GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-06-15 18:18:44
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.PB3O
Running: gmer.exe; Driver: C:\Users\Ja\AppData\Local\Temp\pxrdypoc.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0x9033EDF8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0x90966A5A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAssignProcessToJobObject [0x9033F85E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0x903442E4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0x90344330]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0x90344422]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0x90344252]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0x90344374]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0x9034429A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0x903443DC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0x9033EE44]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0x90966B34]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0x9033EAD6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0x9033EE90]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0x90341D1C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0x9033FB02]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0x9034430E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0x90344352]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0x90344446]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0x90344278]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0x903443AE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0x903442C2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0x90344400]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0x90966CA0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0x9033F9CE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0x9033EEDC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0x9033EF28]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0x9033EB46]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0x9033ECEA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0x9033EC92]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0x9033ED5A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwTerminateProcess [0x90966D60]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0x9033EF74]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwWriteVirtualMemory [0x90966BE0]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x9097CD92]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!KeInsertQueue + 2FD 830AD934 4 Bytes [F8, ED, 33, 90]
.text ntoskrnl.exe!KeInsertQueue + 321 830AD958 4 Bytes [5A, 6A, 96, 90] {POP EDX; PUSH -0x6a; NOP }
.text ntoskrnl.exe!KeInsertQueue + 381 830AD9B8 4 Bytes [5E, F8, 33, 90]
.text ntoskrnl.exe!KeInsertQueue + 3C1 830AD9F8 8 Bytes [E4, 42, 34, 90, 30, 43, 34, ...] {IN AL, 0x42; XOR AL, 0x90; XOR [EBX+0x34], AL; NOP }
.text ntoskrnl.exe!KeInsertQueue + 3CD 830ADA04 4 Bytes [22, 44, 34, 90] {AND AL, [ESP+ESI-0x70]}
.text ...
PAGE ntoskrnl.exe!ObMakeTemporaryObject 831E3E46 5 Bytes JMP 90979C8C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntoskrnl.exe!ZwReplyWaitReceivePortEx + 110 8322D54F 4 Bytes CALL 903401B5 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntoskrnl.exe!ObInsertObject 83231A1C 5 Bytes JMP 9097B74C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntoskrnl.exe!ZwAlpcSendWaitReceivePort + 121 8325B007 4 Bytes CALL 903401CB \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntoskrnl.exe!ZwCreateProcessEx 832C8EA0 7 Bytes JMP 9097CD96 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe[228] ntdll.dll!LdrLoadDll 77959378 5 Bytes JMP 001501F8
.text C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe[228] ntdll.dll!LdrUnloadDll 7796B680 5 Bytes JMP 001503FC
.text C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe[228] kernel32.dll!GetBinaryTypeW + 70 77262467 1 Byte [62]
.text C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe[228] USER32.dll!SetWindowsHookExA 77596322 5 Bytes JMP 00170600
.text C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe[228] USER32.dll!SetWindowsHookExW 775987AD 5 Bytes JMP 00170804
.text C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe[228] USER32.dll!UnhookWindowsHookEx 775998DB 5 Bytes JMP 00170A08
.text C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe[228] USER32.dll!SetWinEventHook 77599F3A 5 Bytes JMP 001701F8
.text C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe[228] USER32.dll!UnhookWinEvent 7759C06F 5 Bytes JMP 001703FC
.text C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe[228] ADVAPI32.dll!CreateServiceW 77509EB4 5 Bytes JMP 001803FC
.text C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe[228] ADVAPI32.dll!DeleteService 7750A07E 5 Bytes JMP 00180600
.text C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe[228] ADVAPI32.dll!SetServiceObjectSecurity 77546CD9 5 Bytes JMP 00181014
.text C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe[228] ADVAPI32.dll!ChangeServiceConfigA 77546DD9 5 Bytes JMP 00180804
.text C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe[228] ADVAPI32.dll!ChangeServiceConfigW 77546F81 5 Bytes JMP 00180A08
.text C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe[228] ADVAPI32.dll!ChangeServiceConfig2A 77547099 5 Bytes JMP 00180C0C
.text C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe[228] ADVAPI32.dll!ChangeServiceConfig2W 775471E1 5 Bytes JMP 00180E10
.text C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe[228] ADVAPI32.dll!CreateServiceA 775472A1 5 Bytes JMP 001801F8
.text C:\Program Files\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe[308] ntdll.dll!LdrLoadDll 77959378 5 Bytes JMP 001401F8
.text C:\Program Files\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe[308] ntdll.dll!LdrUnloadDll 7796B680 5 Bytes JMP 001403FC
.text C:\Program Files\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe[308] kernel32.dll!GetBinaryTypeW + 70 77262467 1 Byte [62]
.text C:\Program Files\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe[308] USER32.dll!SetWindowsHookExA 77596322 5 Bytes JMP 00190600
.text C:\Program Files\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe[308] USER32.dll!SetWindowsHookExW 775987AD 5 Bytes JMP 00190804
.text C:\Program Files\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe[308] USER32.dll!UnhookWindowsHookEx 775998DB 5 Bytes JMP 00190A08
.text C:\Program Files\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe[308] USER32.dll!SetWinEventHook 77599F3A 5 Bytes JMP 001901F8
.text C:\Program Files\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe[308] USER32.dll!UnhookWinEvent 7759C06F 5 Bytes JMP 001903FC
.text C:\Program Files\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe[308] ADVAPI32.dll!CreateServiceW 77509EB4 5 Bytes JMP 001A03FC
.text C:\Program Files\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe[308] ADVAPI32.dll!DeleteService 7750A07E 5 Bytes JMP 001A0600
.text C:\Program Files\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe[308] ADVAPI32.dll!SetServiceObjectSecurity 77546CD9 5 Bytes JMP 001A1014
.text C:\Program Files\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe[308] ADVAPI32.dll!ChangeServiceConfigA 77546DD9 5 Bytes JMP 001A0804
.text C:\Program Files\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe[308] ADVAPI32.dll!ChangeServiceConfigW 77546F81 5 Bytes JMP 001A0A08
.text C:\Program Files\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe[308] ADVAPI32.dll!ChangeServiceConfig2A 77547099 5 Bytes JMP 001A0C0C
.text C:\Program Files\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe[308] ADVAPI32.dll!ChangeServiceConfig2W 775471E1 5 Bytes JMP 001A0E10
.text C:\Program Files\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe[308] ADVAPI32.dll!CreateServiceA 775472A1 5 Bytes JMP 001A01F8
.text C:\Program Files\Samsung\Samsung Magic Doctor\MagicDoctorKbdHk.exe[324] ntdll.dll!LdrLoadDll 77959378 5 Bytes JMP 001501F8
.text C:\Program Files\Samsung\Samsung Magic Doctor\MagicDoctorKbdHk.exe[324] ntdll.dll!LdrUnloadDll 7796B680 5 Bytes JMP 001503FC
.text C:\Program Files\Samsung\Samsung Magic Doctor\MagicDoctorKbdHk.exe[324] kernel32.dll!GetBinaryTypeW + 70 77262467 1 Byte [62]
.text C:\Program Files\Samsung\Samsung Magic Doctor\MagicDoctorKbdHk.exe[324] USER32.dll!SetWindowsHookExA 77596322 5 Bytes JMP 00170600
.text C:\Program Files\Samsung\Samsung Magic Doctor\MagicDoctorKbdHk.exe[324] USER32.dll!SetWindowsHookExW 775987AD 5 Bytes JMP 00170804
.text C:\Program Files\Samsung\Samsung Magic Doctor\MagicDoctorKbdHk.exe[324] USER32.dll!UnhookWindowsHookEx 775998DB 5 Bytes JMP 00170A08
.text C:\Program Files\Samsung\Samsung Magic Doctor\MagicDoctorKbdHk.exe[324] USER32.dll!SetWinEventHook 77599F3A 5 Bytes JMP 001701F8
.text C:\Program Files\Samsung\Samsung Magic Doctor\MagicDoctorKbdHk.exe[324] USER32.dll!UnhookWinEvent 7759C06F 5 Bytes JMP 001703FC
.text C:\Program Files\Samsung\Samsung Magic Doctor\MagicDoctorKbdHk.exe[324] ADVAPI32.dll!CreateServiceW 77509EB4 5 Bytes JMP 001803FC
.text C:\Program Files\Samsung\Samsung Magic Doctor\MagicDoctorKbdHk.exe[324] ADVAPI32.dll!DeleteService 7750A07E 5 Bytes JMP 00180600
.text C:\Program Files\Samsung\Samsung Magic Doctor\MagicDoctorKbdHk.exe[324] ADVAPI32.dll!SetServiceObjectSecurity 77546CD9 5 Bytes JMP 00181014
.text C:\Program Files\Samsung\Samsung Magic Doctor\MagicDoctorKbdHk.exe[324] ADVAPI32.dll!ChangeServiceConfigA 77546DD9 5 Bytes JMP 00180804
.text C:\Program Files\Samsung\Samsung Magic Doctor\MagicDoctorKbdHk.exe[324] ADVAPI32.dll!ChangeServiceConfigW 77546F81 5 Bytes JMP 00180A08
.text C:\Program Files\Samsung\Samsung Magic Doctor\MagicDoctorKbdHk.exe[324] ADVAPI32.dll!ChangeServiceConfig2A 77547099 5 Bytes JMP 00180C0C
.text C:\Program Files\Samsung\Samsung Magic Doctor\MagicDoctorKbdHk.exe[324] ADVAPI32.dll!ChangeServiceConfig2W 775471E1 5 Bytes JMP 00180E10
.text C:\Program Files\Samsung\Samsung Magic Doctor\MagicDoctorKbdHk.exe[324] ADVAPI32.dll!CreateServiceA 775472A1 5 Bytes JMP 001801F8
.text C:\Program Files\Samsung\EBM\EasyBatteryMgr3.exe[528] ntdll.dll!LdrLoadDll 77959378 5 Bytes JMP 001501F8
.text C:\Program Files\Samsung\EBM\EasyBatteryMgr3.exe[528] ntdll.dll!LdrUnloadDll 7796B680 5 Bytes JMP 001503FC
.text C:\Program Files\Samsung\EBM\EasyBatteryMgr3.exe[528] kernel32.dll!GetBinaryTypeW + 70 77262467 1 Byte [62]
.text C:\Program Files\Samsung\EBM\EasyBatteryMgr3.exe[528] ADVAPI32.dll!CreateServiceW 77509EB4 5 Bytes JMP 001803FC
.text C:\Program Files\Samsung\EBM\EasyBatteryMgr3.exe[528] ADVAPI32.dll!DeleteService 7750A07E 5 Bytes JMP 00180600
.text C:\Program Files\Samsung\EBM\EasyBatteryMgr3.exe[528] ADVAPI32.dll!SetServiceObjectSecurity 77546CD9 5 Bytes JMP 00181014
.text C:\Program Files\Samsung\EBM\EasyBatteryMgr3.exe[528] ADVAPI32.dll!ChangeServiceConfigA 77546DD9 5 Bytes JMP 00180804
.text C:\Program Files\Samsung\EBM\EasyBatteryMgr3.exe[528] ADVAPI32.dll!ChangeServiceConfigW 77546F81 5 Bytes JMP 00180A08
.text C:\Program Files\Samsung\EBM\EasyBatteryMgr3.exe[528] ADVAPI32.dll!ChangeServiceConfig2A 77547099 5 Bytes JMP 00180C0C
.text C:\Program Files\Samsung\EBM\EasyBatteryMgr3.exe[528] ADVAPI32.dll!ChangeServiceConfig2W 775471E1 5 Bytes JMP 00180E10
.text C:\Program Files\Samsung\EBM\EasyBatteryMgr3.exe[528] ADVAPI32.dll!CreateServiceA 775472A1 5 Bytes JMP 001801F8
.text C:\Program Files\Samsung\EBM\EasyBatteryMgr3.exe[528] USER32.dll!SetWindowsHookExA 77596322 5 Bytes JMP 00190600
.text C:\Program Files\Samsung\EBM\EasyBatteryMgr3.exe[528] USER32.dll!SetWindowsHookExW 775987AD 5 Bytes JMP 00190804
.text C:\Program Files\Samsung\EBM\EasyBatteryMgr3.exe[528] USER32.dll!UnhookWindowsHookEx 775998DB 5 Bytes JMP 00190A08
.text C:\Program Files\Samsung\EBM\EasyBatteryMgr3.exe[528] USER32.dll!SetWinEventHook 77599F3A 5 Bytes JMP 001901F8
.text C:\Program Files\Samsung\EBM\EasyBatteryMgr3.exe[528] USER32.dll!UnhookWinEvent 7759C06F 5 Bytes JMP 001903FC
.text C:\Windows\system32\csrss.exe[576] KERNEL32.dll!GetBinaryTypeW + 70 77262467 1 Byte [62]
.text C:\Windows\system32\csrss.exe[620] KERNEL32.dll!GetBinaryTypeW + 70 77262467 1 Byte [62]
.text C:\Windows\system32\wininit.exe[628] ntdll.dll!LdrLoadDll 77959378 5 Bytes JMP 000301F8
.text C:\Windows\system32\wininit.exe[628] ntdll.dll!LdrUnloadDll 7796B680 5 Bytes JMP 000303FC
.text C:\Windows\system32\wininit.exe[628] kernel32.dll!GetBinaryTypeW + 70 77262467 1 Byte [62]
.text C:\Windows\system32\wininit.exe[628] ADVAPI32.dll!CreateServiceW 77509EB4 5 Bytes JMP 000503FC
.text C:\Windows\system32\wininit.exe[628] ADVAPI32.dll!DeleteService 7750A07E 5 Bytes JMP 00050600
.text C:\Windows\system32\wininit.exe[628] ADVAPI32.dll!SetServiceObjectSecurity 77546CD9 5 Bytes JMP 00051014
.text C:\Windows\system32\wininit.exe[628] ADVAPI32.dll!ChangeServiceConfigA 77546DD9 5 Bytes JMP 00050804
.text C:\Windows\system32\wininit.exe[628] ADVAPI32.dll!ChangeServiceConfigW 77546F81 5 Bytes JMP 00050A08
.text C:\Windows\system32\wininit.exe[628] ADVAPI32.dll!ChangeServiceConfig2A 77547099 5 Bytes JMP 00050C0C
.text C:\Windows\system32\wininit.exe[628] ADVAPI32.dll!ChangeServiceConfig2W 775471E1 5 Bytes JMP 00050E10
.text C:\Windows\system32\wininit.exe[628] ADVAPI32.dll!CreateServiceA 775472A1 5 Bytes JMP 000501F8
.text C:\Windows\system32\wininit.exe[628] USER32.dll!SetWindowsHookExA 77596322 5 Bytes JMP 00060600
.text C:\Windows\system32\wininit.exe[628] USER32.dll!SetWindowsHookExW 775987AD 5 Bytes JMP 00060804
.text C:\Windows\system32\wininit.exe[628] USER32.dll!UnhookWindowsHookEx 775998DB 5 Bytes JMP 00060A08
.text C:\Windows\system32\wininit.exe[628] USER32.dll!SetWinEventHook 77599F3A 5 Bytes JMP 000601F8
.text C:\Windows\system32\wininit.exe[628] USER32.dll!UnhookWinEvent 7759C06F 5 Bytes JMP 000603FC
.text C:\Windows\system32\winlogon.exe[676] ntdll.dll!LdrLoadDll 77959378 5 Bytes JMP 000301F8
.text C:\Windows\system32\winlogon.exe[676] ntdll.dll!LdrUnloadDll 7796B680 5 Bytes JMP 000303FC
.text C:\Windows\system32\winlogon.exe[676] kernel32.dll!GetBinaryTypeW + 70 77262467 1 Byte [62]
.text C:\Windows\system32\winlogon.exe[676] ADVAPI32.dll!CreateServiceW 77509EB4 5 Bytes JMP 000503FC
.text C:\Windows\system32\winlogon.exe[676] ADVAPI32.dll!DeleteService 7750A07E 5 Bytes JMP 00050600
.text C:\Windows\system32\winlogon.exe[676] ADVAPI32.dll!SetServiceObjectSecurity 77546CD9 5 Bytes JMP 00051014
.text C:\Windows\system32\winlogon.exe[676] ADVAPI32.dll!ChangeServiceConfigA 77546DD9 5 Bytes JMP 00050804
.text C:\Windows\system32\winlogon.exe[676] ADVAPI32.dll!ChangeServiceConfigW 77546F81 5 Bytes JMP 00050A08
