104] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000775c2bdc 5 bytes JMP 0000000070203880 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[1104] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000775c2e7e 5 bytes JMP 0000000070203560 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[1104] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000756a8a29 5 bytes JMP 0000000070202c50 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[1104] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 00000000756b5645 5 bytes JMP 00000000702034e0 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[1104] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 00000000756cf61f 5 bytes JMP 0000000070203550 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[1104] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 00000000756f0867 5 bytes JMP 0000000070202a60 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[1104] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000075707af4 5 bytes JMP 00000000702034d0 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[1104] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000075d2e757 5 bytes JMP 0000000070202d70 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[1104] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000075d2e991 5 bytes JMP 0000000070202d80 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[1104] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076721401 2 bytes JMP 757cb233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[1104] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076721419 2 bytes JMP 757cb35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[1104] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076721431 2 bytes JMP 75849149 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[1104] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007672144a 2 bytes CALL 757a4885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[1104] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000767214dd 2 bytes JMP 75848a42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[1104] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000767214f5 2 bytes JMP 75848c18 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[1104] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007672150d 2 bytes JMP 75848938 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[1104] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076721525 2 bytes JMP 75848d02 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[1104] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007672153d 2 bytes JMP 757bfcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[1104] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076721555 2 bytes JMP 757c6907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[1104] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007672156d 2 bytes JMP 75849201 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[1104] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076721585 2 bytes JMP 75848d62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[1104] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007672159d 2 bytes JMP 758488fc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[1104] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000767215b5 2 bytes JMP 757bfd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[1104] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000767215cd 2 bytes JMP 757cb2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[1104] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000767216b2 2 bytes JMP 758490c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[1104] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000767216bd 2 bytes JMP 75848891 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[1104] C:\Windows\syswow64\ole32.DLL!CoSetProxyBlanket 00000000754a5e75 5 bytes JMP 0000000070202c10 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[1104] C:\Windows\syswow64\ole32.DLL!CoCreateInstance 00000000754d9cbb 5 bytes JMP 0000000070202ba0 .text C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[5152] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000757a1eee 7 bytes JMP 0000000070203d10 .text C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[5152] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 00000000757a5b85 7 bytes JMP 00000000702046b0 .text C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[5152] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000757b1409 7 bytes JMP 0000000070204050 .text C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[5152] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000757bea5d 7 bytes JMP 0000000070203d00 .text C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[5152] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000758490c4 7 bytes JMP 00000000702037c0 .text C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[5152] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000075849149 5 bytes JMP 0000000070203870 .text C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[5152] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 000000007584949f 5 bytes JMP 00000000702037d0 .text C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[5152] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000775c1e4c 5 bytes JMP 0000000070203780 .text C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[5152] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 00000000775c1efa 5 bytes JMP 0000000070203740 .text C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[5152] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000775c2bdc 5 bytes JMP 0000000070203880 .text C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[5152] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000775c2e7e 5 bytes JMP 0000000070203560 .text C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[5152] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000756a8a29 5 bytes JMP 0000000070202c50 .text C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[5152] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 00000000756b5645 5 bytes JMP 00000000702034e0 .text C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[5152] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 00000000756cf61f 5 bytes JMP 0000000070203550 .text C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[5152] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 00000000756f0867 5 bytes JMP 0000000070202a60 .text C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[5152] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000075707af4 5 bytes JMP 00000000702034d0 .text C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[5152] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000075d2e757 5 bytes JMP 0000000070202d70 .text C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[5152] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000075d2e991 5 bytes JMP 0000000070202d80 .text C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[5152] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 00000000754a5e75 5 bytes JMP 0000000070202c10 .text C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[5152] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000754d9cbb 5 bytes JMP 0000000070202ba0 .text C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[5152] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076721401 2 bytes JMP 757cb233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[5152] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076721419 2 bytes JMP 757cb35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[5152] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076721431 2 bytes JMP 75849149 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[5152] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007672144a 2 bytes