GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-09-05 12:43:00 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD50 rev.01.0 465,76GB Running: gmer.exe; Driver: C:\Users\Marcin\AppData\Local\Temp\awrdrpoc.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff80003da8000 64 bytes [00, 00, 1C, 00, 46, 69, 6C, ...] INITKDBG C:\windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 594 fffff80003da8042 4 bytes [00, 00, 00, 00] .text C:\windows\system32\drivers\USBPORT.SYS!DllUnload fffff880031b2d8c 12 bytes {MOV RAX, 0xfffffa8005c8e2a0; JMP RAX} ---- User code sections - GMER 2.1 ---- .text C:\windows\system32\lsm.exe[600] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000779d1780 5 bytes JMP 0000000100191018 .text C:\windows\system32\lsm.exe[600] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000779d1cd0 5 bytes JMP 0000000100190018 .text C:\windows\system32\lsm.exe[600] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000779d1d80 5 bytes JMP 0000000100192018 .text C:\windows\system32\lsm.exe[600] C:\windows\system32\kernel32.dll!OpenMutexA 0000000077862ce0 5 bytes JMP 0000000100193018 .text C:\windows\system32\lsm.exe[600] C:\windows\system32\kernel32.dll!CopyFileExW 00000000778723d0 5 bytes JMP 0000000100194018 .text C:\windows\system32\lsm.exe[600] C:\windows\system32\kernel32.dll!CreateDirectoryExW 00000000778e9150 5 bytes JMP 0000000100195018 .text C:\windows\system32\lsm.exe[600] C:\windows\system32\KERNELBASE.dll!GetFileSize 000007fefda55140 5 bytes JMP 000007ff7f639018 .text C:\windows\system32\lsm.exe[600] C:\windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefda58100 5 bytes JMP 000007ff7f638018 .text C:\windows\system32\lsm.exe[600] C:\windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefda59420 5 bytes JMP 000007ff7f636018 .text C:\windows\system32\lsm.exe[600] C:\windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefda59d80 5 bytes JMP 000007ff7f63c018 .text C:\windows\system32\lsm.exe[600] C:\windows\system32\KERNELBASE.dll!TerminateThread 000007fefda5c450 5 bytes JMP 000007ff7f63d018 .text C:\windows\system32\lsm.exe[600] C:\windows\system32\KERNELBASE.dll!OpenMutexW 000007fefda62af0 5 bytes JMP 000007ff7f637018 .text C:\windows\system32\lsm.exe[600] C:\windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefda65470 5 bytes JMP 000007ff7f63a018 .text C:\windows\system32\lsm.exe[600] C:\windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefda84350 5 bytes JMP 000007ff7f63b018 .text C:\windows\system32\svchost.exe[704] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000779d1780 5 bytes JMP 0000000100481018 .text C:\windows\system32\svchost.exe[704] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000779d1cd0 5 bytes JMP 0000000100480018 .text C:\windows\system32\svchost.exe[704] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000779d1d80 5 bytes JMP 0000000100482018 .text C:\windows\system32\svchost.exe[704] C:\windows\system32\kernel32.dll!OpenMutexA 0000000077862ce0 5 bytes JMP 0000000100485018 .text C:\windows\system32\svchost.exe[704] C:\windows\system32\kernel32.dll!CopyFileExW 00000000778723d0 5 bytes JMP 0000000100486018 .text C:\windows\system32\svchost.exe[704] C:\windows\system32\kernel32.dll!CreateDirectoryExW 00000000778e9150 5 bytes JMP 0000000100487018 .text C:\windows\system32\svchost.exe[704] C:\windows\system32\KERNELBASE.dll!GetFileSize 000007fefda55140 5 bytes JMP 000007ff7f639018 .text C:\windows\system32\svchost.exe[704] C:\windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefda58100 5 bytes JMP 000007ff7f638018 .text C:\windows\system32\svchost.exe[704] C:\windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefda59420 5 bytes JMP 000007ff7f636018 .text C:\windows\system32\svchost.exe[704] C:\windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefda59d80 5 bytes JMP 000007ff7f63c018 .text C:\windows\system32\svchost.exe[704] C:\windows\system32\KERNELBASE.dll!TerminateThread 000007fefda5c450 5 bytes JMP 000007ff7f63d018 .text C:\windows\system32\svchost.exe[704] C:\windows\system32\KERNELBASE.dll!OpenMutexW 000007fefda62af0 5 bytes JMP 000007ff7f637018 .text C:\windows\system32\svchost.exe[704] C:\windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefda65470 5 bytes JMP 000007ff7f63a018 .text C:\windows\system32\svchost.exe[704] C:\windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefda84350 5 bytes JMP 000007ff7f63b018 .text C:\windows\system32\svchost.exe[704] C:\windows\SYSTEM32\sechost.dll!ControlService 000007feff62642c 5 bytes JMP 000007ff7f632018 .text C:\windows\system32\svchost.exe[704] C:\windows\SYSTEM32\sechost.dll!OpenServiceW 000007feff626484 5 bytes JMP 000007ff7f631018 .text C:\windows\system32\svchost.exe[704] C:\windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007feff626518 5 bytes JMP 000007ff7f633018 .text C:\windows\system32\svchost.exe[704] C:\windows\SYSTEM32\sechost.dll!OpenServiceA 000007feff626c34 5 bytes JMP 000007ff7f630018 .text C:\windows\system32\svchost.exe[704] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff6275e8 5 bytes JMP 000007ff7f635018 .text C:\windows\system32\svchost.exe[704] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff62790c 5 bytes JMP 000007ff7f634018 .text C:\windows\system32\winlogon.exe[772] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000779d1780 5 bytes JMP 00000001000d1018 .text C:\windows\system32\winlogon.exe[772] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000779d1cd0 5 bytes JMP 00000001000d0018 .text C:\windows\system32\winlogon.exe[772] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000779d1d80 5 bytes JMP 00000001000d2018 .text C:\windows\system32\winlogon.exe[772] C:\windows\system32\kernel32.dll!OpenMutexA 0000000077862ce0 5 bytes JMP 00000001000d5018 .text C:\windows\system32\winlogon.exe[772] C:\windows\system32\kernel32.dll!CopyFileExW 00000000778723d0 5 bytes JMP 00000001000d6018 .text C:\windows\system32\winlogon.exe[772] C:\windows\system32\kernel32.dll!CreateDirectoryExW 00000000778e9150 5 bytes JMP 00000001000d7018 .text C:\windows\system32\winlogon.exe[772] C:\windows\system32\KERNELBASE.dll!GetFileSize 000007fefda55140 5 bytes JMP 000007ff7f639018 .text C:\windows\system32\winlogon.exe[772] C:\windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefda58100 5 bytes JMP 000007ff7f638018 .text C:\windows\system32\winlogon.exe[772] C:\windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefda59420 5 bytes JMP 000007ff7f636018 .text C:\windows\system32\winlogon.exe[772] C:\windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefda59d80 5 bytes JMP 000007ff7f63c018 .text C:\windows\system32\winlogon.exe[772] C:\windows\system32\KERNELBASE.dll!TerminateThread 000007fefda5c450 5 bytes JMP 000007ff7f63d018 .text C:\windows\system32\winlogon.exe[772] C:\windows\system32\KERNELBASE.dll!OpenMutexW 000007fefda62af0 5 bytes JMP 000007ff7f637018 .text C:\windows\system32\winlogon.exe[772] C:\windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefda65470 5 bytes JMP 000007ff7f63a018 .text C:\windows\system32\winlogon.exe[772] C:\windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefda84350 5 bytes JMP 000007ff7f63b018 .text C:\windows\system32\winlogon.exe[772] C:\windows\system32\USER32.dll!SetWindowsHookExW 000000007776f874 5 bytes JMP 00000001000d4018 .text C:\windows\system32\winlogon.exe[772] C:\windows\system32\USER32.dll!SetWindowsHookExA 0000000077788c20 5 bytes JMP 00000001000d3018 .text C:\windows\system32\winlogon.exe[772] C:\windows\SYSTEM32\sechost.dll!ControlService 000007feff62642c 5 bytes JMP 000007ff7f632018 .text C:\windows\system32\winlogon.exe[772] C:\windows\SYSTEM32\sechost.dll!OpenServiceW 000007feff626484 5 bytes JMP 000007ff7f631018 .text C:\windows\system32\winlogon.exe[772] C:\windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007feff626518 5 bytes JMP 000007ff7f633018 .text C:\windows\system32\winlogon.exe[772] C:\windows\SYSTEM32\sechost.dll!OpenServiceA 000007feff626c34 5 bytes JMP 000007ff7f630018 .text C:\windows\system32\winlogon.exe[772] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff6275e8 5 bytes JMP 000007ff7f635018 .text C:\windows\system32\winlogon.exe[772] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff62790c 5 bytes JMP 000007ff7f634018 .text C:\windows\system32\nvvsvc.exe[816] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000779d1780 5 bytes JMP 0000000100131018 .text C:\windows\system32\nvvsvc.exe[816] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000779d1cd0 5 bytes JMP 0000000100130018 .text C:\windows\system32\nvvsvc.exe[816] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000779d1d80 5 bytes JMP 0000000100132018 .text C:\windows\system32\nvvsvc.exe[816] C:\windows\system32\kernel32.dll!OpenMutexA 0000000077862ce0 5 bytes JMP 0000000100135018 .text C:\windows\system32\nvvsvc.exe[816] C:\windows\system32\kernel32.dll!CopyFileExW 00000000778723d0 5 bytes JMP 0000000100136018 .text C:\windows\system32\nvvsvc.exe[816] C:\windows\system32\kernel32.dll!CreateDirectoryExW 00000000778e9150 5 bytes JMP 0000000100137018 .text C:\windows\system32\nvvsvc.exe[816] C:\windows\system32\KERNELBASE.dll!GetFileSize 000007fefda55140 5 bytes JMP 000007ff7f639018 .text C:\windows\system32\nvvsvc.exe[816] C:\windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefda58100 5 bytes JMP 000007ff7f638018 .text C:\windows\system32\nvvsvc.exe[816] C:\windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefda59420 5 bytes JMP 000007ff7f636018 .text C:\windows\system32\nvvsvc.exe[816] C:\windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefda59d80 5 bytes JMP 000007ff7f63c018 .text C:\windows\system32\nvvsvc.exe[816] C:\windows\system32\KERNELBASE.dll!TerminateThread 000007fefda5c450 5 bytes JMP 000007ff7f63d018 .text C:\windows\system32\nvvsvc.exe[816] C:\windows\system32\KERNELBASE.dll!OpenMutexW 000007fefda62af0 5 bytes JMP 000007ff7f637018 .text C:\windows\system32\nvvsvc.exe[816] C:\windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefda65470 5 bytes JMP 000007ff7f63a018 .text C:\windows\system32\nvvsvc.exe[816] C:\windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefda84350 5 bytes JMP 000007ff7f63b018 .text C:\windows\system32\nvvsvc.exe[816] C:\windows\SYSTEM32\sechost.dll!ControlService 000007feff62642c 5 bytes JMP 000007ff7f632018 .text C:\windows\system32\nvvsvc.exe[816] C:\windows\SYSTEM32\sechost.dll!OpenServiceW 000007feff626484 5 bytes JMP 000007ff7f631018 .text C:\windows\system32\nvvsvc.exe[816] C:\windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007feff626518 5 bytes JMP 000007ff7f633018 .text C:\windows\system32\nvvsvc.exe[816] C:\windows\SYSTEM32\sechost.dll!OpenServiceA 000007feff626c34 5 bytes JMP 000007ff7f630018 .text C:\windows\system32\nvvsvc.exe[816] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff6275e8 5 bytes JMP 000007ff7f635018 .text C:\windows\system32\nvvsvc.exe[816] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff62790c 5 bytes JMP 000007ff7f634018 .text C:\windows\system32\svchost.exe[856] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000779d1780 5 bytes JMP 0000000100461018 .text C:\windows\system32\svchost.exe[856] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000779d1cd0 5 bytes JMP 0000000100460018 .text C:\windows\system32\svchost.exe[856] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000779d1d80 5 bytes JMP 0000000100462018 .text C:\windows\system32\svchost.exe[856] C:\windows\system32\kernel32.dll!OpenMutexA 0000000077862ce0 5 bytes JMP 0000000100465018 .text C:\windows\system32\svchost.exe[856] C:\windows\system32\kernel32.dll!CopyFileExW 00000000778723d0 5 bytes JMP 0000000100466018 .text C:\windows\system32\svchost.exe[856] C:\windows\system32\kernel32.dll!CreateDirectoryExW 00000000778e9150 5 bytes JMP 0000000100467018 .text C:\windows\system32\svchost.exe[856] C:\windows\system32\KERNELBASE.dll!GetFileSize 000007fefda55140 5 bytes JMP 000007ff7f639018 .text C:\windows\system32\svchost.exe[856] C:\windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefda58100 5 bytes JMP 000007ff7f638018 .text C:\windows\system32\svchost.exe[856] C:\windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefda59420 5 bytes JMP 000007ff7f636018 .text C:\windows\system32\svchost.exe[856] C:\windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefda59d80 5 bytes JMP 000007ff7f63c018 .text C:\windows\system32\svchost.exe[856] C:\windows\system32\KERNELBASE.dll!TerminateThread 000007fefda5c450 5 bytes JMP 000007ff7f63d018 .text C:\windows\system32\svchost.exe[856] C:\windows\system32\KERNELBASE.dll!OpenMutexW 000007fefda62af0 5 bytes JMP 000007ff7f637018 .text C:\windows\system32\svchost.exe[856] C:\windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefda65470 5 bytes JMP 000007ff7f63a018 .text C:\windows\system32\svchost.exe[856] C:\windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefda84350 5 bytes JMP 000007ff7f63b018 .text C:\windows\system32\svchost.exe[856] C:\windows\SYSTEM32\sechost.dll!ControlService 000007feff62642c 5 bytes JMP 000007ff7f632018 .text C:\windows\system32\svchost.exe[856] C:\windows\SYSTEM32\sechost.dll!OpenServiceW 000007feff626484 5 bytes JMP 000007ff7f631018 .text C:\windows\system32\svchost.exe[856] C:\windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007feff626518 5 bytes JMP 000007ff7f633018 .text C:\windows\system32\svchost.exe[856] C:\windows\SYSTEM32\sechost.dll!OpenServiceA 000007feff626c34 5 bytes JMP 000007ff7f630018 .text C:\windows\system32\svchost.exe[856] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff6275e8 5 bytes JMP 000007ff7f635018 .text C:\windows\system32\svchost.exe[856] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff62790c 5 bytes