GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-08-30 12:05:05
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 FUJITSU_MJA2320BH_G2 rev.0084001C
Running: j62fegyg.exe; Driver: C:\Users\Patryk\AppData\Local\Temp\kwrdipog.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0x91069708]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0x907987C8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAssignProcessToJobObject [0x9106A11C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0x91074F28]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0x91074F74]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0x910750F6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0x91074E96]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateSection [0x90798BBA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0x91074EDE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateThread [0x9106A310]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateThreadEx [0x9106A498]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0x910750B0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDebugActiveProcess [0x9106AA9C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0x91069756]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0x907988AC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0x910693BE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0x910697A4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0x9106E456]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0x9106B464]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0x91074F52]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0x91074F96]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0x9107511A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0x91074EBC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0x9107503A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0x91074F06]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0x910750D4]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0x90798A2C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0x9106B330]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueueApcThreadEx [0x9106B06C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0x910697F2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0x91069840]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetContextThread [0x9106A91C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0x91069448]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0x910695F8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0x9106959E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSuspendProcess [0x9106ABFE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSuspendThread [0x9106AD5A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0x91069668]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwTerminateProcess [0x90798AF6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwTerminateThread [0x9106A794]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0x9106988E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwWriteVirtualMemory [0x90798962]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x907B0966]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x8B6480B8]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x8B6480CE]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0x8B6480A4]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 8346D5F5 5 Bytes JMP 8B6480A8 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
.text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 8347F3C9 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 834B8D52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 10CB 834BFD80 4 Bytes [08, 97, 06, 91]
.text ntkrnlpa.exe!KeRemoveQueueEx + 10F3 834BFDA8 4 Bytes [C8, 87, 79, 90] {ENTER 0x7987, 0x90}
.text ntkrnlpa.exe!KeRemoveQueueEx + 1153 834BFE08 4 Bytes [1C, A1, 06, 91] {SBB AL, 0xa1; PUSH ES; XCHG ECX, EAX}
.text ntkrnlpa.exe!KeRemoveQueueEx + 11A7 834BFE5C 8 Bytes [28, 4F, 07, 91, 74, 4F, 07, ...] {SUB [EDI+0x7], CL; XCHG ECX, EAX; JZ 0x55; POP ES; XCHG ECX, EAX}
.text ntkrnlpa.exe!KeRemoveQueueEx + 11B3 834BFE68 4 Bytes [F6, 50, 07, 91] {NOT BYTE [EAX+0x7]; XCHG ECX, EAX}
.text ...
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 8364CC64 5 Bytes JMP 907AD806 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ObInsertObject + 27 83665290 5 Bytes JMP 907AF338 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 108 8367A3D7 4 Bytes CALL 9106BB07 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!NtMapViewOfSection 83688512 7 Bytes JMP 8B6480BC \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 122 836941E0 4 Bytes CALL 9106BB1D \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 836A685A 5 Bytes JMP 8B6480D2 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 8371E11A 7 Bytes JMP 907B096A \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
.text peauth.sys ACE30C9D 28 Bytes JMP D26F3E34
.text peauth.sys ACE30CC1 28 Bytes JMP D26F3E58

---- User code sections - GMER 1.0.15 ----

.text C:\windows\system32\svchost.exe[292] ntdll.dll!NtCreateFile 771F55C8 5 Bytes JMP 00040000
.text C:\windows\system32\svchost.exe[292] ntdll.dll!NtCreateProcess 771F5698 5 Bytes JMP 00040022
.text C:\windows\system32\svchost.exe[292] ntdll.dll!NtProtectVirtualMemory 771F5F18 5 Bytes JMP 00040011
.text C:\windows\system32\svchost.exe[292] ntdll.dll!LdrUnloadDll 7720C86E 5 Bytes JMP 000703FC
.text C:\windows\system32\svchost.exe[292] ntdll.dll!LdrLoadDll 7721223E 5 Bytes JMP 000701F8
.text C:\windows\system32\svchost.exe[292] kernel32.dll!GetStartupInfoA 76AB1E10 5 Bytes JMP 00010F6B
.text C:\windows\system32\svchost.exe[292] kernel32.dll!CreateProcessW 76AB204D 5 Bytes JMP 00010F35
.text C:\windows\system32\svchost.exe[292] kernel32.dll!CreateProcessA 76AB2082 5 Bytes JMP 00010F46
.text C:\windows\system32\svchost.exe[292] kernel32.dll!CreateNamedPipeW 76AE2D47 5 Bytes JMP 00010FCD
.text C:\windows\system32\svchost.exe[292] kernel32.dll!VirtualProtect 76AF2BCD 5 Bytes JMP 00010083
.text C:\windows\system32\svchost.exe[292] kernel32.dll!LoadLibraryExA 76AF4466 5 Bytes JMP 0001005E
.text C:\windows\system32\svchost.exe[292] kernel32.dll!LoadLibraryExW 76AF5079 5 Bytes JMP 00010FAB
.text C:\windows\system32\svchost.exe[292] kernel32.dll!GetProcAddress 76AFCC94 5 Bytes JMP 000100E5
.text C:\windows\system32\svchost.exe[292] kernel32.dll!LoadLibraryA 76AFDC65 5 Bytes JMP 00010039
.text C:\windows\system32\svchost.exe[292] kernel32.dll!GetStartupInfoW 76AFE2DD 5 Bytes JMP 000100AF
.text C:\windows\system32\svchost.exe[292] kernel32.dll!CreateFileW 76AFE8A5 5 Bytes JMP 00010FDE
.text C:\windows\system32\svchost.exe[292] kernel32.dll!CreateFileA 76AFEA61 5 Bytes JMP 00010FEF
.text C:\windows\system32\svchost.exe[292] kernel32.dll!LoadLibraryW 76AFEF42 5 Bytes JMP 00010FBC
.text C:\windows\system32\svchost.exe[292] kernel32.dll!CreatePipe 76B112A6 5 Bytes JMP 00010094
.text C:\windows\system32\svchost.exe[292] kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62]
.text C:\windows\system32\svchost.exe[292] kernel32.dll!CreateNamedPipeA 76B3DBA8 5 Bytes JMP 0001001E
.text C:\windows\system32\svchost.exe[292] kernel32.dll!WinExec 76B3EDB2 5 Bytes JMP 000100C0
.text C:\windows\system32\svchost.exe[292] kernel32.dll!VirtualProtectEx 76B3FD51 5 Bytes JMP 00010F86
.text C:\windows\system32\svchost.exe[292] msvcrt.dll!_open 76BD7E48 5 Bytes JMP 00090FE3
.text C:\windows\system32\svchost.exe[292] msvcrt.dll!_wsystem 76C0B057 5 Bytes JMP 00090FB0
.text C:\windows\system32\svchost.exe[292] msvcrt.dll!system 76C0B177 5 Bytes JMP 00090031
.text C:\windows\system32\svchost.exe[292] msvcrt.dll!_creat 76C0ED31 5 Bytes JMP 00090FD2
.text C:\windows\system32\svchost.exe[292] msvcrt.dll!_wcreat 76C10396 5 Bytes JMP 00090FC1
.text C:\windows\system32\svchost.exe[292] msvcrt.dll!_wopen 76C10578 5 Bytes JMP 0009000C
.text C:\windows\system32\svchost.exe[292] ADVAPI32.dll!RegOpenKeyA 76FBCC15 5 Bytes JMP 000C0FE5
.text C:\windows\system32\svchost.exe[292] ADVAPI32.dll!RegCreateKeyA 76FBCD01 5 Bytes JMP 000C0FA5
.text C:\windows\system32\svchost.exe[292] ADVAPI32.dll!RegCreateKeyExA 76FC1469 5 Bytes JMP 000C0F6F
.text C:\windows\system32\svchost.exe[292] ADVAPI32.dll!RegCreateKeyW 76FC1514 5 Bytes JMP 000C0F8A
.text C:\windows\system32\svchost.exe[292] ADVAPI32.dll!RegOpenKeyW 76FC2459 5 Bytes JMP 000C0000
.text C:\windows\system32\svchost.exe[292] ADVAPI32.dll!RegCreateKeyExW 76FC40FE 5 Bytes JMP 000C0F5E
.text C:\windows\system32\svchost.exe[292] ADVAPI32.dll!RegOpenKeyExW 76FC468D 5 Bytes JMP 000C0FC0
.text C:\windows\system32\svchost.exe[292] ADVAPI32.dll!RegOpenKeyExA 76FC4907 5 Bytes JMP 000C0011
.text C:\Program Files\Lenovo\ReadyComm\common\IGRS.exe[508] kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62]
.text C:\windows\system32\wbem\wmiprvse.exe[536] ntdll.dll!LdrUnloadDll 7720C86E 5 Bytes JMP 000603FC
.text C:\windows\system32\wbem\wmiprvse.exe[536] ntdll.dll!LdrLoadDll 7721223E 5 Bytes JMP 000601F8
.text C:\windows\system32\wbem\wmiprvse.exe[536] kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62]
.text C:\windows\system32\wbem\wmiprvse.exe[536] USER32.dll!UnhookWindowsHookEx 7730ADF9 5 Bytes JMP 00140A08
.text C:\windows\system32\wbem\wmiprvse.exe[536] USER32.dll!UnhookWinEvent 7730B750 5 Bytes JMP 001403FC
.text C:\windows\system32\wbem\wmiprvse.exe[536] USER32.dll!SetWindowsHookExW 7730E30C 5 Bytes JMP 00140804
.text C:\windows\system32\wbem\wmiprvse.exe[536] USER32.dll!SetWinEventHook 773124DC 5 Bytes JMP 001401F8
.text C:\windows\system32\wbem\wmiprvse.exe[536] USER32.dll!SetWindowsHookExA 77336D0C 5 Bytes JMP 00140600
.text C:\windows\system32\csrss.exe[548] kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62]
.text C:\windows\system32\wininit.exe[588] kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62]
.text C:\windows\system32\csrss.exe[604] kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62]
.text C:\windows\system32\services.exe[652] ntdll.dll!NtCreateFile 771F55C8 5 Bytes JMP 00040000
.text C:\windows\system32\services.exe[652] ntdll.dll!NtCreateProcess 771F5698 5 Bytes JMP 00040022
.text C:\windows\system32\services.exe[652] ntdll.dll!NtProtectVirtualMemory 771F5F18 5 Bytes JMP 00040011
.text C:\windows\system32\services.exe[652] kernel32.dll!GetStartupInfoA 76AB1E10 5 Bytes JMP 00030F79
.text C:\windows\system32\services.exe[652] kernel32.dll!CreateProcessW 76AB204D 5 Bytes JMP 000300E9
.text C:\windows\system32\services.exe[652] kernel32.dll!CreateProcessA 76AB2082 5 Bytes JMP 00030F54
.text C:\windows\system32\services.exe[652] kernel32.dll!CreateNamedPipeW 76AE2D47 5 Bytes JMP 00030FC3
.text C:\windows\system32\services.exe[652] kernel32.dll!VirtualProtect 76AF2BCD 5 Bytes JMP 0003007D
.text C:\windows\system32\services.exe[652] kernel32.dll!LoadLibraryExA 76AF4466 5 Bytes JMP 00030051
.text C:\windows\system32\services.exe[652] kernel32.dll!LoadLibraryExW 76AF5079 5 Bytes JMP 0003006C
.text C:\windows\system32\services.exe[652] kernel32.dll!GetProcAddress 76AFCC94 5 Bytes JMP 000300FA
.text C:\windows\system32\services.exe[652] kernel32.dll!LoadLibraryA 76AFDC65 5 Bytes JMP 0003002F
.text C:\windows\system32\services.exe[652] kernel32.dll!GetStartupInfoW 76AFE2DD 5 Bytes JMP 000300BD
.text C:\windows\system32\services.exe[652] kernel32.dll!CreateFileW 76AFE8A5 5 Bytes JMP 00030FEF
.text C:\windows\system32\services.exe[652] kernel32.dll!CreateFileA 76AFEA61 5 Bytes JMP 0003000A
.text C:\windows\system32\services.exe[652] kernel32.dll!LoadLibraryW 76AFEF42 5 Bytes JMP 00030040
.text C:\windows\system32\services.exe[652] kernel32.dll!CreatePipe 76B112A6 5 Bytes JMP 00030F8A
.text C:\windows\system32\services.exe[652] kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62]
.text C:\windows\system32\services.exe[652] kernel32.dll!CreateNamedPipeA 76B3DBA8 5 Bytes JMP 00030FD4
.text C:\windows\system32\services.exe[652] kernel32.dll!WinExec 76B3EDB2 5 Bytes JMP 000300D8
.text C:\windows\system32\services.exe[652] kernel32.dll!VirtualProtectEx 76B3FD51 5 Bytes JMP 0003008E
.text C:\windows\system32\services.exe[652] msvcrt.dll!_open 76BD7E48 5 Bytes JMP 00060FEF
.text C:\windows\system32\services.exe[652] msvcrt.dll!_wsystem 76C0B057 5 Bytes JMP 0006004E
.text C:\windows\system32\services.exe[652] msvcrt.dll!system 76C0B177 5 Bytes JMP 0006003D
.text C:\windows\system32\services.exe[652] msvcrt.dll!_creat 76C0ED31 5 Bytes JMP 00060FCD
.text C:\windows\system32\services.exe[652] msvcrt.dll!_wcreat 76C10396 5 Bytes JMP 00060018
.text C:\windows\system32\services.exe[652] msvcrt.dll!_wopen 76C10578 5 Bytes JMP 00060FDE
.text C:\windows\system32\services.exe[652] ADVAPI32.dll!RegOpenKeyA 76FBCC15 5 Bytes JMP 00CB0000
.text C:\windows\system32\services.exe[652] ADVAPI32.dll!RegCreateKeyA 76FBCD01 5 Bytes JMP 00CB0058
.text C:\windows\system32\services.exe[652] ADVAPI32.dll!RegCreateKeyExA 76FC1469 5 Bytes JMP 00CB007A
.text C:\windows\system32\services.exe[652] ADVAPI32.dll!RegCreateKeyW 76FC1514 5 Bytes JMP 00CB0069
.text C:\windows\system32\services.exe[652] ADVAPI32.dll!RegOpenKeyW 76FC2459 5 Bytes JMP 00CB0011
.text C:\windows\system32\services.exe[652] ADVAPI32.dll!RegCreateKeyExW 76FC40FE 5 Bytes JMP 00CB0095
.text C:\windows\system32\services.exe[652] ADVAPI32.dll!RegOpenKeyExW 76FC468D 5 Bytes JMP 00CB003D
.text C:\windows\system32\services.exe[652] ADVAPI32.dll!RegOpenKeyExA 76FC4907 5 Bytes JMP 00CB002C
? C:\windows\system32\services.exe[652] C:\windows\system32\smss.exe image checksum mismatch; time/date stamp mismatch; unknown module: MSWSOCK.dll
.text C:\windows\system32\services.exe[652] WS2_32.dll!socket 76393EB8 5 Bytes JMP 00050FEF
.text C:\windows\system32\winlogon.exe[676] kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62]
.text C:\windows\system32\lsass.exe[688] ntdll.dll!NtCreateFile 771F55C8 5 Bytes JMP 00180FEF
.text C:\windows\system32\lsass.exe[688] ntdll.dll!NtCreateProcess 771F5698 5 Bytes JMP 00180FCD
.text C:\windows\system32\lsass.exe[688] ntdll.dll!NtProtectVirtualMemory 771F5F18 5 Bytes JMP 00180FDE
.text C:\windows\system32\lsass.exe[688] kernel32.dll!GetStartupInfoA 76AB1E10 5 Bytes JMP 00170065
.text C:\windows\system32\lsass.exe[688] kernel32.dll!CreateProcessW 76AB204D 5 Bytes JMP 00170F06
.text C:\windows\system32\lsass.exe[688] kernel32.dll!CreateProcessA 76AB2082 5 Bytes JMP 00170F17
.text C:\windows\system32\lsass.exe[688] kernel32.dll!CreateNamedPipeW 76AE2D47 5 Bytes JMP 00170025
.text C:\windows\system32\lsass.exe[688] kernel32.dll!VirtualProtect 76AF2BCD 5 Bytes JMP 00170F61
.text C:\windows\system32\lsass.exe[688] kernel32.dll!LoadLibraryExA 76AF4466 5 Bytes JMP 00170F8D
.text C:\windows\system32\lsass.exe[688] kernel32.dll!LoadLibraryExW 76AF5079 5 Bytes JMP 00170F72
.text C:\windows\system32\lsass.exe[688] kernel32.dll!GetProcAddress 76AFCC94 5 Bytes JMP 001700AC
.text C:\windows\system32\lsass.exe[688] kernel32.dll!LoadLibraryA 76AFDC65 5 Bytes JMP 00170FB9
.text C:\windows\system32\lsass.exe[688] kernel32.dll!GetStartupInfoW 76AFE2DD 5 Bytes JMP 00170080
.text C:\windows\system32\lsass.exe[688] kernel32.dll!CreateFileW 76AFE8A5 5 Bytes JMP 00170FE5
.text C:\windows\system32\lsass.exe[688] kernel32.dll!CreateFileA 76AFEA61 5 Bytes JMP 0017000A
.text C:\windows\system32\lsass.exe[688] kernel32.dll!LoadLibraryW 76AFEF42 5 Bytes JMP 00170FA8
.text C:\windows\system32\lsass.exe[688] kernel32.dll!CreatePipe 76B112A6 5 Bytes JMP 00170F3C