CALL 757a4885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[5152] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000767214dd 2 bytes JMP 75848a42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[5152] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000767214f5 2 bytes JMP 75848c18 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[5152] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007672150d 2 bytes JMP 75848938 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[5152] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076721525 2 bytes JMP 75848d02 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[5152] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007672153d 2 bytes JMP 757bfcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[5152] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076721555 2 bytes JMP 757c6907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[5152] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007672156d 2 bytes JMP 75849201 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[5152] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076721585 2 bytes JMP 75848d62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[5152] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007672159d 2 bytes JMP 758488fc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[5152] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000767215b5 2 bytes JMP 757bfd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[5152] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000767215cd 2 bytes JMP 757cb2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[5152] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000767216b2 2 bytes JMP 758490c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[5152] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000767216bd 2 bytes JMP 75848891 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[5528] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076721401 2 bytes JMP 757cb233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[5528] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076721419 2 bytes JMP 757cb35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[5528] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076721431 2 bytes JMP 75849149 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[5528] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007672144a 2 bytes CALL 757a4885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[5528] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000767214dd 2 bytes JMP 75848a42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[5528] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000767214f5 2 bytes JMP 75848c18 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[5528] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007672150d 2 bytes JMP 75848938 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[5528] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076721525 2 bytes JMP 75848d02 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[5528] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007672153d 2 bytes JMP 757bfcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[5528] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076721555 2 bytes JMP 757c6907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[5528] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007672156d 2 bytes JMP 75849201 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[5528] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076721585 2 bytes JMP 75848d62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[5528] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007672159d 2 bytes JMP 758488fc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[5528] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000767215b5 2 bytes JMP 757bfd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[5528] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000767215cd 2 bytes JMP 757cb2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[5528] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000767216b2 2 bytes JMP 758490c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[5528] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000767216bd 2 bytes JMP 75848891 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[4456] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 388 0000000077821234 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[4456] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 00000000778212df 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[4456] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 0000000077821434 8 bytes [50, BE, F5, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[4456] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 00000000778217be 8 bytes [40, BE, F5, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[4456] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000077821a94 8 bytes [30, BE, F5, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[4456] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000077821c15 8 bytes [20, BE, F5, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[4456] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000077821d7f 8 bytes [10, BE, F5, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[4456] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000077821e65 8 bytes [00, BE, F5, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[4456] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 584 00000000778220c8 8 bytes [F0, BD, F5, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 000000007786be00 8 bytes {JMP QWORD [RIP-0x4a1f1]} .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 000000007786bf80 8 bytes {JMP QWORD [RIP-0x4a207]} .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007786bfb0 8 bytes {JMP QWORD [RIP-0x4ab82]} .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007786c0d0 8 bytes {JMP QWORD [RIP-0x4a642]} .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007786c180 8 bytes {JMP QWORD [RIP-0x4a9c8]} .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007786c7b0 8 bytes {JMP QWORD [RIP-0x4a512]} .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007786ca00 8 bytes {JMP QWORD [RIP-0x4a93e]} .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007786d260 8 bytes {JMP QWORD [RIP-0x4b401]} .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[4456] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000729113cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[4456] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007291146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[4456] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000729116d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[4456] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000729119db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[4456] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000729119fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[4456] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000072911a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[4456] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000757a1eee 7 bytes JMP 0000000070203d10 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[4456] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 00000000757a5b85 7 bytes JMP 00000000702046b0 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[4456] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000757b1409 7 bytes JMP 0000000070204050 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[4456] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000757bea5d 7 bytes JMP 0000000070203d00 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[4456] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000758490c4 7 bytes JMP 