JMP 000007ff7f634018 .text C:\windows\System32\svchost.exe[904] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000779d1780 5 bytes JMP 0000000100cd1018 .text C:\windows\System32\svchost.exe[904] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000779d1cd0 5 bytes JMP 0000000100cd0018 .text C:\windows\System32\svchost.exe[904] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000779d1d80 5 bytes JMP 0000000100cd2018 .text C:\windows\System32\svchost.exe[904] C:\windows\system32\kernel32.dll!OpenMutexA 0000000077862ce0 5 bytes JMP 0000000100cd5018 .text C:\windows\System32\svchost.exe[904] C:\windows\system32\kernel32.dll!CopyFileExW 00000000778723d0 5 bytes JMP 0000000100cd6018 .text C:\windows\System32\svchost.exe[904] C:\windows\system32\kernel32.dll!CreateDirectoryExW 00000000778e9150 4 bytes JMP 0000000100cd7018 .text C:\windows\System32\svchost.exe[904] C:\windows\system32\KERNELBASE.dll!GetFileSize 000007fefda55140 5 bytes JMP 000007ff7f639018 .text C:\windows\System32\svchost.exe[904] C:\windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefda58100 5 bytes JMP 000007ff7f638018 .text C:\windows\System32\svchost.exe[904] C:\windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefda59420 5 bytes JMP 000007ff7f636018 .text C:\windows\System32\svchost.exe[904] C:\windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefda59d80 5 bytes JMP 000007ff7f63c018 .text C:\windows\System32\svchost.exe[904] C:\windows\system32\KERNELBASE.dll!TerminateThread 000007fefda5c450 5 bytes JMP 000007ff7f63d018 .text C:\windows\System32\svchost.exe[904] C:\windows\system32\KERNELBASE.dll!OpenMutexW 000007fefda62af0 5 bytes JMP 000007ff7f637018 .text C:\windows\System32\svchost.exe[904] C:\windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefda65470 5 bytes JMP 000007ff7f63a018 .text C:\windows\System32\svchost.exe[904] C:\windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefda84350 5 bytes JMP 000007ff7f63b018 .text C:\windows\System32\svchost.exe[904] C:\windows\SYSTEM32\sechost.dll!ControlService 000007feff62642c 5 bytes JMP 000007ff7f632018 .text C:\windows\System32\svchost.exe[904] C:\windows\SYSTEM32\sechost.dll!OpenServiceW 000007feff626484 5 bytes JMP 000007ff7f631018 .text C:\windows\System32\svchost.exe[904] C:\windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007feff626518 5 bytes JMP 000007ff7f633018 .text C:\windows\System32\svchost.exe[904] C:\windows\SYSTEM32\sechost.dll!OpenServiceA 000007feff626c34 5 bytes JMP 000007ff7f630018 .text C:\windows\System32\svchost.exe[904] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff6275e8 5 bytes JMP 000007ff7f635018 .text C:\windows\System32\svchost.exe[904] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff62790c 5 bytes JMP 000007ff7f634018 .text C:\windows\System32\svchost.exe[968] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000779d1780 5 bytes JMP 0000000100f11018 .text C:\windows\System32\svchost.exe[968] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000779d1cd0 5 bytes JMP 0000000100f10018 .text C:\windows\System32\svchost.exe[968] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000779d1d80 5 bytes JMP 0000000100f12018 .text C:\windows\System32\svchost.exe[968] C:\windows\system32\kernel32.dll!OpenMutexA 0000000077862ce0 5 bytes JMP 0000000100f15018 .text C:\windows\System32\svchost.exe[968] C:\windows\system32\kernel32.dll!CopyFileExW 00000000778723d0 5 bytes JMP 0000000100f16018 .text C:\windows\System32\svchost.exe[968] C:\windows\system32\kernel32.dll!CreateDirectoryExW 00000000778e9150 4 bytes JMP 0000000100f17018 .text C:\windows\System32\svchost.exe[968] C:\windows\system32\KERNELBASE.dll!GetFileSize 000007fefda55140 5 bytes JMP 000007ff7f639018 .text C:\windows\System32\svchost.exe[968] C:\windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefda58100 5 bytes JMP 000007ff7f638018 .text C:\windows\System32\svchost.exe[968] C:\windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefda59420 5 bytes JMP 000007ff7f636018 .text C:\windows\System32\svchost.exe[968] C:\windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefda59d80 5 bytes JMP 000007ff7f63c018 .text C:\windows\System32\svchost.exe[968] C:\windows\system32\KERNELBASE.dll!TerminateThread 000007fefda5c450 5 bytes JMP 000007ff7f63d018 .text C:\windows\System32\svchost.exe[968] C:\windows\system32\KERNELBASE.dll!OpenMutexW 000007fefda62af0 5 bytes JMP 000007ff7f637018 .text C:\windows\System32\svchost.exe[968] C:\windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefda65470 5 bytes JMP 000007ff7f63a018 .text C:\windows\System32\svchost.exe[968] C:\windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefda84350 5 bytes JMP 000007ff7f63b018 .text C:\windows\System32\svchost.exe[968] C:\windows\SYSTEM32\sechost.dll!ControlService 000007feff62642c 5 bytes JMP 000007ff7f632018 .text C:\windows\System32\svchost.exe[968] C:\windows\SYSTEM32\sechost.dll!OpenServiceW 000007feff626484 5 bytes JMP 000007ff7f631018 .text C:\windows\System32\svchost.exe[968] C:\windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007feff626518 5 bytes JMP 000007ff7f633018 .text C:\windows\System32\svchost.exe[968] C:\windows\SYSTEM32\sechost.dll!OpenServiceA 000007feff626c34 5 bytes JMP 000007ff7f630018 .text C:\windows\System32\svchost.exe[968] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff6275e8 5 bytes JMP 000007ff7f635018 .text C:\windows\System32\svchost.exe[968] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff62790c 5 bytes JMP 000007ff7f634018 .text C:\windows\system32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000779d1780 5 bytes JMP 00000001005c1018 .text C:\windows\system32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000779d1cd0 5 bytes JMP 00000001005c0018 .text C:\windows\system32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000779d1d80 5 bytes JMP 00000001005c2018 .text C:\windows\system32\svchost.exe[1008] C:\windows\system32\kernel32.dll!OpenMutexA 0000000077862ce0 5 bytes JMP 00000001005c5018 .text C:\windows\system32\svchost.exe[1008] C:\windows\system32\kernel32.dll!CopyFileExW 00000000778723d0 5 bytes JMP 00000001005c6018 .text C:\windows\system32\svchost.exe[1008] C:\windows\system32\kernel32.dll!CreateDirectoryExW 00000000778e9150 5 bytes JMP 00000001005c7018 .text C:\windows\system32\svchost.exe[1008] C:\windows\system32\KERNELBASE.dll!GetFileSize 000007fefda55140 5 bytes JMP 000007ff7f639018 .text C:\windows\system32\svchost.exe[1008] C:\windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefda58100 5 bytes JMP 000007ff7f638018 .text C:\windows\system32\svchost.exe[1008] C:\windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefda59420 5 bytes JMP 000007ff7f636018 .text C:\windows\system32\svchost.exe[1008] C:\windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefda59d80 5 bytes JMP 000007ff7f63c018 .text C:\windows\system32\svchost.exe[1008] C:\windows\system32\KERNELBASE.dll!TerminateThread 000007fefda5c450 5 bytes JMP 000007ff7f63d018 .text C:\windows\system32\svchost.exe[1008] C:\windows\system32\KERNELBASE.dll!OpenMutexW 000007fefda62af0 5 bytes JMP 000007ff7f637018 .text C:\windows\system32\svchost.exe[1008] C:\windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefda65470 5 bytes JMP 000007ff7f63a018 .text C:\windows\system32\svchost.exe[1008] C:\windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefda84350 5 bytes JMP 000007ff7f63b018 .text C:\windows\system32\svchost.exe[1008] C:\windows\SYSTEM32\sechost.dll!ControlService 000007feff62642c 5 bytes JMP 000007ff7f632018 .text C:\windows\system32\svchost.exe[1008] C:\windows\SYSTEM32\sechost.dll!OpenServiceW 000007feff626484 5 bytes JMP 000007ff7f631018 .text C:\windows\system32\svchost.exe[1008] C:\windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007feff626518 5 bytes JMP 000007ff7f633018 .text C:\windows\system32\svchost.exe[1008] C:\windows\SYSTEM32\sechost.dll!OpenServiceA 000007feff626c34 5 bytes JMP 000007ff7f630018 .text C:\windows\system32\svchost.exe[1008] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff6275e8 5 bytes JMP 000007ff7f635018 .text C:\windows\system32\svchost.exe[1008] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff62790c 5 bytes JMP 000007ff7f634018 .text C:\windows\system32\svchost.exe[128] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000779d1780 5 bytes JMP 00000001012c1018 .text C:\windows\system32\svchost.exe[128] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000779d1cd0 5 bytes JMP 00000001012c0018 .text C:\windows\system32\svchost.exe[128] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000779d1d80 5 bytes JMP 00000001012c2018 .text C:\windows\system32\svchost.exe[128] C:\windows\system32\kernel32.dll!OpenMutexA 0000000077862ce0 5 bytes JMP 00000001012c5018 .text C:\windows\system32\svchost.exe[128] C:\windows\system32\kernel32.dll!CopyFileExW 00000000778723d0 5 bytes JMP 00000001012c6018 .text C:\windows\system32\svchost.exe[128] C:\windows\system32\kernel32.dll!CreateDirectoryExW 00000000778e9150 4 bytes JMP 00000001012c7018 .text C:\windows\system32\svchost.exe[128] C:\windows\system32\KERNELBASE.dll!GetFileSize 000007fefda55140 5 bytes JMP 000007ff7f639018 .text C:\windows\system32\svchost.exe[128] C:\windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefda58100 5 bytes JMP 000007ff7f638018 .text C:\windows\system32\svchost.exe[128] C:\windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefda59420 5 bytes JMP 000007ff7f636018 .text C:\windows\system32\svchost.exe[128] C:\windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefda59d80 5 bytes JMP 000007ff7f63c018 .text C:\windows\system32\svchost.exe[128] C:\windows\system32\KERNELBASE.dll!TerminateThread 000007fefda5c450 5 bytes JMP 000007ff7f63d018 .text C:\windows\system32\svchost.exe[128] C:\windows\system32\KERNELBASE.dll!OpenMutexW 000007fefda62af0 5 bytes JMP 000007ff7f637018 .text C:\windows\system32\svchost.exe[128] C:\windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefda65470 5 bytes JMP 000007ff7f63a018 .text C:\windows\system32\svchost.exe[128] C:\windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefda84350 5 bytes JMP 000007ff7f63b018 .text C:\windows\system32\svchost.exe[128] C:\windows\SYSTEM32\sechost.dll!ControlService 000007feff62642c 5 bytes JMP 000007ff7f632018 .text C:\windows\system32\svchost.exe[128] C:\windows\SYSTEM32\sechost.dll!OpenServiceW 000007feff626484 5 bytes JMP 000007ff7f631018 .text C:\windows\system32\svchost.exe[128] C:\windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007feff626518 5 bytes JMP 000007ff7f633018 .text C:\windows\system32\svchost.exe[128] C:\windows\SYSTEM32\sechost.dll!OpenServiceA 000007feff626c34 5 bytes JMP 000007ff7f630018 .text C:\windows\system32\svchost.exe[128] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff6275e8 5 bytes JMP 000007ff7f635018 .text C:\windows\system32\svchost.exe[128] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff62790c 5 bytes JMP 000007ff7f634018 .text C:\windows\system32\svchost.exe[408] C:\windows\system32\kernel32.dll!OpenMutexA 0000000077862ce0 5 bytes JMP 0000000100105018 .text C:\windows\system32\svchost.exe[408] C:\windows\system32\kernel32.dll!CopyFileExW 00000000778723d0 5 bytes JMP 0000000100106018 .text C:\windows\system32\svchost.exe[408] C:\windows\system32\kernel32.dll!CreateDirectoryExW 00000000778e9150 5 bytes JMP 0000000100107018 .text C:\windows\system32\svchost.exe[408] C:\windows\system32\KERNELBASE.dll!GetFileSize 000007fefda55140 5 bytes JMP 000007ff7f639018 .text C:\windows\system32\svchost.exe[408] C:\windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefda58100 5 bytes JMP 000007ff7f638018 .text C:\windows\system32\svchost.exe[408] C:\windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefda59420 5 bytes JMP 000007ff7f636018 .text C:\windows\system32\svchost.exe[408] C:\windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefda59d80 5 bytes JMP 000007ff7f63c018 .text C:\windows\system32\svchost.exe[408] C:\windows\system32\KERNELBASE.dll!TerminateThread 000007fefda5c450 5 bytes JMP 000007ff7f63d018 .text C:\windows\system32\svchost.exe[408] C:\windows\system32\KERNELBASE.dll!OpenMutexW 000007fefda62af0 5 bytes JMP 000007ff7f637018 .text C:\windows\system32\svchost.exe[408] C:\windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefda65470 5 bytes JMP 000007ff7f63a018 .text C:\windows\system32\svchost.exe[408] C:\windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefda84350 5 bytes JMP 000007ff7f63b018 .text C:\windows\system32\svchost.exe[408] C:\windows\SYSTEM32\sechost.dll!ControlService 000007feff62642c 5 bytes JMP 000007ff7f632018 .text C:\windows\system32\svchost.exe[408] C:\windows\SYSTEM32\sechost.dll!OpenServiceW 000007feff626484 5 bytes JMP 000007ff7f631018 .text C:\windows\system32\svchost.exe[408] C:\windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007feff626518 5 bytes JMP 000007ff7f633018 .text C:\windows\system32\svchost.exe[408] C:\windows\SYSTEM32\sechost.dll!OpenServiceA 000007feff626c34 5 bytes JMP 000007ff7f630018 .text C:\windows\system32\svchost.exe[408] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff6275e8 5 bytes JMP 000007ff7f635018 .text C:\windows\system32\svchost.exe[408] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff62790c 5 bytes JMP 000007ff7f634018 .text C:\windows\system32\svchost.exe[1068] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000779d1780 5 bytes JMP 0000000101c71018 .text C:\windows\system32\svchost.exe[1068] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000779d1cd0 5 bytes JMP 0000000101c70018 .text C:\windows\system32\svchost.exe[1068] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000779d1d80 5 bytes JMP 0000000101c72018 .text C:\windows\system32\svchost.exe[1068] C:\windows\system32\kernel32.dll!OpenMutexA 0000000077862ce0 5 bytes JMP 0000000101c75018 .text C:\windows\system32\svchost.exe[1068] C:\windows\system32\kernel32.dll!CopyFileExW 00000000778723d0 5 bytes JMP 0000000101c76018 .text C:\windows\system32\svchost.exe[1068] C:\windows\system32\kernel32.dll!CreateDirectoryExW 00000000778e9150 5 bytes JMP 0000000101c77018 .text C:\windows\system32\svchost.exe[1068] C:\windows\system32\KERNELBASE.dll!GetFileSize 000007fefda55140 5 bytes JMP 000007ff7f639018 .text C:\windows\system32\svchost.exe[1068] C:\windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefda58100 5 bytes JMP 000007ff7f638018 .text C:\windows\system32\svchost.exe[1068] C:\windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefda59420 5 bytes JMP 000007ff7f636018 .text C:\windows\system32\svchost.exe[1068] C:\windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefda59d80 5 bytes JMP 000007ff7f63c018 .text C:\windows\system32\svchost.exe[1068] C:\windows\system32\KERNELBASE.dll!TerminateThread 000007fefda5c450 5 bytes JMP 000007ff7f63d018 .text C:\windows\system32\svchost.exe[1068] C:\windows\system32\KERNELBASE.dll!OpenMutexW 000007fefda62af0 5 bytes JMP 000007ff7f637018 .text C:\windows\system32\svchost.exe[1068] C:\windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefda65470 5 bytes JMP 000007ff7f63a018 .text C:\windows\system32\svchost.exe[1068] C:\windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefda84350 5 bytes JMP 000007ff7f63b018 .text C:\windows\system32\svchost.exe[1068] C:\windows\SYSTEM32\sechost.dll!ControlService 000007feff62642c 5 bytes JMP 000007ff7f632018 .text C:\windows\system32\svchost.exe[1068] C:\windows\SYSTEM32\sechost.dll!OpenServiceW 000007feff626484 5 bytes JMP 000007ff7f631018 .text C:\windows\system32\svchost.exe[1068] C:\windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007feff626518 5 bytes JMP 000007ff7f633018 .text C:\windows\system32\svchost.exe[1068] C:\windows\SYSTEM32\sechost.dll!OpenServiceA 000007feff626c34 5 bytes JMP 000007ff7f630018 .text C:\windows\system32\svchost.exe[1068] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff6275e8 5 bytes JMP 000007ff7f635018 .text C:\windows\system32\svchost.exe[1068] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff62790c 5 bytes JMP 000007ff7f634018 .text C:\windows\system32\WLANExt.exe[1192] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000779d1780 5 bytes JMP 0000000100141018 .text C:\windows\system32\WLANExt.exe[1192] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000779d1cd0 5 bytes JMP 0000000100140018 .text C:\windows\system32\WLANExt.exe[1192] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000779d1d80 5 bytes JMP 0000000100142018 .text C:\windows\system32\WLANExt.exe[1192] C:\windows\system32\kernel32.dll!OpenMutexA 0000000077862ce0 5 bytes JMP 0000000100145018 .text C:\windows\system32\WLANExt.exe[1192] C:\windows\system32\kernel32.dll!CopyFileExW 00000000778723d0 5 bytes JMP 0000000100146018 .text C:\windows\system32\WLANExt.exe[1192] C:\windows\system32\kernel32.dll!CreateDirectoryExW 00000000778e9150 5 bytes JMP 0000000100147018 .text C:\windows\system32\WLANExt.exe[1192] C:\windows\system32\KERNELBASE.dll!GetFileSize 000007fefda55140 5 bytes JMP 000007ff7f639018 .text C:\windows\system32\WLANExt.exe[1192] C:\windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefda58100 5 bytes JMP 000007ff7f638018 .text C:\windows\system32\WLANExt.exe[1192] C:\windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefda59420 5 bytes JMP 000007ff7f636018 .text C:\windows\system32\WLANExt.exe[1192] C:\windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefda59d80 5 bytes JMP 000007ff7f63c018 .text C:\windows\system32\WLANExt.exe[1192] C:\windows\system32\KERNELBASE.dll!TerminateThread 000007fefda5c450 5 bytes JMP 000007ff7f63d018 .text C:\windows\system32\WLANExt.exe[1192] C:\windows\system32\KERNELBASE.dll!OpenMutexW 000007fefda62af0 5 bytes JMP 000007ff7f637018 .text C:\windows\system32\WLANExt.exe[1192] C:\windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefda65470 5 bytes JMP 000007ff7f63a018 .text C:\windows\system32\WLANExt.exe[1192] C:\windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefda84350 5 bytes JMP 000007ff7f63b018 .text C:\windows\system32\svchost.exe[1336] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000779d1780 5 bytes JMP 0000000100c41018 .text C:\windows\system32\svchost.exe[1336] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000779d1cd0 5 bytes JMP 0000000100c40018 .text C:\windows\system32\svchost.exe[1336] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000779d1d80 5 bytes JMP 0000000100c42018 .text C:\windows\system32\svchost.exe[1336] C:\windows\system32\kernel32.dll!OpenMutexA 0000000077862ce0 5 bytes JMP 0000000100c45018 .text C:\windows\system32\svchost.exe[1336] C:\windows\system32\kernel32.dll!CopyFileExW 00000000778723d0 5 bytes JMP 0000000100c46018 .text C:\windows\system32\svchost.exe[1336] C:\windows\system32\kernel32.dll!CreateDirectoryExW 00000000778e9150 4 bytes JMP 0000000100c47018 .text C:\windows\system32\svchost.exe[1336] C:\windows\system32\KERNELBASE.dll!GetFileSize 000007fefda55140 5 bytes JMP 000007ff7f639018 .text C:\windows\system32\svchost.exe[1336] C:\windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefda58100 5 bytes JMP 000007ff7f638018 .text C:\windows\system32\svchost.exe[1336] C:\windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefda59420 5 bytes JMP 000007ff7f636018 .text C:\windows\system32\svchost.exe[1336] C:\windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefda59d80 5 bytes JMP 000007ff7f63c018 .text C:\windows\system32\svchost.exe[1336] C:\windows\system32\KERNELBASE.dll!TerminateThread 000007fefda5c450 5 bytes JMP 000007ff7f63d018 .text C:\windows\system32\svchost.exe[1336] C:\windows\system32\KERNELBASE.dll!OpenMutexW 000007fefda62af0 5 bytes JMP 000007ff7f637018 .text C:\windows\system32\svchost.exe[1336] C:\windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefda65470 5 bytes JMP 000007ff7f63a018 .text C:\windows\system32\svchost.exe[1336] C:\windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefda84350 5 bytes JMP 000007ff7f63b018 .text C:\windows\system32\svchost.exe[1336] C:\windows\SYSTEM32\sechost.dll!ControlService 000007feff62642c 5 bytes JMP 000007ff7f632018 .text C:\windows\system32\svchost.exe[1336] C:\windows\SYSTEM32\sechost.dll!OpenServiceW 000007feff626484 5 bytes JMP 000007ff7f631018 .text C:\windows\system32\svchost.exe[1336] C:\windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007feff626518 5 bytes JMP 000007ff7f633018 .text C:\windows\system32\svchost.exe[1336] C:\windows\SYSTEM32\sechost.dll!OpenServiceA 000007feff626c34 5 bytes JMP 000007ff7f630018 .text C:\windows\system32\svchost.exe[1336] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff6275e8 5 bytes JMP 000007ff7f635018 .text C:\windows\system32\svchost.exe[1336] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff62790c 5 bytes JMP 000007ff7f634018 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1580] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000779d1780 5 bytes JMP 0000000100691018 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1580] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000779d1cd0 5 bytes JMP 0000000100690018 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1580] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000779d1d80 5 bytes JMP 0000000100692018 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1580] C:\windows\system32\kernel32.dll!OpenMutexA 0000000077862ce0 5 bytes JMP 0000000100695018 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1580] C:\windows\system32\kernel32.dll!CopyFileExW 00000000778723d0 5 bytes JMP 0000000100696018 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1580] C:\windows\system32\kernel32.dll!CreateDirectoryExW 00000000778e9150 5 bytes JMP 0000000100697018 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1580] C:\windows\system32\KERNELBASE.dll!GetFileSize 000007fefda55140 5 bytes JMP 000007ff7f639018 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1580] C:\windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefda58100 5 bytes JMP 000007ff7f638018 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1580] C:\windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefda59420 5 bytes JMP 000007ff7f636018 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1580] C:\windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefda59d80 5 bytes JMP 000007ff7f63c018 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1580] C:\windows\system32\KERNELBASE.dll!TerminateThread 000007fefda5c450 5 bytes JMP 000007ff7f63d018 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1580] C:\windows\system32\KERNELBASE.dll!OpenMutexW 000007fefda62af0 5 bytes JMP 000007ff7f637018 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1580] C:\windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefda65470 5 bytes JMP 000007ff7f63a018 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1580] C:\windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefda84350 5 bytes JMP 000007ff7f63b018 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1580] C:\windows\SYSTEM32\sechost.dll!ControlService 000007feff62642c 5 bytes JMP 000007ff7f632018 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1580] C:\windows\SYSTEM32\sechost.dll!OpenServiceW 000007feff626484 5 bytes JMP 000007ff7f631018 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1580] C:\windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007feff626518 5 bytes JMP 000007ff7f633018 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1580] C:\windows\SYSTEM32\sechost.dll!OpenServiceA 000007feff626c34 5 bytes JMP 000007ff7f630018 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1580] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff6275e8 5 bytes JMP 000007ff7f635018 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1580] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff62790c 5 bytes JMP 000007ff7f634018 .text C:\windows\system32\nvvsvc.exe[1588] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000779d1780 5 bytes JMP 00000001004c1018 .text C:\windows\system32\nvvsvc.exe[1588] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000779d1cd0 5 bytes JMP 00000001004c0018 .text C:\windows\system32\nvvsvc.exe[1588] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000779d1d80 5 bytes JMP 00000001004c2018 .text C:\windows\system32\nvvsvc.exe[1588] C:\windows\system32\kernel32.dll!OpenMutexA 0000000077862ce0 5 bytes JMP 00000001004c5018 .text C:\windows\system32\nvvsvc.exe[1588] C:\windows\system32\kernel32.dll!CopyFileExW 00000000778723d0 5 bytes JMP 00000001004c6018 .text C:\windows\system32\nvvsvc.exe[1588] C:\windows\system32\kernel32.dll!CreateDirectoryExW 00000000778e9150 5 bytes JMP 00000001004c7018 .text C:\windows\system32\nvvsvc.exe[1588] C:\windows\system32\KERNELBASE.dll!GetFileSize 000007fefda55140 5 bytes JMP 000007ff7f639018 .text C:\windows\system32\nvvsvc.exe[1588] C:\windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefda58100 5 bytes JMP 000007ff7f638018 .text C:\windows\system32\nvvsvc.exe[1588] C:\windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefda59420 5 bytes JMP 000007ff7f636018 .text C:\windows\system32\nvvsvc.exe[1588] C:\windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefda59d80 5 bytes JMP 000007ff7f63c018 .text C:\windows\system32\nvvsvc.exe[1588] C:\windows\system32\KERNELBASE.dll!TerminateThread 000007fefda5c450 5 bytes JMP 000007ff7f63d018 .text C:\windows\system32\nvvsvc.exe[1588] C:\windows\system32\KERNELBASE.dll!OpenMutexW 000007fefda62af0 5 bytes JMP 000007ff7f637018 .text C:\windows\system32\nvvsvc.exe[1588] C:\windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefda65470 5 bytes JMP 000007ff7f63a018 .text C:\windows\system32\nvvsvc.exe[1588] C:\windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefda84350 5 bytes JMP 000007ff7f63b018 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1728] C:\windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077b7ffec 5 bytes JMP 000000010011100c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1728] C:\windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077b80814 5 bytes JMP 000000010011000c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1728] C:\windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077b8091c 5 bytes JMP 000000010011200c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1728] C:\windows\syswow64\kernel32.dll!OpenMutexA 0000000075a0ec07 5 bytes JMP 000000010011c00c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1728] C:\windows\syswow64\kernel32.dll!CopyFileExW 0000000075a13b2a 5 bytes JMP 000000010011e00c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1728] C:\windows\syswow64\kernel32.dll!CreateDirectoryExW 0000000075a68599 5 bytes JMP 000000010011f00c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1728] C:\windows\syswow64\KERNELBASE.dll!GetFileSizeEx 0000000075afce45 5 bytes JMP 000000010012200c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1728] C:\windows\syswow64\KERNELBASE.dll!GetFileSize 0000000075afdfea 5 bytes JMP 000000010012100c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1728] C:\windows\syswow64\KERNELBASE.dll!WriteProcessMemory 0000000075afec98 5 bytes JMP 000000010012300c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1728] C:\windows\syswow64\KERNELBASE.dll!CreateMutexExW 0000000075b00efc 5 bytes JMP 000000010011b00c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1728] C:\windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000075b01371 