GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2014-01-12 21:59:17 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST950032 rev.0003 465,76GB Running: slh707zl.exe; Driver: C:\Users\MICHA^~1\AppData\Local\Temp\afrdrpoc.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff800039ee000 16 bytes [8B, E3, 41, 5F, 41, 5E, 41, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 545 fffff800039ee011 35 bytes {LEA ECX, [RSP+0x70]; CALL 0x3d64f} .text C:\Windows\system32\drivers\USBPORT.SYS!DllUnload fffff88004e28d8c 12 bytes {MOV RAX, 0xfffffa8006ebb2a0; JMP RAX} ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\wininit.exe[752] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077a8eecd 1 byte [62] .text C:\Windows\system32\services.exe[816] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077a8eecd 1 byte [62] .text C:\Windows\system32\winlogon.exe[900] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077a8eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[988] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077a8eecd 1 byte [62] .text C:\Windows\system32\nvvsvc.exe[372] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077a8eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[680] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077a8eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[540] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077a8eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[492] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077a8eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077a8eecd 1 byte [62] .text C:\Program Files\Tablet\Pen\WTabletServiceCon.exe[1236] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 
0000000077a8eecd 1 byte [62] .text C:\Program Files\Tablet\Wacom\WTabletServicePro.exe[1264] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077a8eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1328] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077a8eecd 1 byte [62] .text C:\Windows\system32\FBAgent.exe[1428] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077a8eecd 1 byte [62] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1452] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076f8a2ba 1 byte [62] .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1508] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076f8a2ba 1 byte [62] .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1600] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077a8eecd 1 byte [62] .text C:\Windows\system32\nvvsvc.exe[1612] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077a8eecd 1 byte [62] .text C:\Windows\SYSTEM32\WISPTIS.EXE[1644] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077a8eecd 1 byte [62] .text C:\Windows\System32\spoolsv.exe[1824] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077a8eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1852] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077a8eecd 1 byte [62] .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[1972] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076f8a2ba 1 byte [62] .text C:\Windows\system32\taskhost.exe[2228] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077a8eecd 1 byte [62] .text C:\Windows\SYSTEM32\WISPTIS.EXE[2300] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077a8eecd 1 byte [62] .text C:\Windows\Explorer.EXE[2580] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077a8eecd 1 byte [62] .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2692] 
C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077a8eecd 1 byte [62] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2780] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077a8eecd 1 byte [62] .text C:\Windows\SysWOW64\srvany.exe[2844] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076f8a2ba 1 byte [62] .text C:\Windows\KMService.exe[2868] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076f8a2ba 1 byte [62] .text C:\ProgramData\DatacardService\DCSHelper.exe[2876] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076f8a2ba 1 byte [62] .text C:\Program Files\Autodesk\3ds Max 2012\mentalimages\satellite\raysat_3dsmax2012_64server.exe[2884] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076f8a2ba 1 byte [62] .text C:\Program Files\Autodesk\3ds Max 2012\mentalimages\satellite\raysat_3dsmax2012_64server.exe[2884] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000764e1465 2 bytes [4E, 76] .text C:\Program Files\Autodesk\3ds Max 2012\mentalimages\satellite\raysat_3dsmax2012_64server.exe[2884] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000764e14bb 2 bytes [4E, 76] .text ... 
* 2 .text C:\Windows\SysWOW64\PnkBstrA.exe[2940] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076f8a2ba 1 byte [62] .text C:\Windows\SysWOW64\PnkBstrA.exe[2940] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 0000000074d31a22 2 bytes [D3, 74] .text C:\Windows\SysWOW64\PnkBstrA.exe[2940] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 0000000074d31ad0 2 bytes [D3, 74] .text C:\Windows\SysWOW64\PnkBstrA.exe[2940] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 0000000074d31b08 2 bytes [D3, 74] .text C:\Windows\SysWOW64\PnkBstrA.exe[2940] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 0000000074d31bba 2 bytes [D3, 74] .text C:\Windows\SysWOW64\PnkBstrA.exe[2940] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 0000000074d31bda 2 bytes [D3, 74] .text c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[2980] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076f8a2ba 1 byte [62] .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe[1656] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076f8a2ba 1 byte [62] .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[2376] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076f8a2ba 1 byte [62] .text C:\Program Files (x86)\Realtek\11n USB Wireless LAN Utility\RtlService.exe[2600] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076f8a2ba 1 byte [62] .text C:\Windows\system32\svchost.exe[2648] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077a8eecd 1 byte [62] .text C:\Program Files (x86)\Realtek\11n USB Wireless LAN Utility\RtWlan.exe[3156] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076f8a2ba 1 byte [62] .text C:\Windows\System32\igfxtray.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b73b10 5 bytes JMP 00000001004a075c .text C:\Windows\System32\igfxtray.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b77ac0 5 bytes JMP 00000001004a03a4 .text 
C:\Windows\System32\igfxtray.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077ba1430 5 bytes JMP 00000001004a0b14 .text C:\Windows\System32\igfxtray.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077ba1490 5 bytes JMP 00000001004a0ecc .text C:\Windows\System32\igfxtray.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ba1570 5 bytes JMP 00000001004a163c .text C:\Windows\System32\igfxtray.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077ba17b0 5 bytes JMP 00000001004a1284 .text C:\Windows\System32\igfxtray.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077ba27e0 5 bytes JMP 00000001004a19f4 .text C:\Windows\System32\igfxtray.exe[3568] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000077a8eecd 1 byte [62] .text C:\Windows\System32\igfxtray.exe[3568] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe456e00 5 bytes JMP 000007ff7e471dac .text C:\Windows\System32\igfxtray.exe[3568] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe456f2c 5 bytes JMP 000007ff7e470ecc .text C:\Windows\System32\igfxtray.exe[3568] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe457220 5 bytes JMP 000007ff7e471284 .text C:\Windows\System32\igfxtray.exe[3568] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe45739c 5 bytes JMP 000007ff7e47163c .text C:\Windows\System32\igfxtray.exe[3568] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe457538 5 bytes JMP 000007ff7e4719f4 .text C:\Windows\System32\igfxtray.exe[3568] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe4575e8 5 bytes JMP 000007ff7e4703a4 .text C:\Windows\System32\igfxtray.exe[3568] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe45790c 5 bytes JMP 000007ff7e47075c .text C:\Windows\System32\igfxtray.exe[3568] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe457ab4 5 bytes JMP 000007ff7e470b14 .text 
C:\Windows\System32\hkcmd.exe[3576] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b73b10 5 bytes JMP 000000010043075c .text C:\Windows\System32\hkcmd.exe[3576] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b77ac0 5 bytes JMP 00000001004303a4 .text C:\Windows\System32\hkcmd.exe[3576] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077ba1430 5 bytes JMP 0000000100430b14 .text C:\Windows\System32\hkcmd.exe[3576] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077ba1490 5 bytes JMP 0000000100430ecc .text C:\Windows\System32\hkcmd.exe[3576] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ba1570 5 bytes JMP 000000010043163c .text C:\Windows\System32\hkcmd.exe[3576] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077ba17b0 5 bytes JMP 0000000100431284 .text C:\Windows\System32\hkcmd.exe[3576] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077ba27e0 5 bytes JMP 00000001004319f4 .text C:\Windows\System32\hkcmd.exe[3576] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000077a8eecd 1 byte [62] .text C:\Windows\System32\hkcmd.exe[3576] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe456e00 5 bytes JMP 000007ff7e471dac .text C:\Windows\System32\hkcmd.exe[3576] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe456f2c 5 bytes JMP 000007ff7e470ecc .text C:\Windows\System32\hkcmd.exe[3576] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe457220 5 bytes JMP 000007ff7e471284 .text C:\Windows\System32\hkcmd.exe[3576] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe45739c 5 bytes JMP 000007ff7e47163c .text C:\Windows\System32\hkcmd.exe[3576] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe457538 5 bytes JMP 000007ff7e4719f4 .text C:\Windows\System32\hkcmd.exe[3576] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe4575e8 5 bytes JMP 000007ff7e4703a4 .text C:\Windows\System32\hkcmd.exe[3576] 
C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe45790c 5 bytes JMP 000007ff7e47075c .text C:\Windows\System32\hkcmd.exe[3576] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe457ab4 5 bytes JMP 000007ff7e470b14 .text C:\Windows\System32\igfxpers.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b73b10 5 bytes JMP 000000010033075c .text C:\Windows\System32\igfxpers.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b77ac0 5 bytes JMP 00000001003303a4 .text C:\Windows\System32\igfxpers.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077ba1430 5 bytes JMP 0000000100330b14 .text C:\Windows\System32\igfxpers.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077ba1490 5 bytes JMP 0000000100330ecc .text C:\Windows\System32\igfxpers.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ba1570 5 bytes JMP 000000010033163c .text C:\Windows\System32\igfxpers.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077ba17b0 5 bytes JMP 0000000100331284 .text C:\Windows\System32\igfxpers.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077ba27e0 5 bytes JMP 00000001003319f4 .text C:\Windows\System32\igfxpers.exe[3584] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000077a8eecd 1 byte [62] .text C:\Windows\System32\igfxpers.exe[3584] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe456e00 5 bytes JMP 000007ff7e471dac .text C:\Windows\System32\igfxpers.exe[3584] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe456f2c 5 bytes JMP 000007ff7e470ecc .text C:\Windows\System32\igfxpers.exe[3584] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe457220 5 bytes JMP 000007ff7e471284 .text C:\Windows\System32\igfxpers.exe[3584] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe45739c 5 bytes JMP 000007ff7e47163c .text C:\Windows\System32\igfxpers.exe[3584] 
C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe457538 5 bytes JMP 000007ff7e4719f4 .text C:\Windows\System32\igfxpers.exe[3584] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe4575e8 5 bytes JMP 000007ff7e4703a4 .text C:\Windows\System32\igfxpers.exe[3584] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe45790c 5 bytes JMP 000007ff7e47075c .text C:\Windows\System32\igfxpers.exe[3584] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe457ab4 5 bytes JMP 000007ff7e470b14 .text C:\Program Files\Elantech\ETDCtrl.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b73b10 5 bytes JMP 000000010023075c .text C:\Program Files\Elantech\ETDCtrl.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b77ac0 5 bytes JMP 00000001002303a4 .text C:\Program Files\Elantech\ETDCtrl.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077ba1430 5 bytes JMP 0000000100230b14 .text C:\Program Files\Elantech\ETDCtrl.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077ba1490 5 bytes JMP 0000000100230ecc .text C:\Program Files\Elantech\ETDCtrl.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ba1570 5 bytes JMP 000000010023163c .text C:\Program Files\Elantech\ETDCtrl.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077ba17b0 5 bytes JMP 0000000100231284 .text C:\Program Files\Elantech\ETDCtrl.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077ba27e0 5 bytes JMP 00000001002319f4 .text C:\Program Files\Elantech\ETDCtrl.exe[3724] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000077a8eecd 1 byte [62] .text C:\Program Files\Elantech\ETDCtrl.exe[3724] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe456e00 5 bytes JMP 000007ff7e471dac .text C:\Program Files\Elantech\ETDCtrl.exe[3724] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe456f2c 5 bytes JMP 000007ff7e470ecc .text C:\Program 
