GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-03-11 17:02:48 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000061 ST950032 rev.0011 465,76GB Running: xpl67k1g.exe; Driver: C:\Users\Marcin\AppData\Local\Temp\uwddikod.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\Application Updater\ApplicationUpdater.exe[1944] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075471401 2 bytes JMP 74e2b21b C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Application Updater\ApplicationUpdater.exe[1944] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075471419 2 bytes JMP 74e2b346 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Application Updater\ApplicationUpdater.exe[1944] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075471431 2 bytes JMP 74ea8ea9 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Application Updater\ApplicationUpdater.exe[1944] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007547144a 2 bytes CALL 74e048ad C:\windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Application Updater\ApplicationUpdater.exe[1944] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000754714dd 2 bytes JMP 74ea87a2 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Application Updater\ApplicationUpdater.exe[1944] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000754714f5 2 bytes JMP 74ea8978 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Application Updater\ApplicationUpdater.exe[1944] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007547150d 2 bytes JMP 74ea8698 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Application Updater\ApplicationUpdater.exe[1944] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075471525 2 bytes JMP 74ea8a62 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Application Updater\ApplicationUpdater.exe[1944] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007547153d 2 bytes JMP 74e1fca8 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Application Updater\ApplicationUpdater.exe[1944] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075471555 2 bytes JMP 74e268ef C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Application Updater\ApplicationUpdater.exe[1944] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007547156d 2 bytes JMP 74ea8f61 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Application Updater\ApplicationUpdater.exe[1944] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075471585 2 bytes JMP 74ea8ac2 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Application Updater\ApplicationUpdater.exe[1944] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007547159d 2 bytes JMP 74ea865c C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Application Updater\ApplicationUpdater.exe[1944] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000754715b5 2 bytes JMP 74e1fd41 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Application Updater\ApplicationUpdater.exe[1944] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000754715cd 2 bytes JMP 74e2b2dc C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Application Updater\ApplicationUpdater.exe[1944] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000754716b2 2 bytes JMP 74ea8e24 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Application Updater\ApplicationUpdater.exe[1944] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000754716bd 2 bytes JMP 74ea85f1 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe[1300] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075471401 2 bytes JMP 74e2b21b C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe[1300] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075471419 2 bytes JMP 74e2b346 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe[1300] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075471431 2 bytes JMP 74ea8ea9 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe[1300] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007547144a 2 bytes CALL 74e048ad C:\windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe[1300] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000754714dd 2 bytes JMP 74ea87a2 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe[1300] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000754714f5 2 bytes JMP 74ea8978 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe[1300] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007547150d 2 bytes JMP 74ea8698 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe[1300] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075471525 2 bytes JMP 74ea8a62 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe[1300] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007547153d 2 bytes JMP 74e1fca8 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe[1300] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075471555 2 bytes JMP 74e268ef C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe[1300] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007547156d 2 bytes JMP 74ea8f61 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe[1300] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075471585 2 bytes JMP 74ea8ac2 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe[1300] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007547159d 2 bytes JMP 74ea865c C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe[1300] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000754715b5 2 bytes JMP 74e1fd41 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe[1300] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000754715cd 2 bytes JMP 74e2b2dc C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe[1300] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000754716b2 2 bytes JMP 74ea8e24 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe[1300] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000754716bd 2 bytes JMP 74ea85f1 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1584] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 35 00000000722a11a8 2 bytes [2A, 72] .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1584] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 248 00000000722a127d 2 bytes CALL 74e014b9 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1584] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 395 00000000722a1310 2 bytes CALL 74e014b9 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1584] C:\Windows\SysWOW64\ksuser.dll!KsCreateAllocator + 21 00000000722a13a8 2 bytes [2A, 72] .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1584] C:\Windows\SysWOW64\ksuser.dll!KsCreateClock + 21 00000000722a1422 2 bytes [2A, 72] .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1584] C:\Windows\SysWOW64\ksuser.dll!KsCreateTopologyNode + 19 00000000722a1498 2 bytes [2A, 72] .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1584] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkD3dContextCreate + 4 0000000071e11825 2 bytes JMP 76676125 C:\windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1584] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkD3dContextDestroy + 4 0000000071e11830 2 bytes JMP 76676145 C:\windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1584] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkD3dContextDestroyAll + 4 0000000071e1183b 2 bytes JMP 76676165 C:\windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1584] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkD3dDrawPrimitives2 + 4 0000000071e11846 2 bytes JMP 76675a05 C:\windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1584] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkD3dValidateTextureStageState + 4 0000000071e11851 2 bytes JMP 76676185 C:\windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1584] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdAddAttachedSurface + 4 0000000071e1185c 2 bytes JMP 76676265 C:\windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1584] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdAlphaBlt + 4 0000000071e11867 2 bytes JMP 76676285 C:\windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1584] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdAttachSurface + 4 0000000071e11872 2 bytes JMP 766762a5 C:\windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1584] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdBeginMoCompFrame + 4 0000000071e1187d 2 bytes JMP 766762c5 C:\windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1584] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdBlt + 4 0000000071e11888 2 bytes JMP 76675a25 C:\windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1584] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdCanCreateD3DBuffer + 4 0000000071e11893 2 bytes JMP 766762e5 C:\windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1584] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdCanCreateSurface + 4 0000000071e1189e 2 bytes JMP 76675aa5 C:\windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1584] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdColorControl + 4 0000000071e118a9 2 bytes JMP 76676305 C:\windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1584] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdCreateD3DBuffer + 4 0000000071e118b4 2 bytes JMP 76676325 C:\windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1584] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdCreateDirectDrawObject + 4 0000000071e118bf 2 bytes JMP 76641fcb C:\windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1584] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdCreateMoComp + 4 0000000071e118ca 2 bytes JMP 76676365 C:\windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1584] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdCreateSurface + 4 0000000071e118d5 2 bytes JMP 76675ac5 C:\windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1584] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdCreateSurfaceEx + 4 0000000071e118e0 2 bytes JMP 76675b45 C:\windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1584] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdCreateSurfaceObject + 4 0000000071e118eb 2 bytes JMP 76675b65 C:\windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1584] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdDeleteDirectDrawObject + 4 0000000071e118f6 2 bytes JMP 766768c5 C:\windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1584] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdDeleteSurfaceObject + 4 0000000071e11901 2 bytes JMP 76675a85 C:\windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1584] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdDestroyD3DBuffer + 4 0000000071e1190c 2 bytes JMP 766768e5 C:\windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1584] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdDestroyMoComp + 4 0000000071e11917 2 bytes JMP 76676925 C:\windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1584] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdDestroySurface + 4 0000000071e11922 2 bytes JMP 76675ae5 C:\windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1584] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdEndMoCompFrame + 4 0000000071e1192d 2 bytes JMP 76676945 C:\windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1584] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdFlip + 4 0000000071e11938 2 bytes JMP 76676965 C:\windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1584] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdFlipToGDISurface + 4 0000000071e11943 2 bytes JMP 76676985 C:\windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1584] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdGetAvailDriverMemory + 4 0000000071e1194e 2 bytes JMP 766769a5 C:\windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1584] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdGetBltStatus + 4 0000000071e11959 2 bytes JMP 766769c5 C:\windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1584] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdGetDC + 4 0000000071e11964 2 bytes JMP 766769e5 C:\windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1584] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdGetDriverInfo + 4 0000000071e1196f 2 bytes JMP 76676a05 C:\windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1584] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdGetDriverState + 4 0000000071e1197a 2 bytes JMP 76676a25 C:\windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1584] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdGetDxHandle + 4 0000000071e11985 2 bytes JMP 76676a45 C:\windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1584] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdGetFlipStatus + 4 0000000071e11990 