GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-01-28 13:44:45 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 Samsung_ rev.DXT0 111,79GB Running: jukrdxmo.exe; Driver: C:\Users\rwi~1\AppData\Local\Temp\kwrcypod.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\Lenovo\Access Connections\AcPrfMgrSvc.exe[1384] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076db1465 2 bytes [DB, 76] .text C:\Program Files (x86)\Lenovo\Access Connections\AcPrfMgrSvc.exe[1384] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076db14bb 2 bytes [DB, 76] .text ... * 2 .text C:\Program Files (x86)\Cisco Systems\VPN Client\cvpnd.exe[2200] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076db1465 2 bytes [DB, 76] .text C:\Program Files (x86)\Cisco Systems\VPN Client\cvpnd.exe[2200] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076db14bb 2 bytes [DB, 76] .text ... * 2 .text C:\Windows\SysWOW64\DNTUS26.EXE[2248] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076db1465 2 bytes [DB, 76] .text C:\Windows\SysWOW64\DNTUS26.EXE[2248] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076db14bb 2 bytes [DB, 76] .text ... * 2 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2696] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd572db0 5 bytes JMP 000007fffd560180 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2696] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd5737d0 7 bytes JMP 000007fffd5600d8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2696] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd578ef0 6 bytes JMP 000007fffd560148 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2696] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd58af60 5 bytes JMP 000007fffd560110 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2696] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefdd389e0 8 bytes JMP 000007fffd5601f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2696] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefdd3be40 8 bytes JMP 000007fffd5601b8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2696] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd9c7490 11 bytes JMP 000007fffd560228 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2696] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefd9dbf00 7 bytes JMP 000007fffd560260 .text C:\Windows\system32\nvwmi64.exe[2712] C:\Windows\system32\kernel32.dll!RegSetValueExW 00000000771da400 7 bytes JMP 000000016fff0260 .text C:\Windows\system32\nvwmi64.exe[2712] C:\Windows\system32\kernel32.dll!RegQueryValueExW 00000000771e3f20 5 bytes JMP 000000016fff01b8 .text C:\Windows\system32\nvwmi64.exe[2712] C:\Windows\system32\kernel32.dll!RegDeleteValueW 00000000771fffb0 5 bytes JMP 000000016fff01f0 .text C:\Windows\system32\nvwmi64.exe[2712] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 000000007720f2e0 5 bytes JMP 000000016fff0148 .text C:\Windows\system32\nvwmi64.exe[2712] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000077239a30 7 bytes JMP 000000016fff00d8 .text C:\Windows\system32\nvwmi64.exe[2712] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000772494c0 5 bytes JMP 000000016fff0180 .text C:\Windows\system32\nvwmi64.exe[2712] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 0000000077249630 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\nvwmi64.exe[2712] C:\Windows\system32\kernel32.dll!RegSetValueExA 00000000772687e0 7 bytes JMP 000000016fff0228 .text C:\Windows\system32\nvwmi64.exe[2712] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd572db0 5 bytes JMP 000007fffd560180 .text C:\Windows\system32\nvwmi64.exe[2712] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd5737d0 7 bytes JMP 000007fffd5600d8 .text C:\Windows\system32\nvwmi64.exe[2712] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd578ef0 6 bytes JMP 000007fffd560148 .text C:\Windows\system32\nvwmi64.exe[2712] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd58af60 5 bytes JMP 000007fffd560110 .text C:\Windows\system32\nvwmi64.exe[2712] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefdd389e0 8 bytes JMP 000007fffd5601f0 .text C:\Windows\system32\nvwmi64.exe[2712] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefdd3be40 8 bytes JMP 000007fffd5601b8 .text C:\Windows\system32\nvwmi64.exe[2712] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd9c7490 11 bytes JMP 000007fffd560228 .text C:\Windows\system32\nvwmi64.exe[2712] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefd9dbf00 7 bytes JMP 000007fffd560260 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2964] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076db1465 2 bytes [DB, 76] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2964] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076db14bb 2 bytes [DB, 76] .text ... * 2 .text C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe[3068] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 195 0000000072741b41 2 bytes [74, 72] .text C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe[3068] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 362 0000000072741be8 2 bytes [74, 72] .text C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe[3068] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 418 0000000072741c20 2 bytes [74, 72] .text C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe[3068] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 596 0000000072741cd2 2 bytes [74, 72] .text C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe[3068] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 628 0000000072741cf2 2 bytes [74, 72] .text C:\Program Files (x86)\Lenovo\Access Connections\AcSvc.exe[3512] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076db1465 2 bytes [DB, 76] .text C:\Program Files (x86)\Lenovo\Access Connections\AcSvc.exe[3512] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076db14bb 2 bytes [DB, 76] .text ... * 2 .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[4980] C:\Windows\system32\kernel32.dll!RegSetValueExW 00000000771da400 7 bytes JMP 000000016fff0260 .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[4980] C:\Windows\system32\kernel32.dll!RegQueryValueExW 00000000771e3f20 5 bytes JMP 000000016fff01b8 .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[4980] C:\Windows\system32\kernel32.dll!RegDeleteValueW 00000000771fffb0 5 bytes JMP 000000016fff01f0 .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[4980] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 000000007720f2e0 5 bytes JMP 000000016fff0148 .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[4980] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000077239a30 7 bytes JMP 000000016fff00d8 .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[4980] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000772494c0 5 bytes JMP 000000016fff0180 .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[4980] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 0000000077249630 5 bytes JMP 000000016fff0110 .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[4980] C:\Windows\system32\kernel32.dll!RegSetValueExA 00000000772687e0 7 bytes JMP 000000016fff0228 .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[4980] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd572db0 5 bytes JMP 000007fffd560180 .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[4980] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd5737d0 7 bytes JMP 000007fffd5600d8 .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[4980] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd578ef0 6 bytes JMP 000007fffd560148 .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[4980] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd58af60 5 bytes JMP 000007fffd560110 .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[4980] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefdd389e0 8 bytes JMP 000007fffd5601f0 .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[4980] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefdd3be40 8 bytes JMP 000007fffd5601b8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1396] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076db1465 2 bytes [DB, 76] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1396] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076db14bb 2 bytes [DB, 76] .text ... * 2 .text C:\Windows\dwrcs\DWRCST.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077441510 5 bytes [48, B8, AE, 07, 34] .text C:\Windows\dwrcs\DWRCST.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077441518 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\dwrcs\DWRCST.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774415e0 5 bytes [48, B8, 0E, 14, 34] .text C:\Windows\dwrcs\DWRCST.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000774415e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\dwrcs\DWRCST.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077441800 5 bytes [48, B8, EE, 0F, 34] .text C:\Windows\dwrcs\DWRCST.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077441808 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\dwrcs\DWRCST.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000774418b0 5 bytes [48, B8, 8E, 24, 34] .text C:\Windows\dwrcs\DWRCST.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000774418b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\dwrcs\DWRCST.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077441e40 5 bytes [48, B8, AE, 28, 34] .text C:\Windows\dwrcs\DWRCST.exe[4408] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey + 8 0000000077441e48 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\dwrcs\DWRCST.exe[4408] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd572db0 5 bytes JMP 000007fffd560180 .text C:\Windows\dwrcs\DWRCST.exe[4408] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd5737d0 7 bytes JMP 000007fffd5600d8 .text C:\Windows\dwrcs\DWRCST.exe[4408] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd578ef0 6 bytes JMP 000007fffd560148 .text C:\Windows\dwrcs\DWRCST.exe[4408] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd58af60 5 bytes JMP 000007fffd560110 .text C:\Windows\dwrcs\DWRCST.exe[4408] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefdd389e0 8 bytes JMP 000007fffd5601f0 .text C:\Windows\dwrcs\DWRCST.exe[4408] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefdd3be40 8 bytes JMP 000007fffd5601b8 .text C:\Windows\dwrcs\DWRCST.exe[4408] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd9c7490 11 bytes JMP 000007fffd560228 .text C:\Windows\dwrcs\DWRCST.exe[4408] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefd9dbf00 7 bytes JMP 000007fffd560260 .text C:\PROGRA~1\LENOVO\VIRTSCRL\virtscrl.exe[1200] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd572db0 5 bytes JMP 000007fffd560180 .text C:\PROGRA~1\LENOVO\VIRTSCRL\virtscrl.exe[1200] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd5737d0 7 bytes JMP 000007fffd5600d8 .text C:\PROGRA~1\LENOVO\VIRTSCRL\virtscrl.exe[1200] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd578ef0 6 bytes JMP 000007fffd560148 .text C:\PROGRA~1\LENOVO\VIRTSCRL\virtscrl.exe[1200] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd58af60 5 bytes JMP 000007fffd560110 .text C:\PROGRA~1\LENOVO\VIRTSCRL\virtscrl.exe[1200] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefdd389e0 8 bytes JMP 000007fffd5601f0 .text C:\PROGRA~1\LENOVO\VIRTSCRL\virtscrl.exe[1200] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefdd3be40 8 bytes JMP 000007fffd5601b8 .text C:\PROGRA~1\Lenovo\HOTKEY\SHTCTKY.EXE[3624] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd572db0 5 bytes JMP 000007fffd560180 .text C:\PROGRA~1\Lenovo\HOTKEY\SHTCTKY.EXE[3624] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd5737d0 7 bytes JMP 000007fffd5600d8 .text C:\PROGRA~1\Lenovo\HOTKEY\SHTCTKY.EXE[3624] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd578ef0 6 bytes JMP 000007fffd560148 .text C:\PROGRA~1\Lenovo\HOTKEY\SHTCTKY.EXE[3624] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd58af60 5 bytes JMP 000007fffd560110 .text C:\PROGRA~1\Lenovo\HOTKEY\SHTCTKY.EXE[3624] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefdd389e0 8 bytes JMP 000007fffd5601f0 .text C:\PROGRA~1\Lenovo\HOTKEY\SHTCTKY.EXE[3624] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefdd3be40 8 bytes JMP 000007fffd5601b8 .text C:\PROGRA~1\LENOVO\HOTKEY\tpnumlkd.exe[2024] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd572db0 5 bytes JMP 000007fffd560180 .text C:\PROGRA~1\LENOVO\HOTKEY\tpnumlkd.exe[2024] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd5737d0 7 bytes JMP 000007fffd5600d8 .text C:\PROGRA~1\LENOVO\HOTKEY\tpnumlkd.exe[2024] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd578ef0 6 bytes JMP 000007fffd560148 .text C:\PROGRA~1\LENOVO\HOTKEY\tpnumlkd.exe[2024] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd58af60 5 bytes JMP 000007fffd560110 .text C:\PROGRA~1\LENOVO\HOTKEY\tpnumlkd.exe[2024] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefdd389e0 8 bytes JMP 000007fffd5601f0 .text C:\PROGRA~1\LENOVO\HOTKEY\tpnumlkd.exe[2024] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefdd3be40 8 bytes JMP 000007fffd5601b8 .text C:\Windows\System32\rundll32.exe[3756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077441510 5 bytes [48, B8, AE, 07, 21] .text C:\Windows\System32\rundll32.exe[3756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077441518 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\System32\rundll32.exe[3756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774415e0 5 bytes [48, B8, 0E, 14, 21] .text