.text C:\windows\system32\lsass.exe[688] kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62]
.text C:\windows\system32\lsass.exe[688] kernel32.dll!CreateNamedPipeA 76B3DBA8 5 Bytes JMP 00170FCA
.text C:\windows\system32\lsass.exe[688] kernel32.dll!WinExec 76B3EDB2 5 Bytes JMP 0017009B
.text C:\windows\system32\lsass.exe[688] kernel32.dll!VirtualProtectEx 76B3FD51 5 Bytes JMP 00170054
.text C:\windows\system32\lsass.exe[688] msvcrt.dll!_open 76BD7E48 5 Bytes JMP 00650FEF
.text C:\windows\system32\lsass.exe[688] msvcrt.dll!_wsystem 76C0B057 5 Bytes JMP 00650018
.text C:\windows\system32\lsass.exe[688] msvcrt.dll!system 76C0B177 5 Bytes JMP 00650F97
.text C:\windows\system32\lsass.exe[688] msvcrt.dll!_creat 76C0ED31 5 Bytes JMP 00650FCD
.text C:\windows\system32\lsass.exe[688] msvcrt.dll!_wcreat 76C10396 5 Bytes JMP 00650FB2
.text C:\windows\system32\lsass.exe[688] msvcrt.dll!_wopen 76C10578 5 Bytes JMP 00650FDE
.text C:\windows\system32\lsass.exe[688] ADVAPI32.dll!RegOpenKeyA 76FBCC15 5 Bytes JMP 00700FEF
.text C:\windows\system32\lsass.exe[688] ADVAPI32.dll!RegCreateKeyA 76FBCD01 5 Bytes JMP 0070003D
.text C:\windows\system32\lsass.exe[688] ADVAPI32.dll!RegCreateKeyExA 76FC1469 5 Bytes JMP 00700FB6
.text C:\windows\system32\lsass.exe[688] ADVAPI32.dll!RegCreateKeyW 76FC1514 5 Bytes JMP 00700058
.text C:\windows\system32\lsass.exe[688] ADVAPI32.dll!RegOpenKeyW 76FC2459 5 Bytes JMP 00700000
.text C:\windows\system32\lsass.exe[688] ADVAPI32.dll!RegCreateKeyExW 76FC40FE 5 Bytes JMP 00700F9B
.text C:\windows\system32\lsass.exe[688] ADVAPI32.dll!RegOpenKeyExW 76FC468D 5 Bytes JMP 0070002C
.text C:\windows\system32\lsass.exe[688] ADVAPI32.dll!RegOpenKeyExA 76FC4907 5 Bytes JMP 0070001B
.text C:\windows\system32\lsass.exe[688] WS2_32.dll!socket 76393EB8 5 Bytes JMP 00190000
.text C:\windows\system32\lsm.exe[696] kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62]
.text C:\windows\system32\svchost.exe[812] ntdll.dll!NtCreateFile 771F55C8 5 Bytes JMP 00270FE5
.text C:\windows\system32\svchost.exe[812] ntdll.dll!NtCreateProcess 771F5698 5 Bytes JMP 00270FB9
.text C:\windows\system32\svchost.exe[812] ntdll.dll!NtProtectVirtualMemory 771F5F18 5 Bytes JMP 00270FD4
.text C:\windows\system32\svchost.exe[812] kernel32.dll!GetStartupInfoA 76AB1E10 5 Bytes JMP 0026008E
.text C:\windows\system32\svchost.exe[812] kernel32.dll!CreateProcessW 76AB204D 5 Bytes JMP 002600CB
.text C:\windows\system32\svchost.exe[812] kernel32.dll!CreateProcessA 76AB2082 5 Bytes JMP 002600BA
.text C:\windows\system32\svchost.exe[812] kernel32.dll!CreateNamedPipeW 76AE2D47 5 Bytes JMP 00260022
.text C:\windows\system32\svchost.exe[812] kernel32.dll!VirtualProtect 76AF2BCD 5 Bytes JMP 00260F91
.text C:\windows\system32\svchost.exe[812] kernel32.dll!LoadLibraryExA 76AF4466 5 Bytes JMP 00260069
.text C:\windows\system32\svchost.exe[812] kernel32.dll!LoadLibraryExW 76AF5079 5 Bytes JMP 00260FA2
.text C:\windows\system32\svchost.exe[812] kernel32.dll!GetProcAddress 76AFCC94 5 Bytes JMP 00260F1B
.text C:\windows\system32\svchost.exe[812] kernel32.dll!LoadLibraryA 76AFDC65 5 Bytes JMP 00260033
.text C:\windows\system32\svchost.exe[812] kernel32.dll!GetStartupInfoW 76AFE2DD 5 Bytes JMP 00260F4A
.text C:\windows\system32\svchost.exe[812] kernel32.dll!CreateFileW 76AFE8A5 5 Bytes JMP 00260FDB
.text C:\windows\system32\svchost.exe[812] kernel32.dll!CreateFileA 76AFEA61 5 Bytes JMP 00260000
.text C:\windows\system32\svchost.exe[812] kernel32.dll!LoadLibraryW 76AFEF42 5 Bytes JMP 0026004E
.text C:\windows\system32\svchost.exe[812] kernel32.dll!CreatePipe 76B112A6 5 Bytes JMP 00260F65
.text C:\windows\system32\svchost.exe[812] kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62]
.text C:\windows\system32\svchost.exe[812] kernel32.dll!CreateNamedPipeA 76B3DBA8 5 Bytes JMP 00260011
.text C:\windows\system32\svchost.exe[812] kernel32.dll!WinExec 76B3EDB2 5 Bytes JMP 002600A9
.text C:\windows\system32\svchost.exe[812] kernel32.dll!VirtualProtectEx 76B3FD51 5 Bytes JMP 00260F80
.text C:\windows\system32\svchost.exe[812] msvcrt.dll!_open 76BD7E48 5 Bytes JMP 00310FE3
.text C:\windows\system32\svchost.exe[812] msvcrt.dll!_wsystem 76C0B057 5 Bytes JMP 00310027
.text C:\windows\system32\svchost.exe[812] msvcrt.dll!system 76C0B177 5 Bytes JMP 00310016
.text C:\windows\system32\svchost.exe[812] msvcrt.dll!_creat 76C0ED31 5 Bytes JMP 00310FB7
.text C:\windows\system32\svchost.exe[812] msvcrt.dll!_wcreat 76C10396 5 Bytes JMP 00310FA6
.text C:\windows\system32\svchost.exe[812] msvcrt.dll!_wopen 76C10578 5 Bytes JMP 00310FD2
.text C:\windows\system32\svchost.exe[812] ADVAPI32.dll!RegOpenKeyA 76FBCC15 5 Bytes JMP 004A0FEF
.text C:\windows\system32\svchost.exe[812] ADVAPI32.dll!RegCreateKeyA 76FBCD01 5 Bytes JMP 004A0FB2
.text C:\windows\system32\svchost.exe[812] ADVAPI32.dll!RegCreateKeyExA 76FC1469 5 Bytes JMP 004A0F90
.text C:\windows\system32\svchost.exe[812] ADVAPI32.dll!RegCreateKeyW 76FC1514 5 Bytes JMP 004A0FA1
.text C:\windows\system32\svchost.exe[812] ADVAPI32.dll!RegOpenKeyW 76FC2459 5 Bytes JMP 004A0FDE
.text C:\windows\system32\svchost.exe[812] ADVAPI32.dll!RegCreateKeyExW 76FC40FE 5 Bytes JMP 004A004D
.text C:\windows\system32\svchost.exe[812] ADVAPI32.dll!RegOpenKeyExW 76FC468D 5 Bytes JMP 004A0FCD
.text C:\windows\system32\svchost.exe[812] ADVAPI32.dll!RegOpenKeyExA 76FC4907 5 Bytes JMP 004A001E
.text C:\windows\system32\svchost.exe[812] WS2_32.dll!socket 76393EB8 5 Bytes JMP 00280000
.text C:\windows\system32\svchost.exe[904] ntdll.dll!NtCreateFile 771F55C8 5 Bytes JMP 0026000A
.text C:\windows\system32\svchost.exe[904] ntdll.dll!NtCreateProcess 771F5698 5 Bytes JMP 00260025
.text C:\windows\system32\svchost.exe[904] ntdll.dll!NtProtectVirtualMemory 771F5F18 5 Bytes JMP 00260FEF
.text C:\windows\system32\svchost.exe[904] kernel32.dll!GetStartupInfoA 76AB1E10 5 Bytes JMP 00200F72
.text C:\windows\system32\svchost.exe[904] kernel32.dll!CreateProcessW 76AB204D 5 Bytes JMP 002000D1
.text C:\windows\system32\svchost.exe[904] kernel32.dll!CreateProcessA 76AB2082 5 Bytes JMP 00200F3C
.text C:\windows\system32\svchost.exe[904] kernel32.dll!CreateNamedPipeW 76AE2D47 5 Bytes JMP 00200036
.text C:\windows\system32\svchost.exe[904] kernel32.dll!VirtualProtect 76AF2BCD 5 Bytes JMP 00200FA8
.text C:\windows\system32\svchost.exe[904] kernel32.dll!LoadLibraryExA 76AF4466 5 Bytes JMP 00200080
.text C:\windows\system32\svchost.exe[904] kernel32.dll!LoadLibraryExW 76AF5079 5 Bytes JMP 00200FB9
.text C:\windows\system32\svchost.exe[904] kernel32.dll!GetProcAddress 76AFCC94 5 Bytes JMP 002000EC
.text C:\windows\system32\svchost.exe[904] kernel32.dll!LoadLibraryA 76AFDC65 5 Bytes JMP 00200051
.text C:\windows\system32\svchost.exe[904] kernel32.dll!GetStartupInfoW 76AFE2DD 5 Bytes JMP 00200F57
.text C:\windows\system32\svchost.exe[904] kernel32.dll!CreateFileW 76AFE8A5 5 Bytes JMP 00200025
.text C:\windows\system32\svchost.exe[904] kernel32.dll!CreateFileA 76AFEA61 5 Bytes JMP 00200000
.text C:\windows\system32\svchost.exe[904] kernel32.dll!LoadLibraryW 76AFEF42 5 Bytes JMP 00200FD4
.text C:\windows\system32\svchost.exe[904] kernel32.dll!CreatePipe 76B112A6 5 Bytes JMP 002000A5
.text C:\windows\system32\svchost.exe[904] kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62]
.text C:\windows\system32\svchost.exe[904] kernel32.dll!CreateNamedPipeA 76B3DBA8 5 Bytes JMP 00200FEF
.text C:\windows\system32\svchost.exe[904] kernel32.dll!WinExec 76B3EDB2 1 Byte [E9]
.text C:\windows\system32\svchost.exe[904] kernel32.dll!WinExec 76B3EDB2 5 Bytes JMP 002000B6
.text C:\windows\system32\svchost.exe[904] kernel32.dll!VirtualProtectEx 76B3FD51 5 Bytes JMP 00200F97
.text C:\windows\system32\svchost.exe[904] msvcrt.dll!_open 76BD7E48 5 Bytes JMP 00440FEF
.text C:\windows\system32\svchost.exe[904] msvcrt.dll!_wsystem 76C0B057 5 Bytes JMP 0044000A
.text C:\windows\system32\svchost.exe[904] msvcrt.dll!system 76C0B177 5 Bytes JMP 00440F7F
.text C:\windows\system32\svchost.exe[904] msvcrt.dll!_creat 76C0ED31 5 Bytes JMP 00440FB5
.text C:\windows\system32\svchost.exe[904] msvcrt.dll!_wcreat 76C10396 1 Byte [E9]
.text C:\windows\system32\svchost.exe[904] msvcrt.dll!_wcreat 76C10396 5 Bytes JMP 00440F9A
.text C:\windows\system32\svchost.exe[904] msvcrt.dll!_wopen 76C10578 5 Bytes JMP 00440FD2
.text C:\windows\system32\svchost.exe[904] ADVAPI32.dll!RegOpenKeyA 76FBCC15 5 Bytes JMP 00450FEF
.text C:\windows\system32\svchost.exe[904] ADVAPI32.dll!RegCreateKeyA 76FBCD01 5 Bytes JMP 00450022
.text C:\windows\system32\svchost.exe[904] ADVAPI32.dll!RegCreateKeyExA 76FC1469 5 Bytes JMP 00450F9B
.text C:\windows\system32\svchost.exe[904] ADVAPI32.dll!RegCreateKeyW 76FC1514 5 Bytes JMP 0045003D
.text C:\windows\system32\svchost.exe[904] ADVAPI32.dll!RegOpenKeyW 76FC2459 5 Bytes JMP 00450000
.text C:\windows\system32\svchost.exe[904] ADVAPI32.dll!RegCreateKeyExW 76FC40FE 5 Bytes JMP 00450F8A
.text C:\windows\system32\svchost.exe[904] ADVAPI32.dll!RegOpenKeyExW 76FC468D 5 Bytes JMP 00450FB6
.text C:\windows\system32\svchost.exe[904] ADVAPI32.dll!RegOpenKeyExA 76FC4907 5 Bytes JMP 00450011
.text C:\windows\system32\svchost.exe[904] WS2_32.dll!socket 76393EB8 5 Bytes JMP 002B0000
.text C:\windows\System32\svchost.exe[976] ntdll.dll!NtCreateFile 771F55C8 5 Bytes JMP 006F0FEF
.text C:\windows\System32\svchost.exe[976] ntdll.dll!NtCreateProcess 771F5698 5 Bytes JMP 006F0014
.text C:\windows\System32\svchost.exe[976] ntdll.dll!NtProtectVirtualMemory 771F5F18 5 Bytes JMP 006F0FDE
.text C:\windows\System32\svchost.exe[976] kernel32.dll!GetStartupInfoA 76AB1E10 5 Bytes JMP 004E0F2F
.text C:\windows\System32\svchost.exe[976] kernel32.dll!CreateProcessW 76AB204D 5 Bytes JMP 004E0EF2
.text C:\windows\System32\svchost.exe[976] kernel32.dll!CreateProcessA 76AB2082 5 Bytes JMP 004E0F03
.text C:\windows\System32\svchost.exe[976] kernel32.dll!CreateNamedPipeW 76AE2D47 5 Bytes JMP 004E0011
.text C:\windows\System32\svchost.exe[976] kernel32.dll!VirtualProtect 76AF2BCD 5 Bytes JMP 004E0F65
.text C:\windows\System32\svchost.exe[976] kernel32.dll!LoadLibraryExA 76AF4466 5 Bytes JMP 004E0F8A
.text C:\windows\System32\svchost.exe[976] kernel32.dll!LoadLibraryExW 76AF5079 5 Bytes JMP 004E003D
.text C:\windows\System32\svchost.exe[976] kernel32.dll!GetProcAddress 76AFCC94 5 Bytes JMP 004E0ED7
.text C:\windows\System32\svchost.exe[976] kernel32.dll!LoadLibraryA 76AFDC65 5 Bytes JMP 004E0FAF
.text C:\windows\System32\svchost.exe[976] kernel32.dll!GetStartupInfoW 76AFE2DD 5 Bytes JMP 004E0F14
.text C:\windows\System32\svchost.exe[976] kernel32.dll!CreateFileW 76AFE8A5 5 Bytes JMP 004E0FCA
.text C:\windows\System32\svchost.exe[976] kernel32.dll!CreateFileA 76AFEA61 5 Bytes JMP 004E0FE5
.text C:\windows\System32\svchost.exe[976] kernel32.dll!LoadLibraryW 76AFEF42 5 Bytes JMP 004E002C
.text C:\windows\System32\svchost.exe[976] kernel32.dll!CreatePipe 76B112A6 5 Bytes JMP 004E0058
.text C:\windows\System32\svchost.exe[976] kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62]
.text C:\windows\System32\svchost.exe[976] kernel32.dll!CreateNamedPipeA 76B3DBA8 5 Bytes JMP 004E0000
.text C:\windows\System32\svchost.exe[976] kernel32.dll!WinExec 76B3EDB2 5 Bytes JMP 004E007D
.text C:\windows\System32\svchost.exe[976] kernel32.dll!VirtualProtectEx 76B3FD51 5 Bytes JMP 004E0F4A
.text C:\windows\System32\svchost.exe[976] msvcrt.dll!_open 76BD7E48 5 Bytes JMP 0075000C
.text C:\windows\System32\svchost.exe[976] msvcrt.dll!_wsystem 76C0B057 5 Bytes JMP 00750055
.text C:\windows\System32\svchost.exe[976] msvcrt.dll!system 76C0B177 5 Bytes JMP 00750FCA
.text C:\windows\System32\svchost.exe[976] msvcrt.dll!_creat 76C0ED31 5 Bytes JMP 00750FE5
.text C:\windows\System32\svchost.exe[976] msvcrt.dll!_wcreat 76C10396 5 Bytes JMP 0075003A
.text C:\windows\System32\svchost.exe[976] msvcrt.dll!_wopen 76C10578 5 Bytes JMP 0075001D
.text C:\windows\System32\svchost.exe[976] ADVAPI32.dll!RegOpenKeyA 76FBCC15 5 Bytes JMP 00760FEF
.text C:\windows\System32\svchost.exe[976] ADVAPI32.dll!RegCreateKeyA 76FBCD01 5 Bytes JMP 00760047
.text C:\windows\System32\svchost.exe[976] ADVAPI32.dll!RegCreateKeyExA 76FC1469 5 Bytes JMP 00760FB6
.text C:\windows\System32\svchost.exe[976] ADVAPI32.dll!RegCreateKeyW 76FC1514 5 Bytes JMP 00760058
.text C:\windows\System32\svchost.exe[976] ADVAPI32.dll!RegOpenKeyW 76FC2459 5 Bytes JMP 0076000A
.text C:\windows\System32\svchost.exe[976] ADVAPI32.dll!RegCreateKeyExW 76FC40FE 5 Bytes JMP 00760FA5
.text C:\windows\System32\svchost.exe[976] ADVAPI32.dll!RegOpenKeyExW 76FC468D 5 Bytes JMP 00760036
.text C:\windows\System32\svchost.exe[976] ADVAPI32.dll!RegOpenKeyExA 76FC4907 5 Bytes JMP 0076001B
.text C:\windows\System32\svchost.exe[976] WS2_32.dll!socket 76393EB8 5 Bytes JMP 00740000
.text C:\windows\System32\svchost.exe[1040] ntdll.dll!NtCreateFile 771F55C8 5 Bytes JMP 003E000A
.text C:\windows\System32\svchost.exe[1040] ntdll.dll!NtCreateProcess 771F5698 5 Bytes JMP 003E0FDE
.text C:\windows\System32\svchost.exe[1040] ntdll.dll!NtProtectVirtualMemory 771F5F18 5 Bytes JMP 003E0FEF
.text C:\windows\System32\svchost.exe[1040] kernel32.dll!GetStartupInfoA 76AB1E10 5 Bytes JMP 003C0065
.text C:\windows\System32\svchost.exe[1040] kernel32.dll!CreateProcessW 76AB204D 5 Bytes JMP 003C0EE1
.text C:\windows\System32\svchost.exe[1040] kernel32.dll!CreateProcessA 76AB2082 5 Bytes JMP 003C0080
.text C:\windows\System32\svchost.exe[1040] kernel32.dll!CreateNamedPipeW 76AE2D47 5 Bytes JMP 003C0FB9
.text C:\windows\System32\svchost.exe[1040] kernel32.dll!VirtualProtect 76AF2BCD 5 Bytes JMP 003C004A
.text C:\windows\System32\svchost.exe[1040] kernel32.dll!LoadLibraryExA 76AF4466 5 Bytes JMP 003C0025
.text C:\windows\System32\svchost.exe[1040] kernel32.dll!LoadLibraryExW 76AF5079 5 Bytes JMP 003C0F68
.text C:\windows\System32\svchost.exe[1040] kernel32.dll!GetProcAddress 76AFCC94 5 Bytes JMP 003C0ED0
.text C:\windows\System32\svchost.exe[1040] kernel32.dll!LoadLibraryA 76AFDC65 5 Bytes JMP 003C0F9E
.text C:\windows\System32\svchost.exe[1040] kernel32.dll!GetStartupInfoW 76AFE2DD 5 Bytes JMP 003C0F21
.text C:\windows\System32\svchost.exe[1040] kernel32.dll!CreateFileW 76AFE8A5 5 Bytes JMP 003C0000
.text C:\windows\System32\svchost.exe[1040] kernel32.dll!CreateFileA 76AFEA61 5 Bytes JMP 003C0FEF
.text C:\windows\System32\svchost.exe[1040] kernel32.dll!LoadLibraryW 76AFEF42 5 Bytes JMP 003C0F79
.text C:\windows\System32\svchost.exe[1040] kernel32.dll!CreatePipe 76B112A6 5 Bytes JMP 003C0F3C
.text C:\windows\System32\svchost.exe[1040] kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62]
.text C:\windows\System32\svchost.exe[1040] kernel32.dll!CreateNamedPipeA 76B3DBA8 5 Bytes JMP 003C0FCA
.text C:\windows\System32\svchost.exe[1040] kernel32.dll!WinExec 76B3EDB2 5 Bytes JMP 003C0F06
.text C:\windows\System32\svchost.exe[1040] kernel32.dll!VirtualProtectEx 76B3FD51 5 Bytes JMP 003C0F57
.text C:\windows\System32\svchost.exe[1040] msvcrt.dll!_open 76BD7E48 5 Bytes JMP 00A90000
.text C:\windows\System32\svchost.exe[1040] msvcrt.dll!_wsystem 76C0B057 5 Bytes JMP 00A90FC8
.text C:\windows\System32\svchost.exe[1040] msvcrt.dll!system 76C0B177 5 Bytes JMP 00A90FD9
.text C:\windows\System32\svchost.exe[1040] msvcrt.dll!_creat 76C0ED31 5 Bytes JMP 00A9002E
.text C:\windows\System32\svchost.exe[1040] msvcrt.dll!_wcreat 76C10396 5 Bytes JMP 00A90049
.text C:\windows\System32\svchost.exe[1040] msvcrt.dll!_wopen 76C10578 5 Bytes JMP 00A90011
.text C:\windows\System32\svchost.exe[1040] ADVAPI32.dll!RegOpenKeyA 76FBCC15 5 Bytes JMP 003D000A
