GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-04-17 15:31:49
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD32 rev.01.0 298.09GB
Running: g663ygxe.exe; Driver: C:\Users\Kaktus\AppData\Local\Temp\kxriipow.sys

---- User code sections - GMER 2.1 ----

.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2008] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx + 626 000007fefceb99f2 3 bytes [0A, 66, 3C]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2008] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefceca6f5 3 bytes [15, 59, 3C]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2008] C:\Windows\system32\WS2_32.dll!WSASend 000007fefe3513b0 6 bytes {JMP QWORD [RIP+0x24ec80]}
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2008] C:\Windows\system32\WS2_32.dll!closesocket + 1 000007fefe3518e1 5 bytes {JMP QWORD [RIP+0x28e750]}
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2008] C:\Windows\system32\WS2_32.dll!WSARecv 000007fefe352200 6 bytes JMP 0
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2008] C:\Windows\system32\WS2_32.dll!connect + 1 000007fefe3545c1 5 bytes {JMP QWORD [RIP+0x14ba70]}
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2008] C:\Windows\system32\WS2_32.dll!WSAStartup 000007fefe354980 6 bytes {JMP QWORD [RIP+0x2ab6b0]}
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2008] C:\Windows\system32\WS2_32.dll!send 000007fefe358000 6 bytes {JMP QWORD [RIP+0x1a8030]}
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2008] C:\Windows\system32\WS2_32.dll!sendto 000007fefe35d7f0 6 bytes {JMP QWORD [RIP+0x1c2840]}
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2008] C:\Windows\system32\WS2_32.dll!recv 000007fefe35df40 6 bytes {JMP QWORD [RIP+0x1620f0]}
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2008] C:\Windows\system32\WS2_32.dll!recvfrom 000007fefe35eb90 6 bytes {JMP QWORD [RIP+0x1814a0]}
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2008] C:\Windows\system32\WS2_32.dll!WSASendTo 000007fefe35ed50 6 bytes {JMP QWORD [RIP+0x2612e0]}
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2008] C:\Windows\system32\WS2_32.dll!WSAConnect 000007fefe37e0f0 6 bytes {JMP QWORD [RIP+0x1c1f40]}
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2008] C:\Windows\system32\WS2_32.dll!WSARecvFrom 000007fefe37e6c0 6 bytes JMP 0
.text C:\Program Files\Bonjour\mDNSResponder.exe[1440] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx + 626 000007fefceb99f2 3 bytes [0A, 66, 15]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1440] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefceca6f5 3 bytes [15, 59, 15]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1440] C:\Windows\system32\WS2_32.dll!WSASend 000007fefe3513b0 6 bytes JMP 0
.text C:\Program Files\Bonjour\mDNSResponder.exe[1440] C:\Windows\system32\WS2_32.dll!closesocket + 1 000007fefe3518e1 5 bytes {JMP QWORD [RIP+0x28e750]}
.text C:\Program Files\Bonjour\mDNSResponder.exe[1440] C:\Windows\system32\WS2_32.dll!WSARecv 000007fefe352200 6 bytes {JMP QWORD [RIP+0x20de30]}
.text C:\Program Files\Bonjour\mDNSResponder.exe[1440] C:\Windows\system32\WS2_32.dll!connect + 1 000007fefe3545c1 5 bytes {JMP QWORD [RIP+0x14ba70]}
.text C:\Program Files\Bonjour\mDNSResponder.exe[1440] C:\Windows\system32\WS2_32.dll!WSAStartup 000007fefe354980 6 bytes {JMP QWORD [RIP+0x2ab6b0]}
.text C:\Program Files\Bonjour\mDNSResponder.exe[1440] C:\Windows\system32\WS2_32.dll!send 000007fefe358000 6 bytes {JMP QWORD [RIP+0x1a8030]}
.text C:\Program Files\Bonjour\mDNSResponder.exe[1440] C:\Windows\system32\WS2_32.dll!sendto 000007fefe35d7f0 6 bytes {JMP QWORD [RIP+0x1c2840]}
.text C:\Program Files\Bonjour\mDNSResponder.exe[1440] C:\Windows\system32\WS2_32.dll!recv 000007fefe35df40 6 bytes {JMP QWORD [RIP+0x1620f0]}
.text C:\Program Files\Bonjour\mDNSResponder.exe[1440] C:\Windows\system32\WS2_32.dll!recvfrom 000007fefe35eb90 6 bytes {JMP QWORD [RIP+0x1814a0]}
.text C:\Program Files\Bonjour\mDNSResponder.exe[1440] C:\Windows\system32\WS2_32.dll!WSASendTo 000007fefe35ed50 6 bytes {JMP QWORD [RIP+0x2612e0]}
.text C:\Program Files\Bonjour\mDNSResponder.exe[1440] C:\Windows\system32\WS2_32.dll!WSAConnect 000007fefe37e0f0 6 bytes {JMP QWORD [RIP+0x1c1f40]}
.text C:\Program Files\Bonjour\mDNSResponder.exe[1440] C:\Windows\system32\WS2_32.dll!WSARecvFrom 000007fefe37e6c0 6 bytes {JMP QWORD [RIP+0x201970]}
.text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1456] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075192c9e 4 bytes CALL 71aa0000
.text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1456] C:\Windows\syswow64\WS2_32.dll!sendto 00000000751d34b5 6 bytes JMP 7195000a
.text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1456] C:\Windows\syswow64\WS2_32.dll!closesocket 00000000751d3918 6 bytes JMP 7183000a
.text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1456] C:\Windows\syswow64\WS2_32.dll!WSAStartup 00000000751d3ab2 6 bytes JMP 7180000a
.text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1456] C:\Windows\syswow64\WS2_32.dll!WSASend 00000000751d4406 6 bytes JMP 7189000a
.text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1456] C:\Windows\syswow64\WS2_32.dll!recv 00000000751d6b0e 6 bytes JMP 71a6000a
.text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1456] C:\Windows\syswow64\WS2_32.dll!connect 00000000751d6bdd 6 bytes JMP 71ad000a
.text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1456] C:\Windows\syswow64\WS2_32.dll!send 00000000751d6f01 6 bytes JMP 719d000a
.text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1456] C:\Windows\syswow64\WS2_32.dll!WSARecv 00000000751d7089 6 bytes JMP 718f000a
.text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1456] C:\Windows\syswow64\WS2_32.dll!recvfrom 00000000751db6dc 6 bytes JMP 71a3000a
.text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1456] C:\Windows\syswow64\WS2_32.dll!WSARecvFrom 00000000751dcba6 6 bytes JMP 718c000a
.text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1456] C:\Windows\syswow64\WS2_32.dll!WSAConnect 00000000751dcc3f 6 bytes JMP 7192000a
.text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1456] C:\Windows\syswow64\WS2_32.dll!WSASendTo 00000000751eb30c 6 bytes JMP 7186000a
.text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[1604] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx + 626 000007fefceb99f2 3 bytes [0A, 66, 15]
.text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[1604] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefceca6f5 3 bytes [15, 59, 15]
.text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[1604] C:\Windows\system32\WS2_32.dll!WSASend 000007fefe3513b0 6 bytes {JMP QWORD [RIP+0x24ec80]}
.text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[1604] C:\Windows\system32\WS2_32.dll!closesocket + 1 000007fefe3518e1 5 bytes {JMP QWORD [RIP+0x28e750]}
.text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[1604] C:\Windows\system32\WS2_32.dll!WSARecv 000007fefe352200 6 bytes {JMP QWORD [RIP+0x20de30]}
.text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[1604] C:\Windows\system32\WS2_32.dll!connect + 1 000007fefe3545c1 5 bytes {JMP QWORD [RIP+0x14ba70]}
.text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[1604] C:\Windows\system32\WS2_32.dll!WSAStartup 000007fefe354980 6 bytes {JMP QWORD [RIP+0x2ab6b0]}
.text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[1604] C:\Windows\system32\WS2_32.dll!send 000007fefe358000 6 bytes {JMP QWORD [RIP+0x1a8030]}
.text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[1604] C:\Windows\system32\WS2_32.dll!sendto 000007fefe35d7f0 6 bytes JMP 416
.text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[1604] C:\Windows\system32\WS2_32.dll!recv 000007fefe35df40 6 bytes JMP 64000062
.text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[1604] C:\Windows\system32\WS2_32.dll!recvfrom 000007fefe35eb90 6 bytes JMP 646062c
.text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[1604] C:\Windows\system32\WS2_32.dll!WSASendTo 000007fefe35ed50 6 bytes {JMP QWORD [RIP+0x2612e0]}
.text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[1604] C:\Windows\system32\WS2_32.dll!WSAConnect 000007fefe37e0f0 6 bytes JMP 85f
.text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[1604] C:\Windows\system32\WS2_32.dll!WSARecvFrom 000007fefe37e6c0 6 bytes {JMP QWORD [RIP+0x201970]}
.text C:\Program Files (x86)\Kodak\AiO\Center\EKAiOHostService.exe[1748] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075192c9e 4 bytes CALL 71aa0000
.text C:\Program Files (x86)\Kodak\AiO\Center\EKAiOHostService.exe[1748] C:\Windows\syswow64\WS2_32.dll!sendto 00000000751d34b5 6 bytes JMP 7187000a
.text C:\Program Files (x86)\Kodak\AiO\Center\EKAiOHostService.exe[1748] C:\Windows\syswow64\WS2_32.dll!closesocket 00000000751d3918 6 bytes JMP 7158000a