Files\Elantech\ETDCtrl.exe[3724] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe457220 5 bytes JMP 000007ff7e471284 .text C:\Program Files\Elantech\ETDCtrl.exe[3724] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe45739c 5 bytes JMP 000007ff7e47163c .text C:\Program Files\Elantech\ETDCtrl.exe[3724] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe457538 5 bytes JMP 000007ff7e4719f4 .text C:\Program Files\Elantech\ETDCtrl.exe[3724] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe4575e8 5 bytes JMP 000007ff7e4703a4 .text C:\Program Files\Elantech\ETDCtrl.exe[3724] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe45790c 5 bytes JMP 000007ff7e47075c .text C:\Program Files\Elantech\ETDCtrl.exe[3724] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe457ab4 5 bytes JMP 000007ff7e470b14 .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3736] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077d4fac0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3736] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077d4fb58 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3736] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077d4fcb0 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3736] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d50038 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3736] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077d51920 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3736] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077d6c4dd 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3736] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077d71287 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\ASUS\ATK 
Hotkey\KBFiltr.exe[3736] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076f8a2ba 1 byte [62] .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3736] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000765aee09 5 bytes JMP 00000001003c01f8 .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3736] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000765b3982 5 bytes JMP 00000001003c03fc .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3736] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000765b7603 5 bytes JMP 00000001003c0804 .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3736] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000765b835c 5 bytes JMP 00000001003c0600 .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3736] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000765cf52b 5 bytes JMP 00000001003c0a08 .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3736] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000757b5181 5 bytes JMP 00000001003d1014 .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3736] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000757b5254 5 bytes JMP 00000001003d0804 .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3736] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000757b53d5 5 bytes JMP 00000001003d0a08 .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3736] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000757b54c2 5 bytes JMP 00000001003d0c0c .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3736] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000757b55e2 5 bytes JMP 00000001003d0e10 .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3736] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000757b567c 5 bytes JMP 00000001003d01f8 .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3736] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000757b589f 5 
bytes JMP 00000001003d03fc .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[3736] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000757b5a22 5 bytes JMP 00000001003d0600 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[3760] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b73b10 5 bytes JMP 000000010041075c .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[3760] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b77ac0 5 bytes JMP 00000001004103a4 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[3760] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077ba1430 5 bytes JMP 0000000100410b14 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[3760] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077ba1490 5 bytes JMP 0000000100410ecc .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[3760] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ba1570 5 bytes JMP 000000010041163c .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[3760] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077ba17b0 5 bytes JMP 0000000100411284 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[3760] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077ba27e0 5 bytes JMP 00000001004119f4 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[3760] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000077a8eecd 1 byte [62] .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[3760] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe456e00 5 bytes JMP 000007ff7e471dac .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[3760] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe456f2c 5 bytes JMP 000007ff7e470ecc .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[3760] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe457220 5 bytes JMP 000007ff7e471284 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[3760] 
C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe45739c 5 bytes JMP 000007ff7e47163c .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[3760] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe457538 5 bytes JMP 000007ff7e4719f4 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[3760] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe4575e8 5 bytes JMP 000007ff7e4703a4 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[3760] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe45790c 5 bytes JMP 000007ff7e47075c .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[3760] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe457ab4 5 bytes JMP 000007ff7e470b14 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b73b10 5 bytes JMP 00000001004b075c .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b77ac0 5 bytes JMP 00000001004b03a4 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077ba1430 5 bytes JMP 00000001004b0b14 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077ba1490 5 bytes JMP 00000001004b0ecc .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ba1570 5 bytes JMP 00000001004b163c .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077ba17b0 5 bytes JMP 00000001004b1284 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077ba27e0 5 bytes JMP 00000001004b19f4 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3808] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000077a8eecd 1 byte [62] 
.text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3808] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe456e00 5 bytes JMP 000007ff7e471dac .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3808] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe456f2c 5 bytes JMP 000007ff7e470ecc .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3808] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe457220 5 bytes JMP 000007ff7e471284 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3808] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe45739c 5 bytes JMP 000007ff7e47163c .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3808] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe457538 5 bytes JMP 000007ff7e4719f4 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3808] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe4575e8 5 bytes JMP 000007ff7e4703a4 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3808] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe45790c 5 bytes JMP 000007ff7e47075c .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[3808] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe457ab4 5 bytes JMP 000007ff7e470b14 .text C:\Windows\System32\WTMKM.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b73b10 5 bytes JMP 000000010042075c .text C:\Windows\System32\WTMKM.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b77ac0 5 bytes JMP 00000001004203a4 .text C:\Windows\System32\WTMKM.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077ba1430 5 bytes JMP 0000000100420b14 .text C:\Windows\System32\WTMKM.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077ba1490 5 bytes JMP 0000000100420ecc .text C:\Windows\System32\WTMKM.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ba1570 5 bytes JMP 000000010042163c .text 
C:\Windows\System32\WTMKM.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077ba17b0 5 bytes JMP 0000000100421284 .text C:\Windows\System32\WTMKM.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077ba27e0 5 bytes JMP 00000001004219f4 .text C:\Windows\System32\WTMKM.exe[3840] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000077a8eecd 1 byte [62] .text C:\Windows\System32\WTMKM.exe[3840] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe456e00 5 bytes JMP 000007ff7e471dac .text C:\Windows\System32\WTMKM.exe[3840] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe456f2c 5 bytes JMP 000007ff7e470ecc .text C:\Windows\System32\WTMKM.exe[3840] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe457220 5 bytes JMP 000007ff7e471284 .text C:\Windows\System32\WTMKM.exe[3840] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe45739c 5 bytes JMP 000007ff7e47163c .text C:\Windows\System32\WTMKM.exe[3840] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe457538 5 bytes JMP 000007ff7e4719f4 .text C:\Windows\System32\WTMKM.exe[3840] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe4575e8 5 bytes JMP 000007ff7e4703a4 .text C:\Windows\System32\WTMKM.exe[3840] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe45790c 5 bytes JMP 000007ff7e47075c .text C:\Windows\System32\WTMKM.exe[3840] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe457ab4 5 bytes JMP 000007ff7e470b14 .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3944] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077d4fac0 5 bytes JMP 00000001001d0600 .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3944] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077d4fb58 5 bytes JMP 00000001001d0804 .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3944] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077d4fcb0 5 bytes JMP 00000001001d0c0c .text C:\Program 
Files (x86)\ASUS\ATK Hotkey\WDC.exe[3944] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d50038 5 bytes JMP 00000001001d0a08 .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3944] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077d51920 5 bytes JMP 00000001001d0e10 .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3944] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077d6c4dd 5 bytes JMP 00000001001d01f8 .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3944] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077d71287 5 bytes JMP 00000001001d03fc .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3944] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076f8a2ba 1 byte [62] .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3944] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000765aee09 5 bytes JMP 00000001002601f8 .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3944] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000765b3982 5 bytes JMP 00000001002603fc .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3944] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000765b7603 5 bytes JMP 0000000100260804 .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3944] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000765b835c 5 bytes JMP 0000000100260600 .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3944] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000765cf52b 5 bytes JMP 0000000100260a08 .text C:\Windows\AsScrPro.exe[4024] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077d4fac0 5 bytes JMP 0000000100030600 .text C:\Windows\AsScrPro.exe[4024] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077d4fb58 5 bytes JMP 0000000100030804 .text C:\Windows\AsScrPro.exe[4024] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077d4fcb0 5 bytes JMP 0000000100030c0c .text C:\Windows\AsScrPro.exe[4024] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 
0000000077d50038 5 bytes JMP 0000000100030a08 .text C:\Windows\AsScrPro.exe[4024] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077d51920 5 bytes JMP 0000000100030e10 .text C:\Windows\AsScrPro.exe[4024] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077d6c4dd 5 bytes JMP 00000001000301f8 .text C:\Windows\AsScrPro.exe[4024] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077d71287 5 bytes JMP 00000001000303fc .text C:\Windows\AsScrPro.exe[4024] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076f8a2ba 1 byte [62] .text C:\Windows\AsScrPro.exe[4024] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000765aee09 5 bytes JMP 00000001002401f8 .text C:\Windows\AsScrPro.exe[4024] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000765b3982 5 bytes JMP 00000001002403fc .text C:\Windows\AsScrPro.exe[4024] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000765b7603 5 bytes JMP 0000000100240804 .text C:\Windows\AsScrPro.exe[4024] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000765b835c 5 bytes JMP 0000000100240600 .text C:\Windows\AsScrPro.exe[4024] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000765cf52b 5 bytes JMP 0000000100240a08 .text C:\Windows\AsScrPro.exe[4024] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000764e1465 2 bytes [4E, 76] .text C:\Windows\AsScrPro.exe[4024] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000764e14bb 2 bytes [4E, 76] .text ... 