5 bytes JMP 000000010011d00c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1728] C:\windows\syswow64\KERNELBASE.dll!TerminateThread 0000000075b03986 5 bytes JMP 000000010012500c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1728] C:\windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx 0000000075b03e6b 2 bytes JMP 000000010012400c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1728] C:\windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx + 3 0000000075b03e6e 2 bytes [62, 8A] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1728] C:\windows\syswow64\KERNELBASE.dll!CreateDirectoryW 0000000075b0923e 5 bytes JMP 000000010012000c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1728] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 00000000758b7603 5 bytes JMP 000000010011400c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1728] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 00000000758b835c 5 bytes JMP 000000010011300c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1728] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076451465 2 bytes [45, 76] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1728] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000764514bb 2 bytes [45, 76] .text ... * 2 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1892] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000779d1780 5 bytes JMP 00000001002a1018 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1892] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000779d1cd0 5 bytes JMP 00000001002a0018 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1892] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000779d1d80 5 bytes JMP 00000001002a2018 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1892] C:\windows\system32\kernel32.dll!OpenMutexA 0000000077862ce0 5 bytes JMP 00000001002a5018 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1892] C:\windows\system32\kernel32.dll!CopyFileExW 00000000778723d0 5 bytes JMP 00000001002a6018 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1892] C:\windows\system32\kernel32.dll!CreateDirectoryExW 00000000778e9150 5 bytes JMP 00000001002a7018 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1892] C:\windows\system32\KERNELBASE.dll!GetFileSize 000007fefda55140 5 bytes JMP 000007ff7f639018 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1892] C:\windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefda58100 5 bytes JMP 000007ff7f638018 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1892] C:\windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefda59420 5 bytes JMP 000007ff7f636018 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1892] C:\windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefda59d80 5 bytes JMP 000007ff7f63c018 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1892] C:\windows\system32\KERNELBASE.dll!TerminateThread 000007fefda5c450 5 bytes JMP 000007ff7f63d018 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1892] C:\windows\system32\KERNELBASE.dll!OpenMutexW 000007fefda62af0 5 bytes JMP 000007ff7f637018 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1892] C:\windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefda65470 5 bytes JMP 000007ff7f63a018 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1892] C:\windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefda84350 5 bytes JMP 000007ff7f63b018 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1892] C:\windows\SYSTEM32\sechost.dll!ControlService 000007feff62642c 5 bytes JMP 000007ff7f632018 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1892] C:\windows\SYSTEM32\sechost.dll!OpenServiceW 000007feff626484 5 bytes JMP 000007ff7f631018 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1892] C:\windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007feff626518 5 bytes JMP 000007ff7f633018 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1892] C:\windows\SYSTEM32\sechost.dll!OpenServiceA 000007feff626c34 5 bytes JMP 000007ff7f630018 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1892] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff6275e8 5 bytes JMP 000007ff7f635018 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1892] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff62790c 5 bytes JMP 000007ff7f634018 .text C:\windows\SysWOW64\Rezip.exe[1620] C:\windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077b7ffec 5 bytes JMP 000000010033100c .text C:\windows\SysWOW64\Rezip.exe[1620] C:\windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077b80814 5 bytes JMP 000000010033000c .text C:\windows\SysWOW64\Rezip.exe[1620] C:\windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077b8091c 5 bytes JMP 000000010033200c .text C:\windows\SysWOW64\Rezip.exe[1620] C:\windows\syswow64\kernel32.dll!OpenMutexA 0000000075a0ec07 5 bytes JMP 000000010033c00c .text C:\windows\SysWOW64\Rezip.exe[1620] C:\windows\syswow64\kernel32.dll!CopyFileExW 0000000075a13b2a 5 bytes JMP 000000010033e00c .text C:\windows\SysWOW64\Rezip.exe[1620] C:\windows\syswow64\kernel32.dll!CreateDirectoryExW 0000000075a68599 5 bytes JMP 000000010033f00c .text C:\windows\SysWOW64\Rezip.exe[1620] C:\windows\syswow64\KERNELBASE.dll!GetFileSizeEx 0000000075afce45 5 bytes JMP 000000010056200c .text C:\windows\SysWOW64\Rezip.exe[1620] C:\windows\syswow64\KERNELBASE.dll!GetFileSize 0000000075afdfea 5 bytes JMP 000000010056100c .text C:\windows\SysWOW64\Rezip.exe[1620] C:\windows\syswow64\KERNELBASE.dll!WriteProcessMemory 0000000075afec98 5 bytes JMP 000000010056300c .text C:\windows\SysWOW64\Rezip.exe[1620] C:\windows\syswow64\KERNELBASE.dll!CreateMutexExW 0000000075b00efc 5 bytes JMP 000000010033b00c .text C:\windows\SysWOW64\Rezip.exe[1620] C:\windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000075b01371 5 bytes JMP 000000010033d00c .text C:\windows\SysWOW64\Rezip.exe[1620] C:\windows\syswow64\KERNELBASE.dll!TerminateThread 0000000075b03986 5 bytes JMP 000000010056500c .text C:\windows\SysWOW64\Rezip.exe[1620] C:\windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx 0000000075b03e6b 2 bytes JMP 000000010056400c .text C:\windows\SysWOW64\Rezip.exe[1620] C:\windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx + 3 0000000075b03e6e 2 bytes [A6, 8A] .text C:\windows\SysWOW64\Rezip.exe[1620] C:\windows\syswow64\KERNELBASE.dll!CreateDirectoryW 0000000075b0923e 5 bytes JMP 000000010056000c .text C:\windows\SysWOW64\Rezip.exe[1620] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 00000000758b7603 5 bytes JMP 000000010033400c .text C:\windows\SysWOW64\Rezip.exe[1620] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 00000000758b835c 5 bytes JMP 000000010033300c .text C:\windows\SysWOW64\Rezip.exe[1620] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076451465 2 bytes [45, 76] .text C:\windows\SysWOW64\Rezip.exe[1620] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000764514bb 2 bytes [45, 76] .text ... * 2 .text C:\windows\system32\svchost.exe[2052] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000779d1780 5 bytes JMP 00000001013b1018 .text C:\windows\system32\svchost.exe[2052] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000779d1cd0 5 bytes JMP 00000001013b0018 .text C:\windows\system32\svchost.exe[2052] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000779d1d80 5 bytes JMP 00000001013b2018 .text C:\windows\system32\svchost.exe[2052] C:\windows\system32\kernel32.dll!OpenMutexA 0000000077862ce0 5 bytes JMP 00000001013b5018 .text C:\windows\system32\svchost.exe[2052] C:\windows\system32\kernel32.dll!CopyFileExW 00000000778723d0 5 bytes JMP 00000001013b6018 .text C:\windows\system32\svchost.exe[2052] C:\windows\system32\kernel32.dll!CreateDirectoryExW 00000000778e9150 4 bytes JMP 00000001013b7018 .text C:\windows\system32\svchost.exe[2052] C:\windows\system32\KERNELBASE.dll!GetFileSize 000007fefda55140 5 bytes JMP 000007ff7f639018 .text C:\windows\system32\svchost.exe[2052] C:\windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefda58100 5 bytes JMP 000007ff7f638018 .text C:\windows\system32\svchost.exe[2052] C:\windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefda59420 5 bytes JMP 000007ff7f636018 .text C:\windows\system32\svchost.exe[2052] C:\windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefda59d80 5 bytes JMP 000007ff7f63c018 .text C:\windows\system32\svchost.exe[2052] C:\windows\system32\KERNELBASE.dll!TerminateThread 000007fefda5c450 5 bytes JMP 000007ff7f63d018 .text C:\windows\system32\svchost.exe[2052] C:\windows\system32\KERNELBASE.dll!OpenMutexW 000007fefda62af0 5 bytes JMP 000007ff7f637018 .text C:\windows\system32\svchost.exe[2052] C:\windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefda65470 5 bytes JMP 000007ff7f63a018 .text C:\windows\system32\svchost.exe[2052] C:\windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefda84350 5 bytes JMP 000007ff7f63b018 .text D:\Gry\Hamachi\hamachi-2.exe[2376] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000779d1780 5 bytes JMP 0000000100251018 .text D:\Gry\Hamachi\hamachi-2.exe[2376] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000779d1cd0 5 bytes JMP 0000000100250018 .text D:\Gry\Hamachi\hamachi-2.exe[2376] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000779d1d80 5 bytes JMP 0000000100252018 .text D:\Gry\Hamachi\hamachi-2.exe[2376] C:\windows\system32\kernel32.dll!OpenMutexA 0000000077862ce0 5 bytes JMP 0000000100255018 .text D:\Gry\Hamachi\hamachi-2.exe[2376] C:\windows\system32\kernel32.dll!CopyFileExW 00000000778723d0 5 bytes JMP 0000000100256018 .text D:\Gry\Hamachi\hamachi-2.exe[2376] C:\windows\system32\kernel32.dll!CreateDirectoryExW 00000000778e9150 5 bytes JMP 0000000100257018 .text D:\Gry\Hamachi\hamachi-2.exe[2376] C:\windows\system32\KERNELBASE.dll!GetFileSize 000007fefda55140 5 bytes JMP 000007ff7f639018 .text D:\Gry\Hamachi\hamachi-2.exe[2376] C:\windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefda58100 5 bytes JMP 000007ff7f638018 .text D:\Gry\Hamachi\hamachi-2.exe[2376] C:\windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefda59420 5 bytes JMP 000007ff7f636018 .text D:\Gry\Hamachi\hamachi-2.exe[2376] C:\windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefda59d80 5 bytes JMP 000007ff7f63c018 .text D:\Gry\Hamachi\hamachi-2.exe[2376] C:\windows\system32\KERNELBASE.dll!TerminateThread 000007fefda5c450 5 bytes JMP 000007ff7f63d018 .text D:\Gry\Hamachi\hamachi-2.exe[2376] C:\windows\system32\KERNELBASE.dll!OpenMutexW 000007fefda62af0 5 bytes JMP 000007ff7f637018 .text D:\Gry\Hamachi\hamachi-2.exe[2376] C:\windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefda65470 5 bytes JMP 000007ff7f63a018 .text D:\Gry\Hamachi\hamachi-2.exe[2376] C:\windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefda84350 5 bytes JMP 000007ff7f63b018 .text D:\Gry\Hamachi\hamachi-2.exe[2376] C:\windows\SYSTEM32\sechost.dll!ControlService 000007feff62642c 5 bytes JMP 000007ff7f632018 .text D:\Gry\Hamachi\hamachi-2.exe[2376] C:\windows\SYSTEM32\sechost.dll!OpenServiceW 000007feff626484 5 bytes JMP 000007ff7f631018 .text D:\Gry\Hamachi\hamachi-2.exe[2376] C:\windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007feff626518 5 bytes JMP 000007ff7f633018 .text D:\Gry\Hamachi\hamachi-2.exe[2376] C:\windows\SYSTEM32\sechost.dll!OpenServiceA 000007feff626c34 5 bytes JMP 000007ff7f630018 .text D:\Gry\Hamachi\hamachi-2.exe[2376] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff6275e8 5 bytes JMP 000007ff7f635018 .text D:\Gry\Hamachi\hamachi-2.exe[2376] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff62790c 5 bytes JMP 000007ff7f634018 .text D:\Gry\Hamachi\LMIGuardianSvc.exe[2520] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000779d1780 5 bytes JMP 0000000100161018 .text D:\Gry\Hamachi\LMIGuardianSvc.exe[2520] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000779d1cd0 5 bytes JMP 0000000100160018 .text D:\Gry\Hamachi\LMIGuardianSvc.exe[2520] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000779d1d80 5 bytes JMP 0000000100162018 .text D:\Gry\Hamachi\LMIGuardianSvc.exe[2520] C:\windows\system32\kernel32.dll!OpenMutexA 0000000077862ce0 5 bytes JMP 0000000100165018 .text D:\Gry\Hamachi\LMIGuardianSvc.exe[2520] C:\windows\system32\kernel32.dll!CopyFileExW 00000000778723d0 5 bytes JMP 0000000100166018 .text D:\Gry\Hamachi\LMIGuardianSvc.exe[2520] C:\windows\system32\kernel32.dll!CreateDirectoryExW 00000000778e9150 5 bytes JMP 0000000100167018 .text D:\Gry\Hamachi\LMIGuardianSvc.exe[2520] C:\windows\system32\KERNELBASE.dll!GetFileSize 000007fefda55140 5 bytes JMP 000007ff7f639018 .text D:\Gry\Hamachi\LMIGuardianSvc.exe[2520] C:\windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefda58100 5 bytes JMP 000007ff7f638018 .text D:\Gry\Hamachi\LMIGuardianSvc.exe[2520] C:\windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefda59420 5 bytes JMP 000007ff7f636018 .text D:\Gry\Hamachi\LMIGuardianSvc.exe[2520] C:\windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefda59d80 5 bytes JMP 000007ff7f63c018 .text D:\Gry\Hamachi\LMIGuardianSvc.exe[2520] C:\windows\system32\KERNELBASE.dll!TerminateThread 000007fefda5c450 5 bytes JMP 000007ff7f63d018 .text D:\Gry\Hamachi\LMIGuardianSvc.exe[2520] C:\windows\system32\KERNELBASE.dll!OpenMutexW 000007fefda62af0 5 bytes JMP 000007ff7f637018 .text D:\Gry\Hamachi\LMIGuardianSvc.exe[2520] C:\windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefda65470 5 bytes JMP 000007ff7f63a018 .text D:\Gry\Hamachi\LMIGuardianSvc.exe[2520] C:\windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefda84350 5 bytes JMP 000007ff7f63b018 .text C:\windows\system32\taskhost.exe[2540] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000779d1780 