.text C:\Windows\system32\winlogon.exe[676] ADVAPI32.dll!ChangeServiceConfig2A 77547099 5 Bytes JMP 00050C0C
.text C:\Windows\system32\winlogon.exe[676] ADVAPI32.dll!ChangeServiceConfig2W 775471E1 5 Bytes JMP 00050E10
.text C:\Windows\system32\winlogon.exe[676] ADVAPI32.dll!CreateServiceA 775472A1 5 Bytes JMP 000501F8
.text C:\Windows\system32\winlogon.exe[676] USER32.dll!SetWindowsHookExA 77596322 5 Bytes JMP 00060600
.text C:\Windows\system32\winlogon.exe[676] USER32.dll!SetWindowsHookExW 775987AD 5 Bytes JMP 00060804
.text C:\Windows\system32\winlogon.exe[676] USER32.dll!UnhookWindowsHookEx 775998DB 5 Bytes JMP 00060A08
.text C:\Windows\system32\winlogon.exe[676] USER32.dll!SetWinEventHook 77599F3A 5 Bytes JMP 000601F8
.text C:\Windows\system32\winlogon.exe[676] USER32.dll!UnhookWinEvent 7759C06F 5 Bytes JMP 000603FC
.text C:\Windows\system32\services.exe[708] ntdll.dll!LdrLoadDll 77959378 5 Bytes JMP 000901F8
.text C:\Windows\system32\services.exe[708] ntdll.dll!LdrUnloadDll 7796B680 5 Bytes JMP 000903FC
.text C:\Windows\system32\services.exe[708] kernel32.dll!GetBinaryTypeW + 70 77262467 1 Byte [62]
.text C:\Windows\system32\services.exe[708] ADVAPI32.dll!CreateServiceW 77509EB4 5 Bytes JMP 000B03FC
.text C:\Windows\system32\services.exe[708] ADVAPI32.dll!DeleteService 7750A07E 5 Bytes JMP 000B0600
.text C:\Windows\system32\services.exe[708] ADVAPI32.dll!SetServiceObjectSecurity 77546CD9 5 Bytes JMP 000B1014
.text C:\Windows\system32\services.exe[708] ADVAPI32.dll!ChangeServiceConfigA 77546DD9 5 Bytes JMP 000B0804
.text C:\Windows\system32\services.exe[708] ADVAPI32.dll!ChangeServiceConfigW 77546F81 5 Bytes JMP 000B0A08
.text C:\Windows\system32\services.exe[708] ADVAPI32.dll!ChangeServiceConfig2A 77547099 5 Bytes JMP 000B0C0C
.text C:\Windows\system32\services.exe[708] ADVAPI32.dll!ChangeServiceConfig2W 775471E1 5 Bytes JMP 000B0E10
.text C:\Windows\system32\services.exe[708] ADVAPI32.dll!CreateServiceA 775472A1 5 Bytes JMP 000B01F8
.text C:\Windows\system32\services.exe[708] USER32.dll!SetWindowsHookExA 77596322 5 Bytes JMP 000C0600
.text C:\Windows\system32\services.exe[708] USER32.dll!SetWindowsHookExW 775987AD 5 Bytes JMP 000C0804
.text C:\Windows\system32\services.exe[708] USER32.dll!UnhookWindowsHookEx 775998DB 5 Bytes JMP 000C0A08
.text C:\Windows\system32\services.exe[708] USER32.dll!SetWinEventHook 77599F3A 5 Bytes JMP 000C01F8
.text C:\Windows\system32\services.exe[708] USER32.dll!UnhookWinEvent 7759C06F 5 Bytes JMP 000C03FC
? C:\Windows\system32\services.exe[708] C:\Windows\system32\smss.exe image checksum mismatch; time/date stamp mismatch; unknown module: MSWSOCK.dll
.text C:\Windows\system32\lsass.exe[720] ntdll.dll!LdrLoadDll 77959378 5 Bytes JMP 000A01F8
.text C:\Windows\system32\lsass.exe[720] ntdll.dll!LdrUnloadDll 7796B680 5 Bytes JMP 000A03FC
.text C:\Windows\system32\lsass.exe[720] kernel32.dll!GetBinaryTypeW + 70 77262467 1 Byte [62]
.text C:\Windows\system32\lsass.exe[720] ADVAPI32.dll!CreateServiceW 77509EB4 5 Bytes JMP 000C03FC
.text C:\Windows\system32\lsass.exe[720] ADVAPI32.dll!DeleteService 7750A07E 5 Bytes JMP 000C0600
.text C:\Windows\system32\lsass.exe[720] ADVAPI32.dll!SetServiceObjectSecurity 77546CD9 5 Bytes JMP 000C1014
.text C:\Windows\system32\lsass.exe[720] ADVAPI32.dll!ChangeServiceConfigA 77546DD9 5 Bytes JMP 000C0804
.text C:\Windows\system32\lsass.exe[720] ADVAPI32.dll!ChangeServiceConfigW 77546F81 5 Bytes JMP 000C0A08
.text C:\Windows\system32\lsass.exe[720] ADVAPI32.dll!ChangeServiceConfig2A 77547099 5 Bytes JMP 000C0C0C
.text C:\Windows\system32\lsass.exe[720] ADVAPI32.dll!ChangeServiceConfig2W 775471E1 5 Bytes JMP 000C0E10
.text C:\Windows\system32\lsass.exe[720] ADVAPI32.dll!CreateServiceA 775472A1 5 Bytes JMP 000C01F8
.text C:\Windows\system32\lsass.exe[720] USER32.dll!SetWindowsHookExA 77596322 5 Bytes JMP 000D0600
.text C:\Windows\system32\lsass.exe[720] USER32.dll!SetWindowsHookExW 775987AD 5 Bytes JMP 000D0804
.text C:\Windows\system32\lsass.exe[720] USER32.dll!UnhookWindowsHookEx 775998DB 5 Bytes JMP 000D0A08
.text C:\Windows\system32\lsass.exe[720] USER32.dll!SetWinEventHook 77599F3A 5 Bytes JMP 000D01F8
.text C:\Windows\system32\lsass.exe[720] USER32.dll!UnhookWinEvent 7759C06F 5 Bytes JMP 000D03FC
.text C:\Windows\system32\lsm.exe[728] ntdll.dll!LdrLoadDll 77959378 5 Bytes JMP 000501F8
.text C:\Windows\system32\lsm.exe[728] ntdll.dll!LdrUnloadDll 7796B680 5 Bytes JMP 000503FC
.text C:\Windows\system32\lsm.exe[728] kernel32.dll!GetBinaryTypeW + 70 77262467 1 Byte [62]
.text C:\Windows\system32\lsm.exe[728] ADVAPI32.dll!CreateServiceW 77509EB4 5 Bytes JMP 000703FC
.text C:\Windows\system32\lsm.exe[728] ADVAPI32.dll!DeleteService 7750A07E 5 Bytes JMP 00070600
.text C:\Windows\system32\lsm.exe[728] ADVAPI32.dll!SetServiceObjectSecurity 77546CD9 5 Bytes JMP 00071014
.text C:\Windows\system32\lsm.exe[728] ADVAPI32.dll!ChangeServiceConfigA 77546DD9 5 Bytes JMP 00070804
.text C:\Windows\system32\lsm.exe[728] ADVAPI32.dll!ChangeServiceConfigW 77546F81 5 Bytes JMP 00070A08
.text C:\Windows\system32\lsm.exe[728] ADVAPI32.dll!ChangeServiceConfig2A 77547099 5 Bytes JMP 00070C0C
.text C:\Windows\system32\lsm.exe[728] ADVAPI32.dll!ChangeServiceConfig2W 775471E1 5 Bytes JMP 00070E10
.text C:\Windows\system32\lsm.exe[728] ADVAPI32.dll!CreateServiceA 775472A1 5 Bytes JMP 000701F8
.text C:\Windows\system32\svchost.exe[872] ntdll.dll!LdrLoadDll 77959378 5 Bytes JMP 000501F8
.text C:\Windows\system32\svchost.exe[872] ntdll.dll!LdrUnloadDll 7796B680 5 Bytes JMP 000503FC
.text C:\Windows\system32\svchost.exe[872] kernel32.dll!GetBinaryTypeW + 70 77262467 1 Byte [62]
.text C:\Windows\system32\svchost.exe[872] ADVAPI32.dll!CreateServiceW 77509EB4 5 Bytes JMP 000703FC
.text C:\Windows\system32\svchost.exe[872] ADVAPI32.dll!DeleteService 7750A07E 5 Bytes JMP 00070600
.text C:\Windows\system32\svchost.exe[872] ADVAPI32.dll!SetServiceObjectSecurity 77546CD9 5 Bytes JMP 00071014
.text C:\Windows\system32\svchost.exe[872] ADVAPI32.dll!ChangeServiceConfigA 77546DD9 5 Bytes JMP 00070804
.text C:\Windows\system32\svchost.exe[872] ADVAPI32.dll!ChangeServiceConfigW 77546F81 5 Bytes JMP 00070A08
.text C:\Windows\system32\svchost.exe[872] ADVAPI32.dll!ChangeServiceConfig2A 77547099 5 Bytes JMP 00070C0C
.text C:\Windows\system32\svchost.exe[872] ADVAPI32.dll!ChangeServiceConfig2W 775471E1 5 Bytes JMP 00070E10
.text C:\Windows\system32\svchost.exe[872] ADVAPI32.dll!CreateServiceA 775472A1 5 Bytes JMP 000701F8
.text C:\Windows\system32\svchost.exe[872] USER32.dll!SetWindowsHookExA 77596322 5 Bytes JMP 001E0600
.text C:\Windows\system32\svchost.exe[872] USER32.dll!SetWindowsHookExW 775987AD 5 Bytes JMP 001E0804
.text C:\Windows\system32\svchost.exe[872] USER32.dll!UnhookWindowsHookEx 775998DB 5 Bytes JMP 001E0A08
.text C:\Windows\system32\svchost.exe[872] USER32.dll!SetWinEventHook 77599F3A 5 Bytes JMP 001E01F8
.text C:\Windows\system32\svchost.exe[872] USER32.dll!UnhookWinEvent 7759C06F 5 Bytes JMP 001E03FC
.text C:\Windows\system32\svchost.exe[944] ntdll.dll!LdrLoadDll 77959378 5 Bytes JMP 000501F8
.text C:\Windows\system32\svchost.exe[944] ntdll.dll!LdrUnloadDll 7796B680 5 Bytes JMP 000503FC
.text C:\Windows\system32\svchost.exe[944] kernel32.dll!GetBinaryTypeW + 70 77262467 1 Byte [62]
.text C:\Windows\system32\svchost.exe[944] ADVAPI32.dll!CreateServiceW 77509EB4 5 Bytes JMP 000703FC
.text C:\Windows\system32\svchost.exe[944] ADVAPI32.dll!DeleteService 7750A07E 5 Bytes JMP 00070600
.text C:\Windows\system32\svchost.exe[944] ADVAPI32.dll!SetServiceObjectSecurity 77546CD9 5 Bytes JMP 00071014
.text C:\Windows\system32\svchost.exe[944] ADVAPI32.dll!ChangeServiceConfigA 77546DD9 5 Bytes JMP 00070804
.text C:\Windows\system32\svchost.exe[944] ADVAPI32.dll!ChangeServiceConfigW 77546F81 5 Bytes JMP 00070A08
.text C:\Windows\system32\svchost.exe[944] ADVAPI32.dll!ChangeServiceConfig2A 77547099 5 Bytes JMP 00070C0C
.text C:\Windows\system32\svchost.exe[944] ADVAPI32.dll!ChangeServiceConfig2W 775471E1 5 Bytes JMP 00070E10
.text C:\Windows\system32\svchost.exe[944] ADVAPI32.dll!CreateServiceA 775472A1 5 Bytes JMP 000701F8
.text C:\Windows\system32\svchost.exe[944] USER32.dll!SetWindowsHookExA 77596322 5 Bytes JMP 001E0600
.text C:\Windows\system32\svchost.exe[944] USER32.dll!SetWindowsHookExW 775987AD 5 Bytes JMP 001E0804
.text C:\Windows\system32\svchost.exe[944] USER32.dll!UnhookWindowsHookEx 775998DB 5 Bytes JMP 001E0A08
.text C:\Windows\system32\svchost.exe[944] USER32.dll!SetWinEventHook 77599F3A 5 Bytes JMP 001E01F8
.text C:\Windows\system32\svchost.exe[944] USER32.dll!UnhookWinEvent 7759C06F 5 Bytes JMP 001E03FC
.text C:\Windows\System32\svchost.exe[1020] ntdll.dll!LdrLoadDll 77959378 5 Bytes JMP 000501F8
.text C:\Windows\System32\svchost.exe[1020] ntdll.dll!LdrUnloadDll 7796B680 5 Bytes JMP 000503FC
.text C:\Windows\System32\svchost.exe[1020] kernel32.dll!GetBinaryTypeW + 70 77262467 1 Byte [62]
.text C:\Windows\System32\svchost.exe[1020] ADVAPI32.dll!CreateServiceW 77509EB4 5 Bytes JMP 000703FC
.text C:\Windows\System32\svchost.exe[1020] ADVAPI32.dll!DeleteService 7750A07E 5 Bytes JMP 00070600
.text C:\Windows\System32\svchost.exe[1020] ADVAPI32.dll!SetServiceObjectSecurity 77546CD9 5 Bytes JMP 00071014
.text C:\Windows\System32\svchost.exe[1020] ADVAPI32.dll!ChangeServiceConfigA 77546DD9 5 Bytes JMP 00070804
.text C:\Windows\System32\svchost.exe[1020] ADVAPI32.dll!ChangeServiceConfigW 77546F81 5 Bytes JMP 00070A08
.text C:\Windows\System32\svchost.exe[1020] ADVAPI32.dll!ChangeServiceConfig2A 77547099 5 Bytes JMP 00070C0C
.text C:\Windows\System32\svchost.exe[1020] ADVAPI32.dll!ChangeServiceConfig2W 775471E1 5 Bytes JMP 00070E10
.text C:\Windows\System32\svchost.exe[1020] ADVAPI32.dll!CreateServiceA 775472A1 5 Bytes JMP 000701F8
.text C:\Windows\System32\svchost.exe[1020] USER32.dll!SetWindowsHookExA 77596322 5 Bytes JMP 00130600
.text C:\Windows\System32\svchost.exe[1020] USER32.dll!SetWindowsHookExW 775987AD 5 Bytes JMP 00130804
.text C:\Windows\System32\svchost.exe[1020] USER32.dll!UnhookWindowsHookEx 775998DB 5 Bytes JMP 00130A08
.text C:\Windows\System32\svchost.exe[1020] USER32.dll!SetWinEventHook 77599F3A 5 Bytes JMP 001301F8
.text C:\Windows\System32\svchost.exe[1020] USER32.dll!UnhookWinEvent 7759C06F 5 Bytes JMP 001303FC
.text C:\Program Files\CyberLink\Shared files\RichVideo.exe[1028] ntdll.dll!LdrLoadDll 77959378 5 Bytes JMP 001501F8
.text C:\Program Files\CyberLink\Shared files\RichVideo.exe[1028] ntdll.dll!LdrUnloadDll 7796B680 5 Bytes JMP 001503FC
.text C:\Program Files\CyberLink\Shared files\RichVideo.exe[1028] kernel32.dll!GetBinaryTypeW + 70 77262467 1 Byte [62]
.text C:\Program Files\CyberLink\Shared files\RichVideo.exe[1028] USER32.dll!SetWindowsHookExA 77596322 5 Bytes JMP 00170600
.text C:\Program Files\CyberLink\Shared files\RichVideo.exe[1028] USER32.dll!SetWindowsHookExW 775987AD 5 Bytes JMP 00170804
.text C:\Program Files\CyberLink\Shared files\RichVideo.exe[1028] USER32.dll!UnhookWindowsHookEx 775998DB 5 Bytes JMP 00170A08
.text C:\Program Files\CyberLink\Shared files\RichVideo.exe[1028] USER32.dll!SetWinEventHook 77599F3A 5 Bytes JMP 001701F8
.text C:\Program Files\CyberLink\Shared files\RichVideo.exe[1028] USER32.dll!UnhookWinEvent 7759C06F 5 Bytes JMP 001703FC
.text C:\Program Files\CyberLink\Shared files\RichVideo.exe[1028] ADVAPI32.dll!CreateServiceW 77509EB4 5 Bytes JMP 001803FC
.text C:\Program Files\CyberLink\Shared files\RichVideo.exe[1028] ADVAPI32.dll!DeleteService 7750A07E 5 Bytes JMP 00180600
.text C:\Program Files\CyberLink\Shared files\RichVideo.exe[1028] ADVAPI32.dll!SetServiceObjectSecurity 77546CD9 5 Bytes JMP 00181014
.text C:\Program Files\CyberLink\Shared files\RichVideo.exe[1028] ADVAPI32.dll!ChangeServiceConfigA 77546DD9 5 Bytes JMP 00180804
.text C:\Program Files\CyberLink\Shared files\RichVideo.exe[1028] ADVAPI32.dll!ChangeServiceConfigW 77546F81 5 Bytes JMP 00180A08
.text C:\Program Files\CyberLink\Shared files\RichVideo.exe[1028] ADVAPI32.dll!ChangeServiceConfig2A 77547099 5 Bytes JMP 00180C0C
.text C:\Program Files\CyberLink\Shared files\RichVideo.exe[1028] ADVAPI32.dll!ChangeServiceConfig2W 775471E1 5 Bytes JMP 00180E10
.text C:\Program Files\CyberLink\Shared files\RichVideo.exe[1028] ADVAPI32.dll!CreateServiceA 775472A1 5 Bytes JMP 001801F8
.text C:\Windows\System32\svchost.exe[1064] ntdll.dll!LdrLoadDll 77959378 5 Bytes JMP 000501F8
.text C:\Windows\System32\svchost.exe[1064] ntdll.dll!LdrUnloadDll 7796B680 5 Bytes JMP 000503FC
.text C:\Windows\System32\svchost.exe[1064] kernel32.dll!GetBinaryTypeW + 70 77262467 1 Byte [62]
.text C:\Windows\System32\svchost.exe[1064] ADVAPI32.dll!CreateServiceW 77509EB4 5 Bytes JMP 000703FC
.text C:\Windows\System32\svchost.exe[1064] ADVAPI32.dll!DeleteService 7750A07E 5 Bytes JMP 00070600
.text C:\Windows\System32\svchost.exe[1064] ADVAPI32.dll!SetServiceObjectSecurity 77546CD9 5 Bytes JMP 00071014
.text C:\Windows\System32\svchost.exe[1064] ADVAPI32.dll!ChangeServiceConfigA 77546DD9 5 Bytes JMP 00070804
.text C:\Windows\System32\svchost.exe[1064] ADVAPI32.dll!ChangeServiceConfigW 77546F81 5 Bytes JMP 00070A08
.text C:\Windows\System32\svchost.exe[1064] ADVAPI32.dll!ChangeServiceConfig2A 77547099 5 Bytes JMP 00070C0C
.text C:\Windows\System32\svchost.exe[1064] ADVAPI32.dll!ChangeServiceConfig2W 775471E1 5 Bytes JMP 00070E10
.text C:\Windows\System32\svchost.exe[1064] ADVAPI32.dll!CreateServiceA 775472A1 5 Bytes JMP 000701F8
.text C:\Windows\System32\svchost.exe[1064] USER32.dll!SetWindowsHookExA 77596322 5 Bytes JMP 00E30600
.text C:\Windows\System32\svchost.exe[1064] USER32.dll!SetWindowsHookExW 775987AD 5 Bytes JMP 00E30804
.text C:\Windows\System32\svchost.exe[1064] USER32.dll!UnhookWindowsHookEx 775998DB 5 Bytes JMP 00E30A08
.text C:\Windows\System32\svchost.exe[1064] USER32.dll!SetWinEventHook 77599F3A 5 Bytes JMP 00E301F8
.text C:\Windows\System32\svchost.exe[1064] USER32.dll!UnhookWinEvent 7759C06F 5 Bytes JMP 00E303FC
.text C:\Windows\system32\svchost.exe[1084] ntdll.dll!LdrLoadDll 77959378 5 Bytes JMP 000501F8
.text C:\Windows\system32\svchost.exe[1084] ntdll.dll!LdrUnloadDll 7796B680 5 Bytes JMP 000503FC
.text C:\Windows\system32\svchost.exe[1084] kernel32.dll!GetBinaryTypeW + 70 77262467 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1084] ADVAPI32.dll!CreateServiceW 77509EB4 5 Bytes JMP 000703FC
.text C:\Windows\system32\svchost.exe[1084] ADVAPI32.dll!DeleteService 7750A07E 5 Bytes JMP 00070600
.text C:\Windows\system32\svchost.exe[1084] ADVAPI32.dll!SetServiceObjectSecurity 77546CD9 5 Bytes JMP 00071014
.text C:\Windows\system32\svchost.exe[1084] ADVAPI32.dll!ChangeServiceConfigA 77546DD9 5 Bytes JMP 00070804
.text C:\Windows\system32\svchost.exe[1084] ADVAPI32.dll!ChangeServiceConfigW 77546F81 5 Bytes JMP 00070A08
