GMER 2.1.19324 - http://www.gmer.net Rootkit scan 2014-01-20 14:12:01 Windows 6.1.7600 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 TOSHIBA_ rev.GH10 298,09GB Running: 86wxnn2b.exe; Driver: C:\Users\MICHA~1\AppData\Local\Temp\uglorfow.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077322ef0 5 bytes JMP 00000001002b075c .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077334770 5 bytes JMP 00000001002b03a4 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007734fe00 4 bytes JMP 000000007fff0380 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007734fe50 5 bytes JMP 000000007fff0370 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007734fed0 5 bytes JMP 00000001002b0b14 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007734ff30 5 bytes JMP 00000001002b0ecc .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077350000 1 byte JMP 000000007fff0390 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077350002 3 bytes {JMP 0x8ca0390} .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773500c0 5 bytes JMP 000000007fff0320 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077350150 1 byte JMP 000000007fff02e0 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 2 0000000077350152 3 bytes {JMP 0x8ca0190} .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 
00000000773501d0 5 bytes JMP 000000007fff02d0 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773501f0 5 bytes JMP 000000007fff0310 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077350250 5 bytes JMP 00000001002b1284 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773503e0 5 bytes JMP 000000007fff0230 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773505a0 5 bytes JMP 000000007fff03a0 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773506b0 5 bytes JMP 000000007fff02f0 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773506c0 1 byte JMP 000000007fff0350 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion + 2 00000000773506c2 3 bytes {JMP 0x8c9fc90} .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077350720 5 bytes JMP 000000007fff0290 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773507b0 5 bytes JMP 000000007fff02b0 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773507e0 5 bytes JMP 000000007fff0330 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077350880 5 bytes JMP 000000007fff0240 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077350b40 5 bytes JMP 000000007fff01e0 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077350c00 5 bytes JMP 000000007fff0250 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077350c30 5 bytes JMP 000000007fff03b0 .text 
C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077350c40 5 bytes JMP 000000007fff03c0 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077350c70 1 byte JMP 000000007fff0300 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair + 2 0000000077350c72 3 bytes {JMP 0x8c9f690} .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077350c80 5 bytes JMP 000000007fff0360 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077350ce0 5 bytes JMP 000000007fff02a0 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077350d30 1 byte JMP 000000007fff02c0 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 2 0000000077350d32 3 bytes {JMP 0x8c9f590} .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077350d70 5 bytes JMP 000000007fff0340 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077351260 5 bytes JMP 000000007fff0260 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077351270 5 bytes JMP 000000007fff0270 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077351440 5 bytes JMP 000000007fff01f0 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077351450 5 bytes JMP 000000007fff0210 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773514c0 5 bytes JMP 000000007fff0200 .text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077351540 5 bytes JMP 000000007fff0220 .text C:\Windows\system32\services.exe[688] 
C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077351620 5 bytes JMP 000000007fff0280 .text C:\Windows\system32\services.exe[688] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007713f1bd 1 byte [62] .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077322ef0 5 bytes JMP 000000010017075c .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077334770 5 bytes JMP 00000001001703a4 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007734fe00 4 bytes JMP 000000007fff0380 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007734fe50 5 bytes JMP 000000007fff0370 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007734fed0 5 bytes JMP 0000000100170b14 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007734ff30 5 bytes JMP 0000000100170ecc .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077350000 1 byte JMP 000000007fff0390 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077350002 3 bytes {JMP 0x8ca0390} .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773500c0 5 bytes JMP 000000007fff0320 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077350150 1 byte JMP 000000007fff02e0 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 2 0000000077350152 3 bytes {JMP 0x8ca0190} .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773501d0 5 bytes JMP 000000007fff02d0 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773501f0 5 bytes JMP 000000007fff0310 .text C:\Windows\system32\lsass.exe[712] 
C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077350250 5 bytes JMP 0000000100171284 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773503e0 5 bytes JMP 000000007fff0230 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773505a0 5 bytes JMP 000000007fff03a0 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773506b0 5 bytes JMP 000000007fff02f0 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773506c0 1 byte JMP 000000007fff0350 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion + 2 00000000773506c2 3 bytes {JMP 0x8c9fc90} .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077350720 5 bytes JMP 000000007fff0290 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773507b0 5 bytes JMP 000000007fff02b0 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773507e0 5 bytes JMP 000000007fff0330 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077350880 5 bytes JMP 000000007fff0240 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077350b40 5 bytes JMP 000000007fff01e0 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077350c00 5 bytes JMP 000000007fff0250 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077350c30 5 bytes JMP 000000007fff03b0 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077350c40 5 bytes JMP 000000007fff03c0 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077350c70 1 byte JMP 000000007fff0300 .text 
C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair + 2 0000000077350c72 3 bytes {JMP 0x8c9f690} .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077350c80 5 bytes JMP 000000007fff0360 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077350ce0 5 bytes JMP 000000007fff02a0 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077350d30 1 byte JMP 000000007fff02c0 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 2 0000000077350d32 3 bytes {JMP 0x8c9f590} .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077350d70 5 bytes JMP 000000007fff0340 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077351260 5 bytes JMP 000000007fff0260 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077351270 5 bytes JMP 000000007fff0270 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077351440 5 bytes JMP 000000007fff01f0 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077351450 5 bytes JMP 000000007fff0210 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773514c0 5 bytes JMP 000000007fff0200 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077351540 5 bytes JMP 000000007fff0220 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077351620 5 bytes JMP 000000007fff0280 .text C:\Windows\system32\svchost.exe[816] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007713f1bd 1 byte [62] .text C:\Windows\system32\winlogon.exe[892] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077322ef0 5 bytes JMP 000000010037075c 
.text C:\Windows\system32\winlogon.exe[892] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077334770 5 bytes JMP 00000001003703a4 .text C:\Windows\system32\winlogon.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007734fe00 4 bytes JMP 000000007fff0380 .text C:\Windows\system32\winlogon.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007734fe50 5 bytes JMP 000000007fff0370 .text C:\Windows\system32\winlogon.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007734fed0 5 bytes JMP 0000000100370b14 .text C:\Windows\system32\winlogon.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007734ff30 5 bytes JMP 0000000100370ecc .text C:\Windows\system32\winlogon.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077350000 1 byte JMP 000000007fff0390 .text C:\Windows\system32\winlogon.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077350002 3 bytes {JMP 0x8ca0390} .text C:\Windows\system32\winlogon.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773500c0 5 bytes JMP 000000007fff0320 .text C:\Windows\system32\winlogon.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077350150 1 byte JMP 000000007fff02e0 .text C:\Windows\system32\winlogon.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 2 0000000077350152 3 bytes {JMP 0x8ca0190} .text C:\Windows\system32\winlogon.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773501d0 5 bytes JMP 000000007fff02d0 .text C:\Windows\system32\winlogon.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773501f0 5 bytes JMP 000000007fff0310 .text C:\Windows\system32\winlogon.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077350250 5 bytes JMP 0000000100371284 .text C:\Windows\system32\winlogon.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773503e0 5 bytes JMP 000000007fff0230 .text C:\Windows\system32\winlogon.exe[892] 
C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773505a0 5 bytes JMP 000000007fff03a0 .text C:\Windows\system32\winlogon.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773506b0 5 bytes JMP 000000007fff02f0 .text C:\Windows\system32\winlogon.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773506c0 1 byte JMP 000000007fff0350 .text C:\Windows\system32\winlogon.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion + 2 00000000773506c2 3 bytes {JMP 0x8c9fc90} .text C:\Windows\system32\winlogon.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077350720 5 bytes JMP 000000007fff0290 .text C:\Windows\system32\winlogon.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773507b0 5 bytes JMP 000000007fff02b0 .text C:\Windows\system32\winlogon.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773507e0 5 bytes JMP 000000007fff0330 .text C:\Windows\system32\winlogon.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077350880 5 bytes JMP 000000007fff0240 .text C:\Windows\system32\winlogon.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077350b40 5 bytes JMP 000000007fff01e0 .text C:\Windows\system32\winlogon.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077350c00 5 bytes JMP 000000007fff0250 .text C:\Windows\system32\winlogon.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077350c30 5 bytes JMP 000000007fff03b0 .text C:\Windows\system32\winlogon.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077350c40 5 bytes JMP 000000007fff03c0 .text C:\Windows\system32\winlogon.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077350c70 1 byte JMP 000000007fff0300 .text C:\Windows\system32\winlogon.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair + 2 0000000077350c72 3 bytes {JMP 0x8c9f690} .text C:\Windows\system32\winlogon.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 