5 bytes JMP 0000000103291018 .text C:\windows\system32\taskhost.exe[2540] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000779d1cd0 5 bytes JMP 0000000103290018 .text C:\windows\system32\taskhost.exe[2540] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000779d1d80 5 bytes JMP 0000000103292018 .text C:\windows\system32\taskhost.exe[2540] C:\windows\system32\kernel32.dll!OpenMutexA 0000000077862ce0 5 bytes JMP 0000000103295018 .text C:\windows\system32\taskhost.exe[2540] C:\windows\system32\kernel32.dll!CopyFileExW 00000000778723d0 5 bytes JMP 0000000103296018 .text C:\windows\system32\taskhost.exe[2540] C:\windows\system32\kernel32.dll!CreateDirectoryExW 00000000778e9150 5 bytes JMP 0000000103297018 .text C:\windows\system32\taskhost.exe[2540] C:\windows\system32\KERNELBASE.dll!GetFileSize 000007fefda55140 5 bytes JMP 000007ff7f639018 .text C:\windows\system32\taskhost.exe[2540] C:\windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefda58100 5 bytes JMP 000007ff7f638018 .text C:\windows\system32\taskhost.exe[2540] C:\windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefda59420 5 bytes JMP 000007ff7f636018 .text C:\windows\system32\taskhost.exe[2540] C:\windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefda59d80 5 bytes JMP 000007ff7f63c018 .text C:\windows\system32\taskhost.exe[2540] C:\windows\system32\KERNELBASE.dll!TerminateThread 000007fefda5c450 5 bytes JMP 000007ff7f63d018 .text C:\windows\system32\taskhost.exe[2540] C:\windows\system32\KERNELBASE.dll!OpenMutexW 000007fefda62af0 5 bytes JMP 000007ff7f637018 .text C:\windows\system32\taskhost.exe[2540] C:\windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefda65470 5 bytes JMP 000007ff7f63a018 .text C:\windows\system32\taskhost.exe[2540] C:\windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefda84350 5 bytes JMP 000007ff7f63b018 .text C:\windows\system32\taskhost.exe[2540] C:\windows\SYSTEM32\sechost.dll!ControlService 000007feff62642c 5 bytes JMP 000007ff7f632018 .text C:\windows\system32\taskhost.exe[2540] C:\windows\SYSTEM32\sechost.dll!OpenServiceW 000007feff626484 5 bytes JMP 000007ff7f631018 .text C:\windows\system32\taskhost.exe[2540] C:\windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007feff626518 5 bytes JMP 000007ff7f633018 .text C:\windows\system32\taskhost.exe[2540] C:\windows\SYSTEM32\sechost.dll!OpenServiceA 000007feff626c34 5 bytes JMP 000007ff7f630018 .text C:\windows\system32\taskhost.exe[2540] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff6275e8 5 bytes JMP 000007ff7f635018 .text C:\windows\system32\taskhost.exe[2540] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff62790c 5 bytes JMP 000007ff7f634018 .text C:\windows\system32\Dwm.exe[2684] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000779d1780 5 bytes JMP 0000000102511018 .text C:\windows\system32\Dwm.exe[2684] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000779d1cd0 5 bytes JMP 0000000102510018 .text C:\windows\system32\Dwm.exe[2684] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000779d1d80 5 bytes JMP 0000000102512018 .text C:\windows\system32\Dwm.exe[2684] C:\windows\system32\kernel32.dll!OpenMutexA 0000000077862ce0 5 bytes JMP 0000000102515018 .text C:\windows\system32\Dwm.exe[2684] C:\windows\system32\kernel32.dll!CopyFileExW 00000000778723d0 5 bytes JMP 0000000102516018 .text C:\windows\system32\Dwm.exe[2684] C:\windows\system32\kernel32.dll!CreateDirectoryExW 00000000778e9150 5 bytes JMP 0000000102517018 .text C:\windows\system32\Dwm.exe[2684] C:\windows\system32\KERNELBASE.dll!GetFileSize 000007fefda55140 5 bytes JMP 000007ff7f639018 .text C:\windows\system32\Dwm.exe[2684] C:\windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefda58100 5 bytes JMP 000007ff7f638018 .text C:\windows\system32\Dwm.exe[2684] C:\windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefda59420 5 bytes JMP 000007ff7f636018 .text C:\windows\system32\Dwm.exe[2684] C:\windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefda59d80 5 bytes JMP 000007ff7f63c018 .text C:\windows\system32\Dwm.exe[2684] C:\windows\system32\KERNELBASE.dll!TerminateThread 000007fefda5c450 5 bytes JMP 000007ff7f63d018 .text C:\windows\system32\Dwm.exe[2684] C:\windows\system32\KERNELBASE.dll!OpenMutexW 000007fefda62af0 5 bytes JMP 000007ff7f637018 .text C:\windows\system32\Dwm.exe[2684] C:\windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefda65470 5 bytes JMP 000007ff7f63a018 .text C:\windows\system32\Dwm.exe[2684] C:\windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefda84350 5 bytes JMP 000007ff7f63b018 .text C:\windows\Explorer.EXE[3024] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000779d1780 5 bytes JMP 0000000104f31018 .text C:\windows\Explorer.EXE[3024] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000779d1cd0 5 bytes JMP 0000000104f30018 .text C:\windows\Explorer.EXE[3024] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000779d1d80 5 bytes JMP 0000000104f32018 .text C:\windows\Explorer.EXE[3024] C:\windows\system32\kernel32.dll!OpenMutexA 0000000077862ce0 5 bytes JMP 0000000104f35018 .text C:\windows\Explorer.EXE[3024] C:\windows\system32\kernel32.dll!CopyFileExW 00000000778723d0 5 bytes JMP 0000000104f36018 .text C:\windows\Explorer.EXE[3024] C:\windows\system32\kernel32.dll!CreateDirectoryExW 00000000778e9150 5 bytes JMP 0000000104f37018 .text C:\windows\Explorer.EXE[3024] C:\windows\system32\KERNELBASE.dll!GetFileSize 000007fefda55140 5 bytes JMP 000007ff7f639018 .text C:\windows\Explorer.EXE[3024] C:\windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefda58100 5 bytes JMP 000007ff7f638018 .text C:\windows\Explorer.EXE[3024] C:\windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefda59420 5 bytes JMP 000007ff7f636018 .text C:\windows\Explorer.EXE[3024] C:\windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefda59d80 5 bytes JMP 000007ff7f63c018 .text C:\windows\Explorer.EXE[3024] C:\windows\system32\KERNELBASE.dll!TerminateThread 000007fefda5c450 5 bytes JMP 000007ff7f63d018 .text C:\windows\Explorer.EXE[3024] C:\windows\system32\KERNELBASE.dll!OpenMutexW 000007fefda62af0 5 bytes JMP 000007ff7f637018 .text C:\windows\Explorer.EXE[3024] C:\windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefda65470 5 bytes JMP 000007ff7f63a018 .text C:\windows\Explorer.EXE[3024] C:\windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefda84350 5 bytes JMP 000007ff7f63b018 .text C:\windows\Explorer.EXE[3024] C:\windows\SYSTEM32\sechost.dll!ControlService 000007feff62642c 5 bytes JMP 000007ff7f632018 .text C:\windows\Explorer.EXE[3024] C:\windows\SYSTEM32\sechost.dll!OpenServiceW 000007feff626484 5 bytes JMP 000007ff7f631018 .text C:\windows\Explorer.EXE[3024] C:\windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007feff626518 5 bytes JMP 000007ff7f633018 .text C:\windows\Explorer.EXE[3024] C:\windows\SYSTEM32\sechost.dll!OpenServiceA 000007feff626c34 5 bytes JMP 000007ff7f630018 .text C:\windows\Explorer.EXE[3024] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff6275e8 5 bytes JMP 000007ff7f635018 .text C:\windows\Explorer.EXE[3024] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff62790c 5 bytes JMP 000007ff7f634018 .text C:\windows\system32\svchost.exe[3388] C:\windows\system32\kernel32.dll!OpenMutexA 0000000077862ce0 5 bytes JMP 00000001002a5018 .text C:\windows\system32\svchost.exe[3388] C:\windows\system32\kernel32.dll!CopyFileExW 00000000778723d0 5 bytes JMP 00000001002a6018 .text C:\windows\system32\svchost.exe[3388] C:\windows\system32\kernel32.dll!CreateDirectoryExW 00000000778e9150 5 bytes JMP 00000001002a7018 .text C:\windows\system32\svchost.exe[3388] C:\windows\system32\KERNELBASE.dll!GetFileSize 000007fefda55140 5 bytes JMP 000007ff7f639018 .text C:\windows\system32\svchost.exe[3388] C:\windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefda58100 5 bytes JMP 000007ff7f638018 .text C:\windows\system32\svchost.exe[3388] C:\windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefda59420 5 bytes JMP 000007ff7f636018 .text C:\windows\system32\svchost.exe[3388] C:\windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefda59d80 5 bytes JMP 000007ff7f63c018 .text C:\windows\system32\svchost.exe[3388] C:\windows\system32\KERNELBASE.dll!TerminateThread 000007fefda5c450 5 bytes JMP 000007ff7f63d018 .text C:\windows\system32\svchost.exe[3388] C:\windows\system32\KERNELBASE.dll!OpenMutexW 000007fefda62af0 5 bytes JMP 000007ff7f637018 .text C:\windows\system32\svchost.exe[3388] C:\windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefda65470 5 bytes JMP 000007ff7f63a018 .text C:\windows\system32\svchost.exe[3388] C:\windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefda84350 5 bytes JMP 000007ff7f63b018 .text C:\windows\system32\svchost.exe[3388] C:\windows\SYSTEM32\sechost.dll!ControlService 000007feff62642c 5 bytes JMP 000007ff7f632018 .text C:\windows\system32\svchost.exe[3388] C:\windows\SYSTEM32\sechost.dll!OpenServiceW 000007feff626484 5 bytes JMP 000007ff7f631018 .text C:\windows\system32\svchost.exe[3388] C:\windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007feff626518 5 bytes JMP 000007ff7f633018 .text C:\windows\system32\svchost.exe[3388] C:\windows\SYSTEM32\sechost.dll!OpenServiceA 000007feff626c34 5 bytes JMP 000007ff7f630018 .text C:\windows\system32\svchost.exe[3388] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff6275e8 5 bytes JMP 000007ff7f635018 .text C:\windows\system32\svchost.exe[3388] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff62790c 5 bytes JMP 000007ff7f634018 .text C:\windows\system32\taskeng.exe[3460] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000779d1780 5 bytes JMP 0000000100191018 .text C:\windows\system32\taskeng.exe[3460] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000779d1cd0 5 bytes JMP 0000000100190018 .text C:\windows\system32\taskeng.exe[3460] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000779d1d80 5 bytes JMP 0000000100192018 .text C:\windows\system32\taskeng.exe[3460] C:\windows\system32\kernel32.dll!OpenMutexA 0000000077862ce0 5 bytes JMP 0000000100195018 .text C:\windows\system32\taskeng.exe[3460] C:\windows\system32\kernel32.dll!CopyFileExW 00000000778723d0 5 bytes JMP 0000000100196018 .text C:\windows\system32\taskeng.exe[3460] C:\windows\system32\kernel32.dll!CreateDirectoryExW 00000000778e9150 5 bytes JMP 0000000100197018 .text C:\windows\system32\taskeng.exe[3460] C:\windows\system32\KERNELBASE.dll!GetFileSize 000007fefda55140 5 bytes JMP 000007ff7f639018 .text C:\windows\system32\taskeng.exe[3460] C:\windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefda58100 5 bytes JMP 000007ff7f638018 .text C:\windows\system32\taskeng.exe[3460] C:\windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefda59420 5 bytes JMP 000007ff7f636018 .text C:\windows\system32\taskeng.exe[3460] C:\windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefda59d80 5 bytes JMP 000007ff7f63c018 .text C:\windows\system32\taskeng.exe[3460] C:\windows\system32\KERNELBASE.dll!TerminateThread 000007fefda5c450 5 bytes JMP 000007ff7f63d018 .text C:\windows\system32\taskeng.exe[3460] C:\windows\system32\KERNELBASE.dll!OpenMutexW 000007fefda62af0 5 bytes JMP 000007ff7f637018 .text C:\windows\system32\taskeng.exe[3460] C:\windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefda65470 5 bytes JMP 000007ff7f63a018 .text C:\windows\system32\taskeng.exe[3460] C:\windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefda84350 5 bytes JMP 000007ff7f63b018 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[3660] C:\windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077b7ffec 5 bytes JMP 00000001005a100c .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[3660] C:\windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077b80814 5 bytes JMP 00000001005a000c .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[3660] C:\windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077b8091c 5 bytes JMP 00000001005a200c .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[3660] C:\windows\syswow64\kernel32.dll!OpenMutexA 0000000075a0ec07 5 bytes JMP 00000001005ac00c .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[3660] C:\windows\syswow64\kernel32.dll!CopyFileExW 0000000075a13b2a 5 bytes JMP 00000001005ae00c .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[3660] C:\windows\syswow64\kernel32.dll!CreateDirectoryExW 0000000075a68599 5 bytes JMP 00000001005af00c .