GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-01-29 10:43:27 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 Samsung_ rev.DXT0 111,79GB Running: jukrdxmo.exe; Driver: C:\Users\rwi~1\AppData\Local\Temp\kwrcypod.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[860] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd442db0 5 bytes JMP 000007fffd430180 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[860] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd4437d0 7 bytes JMP 000007fffd4300d8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[860] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd448ef0 6 bytes JMP 000007fffd430148 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[860] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd45af60 5 bytes JMP 000007fffd430110 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[860] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefdb689e0 8 bytes JMP 000007fffd4301f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[860] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefdb6be40 8 bytes JMP 000007fffd4301b8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[860] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefea97490 11 bytes JMP 000007fffd430228 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[860] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefeaabf00 7 bytes JMP 000007fffd430260 .text C:\Windows\system32\nvwmi64.exe[1372] C:\Windows\system32\kernel32.dll!RegSetValueExW 00000000770aa400 7 bytes JMP 000000016fff0260 .text C:\Windows\system32\nvwmi64.exe[1372] C:\Windows\system32\kernel32.dll!RegQueryValueExW 00000000770b3f20 5 bytes JMP 000000016fff01b8 .text C:\Windows\system32\nvwmi64.exe[1372] C:\Windows\system32\kernel32.dll!RegDeleteValueW 00000000770cffb0 5 bytes JMP 000000016fff01f0 .text C:\Windows\system32\nvwmi64.exe[1372] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 00000000770df2e0 5 bytes JMP 000000016fff0148 .text C:\Windows\system32\nvwmi64.exe[1372] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000077109a30 7 bytes JMP 000000016fff00d8 .text C:\Windows\system32\nvwmi64.exe[1372] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000771194c0 5 bytes JMP 000000016fff0180 .text C:\Windows\system32\nvwmi64.exe[1372] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 0000000077119630 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\nvwmi64.exe[1372] C:\Windows\system32\kernel32.dll!RegSetValueExA 00000000771387e0 7 bytes JMP 000000016fff0228 .text C:\Windows\system32\nvwmi64.exe[1372] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd442db0 5 bytes JMP 000007fffd430180 .text C:\Windows\system32\nvwmi64.exe[1372] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd4437d0 7 bytes JMP 000007fffd4300d8 .text C:\Windows\system32\nvwmi64.exe[1372] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd448ef0 6 bytes JMP 000007fffd430148 .text C:\Windows\system32\nvwmi64.exe[1372] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd45af60 5 bytes JMP 000007fffd430110 .text C:\Windows\system32\nvwmi64.exe[1372] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefdb689e0 8 bytes JMP 000007fffd4301f0 .text C:\Windows\system32\nvwmi64.exe[1372] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefdb6be40 8 bytes JMP 000007fffd4301b8 .text C:\Windows\system32\nvwmi64.exe[1372] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefea97490 11 bytes JMP 000007fffd430228 .text C:\Windows\system32\nvwmi64.exe[1372] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefeaabf00 7 bytes JMP 000007fffd430260 .text C:\Program Files (x86)\Lenovo\Access Connections\AcPrfMgrSvc.exe[2208] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000751f1465 2 bytes [1F, 75] .text C:\Program Files (x86)\Lenovo\Access Connections\AcPrfMgrSvc.exe[2208] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000751f14bb 2 bytes [1F, 75] .text ... * 2 .text C:\Program Files (x86)\Cisco Systems\VPN Client\cvpnd.exe[2404] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000751f1465 2 bytes [1F, 75] .text C:\Program Files (x86)\Cisco Systems\VPN Client\cvpnd.exe[2404] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000751f14bb 2 bytes [1F, 75] .text ... * 2 .text C:\Windows\SysWOW64\DNTUS26.EXE[2440] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000751f1465 2 bytes [1F, 75] .text C:\Windows\SysWOW64\DNTUS26.EXE[2440] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000751f14bb 2 bytes [1F, 75] .text ... * 2 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2912] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000751f1465 2 bytes [1F, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2912] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000751f14bb 2 bytes [1F, 75] .text ... * 2 .text C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe[3004] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 195 0000000072601b41 2 bytes [60, 72] .text C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe[3004] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 362 0000000072601be8 2 bytes [60, 72] .text C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe[3004] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 418 0000000072601c20 2 bytes [60, 72] .text C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe[3004] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 596 0000000072601cd2 2 bytes [60, 72] .text C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe[3004] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 628 0000000072601cf2 2 bytes [60, 72] .text C:\Program Files (x86)\Lenovo\Access Connections\AcSvc.exe[3408] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000751f1465 2 bytes [1F, 75] .text C:\Program Files (x86)\Lenovo\Access Connections\AcSvc.exe[3408] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000751f14bb 2 bytes [1F, 75] .text ... * 2 .text C:\Windows\dwrcs\DWRCS.EXE[4412] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd442db0 5 bytes JMP 000007fffd430180 .text C:\Windows\dwrcs\DWRCS.EXE[4412] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd4437d0 7 bytes JMP 000007fffd4300d8 .text C:\Windows\dwrcs\DWRCS.EXE[4412] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd448ef0 6 bytes JMP 000007fffd430148 .text C:\Windows\dwrcs\DWRCS.EXE[4412] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd45af60 5 bytes JMP 000007fffd430110 .text C:\Windows\dwrcs\DWRCS.EXE[4412] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefdb689e0 8 bytes JMP 000007fffd4301f0 .text C:\Windows\dwrcs\DWRCS.EXE[4412] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefdb6be40 8 bytes JMP 000007fffd4301b8 .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[4660] C:\Windows\system32\kernel32.dll!RegSetValueExW 00000000770aa400 7 bytes JMP 000000016fff0260 .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[4660] C:\Windows\system32\kernel32.dll!RegQueryValueExW 00000000770b3f20 5 bytes JMP 000000016fff01b8 .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[4660] C:\Windows\system32\kernel32.dll!RegDeleteValueW 00000000770cffb0 5 bytes JMP 000000016fff01f0 .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[4660] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 00000000770df2e0 5 bytes JMP 000000016fff0148 .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[4660] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000077109a30 7 bytes JMP 000000016fff00d8 .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[4660] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000771194c0 5 bytes JMP 000000016fff0180 .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[4660] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 0000000077119630 5 bytes JMP 000000016fff0110 .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[4660] C:\Windows\system32\kernel32.dll!RegSetValueExA 00000000771387e0 7 bytes JMP 000000016fff0228 .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[4660] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd442db0 5 bytes JMP 000007fffd430180 .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[4660] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd4437d0 7 bytes JMP 000007fffd4300d8 .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[4660] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd448ef0 6 bytes JMP 000007fffd430148 .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[4660] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd45af60 5 bytes JMP 000007fffd430110 .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[4660] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefdb689e0 8 bytes JMP 000007fffd4301f0 .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[4660] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefdb6be40 8 bytes JMP 000007fffd4301b8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1364] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000751f1465 2 bytes [1F, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1364] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000751f14bb 2 bytes [1F, 75] .text ... * 2 .text C:\Windows\dwrcs\DWRCST.exe[2060] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd442db0 5 bytes JMP 000007fffd430180 .text C:\Windows\dwrcs\DWRCST.exe[2060] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd4437d0 7 bytes JMP 000007fffd4300d8 .text C:\Windows\dwrcs\DWRCST.exe[2060] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd448ef0 6 bytes JMP 000007fffd430148 .text C:\Windows\dwrcs\DWRCST.exe[2060] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd45af60 5 bytes JMP 000007fffd430110 .text C:\Windows\dwrcs\DWRCST.exe[2060] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefdb689e0 8 bytes JMP 000007fffd4301f0 .text C:\Windows\dwrcs\DWRCST.exe[2060] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefdb6be40 8 bytes JMP 000007fffd4301b8 .text C:\Windows\dwrcs\DWRCST.exe[2060] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefea97490 11 bytes JMP 000007fffd430228 .text C:\Windows\dwrcs\DWRCST.exe[2060] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefeaabf00 7 bytes JMP 000007fffd430260 .text C:\PROGRA~1\LENOVO\VIRTSCRL\virtscrl.exe[964] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd442db0 5 bytes JMP 000007fffd430180 .text C:\PROGRA~1\LENOVO\VIRTSCRL\virtscrl.exe[964] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd4437d0 7 bytes JMP 000007fffd4300d8 .text C:\PROGRA~1\LENOVO\VIRTSCRL\virtscrl.exe[964] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd448ef0 6 bytes JMP 000007fffd430148 .text C:\PROGRA~1\LENOVO\VIRTSCRL\virtscrl.exe[964] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd45af60 5 bytes JMP 000007fffd430110 .text C:\PROGRA~1\LENOVO\VIRTSCRL\virtscrl.exe[964] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefdb689e0 8 bytes JMP 000007fffd4301f0 .text C:\PROGRA~1\LENOVO\VIRTSCRL\virtscrl.exe[964] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefdb6be40 8 bytes JMP 000007fffd4301b8 .text C:\PROGRA~1\Lenovo\HOTKEY\TPONSCR.EXE[4564] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000075c61f0e 7 bytes JMP 0000000170331695 .text C:\PROGRA~1\Lenovo\HOTKEY\TPONSCR.EXE[4564] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000075c65bad 7 bytes JMP 00000001703311a9 .text C:\PROGRA~1\Lenovo\HOTKEY\TPONSCR.EXE[4564] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000075c71409 7 bytes JMP 000000017033128a .text C:\PROGRA~1\Lenovo\HOTKEY\TPONSCR.EXE[4564] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 0000000075c7ea45 7 bytes JMP 0000000170331244 .text C:\PROGRA~1\Lenovo\HOTKEY\TPONSCR.EXE[4564] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 0000000075c8b21b 5 bytes JMP 00000001703315aa .text C:\PROGRA~1\Lenovo\HOTKEY\TPONSCR.EXE[4564] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000075d08e24 7 bytes JMP 0000000170331339 .text C:\PROGRA~1\Lenovo\HOTKEY\TPONSCR.EXE[4564] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000075d08ea9 