* 2 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b73b10 5 bytes JMP 00000001004b075c .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b77ac0 5 bytes JMP 00000001004b03a4 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077ba1430 5 bytes JMP 00000001004b0b14 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077ba1490 5 bytes JMP 00000001004b0ecc .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ba1570 5 bytes JMP 00000001004b163c .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077ba17b0 5 bytes JMP 00000001004b1284 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077ba27e0 5 bytes JMP 00000001004b19f4 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2140] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000077a8eecd 1 byte [62] .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3188] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077d4fac0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3188] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077d4fb58 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3188] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077d4fcb0 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3188] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d50038 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3188] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 
0000000077d51920 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3188] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077d6c4dd 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3188] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077d71287 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3188] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076f8a2ba 1 byte [62] .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3188] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000765aee09 5 bytes JMP 00000001002401f8 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3188] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000765b3982 5 bytes JMP 00000001002403fc .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3188] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000765b7603 5 bytes JMP 0000000100240804 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3188] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000765b835c 5 bytes JMP 0000000100240600 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3188] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000765cf52b 5 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3188] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000757b5181 5 bytes JMP 0000000100251014 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3188] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000757b5254 5 bytes JMP 0000000100250804 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3188] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000757b53d5 5 bytes JMP 0000000100250a08 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3188] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000757b54c2 5 bytes JMP 0000000100250c0c .text C:\Program Files 
(x86)\CyberLink\Power2Go\CLMLSvc.exe[3188] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000757b55e2 5 bytes JMP 0000000100250e10 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3188] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000757b567c 5 bytes JMP 00000001002501f8 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3188] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000757b589f 5 bytes JMP 00000001002503fc .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3188] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000757b5a22 5 bytes JMP 0000000100250600 .text C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe[4304] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077d4fac0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe[4304] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077d4fb58 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe[4304] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077d4fcb0 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe[4304] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d50038 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe[4304] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077d51920 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe[4304] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077d6c4dd 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe[4304] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077d71287 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe[4304] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076f8a2ba 1 byte [62] .text C:\Program Files (x86)\ASUS\Sonic 
Focus\SonicFocusTray.exe[4304] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000765aee09 5 bytes JMP 00000001002401f8 .text C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe[4304] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000765b3982 5 bytes JMP 00000001002403fc .text C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe[4304] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000765b7603 5 bytes JMP 0000000100240804 .text C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe[4304] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000765b835c 5 bytes JMP 0000000100240600 .text C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe[4304] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000765cf52b 5 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe[4304] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000757b5181 5 bytes JMP 0000000100251014 .text C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe[4304] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000757b5254 5 bytes JMP 0000000100250804 .text C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe[4304] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000757b53d5 5 bytes JMP 0000000100250a08 .text C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe[4304] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000757b54c2 5 bytes JMP 0000000100250c0c .text C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe[4304] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000757b55e2 5 bytes JMP 0000000100250e10 .text C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe[4304] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000757b567c 5 bytes JMP 00000001002501f8 .text C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe[4304] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000757b589f 5 bytes JMP 00000001002503fc .text C:\Program Files 
(x86)\ASUS\Sonic Focus\SonicFocusTray.exe[4304] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000757b5a22 5 bytes JMP 0000000100250600 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4360] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077d4fac0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4360] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077d4fb58 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4360] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077d4fcb0 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4360] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d50038 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4360] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077d51920 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4360] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077d6c4dd 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4360] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077d71287 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4360] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076f8a2ba 1 byte [62] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4360] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000765aee09 5 bytes JMP 00000001002401f8 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4360] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000765b3982 5 bytes JMP 00000001002403fc .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4360] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000765b7603 5 bytes JMP 0000000100240804 .text C:\Program Files 
(x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4360] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000765b835c 5 bytes JMP 0000000100240600 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4360] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000765cf52b 5 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4360] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000757b5181 5 bytes JMP 0000000100251014 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4360] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000757b5254 5 bytes JMP 0000000100250804 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4360] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000757b53d5 5 bytes JMP 0000000100250a08 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4360] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000757b54c2 5 bytes JMP 0000000100250c0c .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4360] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000757b55e2 5 bytes JMP 0000000100250e10 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4360] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000757b567c 5 bytes JMP 00000001002501f8 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4360] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000757b589f 5 bytes JMP 00000001002503fc .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4360] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000757b5a22 5 bytes JMP 0000000100250600 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4384] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b73b10 5 bytes JMP 000000010036075c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4384] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b77ac0 5 
bytes JMP 00000001003603a4 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4384] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077ba1430 5 bytes JMP 0000000100360b14 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4384] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077ba1490 5 bytes JMP 0000000100360ecc .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4384] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ba1570 5 bytes JMP 000000010036163c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4384] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077ba17b0 5 bytes JMP 0000000100361284 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4384] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077ba27e0 5 bytes JMP 00000001003619f4 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4384] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000077a8eecd 1 byte [62] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4384] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe456e00 5 bytes JMP 000007ff7e471dac .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4384] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe456f2c 5 bytes JMP 000007ff7e470ecc .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4384] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe457220 5 bytes JMP 000007ff7e471284 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4384] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe45739c 5 bytes JMP 000007ff7e47163c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4384] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe457538 5 bytes 
JMP 000007ff7e4719f4 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4384] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe4575e8 5 bytes JMP 000007ff7e4703a4 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4384] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe45790c 5 bytes JMP 000007ff7e47075c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4384] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe457ab4 5 bytes JMP 000007ff7e470b14 .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4440] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077d4fac0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4440] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077d4fb58 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4440] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077d4fcb0 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4440] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d50038 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4440] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077d51920 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4440] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077d6c4dd 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4440] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077d71287 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4440] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076f8a2ba 1 byte [62] .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4440] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000765aee09 5 bytes JMP 00000001003c01f8 
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4440] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000765b3982 5 bytes JMP 00000001003c03fc .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4440] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000765b7603 5 bytes JMP 00000001003c0804 .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4440] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000765b835c 5 bytes JMP 00000001003c0600 .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4440] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000765cf52b 5 bytes JMP 00000001003c0a08 .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4440] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000757b5181 5 bytes JMP 00000001003d1014 .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4440] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000757b5254 5 bytes JMP 00000001003d0804 .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4440] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000757b53d5 5 bytes JMP 00000001003d0a08 .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4440] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000757b54c2 5 bytes JMP 00000001003d0c0c .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4440] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000757b55e2 5 bytes JMP 00000001003d0e10 .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4440] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000757b567c 5 bytes JMP 00000001003d01f8 .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4440] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000757b589f 5 bytes JMP 00000001003d03fc .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4440] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000757b5a22 5 bytes JMP 00000001003d0600 .text C:\Program Files 
(x86)\ASUS\Wireless Console 3\wcourier.exe[4452] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077d4fac0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[4452] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077d4fb58 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[4452] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077d4fcb0 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[4452] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d50038 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[4452] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077d51920 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[4452] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077d6c4dd 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[4452] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077d71287 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[4452] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076f8a2ba 1 byte [62] .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[4452] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000765aee09 5 bytes JMP 00000001002401f8 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[4452] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000765b3982 5 bytes JMP 00000001002403fc .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[4452] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000765b7603 5 bytes JMP 0000000100240804 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[4452] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000765b835c 5 bytes JMP 0000000100240600 .text C:\Program Files 
(x86)\ASUS\Wireless Console 3\wcourier.exe[4452] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000765cf52b 5 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[4452] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000757b5181 5 bytes JMP 0000000100251014 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[4452] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000757b5254 5 bytes JMP 0000000100250804 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[4452] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000757b53d5 5 bytes JMP 0000000100250a08 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[4452] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000757b54c2 5 bytes JMP 0000000100250c0c .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[4452] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000757b55e2 5 bytes JMP 0000000100250e10 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[4452] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000757b567c 5 bytes JMP 00000001002501f8 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[4452] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000757b589f 5 bytes JMP 00000001002503fc .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[4452] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000757b5a22 5 bytes JMP 0000000100250600 .text C:\Program Files (x86)\PLAY ONLINE\UIExec.exe[4464] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077d4fac0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\PLAY ONLINE\UIExec.exe[4464] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077d4fb58 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\PLAY ONLINE\UIExec.exe[4464] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077d4fcb0 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\PLAY 
ONLINE\UIExec.exe[4464] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d50038 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\PLAY ONLINE\UIExec.exe[4464] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077d51920 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\PLAY ONLINE\UIExec.exe[4464] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077d6c4dd 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\PLAY ONLINE\UIExec.exe[4464] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077d71287 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\PLAY ONLINE\UIExec.exe[4464] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076f8a2ba 1 byte [62] .text C:\Program Files (x86)\PLAY ONLINE\UIExec.exe[4464] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000765aee09 5 bytes JMP 00000001001001f8 .text C:\Program Files (x86)\PLAY ONLINE\UIExec.exe[4464] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000765b3982 5 bytes JMP 00000001001003fc .text C:\Program Files (x86)\PLAY ONLINE\UIExec.exe[4464] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000765b7603 5 bytes JMP 0000000100100804 .text C:\Program Files (x86)\PLAY ONLINE\UIExec.exe[4464] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000765b835c 5 bytes JMP 0000000100100600 .text C:\Program Files (x86)\PLAY ONLINE\UIExec.exe[4464] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000765cf52b 5 bytes JMP 0000000100100a08 .text C:\Program Files (x86)\PLAY ONLINE\UIExec.exe[4464] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000757b5181 5 bytes JMP 0000000100111014 .text C:\Program Files (x86)\PLAY ONLINE\UIExec.exe[4464] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000757b5254 5 bytes JMP 0000000100110804 .text C:\Program Files (x86)\PLAY ONLINE\UIExec.exe[4464] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000757b53d5 5 bytes JMP 0000000100110a08 .text C:\Program Files (x86)\PLAY 
ONLINE\UIExec.exe[4464] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000757b54c2 5 bytes JMP 0000000100110c0c .text C:\Program Files (x86)\PLAY ONLINE\UIExec.exe[4464] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000757b55e2 5 bytes JMP 0000000100110e10 .text C:\Program Files (x86)\PLAY ONLINE\UIExec.exe[4464] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000757b567c 5 bytes JMP 00000001001101f8 .text C:\Program Files (x86)\PLAY ONLINE\UIExec.exe[4464] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000757b589f 5 bytes JMP 00000001001103fc .text C:\Program Files (x86)\PLAY ONLINE\UIExec.exe[4464] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000757b5a22 5 bytes JMP 0000000100110600 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4564] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076f8a2ba 1 byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4564] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000764e1465 2 bytes [4E, 76] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4564] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000764e14bb 2 bytes [4E, 76] .text ... 