C:\Windows\System32\rundll32.exe[3756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000774415e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\System32\rundll32.exe[3756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077441800 5 bytes [48, B8, EE, 0F, 21] .text C:\Windows\System32\rundll32.exe[3756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077441808 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\System32\rundll32.exe[3756] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000774418b0 5 bytes [48, B8, 8E, 24, 21] .text C:\Windows\System32\rundll32.exe[3756] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000774418b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\System32\rundll32.exe[3756] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077441e40 5 bytes [48, B8, AE, 28, 21] .text C:\Windows\System32\rundll32.exe[3756] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey + 8 0000000077441e48 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\Dwm.exe[3020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077441510 6 bytes [48, B8, AE, 07, 3A, 02] .text C:\Windows\system32\Dwm.exe[3020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077441518 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\Dwm.exe[3020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774415e0 6 bytes [48, B8, 0E, 14, 3A, 02] .text C:\Windows\system32\Dwm.exe[3020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000774415e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\Dwm.exe[3020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077441800 6 bytes [48, B8, EE, 0F, 3A, 02] .text C:\Windows\system32\Dwm.exe[3020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077441808 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\Dwm.exe[3020] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000774418b0 6 bytes [48, B8, 8E, 24, 3A, 02] .text C:\Windows\system32\Dwm.exe[3020] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000774418b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\Dwm.exe[3020] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077441e40 6 bytes [48, B8, AE, 28, 3A, 02] .text C:\Windows\system32\Dwm.exe[3020] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey + 8 0000000077441e48 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\Dwm.exe[3020] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd572db0 5 bytes JMP 000007fffd560180 .text C:\Windows\system32\Dwm.exe[3020] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd5737d0 7 bytes JMP 000007fffd5600d8 .text C:\Windows\system32\Dwm.exe[3020] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd578ef0 6 bytes JMP 000007fffd560148 .text C:\Windows\system32\Dwm.exe[3020] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd58af60 5 bytes JMP 000007fffd560110 .text C:\Windows\system32\Dwm.exe[3020] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefdd389e0 8 bytes JMP 000007fffd5601f0 .text C:\Windows\system32\Dwm.exe[3020] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefdd3be40 8 bytes JMP 000007fffd5601b8 .text C:\Windows\system32\Dwm.exe[3020] C:\Windows\system32\dxgi.dll!CreateDXGIFactory 000007fef060dc88 5 bytes JMP 000007fff05e00d8 .text C:\Windows\system32\Dwm.exe[3020] C:\Windows\system32\dxgi.dll!CreateDXGIFactory1 000007fef060de10 5 bytes JMP 000007fff05e0110 .text C:\Windows\Explorer.EXE[4608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077441510 6 bytes [48, B8, AE, 07, 05, 02] .text C:\Windows\Explorer.EXE[4608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077441518 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\Explorer.EXE[4608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774415e0 6 bytes [48, B8, 0E, 14, 05, 02] .text C:\Windows\Explorer.EXE[4608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000774415e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\Explorer.EXE[4608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077441800 6 bytes [48, B8, EE, 0F, 05, 02] .text C:\Windows\Explorer.EXE[4608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077441808 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\Explorer.EXE[4608] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000774418b0 6 bytes [48, B8, 8E, 24, 05, 02] .text C:\Windows\Explorer.EXE[4608] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000774418b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\Explorer.EXE[4608] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077441e40 6 bytes [48, B8, AE, 28, 05, 02] .text C:\Windows\Explorer.EXE[4608] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey + 8 0000000077441e48 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Lenovo\Access Connections\SvcGuiHlpr.exe[1596] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076db1465 2 bytes [DB, 76] .text C:\Program Files (x86)\Lenovo\Access Connections\SvcGuiHlpr.exe[1596] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076db14bb 2 bytes [DB, 76] .text ... * 2 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077441510 6 bytes [48, B8, AE, 07, 03, 02] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077441518 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774415e0 6 bytes [48, B8, 0E, 14, 03, 02] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000774415e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077441800 6 bytes [48, B8, EE, 0F, 03, 02] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077441808 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000774418b0 6 bytes [48, B8, 8E, 24, 03, 02] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000774418b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077441e40 6 bytes [48, B8, AE, 28, 03, 02] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4796] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey + 8 0000000077441e48 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4796] C:\Windows\system32\kernel32.dll!RegSetValueExW 00000000771da400 7 bytes JMP 000000016fff0260 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4796] C:\Windows\system32\kernel32.dll!RegQueryValueExW 00000000771e3f20 5 bytes JMP 000000016fff01b8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4796] C:\Windows\system32\kernel32.dll!RegDeleteValueW 00000000771fffb0 5 bytes JMP 000000016fff01f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4796] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 000000007720f2e0 5 bytes JMP 000000016fff0148 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4796] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000077239a30 7 bytes JMP 000000016fff00d8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4796] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000772494c0 5 bytes JMP 000000016fff0180 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4796] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 0000000077249630 5 bytes JMP 000000016fff0110 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4796] C:\Windows\system32\kernel32.dll!RegSetValueExA 00000000772687e0 7 bytes JMP 000000016fff0228 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4796] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd572db0 5 bytes JMP 000007fffd560180 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4796] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd5737d0 7 bytes JMP 000007fffd5600d8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4796] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd578ef0 6 bytes JMP 000007fffd560148 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4796] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd58af60 5 bytes JMP 000007fffd560110 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4796] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefdd389e0 8 bytes JMP 000007fffd5601f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4796] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefdd3be40 8 bytes JMP 000007fffd5601b8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4796] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd9c7490 11 bytes JMP 000007fffd560228 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4796] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefd9dbf00 7 bytes JMP 000007fffd560260 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077441510 6 bytes [48, B8, AE, 07, 09, 02] .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077441518 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774415e0 6 bytes [48, B8, 0E, 14, 09, 02] .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000774415e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077441800 6 bytes [48, B8, EE, 0F, 09, 02] .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077441808 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000774418b0 6 bytes [48, B8, 8E, 24, 09, 02] .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000774418b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077441e40 6 bytes [48, B8, AE, 28, 09, 02] .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey + 8 0000000077441e48 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3392] C:\Windows\system32\kernel32.dll!RegSetValueExW 00000000771da400 7 bytes JMP 000000016fff0260 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3392] C:\Windows\system32\kernel32.dll!RegQueryValueExW 00000000771e3f20 5 bytes JMP 000000016fff01b8 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3392] C:\Windows\system32\kernel32.dll!RegDeleteValueW 00000000771fffb0 5 bytes JMP 000000016fff01f0 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3392] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 000000007720f2e0 5 bytes JMP 000000016fff0148 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3392] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000077239a30 7 bytes JMP 000000016fff00d8 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3392] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000772494c0 5 bytes JMP 000000016fff0180 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3392] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 0000000077249630 5 bytes JMP 000000016fff0110 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3392] C:\Windows\system32\kernel32.dll!RegSetValueExA 00000000772687e0 7 bytes JMP 000000016fff0228 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3392] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd572db0 5 bytes JMP 000007fffd560180 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3392] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd5737d0 7 bytes JMP 000007fffd5600d8 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3392] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd578ef0 6 bytes JMP 000007fffd560148 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3392] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd58af60 5 bytes JMP 000007fffd560110 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3392] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd9c7490 11 bytes JMP 000007fffd560228 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3392] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefd9dbf00 7 bytes JMP 000007fffd560260 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3392] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefdd389e0 8 bytes JMP 000007fffd5601f0 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3392] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefdd3be40 8 bytes JMP 000007fffd5601b8 .text C:\Windows\System32\TpShocks.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077441510 5 bytes [48, B8, AE, 07, 43] .text C:\Windows\System32\TpShocks.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077441518 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\System32\TpShocks.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774415e0 5 bytes [48, B8, 0E, 14, 43] .text C:\Windows\System32\TpShocks.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000774415e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\System32\TpShocks.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077441800 5 bytes [48, B8, EE, 0F, 43] .text C:\Windows\System32\TpShocks.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077441808 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\System32\TpShocks.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000774418b0 5 bytes [48, B8, 8E, 24, 43] .text C:\Windows\System32\TpShocks.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000774418b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\System32\TpShocks.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077441e40 5 bytes [48, B8, AE, 28, 43] .text C:\Windows\System32\TpShocks.