.text C:\Windows\system32\svchost.exe[1084] ADVAPI32.dll!ChangeServiceConfig2A 77547099 5 Bytes JMP 00070C0C
.text C:\Windows\system32\svchost.exe[1084] ADVAPI32.dll!ChangeServiceConfig2W 775471E1 5 Bytes JMP 00070E10
.text C:\Windows\system32\svchost.exe[1084] ADVAPI32.dll!CreateServiceA 775472A1 5 Bytes JMP 000701F8
.text C:\Windows\system32\svchost.exe[1084] USER32.dll!SetWindowsHookExA 77596322 5 Bytes JMP 00250600
.text C:\Windows\system32\svchost.exe[1084] USER32.dll!SetWindowsHookExW 775987AD 5 Bytes JMP 00250804
.text C:\Windows\system32\svchost.exe[1084] USER32.dll!UnhookWindowsHookEx 775998DB 5 Bytes JMP 00250A08
.text C:\Windows\system32\svchost.exe[1084] USER32.dll!SetWinEventHook 77599F3A 5 Bytes JMP 002501F8
.text C:\Windows\system32\svchost.exe[1084] USER32.dll!UnhookWinEvent 7759C06F 5 Bytes JMP 002503FC
.text C:\Windows\system32\AUDIODG.EXE[1156] kernel32.dll!GetBinaryTypeW + 70 77262467 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1180] kernel32.dll!GetBinaryTypeW + 70 77262467 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1192] ntdll.dll!LdrLoadDll 77959378 5 Bytes JMP 000501F8
.text C:\Windows\system32\svchost.exe[1192] ntdll.dll!LdrUnloadDll 7796B680 5 Bytes JMP 000503FC
.text C:\Windows\system32\svchost.exe[1192] kernel32.dll!GetBinaryTypeW + 70 77262467 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1192] ADVAPI32.dll!CreateServiceW 77509EB4 5 Bytes JMP 000703FC
.text C:\Windows\system32\svchost.exe[1192] ADVAPI32.dll!DeleteService 7750A07E 5 Bytes JMP 00070600
.text C:\Windows\system32\svchost.exe[1192] ADVAPI32.dll!SetServiceObjectSecurity 77546CD9 5 Bytes JMP 00071014
.text C:\Windows\system32\svchost.exe[1192] ADVAPI32.dll!ChangeServiceConfigA 77546DD9 5 Bytes JMP 00070804
.text C:\Windows\system32\svchost.exe[1192] ADVAPI32.dll!ChangeServiceConfigW 77546F81 5 Bytes JMP 00070A08
.text C:\Windows\system32\svchost.exe[1192] ADVAPI32.dll!ChangeServiceConfig2A 77547099 5 Bytes JMP 00070C0C
.text C:\Windows\system32\svchost.exe[1192] ADVAPI32.dll!ChangeServiceConfig2W 775471E1 5 Bytes JMP 00070E10
.text C:\Windows\system32\svchost.exe[1192] ADVAPI32.dll!CreateServiceA 775472A1 5 Bytes JMP 000701F8
.text C:\Windows\system32\svchost.exe[1312] ntdll.dll!LdrLoadDll 77959378 5 Bytes JMP 000501F8
.text C:\Windows\system32\svchost.exe[1312] ntdll.dll!LdrUnloadDll 7796B680 5 Bytes JMP 000503FC
.text C:\Windows\system32\svchost.exe[1312] kernel32.dll!GetBinaryTypeW + 70 77262467 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1312] ADVAPI32.dll!CreateServiceW 77509EB4 5 Bytes JMP 000703FC
.text C:\Windows\system32\svchost.exe[1312] ADVAPI32.dll!DeleteService 7750A07E 5 Bytes JMP 00070600
.text C:\Windows\system32\svchost.exe[1312] ADVAPI32.dll!SetServiceObjectSecurity 77546CD9 5 Bytes JMP 00071014
.text C:\Windows\system32\svchost.exe[1312] ADVAPI32.dll!ChangeServiceConfigA 77546DD9 5 Bytes JMP 00070804
.text C:\Windows\system32\svchost.exe[1312] ADVAPI32.dll!ChangeServiceConfigW 77546F81 5 Bytes JMP 00070A08
.text C:\Windows\system32\svchost.exe[1312] ADVAPI32.dll!ChangeServiceConfig2A 77547099 5 Bytes JMP 00070C0C
.text C:\Windows\system32\svchost.exe[1312] ADVAPI32.dll!ChangeServiceConfig2W 775471E1 5 Bytes JMP 00070E10
.text C:\Windows\system32\svchost.exe[1312] ADVAPI32.dll!CreateServiceA 775472A1 5 Bytes JMP 000701F8
.text C:\Windows\system32\svchost.exe[1312] USER32.dll!SetWindowsHookExA 77596322 5 Bytes JMP 00D40600
.text C:\Windows\system32\svchost.exe[1312] USER32.dll!SetWindowsHookExW 775987AD 5 Bytes JMP 00D40804
.text C:\Windows\system32\svchost.exe[1312] USER32.dll!UnhookWindowsHookEx 775998DB 5 Bytes JMP 00D40A08
.text C:\Windows\system32\svchost.exe[1312] USER32.dll!SetWinEventHook 77599F3A 5 Bytes JMP 00D401F8
.text C:\Windows\system32\svchost.exe[1312] USER32.dll!UnhookWinEvent 7759C06F 5 Bytes JMP 00D403FC
.text C:\Windows\System32\svchost.exe[1340] ntdll.dll!LdrLoadDll 77959378 5 Bytes JMP 000501F8
.text C:\Windows\System32\svchost.exe[1340] ntdll.dll!LdrUnloadDll 7796B680 5 Bytes JMP 000503FC
.text C:\Windows\System32\svchost.exe[1340] kernel32.dll!GetBinaryTypeW + 70 77262467 1 Byte [62]
.text C:\Windows\System32\svchost.exe[1340] ADVAPI32.dll!CreateServiceW 77509EB4 5 Bytes JMP 000B03FC
.text C:\Windows\System32\svchost.exe[1340] ADVAPI32.dll!DeleteService 7750A07E 5 Bytes JMP 000B0600
.text C:\Windows\System32\svchost.exe[1340] ADVAPI32.dll!SetServiceObjectSecurity 77546CD9 5 Bytes JMP 000B1014
.text C:\Windows\System32\svchost.exe[1340] ADVAPI32.dll!ChangeServiceConfigA 77546DD9 5 Bytes JMP 000B0804
.text C:\Windows\System32\svchost.exe[1340] ADVAPI32.dll!ChangeServiceConfigW 77546F81 5 Bytes JMP 000B0A08
.text C:\Windows\System32\svchost.exe[1340] ADVAPI32.dll!ChangeServiceConfig2A 77547099 5 Bytes JMP 000B0C0C
.text C:\Windows\System32\svchost.exe[1340] ADVAPI32.dll!ChangeServiceConfig2W 775471E1 5 Bytes JMP 000B0E10
.text C:\Windows\System32\svchost.exe[1340] ADVAPI32.dll!CreateServiceA 775472A1 5 Bytes JMP 000B01F8
.text C:\Windows\system32\svchost.exe[1424] ntdll.dll!LdrLoadDll 77959378 5 Bytes JMP 000501F8
.text C:\Windows\system32\svchost.exe[1424] ntdll.dll!LdrUnloadDll 7796B680 5 Bytes JMP 000503FC
.text C:\Windows\system32\svchost.exe[1424] kernel32.dll!GetBinaryTypeW + 70 77262467 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1424] ADVAPI32.dll!CreateServiceW 77509EB4 5 Bytes JMP 000703FC
.text C:\Windows\system32\svchost.exe[1424] ADVAPI32.dll!DeleteService 7750A07E 5 Bytes JMP 00070600
.text C:\Windows\system32\svchost.exe[1424] ADVAPI32.dll!SetServiceObjectSecurity 77546CD9 5 Bytes JMP 00071014
.text C:\Windows\system32\svchost.exe[1424] ADVAPI32.dll!ChangeServiceConfigA 77546DD9 5 Bytes
JMP 00070804 .text C:\Windows\system32\svchost.exe[1424] ADVAPI32.dll!ChangeServiceConfigW 77546F81 5 Bytes JMP 00070A08 .text C:\Windows\system32\svchost.exe[1424] ADVAPI32.dll!ChangeServiceConfig2A 77547099 5 Bytes JMP 00070C0C .text C:\Windows\system32\svchost.exe[1424] ADVAPI32.dll!ChangeServiceConfig2W 775471E1 5 Bytes JMP 00070E10 .text C:\Windows\system32\svchost.exe[1424] ADVAPI32.dll!CreateServiceA 775472A1 5 Bytes JMP 000701F8 .text C:\Windows\system32\svchost.exe[1424] USER32.dll!SetWindowsHookExA 77596322 5 Bytes JMP 000C0600 .text C:\Windows\system32\svchost.exe[1424] USER32.dll!SetWindowsHookExW 775987AD 5 Bytes JMP 000C0804 .text C:\Windows\system32\svchost.exe[1424] USER32.dll!UnhookWindowsHookEx 775998DB 5 Bytes JMP 000C0A08 .text C:\Windows\system32\svchost.exe[1424] USER32.dll!SetWinEventHook 77599F3A 5 Bytes JMP 000C01F8 .text C:\Windows\system32\svchost.exe[1424] USER32.dll!UnhookWinEvent 7759C06F 5 Bytes JMP 000C03FC .text C:\Windows\system32\Dwm.exe[1692] ntdll.dll!LdrLoadDll 77959378 5 Bytes JMP 000501F8 .text C:\Windows\system32\Dwm.exe[1692] ntdll.dll!LdrUnloadDll 7796B680 5 Bytes JMP 000503FC .text C:\Windows\system32\Dwm.exe[1692] kernel32.dll!GetBinaryTypeW + 70 77262467 1 Byte [62] .text C:\Windows\system32\Dwm.exe[1692] ADVAPI32.dll!CreateServiceW 77509EB4 5 Bytes JMP 000703FC .text C:\Windows\system32\Dwm.exe[1692] ADVAPI32.dll!DeleteService 7750A07E 5 Bytes JMP 00070600 .text C:\Windows\system32\Dwm.exe[1692] ADVAPI32.dll!SetServiceObjectSecurity 77546CD9 5 Bytes JMP 00071014 .text C:\Windows\system32\Dwm.exe[1692] ADVAPI32.dll!ChangeServiceConfigA 77546DD9 5 Bytes JMP 00070804 .text C:\Windows\system32\Dwm.exe[1692] ADVAPI32.dll!ChangeServiceConfigW 77546F81 5 Bytes JMP 00070A08 .text C:\Windows\system32\Dwm.exe[1692] ADVAPI32.dll!ChangeServiceConfig2A 77547099 5 Bytes JMP 00070C0C .text C:\Windows\system32\Dwm.exe[1692] ADVAPI32.dll!ChangeServiceConfig2W 775471E1 5 Bytes JMP 00070E10 .text C:\Windows\system32\Dwm.exe[1692] 
ADVAPI32.dll!CreateServiceA 775472A1 5 Bytes JMP 000701F8 .text C:\Windows\system32\Dwm.exe[1692] USER32.dll!SetWindowsHookExA 77596322 5 Bytes JMP 00090600 .text C:\Windows\system32\Dwm.exe[1692] USER32.dll!SetWindowsHookExW 775987AD 5 Bytes JMP 00090804 .text C:\Windows\system32\Dwm.exe[1692] USER32.dll!UnhookWindowsHookEx 775998DB 5 Bytes JMP 00090A08 .text C:\Windows\system32\Dwm.exe[1692] USER32.dll!SetWinEventHook 77599F3A 5 Bytes JMP 000901F8 .text C:\Windows\system32\Dwm.exe[1692] USER32.dll!UnhookWinEvent 7759C06F 5 Bytes JMP 000903FC .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1700] kernel32.dll!SetUnhandledExceptionFilter 7723A8C5 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP } .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1700] kernel32.dll!GetBinaryTypeW + 70 77262467 1 Byte [62] .text C:\Windows\Explorer.EXE[1720] ntdll.dll!LdrLoadDll 77959378 5 Bytes JMP 000501F8 .text C:\Windows\Explorer.EXE[1720] ntdll.dll!LdrUnloadDll 7796B680 5 Bytes JMP 000503FC .text C:\Windows\Explorer.EXE[1720] kernel32.dll!GetBinaryTypeW + 70 77262467 1 Byte [62] .text C:\Windows\Explorer.EXE[1720] ADVAPI32.dll!CreateServiceW 77509EB4 5 Bytes JMP 000803FC .text C:\Windows\Explorer.EXE[1720] ADVAPI32.dll!DeleteService 7750A07E 5 Bytes JMP 00080600 .text C:\Windows\Explorer.EXE[1720] ADVAPI32.dll!SetServiceObjectSecurity 77546CD9 5 Bytes JMP 00081014 .text C:\Windows\Explorer.EXE[1720] ADVAPI32.dll!ChangeServiceConfigA 77546DD9 5 Bytes JMP 00080804 .text C:\Windows\Explorer.EXE[1720] ADVAPI32.dll!ChangeServiceConfigW 77546F81 5 Bytes JMP 00080A08 .text C:\Windows\Explorer.EXE[1720] ADVAPI32.dll!ChangeServiceConfig2A 77547099 5 Bytes JMP 00080C0C .text C:\Windows\Explorer.EXE[1720] ADVAPI32.dll!ChangeServiceConfig2W 775471E1 5 Bytes JMP 00080E10 .text C:\Windows\Explorer.EXE[1720] ADVAPI32.dll!CreateServiceA 775472A1 5 Bytes JMP 000801F8 .text C:\Windows\Explorer.EXE[1720] USER32.dll!SetWindowsHookExA 77596322 5 Bytes JMP 00090600 .text 
C:\Windows\Explorer.EXE[1720] USER32.dll!SetWindowsHookExW 775987AD 5 Bytes JMP 00090804 .text C:\Windows\Explorer.EXE[1720] USER32.dll!UnhookWindowsHookEx 775998DB 5 Bytes JMP 00090A08 .text C:\Windows\Explorer.EXE[1720] USER32.dll!SetWinEventHook 77599F3A 5 Bytes JMP 000901F8 .text C:\Windows\Explorer.EXE[1720] USER32.dll!UnhookWinEvent 7759C06F 5 Bytes JMP 000903FC .text C:\Windows\System32\spoolsv.exe[1836] ntdll.dll!LdrLoadDll 77959378 5 Bytes JMP 000901F8 .text C:\Windows\System32\spoolsv.exe[1836] ntdll.dll!LdrUnloadDll 7796B680 5 Bytes JMP 000903FC .text C:\Windows\System32\spoolsv.exe[1836] kernel32.dll!GetBinaryTypeW + 70 77262467 1 Byte [62] .text C:\Windows\System32\spoolsv.exe[1836] ADVAPI32.dll!CreateServiceW 77509EB4 5 Bytes JMP 000B03FC .text C:\Windows\System32\spoolsv.exe[1836] ADVAPI32.dll!DeleteService 7750A07E 5 Bytes JMP 000B0600 .text C:\Windows\System32\spoolsv.exe[1836] ADVAPI32.dll!SetServiceObjectSecurity 77546CD9 5 Bytes JMP 000B1014 .text C:\Windows\System32\spoolsv.exe[1836] ADVAPI32.dll!ChangeServiceConfigA 77546DD9 5 Bytes JMP 000B0804 .text C:\Windows\System32\spoolsv.exe[1836] ADVAPI32.dll!ChangeServiceConfigW 77546F81 5 Bytes JMP 000B0A08 .text C:\Windows\System32\spoolsv.exe[1836] ADVAPI32.dll!ChangeServiceConfig2A 77547099 5 Bytes JMP 000B0C0C .text C:\Windows\System32\spoolsv.exe[1836] ADVAPI32.dll!ChangeServiceConfig2W 775471E1 5 Bytes JMP 000B0E10 .text C:\Windows\System32\spoolsv.exe[1836] ADVAPI32.dll!CreateServiceA 775472A1 5 Bytes JMP 000B01F8 .text C:\Windows\System32\spoolsv.exe[1836] USER32.dll!SetWindowsHookExA 77596322 5 Bytes JMP 00910600 .text C:\Windows\System32\spoolsv.exe[1836] USER32.dll!SetWindowsHookExW 775987AD 5 Bytes JMP 00910804 .text C:\Windows\System32\spoolsv.exe[1836] USER32.dll!UnhookWindowsHookEx 775998DB 5 Bytes JMP 00910A08 .text C:\Windows\System32\spoolsv.exe[1836] USER32.dll!SetWinEventHook 77599F3A 5 Bytes JMP 009101F8 .text C:\Windows\System32\spoolsv.exe[1836] USER32.dll!UnhookWinEvent 
7759C06F 5 Bytes JMP 009103FC .text C:\Windows\system32\taskeng.exe[1908] ntdll.dll!LdrLoadDll 77959378 5 Bytes JMP 000501F8 .text C:\Windows\system32\taskeng.exe[1908] ntdll.dll!LdrUnloadDll 7796B680 5 Bytes JMP 000503FC .text C:\Windows\system32\taskeng.exe[1908] kernel32.dll!GetBinaryTypeW + 70 77262467 1 Byte [62] .text C:\Windows\system32\taskeng.exe[1908] ADVAPI32.dll!CreateServiceW 77509EB4 5 Bytes JMP 000703FC .text C:\Windows\system32\taskeng.exe[1908] ADVAPI32.dll!DeleteService 7750A07E 5 Bytes JMP 00070600 .text C:\Windows\system32\taskeng.exe[1908] ADVAPI32.dll!SetServiceObjectSecurity 77546CD9 5 Bytes JMP 00071014 .text C:\Windows\system32\taskeng.exe[1908] ADVAPI32.dll!ChangeServiceConfigA 77546DD9 5 Bytes JMP 00070804 .text C:\Windows\system32\taskeng.exe[1908] ADVAPI32.dll!ChangeServiceConfigW 77546F81 5 Bytes JMP 00070A08 .text C:\Windows\system32\taskeng.exe[1908] ADVAPI32.dll!ChangeServiceConfig2A 77547099 5 Bytes JMP 00070C0C .text C:\Windows\system32\taskeng.exe[1908] ADVAPI32.dll!ChangeServiceConfig2W 775471E1 5 Bytes JMP 00070E10 .text C:\Windows\system32\taskeng.exe[1908] ADVAPI32.dll!CreateServiceA 775472A1 5 Bytes JMP 000701F8 .text C:\Windows\system32\taskeng.exe[1908] USER32.dll!SetWindowsHookExA 77596322 5 Bytes JMP 00080600 .text C:\Windows\system32\taskeng.exe[1908] USER32.dll!SetWindowsHookExW 775987AD 5 Bytes JMP 00080804 .text C:\Windows\system32\taskeng.exe[1908] USER32.dll!UnhookWindowsHookEx 775998DB 5 Bytes JMP 00080A08 .text C:\Windows\system32\taskeng.exe[1908] USER32.dll!SetWinEventHook 77599F3A 5 Bytes JMP 000801F8 .text C:\Windows\system32\taskeng.exe[1908] USER32.dll!UnhookWinEvent 7759C06F 5 Bytes JMP 000803FC .text C:\Windows\system32\taskeng.exe[1992] ntdll.dll!LdrLoadDll 77959378 5 Bytes JMP 000501F8 .text C:\Windows\system32\taskeng.exe[1992] ntdll.dll!LdrUnloadDll 7796B680 5 Bytes JMP 000503FC .text C:\Windows\system32\taskeng.exe[1992] kernel32.dll!GetBinaryTypeW + 70 77262467 1 Byte [62] .text 
C:\Windows\system32\taskeng.exe[1992] ADVAPI32.dll!CreateServiceW 77509EB4 5 Bytes JMP 000703FC .text C:\Windows\system32\taskeng.exe[1992] ADVAPI32.dll!DeleteService 7750A07E 5 Bytes JMP 00070600 .text C:\Windows\system32\taskeng.exe[1992] ADVAPI32.dll!SetServiceObjectSecurity 77546CD9 5 Bytes JMP 00071014 .text C:\Windows\system32\taskeng.exe[1992] ADVAPI32.dll!ChangeServiceConfigA 77546DD9 5 Bytes JMP 00070804 .text C:\Windows\system32\taskeng.exe[1992] ADVAPI32.dll!ChangeServiceConfigW 77546F81 5 Bytes JMP 00070A08 .text C:\Windows\system32\taskeng.exe[1992] ADVAPI32.dll!ChangeServiceConfig2A 77547099 5 Bytes JMP 00070C0C .text C:\Windows\system32\taskeng.exe[1992] ADVAPI32.dll!ChangeServiceConfig2W 775471E1 5 Bytes JMP 00070E10 .text C:\Windows\system32\taskeng.exe[1992] ADVAPI32.dll!CreateServiceA 775472A1 5 Bytes JMP 000701F8 .text C:\Windows\system32\taskeng.exe[1992] USER32.dll!SetWindowsHookExA 77596322 5 Bytes JMP 00080600 .text C:\Windows\system32\taskeng.exe[1992] USER32.dll!SetWindowsHookExW 775987AD 5 Bytes JMP 00080804 .text C:\Windows\system32\taskeng.exe[1992] USER32.dll!UnhookWindowsHookEx 775998DB 5 Bytes JMP 00080A08 .text C:\Windows\system32\taskeng.exe[1992] USER32.dll!SetWinEventHook 77599F3A 5 Bytes JMP 000801F8 .text C:\Windows\system32\taskeng.exe[1992] USER32.dll!UnhookWinEvent 7759C06F 5 Bytes JMP 000803FC .text C:\Windows\system32\svchost.exe[2092] ntdll.dll!LdrLoadDll 77959378 5 Bytes JMP 000501F8 .text C:\Windows\system32\svchost.exe[2092] ntdll.dll!LdrUnloadDll 7796B680 5 Bytes JMP 000503FC .text C:\Windows\system32\svchost.exe[2092] kernel32.dll!GetBinaryTypeW + 70 77262467 1 Byte [62] .text C:\Windows\system32\svchost.exe[2092] ADVAPI32.dll!CreateServiceW 77509EB4 5 Bytes JMP 000B03FC .text C:\Windows\system32\svchost.exe[2092] ADVAPI32.dll!DeleteService 7750A07E 5 Bytes JMP 000B0600 .text C:\Windows\system32\svchost.exe[2092] ADVAPI32.dll!SetServiceObjectSecurity 77546CD9 5 Bytes JMP 000B1014 .text 
