GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2016-01-06 23:28:27
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.JE4O 698,64GB
Running: 2yvdue4t.exe; Driver: C:\Users\Patrycja\AppData\Local\Temp\ffayakoc.sys

---- User code sections - GMER 2.1 ----

.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1988] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076f01401 2 bytes JMP 7671b21b C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1988] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076f01419 2 bytes JMP 7671b346 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1988] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076f01431 2 bytes JMP 76798fd1 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1988] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076f0144a 2 bytes CALL 766f489d C:\windows\syswow64\kernel32.dll
.text  ... * 9
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1988] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076f014dd 2 bytes JMP 767988c4 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1988] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076f014f5 2 bytes JMP 76798aa0 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1988] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076f0150d 2 bytes JMP 767987ba C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1988] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076f01525 2 bytes JMP 76798b8a C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1988] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076f0153d 2 bytes JMP 7670fca8 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1988] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076f01555 2 bytes JMP 767168ef C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1988] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076f0156d 2 bytes JMP 76799089 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1988] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076f01585 2 bytes JMP 76798bea C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1988] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076f0159d 2 bytes JMP 7679877e C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1988] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076f015b5 2 bytes JMP 7670fd41 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1988] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076f015cd 2 bytes JMP 7671b2dc C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1988] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076f016b2 2 bytes JMP 76798f4c C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1988] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076f016bd 2 bytes JMP 76798713 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2740] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076f01401 2 bytes JMP 7671b21b C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2740] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076f01419 2 bytes JMP 7671b346 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2740] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076f01431 2 bytes JMP 76798fd1 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2740] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076f0144a 2 bytes CALL 766f489d C:\windows\syswow64\kernel32.dll
.text  ... * 9
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2740] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076f014dd 2 bytes JMP 767988c4 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2740] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076f014f5 2 bytes JMP 76798aa0 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2740] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076f0150d 2 bytes JMP 767987ba C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2740] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076f01525 2 bytes JMP 76798b8a C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2740] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076f0153d 2 bytes JMP 7670fca8 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2740] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076f01555 2 bytes JMP 767168ef C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2740] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076f0156d 2 bytes JMP 76799089 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2740] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076f01585 2 bytes JMP 76798bea C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2740] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076f0159d 2 bytes JMP 7679877e C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2740] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076f015b5 2 bytes JMP 7670fd41 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2740] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076f015cd 2 bytes JMP 7671b2dc C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2740] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076f016b2 2 bytes JMP 76798f4c C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2740] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076f016bd 2 bytes JMP 76798713 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2076] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076f01401 2 bytes JMP 7671b21b C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2076] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076f01419 2 bytes JMP 7671b346 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2076] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076f01431 2 bytes JMP 76798fd1 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2076] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076f0144a 2 bytes CALL 766f489d C:\windows\syswow64\kernel32.dll
.text  ... * 9
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2076] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076f014dd 2 bytes JMP 767988c4 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2076] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076f014f5 2 bytes JMP 76798aa0 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2076] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076f0150d 2 bytes JMP 767987ba C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2076] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076f01525 2 bytes JMP 76798b8a C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2076] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076f0153d 2 bytes JMP 7670fca8 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2076] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076f01555 2 bytes JMP 767168ef C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2076] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076f0156d 2 bytes JMP 76799089 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2076] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076f01585 2 bytes JMP 76798bea C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2076] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076f0159d 2 bytes JMP 7679877e C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2076] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076f015b5 2 bytes JMP 7670fd41 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2076] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076f015cd 2 bytes JMP 7671b2dc C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2076] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076f016b2 2 bytes JMP 76798f4c C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2076] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076f016bd 2 bytes JMP 76798713 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[7112] C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe!?SparseBitMask@DataSourceDescription@FlexUI@@2HB + 960 000000002d5d5984 4 bytes [88, D0, 87, 46]
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[7112] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076f01401 2 bytes JMP 7671b21b C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[7112] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076f01419 2 bytes JMP 7671b346 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[7112] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076f01431 2 bytes JMP 76798fd1 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[7112] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076f0144a 2 bytes CALL 766f489d C:\windows\syswow64\kernel32.dll
.text  ... * 9
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[7112] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076f014dd 2 bytes JMP 767988c4 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[7112] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076f014f5 2 bytes JMP 76798aa0 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[7112] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076f0150d 2 bytes JMP 767987ba C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[7112] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076f01525 2 bytes JMP 76798b8a C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[7112] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076f0153d 2 bytes JMP 7670fca8 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[7112] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076f01555 2 bytes JMP 767168ef C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[7112] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076f0156d 2 bytes JMP 76799089 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[7112] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076f01585 2 bytes JMP 76798bea C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[7112] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076f0159d 2 bytes JMP 7679877e C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[7112] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076f015b5 2 bytes JMP 7670fd41 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[7112] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076f015cd 2 bytes JMP 7671b2dc C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[7112] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076f016b2 2 bytes JMP 76798f4c C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[7112] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076f016bd 2 bytes JMP 76798713 C:\windows\syswow64\kernel32.dll
.text  C:\Program[2340] C:\windows\SysWOW64\ntdll.dll!NtClose 000000007759fa20 5 bytes JMP 000000015ba885f1
.text  C:\Program[2340] C:\windows\SysWOW64\ntdll.dll!NtQueryObject 000000007759fa38 5 bytes JMP 000000015ba88a8a
.text  C:\Program[2340] C:\windows\SysWOW64\ntdll.dll!NtOpenKey 000000007759fa68 5 bytes JMP 000000015ba82741
.text  C:\Program[2340] C:\windows\SysWOW64\ntdll.dll!NtEnumerateValueKey 000000007759fa80 5 bytes JMP 000000015ba81ff2