.text C:\windows\System32\svchost.exe[1040] ADVAPI32.dll!RegCreateKeyA 76FBCD01 5 Bytes JMP 003D0FDE
.text C:\windows\System32\svchost.exe[1040] ADVAPI32.dll!RegCreateKeyExA 76FC1469 5 Bytes JMP 003D0065
.text C:\windows\System32\svchost.exe[1040] ADVAPI32.dll!RegCreateKeyW 76FC1514 5 Bytes JMP 003D0FC3
.text C:\windows\System32\svchost.exe[1040] ADVAPI32.dll!RegOpenKeyW 76FC2459 5 Bytes JMP 003D0FEF
.text C:\windows\System32\svchost.exe[1040] ADVAPI32.dll!RegCreateKeyExW 76FC40FE 5 Bytes JMP 003D0076
.text C:\windows\System32\svchost.exe[1040] ADVAPI32.dll!RegOpenKeyExW 76FC468D 5 Bytes JMP 003D0040
.text C:\windows\System32\svchost.exe[1040] ADVAPI32.dll!RegOpenKeyExA 76FC4907 5 Bytes JMP 003D002F
.text C:\windows\System32\svchost.exe[1040] WS2_32.dll!socket 76393EB8 5 Bytes JMP 003F0FEF
.text C:\windows\system32\svchost.exe[1072] ntdll.dll!NtCreateFile 771F55C8 5 Bytes JMP 00E80FEF
.text C:\windows\system32\svchost.exe[1072] ntdll.dll!NtCreateProcess 771F5698 5 Bytes JMP 00E80FCD
.text C:\windows\system32\svchost.exe[1072] ntdll.dll!NtProtectVirtualMemory 771F5F18 5 Bytes JMP 00E80FDE
.text C:\windows\system32\svchost.exe[1072] kernel32.dll!GetStartupInfoA 76AB1E10 5 Bytes JMP 00DA0062
.text C:\windows\system32\svchost.exe[1072] kernel32.dll!CreateProcessW 76AB204D 5 Bytes JMP 00DA00A9
.text C:\windows\system32\svchost.exe[1072] kernel32.dll!CreateProcessA 76AB2082 5 Bytes JMP 00DA0F1E
.text C:\windows\system32\svchost.exe[1072] kernel32.dll!CreateNamedPipeW 76AE2D47 5 Bytes JMP 00DA0FD4
.text C:\windows\system32\svchost.exe[1072] kernel32.dll!VirtualProtect 76AF2BCD 5 Bytes JMP 00DA0F65
.text C:\windows\system32\svchost.exe[1072] kernel32.dll!LoadLibraryExA 76AF4466 5 Bytes JMP 00DA0036
.text C:\windows\system32\svchost.exe[1072] kernel32.dll!LoadLibraryExW 76AF5079 5 Bytes JMP 00DA0047
.text C:\windows\system32\svchost.exe[1072] kernel32.dll!GetProcAddress 76AFCC94 5 Bytes JMP 00DA0F03
.text C:\windows\system32\svchost.exe[1072] kernel32.dll!LoadLibraryA 76AFDC65 5 Bytes JMP 00DA0FB9
.text C:\windows\system32\svchost.exe[1072] kernel32.dll!GetStartupInfoW 76AFE2DD 5 Bytes JMP 00DA0073
.text C:\windows\system32\svchost.exe[1072] kernel32.dll!CreateFileW 76AFE8A5 5 Bytes JMP 00DA0FE5
.text C:\windows\system32\svchost.exe[1072] kernel32.dll!CreateFileA 76AFEA61 5 Bytes JMP 00DA0000
.text C:\windows\system32\svchost.exe[1072] kernel32.dll!LoadLibraryW 76AFEF42 5 Bytes JMP 00DA0F94
.text C:\windows\system32\svchost.exe[1072] kernel32.dll!CreatePipe 76B112A6 5 Bytes JMP 00DA0F39
.text C:\windows\system32\svchost.exe[1072] kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62]
.text C:\windows\system32\svchost.exe[1072] kernel32.dll!CreateNamedPipeA 76B3DBA8 5 Bytes JMP 00DA0025
.text C:\windows\system32\svchost.exe[1072] kernel32.dll!WinExec 76B3EDB2 5 Bytes JMP 00DA0098
.text C:\windows\system32\svchost.exe[1072] kernel32.dll!VirtualProtectEx 76B3FD51 5 Bytes JMP 00DA0F54
.text C:\windows\system32\svchost.exe[1072] msvcrt.dll!_open 76BD7E48 5 Bytes JMP 00EE0FEF
.text C:\windows\system32\svchost.exe[1072] msvcrt.dll!_wsystem 76C0B057 5 Bytes JMP 00EE0FB9
.text C:\windows\system32\svchost.exe[1072] msvcrt.dll!system 76C0B177 5 Bytes JMP 00EE0044
.text C:\windows\system32\svchost.exe[1072] msvcrt.dll!_creat 76C0ED31 5 Bytes JMP 00EE0FDE
.text C:\windows\system32\svchost.exe[1072] msvcrt.dll!_wcreat 76C10396 5 Bytes JMP 00EE0033
.text
C:\windows\system32\svchost.exe[1072] msvcrt.dll!_wopen 76C10578 5 Bytes JMP 00EE000C .text C:\windows\system32\svchost.exe[1072] ADVAPI32.dll!RegOpenKeyA 76FBCC15 5 Bytes JMP 00DF0000 .text C:\windows\system32\svchost.exe[1072] ADVAPI32.dll!RegCreateKeyA 76FBCD01 5 Bytes JMP 00DF0051 .text C:\windows\system32\svchost.exe[1072] ADVAPI32.dll!RegCreateKeyExA 76FC1469 5 Bytes JMP 00DF0076 .text C:\windows\system32\svchost.exe[1072] ADVAPI32.dll!RegCreateKeyW 76FC1514 5 Bytes JMP 00DF0FD4 .text C:\windows\system32\svchost.exe[1072] ADVAPI32.dll!RegOpenKeyW 76FC2459 5 Bytes JMP 00DF001B .text C:\windows\system32\svchost.exe[1072] ADVAPI32.dll!RegCreateKeyExW 76FC40FE 5 Bytes JMP 00DF0087 .text C:\windows\system32\svchost.exe[1072] ADVAPI32.dll!RegOpenKeyExW 76FC468D 5 Bytes JMP 00DF0036 .text C:\windows\system32\svchost.exe[1072] ADVAPI32.dll!RegOpenKeyExA 76FC4907 5 Bytes JMP 00DF0FE5 .text C:\windows\system32\svchost.exe[1072] WS2_32.dll!socket 76393EB8 5 Bytes JMP 00E90FEF .text C:\windows\system32\svchost.exe[1200] ntdll.dll!NtCreateFile 771F55C8 5 Bytes JMP 00620FEF .text C:\windows\system32\svchost.exe[1200] ntdll.dll!NtCreateProcess 771F5698 5 Bytes JMP 00620FD4 .text C:\windows\system32\svchost.exe[1200] ntdll.dll!NtProtectVirtualMemory 771F5F18 5 Bytes JMP 00620014 .text C:\windows\system32\svchost.exe[1200] kernel32.dll!GetStartupInfoA 76AB1E10 5 Bytes JMP 006000EC .text C:\windows\system32\svchost.exe[1200] kernel32.dll!CreateProcessW 76AB204D 5 Bytes JMP 00600F61 .text C:\windows\system32\svchost.exe[1200] kernel32.dll!CreateProcessA 76AB2082 5 Bytes JMP 00600F7C .text C:\windows\system32\svchost.exe[1200] kernel32.dll!CreateNamedPipeW 76AE2D47 5 Bytes JMP 0060002F .text C:\windows\system32\svchost.exe[1200] kernel32.dll!VirtualProtect 76AF2BCD 5 Bytes JMP 006000A5 .text C:\windows\system32\svchost.exe[1200] kernel32.dll!LoadLibraryExA 76AF4466 5 Bytes JMP 00600080 .text C:\windows\system32\svchost.exe[1200] kernel32.dll!LoadLibraryExW 76AF5079 5 Bytes JMP 
00600FC3 .text C:\windows\system32\svchost.exe[1200] kernel32.dll!GetProcAddress 76AFCC94 5 Bytes JMP 00600111 .text C:\windows\system32\svchost.exe[1200] kernel32.dll!LoadLibraryA 76AFDC65 5 Bytes JMP 00600040 .text C:\windows\system32\svchost.exe[1200] kernel32.dll!GetStartupInfoW 76AFE2DD 5 Bytes JMP 00600FA8 .text C:\windows\system32\svchost.exe[1200] kernel32.dll!CreateFileW 76AFE8A5 5 Bytes JMP 00600014 .text C:\windows\system32\svchost.exe[1200] kernel32.dll!CreateFileA 76AFEA61 5 Bytes JMP 00600FEF .text C:\windows\system32\svchost.exe[1200] kernel32.dll!LoadLibraryW 76AFEF42 5 Bytes JMP 00600065 .text C:\windows\system32\svchost.exe[1200] kernel32.dll!CreatePipe 76B112A6 5 Bytes JMP 006000D1 .text C:\windows\system32\svchost.exe[1200] kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62] .text C:\windows\system32\svchost.exe[1200] kernel32.dll!CreateNamedPipeA 76B3DBA8 5 Bytes JMP 00600FDE .text C:\windows\system32\svchost.exe[1200] kernel32.dll!WinExec 76B3EDB2 5 Bytes JMP 00600F97 .text C:\windows\system32\svchost.exe[1200] kernel32.dll!VirtualProtectEx 76B3FD51 5 Bytes JMP 006000C0 .text C:\windows\system32\svchost.exe[1200] msvcrt.dll!_open 76BD7E48 5 Bytes JMP 00640FE3 .text C:\windows\system32\svchost.exe[1200] msvcrt.dll!_wsystem 76C0B057 5 Bytes JMP 0064004C .text C:\windows\system32\svchost.exe[1200] msvcrt.dll!system 76C0B177 5 Bytes JMP 00640FB7 .text C:\windows\system32\svchost.exe[1200] msvcrt.dll!_creat 76C0ED31 5 Bytes JMP 0064000C .text C:\windows\system32\svchost.exe[1200] msvcrt.dll!_wcreat 76C10396 5 Bytes JMP 0064001D .text C:\windows\system32\svchost.exe[1200] msvcrt.dll!_wopen 76C10578 5 Bytes JMP 00640FD2 .text C:\windows\system32\svchost.exe[1200] ADVAPI32.dll!RegOpenKeyA 76FBCC15 5 Bytes JMP 00610000 .text C:\windows\system32\svchost.exe[1200] ADVAPI32.dll!RegCreateKeyA 76FBCD01 5 Bytes JMP 00610FB6 .text C:\windows\system32\svchost.exe[1200] ADVAPI32.dll!RegCreateKeyExA 76FC1469 5 Bytes JMP 00610058 .text 
C:\windows\system32\svchost.exe[1200] ADVAPI32.dll!RegCreateKeyW 76FC1514 5 Bytes JMP 00610047 .text C:\windows\system32\svchost.exe[1200] ADVAPI32.dll!RegOpenKeyW 76FC2459 5 Bytes JMP 00610FDB .text C:\windows\system32\svchost.exe[1200] ADVAPI32.dll!RegCreateKeyExW 76FC40FE 5 Bytes JMP 0061007D .text C:\windows\system32\svchost.exe[1200] ADVAPI32.dll!RegOpenKeyExW 76FC468D 5 Bytes JMP 00610022 .text C:\windows\system32\svchost.exe[1200] ADVAPI32.dll!RegOpenKeyExA 76FC4907 5 Bytes JMP 00610011 .text C:\windows\system32\svchost.exe[1200] WS2_32.dll!socket 76393EB8 5 Bytes JMP 00630000 .text C:\Program Files\McAfee\SiteAdvisor\McSACore.exe[1332] kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62] .text C:\windows\system32\WLANExt.exe[1336] kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62] .text C:\windows\system32\conhost.exe[1352] kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62] .text C:\Program Files\Motorola\Bluetooth\devmgrsrv.exe[1388] kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62] .text C:\Windows\system32\WUDFHost.exe[1404] kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62] .text C:\windows\system32\svchost.exe[1464] ntdll.dll!NtCreateFile 771F55C8 5 Bytes JMP 01100FE5 .text C:\windows\system32\svchost.exe[1464] ntdll.dll!NtCreateProcess 771F5698 5 Bytes JMP 01100FB9 .text C:\windows\system32\svchost.exe[1464] ntdll.dll!NtProtectVirtualMemory 771F5F18 5 Bytes JMP 01100FD4 .text C:\windows\system32\svchost.exe[1464] kernel32.dll!GetStartupInfoA 76AB1E10 5 Bytes JMP 006C0F54 .text C:\windows\system32\svchost.exe[1464] kernel32.dll!CreateProcessW 76AB204D 5 Bytes JMP 006C0F39 .text C:\windows\system32\svchost.exe[1464] kernel32.dll!CreateProcessA 76AB2082 5 Bytes JMP 006C00C4 .text C:\windows\system32\svchost.exe[1464] kernel32.dll!CreateNamedPipeW 76AE2D47 5 Bytes JMP 006C0FC3 .text C:\windows\system32\svchost.exe[1464] kernel32.dll!VirtualProtect 76AF2BCD 5 Bytes JMP 006C005B .text C:\windows\system32\svchost.exe[1464] 
kernel32.dll!LoadLibraryExA 76AF4466 5 Bytes JMP 006C0F8D .text C:\windows\system32\svchost.exe[1464] kernel32.dll!LoadLibraryExW 76AF5079 5 Bytes JMP 006C004A .text C:\windows\system32\svchost.exe[1464] kernel32.dll!GetProcAddress 76AFCC94 5 Bytes JMP 006C00DF .text C:\windows\system32\svchost.exe[1464] kernel32.dll!LoadLibraryA 76AFDC65 5 Bytes JMP 006C002F .text C:\windows\system32\svchost.exe[1464] kernel32.dll!GetStartupInfoW 76AFE2DD 5 Bytes JMP 006C0098 .text C:\windows\system32\svchost.exe[1464] kernel32.dll!CreateFileW 76AFE8A5 5 Bytes JMP 006C0FE5 .text C:\windows\system32\svchost.exe[1464] kernel32.dll!CreateFileA 76AFEA61 5 Bytes JMP 006C0000 .text C:\windows\system32\svchost.exe[1464] kernel32.dll!LoadLibraryW 76AFEF42 5 Bytes JMP 006C0FA8 .text C:\windows\system32\svchost.exe[1464] kernel32.dll!CreatePipe 76B112A6 5 Bytes JMP 006C0087 .text C:\windows\system32\svchost.exe[1464] kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62] .text C:\windows\system32\svchost.exe[1464] kernel32.dll!CreateNamedPipeA 76B3DBA8 5 Bytes JMP 006C0FD4 .text C:\windows\system32\svchost.exe[1464] kernel32.dll!WinExec 76B3EDB2 5 Bytes JMP 006C00A9 .text C:\windows\system32\svchost.exe[1464] kernel32.dll!VirtualProtectEx 76B3FD51 5 Bytes JMP 006C006C .text C:\windows\system32\svchost.exe[1464] msvcrt.dll!_open 76BD7E48 5 Bytes JMP 0112000C .text C:\windows\system32\svchost.exe[1464] msvcrt.dll!_wsystem 76C0B057 5 Bytes JMP 0112006B .text C:\windows\system32\svchost.exe[1464] msvcrt.dll!system 76C0B177 5 Bytes JMP 0112005A .text C:\windows\system32\svchost.exe[1464] msvcrt.dll!_creat 76C0ED31 5 Bytes JMP 0112002E .text C:\windows\system32\svchost.exe[1464] msvcrt.dll!_wcreat 76C10396 5 Bytes JMP 01120049 .text C:\windows\system32\svchost.exe[1464] msvcrt.dll!_wopen 76C10578 5 Bytes JMP 0112001D .text C:\windows\system32\svchost.exe[1464] ADVAPI32.dll!RegOpenKeyA 76FBCC15 5 Bytes JMP 010F0FE5 .text C:\windows\system32\svchost.exe[1464] ADVAPI32.dll!RegCreateKeyA 76FBCD01 5 
Bytes JMP 010F0036 .text C:\windows\system32\svchost.exe[1464] ADVAPI32.dll!RegCreateKeyExA 76FC1469 5 Bytes JMP 010F0F94 .text C:\windows\system32\svchost.exe[1464] ADVAPI32.dll!RegCreateKeyW 76FC1514 5 Bytes JMP 010F0FA5 .text C:\windows\system32\svchost.exe[1464] ADVAPI32.dll!RegOpenKeyW 76FC2459 5 Bytes JMP 010F0000 .text C:\windows\system32\svchost.exe[1464] ADVAPI32.dll!RegCreateKeyExW 76FC40FE 5 Bytes JMP 010F0F79 .text C:\windows\system32\svchost.exe[1464] ADVAPI32.dll!RegOpenKeyExW 76FC468D 5 Bytes JMP 010F0FCA .text C:\windows\system32\svchost.exe[1464] ADVAPI32.dll!RegOpenKeyExA 76FC4907 5 Bytes JMP 010F0011 .text C:\windows\system32\svchost.exe[1464] WS2_32.dll!socket 76393EB8 5 Bytes JMP 01110FEF .text C:\windows\system32\mfevtps.exe[1520] kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62] .text C:\Program Files\Lenovo\LenovoSecuritySolution FP\upeksvr.exe[1584] kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62] .text C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe[1640] kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62] .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1648] kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1748] kernel32.dll!SetUnhandledExceptionFilter 76AFF4FB 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP } .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1748] kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62] .text C:\Program Files\Lenovo\LenovoSecuritySolution FP\upeksrvc.exe[1796] kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62] .text C:\windows\System32\spoolsv.exe[1896] kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62] .text C:\windows\system32\svchost.exe[1960] ntdll.dll!NtCreateFile 771F55C8 5 Bytes JMP 002D0000 .text C:\windows\system32\svchost.exe[1960] ntdll.dll!NtCreateProcess 771F5698 5 Bytes JMP 002D001B .text C:\windows\system32\svchost.exe[1960] ntdll.dll!NtProtectVirtualMemory 
771F5F18 5 Bytes JMP 002D0FE5 .text C:\windows\system32\svchost.exe[1960] kernel32.dll!GetStartupInfoA 76AB1E10 5 Bytes JMP 001F0F24 .text C:\windows\system32\svchost.exe[1960] kernel32.dll!CreateProcessW 76AB204D 5 Bytes JMP 001F009B .text C:\windows\system32\svchost.exe[1960] kernel32.dll!CreateProcessA 76AB2082 5 Bytes JMP 001F008A .text C:\windows\system32\svchost.exe[1960] kernel32.dll!CreateNamedPipeW 76AE2D47 5 Bytes JMP 001F0FD4 .text C:\windows\system32\svchost.exe[1960] kernel32.dll!VirtualProtect 76AF2BCD 5 Bytes JMP 001F0F61 .text C:\windows\system32\svchost.exe[1960] kernel32.dll!LoadLibraryExA 76AF4466 5 Bytes JMP 001F0F97 .text C:\windows\system32\svchost.exe[1960] kernel32.dll!LoadLibraryExW 76AF5079 5 Bytes JMP 001F0F7C .text C:\windows\system32\svchost.exe[1960] kernel32.dll!GetProcAddress 76AFCC94 5 Bytes JMP 001F00AC .text C:\windows\system32\svchost.exe[1960] kernel32.dll!LoadLibraryA 76AFDC65 5 Bytes JMP 001F0FB9 .text C:\windows\system32\svchost.exe[1960] kernel32.dll!GetStartupInfoW 76AFE2DD 5 Bytes JMP 001F0068 .text C:\windows\system32\svchost.exe[1960] kernel32.dll!CreateFileW 76AFE8A5 5 Bytes JMP 001F0011 .text C:\windows\system32\svchost.exe[1960] kernel32.dll!CreateFileA 76AFEA61 5 Bytes JMP 001F0000 .text C:\windows\system32\svchost.exe[1960] kernel32.dll!LoadLibraryW 76AFEF42 5 Bytes JMP 001F0FA8 .text C:\windows\system32\svchost.exe[1960] kernel32.dll!CreatePipe 76B112A6 5 Bytes JMP 001F0F35 .text C:\windows\system32\svchost.exe[1960] kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62] .text C:\windows\system32\svchost.exe[1960] kernel32.dll!CreateNamedPipeA 76B3DBA8 5 Bytes JMP 001F0FE5 .text C:\windows\system32\svchost.exe[1960] kernel32.dll!WinExec 76B3EDB2 5 Bytes JMP 001F0079 .text C:\windows\system32\svchost.exe[1960] kernel32.dll!VirtualProtectEx 76B3FD51 5 Bytes JMP 001F0F46 .text C:\windows\system32\svchost.exe[1960] msvcrt.dll!_open 76BD7E48 5 Bytes JMP 00240000 .text C:\windows\system32\svchost.exe[1960] 