.text C:\Program Files (x86)\Kodak\AiO\Center\EKAiOHostService.exe[1748] C:\Windows\syswow64\WS2_32.dll!WSAStartup 00000000751d3ab2 6 bytes JMP 7155000a
.text C:\Program Files (x86)\Kodak\AiO\Center\EKAiOHostService.exe[1748] C:\Windows\syswow64\WS2_32.dll!WSASend 00000000751d4406 6 bytes JMP 715e000a
.text C:\Program Files (x86)\Kodak\AiO\Center\EKAiOHostService.exe[1748] C:\Windows\syswow64\WS2_32.dll!recv 00000000751d6b0e 6 bytes JMP 71a6000a
.text C:\Program Files (x86)\Kodak\AiO\Center\EKAiOHostService.exe[1748] C:\Windows\syswow64\WS2_32.dll!connect 00000000751d6bdd 6 bytes JMP 71ad000a
.text C:\Program Files (x86)\Kodak\AiO\Center\EKAiOHostService.exe[1748] C:\Windows\syswow64\WS2_32.dll!send 00000000751d6f01 6 bytes JMP 718a000a
.text C:\Program Files (x86)\Kodak\AiO\Center\EKAiOHostService.exe[1748] C:\Windows\syswow64\WS2_32.dll!WSARecv 00000000751d7089 6 bytes JMP 7164000a
.text C:\Program Files (x86)\Kodak\AiO\Center\EKAiOHostService.exe[1748] C:\Windows\syswow64\WS2_32.dll!recvfrom 00000000751db6dc 6 bytes JMP 71a3000a
.text C:\Program Files (x86)\Kodak\AiO\Center\EKAiOHostService.exe[1748] C:\Windows\syswow64\WS2_32.dll!WSARecvFrom 00000000751dcba6 6 bytes JMP 7161000a
.text C:\Program Files (x86)\Kodak\AiO\Center\EKAiOHostService.exe[1748] C:\Windows\syswow64\WS2_32.dll!WSAConnect 00000000751dcc3f 6 bytes JMP 717e000a
.text C:\Program Files (x86)\Kodak\AiO\Center\EKAiOHostService.exe[1748] C:\Windows\syswow64\WS2_32.dll!WSASendTo 00000000751eb30c 6 bytes JMP 715b000a
.text C:\Program Files (x86)\Kodak\AiO\Center\EKAiOHostService.exe[1748] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074f61401 2 bytes JMP 74fab1ef C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Kodak\AiO\Center\EKAiOHostService.exe[1748] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074f61419 2 bytes JMP 74fab31a C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Kodak\AiO\Center\EKAiOHostService.exe[1748] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074f61431 2 bytes JMP 75028f09 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Kodak\AiO\Center\EKAiOHostService.exe[1748] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074f6144a 2 bytes CALL 74f84885 C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\Kodak\AiO\Center\EKAiOHostService.exe[1748] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074f614dd 2 bytes JMP 75028802 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Kodak\AiO\Center\EKAiOHostService.exe[1748] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074f614f5 2 bytes JMP 750289d8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Kodak\AiO\Center\EKAiOHostService.exe[1748] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074f6150d 2 bytes JMP 750286f8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Kodak\AiO\Center\EKAiOHostService.exe[1748] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074f61525 2 bytes JMP 75028ac2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Kodak\AiO\Center\EKAiOHostService.exe[1748] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074f6153d 2 bytes JMP 74f9fc78 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Kodak\AiO\Center\EKAiOHostService.exe[1748] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074f61555 2 bytes JMP 74fa68bf C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Kodak\AiO\Center\EKAiOHostService.exe[1748] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074f6156d 2 bytes JMP 75028fc1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Kodak\AiO\Center\EKAiOHostService.exe[1748] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074f61585 2 bytes JMP 75028b22 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Kodak\AiO\Center\EKAiOHostService.exe[1748] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074f6159d 2 bytes JMP 750286bc C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Kodak\AiO\Center\EKAiOHostService.exe[1748] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074f615b5 2 bytes JMP 74f9fd11 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Kodak\AiO\Center\EKAiOHostService.exe[1748] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074f615cd 2 bytes JMP 74fab2b0 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Kodak\AiO\Center\EKAiOHostService.exe[1748] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074f616b2 2 bytes JMP 75028e84 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Kodak\AiO\Center\EKAiOHostService.exe[1748] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074f616bd 2 bytes JMP 75028651 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Kodak\AiO\StatusMonitor\EKPrinterSDK.exe[1960] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074f61401 2 bytes JMP 74fab1ef C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Kodak\AiO\StatusMonitor\EKPrinterSDK.exe[1960] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074f61419 2 bytes JMP 74fab31a C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Kodak\AiO\StatusMonitor\EKPrinterSDK.exe[1960] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074f61431 2 bytes JMP 75028f09 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Kodak\AiO\StatusMonitor\EKPrinterSDK.exe[1960] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074f6144a 2 bytes CALL 74f84885 C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\Kodak\AiO\StatusMonitor\EKPrinterSDK.exe[1960] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074f614dd 2 bytes JMP 75028802 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Kodak\AiO\StatusMonitor\EKPrinterSDK.exe[1960] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074f614f5 2 bytes JMP 750289d8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Kodak\AiO\StatusMonitor\EKPrinterSDK.exe[1960] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074f6150d 2 bytes JMP 750286f8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Kodak\AiO\StatusMonitor\EKPrinterSDK.exe[1960] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074f61525 2 bytes JMP 75028ac2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Kodak\AiO\StatusMonitor\EKPrinterSDK.exe[1960] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074f6153d 2 bytes JMP 74f9fc78 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Kodak\AiO\StatusMonitor\EKPrinterSDK.exe[1960] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074f61555 2 bytes JMP 74fa68bf C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Kodak\AiO\StatusMonitor\EKPrinterSDK.exe[1960] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074f6156d 2 bytes JMP 75028fc1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Kodak\AiO\StatusMonitor\EKPrinterSDK.exe[1960] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074f61585 2 bytes JMP 75028b22 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Kodak\AiO\StatusMonitor\EKPrinterSDK.exe[1960] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074f6159d 2 bytes JMP 750286bc C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Kodak\AiO\StatusMonitor\EKPrinterSDK.exe[1960] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074f615b5 2 bytes JMP 74f9fd11 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Kodak\AiO\StatusMonitor\EKPrinterSDK.exe[1960] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074f615cd 2 bytes JMP 74fab2b0 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Kodak\AiO\StatusMonitor\EKPrinterSDK.exe[1960] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074f616b2 2 bytes JMP 75028e84 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Kodak\AiO\StatusMonitor\EKPrinterSDK.exe[1960] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074f616bd 2 bytes JMP 75028651 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2056] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075192c9e 4 bytes CALL 71aa0000
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2056] C:\Windows\syswow64\WS2_32.dll!sendto 00000000751d34b5 6 bytes JMP 719c000a
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2056] C:\Windows\syswow64\WS2_32.dll!closesocket 00000000751d3918 6 bytes JMP 718a000a
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2056] C:\Windows\syswow64\WS2_32.dll!WSAStartup 00000000751d3ab2 6 bytes JMP 7187000a
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2056] C:\Windows\syswow64\WS2_32.dll!WSASend 00000000751d4406 6 bytes JMP 7190000a
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2056] C:\Windows\syswow64\WS2_32.dll!recv 00000000751d6b0e 6 bytes JMP 71a6000a
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2056] C:\Windows\syswow64\WS2_32.dll!connect 00000000751d6bdd 6 bytes JMP 71ad000a
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2056] C:\Windows\syswow64\WS2_32.dll!send 00000000751d6f01 6 bytes JMP 719f000a
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2056] C:\Windows\syswow64\WS2_32.dll!WSARecv 00000000751d7089 6 bytes JMP 7196000a