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey + 8 0000000077441e48 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\System32\TpShocks.exe[2192] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd572db0 5 bytes JMP 000007fffd560180 .text C:\Windows\System32\TpShocks.exe[2192] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd5737d0 7 bytes JMP 000007fffd5600d8 .text C:\Windows\System32\TpShocks.exe[2192] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd578ef0 6 bytes JMP 000007fffd560148 .text C:\Windows\System32\TpShocks.exe[2192] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd58af60 5 bytes JMP 000007fffd560110 .text C:\Windows\System32\TpShocks.exe[2192] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefdd389e0 8 bytes JMP 000007fffd5601f0 .text C:\Windows\System32\TpShocks.exe[2192] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefdd3be40 8 bytes JMP 000007fffd5601b8 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077441510 5 bytes [48, B8, AE, 07, 3E] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077441518 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774415e0 5 bytes [48, B8, 0E, 14, 3E] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000774415e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077441800 5 bytes [48, B8, EE, 0F, 3E] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077441808 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5252] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000774418b0 5 bytes [48, B8, 8E, 24, 3E] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5252] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000774418b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5252] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077441e40 5 bytes [48, B8, AE, 28, 3E] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5252] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey + 8 0000000077441e48 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5252] C:\Windows\system32\kernel32.dll!RegSetValueExW 00000000771da400 7 bytes JMP 000000016fff0260 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5252] C:\Windows\system32\kernel32.dll!RegQueryValueExW 00000000771e3f20 5 bytes JMP 000000016fff01b8 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5252] C:\Windows\system32\kernel32.dll!RegDeleteValueW 00000000771fffb0 5 bytes JMP 000000016fff01f0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5252] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 000000007720f2e0 5 bytes JMP 000000016fff0148 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5252] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000077239a30 7 bytes JMP 000000016fff00d8 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5252] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000772494c0 5 bytes JMP 000000016fff0180 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5252] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 0000000077249630 5 bytes JMP 000000016fff0110 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5252] C:\Windows\system32\kernel32.dll!RegSetValueExA 00000000772687e0 7 bytes JMP 000000016fff0228 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5252] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd572db0 5 bytes JMP 000007fffd560180 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5252] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd5737d0 7 bytes JMP 000007fffd5600d8 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5252] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd578ef0 6 bytes JMP 000007fffd560148 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5252] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd58af60 5 bytes JMP 000007fffd560110 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5252] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefdd389e0 8 bytes JMP 000007fffd5601f0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5252] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefdd3be40 8 bytes JMP 000007fffd5601b8 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5252] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd9c7490 11 bytes JMP 000007fffd560228 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5252] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefd9dbf00 7 bytes JMP 000007fffd560260 .text C:\Program Files\Lenovo\Password Manager\password_manager.exe[5280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077441510 6 bytes [48, B8, AE, 07, 5B, 03] .text C:\Program Files\Lenovo\Password Manager\password_manager.exe[5280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077441518 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Lenovo\Password Manager\password_manager.exe[5280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774415e0 6 bytes [48, B8, 0E, 14, 5B, 03] .text C:\Program Files\Lenovo\Password Manager\password_manager.exe[5280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000774415e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Lenovo\Password Manager\password_manager.exe[5280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077441800 6 bytes [48, B8, EE, 0F, 5B, 03] .text C:\Program Files\Lenovo\Password Manager\password_manager.exe[5280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077441808 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Lenovo\Password Manager\password_manager.exe[5280] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000774418b0 6 bytes [48, B8, 8E, 24, 5B, 03] .text C:\Program Files\Lenovo\Password Manager\password_manager.exe[5280] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000774418b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Lenovo\Password Manager\password_manager.exe[5280] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077441e40 6 bytes [48, B8, AE, 28, 5B, 03] .text C:\Program Files\Lenovo\Password Manager\password_manager.exe[5280] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey + 8 0000000077441e48 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Lenovo\Password Manager\password_manager.exe[5280] C:\Windows\system32\kernel32.dll!RegSetValueExW 00000000771da400 7 bytes JMP 000000016fff0260 .text C:\Program Files\Lenovo\Password Manager\password_manager.exe[5280] C:\Windows\system32\kernel32.dll!RegQueryValueExW 00000000771e3f20 5 bytes JMP 000000016fff01b8 .text C:\Program Files\Lenovo\Password Manager\password_manager.exe[5280] C:\Windows\system32\kernel32.dll!RegDeleteValueW 00000000771fffb0 5 bytes JMP 000000016fff01f0 .text C:\Program Files\Lenovo\Password Manager\password_manager.exe[5280] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 000000007720f2e0 5 bytes JMP 000000016fff0148 .text C:\Program Files\Lenovo\Password Manager\password_manager.exe[5280] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000077239a30 7 bytes JMP 000000016fff00d8 .text C:\Program Files\Lenovo\Password Manager\password_manager.exe[5280] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000772494c0 5 bytes JMP 000000016fff0180 .text C:\Program Files\Lenovo\Password Manager\password_manager.exe[5280] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 0000000077249630 5 bytes JMP 000000016fff0110 .text C:\Program Files\Lenovo\Password Manager\password_manager.exe[5280] C:\Windows\system32\kernel32.dll!RegSetValueExA 00000000772687e0 7 bytes JMP 000000016fff0228 .text C:\Program Files\Lenovo\Password Manager\password_manager.exe[5280] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd572db0 5 bytes JMP 000007fffd390180 .text C:\Program Files\Lenovo\Password Manager\password_manager.exe[5280] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd5737d0 7 bytes JMP 000007fffd3900d8 .text C:\Program Files\Lenovo\Password Manager\password_manager.exe[5280] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd578ef0 6 bytes JMP 000007fffd390148 .text C:\Program Files\Lenovo\Password Manager\password_manager.exe[5280] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd58af60 5 bytes JMP 000007fffd390110 .text C:\Program Files\Lenovo\Password Manager\password_manager.exe[5280] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefdd389e0 8 bytes JMP 000007fffd3901f0 .text C:\Program Files\Lenovo\Password Manager\password_manager.exe[5280] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefdd3be40 8 bytes JMP 000007fffd3901b8 .text C:\Program Files\Lenovo\Password Manager\password_manager.exe[5280] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd9c7490 11 bytes JMP 000007fffd390228 .text C:\Program Files\Lenovo\Password Manager\password_manager.exe[5280] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefd9dbf00 7 bytes JMP 000007fffd390260 .text C:\Windows\System32\hkcmd.exe[5320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077441510 6 bytes [48, B8, AE, 07, E0, 01] .text C:\Windows\System32\hkcmd.exe[5320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077441518 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\System32\hkcmd.exe[5320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774415e0 6 bytes [48, B8, 0E, 14, E0, 01] .text C:\Windows\System32\hkcmd.exe[5320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000774415e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\System32\hkcmd.exe[5320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077441800 6 bytes [48, B8, EE, 0F, E0, 01] .text C:\Windows\System32\hkcmd.exe[5320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077441808 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\System32\hkcmd.exe[5320] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000774418b0 6 bytes [48, B8, 8E, 24, E0, 01] .text C:\Windows\System32\hkcmd.exe[5320] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000774418b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\System32\hkcmd.exe[5320] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077441e40 6 bytes [48, B8, AE, 28, E0, 01] .text C:\Windows\System32\hkcmd.exe[5320] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey + 8 0000000077441e48 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\System32\igfxpers.exe[5352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077441510 6 bytes [48, B8, AE, 07, 19, 02] .text C:\Windows\System32\igfxpers.exe[5352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077441518 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\System32\igfxpers.exe[5352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774415e0 6 bytes [48, B8, 0E, 14, 19, 02] .text C:\Windows\System32\igfxpers.exe[5352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000774415e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\System32\igfxpers.exe[5352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077441800 6 bytes [48, B8, EE, 0F, 19, 02] .text C:\Windows\System32\igfxpers.exe[5352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077441808 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\System32\igfxpers.exe[5352] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000774418b0 6 bytes [48, B8, 8E, 24, 19, 02] .text C:\Windows\System32\igfxpers.exe[5352] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000774418b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\System32\igfxpers.exe[5352] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077441e40 6 bytes [48, B8, AE, 28, 19, 02] .text C:\Windows\System32\igfxpers.exe[5352] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey + 8 0000000077441e48 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\System32\igfxpers.exe[5352] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd572db0 5 bytes JMP 000007fffd560180 .text C:\Windows\System32\igfxpers.exe[5352] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd5737d0 7 bytes JMP 000007fffd5600d8 .text C:\Windows\System32\igfxpers.exe[5352] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd578ef0 6 bytes JMP 000007fffd560148 .text C:\Windows\System32\igfxpers.exe[5352] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd58af60 5 bytes JMP 000007fffd560110 .text C:\Windows\System32\igfxpers.exe[5352] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefdd389e0 8 bytes JMP 000007fffd5601f0 .text C:\Windows\System32\igfxpers.exe[5352] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefdd3be40 8 bytes JMP 000007fffd5601b8 .text C:\Windows\System32\igfxpers.exe[5352] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd9c7490 11 bytes JMP 000007fffd560228 .text C:\Windows\System32\igfxpers.exe[5352] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefd9dbf00 7 bytes JMP 000007fffd560260 .text C:\Program Files\ActivIdentity\ActivClient\acevents.exe[5376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077441510 6 bytes [48, B8, AE, 07, F3, 02] .text C:\Program Files\ActivIdentity\ActivClient\acevents.exe[5376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077441518 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\ActivIdentity\ActivClient\acevents.exe[5376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774415e0 6 bytes [48, B8, 0E, 14, F3, 02] .text C:\Program Files\ActivIdentity\ActivClient\acevents.exe[5376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000774415e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\ActivIdentity\ActivClient\acevents.exe[5376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077441800 6 bytes [48, B8, EE, 0F, F3, 02] .text C:\Program Files\ActivIdentity\ActivClient\acevents.exe[5376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077441808 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\ActivIdentity\ActivClient\acevents.exe[5376] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000774418b0 6 bytes [48, B8, 8E, 24, F3, 02] .text C:\Program Files\ActivIdentity\ActivClient\acevents.exe[5376] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000774418b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\ActivIdentity\ActivClient\acevents.exe[5376] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077441e40 6 bytes [48, B8, AE, 28, F3, 02] .text C:\Program Files\ActivIdentity\ActivClient\acevents.exe[5376] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey + 8 0000000077441e48 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\ActivIdentity\ActivClient\acevents.exe[5376] C:\Windows\system32\kernel32.dll!RegSetValueExW 00000000771da400 7 bytes JMP 000000016fff0260 .text C:\Program Files\ActivIdentity\ActivClient\acevents.exe[5376] C:\Windows\system32\kernel32.dll!RegQueryValueExW 00000000771e3f20 5 bytes JMP 000000016fff01b8 .text C:\Program Files\ActivIdentity\ActivClient\acevents.exe[5376] C:\Windows\system32\kernel32.dll!RegDeleteValueW 00000000771fffb0 5 bytes JMP 000000016fff01f0 .text C:\Program Files\ActivIdentity\ActivClient\acevents.exe[5376] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 