.text  C:\Program[2340] C:\windows\SysWOW64\ntdll.dll!NtQueryKey 000000007759fad0 5 bytes JMP 000000015ba81e6c
.text  C:\Program[2340] C:\windows\SysWOW64\ntdll.dll!NtQueryValueKey 000000007759fae8 5 bytes JMP 000000015ba81f7a
.text  C:\Program[2340] C:\windows\SysWOW64\ntdll.dll!NtCreateKey 000000007759fb80 5 bytes JMP 000000015ba82aeb
.text  C:\Program[2340] C:\windows\SysWOW64\ntdll.dll!NtSetInformationFile 000000007759fc78 5 bytes JMP 000000015ba869c2
.text  C:\Program[2340] C:\windows\SysWOW64\ntdll.dll!NtEnumerateKey 000000007759fd8c 5 bytes JMP 000000015ba81df4
.text  C:\Program[2340] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 000000007759fda4 5 bytes JMP 000000015ba86fb2
.text  C:\Program[2340] C:\windows\SysWOW64\ntdll.dll!NtQueryDirectoryFile 000000007759fdd8 5 bytes JMP 000000015ba86037
.text  C:\Program[2340] C:\windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007759fe84 5 bytes JMP 000000015ba8866c
.text  C:\Program[2340] C:\windows\SysWOW64\ntdll.dll!NtQueryAttributesFile 000000007759fe9c 5 bytes JMP 000000015ba87134
.text  C:\Program[2340] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 00000000775a00f4 5 bytes JMP 000000015ba86dea
.text  C:\Program[2340] C:\windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000775a0204 5 bytes JMP 000000015ba8206a
.text  C:\Program[2340] C:\windows\SysWOW64\ntdll.dll!NtDeleteFile 00000000775a0a24 5 bytes JMP 000000015ba86bb7
.text  C:\Program[2340] C:\windows\SysWOW64\ntdll.dll!NtDeleteKey 00000000775a0a3c 5 bytes JMP 000000015ba7efb7
.text  C:\Program[2340] C:\windows\SysWOW64\ntdll.dll!NtDeleteValueKey 00000000775a0a84 5 bytes JMP 000000015ba7f085
.text  C:\Program[2340] C:\windows\SysWOW64\ntdll.dll!NtFlushKey 00000000775a0bc0 5 bytes JMP 000000015ba7f01e
.text  C:\Program[2340] C:\windows\SysWOW64\ntdll.dll!NtNotifyChangeKey 00000000775a0fb0 5 bytes JMP 000000015ba820e2
.text  C:\Program[2340] C:\windows\SysWOW64\ntdll.dll!NtNotifyChangeMultipleKeys 00000000775a0fc8 5 bytes JMP 000000015ba82519
.text  C:\Program[2340] C:\windows\SysWOW64\ntdll.dll!NtOpenKeyEx 00000000775a1058 5 bytes JMP 000000015ba82849
.text  C:\Program[2340] C:\windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile 00000000775a137c 5 bytes JMP 000000015ba871c4
.text  C:\Program[2340] C:\windows\SysWOW64\ntdll.dll!NtQueryMultipleValueKey 00000000775a14bc 5 bytes JMP 000000015ba8249d
.text  C:\Program[2340] C:\windows\SysWOW64\ntdll.dll!NtQuerySecurityObject 00000000775a1568 5 bytes JMP 000000015ba88a02
.text  C:\Program[2340] C:\windows\SysWOW64\ntdll.dll!NtRenameKey 00000000775a1758 5 bytes JMP 000000015ba7f4a2
.text  C:\Program[2340] C:\windows\SysWOW64\ntdll.dll!NtSetInformationKey 00000000775a1a98 5 bytes JMP 000000015ba81ef4
.text  C:\Program[2340] C:\windows\SysWOW64\ntdll.dll!NtSetSecurityObject 00000000775a1bdc 5 bytes JMP 000000015ba887bf
.text  C:\Program[2340] C:\windows\syswow64\kernel32.dll!CreateProcessW 00000000766f103d 5 bytes JMP 000000015ba5a3ef
.text  C:\Program[2340] C:\windows\syswow64\kernel32.dll!CreateProcessA 00000000766f1072 5 bytes JMP 000000015ba5a52d
.text  C:\Program[2340] C:\windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000766f8781 5 bytes JMP 00000001521b7562
.text  C:\Program[2340] C:\windows\syswow64\kernel32.dll!ReplaceFile 0000000076710de4 5 bytes JMP 000000015ba58652
.text  C:\Program[2340] C:\windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007671c9b5 5 bytes JMP 000000015ba5a763
.text  C:\Program[2340] C:\windows\syswow64\kernel32.dll!ReplaceFileA 000000007676ef89 5 bytes JMP 000000015ba58572
.text  C:\Program[2340] C:\windows\syswow64\kernel32.dll!SetDllDirectoryW 000000007677058f 5 bytes JMP 000000015ba5b086
.text  C:\Program[2340] C:\windows\syswow64\kernel32.dll!SetDllDirectoryA 0000000076770637 5 bytes JMP 000000015ba5b3b9
.text  C:\Program[2340] C:\windows\syswow64\kernel32.dll!WinExec 0000000076773161 5 bytes JMP 000000015ba5ac28
.text  C:\Program[2340] C:\windows\syswow64\kernel32.dll!AllocConsole 000000007679716e 5 bytes JMP 000000015ba89b3d
.text  C:\Program[2340] C:\windows\syswow64\kernel32.dll!AttachConsole 0000000076797232 5 bytes JMP 000000015ba89b4f
.text  C:\Program[2340] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076672ab1 5 bytes JMP 000000015ba5b5c4
.text  C:\Program[2340] C:\windows\syswow64\USER32.dll!CreateWindowExW 00000000768e8a39 5 bytes JMP 000000015ba89b25
.text  C:\Program[2340] C:\windows\syswow64\USER32.dll!CreateWindowExA 00000000768ed23e 5 bytes JMP 000000015ba89b0d
.text  C:\Program[2340] C:\windows\syswow64\GDI32.dll!AddFontResourceW 000000007687d46a 5 bytes JMP 000000015ba69604
.text  C:\Program[2340] C:\windows\syswow64\GDI32.dll!AddFontResourceA 000000007687d973 5 bytes JMP 000000015ba695e8
.text  C:\Program[2340] C:\windows\syswow64\ADVAPI32.dll!EnumDependentServicesW 0000000076411e3a 7 bytes JMP 000000015ba6c2cf
.text  C:\Program[2340] C:\windows\syswow64\ADVAPI32.dll!EnumServicesStatusExW 000000007641b406 7 bytes JMP 000000015ba6d1f0
.text  C:\Program[2340] C:\windows\syswow64\ADVAPI32.dll!GetServiceKeyNameW 0000000076437927 7 bytes JMP 000000015ba6c976
.text  C:\Program[2340] C:\windows\syswow64\ADVAPI32.dll!GetServiceDisplayNameW 00000000764379e3 7 bytes JMP 000000015ba6cb27
.text  C:\Program[2340] C:\windows\syswow64\ADVAPI32.dll!EnumServicesStatusExA 000000007643a40a 7 bytes JMP 000000015ba6d2b6
.text  C:\Program[2340] C:\windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000764527d2 5 bytes JMP 000000015ba5a8a5
.text  C:\Program[2340] C:\windows\syswow64\ADVAPI32.dll!GetServiceKeyNameA 0000000076471fc4 7 bytes JMP 000000015ba6ca2e
.text  C:\Program[2340] C:\windows\syswow64\ADVAPI32.dll!GetServiceDisplayNameA 0000000076472061 7 bytes JMP 000000015ba6cbdf
.text  C:\Program[2340] C:\windows\syswow64\ADVAPI32.dll!EnumServicesStatusA 0000000076472451 7 bytes JMP 000000015ba6d132
.text  C:\Program[2340] C:\windows\syswow64\ADVAPI32.dll!EnumDependentServicesA 0000000076472534 7 bytes JMP 000000015ba6c386
.text  C:\Program[2340] C:\windows\syswow64\ADVAPI32.dll!EnumServicesStatusW 0000000076472651 5 bytes JMP 000000015ba6d074
.text  C:\Program[2340] C:\windows\SysWOW64\sechost.dll!ControlService 00000000763f4d5c 7 bytes JMP 000000015ba6c114
.text  C:\Program[2340] C:\windows\SysWOW64\sechost.dll!CloseServiceHandle 00000000763f4dc3 7 bytes JMP 000000015ba6c43d
.text  C:\Program[2340] C:\windows\SysWOW64\sechost.dll!QueryServiceStatus 00000000763f4e4b 7 bytes JMP 000000015ba6c1a0
.text  C:\Program[2340] C:\windows\SysWOW64\sechost.dll!QueryServiceStatusEx 00000000763f4eaf 7 bytes JMP 000000015ba6c233
.text  C:\Program[2340] C:\windows\SysWOW64\sechost.dll!StartServiceW 00000000763f4f35 7 bytes JMP 000000015ba6bf8f
.text  C:\Program[2340] C:\windows\SysWOW64\sechost.dll!StartServiceA 00000000763f508d 7 bytes JMP 000000015ba6c025
.text  C:\Program[2340] C:\windows\SysWOW64\sechost.dll!QueryServiceObjectSecurity 00000000763f50f4 7 bytes JMP 000000015ba6cf42
.text  C:\Program[2340] C:\windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000763f5181 7 bytes JMP 000000015ba6cfde
.text  C:\Program[2340] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000763f5254 7 bytes JMP 000000015ba6c63e
.text  C:\Program[2340] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000763f53d5 7 bytes JMP 000000015ba6c559
.text  C:\Program[2340] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000763f54c2 7 bytes JMP 000000015ba6c8e0
.text  C:\Program[2340] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000763f55e2 7 bytes JMP 000000015ba6c84a
.text  C:\Program[2340] C:\windows\SysWOW64\sechost.dll!CreateServiceA 00000000763f567c 7 bytes JMP 000000015ba6bd70
.text  C:\Program[2340] C:\windows\SysWOW64\sechost.dll!CreateServiceW 00000000763f589f 7 bytes JMP 000000015ba6bc9a
.text  C:\Program[2340] C:\windows\SysWOW64\sechost.dll!DeleteService 00000000763f5a22 7 bytes JMP 000000015ba6c4cb
.text  C:\Program[2340] C:\windows\SysWOW64\sechost.dll!QueryServiceConfigA 00000000763f5a83 7 bytes JMP 000000015ba6cd71
.text  C:\Program[2340] C:\windows\SysWOW64\sechost.dll!QueryServiceConfigW 00000000763f5b29 7 bytes JMP 000000015ba6ccd8
.text  C:\Program[2340] C:\windows\SysWOW64\sechost.dll!ControlServiceExA 00000000763f5ca0 7 bytes JMP 000000015ba6b44a
.text  C:\Program[2340] C:\windows\SysWOW64\sechost.dll!ControlServiceExW 00000000763f5d8c 7 bytes JMP 000000015ba6b3d1
.text  C:\Program[2340] C:\windows\SysWOW64\sechost.dll!OpenSCManagerW 00000000763f63ad 7 bytes JMP 000000015ba6b998
.text  C:\Program[2340] C:\windows\SysWOW64\sechost.dll!OpenSCManagerA 00000000763f64f0 7 bytes JMP 000000015ba6ba24
.text  C:\Program[2340] C:\windows\SysWOW64\sechost.dll!QueryServiceConfig2A 00000000763f6633 2 bytes JMP 000000015ba6cea6
.text  C:\Program[2340] C:\windows\SysWOW64\sechost.dll!QueryServiceConfig2A + 3 00000000763f6636 4 bytes [67, E5, CC, CC]
.text  C:\Program[2340] C:\windows\SysWOW64\sechost.dll!QueryServiceConfig2W 00000000763f680c 7 bytes JMP 000000015ba6ce0a
.text  C:\Program[2340] C:\windows\SysWOW64\sechost.dll!OpenServiceW 00000000763f714b 7 bytes JMP 000000015ba6bb0d
.text  C:\Program[2340] C:\windows\SysWOW64\sechost.dll!OpenServiceA 00000000763f7245 7 bytes JMP 000000015ba6bb99
.text  C:\Program[2340] C:\windows\syswow64\ole32.dll!OleLoadFromStream 0000000075006143 5 bytes JMP 0000000152ebcd0a
.text  C:\Program[2340] C:\windows\syswow64\ole32.dll!CoRegisterPSClsid 000000007500c56e 5 bytes JMP 000000015ba72ef7
.text  C:\Program[2340] C:\windows\syswow64\ole32.dll!CoResumeClassObjects + 7 000000007500ea09 7 bytes JMP 000000015ba734c8
.text  C:\Program[2340] C:\windows\syswow64\ole32.dll!OleRun 00000000750107de 5 bytes JMP 000000015ba73383
.text  C:\Program[2340] C:\windows\syswow64\ole32.dll!CoRegisterClassObject 00000000750121e1 5 bytes JMP 000000015ba73ffa
.text  C:\Program[2340] C:\windows\syswow64\ole32.dll!OleUninitialize 000000007501eba1 6 bytes JMP 000000015ba732a2
.text  C:\Program[2340] C:\windows\syswow64\ole32.dll!OleInitialize 000000007501efd7 5 bytes JMP 000000015ba73232
.text  C:\Program[2340] C:\windows\syswow64\ole32.dll!CoGetPSClsid 0000000075022699 5 bytes JMP 000000015ba7306f
.text  C:\Program[2340] C:\windows\syswow64\ole32.dll!CoGetClassObject 00000000750354ad 5 bytes JMP 000000015ba74588
.text  C:\Program[2340] C:\windows\syswow64\ole32.dll!CoInitializeEx 00000000750409ad 5 bytes JMP 000000015ba730e2
.text  C:\Program[2340] C:\windows\syswow64\ole32.dll!CoUninitialize 00000000750486d3 5 bytes JMP 000000015ba73164
.text  C:\Program[2340] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000075049d0b 5 bytes JMP 000000015ba75858
.text  C:\Program[2340] C:\windows\syswow64\ole32.dll!CoCreateInstanceEx 0000000075049d4e 5 bytes JMP 000000015ba7398f
.text  C:\Program[2340] C:\windows\syswow64\ole32.dll!CoSuspendClassObjects + 7 000000007506baf9 7 bytes JMP 000000015ba733f3