C:\Windows\system32\svchost.exe[2092] ADVAPI32.dll!ChangeServiceConfigA 77546DD9 5 Bytes JMP 000B0804 .text C:\Windows\system32\svchost.exe[2092] ADVAPI32.dll!ChangeServiceConfigW 77546F81 5 Bytes JMP 000B0A08 .text C:\Windows\system32\svchost.exe[2092] ADVAPI32.dll!ChangeServiceConfig2A 77547099 5 Bytes JMP 000B0C0C .text C:\Windows\system32\svchost.exe[2092] ADVAPI32.dll!ChangeServiceConfig2W 775471E1 5 Bytes JMP 000B0E10 .text C:\Windows\system32\svchost.exe[2092] ADVAPI32.dll!CreateServiceA 775472A1 5 Bytes JMP 000B01F8 .text C:\Windows\System32\svchost.exe[2140] ntdll.dll!LdrLoadDll 77959378 5 Bytes JMP 000501F8 .text C:\Windows\System32\svchost.exe[2140] ntdll.dll!LdrUnloadDll 7796B680 5 Bytes JMP 000503FC .text C:\Windows\System32\svchost.exe[2140] kernel32.dll!GetBinaryTypeW + 70 77262467 1 Byte [62] .text C:\Windows\System32\svchost.exe[2140] ADVAPI32.dll!CreateServiceW 77509EB4 5 Bytes JMP 000703FC .text C:\Windows\System32\svchost.exe[2140] ADVAPI32.dll!DeleteService 7750A07E 5 Bytes JMP 00070600 .text C:\Windows\System32\svchost.exe[2140] ADVAPI32.dll!SetServiceObjectSecurity 77546CD9 5 Bytes JMP 00071014 .text C:\Windows\System32\svchost.exe[2140] ADVAPI32.dll!ChangeServiceConfigA 77546DD9 5 Bytes JMP 00070804 .text C:\Windows\System32\svchost.exe[2140] ADVAPI32.dll!ChangeServiceConfigW 77546F81 5 Bytes JMP 00070A08 .text C:\Windows\System32\svchost.exe[2140] ADVAPI32.dll!ChangeServiceConfig2A 77547099 5 Bytes JMP 00070C0C .text C:\Windows\System32\svchost.exe[2140] ADVAPI32.dll!ChangeServiceConfig2W 775471E1 5 Bytes JMP 00070E10 .text C:\Windows\System32\svchost.exe[2140] ADVAPI32.dll!CreateServiceA 775472A1 5 Bytes JMP 000701F8 .text C:\Windows\system32\SearchIndexer.exe[2176] ntdll.dll!LdrLoadDll 77959378 5 Bytes JMP 000501F8 .text C:\Windows\system32\SearchIndexer.exe[2176] ntdll.dll!LdrUnloadDll 7796B680 5 Bytes JMP 000503FC .text C:\Windows\system32\SearchIndexer.exe[2176] kernel32.dll!GetBinaryTypeW + 70 77262467 1 Byte [62] .text 
C:\Windows\system32\SearchIndexer.exe[2176] ADVAPI32.dll!CreateServiceW 77509EB4 5 Bytes JMP 000703FC .text C:\Windows\system32\SearchIndexer.exe[2176] ADVAPI32.dll!DeleteService 7750A07E 5 Bytes JMP 00070600 .text C:\Windows\system32\SearchIndexer.exe[2176] ADVAPI32.dll!SetServiceObjectSecurity 77546CD9 5 Bytes JMP 00071014 .text C:\Windows\system32\SearchIndexer.exe[2176] ADVAPI32.dll!ChangeServiceConfigA 77546DD9 5 Bytes JMP 00070804 .text C:\Windows\system32\SearchIndexer.exe[2176] ADVAPI32.dll!ChangeServiceConfigW 77546F81 5 Bytes JMP 00070A08 .text C:\Windows\system32\SearchIndexer.exe[2176] ADVAPI32.dll!ChangeServiceConfig2A 77547099 5 Bytes JMP 00070C0C .text C:\Windows\system32\SearchIndexer.exe[2176] ADVAPI32.dll!ChangeServiceConfig2W 775471E1 5 Bytes JMP 00070E10 .text C:\Windows\system32\SearchIndexer.exe[2176] ADVAPI32.dll!CreateServiceA 775472A1 5 Bytes JMP 000701F8 .text C:\Windows\system32\SearchIndexer.exe[2176] USER32.dll!SetWindowsHookExA 77596322 5 Bytes JMP 00080600 .text C:\Windows\system32\SearchIndexer.exe[2176] USER32.dll!SetWindowsHookExW 775987AD 5 Bytes JMP 00080804 .text C:\Windows\system32\SearchIndexer.exe[2176] USER32.dll!UnhookWindowsHookEx 775998DB 5 Bytes JMP 00080A08 .text C:\Windows\system32\SearchIndexer.exe[2176] USER32.dll!SetWinEventHook 77599F3A 5 Bytes JMP 000801F8 .text C:\Windows\system32\SearchIndexer.exe[2176] USER32.dll!UnhookWinEvent 7759C06F 5 Bytes JMP 000803FC .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2572] ntdll.dll!LdrLoadDll 77959378 5 Bytes JMP 001501F8 .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2572] ntdll.dll!LdrUnloadDll 7796B680 5 Bytes JMP 001503FC .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2572] kernel32.dll!GetBinaryTypeW + 70 77262467 1 Byte [62] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2572] ADVAPI32.dll!CreateServiceW 77509EB4 5 Bytes JMP 001803FC .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2572] ADVAPI32.dll!DeleteService 7750A07E 5 Bytes JMP 
00180600 .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2572] ADVAPI32.dll!SetServiceObjectSecurity 77546CD9 5 Bytes JMP 00181014 .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2572] ADVAPI32.dll!ChangeServiceConfigA 77546DD9 5 Bytes JMP 00180804 .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2572] ADVAPI32.dll!ChangeServiceConfigW 77546F81 5 Bytes JMP 00180A08 .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2572] ADVAPI32.dll!ChangeServiceConfig2A 77547099 5 Bytes JMP 00180C0C .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2572] ADVAPI32.dll!ChangeServiceConfig2W 775471E1 5 Bytes JMP 00180E10 .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2572] ADVAPI32.dll!CreateServiceA 775472A1 5 Bytes JMP 001801F8 .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2572] USER32.dll!SetWindowsHookExA 77596322 5 Bytes JMP 00190600 .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2572] USER32.dll!SetWindowsHookExW 775987AD 5 Bytes JMP 00190804 .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2572] USER32.dll!UnhookWindowsHookEx 775998DB 5 Bytes JMP 00190A08 .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2572] USER32.dll!SetWinEventHook 77599F3A 5 Bytes JMP 001901F8 .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2572] USER32.dll!UnhookWinEvent 7759C06F 5 Bytes JMP 001903FC .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2624] ntdll.dll!LdrLoadDll 77959378 5 Bytes JMP 001501F8 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2624] ntdll.dll!LdrUnloadDll 7796B680 5 Bytes JMP 001503FC .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2624] kernel32.dll!GetBinaryTypeW + 70 77262467 1 Byte [62] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2624] USER32.dll!SetWindowsHookExA 77596322 5 Bytes JMP 00170600 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2624] USER32.dll!SetWindowsHookExW 775987AD 5 Bytes JMP 00170804 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2624] 
USER32.dll!UnhookWindowsHookEx 775998DB 5 Bytes JMP 00170A08 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2624] USER32.dll!SetWinEventHook 77599F3A 5 Bytes JMP 001701F8 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2624] USER32.dll!UnhookWinEvent 7759C06F 5 Bytes JMP 001703FC .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2624] ADVAPI32.dll!CreateServiceW 77509EB4 5 Bytes JMP 001803FC .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2624] ADVAPI32.dll!DeleteService 7750A07E 5 Bytes JMP 00180600 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2624] ADVAPI32.dll!SetServiceObjectSecurity 77546CD9 5 Bytes JMP 00181014 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2624] ADVAPI32.dll!ChangeServiceConfigA 77546DD9 5 Bytes JMP 00180804 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2624] ADVAPI32.dll!ChangeServiceConfigW 77546F81 5 Bytes JMP 00180A08 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2624] ADVAPI32.dll!ChangeServiceConfig2A 77547099 5 Bytes JMP 00180C0C .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2624] ADVAPI32.dll!ChangeServiceConfig2W 775471E1 5 Bytes JMP 00180E10 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2624] ADVAPI32.dll!CreateServiceA 775472A1 5 Bytes JMP 001801F8 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2656] ntdll.dll!LdrLoadDll 77959378 5 Bytes JMP 001401F8 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2656] ntdll.dll!LdrUnloadDll 7796B680 5 Bytes JMP 001403FC .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2656] kernel32.dll!GetBinaryTypeW + 70 77262467 1 Byte [62] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2656] USER32.dll!SetWindowsHookExA 77596322 5 Bytes JMP 00160600 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2656] USER32.dll!SetWindowsHookExW 775987AD 5 Bytes JMP 00160804 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2656] USER32.dll!UnhookWindowsHookEx 775998DB 5 Bytes JMP 00160A08 .text C:\Program 
Files\Synaptics\SynTP\SynTPEnh.exe[2656] USER32.dll!SetWinEventHook 77599F3A 5 Bytes JMP 001601F8 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2656] USER32.dll!UnhookWinEvent 7759C06F 5 Bytes JMP 001603FC .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2656] ADVAPI32.dll!CreateServiceW 77509EB4 5 Bytes JMP 001703FC .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2656] ADVAPI32.dll!DeleteService 7750A07E 5 Bytes JMP 00170600 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2656] ADVAPI32.dll!SetServiceObjectSecurity 77546CD9 5 Bytes JMP 00171014 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2656] ADVAPI32.dll!ChangeServiceConfigA 77546DD9 5 Bytes JMP 00170804 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2656] ADVAPI32.dll!ChangeServiceConfigW 77546F81 5 Bytes JMP 00170A08 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2656] ADVAPI32.dll!ChangeServiceConfig2A 77547099 5 Bytes JMP 00170C0C .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2656] ADVAPI32.dll!ChangeServiceConfig2W 775471E1 5 Bytes JMP 00170E10 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2656] ADVAPI32.dll!CreateServiceA 775472A1 5 Bytes JMP 001701F8 .text C:\Windows\system32\igfxsrvc.exe[2748] ntdll.dll!LdrLoadDll 77959378 5 Bytes JMP 001501F8 .text C:\Windows\system32\igfxsrvc.exe[2748] ntdll.dll!LdrUnloadDll 7796B680 5 Bytes JMP 001503FC .text C:\Windows\system32\igfxsrvc.exe[2748] kernel32.dll!GetBinaryTypeW + 70 77262467 1 Byte [62] .text C:\Windows\system32\igfxsrvc.exe[2748] USER32.dll!SetWindowsHookExA 77596322 5 Bytes JMP 00170600 .text C:\Windows\system32\igfxsrvc.exe[2748] USER32.dll!SetWindowsHookExW 775987AD 5 Bytes JMP 00170804 .text C:\Windows\system32\igfxsrvc.exe[2748] USER32.dll!UnhookWindowsHookEx 775998DB 5 Bytes JMP 00170A08 .text C:\Windows\system32\igfxsrvc.exe[2748] USER32.dll!SetWinEventHook 77599F3A 5 Bytes JMP 001701F8 .text C:\Windows\system32\igfxsrvc.exe[2748] USER32.dll!UnhookWinEvent 7759C06F 5 Bytes JMP 001703FC .text 
C:\Windows\system32\igfxsrvc.exe[2748] ADVAPI32.dll!CreateServiceW 77509EB4 5 Bytes JMP 001803FC .text C:\Windows\system32\igfxsrvc.exe[2748] ADVAPI32.dll!DeleteService 7750A07E 5 Bytes JMP 00180600 .text C:\Windows\system32\igfxsrvc.exe[2748] ADVAPI32.dll!SetServiceObjectSecurity 77546CD9 5 Bytes JMP 00181014 .text C:\Windows\system32\igfxsrvc.exe[2748] ADVAPI32.dll!ChangeServiceConfigA 77546DD9 5 Bytes JMP 00180804 .text C:\Windows\system32\igfxsrvc.exe[2748] ADVAPI32.dll!ChangeServiceConfigW 77546F81 5 Bytes JMP 00180A08 .text C:\Windows\system32\igfxsrvc.exe[2748] ADVAPI32.dll!ChangeServiceConfig2A 77547099 5 Bytes JMP 00180C0C .text C:\Windows\system32\igfxsrvc.exe[2748] ADVAPI32.dll!ChangeServiceConfig2W 775471E1 5 Bytes JMP 00180E10 .text C:\Windows\system32\igfxsrvc.exe[2748] ADVAPI32.dll!CreateServiceA 775472A1 5 Bytes JMP 001801F8 .text C:\Windows\System32\hkcmd.exe[2956] ntdll.dll!LdrLoadDll 77959378 5 Bytes JMP 001501F8 .text C:\Windows\System32\hkcmd.exe[2956] ntdll.dll!LdrUnloadDll 7796B680 5 Bytes JMP 001503FC .text C:\Windows\System32\hkcmd.exe[2956] kernel32.dll!GetBinaryTypeW + 70 77262467 1 Byte [62] .text C:\Windows\System32\hkcmd.exe[2956] USER32.dll!SetWindowsHookExA 77596322 5 Bytes JMP 00180600 .text C:\Windows\System32\hkcmd.exe[2956] USER32.dll!SetWindowsHookExW 775987AD 5 Bytes JMP 00180804 .text C:\Windows\System32\hkcmd.exe[2956] USER32.dll!UnhookWindowsHookEx 775998DB 5 Bytes JMP 00180A08 .text C:\Windows\System32\hkcmd.exe[2956] USER32.dll!SetWinEventHook 77599F3A 5 Bytes JMP 001801F8 .text C:\Windows\System32\hkcmd.exe[2956] USER32.dll!UnhookWinEvent 7759C06F 5 Bytes JMP 001803FC .text C:\Windows\System32\hkcmd.exe[2956] ADVAPI32.dll!CreateServiceW 77509EB4 5 Bytes JMP 001903FC .text C:\Windows\System32\hkcmd.exe[2956] ADVAPI32.dll!DeleteService 7750A07E 5 Bytes JMP 00190600 .text C:\Windows\System32\hkcmd.exe[2956] ADVAPI32.dll!SetServiceObjectSecurity 77546CD9 5 Bytes JMP 00191014 .text C:\Windows\System32\hkcmd.exe[2956] 
ADVAPI32.dll!ChangeServiceConfigA 77546DD9 5 Bytes JMP 00190804 .text C:\Windows\System32\hkcmd.exe[2956] ADVAPI32.dll!ChangeServiceConfigW 77546F81 5 Bytes JMP 00190A08 .text C:\Windows\System32\hkcmd.exe[2956] ADVAPI32.dll!ChangeServiceConfig2A 77547099 5 Bytes JMP 00190C0C .text C:\Windows\System32\hkcmd.exe[2956] ADVAPI32.dll!ChangeServiceConfig2W 775471E1 5 Bytes JMP 00190E10 .text C:\Windows\System32\hkcmd.exe[2956] ADVAPI32.dll!CreateServiceA 775472A1 5 Bytes JMP 001901F8 .text C:\Windows\System32\igfxpers.exe[2964] ntdll.dll!LdrLoadDll 77959378 5 Bytes JMP 001501F8 .text C:\Windows\System32\igfxpers.exe[2964] ntdll.dll!LdrUnloadDll 7796B680 5 Bytes JMP 001503FC .text C:\Windows\System32\igfxpers.exe[2964] kernel32.dll!GetBinaryTypeW + 70 77262467 1 Byte [62] .text C:\Windows\System32\igfxpers.exe[2964] USER32.dll!SetWindowsHookExA 77596322 5 Bytes JMP 00180600 .text C:\Windows\System32\igfxpers.exe[2964] USER32.dll!SetWindowsHookExW 775987AD 5 Bytes JMP 00180804 .text C:\Windows\System32\igfxpers.exe[2964] USER32.dll!UnhookWindowsHookEx 775998DB 5 Bytes JMP 00180A08 .text C:\Windows\System32\igfxpers.exe[2964] USER32.dll!SetWinEventHook 77599F3A 5 Bytes JMP 001801F8 .text C:\Windows\System32\igfxpers.exe[2964] USER32.dll!UnhookWinEvent 7759C06F 5 Bytes JMP 001803FC .text C:\Windows\System32\igfxpers.exe[2964] ADVAPI32.dll!CreateServiceW 77509EB4 5 Bytes JMP 001903FC .text C:\Windows\System32\igfxpers.exe[2964] ADVAPI32.dll!DeleteService 7750A07E 5 Bytes JMP 00190600 .text C:\Windows\System32\igfxpers.exe[2964] ADVAPI32.dll!SetServiceObjectSecurity 77546CD9 5 Bytes JMP 00191014 .text C:\Windows\System32\igfxpers.exe[2964] ADVAPI32.dll!ChangeServiceConfigA 77546DD9 5 Bytes JMP 00190804 .text C:\Windows\System32\igfxpers.exe[2964] ADVAPI32.dll!ChangeServiceConfigW 77546F81 5 Bytes JMP 00190A08 .text C:\Windows\System32\igfxpers.exe[2964] ADVAPI32.dll!ChangeServiceConfig2A 77547099 5 Bytes JMP 00190C0C .text C:\Windows\System32\igfxpers.exe[2964] 
