GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-03-06 01:17:41 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST320LT020-9YG142 rev.0003LVM1 298,09GB Running: xto3i9ef.exe; Driver: C:\Users\POWER\AppData\Local\Temp\awrdrkog.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 560 fffff80003408000 45 bytes [00, 00, 45, 00, 49, 72, 70, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 607 fffff8000340802f 17 bytes [00, 30, 40, E0, 06, 80, FA, ...] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\lsm.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000777d17e0 5 bytes JMP 0000000100281018 .text C:\Windows\system32\lsm.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000777d1d30 5 bytes JMP 0000000100280018 .text C:\Windows\system32\lsm.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000777d1de0 5 bytes JMP 0000000100282018 .text C:\Windows\system32\lsm.exe[528] C:\Windows\system32\kernel32.dll!OpenMutexA 0000000077562ce0 5 bytes JMP 0000000100283018 .text C:\Windows\system32\lsm.exe[528] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000775723d0 5 bytes JMP 0000000100284018 .text C:\Windows\system32\lsm.exe[528] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 00000000775e9150 5 bytes JMP 0000000100285018 .text C:\Windows\system32\lsm.exe[528] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd855440 5 bytes JMP 000007ff7e5d9018 .text C:\Windows\system32\lsm.exe[528] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd8583d0 5 bytes JMP 000007ff7e5d8018 .text C:\Windows\system32\lsm.exe[528] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd858ae0 5 bytes JMP 000007ff7e5d6018 .text C:\Windows\system32\lsm.exe[528] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd85c030 5 bytes JMP 000007ff7e5dd018 .text C:\Windows\system32\lsm.exe[528] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd8629c0 5 bytes JMP 000007ff7e5d7018 .text C:\Windows\system32\lsm.exe[528] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd865340 5 bytes JMP 000007ff7e5da018 .text C:\Windows\system32\lsm.exe[528] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd86aa90 5 bytes JMP 000007ff7e5dc018 .text C:\Windows\system32\lsm.exe[528] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd884320 5 bytes JMP 000007ff7e5db018 .text C:\Windows\system32\lsm.exe[528] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007fefe5c642c 5 bytes JMP 000007ff7e5d2018 .text C:\Windows\system32\lsm.exe[528] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe5c6484 5 bytes JMP 000007ff7e5d1018 .text C:\Windows\system32\lsm.exe[528] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefe5c6518 5 bytes JMP 000007ff7e5d3018 .text C:\Windows\system32\lsm.exe[528] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe5c6c34 5 bytes JMP 000007ff7e5d0018 .text C:\Windows\system32\lsm.exe[528] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe5c75e8 5 bytes JMP 000007ff7e5d5018 .text C:\Windows\system32\lsm.exe[528] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe5c790c 5 bytes JMP 000007ff7e5d4018 .text C:\Windows\system32\winlogon.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000777d17e0 5 bytes JMP 00000001000c1018 .text C:\Windows\system32\winlogon.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000777d1d30 5 bytes JMP 00000001000c0018 .text C:\Windows\system32\winlogon.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000777d1de0 5 bytes JMP 00000001000c2018 .text C:\Windows\system32\winlogon.exe[576] C:\Windows\system32\kernel32.dll!OpenMutexA 0000000077562ce0 5 bytes JMP 00000001000c5018 .text C:\Windows\system32\winlogon.exe[576] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000775723d0 5 bytes JMP 00000001000c6018 .text C:\Windows\system32\winlogon.exe[576] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 00000000775e9150 5 bytes JMP 00000001000c7018 .text C:\Windows\system32\winlogon.exe[576] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd855440 5 bytes JMP 000007ff7e5d9018 .text C:\Windows\system32\winlogon.exe[576] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd8583d0 5 bytes JMP 000007ff7e5d8018 .text C:\Windows\system32\winlogon.exe[576] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd858ae0 5 bytes JMP 000007ff7e5d6018 .text C:\Windows\system32\winlogon.exe[576] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd85c030 5 bytes JMP 000007ff7e5dd018 .text C:\Windows\system32\winlogon.exe[576] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd8629c0 5 bytes JMP 000007ff7e5d7018 .text C:\Windows\system32\winlogon.exe[576] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd865340 5 bytes JMP 000007ff7e5da018 .text C:\Windows\system32\winlogon.exe[576] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd86aa90 5 bytes JMP 000007ff7e5dc018 .text C:\Windows\system32\winlogon.exe[576] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd884320 5 bytes JMP 000007ff7e5db018 .text