.text  C:\Program[2340] C:\windows\syswow64\ole32.dll!CoRevokeClassObject 000000007508eabf 5 bytes JMP 000000015ba72954
.text  C:\Program[2340] C:\windows\syswow64\ole32.dll!CoGetInstanceFromFile 00000000750c352c 5 bytes JMP 000000015ba74a4a
.text  C:\Program[2340] C:\windows\syswow64\ole32.dll!OleRegEnumFormatEtc 000000007510d0f1 5 bytes JMP 000000015ba7330d
.text  C:\Program[2340] C:\windows\syswow64\oleaut32.dll!SysFreeString 0000000074f53e59 5 bytes JMP 00000001521dc273
.text  C:\Program[2340] C:\windows\syswow64\oleaut32.dll!VariantClear 0000000074f53eae 5 bytes JMP 00000001521e57f8
.text  C:\Program[2340] C:\windows\syswow64\oleaut32.dll!SysAllocStringByteLen 0000000074f54731 5 bytes JMP 00000001521e5390
.text  C:\Program[2340] C:\windows\syswow64\oleaut32.dll!VariantChangeType 0000000074f55dee 5 bytes JMP 00000001521f15ae
.text  C:\Program[2340] C:\windows\syswow64\oleaut32.dll!RegisterActiveObject 0000000074f827a6 5 bytes JMP 000000015ba72be7
.text  C:\Program[2340] C:\windows\syswow64\oleaut32.dll!RevokeActiveObject 0000000074f8329c 5 bytes JMP 000000015ba72d08
.text  C:\Program[2340] C:\windows\syswow64\oleaut32.dll!GetActiveObject 0000000074f98f68 5 bytes JMP 000000015ba72d7b
.text  C:\Program[2340] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076f01401 2 bytes JMP 7671b21b C:\windows\syswow64\kernel32.dll
.text  C:\Program[2340] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076f01419 2 bytes JMP 7671b346 C:\windows\syswow64\kernel32.dll
.text  C:\Program[2340] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076f01431 2 bytes JMP 76798fd1 C:\windows\syswow64\kernel32.dll
.text  C:\Program[2340] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076f0144a 2 bytes CALL 766f489d C:\windows\syswow64\kernel32.dll
.text  ... * 9
.text  C:\Program[2340] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076f014dd 2 bytes JMP 767988c4 C:\windows\syswow64\kernel32.dll
.text  C:\Program[2340] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076f014f5 2 bytes JMP 76798aa0 C:\windows\syswow64\kernel32.dll
.text  C:\Program[2340] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076f0150d 2 bytes JMP 767987ba C:\windows\syswow64\kernel32.dll
.text  C:\Program[2340] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076f01525 2 bytes JMP 76798b8a C:\windows\syswow64\kernel32.dll
.text  C:\Program[2340] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076f0153d 2 bytes JMP 7670fca8 C:\windows\syswow64\kernel32.dll
.text  C:\Program[2340] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076f01555 2 bytes JMP 767168ef C:\windows\syswow64\kernel32.dll
.text  C:\Program[2340] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076f0156d 2 bytes JMP 76799089 C:\windows\syswow64\kernel32.dll
.text  C:\Program[2340] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076f01585 2 bytes JMP 76798bea C:\windows\syswow64\kernel32.dll
.text  C:\Program[2340] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076f0159d 2 bytes JMP 7679877e C:\windows\syswow64\kernel32.dll
.text  C:\Program[2340] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076f015b5 2 bytes JMP 7670fd41 C:\windows\syswow64\kernel32.dll
.text  C:\Program[2340] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076f015cd 2 bytes JMP 7671b2dc C:\windows\syswow64\kernel32.dll
.text  C:\Program[2340] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076f016b2 2 bytes JMP 76798f4c C:\windows\syswow64\kernel32.dll
.text  C:\Program[2340] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076f016bd 2 bytes JMP 76798713 C:\windows\syswow64\kernel32.dll
.text  C:\Program[5440] C:\windows\SysWOW64\ntdll.dll!NtClose 000000007759fa20 5 bytes JMP 000000015ba885f1
.text  C:\Program[5440] C:\windows\SysWOW64\ntdll.dll!NtQueryObject 000000007759fa38 5 bytes JMP 000000015ba88a8a
.text  C:\Program[5440] C:\windows\SysWOW64\ntdll.dll!NtOpenKey 000000007759fa68 5 bytes JMP 000000015ba82741
.text  C:\Program[5440] C:\windows\SysWOW64\ntdll.dll!NtEnumerateValueKey 000000007759fa80 5 bytes JMP 000000015ba81ff2
.text  C:\Program[5440] C:\windows\SysWOW64\ntdll.dll!NtQueryKey 000000007759fad0 5 bytes JMP 000000015ba81e6c
.text  C:\Program[5440] C:\windows\SysWOW64\ntdll.dll!NtQueryValueKey 000000007759fae8 5 bytes JMP 000000015ba81f7a
.text  C:\Program[5440] C:\windows\SysWOW64\ntdll.dll!NtCreateKey 000000007759fb80 5 bytes JMP 000000015ba82aeb
.text  C:\Program[5440] C:\windows\SysWOW64\ntdll.dll!NtSetInformationFile 000000007759fc78 5 bytes JMP 000000015ba869c2
.text  C:\Program[5440] C:\windows\SysWOW64\ntdll.dll!NtEnumerateKey 000000007759fd8c 5 bytes JMP 000000015ba81df4
.text  C:\Program[5440] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 000000007759fda4 5 bytes JMP 000000015ba86fb2
.text  C:\Program[5440] C:\windows\SysWOW64\ntdll.dll!NtQueryDirectoryFile 000000007759fdd8 5 bytes JMP 000000015ba86037
.text  C:\Program[5440] C:\windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007759fe84 5 bytes JMP 000000015ba8866c
.text  C:\Program[5440] C:\windows\SysWOW64\ntdll.dll!NtQueryAttributesFile 000000007759fe9c 5 bytes JMP 000000015ba87134
.text  C:\Program[5440] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 00000000775a00f4 5 bytes JMP 000000015ba86dea
.text  C:\Program[5440] C:\windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000775a0204 5 bytes JMP 000000015ba8206a
.text  C:\Program[5440] C:\windows\SysWOW64\ntdll.dll!NtDeleteFile 00000000775a0a24 5 bytes JMP 000000015ba86bb7
.text  C:\Program[5440] C:\windows\SysWOW64\ntdll.dll!NtDeleteKey 00000000775a0a3c 5 bytes JMP 000000015ba7efb7
.text  C:\Program[5440] C:\windows\SysWOW64\ntdll.dll!NtDeleteValueKey 00000000775a0a84 5 bytes JMP 000000015ba7f085
.text  C:\Program[5440] C:\windows\SysWOW64\ntdll.dll!NtFlushKey 00000000775a0bc0 5 bytes JMP 000000015ba7f01e
.text  C:\Program[5440] C:\windows\SysWOW64\ntdll.dll!NtNotifyChangeKey 00000000775a0fb0 5 bytes JMP 000000015ba820e2
.text  C:\Program[5440] C:\windows\SysWOW64\ntdll.dll!NtNotifyChangeMultipleKeys 00000000775a0fc8 5 bytes JMP 000000015ba82519
.text  C:\Program[5440] C:\windows\SysWOW64\ntdll.dll!NtOpenKeyEx 00000000775a1058 5 bytes JMP 000000015ba82849
.text  C:\Program[5440] C:\windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile 00000000775a137c 5 bytes JMP 000000015ba871c4
.text  C:\Program[5440] C:\windows\SysWOW64\ntdll.dll!NtQueryMultipleValueKey 00000000775a14bc 5 bytes JMP 000000015ba8249d
.text  C:\Program[5440] C:\windows\SysWOW64\ntdll.dll!NtQuerySecurityObject 00000000775a1568 5 bytes JMP 000000015ba88a02
.text  C:\Program[5440] C:\windows\SysWOW64\ntdll.dll!NtRenameKey 00000000775a1758 5 bytes JMP 000000015ba7f4a2
.text  C:\Program[5440] C:\windows\SysWOW64\ntdll.dll!NtSetInformationKey 00000000775a1a98 5 bytes JMP 000000015ba81ef4
.text  C:\Program[5440] C:\windows\SysWOW64\ntdll.dll!NtSetSecurityObject 00000000775a1bdc 5 bytes JMP 000000015ba887bf
.text  C:\Program[5440] C:\windows\syswow64\kernel32.dll!CreateProcessW 00000000766f103d 5 bytes JMP 000000015ba5a3ef
.text  C:\Program[5440] C:\windows\syswow64\kernel32.dll!CreateProcessA 00000000766f1072 5 bytes JMP 000000015ba5a52d
.text  C:\Program[5440] C:\windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000766f8781 5 bytes JMP 00000001521b7562
.text  C:\Program[5440] C:\windows\syswow64\kernel32.dll!ReplaceFile 0000000076710de4 5 bytes JMP 000000015ba58652
.text  C:\Program[5440] C:\windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007671c9b5 5 bytes JMP 000000015ba5a763
.text  C:\Program[5440] C:\windows\syswow64\kernel32.dll!ReplaceFileA 000000007676ef89 5 bytes JMP 000000015ba58572
.text  C:\Program[5440] C:\windows\syswow64\kernel32.dll!SetDllDirectoryW 000000007677058f 5 bytes JMP 000000015ba5b086
.text  C:\Program[5440] C:\windows\syswow64\kernel32.dll!SetDllDirectoryA 0000000076770637 5 bytes JMP 000000015ba5b3b9
.text  C:\Program[5440] C:\windows\syswow64\kernel32.dll!WinExec 0000000076773161 5 bytes JMP 000000015ba5ac28
.text  C:\Program[5440] C:\windows\syswow64\kernel32.dll!AllocConsole 000000007679716e 5 bytes JMP 000000015ba89b3d
.text  C:\Program[5440] C:\windows\syswow64\kernel32.dll!AttachConsole 0000000076797232 5 bytes JMP 000000015ba89b4f
.text  C:\Program[5440] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076672ab1 5 bytes JMP 000000015ba5b5c4
.text  C:\Program[5440] C:\windows\syswow64\USER32.dll!CreateWindowExW 00000000768e8a39 5 bytes JMP 000000015ba89b25
.text  C:\Program[5440] C:\windows\syswow64\USER32.dll!CreateWindowExA 00000000768ed23e 5 bytes JMP 000000015ba89b0d
.text  C:\Program[5440] C:\windows\syswow64\GDI32.dll!AddFontResourceW 000000007687d46a 5 bytes JMP 000000015ba69604
.text  C:\Program[5440] C:\windows\syswow64\GDI32.dll!AddFontResourceA 000000007687d973 5 bytes JMP 000000015ba695e8
.text  C:\Program[5440] C:\windows\syswow64\ADVAPI32.dll!EnumDependentServicesW 0000000076411e3a 7 bytes JMP 000000015ba6c2cf
.text  C:\Program[5440] C:\windows\syswow64\ADVAPI32.dll!EnumServicesStatusExW 000000007641b406 7 bytes JMP 000000015ba6d1f0
.text  C:\Program[5440] C:\windows\syswow64\ADVAPI32.dll!GetServiceKeyNameW 0000000076437927 7 bytes JMP 000000015ba6c976
.text  C:\Program[5440] C:\windows\syswow64\ADVAPI32.dll!GetServiceDisplayNameW 00000000764379e3 7 bytes JMP 000000015ba6cb27
.text  C:\Program[5440] C:\windows\syswow64\ADVAPI32.dll!EnumServicesStatusExA 000000007643a40a 7 bytes JMP 000000015ba6d2b6
.text  C:\Program[5440] C:\windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000764527d2 5 bytes JMP 000000015ba5a8a5
.text  C:\Program[5440] C:\windows\syswow64\ADVAPI32.dll!GetServiceKeyNameA 0000000076471fc4 7 bytes JMP 000000015ba6ca2e
.text  C:\Program[5440]
C:\windows\syswow64\ADVAPI32.dll!GetServiceDisplayNameA 0000000076472061 7 bytes JMP 000000015ba6cbdf .text C:\Program[5440] C:\windows\syswow64\ADVAPI32.dll!EnumServicesStatusA 0000000076472451 7 bytes JMP 000000015ba6d132 .text C:\Program[5440] C:\windows\syswow64\ADVAPI32.dll!EnumDependentServicesA 0000000076472534 7 bytes JMP 000000015ba6c386 .text C:\Program[5440] C:\windows\syswow64\ADVAPI32.dll!EnumServicesStatusW 0000000076472651 5 bytes JMP 000000015ba6d074 .text C:\Program[5440] C:\windows\SysWOW64\sechost.dll!ControlService 00000000763f4d5c 7 bytes JMP 000000015ba6c114 .text C:\Program[5440] C:\windows\SysWOW64\sechost.dll!CloseServiceHandle 00000000763f4dc3 7 bytes JMP 000000015ba6c43d .text C:\Program[5440] C:\windows\SysWOW64\sechost.dll!QueryServiceStatus 00000000763f4e4b 7 bytes JMP 000000015ba6c1a0 .text C:\Program[5440] C:\windows\SysWOW64\sechost.dll!QueryServiceStatusEx 00000000763f4eaf 7 bytes JMP 000000015ba6c233 .text C:\Program[5440] C:\windows\SysWOW64\sechost.dll!StartServiceW 00000000763f4f35 7 bytes JMP 000000015ba6bf8f .text C:\Program[5440] C:\windows\SysWOW64\sechost.dll!StartServiceA 00000000763f508d 7 bytes JMP 000000015ba6c025 .text C:\Program[5440] C:\windows\SysWOW64\sechost.dll!QueryServiceObjectSecurity 00000000763f50f4 7 bytes JMP 000000015ba6cf42 .text C:\Program[5440] C:\windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000763f5181 7 bytes JMP 000000015ba6cfde .text C:\Program[5440] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000763f5254 7 bytes JMP 000000015ba6c63e .text C:\Program[5440] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000763f53d5 7 bytes JMP 000000015ba6c559 .text C:\Program[5440] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000763f54c2 7 bytes JMP 000000015ba6c8e0 .text C:\Program[5440] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000763f55e2 7 bytes JMP 000000015ba6c84a .text C:\Program[5440] C:\windows\SysWOW64\sechost.dll!CreateServiceA 