00000000702037c0 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[4456] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000075849149 5 bytes JMP 0000000070203870 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[4456] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 000000007584949f 5 bytes JMP 00000000702037d0 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[4456] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000775c1e4c 5 bytes JMP 0000000070203780 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[4456] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 00000000775c1efa 5 bytes JMP 0000000070203740 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[4456] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000775c2bdc 5 bytes JMP 0000000070203880 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[4456] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000775c2e7e 5 bytes JMP 0000000070203560 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[4456] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000756a8a29 5 bytes JMP 0000000070202c50 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[4456] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 00000000756b5645 5 bytes JMP 00000000702034e0 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[4456] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 00000000756cf61f 5 bytes JMP 0000000070203550 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[4456] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 00000000756f0867 5 bytes JMP 0000000070202a60 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[4456] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000075707af4 5 bytes JMP 00000000702034d0 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[4456] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000075d2e757 5 bytes JMP 0000000070202d70 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[4456] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000075d2e991 5 bytes JMP 0000000070202d80 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[4456] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076721401 2 bytes JMP 757cb233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[4456] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076721419 2 bytes JMP 757cb35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[4456] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076721431 2 bytes JMP 75849149 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[4456] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007672144a 2 bytes CALL 757a4885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[4456] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000767214dd 2 bytes JMP 75848a42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[4456] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000767214f5 2 bytes JMP 75848c18 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[4456] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007672150d 2 bytes JMP 75848938 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[4456] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076721525 2 bytes JMP 75848d02 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[4456] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007672153d 2 bytes JMP 757bfcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[4456] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076721555 2 bytes JMP 757c6907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[4456] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007672156d 2 bytes JMP 75849201 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[4456] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076721585 2 bytes JMP 75848d62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[4456] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007672159d 2 bytes JMP 758488fc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[4456] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000767215b5 2 bytes JMP 757bfd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[4456] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000767215cd 2 bytes JMP 757cb2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[4456] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000767216b2 2 bytes JMP 758490c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[4456] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000767216bd 2 bytes JMP 75848891 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[4456] C:\Windows\syswow64\ole32.DLL!CoSetProxyBlanket 00000000754a5e75 5 bytes JMP 0000000070202c10 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[4456] C:\Windows\syswow64\ole32.DLL!CoCreateInstance 00000000754d9cbb 5 bytes JMP 0000000070202ba0 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 388 0000000077821234 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 00000000778212df 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 0000000077821434 8 bytes [50, 0E, F1, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 00000000778217be 8 bytes [40, 0E, F1, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000077821a94 8 bytes [30, 0E, F1, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000077821c15 8 bytes [20, 0E, F1, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000077821d7f 8 bytes [10, 0E, F1, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000077821e65 8 bytes [00, 0E, F1, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 584 00000000778220c8 8 bytes [F0, 0D, F1, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 000000007786be00 8 bytes {JMP QWORD [RIP-0x4a1f1]} .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 000000007786bf80 8 bytes {JMP QWORD [RIP-0x4a207]} .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007786bfb0 8 bytes {JMP QWORD [RIP-0x4ab82]} .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007786c0d0 8 bytes {JMP QWORD [RIP-0x4a642]} .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007786c180 8 bytes {JMP QWORD [RIP-0x4a9c8]} .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007786c7b0 8 bytes {JMP QWORD [RIP-0x4a512]} .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007786ca00 8 bytes {JMP QWORD [RIP-0x4a93e]} .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007786d260 8 bytes {JMP QWORD [RIP-0x4b401]} .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[1460] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000729113cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[1460] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007291146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[1460] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000729116d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[1460] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000729119db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[1460] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000729119fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[1460] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000072911a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[1460] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000757a1eee 7 bytes JMP 0000000070203d10 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[1460] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 00000000757a5b85 7 bytes JMP 00000000702046b0 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[1460] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000757b1409 7 bytes JMP 0000000070204050 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[1460] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000757bea5d 7 bytes JMP 0000000070203d00 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[1460] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000758490c4 7 bytes JMP 00000000702037c0 