5 bytes JMP 00000001703316d6 .text C:\PROGRA~1\Lenovo\HOTKEY\TPONSCR.EXE[4564] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000075d091ff 5 bytes JMP 000000017033170d .text C:\PROGRA~1\Lenovo\HOTKEY\TPONSCR.EXE[4564] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075fa1d29 5 bytes JMP 00000001703311c2 .text C:\PROGRA~1\Lenovo\HOTKEY\TPONSCR.EXE[4564] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075fa1dd7 5 bytes JMP 0000000170331014 .text C:\PROGRA~1\Lenovo\HOTKEY\TPONSCR.EXE[4564] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075fa2ab1 5 bytes JMP 0000000170331555 .text C:\PROGRA~1\Lenovo\HOTKEY\TPONSCR.EXE[4564] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075fa2d17 5 bytes JMP 0000000170331271 .text C:\PROGRA~1\Lenovo\HOTKEY\TPONSCR.EXE[4564] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000075858a29 5 bytes JMP 0000000170331726 .text C:\PROGRA~1\Lenovo\HOTKEY\TPONSCR.EXE[4564] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000075864572 5 bytes JMP 00000001703310a0 .text C:\PROGRA~1\Lenovo\HOTKEY\TPONSCR.EXE[4564] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 000000007587e567 5 bytes JMP 0000000170331415 .text C:\PROGRA~1\Lenovo\HOTKEY\TPONSCR.EXE[4564] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 00000000758b7a5c 5 bytes JMP 00000001703315d2 .text C:\PROGRA~1\Lenovo\HOTKEY\TPONSCR.EXE[4564] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007524e96b 5 bytes JMP 00000001703315c3 .text C:\PROGRA~1\Lenovo\HOTKEY\TPONSCR.EXE[4564] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007524eba5 5 bytes JMP 0000000170331186 .text C:\PROGRA~1\Lenovo\HOTKEY\TPONSCR.EXE[4564] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000075505ea5 5 bytes JMP 00000001703315fa .text C:\PROGRA~1\Lenovo\HOTKEY\TPONSCR.EXE[4564] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075539d0b 5 bytes JMP 000000017033121c .text C:\PROGRA~1\Lenovo\HOTKEY\SHTCTKY.EXE[2676] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd442db0 5 bytes JMP 000007fffd3b0180 .text C:\PROGRA~1\Lenovo\HOTKEY\SHTCTKY.EXE[2676] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd4437d0 7 bytes JMP 000007fffd3b00d8 .text C:\PROGRA~1\Lenovo\HOTKEY\SHTCTKY.EXE[2676] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd448ef0 6 bytes JMP 000007fffd3b0148 .text C:\PROGRA~1\Lenovo\HOTKEY\SHTCTKY.EXE[2676] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd45af60 5 bytes JMP 000007fffd3b0110 .text C:\PROGRA~1\Lenovo\HOTKEY\SHTCTKY.EXE[2676] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefdb689e0 8 bytes JMP 000007fffd3b01f0 .text C:\PROGRA~1\Lenovo\HOTKEY\SHTCTKY.EXE[2676] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefdb6be40 8 bytes JMP 000007fffd3b01b8 .text C:\PROGRA~1\LENOVO\HOTKEY\tpnumlkd.exe[2748] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd442db0 5 bytes JMP 000007fffd3b0180 .text C:\PROGRA~1\LENOVO\HOTKEY\tpnumlkd.exe[2748] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd4437d0 7 bytes JMP 000007fffd3b00d8 .text C:\PROGRA~1\LENOVO\HOTKEY\tpnumlkd.exe[2748] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd448ef0 6 bytes JMP 000007fffd3b0148 .text C:\PROGRA~1\LENOVO\HOTKEY\tpnumlkd.exe[2748] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd45af60 5 bytes JMP 000007fffd3b0110 .text C:\PROGRA~1\LENOVO\HOTKEY\tpnumlkd.exe[2748] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefdb689e0 8 bytes JMP 000007fffd3b01f0 .text C:\PROGRA~1\LENOVO\HOTKEY\tpnumlkd.exe[2748] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefdb6be40 8 bytes JMP 000007fffd3b01b8 .text C:\Windows\system32\Dwm.exe[3344] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd442db0 5 bytes JMP 000007fffd430180 .text C:\Windows\system32\Dwm.exe[3344] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd4437d0 7 bytes JMP 000007fffd4300d8 .text C:\Windows\system32\Dwm.exe[3344] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd448ef0 6 bytes JMP 000007fffd430148 .text C:\Windows\system32\Dwm.exe[3344] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd45af60 5 bytes JMP 000007fffd430110 .text C:\Windows\system32\Dwm.exe[3344] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefdb689e0 8 bytes JMP 000007fffd4301f0 .text C:\Windows\system32\Dwm.exe[3344] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefdb6be40 8 bytes JMP 000007fffd4301b8 .text C:\Windows\system32\Dwm.exe[3344] C:\Windows\system32\dxgi.dll!CreateDXGIFactory 000007feedf2dc88 5 bytes JMP 000007ffedd200d8 .text C:\Windows\system32\Dwm.exe[3344] C:\Windows\system32\dxgi.dll!CreateDXGIFactory1 000007feedf2de10 5 bytes JMP 000007ffedd20110 .text C:\Program Files (x86)\Lenovo\Access Connections\SvcGuiHlpr.exe[4788] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000751f1465 2 bytes [1F, 75] .text C:\Program Files (x86)\Lenovo\Access Connections\SvcGuiHlpr.exe[4788] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000751f14bb 2 bytes [1F, 75] .text ... * 2 .text C:\Program Files (x86)\Lenovo\Access Connections\AcDeskBandHlpr.exe[5068] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000075c61f0e 7 bytes JMP 0000000170331695 .text C:\Program Files (x86)\Lenovo\Access Connections\AcDeskBandHlpr.exe[5068] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000075c65bad 7 bytes JMP 00000001703311a9 .text C:\Program Files (x86)\Lenovo\Access Connections\AcDeskBandHlpr.exe[5068] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000075c71409 7 bytes JMP 000000017033128a .text C:\Program Files (x86)\Lenovo\Access Connections\AcDeskBandHlpr.exe[5068] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 0000000075c7ea45 7 bytes JMP 0000000170331244 .text C:\Program Files (x86)\Lenovo\Access Connections\AcDeskBandHlpr.exe[5068] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 0000000075c8b21b 5 bytes JMP 00000001703315aa .text C:\Program Files (x86)\Lenovo\Access Connections\AcDeskBandHlpr.exe[5068] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000075d08e24 7 bytes JMP 0000000170331339 .text C:\Program Files (x86)\Lenovo\Access Connections\AcDeskBandHlpr.exe[5068] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000075d08ea9 5 bytes JMP 00000001703316d6 .text C:\Program Files (x86)\Lenovo\Access Connections\AcDeskBandHlpr.exe[5068] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000075d091ff 5 bytes JMP 000000017033170d .text C:\Program Files (x86)\Lenovo\Access Connections\AcDeskBandHlpr.exe[5068] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075fa1d29 5 bytes JMP 00000001703311c2 .text C:\Program Files (x86)\Lenovo\Access Connections\AcDeskBandHlpr.exe[5068] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075fa1dd7 5 bytes JMP 0000000170331014 .text C:\Program Files (x86)\Lenovo\Access Connections\AcDeskBandHlpr.exe[5068] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075fa2ab1 5 bytes JMP 0000000170331555 .text C:\Program Files (x86)\Lenovo\Access Connections\AcDeskBandHlpr.exe[5068] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075fa2d17 5 bytes JMP 0000000170331271 .text C:\Program Files (x86)\Lenovo\Access Connections\AcDeskBandHlpr.exe[5068] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000751f1465 2 bytes [1F, 75] .text C:\Program Files (x86)\Lenovo\Access Connections\AcDeskBandHlpr.exe[5068] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000751f14bb 2 bytes [1F, 75] .text ... * 2 .text C:\Program Files (x86)\Lenovo\Access Connections\AcDeskBandHlpr.exe[5068] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000075858a29 5 bytes JMP 0000000170331726 .text C:\Program Files (x86)\Lenovo\Access Connections\AcDeskBandHlpr.exe[5068] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000075864572 5 bytes JMP 00000001703310a0 .text C:\Program Files (x86)\Lenovo\Access Connections\AcDeskBandHlpr.exe[5068] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 000000007587e567 5 bytes JMP 0000000170331415 .text C:\Program Files (x86)\Lenovo\Access Connections\AcDeskBandHlpr.exe[5068] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 00000000758b7a5c 5 bytes JMP 00000001703315d2 .text C:\Program Files (x86)\Lenovo\Access Connections\AcDeskBandHlpr.exe[5068] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007524e96b 5 bytes JMP 00000001703315c3 .text C:\Program Files (x86)\Lenovo\Access Connections\AcDeskBandHlpr.exe[5068] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007524eba5 5 bytes JMP 0000000170331186 .text C:\Program Files (x86)\Lenovo\Access Connections\AcDeskBandHlpr.exe[5068] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000075505ea5 5 bytes JMP 00000001703315fa .text C:\Program Files (x86)\Lenovo\Access Connections\AcDeskBandHlpr.exe[5068] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075539d0b 5 bytes JMP 000000017033121c .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4504] C:\Windows\system32\kernel32.dll!RegSetValueExW 00000000770aa400 7 bytes JMP 000000016fff0260 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4504] C:\Windows\system32\kernel32.dll!RegQueryValueExW 00000000770b3f20 5 bytes JMP 000000016fff01b8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4504] C:\Windows\system32\kernel32.dll!RegDeleteValueW 00000000770cffb0 5 bytes JMP 000000016fff01f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4504] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 00000000770df2e0 5 bytes JMP 000000016fff0148 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4504] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000077109a30 7 bytes JMP 000000016fff00d8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4504] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000771194c0 5 bytes JMP 000000016fff0180 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4504] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 0000000077119630 5 bytes JMP 000000016fff0110 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4504] C:\Windows\system32\kernel32.dll!RegSetValueExA 00000000771387e0 7 bytes JMP 000000016fff0228 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4504] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd442db0 5 bytes JMP 000007fffd430180 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4504] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd4437d0 7 bytes JMP 000007fffd4300d8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4504] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd448ef0 6 bytes JMP 000007fffd430148 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4504] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd45af60 5 bytes JMP 000007fffd430110 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4504] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefdb689e0 8 bytes JMP 000007fffd4301f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4504] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefdb6be40 8 bytes JMP 000007fffd4301b8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4504] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefea97490 11 bytes JMP 000007fffd430228 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4504] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefeaabf00 7 bytes JMP 000007fffd430260 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4224] C:\Windows\system32\kernel32.dll!RegSetValueExW 00000000770aa400 7 bytes JMP 000000016fff0260 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4224] C:\Windows\system32\kernel32.dll!RegQueryValueExW 00000000770b3f20 5 bytes JMP 000000016fff01b8 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4224] C:\Windows\system32\kernel32.dll!RegDeleteValueW 00000000770cffb0 5 bytes JMP 000000016fff01f0 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4224] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 00000000770df2e0 5 bytes JMP 000000016fff0148 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4224] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000077109a30 