* 2 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b73b10 5 bytes JMP 00000001003e075c .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b77ac0 5 bytes JMP 00000001003e03a4 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077ba1430 5 bytes JMP 00000001003e0b14 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077ba1490 5 bytes JMP 00000001003e0ecc .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ba1570 5 bytes JMP 00000001003e163c .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077ba17b0 5 bytes JMP 00000001003e1284 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077ba27e0 5 bytes JMP 00000001003e19f4 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4952] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000077a8eecd 1 byte [62] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4952] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe456e00 5 bytes JMP 000007ff7e471dac .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4952] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe456f2c 5 bytes JMP 000007ff7e470ecc .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4952] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe457220 5 bytes JMP 000007ff7e471284 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4952] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe45739c 5 bytes JMP 000007ff7e47163c .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4952] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe457538 
5 bytes JMP 000007ff7e4719f4 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4952] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe4575e8 5 bytes JMP 000007ff7e4703a4 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4952] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe45790c 5 bytes JMP 000007ff7e47075c .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4952] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe457ab4 5 bytes JMP 000007ff7e470b14 .text C:\Windows\System32\atwtusb.exe[5004] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000077a8eecd 1 byte [62] .text C:\Windows\System32\atwtusb.exe[5004] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe456e00 5 bytes JMP 000007ff7e471dac .text C:\Windows\System32\atwtusb.exe[5004] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe456f2c 5 bytes JMP 000007ff7e470ecc .text C:\Windows\System32\atwtusb.exe[5004] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe457220 5 bytes JMP 000007ff7e471284 .text C:\Windows\System32\atwtusb.exe[5004] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe45739c 5 bytes JMP 000007ff7e47163c .text C:\Windows\System32\atwtusb.exe[5004] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe457538 5 bytes JMP 000007ff7e4719f4 .text C:\Windows\System32\atwtusb.exe[5004] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe4575e8 5 bytes JMP 000007ff7e4703a4 .text C:\Windows\System32\atwtusb.exe[5004] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe45790c 5 bytes JMP 000007ff7e47075c .text C:\Windows\System32\atwtusb.exe[5004] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe457ab4 5 bytes JMP 000007ff7e470b14 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5020] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe456e00 5 bytes JMP 000007ff7e471dac .text C:\Program Files\Common Files\Microsoft Shared\Windows 
Live\WLIDSvcM.exe[5020] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe456f2c 5 bytes JMP 000007ff7e470ecc .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5020] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe457220 5 bytes JMP 000007ff7e471284 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5020] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe45739c 5 bytes JMP 000007ff7e47163c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5020] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe457538 5 bytes JMP 000007ff7e4719f4 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5020] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe4575e8 5 bytes JMP 000007ff7e4703a4 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5020] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe45790c 5 bytes JMP 000007ff7e47075c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5020] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe457ab4 5 bytes JMP 000007ff7e470b14 .text C:\Windows\system32\atwtusb.exe[4224] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b73b10 5 bytes JMP 000000010030075c .text C:\Windows\system32\atwtusb.exe[4224] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b77ac0 5 bytes JMP 00000001003003a4 .text C:\Windows\system32\atwtusb.exe[4224] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077ba1430 5 bytes JMP 0000000100300b14 .text C:\Windows\system32\atwtusb.exe[4224] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077ba1490 5 bytes JMP 0000000100300ecc .text C:\Windows\system32\atwtusb.exe[4224] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ba1570 5 bytes JMP 000000010030163c .text C:\Windows\system32\atwtusb.exe[4224] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 
0000000077ba17b0 5 bytes JMP 0000000100301284 .text C:\Windows\system32\atwtusb.exe[4224] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077ba27e0 5 bytes JMP 00000001003019f4 .text C:\Windows\system32\atwtusb.exe[4224] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000077a8eecd 1 byte [62] .text C:\Windows\system32\atwtusb.exe[4224] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe456e00 5 bytes JMP 000007ff7e471dac .text C:\Windows\system32\atwtusb.exe[4224] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe456f2c 5 bytes JMP 000007ff7e470ecc .text C:\Windows\system32\atwtusb.exe[4224] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe457220 5 bytes JMP 000007ff7e471284 .text C:\Windows\system32\atwtusb.exe[4224] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe45739c 5 bytes JMP 000007ff7e47163c .text C:\Windows\system32\atwtusb.exe[4224] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe457538 5 bytes JMP 000007ff7e4719f4 .text C:\Windows\system32\atwtusb.exe[4224] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe4575e8 5 bytes JMP 000007ff7e4703a4 .text C:\Windows\system32\atwtusb.exe[4224] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe45790c 5 bytes JMP 000007ff7e47075c .text C:\Windows\system32\atwtusb.exe[4224] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe457ab4 5 bytes JMP 000007ff7e470b14 .text C:\Windows\system32\SearchIndexer.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b73b10 5 bytes JMP 000000010016075c .text C:\Windows\system32\SearchIndexer.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b77ac0 5 bytes JMP 00000001001603a4 .text C:\Windows\system32\SearchIndexer.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077ba1430 5 bytes JMP 0000000100160b14 .text C:\Windows\system32\SearchIndexer.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077ba1490 5 bytes JMP 
0000000100160ecc .text C:\Windows\system32\SearchIndexer.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ba1570 5 bytes JMP 000000010016163c .text C:\Windows\system32\SearchIndexer.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077ba17b0 5 bytes JMP 0000000100161284 .text C:\Windows\system32\SearchIndexer.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077ba27e0 5 bytes JMP 00000001001619f4 .text C:\Windows\system32\SearchIndexer.exe[3172] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000077a8eecd 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[3172] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe456e00 5 bytes JMP 000007ff7e471dac .text C:\Windows\system32\SearchIndexer.exe[3172] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe456f2c 5 bytes JMP 000007ff7e470ecc .text C:\Windows\system32\SearchIndexer.exe[3172] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe457220 5 bytes JMP 000007ff7e471284 .text C:\Windows\system32\SearchIndexer.exe[3172] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe45739c 5 bytes JMP 000007ff7e47163c .text C:\Windows\system32\SearchIndexer.exe[3172] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe457538 5 bytes JMP 000007ff7e4719f4 .text C:\Windows\system32\SearchIndexer.exe[3172] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe4575e8 5 bytes JMP 000007ff7e4703a4 .text C:\Windows\system32\SearchIndexer.exe[3172] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe45790c 5 bytes JMP 000007ff7e47075c .text C:\Windows\system32\SearchIndexer.exe[3172] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe457ab4 5 bytes JMP 000007ff7e470b14 .text C:\Windows\system32\svchost.exe[4532] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe456e00 5 bytes JMP 000007ff7e471dac .text C:\Windows\system32\svchost.exe[4532] 
C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe456f2c 5 bytes JMP 000007ff7e470ecc .text C:\Windows\system32\svchost.exe[4532] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe457220 5 bytes JMP 000007ff7e471284 .text C:\Windows\system32\svchost.exe[4532] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe45739c 5 bytes JMP 000007ff7e47163c .text C:\Windows\system32\svchost.exe[4532] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe457538 5 bytes JMP 000007ff7e4719f4 .text C:\Windows\system32\svchost.exe[4532] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe4575e8 5 bytes JMP 000007ff7e4703a4 .text C:\Windows\system32\svchost.exe[4532] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe45790c 5 bytes JMP 000007ff7e47075c .text C:\Windows\system32\svchost.exe[4532] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe457ab4 5 bytes JMP 000007ff7e470b14 .text C:\Windows\system32\svchost.exe[4036] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe456e00 5 bytes JMP 000007ff7e471dac .text C:\Windows\system32\svchost.exe[4036] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe456f2c 5 bytes JMP 000007ff7e470ecc .text C:\Windows\system32\svchost.exe[4036] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe457220 5 bytes JMP 000007ff7e471284 .text C:\Windows\system32\svchost.exe[4036] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe45739c 5 bytes JMP 000007ff7e47163c .text C:\Windows\system32\svchost.exe[4036] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe457538 5 bytes JMP 000007ff7e4719f4 .text C:\Windows\system32\svchost.exe[4036] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe4575e8 5 bytes JMP 000007ff7e4703a4 .text C:\Windows\system32\svchost.exe[4036] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe45790c 5 bytes JMP 000007ff7e47075c .text C:\Windows\system32\svchost.exe[4036] 
C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe457ab4 5 bytes JMP 000007ff7e470b14 .text C:\Windows\system32\svchost.exe[5148] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe456e00 5 bytes JMP 000007ff7e471dac .text C:\Windows\system32\svchost.exe[5148] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe456f2c 5 bytes JMP 000007ff7e470ecc .text C:\Windows\system32\svchost.exe[5148] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe457220 5 bytes JMP 000007ff7e471284 .text C:\Windows\system32\svchost.exe[5148] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe45739c 5 bytes JMP 000007ff7e47163c .text C:\Windows\system32\svchost.exe[5148] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe457538 5 bytes JMP 000007ff7e4719f4 .text C:\Windows\system32\svchost.exe[5148] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe4575e8 5 bytes JMP 000007ff7e4703a4 .text C:\Windows\system32\svchost.exe[5148] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe45790c 5 bytes JMP 000007ff7e47075c .text C:\Windows\system32\svchost.exe[5148] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe457ab4 5 bytes JMP 000007ff7e470b14 .text C:\Windows\servicing\TrustedInstaller.exe[5540] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000077a8eecd 1 byte [62] .text C:\Windows\servicing\TrustedInstaller.exe[5540] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe456e00 5 bytes JMP 000007ff7e471dac .text C:\Windows\servicing\TrustedInstaller.exe[5540] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe456f2c 5 bytes JMP 000007ff7e470ecc .text C:\Windows\servicing\TrustedInstaller.exe[5540] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe457220 5 bytes JMP 000007ff7e471284 .text C:\Windows\servicing\TrustedInstaller.exe[5540] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe45739c 5 bytes JMP 000007ff7e47163c .text 