0000000077350c80 5 bytes JMP 000000007fff0360 .text C:\Windows\system32\winlogon.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077350ce0 5 bytes JMP 000000007fff02a0 .text C:\Windows\system32\winlogon.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077350d30 1 byte JMP 000000007fff02c0 .text C:\Windows\system32\winlogon.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 2 0000000077350d32 3 bytes {JMP 0x8c9f590} .text C:\Windows\system32\winlogon.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077350d70 5 bytes JMP 000000007fff0340 .text C:\Windows\system32\winlogon.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077351260 5 bytes JMP 000000007fff0260 .text C:\Windows\system32\winlogon.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077351270 5 bytes JMP 000000007fff0270 .text C:\Windows\system32\winlogon.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077351440 5 bytes JMP 000000007fff01f0 .text C:\Windows\system32\winlogon.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077351450 5 bytes JMP 000000007fff0210 .text C:\Windows\system32\winlogon.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773514c0 5 bytes JMP 000000007fff0200 .text C:\Windows\system32\winlogon.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077351540 5 bytes JMP 000000007fff0220 .text C:\Windows\system32\winlogon.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077351620 5 bytes JMP 000000007fff0280 .text C:\Windows\system32\winlogon.exe[892] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007713f1bd 1 byte [62] .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077322ef0 5 bytes JMP 00000001001e075c .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077334770 5 bytes JMP 00000001001e03a4 .text C:\Windows\System32\svchost.exe[1012] 
C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007734fe00 4 bytes JMP 000000007fff0380 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007734fe50 5 bytes JMP 000000007fff0370 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007734fed0 5 bytes JMP 00000001001e0b14 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007734ff30 5 bytes JMP 00000001001e0ecc .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077350000 1 byte JMP 000000007fff0390 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077350002 3 bytes {JMP 0x8ca0390} .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773500c0 5 bytes JMP 000000007fff0320 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077350150 1 byte JMP 000000007fff02e0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 2 0000000077350152 3 bytes {JMP 0x8ca0190} .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773501d0 5 bytes JMP 000000007fff02d0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773501f0 5 bytes JMP 000000007fff0310 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077350250 5 bytes JMP 00000001001e1284 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773503e0 5 bytes JMP 000000007fff0230 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773505a0 5 bytes JMP 000000007fff03a0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 
00000000773506b0 5 bytes JMP 000000007fff02f0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773506c0 1 byte JMP 000000007fff0350 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion + 2 00000000773506c2 3 bytes {JMP 0x8c9fc90} .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077350720 5 bytes JMP 000000007fff0290 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773507b0 5 bytes JMP 000000007fff02b0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773507e0 5 bytes JMP 000000007fff0330 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077350880 5 bytes JMP 000000007fff0240 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077350b40 5 bytes JMP 000000007fff01e0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077350c00 5 bytes JMP 000000007fff0250 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077350c30 5 bytes JMP 000000007fff03b0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077350c40 5 bytes JMP 000000007fff03c0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077350c70 1 byte JMP 000000007fff0300 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair + 2 0000000077350c72 3 bytes {JMP 0x8c9f690} .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077350c80 5 bytes JMP 000000007fff0360 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077350ce0 5 bytes JMP 000000007fff02a0 .text 
C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077350d30 1 byte JMP 000000007fff02c0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 2 0000000077350d32 3 bytes {JMP 0x8c9f590} .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077350d70 5 bytes JMP 000000007fff0340 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077351260 5 bytes JMP 000000007fff0260 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077351270 5 bytes JMP 000000007fff0270 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077351440 5 bytes JMP 000000007fff01f0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077351450 5 bytes JMP 000000007fff0210 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773514c0 5 bytes JMP 000000007fff0200 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077351540 5 bytes JMP 000000007fff0220 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077351620 5 bytes JMP 000000007fff0280 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007713f1bd 1 byte [62] .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd7a6e00 5 bytes JMP 000007ff7d7c1dac .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd7a6f2c 5 bytes JMP 000007ff7d7c0ecc .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd7a7220 5 bytes JMP 000007ff7d7c1284 .text C:\Windows\System32\svchost.exe[1012] 
C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd7a739c 5 bytes JMP 000007ff7d7c163c .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd7a7538 5 bytes JMP 000007ff7d7c19f4 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd7a75e8 5 bytes JMP 000007ff7d7c03a4 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd7a790c 5 bytes JMP 000007ff7d7c075c .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefd7a7ab4 5 bytes JMP 000007ff7d7c0b14 .text C:\Windows\System32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077322ef0 5 bytes JMP 000000010044075c .text C:\Windows\System32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077334770 5 bytes JMP 00000001004403a4 .text C:\Windows\System32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007734fe00 4 bytes JMP 000000007fff0380 .text C:\Windows\System32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007734fe50 5 bytes JMP 000000007fff0370 .text C:\Windows\System32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007734fed0 5 bytes JMP 0000000100440b14 .text C:\Windows\System32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007734ff30 5 bytes JMP 0000000100440ecc .text C:\Windows\System32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077350000 1 byte JMP 000000007fff0390 .text C:\Windows\System32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077350002 3 bytes {JMP 0x8ca0390} .text C:\Windows\System32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773500c0 5 bytes JMP 000000007fff0320 .text C:\Windows\System32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077350150 1 
byte JMP 000000007fff02e0 .text C:\Windows\System32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 2 0000000077350152 3 bytes {JMP 0x8ca0190} .text C:\Windows\System32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773501d0 5 bytes JMP 000000007fff02d0 .text C:\Windows\System32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773501f0 5 bytes JMP 000000007fff0310 .text C:\Windows\System32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077350250 5 bytes JMP 0000000100441284 .text C:\Windows\System32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773503e0 5 bytes JMP 000000007fff0230 .text C:\Windows\System32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773505a0 5 bytes JMP 000000007fff03a0 .text C:\Windows\System32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773506b0 5 bytes JMP 000000007fff02f0 .text C:\Windows\System32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773506c0 1 byte JMP 000000007fff0350 .text C:\Windows\System32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion + 2 00000000773506c2 3 bytes {JMP 0x8c9fc90} .text C:\Windows\System32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077350720 5 bytes JMP 000000007fff0290 .text C:\Windows\System32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773507b0 5 bytes JMP 000000007fff02b0 .text C:\Windows\System32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773507e0 5 bytes JMP 000000007fff0330 .text C:\Windows\System32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077350880 5 bytes JMP 000000007fff0240 .text C:\Windows\System32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077350b40 5 bytes JMP 000000007fff01e0 .text C:\Windows\System32\svchost.exe[612] 
C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077350c00 5 bytes JMP 000000007fff0250 .text C:\Windows\System32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077350c30 5 bytes JMP 000000007fff03b0 .text C:\Windows\System32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077350c40 5 bytes JMP 000000007fff03c0 .text C:\Windows\System32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077350c70 1 byte JMP 000000007fff0300 .text C:\Windows\System32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair + 2 0000000077350c72 3 bytes {JMP 0x8c9f690} .text C:\Windows\System32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077350c80 5 bytes JMP 000000007fff0360 .text C:\Windows\System32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077350ce0 5 bytes JMP 000000007fff02a0 .text C:\Windows\System32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077350d30 1 byte JMP 000000007fff02c0 .text C:\Windows\System32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 2 0000000077350d32 3 bytes {JMP 0x8c9f590} .text C:\Windows\System32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077350d70 5 bytes JMP 000000007fff0340 .text C:\Windows\System32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077351260 5 bytes JMP 000000007fff0260 .text C:\Windows\System32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077351270 5 bytes JMP 000000007fff0270 .text C:\Windows\System32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077351440 5 bytes JMP 000000007fff01f0 .text C:\Windows\System32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077351450 5 bytes JMP 000000007fff0210 .text C:\Windows\System32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773514c0 5 bytes JMP 
000000007fff0200 .text C:\Windows\System32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077351540 5 bytes JMP 000000007fff0220 .text C:\Windows\System32\svchost.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077351620 5 bytes JMP 000000007fff0280 .text C:\Windows\System32\svchost.exe[612] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007713f1bd 1 byte [62] .text C:\Windows\system32\svchost.exe[656] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077322ef0 5 bytes JMP 000000010010075c .text C:\Windows\system32\svchost.exe[656] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077334770 5 bytes JMP 00000001001003a4 .text C:\Windows\system32\svchost.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007734fe00 4 bytes JMP 000000007fff0380 .text C:\Windows\system32\svchost.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007734fe50 5 bytes JMP 000000007fff0370 .text C:\Windows\system32\svchost.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007734fed0 5 bytes JMP 0000000100100b14 .text C:\Windows\system32\svchost.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007734ff30 5 bytes JMP 0000000100100ecc .text C:\Windows\system32\svchost.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077350000 1 byte JMP 000000007fff0390 .text C:\Windows\system32\svchost.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077350002 3 bytes {JMP 0x8ca0390} .text C:\Windows\system32\svchost.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773500c0 5 bytes JMP 000000007fff0320 .text C:\Windows\system32\svchost.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077350150 1 byte JMP 000000007fff02e0 .text C:\Windows\system32\svchost.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 2 0000000077350152 3 bytes {JMP 0x8ca0190} .text C:\Windows\system32\svchost.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 