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[1460] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000075849149 5 bytes JMP 0000000070203870 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[1460] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 000000007584949f 5 bytes JMP 00000000702037d0 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[1460] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000775c1e4c 5 bytes JMP 0000000070203780 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[1460] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 00000000775c1efa 5 bytes JMP 0000000070203740 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[1460] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000775c2bdc 5 bytes JMP 0000000070203880 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[1460] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000775c2e7e 5 bytes JMP 0000000070203560 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[1460] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000756a8a29 5 bytes JMP 0000000070202c50 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[1460] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 00000000756b5645 5 bytes JMP 00000000702034e0 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[1460] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 00000000756cf61f 5 bytes JMP 0000000070203550 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[1460] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 00000000756f0867 5 bytes JMP 0000000070202a60 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[1460] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000075707af4 5 bytes JMP 00000000702034d0 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[1460] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000075d2e757 5 bytes JMP 0000000070202d70 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[1460] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000075d2e991 5 bytes JMP 0000000070202d80 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[1460] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076721401 2 bytes JMP 757cb233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[1460] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076721419 2 bytes JMP 757cb35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[1460] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076721431 2 bytes JMP 75849149 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[1460] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007672144a 2 bytes CALL 757a4885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[1460] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000767214dd 2 bytes JMP 75848a42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[1460] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000767214f5 2 bytes JMP 75848c18 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[1460] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007672150d 2 bytes JMP 75848938 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[1460] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076721525 2 bytes JMP 75848d02 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[1460] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007672153d 2 bytes JMP 757bfcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[1460] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076721555 2 bytes JMP 757c6907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[1460] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007672156d 2 bytes JMP 75849201 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[1460] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076721585 2 bytes JMP 75848d62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[1460] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007672159d 2 bytes JMP 758488fc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[1460] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000767215b5 2 bytes JMP 757bfd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[1460] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000767215cd 2 bytes JMP 757cb2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[1460] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000767216b2 2 bytes JMP 758490c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[1460] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000767216bd 2 bytes JMP 75848891 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[1460] C:\Windows\syswow64\ole32.DLL!CoSetProxyBlanket 00000000754a5e75 5 bytes JMP 0000000070202c10 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[1460] C:\Windows\syswow64\ole32.DLL!CoCreateInstance 00000000754d9cbb 5 bytes JMP 0000000070202ba0 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 388 0000000077821234 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 00000000778212df 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 0000000077821434 8 bytes {PUSH RAX; JMP 0x85} .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 00000000778217be 8 bytes {JMP 0x85} .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000077821a94 8 bytes {XOR [RSI], BH; JMP 0x85} .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000077821c15 8 bytes {AND [RSI], BH; JMP 0x85} .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000077821d7f 8 bytes {ADC [RSI], BH; JMP 0x85} .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000077821e65 8 bytes {ADD [RSI], BH; JMP 0x85} .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 584 00000000778220c8 8 bytes [F0, 3D, E9, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 000000007786be00 8 bytes {JMP QWORD [RIP-0x4a1f1]} .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 000000007786bf80 8 bytes {JMP QWORD [RIP-0x4a207]} .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007786bfb0 8 bytes {JMP QWORD [RIP-0x4ab82]} .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007786c0d0 8 bytes {JMP QWORD [RIP-0x4a642]} .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007786c180 8 bytes {JMP QWORD [RIP-0x4a9c8]} .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007786c7b0 8 bytes {JMP QWORD [RIP-0x4a512]} .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007786ca00 8 bytes {JMP QWORD [RIP-0x4a93e]} .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007786d260 8 bytes {JMP QWORD [RIP-0x4b401]} .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[2812] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000729113cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[2812] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007291146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[2812] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000729116d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[2812] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000729119db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[2812] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000729119fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[2812] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000072911a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[2812] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000757a1eee 7 bytes JMP 0000000070203d10 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[2812] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 00000000757a5b85 7 bytes JMP 00000000702046b0 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[2812] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000757b1409 7 bytes JMP 0000000070204050 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[2812] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000757bea5d 7 bytes JMP 0000000070203d00 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[2812] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000758490c4 7 bytes JMP 00000000702037c0 