7 bytes JMP 000000016fff00d8 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4224] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000771194c0 5 bytes JMP 000000016fff0180 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4224] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 0000000077119630 5 bytes JMP 000000016fff0110 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4224] C:\Windows\system32\kernel32.dll!RegSetValueExA 00000000771387e0 7 bytes JMP 000000016fff0228 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4224] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd442db0 5 bytes JMP 000007fffd430180 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4224] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd4437d0 7 bytes JMP 000007fffd4300d8 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4224] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd448ef0 6 bytes JMP 000007fffd430148 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4224] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd45af60 5 bytes JMP 000007fffd430110 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4224] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefea97490 11 bytes JMP 000007fffd430228 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4224] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefeaabf00 7 bytes JMP 000007fffd430260 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4224] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefdb689e0 8 bytes JMP 000007fffd4301f0 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4224] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefdb6be40 8 bytes JMP 000007fffd4301b8 .text C:\Windows\System32\TpShocks.exe[4876] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd442db0 5 bytes JMP 000007fffd430180 .text C:\Windows\System32\TpShocks.exe[4876] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd4437d0 7 bytes JMP 000007fffd4300d8 .text C:\Windows\System32\TpShocks.exe[4876] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd448ef0 6 bytes JMP 000007fffd430148 .text C:\Windows\System32\TpShocks.exe[4876] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd45af60 5 bytes JMP 000007fffd430110 .text C:\Windows\System32\TpShocks.exe[4876] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefdb689e0 8 bytes JMP 000007fffd4301f0 .text C:\Windows\System32\TpShocks.exe[4876] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefdb6be40 8 bytes JMP 000007fffd4301b8 .text C:\Program Files\Lenovo\Communications Utility\TpKnrres.exe[2512] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000075c61f0e 7 bytes JMP 0000000170331695 .text C:\Program Files\Lenovo\Communications Utility\TpKnrres.exe[2512] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000075c65bad 7 bytes JMP 00000001703311a9 .text C:\Program Files\Lenovo\Communications Utility\TpKnrres.exe[2512] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000075c71409 7 bytes JMP 000000017033128a .text C:\Program Files\Lenovo\Communications Utility\TpKnrres.exe[2512] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 0000000075c7ea45 7 bytes JMP 0000000170331244 .text C:\Program Files\Lenovo\Communications Utility\TpKnrres.exe[2512] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 0000000075c8b21b 5 bytes JMP 00000001703315aa .text C:\Program Files\Lenovo\Communications Utility\TpKnrres.exe[2512] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000075d08e24 7 bytes JMP 0000000170331339 .text C:\Program Files\Lenovo\Communications Utility\TpKnrres.exe[2512] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000075d08ea9 5 bytes JMP 00000001703316d6 .text C:\Program Files\Lenovo\Communications Utility\TpKnrres.exe[2512] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000075d091ff 5 bytes JMP 000000017033170d .text C:\Program Files\Lenovo\Communications Utility\TpKnrres.exe[2512] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075fa1d29 5 bytes JMP 00000001703311c2 .text C:\Program Files\Lenovo\Communications Utility\TpKnrres.exe[2512] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075fa1dd7 5 bytes JMP 0000000170331014 .text C:\Program Files\Lenovo\Communications Utility\TpKnrres.exe[2512] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075fa2ab1 5 bytes JMP 0000000170331555 .text C:\Program Files\Lenovo\Communications Utility\TpKnrres.exe[2512] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075fa2d17 5 bytes JMP 0000000170331271 .text C:\Program Files\Lenovo\Communications Utility\TpKnrres.exe[2512] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007524e96b 5 bytes JMP 00000001703315c3 .text C:\Program Files\Lenovo\Communications Utility\TpKnrres.exe[2512] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007524eba5 5 bytes JMP 0000000170331186 .text C:\Program Files\Lenovo\Communications Utility\TpKnrres.exe[2512] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000075858a29 5 bytes JMP 0000000170331726 .text C:\Program Files\Lenovo\Communications Utility\TpKnrres.exe[2512] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000075864572 5 bytes JMP 00000001703310a0 .text C:\Program Files\Lenovo\Communications Utility\TpKnrres.exe[2512] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 000000007587e567 5 bytes JMP 0000000170331415 .text C:\Program Files\Lenovo\Communications Utility\TpKnrres.exe[2512] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 00000000758b7a5c 5 bytes JMP 00000001703315d2 .text C:\Program Files\Lenovo\Communications Utility\TpKnrres.exe[2512] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000075505ea5 5 bytes JMP 00000001703315fa .text C:\Program Files\Lenovo\Communications Utility\TpKnrres.exe[2512] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075539d0b 5 bytes JMP 000000017033121c .text C:\Program Files\Lenovo\Communications Utility\TpKnrres.exe[2512] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000751f1465 2 bytes [1F, 75] .text C:\Program Files\Lenovo\Communications Utility\TpKnrres.exe[2512] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000751f14bb 2 bytes [1F, 75] .text ... * 2 .text C:\Program Files\Lenovo\Communications Utility\TpKnrres.exe[2512] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 35 00000000725411a8 2 bytes [54, 72] .text C:\Program Files\Lenovo\Communications Utility\TpKnrres.exe[2512] C:\Windows\SysWOW64\ksuser.dll!KsCreateAllocator + 21 00000000725413a8 2 bytes [54, 72] .text C:\Program Files\Lenovo\Communications Utility\TpKnrres.exe[2512] C:\Windows\SysWOW64\ksuser.dll!KsCreateClock + 21 0000000072541422 2 bytes [54, 72] .text C:\Program Files\Lenovo\Communications Utility\TpKnrres.exe[2512] C:\Windows\SysWOW64\ksuser.dll!KsCreateTopologyNode + 19 0000000072541498 2 bytes [54, 72] .text C:\Program Files\Lenovo\Communications Utility\TpKnrres.exe[2512] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 195 0000000072601b41 2 bytes [60, 72] .text C:\Program Files\Lenovo\Communications Utility\TpKnrres.exe[2512] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 362 0000000072601be8 2 bytes [60, 72] .text C:\Program Files\Lenovo\Communications Utility\TpKnrres.exe[2512] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 418 0000000072601c20 2 bytes [60, 72] .text C:\Program Files\Lenovo\Communications Utility\TpKnrres.exe[2512] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 596 0000000072601cd2 2 bytes [60, 72] .text C:\Program Files\Lenovo\Communications Utility\TpKnrres.exe[2512] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 628 0000000072601cf2 2 bytes [60, 72] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5124] C:\Windows\system32\kernel32.dll!RegSetValueExW 00000000770aa400 7 bytes JMP 000000016fff0260 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5124] C:\Windows\system32\kernel32.dll!RegQueryValueExW 00000000770b3f20 5 bytes JMP 000000016fff01b8 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5124] C:\Windows\system32\kernel32.dll!RegDeleteValueW 00000000770cffb0 5 bytes JMP 000000016fff01f0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5124] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 00000000770df2e0 5 bytes JMP 000000016fff0148 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5124] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000077109a30 7 bytes JMP 000000016fff00d8 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5124] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000771194c0 5 bytes JMP 000000016fff0180 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5124] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 0000000077119630 5 bytes JMP 000000016fff0110 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5124] C:\Windows\system32\kernel32.dll!RegSetValueExA 00000000771387e0 7 bytes JMP 000000016fff0228 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5124] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd442db0 5 bytes JMP 000007fffd430180 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5124] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd4437d0 7 bytes JMP 000007fffd4300d8 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5124] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd448ef0 6 bytes JMP 000007fffd430148 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5124] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd45af60 5 bytes JMP 000007fffd430110 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5124] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefdb689e0 8 bytes JMP 000007fffd4301f0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5124] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefdb6be40 8 bytes JMP 000007fffd4301b8 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5124] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefea97490 11 bytes JMP 000007fffd430228 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5124] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefeaabf00 7 bytes JMP 000007fffd430260 .text C:\Program Files\Lenovo\Password Manager\password_manager.exe[5136] C:\Windows\system32\kernel32.dll!RegSetValueExW 00000000770aa400 7 bytes JMP 000000016fff0260 .text C:\Program Files\Lenovo\Password Manager\password_manager.exe[5136] C:\Windows\system32\kernel32.dll!RegQueryValueExW 00000000770b3f20 5 bytes JMP 000000016fff01b8 .text C:\Program Files\Lenovo\Password Manager\password_manager.exe[5136] C:\Windows\system32\kernel32.dll!RegDeleteValueW 00000000770cffb0 5 bytes JMP 000000016fff01f0 .text C:\Program Files\Lenovo\Password Manager\password_manager.exe[5136] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 00000000770df2e0 5 bytes JMP 000000016fff0148 .text C:\Program Files\Lenovo\Password Manager\password_manager.exe[5136] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000077109a30 7 bytes JMP 000000016fff00d8 .text C:\Program Files\Lenovo\Password Manager\password_manager.exe[5136] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000771194c0 5 bytes JMP 000000016fff0180 .text C:\Program Files\Lenovo\Password Manager\password_manager.exe[5136] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 0000000077119630 5 bytes JMP 000000016fff0110 .text C:\Program Files\Lenovo\Password Manager\password_manager.exe[5136] C:\Windows\system32\kernel32.dll!RegSetValueExA 00000000771387e0 7 bytes JMP 000000016fff0228 .text C:\Program Files\Lenovo\Password Manager\password_manager.exe[5136] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd442db0 5 bytes JMP 000007fffd220180 .text C:\Program Files\Lenovo\Password Manager\password_manager.exe[5136] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd4437d0 7 bytes JMP 000007fffd2200d8 .text C:\Program Files\Lenovo\Password Manager\password_manager.exe[5136] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd448ef0 6 bytes JMP 000007fffd220148 .text C:\Program Files\Lenovo\Password Manager\password_manager.exe[5136] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd45af60 