00000000773501d0 5 bytes JMP 000000007fff02d0 .text C:\Windows\system32\svchost.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773501f0 5 bytes JMP 000000007fff0310 .text C:\Windows\system32\svchost.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077350250 5 bytes JMP 0000000100101284 .text C:\Windows\system32\svchost.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773503e0 5 bytes JMP 000000007fff0230 .text C:\Windows\system32\svchost.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773505a0 5 bytes JMP 000000007fff03a0 .text C:\Windows\system32\svchost.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773506b0 5 bytes JMP 000000007fff02f0 .text C:\Windows\system32\svchost.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773506c0 1 byte JMP 000000007fff0350 .text C:\Windows\system32\svchost.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion + 2 00000000773506c2 3 bytes {JMP 0x8c9fc90} .text C:\Windows\system32\svchost.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077350720 5 bytes JMP 000000007fff0290 .text C:\Windows\system32\svchost.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773507b0 5 bytes JMP 000000007fff02b0 .text C:\Windows\system32\svchost.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773507e0 5 bytes JMP 000000007fff0330 .text C:\Windows\system32\svchost.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077350880 5 bytes JMP 000000007fff0240 .text C:\Windows\system32\svchost.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077350b40 5 bytes JMP 000000007fff01e0 .text C:\Windows\system32\svchost.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077350c00 5 bytes JMP 000000007fff0250 .text C:\Windows\system32\svchost.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077350c30 5 bytes JMP 000000007fff03b0 .text 
C:\Windows\system32\svchost.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077350c40 5 bytes JMP 000000007fff03c0 .text C:\Windows\system32\svchost.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077350c70 1 byte JMP 000000007fff0300 .text C:\Windows\system32\svchost.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair + 2 0000000077350c72 3 bytes {JMP 0x8c9f690} .text C:\Windows\system32\svchost.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077350c80 5 bytes JMP 000000007fff0360 .text C:\Windows\system32\svchost.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077350ce0 5 bytes JMP 000000007fff02a0 .text C:\Windows\system32\svchost.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077350d30 1 byte JMP 000000007fff02c0 .text C:\Windows\system32\svchost.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 2 0000000077350d32 3 bytes {JMP 0x8c9f590} .text C:\Windows\system32\svchost.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077350d70 5 bytes JMP 000000007fff0340 .text C:\Windows\system32\svchost.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077351260 5 bytes JMP 000000007fff0260 .text C:\Windows\system32\svchost.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077351270 5 bytes JMP 000000007fff0270 .text C:\Windows\system32\svchost.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077351440 5 bytes JMP 000000007fff01f0 .text C:\Windows\system32\svchost.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077351450 5 bytes JMP 000000007fff0210 .text C:\Windows\system32\svchost.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773514c0 5 bytes JMP 000000007fff0200 .text C:\Windows\system32\svchost.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077351540 5 bytes JMP 000000007fff0220 .text C:\Windows\system32\svchost.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 
0000000077351620 5 bytes JMP 000000007fff0280 .text C:\Windows\system32\svchost.exe[656] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007713f1bd 1 byte [62] .text C:\Windows\system32\svchost.exe[656] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd7a6e00 5 bytes JMP 000007ff7d7c1dac .text C:\Windows\system32\svchost.exe[656] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd7a6f2c 5 bytes JMP 000007ff7d7c0ecc .text C:\Windows\system32\svchost.exe[656] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd7a7220 5 bytes JMP 000007ff7d7c1284 .text C:\Windows\system32\svchost.exe[656] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd7a739c 5 bytes JMP 000007ff7d7c163c .text C:\Windows\system32\svchost.exe[656] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd7a7538 5 bytes JMP 000007ff7d7c19f4 .text C:\Windows\system32\svchost.exe[656] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd7a75e8 5 bytes JMP 000007ff7d7c03a4 .text C:\Windows\system32\svchost.exe[656] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd7a790c 5 bytes JMP 000007ff7d7c075c .text C:\Windows\system32\svchost.exe[656] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefd7a7ab4 5 bytes JMP 000007ff7d7c0b14 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077322ef0 5 bytes JMP 00000001001c075c .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077334770 5 bytes JMP 00000001001c03a4 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007734fe00 4 bytes JMP 000000007fff0380 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007734fe50 5 bytes JMP 000000007fff0370 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007734fed0 5 bytes JMP 00000001001c0b14 .text 
C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007734ff30 5 bytes JMP 00000001001c0ecc .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077350000 1 byte JMP 000000007fff0390 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077350002 3 bytes {JMP 0x8ca0390} .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773500c0 5 bytes JMP 000000007fff0320 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077350150 1 byte JMP 000000007fff02e0 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 2 0000000077350152 3 bytes {JMP 0x8ca0190} .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773501d0 5 bytes JMP 000000007fff02d0 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773501f0 5 bytes JMP 000000007fff0310 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077350250 5 bytes JMP 00000001001c1284 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773503e0 5 bytes JMP 000000007fff0230 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773505a0 5 bytes JMP 000000007fff03a0 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773506b0 5 bytes JMP 000000007fff02f0 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773506c0 1 byte JMP 000000007fff0350 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion + 2 00000000773506c2 3 bytes {JMP 0x8c9fc90} .text C:\Windows\system32\svchost.exe[1120] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077350720 5 bytes JMP 000000007fff0290 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773507b0 5 bytes JMP 000000007fff02b0 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773507e0 5 bytes JMP 000000007fff0330 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077350880 5 bytes JMP 000000007fff0240 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077350b40 5 bytes JMP 000000007fff01e0 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077350c00 5 bytes JMP 000000007fff0250 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077350c30 5 bytes JMP 000000007fff03b0 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077350c40 5 bytes JMP 000000007fff03c0 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077350c70 1 byte JMP 000000007fff0300 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair + 2 0000000077350c72 3 bytes {JMP 0x8c9f690} .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077350c80 5 bytes JMP 000000007fff0360 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077350ce0 5 bytes JMP 000000007fff02a0 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077350d30 1 byte JMP 000000007fff02c0 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 2 0000000077350d32 3 bytes {JMP 0x8c9f590} .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077350d70 5 bytes JMP 
000000007fff0340 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077351260 5 bytes JMP 000000007fff0260 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077351270 5 bytes JMP 000000007fff0270 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077351440 5 bytes JMP 000000007fff01f0 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077351450 5 bytes JMP 000000007fff0210 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773514c0 5 bytes JMP 000000007fff0200 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077351540 5 bytes JMP 000000007fff0220 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077351620 5 bytes JMP 000000007fff0280 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007713f1bd 1 byte [62] .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077322ef0 5 bytes JMP 000000010042075c .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077334770 5 bytes JMP 00000001004203a4 .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007734fe00 4 bytes JMP 000000007fff0380 .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007734fe50 5 bytes JMP 000000007fff0370 .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007734fed0 5 bytes JMP 0000000100420b14 .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007734ff30 5 bytes JMP 0000000100420ecc .text C:\Windows\system32\svchost.exe[1228] 
C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077350000 1 byte JMP 000000007fff0390 .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077350002 3 bytes {JMP 0x8ca0390} .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773500c0 5 bytes JMP 000000007fff0320 .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077350150 1 byte JMP 000000007fff02e0 .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 2 0000000077350152 3 bytes {JMP 0x8ca0190} .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773501d0 5 bytes JMP 000000007fff02d0 .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773501f0 5 bytes JMP 000000007fff0310 .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077350250 5 bytes JMP 0000000100421284 .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773503e0 5 bytes JMP 000000007fff0230 .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773505a0 5 bytes JMP 000000007fff03a0 .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773506b0 5 bytes JMP 000000007fff02f0 .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773506c0 1 byte JMP 000000007fff0350 .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion + 2 00000000773506c2 3 bytes {JMP 0x8c9fc90} .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077350720 5 bytes JMP 000000007fff0290 .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773507b0 5 