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2056] C:\Windows\syswow64\WS2_32.dll!recvfrom 00000000751db6dc 6 bytes JMP 71a3000a
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2056] C:\Windows\syswow64\WS2_32.dll!WSARecvFrom 00000000751dcba6 6 bytes JMP 7193000a
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2056] C:\Windows\syswow64\WS2_32.dll!WSAConnect 00000000751dcc3f 6 bytes JMP 7199000a
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2056] C:\Windows\syswow64\WS2_32.dll!WSASendTo 00000000751eb30c 6 bytes JMP 718d000a
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2056] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17 0000000074f61401 2 bytes JMP 74fab1ef C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2056] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17 0000000074f61419 2 bytes JMP 74fab31a C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2056] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17 0000000074f61431 2 bytes JMP 75028f09 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2056] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42 0000000074f6144a 2 bytes CALL 74f84885 C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2056] C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17 0000000074f614dd 2 bytes JMP 75028802 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2056] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17 0000000074f614f5 2 bytes JMP 750289d8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2056] C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17 0000000074f6150d 2 bytes JMP 750286f8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2056] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17 0000000074f61525 2 bytes JMP 75028ac2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2056] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17 0000000074f6153d 2 bytes JMP 74f9fc78 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2056] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17 0000000074f61555 2 bytes JMP 74fa68bf C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2056] C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17 0000000074f6156d 2 bytes JMP 75028fc1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2056] C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17 0000000074f61585 2 bytes JMP 75028b22 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2056] C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17 0000000074f6159d 2 bytes JMP 750286bc C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2056] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17 0000000074f615b5 2 bytes JMP 74f9fd11 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2056] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17 0000000074f615cd 2 bytes JMP 74fab2b0 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2056] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20 0000000074f616b2 2 bytes JMP 75028e84 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2056] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31 0000000074f616bd 2 bytes JMP 75028651 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2124] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx + 626 000007fefceb99f2 3 bytes [0A, 66, 06]
.text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2124] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefceca6f5 3 bytes [15, 59, 06]
.text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2124] C:\Windows\system32\WS2_32.dll!WSASend 000007fefe3513b0 6 bytes JMP 0
.text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2124] C:\Windows\system32\WS2_32.dll!closesocket + 1 000007fefe3518e1 5 bytes {JMP QWORD [RIP+0x28e750]}
.text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2124] C:\Windows\system32\WS2_32.dll!WSARecv 000007fefe352200 6 bytes JMP 0
.text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2124] C:\Windows\system32\WS2_32.dll!connect + 1 000007fefe3545c1 5 bytes {JMP QWORD [RIP+0x14ba70]}
.text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2124] C:\Windows\system32\WS2_32.dll!WSAStartup 000007fefe354980 6 bytes {JMP QWORD [RIP+0x2ab6b0]}
.text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2124] C:\Windows\system32\WS2_32.dll!send 000007fefe358000 6 bytes {JMP QWORD [RIP+0x1a8030]}
.text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2124] C:\Windows\system32\WS2_32.dll!sendto 000007fefe35d7f0 6 bytes JMP 340000
.text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2124] C:\Windows\system32\WS2_32.dll!recv 000007fefe35df40 6 bytes {JMP QWORD [RIP+0x1620f0]}
.text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2124] C:\Windows\system32\WS2_32.dll!recvfrom 000007fefe35eb90 6 bytes JMP 0
.text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2124] C:\Windows\system32\WS2_32.dll!WSASendTo 000007fefe35ed50 6 bytes JMP 0
.text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2124] C:\Windows\system32\WS2_32.dll!WSAConnect 000007fefe37e0f0 6 bytes JMP 0
.text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2124] C:\Windows\system32\WS2_32.dll!WSARecvFrom 000007fefe37e6c0 6 bytes JMP 0
.text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[2500] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075192c9e 4 bytes CALL 71aa0000
.text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[2500] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074f61401 2 bytes JMP 74fab1ef C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[2500] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074f61419 2 bytes JMP 74fab31a C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[2500] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074f61431 2 bytes JMP 75028f09 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[2500] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074f6144a 2 bytes CALL 74f84885 C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[2500] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074f614dd 2 bytes JMP 75028802 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[2500] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074f614f5 2 bytes JMP 750289d8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[2500] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074f6150d 2 bytes JMP 750286f8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[2500] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074f61525 2 bytes JMP 75028ac2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[2500] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074f6153d 2 bytes JMP 74f9fc78 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[2500] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074f61555 2 bytes JMP 74fa68bf C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[2500] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074f6156d 2 bytes JMP 75028fc1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[2500] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074f61585 2 bytes JMP 75028b22 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[2500] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074f6159d 2 bytes JMP 750286bc C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[2500] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074f615b5 2 bytes JMP 74f9fd11 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[2500] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074f615cd 2 bytes JMP 74fab2b0 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[2500] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074f616b2 2 bytes JMP 75028e84 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[2500] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074f616bd 2 bytes JMP 75028651 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[2500] C:\Windows\syswow64\WS2_32.dll!sendto 00000000751d34b5 6 bytes JMP 719c000a
.text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[2500] C:\Windows\syswow64\WS2_32.dll!closesocket 00000000751d3918 6 bytes JMP 7183000a
.text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[2500] C:\Windows\syswow64\WS2_32.dll!WSAStartup 00000000751d3ab2 6 bytes JMP 7180000a
.text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[2500] C:\Windows\syswow64\WS2_32.dll!WSASend 00000000751d4406 6 bytes JMP 7189000a
.text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[2500] C:\Windows\syswow64\WS2_32.dll!recv 00000000751d6b0e 6 bytes JMP 71a6000a
.text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[2500] C:\Windows\syswow64\WS2_32.dll!connect 00000000751d6bdd 6 bytes JMP 71ad000a
.text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[2500] C:\Windows\syswow64\WS2_32.dll!send 00000000751d6f01 6 bytes JMP 719f000a