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[2812] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000075849149 5 bytes JMP 0000000070203870 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[2812] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 000000007584949f 5 bytes JMP 00000000702037d0 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[2812] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000775c1e4c 5 bytes JMP 0000000070203780 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[2812] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 00000000775c1efa 5 bytes JMP 0000000070203740 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[2812] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000775c2bdc 5 bytes JMP 0000000070203880 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[2812] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000775c2e7e 5 bytes JMP 0000000070203560 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[2812] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000756a8a29 5 bytes JMP 0000000070202c50 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[2812] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 00000000756b5645 5 bytes JMP 00000000702034e0 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[2812] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 00000000756cf61f 5 bytes JMP 0000000070203550 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[2812] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 00000000756f0867 5 bytes JMP 0000000070202a60 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[2812] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000075707af4 5 bytes JMP 00000000702034d0 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[2812] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000075d2e757 5 bytes JMP 0000000070202d70 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[2812] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000075d2e991 5 bytes JMP 0000000070202d80 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[2812] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076721401 2 bytes JMP 757cb233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[2812] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076721419 2 bytes JMP 757cb35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[2812] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076721431 2 bytes JMP 75849149 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[2812] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007672144a 2 bytes CALL 757a4885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[2812] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000767214dd 2 bytes JMP 75848a42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[2812] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000767214f5 2 bytes JMP 75848c18 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[2812] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007672150d 2 bytes JMP 75848938 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[2812] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076721525 2 bytes JMP 75848d02 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[2812] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007672153d 2 bytes JMP 757bfcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[2812] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076721555 2 bytes JMP 757c6907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[2812] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007672156d 2 bytes JMP 75849201 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[2812] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076721585 2 bytes JMP 75848d62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[2812] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007672159d 2 bytes JMP 758488fc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[2812] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000767215b5 2 bytes JMP 757bfd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[2812] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000767215cd 2 bytes JMP 757cb2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[2812] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000767216b2 2 bytes JMP 758490c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[2812] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000767216bd 2 bytes JMP 75848891 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[2812] C:\Windows\syswow64\ole32.DLL!CoSetProxyBlanket 00000000754a5e75 5 bytes JMP 0000000070202c10 .text C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[2812] C:\Windows\syswow64\ole32.DLL!CoCreateInstance 00000000754d9cbb 5 bytes JMP 0000000070202ba0 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 388 0000000077821234 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 00000000778212df 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 0000000077821434 8 bytes [50, 2E, F4, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 00000000778217be 8 bytes [40, 2E, F4, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000077821a94 8 bytes [30, 2E, F4, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000077821c15 8 bytes [20, 2E, F4, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000077821d7f 8 bytes [10, 2E, F4, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000077821e65 8 bytes [00, 2E, F4, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 584 00000000778220c8 8 bytes [F0, 2D, F4, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 000000007786be00 8 bytes {JMP QWORD [RIP-0x4a1f1]} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 000000007786bf80 8 bytes {JMP QWORD [RIP-0x4a207]} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007786bfb0 8 bytes {JMP QWORD [RIP-0x4ab82]} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007786c0d0 8 bytes {JMP QWORD [RIP-0x4a642]} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007786c180 8 bytes {JMP QWORD [RIP-0x4a9c8]} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007786c7b0 8 bytes {JMP QWORD [RIP-0x4a512]} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007786ca00 8 bytes {JMP QWORD [RIP-0x4a93e]} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007786d260 8 bytes {JMP QWORD [RIP-0x4b401]} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2144] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000729113cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2144] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007291146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2144] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000729116d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2144] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000729119db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2144] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000729119fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2144] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000072911a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6200] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 388 0000000077821234 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6200] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 00000000778212df 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6200] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 0000000077821434 8 bytes [50, 6E, EF, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6200] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 00000000778217be 8 bytes [40, 6E, EF, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6200] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000077821a94 8 bytes [30, 6E, EF, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6200] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000077821c15 8 bytes [20, 