C:\Windows\servicing\TrustedInstaller.exe[5540] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe457538 5 bytes JMP 000007ff7e4719f4 .text C:\Windows\servicing\TrustedInstaller.exe[5540] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe4575e8 5 bytes JMP 000007ff7e4703a4 .text C:\Windows\servicing\TrustedInstaller.exe[5540] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe45790c 5 bytes JMP 000007ff7e47075c .text C:\Windows\servicing\TrustedInstaller.exe[5540] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe457ab4 5 bytes JMP 000007ff7e470b14 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[5876] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b73b10 5 bytes JMP 000000010031075c .text C:\Program Files\Elantech\ETDCtrlHelper.exe[5876] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b77ac0 5 bytes JMP 00000001003103a4 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[5876] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077ba1430 5 bytes JMP 0000000100310b14 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[5876] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077ba1490 5 bytes JMP 0000000100310ecc .text C:\Program Files\Elantech\ETDCtrlHelper.exe[5876] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ba1570 5 bytes JMP 000000010031163c .text C:\Program Files\Elantech\ETDCtrlHelper.exe[5876] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077ba17b0 5 bytes JMP 0000000100311284 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[5876] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077ba27e0 5 bytes JMP 00000001003119f4 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[5876] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000077a8eecd 1 byte [62] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[5876] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe456e00 5 bytes JMP 000007ff7e471dac .text C:\Program Files\Elantech\ETDCtrlHelper.exe[5876] 
C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe456f2c 5 bytes JMP 000007ff7e470ecc .text C:\Program Files\Elantech\ETDCtrlHelper.exe[5876] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe457220 5 bytes JMP 000007ff7e471284 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[5876] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe45739c 5 bytes JMP 000007ff7e47163c .text C:\Program Files\Elantech\ETDCtrlHelper.exe[5876] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe457538 5 bytes JMP 000007ff7e4719f4 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[5876] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe4575e8 5 bytes JMP 000007ff7e4703a4 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[5876] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe45790c 5 bytes JMP 000007ff7e47075c .text C:\Program Files\Elantech\ETDCtrlHelper.exe[5876] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe457ab4 5 bytes JMP 000007ff7e470b14 .text C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe[5816] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b73b10 5 bytes JMP 000000010018075c .text C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe[5816] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b77ac0 5 bytes JMP 00000001001803a4 .text C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe[5816] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077ba1430 5 bytes JMP 0000000100180b14 .text C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe[5816] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077ba1490 5 bytes JMP 0000000100180ecc .text C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe[5816] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ba1570 5 bytes JMP 000000010018163c .text C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe[5816] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077ba17b0 5 bytes JMP 0000000100181284 .text C:\Program 
Files\Tablet\Wacom\Wacom_TabletUser.exe[5816] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077ba27e0 5 bytes JMP 00000001001819f4 .text C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe[5816] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe456e00 5 bytes JMP 000007ff7e471dac .text C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe[5816] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe456f2c 5 bytes JMP 000007ff7e470ecc .text C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe[5816] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe457220 5 bytes JMP 000007ff7e471284 .text C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe[5816] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe45739c 5 bytes JMP 000007ff7e47163c .text C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe[5816] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe457538 5 bytes JMP 000007ff7e4719f4 .text C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe[5816] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe4575e8 5 bytes JMP 000007ff7e4703a4 .text C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe[5816] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe45790c 5 bytes JMP 000007ff7e47075c .text C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe[5816] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe457ab4 5 bytes JMP 000007ff7e470b14 .text C:\Program Files\Tablet\Pen\Pen_TabletUser.exe[5408] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b73b10 5 bytes JMP 00000001003f075c .text C:\Program Files\Tablet\Pen\Pen_TabletUser.exe[5408] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b77ac0 5 bytes JMP 00000001003f03a4 .text C:\Program Files\Tablet\Pen\Pen_TabletUser.exe[5408] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077ba1430 5 bytes JMP 00000001003f0b14 .text C:\Program Files\Tablet\Pen\Pen_TabletUser.exe[5408] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 
0000000077ba1490 5 bytes JMP 00000001003f0ecc .text C:\Program Files\Tablet\Pen\Pen_TabletUser.exe[5408] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ba1570 5 bytes JMP 00000001003f163c .text C:\Program Files\Tablet\Pen\Pen_TabletUser.exe[5408] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077ba17b0 5 bytes JMP 00000001003f1284 .text C:\Program Files\Tablet\Pen\Pen_TabletUser.exe[5408] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077ba27e0 5 bytes JMP 00000001003f19f4 .text C:\Program Files\Tablet\Pen\Pen_TabletUser.exe[5408] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe456e00 5 bytes JMP 000007ff7e471dac .text C:\Program Files\Tablet\Pen\Pen_TabletUser.exe[5408] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe456f2c 5 bytes JMP 000007ff7e470ecc .text C:\Program Files\Tablet\Pen\Pen_TabletUser.exe[5408] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe457220 5 bytes JMP 000007ff7e471284 .text C:\Program Files\Tablet\Pen\Pen_TabletUser.exe[5408] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe45739c 5 bytes JMP 000007ff7e47163c .text C:\Program Files\Tablet\Pen\Pen_TabletUser.exe[5408] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe457538 5 bytes JMP 000007ff7e4719f4 .text C:\Program Files\Tablet\Pen\Pen_TabletUser.exe[5408] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe4575e8 5 bytes JMP 000007ff7e4703a4 .text C:\Program Files\Tablet\Pen\Pen_TabletUser.exe[5408] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe45790c 5 bytes JMP 000007ff7e47075c .text C:\Program Files\Tablet\Pen\Pen_TabletUser.exe[5408] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe457ab4 5 bytes JMP 000007ff7e470b14 .text C:\Program Files\Tablet\Wacom\WacomHost.exe[4044] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077d4fac0 5 bytes JMP 0000000100030600 .text C:\Program Files\Tablet\Wacom\WacomHost.exe[4044] 
C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077d4fb58 5 bytes JMP 0000000100030804 .text C:\Program Files\Tablet\Wacom\WacomHost.exe[4044] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077d4fcb0 5 bytes JMP 0000000100030c0c .text C:\Program Files\Tablet\Wacom\WacomHost.exe[4044] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d50038 5 bytes JMP 0000000100030a08 .text C:\Program Files\Tablet\Wacom\WacomHost.exe[4044] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077d51920 5 bytes JMP 0000000100030e10 .text C:\Program Files\Tablet\Wacom\WacomHost.exe[4044] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077d6c4dd 5 bytes JMP 00000001000301f8 .text C:\Program Files\Tablet\Wacom\WacomHost.exe[4044] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077d71287 5 bytes JMP 00000001000303fc .text C:\Program Files\Tablet\Wacom\WacomHost.exe[4044] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076f8a2ba 1 byte [62] .text C:\Program Files\Tablet\Wacom\WacomHost.exe[4044] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000765aee09 5 bytes JMP 00000001001001f8 .text C:\Program Files\Tablet\Wacom\WacomHost.exe[4044] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000765b3982 5 bytes JMP 00000001001003fc .text C:\Program Files\Tablet\Wacom\WacomHost.exe[4044] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000765b7603 5 bytes JMP 0000000100100804 .text C:\Program Files\Tablet\Wacom\WacomHost.exe[4044] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000765b835c 5 bytes JMP 0000000100100600 .text C:\Program Files\Tablet\Wacom\WacomHost.exe[4044] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000765cf52b 5 bytes JMP 0000000100100a08 .text C:\Program Files\Tablet\Wacom\WacomHost.exe[4044] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000757b5181 5 bytes JMP 0000000100111014 .text C:\Program Files\Tablet\Wacom\WacomHost.exe[4044] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 
00000000757b5254 5 bytes JMP 0000000100110804 .text C:\Program Files\Tablet\Wacom\WacomHost.exe[4044] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000757b53d5 5 bytes JMP 0000000100110a08 .text C:\Program Files\Tablet\Wacom\WacomHost.exe[4044] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000757b54c2 5 bytes JMP 0000000100110c0c .text C:\Program Files\Tablet\Wacom\WacomHost.exe[4044] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000757b55e2 5 bytes JMP 0000000100110e10 .text C:\Program Files\Tablet\Wacom\WacomHost.exe[4044] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000757b567c 5 bytes JMP 00000001001101f8 .text C:\Program Files\Tablet\Wacom\WacomHost.exe[4044] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000757b589f 5 bytes JMP 00000001001103fc .text C:\Program Files\Tablet\Wacom\WacomHost.exe[4044] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000757b5a22 5 bytes JMP 0000000100110600 .text C:\Program Files\Tablet\Pen\WacomHost.exe[2804] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077d4fac0 5 bytes JMP 0000000100030600 .text C:\Program Files\Tablet\Pen\WacomHost.exe[2804] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077d4fb58 5 bytes JMP 0000000100030804 .text C:\Program Files\Tablet\Pen\WacomHost.exe[2804] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077d4fcb0 5 bytes JMP 0000000100030c0c .text C:\Program Files\Tablet\Pen\WacomHost.exe[2804] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d50038 5 bytes JMP 0000000100030a08 .text C:\Program Files\Tablet\Pen\WacomHost.exe[2804] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077d51920 5 bytes JMP 0000000100030e10 .text C:\Program Files\Tablet\Pen\WacomHost.exe[2804] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077d6c4dd 5 bytes JMP 00000001000301f8 .text C:\Program Files\Tablet\Pen\WacomHost.exe[2804] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077d71287 5 bytes JMP 00000001000303fc 
.text C:\Program Files\Tablet\Pen\WacomHost.exe[2804] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076f8a2ba 1 byte [62] .text C:\Program Files\Tablet\Pen\WacomHost.exe[2804] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000765aee09 5 bytes JMP 00000001001801f8 .text C:\Program Files\Tablet\Pen\WacomHost.exe[2804] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000765b3982 5 bytes JMP 00000001001803fc .text C:\Program Files\Tablet\Pen\WacomHost.exe[2804] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000765b7603 5 bytes JMP 0000000100180804 .text C:\Program Files\Tablet\Pen\WacomHost.exe[2804] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000765b835c 5 bytes JMP 0000000100180600 .text C:\Program Files\Tablet\Pen\WacomHost.exe[2804] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000765cf52b 5 bytes JMP 0000000100180a08 .text C:\Program Files\Tablet\Pen\WacomHost.exe[2804] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000757b5181 5 bytes JMP 0000000100191014 .text C:\Program Files\Tablet\Pen\WacomHost.exe[2804] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000757b5254 5 bytes JMP 0000000100190804 .text C:\Program Files\Tablet\Pen\WacomHost.exe[2804] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000757b53d5 5 bytes JMP 0000000100190a08 .text C:\Program Files\Tablet\Pen\WacomHost.exe[2804] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000757b54c2 5 bytes JMP 0000000100190c0c .text C:\Program Files\Tablet\Pen\WacomHost.exe[2804] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000757b55e2 5 bytes JMP 0000000100190e10 .text C:\Program Files\Tablet\Pen\WacomHost.exe[2804] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000757b567c 5 bytes JMP 00000001001901f8 .text C:\Program Files\Tablet\Pen\WacomHost.exe[2804] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000757b589f 5 bytes JMP 00000001001903fc .text C:\Program Files\Tablet\Pen\WacomHost.exe[2804] 