.text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[2500] C:\Windows\syswow64\WS2_32.dll!WSARecv 00000000751d7089 6 bytes JMP 718f000a
.text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[2500] C:\Windows\syswow64\WS2_32.dll!recvfrom 00000000751db6dc 6 bytes JMP 71a3000a
.text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[2500] C:\Windows\syswow64\WS2_32.dll!WSARecvFrom 00000000751dcba6 6 bytes JMP 718c000a
.text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[2500] C:\Windows\syswow64\WS2_32.dll!WSAConnect 00000000751dcc3f 6 bytes JMP 7198000a
.text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[2500] C:\Windows\syswow64\WS2_32.dll!WSASendTo 00000000751eb30c 6 bytes JMP 7186000a
.text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2812] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075192c9e 4 bytes CALL 71aa0000
.text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2812] C:\Windows\syswow64\WS2_32.dll!sendto 00000000751d34b5 6 bytes JMP 719c000a
.text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2812] C:\Windows\syswow64\WS2_32.dll!closesocket 00000000751d3918 6 bytes JMP 718a000a
.text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2812] C:\Windows\syswow64\WS2_32.dll!WSAStartup 00000000751d3ab2 6 bytes JMP 7187000a
.text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2812] C:\Windows\syswow64\WS2_32.dll!WSASend 00000000751d4406 6 bytes JMP 7190000a
.text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2812] C:\Windows\syswow64\WS2_32.dll!recv 00000000751d6b0e 6 bytes JMP 71a6000a
.text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2812] C:\Windows\syswow64\WS2_32.dll!connect 00000000751d6bdd 6 bytes JMP 71ad000a
.text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2812] C:\Windows\syswow64\WS2_32.dll!send 00000000751d6f01 6 bytes JMP 719f000a
.text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2812] C:\Windows\syswow64\WS2_32.dll!WSARecv 00000000751d7089 6 bytes JMP 7196000a
.text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2812] C:\Windows\syswow64\WS2_32.dll!recvfrom 00000000751db6dc 6 bytes JMP 71a3000a
.text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2812] C:\Windows\syswow64\WS2_32.dll!WSARecvFrom 00000000751dcba6 6 bytes JMP 7193000a
.text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2812] C:\Windows\syswow64\WS2_32.dll!WSAConnect 00000000751dcc3f 6 bytes JMP 7199000a
.text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2812] C:\Windows\syswow64\WS2_32.dll!WSASendTo 00000000751eb30c 6 bytes JMP 718d000a
.text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2812] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074f61401 2 bytes JMP 74fab1ef C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2812] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074f61419 2 bytes JMP 74fab31a C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2812] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074f61431 2 bytes JMP 75028f09 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2812] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074f6144a 2 bytes CALL 74f84885 C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2812] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074f614dd 2 bytes JMP 75028802 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2812] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074f614f5 2 bytes JMP 750289d8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2812] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074f6150d 2 bytes JMP 750286f8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2812] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074f61525 2 bytes JMP 75028ac2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2812] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074f6153d 2 bytes JMP 74f9fc78 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2812] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074f61555 2 bytes JMP 74fa68bf C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2812] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074f6156d 2 bytes JMP 75028fc1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2812] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074f61585 2 bytes JMP 75028b22 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2812]
C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074f6159d 2 bytes JMP 750286bc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2812] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074f615b5 2 bytes JMP 74f9fd11 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2812] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074f615cd 2 bytes JMP 74fab2b0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2812] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074f616b2 2 bytes JMP 75028e84 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2812] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074f616bd 2 bytes JMP 75028651 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Bitdefender\60-Second Virus Scanner\pdscan.exe[2096] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx + 626 000007fefceb99f2 3 bytes [0A, 66, 06] .text C:\Program Files\Bitdefender\60-Second Virus Scanner\pdscan.exe[2096] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefceca6f5 3 bytes [15, 59, 06] .text C:\Program Files\Bitdefender\60-Second Virus Scanner\pdscan.exe[2096] C:\Windows\system32\WS2_32.dll!WSASend 000007fefe3513b0 6 bytes {JMP QWORD [RIP+0xe2ec80]} .text C:\Program Files\Bitdefender\60-Second Virus Scanner\pdscan.exe[2096] C:\Windows\system32\WS2_32.dll!closesocket + 1 000007fefe3518e1 5 bytes JMP 0 .text C:\Program Files\Bitdefender\60-Second Virus Scanner\pdscan.exe[2096] C:\Windows\system32\WS2_32.dll!WSARecv 000007fefe352200 6 bytes {JMP QWORD [RIP+0xdede30]} .text C:\Program Files\Bitdefender\60-Second Virus Scanner\pdscan.exe[2096] C:\Windows\system32\WS2_32.dll!connect + 1 000007fefe3545c1 5 bytes JMP 0 .text C:\Program 
Files\Bitdefender\60-Second Virus Scanner\pdscan.exe[2096] C:\Windows\system32\WS2_32.dll!WSAStartup 000007fefe354980 6 bytes {JMP QWORD [RIP+0xe8b6b0]} .text C:\Program Files\Bitdefender\60-Second Virus Scanner\pdscan.exe[2096] C:\Windows\system32\WS2_32.dll!send 000007fefe358000 6 bytes JMP 0 .text C:\Program Files\Bitdefender\60-Second Virus Scanner\pdscan.exe[2096] C:\Windows\system32\WS2_32.dll!sendto 000007fefe35d7f0 6 bytes {JMP QWORD [RIP+0xda2840]} .text C:\Program Files\Bitdefender\60-Second Virus Scanner\pdscan.exe[2096] C:\Windows\system32\WS2_32.dll!recv 000007fefe35df40 6 bytes {JMP QWORD [RIP+0xb220f0]} .text C:\Program Files\Bitdefender\60-Second Virus Scanner\pdscan.exe[2096] C:\Windows\system32\WS2_32.dll!recvfrom 000007fefe35eb90 6 bytes {JMP QWORD [RIP+0xb414a0]} .text C:\Program Files\Bitdefender\60-Second Virus Scanner\pdscan.exe[2096] C:\Windows\system32\WS2_32.dll!WSASendTo 000007fefe35ed50 6 bytes {JMP QWORD [RIP+0xe412e0]} .text C:\Program Files\Bitdefender\60-Second Virus Scanner\pdscan.exe[2096] C:\Windows\system32\WS2_32.dll!WSAConnect 000007fefe37e0f0 6 bytes {JMP QWORD [RIP+0xda1f40]} .text C:\Program Files\Bitdefender\60-Second Virus Scanner\pdscan.exe[2096] C:\Windows\system32\WS2_32.dll!WSARecvFrom 000007fefe37e6c0 6 bytes {JMP QWORD [RIP+0xde1970]} .text C:\Program Files (x86)\Livedrive\VSSService.exe[2212] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx + 626 000007fefceb99f2 3 bytes CALL 9bc0000 .text C:\Program Files (x86)\Livedrive\VSSService.exe[2212] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefceca6f5 3 bytes CALL 3000025 .text C:\Program Files (x86)\Livedrive\VSSService.exe[2212] C:\Windows\system32\ws2_32.dll!WSASend 000007fefe3513b0 6 bytes {JMP QWORD [RIP+0x16ec80]} .text C:\Program Files (x86)\Livedrive\VSSService.exe[2212] C:\Windows\system32\ws2_32.dll!closesocket + 1 000007fefe3518e1 5 bytes {JMP QWORD [RIP+0x1ae750]} .text C:\Program Files (x86)\Livedrive\VSSService.exe[2212] 