5 bytes JMP 000007fffd220110 .text C:\Program Files\Lenovo\Password Manager\password_manager.exe[5136] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefdb689e0 8 bytes JMP 000007fffd2201f0 .text C:\Program Files\Lenovo\Password Manager\password_manager.exe[5136] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefdb6be40 8 bytes JMP 000007fffd2201b8 .text C:\Program Files\Lenovo\Password Manager\password_manager.exe[5136] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefea97490 11 bytes JMP 000007fffd220228 .text C:\Program Files\Lenovo\Password Manager\password_manager.exe[5136] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefeaabf00 7 bytes JMP 000007fffd220260 .text C:\Windows\System32\igfxpers.exe[5256] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd442db0 5 bytes JMP 000007fffd430180 .text C:\Windows\System32\igfxpers.exe[5256] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd4437d0 7 bytes JMP 000007fffd4300d8 .text C:\Windows\System32\igfxpers.exe[5256] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd448ef0 6 bytes JMP 000007fffd430148 .text C:\Windows\System32\igfxpers.exe[5256] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd45af60 5 bytes JMP 000007fffd430110 .text C:\Windows\System32\igfxpers.exe[5256] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefdb689e0 8 bytes JMP 000007fffd4301f0 .text C:\Windows\System32\igfxpers.exe[5256] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefdb6be40 8 bytes JMP 000007fffd4301b8 .text C:\Windows\System32\igfxpers.exe[5256] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefea97490 11 bytes JMP 000007fffd430228 .text C:\Windows\System32\igfxpers.exe[5256] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefeaabf00 7 bytes JMP 000007fffd430260 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[5356] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd442db0 5 bytes JMP 000007fffd430180 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[5356] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd4437d0 7 bytes JMP 000007fffd4300d8 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[5356] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd448ef0 6 bytes JMP 000007fffd430148 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[5356] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd45af60 5 bytes JMP 000007fffd430110 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[5356] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefdb689e0 8 bytes JMP 000007fffd4301f0 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[5356] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefdb6be40 8 bytes JMP 000007fffd4301b8 .text C:\Program Files\ActivIdentity\ActivClient\acevents.exe[5372] C:\Windows\system32\kernel32.dll!RegSetValueExW 00000000770aa400 7 bytes JMP 000000016fff0260 .text C:\Program Files\ActivIdentity\ActivClient\acevents.exe[5372] C:\Windows\system32\kernel32.dll!RegQueryValueExW 00000000770b3f20 5 bytes JMP 000000016fff01b8 .text C:\Program Files\ActivIdentity\ActivClient\acevents.exe[5372] C:\Windows\system32\kernel32.dll!RegDeleteValueW 00000000770cffb0 5 bytes JMP 000000016fff01f0 .text C:\Program Files\ActivIdentity\ActivClient\acevents.exe[5372] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 00000000770df2e0 5 bytes JMP 000000016fff0148 .text C:\Program Files\ActivIdentity\ActivClient\acevents.exe[5372] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000077109a30 7 bytes JMP 000000016fff00d8 .text C:\Program Files\ActivIdentity\ActivClient\acevents.exe[5372] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000771194c0 5 bytes JMP 000000016fff0180 .text C:\Program Files\ActivIdentity\ActivClient\acevents.exe[5372] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 0000000077119630 5 bytes JMP 000000016fff0110 .text C:\Program Files\ActivIdentity\ActivClient\acevents.exe[5372] C:\Windows\system32\kernel32.dll!RegSetValueExA 00000000771387e0 7 bytes JMP 000000016fff0228 .text C:\Program Files\ActivIdentity\ActivClient\acevents.exe[5372] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd442db0 5 bytes JMP 000007fffd430180 .text C:\Program Files\ActivIdentity\ActivClient\acevents.exe[5372] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd4437d0 7 bytes JMP 000007fffd4300d8 .text C:\Program Files\ActivIdentity\ActivClient\acevents.exe[5372] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd448ef0 6 bytes JMP 000007fffd430148 .text C:\Program Files\ActivIdentity\ActivClient\acevents.exe[5372] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd45af60 5 bytes JMP 000007fffd430110 .text C:\Program Files\ActivIdentity\ActivClient\acevents.exe[5372] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefdb689e0 8 bytes JMP 000007fffd4301f0 .text C:\Program Files\ActivIdentity\ActivClient\acevents.exe[5372] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefdb6be40 8 bytes JMP 000007fffd4301b8 .text C:\Program Files\ActivIdentity\ActivClient\acevents.exe[5372] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefea97490 11 bytes JMP 000007fffd430228 .text C:\Program Files\ActivIdentity\ActivClient\acevents.exe[5372] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefeaabf00 7 bytes JMP 000007fffd430260 .text C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe[5436] C:\Windows\system32\kernel32.dll!RegSetValueExW 00000000770aa400 7 bytes JMP 000000016fff0260 .text C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe[5436] C:\Windows\system32\kernel32.dll!RegQueryValueExW 00000000770b3f20 5 bytes JMP 000000016fff01b8 .text C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe[5436] C:\Windows\system32\kernel32.dll!RegDeleteValueW 00000000770cffb0 5 bytes JMP 000000016fff01f0 .text C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe[5436] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 00000000770df2e0 5 bytes JMP 000000016fff0148 .text C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe[5436] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000077109a30 7 bytes JMP 000000016fff00d8 .text C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe[5436] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000771194c0 5 bytes JMP 000000016fff0180 .text C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe[5436] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 0000000077119630 5 bytes JMP 000000016fff0110 .text C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe[5436] C:\Windows\system32\kernel32.dll!RegSetValueExA 00000000771387e0 7 bytes JMP 000000016fff0228 .text C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe[5436] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd442db0 5 bytes JMP 000007fffd430180 .text C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe[5436] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd4437d0 7 bytes JMP 000007fffd4300d8 .text C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe[5436] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd448ef0 6 bytes JMP 000007fffd430148 .text C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe[5436] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd45af60 5 bytes JMP 000007fffd430110 .text C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe[5436] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefdb689e0 8 bytes JMP 000007fffd4301f0 .text C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe[5436] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefdb6be40 8 bytes JMP 000007fffd4301b8 .text C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe[5436] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefea97490 11 bytes JMP 000007fffd430228 .text C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe[5436] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefeaabf00 7 bytes JMP 000007fffd430260 .text C:\Program Files\ActivIdentity\ActivClient\acsagent.exe[5528] C:\Windows\system32\kernel32.dll!RegSetValueExW 00000000770aa400 7 bytes JMP 000000016fff0260 .text C:\Program Files\ActivIdentity\ActivClient\acsagent.exe[5528] C:\Windows\system32\kernel32.dll!RegQueryValueExW 00000000770b3f20 5 bytes JMP 000000016fff01b8 .text C:\Program Files\ActivIdentity\ActivClient\acsagent.exe[5528] C:\Windows\system32\kernel32.dll!RegDeleteValueW 00000000770cffb0 5 bytes JMP 000000016fff01f0 .text C:\Program Files\ActivIdentity\ActivClient\acsagent.exe[5528] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 00000000770df2e0 5 bytes JMP 000000016fff0148 .text C:\Program Files\ActivIdentity\ActivClient\acsagent.exe[5528] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000077109a30 7 bytes JMP 000000016fff00d8 .text C:\Program Files\ActivIdentity\ActivClient\acsagent.exe[5528] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000771194c0 5 bytes JMP 000000016fff0180 .text C:\Program Files\ActivIdentity\ActivClient\acsagent.exe[5528] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 0000000077119630 5 bytes JMP 000000016fff0110 .text C:\Program Files\ActivIdentity\ActivClient\acsagent.exe[5528] C:\Windows\system32\kernel32.dll!RegSetValueExA 00000000771387e0 7 bytes JMP 000000016fff0228 .text C:\Program Files\ActivIdentity\ActivClient\acsagent.exe[5528] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd442db0 5 bytes JMP 000007fffd430180 .text C:\Program Files\ActivIdentity\ActivClient\acsagent.exe[5528] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd4437d0 7 bytes JMP 000007fffd4300d8 .text C:\Program Files\ActivIdentity\ActivClient\acsagent.exe[5528] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd448ef0 6 bytes JMP 000007fffd430148 .text C:\Program Files\ActivIdentity\ActivClient\acsagent.exe[5528] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd45af60 5 bytes JMP 000007fffd430110 .text C:\Program Files\ActivIdentity\ActivClient\acsagent.exe[5528] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefdb689e0 8 bytes JMP 000007fffd4301f0 .text C:\Program Files\ActivIdentity\ActivClient\acsagent.exe[5528] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefdb6be40 8 bytes JMP 000007fffd4301b8 .text C:\Program Files\ActivIdentity\ActivClient\acsagent.exe[5528] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefea97490 11 bytes JMP 000007fffd430228 .text C:\Program Files\ActivIdentity\ActivClient\acsagent.exe[5528] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefeaabf00 7 bytes JMP 000007fffd430260 .text C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe[5604] C:\Windows\system32\kernel32.dll!RegSetValueExW 00000000770aa400 7 bytes JMP 000000016fff0260 .text C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe[5604] C:\Windows\system32\kernel32.dll!RegQueryValueExW 00000000770b3f20 5 bytes JMP 000000016fff01b8 .text C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe[5604] C:\Windows\system32\kernel32.dll!RegDeleteValueW 00000000770cffb0 5 bytes JMP 000000016fff01f0 .text C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe[5604] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 00000000770df2e0 5 bytes JMP 000000016fff0148 .text C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe[5604] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000077109a30 7 bytes JMP 000000016fff00d8 .text C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe[5604] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000771194c0 5 bytes JMP 000000016fff0180 .text C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe[5604] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 0000000077119630 5 bytes JMP 000000016fff0110 .text C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe[5604] C:\Windows\system32\kernel32.dll!RegSetValueExA 00000000771387e0 7 bytes JMP 000000016fff0228 .text C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe[5604] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd442db0 5 bytes JMP 000007fffd430180 .text