2 bytes JMP 76676a65 C:\windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1584] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdGetInternalMoCompInfo + 4 0000000071e1199b 2 bytes JMP 76676a85 C:\windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1584] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdGetMoCompBuffInfo + 4 0000000071e119a6 2 bytes JMP 76676aa5 C:\windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1584] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdGetMoCompFormats + 4 0000000071e119b1 2 bytes JMP 76676ac5 C:\windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1584] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdGetMoCompGuids + 4 0000000071e119bc 2 bytes JMP 76676ae5 C:\windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1584] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdGetScanLine + 4 0000000071e119c7 2 bytes JMP 76676b05 C:\windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1584] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdLock + 4 0000000071e119d2 2 bytes JMP 76676b25 C:\windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1584] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdLockD3D + 4 0000000071e119dd 2 bytes JMP 76675b85 C:\windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1584] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdQueryDirectDrawObject + 4 0000000071e119e8 2 bytes JMP 76676b65 C:\windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1584] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdQueryMoCompStatus + 4 0000000071e119f3 2 bytes JMP 76676b85 C:\windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1584] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdReenableDirectDrawObject + 4 0000000071e119fe 2 bytes JMP 76676bc3 C:\windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1584] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdReleaseDC + 4 0000000071e11a09 2 bytes JMP 76676be3 C:\windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1584] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdRenderMoComp + 4 0000000071e11a14 2 bytes JMP 76676c03 C:\windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1584] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdResetVisrgn + 4 0000000071e11a1f 2 bytes JMP 76675b05 C:\windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1584] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdSetColorKey + 4 0000000071e11a2a 2 bytes JMP 76676c23 C:\windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1584] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdSetExclusiveMode + 4 0000000071e11a35 2 bytes JMP 76676c43 C:\windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1584] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdSetGammaRamp + 4 0000000071e11a40 2 bytes JMP 76676c63 C:\windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1584] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdSetOverlayPosition + 4 0000000071e11a4b 2 bytes JMP 76676c83 C:\windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1584] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdUnattachSurface + 4 0000000071e11a56 2 bytes JMP 76676ca3 C:\windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1584] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdUnlock + 4 0000000071e11a61 2 bytes JMP 76676cc3 C:\windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1584] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdUnlockD3D + 4 0000000071e11a6c 2 bytes JMP 76675ba5 C:\windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1584] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdUpdateOverlay + 4 0000000071e11a77 2 bytes JMP 76676ce3 C:\windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1584] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 4 0000000071e11a82 2 bytes JMP 76676d03 C:\windows\syswow64\GDI32.dll .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1584] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 52 0000000071e11ab2 2 bytes JMP 74fadc75 C:\windows\syswow64\msvcrt.dll .text C:\windows\System32\alg.exe[3360] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077081530 5 bytes JMP 00000000771e0128 .text C:\windows\System32\alg.exe[3360] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077081650 5 bytes JMP 00000000771e0018 .text C:\windows\System32\alg.exe[3360] C:\windows\system32\kernel32.dll!CreateProcessInternalW 0000000076e2db80 5 bytes JMP 00000000771e00a0 .text C:\windows\system32\svchost.exe[3440] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077081530 5 bytes JMP 0000000177020128 .text C:\windows\system32\svchost.exe[3440] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077081650 5 bytes JMP 0000000177020018 .text C:\windows\system32\svchost.exe[3440] C:\windows\system32\kernel32.dll!CreateProcessInternalW 0000000076e2db80 5 bytes JMP 00000000770200a0 .text C:\windows\system32\atieclxx.exe[3448] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077081530 5 bytes JMP 00000000771e0128 .text C:\windows\system32\atieclxx.exe[3448] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077081650 5 bytes JMP 00000000771e0018 .text C:\windows\system32\atieclxx.exe[3448] C:\windows\system32\kernel32.dll!CreateProcessInternalW 0000000076e2db80 5 bytes JMP 00000000771e00a0 .text C:\windows\system32\svchost.exe[3616] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077081530 5 bytes JMP 0000000177020128 .text C:\windows\system32\svchost.exe[3616] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077081650 5 bytes JMP 0000000177020018 .text C:\windows\system32\svchost.exe[3616] C:\windows\system32\kernel32.dll!CreateProcessInternalW 0000000076e2db80 5 bytes JMP 00000000770200a0 .text C:\windows\system32\svchost.exe[3716] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077081530 5 bytes JMP 0000000177020128 .text C:\windows\system32\svchost.exe[3716] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077081650 5 bytes JMP 0000000177020018 .text C:\windows\system32\svchost.exe[3716] C:\windows\system32\kernel32.dll!CreateProcessInternalW 0000000076e2db80 5 bytes JMP 00000000770200a0 .text C:\windows\system32\taskhost.exe[3828] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077081530 5 bytes JMP 00000000771e0128 .text C:\windows\system32\taskhost.exe[3828] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077081650 5 bytes JMP 00000000771e0018 .text C:\windows\system32\taskhost.exe[3828] C:\windows\system32\kernel32.dll!CreateProcessInternalW 0000000076e2db80 5 bytes JMP 00000000771e00a0 .text C:\windows\system32\taskeng.exe[1064] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077081530 5 bytes JMP 00000000771e0128 .text C:\windows\system32\taskeng.exe[1064] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077081650 5 bytes JMP 00000000771e0018 .text C:\windows\system32\taskeng.exe[1064] C:\windows\system32\kernel32.dll!CreateProcessInternalW 0000000076e2db80 5 bytes JMP 00000000771e00a0 .text C:\windows\system32\Dwm.exe[3748] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077081530 5 bytes JMP 00000000771e0128 .text C:\windows\system32\Dwm.exe[3748] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077081650 5 bytes JMP 00000000771e0018 .text C:\windows\system32\Dwm.exe[3748] C:\windows\system32\kernel32.dll!CreateProcessInternalW 0000000076e2db80 5 bytes JMP 00000000771e00a0 .text C:\windows\Explorer.EXE[3480] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077081530 5 bytes JMP 00000000771e0128 .text C:\windows\Explorer.EXE[3480] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077081650 5 bytes JMP 00000000771e0018 .text C:\windows\Explorer.EXE[3480] C:\windows\system32\kernel32.dll!CreateProcessInternalW 0000000076e2db80 5 bytes JMP 00000000771e00a0 .text C:\windows\system32\SearchIndexer.exe[4380] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077081530 5 bytes JMP 00000000771e0128 .text C:\windows\system32\SearchIndexer.exe[4380] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077081650 5 bytes JMP 00000000771e0018 .text C:\windows\system32\taskeng.exe[4628] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077081530 5 bytes JMP 00000000771e0128 .text C:\windows\system32\taskeng.exe[4628] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077081650 5 bytes JMP 00000000771e0018 .text C:\windows\system32\taskeng.exe[4628] C:\windows\system32\kernel32.dll!CreateProcessInternalW 0000000076e2db80 5 bytes JMP 00000000771e00a0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4904] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077081530 5 bytes JMP 00000000771e0128 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4904] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077081650 5 bytes JMP 00000000771e0018 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4904] C:\windows\system32\kernel32.dll!CreateProcessInternalW 0000000076e2db80 5 bytes JMP 00000000771e00a0 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4920] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077081530 5 bytes JMP 00000000771e0128 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4920] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077081650 5 bytes JMP 00000000771e0018 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4920] C:\windows\system32\kernel32.dll!CreateProcessInternalW 0000000076e2db80 5 bytes JMP 00000000771e00a0 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4928] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077081530 5 bytes JMP 00000000771e0128 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4928] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077081650 5 bytes JMP 00000000771e0018 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4928] C:\windows\system32\kernel32.dll!CreateProcessInternalW 0000000076e2db80 5 bytes JMP 00000000771e00a0 .text C:\Windows\System32\igfxtray.exe[4944] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077081530 5 bytes JMP 00000000771e0128 .text C:\Windows\System32\igfxtray.exe[4944] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077081650 5 bytes JMP 00000000771e0018 .text C:\Windows\System32\igfxtray.exe[4944] C:\windows\system32\kernel32.dll!CreateProcessInternalW 0000000076e2db80 5 bytes JMP 00000000771e00a0 .text C:\Windows\System32\hkcmd.exe[4976] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077081530 5 bytes JMP 00000000771e0128 .text C:\Windows\System32\hkcmd.exe[4976] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077081650 5 bytes JMP 00000000771e0018 .text C:\Windows\System32\hkcmd.exe[4976] C:\windows\system32\kernel32.dll!CreateProcessInternalW 0000000076e2db80 5 bytes JMP 00000000771e00a0 .text C:\Windows\System32\igfxpers.exe[4984] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077081530 5 bytes JMP 00000000771e0128 .text C:\Windows\System32\igfxpers.exe[4984] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077081650 5 bytes JMP 00000000771e0018 .text C:\Windows\System32\igfxpers.exe[4984] C:\windows\system32\kernel32.dll!CreateProcessInternalW 0000000076e2db80 5 bytes JMP 00000000771e00a0 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4232] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077081530 5 bytes JMP 00000000771e0128 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4232] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077081650 5 bytes JMP 00000000771e0018 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4232] C:\windows\system32\kernel32.dll!CreateProcessInternalW 0000000076e2db80 5 bytes JMP 00000000771e00a0 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[412] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007722fc50 5 bytes JMP 000000016ee21460 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[412] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007722fe14 5 bytes JMP 000000016ee21120 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[412] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000074e13bbb 3 bytes JMP 000000016ee21260 .text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[412] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000074e13bbf 1 byte [FA] .text C:\Program Files\iTunes\iTunesHelper.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077081530 5 bytes JMP 00000000771e0128 .text C:\Program Files\iTunes\iTunesHelper.