C:\Windows\system32\ws2_32.dll!WSARecv 000007fefe352200 6 bytes {JMP QWORD [RIP+0x12de30]} .text C:\Program Files (x86)\Livedrive\VSSService.exe[2212] C:\Windows\system32\ws2_32.dll!connect + 1 000007fefe3545c1 5 bytes {JMP QWORD [RIP+0x6ba70]} .text C:\Program Files (x86)\Livedrive\VSSService.exe[2212] C:\Windows\system32\ws2_32.dll!WSAStartup 000007fefe354980 6 bytes {JMP QWORD [RIP+0x1cb6b0]} .text C:\Program Files (x86)\Livedrive\VSSService.exe[2212] C:\Windows\system32\ws2_32.dll!send 000007fefe358000 6 bytes {JMP QWORD [RIP+0xc8030]} .text C:\Program Files (x86)\Livedrive\VSSService.exe[2212] C:\Windows\system32\ws2_32.dll!sendto 000007fefe35d7f0 6 bytes {JMP QWORD [RIP+0xe2840]} .text C:\Program Files (x86)\Livedrive\VSSService.exe[2212] C:\Windows\system32\ws2_32.dll!recv 000007fefe35df40 4 bytes JMP 30000 .text C:\Program Files (x86)\Livedrive\VSSService.exe[2212] C:\Windows\system32\ws2_32.dll!recv + 5 000007fefe35df45 1 byte [00] .text C:\Program Files (x86)\Livedrive\VSSService.exe[2212] C:\Windows\system32\ws2_32.dll!recvfrom 000007fefe35eb90 6 bytes {JMP QWORD [RIP+0xa14a0]} .text C:\Program Files (x86)\Livedrive\VSSService.exe[2212] C:\Windows\system32\ws2_32.dll!WSASendTo 000007fefe35ed50 6 bytes {JMP QWORD [RIP+0x1812e0]} .text C:\Program Files (x86)\Livedrive\VSSService.exe[2212] C:\Windows\system32\ws2_32.dll!WSAConnect 000007fefe37e0f0 6 bytes {JMP QWORD [RIP+0xe1f40]} .text C:\Program Files (x86)\Livedrive\VSSService.exe[2212] C:\Windows\system32\ws2_32.dll!WSARecvFrom 000007fefe37e6c0 6 bytes {JMP QWORD [RIP+0x121970]} .text C:\Windows\Explorer.EXE[3136] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx + 626 000007fefceb99f2 3 bytes CALL 630056 .text C:\Windows\Explorer.EXE[3136] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefceca6f5 3 bytes CALL 61005c00 .text C:\Windows\Explorer.EXE[3136] C:\Windows\system32\WS2_32.dll!WSASend 000007fefe3513b0 6 bytes {JMP QWORD [RIP+0xe2ec80]} .text C:\Windows\Explorer.EXE[3136] 
C:\Windows\system32\WS2_32.dll!closesocket + 1 000007fefe3518e1 5 bytes {JMP QWORD [RIP+0xe6e750]} .text C:\Windows\Explorer.EXE[3136] C:\Windows\system32\WS2_32.dll!WSARecv 000007fefe352200 6 bytes {JMP QWORD [RIP+0xdede30]} .text C:\Windows\Explorer.EXE[3136] C:\Windows\system32\WS2_32.dll!connect + 1 000007fefe3545c1 5 bytes {JMP QWORD [RIP+0xb0ba70]} .text C:\Windows\Explorer.EXE[3136] C:\Windows\system32\WS2_32.dll!WSAStartup 000007fefe354980 6 bytes {JMP QWORD [RIP+0xe8b6b0]} .text C:\Windows\Explorer.EXE[3136] C:\Windows\system32\WS2_32.dll!send 000007fefe358000 6 bytes {JMP QWORD [RIP+0xd78030]} .text C:\Windows\Explorer.EXE[3136] C:\Windows\system32\WS2_32.dll!sendto 000007fefe35d7f0 6 bytes {JMP QWORD [RIP+0xda2840]} .text C:\Windows\Explorer.EXE[3136] C:\Windows\system32\WS2_32.dll!recv 000007fefe35df40 6 bytes {JMP QWORD [RIP+0xb220f0]} .text C:\Windows\Explorer.EXE[3136] C:\Windows\system32\WS2_32.dll!recvfrom 000007fefe35eb90 6 bytes {JMP QWORD [RIP+0xb414a0]} .text C:\Windows\Explorer.EXE[3136] C:\Windows\system32\WS2_32.dll!WSASendTo 000007fefe35ed50 6 bytes {JMP QWORD [RIP+0xe412e0]} .text C:\Windows\Explorer.EXE[3136] C:\Windows\system32\WS2_32.dll!WSAConnect 000007fefe37e0f0 6 bytes {JMP QWORD [RIP+0xda1f40]} .text C:\Windows\Explorer.EXE[3136] C:\Windows\system32\WS2_32.dll!WSARecvFrom 000007fefe37e6c0 6 bytes {JMP QWORD [RIP+0xde1970]} .text C:\Windows\system32\wbem\unsecapp.exe[3172] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx + 626 000007fefceb99f2 3 bytes [0A, 66, 06] .text C:\Windows\system32\wbem\unsecapp.exe[3172] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefceca6f5 3 bytes [15, 59, 06] .text C:\Windows\system32\wbem\unsecapp.exe[3172] C:\Windows\system32\WS2_32.dll!WSASend 000007fefe3513b0 6 bytes {JMP QWORD [RIP+0x24ec80]} .text C:\Windows\system32\wbem\unsecapp.exe[3172] C:\Windows\system32\WS2_32.dll!closesocket + 1 000007fefe3518e1 5 bytes JMP 0 .text C:\Windows\system32\wbem\unsecapp.exe[3172] 
C:\Windows\system32\WS2_32.dll!WSARecv 000007fefe352200 6 bytes {JMP QWORD [RIP+0x20de30]} .text C:\Windows\system32\wbem\unsecapp.exe[3172] C:\Windows\system32\WS2_32.dll!connect + 1 000007fefe3545c1 5 bytes {JMP QWORD [RIP+0x14ba70]} .text C:\Windows\system32\wbem\unsecapp.exe[3172] C:\Windows\system32\WS2_32.dll!WSAStartup 000007fefe354980 6 bytes JMP 0 .text C:\Windows\system32\wbem\unsecapp.exe[3172] C:\Windows\system32\WS2_32.dll!send 000007fefe358000 6 bytes {JMP QWORD [RIP+0x1a8030]} .text C:\Windows\system32\wbem\unsecapp.exe[3172] C:\Windows\system32\WS2_32.dll!sendto 000007fefe35d7f0 6 bytes JMP 416 .text C:\Windows\system32\wbem\unsecapp.exe[3172] C:\Windows\system32\WS2_32.dll!recv 000007fefe35df40 6 bytes JMP 64000062 .text C:\Windows\system32\wbem\unsecapp.exe[3172] C:\Windows\system32\WS2_32.dll!recvfrom 000007fefe35eb90 6 bytes JMP 646062c .text C:\Windows\system32\wbem\unsecapp.exe[3172] C:\Windows\system32\WS2_32.dll!WSASendTo 000007fefe35ed50 6 bytes {JMP QWORD [RIP+0x2612e0]} .text C:\Windows\system32\wbem\unsecapp.exe[3172] C:\Windows\system32\WS2_32.dll!WSAConnect 000007fefe37e0f0 6 bytes JMP 85f .text C:\Windows\system32\wbem\unsecapp.exe[3172] C:\Windows\system32\WS2_32.dll!WSARecvFrom 000007fefe37e6c0 6 bytes {JMP QWORD [RIP+0x201970]} .text C:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe[3984] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075192c9e 4 bytes CALL 71a90000 .text C:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe[3984] C:\Windows\syswow64\WS2_32.dll!sendto 00000000751d34b5 6 bytes JMP 7194000a .text C:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe[3984] C:\Windows\syswow64\WS2_32.dll!closesocket 00000000751d3918 6 bytes JMP 717e000a .text C:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe[3984] C:\Windows\syswow64\WS2_32.dll!WSAStartup 00000000751d3ab2 6 bytes JMP 717b000a .text C:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe[3984] 
C:\Windows\syswow64\WS2_32.dll!WSASend 00000000751d4406 6 bytes JMP 7184000a .text C:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe[3984] C:\Windows\syswow64\WS2_32.dll!recv 00000000751d6b0e 6 bytes JMP 71a5000a .text C:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe[3984] C:\Windows\syswow64\WS2_32.dll!connect 00000000751d6bdd 6 bytes JMP 71ac000a .text C:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe[3984] C:\Windows\syswow64\WS2_32.dll!send 00000000751d6f01 6 bytes JMP 7197000a .text C:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe[3984] C:\Windows\syswow64\WS2_32.dll!WSARecv 00000000751d7089 6 bytes JMP 718b000a .text C:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe[3984] C:\Windows\syswow64\WS2_32.dll!recvfrom 00000000751db6dc 6 bytes JMP 71a2000a .text C:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe[3984] C:\Windows\syswow64\WS2_32.dll!WSARecvFrom 00000000751dcba6 6 bytes JMP 7187000a .text C:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe[3984] C:\Windows\syswow64\WS2_32.dll!WSAConnect 00000000751dcc3f 6 bytes JMP 7191000a .text C:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe[3984] C:\Windows\syswow64\WS2_32.dll!WSASendTo 00000000751eb30c 6 bytes JMP 7181000a .text C:\Windows\system32\dllhost.exe[3808] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx + 626 000007fefceb99f2 3 bytes CALL 68160000 .text C:\Windows\system32\dllhost.exe[3808] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefceca6f5 3 bytes CALL 2e00000d .text C:\Windows\system32\dllhost.exe[3808] C:\Windows\system32\WS2_32.dll!WSASend 000007fefe3513b0 6 bytes {JMP QWORD [RIP+0x24ec80]} .text C:\Windows\system32\dllhost.exe[3808] C:\Windows\system32\WS2_32.dll!closesocket + 1 000007fefe3518e1 5 bytes {JMP QWORD [RIP+0x28e750]} .text C:\Windows\system32\dllhost.exe[3808] C:\Windows\system32\WS2_32.dll!WSARecv 000007fefe352200 6 bytes {JMP QWORD [RIP+0x20de30]} .text 
C:\Windows\system32\dllhost.exe[3808] C:\Windows\system32\WS2_32.dll!connect + 1 000007fefe3545c1 5 bytes JMP 0 .text C:\Windows\system32\dllhost.exe[3808] C:\Windows\system32\WS2_32.dll!WSAStartup 000007fefe354980 6 bytes {JMP QWORD [RIP+0x2ab6b0]} .text C:\Windows\system32\dllhost.exe[3808] C:\Windows\system32\WS2_32.dll!send 000007fefe358000 6 bytes JMP 0 .text C:\Windows\system32\dllhost.exe[3808] C:\Windows\system32\WS2_32.dll!sendto 000007fefe35d7f0 6 bytes JMP 1d001a4 .text C:\Windows\system32\dllhost.exe[3808] C:\Windows\system32\WS2_32.dll!recv 000007fefe35df40 6 bytes JMP 0 .text C:\Windows\system32\dllhost.exe[3808] C:\Windows\system32\WS2_32.dll!recvfrom 000007fefe35eb90 6 bytes JMP 6d8c .text C:\Windows\system32\dllhost.exe[3808] C:\Windows\system32\WS2_32.dll!WSASendTo 000007fefe35ed50 6 bytes {JMP QWORD [RIP+0x2612e0]} .text C:\Windows\system32\dllhost.exe[3808] C:\Windows\system32\WS2_32.dll!WSAConnect 000007fefe37e0f0 6 bytes JMP 0 .text C:\Windows\system32\dllhost.exe[3808] C:\Windows\system32\WS2_32.dll!WSARecvFrom 000007fefe37e6c0 6 bytes {JMP QWORD [RIP+0x201970]} .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[5076] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx + 626 000007fefceb99f2 3 bytes [0A, 66, 15] .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[5076] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefceca6f5 3 bytes [15, 59, 15] .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[5076] C:\Windows\system32\WS2_32.dll!WSASend 000007fefe3513b0 6 bytes JMP 746e6f43 .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[5076] C:\Windows\system32\WS2_32.dll!closesocket + 1 000007fefe3518e1 5 bytes {JMP QWORD [RIP+0x28e750]} .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[5076] C:\Windows\system32\WS2_32.dll!WSARecv 000007fefe352200 6 bytes {JMP QWORD [RIP+0x20de30]} .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[5076] 