bytes JMP 000000007fff02b0 .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773507e0 5 bytes JMP 000000007fff0330 .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077350880 5 bytes JMP 000000007fff0240 .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077350b40 5 bytes JMP 000000007fff01e0 .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077350c00 5 bytes JMP 000000007fff0250 .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077350c30 5 bytes JMP 000000007fff03b0 .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077350c40 5 bytes JMP 000000007fff03c0 .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077350c70 1 byte JMP 000000007fff0300 .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair + 2 0000000077350c72 3 bytes {JMP 0x8c9f690} .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077350c80 5 bytes JMP 000000007fff0360 .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077350ce0 5 bytes JMP 000000007fff02a0 .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077350d30 1 byte JMP 000000007fff02c0 .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 2 0000000077350d32 3 bytes {JMP 0x8c9f590} .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077350d70 5 bytes JMP 000000007fff0340 .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077351260 5 bytes JMP 000000007fff0260 .text C:\Windows\system32\svchost.exe[1228] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077351270 5 bytes JMP 000000007fff0270 .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077351440 5 bytes JMP 000000007fff01f0 .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077351450 5 bytes JMP 000000007fff0210 .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773514c0 5 bytes JMP 000000007fff0200 .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077351540 5 bytes JMP 000000007fff0220 .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077351620 5 bytes JMP 000000007fff0280 .text C:\Windows\system32\svchost.exe[1228] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007713f1bd 1 byte [62] .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd7a6e00 5 bytes JMP 000007ff7d7c1dac .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd7a6f2c 5 bytes JMP 000007ff7d7c0ecc .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd7a7220 5 bytes JMP 000007ff7d7c1284 .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd7a739c 5 bytes JMP 000007ff7d7c163c .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd7a7538 5 bytes JMP 000007ff7d7c19f4 .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd7a75e8 5 bytes JMP 000007ff7d7c03a4 .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd7a790c 5 bytes JMP 000007ff7d7c075c .text C:\Windows\system32\svchost.exe[1228] 
C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefd7a7ab4 5 bytes JMP 000007ff7d7c0b14 .text C:\Windows\system32\Dwm.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077322ef0 5 bytes JMP 00000001003e075c .text C:\Windows\system32\Dwm.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077334770 5 bytes JMP 00000001003e03a4 .text C:\Windows\system32\Dwm.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007734fe00 4 bytes JMP 000000007fff0380 .text C:\Windows\system32\Dwm.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007734fe50 5 bytes JMP 000000007fff0370 .text C:\Windows\system32\Dwm.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007734fed0 5 bytes JMP 00000001003e0b14 .text C:\Windows\system32\Dwm.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007734ff30 5 bytes JMP 00000001003e0ecc .text C:\Windows\system32\Dwm.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077350000 1 byte JMP 000000007fff0390 .text C:\Windows\system32\Dwm.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077350002 3 bytes {JMP 0x8ca0390} .text C:\Windows\system32\Dwm.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773500c0 5 bytes JMP 000000007fff0320 .text C:\Windows\system32\Dwm.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077350150 1 byte JMP 000000007fff02e0 .text C:\Windows\system32\Dwm.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 2 0000000077350152 3 bytes {JMP 0x8ca0190} .text C:\Windows\system32\Dwm.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773501d0 5 bytes JMP 000000007fff02d0 .text C:\Windows\system32\Dwm.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773501f0 5 bytes JMP 000000007fff0310 .text C:\Windows\system32\Dwm.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077350250 5 bytes JMP 00000001003e1284 .text C:\Windows\system32\Dwm.exe[1528] 
C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773503e0 5 bytes JMP 000000007fff0230 .text C:\Windows\system32\Dwm.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773505a0 5 bytes JMP 000000007fff03a0 .text C:\Windows\system32\Dwm.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773506b0 5 bytes JMP 000000007fff02f0 .text C:\Windows\system32\Dwm.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773506c0 1 byte JMP 000000007fff0350 .text C:\Windows\system32\Dwm.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion + 2 00000000773506c2 3 bytes {JMP 0x8c9fc90} .text C:\Windows\system32\Dwm.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077350720 5 bytes JMP 000000007fff0290 .text C:\Windows\system32\Dwm.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773507b0 5 bytes JMP 000000007fff02b0 .text C:\Windows\system32\Dwm.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773507e0 5 bytes JMP 000000007fff0330 .text C:\Windows\system32\Dwm.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077350880 5 bytes JMP 000000007fff0240 .text C:\Windows\system32\Dwm.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077350b40 5 bytes JMP 000000007fff01e0 .text C:\Windows\system32\Dwm.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077350c00 5 bytes JMP 000000007fff0250 .text C:\Windows\system32\Dwm.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077350c30 5 bytes JMP 000000007fff03b0 .text C:\Windows\system32\Dwm.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077350c40 5 bytes JMP 000000007fff03c0 .text C:\Windows\system32\Dwm.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077350c70 1 byte JMP 000000007fff0300 .text C:\Windows\system32\Dwm.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair + 2 0000000077350c72 3 bytes {JMP 0x8c9f690} .text 
C:\Windows\system32\Dwm.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077350c80 5 bytes JMP 000000007fff0360 .text C:\Windows\system32\Dwm.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077350ce0 5 bytes JMP 000000007fff02a0 .text C:\Windows\system32\Dwm.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077350d30 1 byte JMP 000000007fff02c0 .text C:\Windows\system32\Dwm.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 2 0000000077350d32 3 bytes {JMP 0x8c9f590} .text C:\Windows\system32\Dwm.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077350d70 5 bytes JMP 000000007fff0340 .text C:\Windows\system32\Dwm.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077351260 5 bytes JMP 000000007fff0260 .text C:\Windows\system32\Dwm.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077351270 5 bytes JMP 000000007fff0270 .text C:\Windows\system32\Dwm.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077351440 5 bytes JMP 000000007fff01f0 .text C:\Windows\system32\Dwm.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077351450 5 bytes JMP 000000007fff0210 .text C:\Windows\system32\Dwm.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773514c0 5 bytes JMP 000000007fff0200 .text C:\Windows\system32\Dwm.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077351540 5 bytes JMP 000000007fff0220 .text C:\Windows\system32\Dwm.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077351620 5 bytes JMP 000000007fff0280 .text C:\Windows\Explorer.EXE[1552] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077322ef0 5 bytes JMP 00000001001f075c .text C:\Windows\Explorer.EXE[1552] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077334770 5 bytes JMP 00000001001f03a4 .text C:\Windows\Explorer.EXE[1552] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007734fe00 4 bytes JMP 000000007fff0380 .text 
C:\Windows\Explorer.EXE[1552] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007734fe50 5 bytes JMP 000000007fff0370 .text C:\Windows\Explorer.EXE[1552] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007734fed0 5 bytes JMP 00000001001f0b14 .text C:\Windows\Explorer.EXE[1552] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007734ff30 5 bytes JMP 00000001001f0ecc .text C:\Windows\Explorer.EXE[1552] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077350000 1 byte JMP 000000007fff0390 .text C:\Windows\Explorer.EXE[1552] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077350002 3 bytes {JMP 0x8ca0390} .text C:\Windows\Explorer.EXE[1552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773500c0 5 bytes JMP 000000007fff0320 .text C:\Windows\Explorer.EXE[1552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077350150 1 byte JMP 000000007fff02e0 .text C:\Windows\Explorer.EXE[1552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 2 0000000077350152 3 bytes {JMP 0x8ca0190} .text C:\Windows\Explorer.EXE[1552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773501d0 5 bytes JMP 000000007fff02d0 .text C:\Windows\Explorer.EXE[1552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773501f0 5 bytes JMP 000000007fff0310 .text C:\Windows\Explorer.EXE[1552] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077350250 5 bytes JMP 00000001001f1284 .text C:\Windows\Explorer.EXE[1552] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773503e0 5 bytes JMP 000000007fff0230 .text C:\Windows\Explorer.EXE[1552] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773505a0 5 bytes JMP 000000007fff03a0 .text C:\Windows\Explorer.EXE[1552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773506b0 5 bytes JMP 000000007fff02f0 .text C:\Windows\Explorer.EXE[1552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773506c0 1 byte JMP 000000007fff0350 .text C:\Windows\Explorer.EXE[1552] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion + 2 00000000773506c2 3 bytes {JMP 0x8c9fc90} .text C:\Windows\Explorer.EXE[1552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077350720 5 bytes JMP 000000007fff0290 .text C:\Windows\Explorer.EXE[1552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773507b0 5 bytes JMP 000000007fff02b0 .text C:\Windows\Explorer.EXE[1552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773507e0 5 bytes JMP 000000007fff0330 .text C:\Windows\Explorer.EXE[1552] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077350880 5 bytes JMP 000000007fff0240 .text C:\Windows\Explorer.EXE[1552] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077350b40 5 bytes JMP 000000007fff01e0 .text C:\Windows\Explorer.EXE[1552] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077350c00 5 bytes JMP 000000007fff0250 .text C:\Windows\Explorer.EXE[1552] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077350c30 5 bytes JMP 000000007fff03b0 .text C:\Windows\Explorer.EXE[1552] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077350c40 5 bytes JMP 000000007fff03c0 .text C:\Windows\Explorer.EXE[1552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077350c70 1 byte JMP 000000007fff0300 .text C:\Windows\Explorer.EXE[1552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair + 2 0000000077350c72 3 bytes {JMP 0x8c9f690} .text C:\Windows\Explorer.EXE[1552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077350c80 5 bytes JMP 000000007fff0360 .text C:\Windows\Explorer.EXE[1552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077350ce0 5 bytes JMP 000000007fff02a0 .text C:\Windows\Explorer.EXE[1552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077350d30 1 byte JMP 000000007fff02c0 .text C:\Windows\Explorer.EXE[1552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 2 0000000077350d32 3 bytes {JMP 0x8c9f590} .text C:\Windows\Explorer.EXE[1552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077350d70 5 bytes 