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077081650 5 bytes JMP 00000000771e0018 .text C:\Program Files\iTunes\iTunesHelper.exe[4228] C:\windows\system32\kernel32.dll!CreateProcessInternalW 0000000076e2db80 5 bytes JMP 00000000771e00a0 .text C:\Program Files\Windows Sidebar\sidebar.exe[1260] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077081530 5 bytes JMP 00000000771e0128 .text C:\Program Files\Windows Sidebar\sidebar.exe[1260] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077081650 5 bytes JMP 00000000771e0018 .text C:\Program Files\Windows Sidebar\sidebar.exe[1260] C:\windows\system32\kernel32.dll!CreateProcessInternalW 0000000076e2db80 5 bytes JMP 00000000771e00a0 .text C:\Users\Marcin\AppData\Roaming\ACEStream\engine\ace_engine.exe[4044] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007722fc50 5 bytes JMP 000000016ee21460 .text C:\Users\Marcin\AppData\Roaming\ACEStream\engine\ace_engine.exe[4044] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007722fe14 5 bytes JMP 000000016ee21120 .text C:\Users\Marcin\AppData\Roaming\ACEStream\engine\ace_engine.exe[4044] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000074e13bbb 3 bytes JMP 000000016ee21260 .text C:\Users\Marcin\AppData\Roaming\ACEStream\engine\ace_engine.exe[4044] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000074e13bbf 1 byte [FA] .text C:\Users\Marcin\AppData\Roaming\ACEStream\engine\ace_engine.exe[4044] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075471401 2 bytes JMP 74e2b21b C:\windows\syswow64\kernel32.dll .text C:\Users\Marcin\AppData\Roaming\ACEStream\engine\ace_engine.exe[4044] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075471419 2 bytes JMP 74e2b346 C:\windows\syswow64\kernel32.dll .text C:\Users\Marcin\AppData\Roaming\ACEStream\engine\ace_engine.exe[4044] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075471431 2 bytes JMP 74ea8ea9 C:\windows\syswow64\kernel32.dll .text C:\Users\Marcin\AppData\Roaming\ACEStream\engine\ace_engine.exe[4044] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007547144a 2 bytes CALL 74e048ad C:\windows\syswow64\kernel32.dll .text ... * 9 .text C:\Users\Marcin\AppData\Roaming\ACEStream\engine\ace_engine.exe[4044] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000754714dd 2 bytes JMP 74ea87a2 C:\windows\syswow64\kernel32.dll .text C:\Users\Marcin\AppData\Roaming\ACEStream\engine\ace_engine.exe[4044] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000754714f5 2 bytes JMP 74ea8978 C:\windows\syswow64\kernel32.dll .text C:\Users\Marcin\AppData\Roaming\ACEStream\engine\ace_engine.exe[4044] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007547150d 2 bytes JMP 74ea8698 C:\windows\syswow64\kernel32.dll .text C:\Users\Marcin\AppData\Roaming\ACEStream\engine\ace_engine.exe[4044] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075471525 2 bytes JMP 74ea8a62 C:\windows\syswow64\kernel32.dll .text C:\Users\Marcin\AppData\Roaming\ACEStream\engine\ace_engine.exe[4044] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007547153d 2 bytes JMP 74e1fca8 C:\windows\syswow64\kernel32.dll .text C:\Users\Marcin\AppData\Roaming\ACEStream\engine\ace_engine.exe[4044] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075471555 2 bytes JMP 74e268ef C:\windows\syswow64\kernel32.dll .text C:\Users\Marcin\AppData\Roaming\ACEStream\engine\ace_engine.exe[4044] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007547156d 2 bytes JMP 74ea8f61 C:\windows\syswow64\kernel32.dll .text C:\Users\Marcin\AppData\Roaming\ACEStream\engine\ace_engine.exe[4044] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075471585 2 bytes JMP 74ea8ac2 C:\windows\syswow64\kernel32.dll .text C:\Users\Marcin\AppData\Roaming\ACEStream\engine\ace_engine.exe[4044] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007547159d 2 bytes JMP 74ea865c C:\windows\syswow64\kernel32.dll .text C:\Users\Marcin\AppData\Roaming\ACEStream\engine\ace_engine.exe[4044] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000754715b5 2 bytes JMP 74e1fd41 C:\windows\syswow64\kernel32.dll .text C:\Users\Marcin\AppData\Roaming\ACEStream\engine\ace_engine.exe[4044] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000754715cd 2 bytes JMP 74e2b2dc C:\windows\syswow64\kernel32.dll .text C:\Users\Marcin\AppData\Roaming\ACEStream\engine\ace_engine.exe[4044] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000754716b2 2 bytes JMP 74ea8e24 C:\windows\syswow64\kernel32.dll .text C:\Users\Marcin\AppData\Roaming\ACEStream\engine\ace_engine.exe[4044] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000754716bd 2 bytes JMP 74ea85f1 C:\windows\syswow64\kernel32.dll .text C:\Users\Marcin\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4372] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007722fc50 5 bytes JMP 000000016ee21460 .text C:\Users\Marcin\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4372] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007722fe14 5 bytes JMP 000000016ee21120 .text C:\Users\Marcin\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4372] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000074e13bbb 3 bytes JMP 000000016ee21260 .text C:\Users\Marcin\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4372] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000074e13bbf 1 byte [FA] .text C:\Users\Marcin\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4372] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075471401 2 bytes JMP 74e2b21b C:\windows\syswow64\kernel32.dll .text C:\Users\Marcin\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4372] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075471419 2 bytes JMP 74e2b346 C:\windows\syswow64\kernel32.dll .text C:\Users\Marcin\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4372] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075471431 2 bytes JMP 74ea8ea9 C:\windows\syswow64\kernel32.dll .text C:\Users\Marcin\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4372] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007547144a 2 bytes CALL 74e048ad C:\windows\syswow64\kernel32.dll .text ... * 9 .text C:\Users\Marcin\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4372] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000754714dd 2 bytes JMP 74ea87a2 C:\windows\syswow64\kernel32.dll .text C:\Users\Marcin\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4372] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000754714f5 2 bytes JMP 74ea8978 C:\windows\syswow64\kernel32.dll .text C:\Users\Marcin\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4372] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007547150d 2 bytes JMP 74ea8698 C:\windows\syswow64\kernel32.dll .text C:\Users\Marcin\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4372] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075471525 2 bytes JMP 74ea8a62 C:\windows\syswow64\kernel32.dll .text C:\Users\Marcin\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4372] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007547153d 2 bytes JMP 74e1fca8 C:\windows\syswow64\kernel32.dll .text C:\Users\Marcin\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4372] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075471555 2 bytes JMP 74e268ef C:\windows\syswow64\kernel32.dll .text C:\Users\Marcin\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4372] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007547156d 2 bytes JMP 74ea8f61 C:\windows\syswow64\kernel32.dll .text C:\Users\Marcin\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4372] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075471585 2 bytes JMP 74ea8ac2 C:\windows\syswow64\kernel32.dll .text C:\Users\Marcin\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4372] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007547159d 2 bytes JMP 74ea865c C:\windows\syswow64\kernel32.dll .text C:\Users\Marcin\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4372] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000754715b5 2 bytes JMP 74e1fd41 C:\windows\syswow64\kernel32.dll .text C:\Users\Marcin\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4372] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000754715cd 2 bytes JMP 74e2b2dc C:\windows\syswow64\kernel32.dll .text C:\Users\Marcin\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4372] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000754716b2 2 bytes JMP 74ea8e24 C:\windows\syswow64\kernel32.dll .text C:\Users\Marcin\AppData\Local\Microsoft\OneDrive\OneDrive.exe[4372] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000754716bd 2 bytes JMP 74ea85f1 C:\windows\syswow64\kernel32.dll .text C:\Users\Marcin\AppData\Roaming\uTorrent\uTorrent.exe[4356] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007722fc50 5 bytes JMP 000000016ee21460 .text C:\Users\Marcin\AppData\Roaming\uTorrent\uTorrent.exe[4356] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007722fe14 5 bytes JMP 000000016ee21120 .text C:\Users\Marcin\AppData\Roaming\uTorrent\uTorrent.exe[4356] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000074e13bbb 3 bytes JMP 000000016ee21260 .text C:\Users\Marcin\AppData\Roaming\uTorrent\uTorrent.exe[4356] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000074e13bbf 1 byte [FA] .text C:\Users\Marcin\AppData\Roaming\uTorrent\uTorrent.exe[4356] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075471401 2 bytes JMP 74e2b21b C:\windows\syswow64\kernel32.dll .text C:\Users\Marcin\AppData\Roaming\uTorrent\uTorrent.exe[4356] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075471419 2 bytes JMP 74e2b346 C:\windows\syswow64\kernel32.dll .text C:\Users\Marcin\AppData\Roaming\uTorrent\uTorrent.exe[4356] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075471431 2 bytes JMP 74ea8ea9 C:\windows\syswow64\kernel32.dll .text C:\Users\Marcin\AppData\Roaming\uTorrent\uTorrent.exe[4356] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007547144a 2 bytes CALL 74e048ad C:\windows\syswow64\kernel32.dll .text ... * 9 .text C:\Users\Marcin\AppData\Roaming\uTorrent\uTorrent.exe[4356] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000754714dd 2 bytes JMP 74ea87a2 C:\windows\syswow64\kernel32.dll .text C:\Users\Marcin\AppData\Roaming\uTorrent\uTorrent.exe[4356] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000754714f5 2 bytes JMP 74ea8978 C:\windows\syswow64\kernel32.dll .text C:\Users\Marcin\AppData\Roaming\uTorrent\uTorrent.exe[4356] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007547150d 2 bytes JMP 74ea8698 C:\windows\syswow64\kernel32.dll .text C:\Users\Marcin\AppData\Roaming\uTorrent\uTorrent.exe[4356] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075471525 2 bytes JMP 74ea8a62 C:\windows\syswow64\kernel32.dll .text C:\Users\Marcin\AppData\Roaming\uTorrent\uTorrent.exe[4356] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007547153d 2 bytes JMP 74e1fca8 C:\windows\syswow64\kernel32.dll .text C:\Users\Marcin\AppData\Roaming\uTorrent\uTorrent.exe[4356] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075471555 2 bytes JMP 74e268ef C:\windows\syswow64\kernel32.dll .text C:\Users\Marcin\AppData\Roaming\uTorrent\uTorrent.exe[4356] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007547156d 2 bytes JMP 74ea8f61 C:\windows\syswow64\kernel32.dll .text C:\Users\Marcin\AppData\Roaming\uTorrent\uTorrent.exe[4356] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075471585 2 bytes JMP 74ea8ac2 C:\windows\syswow64\kernel32.dll .text C:\Users\Marcin\AppData\Roaming\uTorrent\uTorrent.exe[4356] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007547159d 2 bytes JMP 74ea865c C:\windows\syswow64\kernel32.dll .text C:\Users\Marcin\AppData\Roaming\uTorrent\uTorrent.exe[4356] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000754715b5 2 bytes JMP 74e1fd41 C:\windows\syswow64\kernel32.dll .text C:\Users\Marcin\AppData\Roaming\uTorrent\uTorrent.exe[4356] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000754715cd 2 bytes JMP 74e2b2dc C:\windows\syswow64\kernel32.dll .text C:\Users\Marcin\AppData\Roaming\uTorrent\uTorrent.exe[4356] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000754716b2 2 bytes JMP 74ea8e24 C:\windows\syswow64\kernel32.dll .text C:\Users\Marcin\AppData\Roaming\uTorrent\uTorrent.exe[4356] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000754716bd 2 bytes JMP 74ea85f1 C:\windows\syswow64\kernel32.dll .