00000000763f567c 7 bytes JMP 000000015ba6bd70 .text C:\Program[5440] C:\windows\SysWOW64\sechost.dll!CreateServiceW 00000000763f589f 7 bytes JMP 000000015ba6bc9a .text C:\Program[5440] C:\windows\SysWOW64\sechost.dll!DeleteService 00000000763f5a22 7 bytes JMP 000000015ba6c4cb .text C:\Program[5440] C:\windows\SysWOW64\sechost.dll!QueryServiceConfigA 00000000763f5a83 7 bytes JMP 000000015ba6cd71 .text C:\Program[5440] C:\windows\SysWOW64\sechost.dll!QueryServiceConfigW 00000000763f5b29 7 bytes JMP 000000015ba6ccd8 .text C:\Program[5440] C:\windows\SysWOW64\sechost.dll!ControlServiceExA 00000000763f5ca0 7 bytes JMP 000000015ba6b44a .text C:\Program[5440] C:\windows\SysWOW64\sechost.dll!ControlServiceExW 00000000763f5d8c 7 bytes JMP 000000015ba6b3d1 .text C:\Program[5440] C:\windows\SysWOW64\sechost.dll!OpenSCManagerW 00000000763f63ad 7 bytes JMP 000000015ba6b998 .text C:\Program[5440] C:\windows\SysWOW64\sechost.dll!OpenSCManagerA 00000000763f64f0 7 bytes JMP 000000015ba6ba24 .text C:\Program[5440] C:\windows\SysWOW64\sechost.dll!QueryServiceConfig2A 00000000763f6633 2 bytes JMP 000000015ba6cea6 .text C:\Program[5440] C:\windows\SysWOW64\sechost.dll!QueryServiceConfig2A + 3 00000000763f6636 4 bytes [67, E5, CC, CC] .text C:\Program[5440] C:\windows\SysWOW64\sechost.dll!QueryServiceConfig2W 00000000763f680c 7 bytes JMP 000000015ba6ce0a .text C:\Program[5440] C:\windows\SysWOW64\sechost.dll!OpenServiceW 00000000763f714b 7 bytes JMP 000000015ba6bb0d .text C:\Program[5440] C:\windows\SysWOW64\sechost.dll!OpenServiceA 00000000763f7245 7 bytes JMP 000000015ba6bb99 .text C:\Program[5440] C:\windows\syswow64\ole32.dll!OleLoadFromStream 0000000075006143 5 bytes JMP 0000000152ebcd0a .text C:\Program[5440] C:\windows\syswow64\ole32.dll!CoRegisterPSClsid 000000007500c56e 5 bytes JMP 000000015ba72ef7 .text C:\Program[5440] C:\windows\syswow64\ole32.dll!CoResumeClassObjects + 7 000000007500ea09 7 bytes JMP 000000015ba734c8 .text C:\Program[5440] 
C:\windows\syswow64\ole32.dll!OleRun 00000000750107de 5 bytes JMP 000000015ba73383 .text C:\Program[5440] C:\windows\syswow64\ole32.dll!CoRegisterClassObject 00000000750121e1 5 bytes JMP 000000015ba73ffa .text C:\Program[5440] C:\windows\syswow64\ole32.dll!OleUninitialize 000000007501eba1 6 bytes JMP 000000015ba732a2 .text C:\Program[5440] C:\windows\syswow64\ole32.dll!OleInitialize 000000007501efd7 5 bytes JMP 000000015ba73232 .text C:\Program[5440] C:\windows\syswow64\ole32.dll!CoGetPSClsid 0000000075022699 5 bytes JMP 000000015ba7306f .text C:\Program[5440] C:\windows\syswow64\ole32.dll!CoGetClassObject 00000000750354ad 5 bytes JMP 000000015ba74588 .text C:\Program[5440] C:\windows\syswow64\ole32.dll!CoInitializeEx 00000000750409ad 5 bytes JMP 000000015ba730e2 .text C:\Program[5440] C:\windows\syswow64\ole32.dll!CoUninitialize 00000000750486d3 5 bytes JMP 000000015ba73164 .text C:\Program[5440] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000075049d0b 5 bytes JMP 000000015ba75858 .text C:\Program[5440] C:\windows\syswow64\ole32.dll!CoCreateInstanceEx 0000000075049d4e 5 bytes JMP 000000015ba7398f .text C:\Program[5440] C:\windows\syswow64\ole32.dll!CoSuspendClassObjects + 7 000000007506baf9 7 bytes JMP 000000015ba733f3 .text C:\Program[5440] C:\windows\syswow64\ole32.dll!CoRevokeClassObject 000000007508eabf 5 bytes JMP 000000015ba72954 .text C:\Program[5440] C:\windows\syswow64\ole32.dll!CoGetInstanceFromFile 00000000750c352c 5 bytes JMP 000000015ba74a4a .text C:\Program[5440] C:\windows\syswow64\ole32.dll!OleRegEnumFormatEtc 000000007510d0f1 5 bytes JMP 000000015ba7330d .text C:\Program[5440] C:\windows\syswow64\oleaut32.dll!SysFreeString 0000000074f53e59 5 bytes JMP 00000001521dc273 .text C:\Program[5440] C:\windows\syswow64\oleaut32.dll!VariantClear 0000000074f53eae 5 bytes JMP 00000001521e57f8 .text C:\Program[5440] C:\windows\syswow64\oleaut32.dll!SysAllocStringByteLen 0000000074f54731 5 bytes JMP 00000001521e5390 .text C:\Program[5440] 
C:\windows\syswow64\oleaut32.dll!VariantChangeType 0000000074f55dee 5 bytes JMP 00000001521f15ae .text C:\Program[5440] C:\windows\syswow64\oleaut32.dll!RegisterActiveObject 0000000074f827a6 5 bytes JMP 000000015ba72be7 .text C:\Program[5440] C:\windows\syswow64\oleaut32.dll!RevokeActiveObject 0000000074f8329c 5 bytes JMP 000000015ba72d08 .text C:\Program[5440] C:\windows\syswow64\oleaut32.dll!GetActiveObject 0000000074f98f68 5 bytes JMP 000000015ba72d7b .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\SysWOW64\ntdll.dll!NtClose 000000007759fa20 5 bytes JMP 000000015ba885f1 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\SysWOW64\ntdll.dll!NtQueryObject 000000007759fa38 5 bytes JMP 000000015ba88a8a .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\SysWOW64\ntdll.dll!NtOpenKey 000000007759fa68 5 bytes JMP 000000015ba82741 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\SysWOW64\ntdll.dll!NtEnumerateValueKey 000000007759fa80 5 bytes JMP 000000015ba81ff2 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\SysWOW64\ntdll.dll!NtQueryKey 000000007759fad0 5 bytes JMP 000000015ba81e6c .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\SysWOW64\ntdll.dll!NtQueryValueKey 000000007759fae8 5 bytes JMP 000000015ba81f7a .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\SysWOW64\ntdll.dll!NtCreateKey 000000007759fb80 5 bytes JMP 000000015ba82aeb .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\SysWOW64\ntdll.dll!NtSetInformationFile 000000007759fc78 5 bytes JMP 
000000015ba869c2 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\SysWOW64\ntdll.dll!NtEnumerateKey 000000007759fd8c 5 bytes JMP 000000015ba81df4 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 000000007759fda4 5 bytes JMP 000000015ba86fb2 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\SysWOW64\ntdll.dll!NtQueryDirectoryFile 000000007759fdd8 5 bytes JMP 000000015ba86037 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007759fe84 5 bytes JMP 000000015ba8866c .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\SysWOW64\ntdll.dll!NtQueryAttributesFile 000000007759fe9c 5 bytes JMP 000000015ba87134 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 00000000775a00f4 5 bytes JMP 000000015ba86dea .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000775a0204 5 bytes JMP 000000015ba8206a .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\SysWOW64\ntdll.dll!NtDeleteFile 00000000775a0a24 5 bytes JMP 000000015ba86bb7 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\SysWOW64\ntdll.dll!NtDeleteKey 00000000775a0a3c 5 bytes JMP 000000015ba7efb7 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\SysWOW64\ntdll.dll!NtDeleteValueKey 00000000775a0a84 5 bytes JMP 000000015ba7f085 .text C:\Program Files (x86)\Common 
Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\SysWOW64\ntdll.dll!NtFlushKey 00000000775a0bc0 5 bytes JMP 000000015ba7f01e .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\SysWOW64\ntdll.dll!NtNotifyChangeKey 00000000775a0fb0 5 bytes JMP 000000015ba820e2 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\SysWOW64\ntdll.dll!NtNotifyChangeMultipleKeys 00000000775a0fc8 5 bytes JMP 000000015ba82519 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\SysWOW64\ntdll.dll!NtOpenKeyEx 00000000775a1058 5 bytes JMP 000000015ba82849 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile 00000000775a137c 5 bytes JMP 000000015ba871c4 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\SysWOW64\ntdll.dll!NtQueryMultipleValueKey 00000000775a14bc 5 bytes JMP 000000015ba8249d .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\SysWOW64\ntdll.dll!NtQuerySecurityObject 00000000775a1568 5 bytes JMP 000000015ba88a02 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\SysWOW64\ntdll.dll!NtRenameKey 00000000775a1758 5 bytes JMP 000000015ba7f4a2 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\SysWOW64\ntdll.dll!NtSetInformationKey 00000000775a1a98 5 bytes JMP 000000015ba81ef4 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\SysWOW64\ntdll.dll!NtSetSecurityObject 00000000775a1bdc 5 bytes JMP 000000015ba887bf .text C:\Program Files (x86)\Common Files\microsoft 
shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\syswow64\kernel32.dll!CreateProcessW 00000000766f103d 5 bytes JMP 000000015ba5a3ef .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\syswow64\kernel32.dll!CreateProcessA 00000000766f1072 5 bytes JMP 000000015ba5a52d .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\syswow64\kernel32.dll!ReplaceFile 0000000076710de4 5 bytes JMP 000000015ba58652 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007671c9b5 5 bytes JMP 000000015ba5a763 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\syswow64\kernel32.dll!ReplaceFileA 000000007676ef89 5 bytes JMP 000000015ba58572 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\syswow64\kernel32.dll!SetDllDirectoryW 000000007677058f 5 bytes JMP 000000015ba5b086 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\syswow64\kernel32.dll!SetDllDirectoryA 0000000076770637 5 bytes JMP 000000015ba5b3b9 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\syswow64\kernel32.dll!WinExec 0000000076773161 5 bytes JMP 000000015ba5ac28 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\syswow64\kernel32.dll!AllocConsole 000000007679716e 5 bytes JMP 000000015ba89b3d .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\syswow64\kernel32.dll!AttachConsole 0000000076797232 5 bytes JMP 000000015ba89b4f .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization 