JMP 000000007fff0340 .text C:\Windows\Explorer.EXE[1552] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077351260 5 bytes JMP 000000007fff0260 .text C:\Windows\Explorer.EXE[1552] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077351270 5 bytes JMP 000000007fff0270 .text C:\Windows\Explorer.EXE[1552] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077351440 5 bytes JMP 000000007fff01f0 .text C:\Windows\Explorer.EXE[1552] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077351450 5 bytes JMP 000000007fff0210 .text C:\Windows\Explorer.EXE[1552] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773514c0 5 bytes JMP 000000007fff0200 .text C:\Windows\Explorer.EXE[1552] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077351540 5 bytes JMP 000000007fff0220 .text C:\Windows\Explorer.EXE[1552] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077351620 5 bytes JMP 000000007fff0280 .text C:\Windows\Explorer.EXE[1552] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007713f1bd 1 byte [62] .text C:\Windows\Explorer.EXE[1552] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd7a6e00 5 bytes JMP 000007ff7d7c1dac .text C:\Windows\Explorer.EXE[1552] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd7a6f2c 5 bytes JMP 000007ff7d7c0ecc .text C:\Windows\Explorer.EXE[1552] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd7a7220 5 bytes JMP 000007ff7d7c1284 .text C:\Windows\Explorer.EXE[1552] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd7a739c 5 bytes JMP 000007ff7d7c163c .text C:\Windows\Explorer.EXE[1552] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd7a7538 5 bytes JMP 000007ff7d7c19f4 .text C:\Windows\Explorer.EXE[1552] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd7a75e8 5 bytes JMP 000007ff7d7c03a4 .text C:\Windows\Explorer.EXE[1552] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd7a790c 5 bytes JMP 000007ff7d7c075c 
.text C:\Windows\Explorer.EXE[1552] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefd7a7ab4 5 bytes JMP 000007ff7d7c0b14 .text C:\Program Files (x86)\Toshiba TEMPRO\TemproTray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007734fe00 5 bytes JMP 00000000774b0380 .text C:\Program Files (x86)\Toshiba TEMPRO\TemproTray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007734fe50 5 bytes JMP 00000000774b0370 .text C:\Program Files (x86)\Toshiba TEMPRO\TemproTray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077350000 1 byte JMP 00000000774b0390 .text C:\Program Files (x86)\Toshiba TEMPRO\TemproTray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077350002 3 bytes {JMP 0x160390} .text C:\Program Files (x86)\Toshiba TEMPRO\TemproTray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773500c0 5 bytes JMP 00000000774b0320 .text C:\Program Files (x86)\Toshiba TEMPRO\TemproTray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077350150 1 byte JMP 00000000774b02e0 .text C:\Program Files (x86)\Toshiba TEMPRO\TemproTray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 2 0000000077350152 3 bytes {JMP 0x160190} .text C:\Program Files (x86)\Toshiba TEMPRO\TemproTray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773501d0 5 bytes JMP 00000000774b02d0 .text C:\Program Files (x86)\Toshiba TEMPRO\TemproTray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773501f0 5 bytes JMP 00000000774b0310 .text C:\Program Files (x86)\Toshiba TEMPRO\TemproTray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773503e0 5 bytes JMP 00000000774b0230 .text C:\Program Files (x86)\Toshiba TEMPRO\TemproTray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773505a0 5 bytes JMP 00000000774b03a0 .text C:\Program Files (x86)\Toshiba TEMPRO\TemproTray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773506b0 
5 bytes JMP 00000000774b02f0 .text C:\Program Files (x86)\Toshiba TEMPRO\TemproTray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773506c0 1 byte JMP 00000000774b0350 .text C:\Program Files (x86)\Toshiba TEMPRO\TemproTray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion + 2 00000000773506c2 3 bytes {JMP 0x15fc90} .text C:\Program Files (x86)\Toshiba TEMPRO\TemproTray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077350720 5 bytes JMP 00000000774b0290 .text C:\Program Files (x86)\Toshiba TEMPRO\TemproTray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773507b0 5 bytes JMP 00000000774b02b0 .text C:\Program Files (x86)\Toshiba TEMPRO\TemproTray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773507e0 5 bytes JMP 00000000774b0330 .text C:\Program Files (x86)\Toshiba TEMPRO\TemproTray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077350880 5 bytes JMP 00000000774b0240 .text C:\Program Files (x86)\Toshiba TEMPRO\TemproTray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077350b40 5 bytes JMP 00000000774b01e0 .text C:\Program Files (x86)\Toshiba TEMPRO\TemproTray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077350c00 5 bytes JMP 00000000774b0250 .text C:\Program Files (x86)\Toshiba TEMPRO\TemproTray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077350c30 5 bytes JMP 00000000774b03b0 .text C:\Program Files (x86)\Toshiba TEMPRO\TemproTray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077350c40 5 bytes JMP 00000000774b03c0 .text C:\Program Files (x86)\Toshiba TEMPRO\TemproTray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077350c70 1 byte JMP 00000000774b0300 .text C:\Program Files (x86)\Toshiba TEMPRO\TemproTray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair + 2 0000000077350c72 3 bytes {JMP 0x15f690} .text C:\Program Files (x86)\Toshiba TEMPRO\TemproTray.exe[2028] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077350c80 5 bytes JMP 00000000774b0360 .text C:\Program Files (x86)\Toshiba TEMPRO\TemproTray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077350ce0 5 bytes JMP 00000000774b02a0 .text C:\Program Files (x86)\Toshiba TEMPRO\TemproTray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077350d30 1 byte JMP 00000000774b02c0 .text C:\Program Files (x86)\Toshiba TEMPRO\TemproTray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 2 0000000077350d32 3 bytes {JMP 0x15f590} .text C:\Program Files (x86)\Toshiba TEMPRO\TemproTray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077350d70 5 bytes JMP 00000000774b0340 .text C:\Program Files (x86)\Toshiba TEMPRO\TemproTray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077351260 5 bytes JMP 00000000774b0260 .text C:\Program Files (x86)\Toshiba TEMPRO\TemproTray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077351270 5 bytes JMP 00000000774b0270 .text C:\Program Files (x86)\Toshiba TEMPRO\TemproTray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077351440 5 bytes JMP 00000000774b01f0 .text C:\Program Files (x86)\Toshiba TEMPRO\TemproTray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077351450 5 bytes JMP 00000000774b0210 .text C:\Program Files (x86)\Toshiba TEMPRO\TemproTray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773514c0 5 bytes JMP 00000000774b0200 .text C:\Program Files (x86)\Toshiba TEMPRO\TemproTray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077351540 5 bytes JMP 00000000774b0220 .text C:\Program Files (x86)\Toshiba TEMPRO\TemproTray.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077351620 5 bytes JMP 00000000774b0280 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe[2448] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000774ffa50 5 bytes JMP 
00000001001c0600 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe[2448] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000774ffae8 5 bytes JMP 00000001001c0804 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe[2448] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000774fffc8 5 bytes JMP 00000001001c0a08 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe[2448] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007751c096 5 bytes JMP 00000001001c01f8 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe[2448] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077521087 5 bytes JMP 00000001001c03fc .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe[2448] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000752cb0c5 1 byte [62] .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe[2448] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000753af0e6 5 bytes JMP 00000001008201f8 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe[2448] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000753b3907 5 bytes JMP 00000001008203fc .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe[2448] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000753b8364 5 bytes JMP 0000000100820600 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe[2448] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000753c06b3 5 bytes JMP 0000000100820804 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe[2448] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000753d0efc 5 bytes JMP 0000000100820a08 .text C:\Windows\SysWOW64\ntdll.dll[3924] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000774ffa50 5 bytes JMP 00000001001c0600 .text C:\Windows\SysWOW64\ntdll.dll[3924] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000774ffae8 5 
bytes JMP 00000001001c0804 .text C:\Windows\SysWOW64\ntdll.dll[3924] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000774fffc8 5 bytes JMP 00000001001c0a08 .text C:\Windows\SysWOW64\ntdll.dll[3924] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007751c096 5 bytes JMP 00000001001c01f8 .text C:\Windows\SysWOW64\ntdll.dll[3924] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077521087 5 bytes JMP 00000001001c03fc .text C:\Windows\SysWOW64\ntdll.dll[3924] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000752cb0c5 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077322ef0 5 bytes JMP 00000001001e075c .text C:\Windows\system32\SearchIndexer.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077334770 5 bytes JMP 00000001001e03a4 .text C:\Windows\system32\SearchIndexer.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007734fe00 4 bytes JMP 000000007fff0380 .text C:\Windows\system32\SearchIndexer.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007734fe50 5 bytes JMP 000000007fff0370 .text C:\Windows\system32\SearchIndexer.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007734fed0 5 bytes JMP 00000001001e0b14 .text C:\Windows\system32\SearchIndexer.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007734ff30 5 bytes JMP 00000001001e0ecc .text C:\Windows\system32\SearchIndexer.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077350000 1 byte JMP 000000007fff0390 .text C:\Windows\system32\SearchIndexer.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077350002 3 bytes {JMP 0x8ca0390} .text C:\Windows\system32\SearchIndexer.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773500c0 5 bytes JMP 000000007fff0320 .text C:\Windows\system32\SearchIndexer.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077350150 1 byte JMP 000000007fff02e0 .text 
C:\Windows\system32\SearchIndexer.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 2 0000000077350152 3 bytes {JMP 0x8ca0190} .text C:\Windows\system32\SearchIndexer.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773501d0 5 bytes JMP 000000007fff02d0 .text C:\Windows\system32\SearchIndexer.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773501f0 5 bytes JMP 000000007fff0310 .text C:\Windows\system32\SearchIndexer.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077350250 5 bytes JMP 00000001001e1284 .text C:\Windows\system32\SearchIndexer.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773503e0 5 bytes JMP 000000007fff0230 .text C:\Windows\system32\SearchIndexer.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773505a0 5 bytes JMP 000000007fff03a0 .text C:\Windows\system32\SearchIndexer.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773506b0 5 bytes JMP 000000007fff02f0 .text C:\Windows\system32\SearchIndexer.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773506c0 1 byte JMP 000000007fff0350 .text C:\Windows\system32\SearchIndexer.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion + 2 00000000773506c2 3 bytes {JMP 0x8c9fc90} .text C:\Windows\system32\SearchIndexer.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077350720 5 bytes JMP 000000007fff0290 .text C:\Windows\system32\SearchIndexer.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773507b0 5 bytes JMP 000000007fff02b0 .text C:\Windows\system32\SearchIndexer.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773507e0 5 bytes JMP 000000007fff0330 .text C:\Windows\system32\SearchIndexer.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077350880 5 bytes JMP 000000007fff0240 .text C:\Windows\system32\SearchIndexer.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077350b40 5 bytes JMP 000000007fff01e0 