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[2704] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077081530 5 bytes JMP 00000000771e0128 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[2704] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077081650 5 bytes JMP 00000000771e0018 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[2704] C:\windows\system32\kernel32.dll!CreateProcessInternalW 0000000076e2db80 5 bytes JMP 00000000771e00a0 .text C:\Program Files\Logitech\SetPoint\SetPoint.exe[4680] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077081530 5 bytes JMP 00000000771e0128 .text C:\Program Files\Logitech\SetPoint\SetPoint.exe[4680] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077081650 5 bytes JMP 00000000771e0018 .text C:\Program Files\Logitech\SetPoint\SetPoint.exe[4680] C:\windows\system32\kernel32.dll!CreateProcessInternalW 0000000076e2db80 5 bytes JMP 00000000771e00a0 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4784] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007722fc50 5 bytes JMP 000000016ee21460 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4784] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007722fe14 5 bytes JMP 000000016ee21120 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4784] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000074e13bbb 3 bytes JMP 000000016ee21260 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4784] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000074e13bbf 1 byte [FA] .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[2528] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007722fc50 5 bytes JMP 000000016ee21460 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[2528] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007722fe14 5 bytes JMP 000000016ee21120 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[2528] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000074e13bbb 3 bytes JMP 000000016ee21260 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[2528] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000074e13bbf 1 byte [FA] .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[2528] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075471401 2 bytes JMP 74e2b21b C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[2528] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075471419 2 bytes JMP 74e2b346 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[2528] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075471431 2 bytes JMP 74ea8ea9 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[2528] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007547144a 2 bytes CALL 74e048ad C:\windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[2528] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000754714dd 2 bytes JMP 74ea87a2 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[2528] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000754714f5 2 bytes JMP 74ea8978 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[2528] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007547150d 2 bytes JMP 74ea8698 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[2528] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075471525 2 bytes JMP 74ea8a62 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[2528] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007547153d 2 bytes JMP 74e1fca8 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[2528] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075471555 2 bytes JMP 74e268ef C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[2528] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007547156d 2 bytes JMP 74ea8f61 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[2528] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075471585 2 bytes JMP 74ea8ac2 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[2528] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007547159d 2 bytes JMP 74ea865c C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[2528] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000754715b5 2 bytes JMP 74e1fd41 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[2528] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000754715cd 2 bytes JMP 74e2b2dc C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[2528] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000754716b2 2 bytes JMP 74ea8e24 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[2528] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000754716bd 2 bytes JMP 74ea85f1 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[3600] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007722fc50 5 bytes JMP 000000016ee21460 .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[3600] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007722fe14 5 bytes JMP 000000016ee21120 .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[3600] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000074e13bbb 3 bytes JMP 000000016ee21260 .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[3600] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000074e13bbf 1 byte [FA] .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[3600] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075471401 2 bytes JMP 74e2b21b C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[3600] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075471419 2 bytes JMP 74e2b346 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[3600] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075471431 2 bytes JMP 74ea8ea9 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[3600] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007547144a 2 bytes CALL 74e048ad C:\windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[3600] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000754714dd 2 bytes JMP 74ea87a2 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[3600] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000754714f5 2 bytes JMP 74ea8978 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[3600] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007547150d 2 bytes JMP 74ea8698 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[3600] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075471525 2 bytes JMP 74ea8a62 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[3600] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007547153d 2 bytes JMP 74e1fca8 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[3600] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075471555 2 bytes JMP 74e268ef C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[3600] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007547156d 2 bytes JMP 74ea8f61 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[3600] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075471585 2 bytes JMP 74ea8ac2 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[3600] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007547159d 2 bytes JMP 74ea865c C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[3600] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000754715b5 2 bytes JMP 74e1fd41 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[3600] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000754715cd 2 bytes JMP 74e2b2dc C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[3600] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000754716b2 2 bytes JMP 74ea8e24 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[3600] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000754716bd 2 bytes JMP 74ea85f1 C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\RunDll32.exe[4828] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007722fc50 5 bytes JMP 000000016ee21460 .text C:\windows\SysWOW64\RunDll32.exe[4828] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007722fe14 5 bytes JMP 000000016ee21120 .text C:\windows\SysWOW64\RunDll32.exe[4828] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000074e13bbb 3 bytes JMP 000000016ee21260 .text C:\windows\SysWOW64\RunDll32.exe[4828] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000074e13bbf 1 byte [FA] .text C:\Program Files (x86)\AVG Nation toolbar\vprot.exe[4912] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007722fc50 5 bytes JMP 000000016ee21460 .text C:\Program Files (x86)\AVG Nation toolbar\vprot.exe[4912] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007722fe14 5 bytes JMP 000000016ee21120 .text C:\Program Files (x86)\AVG Nation toolbar\vprot.exe[4912] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000074e13bbb 3 bytes JMP 000000016ee21260 .text C:\Program Files (x86)\AVG Nation toolbar\vprot.exe[4912] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000074e13bbf 1 byte [FA] .text C:\Program Files (x86)\AVG Nation toolbar\vprot.exe[4912] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075471401 2 bytes JMP 74e2b21b C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Nation toolbar\vprot.exe[4912] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075471419 2 bytes JMP 74e2b346 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Nation toolbar\vprot.exe[4912] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075471431 2 bytes JMP 74ea8ea9 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Nation toolbar\vprot.exe[4912] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007547144a 2 bytes CALL 74e048ad C:\windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\AVG Nation toolbar\vprot.exe[4912] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000754714dd 2 bytes JMP 74ea87a2 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Nation toolbar\vprot.exe[4912] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000754714f5 2 bytes JMP 74ea8978 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Nation toolbar\vprot.exe[4912] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007547150d 2 bytes JMP 74ea8698 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Nation toolbar\vprot.exe[4912] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075471525 2 bytes JMP 74ea8a62 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Nation toolbar\vprot.exe[4912] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007547153d 2 bytes JMP 74e1fca8 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Nation toolbar\vprot.exe[4912] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075471555 2 bytes JMP 74e268ef C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Nation toolbar\vprot.exe[4912] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007547156d 2 bytes JMP 74ea8f61 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Nation toolbar\vprot.exe[4912] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075471585 2 bytes JMP 74ea8ac2 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Nation toolbar\vprot.exe[4912] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007547159d 2 bytes JMP 74ea865c C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Nation toolbar\vprot.exe[4912] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000754715b5 2 bytes JMP 74e1fd41 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Nation toolbar\vprot.exe[4912] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000754715cd 2 bytes JMP 74e2b2dc C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Nation toolbar\vprot.exe[4912] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000754716b2 2 bytes JMP 74ea8e24 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Nation toolbar\vprot.exe[4912] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000754716bd 2 bytes JMP 74ea85f1 C:\windows\syswow64\kernel32.dll .text C:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe[5136] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077081530 5 bytes JMP 00000000771e0128 .text C:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe[5136] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077081650 5 bytes JMP 00000000771e0018 .text C:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe[5136] C:\windows\system32\kernel32.dll!CreateProcessInternalW 0000000076e2db80 5 bytes JMP 00000000771e00a0 .text C:\Program Files\Logitech\SetPoint\x86\SetPoint32.exe[5324] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007722fc50 5 bytes JMP 000000016ee21460 .text C:\Program Files\Logitech\SetPoint\x86\SetPoint32.exe[5324] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007722fe14 5 bytes JMP 000000016ee21120 .text C:\Program Files\Logitech\SetPoint\x86\SetPoint32.exe[5324] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000074e13bbb 3 bytes JMP 000000016ee21260 .text C:\Program Files\Logitech\SetPoint\x86\SetPoint32.exe[5324] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000074e13bbf 1 byte [FA] .text C:\Windows\SysWOW64\UMonit.exe[5340] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007722fc50 5 bytes JMP 000000016ee21460 .text C:\Windows\SysWOW64\UMonit.exe[5340] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007722fe14 5 bytes JMP 000000016ee21120 .text C:\Windows\SysWOW64\UMonit.exe[5340] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000074e13bbb 3 bytes JMP 000000016ee21260 .text C:\Windows\SysWOW64\UMonit.exe[5340] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000074e13bbf 1 byte [FA] .text C:\windows\System32\svchost.exe[5412] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077081530 5 bytes JMP 0000000177020128 .text C:\windows\System32\svchost.exe[5412] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077081650 5 bytes JMP 0000000177020018 .text C:\windows\System32\svchost.exe[5412] C:\windows\system32\kernel32.dll!CreateProcessInternalW 0000000076e2db80 5 bytes JMP 00000000770200a0 .text C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE[5752] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077081530 5 bytes JMP 00000000771e0128 .text C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE[5752] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077081650 5 bytes JMP 00000000771e0018 .text C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE[5752] C:\windows\system32\kernel32.dll!CreateProcessInternalW 0000000076e2db80 5 bytes JMP 00000000771e00a0 .text C:\Program Files\iPod\bin\iPodService.