handler\OfficeVirt.exe[5400] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076672ab1 5 bytes JMP 000000015ba5b5c4 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\syswow64\USER32.dll!CreateWindowExW 00000000768e8a39 5 bytes JMP 000000015ba89b25 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\syswow64\USER32.dll!CreateWindowExA 00000000768ed23e 5 bytes JMP 000000015ba89b0d .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\syswow64\GDI32.dll!AddFontResourceW 000000007687d46a 5 bytes JMP 000000015ba69604 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\syswow64\GDI32.dll!AddFontResourceA 000000007687d973 5 bytes JMP 000000015ba695e8 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\syswow64\ADVAPI32.dll!EnumDependentServicesW 0000000076411e3a 7 bytes JMP 000000015ba6c2cf .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\syswow64\ADVAPI32.dll!EnumServicesStatusExW 000000007641b406 7 bytes JMP 000000015ba6d1f0 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\syswow64\ADVAPI32.dll!GetServiceKeyNameW 0000000076437927 7 bytes JMP 000000015ba6c976 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\syswow64\ADVAPI32.dll!GetServiceDisplayNameW 00000000764379e3 7 bytes JMP 000000015ba6cb27 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\syswow64\ADVAPI32.dll!EnumServicesStatusExA 000000007643a40a 7 bytes JMP 000000015ba6d2b6 .text C:\Program Files (x86)\Common Files\microsoft 
shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000764527d2 5 bytes JMP 000000015ba5a8a5 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\syswow64\ADVAPI32.dll!GetServiceKeyNameA 0000000076471fc4 7 bytes JMP 000000015ba6ca2e .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\syswow64\ADVAPI32.dll!GetServiceDisplayNameA 0000000076472061 7 bytes JMP 000000015ba6cbdf .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\syswow64\ADVAPI32.dll!EnumServicesStatusA 0000000076472451 7 bytes JMP 000000015ba6d132 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\syswow64\ADVAPI32.dll!EnumDependentServicesA 0000000076472534 7 bytes JMP 000000015ba6c386 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\syswow64\ADVAPI32.dll!EnumServicesStatusW 0000000076472651 5 bytes JMP 000000015ba6d074 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\SysWOW64\sechost.dll!ControlService 00000000763f4d5c 7 bytes JMP 000000015ba6c114 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\SysWOW64\sechost.dll!CloseServiceHandle 00000000763f4dc3 7 bytes JMP 000000015ba6c43d .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\SysWOW64\sechost.dll!QueryServiceStatus 00000000763f4e4b 7 bytes JMP 000000015ba6c1a0 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\SysWOW64\sechost.dll!QueryServiceStatusEx 00000000763f4eaf 7 bytes JMP 000000015ba6c233 .text C:\Program Files (x86)\Common 
Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\SysWOW64\sechost.dll!StartServiceW 00000000763f4f35 7 bytes JMP 000000015ba6bf8f .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\SysWOW64\sechost.dll!StartServiceA 00000000763f508d 7 bytes JMP 000000015ba6c025 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\SysWOW64\sechost.dll!QueryServiceObjectSecurity 00000000763f50f4 7 bytes JMP 000000015ba6cf42 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000763f5181 7 bytes JMP 000000015ba6cfde .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000763f5254 7 bytes JMP 000000015ba6c63e .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000763f53d5 7 bytes JMP 000000015ba6c559 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000763f54c2 7 bytes JMP 000000015ba6c8e0 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000763f55e2 7 bytes JMP 000000015ba6c84a .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\SysWOW64\sechost.dll!CreateServiceA 00000000763f567c 7 bytes JMP 000000015ba6bd70 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\SysWOW64\sechost.dll!CreateServiceW 00000000763f589f 7 bytes JMP 000000015ba6bc9a .text C:\Program Files 
(x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\SysWOW64\sechost.dll!DeleteService 00000000763f5a22 7 bytes JMP 000000015ba6c4cb .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\SysWOW64\sechost.dll!QueryServiceConfigA 00000000763f5a83 7 bytes JMP 000000015ba6cd71 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\SysWOW64\sechost.dll!QueryServiceConfigW 00000000763f5b29 7 bytes JMP 000000015ba6ccd8 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\SysWOW64\sechost.dll!ControlServiceExA 00000000763f5ca0 7 bytes JMP 000000015ba6b44a .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\SysWOW64\sechost.dll!ControlServiceExW 00000000763f5d8c 7 bytes JMP 000000015ba6b3d1 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\SysWOW64\sechost.dll!OpenSCManagerW 00000000763f63ad 7 bytes JMP 000000015ba6b998 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\SysWOW64\sechost.dll!OpenSCManagerA 00000000763f64f0 7 bytes JMP 000000015ba6ba24 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\SysWOW64\sechost.dll!QueryServiceConfig2A 00000000763f6633 2 bytes JMP 000000015ba6cea6 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\SysWOW64\sechost.dll!QueryServiceConfig2A + 3 00000000763f6636 4 bytes [67, E5, CC, CC] .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\SysWOW64\sechost.dll!QueryServiceConfig2W 00000000763f680c 7 bytes JMP 000000015ba6ce0a .text C:\Program Files 
(x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\SysWOW64\sechost.dll!OpenServiceW 00000000763f714b 7 bytes JMP 000000015ba6bb0d .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\SysWOW64\sechost.dll!OpenServiceA 00000000763f7245 7 bytes JMP 000000015ba6bb99 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\syswow64\ole32.dll!CoRegisterPSClsid 000000007500c56e 5 bytes JMP 000000015ba72ef7 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\syswow64\ole32.dll!CoResumeClassObjects + 7 000000007500ea09 7 bytes JMP 000000015ba734c8 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\syswow64\ole32.dll!OleRun 00000000750107de 5 bytes JMP 000000015ba73383 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\syswow64\ole32.dll!CoRegisterClassObject 00000000750121e1 5 bytes JMP 000000015ba73ffa .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\syswow64\ole32.dll!OleUninitialize 000000007501eba1 6 bytes JMP 000000015ba732a2 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\syswow64\ole32.dll!OleInitialize 000000007501efd7 5 bytes JMP 000000015ba73232 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\syswow64\ole32.dll!CoGetPSClsid 0000000075022699 5 bytes JMP 000000015ba7306f .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\syswow64\ole32.dll!CoGetClassObject 00000000750354ad 5 bytes JMP 000000015ba74588 .text C:\Program Files (x86)\Common Files\microsoft 
shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\syswow64\ole32.dll!CoInitializeEx 00000000750409ad 5 bytes JMP 000000015ba730e2 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\syswow64\ole32.dll!CoUninitialize 00000000750486d3 5 bytes JMP 000000015ba73164 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000075049d0b 5 bytes JMP 000000015ba75858 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\syswow64\ole32.dll!CoCreateInstanceEx 0000000075049d4e 5 bytes JMP 000000015ba7398f .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\syswow64\ole32.dll!CoSuspendClassObjects + 7 000000007506baf9 7 bytes JMP 000000015ba733f3 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\syswow64\ole32.dll!CoRevokeClassObject 000000007508eabf 5 bytes JMP 000000015ba72954 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\syswow64\ole32.dll!CoGetInstanceFromFile 00000000750c352c 5 bytes JMP 000000015ba74a4a .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\syswow64\ole32.dll!OleRegEnumFormatEtc 000000007510d0f1 5 bytes JMP 000000015ba7330d .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\syswow64\oleaut32.dll!RegisterActiveObject 0000000074f827a6 5 bytes JMP 000000015ba72be7 .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\syswow64\oleaut32.dll!RevokeActiveObject 0000000074f8329c 5 bytes JMP 000000015ba72d08 .text C:\Program Files (x86)\Common Files\microsoft 
shared\virtualization handler\OfficeVirt.exe[5400] C:\windows\syswow64\oleaut32.dll!GetActiveObject 0000000074f98f68 5 bytes JMP 000000015ba72d7b .text C:\windows\splwow64.exe[332] C:\windows\SYSTEM32\ntdll.dll!NtClose 00000000773edaa0 8 bytes JMP 000000016fff02b8 .text C:\windows\splwow64.exe[332] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773edab0 8 bytes JMP 000000016fff0838 .text C:\windows\splwow64.exe[332] C:\windows\SYSTEM32\ntdll.dll!NtOpenKey 00000000773edad0 8 bytes JMP 000000016fff0158 .text C:\windows\splwow64.exe[332] C:\windows\SYSTEM32\ntdll.dll!NtEnumerateValueKey 00000000773edae0 8 bytes JMP 000000016fff04c8 .text C:\windows\splwow64.exe[332] C:\windows\SYSTEM32\ntdll.dll!NtQueryKey 00000000773edb10 8 bytes JMP 000000016fff03c0 .text C:\windows\splwow64.exe[332] C:\windows\SYSTEM32\ntdll.dll!NtQueryValueKey 00000000773edb20 8 bytes JMP 000000016fff0470 .text C:\windows\splwow64.exe[332] C:\windows\SYSTEM32\ntdll.dll!NtCreateKey 00000000773edb80 1 byte JMP 000000016fff0310 .text C:\windows\splwow64.exe[332] C:\windows\SYSTEM32\ntdll.dll!NtCreateKey + 2 00000000773edb82 6 bytes {JMP 0xfffffffff8c02790} .text C:\windows\splwow64.exe[332] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile 00000000773edc20 8 bytes JMP 000000016fff0aa0 .text C:\windows\splwow64.exe[332] C:\windows\SYSTEM32\ntdll.dll!NtEnumerateKey 00000000773edcd0 8 bytes JMP 000000016fff0368 .text C:\windows\splwow64.exe[332] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000773edce0 8 bytes JMP 000000016fff0890 .text C:\windows\splwow64.exe[332] C:\windows\SYSTEM32\ntdll.dll!NtQueryDirectoryFile 00000000773edd00 8 bytes JMP 000000016fff0a48 .text C:\windows\splwow64.exe[332] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773edd70 8 bytes JMP 000000016fff07e0 .text C:\windows\splwow64.exe[332] C:\windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00000000773edd80 8 bytes JMP 000000016fff0998 .text C:\windows\splwow64.exe[332] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 
00000000773edf00 8 bytes JMP 000000016fff08e8 .text C:\windows\splwow64.exe[332] C:\windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000773edfb0 8 bytes JMP 000000016fff0520 .text C:\windows\splwow64.exe[332] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile 00000000773ee500 8 bytes JMP 000000016fff0940 .text C:\windows\splwow64.exe[332] C:\windows\SYSTEM32\ntdll.dll!NtDeleteKey 00000000773ee510 8 bytes JMP 000000016fff0208 .text C:\windows\splwow64.exe[332] C:\windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 00000000773ee540 8 bytes JMP 000000016fff0578 .text C:\windows\splwow64.exe[332] C:\windows\SYSTEM32\ntdll.dll!NtFlushKey 00000000773ee610 8 bytes JMP 000000016fff0260 .text C:\windows\splwow64.exe[332] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773ee890 8 bytes JMP 000000016fff0680 .text C:\windows\splwow64.exe[332] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773ee8a0 8 bytes JMP 000000016fff06d8 .text C:\windows\splwow64.exe[332] C:\windows\SYSTEM32\ntdll.dll!NtOpenKeyEx 00000000773ee900 8 bytes JMP 000000016fff01b0 .text C:\windows\splwow64.exe[332] C:\windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00000000773eeb10 8 bytes JMP 000000016fff09f0 .text C:\windows\splwow64.exe[332] C:\windows\SYSTEM32\ntdll.dll!NtQueryMultipleValueKey 00000000773eebe0 8 bytes JMP 000000016fff0628 .text C:\windows\splwow64.exe[332] C:\windows\SYSTEM32\ntdll.dll!NtQuerySecurityObject 00000000773eec50 8 bytes JMP 000000016fff0730 .text C:\windows\splwow64.exe[332] C:\windows\SYSTEM32\ntdll.dll!NtRenameKey 00000000773eed90 8 bytes JMP 000000016fff05d0 .text C:\windows\splwow64.exe[332] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationKey 00000000773eefa0 8 bytes JMP 000000016fff0418 .text C:\windows\splwow64.exe[332] C:\windows\SYSTEM32\ntdll.dll!NtSetSecurityObject 00000000773ef070 8 bytes JMP 000000016fff0788 .text C:\windows\splwow64.exe[332] C:\windows\system32\kernel32.dll!CreateProcessAsUserW 0000000077189940 12 bytes JMP 000000016fff0e10 .text 