ADVAPI32.dll!ChangeServiceConfig2W 775471E1 5 Bytes JMP 00190E10 .text C:\Windows\System32\igfxpers.exe[2964] ADVAPI32.dll!CreateServiceA 775472A1 5 Bytes JMP 001901F8 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2972] kernel32.dll!GetBinaryTypeW + 70 77262467 1 Byte [62] .text C:\Program Files\Windows Media Player\wmpnscfg.exe[2980] ntdll.dll!LdrLoadDll 77959378 5 Bytes JMP 000501F8 .text C:\Program Files\Windows Media Player\wmpnscfg.exe[2980] ntdll.dll!LdrUnloadDll 7796B680 5 Bytes JMP 000503FC .text C:\Program Files\Windows Media Player\wmpnscfg.exe[2980] kernel32.dll!GetBinaryTypeW + 70 77262467 1 Byte [62] .text C:\Program Files\Windows Media Player\wmpnscfg.exe[2980] ADVAPI32.dll!CreateServiceW 77509EB4 5 Bytes JMP 000703FC .text C:\Program Files\Windows Media Player\wmpnscfg.exe[2980] ADVAPI32.dll!DeleteService 7750A07E 5 Bytes JMP 00070600 .text C:\Program Files\Windows Media Player\wmpnscfg.exe[2980] ADVAPI32.dll!SetServiceObjectSecurity 77546CD9 5 Bytes JMP 00071014 .text C:\Program Files\Windows Media Player\wmpnscfg.exe[2980] ADVAPI32.dll!ChangeServiceConfigA 77546DD9 5 Bytes JMP 00070804 .text C:\Program Files\Windows Media Player\wmpnscfg.exe[2980] ADVAPI32.dll!ChangeServiceConfigW 77546F81 5 Bytes JMP 00070A08 .text C:\Program Files\Windows Media Player\wmpnscfg.exe[2980] ADVAPI32.dll!ChangeServiceConfig2A 77547099 5 Bytes JMP 00070C0C .text C:\Program Files\Windows Media Player\wmpnscfg.exe[2980] ADVAPI32.dll!ChangeServiceConfig2W 775471E1 5 Bytes JMP 00070E10 .text C:\Program Files\Windows Media Player\wmpnscfg.exe[2980] ADVAPI32.dll!CreateServiceA 775472A1 5 Bytes JMP 000701F8 .text C:\Program Files\Windows Media Player\wmpnscfg.exe[2980] USER32.dll!SetWindowsHookExA 77596322 5 Bytes JMP 00080600 .text C:\Program Files\Windows Media Player\wmpnscfg.exe[2980] USER32.dll!SetWindowsHookExW 775987AD 5 Bytes JMP 00080804 .text C:\Program Files\Windows Media Player\wmpnscfg.exe[2980] USER32.dll!UnhookWindowsHookEx 775998DB 5 Bytes JMP 
00080A08
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[2980] USER32.dll!SetWinEventHook 77599F3A 5 Bytes JMP 000801F8
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[2980] USER32.dll!UnhookWinEvent 7759C06F 5 Bytes JMP 000803FC
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3236] ntdll.dll!LdrLoadDll 77959378 5 Bytes JMP 000401F8
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3236] ntdll.dll!LdrUnloadDll 7796B680 5 Bytes JMP 000403FC
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3236] kernel32.dll!GetBinaryTypeW + 70 77262467 1 Byte [62]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3236] ADVAPI32.dll!CreateServiceW 77509EB4 5 Bytes JMP 000A03FC
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3236] ADVAPI32.dll!DeleteService 7750A07E 5 Bytes JMP 000A0600
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3236] ADVAPI32.dll!SetServiceObjectSecurity 77546CD9 5 Bytes JMP 000A1014
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3236] ADVAPI32.dll!ChangeServiceConfigA 77546DD9 5 Bytes JMP 000A0804
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3236] ADVAPI32.dll!ChangeServiceConfigW 77546F81 5 Bytes JMP 000A0A08
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3236] ADVAPI32.dll!ChangeServiceConfig2A 77547099 5 Bytes JMP 000A0C0C
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3236] ADVAPI32.dll!ChangeServiceConfig2W 775471E1 5 Bytes JMP 000A0E10
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3236] ADVAPI32.dll!CreateServiceA 775472A1 5 Bytes JMP 000A01F8
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3236] USER32.dll!SetWindowsHookExA 77596322 5 Bytes JMP 000B0600
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3236] USER32.dll!SetWindowsHookExW 775987AD 5 Bytes JMP 000B0804
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3236] USER32.dll!UnhookWindowsHookEx 775998DB 5 Bytes JMP 000B0A08
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3236] USER32.dll!SetWinEventHook 77599F3A 5 Bytes JMP 000B01F8
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3236] USER32.dll!UnhookWinEvent 7759C06F 5 Bytes JMP 000B03FC
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] ntdll.dll!LdrLoadDll 77959378 5 Bytes JMP 002301F8
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] ntdll.dll!LdrUnloadDll 7796B680 5 Bytes JMP 002303FC
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] ntdll.dll!NtCreateFile + 6 7799424A 4 Bytes [28, 00, 21, 00] {SUB [EAX], AL; AND [EAX], EAX}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] ntdll.dll!NtCreateFile + B 7799424F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] ntdll.dll!NtMapViewOfSection + 6 7799499A 1 Byte [28]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] ntdll.dll!NtMapViewOfSection + 6 7799499A 4 Bytes [28, 03, 21, 00] {SUB [EBX], AL; AND [EAX], EAX}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] ntdll.dll!NtMapViewOfSection + B 7799499F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] ntdll.dll!NtOpenFile + 6 77994A2A 4 Bytes [68, 00, 21, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] ntdll.dll!NtOpenFile + B 77994A2F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] ntdll.dll!NtOpenProcess + 6 77994AAA 4 Bytes [A8, 01, 21, 00] {TEST AL, 0x1; AND [EAX], EAX}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] ntdll.dll!NtOpenProcess + B 77994AAF 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] ntdll.dll!NtOpenProcessToken + 6 77994ABA 4 Bytes CALL 76996BC0 C:\Windows\system32\SHELL32.dll (Wspólna biblioteka DLL Powłoki systemu Windows/Microsoft Corporation)
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] ntdll.dll!NtOpenProcessToken + B 77994ABF 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] ntdll.dll!NtOpenProcessTokenEx + 6 77994ACA 4 Bytes [A8, 02, 21, 00] {TEST AL, 0x2; AND [EAX], EAX}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] ntdll.dll!NtOpenProcessTokenEx + B 77994ACF 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] ntdll.dll!NtOpenThread + 6 77994B1A 4 Bytes [68, 01, 21, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] ntdll.dll!NtOpenThread + B 77994B1F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] ntdll.dll!NtOpenThreadToken + 6 77994B2A 4 Bytes [68, 02, 21, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] ntdll.dll!NtOpenThreadToken + B 77994B2F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] ntdll.dll!NtOpenThreadTokenEx + 6 77994B3A 4 Bytes CALL 76996C41 C:\Windows\system32\SHELL32.dll (Wspólna biblioteka DLL Powłoki systemu Windows/Microsoft Corporation)
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] ntdll.dll!NtOpenThreadTokenEx + B 77994B3F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] ntdll.dll!NtQueryAttributesFile + 6 77994BCA 4 Bytes [A8, 00, 21, 00] {TEST AL, 0x0; AND [EAX], EAX}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] ntdll.dll!NtQueryAttributesFile + B 77994BCF 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] ntdll.dll!NtQueryFullAttributesFile + 6 77994C7A 4 Bytes CALL 76996D7F C:\Windows\system32\SHELL32.dll (Wspólna biblioteka DLL Powłoki systemu Windows/Microsoft Corporation)
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] ntdll.dll!NtQueryFullAttributesFile + B 77994C7F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] ntdll.dll!NtSetInformationFile + 6 7799515A 4 Bytes [28, 01, 21, 00] {SUB [ECX], AL; AND [EAX], EAX}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] ntdll.dll!NtSetInformationFile + B 7799515F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] ntdll.dll!NtSetInformationThread + 6 779951AA 4 Bytes [28, 02, 21, 00] {SUB [EDX], AL; AND [EAX], EAX}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] ntdll.dll!NtSetInformationThread + B 779951AF 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] ntdll.dll!NtUnmapViewOfSection + 6 7799544A 1 Byte [68]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] ntdll.dll!NtUnmapViewOfSection + 6 7799544A 4 Bytes [68, 03, 21, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] ntdll.dll!NtUnmapViewOfSection + B 7799544F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] kernel32.dll!GetBinaryTypeW + 70 77262467 1 Byte [62]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] USER32.dll!SetWindowsHookExA 77596322 5 Bytes JMP 00260600
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] USER32.dll!SetWindowsHookExW 775987AD 5 Bytes JMP 00260804
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] USER32.dll!UnhookWindowsHookEx 775998DB 5 Bytes JMP 00260A08
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] USER32.dll!SetWinEventHook 77599F3A 5 Bytes JMP 002601F8
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] USER32.dll!UnhookWinEvent 7759C06F 5 Bytes JMP 002603FC
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] ADVAPI32.dll!CreateServiceW 77509EB4 5 Bytes JMP 002703FC
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] ADVAPI32.dll!DeleteService 7750A07E 5 Bytes JMP 00270600
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] ADVAPI32.dll!SetServiceObjectSecurity 77546CD9 5 Bytes JMP 00271014
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] ADVAPI32.dll!ChangeServiceConfigA 77546DD9 5 Bytes JMP 00270804
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] ADVAPI32.dll!ChangeServiceConfigW 77546F81 5 Bytes JMP 00270A08
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] ADVAPI32.dll!ChangeServiceConfig2A 77547099 5 Bytes JMP 00270C0C
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] ADVAPI32.dll!ChangeServiceConfig2W 775471E1 5 Bytes JMP 00270E10
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3476] ADVAPI32.dll!CreateServiceA 775472A1 5 Bytes JMP 002701F8
.text C:\Windows\system32\igfxext.exe[3496] ntdll.dll!LdrLoadDll 77959378 5 Bytes JMP 001501F8
.text C:\Windows\system32\igfxext.exe[3496] ntdll.dll!LdrUnloadDll 7796B680 5 Bytes JMP 001503FC
.text C:\Windows\system32\igfxext.exe[3496] kernel32.dll!GetBinaryTypeW + 70 77262467 1 Byte [62]
.text C:\Windows\system32\igfxext.exe[3496] USER32.dll!SetWindowsHookExA 77596322 5 Bytes JMP 00170600
.text C:\Windows\system32\igfxext.exe[3496] USER32.dll!SetWindowsHookExW 775987AD 5 Bytes JMP 00170804
.text C:\Windows\system32\igfxext.exe[3496] USER32.dll!UnhookWindowsHookEx 775998DB 5 Bytes JMP 00170A08
.text C:\Windows\system32\igfxext.exe[3496] USER32.dll!SetWinEventHook 77599F3A 5 Bytes JMP 001701F8
.text C:\Windows\system32\igfxext.exe[3496] USER32.dll!UnhookWinEvent 7759C06F 5 Bytes JMP 001703FC
.text C:\Windows\system32\igfxext.exe[3496] ADVAPI32.dll!CreateServiceW 77509EB4 5 Bytes JMP 001803FC
.text C:\Windows\system32\igfxext.exe[3496] ADVAPI32.dll!DeleteService 7750A07E 5 Bytes JMP 00180600
.text C:\Windows\system32\igfxext.exe[3496] ADVAPI32.dll!SetServiceObjectSecurity 77546CD9 5 Bytes JMP 00181014
.text C:\Windows\system32\igfxext.exe[3496] ADVAPI32.dll!ChangeServiceConfigA 77546DD9 5 Bytes JMP 00180804
.text C:\Windows\system32\igfxext.exe[3496] ADVAPI32.dll!ChangeServiceConfigW 77546F81 5 Bytes JMP 00180A08
.text C:\Windows\system32\igfxext.exe[3496] ADVAPI32.dll!ChangeServiceConfig2A 77547099 5 Bytes JMP 00180C0C
.text C:\Windows\system32\igfxext.exe[3496] ADVAPI32.dll!ChangeServiceConfig2W 775471E1 5 Bytes JMP 00180E10
.text C:\Windows\system32\igfxext.exe[3496] ADVAPI32.dll!CreateServiceA 775472A1 5 Bytes JMP 001801F8
.text C:\Windows\system32\igfxsrvc.exe[3532] ntdll.dll!LdrLoadDll 77959378 5 Bytes JMP 001501F8
.text C:\Windows\system32\igfxsrvc.exe[3532] ntdll.dll!LdrUnloadDll 7796B680 5 Bytes JMP 001503FC
.text C:\Windows\system32\igfxsrvc.exe[3532] kernel32.dll!GetBinaryTypeW + 70 77262467 1 Byte [62]
.text C:\Windows\system32\igfxsrvc.exe[3532] USER32.dll!SetWindowsHookExA 77596322 5 Bytes JMP 00170600
.text C:\Windows\system32\igfxsrvc.exe[3532] USER32.dll!SetWindowsHookExW 775987AD 5 Bytes JMP 00170804
.text C:\Windows\system32\igfxsrvc.exe[3532] USER32.dll!UnhookWindowsHookEx 775998DB 5 Bytes JMP 00170A08
.text C:\Windows\system32\igfxsrvc.exe[3532] USER32.dll!SetWinEventHook 77599F3A 5 Bytes JMP 001701F8
.text C:\Windows\system32\igfxsrvc.exe[3532] USER32.dll!UnhookWinEvent 7759C06F 5 Bytes JMP 001703FC
.text C:\Windows\system32\igfxsrvc.exe[3532] ADVAPI32.dll!CreateServiceW 77509EB4 5 Bytes JMP 001803FC
.text C:\Windows\system32\igfxsrvc.exe[3532] ADVAPI32.dll!DeleteService 7750A07E 5 Bytes JMP 00180600
.text C:\Windows\system32\igfxsrvc.exe[3532] ADVAPI32.dll!SetServiceObjectSecurity 77546CD9 5 Bytes JMP 00181014
.text C:\Windows\system32\igfxsrvc.exe[3532] ADVAPI32.dll!ChangeServiceConfigA 77546DD9 5 Bytes JMP 00180804
.text C:\Windows\system32\igfxsrvc.exe[3532] ADVAPI32.dll!ChangeServiceConfigW 77546F81 5 Bytes JMP 00180A08
.text C:\Windows\system32\igfxsrvc.exe[3532] ADVAPI32.dll!ChangeServiceConfig2A 77547099 5 Bytes JMP 00180C0C
.text C:\Windows\system32\igfxsrvc.exe[3532] ADVAPI32.dll!ChangeServiceConfig2W 775471E1 5 Bytes JMP 00180E10
.text C:\Windows\system32\igfxsrvc.exe[3532] ADVAPI32.dll!CreateServiceA 775472A1 5 Bytes JMP 001801F8
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3764] ntdll.dll!LdrLoadDll 77959378 5 Bytes JMP 003901F8
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3764] ntdll.dll!LdrUnloadDll 7796B680 5 Bytes JMP 003903FC
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3764] ntdll.dll!NtCreateFile + 6 7799424A 4 Bytes [28, 00, 38, 00] {SUB [EAX], AL; CMP [EAX], AL}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3764] ntdll.dll!NtCreateFile + B 7799424F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3764] ntdll.dll!NtMapViewOfSection + 6 7799499A 1 Byte [28]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3764] ntdll.dll!NtMapViewOfSection + 6 7799499A 4 Bytes [28, 03, 38, 00] {SUB [EBX], AL; CMP [EAX], AL}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3764] ntdll.dll!NtMapViewOfSection + B 7799499F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3764] ntdll.dll!NtOpenFile + 6 77994A2A 4 Bytes [68, 00, 38, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3764] ntdll.dll!NtOpenFile + B 77994A2F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3764] ntdll.dll!NtOpenProcess + 6 77994AAA 4 Bytes [A8, 01, 38, 00] {TEST AL, 0x1; CMP [EAX], AL}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3764] ntdll.dll!NtOpenProcess + B 77994AAF 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3764] ntdll.dll!NtOpenProcessToken + 6 77994ABA 4 Bytes CALL 769982C0 C:\Windows\system32\SHELL32.dll (Wspólna biblioteka DLL Powłoki systemu Windows/Microsoft Corporation)