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077081530 5 bytes JMP 00000000771e0128 .text C:\Program Files\iPod\bin\iPodService.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077081650 5 bytes JMP 00000000771e0018 .text C:\Program Files\iPod\bin\iPodService.exe[6056] C:\windows\system32\kernel32.dll!CreateProcessInternalW 0000000076e2db80 5 bytes JMP 00000000771e00a0 .text C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[1332] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007722fc50 5 bytes JMP 000000016ee21460 .text C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[1332] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007722fe14 5 bytes JMP 000000016ee21120 .text C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[1332] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000074e13bbb 3 bytes JMP 000000016ee21260 .text C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[1332] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000074e13bbf 1 byte [FA] .text C:\windows\SysWOW64\ctfmon.exe[4332] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007722fc50 5 bytes JMP 000000016ee21460 .text C:\windows\SysWOW64\ctfmon.exe[4332] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007722fe14 5 bytes JMP 000000016ee21120 .text C:\windows\SysWOW64\ctfmon.exe[4332] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000074e13bbb 3 bytes JMP 000000016ee21260 .text C:\windows\SysWOW64\ctfmon.exe[4332] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000074e13bbf 1 byte [FA] .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[6128] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007722fc50 5 bytes JMP 000000016ee21460 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[6128] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007722fe14 5 bytes JMP 000000016ee21120 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[6128] C:\windows\syswow64\KERNEL32.dll!CreateProcessInternalW 0000000074e13bbb 3 bytes JMP 000000016ee21260 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[6128] C:\windows\syswow64\KERNEL32.dll!CreateProcessInternalW + 4 0000000074e13bbf 1 byte [FA] .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[6428] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007722fc50 5 bytes JMP 000000016ee21460 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[6428] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007722fe14 5 bytes JMP 000000016ee21120 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[6428] C:\windows\syswow64\KERNEL32.dll!CreateProcessInternalW 0000000074e13bbb 3 bytes JMP 000000016ee21260 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[6428] C:\windows\syswow64\KERNEL32.dll!CreateProcessInternalW + 4 0000000074e13bbf 1 byte [FA] .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[6428] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075471401 2 bytes JMP 74e2b21b C:\windows\syswow64\KERNEL32.dll .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[6428] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075471419 2 bytes JMP 74e2b346 C:\windows\syswow64\KERNEL32.dll .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[6428] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075471431 2 bytes JMP 74ea8ea9 C:\windows\syswow64\KERNEL32.dll .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[6428] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007547144a 2 bytes CALL 74e048ad C:\windows\syswow64\KERNEL32.dll .text ... * 9 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[6428] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000754714dd 2 bytes JMP 74ea87a2 C:\windows\syswow64\KERNEL32.dll .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[6428] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000754714f5 2 bytes JMP 74ea8978 C:\windows\syswow64\KERNEL32.dll .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[6428] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007547150d 2 bytes JMP 74ea8698 C:\windows\syswow64\KERNEL32.dll .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[6428] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075471525 2 bytes JMP 74ea8a62 C:\windows\syswow64\KERNEL32.dll .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[6428] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007547153d 2 bytes JMP 74e1fca8 C:\windows\syswow64\KERNEL32.dll .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[6428] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075471555 2 bytes JMP 74e268ef C:\windows\syswow64\KERNEL32.dll .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[6428] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007547156d 2 bytes JMP 74ea8f61 C:\windows\syswow64\KERNEL32.dll .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[6428] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075471585 2 bytes JMP 74ea8ac2 C:\windows\syswow64\KERNEL32.dll .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[6428] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007547159d 2 bytes JMP 74ea865c C:\windows\syswow64\KERNEL32.dll .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[6428] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000754715b5 2 bytes JMP 74e1fd41 C:\windows\syswow64\KERNEL32.dll .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[6428] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000754715cd 2 bytes JMP 74e2b2dc C:\windows\syswow64\KERNEL32.dll .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[6428] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000754716b2 2 bytes JMP 74ea8e24 C:\windows\syswow64\KERNEL32.dll .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[6428] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000754716bd 2 bytes JMP 74ea85f1 C:\windows\syswow64\KERNEL32.dll .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\SysWOW64\ntdll.dll!NtClose 000000007722f9e0 5 bytes JMP 0000000159a4ea93 .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\SysWOW64\ntdll.dll!NtOpenKey 000000007722fa28 5 bytes JMP 0000000159a4f0f8 .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\SysWOW64\ntdll.dll!NtEnumerateValueKey 000000007722fa40 5 bytes JMP 0000000159a4d830 .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\SysWOW64\ntdll.dll!NtQueryKey 000000007722fa90 5 bytes JMP 0000000159a4d38c .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\SysWOW64\ntdll.dll!NtQueryValueKey 000000007722faa8 5 bytes JMP 0000000159a4d67d .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\SysWOW64\ntdll.dll!NtCreateKey 000000007722fb40 5 bytes JMP 0000000159a4f338 .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\SysWOW64\ntdll.dll!NtSetInformationFile 000000007722fc38 5 bytes JMP 0000000159a5a713 .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007722fc50 5 bytes JMP 000000016ee21460 .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\SysWOW64\ntdll.dll!NtEnumerateKey 000000007722fd4c 5 bytes JMP 0000000159a4d1d4 .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 000000007722fd64 5 bytes JMP 0000000159a59d35 .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\SysWOW64\ntdll.dll!NtQueryDirectoryFile 000000007722fd98 5 bytes JMP 0000000159a5a030 .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007722fe14 5 bytes JMP 000000016ee21120 .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007722fe44 5 bytes JMP 0000000159a4e668 .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\SysWOW64\ntdll.dll!NtQueryAttributesFile 000000007722fe5c 5 bytes JMP 0000000159a59e5e .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772300b4 5 bytes JMP 0000000159a59b7a .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000772301c4 5 bytes JMP 0000000159a4d9d8 .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\SysWOW64\ntdll.dll!NtCreateKeyTransacted 0000000077230754 5 bytes JMP 0000000159a4f3da .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\SysWOW64\ntdll.dll!NtDeleteFile 00000000772309e4 5 bytes JMP 0000000159a59d72 .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\SysWOW64\ntdll.dll!NtDeleteKey 00000000772309fc 5 bytes JMP 0000000159a4cfa8 .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077230a44 5 bytes JMP 0000000159a4db8e .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\SysWOW64\ntdll.dll!NtFlushKey 0000000077230b80 5 bytes JMP 0000000159a4d0be .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\SysWOW64\ntdll.dll!NtNotifyChangeKey 0000000077230f70 5 bytes JMP 0000000159a4e01b .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\SysWOW64\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077230f88 5 bytes JMP 0000000159a4e1b7 .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\SysWOW64\ntdll.dll!NtOpenKeyEx 0000000077231018 5 bytes JMP 0000000159a4f185 .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\SysWOW64\ntdll.dll!NtOpenKeyTransacted 0000000077231030 5 bytes JMP 0000000159a4f2a8 .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\SysWOW64\ntdll.dll!NtOpenKeyTransactedEx 0000000077231048 5 bytes JMP 0000000159a4f215 .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile 000000007723133c 5 bytes JMP 0000000159a59f47 .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\SysWOW64\ntdll.dll!NtQueryMultipleValueKey 000000007723147c 5 bytes JMP 0000000159a4de8e .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\SysWOW64\ntdll.dll!NtQuerySecurityObject 0000000077231528 5 bytes JMP 0000000159a4e37b .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\SysWOW64\ntdll.dll!NtRenameKey 0000000077231718 5 bytes JMP 0000000159a4dd06 .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\SysWOW64\ntdll.dll!NtSetInformationKey 0000000077231a58 5 bytes JMP 0000000159a4d535 .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\SysWOW64\ntdll.dll!NtSetSecurityObject 0000000077231b9c 5 bytes JMP 0000000159a4e4fd .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\syswow64\kernel32.dll!CreateProcessW 0000000074e0103d 5 bytes JMP 0000000159a33904 .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\syswow64\kernel32.dll!CreateProcessA 0000000074e01072 5 bytes JMP 0000000159a33d68 .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000074e13bbb 3 bytes JMP 000000016ee21260 .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000074e13bbf 1 byte [FA] .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000074e2c9b5 5 bytes JMP 0000000159a33a1e .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\syswow64\kernel32.dll!WinExec 0000000074e82ff1 5 bytes JMP 0000000159a33c62 .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076a62642 5 bytes JMP 0000000159a33f75 .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\syswow64\USER32.dll!RegisterClipboardFormatW 0000000074c19ebd 5 bytes JMP 0000000159f481ef .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\syswow64\USER32.dll!RegisterClipboardFormatA 0000000074c20afa 5 bytes JMP 0000000159f4cb44 .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\syswow64\USER32.dll!BeginPaint 0000000074c21361 5 bytes JMP 0000000159f5b25a .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\syswow64\USER32.dll!ValidateRect 0000000074c27849 5 bytes JMP 000000015a1479f4 .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\syswow64\SHELL32.dll!SHParseDisplayName 00000000755b7edb 5 bytes JMP 000000015a02a8c0 .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\syswow64\ole32.dll!OleLoadFromStream 00000000763d6143 5 bytes JMP 000000015a6da77a .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\syswow64\ole32.dll!CoResumeClassObjects + 7 00000000763dea09 7 bytes JMP 0000000159a6e370 .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\syswow64\ole32.dll!OleRun 00000000763e07de 5 bytes JMP 0000000159a6de9e .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\syswow64\ole32.dll!CoRegisterClassObject 00000000763e21e1 5 bytes JMP 0000000159a71745 .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\syswow64\ole32.dll!OleUninitialize 00000000763eeba1 6 bytes JMP 0000000159a6de15 .