C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000757b5a22 5 bytes JMP 0000000100190600 .text C:\Program Files\Tablet\Pen\Pen_Tablet.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b73b10 5 bytes JMP 000000010023075c .text C:\Program Files\Tablet\Pen\Pen_Tablet.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b77ac0 5 bytes JMP 00000001002303a4 .text C:\Program Files\Tablet\Pen\Pen_Tablet.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077ba1430 5 bytes JMP 0000000100230b14 .text C:\Program Files\Tablet\Pen\Pen_Tablet.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077ba1490 5 bytes JMP 0000000100230ecc .text C:\Program Files\Tablet\Pen\Pen_Tablet.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ba1570 5 bytes JMP 000000010023163c .text C:\Program Files\Tablet\Pen\Pen_Tablet.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077ba17b0 5 bytes JMP 0000000100231284 .text C:\Program Files\Tablet\Pen\Pen_Tablet.exe[2744] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077ba27e0 5 bytes JMP 00000001002319f4 .text C:\Program Files\Tablet\Pen\Pen_Tablet.exe[2744] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000077a8eecd 1 byte [62] .text C:\Program Files\Tablet\Pen\Pen_Tablet.exe[2744] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe456e00 5 bytes JMP 000007ff7e471dac .text C:\Program Files\Tablet\Pen\Pen_Tablet.exe[2744] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe456f2c 5 bytes JMP 000007ff7e470ecc .text C:\Program Files\Tablet\Pen\Pen_Tablet.exe[2744] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe457220 5 bytes JMP 000007ff7e471284 .text C:\Program Files\Tablet\Pen\Pen_Tablet.exe[2744] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe45739c 5 bytes JMP 000007ff7e47163c .text C:\Program Files\Tablet\Pen\Pen_Tablet.exe[2744] 
C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe457538 5 bytes JMP 000007ff7e4719f4 .text C:\Program Files\Tablet\Pen\Pen_Tablet.exe[2744] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe4575e8 5 bytes JMP 000007ff7e4703a4 .text C:\Program Files\Tablet\Pen\Pen_Tablet.exe[2744] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe45790c 5 bytes JMP 000007ff7e47075c .text C:\Program Files\Tablet\Pen\Pen_Tablet.exe[2744] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe457ab4 5 bytes JMP 000007ff7e470b14 .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b73b10 5 bytes JMP 000000010013075c .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b77ac0 5 bytes JMP 00000001001303a4 .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077ba1430 5 bytes JMP 0000000100130b14 .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077ba1490 5 bytes JMP 0000000100130ecc .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ba1570 5 bytes JMP 000000010013163c .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077ba17b0 5 bytes JMP 0000000100131284 .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[5416] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077ba27e0 5 bytes JMP 00000001001319f4 .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[5416] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000077a8eecd 1 byte [62] .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[5416] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe456e00 5 bytes JMP 000007ff7e471dac .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[5416] 
C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe456f2c 5 bytes JMP 000007ff7e470ecc .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[5416] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe457220 5 bytes JMP 000007ff7e471284 .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[5416] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe45739c 5 bytes JMP 000007ff7e47163c .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[5416] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe457538 5 bytes JMP 000007ff7e4719f4 .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[5416] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe4575e8 5 bytes JMP 000007ff7e4703a4 .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[5416] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe45790c 5 bytes JMP 000007ff7e47075c .text C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe[5416] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe457ab4 5 bytes JMP 000007ff7e470b14 .text C:\Program Files\Tablet\Pen\Pen_TouchUser.exe[5708] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b73b10 5 bytes JMP 00000001001e075c .text C:\Program Files\Tablet\Pen\Pen_TouchUser.exe[5708] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b77ac0 5 bytes JMP 00000001001e03a4 .text C:\Program Files\Tablet\Pen\Pen_TouchUser.exe[5708] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077ba1430 5 bytes JMP 00000001001e0b14 .text C:\Program Files\Tablet\Pen\Pen_TouchUser.exe[5708] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077ba1490 5 bytes JMP 00000001001e0ecc .text C:\Program Files\Tablet\Pen\Pen_TouchUser.exe[5708] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ba1570 5 bytes JMP 00000001001e163c .text C:\Program Files\Tablet\Pen\Pen_TouchUser.exe[5708] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077ba17b0 5 bytes JMP 00000001001e1284 .text C:\Program 
Files\Tablet\Pen\Pen_TouchUser.exe[5708] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077ba27e0 5 bytes JMP 00000001001e19f4 .text C:\Program Files\Tablet\Pen\Pen_TouchUser.exe[5708] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000077a8eecd 1 byte [62] .text C:\Program Files\Tablet\Pen\Pen_TouchUser.exe[5708] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe456e00 5 bytes JMP 000007ff7e471dac .text C:\Program Files\Tablet\Pen\Pen_TouchUser.exe[5708] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe456f2c 5 bytes JMP 000007ff7e470ecc .text C:\Program Files\Tablet\Pen\Pen_TouchUser.exe[5708] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe457220 5 bytes JMP 000007ff7e471284 .text C:\Program Files\Tablet\Pen\Pen_TouchUser.exe[5708] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe45739c 5 bytes JMP 000007ff7e47163c .text C:\Program Files\Tablet\Pen\Pen_TouchUser.exe[5708] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe457538 5 bytes JMP 000007ff7e4719f4 .text C:\Program Files\Tablet\Pen\Pen_TouchUser.exe[5708] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe4575e8 5 bytes JMP 000007ff7e4703a4 .text C:\Program Files\Tablet\Pen\Pen_TouchUser.exe[5708] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe45790c 5 bytes JMP 000007ff7e47075c .text C:\Program Files\Tablet\Pen\Pen_TouchUser.exe[5708] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe457ab4 5 bytes JMP 000007ff7e470b14 .text C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b73b10 5 bytes JMP 00000001003f075c .text C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b77ac0 5 bytes JMP 00000001003f03a4 .text C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077ba1430 5 bytes JMP 00000001003f0b14 .text C:\Program 
Files\Tablet\Wacom\Wacom_TouchUser.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077ba1490 5 bytes JMP 00000001003f0ecc .text C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ba1570 5 bytes JMP 00000001003f163c .text C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077ba17b0 5 bytes JMP 00000001003f1284 .text C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077ba27e0 5 bytes JMP 00000001003f19f4 .text C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe[1404] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000077a8eecd 1 byte [62] .text C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe[1404] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe456e00 5 bytes JMP 000007ff7e471dac .text C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe[1404] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe456f2c 5 bytes JMP 000007ff7e470ecc .text C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe[1404] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe457220 5 bytes JMP 000007ff7e471284 .text C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe[1404] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe45739c 5 bytes JMP 000007ff7e47163c .text C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe[1404] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe457538 5 bytes JMP 000007ff7e4719f4 .text C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe[1404] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe4575e8 5 bytes JMP 000007ff7e4703a4 .text C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe[1404] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe45790c 5 bytes JMP 000007ff7e47075c .text C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe[1404] C:\Windows\SYSTEM32\sechost.dll!DeleteService 
000007fefe457ab4 5 bytes JMP 000007ff7e470b14 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3704] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077d4fac0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3704] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077d4fb58 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3704] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077d4fcb0 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3704] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d50038 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3704] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077d51920 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3704] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077d6c4dd 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3704] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077d71287 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3704] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076f8a2ba 1 byte [62] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3704] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000765aee09 5 bytes JMP 00000001002501f8 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3704] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000765b3982 5 bytes JMP 00000001002503fc .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3704] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000765b7603 5 bytes JMP 0000000100250804 .text C:\Program Files (x86)\NVIDIA 
Corporation\NVIDIA Updatus\daemonu.exe[3704] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000765b835c 5 bytes JMP 0000000100250600 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3704] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000765cf52b 5 bytes JMP 0000000100250a08 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3704] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000757b5181 5 bytes JMP 0000000100261014 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3704] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000757b5254 5 bytes JMP 0000000100260804 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3704] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000757b53d5 5 bytes JMP 0000000100260a08 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3704] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000757b54c2 5 bytes JMP 0000000100260c0c .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3704] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000757b55e2 5 bytes JMP 0000000100260e10 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3704] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000757b567c 5 bytes JMP 00000001002601f8 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3704] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000757b589f 5 bytes JMP 00000001002603fc .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3704] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000757b5a22 5 bytes JMP 0000000100260600 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3704] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000764e1465 2 bytes [4E, 76] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3704] 
C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000764e14bb 2 bytes [4E, 76] .text ... * 2 .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[5680] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077d4fac0 5 bytes JMP 0000000100030600 .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[5680] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077d4fb58 5 bytes JMP 0000000100030804 .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[5680] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077d4fcb0 5 bytes JMP 0000000100030c0c .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[5680] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d50038 5 bytes JMP 0000000100030a08 .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[5680] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077d51920 5 bytes JMP 0000000100030e10 .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[5680] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077d6c4dd 5 bytes JMP 00000001000301f8 .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[5680] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077d71287 5 bytes JMP 00000001000303fc .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[5680] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076f8a2ba 1 byte [62] .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[5680] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000765aee09 5 bytes JMP 00000001000901f8 .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[5680] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000765b3982 5 bytes JMP 00000001000903fc .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[5680] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 