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3764] ntdll.dll!NtOpenProcessToken + B 77994ABF 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3764] ntdll.dll!NtOpenProcessTokenEx + 6 77994ACA 4 Bytes [A8, 02, 38, 00] {TEST AL, 0x2; CMP [EAX], AL}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3764] ntdll.dll!NtOpenProcessTokenEx + B 77994ACF 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3764] ntdll.dll!NtOpenThread + 6 77994B1A 4 Bytes [68, 01, 38, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3764] ntdll.dll!NtOpenThread + B 77994B1F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3764] ntdll.dll!NtOpenThreadToken + 6 77994B2A 4 Bytes [68, 02, 38, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3764] ntdll.dll!NtOpenThreadToken + B 77994B2F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3764] ntdll.dll!NtOpenThreadTokenEx + 6 77994B3A 4 Bytes CALL 76998341 C:\Windows\system32\SHELL32.dll (Wspólna biblioteka DLL Powłoki systemu Windows/Microsoft Corporation)
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3764] ntdll.dll!NtOpenThreadTokenEx + B 77994B3F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3764] ntdll.dll!NtQueryAttributesFile + 6 77994BCA 4 Bytes [A8, 00, 38, 00] {TEST AL, 0x0; CMP [EAX], AL}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3764] ntdll.dll!NtQueryAttributesFile + B 77994BCF 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3764] ntdll.dll!NtQueryFullAttributesFile + 6 77994C7A 4 Bytes CALL 7699847F C:\Windows\system32\SHELL32.dll (Wspólna biblioteka DLL Powłoki systemu Windows/Microsoft Corporation)
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3764] ntdll.dll!NtQueryFullAttributesFile + B 77994C7F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3764] ntdll.dll!NtSetInformationFile + 6 7799515A 4 Bytes [28, 01, 38, 00] {SUB [ECX], AL; CMP [EAX], AL}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3764] ntdll.dll!NtSetInformationFile + B 7799515F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3764] ntdll.dll!NtSetInformationThread + 6 779951AA 4 Bytes [28, 02, 38, 00] {SUB [EDX], AL; CMP [EAX], AL}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3764] ntdll.dll!NtSetInformationThread + B 779951AF 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3764] ntdll.dll!NtUnmapViewOfSection + 6 7799544A 1 Byte [68]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3764] ntdll.dll!NtUnmapViewOfSection + 6 7799544A 4 Bytes [68, 03, 38, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3764] ntdll.dll!NtUnmapViewOfSection + B 7799544F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3764] kernel32.dll!GetBinaryTypeW + 70 77262467 1 Byte [62]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3764] USER32.dll!SetWindowsHookExA 77596322 5 Bytes JMP 003C0600
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3764] USER32.dll!SetWindowsHookExW 775987AD 5 Bytes JMP 003C0804
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3764] USER32.dll!UnhookWindowsHookEx 775998DB 5 Bytes JMP 003C0A08
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3764] USER32.dll!SetWinEventHook 77599F3A 5 Bytes JMP 003C01F8
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3764] USER32.dll!UnhookWinEvent 7759C06F 5 Bytes JMP 003C03FC
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3764] ADVAPI32.dll!CreateServiceW 77509EB4 5 Bytes JMP 003D03FC
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3764] ADVAPI32.dll!DeleteService 7750A07E 5 Bytes JMP 003D0600
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3764] ADVAPI32.dll!SetServiceObjectSecurity 77546CD9 5 Bytes JMP 003D1014
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3764] ADVAPI32.dll!ChangeServiceConfigA 77546DD9 5 Bytes JMP 003D0804
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3764] ADVAPI32.dll!ChangeServiceConfigW 77546F81 5 Bytes JMP 003D0A08
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3764] ADVAPI32.dll!ChangeServiceConfig2A 77547099 5 Bytes JMP 003D0C0C
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3764] ADVAPI32.dll!ChangeServiceConfig2W 775471E1 5 Bytes JMP 003D0E10
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3764] ADVAPI32.dll!CreateServiceA 775472A1 5 Bytes JMP 003D01F8
.text C:\Users\Ja\Desktop\gmer.exe[4216] kernel32.dll!GetBinaryTypeW + 70 77262467 1 Byte [62]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4412] ntdll.dll!LdrLoadDll 77959378 5 Bytes JMP 002E01F8
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4412] ntdll.dll!LdrUnloadDll 7796B680 5 Bytes JMP 002E03FC
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4412] ntdll.dll!NtCreateFile + 6 7799424A 4 Bytes [28, 00, 2D, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4412] ntdll.dll!NtCreateFile + B 7799424F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4412] ntdll.dll!NtMapViewOfSection + 6 7799499A 1 Byte [28]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4412] ntdll.dll!NtMapViewOfSection + 6 7799499A 4 Bytes [28, 03, 2D, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4412] ntdll.dll!NtMapViewOfSection + B 7799499F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4412] ntdll.dll!NtOpenFile + 6 77994A2A 4 Bytes [68, 00, 2D, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4412] ntdll.dll!NtOpenFile + B 77994A2F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4412] ntdll.dll!NtOpenProcess + 6 77994AAA 4 Bytes [A8, 01, 2D, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4412] ntdll.dll!NtOpenProcess + B 77994AAF 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4412] ntdll.dll!NtOpenProcessToken + 6 77994ABA 4 Bytes CALL 769977C0 C:\Windows\system32\SHELL32.dll (Wspólna biblioteka DLL Powłoki systemu Windows/Microsoft Corporation)
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4412] ntdll.dll!NtOpenProcessToken + B 77994ABF 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4412] ntdll.dll!NtOpenProcessTokenEx + 6 77994ACA 4 Bytes [A8, 02, 2D, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4412] ntdll.dll!NtOpenProcessTokenEx + B 77994ACF 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4412] ntdll.dll!NtOpenThread + 6 77994B1A 4 Bytes [68, 01, 2D, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4412] ntdll.dll!NtOpenThread + B 77994B1F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4412] ntdll.dll!NtOpenThreadToken + 6 77994B2A 4 Bytes [68, 02, 2D, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4412] ntdll.dll!NtOpenThreadToken + B 77994B2F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4412] ntdll.dll!NtOpenThreadTokenEx + 6 77994B3A 4 Bytes CALL 76997841 C:\Windows\system32\SHELL32.dll (Wspólna biblioteka DLL Powłoki systemu Windows/Microsoft Corporation)
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4412] ntdll.dll!NtOpenThreadTokenEx + B 77994B3F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4412] ntdll.dll!NtQueryAttributesFile + 6 77994BCA 4 Bytes [A8, 00, 2D, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4412] ntdll.dll!NtQueryAttributesFile + B 77994BCF 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4412] ntdll.dll!NtQueryFullAttributesFile + 6 77994C7A 4 Bytes CALL 7699797F C:\Windows\system32\SHELL32.dll (Wspólna biblioteka DLL Powłoki systemu Windows/Microsoft Corporation)
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4412] ntdll.dll!NtQueryFullAttributesFile + B 77994C7F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4412] ntdll.dll!NtSetInformationFile + 6 7799515A 4 Bytes [28, 01, 2D, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4412] ntdll.dll!NtSetInformationFile + B 7799515F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4412] ntdll.dll!NtSetInformationThread + 6 779951AA 4 Bytes [28, 02, 2D, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4412] ntdll.dll!NtSetInformationThread + B 779951AF 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4412] ntdll.dll!NtUnmapViewOfSection + 6 7799544A 1 Byte [68]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4412] ntdll.dll!NtUnmapViewOfSection + 6 7799544A 4 Bytes [68, 03, 2D, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4412] ntdll.dll!NtUnmapViewOfSection + B 7799544F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4412] kernel32.dll!GetBinaryTypeW + 70 77262467 1 Byte [62]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4412] USER32.dll!SetWindowsHookExA 77596322 5 Bytes JMP 00360600
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4412] USER32.dll!SetWindowsHookExW 775987AD 5 Bytes JMP 00360804
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4412] USER32.dll!UnhookWindowsHookEx 775998DB 5 Bytes JMP 00360A08
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4412] USER32.dll!SetWinEventHook 77599F3A 5 Bytes JMP 003601F8
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4412] USER32.dll!UnhookWinEvent 7759C06F 5 Bytes JMP 003603FC
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4412] ADVAPI32.dll!CreateServiceW 77509EB4 5 Bytes JMP 003703FC
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4412] ADVAPI32.dll!DeleteService 7750A07E 5 Bytes JMP 00370600
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4412] ADVAPI32.dll!SetServiceObjectSecurity 77546CD9 5 Bytes JMP 00371014
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4412] ADVAPI32.dll!ChangeServiceConfigA 77546DD9 5 Bytes JMP 00370804
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4412] ADVAPI32.dll!ChangeServiceConfigW 77546F81 5 Bytes JMP 00370A08
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4412] ADVAPI32.dll!ChangeServiceConfig2A 77547099 5 Bytes JMP 00370C0C
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4412] ADVAPI32.dll!ChangeServiceConfig2W 775471E1 5 Bytes JMP 00370E10
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4412] ADVAPI32.dll!CreateServiceA 775472A1 5 Bytes JMP 003701F8
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4536] ntdll.dll!LdrLoadDll 77959378 5 Bytes JMP 003901F8
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4536] ntdll.dll!LdrUnloadDll 7796B680 5 Bytes JMP 003903FC
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4536] ntdll.dll!NtCreateFile + 6 7799424A 4 Bytes [28, 00, 37, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4536] ntdll.dll!NtCreateFile + B 7799424F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4536] ntdll.dll!NtMapViewOfSection + 6 7799499A 1 Byte [28]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4536] ntdll.dll!NtMapViewOfSection + 6 7799499A 4 Bytes [28, 03, 37, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4536] ntdll.dll!NtMapViewOfSection + B 7799499F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4536] ntdll.dll!NtOpenFile + 6 77994A2A 4 Bytes [68, 00, 37, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4536] ntdll.dll!NtOpenFile + B 77994A2F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4536] ntdll.dll!NtOpenProcess + 6 77994AAA 4 Bytes [A8, 01, 37, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4536] ntdll.dll!NtOpenProcess + B 77994AAF 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4536] ntdll.dll!NtOpenProcessToken + 6 77994ABA 4 Bytes CALL 769981C0 C:\Windows\system32\SHELL32.dll (Wspólna biblioteka DLL Powłoki systemu Windows/Microsoft Corporation)
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4536] ntdll.dll!NtOpenProcessToken + B 77994ABF 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4536] ntdll.dll!NtOpenProcessTokenEx + 6 77994ACA 4 Bytes [A8, 02, 37, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4536] ntdll.dll!NtOpenProcessTokenEx + B 77994ACF 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4536] ntdll.dll!NtOpenThread + 6 77994B1A 4 Bytes [68, 01, 37, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4536] ntdll.dll!NtOpenThread + B 77994B1F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4536] ntdll.dll!NtOpenThreadToken + 6 77994B2A 4 Bytes [68, 02, 37, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4536] ntdll.dll!NtOpenThreadToken + B 77994B2F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4536] ntdll.dll!NtOpenThreadTokenEx + 6 77994B3A 4 Bytes CALL 76998241 C:\Windows\system32\SHELL32.dll (Wspólna biblioteka DLL Powłoki systemu Windows/Microsoft Corporation)
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4536] ntdll.dll!NtOpenThreadTokenEx + B 77994B3F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4536] ntdll.dll!NtQueryAttributesFile + 6 77994BCA 4 Bytes [A8, 00, 37, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4536] ntdll.dll!NtQueryAttributesFile + B 77994BCF 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4536] ntdll.dll!NtQueryFullAttributesFile + 6 77994C7A 4 Bytes CALL 7699837F C:\Windows\system32\SHELL32.dll (Wspólna biblioteka DLL Powłoki systemu Windows/Microsoft Corporation)
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4536] ntdll.dll!NtQueryFullAttributesFile + B 77994C7F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4536] ntdll.dll!NtSetInformationFile + 6 7799515A 4 Bytes [28, 01, 37, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4536] ntdll.dll!NtSetInformationFile + B 7799515F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4536] ntdll.dll!NtSetInformationThread + 6 779951AA 4 Bytes [28, 02, 37, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4536] ntdll.dll!NtSetInformationThread + B 779951AF 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4536] ntdll.dll!NtUnmapViewOfSection + 6 7799544A 1 Byte [68]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4536] ntdll.dll!NtUnmapViewOfSection + 6 7799544A 4 Bytes [68, 03, 37, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4536] ntdll.dll!NtUnmapViewOfSection + B 7799544F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4536] kernel32.dll!GetBinaryTypeW + 70 77262467 1 Byte [62]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4536] USER32.dll!SetWindowsHookExA 77596322 5 Bytes JMP 003C0600
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4536] USER32.dll!SetWindowsHookExW 775987AD 5 Bytes JMP 003C0804
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4536] USER32.dll!UnhookWindowsHookEx 775998DB 5 Bytes JMP 003C0A08
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4536] USER32.dll!SetWinEventHook 77599F3A 5 Bytes JMP 003C01F8
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4536] USER32.dll!UnhookWinEvent 7759C06F 5 Bytes JMP 003C03FC
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4536] ADVAPI32.dll!CreateServiceW 77509EB4 5 Bytes JMP 003D03FC