C:\windows\splwow64.exe[332] C:\windows\system32\kernel32.dll!CreateProcessW 00000000771a0670 12 bytes JMP 000000016fff0d08 .text C:\windows\splwow64.exe[332] C:\windows\system32\kernel32.dll!SetDllDirectoryW 00000000771cdba0 6 bytes JMP 000000016fff0e68 .text C:\windows\splwow64.exe[332] C:\windows\system32\kernel32.dll!SetDllDirectoryA 00000000771e3450 6 bytes JMP 000000016fff0ec0 .text C:\windows\splwow64.exe[332] C:\windows\system32\kernel32.dll!AttachConsole 00000000772059c0 9 bytes JMP 000000016fff0c00 .text C:\windows\splwow64.exe[332] C:\windows\system32\kernel32.dll!AllocConsole 0000000077205ab0 1 byte JMP 000000016fff0ba8 .text C:\windows\splwow64.exe[332] C:\windows\system32\kernel32.dll!AllocConsole + 2 0000000077205ab2 7 bytes {JMP 0xfffffffff8deb0f8} .text C:\windows\splwow64.exe[332] C:\windows\system32\kernel32.dll!ReplaceFile 00000000772141e0 5 bytes JMP 000000016fff0cb0 .text C:\windows\splwow64.exe[332] C:\windows\system32\kernel32.dll!ReplaceFileA 0000000077214f60 7 bytes JMP 000000016fff0c58 .text C:\windows\splwow64.exe[332] C:\windows\system32\kernel32.dll!CreateProcessA 000000007721ad40 7 bytes JMP 000000016fff0d60 .text C:\windows\splwow64.exe[332] C:\windows\system32\kernel32.dll!WinExec 000000007721b280 7 bytes JMP 000000016fff0db8 .text C:\windows\splwow64.exe[332] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd47aec0 6 bytes JMP 000007fefdf414f0 .text C:\windows\splwow64.exe[332] C:\windows\system32\GDI32.dll!AddFontResourceW 000007fefdc44804 2 bytes JMP 000007fefdf40838 .text C:\windows\splwow64.exe[332] C:\windows\system32\GDI32.dll!AddFontResourceW + 3 000007fefdc44807 2 bytes [2F, 00] .text C:\windows\splwow64.exe[332] C:\windows\system32\GDI32.dll!AddFontResourceA 000007fefdc592c4 5 bytes JMP 000007fefdf407e0 .text C:\windows\splwow64.exe[332] C:\windows\system32\ADVAPI32.dll!EnumDependentServicesW 000007fefe511460 5 bytes JMP 000007fffdf40e68 .text C:\windows\splwow64.exe[332] 
C:\windows\system32\ADVAPI32.dll!EnumServicesStatusExW 000007fefe51ea90 7 bytes JMP 000007fffdf40fc8 .text C:\windows\splwow64.exe[332] C:\windows\system32\ADVAPI32.dll!GetServiceDisplayNameW 000007fefe535690 7 bytes JMP 000007fffdf41128 .text C:\windows\splwow64.exe[332] C:\windows\system32\ADVAPI32.dll!GetServiceKeyNameW 000007fefe535760 7 bytes JMP 000007fffdf41078 .text C:\windows\splwow64.exe[332] C:\windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefe55a9d0 7 bytes JMP 000007fffdf41498 .text C:\windows\splwow64.exe[332] C:\windows\system32\ADVAPI32.dll!EnumDependentServicesA 000007fefe55d370 5 bytes JMP 000007fffdf40ec0 .text C:\windows\splwow64.exe[332] C:\windows\system32\ADVAPI32.dll!EnumServicesStatusExA 000007fefe55d4e0 7 bytes JMP 000007fffdf41020 .text C:\windows\splwow64.exe[332] C:\windows\system32\ADVAPI32.dll!EnumServicesStatusA 000007fefe55d6e0 1 byte JMP 000007fffdf40f70 .text C:\windows\splwow64.exe[332] C:\windows\system32\ADVAPI32.dll!EnumServicesStatusA + 2 000007fefe55d6e2 5 bytes {JMP 0xffffffffff9e3890} .text C:\windows\splwow64.exe[332] C:\windows\system32\ADVAPI32.dll!EnumServicesStatusW 000007fefe55dae0 7 bytes JMP 000007fffdf40f18 .text C:\windows\splwow64.exe[332] C:\windows\system32\ADVAPI32.dll!GetServiceDisplayNameA 000007fefe55de40 9 bytes JMP 000007fffdf41180 .text C:\windows\splwow64.exe[332] C:\windows\system32\ADVAPI32.dll!GetServiceKeyNameA 000007fefe55ded0 9 bytes JMP 000007fffdf410d0 .text C:\windows\splwow64.exe[332] C:\windows\SYSTEM32\sechost.dll!ControlService 000007fefe5f642c 9 bytes JMP 000007fffdf40af8 .text C:\windows\splwow64.exe[332] C:\windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe5f6484 7 bytes JMP 000007fffdf40940 .text C:\windows\splwow64.exe[332] C:\windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefe5f6518 7 bytes JMP 000007fffdf409f0 .text C:\windows\splwow64.exe[332] C:\windows\SYSTEM32\sechost.dll!OpenSCManagerW 000007fefe5f659c 7 bytes JMP 000007fffdf40890 .text 
C:\windows\splwow64.exe[332] C:\windows\SYSTEM32\sechost.dll!QueryServiceStatus 000007fefe5f6730 7 bytes JMP 000007fffdf413e8 .text C:\windows\splwow64.exe[332] C:\windows\SYSTEM32\sechost.dll!QueryServiceStatusEx 000007fefe5f6784 6 bytes JMP 000007fffdf41440 .text C:\windows\splwow64.exe[332] C:\windows\SYSTEM32\sechost.dll!StartServiceW 000007fefe5f6824 9 bytes JMP 000007fffdf40a48 .text C:\windows\splwow64.exe[332] C:\windows\SYSTEM32\sechost.dll!OpenSCManagerA 000007fefe5f6aa4 7 bytes JMP 000007fffdf408e8 .text C:\windows\splwow64.exe[332] C:\windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe5f6c34 7 bytes JMP 000007fffdf40998 .text C:\windows\splwow64.exe[332] C:\windows\SYSTEM32\sechost.dll!StartServiceA 000007fefe5f6d00 9 bytes JMP 000007fffdf40aa0 .text C:\windows\splwow64.exe[332] C:\windows\SYSTEM32\sechost.dll!QueryServiceObjectSecurity 000007fefe5f6d58 5 bytes JMP 000007fffdf41338 .text C:\windows\splwow64.exe[332] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe5f6e00 1 byte JMP 000007fffdf41390 .text C:\windows\splwow64.exe[332] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity + 2 000007fefe5f6e02 5 bytes {JMP 0xffffffffff94a590} .text C:\windows\splwow64.exe[332] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe5f6f2c 7 bytes JMP 000007fffdf40d60 .text C:\windows\splwow64.exe[332] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe5f7220 7 bytes JMP 000007fffdf40d08 .text C:\windows\splwow64.exe[332] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe5f739c 7 bytes JMP 000007fffdf40e10 .text C:\windows\splwow64.exe[332] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe5f7538 7 bytes JMP 000007fffdf40db8 .text C:\windows\splwow64.exe[332] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe5f75e8 7 bytes JMP 000007fffdf40c58 .text C:\windows\splwow64.exe[332] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe5f790c 7 bytes JMP 000007fffdf40c00 .text 
C:\windows\splwow64.exe[332] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007fefe5f7ab4 7 bytes JMP 000007fffdf40cb0 .text C:\windows\splwow64.exe[332] C:\windows\SYSTEM32\sechost.dll!QueryServiceConfigA 000007fefe5f7b04 5 bytes JMP 000007fffdf41230 .text C:\windows\splwow64.exe[332] C:\windows\SYSTEM32\sechost.dll!QueryServiceConfigW 000007fefe5f7c34 5 bytes JMP 000007fffdf411d8 .text C:\windows\splwow64.exe[332] C:\windows\SYSTEM32\sechost.dll!QueryServiceConfig2A 000007fefe5f7d78 7 bytes JMP 000007fffdf412e0 .text C:\windows\splwow64.exe[332] C:\windows\SYSTEM32\sechost.dll!QueryServiceConfig2W 000007fefe5f8244 7 bytes JMP 000007fffdf41288 .text C:\windows\splwow64.exe[332] C:\windows\SYSTEM32\sechost.dll!ControlServiceExA 000007fefe5f8b00 7 bytes JMP 000007fffdf40ba8 .text C:\windows\splwow64.exe[332] C:\windows\SYSTEM32\sechost.dll!ControlServiceExW 000007fefe5f8c38 7 bytes JMP 000007fffdf40b50 .text C:\windows\splwow64.exe[332] C:\windows\system32\oleaut32.dll!RevokeActiveObject 000007fefe6366c0 5 bytes JMP 000007fffdf40418 .text C:\windows\splwow64.exe[332] C:\windows\system32\oleaut32.dll!GetActiveObject 000007fefe64c200 5 bytes JMP 000007fffdf40470 .text C:\windows\splwow64.exe[332] C:\windows\system32\oleaut32.dll!RegisterActiveObject 000007fefe64c280 7 bytes JMP 000007fffdf403c0 .text C:\windows\splwow64.exe[2804] C:\windows\SysWOW64\ntdll.dll!NtClose 000000007759fa20 5 bytes JMP 000000015ba885f1 .text C:\windows\splwow64.exe[2804] C:\windows\SysWOW64\ntdll.dll!NtQueryObject 000000007759fa38 5 bytes JMP 000000015ba88a8a .text C:\windows\splwow64.exe[2804] C:\windows\SysWOW64\ntdll.dll!NtOpenKey 000000007759fa68 5 bytes JMP 000000015ba82741 .text C:\windows\splwow64.exe[2804] C:\windows\SysWOW64\ntdll.dll!NtEnumerateValueKey 000000007759fa80 5 bytes JMP 000000015ba81ff2 .text C:\windows\splwow64.exe[2804] C:\windows\SysWOW64\ntdll.dll!NtQueryKey 000000007759fad0 5 bytes JMP 000000015ba81e6c .text C:\windows\splwow64.exe[2804] 
C:\windows\SysWOW64\ntdll.dll!NtQueryValueKey 000000007759fae8 5 bytes JMP 000000015ba81f7a .text C:\windows\splwow64.exe[2804] C:\windows\SysWOW64\ntdll.dll!NtCreateKey 000000007759fb80 5 bytes JMP 000000015ba82aeb .text C:\windows\splwow64.exe[2804] C:\windows\SysWOW64\ntdll.dll!NtSetInformationFile 000000007759fc78 5 bytes JMP 000000015ba869c2 .text C:\windows\splwow64.exe[2804] C:\windows\SysWOW64\ntdll.dll!NtEnumerateKey 000000007759fd8c 5 bytes JMP 000000015ba81df4 .text C:\windows\splwow64.exe[2804] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 000000007759fda4 5 bytes JMP 000000015ba86fb2 .text C:\windows\splwow64.exe[2804] C:\windows\SysWOW64\ntdll.dll!NtQueryDirectoryFile 000000007759fdd8 5 bytes JMP 000000015ba86037 .text C:\windows\splwow64.exe[2804] C:\windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007759fe84 5 bytes JMP 000000015ba8866c .text C:\windows\splwow64.exe[2804] C:\windows\SysWOW64\ntdll.dll!NtQueryAttributesFile 000000007759fe9c 5 bytes JMP 000000015ba87134 .text C:\windows\splwow64.exe[2804] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 00000000775a00f4 5 bytes JMP 000000015ba86dea .text C:\windows\splwow64.exe[2804] C:\windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000775a0204 5 bytes JMP 000000015ba8206a .text C:\windows\splwow64.exe[2804] C:\windows\SysWOW64\ntdll.dll!NtDeleteFile 00000000775a0a24 5 bytes JMP 000000015ba86bb7 .text C:\windows\splwow64.exe[2804] C:\windows\SysWOW64\ntdll.dll!NtDeleteKey 00000000775a0a3c 5 bytes JMP 000000015ba7efb7 .text C:\windows\splwow64.exe[2804] C:\windows\SysWOW64\ntdll.dll!NtDeleteValueKey 00000000775a0a84 5 bytes JMP 000000015ba7f085 .text C:\windows\splwow64.exe[2804] C:\windows\SysWOW64\ntdll.dll!NtFlushKey 00000000775a0bc0 5 bytes JMP 000000015ba7f01e .text C:\windows\splwow64.exe[2804] C:\windows\SysWOW64\ntdll.dll!NtNotifyChangeKey 00000000775a0fb0 5 bytes JMP 000000015ba820e2 .text C:\windows\splwow64.exe[2804] C:\windows\SysWOW64\ntdll.dll!NtNotifyChangeMultipleKeys 00000000775a0fc8 5 bytes JMP 