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3688] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000779d1780 5 bytes JMP 00000001022f1018 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3688] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000779d1cd0 5 bytes JMP 00000001022f0018 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3688] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000779d1d80 5 bytes JMP 00000001022f2018 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3688] C:\windows\system32\kernel32.dll!OpenMutexA 0000000077862ce0 5 bytes JMP 00000001022f5018 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3688] C:\windows\system32\kernel32.dll!CopyFileExW 00000000778723d0 5 bytes JMP 00000001022f6018 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3688] C:\windows\system32\kernel32.dll!CreateDirectoryExW 00000000778e9150 5 bytes JMP 00000001022f7018 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3688] C:\windows\system32\KERNELBASE.dll!GetFileSize 000007fefda55140 5 bytes JMP 000007ff7f639018 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3688] C:\windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefda58100 5 bytes JMP 000007ff7f638018 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3688] C:\windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefda59420 5 bytes JMP 000007ff7f636018 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3688] C:\windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefda59d80 5 bytes JMP 000007ff7f63c018 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3688] C:\windows\system32\KERNELBASE.dll!TerminateThread 000007fefda5c450 5 bytes JMP 000007ff7f63d018 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3688] C:\windows\system32\KERNELBASE.dll!OpenMutexW 000007fefda62af0 5 bytes JMP 000007ff7f637018 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3688] C:\windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefda65470 5 bytes JMP 000007ff7f63a018 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3688] C:\windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefda84350 5 bytes JMP 000007ff7f63b018 .text C:\Program Files (x86)\Samsung\Samsung Recovery Solution 4\WCScheduler.exe[3728] C:\windows\syswow64\KERNELBASE.dll!GetFileSizeEx 0000000075afce45 5 bytes JMP 0000000102c7200c .text C:\Program Files (x86)\Samsung\Samsung Recovery Solution 4\WCScheduler.exe[3728] C:\windows\syswow64\KERNELBASE.dll!GetFileSize 0000000075afdfea 5 bytes JMP 0000000102c7100c .text C:\Program Files (x86)\Samsung\Samsung Recovery Solution 4\WCScheduler.exe[3728] C:\windows\syswow64\KERNELBASE.dll!WriteProcessMemory 0000000075afec98 5 bytes JMP 0000000102c7300c .text C:\Program Files (x86)\Samsung\Samsung Recovery Solution 4\WCScheduler.exe[3728] C:\windows\syswow64\KERNELBASE.dll!CreateMutexExW 0000000075b00efc 5 bytes JMP 00000001009cb00c .text C:\Program Files (x86)\Samsung\Samsung Recovery Solution 4\WCScheduler.exe[3728] C:\windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000075b01371 5 bytes JMP 00000001009cd00c .text C:\Program Files (x86)\Samsung\Samsung Recovery Solution 4\WCScheduler.exe[3728] C:\windows\syswow64\KERNELBASE.dll!TerminateThread 0000000075b03986 5 bytes JMP 0000000102c7500c .text C:\Program Files (x86)\Samsung\Samsung Recovery Solution 4\WCScheduler.exe[3728] C:\windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx 0000000075b03e6b 2 bytes JMP 0000000102c7400c .text C:\Program Files (x86)\Samsung\Samsung Recovery Solution 4\WCScheduler.exe[3728] C:\windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx + 3 0000000075b03e6e 2 bytes [17, 8D] .text C:\Program Files (x86)\Samsung\Samsung Recovery Solution 4\WCScheduler.exe[3728] C:\windows\syswow64\KERNELBASE.dll!CreateDirectoryW 0000000075b0923e 5 bytes JMP 0000000102c7000c .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000779d1780 5 bytes JMP 00000001020b1018 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000779d1cd0 5 bytes JMP 00000001020b0018 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000779d1d80 5 bytes JMP 00000001020b2018 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\windows\system32\kernel32.dll!OpenMutexA 0000000077862ce0 5 bytes JMP 00000001020b5018 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\windows\system32\kernel32.dll!CopyFileExW 00000000778723d0 5 bytes JMP 00000001020b6018 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\windows\system32\kernel32.dll!CreateDirectoryExW 00000000778e9150 5 bytes JMP 00000001020b7018 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\windows\system32\KERNELBASE.dll!GetFileSize 000007fefda55140 5 bytes JMP 000007ff7f639018 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefda58100 5 bytes JMP 000007ff7f638018 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefda59420 5 bytes JMP 000007ff7f636018 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefda59d80 5 bytes JMP 000007ff7f63c018 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\windows\system32\KERNELBASE.dll!TerminateThread 000007fefda5c450 5 bytes JMP 000007ff7f63d018 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\windows\system32\KERNELBASE.dll!OpenMutexW 000007fefda62af0 5 bytes JMP 000007ff7f637018 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefda65470 5 bytes JMP 000007ff7f63a018 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefda84350 5 bytes JMP 000007ff7f63b018 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\windows\SYSTEM32\sechost.dll!ControlService 000007feff62642c 5 bytes JMP 000007ff7f632018 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\windows\SYSTEM32\sechost.dll!OpenServiceW 000007feff626484 5 bytes JMP 000007ff7f631018 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007feff626518 5 bytes JMP 000007ff7f633018 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\windows\SYSTEM32\sechost.dll!OpenServiceA 000007feff626c34 5 bytes JMP 000007ff7f630018 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff6275e8 5 bytes JMP 000007ff7f635018 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff62790c 5 bytes JMP 000007ff7f634018 .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[3840] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000779d1780 5 bytes JMP 0000000100281018 .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[3840] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000779d1cd0 5 bytes JMP 0000000100280018 .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[3840] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000779d1d80 5 bytes JMP 0000000100282018 .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[3840] C:\windows\system32\kernel32.dll!OpenMutexA 0000000077862ce0 5 bytes JMP 0000000100285018 .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[3840] C:\windows\system32\kernel32.dll!CopyFileExW 00000000778723d0 5 bytes JMP 0000000100286018 .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[3840] C:\windows\system32\kernel32.dll!CreateDirectoryExW 00000000778e9150 5 bytes JMP 0000000100287018 .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[3840] C:\windows\system32\KERNELBASE.dll!GetFileSize 000007fefda55140 5 bytes JMP 000007ff7f639018 .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[3840] C:\windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefda58100 5 bytes JMP 000007ff7f638018 .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[3840] C:\windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefda59420 5 bytes JMP 000007ff7f636018 .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[3840] C:\windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefda59d80 5 bytes JMP 000007ff7f63c018 .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[3840] C:\windows\system32\KERNELBASE.dll!TerminateThread 000007fefda5c450 5 bytes JMP 000007ff7f63d018 .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[3840] C:\windows\system32\KERNELBASE.dll!OpenMutexW 000007fefda62af0 5 bytes JMP 000007ff7f637018 .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[3840] C:\windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefda65470 5 bytes JMP 000007ff7f63a018 .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[3840] C:\windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefda84350 5 bytes JMP 000007ff7f63b018 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3864] C:\windows\system32\kernel32.dll!OpenMutexA 0000000077862ce0 5 bytes JMP 00000001002e5018 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3864] C:\windows\system32\kernel32.dll!CopyFileExW 00000000778723d0 5 bytes JMP 00000001002e6018 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3864] C:\windows\system32\kernel32.dll!CreateDirectoryExW 00000000778e9150 5 bytes JMP 00000001002e7018 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3864] C:\windows\system32\KERNELBASE.dll!GetFileSize 000007fefda55140 5 bytes JMP 000007ff7f639018 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3864] C:\windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefda58100 5 bytes JMP 000007ff7f638018 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3864] C:\windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefda59420 5 bytes JMP 000007ff7f636018 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3864] C:\windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefda59d80 5 bytes JMP 000007ff7f63c018 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3864] C:\windows\system32\KERNELBASE.dll!TerminateThread 000007fefda5c450 5 bytes JMP 000007ff7f63d018 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3864] C:\windows\system32\KERNELBASE.dll!OpenMutexW 000007fefda62af0 5 bytes JMP 000007ff7f637018 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3864] C:\windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefda65470 5 bytes JMP 000007ff7f63a018 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3864] C:\windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefda84350 5 bytes JMP 000007ff7f63b018 .text C:\Windows\System32\TiltWheelMouse.exe[3900] C:\windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077b7ffec 5 bytes JMP 000000010028100c .text C:\Windows\System32\TiltWheelMouse.exe[3900] C:\windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077b80814 5 bytes JMP 000000010028000c .text C:\Windows\System32\TiltWheelMouse.exe[3900] C:\windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077b8091c 5 bytes JMP 000000010028200c .text C:\Windows\System32\TiltWheelMouse.exe[3900] C:\windows\syswow64\kernel32.dll!OpenMutexA 0000000075a0ec07 5 bytes JMP 000000010028c00c .text C:\Windows\System32\TiltWheelMouse.exe[3900] C:\windows\syswow64\kernel32.dll!CopyFileExW 0000000075a13b2a 5 bytes JMP 000000010028e00c .text C:\Windows\System32\TiltWheelMouse.exe[3900] C:\windows\syswow64\kernel32.dll!CreateDirectoryExW 0000000075a68599 5 bytes JMP 000000010028f00c .text C:\Windows\System32\TiltWheelMouse.exe[3900] C:\windows\syswow64\KERNELBASE.dll!GetFileSizeEx 0000000075afce45 5 bytes JMP 00000001003d200c .text C:\Windows\System32\TiltWheelMouse.exe[3900] C:\windows\syswow64\KERNELBASE.dll!GetFileSize 0000000075afdfea 5 bytes JMP 00000001003d100c .text C:\Windows\System32\TiltWheelMouse.exe[3900] C:\windows\syswow64\KERNELBASE.dll!WriteProcessMemory 0000000075afec98 5 bytes JMP 00000001003d300c .text C:\Windows\System32\TiltWheelMouse.exe[3900] C:\windows\syswow64\KERNELBASE.dll!CreateMutexExW 0000000075b00efc 5 bytes JMP 000000010028b00c .text C:\Windows\System32\TiltWheelMouse.exe[3900] C:\windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000075b01371 5 bytes JMP 000000010028d00c .text C:\Windows\System32\TiltWheelMouse.exe[3900] C:\windows\syswow64\KERNELBASE.dll!TerminateThread 0000000075b03986 5 bytes JMP 00000001003d500c .text C:\Windows\System32\TiltWheelMouse.exe[3900] C:\windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx 0000000075b03e6b 2 bytes JMP 00000001003d400c .text C:\Windows\System32\TiltWheelMouse.exe[3900] C:\windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx + 3 0000000075b03e6e 2 bytes [8D, 8A] .text C:\Windows\System32\TiltWheelMouse.exe[3900] C:\windows\syswow64\KERNELBASE.dll!CreateDirectoryW 0000000075b0923e 5 bytes JMP 00000001003d000c .text C:\Windows\System32\TiltWheelMouse.exe[3900] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 00000000758b7603 5 bytes JMP 000000010028400c .text C:\Windows\System32\TiltWheelMouse.exe[3900] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 00000000758b835c 5 bytes JMP 000000010028300c .text C:\Windows\System32\TiltWheelMouse.exe[3900] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076451465 2 bytes [45, 76] .text C:\Windows\System32\TiltWheelMouse.exe[3900] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000764514bb 2 bytes [45, 76] .text ... * 2 .text C:\Program Files\HP\HP Deskjet 3510 series\Bin\ScanToPCActivationApp.exe[4016] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000779d1780 5 bytes JMP 00000001024c1018 .text C:\Program Files\HP\HP Deskjet 3510 series\Bin\ScanToPCActivationApp.exe[4016] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000779d1cd0 5 bytes JMP 00000001024c0018 .text C:\Program Files\HP\HP Deskjet 3510 series\Bin\ScanToPCActivationApp.exe[4016] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000779d1d80 5 bytes JMP 00000001024c2018 .text C:\Program Files\HP\HP Deskjet 3510 series\Bin\ScanToPCActivationApp.exe[4016] C:\windows\system32\kernel32.dll!OpenMutexA 0000000077862ce0 5 bytes JMP 00000001024c5018 .text C:\Program Files\HP\HP Deskjet 3510 series\Bin\ScanToPCActivationApp.exe[4016] C:\windows\system32\kernel32.dll!CopyFileExW 00000000778723d0 5 bytes JMP 00000001024c6018 .text C:\Program Files\HP\HP Deskjet 3510 series\Bin\ScanToPCActivationApp.exe[4016] C:\windows\system32\kernel32.dll!CreateDirectoryExW 00000000778e9150 5 bytes JMP 00000001024c7018 .text C:\Program Files\HP\HP Deskjet 3510 series\Bin\ScanToPCActivationApp.exe[4016] C:\windows\system32\KERNELBASE.dll!GetFileSize 000007fefda55140 5 bytes JMP 000007ff7f639018 .text C:\Program Files\HP\HP Deskjet 3510 series\Bin\ScanToPCActivationApp.exe[4016] C:\windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefda58100 5 bytes JMP 000007ff7f638018 .text C:\Program Files\HP\HP Deskjet 3510 series\Bin\ScanToPCActivationApp.exe[4016] C:\windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefda59420 5 bytes JMP 000007ff7f636018 .text C:\Program Files\HP\HP Deskjet 3510 series\Bin\ScanToPCActivationApp.exe[4016] C:\windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefda59d80 5 bytes JMP 000007ff7f63c018 .text C:\Program Files\HP\HP Deskjet 3510 series\Bin\ScanToPCActivationApp.exe[4016] C:\windows\system32\KERNELBASE.dll!TerminateThread 000007fefda5c450 5 bytes JMP 000007ff7f63d018 .text C:\Program Files\HP\HP Deskjet 3510 series\Bin\ScanToPCActivationApp.exe[4016] C:\windows\system32\KERNELBASE.dll!OpenMutexW 000007fefda62af0 5 bytes JMP 000007ff7f637018 .text C:\Program Files\HP\HP Deskjet 3510 