C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe[5604] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd4437d0 7 bytes JMP 000007fffd4300d8 .text C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe[5604] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd448ef0 6 bytes JMP 000007fffd430148 .text C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe[5604] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd45af60 5 bytes JMP 000007fffd430110 .text C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe[5604] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefdb689e0 8 bytes JMP 000007fffd4301f0 .text C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe[5604] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefdb6be40 8 bytes JMP 000007fffd4301b8 .text C:\Program Files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe[5644] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd442db0 5 bytes JMP 000007fffd430180 .text C:\Program Files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe[5644] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd4437d0 7 bytes JMP 000007fffd4300d8 .text C:\Program Files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe[5644] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd448ef0 6 bytes JMP 000007fffd430148 .text C:\Program Files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe[5644] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd45af60 5 bytes JMP 000007fffd430110 .text C:\Program Files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe[5644] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefdb689e0 8 bytes JMP 000007fffd4301f0 .text C:\Program Files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe[5644] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefdb6be40 8 bytes JMP 000007fffd4301b8 .text C:\Program Files (x86)\X-Rite\PANTONE Color Calibrator\Color Calibrator Tray.exe[5652] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000075c61f0e 7 bytes JMP 0000000170331695 .text C:\Program Files (x86)\X-Rite\PANTONE Color Calibrator\Color Calibrator Tray.exe[5652] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000075c65bad 7 bytes JMP 00000001703311a9 .text C:\Program Files (x86)\X-Rite\PANTONE Color Calibrator\Color Calibrator Tray.exe[5652] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000075c71409 7 bytes JMP 000000017033128a .text C:\Program Files (x86)\X-Rite\PANTONE Color Calibrator\Color Calibrator Tray.exe[5652] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 0000000075c7ea45 7 bytes JMP 0000000170331244 .text C:\Program Files (x86)\X-Rite\PANTONE Color Calibrator\Color Calibrator Tray.exe[5652] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 0000000075c8b21b 5 bytes JMP 00000001703315aa .text C:\Program Files (x86)\X-Rite\PANTONE Color Calibrator\Color Calibrator Tray.exe[5652] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000075d08e24 7 bytes JMP 0000000170331339 .text C:\Program Files (x86)\X-Rite\PANTONE Color Calibrator\Color Calibrator Tray.exe[5652] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000075d08ea9 5 bytes JMP 00000001703316d6 .text C:\Program Files (x86)\X-Rite\PANTONE Color Calibrator\Color Calibrator Tray.exe[5652] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000075d091ff 5 bytes JMP 000000017033170d .text C:\Program Files (x86)\X-Rite\PANTONE Color Calibrator\Color Calibrator Tray.exe[5652] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075fa1d29 5 bytes JMP 00000001703311c2 .text C:\Program Files (x86)\X-Rite\PANTONE Color Calibrator\Color Calibrator Tray.exe[5652] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075fa1dd7 5 bytes JMP 0000000170331014 .text C:\Program Files (x86)\X-Rite\PANTONE Color Calibrator\Color Calibrator Tray.exe[5652] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075fa2ab1 5 bytes JMP 0000000170331555 .text C:\Program Files (x86)\X-Rite\PANTONE Color Calibrator\Color Calibrator Tray.exe[5652] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075fa2d17 5 bytes JMP 0000000170331271 .text C:\Program Files (x86)\X-Rite\PANTONE Color Calibrator\Color Calibrator Tray.exe[5652] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000075858a29 5 bytes JMP 0000000170331726 .text C:\Program Files (x86)\X-Rite\PANTONE Color Calibrator\Color Calibrator Tray.exe[5652] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000075864572 5 bytes JMP 00000001703310a0 .text C:\Program Files (x86)\X-Rite\PANTONE Color Calibrator\Color Calibrator Tray.exe[5652] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 000000007587e567 5 bytes JMP 0000000170331415 .text C:\Program Files (x86)\X-Rite\PANTONE Color Calibrator\Color Calibrator Tray.exe[5652] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 00000000758b7a5c 5 bytes JMP 00000001703315d2 .text C:\Program Files (x86)\X-Rite\PANTONE Color Calibrator\Color Calibrator Tray.exe[5652] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007524e96b 5 bytes JMP 00000001703315c3 .text C:\Program Files (x86)\X-Rite\PANTONE Color Calibrator\Color Calibrator Tray.exe[5652] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007524eba5 5 bytes JMP 0000000170331186 .text C:\Program Files (x86)\X-Rite\PANTONE Color Calibrator\Color Calibrator Tray.exe[5652] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000075505ea5 5 bytes JMP 00000001703315fa .text C:\Program Files (x86)\X-Rite\PANTONE Color Calibrator\Color Calibrator Tray.exe[5652] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075539d0b 5 bytes JMP 000000017033121c .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[5684] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000075c61f0e 7 bytes JMP 0000000170331695 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[5684] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000075c65bad 7 bytes JMP 00000001703311a9 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[5684] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000075c71409 7 bytes JMP 000000017033128a .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[5684] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 0000000075c7ea45 7 bytes JMP 0000000170331244 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[5684] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 0000000075c8b21b 5 bytes JMP 00000001703315aa .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[5684] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000075d08e24 7 bytes JMP 0000000170331339 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[5684] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000075d08ea9 5 bytes JMP 00000001703316d6 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[5684] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000075d091ff 5 bytes JMP 000000017033170d .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[5684] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075fa1d29 5 bytes JMP 00000001703311c2 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[5684] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075fa1dd7 5 bytes JMP 0000000170331014 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[5684] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075fa2ab1 5 bytes JMP 0000000170331555 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[5684] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075fa2d17 5 bytes JMP 0000000170331271 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[5684] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007524e96b 5 bytes JMP 00000001703315c3 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[5684] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007524eba5 5 bytes JMP 0000000170331186 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[5684] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000075858a29 5 bytes JMP 0000000170331726 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[5684] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000075864572 5 bytes JMP 00000001703310a0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[5684] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 000000007587e567 5 bytes JMP 0000000170331415 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[5684] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 00000000758b7a5c 5 bytes JMP 00000001703315d2 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[5684] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000075505ea5 5 bytes JMP 00000001703315fa .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[5684] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075539d0b 5 bytes JMP 000000017033121c .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[5792] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000774bf9e0 5 bytes JMP 000000016ec2ea93 .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[5792] C:\Windows\SysWOW64\ntdll.dll!NtOpenKey 00000000774bfa28 5 bytes JMP 000000016ec2f0f8 .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[5792] C:\Windows\SysWOW64\ntdll.dll!NtEnumerateValueKey 00000000774bfa40 5 bytes JMP 000000016ec2d830 .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[5792] C:\Windows\SysWOW64\ntdll.dll!NtQueryKey 00000000774bfa90 5 bytes JMP 000000016ec2d38c .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[5792] C:\Windows\SysWOW64\ntdll.dll!NtQueryValueKey 00000000774bfaa8 5 bytes JMP 000000016ec2d67d .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[5792] C:\Windows\SysWOW64\ntdll.dll!NtCreateKey 00000000774bfb40 5 bytes JMP 000000016ec2f338 .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[5792] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile 00000000774bfc38 5 bytes JMP 000000016ec3a713 .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[5792] C:\Windows\SysWOW64\ntdll.dll!NtEnumerateKey 00000000774bfd4c 5 bytes JMP 000000016ec2d1d4 .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[5792] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000774bfd64 5 bytes JMP 000000016ec39d35 .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[5792] C:\Windows\SysWOW64\ntdll.dll!NtQueryDirectoryFile 00000000774bfd98 5 bytes JMP 000000016ec3a030 .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[5792] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 00000000774bfe44 5 bytes JMP 000000016ec2e668 .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[5792] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile 00000000774bfe5c 5 bytes JMP 000000016ec39e5e .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[5792] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774c00b4 5 bytes JMP 000000016ec39b7a .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[5792] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000774c01c4 5 bytes JMP 000000016ec2d9d8 .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[5792] C:\Windows\SysWOW64\ntdll.dll!NtCreateKeyTransacted 00000000774c0754 5 bytes JMP 000000016ec2f3da .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[5792] C:\Windows\SysWOW64\ntdll.dll!NtDeleteFile 00000000774c09e4 5 bytes JMP 000000016ec39d72 .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[5792] C:\Windows\SysWOW64\ntdll.dll!NtDeleteKey 00000000774c09fc 5 bytes JMP 000000016ec2cfa8 .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[5792] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 00000000774c0a44 5 bytes JMP 000000016ec2db8e .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[5792] C:\Windows\SysWOW64\ntdll.dll!NtFlushKey 00000000774c0b80 5 bytes JMP 000000016ec2d0be .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[5792] C:\Windows\SysWOW64\ntdll.dll!NtNotifyChangeKey 00000000774c0f70 5 bytes JMP 000000016ec2e01b .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[5792] C:\Windows\SysWOW64\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774c0f88 5 bytes JMP 000000016ec2e1b7 .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[5792] C:\Windows\SysWOW64\ntdll.dll!NtOpenKeyEx 00000000774c1018 5 bytes JMP 000000016ec2f185 .