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\syswow64\ole32.dll!OleInitialize 00000000763eefd7 5 bytes JMP 0000000159a6ddcd .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\syswow64\ole32.dll!CoGetClassObject 00000000764054ad 5 bytes JMP 0000000159a6fdbb .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\syswow64\ole32.dll!CoInitializeEx 00000000764109ad 5 bytes JMP 0000000159a6dd6d .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\syswow64\ole32.dll!CoUninitialize 00000000764186d3 5 bytes JMP 0000000159a707cf .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000076419d0b 5 bytes JMP 0000000159a714ec .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\syswow64\ole32.dll!CoCreateInstanceEx 0000000076419d4e 5 bytes JMP 0000000159a6f3c7 .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\syswow64\ole32.dll!CoSuspendClassObjects + 7 000000007643bb09 3 bytes JMP 0000000159a6dee6 .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\syswow64\ole32.dll!CoSuspendClassObjects + 11 000000007643bb0d 3 bytes [E3, CC, CC] .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\syswow64\ole32.dll!CoRevokeClassObject 000000007645eacf 5 bytes JMP 0000000159a6fa7c .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\syswow64\ole32.dll!CoGetInstanceFromFile 000000007649340b 5 bytes JMP 0000000159a708cf .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\syswow64\ole32.dll!OleRegEnumFormatEtc 00000000764dcfd9 5 bytes JMP 0000000159a6de56 .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\syswow64\OLEAUT32.dll!SysFreeString 0000000074d03e59 5 bytes JMP 0000000159f80466 .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\syswow64\OLEAUT32.dll!VariantClear 0000000074d03eae 5 bytes JMP 0000000159f9e18c .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\syswow64\OLEAUT32.dll!SysAllocStringByteLen 0000000074d04731 5 bytes JMP 000000015a010b5f .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\syswow64\OLEAUT32.dll!VariantChangeType 0000000074d05dee 5 bytes JMP 000000015a01a5f5 .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\syswow64\OLEAUT32.dll!RegisterActiveObject 0000000074d327a6 5 bytes JMP 0000000159a703db .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\syswow64\OLEAUT32.dll!RevokeActiveObject 0000000074d3329c 5 bytes JMP 0000000159a6dd25 .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\syswow64\OLEAUT32.dll!GetActiveObject 0000000074d48f68 5 bytes JMP 0000000159a7056f .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075471401 2 bytes JMP 74e2b21b C:\windows\syswow64\kernel32.dll .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075471419 2 bytes JMP 74e2b346 C:\windows\syswow64\kernel32.dll .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075471431 2 bytes JMP 74ea8ea9 C:\windows\syswow64\kernel32.dll .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007547144a 2 bytes CALL 74e048ad C:\windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000754714dd 2 bytes JMP 74ea87a2 C:\windows\syswow64\kernel32.dll .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000754714f5 2 bytes JMP 74ea8978 C:\windows\syswow64\kernel32.dll .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007547150d 2 bytes JMP 74ea8698 C:\windows\syswow64\kernel32.dll .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075471525 2 bytes JMP 74ea8a62 C:\windows\syswow64\kernel32.dll .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007547153d 2 bytes JMP 74e1fca8 C:\windows\syswow64\kernel32.dll .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075471555 2 bytes JMP 74e268ef C:\windows\syswow64\kernel32.dll .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007547156d 2 bytes JMP 74ea8f61 C:\windows\syswow64\kernel32.dll .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075471585 2 bytes JMP 74ea8ac2 C:\windows\syswow64\kernel32.dll .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007547159d 2 bytes JMP 74ea865c C:\windows\syswow64\kernel32.dll .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000754715b5 2 bytes JMP 74e1fd41 C:\windows\syswow64\kernel32.dll .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000754715cd 2 bytes JMP 74e2b2dc C:\windows\syswow64\kernel32.dll .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000754716b2 2 bytes JMP 74ea8e24 C:\windows\syswow64\kernel32.dll .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[2072] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000754716bd 2 bytes JMP 74ea85f1 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6612] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007722fc50 5 bytes JMP 000000016ee21460 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6612] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007722fe14 5 bytes JMP 000000016ee21120 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6612] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000074e13bbb 3 bytes JMP 000000016ee21260 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6612] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000074e13bbf 1 byte [FA] .text C:\PROGRA~2\Raptr\raptr.exe[3404] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007722fc50 5 bytes JMP 000000016ee21460 .text C:\PROGRA~2\Raptr\raptr.exe[3404] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007722fe14 5 bytes JMP 000000016ee21120 .text C:\PROGRA~2\Raptr\raptr.exe[3404] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000074e13bbb 3 bytes JMP 000000016ee21260 .text C:\PROGRA~2\Raptr\raptr.exe[3404] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000074e13bbf 1 byte [FA] .text C:\windows\SysWOW64\cmd.exe[2280] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007722fc50 5 bytes JMP 000000016ee21460 .text C:\windows\SysWOW64\cmd.exe[2280] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007722fe14 5 bytes JMP 000000016ee21120 .text C:\windows\system32\conhost.exe[3780] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077081530 5 bytes JMP 00000000771e0128 .text C:\windows\system32\conhost.exe[3780] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077081650 5 bytes JMP 00000000771e0018 .text C:\windows\system32\conhost.exe[3780] C:\windows\system32\kernel32.dll!CreateProcessInternalW 0000000076e2db80 5 bytes JMP 00000000771e00a0 .text C:\Program Files (x86)\Common Files\Apple\Internet Services\AppleChromeDAV.exe[6896] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007722fc50 5 bytes JMP 000000016ee21460 .text C:\Program Files (x86)\Common Files\Apple\Internet Services\AppleChromeDAV.exe[6896] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007722fe14 5 bytes JMP 000000016ee21120 .text C:\Program Files (x86)\Common Files\Apple\Internet Services\AppleChromeDAV.exe[6896] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000074e13bbb 3 bytes JMP 000000016ee21260 .text C:\Program Files (x86)\Common Files\Apple\Internet Services\AppleChromeDAV.exe[6896] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000074e13bbf 1 byte [FA] .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[5244] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007722fc50 5 bytes JMP 000000016ee21460 .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[5244] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007722fe14 5 bytes JMP 000000016ee21120 .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[5244] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000074e13bbb 3 bytes JMP 000000016ee21260 .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[5244] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000074e13bbf 1 byte [FA] .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[5244] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075471401 2 bytes JMP 74e2b21b C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[5244] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075471419 2 bytes JMP 74e2b346 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[5244] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075471431 2 bytes JMP 74ea8ea9 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[5244] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007547144a 2 bytes CALL 74e048ad C:\windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[5244] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000754714dd 2 bytes JMP 74ea87a2 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[5244] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000754714f5 2 bytes JMP 74ea8978 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[5244] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007547150d 2 bytes JMP 74ea8698 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[5244] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075471525 2 bytes JMP 74ea8a62 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[5244] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007547153d 2 bytes JMP 74e1fca8 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[5244] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075471555 2 bytes JMP 74e268ef C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[5244] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007547156d 2 bytes JMP 74ea8f61 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[5244] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075471585 2 bytes JMP 74ea8ac2 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[5244] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007547159d 2 bytes JMP 74ea865c C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[5244] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000754715b5 2 bytes JMP 74e1fd41 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[5244] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000754715cd 2 bytes JMP 74e2b2dc C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[5244] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000754716b2 2 bytes JMP 74ea8e24 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[5244] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000754716bd 2 bytes JMP 74ea85f1 C:\windows\syswow64\kernel32.dll .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1292] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077081530 5 bytes JMP 00000000771e0128 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1292] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077081650 5 bytes JMP 00000000771e0018 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1292] C:\windows\system32\kernel32.dll!CreateProcessInternalW 0000000076e2db80 5 bytes JMP 00000000771e00a0 .text C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe[2460] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007722fc50 5 bytes JMP 000000016ee21460 .text C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe[2460] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007722fe14 5 bytes JMP 000000016ee21120 .text C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe[2460] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000074e13bbb 3 bytes JMP 000000016ee21260 .text C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe[2460] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000074e13bbf 1 byte [FA] .text C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe[2460] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075471401 2 bytes JMP 74e2b21b C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe[2460] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075471419 2 bytes JMP 74e2b346 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe[2460] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075471431 2 bytes JMP 74ea8ea9 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe[2460] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007547144a 2 bytes CALL 74e048ad C:\windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe[2460] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000754714dd 2 bytes JMP 74ea87a2 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe[2460] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000754714f5 2 bytes JMP 74ea8978 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe[2460] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007547150d 2 bytes JMP 74ea8698 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe[2460] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075471525 2 bytes JMP 74ea8a62 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe[2460] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007547153d 2 bytes JMP 74e1fca8 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe[2460] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075471555 2 bytes JMP 74e268ef C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe[2460] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007547156d 2 bytes JMP 74ea8f61 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe[2460] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075471585 2 bytes JMP 74ea8ac2 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe[2460] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007547159d 2 bytes JMP 74ea865c C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe[2460] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000754715b5 2 bytes JMP 74e1fd41 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe[2460] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000754715cd 2 bytes JMP 74e2b2dc C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe[2460] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000754716b2 2 bytes JMP 74ea8e24 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe[2460] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000754716bd 2 bytes JMP 74ea85f1 C:\windows\syswow64\kernel32.dll .