series\Bin\ScanToPCActivationApp.exe[4016] C:\windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefda65470 5 bytes JMP 000007ff7f63a018 .text C:\Program Files\HP\HP Deskjet 3510 series\Bin\ScanToPCActivationApp.exe[4016] C:\windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefda84350 5 bytes JMP 000007ff7f63b018 .text C:\Program Files\HP\HP Deskjet 3510 series\Bin\ScanToPCActivationApp.exe[4016] C:\windows\SYSTEM32\sechost.dll!ControlService 000007feff62642c 5 bytes JMP 000007ff7f632018 .text C:\Program Files\HP\HP Deskjet 3510 series\Bin\ScanToPCActivationApp.exe[4016] C:\windows\SYSTEM32\sechost.dll!OpenServiceW 000007feff626484 5 bytes JMP 000007ff7f631018 .text C:\Program Files\HP\HP Deskjet 3510 series\Bin\ScanToPCActivationApp.exe[4016] C:\windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007feff626518 5 bytes JMP 000007ff7f633018 .text C:\Program Files\HP\HP Deskjet 3510 series\Bin\ScanToPCActivationApp.exe[4016] C:\windows\SYSTEM32\sechost.dll!OpenServiceA 000007feff626c34 5 bytes JMP 000007ff7f630018 .text C:\Program Files\HP\HP Deskjet 3510 series\Bin\ScanToPCActivationApp.exe[4016] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff6275e8 5 bytes JMP 000007ff7f635018 .text C:\Program Files\HP\HP Deskjet 3510 series\Bin\ScanToPCActivationApp.exe[4016] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff62790c 5 bytes JMP 000007ff7f634018 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3752] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000779d1780 5 bytes JMP 0000000102b41018 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3752] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000779d1cd0 5 bytes JMP 0000000102b40018 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3752] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000779d1d80 5 bytes JMP 0000000102b42018 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3752] C:\windows\system32\kernel32.dll!OpenMutexA 0000000077862ce0 5 bytes JMP 0000000102b45018 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3752] C:\windows\system32\kernel32.dll!CopyFileExW 00000000778723d0 5 bytes JMP 0000000102b46018 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3752] C:\windows\system32\kernel32.dll!CreateDirectoryExW 00000000778e9150 5 bytes JMP 0000000102b47018 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3752] C:\windows\system32\KERNELBASE.dll!GetFileSize 000007fefda55140 5 bytes JMP 000007ff7f639018 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3752] C:\windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefda58100 5 bytes JMP 000007ff7f638018 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3752] C:\windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefda59420 5 bytes JMP 000007ff7f636018 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3752] C:\windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefda59d80 5 bytes JMP 000007ff7f63c018 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3752] C:\windows\system32\KERNELBASE.dll!TerminateThread 000007fefda5c450 5 bytes JMP 000007ff7f63d018 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3752] C:\windows\system32\KERNELBASE.dll!OpenMutexW 000007fefda62af0 5 bytes JMP 000007ff7f637018 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3752] C:\windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefda65470 5 bytes JMP 000007ff7f63a018 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3752] C:\windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefda84350 5 bytes JMP 000007ff7f63b018 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4460] C:\windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077b7ffec 5 bytes JMP 000000010025100c .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4460] C:\windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077b80814 5 bytes JMP 000000010025000c .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4460] C:\windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077b8091c 5 bytes JMP 000000010025200c .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4460] C:\windows\syswow64\kernel32.dll!OpenMutexA 0000000075a0ec07 5 bytes JMP 000000010025c00c .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4460] C:\windows\syswow64\kernel32.dll!CopyFileExW 0000000075a13b2a 5 bytes JMP 000000010025e00c .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4460] C:\windows\syswow64\kernel32.dll!CreateDirectoryExW 0000000075a68599 5 bytes JMP 000000010025f00c .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4460] C:\windows\syswow64\KERNELBASE.dll!GetFileSizeEx 0000000075afce45 5 bytes JMP 00000001003d200c .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4460] C:\windows\syswow64\KERNELBASE.dll!GetFileSize 0000000075afdfea 5 bytes JMP 00000001003d100c .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4460] C:\windows\syswow64\KERNELBASE.dll!WriteProcessMemory 0000000075afec98 5 bytes JMP 00000001003d300c .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4460] C:\windows\syswow64\KERNELBASE.dll!CreateMutexExW 0000000075b00efc 5 bytes JMP 000000010025b00c .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4460] C:\windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000075b01371 5 bytes JMP 000000010025d00c .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4460] C:\windows\syswow64\KERNELBASE.dll!TerminateThread 0000000075b03986 5 bytes JMP 00000001003d500c .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4460] C:\windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx 0000000075b03e6b 2 bytes JMP 00000001003d400c .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4460] C:\windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx + 3 0000000075b03e6e 2 bytes [8D, 8A] .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4460] C:\windows\syswow64\KERNELBASE.dll!CreateDirectoryW 0000000075b0923e 5 bytes JMP 00000001003d000c .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4460] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 00000000758b7603 5 bytes JMP 000000010025400c .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4460] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 00000000758b835c 5 bytes JMP 000000010025300c .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4460] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076451465 2 bytes [45, 76] .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[4460] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000764514bb 2 bytes [45, 76] .text ... * 2 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4488] C:\windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077b7ffec 5 bytes JMP 000000010063100c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4488] C:\windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077b80814 5 bytes JMP 000000010063000c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4488] C:\windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077b8091c 5 bytes JMP 000000010063200c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4488] C:\windows\syswow64\kernel32.dll!OpenMutexA 0000000075a0ec07 5 bytes JMP 000000010063c00c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4488] C:\windows\syswow64\kernel32.dll!CopyFileExW 0000000075a13b2a 5 bytes JMP 000000010063e00c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4488] C:\windows\syswow64\kernel32.dll!CreateDirectoryExW 0000000075a68599 5 bytes JMP 000000010063f00c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4488] C:\windows\syswow64\KERNELBASE.dll!GetFileSizeEx 0000000075afce45 5 bytes JMP 00000001007e200c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4488] C:\windows\syswow64\KERNELBASE.dll!GetFileSize 0000000075afdfea 5 bytes JMP 00000001007e100c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4488] C:\windows\syswow64\KERNELBASE.dll!WriteProcessMemory 0000000075afec98 5 bytes JMP 00000001007e300c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4488] C:\windows\syswow64\KERNELBASE.dll!CreateMutexExW 0000000075b00efc 5 bytes JMP 000000010063b00c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4488] C:\windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000075b01371 5 bytes JMP 000000010063d00c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4488] C:\windows\syswow64\KERNELBASE.dll!TerminateThread 0000000075b03986 5 bytes JMP 00000001007e500c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4488] C:\windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx 0000000075b03e6b 2 bytes JMP 00000001007e400c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4488] C:\windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx + 3 0000000075b03e6e 2 bytes [CE, 8A] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4488] C:\windows\syswow64\KERNELBASE.dll!CreateDirectoryW 0000000075b0923e 5 bytes JMP 00000001007e000c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4488] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 00000000758b7603 5 bytes JMP 000000010063400c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4488] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 00000000758b835c 5 bytes JMP 000000010063300c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4488] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076451465 2 bytes [45, 76] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4488] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000764514bb 2 bytes [45, 76] .text ... * 2 .text C:\windows\SysWOW64\RunDll32.exe[4508] C:\windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077b7ffec 5 bytes JMP 00000001003d100c .text C:\windows\SysWOW64\RunDll32.exe[4508] C:\windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077b80814 5 bytes JMP 00000001003d000c .text C:\windows\SysWOW64\RunDll32.exe[4508] C:\windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077b8091c 5 bytes JMP 00000001003d200c .text C:\windows\SysWOW64\RunDll32.exe[4508] C:\windows\syswow64\kernel32.dll!OpenMutexA 0000000075a0ec07 5 bytes JMP 00000001003dc00c .text C:\windows\SysWOW64\RunDll32.exe[4508] C:\windows\syswow64\kernel32.dll!CopyFileExW 0000000075a13b2a 5 bytes JMP 00000001003de00c .text C:\windows\SysWOW64\RunDll32.exe[4508] C:\windows\syswow64\kernel32.dll!CreateDirectoryExW 0000000075a68599 5 bytes JMP 00000001003df00c .text C:\windows\SysWOW64\RunDll32.exe[4508] C:\windows\syswow64\KERNELBASE.dll!GetFileSizeEx 0000000075afce45 5 bytes JMP 00000001003e200c .text C:\windows\SysWOW64\RunDll32.exe[4508] C:\windows\syswow64\KERNELBASE.dll!GetFileSize 0000000075afdfea 5 bytes JMP 00000001003e100c .text C:\windows\SysWOW64\RunDll32.exe[4508] C:\windows\syswow64\KERNELBASE.dll!WriteProcessMemory 0000000075afec98 5 bytes JMP 00000001003e300c .text C:\windows\SysWOW64\RunDll32.exe[4508] C:\windows\syswow64\KERNELBASE.dll!CreateMutexExW 0000000075b00efc 5 bytes JMP 00000001003db00c .text C:\windows\SysWOW64\RunDll32.exe[4508] C:\windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000075b01371 5 bytes JMP 00000001003dd00c .text C:\windows\SysWOW64\RunDll32.exe[4508] C:\windows\syswow64\KERNELBASE.dll!TerminateThread 0000000075b03986 5 bytes JMP 00000001003e500c .text C:\windows\SysWOW64\RunDll32.exe[4508] C:\windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx 0000000075b03e6b 2 bytes JMP 00000001003e400c .text C:\windows\SysWOW64\RunDll32.exe[4508] C:\windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx + 3 0000000075b03e6e 2 bytes [8E, 8A] .text C:\windows\SysWOW64\RunDll32.exe[4508] C:\windows\syswow64\KERNELBASE.dll!CreateDirectoryW 0000000075b0923e 5 bytes JMP 00000001003e000c .text C:\windows\SysWOW64\RunDll32.exe[4508] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 00000000758b7603 5 bytes JMP 00000001003d400c .text C:\windows\SysWOW64\RunDll32.exe[4508] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 00000000758b835c 5 bytes JMP 00000001003d300c .text C:\windows\SysWOW64\RunDll32.exe[4508] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076451465 2 bytes [45, 76] .text C:\windows\SysWOW64\RunDll32.exe[4508] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000764514bb 2 bytes [45, 76] .text ... * 2 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4532] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000779d1780 5 bytes JMP 0000000102991018 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4532] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000779d1cd0 5 bytes JMP 0000000102990018 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4532] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000779d1d80 5 bytes JMP 0000000102992018 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4532] C:\windows\system32\kernel32.dll!OpenMutexA 0000000077862ce0 5 bytes JMP 0000000102995018 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4532] C:\windows\system32\kernel32.dll!CopyFileExW 00000000778723d0 5 bytes JMP 0000000102996018 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4532] C:\windows\system32\kernel32.dll!CreateDirectoryExW 00000000778e9150 5 bytes JMP 0000000102997018 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4532] C:\windows\system32\KERNELBASE.dll!GetFileSize 000007fefda55140 5 bytes JMP 000007ff7f639018 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4532] C:\windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefda58100 5 bytes JMP 000007ff7f638018 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4532] C:\windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefda59420 5 bytes JMP 000007ff7f636018 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4532] C:\windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefda59d80 5 bytes JMP 000007ff7f63c018 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4532] C:\windows\system32\KERNELBASE.dll!TerminateThread 000007fefda5c450 5 bytes JMP 000007ff7f63d018 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4532] C:\windows\system32\KERNELBASE.dll!OpenMutexW 000007fefda62af0 5 bytes JMP 000007ff7f637018 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4532] C:\windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefda65470 5 bytes JMP 000007ff7f63a018 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4532] C:\windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefda84350 5 bytes JMP 000007ff7f63b018 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4532] C:\windows\SYSTEM32\sechost.dll!ControlService 000007feff62642c 5 bytes JMP 000007ff7f632018 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4532] C:\windows\SYSTEM32\sechost.dll!OpenServiceW 000007feff626484 5 bytes JMP 000007ff7f631018 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4532] C:\windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007feff626518 5 bytes JMP 000007ff7f633018 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4532] C:\windows\SYSTEM32\sechost.dll!OpenServiceA 000007feff626c34 5 bytes JMP 000007ff7f630018 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4532] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff6275e8 5 bytes JMP 000007ff7f635018 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4532] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff62790c 5 bytes JMP 000007ff7f634018 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4888] C:\windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077b7ffec 5 bytes JMP 000000010034100c .