000000015ba82519 .text C:\windows\splwow64.exe[2804] C:\windows\SysWOW64\ntdll.dll!NtOpenKeyEx 00000000775a1058 5 bytes JMP 000000015ba82849 .text C:\windows\splwow64.exe[2804] C:\windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile 00000000775a137c 5 bytes JMP 000000015ba871c4 .text C:\windows\splwow64.exe[2804] C:\windows\SysWOW64\ntdll.dll!NtQueryMultipleValueKey 00000000775a14bc 5 bytes JMP 000000015ba8249d .text C:\windows\splwow64.exe[2804] C:\windows\SysWOW64\ntdll.dll!NtQuerySecurityObject 00000000775a1568 5 bytes JMP 000000015ba88a02 .text C:\windows\splwow64.exe[2804] C:\windows\SysWOW64\ntdll.dll!NtRenameKey 00000000775a1758 5 bytes JMP 000000015ba7f4a2 .text C:\windows\splwow64.exe[2804] C:\windows\SysWOW64\ntdll.dll!NtSetInformationKey 00000000775a1a98 5 bytes JMP 000000015ba81ef4 .text C:\windows\splwow64.exe[2804] C:\windows\SysWOW64\ntdll.dll!NtSetSecurityObject 00000000775a1bdc 5 bytes JMP 000000015ba887bf .text C:\windows\splwow64.exe[2804] C:\windows\syswow64\kernel32.dll!CreateProcessW 00000000766f103d 5 bytes JMP 000000015ba5a3ef .text C:\windows\splwow64.exe[2804] C:\windows\syswow64\kernel32.dll!CreateProcessA 00000000766f1072 5 bytes JMP 000000015ba5a52d .text C:\windows\splwow64.exe[2804] C:\windows\syswow64\kernel32.dll!ReplaceFile 0000000076710de4 5 bytes JMP 000000015ba58652 .text C:\windows\splwow64.exe[2804] C:\windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007671c9b5 5 bytes JMP 000000015ba5a763 .text C:\windows\splwow64.exe[2804] C:\windows\syswow64\kernel32.dll!ReplaceFileA 000000007676ef89 5 bytes JMP 000000015ba58572 .text C:\windows\splwow64.exe[2804] C:\windows\syswow64\kernel32.dll!SetDllDirectoryW 000000007677058f 5 bytes JMP 000000015ba5b086 .text C:\windows\splwow64.exe[2804] C:\windows\syswow64\kernel32.dll!SetDllDirectoryA 0000000076770637 5 bytes JMP 000000015ba5b3b9 .text C:\windows\splwow64.exe[2804] C:\windows\syswow64\kernel32.dll!WinExec 0000000076773161 5 bytes JMP 000000015ba5ac28 .text 
C:\windows\splwow64.exe[2804] C:\windows\syswow64\kernel32.dll!AllocConsole 000000007679716e 5 bytes JMP 000000015ba89b3d .text C:\windows\splwow64.exe[2804] C:\windows\syswow64\kernel32.dll!AttachConsole 0000000076797232 5 bytes JMP 000000015ba89b4f .text C:\windows\splwow64.exe[2804] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076672ab1 5 bytes JMP 000000015ba5b5c4 .text C:\windows\splwow64.exe[2804] C:\windows\syswow64\USER32.dll!CreateWindowExW 00000000768e8a39 5 bytes JMP 000000015ba89b25 .text C:\windows\splwow64.exe[2804] C:\windows\syswow64\USER32.dll!CreateWindowExA 00000000768ed23e 5 bytes JMP 000000015ba89b0d .text C:\windows\splwow64.exe[2804] C:\windows\syswow64\GDI32.dll!AddFontResourceW 000000007687d46a 5 bytes JMP 000000015ba69604 .text C:\windows\splwow64.exe[2804] C:\windows\syswow64\GDI32.dll!AddFontResourceA 000000007687d973 5 bytes JMP 000000015ba695e8 .text C:\windows\splwow64.exe[2804] C:\windows\syswow64\ADVAPI32.dll!EnumDependentServicesW 0000000076411e3a 7 bytes JMP 000000015ba6c2cf .text C:\windows\splwow64.exe[2804] C:\windows\syswow64\ADVAPI32.dll!EnumServicesStatusExW 000000007641b406 7 bytes JMP 000000015ba6d1f0 .text C:\windows\splwow64.exe[2804] C:\windows\syswow64\ADVAPI32.dll!GetServiceKeyNameW 0000000076437927 7 bytes JMP 000000015ba6c976 .text C:\windows\splwow64.exe[2804] C:\windows\syswow64\ADVAPI32.dll!GetServiceDisplayNameW 00000000764379e3 7 bytes JMP 000000015ba6cb27 .text C:\windows\splwow64.exe[2804] C:\windows\syswow64\ADVAPI32.dll!EnumServicesStatusExA 000000007643a40a 7 bytes JMP 000000015ba6d2b6 .text C:\windows\splwow64.exe[2804] C:\windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000764527d2 5 bytes JMP 000000015ba5a8a5 .text C:\windows\splwow64.exe[2804] C:\windows\syswow64\ADVAPI32.dll!GetServiceKeyNameA 0000000076471fc4 7 bytes JMP 000000015ba6ca2e .text C:\windows\splwow64.exe[2804] C:\windows\syswow64\ADVAPI32.dll!GetServiceDisplayNameA 0000000076472061 7 bytes JMP 000000015ba6cbdf .text 
C:\windows\splwow64.exe[2804] C:\windows\syswow64\ADVAPI32.dll!EnumServicesStatusA 0000000076472451 7 bytes JMP 000000015ba6d132 .text C:\windows\splwow64.exe[2804] C:\windows\syswow64\ADVAPI32.dll!EnumDependentServicesA 0000000076472534 7 bytes JMP 000000015ba6c386 .text C:\windows\splwow64.exe[2804] C:\windows\syswow64\ADVAPI32.dll!EnumServicesStatusW 0000000076472651 5 bytes JMP 000000015ba6d074 .text C:\windows\splwow64.exe[2804] C:\windows\SysWOW64\sechost.dll!ControlService 00000000763f4d5c 7 bytes JMP 000000015ba6c114 .text C:\windows\splwow64.exe[2804] C:\windows\SysWOW64\sechost.dll!CloseServiceHandle 00000000763f4dc3 7 bytes JMP 000000015ba6c43d .text C:\windows\splwow64.exe[2804] C:\windows\SysWOW64\sechost.dll!QueryServiceStatus 00000000763f4e4b 7 bytes JMP 000000015ba6c1a0 .text C:\windows\splwow64.exe[2804] C:\windows\SysWOW64\sechost.dll!QueryServiceStatusEx 00000000763f4eaf 7 bytes JMP 000000015ba6c233 .text C:\windows\splwow64.exe[2804] C:\windows\SysWOW64\sechost.dll!StartServiceW 00000000763f4f35 7 bytes JMP 000000015ba6bf8f .text C:\windows\splwow64.exe[2804] C:\windows\SysWOW64\sechost.dll!StartServiceA 00000000763f508d 7 bytes JMP 000000015ba6c025 .text C:\windows\splwow64.exe[2804] C:\windows\SysWOW64\sechost.dll!QueryServiceObjectSecurity 00000000763f50f4 7 bytes JMP 000000015ba6cf42 .text C:\windows\splwow64.exe[2804] C:\windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000763f5181 7 bytes JMP 000000015ba6cfde .text C:\windows\splwow64.exe[2804] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000763f5254 7 bytes JMP 000000015ba6c63e .text C:\windows\splwow64.exe[2804] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000763f53d5 7 bytes JMP 000000015ba6c559 .text C:\windows\splwow64.exe[2804] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000763f54c2 7 bytes JMP 000000015ba6c8e0 .text C:\windows\splwow64.exe[2804] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000763f55e2 7 bytes JMP 
000000015ba6c84a .text C:\windows\splwow64.exe[2804] C:\windows\SysWOW64\sechost.dll!CreateServiceA 00000000763f567c 7 bytes JMP 000000015ba6bd70 .text C:\windows\splwow64.exe[2804] C:\windows\SysWOW64\sechost.dll!CreateServiceW 00000000763f589f 7 bytes JMP 000000015ba6bc9a .text C:\windows\splwow64.exe[2804] C:\windows\SysWOW64\sechost.dll!DeleteService 00000000763f5a22 7 bytes JMP 000000015ba6c4cb .text C:\windows\splwow64.exe[2804] C:\windows\SysWOW64\sechost.dll!QueryServiceConfigA 00000000763f5a83 7 bytes JMP 000000015ba6cd71 .text C:\windows\splwow64.exe[2804] C:\windows\SysWOW64\sechost.dll!QueryServiceConfigW 00000000763f5b29 7 bytes JMP 000000015ba6ccd8 .text C:\windows\splwow64.exe[2804] C:\windows\SysWOW64\sechost.dll!ControlServiceExA 00000000763f5ca0 7 bytes JMP 000000015ba6b44a .text C:\windows\splwow64.exe[2804] C:\windows\SysWOW64\sechost.dll!ControlServiceExW 00000000763f5d8c 7 bytes JMP 000000015ba6b3d1 .text C:\windows\splwow64.exe[2804] C:\windows\SysWOW64\sechost.dll!OpenSCManagerW 00000000763f63ad 7 bytes JMP 000000015ba6b998 .text C:\windows\splwow64.exe[2804] C:\windows\SysWOW64\sechost.dll!OpenSCManagerA 00000000763f64f0 7 bytes JMP 000000015ba6ba24 .text C:\windows\splwow64.exe[2804] C:\windows\SysWOW64\sechost.dll!QueryServiceConfig2A 00000000763f6633 2 bytes JMP 000000015ba6cea6 .text C:\windows\splwow64.exe[2804] C:\windows\SysWOW64\sechost.dll!QueryServiceConfig2A + 3 00000000763f6636 4 bytes [67, E5, CC, CC] .text C:\windows\splwow64.exe[2804] C:\windows\SysWOW64\sechost.dll!QueryServiceConfig2W 00000000763f680c 7 bytes JMP 000000015ba6ce0a .text C:\windows\splwow64.exe[2804] C:\windows\SysWOW64\sechost.dll!OpenServiceW 00000000763f714b 7 bytes JMP 000000015ba6bb0d .text C:\windows\splwow64.exe[2804] C:\windows\SysWOW64\sechost.dll!OpenServiceA 00000000763f7245 7 bytes JMP 000000015ba6bb99 .text C:\windows\splwow64.exe[2804] C:\windows\syswow64\ole32.dll!CoRegisterPSClsid 000000007500c56e 5 bytes JMP 000000015ba72ef7 .text 
C:\windows\splwow64.exe[2804] C:\windows\syswow64\ole32.dll!CoResumeClassObjects + 7 000000007500ea09 7 bytes JMP 000000015ba734c8 .text C:\windows\splwow64.exe[2804] C:\windows\syswow64\ole32.dll!OleRun 00000000750107de 5 bytes JMP 000000015ba73383 .text C:\windows\splwow64.exe[2804] C:\windows\syswow64\ole32.dll!CoRegisterClassObject 00000000750121e1 5 bytes JMP 000000015ba73ffa .text C:\windows\splwow64.exe[2804] C:\windows\syswow64\ole32.dll!OleUninitialize 000000007501eba1 6 bytes JMP 000000015ba732a2 .text C:\windows\splwow64.exe[2804] C:\windows\syswow64\ole32.dll!OleInitialize 000000007501efd7 5 bytes JMP 000000015ba73232 .text C:\windows\splwow64.exe[2804] C:\windows\syswow64\ole32.dll!CoGetPSClsid 0000000075022699 5 bytes JMP 000000015ba7306f .text C:\windows\splwow64.exe[2804] C:\windows\syswow64\ole32.dll!CoGetClassObject 00000000750354ad 5 bytes JMP 000000015ba74588 .text C:\windows\splwow64.exe[2804] C:\windows\syswow64\ole32.dll!CoInitializeEx 00000000750409ad 5 bytes JMP 000000015ba730e2 .text C:\windows\splwow64.exe[2804] C:\windows\syswow64\ole32.dll!CoUninitialize 00000000750486d3 5 bytes JMP 000000015ba73164 .text C:\windows\splwow64.exe[2804] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000075049d0b 5 bytes JMP 000000015ba75858 .text C:\windows\splwow64.exe[2804] C:\windows\syswow64\ole32.dll!CoCreateInstanceEx 0000000075049d4e 5 bytes JMP 000000015ba7398f .text C:\windows\splwow64.exe[2804] C:\windows\syswow64\ole32.dll!CoSuspendClassObjects + 7 000000007506baf9 7 bytes JMP 000000015ba733f3 .text C:\windows\splwow64.exe[2804] C:\windows\syswow64\ole32.dll!CoRevokeClassObject 000000007508eabf 5 bytes JMP 000000015ba72954 .text C:\windows\splwow64.exe[2804] C:\windows\syswow64\ole32.dll!CoGetInstanceFromFile 00000000750c352c 5 bytes JMP 000000015ba74a4a .text C:\windows\splwow64.exe[2804] C:\windows\syswow64\ole32.dll!OleRegEnumFormatEtc 000000007510d0f1 5 bytes JMP 000000015ba7330d .text C:\windows\splwow64.exe[2804] 
C:\windows\syswow64\OLEAUT32.dll!RegisterActiveObject 0000000074f827a6 5 bytes JMP 000000015ba72be7 .text C:\windows\splwow64.exe[2804] C:\windows\syswow64\OLEAUT32.dll!RevokeActiveObject 0000000074f8329c 5 bytes JMP 000000015ba72d08 .text C:\windows\splwow64.exe[2804] C:\windows\syswow64\OLEAUT32.dll!GetActiveObject 0000000074f98f68 5 bytes JMP 000000015ba72d7b .text C:\windows\splwow64.exe[2804] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076f01401 2 bytes JMP 7671b21b C:\windows\syswow64\kernel32.dll .text C:\windows\splwow64.exe[2804] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076f01419 2 bytes JMP 7671b346 C:\windows\syswow64\kernel32.dll .text C:\windows\splwow64.exe[2804] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076f01431 2 bytes JMP 76798fd1 C:\windows\syswow64\kernel32.dll .text C:\windows\splwow64.exe[2804] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076f0144a 2 bytes CALL 766f489d C:\windows\syswow64\kernel32.dll .text ... 