6E, EF, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6200] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000077821d7f 8 bytes [10, 6E, EF, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6200] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000077821e65 8 bytes [00, 6E, EF, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6200] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 584 00000000778220c8 8 bytes [F0, 6D, EF, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6200] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 000000007786be00 8 bytes {JMP QWORD [RIP-0x4a1f1]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6200] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 000000007786bf80 8 bytes {JMP QWORD [RIP-0x4a207]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6200] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007786bfb0 8 bytes {JMP QWORD [RIP-0x4ab82]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6200] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007786c0d0 8 bytes {JMP QWORD [RIP-0x4a642]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6200] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007786c180 8 bytes {JMP QWORD [RIP-0x4a9c8]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007786c7b0 8 bytes {JMP QWORD [RIP-0x4a512]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6200] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007786ca00 8 bytes {JMP QWORD [RIP-0x4a93e]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6200] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007786d260 8 bytes {JMP QWORD [RIP-0x4b401]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6200] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000729113cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6200] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007291146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6200] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000729116d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6200] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000729119db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6200] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000729119fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6200] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000072911a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6804] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 388 0000000077821234 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6804] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 00000000778212df 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6804] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 0000000077821434 8 bytes [50, 5E, EA, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6804] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 00000000778217be 8 bytes [40, 5E, EA, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6804] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000077821a94 8 bytes [30, 5E, EA, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6804] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000077821c15 8 bytes [20, 5E, EA, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6804] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000077821d7f 8 bytes [10, 5E, EA, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6804] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000077821e65 8 bytes [00, 5E, EA, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6804] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 584 00000000778220c8 8 bytes [F0, 5D, EA, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6804] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 000000007786be00 8 bytes {JMP QWORD [RIP-0x4a1f1]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6804] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 000000007786bf80 8 bytes {JMP QWORD [RIP-0x4a207]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6804] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007786bfb0 8 bytes {JMP QWORD [RIP-0x4ab82]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6804] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007786c0d0 8 bytes {JMP QWORD [RIP-0x4a642]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6804] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007786c180 8 bytes {JMP QWORD [RIP-0x4a9c8]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007786c7b0 8 bytes {JMP QWORD [RIP-0x4a512]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6804] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007786ca00 8 bytes {JMP QWORD [RIP-0x4a93e]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6804] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007786d260 8 bytes {JMP QWORD [RIP-0x4b401]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6804] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000729113cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6804] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007291146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6804] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000729116d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6804] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000729119db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6804] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000729119fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6804] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000072911a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 388 0000000077821234 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 00000000778212df 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 0000000077821434 8 bytes {PUSH RAX; OUT DX, AL; JMP 0x82} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 00000000778217be 8 bytes {OUT DX, AL; JMP 0x82} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000077821a94 8 bytes {XOR DH, CH; JMP 0x82} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000077821c15 8 bytes {AND DH, CH; JMP 0x82} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000077821d7f 8 bytes {ADC DH, CH; JMP 0x82} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000077821e65 8 bytes {ADD DH, CH; JMP 0x82} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 584 00000000778220c8 8 bytes {IN EAX, DX; JMP 0x82} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 000000007786be00 8 bytes {JMP QWORD [RIP-0x4a1f1]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 000000007786bf80 8 bytes {JMP QWORD [RIP-0x4a207]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007786bfb0 8 bytes {JMP QWORD [RIP-0x4ab82]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007786c0d0 8 bytes {JMP QWORD [RIP-0x4a642]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007786c180 8 bytes {JMP QWORD [RIP-0x4a9c8]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007786c7b0 8 bytes {JMP QWORD [RIP-0x4a512]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007786ca00 8 bytes {JMP QWORD [RIP-0x4a93e]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007786d260 8 bytes {JMP QWORD [RIP-0x4b401]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1976] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000729113cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1976] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007291146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1976] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000729116d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1976] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000729119db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1976] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000729119fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1976] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000072911a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1976] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000757a1eee 