C:\Windows\system32\winlogon.exe[576] C:\Windows\system32\USER32.dll!SetWindowsHookExW 000000007768f874 5 bytes JMP 00000001000c4018 .text C:\Windows\system32\winlogon.exe[576] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00000000776a8c20 5 bytes JMP 00000001000c3018 .text C:\Windows\system32\winlogon.exe[576] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007fefe5c642c 5 bytes JMP 000007ff7e5d2018 .text C:\Windows\system32\winlogon.exe[576] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe5c6484 5 bytes JMP 000007ff7e5d1018 .text C:\Windows\system32\winlogon.exe[576] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefe5c6518 5 bytes JMP 000007ff7e5d3018 .text C:\Windows\system32\winlogon.exe[576] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe5c6c34 5 bytes JMP 000007ff7e5d0018 .text C:\Windows\system32\winlogon.exe[576] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe5c75e8 5 bytes JMP 000007ff7e5d5018 .text C:\Windows\system32\winlogon.exe[576] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe5c790c 5 bytes JMP 000007ff7e5d4018 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000777d17e0 5 bytes JMP 0000000100181018 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000777d1d30 5 bytes JMP 0000000100180018 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000777d1de0 5 bytes JMP 0000000100182018 .text C:\Windows\system32\svchost.exe[660] C:\Windows\system32\kernel32.dll!OpenMutexA 0000000077562ce0 5 bytes JMP 0000000100185018 .text C:\Windows\system32\svchost.exe[660] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000775723d0 5 bytes JMP 0000000100186018 .text C:\Windows\system32\svchost.exe[660] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 00000000775e9150 5 bytes JMP 0000000100187018 .text C:\Windows\system32\svchost.exe[660] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd855440 5 bytes JMP 000007ff7e5d9018 .text C:\Windows\system32\svchost.exe[660] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd8583d0 5 bytes JMP 000007ff7e5d8018 .text C:\Windows\system32\svchost.exe[660] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd858ae0 5 bytes JMP 000007ff7e5d6018 .text C:\Windows\system32\svchost.exe[660] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd85c030 5 bytes JMP 000007ff7e5dd018 .text C:\Windows\system32\svchost.exe[660] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd8629c0 5 bytes JMP 000007ff7e5d7018 .text C:\Windows\system32\svchost.exe[660] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd865340 5 bytes JMP 000007ff7e5da018 .text C:\Windows\system32\svchost.exe[660] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd86aa90 5 bytes JMP 000007ff7e5dc018 .text C:\Windows\system32\svchost.exe[660] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd884320 5 bytes JMP 000007ff7e5db018 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007fefe5c642c 5 bytes JMP 000007ff7e5d2018 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe5c6484 5 bytes JMP 000007ff7e5d1018 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefe5c6518 5 bytes JMP 000007ff7e5d3018 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe5c6c34 5 bytes JMP 000007ff7e5d0018 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe5c75e8 5 bytes JMP 000007ff7e5d5018 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe5c790c 5 bytes JMP 000007ff7e5d4018 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000777d17e0 5 bytes JMP 0000000100181018 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000777d1d30 5 bytes JMP 0000000100180018 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000777d1de0 5 bytes JMP 0000000100182018 .text C:\Windows\system32\svchost.exe[744] C:\Windows\system32\kernel32.dll!OpenMutexA 0000000077562ce0 5 bytes JMP 0000000100185018 .text C:\Windows\system32\svchost.exe[744] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000775723d0 5 bytes JMP 0000000100186018 .text C:\Windows\system32\svchost.exe[744] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 00000000775e9150 5 bytes JMP 0000000100187018 .text C:\Windows\system32\svchost.exe[744] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd855440 5 bytes JMP 000007ff7e5d9018 .text C:\Windows\system32\svchost.exe[744] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd8583d0 5 bytes JMP 000007ff7e5d8018 .text C:\Windows\system32\svchost.exe[744] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd858ae0 5 bytes JMP 000007ff7e5d6018 .text C:\Windows\system32\svchost.exe[744] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd85c030 5 bytes JMP 000007ff7e5dd018 .text C:\Windows\system32\svchost.exe[744] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd8629c0 5 bytes JMP 000007ff7e5d7018 .text C:\Windows\system32\svchost.exe[744] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd865340 5 bytes JMP 000007ff7e5da018 .text C:\Windows\system32\svchost.exe[744] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd86aa90 5 bytes JMP 000007ff7e5dc018 .text