msvcrt.dll!_wsystem 76C0B057 5 Bytes JMP 00240058 .text C:\windows\system32\svchost.exe[1960] msvcrt.dll!system 76C0B177 5 Bytes JMP 00240047 .text C:\windows\system32\svchost.exe[1960] msvcrt.dll!_creat 76C0ED31 5 Bytes JMP 00240011 .text C:\windows\system32\svchost.exe[1960] msvcrt.dll!_wcreat 76C10396 5 Bytes JMP 0024002C .text C:\windows\system32\svchost.exe[1960] msvcrt.dll!_wopen 76C10578 5 Bytes JMP 00240FD7 .text C:\windows\system32\svchost.exe[1960] ADVAPI32.dll!RegOpenKeyA 76FBCC15 5 Bytes JMP 002C000A .text C:\windows\system32\svchost.exe[1960] ADVAPI32.dll!RegCreateKeyA 76FBCD01 5 Bytes JMP 002C0058 .text C:\windows\system32\svchost.exe[1960] ADVAPI32.dll!RegCreateKeyExA 76FC1469 5 Bytes JMP 002C0FC0 .text C:\windows\system32\svchost.exe[1960] ADVAPI32.dll!RegCreateKeyW 76FC1514 5 Bytes JMP 002C0FD1 .text C:\windows\system32\svchost.exe[1960] ADVAPI32.dll!RegOpenKeyW 76FC2459 5 Bytes JMP 002C0025 .text C:\windows\system32\svchost.exe[1960] ADVAPI32.dll!RegCreateKeyExW 76FC40FE 5 Bytes JMP 002C0FAF .text C:\windows\system32\svchost.exe[1960] ADVAPI32.dll!RegOpenKeyExW 76FC468D 5 Bytes JMP 002C0047 .text C:\windows\system32\svchost.exe[1960] ADVAPI32.dll!RegOpenKeyExA 76FC4907 5 Bytes JMP 002C0036 .text C:\windows\system32\wermgr.exe[1988] ntdll.dll!LdrUnloadDll 7720C86E 5 Bytes JMP 000603FC .text C:\windows\system32\wermgr.exe[1988] ntdll.dll!LdrLoadDll 7721223E 5 Bytes JMP 000601F8 .text C:\windows\system32\wermgr.exe[1988] kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62] .text C:\windows\system32\wermgr.exe[1988] USER32.dll!UnhookWindowsHookEx 7730ADF9 5 Bytes JMP 00100A08 .text C:\windows\system32\wermgr.exe[1988] USER32.dll!UnhookWinEvent 7730B750 5 Bytes JMP 001003FC .text C:\windows\system32\wermgr.exe[1988] USER32.dll!SetWindowsHookExW 7730E30C 5 Bytes JMP 00100804 .text C:\windows\system32\wermgr.exe[1988] USER32.dll!SetWinEventHook 773124DC 5 Bytes JMP 001001F8 .text C:\windows\system32\wermgr.exe[1988] USER32.dll!SetWindowsHookExA 77336D0C 
5 Bytes JMP 00100600 .text C:\windows\system32\svchost.exe[2016] ntdll.dll!NtCreateFile 771F55C8 5 Bytes JMP 006F0FEF .text C:\windows\system32\svchost.exe[2016] ntdll.dll!NtCreateProcess 771F5698 5 Bytes JMP 006F0FB9 .text C:\windows\system32\svchost.exe[2016] ntdll.dll!NtProtectVirtualMemory 771F5F18 5 Bytes JMP 006F0FD4 .text C:\windows\system32\svchost.exe[2016] kernel32.dll!GetStartupInfoA 76AB1E10 5 Bytes JMP 006800C0 .text C:\windows\system32\svchost.exe[2016] kernel32.dll!CreateProcessW 76AB204D 5 Bytes JMP 00680F57 .text C:\windows\system32\svchost.exe[2016] kernel32.dll!CreateProcessA 76AB2082 5 Bytes JMP 006800EC .text C:\windows\system32\svchost.exe[2016] kernel32.dll!CreateNamedPipeW 76AE2D47 5 Bytes JMP 00680FDE .text C:\windows\system32\svchost.exe[2016] kernel32.dll!VirtualProtect 76AF2BCD 5 Bytes JMP 0068009B .text C:\windows\system32\svchost.exe[2016] kernel32.dll!LoadLibraryExA 76AF4466 5 Bytes JMP 00680FCD .text C:\windows\system32\svchost.exe[2016] kernel32.dll!LoadLibraryExW 76AF5079 5 Bytes JMP 00680080 .text C:\windows\system32\svchost.exe[2016] kernel32.dll!GetProcAddress 76AFCC94 5 Bytes JMP 006800FD .text C:\windows\system32\svchost.exe[2016] kernel32.dll!LoadLibraryA 76AFDC65 5 Bytes JMP 0068004A .text C:\windows\system32\svchost.exe[2016] kernel32.dll!GetStartupInfoW 76AFE2DD 5 Bytes JMP 00680F7C .text C:\windows\system32\svchost.exe[2016] kernel32.dll!CreateFileW 76AFE8A5 5 Bytes JMP 00680025 .text C:\windows\system32\svchost.exe[2016] kernel32.dll!CreateFileA 76AFEA61 5 Bytes JMP 0068000A .text C:\windows\system32\svchost.exe[2016] kernel32.dll!LoadLibraryW 76AFEF42 5 Bytes JMP 00680065 .text C:\windows\system32\svchost.exe[2016] kernel32.dll!CreatePipe 76B112A6 5 Bytes JMP 00680F8D .text C:\windows\system32\svchost.exe[2016] kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62] .text C:\windows\system32\svchost.exe[2016] kernel32.dll!CreateNamedPipeA 76B3DBA8 5 Bytes JMP 00680FEF .text C:\windows\system32\svchost.exe[2016] 
kernel32.dll!WinExec 76B3EDB2 5 Bytes JMP 006800DB .text C:\windows\system32\svchost.exe[2016] kernel32.dll!VirtualProtectEx 76B3FD51 5 Bytes JMP 00680F9E .text C:\windows\system32\svchost.exe[2016] msvcrt.dll!_open 76BD7E48 5 Bytes JMP 00690FEF .text C:\windows\system32\svchost.exe[2016] msvcrt.dll!_wsystem 76C0B057 5 Bytes JMP 00690F95 .text C:\windows\system32\svchost.exe[2016] msvcrt.dll!system 76C0B177 5 Bytes JMP 00690FA6 .text C:\windows\system32\svchost.exe[2016] msvcrt.dll!_creat 76C0ED31 5 Bytes JMP 0069000C .text C:\windows\system32\svchost.exe[2016] msvcrt.dll!_wcreat 76C10396 5 Bytes JMP 00690FB7 .text C:\windows\system32\svchost.exe[2016] msvcrt.dll!_wopen 76C10578 5 Bytes JMP 00690FDE .text C:\windows\system32\svchost.exe[2016] ADVAPI32.dll!RegOpenKeyA 76FBCC15 5 Bytes JMP 006E0FE5 .text C:\windows\system32\svchost.exe[2016] ADVAPI32.dll!RegCreateKeyA 76FBCD01 5 Bytes JMP 006E0F94 .text C:\windows\system32\svchost.exe[2016] ADVAPI32.dll!RegCreateKeyExA 76FC1469 5 Bytes JMP 006E0F68 .text C:\windows\system32\svchost.exe[2016] ADVAPI32.dll!RegCreateKeyW 76FC1514 5 Bytes JMP 006E0F83 .text C:\windows\system32\svchost.exe[2016] ADVAPI32.dll!RegOpenKeyW 76FC2459 5 Bytes JMP 006E0FD4 .text C:\windows\system32\svchost.exe[2016] ADVAPI32.dll!RegCreateKeyExW 76FC40FE 5 Bytes JMP 006E0025 .text C:\windows\system32\svchost.exe[2016] ADVAPI32.dll!RegOpenKeyExW 76FC468D 5 Bytes JMP 006E0000 .text C:\windows\system32\svchost.exe[2016] ADVAPI32.dll!RegOpenKeyExA 76FC4907 5 Bytes JMP 006E0FB9 .text C:\windows\system32\svchost.exe[2016] WS2_32.dll!socket 76393EB8 5 Bytes JMP 0062000A .text C:\windows\system32\rundll32.exe[2060] kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62] .text C:\Program Files\Lenovo\LenovoSecuritySolution FP\psqltray.exe[2080] ntdll.dll!LdrUnloadDll 7720C86E 5 Bytes JMP 001703FC .text C:\Program Files\Lenovo\LenovoSecuritySolution FP\psqltray.exe[2080] ntdll.dll!LdrLoadDll 7721223E 5 Bytes JMP 001701F8 .text C:\Program 
Files\Lenovo\LenovoSecuritySolution FP\psqltray.exe[2080] kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62] .text C:\Program Files\Lenovo\LenovoSecuritySolution FP\psqltray.exe[2080] USER32.dll!UnhookWindowsHookEx 7730ADF9 5 Bytes JMP 00200A08 .text C:\Program Files\Lenovo\LenovoSecuritySolution FP\psqltray.exe[2080] USER32.dll!UnhookWinEvent 7730B750 5 Bytes JMP 002003FC .text C:\Program Files\Lenovo\LenovoSecuritySolution FP\psqltray.exe[2080] USER32.dll!SetWindowsHookExW 7730E30C 5 Bytes JMP 00200804 .text C:\Program Files\Lenovo\LenovoSecuritySolution FP\psqltray.exe[2080] USER32.dll!SetWinEventHook 773124DC 5 Bytes JMP 002001F8 .text C:\Program Files\Lenovo\LenovoSecuritySolution FP\psqltray.exe[2080] USER32.dll!SetWindowsHookExA 77336D0C 5 Bytes JMP 00200600 .text C:\windows\system32\svchost.exe[2120] ntdll.dll!NtCreateFile 771F55C8 5 Bytes JMP 002F0000 .text C:\windows\system32\svchost.exe[2120] ntdll.dll!NtCreateProcess 771F5698 5 Bytes JMP 002F0FE5 .text C:\windows\system32\svchost.exe[2120] ntdll.dll!NtProtectVirtualMemory 771F5F18 5 Bytes JMP 002F0011 .text C:\windows\system32\svchost.exe[2120] kernel32.dll!GetStartupInfoA 76AB1E10 5 Bytes JMP 00240F54 .text C:\windows\system32\svchost.exe[2120] kernel32.dll!CreateProcessW 76AB204D 5 Bytes JMP 00240F1E .text C:\windows\system32\svchost.exe[2120] kernel32.dll!CreateProcessA 76AB2082 5 Bytes JMP 00240F2F .text C:\windows\system32\svchost.exe[2120] kernel32.dll!CreateNamedPipeW 76AE2D47 5 Bytes JMP 00240FD4 .text C:\windows\system32\svchost.exe[2120] kernel32.dll!VirtualProtect 76AF2BCD 5 Bytes JMP 00240F83 .text C:\windows\system32\svchost.exe[2120] kernel32.dll!LoadLibraryExA 76AF4466 5 Bytes JMP 00240FA8 .text C:\windows\system32\svchost.exe[2120] kernel32.dll!LoadLibraryExW 76AF5079 5 Bytes JMP 0024005B .text C:\windows\system32\svchost.exe[2120] kernel32.dll!GetProcAddress 76AFCC94 5 Bytes JMP 00240EF9 .text C:\windows\system32\svchost.exe[2120] kernel32.dll!LoadLibraryA 76AFDC65 5 Bytes JMP 
00240FB9 .text C:\windows\system32\svchost.exe[2120] kernel32.dll!GetStartupInfoW 76AFE2DD 5 Bytes JMP 00240098 .text C:\windows\system32\svchost.exe[2120] kernel32.dll!CreateFileW 76AFE8A5 5 Bytes JMP 0024000A .text C:\windows\system32\svchost.exe[2120] kernel32.dll!CreateFileA 76AFEA61 5 Bytes JMP 00240FEF .text C:\windows\system32\svchost.exe[2120] kernel32.dll!LoadLibraryW 76AFEF42 5 Bytes JMP 0024004A .text C:\windows\system32\svchost.exe[2120] kernel32.dll!CreatePipe 76B112A6 5 Bytes JMP 0024007D .text C:\windows\system32\svchost.exe[2120] kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62] .text C:\windows\system32\svchost.exe[2120] kernel32.dll!CreateNamedPipeA 76B3DBA8 5 Bytes JMP 0024002F .text C:\windows\system32\svchost.exe[2120] kernel32.dll!WinExec 76B3EDB2 5 Bytes JMP 002400A9 .text C:\windows\system32\svchost.exe[2120] kernel32.dll!VirtualProtectEx 76B3FD51 5 Bytes JMP 0024006C .text C:\windows\system32\svchost.exe[2120] msvcrt.dll!_open 76BD7E48 5 Bytes JMP 002D0000 .text C:\windows\system32\svchost.exe[2120] msvcrt.dll!_wsystem 76C0B057 5 Bytes JMP 002D0F7F .text C:\windows\system32\svchost.exe[2120] msvcrt.dll!system 76C0B177 5 Bytes JMP 002D0F90 .text C:\windows\system32\svchost.exe[2120] msvcrt.dll!_creat 76C0ED31 5 Bytes JMP 002D0FBC .text C:\windows\system32\svchost.exe[2120] msvcrt.dll!_wcreat 76C10396 5 Bytes JMP 002D0FAB .text C:\windows\system32\svchost.exe[2120] msvcrt.dll!_wopen 76C10578 5 Bytes JMP 002D0FE3 .text C:\windows\system32\svchost.exe[2120] ADVAPI32.dll!RegOpenKeyA 76FBCC15 5 Bytes JMP 002E0000 .text C:\windows\system32\svchost.exe[2120] ADVAPI32.dll!RegCreateKeyA 76FBCD01 5 Bytes JMP 002E0047 .text C:\windows\system32\svchost.exe[2120] ADVAPI32.dll!RegCreateKeyExA 76FC1469 5 Bytes JMP 002E0073 .text C:\windows\system32\svchost.exe[2120] ADVAPI32.dll!RegCreateKeyW 76FC1514 5 Bytes JMP 002E0062 .text C:\windows\system32\svchost.exe[2120] ADVAPI32.dll!RegOpenKeyW 76FC2459 5 Bytes JMP 002E0025 .text 
C:\windows\system32\svchost.exe[2120] ADVAPI32.dll!RegCreateKeyExW 76FC40FE 5 Bytes JMP 002E008E .text C:\windows\system32\svchost.exe[2120] ADVAPI32.dll!RegOpenKeyExW 76FC468D 5 Bytes JMP 002E0FE5 .text C:\windows\system32\svchost.exe[2120] ADVAPI32.dll!RegOpenKeyExA 76FC4907 5 Bytes JMP 002E0036 .text C:\windows\system32\svchost.exe[2120] WS2_32.dll!socket 76393EB8 5 Bytes JMP 00230000 .text C:\windows\System32\IgrsSvcs.exe[2140] kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62] .text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2160] kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62] .text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2264] kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62] .text C:\windows\system32\svchost.exe[2300] ntdll.dll!NtCreateFile 771F55C8 5 Bytes JMP 00240000 .text C:\windows\system32\svchost.exe[2300] ntdll.dll!NtCreateProcess 771F5698 5 Bytes JMP 00240FCA .text C:\windows\system32\svchost.exe[2300] ntdll.dll!NtProtectVirtualMemory 771F5F18 5 Bytes JMP 00240FE5 .text C:\windows\system32\svchost.exe[2300] kernel32.dll!GetStartupInfoA 76AB1E10 5 Bytes JMP 002100D1 .text C:\windows\system32\svchost.exe[2300] kernel32.dll!CreateProcessW 76AB204D 5 Bytes JMP 0021011B .text C:\windows\system32\svchost.exe[2300] kernel32.dll!CreateProcessA 76AB2082 5 Bytes JMP 00210F7C .text C:\windows\system32\svchost.exe[2300] kernel32.dll!CreateNamedPipeW 76AE2D47 5 Bytes JMP 00210040 .text C:\windows\system32\svchost.exe[2300] kernel32.dll!VirtualProtect 76AF2BCD 5 Bytes JMP 0021008A .text C:\windows\system32\svchost.exe[2300] kernel32.dll!LoadLibraryExA 76AF4466 5 Bytes JMP 00210FC3 .text C:\windows\system32\svchost.exe[2300] kernel32.dll!LoadLibraryExW 76AF5079 5 Bytes JMP 00210FB2 .text C:\windows\system32\svchost.exe[2300] kernel32.dll!GetProcAddress 76AFCC94 5 Bytes JMP 00210F61 .text C:\windows\system32\svchost.exe[2300] kernel32.dll!LoadLibraryA 76AFDC65 5 Bytes JMP 00210051 .text 
C:\windows\system32\svchost.exe[2300] kernel32.dll!GetStartupInfoW 76AFE2DD 5 Bytes JMP 002100EC .text C:\windows\system32\svchost.exe[2300] kernel32.dll!CreateFileW 76AFE8A5 5 Bytes JMP 00210025 .text C:\windows\system32\svchost.exe[2300] kernel32.dll!CreateFileA 76AFEA61 5 Bytes JMP 0021000A .text C:\windows\system32\svchost.exe[2300] kernel32.dll!LoadLibraryW 76AFEF42 5 Bytes JMP 00210FD4 .text C:\windows\system32\svchost.exe[2300] kernel32.dll!CreatePipe 76B112A6 5 Bytes JMP 002100B6 .text C:\windows\system32\svchost.exe[2300] kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62] .text C:\windows\system32\svchost.exe[2300] kernel32.dll!CreateNamedPipeA 76B3DBA8 5 Bytes JMP 00210FEF .text C:\windows\system32\svchost.exe[2300] kernel32.dll!WinExec 76B3EDB2 5 Bytes JMP 00210F8D .text C:\windows\system32\svchost.exe[2300] kernel32.dll!VirtualProtectEx 76B3FD51 5 Bytes JMP 0021009B .text C:\windows\system32\svchost.exe[2300] msvcrt.dll!_open 76BD7E48 5 Bytes JMP 00220FE3 .text C:\windows\system32\svchost.exe[2300] msvcrt.dll!_wsystem 76C0B057 5 Bytes JMP 00220038 .text C:\windows\system32\svchost.exe[2300] msvcrt.dll!system 76C0B177 5 Bytes JMP 00220FAD .text C:\windows\system32\svchost.exe[2300] msvcrt.dll!_creat 76C0ED31 5 Bytes JMP 0022001D .text C:\windows\system32\svchost.exe[2300] msvcrt.dll!_wcreat 76C10396 5 Bytes JMP 00220FBE .text C:\windows\system32\svchost.exe[2300] msvcrt.dll!_wopen 76C10578 5 Bytes JMP 0022000C .text C:\windows\system32\svchost.exe[2300] ADVAPI32.dll!RegOpenKeyA 76FBCC15 5 Bytes JMP 00230000 .text C:\windows\system32\svchost.exe[2300] ADVAPI32.dll!RegCreateKeyA 76FBCD01 5 Bytes JMP 0023006C .text C:\windows\system32\svchost.exe[2300] ADVAPI32.dll!RegCreateKeyExA 76FC1469 5 Bytes JMP 00230098 .text C:\windows\system32\svchost.exe[2300] ADVAPI32.dll!RegCreateKeyW 76FC1514 5 Bytes JMP 00230087 .text C:\windows\system32\svchost.exe[2300] ADVAPI32.dll!RegOpenKeyW 76FC2459 5 Bytes JMP 00230011 .text C:\windows\system32\svchost.exe[2300] 
ADVAPI32.dll!RegCreateKeyExW 76FC40FE 5 Bytes JMP 002300B3 .text C:\windows\system32\svchost.exe[2300] ADVAPI32.dll!RegOpenKeyExW 76FC468D 5 Bytes JMP 00230047 .text C:\windows\system32\svchost.exe[2300] ADVAPI32.dll!RegOpenKeyExA 76FC4907 5 Bytes JMP 0023002C .text C:\Program Files\Motorola\Bluetooth\obexsrv.exe[2452] kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62] .text C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe[2612] ntdll.dll!LdrUnloadDll 7720C86E 5 Bytes JMP 000603FC .text C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe[2612] ntdll.dll!LdrLoadDll 7721223E 5 Bytes JMP 000601F8 .text C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe[2612] kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62] .text C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe[2612] USER32.dll!UnhookWindowsHookEx 7730ADF9 5 Bytes JMP 000F0A08 .text C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe[2612] USER32.dll!UnhookWinEvent 7730B750 5 Bytes JMP 000F03FC .text C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe[2612] USER32.dll!SetWindowsHookExW 7730E30C 5 Bytes JMP 000F0804 .text C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe[2612] USER32.dll!SetWinEventHook 773124DC 5 Bytes JMP 000F01F8 .text C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe[2612] USER32.dll!SetWindowsHookExA 77336D0C 5 Bytes JMP 000F0600 .text C:\windows\system32\wermgr.exe[2668] ntdll.dll!LdrUnloadDll 7720C86E 5 Bytes JMP 000603FC .text C:\windows\system32\wermgr.exe[2668] ntdll.dll!LdrLoadDll 7721223E 5 Bytes JMP 000601F8 .text C:\windows\system32\wermgr.exe[2668] kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62] .text C:\windows\system32\wermgr.exe[2668] USER32.dll!UnhookWindowsHookEx 7730ADF9 5 Bytes JMP 00240A08 .text C:\windows\system32\wermgr.exe[2668] USER32.dll!UnhookWinEvent 7730B750 5 Bytes JMP 002403FC .text C:\windows\system32\wermgr.exe[2668] USER32.dll!SetWindowsHookExW 7730E30C 5 Bytes JMP 00240804 .text 