000000007720f2e0 5 bytes JMP 000000016fff0148 .text C:\Program Files\ActivIdentity\ActivClient\acevents.exe[5376] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000077239a30 7 bytes JMP 000000016fff00d8 .text C:\Program Files\ActivIdentity\ActivClient\acevents.exe[5376] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000772494c0 5 bytes JMP 000000016fff0180 .text C:\Program Files\ActivIdentity\ActivClient\acevents.exe[5376] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 0000000077249630 5 bytes JMP 000000016fff0110 .text C:\Program Files\ActivIdentity\ActivClient\acevents.exe[5376] C:\Windows\system32\kernel32.dll!RegSetValueExA 00000000772687e0 7 bytes JMP 000000016fff0228 .text C:\Program Files\ActivIdentity\ActivClient\acevents.exe[5376] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd572db0 5 bytes JMP 000007fffd560180 .text C:\Program Files\ActivIdentity\ActivClient\acevents.exe[5376] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd5737d0 7 bytes JMP 000007fffd5600d8 .text C:\Program Files\ActivIdentity\ActivClient\acevents.exe[5376] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd578ef0 6 bytes JMP 000007fffd560148 .text C:\Program Files\ActivIdentity\ActivClient\acevents.exe[5376] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd58af60 5 bytes JMP 000007fffd560110 .text C:\Program Files\ActivIdentity\ActivClient\acevents.exe[5376] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefdd389e0 8 bytes JMP 000007fffd5601f0 .text C:\Program Files\ActivIdentity\ActivClient\acevents.exe[5376] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefdd3be40 8 bytes JMP 000007fffd5601b8 .text C:\Program Files\ActivIdentity\ActivClient\acevents.exe[5376] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd9c7490 11 bytes JMP 000007fffd560228 .text C:\Program Files\ActivIdentity\ActivClient\acevents.exe[5376] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefd9dbf00 7 bytes JMP 000007fffd560260 .text C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe[5392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077441510 6 bytes [48, B8, AE, 07, 8D, 03] .text C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe[5392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077441518 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe[5392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774415e0 6 bytes [48, B8, 0E, 14, 8D, 03] .text C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe[5392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000774415e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe[5392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077441800 6 bytes [48, B8, EE, 0F, 8D, 03] .text C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe[5392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077441808 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe[5392] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000774418b0 6 bytes [48, B8, 8E, 24, 8D, 03] .text C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe[5392] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000774418b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe[5392] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077441e40 6 bytes [48, B8, AE, 28, 8D, 03] .text C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe[5392] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey + 8 0000000077441e48 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe[5392] C:\Windows\system32\kernel32.dll!RegSetValueExW 00000000771da400 7 bytes JMP 000000016fff0260 .text C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe[5392] C:\Windows\system32\kernel32.dll!RegQueryValueExW 00000000771e3f20 5 bytes JMP 000000016fff01b8 .text C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe[5392] C:\Windows\system32\kernel32.dll!RegDeleteValueW 00000000771fffb0 5 bytes JMP 000000016fff01f0 .text C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe[5392] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 000000007720f2e0 5 bytes JMP 000000016fff0148 .text C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe[5392] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000077239a30 7 bytes JMP 000000016fff00d8 .text C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe[5392] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000772494c0 5 bytes JMP 000000016fff0180 .text C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe[5392] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 0000000077249630 5 bytes JMP 000000016fff0110 .text C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe[5392] C:\Windows\system32\kernel32.dll!RegSetValueExA 00000000772687e0 7 bytes JMP 000000016fff0228 .text C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe[5392] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd572db0 5 bytes JMP 000007fffd560180 .text C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe[5392] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd5737d0 7 bytes JMP 000007fffd5600d8 .text C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe[5392] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd578ef0 6 bytes JMP 000007fffd560148 .text C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe[5392] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd58af60 5 bytes JMP 000007fffd560110 .text C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe[5392] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefdd389e0 8 bytes JMP 000007fffd5601f0 .text C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe[5392] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefdd3be40 8 bytes JMP 000007fffd5601b8 .text C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe[5392] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd9c7490 11 bytes JMP 000007fffd560228 .text C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe[5392] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefd9dbf00 7 bytes JMP 000007fffd560260 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[5484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077441510 5 bytes [48, B8, AE, 07, 32] .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[5484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077441518 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[5484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774415e0 5 bytes [48, B8, 0E, 14, 32] .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[5484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000774415e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[5484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077441800 5 bytes [48, B8, EE, 0F, 32] .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[5484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077441808 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[5484] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000774418b0 5 bytes [48, B8, 8E, 24, 32] .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[5484] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000774418b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[5484] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077441e40 5 bytes [48, B8, AE, 28, 32] .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[5484] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey + 8 0000000077441e48 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[5484] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd572db0 5 bytes JMP 000007fffd560180 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[5484] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd5737d0 7 bytes JMP 000007fffd5600d8 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[5484] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd578ef0 6 bytes JMP 000007fffd560148 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[5484] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd58af60 5 bytes JMP 000007fffd560110 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[5484] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefdd389e0 8 bytes JMP 000007fffd5601f0 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[5484] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefdd3be40 8 bytes JMP 000007fffd5601b8 .text C:\Windows\system32\wbem\wmiprvse.exe[5904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077441510 6 bytes [48, B8, AE, 07, 13, 01] .text C:\Windows\system32\wbem\wmiprvse.exe[5904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077441518 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\wbem\wmiprvse.exe[5904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774415e0 6 bytes [48, B8, 0E, 14, 13, 01] .text C:\Windows\system32\wbem\wmiprvse.exe[5904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000774415e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\wbem\wmiprvse.exe[5904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077441800 6 bytes [48, B8, EE, 0F, 13, 01] .text C:\Windows\system32\wbem\wmiprvse.exe[5904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077441808 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\wbem\wmiprvse.exe[5904] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000774418b0 6 bytes [48, B8, 8E, 24, 13, 01] .text C:\Windows\system32\wbem\wmiprvse.exe[5904] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000774418b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\wbem\wmiprvse.exe[5904] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077441e40 6 bytes [48, B8, AE, 28, 13, 01] .text C:\Windows\system32\wbem\wmiprvse.exe[5904] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey + 8 0000000077441e48 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077441510 5 bytes [48, B8, AE, 07, 35] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077441518 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774415e0 5 bytes [48, B8, 0E, 14, 35] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000774415e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077441800 5 bytes [48, B8, EE, 0F, 35] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077441808 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000774418b0 5 bytes [48, B8, 8E, 24, 35] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000774418b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077441e40 5 bytes [48, B8, AE, 28, 35] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey + 8 0000000077441e48 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[6032] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd572db0 5 bytes JMP 000007fffd560180 .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[6032] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd5737d0 7 bytes JMP 000007fffd5600d8 .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[6032] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd578ef0 6 bytes JMP 000007fffd560148 .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[6032] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd58af60 5 bytes JMP 000007fffd560110 .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[6032] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefdd389e0 8 bytes JMP 000007fffd5601f0 .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[6032] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefdd3be40 8 bytes JMP 000007fffd5601b8 .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[6032] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd9c7490 11 bytes JMP 000007fffd560228 .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[6032] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefd9dbf00 7 bytes JMP 000007fffd560260 .text C:\Windows\system32\wbem\unsecapp.exe[6056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077441510 6 bytes [48, B8, AE, 07, ED, 01] .text C:\Windows\system32\wbem\unsecapp.exe[6056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077441518 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\wbem\unsecapp.exe[6056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774415e0 6 bytes [48, B8, 0E, 14, ED, 01] .text C:\Windows\system32\wbem\unsecapp.exe[6056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000774415e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\wbem\unsecapp.exe[6056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077441800 6 bytes [48, B8, EE, 0F, ED, 01] .text C:\Windows\system32\wbem\unsecapp.exe[6056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077441808 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\wbem\unsecapp.exe[6056] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000774418b0 6 bytes [48, B8, 8E, 24, ED, 01] .text C:\Windows\system32\wbem\unsecapp.exe[6056] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000774418b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\wbem\unsecapp.exe[6056] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077441e40 6 bytes [48, B8, AE, 28, ED, 01] .text C:\Windows\system32\wbem\unsecapp.exe[6056] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey + 8 0000000077441e48 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\wbem\unsecapp.exe[6056] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd572db0 5 bytes JMP 000007fffd560180 .text C:\Windows\system32\wbem\unsecapp.exe[6056] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd5737d0 7 bytes JMP 000007fffd5600d8 .text C:\Windows\system32\wbem\unsecapp.exe[6056] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd578ef0 6 bytes JMP 000007fffd560148 .text C:\Windows\system32\wbem\unsecapp.exe[6056] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd58af60 5 bytes JMP 000007fffd560110 .text C:\Windows\system32\wbem\unsecapp.exe[6056] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd9c7490 