.text C:\Windows\system32\SearchIndexer.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077350c00 5 bytes JMP 000000007fff0250 .text C:\Windows\system32\SearchIndexer.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077350c30 5 bytes JMP 000000007fff03b0 .text C:\Windows\system32\SearchIndexer.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077350c40 5 bytes JMP 000000007fff03c0 .text C:\Windows\system32\SearchIndexer.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077350c70 1 byte JMP 000000007fff0300 .text C:\Windows\system32\SearchIndexer.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair + 2 0000000077350c72 3 bytes {JMP 0x8c9f690} .text C:\Windows\system32\SearchIndexer.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077350c80 5 bytes JMP 000000007fff0360 .text C:\Windows\system32\SearchIndexer.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077350ce0 5 bytes JMP 000000007fff02a0 .text C:\Windows\system32\SearchIndexer.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077350d30 1 byte JMP 000000007fff02c0 .text C:\Windows\system32\SearchIndexer.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 2 0000000077350d32 3 bytes {JMP 0x8c9f590} .text C:\Windows\system32\SearchIndexer.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077350d70 5 bytes JMP 000000007fff0340 .text C:\Windows\system32\SearchIndexer.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077351260 5 bytes JMP 000000007fff0260 .text C:\Windows\system32\SearchIndexer.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077351270 5 bytes JMP 000000007fff0270 .text C:\Windows\system32\SearchIndexer.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077351440 5 bytes JMP 000000007fff01f0 .text C:\Windows\system32\SearchIndexer.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077351450 5 bytes JMP 
000000007fff0210 .text C:\Windows\system32\SearchIndexer.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773514c0 5 bytes JMP 000000007fff0200 .text C:\Windows\system32\SearchIndexer.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077351540 5 bytes JMP 000000007fff0220 .text C:\Windows\system32\SearchIndexer.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077351620 5 bytes JMP 000000007fff0280 .text C:\Windows\system32\SearchIndexer.exe[5028] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007713f1bd 1 byte [62] .text C:\Program Files (x86)\TOSHIBA\ConfigFree\NDSTray.exe[5852] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000774ffa50 5 bytes JMP 00000001001c0600 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\NDSTray.exe[5852] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000774ffae8 5 bytes JMP 00000001001c0804 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\NDSTray.exe[5852] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000774fffc8 5 bytes JMP 00000001001c0a08 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\NDSTray.exe[5852] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007751c096 5 bytes JMP 00000001001c01f8 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\NDSTray.exe[5852] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077521087 5 bytes JMP 00000001001c03fc .text C:\Program Files (x86)\TOSHIBA\ConfigFree\NDSTray.exe[5852] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000752cb0c5 1 byte [62] .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtAvAC.exe[5300] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000774ffa50 5 bytes JMP 00000001001c0600 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtAvAC.exe[5300] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000774ffae8 5 bytes JMP 00000001001c0804 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtAvAC.exe[5300] 
C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000774fffc8 5 bytes JMP 00000001001c0a08 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtAvAC.exe[5300] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007751c096 5 bytes JMP 00000001001c01f8 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtAvAC.exe[5300] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077521087 5 bytes JMP 00000001001c03fc .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtAvAC.exe[5300] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000752cb0c5 1 byte [62] .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtAvAC.exe[5300] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000753af0e6 5 bytes JMP 00000001003e01f8 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtAvAC.exe[5300] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000753b3907 5 bytes JMP 00000001003e03fc .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtAvAC.exe[5300] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000753b8364 5 bytes JMP 00000001003e0600 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtAvAC.exe[5300] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000753c06b3 5 bytes JMP 00000001003e0804 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtAvAC.exe[5300] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000753d0efc 3 bytes JMP 00000001003e0a08 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtAvAC.exe[5300] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx + 4 00000000753d0f00 1 byte [8B] .text C:\Program Files (x86)\Safari\Safari.exe[5700] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000774ffa50 5 bytes JMP 0000000100080600 .text C:\Program Files (x86)\Safari\Safari.exe[5700] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000774ffae8 5 bytes JMP 0000000100080804 .text C:\Program Files (x86)\Safari\Safari.exe[5700] 
C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000774fffc8 5 bytes JMP 0000000100080a08 .text C:\Program Files (x86)\Safari\Safari.exe[5700] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007751c096 5 bytes JMP 00000001000801f8 .text C:\Program Files (x86)\Safari\Safari.exe[5700] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077521087 5 bytes JMP 00000001000803fc .text C:\Program Files (x86)\Safari\Safari.exe[5700] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000752cb0c5 1 byte [62] .text C:\Program Files (x86)\Safari\Safari.exe[5700] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000753af0e6 5 bytes JMP 00000001000901f8 .text C:\Program Files (x86)\Safari\Safari.exe[5700] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000753b3907 5 bytes JMP 00000001000903fc .text C:\Program Files (x86)\Safari\Safari.exe[5700] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000753b8364 5 bytes JMP 0000000100090600 .text C:\Program Files (x86)\Safari\Safari.exe[5700] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000753c06b3 5 bytes JMP 0000000100090804 .text C:\Program Files (x86)\Safari\Safari.exe[5700] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000753d0efc 5 bytes JMP 0000000100090a08 .text C:\Program Files (x86)\Safari\Safari.exe[5700] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075801401 2 bytes JMP 752beb26 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Safari\Safari.exe[5700] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075801419 2 bytes JMP 752cb513 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Safari\Safari.exe[5700] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075801431 2 bytes JMP 75348609 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Safari\Safari.exe[5700] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007580144a 2 bytes CALL 752a1dfa C:\Windows\syswow64\kernel32.dll .text ... 
* 9 .text C:\Program Files (x86)\Safari\Safari.exe[5700] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000758014dd 2 bytes JMP 75347efe C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Safari\Safari.exe[5700] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000758014f5 2 bytes JMP 753480d8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Safari\Safari.exe[5700] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007580150d 2 bytes JMP 75347df4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Safari\Safari.exe[5700] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075801525 2 bytes JMP 753481c2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Safari\Safari.exe[5700] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007580153d 2 bytes JMP 752bf088 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Safari\Safari.exe[5700] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075801555 2 bytes JMP 752cb885 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Safari\Safari.exe[5700] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007580156d 2 bytes JMP 753486c1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Safari\Safari.exe[5700] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075801585 2 bytes JMP 75348222 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Safari\Safari.exe[5700] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007580159d 2 bytes JMP 75347db8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Safari\Safari.exe[5700] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000758015b5 2 bytes JMP 752bf121 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Safari\Safari.exe[5700] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000758015cd 2 bytes JMP 752cb29f C:\Windows\syswow64\kernel32.dll .text C:\Program Files 
(x86)\Safari\Safari.exe[5700] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000758016b2 2 bytes JMP 75348584 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Safari\Safari.exe[5700] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000758016bd 2 bytes JMP 75347d4d C:\Windows\syswow64\kernel32.dll ? C:\Windows\system32\mssprxy.dll [5700] entry point in ".rdata" section 00000000694a71e6 .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[7108] C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE!wdCommandDispatch + 8 000000002f5518cc 2 bytes JMP 6a0d1275 C:\Program Files (x86)\Microsoft Office\Office12\wwlib.dll .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[7108] C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE!wdGetApplicationObject + 4 000000002f5518d2 2 bytes JMP 6a071c06 C:\Program Files (x86)\Microsoft Office\Office12\wwlib.dll .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[7108] C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE!wdGetApplicationObject + 166 000000002f551974 2 bytes [55, 2F] .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[7108] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000774ffa50 5 bytes JMP 0000000100090600 .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[7108] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000774ffae8 5 bytes JMP 0000000100090804 .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[7108] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000774fffc8 5 bytes JMP 0000000100090a08 .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[7108] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007751c096 5 bytes JMP 00000001000901f8 .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[7108] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077521087 5 bytes JMP 00000001000903fc .text C:\Program 