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4536] ADVAPI32.dll!DeleteService 7750A07E 5 Bytes JMP 003D0600
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4536] ADVAPI32.dll!SetServiceObjectSecurity 77546CD9 5 Bytes JMP 003D1014
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4536] ADVAPI32.dll!ChangeServiceConfigA 77546DD9 5 Bytes JMP 003D0804
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4536] ADVAPI32.dll!ChangeServiceConfigW 77546F81 5 Bytes JMP 003D0A08
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4536] ADVAPI32.dll!ChangeServiceConfig2A 77547099 5 Bytes JMP 003D0C0C
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4536] ADVAPI32.dll!ChangeServiceConfig2W 775471E1 5 Bytes JMP 003D0E10
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4536] ADVAPI32.dll!CreateServiceA 775472A1 5 Bytes JMP 003D01F8
.text C:\Windows\system32\rundll32.exe[4988] ntdll.dll!LdrLoadDll 77959378 5 Bytes JMP 000601F8
.text C:\Windows\system32\rundll32.exe[4988] ntdll.dll!LdrUnloadDll 7796B680 5 Bytes JMP 000603FC
.text C:\Windows\system32\rundll32.exe[4988] kernel32.dll!GetBinaryTypeW + 70 77262467 1 Byte [62]
.text C:\Windows\system32\rundll32.exe[4988] USER32.dll!SetWindowsHookExA 77596322 5 Bytes JMP 00070600
.text C:\Windows\system32\rundll32.exe[4988] USER32.dll!SetWindowsHookExW 775987AD 5 Bytes JMP 00070804
.text C:\Windows\system32\rundll32.exe[4988] USER32.dll!UnhookWindowsHookEx 775998DB 5 Bytes JMP 00070A08
.text C:\Windows\system32\rundll32.exe[4988] USER32.dll!SetWinEventHook 77599F3A 5 Bytes JMP 000701F8
.text C:\Windows\system32\rundll32.exe[4988] USER32.dll!UnhookWinEvent 7759C06F 5 Bytes JMP 000703FC
.text C:\Windows\system32\rundll32.exe[4988] ADVAPI32.dll!CreateServiceW 77509EB4 5 Bytes JMP 000903FC
.text C:\Windows\system32\rundll32.exe[4988] ADVAPI32.dll!DeleteService 7750A07E 3 Bytes JMP 00090600
.text C:\Windows\system32\rundll32.exe[4988] ADVAPI32.dll!DeleteService + 4 7750A082 1 Byte [88]
.text C:\Windows\system32\rundll32.exe[4988] ADVAPI32.dll!SetServiceObjectSecurity 77546CD9 5 Bytes JMP 00091014
.text C:\Windows\system32\rundll32.exe[4988] ADVAPI32.dll!ChangeServiceConfigA 77546DD9 5 Bytes JMP 00090804
.text C:\Windows\system32\rundll32.exe[4988] ADVAPI32.dll!ChangeServiceConfigW 77546F81 5 Bytes JMP 00090A08
.text C:\Windows\system32\rundll32.exe[4988] ADVAPI32.dll!ChangeServiceConfig2A 77547099 5 Bytes JMP 00090C0C
.text C:\Windows\system32\rundll32.exe[4988] ADVAPI32.dll!ChangeServiceConfig2W 775471E1 5 Bytes JMP 00090E10
.text C:\Windows\system32\rundll32.exe[4988] ADVAPI32.dll!CreateServiceA 775472A1 5 Bytes JMP 000901F8
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5568] ntdll.dll!LdrLoadDll 77959378 5 Bytes JMP 000501F8
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5568] ntdll.dll!LdrUnloadDll 7796B680 5 Bytes JMP 000503FC
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5568] kernel32.dll!GetBinaryTypeW + 70 77262467 1 Byte [62]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5568] USER32.dll!SetWindowsHookExA 77596322 5 Bytes JMP 00070600
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5568] USER32.dll!SetWindowsHookExW 775987AD 5 Bytes JMP 00070804
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5568] USER32.dll!UnhookWindowsHookEx 775998DB 5 Bytes JMP 00070A08
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5568] USER32.dll!SetWinEventHook 77599F3A 5 Bytes JMP 000701F8
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5568] USER32.dll!UnhookWinEvent 7759C06F 5 Bytes JMP 000703FC
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5568] ADVAPI32.dll!CreateServiceW 77509EB4 5 Bytes JMP 001803FC
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5568] ADVAPI32.dll!DeleteService 7750A07E 5 Bytes JMP 00180600
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5568] ADVAPI32.dll!SetServiceObjectSecurity 77546CD9 5 Bytes JMP 00181014
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5568] ADVAPI32.dll!ChangeServiceConfigA 77546DD9 5 Bytes JMP 00180804
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5568] ADVAPI32.dll!ChangeServiceConfigW 77546F81 5 Bytes JMP 00180A08
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5568] ADVAPI32.dll!ChangeServiceConfig2A 77547099 5 Bytes JMP 00180C0C
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5568] ADVAPI32.dll!ChangeServiceConfig2W 775471E1 5 Bytes JMP 00180E10
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5568] ADVAPI32.dll!CreateServiceA 775472A1 5 Bytes JMP 001801F8
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5572] ntdll.dll!LdrLoadDll 77959378 5 Bytes JMP 003501F8
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5572] ntdll.dll!LdrUnloadDll 7796B680 5 Bytes JMP 003503FC
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5572] ntdll.dll!NtCreateFile + 6 7799424A 4 Bytes [28, 00, 33, 00] {SUB [EAX], AL; XOR EAX, [EAX]}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5572] ntdll.dll!NtCreateFile + B 7799424F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5572] ntdll.dll!NtMapViewOfSection + 6 7799499A 1 Byte [28]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5572] ntdll.dll!NtMapViewOfSection + 6 7799499A 4 Bytes [28, 03, 33, 00] {SUB [EBX], AL; XOR EAX, [EAX]}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5572] ntdll.dll!NtMapViewOfSection + B 7799499F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5572] ntdll.dll!NtOpenFile + 6 77994A2A 4 Bytes [68, 00, 33, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5572] ntdll.dll!NtOpenFile + B 77994A2F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5572] ntdll.dll!NtOpenProcess + 6 77994AAA 4 Bytes [A8, 01, 33, 00] {TEST AL, 0x1; XOR EAX, [EAX]}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5572] ntdll.dll!NtOpenProcess + B 77994AAF 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5572] ntdll.dll!NtOpenProcessToken + 6 77994ABA 4 Bytes CALL 76997DC0 C:\Windows\system32\SHELL32.dll (Wspólna biblioteka DLL Powłoki systemu Windows/Microsoft Corporation)
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5572] ntdll.dll!NtOpenProcessToken + B 77994ABF 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5572] ntdll.dll!NtOpenProcessTokenEx + 6 77994ACA 4 Bytes [A8, 02, 33, 00] {TEST AL, 0x2; XOR EAX, [EAX]}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5572] ntdll.dll!NtOpenProcessTokenEx + B 77994ACF 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5572] ntdll.dll!NtOpenThread + 6 77994B1A 4 Bytes [68, 01, 33, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5572] ntdll.dll!NtOpenThread + B 77994B1F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5572] ntdll.dll!NtOpenThreadToken + 6 77994B2A 4 Bytes [68, 02, 33, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5572] ntdll.dll!NtOpenThreadToken + B 77994B2F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5572] ntdll.dll!NtOpenThreadTokenEx + 6 77994B3A 4 Bytes CALL 76997E41 C:\Windows\system32\SHELL32.dll (Wspólna biblioteka DLL Powłoki systemu Windows/Microsoft Corporation)
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5572] ntdll.dll!NtOpenThreadTokenEx + B 77994B3F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5572] ntdll.dll!NtQueryAttributesFile + 6 77994BCA 4 Bytes [A8, 00, 33, 00] {TEST AL, 0x0; XOR EAX, [EAX]}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5572] ntdll.dll!NtQueryAttributesFile + B 77994BCF 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5572] ntdll.dll!NtQueryFullAttributesFile + 6 77994C7A 4 Bytes CALL 76997F7F C:\Windows\system32\SHELL32.dll (Wspólna biblioteka DLL Powłoki systemu Windows/Microsoft Corporation)
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5572] ntdll.dll!NtQueryFullAttributesFile + B 77994C7F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5572] ntdll.dll!NtSetInformationFile + 6 7799515A 4 Bytes [28, 01, 33, 00] {SUB [ECX], AL; XOR EAX, [EAX]}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5572] ntdll.dll!NtSetInformationFile + B 7799515F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5572] ntdll.dll!NtSetInformationThread + 6 779951AA 4 Bytes [28, 02, 33, 00] {SUB [EDX], AL; XOR EAX, [EAX]}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5572] ntdll.dll!NtSetInformationThread + B 779951AF 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5572] ntdll.dll!NtUnmapViewOfSection + 6 7799544A 1 Byte [68]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5572] ntdll.dll!NtUnmapViewOfSection + 6 7799544A 4 Bytes [68, 03, 33, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5572] ntdll.dll!NtUnmapViewOfSection + B 7799544F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5572] kernel32.dll!GetBinaryTypeW + 70 77262467 1 Byte [62]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5572] USER32.dll!SetWindowsHookExA 77596322 5 Bytes JMP 00380600
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5572] USER32.dll!SetWindowsHookExW 775987AD 5 Bytes JMP 00380804
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5572] USER32.dll!UnhookWindowsHookEx 775998DB 5 Bytes JMP 00380A08
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5572] USER32.dll!SetWinEventHook 77599F3A 5 Bytes JMP 003801F8
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5572] USER32.dll!UnhookWinEvent 7759C06F 5 Bytes JMP 003803FC
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5572] ADVAPI32.dll!CreateServiceW 77509EB4 5 Bytes JMP 003903FC
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5572] ADVAPI32.dll!DeleteService 7750A07E 5 Bytes JMP 00390600
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5572] ADVAPI32.dll!SetServiceObjectSecurity 77546CD9 5 Bytes JMP 00391014
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5572] ADVAPI32.dll!ChangeServiceConfigA 77546DD9 5 Bytes JMP 00390804
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5572] ADVAPI32.dll!ChangeServiceConfigW 77546F81 5 Bytes JMP 00390A08
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5572] ADVAPI32.dll!ChangeServiceConfig2A 77547099 5 Bytes JMP 00390C0C
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5572] ADVAPI32.dll!ChangeServiceConfig2W 775471E1 5 Bytes JMP 00390E10
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5572] ADVAPI32.dll!CreateServiceA 775472A1 5 Bytes JMP 003901F8
.text C:\Windows\notepad.exe[5824] kernel32.dll!GetBinaryTypeW + 70 77262467 1 Byte [62]
.text C:\Windows\system32\taskeng.exe[5988] ntdll.dll!LdrLoadDll 77959378 5 Bytes JMP 000501F8
.text C:\Windows\system32\taskeng.exe[5988] ntdll.dll!LdrUnloadDll 7796B680 5 Bytes JMP 000503FC
.text C:\Windows\system32\taskeng.exe[5988] kernel32.dll!GetBinaryTypeW + 70 77262467 1 Byte [62]
.text C:\Windows\system32\taskeng.exe[5988] ADVAPI32.dll!CreateServiceW 77509EB4 5 Bytes JMP 000703FC
.text C:\Windows\system32\taskeng.exe[5988] ADVAPI32.dll!DeleteService 7750A07E 5 Bytes JMP 00070600
.text C:\Windows\system32\taskeng.exe[5988] ADVAPI32.dll!SetServiceObjectSecurity 77546CD9 5 Bytes JMP 00071014
.text C:\Windows\system32\taskeng.exe[5988] ADVAPI32.dll!ChangeServiceConfigA 77546DD9 5 Bytes JMP 00070804
.text C:\Windows\system32\taskeng.exe[5988] ADVAPI32.dll!ChangeServiceConfigW 77546F81 5 Bytes JMP 00070A08
.text C:\Windows\system32\taskeng.exe[5988] ADVAPI32.dll!ChangeServiceConfig2A 77547099 5 Bytes JMP 00070C0C
.text C:\Windows\system32\taskeng.exe[5988] ADVAPI32.dll!ChangeServiceConfig2W 775471E1 5 Bytes JMP 00070E10
.text C:\Windows\system32\taskeng.exe[5988] ADVAPI32.dll!CreateServiceA 775472A1 5 Bytes JMP 000701F8
.text
C:\Windows\system32\taskeng.exe[5988] USER32.dll!SetWindowsHookExA 77596322 5 Bytes JMP 00080600 .text C:\Windows\system32\taskeng.exe[5988] USER32.dll!SetWindowsHookExW 775987AD 5 Bytes JMP 00080804 .text C:\Windows\system32\taskeng.exe[5988] USER32.dll!UnhookWindowsHookEx 775998DB 5 Bytes JMP 00080A08 .text C:\Windows\system32\taskeng.exe[5988] USER32.dll!SetWinEventHook 77599F3A 5 Bytes JMP 000801F8 .text C:\Windows\system32\taskeng.exe[5988] USER32.dll!UnhookWinEvent 7759C06F 5 Bytes JMP 000803FC ---- User IAT/EAT - GMER 1.0.15 ---- IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00150002 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\services.exe [KERNEL32.dll!CreateProcessW] 00150000 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!DbgPrintEx] 51EC8B55 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUpcaseUnicodeChar] 8B565351 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!NtClose] FF560875 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetInformationFile] CB510815 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenFile] 85D88B00 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryInformationFile] C2840FDB IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCompareUnicodeString] 57000000 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAppendUnicodeStringToString] 0068406A IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAllocateHeap] FF000010 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlFreeHeap] 006A5073 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetValueKey] 
508415FF IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateKey] F88B00CB IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUnicodeStringToInteger] 85FC7D89 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlFreeUnicodeString] 9E840FFF IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreatePagingFile] 8B000000 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!_alldiv] A4F3544B IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQuerySystemInformation] 1443B70F IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!_allmul] 0653B70F IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlExtendedIntegerMultiply] 1818448D IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryVolumeInformationFile] 8B0CC083 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitUnicodeStringEx] 08758B08 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryInformationProcess] 03FC7D8B IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitUnicodeString] 8BF903F1 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlDosPathNameToNtPathName_U] C083FC48 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlExpandEnvironmentStrings_U] A4F34A28 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryValueKey] [758BE975] C:\Windows\system32\CRYPT32.dll (Crypto API32/Microsoft Corporation) IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateFile] 443D8BFC IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe 