11 bytes JMP 000007fffd560228 .text C:\Windows\system32\wbem\unsecapp.exe[6056] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefd9dbf00 7 bytes JMP 000007fffd560260 .text C:\Windows\system32\wbem\unsecapp.exe[6056] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefdd389e0 8 bytes JMP 000007fffd5601f0 .text C:\Windows\system32\wbem\unsecapp.exe[6056] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefdd3be40 8 bytes JMP 000007fffd5601b8 .text C:\ProgramData\Winrar_Update\xegiwezhr.exe[6120] C:\Windows\SysWOW64\ntdll.dll!DbgBreakPoint 00000000775e000c 1 byte [90] .text C:\ProgramData\Winrar_Update\xegiwezhr.exe[6120] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000775f0068 4 bytes [68, 84, 8B, 36] .text C:\ProgramData\Winrar_Update\xegiwezhr.exe[6120] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread + 5 00000000775f006d 5 bytes [C3, 90, 90, 90, 90] .text C:\ProgramData\Winrar_Update\xegiwezhr.exe[6120] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000076c81f0e 7 bytes JMP 000000016e0e1695 .text C:\ProgramData\Winrar_Update\xegiwezhr.exe[6120] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000076c85bad 7 bytes JMP 000000016e0e11a9 .text C:\ProgramData\Winrar_Update\xegiwezhr.exe[6120] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000076c91409 7 bytes JMP 000000016e0e128a .text C:\ProgramData\Winrar_Update\xegiwezhr.exe[6120] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 0000000076c9ea45 7 bytes JMP 000000016e0e1244 .text C:\ProgramData\Winrar_Update\xegiwezhr.exe[6120] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 0000000076cab21b 5 bytes JMP 000000016e0e15aa .text C:\ProgramData\Winrar_Update\xegiwezhr.exe[6120] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000076d28e24 7 bytes JMP 000000016e0e1339 .text C:\ProgramData\Winrar_Update\xegiwezhr.exe[6120] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076d28ea9 5 bytes JMP 000000016e0e16d6 .text C:\ProgramData\Winrar_Update\xegiwezhr.exe[6120] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076d291ff 5 bytes JMP 000000016e0e170d .text C:\Program Files\ActivIdentity\ActivClient\acsagent.exe[5496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077441510 6 bytes [48, B8, AE, 07, C8, 02] .text C:\Program Files\ActivIdentity\ActivClient\acsagent.exe[5496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077441518 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\ActivIdentity\ActivClient\acsagent.exe[5496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774415e0 6 bytes [48, B8, 0E, 14, C8, 02] .text C:\Program Files\ActivIdentity\ActivClient\acsagent.exe[5496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000774415e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\ActivIdentity\ActivClient\acsagent.exe[5496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077441800 6 bytes [48, B8, EE, 0F, C8, 02] .text C:\Program Files\ActivIdentity\ActivClient\acsagent.exe[5496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077441808 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\ActivIdentity\ActivClient\acsagent.exe[5496] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000774418b0 6 bytes [48, B8, 8E, 24, C8, 02] .text C:\Program Files\ActivIdentity\ActivClient\acsagent.exe[5496] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000774418b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\ActivIdentity\ActivClient\acsagent.exe[5496] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077441e40 6 bytes [48, B8, AE, 28, C8, 02] .text C:\Program Files\ActivIdentity\ActivClient\acsagent.exe[5496] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey + 8 0000000077441e48 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\ActivIdentity\ActivClient\acsagent.exe[5496] C:\Windows\system32\kernel32.dll!RegSetValueExW 00000000771da400 7 bytes JMP 000000016fff0260 .text C:\Program Files\ActivIdentity\ActivClient\acsagent.exe[5496] C:\Windows\system32\kernel32.dll!RegQueryValueExW 00000000771e3f20 5 bytes JMP 000000016fff01b8 .text C:\Program Files\ActivIdentity\ActivClient\acsagent.exe[5496] C:\Windows\system32\kernel32.dll!RegDeleteValueW 00000000771fffb0 5 bytes JMP 000000016fff01f0 .text C:\Program Files\ActivIdentity\ActivClient\acsagent.exe[5496] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 000000007720f2e0 5 bytes JMP 000000016fff0148 .text C:\Program Files\ActivIdentity\ActivClient\acsagent.exe[5496] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000077239a30 7 bytes JMP 000000016fff00d8 .text C:\Program Files\ActivIdentity\ActivClient\acsagent.exe[5496] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000772494c0 5 bytes JMP 000000016fff0180 .text C:\Program Files\ActivIdentity\ActivClient\acsagent.exe[5496] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 0000000077249630 5 bytes JMP 000000016fff0110 .text C:\Program Files\ActivIdentity\ActivClient\acsagent.exe[5496] C:\Windows\system32\kernel32.dll!RegSetValueExA 00000000772687e0 7 bytes JMP 000000016fff0228 .text C:\Program Files\ActivIdentity\ActivClient\acsagent.exe[5496] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd572db0 5 bytes JMP 000007fffd560180 .text C:\Program Files\ActivIdentity\ActivClient\acsagent.exe[5496] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd5737d0 7 bytes JMP 000007fffd5600d8 .text C:\Program Files\ActivIdentity\ActivClient\acsagent.exe[5496] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd578ef0 6 bytes JMP 000007fffd560148 .text C:\Program Files\ActivIdentity\ActivClient\acsagent.exe[5496] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd58af60 5 bytes JMP 000007fffd560110 .text C:\Program Files\ActivIdentity\ActivClient\acsagent.exe[5496] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefdd389e0 8 bytes JMP 000007fffd5601f0 .text C:\Program Files\ActivIdentity\ActivClient\acsagent.exe[5496] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefdd3be40 8 bytes JMP 000007fffd5601b8 .text C:\Program Files\ActivIdentity\ActivClient\acsagent.exe[5496] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd9c7490 11 bytes JMP 000007fffd560228 .text C:\Program Files\ActivIdentity\ActivClient\acsagent.exe[5496] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefd9dbf00 7 bytes JMP 000007fffd560260 .text C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe[5956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077441510 5 bytes [48, B8, AE, 07, 3E] .text C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe[5956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077441518 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe[5956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774415e0 5 bytes [48, B8, 0E, 14, 3E] .text C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe[5956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000774415e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe[5956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077441800 5 bytes [48, B8, EE, 0F, 3E] .text C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe[5956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077441808 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe[5956] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000774418b0 5 bytes [48, B8, 8E, 24, 3E] .text C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe[5956] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000774418b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe[5956] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077441e40 5 bytes [48, B8, AE, 28, 3E] .text C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe[5956] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey + 8 0000000077441e48 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe[5956] C:\Windows\system32\kernel32.dll!RegSetValueExW 00000000771da400 7 bytes JMP 000000016fff0260 .text C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe[5956] C:\Windows\system32\kernel32.dll!RegQueryValueExW 00000000771e3f20 5 bytes JMP 000000016fff01b8 .text C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe[5956] C:\Windows\system32\kernel32.dll!RegDeleteValueW 00000000771fffb0 5 bytes JMP 000000016fff01f0 .text C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe[5956] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 000000007720f2e0 5 bytes JMP 000000016fff0148 .text C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe[5956] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000077239a30 7 bytes JMP 000000016fff00d8 .text C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe[5956] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000772494c0 5 bytes JMP 000000016fff0180 .text C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe[5956] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 0000000077249630 5 bytes JMP 000000016fff0110 .text C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe[5956] C:\Windows\system32\kernel32.dll!RegSetValueExA 00000000772687e0 7 bytes JMP 000000016fff0228 .text C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe[5956] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd572db0 5 bytes JMP 000007fffd560180 .text C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe[5956] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd5737d0 7 bytes JMP 000007fffd5600d8 .text C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe[5956] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd578ef0 6 bytes JMP 000007fffd560148 .text C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe[5956] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd58af60 5 bytes JMP 000007fffd560110 .text C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe[5956] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefdd389e0 8 bytes JMP 000007fffd5601f0 .text C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe[5956] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefdd3be40 8 bytes JMP 000007fffd5601b8 .text C:\Program Files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe[5568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077441510 5 bytes [48, B8, AE, 07, 20] .text C:\Program Files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe[5568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077441518 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe[5568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774415e0 5 bytes [48, B8, 0E, 14, 20] .text C:\Program Files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe[5568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000774415e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe[5568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077441800 5 bytes [48, B8, EE, 0F, 20] .text C:\Program Files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe[5568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077441808 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe[5568] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000774418b0 5 bytes [48, B8, 8E, 24, 20] .text C:\Program Files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe[5568] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000774418b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe[5568] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077441e40 5 bytes [48, B8, AE, 28, 20] .text C:\Program Files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe[5568] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey + 8 0000000077441e48 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe[5568] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd572db0 5 bytes JMP 000007fffd560180 .text C:\Program Files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe[5568] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd5737d0 7 bytes JMP 000007fffd5600d8 .text C:\Program Files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe[5568] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd578ef0 6 bytes JMP 000007fffd560148 .text C:\Program Files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe[5568] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd58af60 5 bytes JMP 000007fffd560110 .text C:\Program Files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe[5568] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefdd389e0 8 bytes JMP 000007fffd5601f0 .text C:\Program Files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe[5568] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefdd3be40 8 bytes JMP 000007fffd5601b8 .text C:\Windows\SysWOW64\rundll32.exe[5472] C:\Windows\syswow64\USER32.dll!GetClassNameW + 45 00000000768482d6 6 bytes [68, E5, 73, 27, 00, C3] .text C:\Windows\SysWOW64\rundll32.exe[5472] C:\Windows\SysWOW64\dnsapi.dll!DnsQuery_W 000000007280572c 8 bytes [68, 70, 52, 27, 00, C3, 90, ...] .text C:\Windows\SysWOW64\rundll32.exe[5472] C:\Windows\syswow64\WS2_32.dll!getaddrinfo 0000000077194296 6 bytes [68, 6F, 56, 27, 00, C3] .text C:\Windows\SysWOW64\rundll32.exe[5472] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 0000000077194889 11 bytes [68, B6, 53, 27, 00, C3, 90, ...] .text C:\Windows\SysWOW64\rundll32.exe[5472] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoExW 000000007719d1ea 11 bytes [68, F2, 54, 27, 00, C3, 90, ...] .text C:\Windows\SysWOW64\rundll32.exe[5472] C:\Windows\syswow64\WS2_32.dll!gethostbyname 00000000771a7673 11 bytes [68, 81, 57, 27, 00, C3, 90, ...] .text C:\Windows\system32\rundll32.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077441510 6 bytes [48, B8, AE, 07, C3, 01] .text C:\Windows\system32\rundll32.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077441518 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\rundll32.