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[5792] C:\Windows\SysWOW64\ntdll.dll!NtOpenKeyTransacted 00000000774c1030 5 bytes JMP 000000016ec2f2a8 .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[5792] C:\Windows\SysWOW64\ntdll.dll!NtOpenKeyTransactedEx 00000000774c1048 5 bytes JMP 000000016ec2f215 .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[5792] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile 00000000774c133c 5 bytes JMP 000000016ec39f47 .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[5792] C:\Windows\SysWOW64\ntdll.dll!NtQueryMultipleValueKey 00000000774c147c 5 bytes JMP 000000016ec2de8e .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[5792] C:\Windows\SysWOW64\ntdll.dll!NtQuerySecurityObject 00000000774c1528 5 bytes JMP 000000016ec2e37b .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[5792] C:\Windows\SysWOW64\ntdll.dll!NtRenameKey 00000000774c1718 5 bytes JMP 000000016ec2dd06 .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[5792] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationKey 00000000774c1a58 5 bytes JMP 000000016ec2d535 .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[5792] C:\Windows\SysWOW64\ntdll.dll!NtSetSecurityObject 00000000774c1b9c 5 bytes JMP 000000016ec2e4fd .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[5792] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000075c6103d 5 bytes JMP 000000016ec13904 .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[5792] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075c61072 5 bytes JMP 000000016ec13d68 .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[5792] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000075c61f0e 7 bytes JMP 0000000170331695 .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[5792] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000075c65bad 7 bytes JMP 00000001703311a9 .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[5792] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000075c71409 7 bytes JMP 000000017033128a .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[5792] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 0000000075c7ea45 7 bytes JMP 0000000170331244 .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[5792] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 0000000075c8b21b 5 bytes JMP 00000001703315aa .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[5792] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000075c8c9b5 5 bytes JMP 000000016ec13a1e .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[5792] C:\Windows\syswow64\kernel32.dll!WinExec 0000000075ce2ff1 5 bytes JMP 000000016ec13c62 .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[5792] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000075d08e24 7 bytes JMP 0000000170331339 .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[5792] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000075d08ea9 5 bytes JMP 00000001703316d6 .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[5792] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000075d091ff 5 bytes JMP 000000017033170d .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[5792] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000075858a29 5 bytes JMP 0000000170331726 .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[5792] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000075864572 5 bytes JMP 00000001703310a0 .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[5792] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 000000007587e567 5 bytes JMP 0000000170331415 .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[5792] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 00000000758b7a5c 5 bytes JMP 00000001703315d2 .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[5792] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007524e96b 5 bytes JMP 00000001703315c3 .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[5792] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007524eba5 5 bytes JMP 0000000170331186 .text C:\Program Files (x86)\Lenovo\Password Manager\pwm_ie_helper_desktop.exe[5904] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000075c61f0e 7 bytes JMP 0000000170331695 .text C:\Program Files (x86)\Lenovo\Password Manager\pwm_ie_helper_desktop.exe[5904] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000075c65bad 7 bytes JMP 00000001703311a9 .text C:\Program Files (x86)\Lenovo\Password Manager\pwm_ie_helper_desktop.exe[5904] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000075c71409 7 bytes JMP 000000017033128a .text C:\Program Files (x86)\Lenovo\Password Manager\pwm_ie_helper_desktop.exe[5904] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 0000000075c7ea45 7 bytes JMP 0000000170331244 .text C:\Program Files (x86)\Lenovo\Password Manager\pwm_ie_helper_desktop.exe[5904] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 0000000075c8b21b 5 bytes JMP 00000001703315aa .text C:\Program Files (x86)\Lenovo\Password Manager\pwm_ie_helper_desktop.exe[5904] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000075d08e24 7 bytes JMP 0000000170331339 .text C:\Program Files (x86)\Lenovo\Password Manager\pwm_ie_helper_desktop.exe[5904] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000075d08ea9 5 bytes JMP 00000001703316d6 .text C:\Program Files (x86)\Lenovo\Password Manager\pwm_ie_helper_desktop.exe[5904] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000075d091ff 5 bytes JMP 000000017033170d .text C:\Program Files (x86)\Lenovo\Password Manager\pwm_ie_helper_desktop.exe[5904] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075fa1d29 5 bytes JMP 00000001703311c2 .text C:\Program Files (x86)\Lenovo\Password Manager\pwm_ie_helper_desktop.exe[5904] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075fa1dd7 5 bytes JMP 0000000170331014 .text C:\Program Files (x86)\Lenovo\Password Manager\pwm_ie_helper_desktop.exe[5904] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075fa2ab1 5 bytes JMP 0000000170331555 .text C:\Program Files (x86)\Lenovo\Password Manager\pwm_ie_helper_desktop.exe[5904] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075fa2d17 5 bytes JMP 0000000170331271 .text C:\Program Files (x86)\Lenovo\Password Manager\pwm_ie_helper_desktop.exe[5904] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000075858a29 5 bytes JMP 0000000170331726 .text C:\Program Files (x86)\Lenovo\Password Manager\pwm_ie_helper_desktop.exe[5904] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000075864572 5 bytes JMP 00000001703310a0 .text C:\Program Files (x86)\Lenovo\Password Manager\pwm_ie_helper_desktop.exe[5904] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 000000007587e567 5 bytes JMP 0000000170331415 .text C:\Program Files (x86)\Lenovo\Password Manager\pwm_ie_helper_desktop.exe[5904] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 00000000758b7a5c 5 bytes JMP 00000001703315d2 .text C:\Program Files (x86)\Lenovo\Password Manager\pwm_ie_helper_desktop.exe[5904] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007524e96b 5 bytes JMP 00000001703315c3 .text C:\Program Files (x86)\Lenovo\Password Manager\pwm_ie_helper_desktop.exe[5904] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007524eba5 5 bytes JMP 0000000170331186 .text C:\Program Files (x86)\Lenovo\Password Manager\pwm_ie_helper_desktop.exe[5904] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000075505ea5 5 bytes JMP 00000001703315fa .text C:\Program Files (x86)\Lenovo\Password Manager\pwm_ie_helper_desktop.exe[5904] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075539d0b 5 bytes JMP 000000017033121c .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[5960] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd442db0 5 bytes JMP 000007fffd430180 .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[5960] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd4437d0 7 bytes JMP 000007fffd4300d8 .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[5960] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd448ef0 6 bytes JMP 000007fffd430148 .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[5960] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd45af60 5 bytes JMP 000007fffd430110 .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[5960] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefdb689e0 8 bytes JMP 000007fffd4301f0 .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[5960] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefdb6be40 8 bytes JMP 000007fffd4301b8 .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[5960] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefea97490 11 bytes JMP 000007fffd430228 .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[5960] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefeaabf00 7 bytes JMP 000007fffd430260 .text C:\Program Files (x86)\Lenovo\Password Manager\password_manager.exe[5972] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000075c61f0e 7 bytes JMP 0000000170331695 .text C:\Program Files (x86)\Lenovo\Password Manager\password_manager.exe[5972] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000075c65bad 7 bytes JMP 00000001703311a9 .text C:\Program Files (x86)\Lenovo\Password Manager\password_manager.exe[5972] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000075c71409 7 bytes JMP 000000017033128a .text C:\Program Files (x86)\Lenovo\Password Manager\password_manager.exe[5972] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 0000000075c7ea45 7 bytes JMP 0000000170331244 .text C:\Program Files (x86)\Lenovo\Password Manager\password_manager.exe[5972] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 0000000075c8b21b 5 bytes JMP 00000001703315aa .text C:\Program Files (x86)\Lenovo\Password Manager\password_manager.exe[5972] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000075d08e24 7 bytes JMP 0000000170331339 .text C:\Program Files (x86)\Lenovo\Password Manager\password_manager.exe[5972] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000075d08ea9 5 bytes JMP 00000001703316d6 .text C:\Program Files (x86)\Lenovo\Password Manager\password_manager.exe[5972] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000075d091ff 5 bytes JMP 000000017033170d .text C:\Program Files (x86)\Lenovo\Password Manager\password_manager.exe[5972] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075fa1d29 5 bytes JMP 00000001703311c2 .text C:\Program Files (x86)\Lenovo\Password Manager\password_manager.exe[5972] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075fa1dd7 5 bytes JMP 0000000170331014 .text C:\Program Files (x86)\Lenovo\Password Manager\password_manager.exe[5972] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075fa2ab1 5 bytes JMP 0000000170331555 .text C:\Program Files (x86)\Lenovo\Password Manager\password_manager.exe[5972] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075fa2d17 5 bytes JMP 0000000170331271 .text C:\Program Files (x86)\Lenovo\Password Manager\password_manager.exe[5972] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000075858a29 5 bytes JMP 0000000170331726 .text C:\Program Files (x86)\Lenovo\Password Manager\password_manager.exe[5972] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000075864572 5 bytes JMP 00000001703310a0 .text C:\Program Files (x86)\Lenovo\Password Manager\password_manager.exe[5972] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 000000007587e567 5 bytes JMP 0000000170331415 .text C:\Program Files (x86)\Lenovo\Password Manager\password_manager.exe[5972] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 00000000758b7a5c 5 bytes JMP 00000001703315d2 .text C:\Program Files (x86)\Lenovo\Password Manager\password_manager.exe[5972] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007524e96b 5 bytes JMP 00000001703315c3 .text C:\Program Files (x86)\Lenovo\Password Manager\password_manager.exe[5972] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007524eba5 5 bytes JMP 0000000170331186 .text C:\Program Files (x86)\Lenovo\Password Manager\password_manager.exe[5972] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000075505ea5 5 bytes JMP 00000001703315fa .text C:\Program Files (x86)\Lenovo\Password Manager\password_manager.exe[5972] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075539d0b 5 bytes JMP 000000017033121c .