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4888] C:\windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077b80814 5 bytes JMP 000000010034000c .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4888] C:\windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077b8091c 5 bytes JMP 000000010034200c .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4888] C:\windows\syswow64\kernel32.dll!OpenMutexA 0000000075a0ec07 5 bytes JMP 000000010034c00c .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4888] C:\windows\syswow64\kernel32.dll!CopyFileExW 0000000075a13b2a 5 bytes JMP 000000010034e00c .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4888] C:\windows\syswow64\kernel32.dll!CreateDirectoryExW 0000000075a68599 5 bytes JMP 000000010034f00c .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4888] C:\windows\syswow64\KERNELBASE.dll!GetFileSizeEx 0000000075afce45 5 bytes JMP 000000010036200c .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4888] C:\windows\syswow64\KERNELBASE.dll!GetFileSize 0000000075afdfea 5 bytes JMP 000000010036100c .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4888] C:\windows\syswow64\KERNELBASE.dll!WriteProcessMemory 0000000075afec98 5 bytes JMP 000000010036300c .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4888] C:\windows\syswow64\KERNELBASE.dll!CreateMutexExW 0000000075b00efc 5 bytes JMP 000000010034b00c .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4888] C:\windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000075b01371 5 bytes JMP 000000010034d00c .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4888] C:\windows\syswow64\KERNELBASE.dll!TerminateThread 0000000075b03986 5 bytes JMP 000000010036500c .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4888] C:\windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx 0000000075b03e6b 2 bytes JMP 000000010036400c .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4888] C:\windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx + 3 0000000075b03e6e 2 bytes [86, 8A] .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4888] C:\windows\syswow64\KERNELBASE.dll!CreateDirectoryW 0000000075b0923e 5 bytes JMP 000000010036000c .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4888] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 00000000758b7603 5 bytes JMP 000000010034400c .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4888] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 00000000758b835c 5 bytes JMP 000000010034300c .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4888] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076451465 2 bytes [45, 76] .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4888] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000764514bb 2 bytes [45, 76] .text ... * 2 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3308] C:\windows\system32\kernel32.dll!OpenMutexA 0000000077862ce0 5 bytes JMP 00000001018f5018 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3308] C:\windows\system32\kernel32.dll!CopyFileExW 00000000778723d0 5 bytes JMP 00000001018f6018 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3308] C:\windows\system32\kernel32.dll!CreateDirectoryExW 00000000778e9150 5 bytes JMP 00000001018f7018 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3308] C:\windows\system32\KERNELBASE.dll!GetFileSize 000007fefda55140 5 bytes JMP 000007ff7f639018 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3308] C:\windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefda58100 5 bytes JMP 000007ff7f638018 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3308] C:\windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefda59420 5 bytes JMP 000007ff7f636018 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3308] C:\windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefda59d80 5 bytes JMP 000007ff7f63c018 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3308] C:\windows\system32\KERNELBASE.dll!TerminateThread 000007fefda5c450 5 bytes JMP 000007ff7f63d018 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3308] C:\windows\system32\KERNELBASE.dll!OpenMutexW 000007fefda62af0 5 bytes JMP 000007ff7f637018 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3308] C:\windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefda65470 5 bytes JMP 000007ff7f63a018 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3308] C:\windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefda84350 5 bytes JMP 000007ff7f63b018 .text C:\windows\system32\DllHost.exe[3040] C:\windows\system32\kernel32.dll!OpenMutexA 0000000077862ce0 5 bytes JMP 0000000100085018 .text C:\windows\system32\DllHost.exe[3040] C:\windows\system32\kernel32.dll!CopyFileExW 00000000778723d0 5 bytes JMP 0000000100086018 .text C:\windows\system32\DllHost.exe[3040] C:\windows\system32\kernel32.dll!CreateDirectoryExW 00000000778e9150 5 bytes JMP 0000000100087018 .text C:\windows\system32\DllHost.exe[3040] C:\windows\system32\KERNELBASE.dll!GetFileSize 000007fefda55140 5 bytes JMP 000007ff7f639018 .text C:\windows\system32\DllHost.exe[3040] C:\windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefda58100 5 bytes JMP 000007ff7f638018 .text C:\windows\system32\DllHost.exe[3040] C:\windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefda59420 5 bytes JMP 000007ff7f636018 .text C:\windows\system32\DllHost.exe[3040] C:\windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefda59d80 5 bytes JMP 000007ff7f63c018 .text C:\windows\system32\DllHost.exe[3040] C:\windows\system32\KERNELBASE.dll!TerminateThread 000007fefda5c450 5 bytes JMP 000007ff7f63d018 .text C:\windows\system32\DllHost.exe[3040] C:\windows\system32\KERNELBASE.dll!OpenMutexW 000007fefda62af0 5 bytes JMP 000007ff7f637018 .text C:\windows\system32\DllHost.exe[3040] C:\windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefda65470 5 bytes JMP 000007ff7f63a018 .text C:\windows\system32\DllHost.exe[3040] C:\windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefda84350 5 bytes JMP 000007ff7f63b018 .text C:\windows\system32\DllHost.exe[3040] C:\windows\SYSTEM32\sechost.dll!ControlService 000007feff62642c 5 bytes JMP 000007ff7f632018 .text C:\windows\system32\DllHost.exe[3040] C:\windows\SYSTEM32\sechost.dll!OpenServiceW 000007feff626484 5 bytes JMP 000007ff7f631018 .text C:\windows\system32\DllHost.exe[3040] C:\windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007feff626518 5 bytes JMP 000007ff7f633018 .text C:\windows\system32\DllHost.exe[3040] C:\windows\SYSTEM32\sechost.dll!OpenServiceA 000007feff626c34 5 bytes JMP 000007ff7f630018 .text C:\windows\system32\DllHost.exe[3040] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff6275e8 5 bytes JMP 000007ff7f635018 .text C:\windows\system32\DllHost.exe[3040] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff62790c 5 bytes JMP 000007ff7f634018 .text C:\Users\Marcin\Downloads\gmer.exe[1316] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076451465 2 bytes [45, 76] .text C:\Users\Marcin\Downloads\gmer.exe[1316] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000764514bb 2 bytes [45, 76] .text ... * 2 ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff88001046f1c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff88001046cc0] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff8800104769c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff88001047a98] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff880010478f4] \SystemRoot\System32\Drivers\sptd.sys [.text] ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamDWord] [7fef88e741c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSet] [7fef88e5f10] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmEndSession] [7fef88e5674] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartSession] [7fef88e5e2c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartUpload] [7fef88e7f48] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppVersion] [7fef88e6a38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetMachineId] [7fef88e6ee8] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmWriteSharedMachineId] [7fef88e7b58] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmCreateNewId] [7fef88e7ea0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmReadSharedMachineId] [7fef88e78b0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmGetSession] [7fef88e4fb4] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppId] [7fef88e5d38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamString] [7fef88e7584] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll ---- Devices - GMER 2.1 ---- Device \FileSystem\Ntfs \Ntfs fffffa80032402c0 Device \Driver\usbehci \Device\USBPDO-1 fffffa8005c632c0 Device \Driver\cdrom \Device\CdRom0 fffffa8003b372c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{44836AC6-03F1-40BB-9D4F-8BB7F1371525} fffffa8003b2b2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{AFA0C306-586E-44A7-B9AD-E4CDA80A8E6D} fffffa8003b2b2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{AFA0C306-586E-44A7-B9AD-E4CDA80A8E6D} fffffa8003b2b2c0 Device \Driver\usbehci \Device\USBFDO-0 fffffa8005c632c0 Device \Driver\usbehci \Device\USBFDO-1 fffffa8005c632c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{1080B888-44A4-4C5A-A5C8-689E9B998C70} fffffa8003b2b2c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa8003b2b2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{B0E599D8-A3B7-4684-8ABE-EA0ECCD15C2E} fffffa8003b2b2c0 Device \Driver\usbehci \Device\USBPDO-0 fffffa8005c632c0 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001bb112a545 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001bb112a545@6c0e0d850882 0xEA 0xB6 0x13 0xA0 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001bb112a545@d0dfc7f69dbb 0x92 0x69 0x3C 0xD0 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001bb112a545@d8753304a7c0 0xB5 0xDD 0xCA 0x54 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001bb112a545@fcc7345cf779 0x87 0xCB 0xFB 0x2C ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0026b6d8a5f8 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0026b6d8dad7 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0026b6d92a65 Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch@Epoch 38528 Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch2@Epoch 22475 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xFA 0x47 0xA0 0x12 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x37 0x5B 0xA3 0xB1 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x32 0xD5 0x4E 0x4F ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x2E 0xF6 0x7B 0x0D ... Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{44836AC6-03F1-40BB-9D4F-8BB7F1371525}@LeaseObtainedTime 1409903791 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{44836AC6-03F1-40BB-9D4F-8BB7F1371525}@T1 1409946991 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{44836AC6-03F1-40BB-9D4F-8BB7F1371525}@T2 1409979391 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{44836AC6-03F1-40BB-9D4F-8BB7F1371525}@LeaseTerminatesTime 1409990191 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001bb112a545 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001bb112a545@6c0e0d850882 0xEA 0xB6 0x13 0xA0 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001bb112a545@d0dfc7f69dbb 0x92 0x69 0x3C 0xD0 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001bb112a545@d8753304a7c0 0xB5 0xDD 0xCA 0x54 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001bb112a545@fcc7345cf779 0x87 0xCB 0xFB 0x2C ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0026b6d8a5f8 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0026b6d8dad7 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0026b6d92a65 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xFA 0x47 0xA0 0x12 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x37 0x5B 0xA3 0xB1 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x32 0xD5 0x4E 0x4F ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x2E 0xF6 0x7B 0x0D ... ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----