GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-06-28 19:34:22 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\0000007d ATA_____ rev.A560 698,64GB Running: f21r0z32.exe; Driver: C:\Users\Piotr\AppData\Local\Temp\awddrkog.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1372] C:\Windows\system32\kernel32.dll!RegSetValueExW 000000007737a3e0 7 bytes JMP 000000016fff0228 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1372] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000077383f00 5 bytes JMP 000000016fff0180 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1372] C:\Windows\system32\kernel32.dll!RegDeleteValueW 000000007739ffd0 5 bytes JMP 000000016fff01b8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1372] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 00000000773af350 5 bytes JMP 000000016fff0110 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1372] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 00000000773d9aa0 7 bytes JMP 000000016fff00d8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1372] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000773e9530 5 bytes JMP 000000016fff0148 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1372] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000077408850 7 bytes JMP 000000016fff01f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1372] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd682db0 5 bytes JMP 000007fffd670180 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1372] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd6837d0 7 bytes JMP 000007fffd6700d8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1372] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd68a410 2 bytes JMP 000007fffd670110 .text C:\Program Files\NVIDIA 
Corporation\Display\nvxdsync.exe[1372] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW + 3 000007fefd68a413 2 bytes [FE, FF] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1372] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd68aec0 6 bytes JMP 000007fffd670148 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1372] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefe1b89e0 8 bytes JMP 000007fffd6701f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1372] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefe1bbe40 8 bytes JMP 000007fffd6701b8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1372] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe327490 11 bytes JMP 000007fffd670228 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1372] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefe33bf00 7 bytes JMP 000007fffd670260 .text C:\Windows\system32\Dwm.exe[1712] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd682db0 5 bytes JMP 000007fffd670180 .text C:\Windows\system32\Dwm.exe[1712] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd6837d0 7 bytes JMP 000007fffd6700d8 .text C:\Windows\system32\Dwm.exe[1712] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd68a410 2 bytes JMP 000007fffd670110 .text C:\Windows\system32\Dwm.exe[1712] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW + 3 000007fefd68a413 2 bytes [FE, FF] .text C:\Windows\system32\Dwm.exe[1712] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd68aec0 6 bytes JMP 000007fffd670148 .text C:\Windows\system32\Dwm.exe[1712] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefe1b89e0 8 bytes JMP 000007fffd6701f0 .text C:\Windows\system32\Dwm.exe[1712] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefe1bbe40 8 bytes JMP 000007fffd6701b8 .text C:\Windows\system32\Dwm.exe[1712] 
C:\Windows\system32\dxgi.dll!CreateDXGIFactory 000007fef84bdc88 5 bytes JMP 000007fff82b00d8 .text C:\Windows\system32\Dwm.exe[1712] C:\Windows\system32\dxgi.dll!CreateDXGIFactory1 000007fef84bde10 5 bytes JMP 000007fff82b0110 .text C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTServer.exe[2268] C:\Windows\system32\kernel32.dll!RegSetValueExW 000000007737a3e0 7 bytes JMP 000000016fff0228 .text C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTServer.exe[2268] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000077383f00 5 bytes JMP 000000016fff0180 .text C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTServer.exe[2268] C:\Windows\system32\kernel32.dll!RegDeleteValueW 000000007739ffd0 5 bytes JMP 000000016fff01b8 .text C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTServer.exe[2268] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 00000000773af350 5 bytes JMP 000000016fff0110 .text C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTServer.exe[2268] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 00000000773d9aa0 7 bytes JMP 000000016fff00d8 .text C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTServer.exe[2268] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000773e9530 5 bytes JMP 000000016fff0148 .text C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTServer.exe[2268] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000077408850 7 bytes JMP 000000016fff01f0 .text C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTServer.exe[2268] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd682db0 5 bytes JMP 000007fffd670180 .text C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTServer.exe[2268] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd6837d0 7 bytes JMP 000007fffd6700d8 .text C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTServer.exe[2268] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd68a410 2 bytes JMP 000007fffd670110 .text C:\Program Files (x86)\REALTEK\Realtek 
Bluetooth\BTServer.exe[2268] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW + 3 000007fefd68a413 2 bytes [FE, FF] .text C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTServer.exe[2268] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd68aec0 6 bytes JMP 000007fffd670148 .text C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTServer.exe[2268] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefe1b89e0 8 bytes JMP 000007fffd6701f0 .text C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTServer.exe[2268] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefe1bbe40 8 bytes JMP 000007fffd6701b8 .text C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTServer.exe[2268] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe327490 11 bytes JMP 000007fffd670228 .text C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTServer.exe[2268] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefe33bf00 7 bytes JMP 000007fffd670260 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2404] C:\Windows\system32\kernel32.dll!RegSetValueExW 000000007737a3e0 7 bytes JMP 000000016fff0228 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2404] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000077383f00 5 bytes JMP 000000016fff0180 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2404] C:\Windows\system32\kernel32.dll!RegDeleteValueW 000000007739ffd0 5 bytes JMP 000000016fff01b8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2404] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 00000000773af350 5 bytes JMP 000000016fff0110 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2404] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 00000000773d9aa0 7 bytes JMP 000000016fff00d8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2404] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000773e9530 5 bytes JMP 000000016fff0148 .text C:\Program Files\NVIDIA 
Corporation\Display\nvtray.exe[2404] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000077408850 7 bytes JMP 000000016fff01f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2404] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd682db0 5 bytes JMP 000007fffd670180 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2404] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd6837d0 7 bytes JMP 000007fffd6700d8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2404] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd68a410 2 bytes JMP 000007fffd670110 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2404] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW + 3 000007fefd68a413 2 bytes [FE, FF] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2404] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd68aec0 6 bytes JMP 000007fffd670148 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2404] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefe1b89e0 8 bytes JMP 000007fffd6701f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2404] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefe1bbe40 8 bytes JMP 000007fffd6701b8 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2552] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000760c1efe 7 bytes JMP 0000000173853df0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2552] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 00000000760c5b9d 7 bytes JMP 0000000173854100 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2552] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000760d13f9 7 bytes JMP 0000000173853f30 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2552] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000760dea45 7 bytes JMP 0000000173853de0 .text C:\Program 
Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2552] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000076168ea4 7 bytes JMP 0000000173853b50 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2552] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076168f29 5 bytes JMP 0000000173853c00 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2552] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076169281 5 bytes JMP 0000000173853b60 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2552] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075551d29 5 bytes JMP 0000000173853ae0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2552] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075551dd7 5 bytes JMP 0000000173853a90 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2552] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075552ab1 5 bytes JMP 0000000173853c10 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2552] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075552d1d 5 bytes JMP 0000000173853870 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2552] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076f88a29 5 bytes JMP 0000000173853350 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2552] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076f94572 3 bytes JMP 00000001738537f0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2552] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA + 4 0000000076f94576 1 byte [FC] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2552] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 0000000076fae567 5 bytes JMP 0000000173853860 .text C:\Program Files (x86)\NVIDIA Corporation\Update 
Core\NvBackend.exe[2552] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000076fd07d7 5 bytes JMP 0000000173853280 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2552] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000076fe7a5c 5 bytes JMP 00000001738537e0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2552] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 00000000758ee96b 5 bytes JMP 00000001738533c0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2552] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 00000000758eeba5 5 bytes JMP 00000001738533d0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2552] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000075f05ea5 5 bytes JMP 0000000173853300 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2552] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075f39d0b 5 bytes JMP 0000000173853290 .text C:\Users\Piotr\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe[2944] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000753a1401 2 bytes JMP 760eb21b C:\Windows\syswow64\kernel32.dll .text C:\Users\Piotr\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe[2944] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000753a1419 2 bytes JMP 760eb346 C:\Windows\syswow64\kernel32.dll .text C:\Users\Piotr\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe[2944] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000753a1431 2 bytes JMP 76168f29 C:\Windows\syswow64\kernel32.dll .text C:\Users\Piotr\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe[2944] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000753a144a 2 bytes CALL 760c489d C:\Windows\syswow64\kernel32.dll .text ... 
* 9 .text C:\Users\Piotr\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe[2944] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000753a14dd 2 bytes JMP 76168822 C:\Windows\syswow64\kernel32.dll .text C:\Users\Piotr\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe[2944] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000753a14f5 2 bytes JMP 761689f8 C:\Windows\syswow64\kernel32.dll .text C:\Users\Piotr\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe[2944] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000753a150d 2 bytes JMP 76168718 C:\Windows\syswow64\kernel32.dll .text C:\Users\Piotr\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe[2944] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000753a1525 2 bytes JMP 76168ae2 C:\Windows\syswow64\kernel32.dll .text C:\Users\Piotr\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe[2944] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000753a153d 2 bytes JMP 760dfca8 C:\Windows\syswow64\kernel32.dll .text C:\Users\Piotr\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe[2944] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000753a1555 2 bytes JMP 760e68ef C:\Windows\syswow64\kernel32.dll .text C:\Users\Piotr\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe[2944] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000753a156d 2 bytes JMP 76168fe3 C:\Windows\syswow64\kernel32.dll .text C:\Users\Piotr\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe[2944] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000753a1585 2 bytes JMP 76168b42 C:\Windows\syswow64\kernel32.dll .text C:\Users\Piotr\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe[2944] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000753a159d 2 bytes JMP 761686dc C:\Windows\syswow64\kernel32.dll .text C:\Users\Piotr\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe[2944] 
C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000753a15b5 2 bytes JMP 760dfd41 C:\Windows\syswow64\kernel32.dll .text C:\Users\Piotr\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe[2944] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000753a15cd 2 bytes JMP 760eb2dc C:\Windows\syswow64\kernel32.dll .text C:\Users\Piotr\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe[2944] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000753a16b2 2 bytes JMP 76168ea4 C:\Windows\syswow64\kernel32.dll .text C:\Users\Piotr\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe[2944] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000753a16bd 2 bytes JMP 76168671 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2100] C:\Windows\system32\kernel32.dll!RegSetValueExW 000000007737a3e0 7 bytes JMP 000000016fff0228 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2100] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000077383f00 5 bytes JMP 000000016fff0180 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2100] C:\Windows\system32\kernel32.dll!RegDeleteValueW 000000007739ffd0 5 bytes JMP 000000016fff01b8 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2100] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 00000000773af350 5 bytes JMP 000000016fff0110 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2100] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 00000000773d9aa0 7 bytes JMP 000000016fff00d8 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2100] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000773e9530 5 bytes JMP 000000016fff0148 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2100] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000077408850 7 bytes JMP 000000016fff01f0 .text C:\Program 
Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2100] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd682db0 5 bytes JMP 000007fffd500180 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2100] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd6837d0 7 bytes JMP 000007fffd5000d8 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2100] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd68a410 2 bytes JMP 000007fffd500110 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2100] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW + 3 000007fefd68a413 2 bytes [E7, FF] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2100] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd68aec0 6 bytes JMP 000007fffd500148 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2100] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe327490 11 bytes JMP 000007fffd500228 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2100] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefe33bf00 7 bytes JMP 000007fffd500260 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2100] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefe1b89e0 8 bytes JMP 000007fffd5001f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2100] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefe1bbe40 8 bytes JMP 000007fffd5001b8 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2100] C:\Windows\system32\d3d9.dll!Direct3DCreate9Ex 000007fef2fe2460 5 bytes JMP 000007fefd5002d0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2100] C:\Windows\system32\d3d9.dll!Direct3DCreate9 000007fef30196b0 6 bytes JMP 000007fefd500298 .text C:\Windows\System32\dinotify.exe[3276] C:\Windows\system32\kernel32.dll!RegSetValueExW 000000007737a3e0 7 bytes JMP 
000000016fff0228 .text C:\Windows\System32\dinotify.exe[3276] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000077383f00 5 bytes JMP 000000016fff0180 .text C:\Windows\System32\dinotify.exe[3276] C:\Windows\system32\kernel32.dll!RegDeleteValueW 000000007739ffd0 5 bytes JMP 000000016fff01b8 .text C:\Windows\System32\dinotify.exe[3276] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 00000000773af350 5 bytes JMP 000000016fff0110 .text C:\Windows\System32\dinotify.exe[3276] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 00000000773d9aa0 7 bytes JMP 000000016fff00d8 .text C:\Windows\System32\dinotify.exe[3276] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000773e9530 5 bytes JMP 000000016fff0148 .text C:\Windows\System32\dinotify.exe[3276] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000077408850 7 bytes JMP 000000016fff01f0 .text C:\Windows\System32\dinotify.exe[3276] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd682db0 5 bytes JMP 000007fffd4c0180 .text C:\Windows\System32\dinotify.exe[3276] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd6837d0 7 bytes JMP 000007fffd4c00d8 .text C:\Windows\System32\dinotify.exe[3276] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd68a410 2 bytes JMP 000007fffd4c0110 .text C:\Windows\System32\dinotify.exe[3276] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW + 3 000007fefd68a413 2 bytes [E3, FF] .text C:\Windows\System32\dinotify.exe[3276] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd68aec0 6 bytes JMP 000007fffd4c0148 .text C:\Windows\System32\dinotify.exe[3276] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefe1b89e0 8 bytes JMP 000007fffd4c01f0 .text C:\Windows\System32\dinotify.exe[3276] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefe1bbe40 8 bytes JMP 000007fffd4c01b8 .text C:\Program Files (x86)\REALTEK\Realtek Bluetooth\SkypePlugin.exe[3804] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 
000007fefd682db0 5 bytes JMP 000007fffd670180 .text C:\Program Files (x86)\REALTEK\Realtek Bluetooth\SkypePlugin.exe[3804] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd6837d0 7 bytes JMP 000007fffd6700d8 .text C:\Program Files (x86)\REALTEK\Realtek Bluetooth\SkypePlugin.exe[3804] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd68a410 2 bytes JMP 000007fffd670110 .text C:\Program Files (x86)\REALTEK\Realtek Bluetooth\SkypePlugin.exe[3804] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW + 3 000007fefd68a413 2 bytes [FE, FF] .text C:\Program Files (x86)\REALTEK\Realtek Bluetooth\SkypePlugin.exe[3804] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd68aec0 6 bytes JMP 000007fffd670148 .text C:\Program Files (x86)\REALTEK\Realtek Bluetooth\SkypePlugin.exe[3804] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefe1b89e0 8 bytes JMP 000007fffd6701f0 .text C:\Program Files (x86)\REALTEK\Realtek Bluetooth\SkypePlugin.exe[3804] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefe1bbe40 8 bytes JMP 000007fffd6701b8 .text C:\Windows\System32\igfxpers.exe[3684] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd682db0 5 bytes JMP 000007fffd670180 .text C:\Windows\System32\igfxpers.exe[3684] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd6837d0 7 bytes JMP 000007fffd6700d8 .text C:\Windows\System32\igfxpers.exe[3684] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd68a410 2 bytes JMP 000007fffd670110 .text C:\Windows\System32\igfxpers.exe[3684] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW + 3 000007fefd68a413 2 bytes [FE, FF] .text C:\Windows\System32\igfxpers.exe[3684] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd68aec0 6 bytes JMP 000007fffd670148 .text C:\Windows\System32\igfxpers.exe[3684] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefe1b89e0 8 bytes JMP 000007fffd6701f0 .text C:\Windows\System32\igfxpers.exe[3684] 
C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefe1bbe40 8 bytes JMP 000007fffd6701b8 .text C:\Windows\System32\igfxpers.exe[3684] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe327490 11 bytes JMP 000007fffd670228 .text C:\Windows\System32\igfxpers.exe[3684] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefe33bf00 7 bytes JMP 000007fffd670260 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1820] C:\Windows\system32\kernel32.dll!RegSetValueExW 000000007737a3e0 7 bytes JMP 000000016fff0228 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1820] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000077383f00 5 bytes JMP 000000016fff0180 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1820] C:\Windows\system32\kernel32.dll!RegDeleteValueW 000000007739ffd0 5 bytes JMP 000000016fff01b8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1820] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 00000000773af350 5 bytes JMP 000000016fff0110 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1820] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 00000000773d9aa0 7 bytes JMP 000000016fff00d8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1820] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000773e9530 5 bytes JMP 000000016fff0148 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1820] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000077408850 7 bytes JMP 000000016fff01f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1820] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd682db0 5 bytes JMP 000007fffd670180 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1820] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd6837d0 7 bytes JMP 000007fffd6700d8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1820] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd68a410 2 bytes JMP 000007fffd670110 .text C:\Program 
Files\Realtek\Audio\HDA\RAVCpl64.exe[1820] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW + 3 000007fefd68a413 2 bytes [FE, FF] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1820] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd68aec0 6 bytes JMP 000007fffd670148 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1820] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefe1b89e0 8 bytes JMP 000007fffd6701f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1820] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefe1bbe40 8 bytes JMP 000007fffd6701b8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1820] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe327490 11 bytes JMP 000007fffd670228 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1820] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefe33bf00 7 bytes JMP 000007fffd670260 .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHBE.EXE[4184] C:\Windows\system32\kernel32.dll!RegSetValueExW 000000007737a3e0 7 bytes JMP 000000016fff0228 .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHBE.EXE[4184] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000077383f00 5 bytes JMP 000000016fff0180 .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHBE.EXE[4184] C:\Windows\system32\kernel32.dll!RegDeleteValueW 000000007739ffd0 5 bytes JMP 000000016fff01b8 .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHBE.EXE[4184] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 00000000773af350 5 bytes JMP 000000016fff0110 .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHBE.EXE[4184] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 00000000773d9aa0 7 bytes JMP 000000016fff00d8 .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHBE.EXE[4184] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000773e9530 5 bytes JMP 000000016fff0148 .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHBE.EXE[4184] 
C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000077408850 7 bytes JMP 000000016fff01f0 .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHBE.EXE[4184] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd682db0 5 bytes JMP 000007fffd670180 .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHBE.EXE[4184] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd6837d0 7 bytes JMP 000007fffd6700d8 .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHBE.EXE[4184] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd68a410 2 bytes JMP 000007fffd670110 .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHBE.EXE[4184] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW + 3 000007fefd68a413 2 bytes [FE, FF] .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHBE.EXE[4184] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd68aec0 6 bytes JMP 000007fffd670148 .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHBE.EXE[4184] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefe1b89e0 8 bytes JMP 000007fffd6701f0 .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHBE.EXE[4184] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefe1bbe40 8 bytes JMP 000007fffd6701b8 .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHBE.EXE[4184] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe327490 11 bytes JMP 000007fffd670228 .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHBE.EXE[4184] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefe33bf00 7 bytes JMP 000007fffd670260 .text C:\Windows\System32\StikyNot.exe[4348] C:\Windows\system32\kernel32.dll!RegSetValueExW 000000007737a3e0 7 bytes JMP 000000016fff0228 .text C:\Windows\System32\StikyNot.exe[4348] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000077383f00 5 bytes JMP 000000016fff0180 .text C:\Windows\System32\StikyNot.exe[4348] C:\Windows\system32\kernel32.dll!RegDeleteValueW 000000007739ffd0 5 bytes JMP 000000016fff01b8 .text 
C:\Windows\System32\StikyNot.exe[4348] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 00000000773af350 5 bytes JMP 000000016fff0110
.text C:\Windows\System32\StikyNot.exe[4348] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 00000000773d9aa0 7 bytes JMP 000000016fff00d8
.text C:\Windows\System32\StikyNot.exe[4348] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000773e9530 5 bytes JMP 000000016fff0148
.text C:\Windows\System32\StikyNot.exe[4348] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000077408850 7 bytes JMP 000000016fff01f0
.text C:\Windows\System32\StikyNot.exe[4348] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd682db0 5 bytes JMP 000007fffd670180
.text C:\Windows\System32\StikyNot.exe[4348] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd6837d0 7 bytes JMP 000007fffd6700d8
.text C:\Windows\System32\StikyNot.exe[4348] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd68a410 2 bytes JMP 000007fffd670110
.text C:\Windows\System32\StikyNot.exe[4348] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW + 3 000007fefd68a413 2 bytes [FE, FF]
.text C:\Windows\System32\StikyNot.exe[4348] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd68aec0 6 bytes JMP 000007fffd670148
.text C:\Windows\System32\StikyNot.exe[4348] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefe1b89e0 8 bytes JMP 000007fffd6701f0
.text C:\Windows\System32\StikyNot.exe[4348] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefe1bbe40 8 bytes JMP 000007fffd6701b8
.text C:\Windows\System32\StikyNot.exe[4348] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe327490 11 bytes JMP 000007fffd670228
.text C:\Windows\System32\StikyNot.exe[4348] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefe33bf00 7 bytes JMP 000007fffd670260
.text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4808] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000760c1efe 7 bytes JMP 0000000173853df0
.text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4808] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 00000000760c5b9d 7 bytes JMP 0000000173854100
.text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4808] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000760d13f9 7 bytes JMP 0000000173853f30
.text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4808] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000760dea45 7 bytes JMP 0000000173853de0
.text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4808] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000076168ea4 7 bytes JMP 0000000173853b50
.text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4808] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076168f29 5 bytes JMP 0000000173853c00
.text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4808] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076169281 5 bytes JMP 0000000173853b60
.text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4808] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075551d29 5 bytes JMP 0000000173853ae0
.text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4808] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075551dd7 5 bytes JMP 0000000173853a90
.text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4808] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075552ab1 5 bytes JMP 0000000173853c10
.text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4808] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075552d1d 5 bytes JMP 0000000173853870
.text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4808] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 00000000758ee96b 5 bytes JMP 00000001738533c0
.text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4808] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 00000000758eeba5 5 bytes JMP 00000001738533d0
.text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4808] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076f88a29 5 bytes JMP 0000000173853350
.text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4808] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076f94572 3 bytes JMP 00000001738537f0
.text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4808] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA + 4 0000000076f94576 1 byte [FC]
.text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4808] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 0000000076fae567 5 bytes JMP 0000000173853860
.text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4808] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000076fd07d7 5 bytes JMP 0000000173853280
.text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4808] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000076fe7a5c 5 bytes JMP 00000001738537e0
.text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4808] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000075f05ea5 5 bytes JMP 0000000173853300
.text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4808] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075f39d0b 5 bytes JMP 0000000173853290
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4836] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000760c1efe 7 bytes JMP 0000000173853df0
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4836] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 00000000760c5b9d 7 bytes JMP 0000000173854100
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4836] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000760d13f9 7 bytes JMP 0000000173853f30
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4836] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000760dea45 7 bytes JMP 0000000173853de0
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4836] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000076168ea4 7 bytes JMP 0000000173853b50
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4836] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076168f29 5 bytes JMP 0000000173853c00
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4836] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076169281 5 bytes JMP 0000000173853b60
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4836] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075551d29 5 bytes JMP 0000000173853ae0
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4836] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075551dd7 5 bytes JMP 0000000173853a90
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4836] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075552ab1 5 bytes JMP 0000000173853c10
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4836] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075552d1d 5 bytes JMP 0000000173853870
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4836] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 00000000758ee96b 5 bytes JMP 00000001738533c0
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4836] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 00000000758eeba5 5 bytes JMP 00000001738533d0
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4836] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076f88a29 5 bytes JMP 0000000173853350
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4836] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076f94572 3 bytes JMP 00000001738537f0
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4836] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA + 4 0000000076f94576 1 byte [FC]
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4836] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 0000000076fae567 5 bytes JMP 0000000173853860
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4836] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000076fd07d7 5 bytes JMP 0000000173853280
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4836] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000076fe7a5c 5 bytes JMP 00000001738537e0
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4836] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000075f05ea5 5 bytes JMP 0000000173853300
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4836] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075f39d0b 5 bytes JMP 0000000173853290
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4900] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000760c1efe 7 bytes JMP 0000000173853df0
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4900] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 00000000760c5b9d 7 bytes JMP 0000000173854100
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4900] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000760d13f9 7 bytes JMP 0000000173853f30
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4900] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000760dea45 7 bytes JMP 0000000173853de0
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4900] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000076168ea4 7 bytes JMP 0000000173853b50
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4900] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076168f29 5 bytes JMP 0000000173853c00
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4900] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076169281 5 bytes JMP 0000000173853b60
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4900] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075551d29 5 bytes JMP 0000000173853ae0
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4900] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075551dd7 5 bytes JMP 0000000173853a90
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4900] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075552ab1 5 bytes JMP 0000000173853c10
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4900] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075552d1d 5 bytes JMP 0000000173853870
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4900] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 00000000758ee96b 5 bytes JMP 00000001738533c0
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4900] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 00000000758eeba5 5 bytes JMP 00000001738533d0
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4900] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076f88a29 5 bytes JMP 0000000173853350
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4900] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076f94572 3 bytes JMP 00000001738537f0
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4900] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA + 4 0000000076f94576 1 byte [FC]
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4900] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 0000000076fae567 5 bytes JMP 0000000173853860
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4900] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000076fd07d7 5 bytes JMP 0000000173853280
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4900] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000076fe7a5c 5 bytes JMP 00000001738537e0
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4900] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000075f05ea5 5 bytes JMP 0000000173853300
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4900] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075f39d0b 5 bytes JMP 0000000173853290
.text C:\Windows\SysWOW64\msiexec.exe[4364] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007778fc9c 5 bytes JMP 000000007ef938b1
.text C:\Windows\SysWOW64\msiexec.exe[4364] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000760c1efe 7 bytes JMP 0000000173853df0
.text C:\Windows\SysWOW64\msiexec.exe[4364] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000076168ea4 7 bytes JMP 0000000173853b50
.text C:\Windows\SysWOW64\msiexec.exe[4364] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076168f29 5 bytes JMP 0000000173853c00
.text C:\Windows\SysWOW64\msiexec.exe[4364] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076169281 5 bytes JMP 0000000173853b60
.text C:\Windows\SysWOW64\msiexec.exe[4364] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075551d29 5 bytes JMP 0000000173853ae0
.text C:\Windows\SysWOW64\msiexec.exe[4364] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075551dd7 5 bytes JMP 0000000173853a90
.text C:\Windows\SysWOW64\msiexec.exe[4364] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075552ab1 5 bytes JMP 0000000173853c10
.text C:\Windows\SysWOW64\msiexec.exe[4364] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075552d1d 5 bytes JMP 0000000173853870
.text C:\Windows\SysWOW64\msiexec.exe[4364] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076f88a29 5 bytes JMP 0000000173853350
.text C:\Windows\SysWOW64\msiexec.exe[4364] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076f94572 3 bytes JMP 00000001738537f0
.text C:\Windows\SysWOW64\msiexec.exe[4364] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA + 4 0000000076f94576 1 byte [FC]
.text C:\Windows\SysWOW64\msiexec.exe[4364] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 0000000076fae567 5 bytes JMP 0000000173853860
.text C:\Windows\SysWOW64\msiexec.exe[4364] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000076fd07d7 5 bytes JMP 0000000173853280
.text C:\Windows\SysWOW64\msiexec.exe[4364] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000076fe7a5c 5 bytes JMP 00000001738537e0
.text C:\Windows\SysWOW64\msiexec.exe[4364] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 00000000758ee96b 5 bytes JMP 00000001738533c0
.text C:\Windows\SysWOW64\msiexec.exe[4364] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 00000000758eeba5 5 bytes JMP 00000001738533d0
.text C:\Windows\SysWOW64\msiexec.exe[4364] C:\Windows\syswow64\ws2_32.dll!GetAddrInfoW 00000000753b4889 5 bytes JMP 000000007ef943bd
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4552] C:\Windows\syswow64\KERNEL32.dll!RegQueryValueExW 00000000760c1efe 7 bytes JMP 0000000173853df0
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4552] C:\Windows\syswow64\KERNEL32.dll!RegSetValueExW 00000000760c5b9d 7 bytes JMP 0000000173854100
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4552] C:\Windows\syswow64\KERNEL32.dll!RegSetValueExA 00000000760d13f9 7 bytes JMP 0000000173853f30
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4552] C:\Windows\syswow64\KERNEL32.dll!RegDeleteValueW 00000000760dea45 7 bytes JMP 0000000173853de0
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4552] C:\Windows\syswow64\KERNEL32.dll!K32EnumProcessModulesEx 0000000076168ea4 7 bytes JMP 0000000173853b50
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4552] C:\Windows\syswow64\KERNEL32.dll!K32GetModuleInformation 0000000076168f29 5 bytes JMP 0000000173853c00
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4552] C:\Windows\syswow64\KERNEL32.dll!K32GetMappedFileNameW 0000000076169281 5 bytes JMP 0000000173853b60
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4552] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075551d29 5 bytes JMP 0000000173853ae0
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4552] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075551dd7 5 bytes JMP 0000000173853a90
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4552] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075552ab1 5 bytes JMP 0000000173853c10
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4552] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075552d1d 5 bytes JMP 0000000173853870
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4552] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076f88a29 5 bytes JMP 0000000173853350
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4552] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076f94572 3 bytes JMP 00000001738537f0
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4552] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA + 4 0000000076f94576 1 byte [FC]
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4552] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 0000000076fae567 5 bytes JMP 0000000173853860
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4552] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000076fd07d7 5 bytes JMP 0000000173853280
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4552] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000076fe7a5c 5 bytes JMP 00000001738537e0
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4552] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 00000000758ee96b 5 bytes JMP 00000001738533c0
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4552] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 00000000758eeba5 5 bytes JMP 00000001738533d0
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4552] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000075f05ea5 5 bytes JMP 0000000173853300
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4552] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075f39d0b 5 bytes JMP 0000000173853290
.text C:\Users\Piotr\AppData\Local\Akamai\netsession_win.exe[3128] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000760c1efe 7 bytes JMP 0000000173853df0
.text C:\Users\Piotr\AppData\Local\Akamai\netsession_win.exe[3128] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 00000000760c5b9d 7 bytes JMP 0000000173854100
.text C:\Users\Piotr\AppData\Local\Akamai\netsession_win.exe[3128] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000760d13f9 7 bytes JMP 0000000173853f30
.text C:\Users\Piotr\AppData\Local\Akamai\netsession_win.exe[3128] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000760dea45 7 bytes JMP 0000000173853de0
.text C:\Users\Piotr\AppData\Local\Akamai\netsession_win.exe[3128] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000076168ea4 7 bytes JMP 0000000173853b50
.text C:\Users\Piotr\AppData\Local\Akamai\netsession_win.exe[3128] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076168f29 5 bytes JMP 0000000173853c00
.text C:\Users\Piotr\AppData\Local\Akamai\netsession_win.exe[3128] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076169281 5 bytes JMP 0000000173853b60
.text C:\Users\Piotr\AppData\Local\Akamai\netsession_win.exe[3128] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075551d29 5 bytes JMP 0000000173853ae0
.text C:\Users\Piotr\AppData\Local\Akamai\netsession_win.exe[3128] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075551dd7 5 bytes JMP 0000000173853a90
.text C:\Users\Piotr\AppData\Local\Akamai\netsession_win.exe[3128] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075552ab1 5 bytes JMP 0000000173853c10
.text C:\Users\Piotr\AppData\Local\Akamai\netsession_win.exe[3128] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075552d1d 5 bytes JMP 0000000173853870
.text C:\Users\Piotr\AppData\Local\Akamai\netsession_win.exe[3128] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076f88a29 5 bytes JMP 0000000173853350
.text C:\Users\Piotr\AppData\Local\Akamai\netsession_win.exe[3128] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076f94572 3 bytes JMP 00000001738537f0
.text C:\Users\Piotr\AppData\Local\Akamai\netsession_win.exe[3128] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA + 4 0000000076f94576 1 byte [FC]
.text C:\Users\Piotr\AppData\Local\Akamai\netsession_win.exe[3128] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 0000000076fae567 5 bytes JMP 0000000173853860
.text C:\Users\Piotr\AppData\Local\Akamai\netsession_win.exe[3128] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000076fd07d7 5 bytes JMP 0000000173853280
.text C:\Users\Piotr\AppData\Local\Akamai\netsession_win.exe[3128] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000076fe7a5c 5 bytes JMP 00000001738537e0
.text C:\Users\Piotr\AppData\Local\Akamai\netsession_win.exe[3128] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 00000000758ee96b 5 bytes JMP 00000001738533c0
.text C:\Users\Piotr\AppData\Local\Akamai\netsession_win.exe[3128] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 00000000758eeba5 5 bytes JMP 00000001738533d0
.text C:\Users\Piotr\AppData\Local\Akamai\netsession_win.exe[3128] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000753a1401 2 bytes JMP 760eb21b C:\Windows\syswow64\kernel32.dll
.text C:\Users\Piotr\AppData\Local\Akamai\netsession_win.exe[3128] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000753a1419 2 bytes JMP 760eb346 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Piotr\AppData\Local\Akamai\netsession_win.exe[3128] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000753a1431 2 bytes JMP 76168f29 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Piotr\AppData\Local\Akamai\netsession_win.exe[3128] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000753a144a 2 bytes CALL 760c489d C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Users\Piotr\AppData\Local\Akamai\netsession_win.exe[3128] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000753a14dd 2 bytes JMP 76168822 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Piotr\AppData\Local\Akamai\netsession_win.exe[3128] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000753a14f5 2 bytes JMP 761689f8 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Piotr\AppData\Local\Akamai\netsession_win.exe[3128] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000753a150d 2 bytes JMP 76168718 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Piotr\AppData\Local\Akamai\netsession_win.exe[3128] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000753a1525 2 bytes JMP 76168ae2 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Piotr\AppData\Local\Akamai\netsession_win.exe[3128] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000753a153d 2 bytes JMP 760dfca8 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Piotr\AppData\Local\Akamai\netsession_win.exe[3128] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000753a1555 2 bytes JMP 760e68ef C:\Windows\syswow64\kernel32.dll
.text C:\Users\Piotr\AppData\Local\Akamai\netsession_win.exe[3128] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000753a156d 2 bytes JMP 76168fe3 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Piotr\AppData\Local\Akamai\netsession_win.exe[3128] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000753a1585 2 bytes JMP 76168b42 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Piotr\AppData\Local\Akamai\netsession_win.exe[3128] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000753a159d 2 bytes JMP 761686dc C:\Windows\syswow64\kernel32.dll
.text C:\Users\Piotr\AppData\Local\Akamai\netsession_win.exe[3128] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000753a15b5 2 bytes JMP 760dfd41 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Piotr\AppData\Local\Akamai\netsession_win.exe[3128] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000753a15cd 2 bytes JMP 760eb2dc C:\Windows\syswow64\kernel32.dll
.text C:\Users\Piotr\AppData\Local\Akamai\netsession_win.exe[3128] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000753a16b2 2 bytes JMP 76168ea4 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Piotr\AppData\Local\Akamai\netsession_win.exe[3128] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000753a16bd 2 bytes JMP 76168671 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Piotr\AppData\Local\Akamai\netsession_win.exe[3128] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000075f05ea5 5 bytes JMP 0000000173853300
.text C:\Users\Piotr\AppData\Local\Akamai\netsession_win.exe[3128] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075f39d0b 5 bytes JMP 0000000173853290
.text C:\Users\Piotr\AppData\Local\Akamai\netsession_win.exe[4316] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000760c1efe 7 bytes JMP 0000000173853df0
.text C:\Users\Piotr\AppData\Local\Akamai\netsession_win.exe[4316] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 00000000760c5b9d 7 bytes JMP 0000000173854100
.text C:\Users\Piotr\AppData\Local\Akamai\netsession_win.exe[4316] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000760d13f9 7 bytes JMP 0000000173853f30
.text C:\Users\Piotr\AppData\Local\Akamai\netsession_win.exe[4316] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000760dea45 7 bytes JMP 0000000173853de0
.text C:\Users\Piotr\AppData\Local\Akamai\netsession_win.exe[4316] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000076168ea4 7 bytes JMP 0000000173853b50
.text C:\Users\Piotr\AppData\Local\Akamai\netsession_win.exe[4316] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076168f29 5 bytes JMP 0000000173853c00
.text C:\Users\Piotr\AppData\Local\Akamai\netsession_win.exe[4316] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076169281 5 bytes JMP 0000000173853b60
.text C:\Users\Piotr\AppData\Local\Akamai\netsession_win.exe[4316] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075551d29 5 bytes JMP 0000000173853ae0
.text C:\Users\Piotr\AppData\Local\Akamai\netsession_win.exe[4316] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075551dd7 5 bytes JMP 0000000173853a90
.text C:\Users\Piotr\AppData\Local\Akamai\netsession_win.exe[4316] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075552ab1 5 bytes JMP 0000000173853c10
.text C:\Users\Piotr\AppData\Local\Akamai\netsession_win.exe[4316] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075552d1d 5 bytes JMP 0000000173853870
.text C:\Users\Piotr\AppData\Local\Akamai\netsession_win.exe[4316] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076f88a29 5 bytes JMP 0000000173853350
.text C:\Users\Piotr\AppData\Local\Akamai\netsession_win.exe[4316] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076f94572 3 bytes JMP 00000001738537f0
.text C:\Users\Piotr\AppData\Local\Akamai\netsession_win.exe[4316] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA + 4 0000000076f94576 1 byte [FC]
.text C:\Users\Piotr\AppData\Local\Akamai\netsession_win.exe[4316] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 0000000076fae567 5 bytes JMP 0000000173853860
.text C:\Users\Piotr\AppData\Local\Akamai\netsession_win.exe[4316] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000076fd07d7 5 bytes JMP 0000000173853280
.text C:\Users\Piotr\AppData\Local\Akamai\netsession_win.exe[4316] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000076fe7a5c 5 bytes JMP 00000001738537e0
.text C:\Users\Piotr\AppData\Local\Akamai\netsession_win.exe[4316] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 00000000758ee96b 5 bytes JMP 00000001738533c0
.text C:\Users\Piotr\AppData\Local\Akamai\netsession_win.exe[4316] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 00000000758eeba5 5 bytes JMP 00000001738533d0
.text C:\Users\Piotr\AppData\Local\Akamai\netsession_win.exe[4316] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000753a1401 2 bytes JMP 760eb21b C:\Windows\syswow64\kernel32.dll
.text C:\Users\Piotr\AppData\Local\Akamai\netsession_win.exe[4316] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000753a1419 2 bytes JMP 760eb346 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Piotr\AppData\Local\Akamai\netsession_win.exe[4316] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000753a1431 2 bytes JMP 76168f29 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Piotr\AppData\Local\Akamai\netsession_win.exe[4316] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000753a144a 2 bytes CALL 760c489d C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Users\Piotr\AppData\Local\Akamai\netsession_win.exe[4316] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000753a14dd 2 bytes JMP 76168822 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Piotr\AppData\Local\Akamai\netsession_win.exe[4316] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000753a14f5 2 bytes JMP 761689f8 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Piotr\AppData\Local\Akamai\netsession_win.exe[4316] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000753a150d 2 bytes JMP 76168718 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Piotr\AppData\Local\Akamai\netsession_win.exe[4316] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000753a1525 2 bytes JMP 76168ae2 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Piotr\AppData\Local\Akamai\netsession_win.exe[4316] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000753a153d 2 bytes JMP 760dfca8 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Piotr\AppData\Local\Akamai\netsession_win.exe[4316] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000753a1555 2 bytes JMP 760e68ef C:\Windows\syswow64\kernel32.dll
.text C:\Users\Piotr\AppData\Local\Akamai\netsession_win.exe[4316] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000753a156d 2 bytes JMP 76168fe3 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Piotr\AppData\Local\Akamai\netsession_win.exe[4316] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000753a1585 2 bytes JMP 76168b42 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Piotr\AppData\Local\Akamai\netsession_win.exe[4316] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000753a159d 2 bytes JMP 761686dc C:\Windows\syswow64\kernel32.dll
.text C:\Users\Piotr\AppData\Local\Akamai\netsession_win.exe[4316] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000753a15b5 2 bytes JMP 760dfd41 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Piotr\AppData\Local\Akamai\netsession_win.exe[4316] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000753a15cd 2 bytes JMP 760eb2dc C:\Windows\syswow64\kernel32.dll
.text C:\Users\Piotr\AppData\Local\Akamai\netsession_win.exe[4316] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000753a16b2 2 bytes JMP 76168ea4 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Piotr\AppData\Local\Akamai\netsession_win.exe[4316] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000753a16bd 2 bytes JMP 76168671 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Piotr\AppData\Local\Akamai\netsession_win.exe[4316] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000075f05ea5 5 bytes JMP 0000000173853300
.text C:\Users\Piotr\AppData\Local\Akamai\netsession_win.exe[4316] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075f39d0b 5 bytes JMP 0000000173853290
.text C:\Users\Piotr\Downloads\f21r0z32.exe[1096] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000760c1efe 7 bytes JMP 0000000173853df0
.text C:\Users\Piotr\Downloads\f21r0z32.exe[1096] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 00000000760c5b9d 7 bytes JMP 0000000173854100
.text C:\Users\Piotr\Downloads\f21r0z32.exe[1096] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000760d13f9 7 bytes JMP 0000000173853f30
.text C:\Users\Piotr\Downloads\f21r0z32.exe[1096] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000760dea45 7 bytes JMP 0000000173853de0
.text C:\Users\Piotr\Downloads\f21r0z32.exe[1096] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000076168ea4 7 bytes JMP 0000000173853b50
.text C:\Users\Piotr\Downloads\f21r0z32.exe[1096] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076168f29 5 bytes JMP 0000000173853c00
.text C:\Users\Piotr\Downloads\f21r0z32.exe[1096] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076169281 5 bytes JMP 0000000173853b60
.text C:\Users\Piotr\Downloads\f21r0z32.exe[1096] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075551d29 5 bytes JMP 0000000173853ae0
.text C:\Users\Piotr\Downloads\f21r0z32.exe[1096] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075551dd7 5 bytes JMP 0000000173853a90
.text C:\Users\Piotr\Downloads\f21r0z32.exe[1096] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075552ab1 5 bytes JMP 0000000173853c10
.text C:\Users\Piotr\Downloads\f21r0z32.exe[1096] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075552d1d 5 bytes JMP 0000000173853870
.text C:\Users\Piotr\Downloads\f21r0z32.exe[1096] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 00000000758ee96b 5 bytes JMP 00000001738533c0
.text C:\Users\Piotr\Downloads\f21r0z32.exe[1096] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 00000000758eeba5 5 bytes JMP 00000001738533d0
.text C:\Users\Piotr\Downloads\f21r0z32.exe[1096] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076f88a29 5 bytes JMP 0000000173853350
.text C:\Users\Piotr\Downloads\f21r0z32.exe[1096] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076f94572 3 bytes JMP 00000001738537f0
.text C:\Users\Piotr\Downloads\f21r0z32.exe[1096] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA + 4 0000000076f94576 1 byte [FC]
.text C:\Users\Piotr\Downloads\f21r0z32.exe[1096] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 0000000076fae567 5 bytes JMP 0000000173853860
.text C:\Users\Piotr\Downloads\f21r0z32.exe[1096] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000076fd07d7 5 bytes JMP 0000000173853280
.text C:\Users\Piotr\Downloads\f21r0z32.exe[1096] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000076fe7a5c 5 bytes JMP 00000001738537e0
.text C:\Users\Piotr\Downloads\f21r0z32.exe[1096] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000075f05ea5 5 bytes JMP 0000000173853300
.text C:\Users\Piotr\Downloads\f21r0z32.exe[1096] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075f39d0b 5 bytes JMP 0000000173853290

---- Threads - GMER 2.1 ----

Thread C:\Windows\SysWOW64\msiexec.exe [4364:2772] 000000007ef9392e

---- Processes - GMER 2.1 ----

Process C:\Users\Piotr\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe (*** suspicious ***) @ C:\Users\Piotr\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe [2944] (Microsoft® Volume Shadow Copy Service/Microsoft Corporation)(2015-06-23 07:54:57) 0000000000400000
Library C:\Users\Piotr\AppData\Local\Temp\cdo2942387096.dll (*** suspicious ***) @ C:\Windows\SysWOW64\msiexec.exe [4364] (Microsoft CDO for Windows Library/Microsoft Corporation)(2015-06-23 19:55:31) 0000000000770000

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{C309E933-1C2E-424C-AC63-F6172A89CF4A}\Connection@Name isatap.{A8B38EB5-7E59-468C-9962-0B6F89E879AA}
Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{B448C74D-A0C3-4581-9700-7C523B5FEA28}\Linkage@Bind \Device\{6179E76B-2217-4FB5-9C37-F1067E4DB369}?\Device\{C309E933-1C2E-424C-AC63-F6172A89CF4A}?\Device\{36A113DA-4C19-4906-8EB7-BF51FB0BD761}?\Device\{D772DED2-D995-4DD6-8374-8053EC1225FF}?\Device\{C49AD16D-7E3A-445D-812E-91AE9981E285}?
Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{B448C74D-A0C3-4581-9700-7C523B5FEA28}\Linkage@Route "{6179E76B-2217-4FB5-9C37-F1067E4DB369}"?"{C309E933-1C2E-424C-AC63-F6172A89CF4A}"?"{36A113DA-4C19-4906-8EB7-BF51FB0BD761}"?"{D772DED2-D995-4DD6-8374-8053EC1225FF}"?"{C49AD16D-7E3A-445D-812E-91AE9981E285}"?
Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{B448C74D-A0C3-4581-9700-7C523B5FEA28}\Linkage@Export \Device\TCPIP6TUNNEL_{6179E76B-2217-4FB5-9C37-F1067E4DB369}?\Device\TCPIP6TUNNEL_{C309E933-1C2E-424C-AC63-F6172A89CF4A}?\Device\TCPIP6TUNNEL_{36A113DA-4C19-4906-8EB7-BF51FB0BD761}?\Device\TCPIP6TUNNEL_{D772DED2-D995-4DD6-8374-8053EC1225FF}?\Device\TCPIP6TUNNEL_{C49AD16D-7E3A-445D-812E-91AE9981E285}?
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\240a64e9f0c0
Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{C309E933-1C2E-424C-AC63-F6172A89CF4A}@InterfaceName isatap.{A8B38EB5-7E59-468C-9962-0B6F89E879AA}
Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{C309E933-1C2E-424C-AC63-F6172A89CF4A}@ReusableType 0
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\240a64e9f0c0 (not active ControlSet)

---- EOF - GMER 2.1 ----
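What makes a dump like this readable is the contrast between hooks every process carries and hooks only one process carries. In the log above, every 32-bit process, GMER's own f21r0z32.exe included, shows the same set of registry, module-enumeration, display and COM APIs redirected into the same 0x17385xxxx region (and the 64-bit processes into 0x7fffd670xxxx / 0x16fff0xxx), which is the signature of one shim loaded into all processes; msiexec.exe[4364] alone has ntdll!NtMapViewOfSection and ws2_32!GetAddrInfoW redirected into 0x7ef9xxxx, has a thread whose start address lies in that same region, and is the host of the Temp DLL GMER flags as suspicious, while VSSVC.exe runs from AppData\Roaming rather than System32. The following script, an added example and not part of the original post or of GMER, does that triage automatically: it parses the `.text`, `Thread`, `Process` and `Library` lines, buckets JMP targets into 64 KiB regions, treats a region hooked from a single process as the outlier, correlates thread start addresses with those regions, and applies a path policy to the flagged files. The sample log embedded in it is constructed from entries in the log above; the region size and the path policy are choices of this example, not a GMER convention.

```python
"""Triage a GMER 'User code sections' dump.

Hooks whose JMP targets share one region across every process are a
system-wide shim; a target region that appears in only one process is the
outlier to look at first. The Threads and Processes sections are then checked
against those regions and against a simple path policy.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of entries from the GMER log above, one per line.
SAMPLE_LOG = r"""
.text C:\Windows\SysWOW64\msiexec.exe[4364] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007778fc9c 5 bytes JMP 000000007ef938b1
.text C:\Windows\SysWOW64\msiexec.exe[4364] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000760c1efe 7 bytes JMP 0000000173853df0
.text C:\Windows\SysWOW64\msiexec.exe[4364] C:\Windows\syswow64\ws2_32.dll!GetAddrInfoW 00000000753b4889 5 bytes JMP 000000007ef943bd
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4836] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000760c1efe 7 bytes JMP 0000000173853df0
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[4836] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075551dd7 5 bytes JMP 0000000173853a90
.text C:\Users\Piotr\Downloads\f21r0z32.exe[1096] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000760c1efe 7 bytes JMP 0000000173853df0
.text C:\Users\Piotr\Downloads\f21r0z32.exe[1096] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075551dd7 5 bytes JMP 0000000173853a90
.text C:\Users\Piotr\Downloads\f21r0z32.exe[1096] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA + 4 0000000076f94576 1 byte [FC]
.text C:\Users\Piotr\AppData\Local\Akamai\netsession_win.exe[3128] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000753a1555 2 bytes JMP 760e68ef C:\Windows\syswow64\kernel32.dll
Thread C:\Windows\SysWOW64\msiexec.exe [4364:2772] 000000007ef9392e
Process C:\Users\Piotr\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe (*** suspicious ***) @ C:\Users\Piotr\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe [2944] (Microsoft Volume Shadow Copy Service/Microsoft Corporation)(2015-06-23 07:54:57) 0000000000400000
Library C:\Users\Piotr\AppData\Local\Temp\cdo2942387096.dll (*** suspicious ***) @ C:\Windows\SysWOW64\msiexec.exe [4364] (Microsoft CDO for Windows Library/Microsoft Corporation)(2015-06-23 19:55:31) 0000000000770000
"""

# ".text <image>[<pid>] <module>!<symbol>[ + off] <address> <n> byte(s) <patch>"
HOOK_RE = re.compile(
    r"^\.text (?P<image>.+?)\[(?P<pid>\d+)\] (?P<module>[^!\s]+)!(?P<symbol>\S+(?: \+ \d+)?) "
    r"(?P<address>[0-9a-f]+) (?P<size>\d+) bytes? (?P<patch>.+)$", re.I)
# "JMP <target>" or "CALL <target>", optionally followed by the module GMER resolved the target into
TARGET_RE = re.compile(r"^(JMP|CALL) ([0-9a-f]+)(?: (\S+))?$", re.I)
THREAD_RE = re.compile(r"^Thread (?P<image>.+?) \[(?P<pid>\d+):(?P<tid>\d+)\] (?P<address>[0-9a-f]+)$", re.I)
FLAG_RE = re.compile(
    r"^(?P<kind>Process|Library) (?P<path>.+?) \(\*\*\* suspicious \*\*\*\) @ (?P<host>.+?) "
    r"\[(?P<pid>\d+)\] \((?P<desc>[^/]*)/(?P<company>[^)]*)\)", re.I)

REGION_SHIFT = 16  # 64 KiB buckets (this example's choice): one injected blob's hooks share a region


def parse(text):
    """Split a GMER log into hook, thread and flagged-file records."""
    hooks, threads, flagged = [], [], []
    for line in text.splitlines():
        if m := HOOK_RE.match(line):
            h = m.groupdict()
            t = TARGET_RE.match(h["patch"])
            h["target"] = int(t.group(2), 16) if t else None  # None for raw byte patches such as [FC]
            h["resolved"] = t.group(3) if t else None          # module on disk the target lies in, if known
            hooks.append(h)
        elif m := THREAD_RE.match(line):
            threads.append(m.groupdict())
        elif m := FLAG_RE.match(line):
            flagged.append(m.groupdict())
    return hooks, threads, flagged


def region(addr):
    return addr >> REGION_SHIFT


def triage(text):
    """Return (kind, pid, detail) findings: outlier hooks, threads in outlier regions, path-policy hits."""
    hooks, threads, flagged = parse(text)
    pids_per_region = defaultdict(set)
    for h in hooks:
        if h["target"] is not None and h["resolved"] is None:   # skip byte patches and targets inside a known module
            pids_per_region[region(h["target"])].add(h["pid"])
    # Regions hooked from a single process are the outliers; the shared ones are the baseline shim.
    outlier_regions = {r for r, pids in pids_per_region.items() if len(pids) == 1}
    findings = []
    for h in hooks:
        if h["target"] is not None and h["resolved"] is None and region(h["target"]) in outlier_regions:
            mod = h["module"].rsplit("\\", 1)[-1]
            findings.append(("unique-hook", h["pid"], f"{mod}!{h['symbol']} -> {h['target']:#x}"))
    for t in threads:   # a thread started inside an outlier region is the injected code running
        start = int(t["address"], 16)
        if region(start) in outlier_regions:
            findings.append(("thread-in-hook-region", t["pid"], f"tid {t['tid']} start {start:#x}"))
    for f in flagged:   # version info is attacker-controlled, so compare the claim with the location
        p = f["path"].lower()
        if "microsoft" in f["company"].lower() and not p.startswith("c:\\windows\\"):
            findings.append(("vendor-path-mismatch", f["pid"], f["path"]))
        if "\\temp\\" in p:
            findings.append(("loaded-from-temp", f["pid"], f["path"]))
    return findings


if __name__ == "__main__":
    for kind, pid, detail in triage(SAMPLE_LOG):
        print(f"{kind:<24} pid {pid:<5} {detail}")
```

Run against the full log the same logic keeps the 0x17385xxxx region as baseline because it is hooked from every 32-bit process, and reports only the msiexec.exe[4364] hooks, its thread 2772, and the two flagged files. The "resolved" column matters: the PSAPI entries carry a module path after the target, meaning GMER already attributed the jump to kernel32.dll on disk, so they are excluded from the region census rather than counted as anomalies.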