00000000765b7603 5 bytes JMP 0000000100090804 .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[5680] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000765b835c 5 bytes JMP 0000000100090600 .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[5680] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000765cf52b 5 bytes JMP 0000000100090a08 .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[5680] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000757b5181 5 bytes JMP 00000001000a1014 .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[5680] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000757b5254 5 bytes JMP 00000001000a0804 .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[5680] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000757b53d5 5 bytes JMP 00000001000a0a08 .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[5680] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000757b54c2 5 bytes JMP 00000001000a0c0c .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[5680] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000757b55e2 5 bytes JMP 00000001000a0e10 .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[5680] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000757b567c 5 bytes JMP 00000001000a01f8 .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[5680] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000757b589f 5 bytes JMP 00000001000a03fc .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[5680] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000757b5a22 5 bytes JMP 00000001000a0600 .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[5680] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000764e1465 2 bytes 
[4E, 76] .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[5680] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000764e14bb 2 bytes [4E, 76] .text ... * 2 ? C:\Windows\system32\mssprxy.dll [5680] entry point in ".rdata" section 0000000073e871e6 .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000077d4f9b1 7 bytes {MOV EDX, 0xfc9e28; JMP RDX} .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077d4fac0 5 bytes JMP 0000000101090600 .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077d4fb58 5 bytes JMP 0000000101090804 .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000077d4fbf5 7 bytes {MOV EDX, 0xfc9e68; JMP RDX} .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000077d4fc25 7 bytes {MOV EDX, 0xfc9da8; JMP RDX} .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000077d4fc3d 7 bytes {MOV EDX, 0xfc9d28; JMP RDX} .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000077d4fc55 7 bytes {MOV EDX, 0xfc9f28; JMP RDX} .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000077d4fc85 7 bytes {MOV EDX, 0xfc9f68; JMP RDX} .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077d4fcb0 5 bytes JMP 0000000101090c0c .text C:\Users\Michaœ 
^^\AppData\Local\Google\Chrome\Application\chrome.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000077d4fd05 7 bytes {MOV EDX, 0xfc9ee8; JMP RDX} .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000077d4fd1d 7 bytes {MOV EDX, 0xfc9ea8; JMP RDX} .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000077d4fd69 7 bytes {MOV EDX, 0xfc9c68; JMP RDX} .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000077d4fe61 7 bytes {MOV EDX, 0xfc9ca8; JMP RDX} .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d50038 5 bytes JMP 0000000101090a08 .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077d500b9 7 bytes {MOV EDX, 0xfc9c28; JMP RDX} .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000077d510c5 7 bytes {MOV EDX, 0xfc9de8; JMP RDX} .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000077d5113d 7 bytes {MOV EDX, 0xfc9d68; JMP RDX} .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077d51341 7 bytes {MOV EDX, 0xfc9ce8; JMP RDX} .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[2296] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077d51920 5 bytes JMP 0000000101090e10 .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[2296] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077d6c4dd 5 bytes JMP 
00000001010901f8 .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[2296] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077d71287 5 bytes JMP 00000001010903fc .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[2296] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076f8a2ba 1 byte [62] .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[2296] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000765aee09 5 bytes JMP 00000001011a01f8 .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[2296] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000765b3982 5 bytes JMP 00000001011a03fc .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[2296] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000765b7603 5 bytes JMP 00000001011a0804 .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[2296] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000765b835c 5 bytes JMP 00000001011a0600 .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[2296] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000765cf52b 5 bytes JMP 00000001011a0a08 .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[2296] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000757b5181 5 bytes JMP 00000001011b1014 .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[2296] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000757b5254 5 bytes JMP 00000001011b0804 .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[2296] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000757b53d5 5 bytes JMP 00000001011b0a08 .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[2296] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000757b54c2 5 bytes JMP 00000001011b0c0c .text C:\Users\Michaœ 
^^\AppData\Local\Google\Chrome\Application\chrome.exe[2296] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000757b55e2 5 bytes JMP 00000001011b0e10 .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[2296] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000757b567c 5 bytes JMP 00000001011b01f8 .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[2296] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000757b589f 5 bytes JMP 00000001011b03fc .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[2296] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000757b5a22 5 bytes JMP 00000001011b0600 .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[2296] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000764e1465 2 bytes [4E, 76] .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[2296] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000764e14bb 2 bytes [4E, 76] .text ... 
* 2 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe456e00 5 bytes JMP 000007ff7e471dac .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe456f2c 5 bytes JMP 000007ff7e470ecc .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe457220 5 bytes JMP 000007ff7e471284 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe45739c 5 bytes JMP 000007ff7e47163c .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe457538 5 bytes JMP 000007ff7e4719f4 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe4575e8 5 bytes JMP 000007ff7e4703a4 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe45790c 5 bytes JMP 000007ff7e47075c .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe457ab4 5 bytes JMP 000007ff7e470b14 .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000077d4f9b1 7 bytes {MOV EDX, 0x692628; JMP RDX} .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077d4fac0 5 bytes JMP 00000001008e0600 .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077d4fb58 5 bytes JMP 00000001008e0804 .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000077d4fbf5 7 bytes {MOV EDX, 0x692668; JMP RDX} .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[2148] 
C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000077d4fc25 7 bytes {MOV EDX, 0x6925a8; JMP RDX} .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000077d4fc3d 7 bytes {MOV EDX, 0x692528; JMP RDX} .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000077d4fc55 7 bytes {MOV EDX, 0x692728; JMP RDX} .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000077d4fc85 7 bytes {MOV EDX, 0x692768; JMP RDX} .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077d4fcb0 5 bytes JMP 00000001008e0c0c .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000077d4fd05 7 bytes {MOV EDX, 0x6926e8; JMP RDX} .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000077d4fd1d 7 bytes {MOV EDX, 0x6926a8; JMP RDX} .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000077d4fd69 7 bytes {MOV EDX, 0x692468; JMP RDX} .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000077d4fe61 7 bytes {MOV EDX, 0x6924a8; JMP RDX} .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d50038 5 bytes JMP 00000001008e0a08 .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077d500b9 7 bytes {MOV EDX, 0x692428; JMP RDX} .text C:\Users\Michaœ 
^^\AppData\Local\Google\Chrome\Application\chrome.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000077d510c5 7 bytes {MOV EDX, 0x6925e8; JMP RDX} .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000077d5113d 7 bytes {MOV EDX, 0x692568; JMP RDX} .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077d51341 7 bytes {MOV EDX, 0x6924e8; JMP RDX} .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077d51920 5 bytes JMP 00000001008e0e10 .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[2148] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077d6c4dd 5 bytes JMP 00000001008e01f8 .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[2148] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077d71287 5 bytes JMP 00000001008e03fc .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[2148] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076f8a2ba 1 byte [62] .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[2148] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000765aee09 5 bytes JMP 00000001008f01f8 .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[2148] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000765b3982 5 bytes JMP 00000001008f03fc .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[2148] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000765b7603 5 bytes JMP 00000001008f0804 .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[2148] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000765b835c 5 bytes JMP 00000001008f0600 .text C:\Users\Michaœ 
^^\AppData\Local\Google\Chrome\Application\chrome.exe[2148] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000765cf52b 5 bytes JMP 00000001008f0a08 .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[2148] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000757b5181 5 bytes JMP 0000000100901014 .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[2148] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000757b5254 5 bytes JMP 0000000100900804 .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[2148] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000757b53d5 5 bytes JMP 0000000100900a08 .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[2148] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000757b54c2 5 bytes JMP 0000000100900c0c .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[2148] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000757b55e2 5 bytes JMP 0000000100900e10 .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[2148] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000757b567c 5 bytes JMP 00000001009001f8 .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[2148] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000757b589f 5 bytes JMP 00000001009003fc .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[2148] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000757b5a22 5 bytes JMP 0000000100900600 .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[2148] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000764e1465 2 bytes [4E, 76] .text C:\Users\Michaœ ^^\AppData\Local\Google\Chrome\Application\chrome.exe[2148] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000764e14bb 2 bytes [4E, 76] .text ... 