C:\windows\system32\wermgr.exe[2668] USER32.dll!SetWinEventHook 773124DC 5 Bytes JMP 002401F8 .text C:\windows\system32\wermgr.exe[2668] USER32.dll!SetWindowsHookExA 77336D0C 5 Bytes JMP 00240600 .text C:\windows\system32\taskhost.exe[2964] ntdll.dll!LdrUnloadDll 7720C86E 5 Bytes JMP 000503FC .text C:\windows\system32\taskhost.exe[2964] ntdll.dll!LdrLoadDll 7721223E 5 Bytes JMP 000501F8 .text C:\windows\system32\taskhost.exe[2964] kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62] .text C:\windows\system32\taskhost.exe[2964] USER32.dll!UnhookWindowsHookEx 7730ADF9 5 Bytes JMP 000E0A08 .text C:\windows\system32\taskhost.exe[2964] USER32.dll!UnhookWinEvent 7730B750 5 Bytes JMP 000E03FC .text C:\windows\system32\taskhost.exe[2964] USER32.dll!SetWindowsHookExW 7730E30C 5 Bytes JMP 000E0804 .text C:\windows\system32\taskhost.exe[2964] USER32.dll!SetWinEventHook 773124DC 5 Bytes JMP 000E01F8 .text C:\windows\system32\taskhost.exe[2964] USER32.dll!SetWindowsHookExA 77336D0C 5 Bytes JMP 000E0600 .text C:\windows\system32\Dwm.exe[3044] ntdll.dll!LdrUnloadDll 7720C86E 5 Bytes JMP 000603FC .text C:\windows\system32\Dwm.exe[3044] ntdll.dll!LdrLoadDll 7721223E 5 Bytes JMP 000601F8 .text C:\windows\system32\Dwm.exe[3044] kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62] .text C:\windows\system32\Dwm.exe[3044] USER32.dll!UnhookWindowsHookEx 7730ADF9 5 Bytes JMP 000F0A08 .text C:\windows\system32\Dwm.exe[3044] USER32.dll!UnhookWinEvent 7730B750 5 Bytes JMP 000F03FC .text C:\windows\system32\Dwm.exe[3044] USER32.dll!SetWindowsHookExW 7730E30C 5 Bytes JMP 000F0804 .text C:\windows\system32\Dwm.exe[3044] USER32.dll!SetWinEventHook 773124DC 5 Bytes JMP 000F01F8 .text C:\windows\system32\Dwm.exe[3044] USER32.dll!SetWindowsHookExA 77336D0C 5 Bytes JMP 000F0600 .text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[3064] ntdll.dll!LdrUnloadDll 7720C86E 5 Bytes JMP 000603FC .text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[3064] ntdll.dll!LdrLoadDll 
7721223E 5 Bytes JMP 000601F8 .text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[3064] kernel32.dll!LoadLibraryA 76AFDC65 5 Bytes JMP 6E9F9A20 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.) .text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[3064] kernel32.dll!LoadLibraryW 76AFEF42 5 Bytes JMP 6E9F9AE2 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.) .text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[3064] kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62] .text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[3064] USER32.dll!UnhookWindowsHookEx 7730ADF9 5 Bytes JMP 00150A08 .text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[3064] USER32.dll!UnhookWinEvent 7730B750 5 Bytes JMP 001503FC .text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[3064] USER32.dll!SetWindowsHookExW 7730E30C 5 Bytes JMP 00150804 .text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[3064] USER32.dll!SetWinEventHook 773124DC 5 Bytes JMP 001501F8 .text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[3064] USER32.dll!SetWindowsHookExA 77336D0C 5 Bytes JMP 00150600 .text C:\windows\Explorer.EXE[3260] ntdll.dll!NtCreateFile 771F55C8 5 Bytes JMP 04290000 .text C:\windows\Explorer.EXE[3260] ntdll.dll!NtCreateProcess 771F5698 5 Bytes JMP 04290FEF .text C:\windows\Explorer.EXE[3260] ntdll.dll!NtProtectVirtualMemory 771F5F18 5 Bytes JMP 0429001B .text C:\windows\Explorer.EXE[3260] ntdll.dll!LdrUnloadDll 7720C86E 5 Bytes JMP 000603FC .text C:\windows\Explorer.EXE[3260] ntdll.dll!LdrLoadDll 7721223E 5 Bytes JMP 000601F8 .text C:\windows\Explorer.EXE[3260] kernel32.dll!GetStartupInfoA 76AB1E10 5 Bytes JMP 04170F80 .text C:\windows\Explorer.EXE[3260] kernel32.dll!CreateProcessW 76AB204D 5 Bytes JMP 041700FA .text C:\windows\Explorer.EXE[3260] kernel32.dll!CreateProcessA 76AB2082 5 Bytes JMP 
041700DF .text C:\windows\Explorer.EXE[3260] kernel32.dll!CreateNamedPipeW 76AE2D47 5 Bytes JMP 04170036 .text C:\windows\Explorer.EXE[3260] kernel32.dll!VirtualProtect 76AF2BCD 5 Bytes JMP 0417007D .text C:\windows\Explorer.EXE[3260] kernel32.dll!LoadLibraryExA 76AF4466 5 Bytes JMP 04170051 .text C:\windows\Explorer.EXE[3260] kernel32.dll!LoadLibraryExW 76AF5079 5 Bytes JMP 04170062 .text C:\windows\Explorer.EXE[3260] kernel32.dll!GetProcAddress 76AFCC94 5 Bytes JMP 04170F40 .text C:\windows\Explorer.EXE[3260] kernel32.dll!LoadLibraryA 76AFDC65 5 Bytes JMP 04170FCA .text C:\windows\Explorer.EXE[3260] kernel32.dll!GetStartupInfoW 76AFE2DD 5 Bytes JMP 041700C4 .text C:\windows\Explorer.EXE[3260] kernel32.dll!CreateFileW 76AFE8A5 5 Bytes JMP 0417001B .text C:\windows\Explorer.EXE[3260] kernel32.dll!CreateFileA 76AFEA61 5 Bytes JMP 04170000 .text C:\windows\Explorer.EXE[3260] kernel32.dll!LoadLibraryW 76AFEF42 5 Bytes JMP 04170FAF .text C:\windows\Explorer.EXE[3260] kernel32.dll!CreatePipe 76B112A6 5 Bytes JMP 041700A9 .text C:\windows\Explorer.EXE[3260] kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62] .text C:\windows\Explorer.EXE[3260] kernel32.dll!CreateNamedPipeA 76B3DBA8 5 Bytes JMP 04170FE5 .text C:\windows\Explorer.EXE[3260] kernel32.dll!WinExec 76B3EDB2 5 Bytes JMP 04170F6F .text C:\windows\Explorer.EXE[3260] kernel32.dll!VirtualProtectEx 76B3FD51 5 Bytes JMP 04170098 .text C:\windows\Explorer.EXE[3260] ADVAPI32.dll!RegOpenKeyA 76FBCC15 5 Bytes JMP 04280000 .text C:\windows\Explorer.EXE[3260] ADVAPI32.dll!RegCreateKeyA 76FBCD01 5 Bytes JMP 04280FDB .text C:\windows\Explorer.EXE[3260] ADVAPI32.dll!RegCreateKeyExA 76FC1469 5 Bytes JMP 04280FB6 .text C:\windows\Explorer.EXE[3260] ADVAPI32.dll!RegCreateKeyW 76FC1514 5 Bytes JMP 04280062 .text C:\windows\Explorer.EXE[3260] ADVAPI32.dll!RegOpenKeyW 76FC2459 5 Bytes JMP 0428001B .text C:\windows\Explorer.EXE[3260] ADVAPI32.dll!RegCreateKeyExW 76FC40FE 5 Bytes JMP 04280FA5 .text C:\windows\Explorer.EXE[3260] 
ADVAPI32.dll!RegOpenKeyExW 76FC468D 5 Bytes JMP 04280047 .text C:\windows\Explorer.EXE[3260] ADVAPI32.dll!RegOpenKeyExA 76FC4907 5 Bytes JMP 04280036 .text C:\windows\Explorer.EXE[3260] msvcrt.dll!_open 76BD7E48 5 Bytes JMP 04260000 .text C:\windows\Explorer.EXE[3260] msvcrt.dll!_wsystem 76C0B057 5 Bytes JMP 04260047 .text C:\windows\Explorer.EXE[3260] msvcrt.dll!system 76C0B177 5 Bytes JMP 04260FBC .text C:\windows\Explorer.EXE[3260] msvcrt.dll!_creat 76C0ED31 5 Bytes JMP 04260FCD .text C:\windows\Explorer.EXE[3260] msvcrt.dll!_wcreat 76C10396 5 Bytes JMP 04260022 .text C:\windows\Explorer.EXE[3260] msvcrt.dll!_wopen 76C10578 5 Bytes JMP 04260011 .text C:\windows\Explorer.EXE[3260] USER32.dll!UnhookWindowsHookEx 7730ADF9 5 Bytes JMP 00110A08 .text C:\windows\Explorer.EXE[3260] USER32.dll!UnhookWinEvent 7730B750 5 Bytes JMP 001103FC .text C:\windows\Explorer.EXE[3260] USER32.dll!SetWindowsHookExW 7730E30C 5 Bytes JMP 00110804 .text C:\windows\Explorer.EXE[3260] USER32.dll!SetWinEventHook 773124DC 5 Bytes JMP 001101F8 .text C:\windows\Explorer.EXE[3260] USER32.dll!SetWindowsHookExA 77336D0C 5 Bytes JMP 00110600 .text C:\windows\Explorer.EXE[3260] WININET.dll!InternetOpenW 76E39197 5 Bytes JMP 04270FE5 .text C:\windows\Explorer.EXE[3260] WININET.dll!InternetOpenA 76E3F18E 5 Bytes JMP 04270000 .text C:\windows\Explorer.EXE[3260] WININET.dll!InternetOpenUrlA 76E530E9 5 Bytes JMP 04270025 .text C:\windows\Explorer.EXE[3260] WININET.dll!InternetOpenUrlW 76E8BF94 5 Bytes JMP 04270040 .text C:\windows\Explorer.EXE[3260] WS2_32.dll!socket 76393EB8 5 Bytes JMP 03F80FEF .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3424] ntdll.dll!LdrUnloadDll 7720C86E 5 Bytes JMP 001603FC .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3424] ntdll.dll!LdrLoadDll 7721223E 5 Bytes JMP 001601F8 .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3424] kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3424] 
USER32.dll!UnhookWindowsHookEx 7730ADF9 5 Bytes JMP 00200A08 .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3424] USER32.dll!UnhookWinEvent 7730B750 5 Bytes JMP 002003FC .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3424] USER32.dll!SetWindowsHookExW 7730E30C 5 Bytes JMP 00200804 .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3424] USER32.dll!SetWinEventHook 773124DC 5 Bytes JMP 002001F8 .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3424] USER32.dll!SetWindowsHookExA 77336D0C 5 Bytes JMP 00200600 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3472] ntdll.dll!LdrUnloadDll 7720C86E 5 Bytes JMP 001603FC .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3472] ntdll.dll!LdrLoadDll 7721223E 5 Bytes JMP 001601F8 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3472] kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3472] USER32.dll!UnhookWindowsHookEx 7730ADF9 5 Bytes JMP 00200A08 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3472] USER32.dll!UnhookWinEvent 7730B750 5 Bytes JMP 002003FC .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3472] USER32.dll!SetWindowsHookExW 7730E30C 5 Bytes JMP 00200804 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3472] USER32.dll!SetWinEventHook 773124DC 5 Bytes JMP 002001F8 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3472] USER32.dll!SetWindowsHookExA 77336D0C 5 Bytes JMP 00200600 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3556] ntdll.dll!LdrUnloadDll 7720C86E 5 Bytes JMP 001603FC .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3556] ntdll.dll!LdrLoadDll 7721223E 5 Bytes JMP 001601F8 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3556] kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3556] USER32.dll!UnhookWindowsHookEx 7730ADF9 5 Bytes JMP 001F0A08 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3556] USER32.dll!UnhookWinEvent 
7730B750 5 Bytes JMP 001F03FC .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3556] USER32.dll!SetWindowsHookExW 7730E30C 5 Bytes JMP 001F0804 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3556] USER32.dll!SetWinEventHook 773124DC 5 Bytes JMP 001F01F8 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3556] USER32.dll!SetWindowsHookExA 77336D0C 5 Bytes JMP 001F0600 .text C:\Program Files\Lenovo\VeriFace\PManage.exe[3632] ntdll.dll!LdrUnloadDll 7720C86E 5 Bytes JMP 001603FC .text C:\Program Files\Lenovo\VeriFace\PManage.exe[3632] ntdll.dll!LdrLoadDll 7721223E 5 Bytes JMP 001601F8 .text C:\Program Files\Lenovo\VeriFace\PManage.exe[3632] kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62] .text C:\Program Files\Lenovo\VeriFace\PManage.exe[3632] USER32.dll!UnhookWindowsHookEx 7730ADF9 5 Bytes JMP 00200A08 .text C:\Program Files\Lenovo\VeriFace\PManage.exe[3632] USER32.dll!UnhookWinEvent 7730B750 5 Bytes JMP 002003FC .text C:\Program Files\Lenovo\VeriFace\PManage.exe[3632] USER32.dll!SetWindowsHookExW 7730E30C 5 Bytes JMP 00200804 .text C:\Program Files\Lenovo\VeriFace\PManage.exe[3632] USER32.dll!SetWinEventHook 773124DC 5 Bytes JMP 002001F8 .text C:\Program Files\Lenovo\VeriFace\PManage.exe[3632] USER32.dll!SetWindowsHookExA 77336D0C 5 Bytes JMP 00200600 .text C:\Program Files\Lenovo\Energy Management\utility.exe[3652] ntdll.dll!LdrUnloadDll 7720C86E 5 Bytes JMP 001603FC .text C:\Program Files\Lenovo\Energy Management\utility.exe[3652] ntdll.dll!LdrLoadDll 7721223E 5 Bytes JMP 001601F8 .text C:\Program Files\Lenovo\Energy Management\utility.exe[3652] kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62] .text C:\Program Files\Lenovo\Energy Management\utility.exe[3652] USER32.dll!UnhookWindowsHookEx 7730ADF9 5 Bytes JMP 002F0A08 .text C:\Program Files\Lenovo\Energy Management\utility.exe[3652] USER32.dll!UnhookWinEvent 7730B750 5 Bytes JMP 002F03FC .text C:\Program Files\Lenovo\Energy Management\utility.exe[3652] USER32.dll!SetWindowsHookExW 
7730E30C 5 Bytes JMP 002F0804 .text C:\Program Files\Lenovo\Energy Management\utility.exe[3652] USER32.dll!SetWinEventHook 773124DC 5 Bytes JMP 002F01F8 .text C:\Program Files\Lenovo\Energy Management\utility.exe[3652] USER32.dll!SetWindowsHookExA 77336D0C 5 Bytes JMP 002F0600 .text C:\Program Files\Lenovo\Energy Management\Energy Management.exe[3688] ntdll.dll!LdrUnloadDll 7720C86E 5 Bytes JMP 001603FC .text C:\Program Files\Lenovo\Energy Management\Energy Management.exe[3688] ntdll.dll!LdrLoadDll 7721223E 5 Bytes JMP 001601F8 .text C:\Program Files\Lenovo\Energy Management\Energy Management.exe[3688] kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62] .text C:\Program Files\Lenovo\Energy Management\Energy Management.exe[3688] USER32.dll!UnhookWindowsHookEx 7730ADF9 5 Bytes JMP 00210A08 .text C:\Program Files\Lenovo\Energy Management\Energy Management.exe[3688] USER32.dll!UnhookWinEvent 7730B750 5 Bytes JMP 002103FC .text C:\Program Files\Lenovo\Energy Management\Energy Management.exe[3688] USER32.dll!SetWindowsHookExW 7730E30C 5 Bytes JMP 00210804 .text C:\Program Files\Lenovo\Energy Management\Energy Management.exe[3688] USER32.dll!SetWinEventHook 773124DC 5 Bytes JMP 002101F8 .text C:\Program Files\Lenovo\Energy Management\Energy Management.exe[3688] USER32.dll!SetWindowsHookExA 77336D0C 5 Bytes JMP 00210600 .text C:\Program Files\McAfee.com\Agent\mcagent.exe[3708] ntdll.dll!LdrUnloadDll 7720C86E 5 Bytes JMP 001603FC .text C:\Program Files\McAfee.com\Agent\mcagent.exe[3708] ntdll.dll!LdrLoadDll 7721223E 5 Bytes JMP 001601F8 .text C:\Program Files\McAfee.com\Agent\mcagent.exe[3708] kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62] .text C:\Program Files\McAfee.com\Agent\mcagent.exe[3708] USER32.dll!UnhookWindowsHookEx 7730ADF9 5 Bytes JMP 00180A08 .text C:\Program Files\McAfee.com\Agent\mcagent.exe[3708] USER32.dll!UnhookWinEvent 7730B750 5 Bytes JMP 001803FC .text C:\Program Files\McAfee.com\Agent\mcagent.exe[3708] USER32.dll!SetWindowsHookExW 7730E30C 5 
Bytes JMP 00180804 .text C:\Program Files\McAfee.com\Agent\mcagent.exe[3708] USER32.dll!SetWinEventHook 773124DC 5 Bytes JMP 001801F8 .text C:\Program Files\McAfee.com\Agent\mcagent.exe[3708] USER32.dll!SetWindowsHookExA 77336D0C 5 Bytes JMP 00180600 .text C:\Windows\System32\igfxtray.exe[3724] ntdll.dll!LdrUnloadDll 7720C86E 5 Bytes JMP 001603FC .text C:\Windows\System32\igfxtray.exe[3724] ntdll.dll!LdrLoadDll 7721223E 5 Bytes JMP 001601F8 .text C:\Windows\System32\igfxtray.exe[3724] kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62] .text C:\Windows\System32\igfxtray.exe[3724] USER32.dll!UnhookWindowsHookEx 7730ADF9 5 Bytes JMP 00190A08 .text C:\Windows\System32\igfxtray.exe[3724] USER32.dll!UnhookWinEvent 7730B750 5 Bytes JMP 001903FC .text C:\Windows\System32\igfxtray.exe[3724] USER32.dll!SetWindowsHookExW 7730E30C 5 Bytes JMP 00190804 .text C:\Windows\System32\igfxtray.exe[3724] USER32.dll!SetWinEventHook 773124DC 5 Bytes JMP 001901F8 .text C:\Windows\System32\igfxtray.exe[3724] USER32.dll!SetWindowsHookExA 77336D0C 5 Bytes JMP 00190600 .text C:\Windows\System32\hkcmd.exe[3736] ntdll.dll!LdrUnloadDll 7720C86E 5 Bytes JMP 001603FC .text C:\Windows\System32\hkcmd.exe[3736] ntdll.dll!LdrLoadDll 7721223E 5 Bytes JMP 001601F8 .text C:\Windows\System32\hkcmd.exe[3736] kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62] .text C:\Windows\System32\hkcmd.exe[3736] USER32.dll!UnhookWindowsHookEx 7730ADF9 5 Bytes JMP 00200A08 .text C:\Windows\System32\hkcmd.exe[3736] USER32.dll!UnhookWinEvent 7730B750 5 Bytes JMP 002003FC .text C:\Windows\System32\hkcmd.exe[3736] USER32.dll!SetWindowsHookExW 7730E30C 5 Bytes JMP 00200804 .text C:\Windows\System32\hkcmd.exe[3736] USER32.dll!SetWinEventHook 773124DC 5 Bytes JMP 002001F8 .text C:\Windows\System32\hkcmd.exe[3736] USER32.dll!SetWindowsHookExA 77336D0C 5 Bytes JMP 00200600 .text C:\Windows\System32\igfxpers.exe[3744] ntdll.dll!LdrUnloadDll 7720C86E 5 Bytes JMP 001603FC .text C:\Windows\System32\igfxpers.exe[3744] 