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[6096] C:\Windows\system32\KERNEL32.dll!RegSetValueExW 00000000770aa400 7 bytes JMP 000000016fff0260 .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[6096] C:\Windows\system32\KERNEL32.dll!RegQueryValueExW 00000000770b3f20 5 bytes JMP 000000016fff01b8 .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[6096] C:\Windows\system32\KERNEL32.dll!RegDeleteValueW 00000000770cffb0 5 bytes JMP 000000016fff01f0 .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[6096] C:\Windows\system32\KERNEL32.dll!K32GetMappedFileNameW 00000000770df2e0 5 bytes JMP 000000016fff0148 .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[6096] C:\Windows\system32\KERNEL32.dll!K32EnumProcessModulesEx 0000000077109a30 7 bytes JMP 000000016fff00d8 .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[6096] C:\Windows\system32\KERNEL32.dll!K32GetModuleInformation 00000000771194c0 5 bytes JMP 000000016fff0180 .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[6096] C:\Windows\system32\KERNEL32.dll!K32GetModuleFileNameExW 0000000077119630 5 bytes JMP 000000016fff0110 .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[6096] C:\Windows\system32\KERNEL32.dll!RegSetValueExA 00000000771387e0 7 bytes JMP 000000016fff0228 .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[6096] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd442db0 5 bytes JMP 000007fffd430180 .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[6096] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd4437d0 7 bytes JMP 000007fffd4300d8 .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[6096] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd448ef0 6 bytes JMP 000007fffd430148 .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[6096] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd45af60 5 bytes JMP 000007fffd430110 .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[6096] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefdb689e0 8 bytes JMP 000007fffd4301f0 .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[6096] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefdb6be40 8 bytes JMP 000007fffd4301b8 .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[6096] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefea97490 11 bytes JMP 000007fffd430228 .text C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe[6096] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefeaabf00 7 bytes JMP 000007fffd430260 .text C:\Windows\system32\wbem\unsecapp.exe[5480] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd442db0 5 bytes JMP 000007fffd430180 .text C:\Windows\system32\wbem\unsecapp.exe[5480] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd4437d0 7 bytes JMP 000007fffd4300d8 .text C:\Windows\system32\wbem\unsecapp.exe[5480] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd448ef0 6 bytes JMP 000007fffd430148 .text C:\Windows\system32\wbem\unsecapp.exe[5480] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd45af60 5 bytes JMP 000007fffd430110 .text C:\Windows\system32\wbem\unsecapp.exe[5480] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefea97490 11 bytes JMP 000007fffd430228 .text C:\Windows\system32\wbem\unsecapp.exe[5480] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefeaabf00 7 bytes JMP 000007fffd430260 .text C:\Windows\system32\wbem\unsecapp.exe[5480] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefdb689e0 8 bytes JMP 000007fffd4301f0 .text C:\Windows\system32\wbem\unsecapp.exe[5480] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefdb6be40 8 bytes JMP 000007fffd4301b8 .text C:\Program Files (x86)\ThinkPad\Utilities\SCHTASK.exe[5788] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000075c61f0e 7 bytes JMP 0000000170331695 .text C:\Program Files (x86)\ThinkPad\Utilities\SCHTASK.exe[5788] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000075c65bad 7 bytes JMP 00000001703311a9 .text C:\Program Files (x86)\ThinkPad\Utilities\SCHTASK.exe[5788] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000075c71409 7 bytes JMP 000000017033128a .text C:\Program Files (x86)\ThinkPad\Utilities\SCHTASK.exe[5788] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 0000000075c7ea45 7 bytes JMP 0000000170331244 .text C:\Program Files (x86)\ThinkPad\Utilities\SCHTASK.exe[5788] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 0000000075c8b21b 5 bytes JMP 00000001703315aa .text C:\Program Files (x86)\ThinkPad\Utilities\SCHTASK.exe[5788] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000075d08e24 7 bytes JMP 0000000170331339 .text C:\Program Files (x86)\ThinkPad\Utilities\SCHTASK.exe[5788] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000075d08ea9 5 bytes JMP 00000001703316d6 .text C:\Program Files (x86)\ThinkPad\Utilities\SCHTASK.exe[5788] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000075d091ff 5 bytes JMP 000000017033170d .text C:\Program Files (x86)\ThinkPad\Utilities\SCHTASK.exe[5788] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075fa1d29 5 bytes JMP 00000001703311c2 .text C:\Program Files (x86)\ThinkPad\Utilities\SCHTASK.exe[5788] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075fa1dd7 5 bytes JMP 0000000170331014 .text C:\Program Files (x86)\ThinkPad\Utilities\SCHTASK.exe[5788] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075fa2ab1 5 bytes JMP 0000000170331555 .text C:\Program Files (x86)\ThinkPad\Utilities\SCHTASK.exe[5788] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075fa2d17 5 bytes JMP 0000000170331271 .text C:\Program Files (x86)\ThinkPad\Utilities\SCHTASK.exe[5788] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000075858a29 5 bytes JMP 0000000170331726 .text C:\Program Files (x86)\ThinkPad\Utilities\SCHTASK.exe[5788] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000075864572 5 bytes JMP 00000001703310a0 .text C:\Program Files (x86)\ThinkPad\Utilities\SCHTASK.exe[5788] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 000000007587e567 5 bytes JMP 0000000170331415 .text C:\Program Files (x86)\ThinkPad\Utilities\SCHTASK.exe[5788] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 00000000758b7a5c 5 bytes JMP 00000001703315d2 .text C:\Program Files (x86)\ThinkPad\Utilities\SCHTASK.exe[5788] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007524e96b 5 bytes JMP 00000001703315c3 .text C:\Program Files (x86)\ThinkPad\Utilities\SCHTASK.exe[5788] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007524eba5 5 bytes JMP 0000000170331186 .text C:\Program Files (x86)\ThinkPad\Utilities\SCHTASK.exe[5788] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000075505ea5 5 bytes JMP 00000001703315fa .text C:\Program Files (x86)\ThinkPad\Utilities\SCHTASK.exe[5788] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075539d0b 5 bytes JMP 000000017033121c .text C:\Windows\SysWOW64\RunDll32.exe[5324] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000751f1465 2 bytes [1F, 75] .text C:\Windows\SysWOW64\RunDll32.exe[5324] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000751f14bb 2 bytes [1F, 75] .text ... * 2 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000774bf9e0 5 bytes JMP 000000016ec2ea93 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtOpenKey 00000000774bfa28 5 bytes JMP 000000016ec2f0f8 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtEnumerateValueKey 00000000774bfa40 5 bytes JMP 000000016ec2d830 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtQueryKey 00000000774bfa90 5 bytes JMP 000000016ec2d38c .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtQueryValueKey 00000000774bfaa8 5 bytes JMP 000000016ec2d67d .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtCreateKey 00000000774bfb40 5 bytes JMP 000000016ec2f338 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile 00000000774bfc38 5 bytes JMP 000000016ec3a713 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtEnumerateKey 00000000774bfd4c 5 bytes JMP 000000016ec2d1d4 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000774bfd64 5 bytes JMP 000000016ec39d35 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtQueryDirectoryFile 00000000774bfd98 5 bytes JMP 000000016ec3a030 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 00000000774bfe44 5 bytes JMP 000000016ec2e668 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile 00000000774bfe5c 5 bytes JMP 000000016ec39e5e .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774c00b4 5 bytes JMP 000000016ec39b7a .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000774c01c4 5 bytes JMP 000000016ec2d9d8 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtCreateKeyTransacted 00000000774c0754 5 bytes JMP 000000016ec2f3da .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtDeleteFile 00000000774c09e4 5 bytes JMP 000000016ec39d72 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtDeleteKey 00000000774c09fc 5 bytes JMP 000000016ec2cfa8 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 00000000774c0a44 5 bytes JMP 000000016ec2db8e .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtFlushKey 00000000774c0b80 5 bytes JMP 000000016ec2d0be .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtNotifyChangeKey 00000000774c0f70 5 bytes JMP 000000016ec2e01b .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774c0f88 5 bytes JMP 000000016ec2e1b7 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtOpenKeyEx 00000000774c1018 5 bytes JMP 000000016ec2f185 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtOpenKeyTransacted 00000000774c1030 5 bytes JMP 000000016ec2f2a8 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtOpenKeyTransactedEx 00000000774c1048 5 bytes JMP 000000016ec2f215 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile 00000000774c133c 5 bytes JMP 000000016ec39f47 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtQueryMultipleValueKey 00000000774c147c 5 bytes JMP 000000016ec2de8e .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtQuerySecurityObject 00000000774c1528 5 bytes JMP 000000016ec2e37b .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtRenameKey 00000000774c1718 5 bytes JMP 000000016ec2dd06 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationKey 00000000774c1a58 5 bytes JMP 000000016ec2d535 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtSetSecurityObject 00000000774c1b9c 5 bytes JMP 000000016ec2e4fd .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[5368] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000075c6103d 5 bytes JMP 000000016ec13904 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[5368] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075c61072 5 bytes JMP 000000016ec13d68 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[5368] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000075c61f0e 7 bytes JMP 0000000170331695 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[5368] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000075c65bad 7 bytes JMP 00000001703311a9 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[5368] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000075c71409 7 bytes JMP 000000017033128a .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[5368] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 0000000075c7ea45 7 bytes JMP 0000000170331244 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[5368] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 0000000075c8b21b 5 bytes JMP 00000001703315aa .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[5368] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000075c8c9b5 5 bytes JMP 000000016ec13a1e .