7 bytes JMP 0000000070203d10 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1976] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 00000000757a5b85 7 bytes JMP 00000000702046b0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1976] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000757b1409 7 bytes JMP 0000000070204050 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1976] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000757bea5d 7 bytes JMP 0000000070203d00 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1976] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000758490c4 7 bytes JMP 00000000702037c0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1976] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000075849149 5 bytes JMP 0000000070203870 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1976] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 000000007584949f 5 bytes JMP 00000000702037d0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1976] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000775c1e4c 5 bytes JMP 0000000070203780 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1976] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 00000000775c1efa 5 bytes JMP 0000000070203740 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1976] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000775c2bdc 5 bytes JMP 0000000070203880 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1976] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000775c2e7e 5 bytes JMP 0000000070203560 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1976] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000756a8a29 5 bytes JMP 0000000070202c50 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1976] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 00000000756b5645 5 bytes JMP 00000000702034e0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1976] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 00000000756cf61f 5 bytes JMP 0000000070203550 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1976] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 00000000756f0867 5 bytes JMP 0000000070202a60 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1976] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000075707af4 5 bytes JMP 00000000702034d0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1976] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000075d2e757 5 bytes JMP 0000000070202d70 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1976] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000075d2e991 5 bytes JMP 0000000070202d80 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1976] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 00000000754a5e75 5 bytes JMP 0000000070202c10 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1976] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000754d9cbb 5 bytes JMP 0000000070202ba0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1976] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076721401 2 bytes JMP 757cb233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1976] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076721419 2 bytes JMP 757cb35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1976] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076721431 2 bytes JMP 75849149 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1976] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007672144a 2 bytes CALL 757a4885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1976] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000767214dd 2 bytes JMP 75848a42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1976] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000767214f5 2 bytes JMP 75848c18 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1976] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007672150d 2 bytes JMP 75848938 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1976] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076721525 2 bytes JMP 75848d02 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1976] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007672153d 2 bytes JMP 757bfcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1976] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076721555 2 bytes JMP 757c6907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1976] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007672156d 2 bytes JMP 75849201 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1976] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076721585 2 bytes JMP 75848d62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1976] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007672159d 2 bytes JMP 758488fc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1976] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000767215b5 2 bytes JMP 757bfd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1976] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000767215cd 2 bytes JMP 757cb2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1976] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000767216b2 2 bytes JMP 758490c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1976] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000767216bd 2 bytes JMP 75848891 C:\Windows\syswow64\kernel32.dll .text D:\Mich\fixit\swisbn39.exe[6924] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 388 0000000077821234 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text D:\Mich\fixit\swisbn39.exe[6924] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 00000000778212df 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text D:\Mich\fixit\swisbn39.exe[6924] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 0000000077821434 8 bytes {PUSH RAX; JMP 0x82} .text D:\Mich\fixit\swisbn39.exe[6924] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 00000000778217be 8 bytes {JMP 0x82} .text D:\Mich\fixit\swisbn39.exe[6924] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000077821a94 8 bytes [30, 4E, EB, 7E, 00, 00, 00, ...] .text D:\Mich\fixit\swisbn39.exe[6924] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000077821c15 8 bytes [20, 4E, EB, 7E, 00, 00, 00, ...] .text D:\Mich\fixit\swisbn39.exe[6924] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000077821d7f 8 bytes [10, 4E, EB, 7E, 00, 00, 00, ...] .text D:\Mich\fixit\swisbn39.exe[6924] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000077821e65 8 bytes [00, 4E, EB, 7E, 00, 00, 00, ...] .text D:\Mich\fixit\swisbn39.exe[6924] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 584 00000000778220c8 8 bytes {JMP 0x82} .text D:\Mich\fixit\swisbn39.exe[6924] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 000000007786be00 8 bytes {JMP QWORD [RIP-0x4a1f1]} .text D:\Mich\fixit\swisbn39.exe[6924] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 000000007786bf80 8 bytes {JMP QWORD [RIP-0x4a207]} .text D:\Mich\fixit\swisbn39.exe[6924] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007786bfb0 8 bytes {JMP QWORD [RIP-0x4ab82]} .text D:\Mich\fixit\swisbn39.exe[6924] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007786c0d0 8 bytes {JMP QWORD [RIP-0x4a642]} .text D:\Mich\fixit\swisbn39.exe[6924] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007786c180 8 bytes {JMP QWORD [RIP-0x4a9c8]} .text D:\Mich\fixit\swisbn39.exe[6924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007786c7b0 8 bytes {JMP QWORD [RIP-0x4a512]} .text D:\Mich\fixit\swisbn39.exe[6924] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007786ca00 8 bytes {JMP QWORD [RIP-0x4a93e]} .text D:\Mich\fixit\swisbn39.exe[6924] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007786d260 