C:\Windows\system32\svchost.exe[744] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd884320 5 bytes JMP 000007ff7e5db018 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007fefe5c642c 5 bytes JMP 000007ff7e5d2018 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe5c6484 5 bytes JMP 000007ff7e5d1018 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefe5c6518 5 bytes JMP 000007ff7e5d3018 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe5c6c34 5 bytes JMP 000007ff7e5d0018 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe5c75e8 5 bytes JMP 000007ff7e5d5018 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe5c790c 5 bytes JMP 000007ff7e5d4018 .text C:\Windows\System32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000777d17e0 5 bytes JMP 0000000100d51018 .text C:\Windows\System32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000777d1d30 5 bytes JMP 0000000100d50018 .text C:\Windows\System32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000777d1de0 5 bytes JMP 0000000100d52018 .text C:\Windows\System32\svchost.exe[844] C:\Windows\system32\kernel32.dll!OpenMutexA 0000000077562ce0 5 bytes JMP 0000000100d55018 .text C:\Windows\System32\svchost.exe[844] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000775723d0 5 bytes JMP 0000000100d56018 .text C:\Windows\System32\svchost.exe[844] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 00000000775e9150 4 bytes JMP 0000000100d57018 .text C:\Windows\System32\svchost.exe[844] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd855440 5 bytes JMP 000007ff7e5d9018 .text C:\Windows\System32\svchost.exe[844] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd8583d0 5 bytes JMP 000007ff7e5d8018 .text C:\Windows\System32\svchost.exe[844] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd858ae0 5 bytes JMP 000007ff7e5d6018 .text C:\Windows\System32\svchost.exe[844] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd85c030 5 bytes JMP 000007ff7e5dd018 .text C:\Windows\System32\svchost.exe[844] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd8629c0 5 bytes JMP 000007ff7e5d7018 .text C:\Windows\System32\svchost.exe[844] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd865340 5 bytes JMP 000007ff7e5da018 .text C:\Windows\System32\svchost.exe[844] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd86aa90 5 bytes JMP 000007ff7e5dc018 .text C:\Windows\System32\svchost.exe[844] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd884320 5 bytes JMP 000007ff7e5db018 .text C:\Windows\System32\svchost.exe[844] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007fefe5c642c 5 bytes JMP 000007ff7e5d2018 .text C:\Windows\System32\svchost.exe[844] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe5c6484 5 bytes JMP 000007ff7e5d1018 .text C:\Windows\System32\svchost.exe[844] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefe5c6518 5 bytes JMP 000007ff7e5d3018 .text C:\Windows\System32\svchost.exe[844] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe5c6c34 5 bytes JMP 000007ff7e5d0018 .text C:\Windows\System32\svchost.exe[844] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe5c75e8 5 bytes JMP 000007ff7e5d5018 .text C:\Windows\System32\svchost.exe[844] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe5c790c 5 bytes JMP 000007ff7e5d4018 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000777d17e0 5 bytes JMP 00000001009b1018 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000777d1d30 5 bytes JMP 00000001009b0018 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000777d1de0 5 bytes JMP 00000001009b2018 .text C:\Windows\System32\svchost.exe[876] C:\Windows\system32\kernel32.dll!OpenMutexA 0000000077562ce0 5 bytes JMP 00000001009b5018 .text C:\Windows\System32\svchost.exe[876] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000775723d0 5 bytes JMP 00000001009b6018 .text C:\Windows\System32\svchost.exe[876] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 00000000775e9150 4 bytes JMP 00000001009b7018 .text C:\Windows\System32\svchost.exe[876] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd855440 5 bytes JMP 000007ff7e5d9018 .text C:\Windows\System32\svchost.exe[876] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd8583d0 5 bytes JMP 000007ff7e5d8018 .text C:\Windows\System32\svchost.exe[876] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd858ae0 5 bytes JMP 000007ff7e5d6018 .text C:\Windows\System32\svchost.exe[876] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd85c030 5 bytes JMP 000007ff7e5dd018 .text C:\Windows\System32\svchost.exe[876] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd8629c0 5 bytes JMP 000007ff7e5d7018 .text C:\Windows\System32\svchost.exe[876] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd865340 5 bytes JMP 000007ff7e5da018 .text C:\Windows\System32\svchost.exe[876] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd86aa90 5 bytes JMP 000007ff7e5dc018 .text C:\Windows\System32\svchost.exe[876] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd884320 