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774415e0 6 bytes [48, B8, 0E, 14, C3, 01] .text C:\Windows\system32\rundll32.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000774415e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\rundll32.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077441800 6 bytes [48, B8, EE, 0F, C3, 01] .text C:\Windows\system32\rundll32.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077441808 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\rundll32.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000774418b0 6 bytes [48, B8, 8E, 24, C3, 01] .text C:\Windows\system32\rundll32.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000774418b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\rundll32.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077441e40 6 bytes [48, B8, AE, 28, C3, 01] .text C:\Windows\system32\rundll32.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey + 8 0000000077441e48 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[6264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077441510 5 bytes [48, B8, AE, 07, 73] .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[6264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077441518 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[6264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774415e0 5 bytes [48, B8, 0E, 14, 73] .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[6264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000774415e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[6264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077441800 5 bytes [48, B8, EE, 0F, 73] .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[6264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077441808 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[6264] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000774418b0 5 bytes [48, B8, 8E, 24, 73] .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[6264] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000774418b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[6264] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077441e40 5 bytes [48, B8, AE, 28, 73] .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[6264] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey + 8 0000000077441e48 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[6264] C:\Windows\system32\KERNEL32.dll!RegSetValueExW 00000000771da400 7 bytes JMP 000000016fff0260 .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[6264] C:\Windows\system32\KERNEL32.dll!RegQueryValueExW 00000000771e3f20 5 bytes JMP 000000016fff01b8 .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[6264] C:\Windows\system32\KERNEL32.dll!RegDeleteValueW 00000000771fffb0 5 bytes JMP 000000016fff01f0 .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[6264] C:\Windows\system32\KERNEL32.dll!K32GetMappedFileNameW 000000007720f2e0 5 bytes JMP 000000016fff0148 .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[6264] C:\Windows\system32\KERNEL32.dll!K32EnumProcessModulesEx 0000000077239a30 7 bytes JMP 000000016fff00d8 .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[6264] C:\Windows\system32\KERNEL32.dll!K32GetModuleInformation 00000000772494c0 5 bytes JMP 000000016fff0180 .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[6264] C:\Windows\system32\KERNEL32.dll!K32GetModuleFileNameExW 0000000077249630 5 bytes JMP 000000016fff0110 .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[6264] C:\Windows\system32\KERNEL32.dll!RegSetValueExA 00000000772687e0 7 bytes JMP 000000016fff0228 .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[6264] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd572db0 5 bytes JMP 000007fffd560180 .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[6264] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd5737d0 7 bytes JMP 000007fffd5600d8 .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[6264] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd578ef0 6 bytes JMP 000007fffd560148 .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[6264] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd58af60 5 bytes JMP 000007fffd560110 .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[6264] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefdd389e0 8 bytes JMP 000007fffd5601f0 .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[6264] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefdd3be40 8 bytes JMP 000007fffd5601b8 .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[6264] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd9c7490 11 bytes JMP 000007fffd560228 .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[6264] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefd9dbf00 7 bytes JMP 000007fffd560260 .text C:\Windows\SysWOW64\RunDll32.exe[7128] C:\Windows\syswow64\USER32.dll!GetClassNameW + 45 00000000768482d6 6 bytes [68, E5, 73, 9C, 00, C3] .text C:\Windows\SysWOW64\RunDll32.exe[7128] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076db1465 2 bytes [DB, 76] .text C:\Windows\SysWOW64\RunDll32.exe[7128] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076db14bb 2 bytes [DB, 76] .text ... * 2 .text C:\Windows\SysWOW64\RunDll32.exe[7128] C:\Windows\SysWOW64\dnsapi.dll!DnsQuery_W 000000007280572c 8 bytes [68, 70, 52, 9C, 00, C3, 90, ...] .text C:\Windows\SysWOW64\RunDll32.exe[7128] C:\Windows\syswow64\WS2_32.dll!getaddrinfo 0000000077194296 6 bytes [68, 6F, 56, 9C, 00, C3] .text C:\Windows\SysWOW64\RunDll32.exe[7128] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 0000000077194889 11 bytes [68, B6, 53, 9C, 00, C3, 90, ...] .text C:\Windows\SysWOW64\RunDll32.exe[7128] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoExW 000000007719d1ea 11 bytes [68, F2, 54, 9C, 00, C3, 90, ...] .text C:\Windows\SysWOW64\RunDll32.exe[7128] C:\Windows\syswow64\WS2_32.dll!gethostbyname 00000000771a7673 11 bytes [68, 81, 57, 9C, 00, C3, 90, ...] .text C:\Program Files (x86)\ThinkPad\Utilities\PWMDBSVC.EXE[2560] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076db1465 2 bytes [DB, 76] .text C:\Program Files (x86)\ThinkPad\Utilities\PWMDBSVC.EXE[2560] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076db14bb 2 bytes [DB, 76] .text ... * 2 .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000775ef9e0 5 bytes JMP 0000000173bfea93 .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\SysWOW64\ntdll.dll!NtOpenKey 00000000775efa28 5 bytes JMP 0000000173bff0f8 .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\SysWOW64\ntdll.dll!NtEnumerateValueKey 00000000775efa40 5 bytes JMP 0000000173bfd830 .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\SysWOW64\ntdll.dll!NtQueryKey 00000000775efa90 5 bytes JMP 0000000173bfd38c .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\SysWOW64\ntdll.dll!NtQueryValueKey 00000000775efaa8 5 bytes JMP 0000000173bfd67d .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\SysWOW64\ntdll.dll!NtCreateKey 00000000775efb40 5 bytes JMP 0000000173bff338 .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile 00000000775efc38 5 bytes JMP 0000000173c0a713 .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\SysWOW64\ntdll.dll!NtEnumerateKey 00000000775efd4c 5 bytes JMP 0000000173bfd1d4 .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000775efd64 5 bytes JMP 0000000173c09d35 .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\SysWOW64\ntdll.dll!NtQueryDirectoryFile 00000000775efd98 5 bytes JMP 0000000173c0a030 .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 00000000775efe44 5 bytes JMP 0000000173bfe668 .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile 00000000775efe5c 5 bytes JMP 0000000173c09e5e .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000775f00b4 5 bytes JMP 0000000173c09b7a .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000775f01c4 5 bytes JMP 0000000173bfd9d8 .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\SysWOW64\ntdll.dll!NtCreateKeyTransacted 00000000775f0754 5 bytes JMP 0000000173bff3da .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\SysWOW64\ntdll.dll!NtDeleteFile 00000000775f09e4 5 bytes JMP 0000000173c09d72 .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\SysWOW64\ntdll.dll!NtDeleteKey 00000000775f09fc 5 bytes JMP 0000000173bfcfa8 .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 00000000775f0a44 5 bytes JMP 0000000173bfdb8e .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\SysWOW64\ntdll.dll!NtFlushKey 00000000775f0b80 5 bytes JMP 0000000173bfd0be .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\SysWOW64\ntdll.dll!NtNotifyChangeKey 00000000775f0f70 5 bytes JMP 0000000173bfe01b .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\SysWOW64\ntdll.dll!NtNotifyChangeMultipleKeys 00000000775f0f88 5 bytes JMP 0000000173bfe1b7 .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\SysWOW64\ntdll.dll!NtOpenKeyEx 00000000775f1018 5 bytes JMP 0000000173bff185 .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\SysWOW64\ntdll.dll!NtOpenKeyTransacted 00000000775f1030 5 bytes JMP 0000000173bff2a8 .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\SysWOW64\ntdll.dll!NtOpenKeyTransactedEx 00000000775f1048 5 bytes JMP 0000000173bff215 .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile 00000000775f133c 5 bytes JMP 0000000173c09f47 .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\SysWOW64\ntdll.dll!NtQueryMultipleValueKey 00000000775f147c 5 bytes JMP 0000000173bfde8e .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\SysWOW64\ntdll.dll!NtQuerySecurityObject 00000000775f1528 5 bytes JMP 0000000173bfe37b .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\SysWOW64\ntdll.dll!NtRenameKey 00000000775f1718 5 bytes JMP 0000000173bfdd06 .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationKey 00000000775f1a58 5 bytes JMP 0000000173bfd535 .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\SysWOW64\ntdll.dll!NtSetSecurityObject 00000000775f1b9c 5 bytes JMP 0000000173bfe4fd .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076c8103d 5 bytes JMP 0000000173be3904 .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076c81072 5 bytes JMP 0000000173be3d68 .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000076c81f0e 7 bytes JMP 000000016e0e1695 .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000076c85bad 7 bytes JMP 000000016e0e11a9 .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000076c88791 5 bytes JMP 0000000168c199c1 .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000076c91409 7 bytes JMP 000000016e0e128a .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 0000000076c9ea45 7 bytes JMP 000000016e0e1244 .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 0000000076cab21b 5 bytes JMP 000000016e0e15aa .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076cac9b5 5 bytes JMP 0000000173be3a1e .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\syswow64\kernel32.dll!WinExec 0000000076d02ff1 5 bytes JMP 0000000173be3c62 .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000076d28e24 7 bytes JMP 000000016e0e1339 .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076d28ea9 5 bytes JMP 000000016e0e16d6 .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076d291ff 5 bytes JMP 000000016e0e170d .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075071d29 5 bytes JMP 000000016e0e11c2 .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075071dd7 5 bytes JMP 000000016e0e1014 .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075072ab1 5 bytes JMP 000000016e0e1555 .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075072d17 5 bytes JMP 000000016e0e1271 .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076eb2642 5 bytes JMP 0000000173be3f75 .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\syswow64\USER32.dll!GetClassNameW + 45 00000000768482d6 6 bytes [68, E5, 73, 18, 04, C3] .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076848a29 5 bytes JMP 000000016e0e1726 .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\syswow64\USER32.dll!RegisterClipboardFormatW 0000000076849ebd 5 bytes JMP 0000000168c399ff .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\syswow64\USER32.dll!RegisterClipboardFormatA 0000000076850afa 5 bytes JMP 0000000168c3e26c .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\syswow64\USER32.dll!BeginPaint 0000000076851361 5 bytes JMP 0000000168c4c8b4 .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076854572 5 bytes JMP 000000016e0e10a0 .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\syswow64\USER32.dll!ValidateRect 0000000076857849 5 bytes JMP 0000000168dc1f12 .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 000000007686e567 5 bytes JMP 000000016e0e1415 .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 00000000768a7a5c 5 bytes JMP 000000016e0e15d2 .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000076e0e96b 5 bytes JMP 000000016e0e15c3 .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000076e0eba5 5 bytes JMP 000000016e0e1186 .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\syswow64\SHELL32.dll!SHParseDisplayName 00000000756f7ed3 5 bytes JMP 0000000168d154dc .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\syswow64\ole32.dll!OleLoadFromStream 0000000076b16143 5 bytes JMP 00000001693bdebe .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\syswow64\ole32.dll!CoResumeClassObjects + 7 0000000076b1ea09 7 bytes JMP 0000000173c1e370 .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\syswow64\ole32.dll!OleRun 0000000076b207de 5 bytes JMP 0000000173c1de9e .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\syswow64\ole32.dll!CoRegisterClassObject 0000000076b221e1 5 bytes JMP 0000000173c21745 .