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[5368] C:\Windows\syswow64\kernel32.dll!WinExec 0000000075ce2ff1 5 bytes JMP 000000016ec13c62 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[5368] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000075d08e24 7 bytes JMP 0000000170331339 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[5368] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000075d08ea9 5 bytes JMP 00000001703316d6 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[5368] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000075d091ff 5 bytes JMP 000000017033170d .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[5368] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075132642 5 bytes JMP 000000016ec13f75 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[5368] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000075858a29 5 bytes JMP 0000000170331726 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[5368] C:\Windows\syswow64\USER32.dll!RegisterClipboardFormatW 0000000075859ebd 5 bytes JMP 000000016c0d99ff .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[5368] C:\Windows\syswow64\USER32.dll!RegisterClipboardFormatA 0000000075860afa 5 bytes JMP 000000016c0de26c .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[5368] C:\Windows\syswow64\USER32.dll!BeginPaint 0000000075861361 5 bytes JMP 000000016c0ec8b4 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[5368] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000075864572 5 bytes JMP 00000001703310a0 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[5368] C:\Windows\syswow64\USER32.dll!ValidateRect 0000000075867849 5 bytes JMP 000000016c261f12 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[5368] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 000000007587e567 5 bytes JMP 0000000170331415 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[5368] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 00000000758b7a5c 5 bytes JMP 00000001703315d2 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[5368] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007524e96b 5 bytes JMP 00000001703315c3 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[5368] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007524eba5 5 bytes JMP 0000000170331186 .text C:\Windows\system32\taskeng.exe[972] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd442db0 5 bytes JMP 000007fffd430180 .text C:\Windows\system32\taskeng.exe[972] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd4437d0 7 bytes JMP 000007fffd4300d8 .text C:\Windows\system32\taskeng.exe[972] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd448ef0 6 bytes JMP 000007fffd430148 .text C:\Windows\system32\taskeng.exe[972] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd45af60 5 bytes JMP 000007fffd430110 .text C:\Windows\system32\taskeng.exe[972] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefdb689e0 8 bytes JMP 000007fffd4301f0 .text C:\Windows\system32\taskeng.exe[972] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefdb6be40 8 bytes JMP 000007fffd4301b8 .text C:\Windows\system32\taskeng.exe[972] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefea97490 11 bytes JMP 000007fffd430228 .text C:\Windows\system32\taskeng.exe[972] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefeaabf00 7 bytes JMP 000007fffd430260 .text C:\Program Files\Lenovo\Lenovo Solution Center\LSCNotify.exe[4704] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000075858a29 5 bytes JMP 0000000170331726 .text C:\Program Files\Lenovo\Lenovo Solution Center\LSCNotify.exe[4704] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000075864572 5 bytes JMP 00000001703310a0 .text C:\Program Files\Lenovo\Lenovo Solution Center\LSCNotify.exe[4704] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 000000007587e567 5 bytes JMP 0000000170331415 .text C:\Program Files\Lenovo\Lenovo Solution Center\LSCNotify.exe[4704] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 00000000758b7a5c 5 bytes JMP 00000001703315d2 .text C:\Program Files\Lenovo\Lenovo Solution Center\LSCNotify.exe[4704] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007524e96b 5 bytes JMP 00000001703315c3 .text C:\Program Files\Lenovo\Lenovo Solution Center\LSCNotify.exe[4704] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007524eba5 5 bytes JMP 0000000170331186 .text C:\Program Files\Lenovo\Lenovo Solution Center\LSCNotify.exe[4704] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000075505ea5 5 bytes JMP 00000001703315fa .text C:\Program Files\Lenovo\Lenovo Solution Center\LSCNotify.exe[4704] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075539d0b 5 bytes JMP 000000017033121c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PrivacyIconClient.exe[7152] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd442db0 5 bytes JMP 000007fffd430180 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PrivacyIconClient.exe[7152] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd4437d0 7 bytes JMP 000007fffd4300d8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PrivacyIconClient.exe[7152] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd448ef0 6 bytes JMP 000007fffd430148 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PrivacyIconClient.exe[7152] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd45af60 5 bytes JMP 000007fffd430110 .text C:\Users\rwi\Desktop\FRST-OlderVersion\jukrdxmo.exe[3328] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000075c61f0e 7 bytes JMP 0000000170331695 .text C:\Users\rwi\Desktop\FRST-OlderVersion\jukrdxmo.exe[3328] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000075c65bad 7 bytes JMP 00000001703311a9 .text C:\Users\rwi\Desktop\FRST-OlderVersion\jukrdxmo.exe[3328] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000075c71409 7 bytes JMP 000000017033128a .text C:\Users\rwi\Desktop\FRST-OlderVersion\jukrdxmo.exe[3328] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 0000000075c7ea45 7 bytes JMP 0000000170331244 .text C:\Users\rwi\Desktop\FRST-OlderVersion\jukrdxmo.exe[3328] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 0000000075c8b21b 5 bytes JMP 00000001703315aa .text C:\Users\rwi\Desktop\FRST-OlderVersion\jukrdxmo.exe[3328] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000075d08e24 7 bytes JMP 0000000170331339 .text C:\Users\rwi\Desktop\FRST-OlderVersion\jukrdxmo.exe[3328] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000075d08ea9 5 bytes JMP 00000001703316d6 .text C:\Users\rwi\Desktop\FRST-OlderVersion\jukrdxmo.exe[3328] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000075d091ff 5 bytes JMP 000000017033170d .text C:\Users\rwi\Desktop\FRST-OlderVersion\jukrdxmo.exe[3328] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075fa1d29 5 bytes JMP 00000001703311c2 .text C:\Users\rwi\Desktop\FRST-OlderVersion\jukrdxmo.exe[3328] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075fa1dd7 5 bytes JMP 0000000170331014 .text C:\Users\rwi\Desktop\FRST-OlderVersion\jukrdxmo.exe[3328] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075fa2ab1 5 bytes JMP 0000000170331555 .text C:\Users\rwi\Desktop\FRST-OlderVersion\jukrdxmo.exe[3328] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075fa2d17 5 bytes JMP 0000000170331271 .text C:\Users\rwi\Desktop\FRST-OlderVersion\jukrdxmo.exe[3328] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007524e96b 5 bytes JMP 00000001703315c3 .text C:\Users\rwi\Desktop\FRST-OlderVersion\jukrdxmo.exe[3328] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007524eba5 5 bytes JMP 0000000170331186 .text C:\Users\rwi\Desktop\FRST-OlderVersion\jukrdxmo.exe[3328] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000075858a29 5 bytes JMP 0000000170331726 .text C:\Users\rwi\Desktop\FRST-OlderVersion\jukrdxmo.exe[3328] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000075864572 5 bytes JMP 00000001703310a0 .text C:\Users\rwi\Desktop\FRST-OlderVersion\jukrdxmo.exe[3328] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 000000007587e567 5 bytes JMP 0000000170331415 .text C:\Users\rwi\Desktop\FRST-OlderVersion\jukrdxmo.exe[3328] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 00000000758b7a5c 5 bytes JMP 00000001703315d2 .text C:\Users\rwi\Desktop\FRST-OlderVersion\jukrdxmo.exe[3328] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000075505ea5 5 bytes JMP 00000001703315fa .text C:\Users\rwi\Desktop\FRST-OlderVersion\jukrdxmo.exe[3328] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075539d0b 5 bytes JMP 000000017033121c .text C:\Users\rwi\Desktop\FRST-OlderVersion\jukrdxmo.exe[3328] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000751f1465 2 bytes [1F, 75] .text C:\Users\rwi\Desktop\FRST-OlderVersion\jukrdxmo.exe[3328] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000751f14bb 2 bytes [1F, 75] .text ... * 2 ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\mfevtps.exe[2088] @ C:\Windows\system32\CRYPT32.dll[KERNEL32.dll!LoadLibraryA] [13f06c980] C:\Windows\system32\mfevtps.exe ---- Processes - GMER 2.1 ---- Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\mso.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [5368] 000000006c0b0000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\riched20.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [5368] 0000000066390000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\MSPTLS.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [5368] 0000000066270000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\csi.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [5368] 0000000065d40000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE15\ACEOLEDB.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [5368] 0000000065cf0000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\ACECORE.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [5368] 0000000065a40000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\1033\ACEWSTR.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [5368] 0000000065960000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\ACEES.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [5368] 00000000658c0000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\VBAJET32.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [5368] 00000000658b0000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\expsrv.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [5368] 0000000065850000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{8B6FD130-B2CC-48A6-81EF-DA1911EAB0FE}\Connection@Name isatap.{F8D670D2-11C3-4194-8B31-F3EF759DB3E2} Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Bind \Device\{AD535073-A4D7-4D8A-808D-884C7275563B}?\Device\{7809BA7C-703A-4978-9395-A4172DF61A54}?\Device\{8B6FD130-B2CC-48A6-81EF-DA1911EAB0FE}? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Route "{AD535073-A4D7-4D8A-808D-884C7275563B}"?"{7809BA7C-703A-4978-9395-A4172DF61A54}"?"{8B6FD130-B2CC-48A6-81EF-DA1911EAB0FE}"? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Export \Device\TCPIP6TUNNEL_{AD535073-A4D7-4D8A-808D-884C7275563B}?\Device\TCPIP6TUNNEL_{7809BA7C-703A-4978-9395-A4172DF61A54}?\Device\TCPIP6TUNNEL_{8B6FD130-B2CC-48A6-81EF-DA1911EAB0FE}? Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\24fd528d6294 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\889ffaf444d9 Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{8B6FD130-B2CC-48A6-81EF-DA1911EAB0FE}@InterfaceName isatap.{F8D670D2-11C3-4194-8B31-F3EF759DB3E2} Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{8B6FD130-B2CC-48A6-81EF-DA1911EAB0FE}@ReusableType 0 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\24fd528d6294 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\889ffaf444d9 (not active ControlSet) ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- Files - GMER 2.1 ---- File C:\Users\rwi\AppData\Local\Temp\tmp8369.tmp 0 bytes ---- EOF - GMER 2.1 ----