Files (x86)\Microsoft Office\Office12\WINWORD.EXE[7108] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000752ad03c 5 bytes JMP 000000016746531d .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[7108] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000752cb0c5 1 byte [62] .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[7108] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000765c5181 5 bytes JMP 0000000100111014 .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[7108] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000765c5254 5 bytes JMP 0000000100110804 .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[7108] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000765c53d5 5 bytes JMP 0000000100110a08 .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[7108] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000765c54c2 5 bytes JMP 0000000100110c0c .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[7108] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000765c55e2 5 bytes JMP 0000000100110e10 .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[7108] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000765c567c 5 bytes JMP 00000001001101f8 .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[7108] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000765c589f 5 bytes JMP 00000001001103fc .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[7108] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000765c5a22 5 bytes JMP 0000000100110600 .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[7108] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000753af0e6 5 bytes JMP 00000001001201f8 .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[7108] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000753b3907 5 bytes JMP 
00000001001203fc .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[7108] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000753b8364 5 bytes JMP 0000000100120600 .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[7108] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000753c06b3 5 bytes JMP 0000000100120804 .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[7108] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000753d0efc 5 bytes JMP 0000000100120a08 .text C:\Windows\splwow64.exe[6892] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077322ef0 5 bytes JMP 000000010015075c .text C:\Windows\splwow64.exe[6892] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077334770 5 bytes JMP 00000001001503a4 .text C:\Windows\splwow64.exe[6892] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007734fe00 4 bytes JMP 000000007fff0380 .text C:\Windows\splwow64.exe[6892] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007734fe50 5 bytes JMP 000000007fff0370 .text C:\Windows\splwow64.exe[6892] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007734fed0 5 bytes JMP 0000000100150b14 .text C:\Windows\splwow64.exe[6892] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007734ff30 5 bytes JMP 0000000100150ecc .text C:\Windows\splwow64.exe[6892] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077350000 1 byte JMP 000000007fff0390 .text C:\Windows\splwow64.exe[6892] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077350002 3 bytes {JMP 0x8ca0390} .text C:\Windows\splwow64.exe[6892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773500c0 5 bytes JMP 000000007fff0320 .text C:\Windows\splwow64.exe[6892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077350150 1 byte JMP 000000007fff02e0 .text C:\Windows\splwow64.exe[6892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 2 0000000077350152 3 bytes {JMP 0x8ca0190} .text C:\Windows\splwow64.exe[6892] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773501d0 5 bytes JMP 000000007fff02d0 .text C:\Windows\splwow64.exe[6892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773501f0 5 bytes JMP 000000007fff0310 .text C:\Windows\splwow64.exe[6892] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077350250 5 bytes JMP 0000000100151284 .text C:\Windows\splwow64.exe[6892] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773503e0 5 bytes JMP 000000007fff0230 .text C:\Windows\splwow64.exe[6892] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773505a0 5 bytes JMP 000000007fff03a0 .text C:\Windows\splwow64.exe[6892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773506b0 5 bytes JMP 000000007fff02f0 .text C:\Windows\splwow64.exe[6892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773506c0 1 byte JMP 000000007fff0350 .text C:\Windows\splwow64.exe[6892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion + 2 00000000773506c2 3 bytes {JMP 0x8c9fc90} .text C:\Windows\splwow64.exe[6892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077350720 5 bytes JMP 000000007fff0290 .text C:\Windows\splwow64.exe[6892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773507b0 5 bytes JMP 000000007fff02b0 .text C:\Windows\splwow64.exe[6892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773507e0 5 bytes JMP 000000007fff0330 .text C:\Windows\splwow64.exe[6892] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077350880 5 bytes JMP 000000007fff0240 .text C:\Windows\splwow64.exe[6892] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077350b40 5 bytes JMP 000000007fff01e0 .text C:\Windows\splwow64.exe[6892] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077350c00 5 bytes JMP 000000007fff0250 .text C:\Windows\splwow64.exe[6892] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077350c30 5 bytes JMP 000000007fff03b0 .text C:\Windows\splwow64.exe[6892] 
C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077350c40 5 bytes JMP 000000007fff03c0 .text C:\Windows\splwow64.exe[6892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077350c70 1 byte JMP 000000007fff0300 .text C:\Windows\splwow64.exe[6892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair + 2 0000000077350c72 3 bytes {JMP 0x8c9f690} .text C:\Windows\splwow64.exe[6892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077350c80 5 bytes JMP 000000007fff0360 .text C:\Windows\splwow64.exe[6892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077350ce0 5 bytes JMP 000000007fff02a0 .text C:\Windows\splwow64.exe[6892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077350d30 1 byte JMP 000000007fff02c0 .text C:\Windows\splwow64.exe[6892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 2 0000000077350d32 3 bytes {JMP 0x8c9f590} .text C:\Windows\splwow64.exe[6892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077350d70 5 bytes JMP 000000007fff0340 .text C:\Windows\splwow64.exe[6892] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077351260 5 bytes JMP 000000007fff0260 .text C:\Windows\splwow64.exe[6892] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077351270 5 bytes JMP 000000007fff0270 .text C:\Windows\splwow64.exe[6892] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077351440 5 bytes JMP 000000007fff01f0 .text C:\Windows\splwow64.exe[6892] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077351450 5 bytes JMP 000000007fff0210 .text C:\Windows\splwow64.exe[6892] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773514c0 5 bytes JMP 000000007fff0200 .text C:\Windows\splwow64.exe[6892] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077351540 5 bytes JMP 000000007fff0220 .text C:\Windows\splwow64.exe[6892] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077351620 5 bytes JMP 000000007fff0280 .text C:\Windows\splwow64.exe[6892] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 
000000007713f1bd 1 byte [62] .text C:\Windows\splwow64.exe[6892] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd7a6e00 5 bytes JMP 000007ff7d7c1dac .text C:\Windows\splwow64.exe[6892] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd7a6f2c 5 bytes JMP 000007ff7d7c0ecc .text C:\Windows\splwow64.exe[6892] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd7a7220 5 bytes JMP 000007ff7d7c1284 .text C:\Windows\splwow64.exe[6892] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd7a739c 5 bytes JMP 000007ff7d7c163c .text C:\Windows\splwow64.exe[6892] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd7a7538 5 bytes JMP 000007ff7d7c19f4 .text C:\Windows\splwow64.exe[6892] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd7a75e8 5 bytes JMP 000007ff7d7c03a4 .text C:\Windows\splwow64.exe[6892] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd7a790c 5 bytes JMP 000007ff7d7c075c .text C:\Windows\splwow64.exe[6892] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefd7a7ab4 5 bytes JMP 000007ff7d7c0b14 .text C:\Program Files (x86)\Safari\Apple Application Support\WebKit2WebProcess.exe[2488] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000774ffa50 5 bytes JMP 00000001000c0600 .text C:\Program Files (x86)\Safari\Apple Application Support\WebKit2WebProcess.exe[2488] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000774ffae8 5 bytes JMP 00000001000c0804 .text C:\Program Files (x86)\Safari\Apple Application Support\WebKit2WebProcess.exe[2488] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000774fffc8 5 bytes JMP 00000001000c0a08 .text C:\Program Files (x86)\Safari\Apple Application Support\WebKit2WebProcess.exe[2488] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007751c096 5 bytes JMP 00000001000c01f8 .text C:\Program Files (x86)\Safari\Apple Application Support\WebKit2WebProcess.exe[2488] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077521087 5 bytes JMP 
00000001000c03fc .text C:\Program Files (x86)\Safari\Apple Application Support\WebKit2WebProcess.exe[2488] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000752cb0c5 1 byte [62] .text C:\Program Files (x86)\Safari\Apple Application Support\WebKit2WebProcess.exe[2488] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000753af0e6 5 bytes JMP 00000001000d01f8 .text C:\Program Files (x86)\Safari\Apple Application Support\WebKit2WebProcess.exe[2488] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000753b3907 5 bytes JMP 00000001000d03fc .text C:\Program Files (x86)\Safari\Apple Application Support\WebKit2WebProcess.exe[2488] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000753b8364 5 bytes JMP 00000001000d0600 .text C:\Program Files (x86)\Safari\Apple Application Support\WebKit2WebProcess.exe[2488] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000753c06b3 5 bytes JMP 00000001000d0804 .text C:\Program Files (x86)\Safari\Apple Application Support\WebKit2WebProcess.exe[2488] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000753d0efc 5 bytes JMP 00000001000d0a08 .text C:\Program Files (x86)\Safari\Apple Application Support\WebKit2WebProcess.exe[2488] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000765c5181 5 bytes JMP 00000001000e1014 .text C:\Program Files (x86)\Safari\Apple Application Support\WebKit2WebProcess.exe[2488] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000765c5254 5 bytes JMP 00000001000e0804 .text C:\Program Files (x86)\Safari\Apple Application Support\WebKit2WebProcess.exe[2488] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000765c53d5 5 bytes JMP 00000001000e0a08 .text C:\Program Files (x86)\Safari\Apple Application Support\WebKit2WebProcess.exe[2488] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000765c54c2 5 bytes JMP 00000001000e0c0c .text C:\Program Files (x86)\Safari\Apple Application Support\WebKit2WebProcess.exe[2488] 
C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000765c55e2 5 bytes JMP 00000001000e0e10 .text C:\Program Files (x86)\Safari\Apple Application Support\WebKit2WebProcess.exe[2488] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000765c567c 5 bytes JMP 00000001000e01f8 .text C:\Program Files (x86)\Safari\Apple Application Support\WebKit2WebProcess.exe[2488] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000765c589f 5 bytes JMP 00000001000e03fc .text C:\Program Files (x86)\Safari\Apple Application Support\WebKit2WebProcess.exe[2488] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000765c5a22 5 bytes JMP 00000001000e0600 .text C:\Program Files (x86)\Safari\Apple Application Support\WebKit2WebProcess.exe[2488] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075801401 2 bytes JMP 752beb26 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Safari\Apple Application Support\WebKit2WebProcess.exe[2488] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075801419 2 bytes JMP 752cb513 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Safari\Apple Application Support\WebKit2WebProcess.exe[2488] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075801431 2 bytes JMP 75348609 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Safari\Apple Application Support\WebKit2WebProcess.exe[2488] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007580144a 2 bytes CALL 752a1dfa C:\Windows\syswow64\kernel32.dll .text ... 