5 bytes JMP 000007ff7e5db018 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007fefe5c642c 5 bytes JMP 000007ff7e5d2018 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe5c6484 5 bytes JMP 000007ff7e5d1018 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefe5c6518 5 bytes JMP 000007ff7e5d3018 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe5c6c34 5 bytes JMP 000007ff7e5d0018 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe5c75e8 5 bytes JMP 000007ff7e5d5018 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe5c790c 5 bytes JMP 000007ff7e5d4018 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000777d17e0 5 bytes JMP 0000000100301018 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000777d1d30 5 bytes JMP 0000000100300018 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000777d1de0 5 bytes JMP 0000000100302018 .text C:\Windows\system32\svchost.exe[904] C:\Windows\system32\kernel32.dll!OpenMutexA 0000000077562ce0 5 bytes JMP 0000000100305018 .text C:\Windows\system32\svchost.exe[904] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000775723d0 5 bytes JMP 0000000100306018 .text C:\Windows\system32\svchost.exe[904] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 00000000775e9150 5 bytes JMP 0000000100307018 .text C:\Windows\system32\svchost.exe[904] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd855440 5 bytes JMP 000007ff7e5d9018 .text C:\Windows\system32\svchost.exe[904] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd8583d0 5 bytes JMP 000007ff7e5d8018 .text C:\Windows\system32\svchost.exe[904] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd858ae0 5 bytes JMP 000007ff7e5d6018 .text C:\Windows\system32\svchost.exe[904] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd85c030 5 bytes JMP 000007ff7e5dd018 .text C:\Windows\system32\svchost.exe[904] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd8629c0 5 bytes JMP 000007ff7e5d7018 .text C:\Windows\system32\svchost.exe[904] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd865340 5 bytes JMP 000007ff7e5da018 .text C:\Windows\system32\svchost.exe[904] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd86aa90 5 bytes JMP 000007ff7e5dc018 .text C:\Windows\system32\svchost.exe[904] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd884320 5 bytes JMP 000007ff7e5db018 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007fefe5c642c 5 bytes JMP 000007ff7e5d2018 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe5c6484 5 bytes JMP 000007ff7e5d1018 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefe5c6518 5 bytes JMP 000007ff7e5d3018 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe5c6c34 5 bytes JMP 000007ff7e5d0018 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe5c75e8 5 bytes JMP 000007ff7e5d5018 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe5c790c 5 bytes JMP 000007ff7e5d4018 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000777d17e0 5 bytes JMP 0000000101071018 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000777d1d30 5 bytes JMP 0000000101070018 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000777d1de0 5 bytes JMP 0000000101072018 .text C:\Windows\system32\svchost.exe[928] C:\Windows\system32\kernel32.dll!OpenMutexA 0000000077562ce0 5 bytes JMP 0000000101075018 .text C:\Windows\system32\svchost.exe[928] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000775723d0 5 bytes JMP 0000000101076018 .text C:\Windows\system32\svchost.exe[928] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 00000000775e9150 4 bytes JMP 0000000101077018 .text C:\Windows\system32\svchost.exe[928] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd855440 5 bytes JMP 000007ff7e5d9018 .text C:\Windows\system32\svchost.exe[928] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd8583d0 5 bytes JMP 000007ff7e5d8018 .text C:\Windows\system32\svchost.exe[928] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd858ae0 5 bytes JMP 000007ff7e5d6018 .text C:\Windows\system32\svchost.exe[928] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd85c030 5 bytes JMP 000007ff7e5dd018 .text C:\Windows\system32\svchost.exe[928] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd8629c0 5 bytes JMP 000007ff7e5d7018 .text C:\Windows\system32\svchost.exe[928] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd865340 5 bytes JMP 000007ff7e5da018 .text C:\Windows\system32\svchost.exe[928] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd86aa90 5 bytes JMP 000007ff7e5dc018 .text C:\Windows\system32\svchost.exe[928] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd884320 5 bytes JMP 000007ff7e5db018 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007fefe5c642c 5 bytes JMP 000007ff7e5d2018 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe5c6484 5 bytes JMP 000007ff7e5d1018 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefe5c6518 5 bytes JMP 000007ff7e5d3018 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe5c6c34 