C:\Windows\system32\WS2_32.dll!connect + 1 000007fefe3545c1 5 bytes {JMP QWORD [RIP+0x14ba70]} .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[5076] C:\Windows\system32\WS2_32.dll!WSAStartup 000007fefe354980 6 bytes JMP 0 .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[5076] C:\Windows\system32\WS2_32.dll!send 000007fefe358000 6 bytes {JMP QWORD [RIP+0x1a8030]} .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[5076] C:\Windows\system32\WS2_32.dll!sendto 000007fefe35d7f0 6 bytes JMP 416 .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[5076] C:\Windows\system32\WS2_32.dll!recv 000007fefe35df40 6 bytes JMP 64000062 .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[5076] C:\Windows\system32\WS2_32.dll!recvfrom 000007fefe35eb90 6 bytes JMP 646062c .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[5076] C:\Windows\system32\WS2_32.dll!WSASendTo 000007fefe35ed50 6 bytes {JMP QWORD [RIP+0x2612e0]} .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[5076] C:\Windows\system32\WS2_32.dll!WSAConnect 000007fefe37e0f0 6 bytes JMP 85f .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[5076] C:\Windows\system32\WS2_32.dll!WSARecvFrom 000007fefe37e6c0 6 bytes JMP 1f6a10 C:\Program Files\Acer\Acer ePower Management\PowerSettingControl.dll .text C:\Windows\System32\msdtc.exe[4988] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx + 626 000007fefceb99f2 3 bytes CALL 9bc0000 .text C:\Windows\System32\msdtc.exe[4988] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefceca6f5 3 bytes CALL 3000025 .text C:\Windows\System32\msdtc.exe[4988] C:\Windows\system32\WS2_32.dll!WSASend 000007fefe3513b0 6 bytes {JMP QWORD [RIP+0x24ec80]} .text C:\Windows\System32\msdtc.exe[4988] C:\Windows\system32\WS2_32.dll!closesocket + 1 000007fefe3518e1 5 bytes JMP 2544f0 .text C:\Windows\System32\msdtc.exe[4988] C:\Windows\system32\WS2_32.dll!WSARecv 
000007fefe352200 6 bytes {JMP QWORD [RIP+0x20de30]} .text C:\Windows\System32\msdtc.exe[4988] C:\Windows\system32\WS2_32.dll!connect + 1 000007fefe3545c1 5 bytes {JMP QWORD [RIP+0x14ba70]} .text C:\Windows\System32\msdtc.exe[4988] C:\Windows\system32\WS2_32.dll!WSAStartup 000007fefe354980 6 bytes JMP 0 .text C:\Windows\System32\msdtc.exe[4988] C:\Windows\system32\WS2_32.dll!send 000007fefe358000 6 bytes {JMP QWORD [RIP+0x1a8030]} .text C:\Windows\System32\msdtc.exe[4988] C:\Windows\system32\WS2_32.dll!sendto 000007fefe35d7f0 6 bytes {JMP QWORD [RIP+0x1c2840]} .text C:\Windows\System32\msdtc.exe[4988] C:\Windows\system32\WS2_32.dll!recv 000007fefe35df40 6 bytes {JMP QWORD [RIP+0x1620f0]} .text C:\Windows\System32\msdtc.exe[4988] C:\Windows\system32\WS2_32.dll!recvfrom 000007fefe35eb90 6 bytes {JMP QWORD [RIP+0x1814a0]} .text C:\Windows\System32\msdtc.exe[4988] C:\Windows\system32\WS2_32.dll!WSASendTo 000007fefe35ed50 6 bytes JMP 0 .text C:\Windows\System32\msdtc.exe[4988] C:\Windows\system32\WS2_32.dll!WSAConnect 000007fefe37e0f0 6 bytes {JMP QWORD [RIP+0x1c1f40]} .text C:\Windows\System32\msdtc.exe[4988] C:\Windows\system32\WS2_32.dll!WSARecvFrom 000007fefe37e6c0 6 bytes {JMP QWORD [RIP+0x201970]} .text C:\Windows\system32\wbem\unsecapp.exe[4276] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx + 626 000007fefceb99f2 3 bytes CALL 9bc0000 .text C:\Windows\system32\wbem\unsecapp.exe[4276] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefceca6f5 3 bytes CALL 3000025 .text C:\Windows\system32\wbem\unsecapp.exe[4276] C:\Windows\system32\WS2_32.dll!WSASend 000007fefe3513b0 6 bytes {JMP QWORD [RIP+0x24ec80]} .text C:\Windows\system32\wbem\unsecapp.exe[4276] C:\Windows\system32\WS2_32.dll!closesocket + 1 000007fefe3518e1 5 bytes {JMP QWORD [RIP+0x28e750]} .text C:\Windows\system32\wbem\unsecapp.exe[4276] C:\Windows\system32\WS2_32.dll!WSARecv 000007fefe352200 6 bytes JMP 0 .text C:\Windows\system32\wbem\unsecapp.exe[4276] 
C:\Windows\system32\WS2_32.dll!connect + 1 000007fefe3545c1 5 bytes {JMP QWORD [RIP+0x14ba70]} .text C:\Windows\system32\wbem\unsecapp.exe[4276] C:\Windows\system32\WS2_32.dll!WSAStartup 000007fefe354980 6 bytes {JMP QWORD [RIP+0x2ab6b0]} .text C:\Windows\system32\wbem\unsecapp.exe[4276] C:\Windows\system32\WS2_32.dll!send 000007fefe358000 6 bytes {JMP QWORD [RIP+0x1a8030]} .text C:\Windows\system32\wbem\unsecapp.exe[4276] C:\Windows\system32\WS2_32.dll!sendto 000007fefe35d7f0 6 bytes {JMP QWORD [RIP+0x1c2840]} .text C:\Windows\system32\wbem\unsecapp.exe[4276] C:\Windows\system32\WS2_32.dll!recv 000007fefe35df40 6 bytes {JMP QWORD [RIP+0x1620f0]} .text C:\Windows\system32\wbem\unsecapp.exe[4276] C:\Windows\system32\WS2_32.dll!recvfrom 000007fefe35eb90 6 bytes {JMP QWORD [RIP+0x1814a0]} .text C:\Windows\system32\wbem\unsecapp.exe[4276] C:\Windows\system32\WS2_32.dll!WSASendTo 000007fefe35ed50 6 bytes {JMP QWORD [RIP+0x2612e0]} .text C:\Windows\system32\wbem\unsecapp.exe[4276] C:\Windows\system32\WS2_32.dll!WSAConnect 000007fefe37e0f0 6 bytes {JMP QWORD [RIP+0x1c1f40]} .text C:\Windows\system32\wbem\unsecapp.exe[4276] C:\Windows\system32\WS2_32.dll!WSARecvFrom 000007fefe37e6c0 6 bytes JMP 0 .text C:\ProgramData\FLEXnet\Connect\11\agent.exe[5768] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074f61401 2 bytes JMP 74fab1ef C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\FLEXnet\Connect\11\agent.exe[5768] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074f61419 2 bytes JMP 74fab31a C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\FLEXnet\Connect\11\agent.exe[5768] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074f61431 2 bytes JMP 75028f09 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\FLEXnet\Connect\11\agent.exe[5768] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074f6144a 2 bytes CALL 74f84885 C:\Windows\syswow64\kernel32.dll .text ... 
* 9 .text C:\ProgramData\FLEXnet\Connect\11\agent.exe[5768] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074f614dd 2 bytes JMP 75028802 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\FLEXnet\Connect\11\agent.exe[5768] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074f614f5 2 bytes JMP 750289d8 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\FLEXnet\Connect\11\agent.exe[5768] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074f6150d 2 bytes JMP 750286f8 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\FLEXnet\Connect\11\agent.exe[5768] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074f61525 2 bytes JMP 75028ac2 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\FLEXnet\Connect\11\agent.exe[5768] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074f6153d 2 bytes JMP 74f9fc78 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\FLEXnet\Connect\11\agent.exe[5768] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074f61555 2 bytes JMP 74fa68bf C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\FLEXnet\Connect\11\agent.exe[5768] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074f6156d 2 bytes JMP 75028fc1 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\FLEXnet\Connect\11\agent.exe[5768] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074f61585 2 bytes JMP 75028b22 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\FLEXnet\Connect\11\agent.exe[5768] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074f6159d 2 bytes JMP 750286bc C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\FLEXnet\Connect\11\agent.exe[5768] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074f615b5 2 bytes JMP 74f9fd11 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\FLEXnet\Connect\11\agent.exe[5768] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074f615cd 2 bytes JMP 74fab2b0 
C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\FLEXnet\Connect\11\agent.exe[5768] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074f616b2 2 bytes JMP 75028e84 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\FLEXnet\Connect\11\agent.exe[5768] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074f616bd 2 bytes JMP 75028651 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Launch Manager\LManager.exe[5336] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075192c9e 4 bytes CALL 71a90000 .text C:\Program Files (x86)\Launch Manager\LManager.exe[5336] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074f61401 2 bytes JMP 74fab1ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Launch Manager\LManager.exe[5336] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074f61419 2 bytes JMP 74fab31a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Launch Manager\LManager.exe[5336] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074f61431 2 bytes JMP 75028f09 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Launch Manager\LManager.exe[5336] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074f6144a 2 bytes CALL 74f84885 C:\Windows\syswow64\kernel32.dll .text ... 