* 9 .text C:\Program Files (x86)\Safari\Apple Application Support\WebKit2WebProcess.exe[2488] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000758014dd 2 bytes JMP 75347efe C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Safari\Apple Application Support\WebKit2WebProcess.exe[2488] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000758014f5 2 bytes JMP 753480d8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Safari\Apple Application Support\WebKit2WebProcess.exe[2488] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007580150d 2 bytes JMP 75347df4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Safari\Apple Application Support\WebKit2WebProcess.exe[2488] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075801525 2 bytes JMP 753481c2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Safari\Apple Application Support\WebKit2WebProcess.exe[2488] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007580153d 2 bytes JMP 752bf088 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Safari\Apple Application Support\WebKit2WebProcess.exe[2488] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075801555 2 bytes JMP 752cb885 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Safari\Apple Application Support\WebKit2WebProcess.exe[2488] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007580156d 2 bytes JMP 753486c1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Safari\Apple Application Support\WebKit2WebProcess.exe[2488] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075801585 2 bytes JMP 75348222 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Safari\Apple Application Support\WebKit2WebProcess.exe[2488] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007580159d 2 bytes JMP 75347db8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Safari\Apple Application 
Support\WebKit2WebProcess.exe[2488] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000758015b5 2 bytes JMP 752bf121 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Safari\Apple Application Support\WebKit2WebProcess.exe[2488] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000758015cd 2 bytes JMP 752cb29f C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Safari\Apple Application Support\WebKit2WebProcess.exe[2488] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000758016b2 2 bytes JMP 75348584 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Safari\Apple Application Support\WebKit2WebProcess.exe[2488] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000758016bd 2 bytes JMP 75347d4d C:\Windows\syswow64\kernel32.dll .text C:\Users\Michał\Downloads\86wxnn2b.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000774ffa50 5 bytes JMP 00000001001c0600 .text C:\Users\Michał\Downloads\86wxnn2b.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000774ffae8 5 bytes JMP 00000001001c0804 .text C:\Users\Michał\Downloads\86wxnn2b.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000774fffc8 5 bytes JMP 00000001001c0a08 .text C:\Users\Michał\Downloads\86wxnn2b.exe[2408] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007751c096 5 bytes JMP 00000001001c01f8 .text C:\Users\Michał\Downloads\86wxnn2b.exe[2408] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077521087 5 bytes JMP 00000001001c03fc .text C:\Users\Michał\Downloads\86wxnn2b.exe[2408] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000752cb0c5 1 byte [62] .text C:\Users\Michał\Downloads\86wxnn2b.exe[2408] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000753af0e6 5 bytes JMP 00000001003e01f8 .text C:\Users\Michał\Downloads\86wxnn2b.exe[2408] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000753b3907 5 bytes JMP 00000001003e03fc .text 
C:\Users\Michał\Downloads\86wxnn2b.exe[2408] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000753b8364 5 bytes JMP 00000001003e0600 .text C:\Users\Michał\Downloads\86wxnn2b.exe[2408] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000753c06b3 5 bytes JMP 00000001003e0804 .text C:\Users\Michał\Downloads\86wxnn2b.exe[2408] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000753d0efc 3 bytes JMP 00000001003e0a08 .text C:\Users\Michał\Downloads\86wxnn2b.exe[2408] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx + 4 00000000753d0f00 1 byte [8B] ---- Modules - GMER 2.1 ---- Module \??\C:\Users\MICHA~1\AppData\Local\Temp\uglorfow.sys (GMER) fffff880079e0000-fffff880079f0000 (65536 bytes) ---- Threads - GMER 2.1 ---- Thread C:\Windows\system32\services.exe [688:796] 000007fefc6c94c4 Thread C:\Windows\system32\svchost.exe [816:864] 000007fefc56332c Thread C:\Windows\system32\svchost.exe [816:868] 000007fefc5610b0 Thread C:\Windows\System32\svchost.exe [1012:1076] 000007fefbb6f440 Thread C:\Windows\System32\svchost.exe [1012:1092] 000007fefbc66204 Thread C:\Windows\System32\svchost.exe [1012:1216] 000007fefaeb2070 Thread C:\Windows\System32\svchost.exe [1012:1236] 000007fefada5440 Thread C:\Windows\System32\svchost.exe [1012:2520] 000007fef0c56b8c Thread C:\Windows\System32\svchost.exe [1012:3836] 000007fef0c51d88 Thread C:\Windows\System32\svchost.exe [1012:232] 000007fefadeaae4 Thread C:\Windows\System32\svchost.exe [612:1324] 000007fefa8659a0 Thread C:\Windows\System32\svchost.exe [612:1492] 000007fefcd01a70 Thread C:\Windows\System32\svchost.exe [612:5904] 000007feef397750 Thread C:\Windows\System32\svchost.exe [612:5876] 000007feef6f88f8 Thread C:\Windows\system32\svchost.exe [656:2956] 000007fef45e67dc Thread C:\Windows\system32\svchost.exe [656:2980] 000007fef2e61a50 Thread C:\Windows\system32\svchost.exe [656:3652] 000007fefcd01a70 Thread C:\Windows\system32\svchost.exe [656:4572] 000007fefcd01a70 Thread C:\Windows\system32\svchost.exe [656:4576] 
000007feeea284d8 Thread C:\Windows\system32\svchost.exe [656:4724] 000007feee9e23a8 Thread C:\Windows\system32\svchost.exe [656:4768] 000007feeea80c20 Thread C:\Windows\system32\svchost.exe [656:4784] 000007feee6094a8 Thread C:\Windows\system32\svchost.exe [656:5624] 000007fef9a1506c Thread C:\Windows\system32\svchost.exe [656:5644] 000007feee1f1c20 Thread C:\Windows\system32\svchost.exe [656:2068] 000007feee1f1c20 Thread C:\Windows\system32\svchost.exe [656:6268] 000007fef6b11ab0 Thread C:\Windows\system32\svchost.exe [656:5196] 000007fef7a54164 Thread C:\Windows\system32\WLANExt.exe [1328:1440] 000000018000b674 Thread C:\Windows\system32\WLANExt.exe [1328:1444] 000000018000b690 Thread C:\Windows\system32\WLANExt.exe [1328:1448] 000000018000b658 Thread C:\Windows\system32\WLANExt.exe [1328:1452] 0000000180022170 Thread C:\Windows\system32\WLANExt.exe [1328:1456] 000007fefa522f9c Thread C:\Windows\System32\spoolsv.exe [2052:4868] 000007feede710c8 Thread C:\Windows\System32\spoolsv.exe [2052:4908] 000007feede36144 Thread C:\Windows\System32\spoolsv.exe [2052:4912] 000007feed9d5fd0 Thread C:\Windows\System32\spoolsv.exe [2052:4916] 000007feed9c3438 Thread C:\Windows\System32\spoolsv.exe [2052:4920] 000007feed9d63ec Thread C:\Windows\System32\spoolsv.exe [2052:4928] 000007feedf15e5c Thread C:\Windows\System32\spoolsv.exe [2052:4944] 000007feee214828 Thread C:\Windows\System32\spoolsv.exe [2052:5168] 000007feee281efc Thread C:\Windows\system32\taskhost.exe [2136:3108] 000007fef2a52740 Thread C:\Windows\system32\taskhost.exe [2136:3116] 000007fef2a41f38 Thread C:\Windows\system32\taskhost.exe [2136:3192] 000007fefb281010 Thread C:\Windows\system32\svchost.exe [2344:680] 000007fef2c73060 Thread C:\Windows\system32\svchost.exe [2344:5304] 000007fef2c75570 Thread C:\Windows\system32\svchost.exe [2344:5452] 000007fef0712888 Thread C:\Windows\system32\svchost.exe [2344:5676] 000007fef0702940 Thread C:\Windows\system32\svchost.exe [2344:5460] 000007fef0712a40 Thread 
C:\Windows\SysWOW64\ntdll.dll [3924:3928] 000000000043c360 Thread C:\Windows\system32\svchost.exe [5428:5536] 000007fef0658470 Thread C:\Windows\system32\svchost.exe [5428:5540] 000007fef0662418 Thread C:\Windows\system32\svchost.exe [5428:5656] 000007fef062f130 Thread C:\Windows\system32\svchost.exe [5428:6084] 000007fef0624734 Thread C:\Windows\system32\svchost.exe [5428:6276] 000007fef0624734 Thread C:\Windows\System32\svchost.exe [5768:4872] 000007feec2eac4c Thread C:\Windows\System32\svchost.exe [5768:6244] 000007fef0cd9688 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch@Epoch 25438 ---- EOF - GMER 2.1 ----