[ntdll.dll!NtOpenKey] 2B00CB51 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!_vsnwprintf] 458D0875 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetSecurityObject] 056A50F8 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetOwnerSecurityDescriptor] [75FF016A] C:\Windows\system32\WLDAP32.dll (Win32 LDAP API DLL/Microsoft Corporation) IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetDaclSecurityDescriptor] 85D7FFFC IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAddAccessAllowedAce] EB2574C0 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateAcl] 04488B1D IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateSecurityDescriptor] 56F84D29 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAllocateAndInitializeSid] 8B08508D IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateUnicodeString] FC450300 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!NtReadFile] 52F8C183 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!_chkstk] 5051E9D1 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlNumberOfSetBitsUlongPtr] 514015FF IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!NtMakeTemporaryObject] 7D8300CB IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateSymbolicLinkObject] DD7500F8 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenDirectoryObject] 50F8458D IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!qsort] 016A016A IAT C:\Windows\system32\services.exe[708] @ 
C:\Windows\system32\smss.exe [ntdll.dll!RtlRandomEx] FFFC75FF IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!memcpy] 74C085D7 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateDirectoryObject] 0C488D20 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlEqualUnicodeString] C085018B IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!_wcsicmp] F18B1774 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetEnvironmentVariable] 03FC4D8B IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!iswspace] 15FF50C1 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUnlockBootStatusData] [00CB5080] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation) IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlGetSetBootStatusData] 8B14C683 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlLockBootStatusData] 75C08506 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetSaclSecurityDescriptor] FC458BEB IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAddMandatoryAce] C95B5E5F IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlLengthSid] 560004C2 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlGetAce] 7140BF57 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlPrefixUnicodeString] 8B5700CB IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQuerySymbolicLinkObject] 7C15FFF1 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenSymbolicLinkObject] 6A00CB50 IAT C:\Windows\system32\services.exe[708] 
@ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryDirectoryObject] 3C83580F IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlTimeToTimeFields] CB715885 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!memset] 09740000 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!EtwEventWrite] 8548C88B IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!EtwEventEnabled] EBEF75C9 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAppendUnicodeToString] 85348907 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!NtMapViewOfSection] [00CB7158] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation) IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateSection] 3415FF57 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlQueryRegistryValues] 5F00CB50 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!NtResumeThread] 5756C35E IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!NtWaitForSingleObject] CB7140BF IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!NtTerminateProcess] F18B5700 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlDestroyProcessParameters] 507C15FF IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateUserProcess] 0F6A00CB IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateProcessParametersEx] 85343958 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!_wcsupr] [00CB7158] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation) IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe 
[ntdll.dll!RtlAnsiStringToUnicodeString] C88B0974 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitAnsiString] 75C98548 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!_stricmp] 8308EBF0 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!LdrVerifyImageMatchesChecksumEx] 71588524 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlDosSearchPath_U] 570000CB IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlQueryEnvironmentVariable_U] 503415FF IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!NtDisplayString] 5E5F00CB IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!NtWriteFile] 800068C3 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAdjustPrivilege] 006A0000 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!NtInitializeRegistry] 7815FF51 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetSystemInformation] 5000CB50 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetEvent] 513C15FF IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetCurrentEnvironment] 55C300CB IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!NtDeleteValueKey] 5351EC8B IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateEnvironment] 35FF5756 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenEvent] [00CB7198] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation) IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcCreatePort] 513815FF IAT C:\Windows\system32\services.exe[708] @ 
C:\Windows\system32\smss.exe [ntdll.dll!NtSetInformationProcess] 8D5900CB IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateTagHeap] E8400044 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateUserThread] 00002B4C IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlReleaseSRWLockExclusive] [75FFFC8B] C:\Windows\system32\WLDAP32.dll (Win32 LDAP API DLL/Microsoft Corporation) IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAcquireSRWLockExclusive] FC7D8908 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetInformationThread] 719835FF IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryInformationToken] EC6800CB IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenThreadToken] 5700CB53 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcImpersonateClientOfPort] 513415FF IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlReleaseSRWLockShared] DB3300CB IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAcquireSRWLockShared] 3910C483 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcDisconnectPort] 6E7D085D IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitializeSRWLock] FFF63357 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!NtConnectPort] CB507415 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!AlpcGetMessageAttribute] 85F88B00 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcAcceptConnectPort] 8D3774FF IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe 
[ntdll.dll!NtAlpcOpenSenderProcess] 6A500845 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcCancelMessage] FF575602 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlExitUserThread] CB513015 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcSendWaitReceivePort] 7CC08500 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!AlpcInitializeMessageAttribute] FF556A25 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetThreadIsCritical] 15FFFC75 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!NtRequestWaitReplyPort] [00CB512C] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation) IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!NtDuplicateObject] C9335959 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateEvent] 08896657 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlWakeConditionVariable] FFFE1FE8 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlClearBits] 85D88BFF IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlDeleteNoSplay] 8B0774DB IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!NtClearEvent] F72B0875 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSleepConditionVariableSRW] FF57F303 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlWakeAllConditionVariable] CB507015 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetBits] 74F68500 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlTestBit] FC4D8B53 IAT C:\Windows\system32\services.exe[708] @ 
C:\Windows\system32\smss.exe [ntdll.dll!RtlFindClearBits] CB7084BA IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlClearAllBits] 85D6FF00 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitializeBitMap] 684575C0 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlFreeSid] 00008000 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!NtRaiseHardError] 15FF5350 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!NtWaitForMultipleObjects] [00CB5078] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation) IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetProcessIsCritical] 5D3936EB IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!EtwEventRegister] BB31740C IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetHeapInformation] [00CB7140] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation) IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitializeConditionVariable] 7C15FF53 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!NtDelayExecution] BE00CB50 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUnicodeStringToAnsiString] [00CB7194] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation) IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryEvent] C085068B IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlReleasePrivilege] 4D8B0774 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAcquirePrivilege] FFD78B08 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe 
[ntdll.dll!LdrQueryImageFileExecutionOptions] 83C68BD0 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!wcstoul] 583D04EE IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUnhandledExceptionFilter] 7500CB71 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUnwind] 15FF53E7 IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!DbgBreakPoint] [00CB5034] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation) IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlNormalizeProcessParams] 5FF0658D IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlConnectToSm] C2C95B5E IAT C:\Windows\system32\services.exe[708] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSendMsgToSm] 8B550008 IAT C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1700] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [737EF6A0] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software) IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74457817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [7449B4E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7445BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] 
[7444F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [744575E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [7444E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [744873F5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [7445DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [7444FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [7444FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [744471CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT 
C:\Windows\Explorer.EXE[1720] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [744DCAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [7447C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [7444D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74446853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [7444687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1720] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74452AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Program Files\AVAST Software\Avast\AvastUI.exe[2972] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [737EF6A0] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software) IAT C:\Program Files\Google\Chrome\Application\chrome.exe[3476] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 00010010 IAT C:\Program Files\Google\Chrome\Application\chrome.exe[3764] @ C:\Windows\system32\RPCRT4.dll 
[KERNEL32.dll!CreateNamedPipeW] 00010010 IAT C:\Program Files\Google\Chrome\Application\chrome.exe[4536] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 00010010 IAT C:\Program Files\Google\Chrome\Application\chrome.exe[5572] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 00010010 ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software) AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Dynamiczna struktura WDF/Microsoft Corporation) AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Dynamiczna struktura WDF/Microsoft Corporation) AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software) AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software) ---- Files - GMER 1.0.15 ---- File C:\avast! sandbox 0 bytes File C:\avast! sandbox\S-1-5-21-865144796-2722442251-660881151-1000 0 bytes File C:\avast! sandbox\S-1-5-21-865144796-2722442251-660881151-1000\r3 0 bytes File C:\avast! sandbox\S-1-5-21-865144796-2722442251-660881151-1000\r3\OTL.exe_{162a6620-b658-11e1-976e-c950e0546249} 0 bytes File C:\avast! sandbox\S-1-5-21-865144796-2722442251-660881151-1000\r3\OTL.exe_{162a6626-b658-11e1-976e-c950e0546249} 0 bytes File C:\avast! sandbox\S-1-5-21-865144796-2722442251-660881151-1000\r3\OTL.exe_{162a662c-b658-11e1-976e-c950e0546249} 0 bytes File C:\avast! sandbox\snx_rhive 524288 bytes File C:\avast! sandbox\snx_rhive.LOG1 262144 bytes File C:\avast! sandbox\snx_rhive.LOG2 0 bytes File C:\avast! sandbox\snx_rhive{162a6622-b658-11e1-976e-c950e0546249}.TM.blf 65536 bytes File C:\avast! sandbox\snx_rhive{162a6622-b658-11e1-976e-c950e0546249}.TMContainer00000000000000000001.regtrans-ms 524288 bytes File C:\avast! sandbox\snx_rhive{162a6622-b658-11e1-976e-c950e0546249}.TMContainer00000000000000000002.regtrans-ms 524288 bytes File C:\avast! 
sandbox\snx_rhive{162a6628-b658-11e1-976e-c950e0546249}.TM.blf 65536 bytes File C:\avast! sandbox\snx_rhive{162a6628-b658-11e1-976e-c950e0546249}.TMContainer00000000000000000001.regtrans-ms 524288 bytes File C:\avast! sandbox\snx_rhive{162a6628-b658-11e1-976e-c950e0546249}.TMContainer00000000000000000002.regtrans-ms 524288 bytes ---- EOF - GMER 1.0.15 ----