ntdll.dll!LdrLoadDll 7721223E 5 Bytes JMP 001601F8 .text C:\Windows\System32\igfxpers.exe[3744] kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62] .text C:\Windows\System32\igfxpers.exe[3744] USER32.dll!UnhookWindowsHookEx 7730ADF9 5 Bytes JMP 00210A08 .text C:\Windows\System32\igfxpers.exe[3744] USER32.dll!UnhookWinEvent 7730B750 5 Bytes JMP 002103FC .text C:\Windows\System32\igfxpers.exe[3744] USER32.dll!SetWindowsHookExW 7730E30C 5 Bytes JMP 00210804 .text C:\Windows\System32\igfxpers.exe[3744] USER32.dll!SetWinEventHook 773124DC 5 Bytes JMP 002101F8 .text C:\Windows\System32\igfxpers.exe[3744] USER32.dll!SetWindowsHookExA 77336D0C 5 Bytes JMP 00210600 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3752] kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62] .text C:\windows\servicing\TrustedInstaller.exe[3836] ntdll.dll!LdrUnloadDll 7720C86E 5 Bytes JMP 000503FC .text C:\windows\servicing\TrustedInstaller.exe[3836] ntdll.dll!LdrLoadDll 7721223E 5 Bytes JMP 000501F8 .text C:\windows\servicing\TrustedInstaller.exe[3836] kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62] .text C:\windows\servicing\TrustedInstaller.exe[3836] USER32.dll!UnhookWindowsHookEx 7730ADF9 5 Bytes JMP 00080A08 .text C:\windows\servicing\TrustedInstaller.exe[3836] USER32.dll!UnhookWinEvent 7730B750 5 Bytes JMP 000803FC .text C:\windows\servicing\TrustedInstaller.exe[3836] USER32.dll!SetWindowsHookExW 7730E30C 5 Bytes JMP 00080804 .text C:\windows\servicing\TrustedInstaller.exe[3836] USER32.dll!SetWinEventHook 773124DC 5 Bytes JMP 000801F8 .text C:\windows\servicing\TrustedInstaller.exe[3836] USER32.dll!SetWindowsHookExA 77336D0C 5 Bytes JMP 00080600 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3856] ntdll.dll!LdrUnloadDll 7720C86E 5 Bytes JMP 001703FC .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3856] ntdll.dll!LdrLoadDll 7721223E 5 Bytes JMP 001701F8 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3856] 
kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3856] USER32.dll!UnhookWindowsHookEx 7730ADF9 5 Bytes JMP 00210A08 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3856] USER32.dll!UnhookWinEvent 7730B750 5 Bytes JMP 002103FC .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3856] USER32.dll!SetWindowsHookExW 7730E30C 5 Bytes JMP 00210804 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3856] USER32.dll!SetWinEventHook 773124DC 5 Bytes JMP 002101F8 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3856] USER32.dll!SetWindowsHookExA 77336D0C 5 Bytes JMP 00210600 .text C:\Windows\System32\rundll32.exe[3864] ntdll.dll!LdrUnloadDll 7720C86E 5 Bytes JMP 000B03FC .text C:\Windows\System32\rundll32.exe[3864] ntdll.dll!LdrLoadDll 7721223E 5 Bytes JMP 000B01F8 .text C:\Windows\System32\rundll32.exe[3864] kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62] .text C:\Windows\System32\rundll32.exe[3864] USER32.dll!UnhookWindowsHookEx 7730ADF9 5 Bytes JMP 00140A08 .text C:\Windows\System32\rundll32.exe[3864] USER32.dll!UnhookWinEvent 7730B750 5 Bytes JMP 001403FC .text C:\Windows\System32\rundll32.exe[3864] USER32.dll!SetWindowsHookExW 7730E30C 5 Bytes JMP 00140804 .text C:\Windows\System32\rundll32.exe[3864] USER32.dll!SetWinEventHook 773124DC 5 Bytes JMP 001401F8 .text C:\Windows\System32\rundll32.exe[3864] USER32.dll!SetWindowsHookExA 77336D0C 5 Bytes JMP 00140600 .text C:\Windows\System32\rundll32.exe[3872] ntdll.dll!LdrUnloadDll 7720C86E 5 Bytes JMP 000703FC .text C:\Windows\System32\rundll32.exe[3872] ntdll.dll!LdrLoadDll 7721223E 5 Bytes JMP 000701F8 .text C:\Windows\System32\rundll32.exe[3872] kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62] .text C:\Windows\System32\rundll32.exe[3872] USER32.dll!UnhookWindowsHookEx 7730ADF9 5 Bytes JMP 00090A08 .text C:\Windows\System32\rundll32.exe[3872] USER32.dll!UnhookWinEvent 7730B750 5 Bytes 
JMP 000903FC .text C:\Windows\System32\rundll32.exe[3872] USER32.dll!SetWindowsHookExW 7730E30C 5 Bytes JMP 00090804 .text C:\Windows\System32\rundll32.exe[3872] USER32.dll!SetWinEventHook 773124DC 5 Bytes JMP 000901F8 .text C:\Windows\System32\rundll32.exe[3872] USER32.dll!SetWindowsHookExA 77336D0C 5 Bytes JMP 00090600 .text C:\Program Files\Windows Sidebar\sidebar.exe[3888] ntdll.dll!LdrUnloadDll 7720C86E 5 Bytes JMP 000603FC .text C:\Program Files\Windows Sidebar\sidebar.exe[3888] ntdll.dll!LdrLoadDll 7721223E 5 Bytes JMP 000601F8 .text C:\Program Files\Windows Sidebar\sidebar.exe[3888] kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62] .text C:\Program Files\Windows Sidebar\sidebar.exe[3888] USER32.dll!UnhookWindowsHookEx 7730ADF9 5 Bytes JMP 00110A08 .text C:\Program Files\Windows Sidebar\sidebar.exe[3888] USER32.dll!UnhookWinEvent 7730B750 5 Bytes JMP 001103FC .text C:\Program Files\Windows Sidebar\sidebar.exe[3888] USER32.dll!SetWindowsHookExW 7730E30C 5 Bytes JMP 00110804 .text C:\Program Files\Windows Sidebar\sidebar.exe[3888] USER32.dll!SetWinEventHook 773124DC 5 Bytes JMP 001101F8 .text C:\Program Files\Windows Sidebar\sidebar.exe[3888] USER32.dll!SetWindowsHookExA 77336D0C 5 Bytes JMP 00110600 .text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe[4220] ntdll.dll!LdrUnloadDll 7720C86E 5 Bytes JMP 001503FC .text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe[4220] ntdll.dll!LdrLoadDll 7721223E 5 Bytes JMP 001501F8 .text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe[4220] kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62] .text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe[4220] USER32.dll!UnhookWindowsHookEx 7730ADF9 5 Bytes JMP 001F0A08 .text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe[4220] USER32.dll!UnhookWinEvent 7730B750 5 
Bytes JMP 001F03FC .text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe[4220] USER32.dll!SetWindowsHookExW 7730E30C 5 Bytes JMP 001F0804 .text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe[4220] USER32.dll!SetWinEventHook 773124DC 5 Bytes JMP 001F01F8 .text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe[4220] USER32.dll!SetWindowsHookExA 77336D0C 5 Bytes JMP 001F0600 .text C:\windows\system32\SearchIndexer.exe[4324] ntdll.dll!LdrUnloadDll 7720C86E 5 Bytes JMP 000603FC .text C:\windows\system32\SearchIndexer.exe[4324] ntdll.dll!LdrLoadDll 7721223E 5 Bytes JMP 000601F8 .text C:\windows\system32\SearchIndexer.exe[4324] kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62] .text C:\windows\system32\SearchIndexer.exe[4324] USER32.dll!UnhookWindowsHookEx 7730ADF9 5 Bytes JMP 00140A08 .text C:\windows\system32\SearchIndexer.exe[4324] USER32.dll!UnhookWinEvent 7730B750 5 Bytes JMP 001403FC .text C:\windows\system32\SearchIndexer.exe[4324] USER32.dll!SetWindowsHookExW 7730E30C 5 Bytes JMP 00140804 .text C:\windows\system32\SearchIndexer.exe[4324] USER32.dll!SetWinEventHook 773124DC 5 Bytes JMP 001401F8 .text C:\windows\system32\SearchIndexer.exe[4324] USER32.dll!SetWindowsHookExA 77336D0C 5 Bytes JMP 00140600 .text C:\windows\system32\wermgr.exe[4408] ntdll.dll!LdrUnloadDll 7720C86E 5 Bytes JMP 000603FC .text C:\windows\system32\wermgr.exe[4408] ntdll.dll!LdrLoadDll 7721223E 5 Bytes JMP 000601F8 .text C:\windows\system32\wermgr.exe[4408] kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62] .text C:\windows\system32\wermgr.exe[4408] USER32.dll!UnhookWindowsHookEx 7730ADF9 5 Bytes JMP 00100A08 .text C:\windows\system32\wermgr.exe[4408] USER32.dll!UnhookWinEvent 7730B750 5 Bytes JMP 001003FC .text C:\windows\system32\wermgr.exe[4408] USER32.dll!SetWindowsHookExW 7730E30C 5 Bytes JMP 00100804 .text C:\windows\system32\wermgr.exe[4408] 
USER32.dll!SetWinEventHook 773124DC 5 Bytes JMP 001001F8 .text C:\windows\system32\wermgr.exe[4408] USER32.dll!SetWindowsHookExA 77336D0C 5 Bytes JMP 00100600 .text C:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[4528] KERNEL32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62] .text C:\windows\system32\taskmgr.exe[4864] ntdll.dll!LdrUnloadDll 7720C86E 5 Bytes JMP 000A03FC .text C:\windows\system32\taskmgr.exe[4864] ntdll.dll!LdrLoadDll 7721223E 5 Bytes JMP 000A01F8 .text C:\windows\system32\taskmgr.exe[4864] kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62] .text C:\windows\system32\taskmgr.exe[4864] USER32.dll!UnhookWindowsHookEx 7730ADF9 5 Bytes JMP 00140A08 .text C:\windows\system32\taskmgr.exe[4864] USER32.dll!UnhookWinEvent 7730B750 5 Bytes JMP 001403FC .text C:\windows\system32\taskmgr.exe[4864] USER32.dll!SetWindowsHookExW 7730E30C 5 Bytes JMP 00140804 .text C:\windows\system32\taskmgr.exe[4864] USER32.dll!SetWinEventHook 773124DC 5 Bytes JMP 001401F8 .text C:\windows\system32\taskmgr.exe[4864] USER32.dll!SetWindowsHookExA 77336D0C 5 Bytes JMP 00140600 .text C:\windows\system32\svchost.exe[5200] ntdll.dll!NtCreateFile 771F55C8 5 Bytes JMP 00580FE5 .text C:\windows\system32\svchost.exe[5200] ntdll.dll!NtCreateProcess 771F5698 5 Bytes JMP 00580000 .text C:\windows\system32\svchost.exe[5200] ntdll.dll!NtProtectVirtualMemory 771F5F18 5 Bytes JMP 00580FCA .text C:\windows\system32\svchost.exe[5200] ntdll.dll!LdrUnloadDll 7720C86E 5 Bytes JMP 000603FC .text C:\windows\system32\svchost.exe[5200] ntdll.dll!LdrLoadDll 7721223E 5 Bytes JMP 000601F8 .text C:\windows\system32\svchost.exe[5200] kernel32.dll!GetStartupInfoA 76AB1E10 5 Bytes JMP 003B0F6F .text C:\windows\system32\svchost.exe[5200] kernel32.dll!CreateProcessW 76AB204D 5 Bytes JMP 003B00C4 .text C:\windows\system32\svchost.exe[5200] kernel32.dll!CreateProcessA 76AB2082 5 Bytes JMP 003B0F39 .text C:\windows\system32\svchost.exe[5200] kernel32.dll!CreateNamedPipeW 76AE2D47 5 Bytes JMP 
003B0036 .text C:\windows\system32\svchost.exe[5200] kernel32.dll!VirtualProtect 76AF2BCD 3 Bytes JMP 003B0062 .text C:\windows\system32\svchost.exe[5200] kernel32.dll!VirtualProtect + 4 76AF2BD1 1 Byte [89] .text C:\windows\system32\svchost.exe[5200] kernel32.dll!LoadLibraryExA 76AF4466 3 Bytes JMP 003B0FAF .text C:\windows\system32\svchost.exe[5200] kernel32.dll!LoadLibraryExA + 4 76AF446A 1 Byte [89] .text C:\windows\system32\svchost.exe[5200] kernel32.dll!LoadLibraryExW 76AF5079 3 Bytes JMP 003B0F8A .text C:\windows\system32\svchost.exe[5200] kernel32.dll!LoadLibraryExW + 4 76AF507D 1 Byte [89] .text C:\windows\system32\svchost.exe[5200] kernel32.dll!GetProcAddress 76AFCC94 3 Bytes JMP 003B00D5 .text C:\windows\system32\svchost.exe[5200] kernel32.dll!GetProcAddress + 4 76AFCC98 1 Byte [89] .text C:\windows\system32\svchost.exe[5200] kernel32.dll!LoadLibraryA 76AFDC65 3 Bytes JMP 003B0FD4 .text C:\windows\system32\svchost.exe[5200] kernel32.dll!LoadLibraryA + 4 76AFDC69 1 Byte [89] .text C:\windows\system32\svchost.exe[5200] kernel32.dll!GetStartupInfoW 76AFE2DD 3 Bytes JMP 003B00A9 .text C:\windows\system32\svchost.exe[5200] kernel32.dll!GetStartupInfoW + 4 76AFE2E1 1 Byte [89] .text C:\windows\system32\svchost.exe[5200] kernel32.dll!CreateFileW 76AFE8A5 3 Bytes JMP 003B000A .text C:\windows\system32\svchost.exe[5200] kernel32.dll!CreateFileW + 4 76AFE8A9 1 Byte [89] .text C:\windows\system32\svchost.exe[5200] kernel32.dll!CreateFileA 76AFEA61 3 Bytes JMP 003B0FEF .text C:\windows\system32\svchost.exe[5200] kernel32.dll!CreateFileA + 4 76AFEA65 1 Byte [89] .text C:\windows\system32\svchost.exe[5200] kernel32.dll!LoadLibraryW 76AFEF42 3 Bytes JMP 003B0051 .text C:\windows\system32\svchost.exe[5200] kernel32.dll!LoadLibraryW + 4 76AFEF46 1 Byte [89] .text C:\windows\system32\svchost.exe[5200] kernel32.dll!CreatePipe 76B112A6 5 Bytes JMP 003B0098 .text C:\windows\system32\svchost.exe[5200] kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62] .text 
C:\windows\system32\svchost.exe[5200] kernel32.dll!CreateNamedPipeA 76B3DBA8 5 Bytes JMP 003B0025 .text C:\windows\system32\svchost.exe[5200] kernel32.dll!WinExec 76B3EDB2 5 Bytes JMP 003B0F4A .text C:\windows\system32\svchost.exe[5200] kernel32.dll!VirtualProtectEx 76B3FD51 5 Bytes JMP 003B007D .text C:\windows\system32\svchost.exe[5200] msvcrt.dll!_open 76BD7E48 5 Bytes JMP 003C000C .text C:\windows\system32\svchost.exe[5200] msvcrt.dll!_wsystem 76C0B057 5 Bytes JMP 003C0066 .text C:\windows\system32\svchost.exe[5200] msvcrt.dll!system 76C0B177 5 Bytes JMP 003C004B .text C:\windows\system32\svchost.exe[5200] msvcrt.dll!_creat 76C0ED31 5 Bytes JMP 003C0FEF .text C:\windows\system32\svchost.exe[5200] msvcrt.dll!_wcreat 76C10396 5 Bytes JMP 003C003A .text C:\windows\system32\svchost.exe[5200] msvcrt.dll!_wopen 76C10578 5 Bytes JMP 003C0029 .text C:\windows\system32\svchost.exe[5200] ADVAPI32.dll!RegOpenKeyA 76FBCC15 5 Bytes JMP 003D0FE5 .text C:\windows\system32\svchost.exe[5200] ADVAPI32.dll!RegCreateKeyA 76FBCD01 5 Bytes JMP 003D0FC3 .text C:\windows\system32\svchost.exe[5200] ADVAPI32.dll!RegCreateKeyExA 76FC1469 5 Bytes JMP 003D0F9E .text C:\windows\system32\svchost.exe[5200] ADVAPI32.dll!RegCreateKeyW 76FC1514 5 Bytes JMP 003D0040 .text C:\windows\system32\svchost.exe[5200] ADVAPI32.dll!RegOpenKeyW 76FC2459 5 Bytes JMP 003D0000 .text C:\windows\system32\svchost.exe[5200] ADVAPI32.dll!RegCreateKeyExW 76FC40FE 5 Bytes JMP 003D005B .text C:\windows\system32\svchost.exe[5200] ADVAPI32.dll!RegOpenKeyExW 76FC468D 5 Bytes JMP 003D0025 .text C:\windows\system32\svchost.exe[5200] ADVAPI32.dll!RegOpenKeyExA 76FC4907 5 Bytes JMP 003D0FD4 .text C:\windows\system32\svchost.exe[5200] WS2_32.dll!socket 76393EB8 5 Bytes JMP 003A0FEF .text C:\windows\system32\wermgr.exe[5332] ntdll.dll!LdrUnloadDll 7720C86E 5 Bytes JMP 000603FC .text C:\windows\system32\wermgr.exe[5332] ntdll.dll!LdrLoadDll 7721223E 5 Bytes JMP 000601F8 .text C:\windows\system32\wermgr.exe[5332] 
kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62] .text C:\windows\system32\wermgr.exe[5332] USER32.dll!UnhookWindowsHookEx 7730ADF9 5 Bytes JMP 00100A08 .text C:\windows\system32\wermgr.exe[5332] USER32.dll!UnhookWinEvent 7730B750 5 Bytes JMP 001003FC .text C:\windows\system32\wermgr.exe[5332] USER32.dll!SetWindowsHookExW 7730E30C 5 Bytes JMP 00100804 .text C:\windows\system32\wermgr.exe[5332] USER32.dll!SetWinEventHook 773124DC 5 Bytes JMP 001001F8 .text C:\windows\system32\wermgr.exe[5332] USER32.dll!SetWindowsHookExA 77336D0C 5 Bytes JMP 00100600 .text C:\windows\system32\wbem\unsecapp.exe[5424] ntdll.dll!LdrUnloadDll 7720C86E 5 Bytes JMP 000603FC .text C:\windows\system32\wbem\unsecapp.exe[5424] ntdll.dll!LdrLoadDll 7721223E 5 Bytes JMP 000601F8 .text C:\windows\system32\wbem\unsecapp.exe[5424] kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62] .text C:\windows\system32\wbem\unsecapp.exe[5424] USER32.dll!UnhookWindowsHookEx 7730ADF9 5 Bytes JMP 000F0A08 .text C:\windows\system32\wbem\unsecapp.exe[5424] USER32.dll!UnhookWinEvent 7730B750 5 Bytes JMP 000F03FC .text C:\windows\system32\wbem\unsecapp.exe[5424] USER32.dll!SetWindowsHookExW 7730E30C 5 Bytes JMP 000F0804 .text C:\windows\system32\wbem\unsecapp.exe[5424] USER32.dll!SetWinEventHook 773124DC 5 Bytes JMP 000F01F8 .text C:\windows\system32\wbem\unsecapp.exe[5424] USER32.dll!SetWindowsHookExA 77336D0C 5 Bytes JMP 000F0600 .text C:\Program Files\Motorola\Bluetooth\audiosrv.exe[5460] ntdll.dll!LdrUnloadDll 7720C86E 5 Bytes JMP 001503FC .text C:\Program Files\Motorola\Bluetooth\audiosrv.exe[5460] ntdll.dll!LdrLoadDll 7721223E 5 Bytes JMP 001501F8 .text C:\Program Files\Motorola\Bluetooth\audiosrv.exe[5460] kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62] .text C:\Program Files\Motorola\Bluetooth\audiosrv.exe[5460] USER32.dll!UnhookWindowsHookEx 7730ADF9 5 Bytes JMP 001F0A08 .text C:\Program Files\Motorola\Bluetooth\audiosrv.exe[5460] USER32.dll!UnhookWinEvent 7730B750 5 Bytes JMP 001F03FC .text 