5 bytes JMP 000007ff7e5d0018 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe5c75e8 5 bytes JMP 000007ff7e5d5018 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe5c790c 5 bytes JMP 000007ff7e5d4018 ? C:\Windows\system32\tschannel.dll [928] entry point in ".rsrc" section 000007fefbff6894 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000777d17e0 5 bytes JMP 0000000101871018 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000777d1d30 5 bytes JMP 0000000101870018 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000777d1de0 5 bytes JMP 0000000101872018 .text C:\Windows\system32\svchost.exe[444] C:\Windows\system32\kernel32.dll!OpenMutexA 0000000077562ce0 5 bytes JMP 0000000101875018 .text C:\Windows\system32\svchost.exe[444] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000775723d0 5 bytes JMP 0000000101876018 .text C:\Windows\system32\svchost.exe[444] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 00000000775e9150 5 bytes JMP 0000000101877018 .text C:\Windows\system32\svchost.exe[444] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd855440 5 bytes JMP 000007ff7e5d9018 .text C:\Windows\system32\svchost.exe[444] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd8583d0 5 bytes JMP 000007ff7e5d8018 .text C:\Windows\system32\svchost.exe[444] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd858ae0 5 bytes JMP 000007ff7e5d6018 .text C:\Windows\system32\svchost.exe[444] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd85c030 5 bytes JMP 000007ff7e5dd018 .text C:\Windows\system32\svchost.exe[444] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd8629c0 5 bytes JMP 000007ff7e5d7018 .text C:\Windows\system32\svchost.exe[444] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd865340 5 bytes JMP 000007ff7e5da018 .text C:\Windows\system32\svchost.exe[444] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd86aa90 5 bytes JMP 000007ff7e5dc018 .text C:\Windows\system32\svchost.exe[444] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd884320 5 bytes JMP 000007ff7e5db018 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007fefe5c642c 5 bytes JMP 000007ff7e5d2018 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe5c6484 5 bytes JMP 000007ff7e5d1018 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefe5c6518 5 bytes JMP 000007ff7e5d3018 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe5c6c34 5 bytes JMP 000007ff7e5d0018 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe5c75e8 5 bytes JMP 000007ff7e5d5018 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe5c790c 5 bytes JMP 000007ff7e5d4018 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000777d17e0 5 bytes JMP 0000000100aa1018 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000777d1d30 5 bytes JMP 0000000100aa0018 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000777d1de0 5 bytes JMP 0000000100aa2018 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\system32\kernel32.dll!OpenMutexA 0000000077562ce0 5 bytes JMP 0000000100aa5018 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000775723d0 5 bytes JMP 0000000100aa6018 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 00000000775e9150 4 bytes JMP 0000000100aa7018 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd855440 5 bytes JMP 000007ff7e5d9018 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd8583d0 5 bytes JMP 000007ff7e5d8018 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd858ae0 5 bytes JMP 000007ff7e5d6018 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd85c030 5 bytes JMP 000007ff7e5dd018 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd8629c0 5 bytes JMP 000007ff7e5d7018 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd865340 5 bytes JMP 000007ff7e5da018 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd86aa90 5 bytes JMP 000007ff7e5dc018 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd884320 5 bytes JMP 000007ff7e5db018 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007fefe5c642c 5 bytes JMP 000007ff7e5d2018 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe5c6484 5 bytes JMP 000007ff7e5d1018 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefe5c6518 5 bytes JMP 000007ff7e5d3018 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe5c6c34 5 bytes JMP 000007ff7e5d0018 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe5c75e8 5 bytes JMP 000007ff7e5d5018 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe5c790c 5 bytes JMP 000007ff7e5d4018 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1276] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 000000007797ffcc 5 bytes JMP 000000010025100c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1276] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 00000000779807f4 5 bytes JMP 000000010025000c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1276] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000779808fc 5 bytes JMP 