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5548] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077081530 5 bytes JMP 00000000771e0128 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5548] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077081650 5 bytes JMP 00000000771e0018 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5548] C:\windows\system32\kernel32.dll!CreateProcessInternalW 0000000076e2db80 5 bytes JMP 00000000771e00a0 .text C:\Users\Marcin\AppData\Roaming\ACEStream\updater\ace_update.exe[7244] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007722fc50 5 bytes JMP 000000016ee21460 .text C:\Users\Marcin\AppData\Roaming\ACEStream\updater\ace_update.exe[7244] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007722fe14 5 bytes JMP 000000016ee21120 .text C:\Users\Marcin\AppData\Roaming\ACEStream\updater\ace_update.exe[7244] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000074e13bbb 3 bytes JMP 000000016ee21260 .text C:\Users\Marcin\AppData\Roaming\ACEStream\updater\ace_update.exe[7244] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000074e13bbf 1 byte [FA] .text C:\PROGRA~2\Raptr\raptr_im.exe[6664] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007722fc50 5 bytes JMP 000000016ee21460 .text C:\PROGRA~2\Raptr\raptr_im.exe[6664] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007722fe14 5 bytes JMP 000000016ee21120 .text C:\PROGRA~2\Raptr\raptr_im.exe[6664] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000074e13bbb 3 bytes JMP 000000016ee21260 .text C:\PROGRA~2\Raptr\raptr_im.exe[6664] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000074e13bbf 1 byte [FA] .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[3728] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077081530 5 bytes JMP 00000000771e0128 .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[3728] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077081650 5 bytes JMP 00000000771e0018 .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[3728] C:\windows\system32\kernel32.dll!CreateProcessInternalW 0000000076e2db80 5 bytes JMP 00000000771e00a0 .text C:\windows\system32\svchost.exe[7916] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077081530 5 bytes JMP 0000000177020128 .text C:\windows\system32\svchost.exe[7916] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077081650 5 bytes JMP 0000000177020018 .text C:\windows\system32\svchost.exe[7916] C:\windows\system32\kernel32.dll!CreateProcessInternalW 0000000076e2db80 5 bytes JMP 00000000770200a0 .text C:\windows\system32\SearchProtocolHost.exe[5960] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077081530 5 bytes JMP 00000000771e0128 .text C:\windows\system32\SearchProtocolHost.exe[5960] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077081650 5 bytes JMP 00000000771e0018 .text C:\windows\system32\SearchProtocolHost.exe[5960] C:\windows\system32\kernel32.dll!CreateProcessInternalW 0000000076e2db80 5 bytes JMP 00000000771e00a0 .text C:\windows\system32\taskeng.exe[2268] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077081530 5 bytes JMP 00000000771e0128 .text C:\windows\system32\taskeng.exe[2268] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077081650 5 bytes JMP 00000000771e0018 .text C:\windows\system32\taskeng.exe[2268] C:\windows\system32\kernel32.dll!CreateProcessInternalW 0000000076e2db80 5 bytes JMP 00000000771e00a0 .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[5828] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007722fc50 5 bytes JMP 000000016ee21460 .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[5828] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007722fe14 5 bytes JMP 000000016ee21120 .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[5828] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000074e13bbb 3 bytes JMP 000000016ee21260 .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[5828] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000074e13bbf 1 byte [FA] .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[5828] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075471401 2 bytes JMP 74e2b21b C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[5828] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075471419 2 bytes JMP 74e2b346 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[5828] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075471431 2 bytes JMP 74ea8ea9 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[5828] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007547144a 2 bytes CALL 74e048ad C:\windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[5828] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000754714dd 2 bytes JMP 74ea87a2 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[5828] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000754714f5 2 bytes JMP 74ea8978 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[5828] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007547150d 2 bytes JMP 74ea8698 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[5828] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075471525 2 bytes JMP 74ea8a62 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[5828] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007547153d 2 bytes JMP 74e1fca8 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[5828] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075471555 2 bytes JMP 74e268ef C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[5828] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007547156d 2 bytes JMP 74ea8f61 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[5828] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075471585 2 bytes JMP 74ea8ac2 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[5828] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007547159d 2 bytes JMP 74ea865c C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[5828] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000754715b5 2 bytes JMP 74e1fd41 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[5828] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000754715cd 2 bytes JMP 74e2b2dc C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[5828] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000754716b2 2 bytes JMP 74ea8e24 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[5828] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000754716bd 2 bytes JMP 74ea85f1 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Update\Install\{570CFC9B-D151-43FA-A68D-9946A8A3627A}\41.0.2272.89_40.0.2214.115_chrome_updater.exe[7128] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007722fc50 5 bytes JMP 000000016ee21460 .text C:\Program Files (x86)\Google\Update\Install\{570CFC9B-D151-43FA-A68D-9946A8A3627A}\41.0.2272.89_40.0.2214.115_chrome_updater.exe[7128] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007722fe14 5 bytes JMP 000000016ee21120 .text C:\windows\system32\DllHost.exe[5472] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077081530 5 bytes JMP 0000000177020128 .text C:\windows\system32\DllHost.exe[5472] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077081650 5 bytes JMP 0000000177020018 .text C:\windows\system32\DllHost.exe[5472] C:\windows\system32\kernel32.dll!CreateProcessInternalW 0000000076e2db80 5 bytes JMP 00000000770200a0 .text C:\Users\Marcin\Documents\xpl67k1g.exe[7368] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007722fc50 5 bytes JMP 000000016ee21460 .text C:\Users\Marcin\Documents\xpl67k1g.exe[7368] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007722fe14 5 bytes JMP 000000016ee21120 .text C:\Users\Marcin\Documents\xpl67k1g.exe[7368] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000074e13bbb 3 bytes JMP 000000016ee21260 .text C:\Users\Marcin\Documents\xpl67k1g.exe[7368] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000074e13bbf 1 byte [FA] ---- Processes - GMER 2.1 ---- Library C:\ProgramData\GG\ggdrive\ggdrive-overlay.dll (*** suspicious ***) @ C:\windows\Explorer.EXE [3480] (GG drive overlay/GG Network S.A.)(2012-04-03 11:06:55) 000000005c080000 Library C:\ProgramData\GG\ggdrive\ggdrive-proxy.dll (*** suspicious ***) @ C:\windows\Explorer.EXE [3480] (GG drive proxy/GG Network S.A.)(2012-04-03 11:06:55) 00000000590b0000 Library C:\Users\Marcin\AppData\Roaming\ACEStream\engine\PYTHON27.DLL (*** suspicious ***) @ C:\Users\Marcin\AppData\Roaming\ACEStream\engine\ace_engine.exe [4044] (Python Core/Python Software Foundation)(2011-06-12 13:09:18) 000000001e000000 Library C:\Users\Marcin\AppData\Roaming\ACEStream\engine\lib\acestreamengine.Core.pyd (*** suspicious ***) @ C:\Users\Marcin\AppData\Roaming\ACEStream\engine\ace_engine.exe [4044](2013-11-07 12:27:18) 0000000010000000 Library C:\Users\Marcin\AppData\Roaming\ACEStream\engine\lib\_socket.pyd (*** suspicious ***) @ C:\Users\Marcin\AppData\Roaming\ACEStream\engine\ace_engine.exe [4044](2011-06-12 13:09:18) 00000000002f0000 Library C:\Users\Marcin\AppData\Roaming\ACEStream\engine\lib\_ssl.pyd (*** suspicious ***) @ C:\Users\Marcin\AppData\Roaming\ACEStream\engine\ace_engine.exe [4044](2011-06-12 13:09:18) 00000000022d0000 Library C:\Users\Marcin\AppData\Roaming\ACEStream\engine\lib\acestreamengine.pycompat.pyd (*** suspicious ***) @ C:\Users\Marcin\AppData\Roaming\ACEStream\engine\ace_engine.exe [4044](2013-03-29 09:57:10) 0000000000300000 Library C:\Users\Marcin\AppData\Roaming\ACEStream\engine\lib\LIBEAY32.dll (*** suspicious ***) @ C:\Users\Marcin\AppData\Roaming\ACEStream\engine\ace_engine.exe [4044] (OpenSSL Shared Library/The OpenSSL Project, http://www.openssl.org/)(2012-01-19 17:19:58) 0000000002390000 Library C:\Users\Marcin\AppData\Roaming\ACEStream\engine\lib\_hashlib.pyd (*** suspicious ***) @ C:\Users\Marcin\AppData\Roaming\ACEStream\engine\ace_engine.exe [4044](2011-06-12 13:06:22) 0000000000350000 Library C:\Users\Marcin\AppData\Roaming\ACEStream\engine\lib\acestreamengine.live.pyd (*** suspicious ***) @ C:\Users\Marcin\AppData\Roaming\ACEStream\engine\ace_engine.exe [4044](2014-05-08 20:13:40) 00000000029a0000 Library C:\Users\Marcin\AppData\Roaming\ACEStream\engine\lib\_psutil_mswindows.pyd (*** suspicious ***) @ C:\Users\Marcin\AppData\Roaming\ACEStream\engine\ace_engine.exe [4044](2014-05-08 20:13:40) 0000000000410000 Library C:\Users\Marcin\AppData\Roaming\ACEStream\engine\lib\_blist.pyd (*** suspicious ***) @ C:\Users\Marcin\AppData\Roaming\ACEStream\engine\ace_engine.exe [4044](2014-05-08 20:13:40) 0000000000460000 Library C:\Users\Marcin\AppData\Roaming\ACEStream\engine\lib\_ctypes.pyd (*** suspicious ***) @ C:\Users\Marcin\AppData\Roaming\ACEStream\engine\ace_engine.exe [4044](2011-06-12 13:06:22) 000000001d1a0000 Library C:\Users\Marcin\AppData\Roaming\ACEStream\engine\lib\bitarray._bitarray.pyd (*** suspicious ***) @ C:\Users\Marcin\AppData\Roaming\ACEStream\engine\ace_engine.exe [4044](2014-05-08 20:13:40) 0000000001dc0000 Library C:\Users\Marcin\AppData\Roaming\ACEStream\engine\lib\select.pyd (*** suspicious ***) @ C:\Users\Marcin\AppData\Roaming\ACEStream\engine\ace_engine.exe [4044](2011-06-12 13:06:22) 000000001d110000 Library C:\Users\Marcin\AppData\Roaming\ACEStream\engine\lib\M2Crypto.