8 bytes {JMP QWORD [RIP-0x4b401]} .text D:\Mich\fixit\swisbn39.exe[6924] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000729113cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text D:\Mich\fixit\swisbn39.exe[6924] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007291146b 8 bytes {JMP 0xffffffffffffffb0} .text D:\Mich\fixit\swisbn39.exe[6924] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000729116d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text D:\Mich\fixit\swisbn39.exe[6924] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000729119db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text D:\Mich\fixit\swisbn39.exe[6924] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000729119fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text D:\Mich\fixit\swisbn39.exe[6924] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000072911a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text D:\Mich\fixit\swisbn39.exe[6924] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000757a1eee 7 bytes JMP 0000000070203d10 .text D:\Mich\fixit\swisbn39.exe[6924] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 00000000757a5b85 7 bytes JMP 00000000702046b0 .text D:\Mich\fixit\swisbn39.exe[6924] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000757b1409 7 bytes JMP 0000000070204050 .text D:\Mich\fixit\swisbn39.exe[6924] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000757bea5d 7 bytes JMP 0000000070203d00 .text D:\Mich\fixit\swisbn39.exe[6924] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000758490c4 7 bytes JMP 00000000702037c0 .text D:\Mich\fixit\swisbn39.exe[6924] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000075849149 5 bytes JMP 0000000070203870 .text D:\Mich\fixit\swisbn39.exe[6924] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 000000007584949f 5 bytes JMP 00000000702037d0 .text D:\Mich\fixit\swisbn39.exe[6924] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000775c1e4c 5 bytes JMP 0000000070203780 .text D:\Mich\fixit\swisbn39.exe[6924] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 00000000775c1efa 5 bytes JMP 0000000070203740 .text D:\Mich\fixit\swisbn39.exe[6924] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000775c2bdc 5 bytes JMP 0000000070203880 .text D:\Mich\fixit\swisbn39.exe[6924] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000775c2e7e 5 bytes JMP 0000000070203560 .text D:\Mich\fixit\swisbn39.exe[6924] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000075d2e757 5 bytes JMP 0000000070202d70 .text D:\Mich\fixit\swisbn39.exe[6924] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000075d2e991 5 bytes JMP 0000000070202d80 .text D:\Mich\fixit\swisbn39.exe[6924] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000756a8a29 5 bytes JMP 0000000070202c50 .text D:\Mich\fixit\swisbn39.exe[6924] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 00000000756b5645 5 bytes JMP 00000000702034e0 .text D:\Mich\fixit\swisbn39.exe[6924] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 00000000756cf61f 5 bytes JMP 0000000070203550 .text D:\Mich\fixit\swisbn39.exe[6924] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 00000000756f0867 5 bytes JMP 0000000070202a60 .text D:\Mich\fixit\swisbn39.exe[6924] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000075707af4 5 bytes JMP 00000000702034d0 ---- Kernel IAT/EAT - GMER 2.2 ---- IAT C:\Windows\System32\win32k.sys[ntoskrnl.exe!KeUserModeCallback] [fffff88004f46838] \SystemRoot\system32\DRIVERS\klif.sys [PAGE] ---- User IAT/EAT - GMER 2.2 ---- IAT C:\Windows\system32\AUDIODG.EXE[8976] @ C:\Windows\system32\AUDIODG.EXE[ntdll.dll!NtClose] [779d0010] IAT C:\Windows\system32\AUDIODG.EXE[8976] @ C:\Windows\system32\AUDIODG.EXE[ntdll.dll!NtAlpcSendWaitReceivePort] [779d0000] IAT C:\Windows\system32\AUDIODG.EXE[8976] @ C:\Windows\System32\kernel32.dll[ntdll.dll!NtClose] [779d0010] IAT C:\Windows\system32\AUDIODG.EXE[8976] @ C:\Windows\System32\KERNELBASE.dll[ntdll.dll!NtClose] [779d0010] IAT C:\Windows\system32\AUDIODG.EXE[8976] @ C:\Windows\System32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [779d0000] IAT C:\Windows\system32\AUDIODG.EXE[8976] @ C:\Windows\System32\RPCRT4.dll[ntdll.dll!NtClose] [779d0010] IAT C:\Windows\system32\AUDIODG.EXE[8976] @ C:\Windows\System32\USER32.dll[ntdll.dll!NtClose] [779d0010] IAT C:\Windows\system32\AUDIODG.EXE[8976] @ C:\Windows\System32\GDI32.dll[ntdll.dll!NtClose] [779d0010] IAT C:\Windows\system32\AUDIODG.EXE[8976] @ C:\Windows\System32\ole32.dll[ntdll.dll!NtClose] [779d0010] IAT C:\Windows\system32\AUDIODG.EXE[8976] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [779d0000] IAT C:\Windows\system32\AUDIODG.EXE[8976] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtClose] [779d0010] IAT C:\Windows\system32\AUDIODG.EXE[8976] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtClose] [779d0010] IAT C:\Windows\system32\AUDIODG.EXE[8976] @ C:\Windows\system32\CRYPTBASE.dll[ntdll.dll!NtClose] [779d0010] IAT C:\Windows\system32\AUDIODG.EXE[8976] @ C:\Windows\system32\RpcRtRemote.dll[ntdll.dll!NtClose] [779d0010] IAT C:\Windows\system32\AUDIODG.EXE[8976] @ C:\Windows\system32\ntmarta.dll[ntdll.dll!NtClose] [779d0010] IAT C:\Windows\system32\AUDIODG.EXE[8976] @ C:\Windows\system32\CRYPTSP.dll[ntdll.dll!NtClose] [779d0010] IAT C:\Windows\system32\AUDIODG.EXE[8976] @ C:\Windows\system32\rsaenh.dll[ntdll.dll!NtClose] [779d0010] IAT C:\Windows\system32\AUDIODG.EXE[8976] @ C:\Windows\System32\audioses.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [779d0000] IAT C:\Windows\system32\AUDIODG.EXE[8976] @ C:\Windows\System32\AVRT.dll[ntdll.dll!NtClose] [779d0010] IAT C:\Windows\system32\AUDIODG.EXE[8976] @ C:\Windows\System32\AVRT.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [779d0000] IAT C:\Windows\system32\AUDIODG.EXE[8976] @ C:\Windows\system32\SETUPAPI.dll[ntdll.dll!NtClose] [779d0010] IAT C:\Windows\system32\AUDIODG.EXE[8976] @ C:\Windows\System32\CRYPT32.dll[ntdll.dll!NtClose] [779d0010] IAT C:\Windows\system32\AUDIODG.EXE[8976] @ C:\Windows\system32\SHELL32.dll[ntdll.dll!NtClose] [779d0010] IAT C:\Windows\system32\AUDIODG.EXE[8976] @ C:\Windows\system32\WINMM.dll[ntdll.dll!NtClose] [779d0010] ---- Threads - GMER 2.2 ---- Thread C:\Windows\System32\svchost.exe [2096:3204] 000007fef5ec9688 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\20689dc48669 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\689423f0ef8f Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\689423f0ef8f@bcb1f3f48214 0x7E 0x9E 0x71 0xBF ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\689423f0ef8f@8400d246ca96 0x78 0xAB 0xC1 0x26 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\689423f0ef8f@48592911668d 0x38 0xE0 0xBF 0x31 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\689423f0ef8f@9401c27e0704 0x7C 0xF1 0xCF 0x02 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\689423f0ef8f@7802f8d95bc0 0xC5 0xFA 0xD4 0xC0 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\c0143dd1aece Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x20 0xEB 0x21 0x53 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\20689dc48669 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\689423f0ef8f (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\689423f0ef8f@bcb1f3f48214 0x7E 0x9E 0x71 0xBF ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\689423f0ef8f@8400d246ca96 0x78 0xAB 0xC1 0x26 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\689423f0ef8f@48592911668d 0x38 0xE0 0xBF 0x31 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\689423f0ef8f@9401c27e0704 0x7C 0xF1 0xCF 0x02 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\689423f0ef8f@7802f8d95bc0 0xC5 0xFA 0xD4 0xC0 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\c0143dd1aece (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x20 0xEB 0x21 0x53 ... ---- EOF - GMER 2.2 ----