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000076b25ea5 5 bytes JMP 000000016e0e15fa .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\syswow64\ole32.dll!OleUninitialize 0000000076b2eba1 6 bytes JMP 0000000173c1de15 .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\syswow64\ole32.dll!OleInitialize 0000000076b2efd7 5 bytes JMP 0000000173c1ddcd .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\syswow64\ole32.dll!CoGetClassObject 0000000076b454ad 5 bytes JMP 0000000173c1fdbb .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\syswow64\ole32.dll!CoInitializeEx 0000000076b509ad 5 bytes JMP 0000000173c1dd6d .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\syswow64\ole32.dll!CoUninitialize 0000000076b586d3 5 bytes JMP 0000000173c207cf .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076b59d0b 5 bytes JMP 000000016e0e121c .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 0000000076b59d4e 5 bytes JMP 0000000173c1f3c7 .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\syswow64\ole32.dll!CoSuspendClassObjects + 7 0000000076b7bb09 7 bytes JMP 0000000173c1dee6 .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\syswow64\ole32.dll!CoRevokeClassObject 0000000076b9eacf 5 bytes JMP 0000000173c1fa7c .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\syswow64\ole32.dll!CoGetInstanceFromFile 0000000076bd340b 5 bytes JMP 0000000173c208cf .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\syswow64\ole32.dll!OleRegEnumFormatEtc 0000000076c1cfd9 5 bytes JMP 0000000173c1de56 .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\syswow64\OLEAUT32.dll!SysFreeString 0000000076a83e59 5 bytes JMP 0000000168c70b7f .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\syswow64\OLEAUT32.dll!VariantClear 0000000076a83eae 5 bytes JMP 0000000168c8d70c .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\syswow64\OLEAUT32.dll!SysAllocStringByteLen 0000000076a84731 5 bytes JMP 0000000168cd8714 .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\syswow64\OLEAUT32.dll!VariantChangeType 0000000076a85dee 5 bytes JMP 0000000168d0a6a0 .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\syswow64\OLEAUT32.dll!RegisterActiveObject 0000000076ab279e 5 bytes JMP 0000000173c203db .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\syswow64\OLEAUT32.dll!RevokeActiveObject 0000000076ab3294 5 bytes JMP 0000000173c1dd25 .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\syswow64\OLEAUT32.dll!GetActiveObject 0000000076ac8f40 5 bytes JMP 0000000173c2056f .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\syswow64\WS2_32.dll!getaddrinfo 0000000077194296 6 bytes [68, 6F, 56, 18, 04, C3] .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 0000000077194889 11 bytes [68, B6, 53, 18, 04, C3, 90, ...] .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoExW 000000007719d1ea 11 bytes [68, F2, 54, 18, 04, C3, 90, ...] .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\syswow64\WS2_32.dll!gethostbyname 00000000771a7673 11 bytes [68, 81, 57, 18, 04, C3, 90, ...] .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076db1465 2 bytes [DB, 76] .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076db14bb 2 bytes [DB, 76] .text ... * 2 ? C:\Windows\system32\mssprxy.dll [3180] entry point in ".rdata" section 0000000074c871e6 .text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[3180] C:\Program Files\Microsoft Office 15\Root\Office15\outlrpc.dll!MAPIRevokeMoniker@4 + 657 0000000073a9287c 4 bytes [6D, BB, 23, 43] .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000775ef9e0 5 bytes JMP 000000015de0ea93 .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\SysWOW64\ntdll.dll!NtOpenKey 00000000775efa28 5 bytes JMP 000000015de0f0f8 .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\SysWOW64\ntdll.dll!NtEnumerateValueKey 00000000775efa40 5 bytes JMP 000000015de0d830 .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\SysWOW64\ntdll.dll!NtQueryKey 00000000775efa90 5 bytes JMP 000000015de0d38c .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\SysWOW64\ntdll.dll!NtQueryValueKey 00000000775efaa8 5 bytes JMP 000000015de0d67d .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\SysWOW64\ntdll.dll!NtCreateKey 00000000775efb40 5 bytes JMP 000000015de0f338 .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile 00000000775efc38 5 bytes JMP 000000015de1a713 .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\SysWOW64\ntdll.dll!NtEnumerateKey 00000000775efd4c 5 bytes JMP 000000015de0d1d4 .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000775efd64 5 bytes JMP 000000015de19d35 .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\SysWOW64\ntdll.dll!NtQueryDirectoryFile 00000000775efd98 5 bytes JMP 000000015de1a030 .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 00000000775efe44 5 bytes JMP 000000015de0e668 .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile 00000000775efe5c 5 bytes JMP 000000015de19e5e .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000775f00b4 5 bytes JMP 000000015de19b7a .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000775f01c4 5 bytes JMP 000000015de0d9d8 .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\SysWOW64\ntdll.dll!NtCreateKeyTransacted 00000000775f0754 5 bytes JMP 000000015de0f3da .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\SysWOW64\ntdll.dll!NtDeleteFile 00000000775f09e4 5 bytes JMP 000000015de19d72 .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\SysWOW64\ntdll.dll!NtDeleteKey 00000000775f09fc 5 bytes JMP 000000015de0cfa8 .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 00000000775f0a44 5 bytes JMP 000000015de0db8e .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\SysWOW64\ntdll.dll!NtFlushKey 00000000775f0b80 5 bytes JMP 000000015de0d0be .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\SysWOW64\ntdll.dll!NtNotifyChangeKey 00000000775f0f70 5 bytes JMP 000000015de0e01b .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\SysWOW64\ntdll.dll!NtNotifyChangeMultipleKeys 00000000775f0f88 5 bytes JMP 000000015de0e1b7 .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\SysWOW64\ntdll.dll!NtOpenKeyEx 00000000775f1018 5 bytes JMP 000000015de0f185 .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\SysWOW64\ntdll.dll!NtOpenKeyTransacted 00000000775f1030 5 bytes JMP 000000015de0f2a8 .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\SysWOW64\ntdll.dll!NtOpenKeyTransactedEx 00000000775f1048 5 bytes JMP 000000015de0f215 .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile 00000000775f133c 5 bytes JMP 000000015de19f47 .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\SysWOW64\ntdll.dll!NtQueryMultipleValueKey 00000000775f147c 5 bytes JMP 000000015de0de8e .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\SysWOW64\ntdll.dll!NtQuerySecurityObject 00000000775f1528 5 bytes JMP 000000015de0e37b .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\SysWOW64\ntdll.dll!NtRenameKey 00000000775f1718 5 bytes JMP 000000015de0dd06 .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationKey 00000000775f1a58 5 bytes JMP 000000015de0d535 .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\SysWOW64\ntdll.dll!NtSetSecurityObject 00000000775f1b9c 5 bytes JMP 000000015de0e4fd .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076c8103d 5 bytes JMP 000000015ddf3904 .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076c81072 5 bytes JMP 000000015ddf3d68 .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000076c81f0e 7 bytes JMP 000000016e0e1695 .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000076c85bad 7 bytes JMP 000000016e0e11a9 .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000076c88791 5 bytes JMP 0000000168c199c1 .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000076c91409 7 bytes JMP 000000016e0e128a .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 0000000076c9ea45 7 bytes JMP 000000016e0e1244 .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 0000000076cab21b 5 bytes JMP 000000016e0e15aa .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076cac9b5 5 bytes JMP 000000015ddf3a1e .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\syswow64\kernel32.dll!WinExec 0000000076d02ff1 5 bytes JMP 000000015ddf3c62 .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000076d28e24 7 bytes JMP 000000016e0e1339 .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076d28ea9 5 bytes JMP 000000016e0e16d6 .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076d291ff 5 bytes JMP 000000016e0e170d .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075071d29 5 bytes JMP 000000016e0e11c2 .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075071dd7 5 bytes JMP 000000016e0e1014 .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075072ab1 5 bytes JMP 000000016e0e1555 .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075072d17 5 bytes JMP 000000016e0e1271 .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076eb2642 5 bytes JMP 000000015ddf3f75 .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\syswow64\USER32.dll!GetClassNameW + 45 00000000768482d6 6 bytes [68, E5, 73, 20, 0D, C3] .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076848a29 5 bytes JMP 000000016e0e1726 .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\syswow64\USER32.dll!RegisterClipboardFormatW 0000000076849ebd 5 bytes JMP 0000000168c399ff .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\syswow64\USER32.dll!RegisterClipboardFormatA 0000000076850afa 5 bytes JMP 0000000168c3e26c .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\syswow64\USER32.dll!BeginPaint 0000000076851361 5 bytes JMP 0000000168c4c8b4 .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076854572 5 bytes JMP 000000016e0e10a0 .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\syswow64\USER32.dll!ValidateRect 0000000076857849 5 bytes JMP 0000000168dc1f12 .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 000000007686e567 5 bytes JMP 000000016e0e1415 .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 00000000768a7a5c 5 bytes JMP 000000016e0e15d2 .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000076e0e96b 5 bytes JMP 000000016e0e15c3 .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000076e0eba5 5 bytes JMP 000000016e0e1186 .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\syswow64\SHELL32.dll!SHParseDisplayName 00000000756f7ed3 5 bytes JMP 0000000168d154dc .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\syswow64\ole32.dll!OleLoadFromStream 0000000076b16143 5 bytes JMP 00000001693bdebe .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\syswow64\ole32.dll!CoResumeClassObjects + 7 0000000076b1ea09 7 bytes JMP 000000015de2e370 .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\syswow64\ole32.dll!OleRun 0000000076b207de 5 bytes JMP 000000015de2de9e .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\syswow64\ole32.dll!CoRegisterClassObject 0000000076b221e1 5 bytes JMP 000000015de31745 .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\syswow64\ole32.dll!OleUninitialize 0000000076b2eba1 6 bytes JMP 000000015de2de15 .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\syswow64\ole32.dll!OleInitialize 0000000076b2efd7 5 bytes JMP 000000015de2ddcd .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\syswow64\ole32.dll!CoGetClassObject 0000000076b454ad 5 bytes JMP 000000015de2fdbb .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\syswow64\ole32.dll!CoInitializeEx 0000000076b509ad 5 bytes JMP 000000015de2dd6d .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\syswow64\ole32.dll!CoUninitialize 0000000076b586d3 5 bytes JMP 000000015de307cf .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 0000000076b59d4e 5 bytes JMP 000000015de2f3c7 .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\syswow64\ole32.dll!CoSuspendClassObjects + 7 0000000076b7bb09 7 bytes JMP 000000015de2dee6 .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\syswow64\ole32.dll!CoRevokeClassObject 0000000076b9eacf 5 bytes JMP 000000015de2fa7c .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\syswow64\ole32.dll!CoGetInstanceFromFile 0000000076bd340b 5 bytes JMP 000000015de308cf .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\syswow64\ole32.dll!OleRegEnumFormatEtc 0000000076c1cfd9 5 bytes JMP 000000015de2de56 .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\syswow64\OLEAUT32.dll!SysFreeString 0000000076a83e59 5 bytes JMP 0000000168c70b7f .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\syswow64\OLEAUT32.dll!VariantClear 0000000076a83eae 5 bytes JMP 0000000168c8d70c .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\syswow64\OLEAUT32.dll!SysAllocStringByteLen 0000000076a84731 5 bytes JMP 0000000168cd8714 .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\syswow64\OLEAUT32.dll!VariantChangeType 0000000076a85dee 5 bytes JMP 0000000168d0a6a0 .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\syswow64\OLEAUT32.dll!RegisterActiveObject 0000000076ab279e 5 bytes JMP 000000015de303db .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\syswow64\OLEAUT32.dll!RevokeActiveObject 0000000076ab3294 5 bytes JMP 000000015de2dd25 .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\syswow64\OLEAUT32.dll!GetActiveObject 0000000076ac8f40 5 bytes JMP 000000015de3056f .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\syswow64\WS2_32.dll!getaddrinfo 0000000077194296 6 bytes [68, 6F, 56, 20, 0D, C3] .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 0000000077194889 11 bytes [68, B6, 53, 20, 0D, C3, 90, ...] .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoExW 000000007719d1ea 11 bytes [68, F2, 54, 20, 0D, C3, 90, ...] .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\syswow64\WS2_32.dll!gethostbyname 00000000771a7673 11 bytes [68, 81, 57, 20, 0D, C3, 90, ...] .