C:\Program Files\Motorola\Bluetooth\audiosrv.exe[5460] USER32.dll!SetWindowsHookExW 7730E30C 5 Bytes JMP 001F0804 .text C:\Program Files\Motorola\Bluetooth\audiosrv.exe[5460] USER32.dll!SetWinEventHook 773124DC 5 Bytes JMP 001F01F8 .text C:\Program Files\Motorola\Bluetooth\audiosrv.exe[5460] USER32.dll!SetWindowsHookExA 77336D0C 5 Bytes JMP 001F0600 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5936] ntdll.dll!LdrUnloadDll 7720C86E 5 Bytes JMP 000603FC .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5936] ntdll.dll!LdrLoadDll 7721223E 5 Bytes JMP 000601F8 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5936] kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5936] USER32.dll!UnhookWindowsHookEx 7730ADF9 5 Bytes JMP 00090A08 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5936] USER32.dll!UnhookWinEvent 7730B750 5 Bytes JMP 000903FC .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5936] USER32.dll!SetWindowsHookExW 7730E30C 5 Bytes JMP 00090804 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5936] USER32.dll!SetWinEventHook 773124DC 5 Bytes JMP 000901F8 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5936] USER32.dll!SetWindowsHookExA 77336D0C 5 Bytes JMP 00090600 .text C:\windows\system32\wermgr.exe[6024] ntdll.dll!LdrUnloadDll 7720C86E 5 Bytes JMP 000603FC .text C:\windows\system32\wermgr.exe[6024] ntdll.dll!LdrLoadDll 7721223E 5 Bytes JMP 000601F8 .text C:\windows\system32\wermgr.exe[6024] kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62] .text C:\windows\system32\wermgr.exe[6024] USER32.dll!UnhookWindowsHookEx 7730ADF9 5 Bytes JMP 00100A08 .text C:\windows\system32\wermgr.exe[6024] USER32.dll!UnhookWinEvent 7730B750 5 Bytes JMP 001003FC .text C:\windows\system32\wermgr.exe[6024] USER32.dll!SetWindowsHookExW 7730E30C 5 Bytes JMP 00100804 .text C:\windows\system32\wermgr.exe[6024] USER32.dll!SetWinEventHook 773124DC 5 Bytes JMP 001001F8 
.text C:\windows\system32\wermgr.exe[6024] USER32.dll!SetWindowsHookExA 77336D0C 5 Bytes JMP 00100600 .text C:\windows\system32\wermgr.exe[6344] ntdll.dll!LdrUnloadDll 7720C86E 5 Bytes JMP 000A03FC .text C:\windows\system32\wermgr.exe[6344] ntdll.dll!LdrLoadDll 7721223E 5 Bytes JMP 000A01F8 .text C:\windows\system32\wermgr.exe[6344] kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62] .text C:\windows\system32\wermgr.exe[6344] USER32.dll!UnhookWindowsHookEx 7730ADF9 5 Bytes JMP 00140A08 .text C:\windows\system32\wermgr.exe[6344] USER32.dll!UnhookWinEvent 7730B750 5 Bytes JMP 001403FC .text C:\windows\system32\wermgr.exe[6344] USER32.dll!SetWindowsHookExW 7730E30C 5 Bytes JMP 00140804 .text C:\windows\system32\wermgr.exe[6344] USER32.dll!SetWinEventHook 773124DC 5 Bytes JMP 001401F8 .text C:\windows\system32\wermgr.exe[6344] USER32.dll!SetWindowsHookExA 77336D0C 5 Bytes JMP 00140600 .text C:\windows\system32\wermgr.exe[6896] ntdll.dll!LdrUnloadDll 7720C86E 5 Bytes JMP 000603FC .text C:\windows\system32\wermgr.exe[6896] ntdll.dll!LdrLoadDll 7721223E 5 Bytes JMP 000601F8 .text C:\windows\system32\wermgr.exe[6896] kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62] .text C:\windows\system32\wermgr.exe[6896] USER32.dll!UnhookWindowsHookEx 7730ADF9 5 Bytes JMP 00110A08 .text C:\windows\system32\wermgr.exe[6896] USER32.dll!UnhookWinEvent 7730B750 5 Bytes JMP 001103FC .text C:\windows\system32\wermgr.exe[6896] USER32.dll!SetWindowsHookExW 7730E30C 5 Bytes JMP 00110804 .text C:\windows\system32\wermgr.exe[6896] USER32.dll!SetWinEventHook 773124DC 5 Bytes JMP 001101F8 .text C:\windows\system32\wermgr.exe[6896] USER32.dll!SetWindowsHookExA 77336D0C 5 Bytes JMP 00110600 .text C:\windows\system32\wermgr.exe[6928] ntdll.dll!LdrUnloadDll 7720C86E 5 Bytes JMP 000603FC .text C:\windows\system32\wermgr.exe[6928] ntdll.dll!LdrLoadDll 7721223E 5 Bytes JMP 000601F8 .text C:\windows\system32\wermgr.exe[6928] kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62] .text 
C:\windows\system32\wermgr.exe[6928] USER32.dll!UnhookWindowsHookEx 7730ADF9 5 Bytes JMP 00240A08 .text C:\windows\system32\wermgr.exe[6928] USER32.dll!UnhookWinEvent 7730B750 5 Bytes JMP 002403FC .text C:\windows\system32\wermgr.exe[6928] USER32.dll!SetWindowsHookExW 7730E30C 5 Bytes JMP 00240804 .text C:\windows\system32\wermgr.exe[6928] USER32.dll!SetWinEventHook 773124DC 5 Bytes JMP 002401F8 .text C:\windows\system32\wermgr.exe[6928] USER32.dll!SetWindowsHookExA 77336D0C 5 Bytes JMP 00240600 .text C:\windows\system32\wermgr.exe[7136] ntdll.dll!LdrUnloadDll 7720C86E 5 Bytes JMP 000603FC .text C:\windows\system32\wermgr.exe[7136] ntdll.dll!LdrLoadDll 7721223E 5 Bytes JMP 000601F8 .text C:\windows\system32\wermgr.exe[7136] kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62] .text C:\windows\system32\wermgr.exe[7136] USER32.dll!UnhookWindowsHookEx 7730ADF9 5 Bytes JMP 000A0A08 .text C:\windows\system32\wermgr.exe[7136] USER32.dll!UnhookWinEvent 7730B750 5 Bytes JMP 000A03FC .text C:\windows\system32\wermgr.exe[7136] USER32.dll!SetWindowsHookExW 7730E30C 5 Bytes JMP 000A0804 .text C:\windows\system32\wermgr.exe[7136] USER32.dll!SetWinEventHook 773124DC 5 Bytes JMP 000A01F8 .text C:\windows\system32\wermgr.exe[7136] USER32.dll!SetWindowsHookExA 77336D0C 5 Bytes JMP 000A0600 .text C:\windows\system32\wermgr.exe[7652] ntdll.dll!LdrUnloadDll 7720C86E 5 Bytes JMP 000603FC .text C:\windows\system32\wermgr.exe[7652] ntdll.dll!LdrLoadDll 7721223E 5 Bytes JMP 000601F8 .text C:\windows\system32\wermgr.exe[7652] kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62] .text C:\windows\system32\wermgr.exe[7652] USER32.dll!UnhookWindowsHookEx 7730ADF9 5 Bytes JMP 00090A08 .text C:\windows\system32\wermgr.exe[7652] USER32.dll!UnhookWinEvent 7730B750 5 Bytes JMP 000903FC .text C:\windows\system32\wermgr.exe[7652] USER32.dll!SetWindowsHookExW 7730E30C 5 Bytes JMP 00090804 .text C:\windows\system32\wermgr.exe[7652] USER32.dll!SetWinEventHook 773124DC 5 Bytes JMP 000901F8 .text 
C:\windows\system32\wermgr.exe[7652] USER32.dll!SetWindowsHookExA 77336D0C 5 Bytes JMP 00090600 .text C:\windows\system32\wermgr.exe[7904] ntdll.dll!LdrUnloadDll 7720C86E 5 Bytes JMP 000603FC .text C:\windows\system32\wermgr.exe[7904] ntdll.dll!LdrLoadDll 7721223E 5 Bytes JMP 000601F8 .text C:\windows\system32\wermgr.exe[7904] kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62] .text C:\windows\system32\wermgr.exe[7904] USER32.dll!UnhookWindowsHookEx 7730ADF9 5 Bytes JMP 00090A08 .text C:\windows\system32\wermgr.exe[7904] USER32.dll!UnhookWinEvent 7730B750 5 Bytes JMP 000903FC .text C:\windows\system32\wermgr.exe[7904] USER32.dll!SetWindowsHookExW 7730E30C 5 Bytes JMP 00090804 .text C:\windows\system32\wermgr.exe[7904] USER32.dll!SetWinEventHook 773124DC 5 Bytes JMP 000901F8 .text C:\windows\system32\wermgr.exe[7904] USER32.dll!SetWindowsHookExA 77336D0C 5 Bytes JMP 00090600 .text C:\windows\system32\wermgr.exe[9104] ntdll.dll!LdrUnloadDll 7720C86E 5 Bytes JMP 000603FC .text C:\windows\system32\wermgr.exe[9104] ntdll.dll!LdrLoadDll 7721223E 5 Bytes JMP 000601F8 .text C:\windows\system32\wermgr.exe[9104] kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62] .text C:\windows\system32\wermgr.exe[9104] USER32.dll!UnhookWindowsHookEx 7730ADF9 5 Bytes JMP 00240A08 .text C:\windows\system32\wermgr.exe[9104] USER32.dll!UnhookWinEvent 7730B750 5 Bytes JMP 002403FC .text C:\windows\system32\wermgr.exe[9104] USER32.dll!SetWindowsHookExW 7730E30C 5 Bytes JMP 00240804 .text C:\windows\system32\wermgr.exe[9104] USER32.dll!SetWinEventHook 773124DC 5 Bytes JMP 002401F8 .text C:\windows\system32\wermgr.exe[9104] USER32.dll!SetWindowsHookExA 77336D0C 5 Bytes JMP 00240600 .text C:\windows\system32\wermgr.exe[9436] ntdll.dll!LdrUnloadDll 7720C86E 5 Bytes JMP 000603FC .text C:\windows\system32\wermgr.exe[9436] ntdll.dll!LdrLoadDll 7721223E 5 Bytes JMP 000601F8 .text C:\windows\system32\wermgr.exe[9436] kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62] .text 
C:\windows\system32\wermgr.exe[9436] USER32.dll!UnhookWindowsHookEx 7730ADF9 5 Bytes JMP 00140A08 .text C:\windows\system32\wermgr.exe[9436] USER32.dll!UnhookWinEvent 7730B750 5 Bytes JMP 001403FC .text C:\windows\system32\wermgr.exe[9436] USER32.dll!SetWindowsHookExW 7730E30C 5 Bytes JMP 00140804 .text C:\windows\system32\wermgr.exe[9436] USER32.dll!SetWinEventHook 773124DC 5 Bytes JMP 001401F8 .text C:\windows\system32\wermgr.exe[9436] USER32.dll!SetWindowsHookExA 77336D0C 5 Bytes JMP 00140600 .text C:\windows\system32\wermgr.exe[9952] ntdll.dll!LdrUnloadDll 7720C86E 5 Bytes JMP 000603FC .text C:\windows\system32\wermgr.exe[9952] ntdll.dll!LdrLoadDll 7721223E 5 Bytes JMP 000601F8 .text C:\windows\system32\wermgr.exe[9952] kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62] .text C:\windows\system32\wermgr.exe[9952] USER32.dll!UnhookWindowsHookEx 7730ADF9 5 Bytes JMP 00190A08 .text C:\windows\system32\wermgr.exe[9952] USER32.dll!UnhookWinEvent 7730B750 5 Bytes JMP 001903FC .text C:\windows\system32\wermgr.exe[9952] USER32.dll!SetWindowsHookExW 7730E30C 5 Bytes JMP 00190804 .text C:\windows\system32\wermgr.exe[9952] USER32.dll!SetWinEventHook 773124DC 5 Bytes JMP 001901F8 .text C:\windows\system32\wermgr.exe[9952] USER32.dll!SetWindowsHookExA 77336D0C 5 Bytes JMP 00190600 .text C:\PROGRA~1\COMMON~1\McAfee\MSC\McUICnt.exe[10472] ntdll.dll!LdrUnloadDll 7720C86E 5 Bytes JMP 000603FC .text C:\PROGRA~1\COMMON~1\McAfee\MSC\McUICnt.exe[10472] ntdll.dll!LdrLoadDll 7721223E 5 Bytes JMP 000601F8 .text C:\PROGRA~1\COMMON~1\McAfee\MSC\McUICnt.exe[10472] kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62] .text C:\PROGRA~1\COMMON~1\McAfee\MSC\McUICnt.exe[10472] USER32.dll!UnhookWindowsHookEx 7730ADF9 5 Bytes JMP 00090A08 .text C:\PROGRA~1\COMMON~1\McAfee\MSC\McUICnt.exe[10472] USER32.dll!UnhookWinEvent 7730B750 5 Bytes JMP 000903FC .text C:\PROGRA~1\COMMON~1\McAfee\MSC\McUICnt.exe[10472] USER32.dll!SetWindowsHookExW 7730E30C 5 Bytes JMP 00090804 .text 
C:\PROGRA~1\COMMON~1\McAfee\MSC\McUICnt.exe[10472] USER32.dll!SetWinEventHook 773124DC 5 Bytes JMP 000901F8 .text C:\PROGRA~1\COMMON~1\McAfee\MSC\McUICnt.exe[10472] USER32.dll!SetWindowsHookExA 77336D0C 5 Bytes JMP 00090600 .text C:\Users\Patryk\Downloads\j62fegyg.exe[10936] ntdll.dll!LdrUnloadDll 7720C86E 5 Bytes JMP 001603FC .text C:\Users\Patryk\Downloads\j62fegyg.exe[10936] ntdll.dll!LdrLoadDll 7721223E 5 Bytes JMP 001601F8 .text C:\Users\Patryk\Downloads\j62fegyg.exe[10936] kernel32.dll!GetBinaryTypeW + 70 76B169F4 1 Byte [62] .text C:\Users\Patryk\Downloads\j62fegyg.exe[10936] USER32.dll!UnhookWindowsHookEx 7730ADF9 5 Bytes JMP 004C0A08 .text C:\Users\Patryk\Downloads\j62fegyg.exe[10936] USER32.dll!UnhookWinEvent 7730B750 5 Bytes JMP 004C03FC .text C:\Users\Patryk\Downloads\j62fegyg.exe[10936] USER32.dll!SetWindowsHookExW 7730E30C 5 Bytes JMP 004C0804 .text C:\Users\Patryk\Downloads\j62fegyg.exe[10936] USER32.dll!SetWinEventHook 773124DC 5 Bytes JMP 004C01F8 .text C:\Users\Patryk\Downloads\j62fegyg.exe[10936] USER32.dll!SetWindowsHookExA 77336D0C 5 Bytes JMP 004C0600 ---- User IAT/EAT - GMER 1.0.15 ---- IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!RtlFreeHeap] 51EC8B55 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!RtlFreeUnicodeString] 8B565351 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!DbgPrintEx] FF560875 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!RtlUpcaseUnicodeChar] 6F510815 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!NtClose] 85D88B00 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!NtSetInformationFile] C2840FDB IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!NtOpenFile] 57000000 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!NtQueryInformationFile] 
0068406A IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!RtlCompareUnicodeString] FF000010 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!RtlAppendUnicodeStringToString] 006A5073 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!RtlAllocateHeap] 508415FF IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!RtlUnicodeStringToInteger] F88B006F IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!NtCreatePagingFile] 85FC7D89 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!_alldiv] 9E840FFF IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!NtQuerySystemInformation] 8B000000 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!_allmul] A4F3544B IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!NtFlushKey] 1443B70F IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!NtDeleteValueKey] 0653B70F IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!NtSetValueKey] 1818448D IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!NtCreateKey] 8B0CC083 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!RtlCompareMemory] 08758B08 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!NtDeviceIoControlFile] 03FC7D8B IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!RtlInitUnicodeStringEx] 8BF903F1 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!RtlExtendedIntegerMultiply] C083FC48 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!NtQueryVolumeInformationFile] A4F34A28 IAT C:\windows\system32\services.exe[652] @ 
C:\windows\system32\smss.exe [ntdll.dll!NtQueryInformationProcess] 758BE975 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!RtlAppendUnicodeToString] 443D8BFC IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!RtlInitUnicodeString] 2B006F51 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!NtSetSystemInformation] 458D0875 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!RtlDosPathNameToNtPathName_U] 056A50F8 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!RtlExpandEnvironmentStrings_U] 75FF016A IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!NtQueryValueKey] 85D7FFFC IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!NtCreateFile] EB2574C0 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!NtOpenKey] 04488B1D IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!_vsnwprintf] 56F84D29 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!EtwEventWrite] 8B08508D IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!EtwEventEnabled] FC450300 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!NtSetSecurityObject] 52F8C183 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!RtlSetOwnerSecurityDescriptor] 5051E9D1 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!RtlSetDaclSecurityDescriptor] 514015FF IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!RtlAddAccessAllowedAce] 7D83006F IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!RtlCreateAcl] DD7500F8 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe 