* 2 .text C:\Windows\system32\wuauclt.exe[4912] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b73b10 5 bytes JMP 000000010017075c .text C:\Windows\system32\wuauclt.exe[4912] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b77ac0 5 bytes JMP 00000001001703a4 .text C:\Windows\system32\wuauclt.exe[4912] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077ba1430 5 bytes JMP 0000000100170b14 .text C:\Windows\system32\wuauclt.exe[4912] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077ba1490 5 bytes JMP 0000000100170ecc .text C:\Windows\system32\wuauclt.exe[4912] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ba1570 5 bytes JMP 000000010017163c .text C:\Windows\system32\wuauclt.exe[4912] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077ba17b0 5 bytes JMP 0000000100171284 .text C:\Windows\system32\wuauclt.exe[4912] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077ba27e0 5 bytes JMP 00000001001719f4 .text C:\Windows\system32\wuauclt.exe[4912] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000077a8eecd 1 byte [62] .text C:\Windows\system32\wuauclt.exe[4912] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe456e00 5 bytes JMP 000007ff7e471dac .text C:\Windows\system32\wuauclt.exe[4912] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe456f2c 5 bytes JMP 000007ff7e470ecc .text C:\Windows\system32\wuauclt.exe[4912] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe457220 5 bytes JMP 000007ff7e471284 .text C:\Windows\system32\wuauclt.exe[4912] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe45739c 5 bytes JMP 000007ff7e47163c .text C:\Windows\system32\wuauclt.exe[4912] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe457538 5 bytes JMP 000007ff7e4719f4 .text C:\Windows\system32\wuauclt.exe[4912] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe4575e8 5 bytes JMP 000007ff7e4703a4 .text 
C:\Windows\system32\wuauclt.exe[4912] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe45790c 5 bytes JMP 000007ff7e47075c .text C:\Windows\system32\wuauclt.exe[4912] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe457ab4 5 bytes JMP 000007ff7e470b14 .text C:\Users\Michaœ ^^\Downloads\slh707zl.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077d4fac0 5 bytes JMP 0000000100030600 .text C:\Users\Michaœ ^^\Downloads\slh707zl.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077d4fb58 5 bytes JMP 0000000100030804 .text C:\Users\Michaœ ^^\Downloads\slh707zl.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077d4fcb0 5 bytes JMP 0000000100030c0c .text C:\Users\Michaœ ^^\Downloads\slh707zl.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d50038 5 bytes JMP 0000000100030a08 .text C:\Users\Michaœ ^^\Downloads\slh707zl.exe[1712] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077d51920 5 bytes JMP 0000000100030e10 .text C:\Users\Michaœ ^^\Downloads\slh707zl.exe[1712] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077d6c4dd 5 bytes JMP 00000001000301f8 .text C:\Users\Michaœ ^^\Downloads\slh707zl.exe[1712] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077d71287 5 bytes JMP 00000001000303fc .text C:\Users\Michaœ ^^\Downloads\slh707zl.exe[1712] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076f8a2ba 1 byte [62] .text C:\Users\Michaœ ^^\Downloads\slh707zl.exe[1712] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000757b5181 5 bytes JMP 0000000100241014 .text C:\Users\Michaœ ^^\Downloads\slh707zl.exe[1712] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000757b5254 5 bytes JMP 0000000100240804 .text C:\Users\Michaœ ^^\Downloads\slh707zl.exe[1712] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000757b53d5 5 bytes JMP 0000000100240a08 .text C:\Users\Michaœ ^^\Downloads\slh707zl.exe[1712] 
C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000757b54c2 5 bytes JMP 0000000100240c0c .text C:\Users\Michaœ ^^\Downloads\slh707zl.exe[1712] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000757b55e2 5 bytes JMP 0000000100240e10 .text C:\Users\Michaœ ^^\Downloads\slh707zl.exe[1712] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000757b567c 5 bytes JMP 00000001002401f8 .text C:\Users\Michaœ ^^\Downloads\slh707zl.exe[1712] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000757b589f 5 bytes JMP 00000001002403fc .text C:\Users\Michaœ ^^\Downloads\slh707zl.exe[1712] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000757b5a22 5 bytes JMP 0000000100240600 .text C:\Users\Michaœ ^^\Downloads\slh707zl.exe[1712] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000765aee09 5 bytes JMP 00000001002501f8 .text C:\Users\Michaœ ^^\Downloads\slh707zl.exe[1712] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000765b3982 5 bytes JMP 00000001002503fc .text C:\Users\Michaœ ^^\Downloads\slh707zl.exe[1712] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000765b7603 5 bytes JMP 0000000100250804 .text C:\Users\Michaœ ^^\Downloads\slh707zl.exe[1712] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000765b835c 5 bytes JMP 0000000100250600 .text C:\Users\Michaœ ^^\Downloads\slh707zl.exe[1712] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000765cf52b 5 bytes JMP 0000000100250a08 ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff8800104ef1c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff8800104ecc0] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff8800104f69c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff8800104fa98] 
\SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff8800104f8f4] \SystemRoot\System32\Drivers\sptd.sys [.text] ---- Devices - GMER 2.1 ---- Device \FileSystem\Ntfs \Ntfs fffffa80049302c0 Device \FileSystem\fastfat \Fat fffffa8008eb32c0 Device \Driver\usbehci \Device\USBPDO-1 fffffa80070912c0 Device \Driver\cdrom \Device\CdRom0 fffffa8006c8a2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{F3B9BB4A-EFA9-40E3-89A2-D5B68F257E42} fffffa8006dc42c0 Device \Driver\usbehci \Device\USBFDO-0 fffffa80070912c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{D8C87FF9-978A-4426-8951-626F8D170D4B} fffffa8006dc42c0 Device \Driver\usbehci \Device\USBFDO-1 fffffa80070912c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{62D433F3-2B1C-4E7E-B364-485B595338BD} fffffa8006dc42c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa8006dc42c0 Device \Driver\usbehci \Device\USBPDO-0 fffffa80070912c0 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{BBAF5943-0CD4-459D-91DC-9D3F73CB45CA}\Connection@Name Reusable Microsoft 6To4 Adapter Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Bind \Device\{83BF35DF-7BE9-4EB0-9223-F32CFE557A0A}?\Device\{BF5C4189-DD23-45D5-ADB3-B6ED7B20160A}?\Device\{8E67B727-300B-4212-B6ED-21FFEE5CFF60}?\Device\{19C15401-D795-4224-86D7-AB05374B4136}? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Route "{83BF35DF-7BE9-4EB0-9223-F32CFE557A0A}"?"{BF5C4189-DD23-45D5-ADB3-B6ED7B20160A}"?"{8E67B727-300B-4212-B6ED-21FFEE5CFF60}"?"{19C15401-D795-4224-86D7-AB05374B4136}"? 
Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Export \Device\TCPIP6TUNNEL_{83BF35DF-7BE9-4EB0-9223-F32CFE557A0A}?\Device\TCPIP6TUNNEL_{BF5C4189-DD23-45D5-ADB3-B6ED7B20160A}?\Device\TCPIP6TUNNEL_{8E67B727-300B-4212-B6ED-21FFEE5CFF60}?\Device\TCPIP6TUNNEL_{19C15401-D795-4224-86D7-AB05374B4136}? Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Description avast! mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DependOnService FltMgr? 
Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Description avast! mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Description avast! 
Revert Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@BootCounter 192 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@TickCounter 4403046 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition2\Windows Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@ErrorControl 1 Reg 
HKLM\SYSTEM\CurrentControlSet\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Description avast! Self Protection Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Tag 10 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\avast! 
Antivirus@Type 32 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DisplayName avast! Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Description Instaluje i zarządza usługami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantannę oraz harmonogram zadań. Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0008ca26d9e9 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0008ca26d9e9@0023f1ded668 0xF2 0x20 0xBE 0x6E ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0008ca26d9e9@c819f730abd9 0x05 0xC2 0x4D 0xE6 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0008ca26d9e9@002403267f34 0x77 0xCE 0x64 0x85 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0008ca26d9e9@a8e018ac002b 0x63 0xC0 0xE6 0xA0 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0008ca26d9e9@08edb9d9f6be 0x33 0x1D 0xEE 0x77 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0008ca26d9e9@e8cba188698a 0xE3 0x15 0x59 0x4B ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0008ca26d9e9@b482fec0ac00 0x95 0xCC 0xD2 0x52 ... 
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0008ca26d9e9@001194b1e30b 0x8A 0x9D 0xF8 0x0D ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0008ca26d9e9@60d0a9a321fe 0x52 0x47 0xE9 0xB4 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0008ca26d9e9@a826d92c35c4 0x8D 0xC0 0x31 0x91 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0025d3b2962e Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\6To4\{BBAF5943-0CD4-459D-91DC-9D3F73CB45CA}@InterfaceName Reusable Microsoft 6To4 Adapter Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\6To4\{BBAF5943-0CD4-459D-91DC-9D3F73CB45CA}@ReusableType 1 Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch@Epoch 15561 Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch2@Epoch 20611 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xA6 0xAA 0xB8 0x2B ... 
Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{62D433F3-2B1C-4E7E-B364-485B595338BD}@LeaseObtainedTime 1389557588 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{62D433F3-2B1C-4E7E-B364-485B595338BD}@T1 1389557888 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{62D433F3-2B1C-4E7E-B364-485B595338BD}@T2 1389558113 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{62D433F3-2B1C-4E7E-B364-485B595338BD}@LeaseTerminatesTime 1389558188 Reg HKLM\SYSTEM\CurrentControlSet\services\{62D433F3-2B1C-4E7E-B364-485B595338BD}\Parameters\Tcpip@LeaseObtainedTime 1389557588 Reg HKLM\SYSTEM\CurrentControlSet\services\{62D433F3-2B1C-4E7E-B364-485B595338BD}\Parameters\Tcpip@T1 1389557888 Reg HKLM\SYSTEM\CurrentControlSet\services\{62D433F3-2B1C-4E7E-B364-485B595338BD}\Parameters\Tcpip@T2 1389558113 Reg HKLM\SYSTEM\CurrentControlSet\services\{62D433F3-2B1C-4E7E-B364-485B595338BD}\Parameters\Tcpip@LeaseTerminatesTime 1389558188 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Description avast! 
mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Description avast! 
mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Description avast! 
Revert Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@BootCounter 192 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@TickCounter 4403046 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition2\Windows Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Description avast! 
Self Protection Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Tag 10 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Start 0 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswVmm\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Type 32 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DisplayName avast! 
Antivirus Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Description Instaluje i zarządza usługami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantannę oraz harmonogram zadań. Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0008ca26d9e9 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0008ca26d9e9@0023f1ded668 0xF2 0x20 0xBE 0x6E ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0008ca26d9e9@c819f730abd9 0x05 0xC2 0x4D 0xE6 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0008ca26d9e9@002403267f34 0x77 0xCE 0x64 0x85 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0008ca26d9e9@a8e018ac002b 0x63 0xC0 0xE6 0xA0 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0008ca26d9e9@08edb9d9f6be 0x33 0x1D 0xEE 0x77 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0008ca26d9e9@e8cba188698a 0xE3 0x15 0x59 0x4B ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0008ca26d9e9@b482fec0ac00 0x95 0xCC 0xD2 0x52 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0008ca26d9e9@001194b1e30b 0x8A 0x9D 0xF8 0x0D ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0008ca26d9e9@60d0a9a321fe 0x52 0x47 0xE9 0xB4 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0008ca26d9e9@a826d92c35c4 0x8D 0xC0 0x31 0x91 ... 
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0025d3b2962e (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xA6 0xAA 0xB8 0x2B ... ---- EOF - GMER 2.1 ----