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076db1465 2 bytes [DB, 76] .text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4560] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076db14bb 2 bytes [DB, 76] .text ... * 2 .text C:\Windows\splwow64.exe[5464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077441510 5 bytes [48, B8, AE, 07, 2A] .text C:\Windows\splwow64.exe[5464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077441518 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\splwow64.exe[5464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774415e0 5 bytes [48, B8, 0E, 14, 2A] .text C:\Windows\splwow64.exe[5464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000774415e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\splwow64.exe[5464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077441800 5 bytes [48, B8, EE, 0F, 2A] .text C:\Windows\splwow64.exe[5464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077441808 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\splwow64.exe[5464] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000774418b0 5 bytes [48, B8, 8E, 24, 2A] .text C:\Windows\splwow64.exe[5464] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000774418b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\splwow64.exe[5464] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077441e40 5 bytes [48, B8, AE, 28, 2A] .text C:\Windows\splwow64.exe[5464] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey + 8 0000000077441e48 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\splwow64.exe[5464] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd572db0 5 bytes JMP 000007fffd560180 .text C:\Windows\splwow64.exe[5464] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd5737d0 7 bytes JMP 000007fffd5600d8 .text C:\Windows\splwow64.exe[5464] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd578ef0 6 bytes JMP 000007fffd560148 .text C:\Windows\splwow64.exe[5464] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd58af60 5 bytes JMP 000007fffd560110 .text C:\Windows\splwow64.exe[5464] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefdd389e0 8 bytes JMP 000007fffd5601f0 .text C:\Windows\splwow64.exe[5464] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefdd3be40 8 bytes JMP 000007fffd5601b8 .text C:\Windows\system32\prevhost.exe[5480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077441510 5 bytes [48, B8, AE, 07, 3E] .text C:\Windows\system32\prevhost.exe[5480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077441518 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\prevhost.exe[5480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774415e0 5 bytes [48, B8, 0E, 14, 3E] .text C:\Windows\system32\prevhost.exe[5480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000774415e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\prevhost.exe[5480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077441800 5 bytes [48, B8, EE, 0F, 3E] .text C:\Windows\system32\prevhost.exe[5480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077441808 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\prevhost.exe[5480] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000774418b0 5 bytes [48, B8, 8E, 24, 3E] .text C:\Windows\system32\prevhost.exe[5480] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000774418b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\prevhost.exe[5480] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077441e40 5 bytes [48, B8, AE, 28, 3E] .text C:\Windows\system32\prevhost.exe[5480] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey + 8 0000000077441e48 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\prevhost.exe[5480] C:\Windows\system32\kernel32.dll!RegSetValueExW 00000000771da400 7 bytes JMP 000000016fff0260 .text C:\Windows\system32\prevhost.exe[5480] C:\Windows\system32\kernel32.dll!RegQueryValueExW 00000000771e3f20 5 bytes JMP 000000016fff01b8 .text C:\Windows\system32\prevhost.exe[5480] C:\Windows\system32\kernel32.dll!RegDeleteValueW 00000000771fffb0 5 bytes JMP 000000016fff01f0 .text C:\Windows\system32\prevhost.exe[5480] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 000000007720f2e0 5 bytes JMP 000000016fff0148 .text C:\Windows\system32\prevhost.exe[5480] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000077239a30 7 bytes JMP 000000016fff00d8 .text C:\Windows\system32\prevhost.exe[5480] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000772494c0 5 bytes JMP 000000016fff0180 .text C:\Windows\system32\prevhost.exe[5480] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 0000000077249630 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\prevhost.exe[5480] C:\Windows\system32\kernel32.dll!RegSetValueExA 00000000772687e0 7 bytes JMP 000000016fff0228 .text C:\Windows\system32\prevhost.exe[5480] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd572db0 5 bytes JMP 000007fffd560180 .text C:\Windows\system32\prevhost.exe[5480] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd5737d0 7 bytes JMP 000007fffd5600d8 .text C:\Windows\system32\prevhost.exe[5480] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd578ef0 6 bytes JMP 000007fffd560148 .text C:\Windows\system32\prevhost.exe[5480] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd58af60 5 bytes JMP 000007fffd560110 .text C:\Windows\system32\prevhost.exe[5480] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefdd389e0 8 bytes JMP 000007fffd5601f0 .text C:\Windows\system32\prevhost.exe[5480] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefdd3be40 8 bytes JMP 000007fffd5601b8 .text C:\Windows\system32\prevhost.exe[5480] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd9c7490 11 bytes JMP 000007fffd560228 .text C:\Windows\system32\prevhost.exe[5480] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefd9dbf00 7 bytes JMP 000007fffd560260 .text C:\Users\rwi\Desktop\FRST-OlderVersion\jukrdxmo.exe[7156] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000076c81f0e 7 bytes JMP 000000016e0e1695 .text C:\Users\rwi\Desktop\FRST-OlderVersion\jukrdxmo.exe[7156] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000076c85bad 7 bytes JMP 000000016e0e11a9 .text C:\Users\rwi\Desktop\FRST-OlderVersion\jukrdxmo.exe[7156] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000076c91409 7 bytes JMP 000000016e0e128a .text C:\Users\rwi\Desktop\FRST-OlderVersion\jukrdxmo.exe[7156] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 0000000076c9ea45 7 bytes JMP 000000016e0e1244 .text C:\Users\rwi\Desktop\FRST-OlderVersion\jukrdxmo.exe[7156] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 0000000076cab21b 5 bytes JMP 000000016e0e15aa .text C:\Users\rwi\Desktop\FRST-OlderVersion\jukrdxmo.exe[7156] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000076d28e24 7 bytes JMP 000000016e0e1339 .text C:\Users\rwi\Desktop\FRST-OlderVersion\jukrdxmo.exe[7156] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076d28ea9 5 bytes JMP 000000016e0e16d6 .text C:\Users\rwi\Desktop\FRST-OlderVersion\jukrdxmo.exe[7156] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076d291ff 5 bytes JMP 000000016e0e170d .text C:\Users\rwi\Desktop\FRST-OlderVersion\jukrdxmo.exe[7156] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075071d29 5 bytes JMP 000000016e0e11c2 .text C:\Users\rwi\Desktop\FRST-OlderVersion\jukrdxmo.exe[7156] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075071dd7 5 bytes JMP 000000016e0e1014 .text C:\Users\rwi\Desktop\FRST-OlderVersion\jukrdxmo.exe[7156] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075072ab1 5 bytes JMP 000000016e0e1555 .text C:\Users\rwi\Desktop\FRST-OlderVersion\jukrdxmo.exe[7156] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075072d17 5 bytes JMP 000000016e0e1271 .text C:\Users\rwi\Desktop\FRST-OlderVersion\jukrdxmo.exe[7156] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000076e0e96b 5 bytes JMP 000000016e0e15c3 .text C:\Users\rwi\Desktop\FRST-OlderVersion\jukrdxmo.exe[7156] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000076e0eba5 5 bytes JMP 000000016e0e1186 .text C:\Users\rwi\Desktop\FRST-OlderVersion\jukrdxmo.exe[7156] C:\Windows\syswow64\USER32.dll!GetClassNameW + 45 00000000768482d6 6 bytes [68, E5, 73, 33, 03, C3] .text C:\Users\rwi\Desktop\FRST-OlderVersion\jukrdxmo.exe[7156] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076848a29 5 bytes JMP 000000016e0e1726 .text C:\Users\rwi\Desktop\FRST-OlderVersion\jukrdxmo.exe[7156] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076854572 5 bytes JMP 000000016e0e10a0 .text C:\Users\rwi\Desktop\FRST-OlderVersion\jukrdxmo.exe[7156] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 000000007686e567 5 bytes JMP 000000016e0e1415 .text C:\Users\rwi\Desktop\FRST-OlderVersion\jukrdxmo.exe[7156] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 00000000768a7a5c 5 bytes JMP 000000016e0e15d2 .text C:\Users\rwi\Desktop\FRST-OlderVersion\jukrdxmo.exe[7156] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000076b25ea5 5 bytes JMP 000000016e0e15fa .text C:\Users\rwi\Desktop\FRST-OlderVersion\jukrdxmo.exe[7156] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076b59d0b 5 bytes JMP 000000016e0e121c .text C:\Users\rwi\Desktop\FRST-OlderVersion\jukrdxmo.exe[7156] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076db1465 2 bytes [DB, 76] .text C:\Users\rwi\Desktop\FRST-OlderVersion\jukrdxmo.exe[7156] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076db14bb 2 bytes [DB, 76] .text ... * 2 ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\mfevtps.exe[2604] @ C:\Windows\system32\CRYPT32.dll[KERNEL32.dll!LoadLibraryA] [13fdec980] C:\Windows\system32\mfevtps.exe ---- Threads - GMER 2.1 ---- Thread C:\Windows\SysWOW64\rundll32.exe [5472:3324] 000000000028489c Thread C:\Windows\SysWOW64\RunDll32.exe [7128:6396] 00000000009d489c Thread C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE [3180:5188] 000000000419489c Thread C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE [4560:5652] 000000000d21489c ---- Processes - GMER 2.1 ---- Library C:\ProgramData\Winrar_Update\xegiwezhr.exe (*** suspicious ***) @ C:\ProgramData\Winrar_Update\xegiwezhr.exe [6120] (Narzędzie do obslugi pliku rozruchowego/Microsoft Corporation)(2015-01-22 13:09:47) 0000000000400000 Library C:\ProgramData\Winrar_Update\xegiwezhr.exe (*** suspicious ***) @ C:\ProgramData\Winrar_Update\xegiwezhr.exe [6120] (Narzędzie do obslugi pliku rozruchowego/Microsoft Corporation)(2015-01-22 13:09:47) 0000000000350000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\mso.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE [3180] 0000000068c10000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\riched20.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE [3180] 000000006e770000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\MSPTLS.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE [3180] 0000000062a40000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\1033\OSFINTL.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE [3180] 000000005ef00000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\PROOF\MSLID.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE [3180] 00000000600d0000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\mso.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE [4560] 0000000068c10000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\riched20.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE [4560] 000000006e770000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{7809BA7C-703A-4978-9395-A4172DF61A54}\Connection@Name isatap.{F8D670D2-11C3-4194-8B31-F3EF759DB3E2} Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{8B6FD130-B2CC-48A6-81EF-DA1911EAB0FE}\Connection@Name isatap.{B833F223-ABB6-4394-8EDE-8AE15C607F61} Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Bind \Device\{AD535073-A4D7-4D8A-808D-884C7275563B}?\Device\{7809BA7C-703A-4978-9395-A4172DF61A54}?\Device\{8B6FD130-B2CC-48A6-81EF-DA1911EAB0FE}?\Device\{F3F7E70E-0028-4AF3-A44B-0281D8F13D8E}? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Route "{AD535073-A4D7-4D8A-808D-884C7275563B}"?"{7809BA7C-703A-4978-9395-A4172DF61A54}"?"{8B6FD130-B2CC-48A6-81EF-DA1911EAB0FE}"?"{F3F7E70E-0028-4AF3-A44B-0281D8F13D8E}"? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Export \Device\TCPIP6TUNNEL_{AD535073-A4D7-4D8A-808D-884C7275563B}?\Device\TCPIP6TUNNEL_{7809BA7C-703A-4978-9395-A4172DF61A54}?\Device\TCPIP6TUNNEL_{8B6FD130-B2CC-48A6-81EF-DA1911EAB0FE}?\Device\TCPIP6TUNNEL_{F3F7E70E-0028-4AF3-A44B-0281D8F13D8E}? Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\24fd528d6294 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\889ffaf444d9 Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{7809BA7C-703A-4978-9395-A4172DF61A54}@InterfaceName isatap.{F8D670D2-11C3-4194-8B31-F3EF759DB3E2} Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{7809BA7C-703A-4978-9395-A4172DF61A54}@ReusableType 0 Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{8B6FD130-B2CC-48A6-81EF-DA1911EAB0FE}@InterfaceName isatap.{B833F223-ABB6-4394-8EDE-8AE15C607F61} Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{8B6FD130-B2CC-48A6-81EF-DA1911EAB0FE}@ReusableType 0 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\24fd528d6294 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\889ffaf444d9 (not active ControlSet) Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Run@Winrar_Update "C:\ProgramData\Winrar_Update\xegiwezhr.exe" ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- Files - GMER 2.1 ---- File C:\ProgramData\Winrar_Update\xegiwezhr.exe 240568 bytes executable File C:\Users\rwi\AppData\Local\Temp\tmp289E.tmp 0 bytes ---- EOF - GMER 2.1 ----