[ntdll.dll!RtlCreateSecurityDescriptor] 50F8458D IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!RtlAllocateAndInitializeSid] 016A016A IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!RtlCreateUnicodeString] FFFC75FF IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!NtReadFile] 74C085D7 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!_chkstk] 0C488D20 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!NtMakeTemporaryObject] C085018B IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!NtCreateSymbolicLinkObject] F18B1774 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!NtOpenDirectoryObject] 03FC4D8B IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!RtlAnsiStringToUnicodeString] 15FF50C1 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!RtlInitAnsiString] [006F5080] C:\windows\system32\smss.exe (Menedżer sesji systemu Windows/Microsoft Corporation) IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!_stricmp] 8B14C683 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!qsort] 75C08506 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!RtlRandomEx] FC458BEB IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!LdrVerifyImageMatchesChecksumEx] C95B5E5F IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!NtCreateDirectoryObject] 560004C2 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!RtlEqualUnicodeString] 7140BF57 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!memcpy] 8B57006F IAT C:\windows\system32\services.exe[652] @ 
C:\windows\system32\smss.exe [ntdll.dll!_wcsicmp] 7C15FFF1 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!RtlSetEnvironmentVariable] 6A006F50 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!iswspace] 3C83580F IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!RtlQueryEnvironmentVariable_U] 6F715885 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!RtlFindSetBits] 09740000 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!RtlInterlockedSetBitRun] 8548C88B IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!RtlTestBit] EBEF75C9 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!RtlUnlockBootStatusData] 85348907 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!RtlGetSetBootStatusData] [006F7158] C:\windows\system32\smss.exe (Menedżer sesji systemu Windows/Microsoft Corporation) IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!RtlLockBootStatusData] 3415FF57 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!RtlSetSaclSecurityDescriptor] 5F006F50 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!RtlAddMandatoryAce] 5756C35E IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!RtlLengthSid] 6F7140BF IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!RtlGetAce] F18B5700 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!RtlPrefixUnicodeString] 507C15FF IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!NtQuerySymbolicLinkObject] 0F6A006F IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!NtOpenSymbolicLinkObject] 85343958 IAT 
C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!NtQueryDirectoryObject] [006F7158] C:\windows\system32\smss.exe (Menedżer sesji systemu Windows/Microsoft Corporation) IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!RtlTimeToTimeFields] C88B0974 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!NtSerializeBoot] 75C98548 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!memset] 8308EBF0 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!NtMapViewOfSection] 71588524 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!NtCreateSection] 5700006F IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!RtlQueryRegistryValues] 503415FF IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!RtlDosSearchPath_U] 5E5F006F IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!NtResumeThread] 800068C3 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!NtWaitForSingleObject] 006A0000 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!NtTerminateProcess] 7815FF51 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!RtlDestroyProcessParameters] 50006F50 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!RtlCreateUserProcess] 513C15FF IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!RtlCreateProcessParametersEx] 55C3006F IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!NtDisplayString] 5351EC8B IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!NtWriteFile] 35FF5756 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!_wcsupr] [006F7198] 
C:\windows\system32\smss.exe (Menedżer sesji systemu Windows/Microsoft Corporation) IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!RtlAdjustPrivilege] 513815FF IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!NtInitializeRegistry] 8D59006F IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!TpReleaseWork] E8400044 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!TpPostWork] 00002B8C IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!TpAllocWork] 75FFFC8B IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!NtSetEvent] FC7D8908 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!RtlSetCurrentEnvironment] 719835FF IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!RtlCreateEnvironment] EC68006F IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!NtOpenEvent] 57006F53 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!RtlSetBits] 513415FF IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!RtlClearAllBits] DB33006F IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!RtlInitializeBitMap] 3910C483 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!NtAlpcCreatePort] 6E7D085D IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!NtSetInformationProcess] FFF63357 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!RtlCreateTagHeap] 6F507415 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!RtlReleaseSRWLockExclusive] 85F88B00 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!RtlAcquireSRWLockExclusive] 8D3774FF IAT 
C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!NtSetInformationThread] 6A500845 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!NtQueryInformationToken] FF575602 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!NtOpenThreadToken] 6F513015 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!NtAlpcImpersonateClientOfPort] 7CC08500 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!RtlReleaseSRWLockShared] FF556A25 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!RtlAcquireSRWLockShared] 15FFFC75 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!TpSetPoolMinThreads] [006F512C] C:\windows\system32\smss.exe (Menedżer sesji systemu Windows/Microsoft Corporation) IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!NtAlpcDisconnectPort] C9335959 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!RtlInitializeSRWLock] 08896657 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!NtConnectPort] FFFE1FE8 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!AlpcGetMessageAttribute] 85D88BFF IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!NtAlpcAcceptConnectPort] 8B0774DB IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!NtAlpcOpenSenderProcess] F72B0875 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!NtAlpcCancelMessage] FF57F303 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!NtAlpcSendWaitReceivePort] 6F507015 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!AlpcInitializeMessageAttribute] 74F68500 IAT C:\windows\system32\services.exe[652] @ 
C:\windows\system32\smss.exe [ntdll.dll!RtlSetThreadIsCritical] FC4D8B53 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!NtRequestWaitReplyPort] 6F7084BA IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!NtDuplicateObject] 85D6FF00 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!NtCreateEvent] 684575C0 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!RtlWakeConditionVariable] 00008000 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!RtlClearBits] 15FF5350 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!RtlDeleteNoSplay] [006F5078] C:\windows\system32\smss.exe (Menedżer sesji systemu Windows/Microsoft Corporation) IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!NtClearEvent] 5D3936EB IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!RtlSleepConditionVariableSRW] BB31740C IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!RtlWakeAllConditionVariable] [006F7140] C:\windows\system32\smss.exe (Menedżer sesji systemu Windows/Microsoft Corporation) IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!RtlFindClearBits] 7C15FF53 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!RtlFreeSid] BE006F50 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!NtRaiseHardError] [006F7194] C:\windows\system32\smss.exe (Menedżer sesji systemu Windows/Microsoft Corporation) IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!NtWaitForMultipleObjects] C085068B IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!TpAllocAlpcCompletion] 4D8B0774 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe 
[ntdll.dll!TpAllocPool] FFD78B08 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!RtlSetProcessIsCritical] 83C68BD0 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!EtwEventRegister] 583D04EE IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!RtlSetHeapInformation] 75006F71 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!RtlInitializeConditionVariable] 15FF53E7 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!NtDelayExecution] [006F5034] C:\windows\system32\smss.exe (Menedżer sesji systemu Windows/Microsoft Corporation) IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!RtlUnicodeStringToAnsiString] 5FF0658D IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!NtQueryEvent] C2C95B5E IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!RtlReleasePrivilege] 8B550008 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!RtlAcquirePrivilege] B8EC81EC IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!LdrQueryImageFileExecutionOptions] 53000008 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!wcstoul] 0B6A5756 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!_wcsnicmp] 5420BE59 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!RtlUnhandledExceptionFilter] BD8D006F IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!RtlUnwind] FFFFFF4C IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!RtlNormalizeProcessParams] 526AA5F3 IAT C:\windows\system32\services.exe[652] @ C:\windows\system32\smss.exe [ntdll.dll!RtlConnectToSm] 858DFF33 IAT C:\windows\system32\services.exe[652] @ 
C:\windows\system32\smss.exe [ntdll.dll!RtlSendMsgToSm] FFFFFF78 IAT C:\windows\system32\mfevtps.exe[1520] @ C:\windows\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [00B277A0] C:\windows\system32\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.) IAT C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1748] @ C:\windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [712BF6D0] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software) IAT C:\windows\system32\rundll32.exe[2060] @ C:\windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [7523FFF6] C:\windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\windows\system32\rundll32.exe[2060] @ C:\windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [7523FFF6] C:\windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\windows\system32\rundll32.exe[2060] @ C:\windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [7523FFF6] C:\windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\windows\system32\rundll32.exe[2060] @ C:\windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [7523FFF6] C:\windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Program Files\Lenovo\LenovoSecuritySolution FP\psqltray.exe[2080] @ C:\windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [7523FFF6] C:\windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Program Files\Lenovo\LenovoSecuritySolution FP\psqltray.exe[2080] @ C:\windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [7523FFF6] C:\windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Program Files\Lenovo\LenovoSecuritySolution FP\psqltray.exe[2080] @ C:\windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [7523FFF6] C:\windows\system32\apphelp.dll 
(Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Program Files\Lenovo\LenovoSecuritySolution FP\psqltray.exe[2080] @ C:\windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [7523FFF6] C:\windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Program Files\Lenovo\LenovoSecuritySolution FP\psqltray.exe[2080] @ C:\windows\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [7523FFF6] C:\windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Program Files\Lenovo\LenovoSecuritySolution FP\psqltray.exe[2080] @ C:\windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [7523FFF6] C:\windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Program Files\AVAST Software\Avast\AvastUI.exe[3752] @ C:\windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [712BF6D0] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software) IAT C:\Windows\System32\rundll32.exe[3864] @ C:\windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [7523FFF6] C:\windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Windows\System32\rundll32.exe[3864] @ C:\windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [7523FFF6] C:\windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Windows\System32\rundll32.exe[3864] @ C:\windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [7523FFF6] C:\windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Windows\System32\rundll32.exe[3864] @ C:\windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [7523FFF6] C:\windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Windows\System32\rundll32.exe[3872] @ C:\windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [7523FFF6] 
C:\windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Windows\System32\rundll32.exe[3872] @ C:\windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [7523FFF6] C:\windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Windows\System32\rundll32.exe[3872] @ C:\windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [7523FFF6] C:\windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Windows\System32\rundll32.exe[3872] @ C:\windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [7523FFF6] C:\windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) ---- Devices - GMER 1.0.15 ---- Device aswSP.SYS (avast! self protection module/AVAST Software) Device Ntfs.sys (Sterownik systemu plików NT/Microsoft Corporation) AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Aparat wykonawczy struktury sterowników trybu jądra/Microsoft Corporation) AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Aparat wykonawczy struktury sterowników trybu jądra/Microsoft Corporation) Device \Driver\ACPI_HAL \Device\00000055 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! 
TDI Filter Driver/AVAST Software) AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation) AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software) Device Fs_Rec.sys (File System Recognizer Driver/Microsoft Corporation) ---- Threads - GMER 1.0.15 ---- Thread System [4:6112] ACF73730 ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001c7b2c8681 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002269ec2d88 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001c7b2c8681 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002269ec2d88 (not active ControlSet) ---- EOF - GMER 1.0.15 ----