* 9 .text C:\Program Files (x86)\Launch Manager\LManager.exe[5336] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074f614dd 2 bytes JMP 75028802 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Launch Manager\LManager.exe[5336] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074f614f5 2 bytes JMP 750289d8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Launch Manager\LManager.exe[5336] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074f6150d 2 bytes JMP 750286f8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Launch Manager\LManager.exe[5336] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074f61525 2 bytes JMP 75028ac2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Launch Manager\LManager.exe[5336] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074f6153d 2 bytes JMP 74f9fc78 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Launch Manager\LManager.exe[5336] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074f61555 2 bytes JMP 74fa68bf C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Launch Manager\LManager.exe[5336] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074f6156d 2 bytes JMP 75028fc1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Launch Manager\LManager.exe[5336] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074f61585 2 bytes JMP 75028b22 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Launch Manager\LManager.exe[5336] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074f6159d 2 bytes JMP 750286bc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Launch Manager\LManager.exe[5336] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074f615b5 2 bytes JMP 74f9fd11 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Launch Manager\LManager.exe[5336] 
C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074f615cd 2 bytes JMP 74fab2b0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Launch Manager\LManager.exe[5336] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074f616b2 2 bytes JMP 75028e84 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Launch Manager\LManager.exe[5336] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074f616bd 2 bytes JMP 75028651 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Launch Manager\LManager.exe[5336] C:\Windows\syswow64\WS2_32.dll!sendto 00000000751d34b5 6 bytes JMP 719b000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[5336] C:\Windows\syswow64\WS2_32.dll!closesocket 00000000751d3918 6 bytes JMP 717d000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[5336] C:\Windows\syswow64\WS2_32.dll!WSAStartup 00000000751d3ab2 6 bytes JMP 717a000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[5336] C:\Windows\syswow64\WS2_32.dll!WSASend 00000000751d4406 6 bytes JMP 7183000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[5336] C:\Windows\syswow64\WS2_32.dll!recv 00000000751d6b0e 6 bytes JMP 71a5000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[5336] C:\Windows\syswow64\WS2_32.dll!connect 00000000751d6bdd 6 bytes JMP 71ac000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[5336] C:\Windows\syswow64\WS2_32.dll!send 00000000751d6f01 6 bytes JMP 719e000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[5336] C:\Windows\syswow64\WS2_32.dll!WSARecv 00000000751d7089 6 bytes JMP 718a000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[5336] C:\Windows\syswow64\WS2_32.dll!recvfrom 00000000751db6dc 6 bytes JMP 71a2000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[5336] C:\Windows\syswow64\WS2_32.dll!WSARecvFrom 00000000751dcba6 6 bytes JMP 7186000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[5336] 
C:\Windows\syswow64\WS2_32.dll!WSAConnect 00000000751dcc3f 6 bytes JMP 718d000a .text C:\Program Files (x86)\Launch Manager\LManager.exe[5336] C:\Windows\syswow64\WS2_32.dll!WSASendTo 00000000751eb30c 6 bytes JMP 7180000a .text C:\Program Files (x86)\Kodak\AiO\StatusMonitor\EKStatusMonitor.exe[5704] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075192c9e 4 bytes CALL 71a90000 .text C:\Program Files (x86)\Kodak\AiO\StatusMonitor\EKStatusMonitor.exe[5704] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074f61401 2 bytes JMP 74fab1ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Kodak\AiO\StatusMonitor\EKStatusMonitor.exe[5704] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074f61419 2 bytes JMP 74fab31a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Kodak\AiO\StatusMonitor\EKStatusMonitor.exe[5704] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074f61431 2 bytes JMP 75028f09 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Kodak\AiO\StatusMonitor\EKStatusMonitor.exe[5704] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074f6144a 2 bytes CALL 74f84885 C:\Windows\syswow64\kernel32.dll .text ... 
* 9 .text C:\Program Files (x86)\Kodak\AiO\StatusMonitor\EKStatusMonitor.exe[5704] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074f614dd 2 bytes JMP 75028802 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Kodak\AiO\StatusMonitor\EKStatusMonitor.exe[5704] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074f614f5 2 bytes JMP 750289d8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Kodak\AiO\StatusMonitor\EKStatusMonitor.exe[5704] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074f6150d 2 bytes JMP 750286f8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Kodak\AiO\StatusMonitor\EKStatusMonitor.exe[5704] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074f61525 2 bytes JMP 75028ac2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Kodak\AiO\StatusMonitor\EKStatusMonitor.exe[5704] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074f6153d 2 bytes JMP 74f9fc78 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Kodak\AiO\StatusMonitor\EKStatusMonitor.exe[5704] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074f61555 2 bytes JMP 74fa68bf C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Kodak\AiO\StatusMonitor\EKStatusMonitor.exe[5704] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074f6156d 2 bytes JMP 75028fc1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Kodak\AiO\StatusMonitor\EKStatusMonitor.exe[5704] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074f61585 2 bytes JMP 75028b22 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Kodak\AiO\StatusMonitor\EKStatusMonitor.exe[5704] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074f6159d 2 bytes JMP 750286bc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Kodak\AiO\StatusMonitor\EKStatusMonitor.exe[5704] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074f615b5 2 
bytes JMP 74f9fd11 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Kodak\AiO\StatusMonitor\EKStatusMonitor.exe[5704] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074f615cd 2 bytes JMP 74fab2b0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Kodak\AiO\StatusMonitor\EKStatusMonitor.exe[5704] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074f616b2 2 bytes JMP 75028e84 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Kodak\AiO\StatusMonitor\EKStatusMonitor.exe[5704] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074f616bd 2 bytes JMP 75028651 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Kodak\AiO\StatusMonitor\EKStatusMonitor.exe[5704] C:\Windows\syswow64\WS2_32.dll!sendto 00000000751d34b5 6 bytes JMP 719b000a .text C:\Program Files (x86)\Kodak\AiO\StatusMonitor\EKStatusMonitor.exe[5704] C:\Windows\syswow64\WS2_32.dll!closesocket 00000000751d3918 6 bytes JMP 717e000a .text C:\Program Files (x86)\Kodak\AiO\StatusMonitor\EKStatusMonitor.exe[5704] C:\Windows\syswow64\WS2_32.dll!WSAStartup 00000000751d3ab2 6 bytes JMP 717b000a .text C:\Program Files (x86)\Kodak\AiO\StatusMonitor\EKStatusMonitor.exe[5704] C:\Windows\syswow64\WS2_32.dll!WSASend 00000000751d4406 6 bytes JMP 7184000a .text C:\Program Files (x86)\Kodak\AiO\StatusMonitor\EKStatusMonitor.exe[5704] C:\Windows\syswow64\WS2_32.dll!recv 00000000751d6b0e 6 bytes JMP 71a5000a .text C:\Program Files (x86)\Kodak\AiO\StatusMonitor\EKStatusMonitor.exe[5704] C:\Windows\syswow64\WS2_32.dll!connect 00000000751d6bdd 6 bytes JMP 71ac000a .text C:\Program Files (x86)\Kodak\AiO\StatusMonitor\EKStatusMonitor.exe[5704] C:\Windows\syswow64\WS2_32.dll!send 00000000751d6f01 6 bytes JMP 719e000a .text C:\Program Files (x86)\Kodak\AiO\StatusMonitor\EKStatusMonitor.exe[5704] C:\Windows\syswow64\WS2_32.dll!WSARecv 00000000751d7089 6 bytes JMP 718a000a .text C:\Program Files 
(x86)\Kodak\AiO\StatusMonitor\EKStatusMonitor.exe[5704] C:\Windows\syswow64\WS2_32.dll!recvfrom 00000000751db6dc 6 bytes JMP 71a2000a .text C:\Program Files (x86)\Kodak\AiO\StatusMonitor\EKStatusMonitor.exe[5704] C:\Windows\syswow64\WS2_32.dll!WSARecvFrom 00000000751dcba6 6 bytes JMP 7187000a .text C:\Program Files (x86)\Kodak\AiO\StatusMonitor\EKStatusMonitor.exe[5704] C:\Windows\syswow64\WS2_32.dll!WSAConnect 00000000751dcc3f 6 bytes JMP 718d000a .text C:\Program Files (x86)\Kodak\AiO\StatusMonitor\EKStatusMonitor.exe[5704] C:\Windows\syswow64\WS2_32.dll!WSASendTo 00000000751eb30c 6 bytes JMP 7181000a .text C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe[5396] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075192c9e 4 bytes CALL 71a90000 .text C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe[5396] C:\Windows\syswow64\WS2_32.dll!sendto 00000000751d34b5 6 bytes JMP 719b000a .text C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe[5396] C:\Windows\syswow64\WS2_32.dll!closesocket 00000000751d3918 6 bytes JMP 7188000a .text C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe[5396] C:\Windows\syswow64\WS2_32.dll!WSAStartup 00000000751d3ab2 6 bytes JMP 7185000a .text C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe[5396] C:\Windows\syswow64\WS2_32.dll!WSASend 00000000751d4406 6 bytes JMP 718f000a .text C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe[5396] C:\Windows\syswow64\WS2_32.dll!recv 00000000751d6b0e 6 bytes JMP 71a5000a .text C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe[5396] C:\Windows\syswow64\WS2_32.dll!connect 00000000751d6bdd 6 bytes JMP 71ac000a .text C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe[5396] C:\Windows\syswow64\WS2_32.dll!send 00000000751d6f01 6 bytes JMP 719e000a .text C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe[5396] C:\Windows\syswow64\WS2_32.dll!WSARecv 00000000751d7089 6 bytes JMP 7195000a .text C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe[5396] C:\Windows\syswow64\WS2_32.dll!recvfrom 00000000751db6dc 