* 9 .text C:\windows\splwow64.exe[2804] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076f014dd 2 bytes JMP 767988c4 C:\windows\syswow64\kernel32.dll .text C:\windows\splwow64.exe[2804] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076f014f5 2 bytes JMP 76798aa0 C:\windows\syswow64\kernel32.dll .text C:\windows\splwow64.exe[2804] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076f0150d 2 bytes JMP 767987ba C:\windows\syswow64\kernel32.dll .text C:\windows\splwow64.exe[2804] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076f01525 2 bytes JMP 76798b8a C:\windows\syswow64\kernel32.dll .text C:\windows\splwow64.exe[2804] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076f0153d 2 bytes JMP 7670fca8 C:\windows\syswow64\kernel32.dll .text C:\windows\splwow64.exe[2804] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076f01555 2 bytes JMP 767168ef C:\windows\syswow64\kernel32.dll .text C:\windows\splwow64.exe[2804] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076f0156d 2 bytes JMP 76799089 C:\windows\syswow64\kernel32.dll .text C:\windows\splwow64.exe[2804] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076f01585 2 bytes JMP 76798bea C:\windows\syswow64\kernel32.dll .text C:\windows\splwow64.exe[2804] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076f0159d 2 bytes JMP 7679877e C:\windows\syswow64\kernel32.dll .text C:\windows\splwow64.exe[2804] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076f015b5 2 bytes JMP 7670fd41 C:\windows\syswow64\kernel32.dll .text C:\windows\splwow64.exe[2804] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076f015cd 2 bytes JMP 7671b2dc C:\windows\syswow64\kernel32.dll .text C:\windows\splwow64.exe[2804] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076f016b2 2 bytes JMP 76798f4c C:\windows\syswow64\kernel32.dll .text C:\windows\splwow64.exe[2804] 
C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076f016bd 2 bytes JMP 76798713 C:\windows\syswow64\kernel32.dll

---- Processes - GMER 2.1 ----

Library C:\Users\Patrycja\AppData\Local\HipRehem\LodestarsUnfastened.dll (*** suspicious ***) @ C:\windows\SysWOW64\rundll32.exe [3984](2015- 0000000010000000
Library Q:\140066.plk\Office14\WINWORDC.EXE (*** suspicious ***) @ Q:\140066.plk\Office14\WINWORDC.EXE [2340] 000000002ff60000
Library Q:\140066.plk\Office14\wwlibc.dll (*** suspicious ***) @ Q:\140066.plk\Office14\WINWORDC.EXE [2340] 00000000546d0000
Library Q:\140066.plk\Office14\gfx.dll (*** suspicious ***) @ Q:\140066.plk\Office14\WINWORDC.EXE [2340] 000000005b610000
Library Q:\140066.plk\Office14\oart.dll (*** suspicious ***) @ Q:\140066.plk\Office14\WINWORDC.EXE [2340] 0000000053350000
Library Q:\140066.plk\VFS\CSIDL_PROGRAM_FILES_COMMON\Microsoft Shared\OFFICE14\MSO.DLL (*** suspicious ***) @ Q:\140066.plk\Office14\WINWORDC.EXE [2340] 00000000521b0000
Library Q:\140066.plk\VFS\CSIDL_PROGRAM_FILES_COMMON\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF (*** suspicious ***) @ Q:\140066.plk\Office14\WINWORDC.EXE [2340] 0000000059260000
Library Q:\140066.plk\Office14\1045\WWINTLC.DLL (*** suspicious ***) @ Q:\140066.plk\Office14\WINWORDC.EXE [2340] 0000000057070000
Library Q:\140066.plk\VFS\CSIDL_PROGRAM_FILES_COMMON\Microsoft Shared\OFFICE14\1045\MSOINTL.DLL (*** suspicious ***) @ Q:\140066.plk\Office14\WINWORDC.EXE [2340] 0000000056d40000
Library Q:\140066.plk\VFS\CSIDL_PROGRAM_FILES_COMMON\Microsoft Shared\OFFICE14\MSPTLS.DLL (*** suspicious ***) @ Q:\140066.plk\Office14\WINWORDC.EXE [2340] 0000000060930000
Library Q:\140066.plk\VFS\CSIDL_PROGRAM_FILES_COMMON\Microsoft Shared\OFFICE14\RICHED20.DLL (*** suspicious ***) @ Q:\140066.plk\Office14\WINWORDC.EXE [2340] 0000000056bf0000
Library Q:\140066.plk\VFS\CSIDL_PROGRAM_FILES_COMMON\Microsoft Shared\OFFICE14\MSORES.DLL (*** suspicious ***) @ Q:\140066.plk\Office14\WINWORDC.EXE [2340] 0000000003390000
Library Q:\140066.plk\VFS\CSIDL_PROGRAM_FILES_COMMON\Microsoft Shared\OFFICE14\OPHPROXY.DLL (*** suspicious ***) @ Q:\140066.plk\Office14\WINWORDC.EXE [2340] 0000000073f90000
Library Q:\140066.plk\VFS\CSIDL_PROGRAM_FILES_COMMON\Microsoft Shared\OFFICE14\USP10.DLL (*** suspicious ***) @ Q:\140066.plk\Office14\WINWORDC.EXE [2340] 000000005ca50000
Library Q:\140066.plk\Office14\msproof7.dll (*** suspicious ***) @ Q:\140066.plk\Office14\WINWORDC.EXE [2340] 000000006a210000
Library Q:\140066.plk\VFS\CSIDL_PROGRAM_FILES_COMMON\Microsoft Shared\PROOF\MSLID.DLL (*** suspicious ***) @ Q:\140066.plk\Office14\WINWORDC.EXE [2340] 00000000689b0000
Library Q:\140066.plk\Office14\WINWORDC.EXE (*** suspicious ***) @ Q:\140066.plk\Office14\WINWORDC.EXE [5440] 000000002ff60000
Library Q:\140066.plk\Office14\wwlibc.dll (*** suspicious ***) @ Q:\140066.plk\Office14\WINWORDC.EXE [5440] 00000000546d0000
Library Q:\140066.plk\Office14\gfx.dll (*** suspicious ***) @ Q:\140066.plk\Office14\WINWORDC.EXE [5440] 000000005b610000
Library Q:\140066.plk\Office14\oart.dll (*** suspicious ***) @ Q:\140066.plk\Office14\WINWORDC.EXE [5440] 0000000053350000
Library Q:\140066.plk\VFS\CSIDL_PROGRAM_FILES_COMMON\Microsoft Shared\OFFICE14\MSO.DLL (*** suspicious ***) @ Q:\140066.plk\Office14\WINWORDC.EXE [5440] 00000000521b0000
Library Q:\140066.plk\VFS\CSIDL_PROGRAM_FILES_COMMON\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF (*** suspicious ***) @ Q:\140066.plk\Office14\WINWORDC.EXE [5440] 0000000059260000
Library Q:\140066.plk\Office14\1045\WWINTLC.DLL (*** suspicious ***) @ Q:\140066.plk\Office14\WINWORDC.EXE [5440] 0000000057070000
Library Q:\140066.plk\VFS\CSIDL_PROGRAM_FILES_COMMON\Microsoft Shared\OFFICE14\MSPTLS.DLL (*** suspicious ***) @ Q:\140066.plk\Office14\WINWORDC.EXE [5440] 0000000060930000
Library Q:\140066.plk\VFS\CSIDL_PROGRAM_FILES_COMMON\Microsoft Shared\OFFICE14\RICHED20.DLL (*** suspicious ***) @ Q:\140066.plk\Office14\WINWORDC.EXE [5440] 0000000056bf0000
Library Q:\140066.plk\VFS\CSIDL_PROGRAM_FILES_COMMON\Microsoft Shared\OFFICE14\MSORES.DLL (*** suspicious ***) @ Q:\140066.plk\Office14\WINWORDC.EXE [5440] 0000000003960000
Library Q:\140066.plk\VFS\CSIDL_PROGRAM_FILES_COMMON\Microsoft Shared\OFFICE14\1045\MSOINTL.DLL (*** suspicious ***) @ Q:\140066.plk\Office14\WINWORDC.EXE [5440] 0000000056d40000
Library Q:\140066.plk\VFS\CSIDL_PROGRAM_FILES_COMMON\Microsoft Shared\OFFICE14\OPHPROXY.DLL (*** suspicious ***) @ Q:\140066.plk\Office14\WINWORDC.EXE [5440] 0000000073f90000
Library Q:\140066.plk\Office14\MSOHEV.DLL (*** suspicious ***) @ Q:\140066.plk\Office14\WINWORDC.EXE [5440] 0000000073f70000
Library Q:\140066.plk\VFS\CSIDL_PROGRAM_FILES_COMMON\Microsoft Shared\OFFICE14\USP10.DLL (*** suspicious ***) @ Q:\140066.plk\Office14\WINWORDC.EXE [5440] 000000005ca50000
Library Q:\140066.plk\VFS\CSIDL_PROGRAM_FILES_COMMON\Microsoft Shared\VBA\VBA7\VBE7.DLL (*** suspicious ***) @ Q:\140066.plk\Office14\WINWORDC.EXE [5440] 0000000051f10000
Library Q:\140066.plk\VFS\CSIDL_PROGRAM_FILES_COMMON\Microsoft Shared\VBA\VBA7\1033\VBE7INTL.DLL (*** suspicious ***) @ Q:\140066.plk\Office14\WINWORDC.EXE [5440] 0000000065300000
Library Q:\140066.plk\Office14\OffSpon.EXE (*** suspicious ***) @ Q:\140066.plk\Office14\OffSpon.EXE [2804] 000000002dfb0000
Library Q:\140066.plk\Office14\msadctls.dll (*** suspicious ***) @ Q:\140066.plk\Office14\OffSpon.EXE [2804] 0000000051c00000

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\e8039ac40160
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\e81132e4b5de
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\e81132ed2537
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xD0 0x5F 0xE8 0xED ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\e8039ac40160 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\e81132e4b5de (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\e81132ed2537 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xD0 0x5F 0xE8 0xED ...

---- Disk sectors - GMER 2.1 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- EOF - GMER 2.1 ----