__m2crypto.pyd (*** suspicious ***) @ C:\Users\Marcin\AppData\Roaming\ACEStream\engine\ace_engine.exe [4044](2011-01-18 21:56:22) 0000000002db0000 Library C:\Users\Marcin\AppData\Roaming\ACEStream\engine\lib\SSLEAY32.dll (*** suspicious ***) @ C:\Users\Marcin\AppData\Roaming\ACEStream\engine\ace_engine.exe [4044] (OpenSSL Shared Library/The OpenSSL Project, http://www.openssl.org/)(2012-01-19 17:20:12) 0000000002e10000 Library C:\Users\Marcin\AppData\Roaming\ACEStream\engine\lib\pyexpat.pyd (*** suspicious ***) @ C:\Users\Marcin\AppData\Roaming\ACEStream\engine\ace_engine.exe [4044](2011-06-12 13:06:24) 0000000002e60000 Library C:\Users\Marcin\AppData\Roaming\ACEStream\engine\lib\Crypto.Cipher.AES.pyd (*** suspicious ***) @ C:\Users\Marcin\AppData\Roaming\ACEStream\engine\ace_engine.exe [4044](2011-02-13 15:02:12) 0000000002fd0000 Library C:\Users\Marcin\AppData\Roaming\ACEStream\engine\lib\acestreamengine.CoreApp.pyd (*** suspicious ***) @ C:\Users\Marcin\AppData\Roaming\ACEStream\engine\ace_engine.exe [4044](2013-11-07 12:34:08) 0000000002ff0000 Library C:\Users\Marcin\AppData\Roaming\ACEStream\engine\lib\win32api.pyd (*** suspicious ***) @ C:\Users\Marcin\AppData\Roaming\ACEStream\engine\ace_engine.exe [4044](2012-02-07 16:37:24) 000000001e8c0000 Library C:\Users\Marcin\AppData\Roaming\ACEStream\engine\lib\pywintypes27.dll (*** suspicious ***) @ C:\Users\Marcin\AppData\Roaming\ACEStream\engine\ace_engine.exe [4044](2012-02-07 16:35:46) 000000001e7a0000 Library C:\Users\Marcin\AppData\Roaming\ACEStream\engine\lib\pythoncom27.dll (*** suspicious ***) @ C:\Users\Marcin\AppData\Roaming\ACEStream\engine\ace_engine.exe [4044](2012-02-07 16:38:58) 0000000003bd0000 Library C:\Users\Marcin\AppData\Roaming\ACEStream\engine\lib\win32file.pyd (*** suspicious ***) @ C:\Users\Marcin\AppData\Roaming\ACEStream\engine\ace_engine.exe [4044](2012-02-07 16:36:08) 000000001ea10000 Library C:\Users\Marcin\AppData\Roaming\ACEStream\engine\lib\win32pdh.pyd (*** suspicious ***) @ C:\Users\Marcin\AppData\Roaming\ACEStream\engine\ace_engine.exe [4044](2012-02-07 16:36:30) 000000001eb60000 Library C:\Users\Marcin\AppData\Roaming\ACEStream\engine\lib\apsw.pyd (*** suspicious ***) @ C:\Users\Marcin\AppData\Roaming\ACEStream\engine\ace_engine.exe [4044](2010-10-10 22:23:52) 0000000004070000 Library C:\Users\Marcin\AppData\Roaming\ACEStream\engine\lib\cpyamf.util.pyd (*** suspicious ***) @ C:\Users\Marcin\AppData\Roaming\ACEStream\engine\ace_engine.exe [4044](2013-01-29 16:20:40) 0000000004360000 Library C:\Users\Marcin\AppData\Roaming\ACEStream\engine\lib\wx._core_.pyd (*** suspicious ***) @ C:\Users\Marcin\AppData\Roaming\ACEStream\engine\ace_engine.exe [4044](2011-07-15 19:37:48) 0000000004850000 Library C:\Users\Marcin\AppData\Roaming\ACEStream\engine\lib\wxbase28uh_vc.dll (*** suspicious ***) @ C:\Users\Marcin\AppData\Roaming\ACEStream\engine\ace_engine.exe [4044](2011-07-15 19:33:38) 0000000004960000 Library C:\Users\Marcin\AppData\Roaming\ACEStream\engine\lib\wxbase28uh_net_vc.dll (*** suspicious ***) @ C:\Users\Marcin\AppData\Roaming\ACEStream\engine\ace_engine.exe [4044](2011-07-15 19:33:40) 0000000004ab0000 Library C:\Users\Marcin\AppData\Roaming\ACEStream\engine\lib\wxmsw28uh_core_vc.dll (*** suspicious ***) @ C:\Users\Marcin\AppData\Roaming\ACEStream\engine\ace_engine.exe [4044](2011-07-15 19:34:10) 0000000004ae0000 Library C:\Users\Marcin\AppData\Roaming\ACEStream\engine\lib\wxmsw28uh_adv_vc.dll (*** suspicious ***) @ C:\Users\Marcin\AppData\Roaming\ACEStream\engine\ace_engine.exe [4044](2011-07-15 19:34:16) 0000000004e10000 Library C:\Users\Marcin\AppData\Roaming\ACEStream\engine\lib\wx._gdi_.pyd (*** suspicious ***) @ C:\Users\Marcin\AppData\Roaming\ACEStream\engine\ace_engine.exe [4044](2011-07-15 19:38:00) 0000000004ef0000 Library C:\Users\Marcin\AppData\Roaming\ACEStream\engine\lib\wx._windows_.pyd (*** suspicious ***) @ C:\Users\Marcin\AppData\Roaming\ACEStream\engine\ace_engine.exe [4044](2011-07-15 19:38:06) 0000000004fc0000 Library C:\Users\Marcin\AppData\Roaming\ACEStream\engine\lib\wxmsw28uh_html_vc.dll (*** suspicious ***) @ C:\Users\Marcin\AppData\Roaming\ACEStream\engine\ace_engine.exe [4044](2011-07-15 19:34:26) 00000000050a0000 Library C:\Users\Marcin\AppData\Roaming\ACEStream\engine\lib\wx._controls_.pyd (*** suspicious ***) @ C:\Users\Marcin\AppData\Roaming\ACEStream\engine\ace_engine.exe [4044](2011-07-15 19:38:12) 00000000060f0000 Library C:\Users\Marcin\AppData\Roaming\ACEStream\engine\lib\wx._misc_.pyd (*** suspicious ***) @ C:\Users\Marcin\AppData\Roaming\ACEStream\engine\ace_engine.exe [4044](2011-07-15 19:38:22) 00000000061e0000 Library C:\Users\Marcin\AppData\Roaming\ACEStream\engine\lib\unicodedata.pyd (*** suspicious ***) @ C:\Users\Marcin\AppData\Roaming\ACEStream\engine\ace_engine.exe [4044](2011-06-12 13:06:20) 00000000062a0000 Library C:\Users\Marcin\AppData\Roaming\ACEStream\engine\lib\miniupnpc.pyd (*** suspicious ***) @ C:\Users\Marcin\AppData\Roaming\ACEStream\engine\ace_engine.exe [4044](2014-05-08 20:13:40) 0000000062b80000 Library C:\Users\Marcin\AppData\Roaming\ACEStream\engine\lib\cpyamf.amf0.pyd (*** suspicious ***) @ C:\Users\Marcin\AppData\Roaming\ACEStream\engine\ace_engine.exe [4044](2013-01-29 16:20:40) 00000000076e0000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\mso.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [4864] 0000000059f20000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\riched20.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [4864] 000000005d610000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\MSPTLS.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [4864] 000000005d060000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\csi.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [4864] 0000000055e30000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE15\ACEOLEDB.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [4864] 000000005d1d0000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\ACECORE.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [4864] 0000000052470000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\1045\ACEWSTR.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [4864] 00000000749e0000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\ACEES.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [4864] 0000000064530000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\VBAJET32.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [4864] 0000000064630000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\expsrv.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [4864] 00000000645d0000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\mso.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE [2072] 0000000059f20000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\csi.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE [2072] 0000000055e30000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE15\ACEOLEDB.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE [2072] 000000005d1d0000 Library C:\Users\Marcin\AppData\Roaming\ACEStream\updater\PYTHON27.DLL (*** suspicious ***) @ C:\Users\Marcin\AppData\Roaming\ACEStream\updater\ace_update.exe [7244] (Python Core/Python Software Foundation)(2011-06-12 13:09:18) 000000001e000000 Library C:\Users\Marcin\AppData\Roaming\ACEStream\updater\lib\_socket.pyd (*** suspicious ***) @ C:\Users\Marcin\AppData\Roaming\ACEStream\updater\ace_update.exe [7244](2011-06-12 13:09:18) 0000000000270000 Library C:\Users\Marcin\AppData\Roaming\ACEStream\updater\lib\_ssl.pyd (*** suspicious ***) @ C:\Users\Marcin\AppData\Roaming\ACEStream\updater\ace_update.exe [7244](2011-06-12 13:09:18) 0000000010000000 Library C:\Users\Marcin\AppData\Roaming\ACEStream\updater\lib\wx._core_.pyd (*** suspicious ***) @ C:\Users\Marcin\AppData\Roaming\ACEStream\updater\ace_update.exe [7244](2011-07-15 19:37:48) 0000000001fc0000 Library C:\Users\Marcin\AppData\Roaming\ACEStream\updater\lib\wxbase28uh_vc.dll (*** suspicious ***) @ C:\Users\Marcin\AppData\Roaming\ACEStream\updater\ace_update.exe [7244](2011-07-15 19:33:38) 0000000002800000 Library C:\Users\Marcin\AppData\Roaming\ACEStream\updater\lib\wxbase28uh_net_vc.dll (*** suspicious ***) @ C:\Users\Marcin\AppData\Roaming\ACEStream\updater\ace_update.exe [7244](2011-07-15 19:33:40) 00000000002c0000 Library C:\Users\Marcin\AppData\Roaming\ACEStream\updater\lib\wxmsw28uh_core_vc.dll (*** suspicious ***) @ C:\Users\Marcin\AppData\Roaming\ACEStream\updater\ace_update.exe [7244](2011-07-15 19:34:10) 0000000002950000 Library C:\Users\Marcin\AppData\Roaming\ACEStream\updater\lib\wxmsw28uh_adv_vc.dll (*** suspicious ***) @ C:\Users\Marcin\AppData\Roaming\ACEStream\updater\ace_update.exe [7244](2011-07-15 19:34:16) 0000000002c80000 Library C:\Users\Marcin\AppData\Roaming\ACEStream\updater\lib\wx._gdi_.pyd (*** suspicious ***) @ C:\Users\Marcin\AppData\Roaming\ACEStream\updater\ace_update.exe [7244](2011-07-15 19:38:00) 0000000002d40000 Library C:\Users\Marcin\AppData\Roaming\ACEStream\updater\lib\wx._windows_.pyd (*** suspicious ***) @ C:\Users\Marcin\AppData\Roaming\ACEStream\updater\ace_update.exe [7244](2011-07-15 19:38:06) 0000000002f00000 Library C:\Users\Marcin\AppData\Roaming\ACEStream\updater\lib\wxmsw28uh_html_vc.dll (*** suspicious ***) @ C:\Users\Marcin\AppData\Roaming\ACEStream\updater\ace_update.exe [7244](2011-07-15 19:34:26) 0000000001d30000 Library C:\Users\Marcin\AppData\Roaming\ACEStream\updater\lib\wx._controls_.pyd (*** suspicious ***) @ C:\Users\Marcin\AppData\Roaming\ACEStream\updater\ace_update.exe [7244](2011-07-15 19:38:12) 0000000002fb0000 Library C:\Users\Marcin\AppData\Roaming\ACEStream\updater\lib\wx._misc_.pyd (*** suspicious ***) @ C:\Users\Marcin\AppData\Roaming\ACEStream\updater\ace_update.exe [7244](2011-07-15 19:38:22) 00000000030a0000 Library C:\Users\Marcin\AppData\Roaming\ACEStream\updater\lib\_hashlib.pyd (*** suspicious ***) @ C:\Users\Marcin\AppData\Roaming\ACEStream\updater\ace_update.exe [7244](2011-06-12 13:06:22) 0000000003950000 Library C:\Users\Marcin\AppData\Roaming\ACEStream\updater\lib\M2Crypto.__m2crypto.pyd (*** suspicious ***) @ C:\Users\Marcin\AppData\Roaming\ACEStream\updater\ace_update.exe [7244](2011-01-18 21:56:22) 00000000039a0000 Library C:\Users\Marcin\AppData\Roaming\ACEStream\updater\lib\SSLEAY32.dll (*** suspicious ***) @ C:\Users\Marcin\AppData\Roaming\ACEStream\updater\ace_update.exe [7244] (OpenSSL Shared Library/The OpenSSL Project, http://www.openssl.org/)(2012-01-19 17:20:12) 0000000003a00000 Library C:\Users\Marcin\AppData\Roaming\ACEStream\updater\lib\LIBEAY32.dll (*** suspicious ***) @ C:\Users\Marcin\AppData\Roaming\ACEStream\updater\ace_update.exe [7244] (OpenSSL Shared Library/The OpenSSL Project, http://www.openssl.org/)(2012-01-19 17:19:58) 0000000003a40000 Library C:\Users\Marcin\AppData\Roaming\ACEStream\updater\lib\select.pyd (*** suspicious ***) @ C:\Users\Marcin\AppData\Roaming\ACEStream\updater\ace_update.exe [7244](2011-06-12 13:06:22) 000000001d110000 Library C:\Users\Marcin\AppData\Roaming\ACEStream\updater\lib\pyexpat.pyd (*** suspicious ***) @ C:\Users\Marcin\AppData\Roaming\ACEStream\updater\ace_update.exe [7244](2011-06-12 13:06:24) 00000000020c0000 Library C:\Users\Marcin\AppData\Roaming\ACEStream\updater\lib\win32api.pyd (*** suspicious ***) @ C:\Users\Marcin\AppData\Roaming\ACEStream\updater\ace_update.exe [7244](2012-02-07 16:37:24) 000000001e8c0000 Library C:\Users\Marcin\AppData\Roaming\ACEStream\updater\lib\pywintypes27.dll (*** suspicious ***) @ C:\Users\Marcin\AppData\Roaming\ACEStream\updater\ace_update.exe [7244](2012-02-07 16:35:46) 000000001e7a0000 Library C:\Users\Marcin\AppData\Roaming\ACEStream\updater\lib\pythoncom27.dll (*** suspicious ***) @ C:\Users\Marcin\AppData\Roaming\ACEStream\updater\ace_update.exe [7244](2012-02-07 16:38:58) 0000000003cf0000 Library C:\Users\Marcin\AppData\Roaming\ACEStream\updater\lib\win32file.pyd (*** suspicious ***) @ C:\Users\Marcin\AppData\Roaming\ACEStream\updater\ace_update.exe [7244](2012-02-07 16:36:08) 000000001ea10000 Library C:\Users\Marcin\AppData\Roaming\ACEStream\updater\lib\win32pdh.pyd (*** suspicious ***) @ C:\Users\Marcin\AppData\Roaming\ACEStream\updater\ace_update.exe [7244](2012-02-07 16:36:30) 000000001eb60000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0c6076fc1a13 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\642737c67919 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\642737c67919@a04e04ec35d7 0x3F 0x9E 0x28 0x97 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\642737c67919@e4b02127e67b 0x1D 0xB8 0x04 0xA8 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\642737c67919@2054769ebb62 0x12 0xE1 0x44 0xC2 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\642737c67919@3039263f8ce9 0x35 0x02 0x0B 0x32 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0c6076fc1a13 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\642737c67919 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\642737c67919@a04e04ec35d7 0x3F 0x9E 0x28 0x97 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\642737c67919@e4b02127e67b 0x1D 0xB8 0x04 0xA8 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\642737c67919@2054769ebb62 0x12 0xE1 0x44 0xC2 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\642737c67919@3039263f8ce9 0x35 0x02 0x0B 0x32 ... ---- EOF - GMER 2.1 ----