6 bytes JMP 71a2000a .text C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe[5396] C:\Windows\syswow64\WS2_32.dll!WSARecvFrom 00000000751dcba6 6 bytes JMP 7192000a .text C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe[5396] C:\Windows\syswow64\WS2_32.dll!WSAConnect 00000000751dcc3f 6 bytes JMP 7198000a .text C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe[5396] C:\Windows\syswow64\WS2_32.dll!WSASendTo 00000000751eb30c 6 bytes JMP 718b000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[5288] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075192c9e 4 bytes CALL 71aa0000 .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[5288] C:\Windows\syswow64\WS2_32.dll!sendto 00000000751d34b5 6 bytes JMP 7196000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[5288] C:\Windows\syswow64\WS2_32.dll!closesocket 00000000751d3918 6 bytes JMP 7181000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[5288] C:\Windows\syswow64\WS2_32.dll!WSAStartup 00000000751d3ab2 6 bytes JMP 717e000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[5288] C:\Windows\syswow64\WS2_32.dll!WSASend 00000000751d4406 6 bytes JMP 7187000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[5288] C:\Windows\syswow64\WS2_32.dll!recv 00000000751d6b0e 6 bytes JMP 71a6000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[5288] C:\Windows\syswow64\WS2_32.dll!connect 00000000751d6bdd 6 bytes JMP 71ad000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[5288] C:\Windows\syswow64\WS2_32.dll!send 00000000751d6f01 6 bytes JMP 7199000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[5288] C:\Windows\syswow64\WS2_32.dll!WSARecv 00000000751d7089 6 bytes JMP 7190000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[5288] C:\Windows\syswow64\WS2_32.dll!recvfrom 00000000751db6dc 6 bytes JMP 71a3000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[5288] C:\Windows\syswow64\WS2_32.dll!WSARecvFrom 00000000751dcba6 6 bytes JMP 718a000a .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[5288] C:\Windows\syswow64\WS2_32.dll!WSAConnect 00000000751dcc3f 6 bytes JMP 7193000a 
.text C:\Windows\sysWOW64\wbem\wmiprvse.exe[5288] C:\Windows\syswow64\WS2_32.dll!WSASendTo 00000000751eb30c 6 bytes JMP 7184000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6612] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075192c9e 4 bytes CALL 71aa0000 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6612] C:\Windows\syswow64\WS2_32.dll!sendto 00000000751d34b5 6 bytes JMP 719a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6612] C:\Windows\syswow64\WS2_32.dll!closesocket 00000000751d3918 6 bytes JMP 7188000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6612] C:\Windows\syswow64\WS2_32.dll!WSAStartup 00000000751d3ab2 6 bytes JMP 7185000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6612] C:\Windows\syswow64\WS2_32.dll!WSASend 00000000751d4406 6 bytes JMP 718e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6612] C:\Windows\syswow64\WS2_32.dll!recv 00000000751d6b0e 6 bytes JMP 71a6000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6612] C:\Windows\syswow64\WS2_32.dll!connect 00000000751d6bdd 6 bytes JMP 71ad000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6612] C:\Windows\syswow64\WS2_32.dll!send 00000000751d6f01 6 bytes JMP 719d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6612] C:\Windows\syswow64\WS2_32.dll!WSARecv 00000000751d7089 6 bytes JMP 7194000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6612] C:\Windows\syswow64\WS2_32.dll!recvfrom 00000000751db6dc 6 bytes JMP 71a3000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6612] C:\Windows\syswow64\WS2_32.dll!WSARecvFrom 00000000751dcba6 6 bytes JMP 7191000a 
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6612] C:\Windows\syswow64\WS2_32.dll!WSAConnect 00000000751dcc3f 6 bytes JMP 7197000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6612] C:\Windows\syswow64\WS2_32.dll!WSASendTo 00000000751eb30c 6 bytes JMP 718b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6612] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17 0000000074f61401 2 bytes JMP 74fab1ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6612] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17 0000000074f61419 2 bytes JMP 74fab31a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6612] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17 0000000074f61431 2 bytes JMP 75028f09 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6612] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42 0000000074f6144a 2 bytes CALL 74f84885 C:\Windows\syswow64\kernel32.dll .text ... 
* 9 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6612] C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17 0000000074f614dd 2 bytes JMP 75028802 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6612] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17 0000000074f614f5 2 bytes JMP 750289d8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6612] C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17 0000000074f6150d 2 bytes JMP 750286f8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6612] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17 0000000074f61525 2 bytes JMP 75028ac2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6612] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17 0000000074f6153d 2 bytes JMP 74f9fc78 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6612] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17 0000000074f61555 2 bytes JMP 74fa68bf C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6612] C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17 0000000074f6156d 2 bytes JMP 75028fc1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6612] C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17 0000000074f61585 2 bytes JMP 75028b22 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6612] C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17 0000000074f6159d 2 bytes JMP 750286bc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) 
Management Engine Components\UNS\UNS.exe[6612] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17 0000000074f615b5 2 bytes JMP 74f9fd11 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6612] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17 0000000074f615cd 2 bytes JMP 74fab2b0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6612] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20 0000000074f616b2 2 bytes JMP 75028e84 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6612] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31 0000000074f616bd 2 bytes JMP 75028651 C:\Windows\syswow64\kernel32.dll .text C:\Users\Kaktus\Downloads\g663ygxe.exe[3752] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075192c9e 4 bytes CALL 71a90000 ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\Explorer.EXE[3136] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!FreeLibraryAndExitThread] [10002370] C:\Program Files (x86)\EgisTec MyWinLocker\x64\psdprotect.dll IAT C:\Windows\Explorer.EXE[3136] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!CreateThread] [100034e0] C:\Program Files (x86)\EgisTec MyWinLocker\x64\psdprotect.dll IAT C:\Windows\Explorer.EXE[3136] @ C:\Windows\system32\SHELL32.dll[KERNEL32.dll!LoadLibraryA] [100011e0] C:\Program Files (x86)\EgisTec MyWinLocker\x64\psdprotect.dll ---- Threads - GMER 2.1 ---- Thread C:\Windows\Explorer.EXE [3136:5964] 000007feffff0000 Thread C:\Windows\system32\wbem\unsecapp.exe [3172:3672] 000007feffff0000 Thread C:\Windows\system32\dllhost.exe [3808:4532] 000007feffff0000 Thread c:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe [4816:4304] 000007feffff0000 Thread c:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe [4816:4684] 000007fef054bc60 Thread c:\Program Files\Microsoft Mouse 
and Keyboard Center\ipoint.exe [4844:5096] 000007feffff0000 Thread C:\Windows\System32\msdtc.exe [4988:5500] 000007feffff0000 Thread C:\Windows\system32\wbem\unsecapp.exe [4276:2256] 000007feffff0000 Thread C:\Windows\sysWOW64\wbem\wmiprvse.exe [5288:872] 0000000071af0000 Thread C:\Windows\System32\svchost.exe [6316:6348] 000007feef5a9688 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [7112:1740] 000007feffff0000 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [7112:6708] 000007fefb202bf8 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [7112:6788] 000007feeaa8cf60 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [7112:5368] 000007fef9765124 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BITS@Start 3 Reg HKLM\SYSTEM\CurrentControlSet\services\BITS ---- EOF - GMER 2.1 ----