000000010025200c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1276] C:\Windows\syswow64\kernel32.dll!OpenMutexA 000000007697ec57 5 bytes JMP 000000010025c00c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1276] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076983b7a 5 bytes JMP 000000010025e00c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1276] C:\Windows\syswow64\kernel32.dll!CreateDirectoryExW 00000000769d85d9 5 bytes JMP 000000010025f00c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1276] C:\Windows\syswow64\KERNELBASE.dll!GetFileSizeEx 000000007690ce45 5 bytes JMP 000000010026200c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1276] C:\Windows\syswow64\KERNELBASE.dll!GetFileSize 000000007690dfea 5 bytes JMP 000000010026100c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1276] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 000000007690ec98 5 bytes JMP 000000010026300c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1276] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexExW 0000000076910efc 5 bytes JMP 000000010025b00c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1276] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000076911371 5 bytes JMP 000000010025d00c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1276] C:\Windows\syswow64\KERNELBASE.dll!TerminateThread 0000000076913986 5 bytes JMP 000000010026500c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1276] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx 0000000076913e6b 2 bytes JMP 000000010026400c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1276] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx + 3 0000000076913e6e 2 bytes [95, 89] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1276] C:\Windows\syswow64\KERNELBASE.dll!CreateDirectoryW 000000007691923e 5 bytes JMP 000000010026000c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1276] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076ce7603 5 bytes JMP 000000010025400c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1276] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076ce835c 5 bytes JMP 000000010025300c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1276] C:\Windows\SysWOW64\sechost.dll!ControlService 00000000761c4d5c 5 bytes JMP 000000010025700c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1276] C:\Windows\SysWOW64\sechost.dll!CloseServiceHandle 00000000761c4dc3 5 bytes JMP 000000010025800c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1276] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000761c567c 5 bytes JMP 000000010025a00c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1276] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000761c589f 5 bytes JMP 000000010025900c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1276] C:\Windows\SysWOW64\sechost.dll!OpenServiceW 00000000761c714b 5 bytes JMP 000000010025600c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1276] C:\Windows\SysWOW64\sechost.dll!OpenServiceA 00000000761c7245 5 bytes JMP 000000010025500c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1276] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076a61465 2 bytes [A6, 76] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1276] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076a614bb 2 bytes [A6, 76] .text ... * 2 .text C:\Windows\system32\taskhost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000777d17e0 5 bytes JMP 0000000101e41018 .text C:\Windows\system32\taskhost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000777d1d30 5 bytes JMP 0000000101e40018 .text C:\Windows\system32\taskhost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000777d1de0 5 bytes JMP 0000000101e42018 .text C:\Windows\system32\taskhost.exe[1364] C:\Windows\system32\kernel32.dll!OpenMutexA 0000000077562ce0 5 bytes JMP 0000000101e45018 .text C:\Windows\system32\taskhost.exe[1364] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000775723d0 5 bytes JMP 0000000101e46018 .text C:\Windows\system32\taskhost.exe[1364] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 00000000775e9150 5 bytes JMP 0000000101e47018 .text C:\Windows\system32\taskhost.exe[1364] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd855440 5 bytes JMP 000007ff7e5d9018 .text C:\Windows\system32\taskhost.exe[1364] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd8583d0 5 bytes JMP 000007ff7e5d8018 .text C:\Windows\system32\taskhost.exe[1364] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd858ae0 5 bytes JMP 000007ff7e5d6018 .text C:\Windows\system32\taskhost.exe[1364] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd85c030 5 bytes JMP 000007ff7e5dd018 .text C:\Windows\system32\taskhost.exe[1364] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd8629c0 5 bytes JMP 000007ff7e5d7018 .text C:\Windows\system32\taskhost.exe[1364] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd865340 5 bytes JMP 000007ff7e5da018 .text C:\Windows\system32\taskhost.exe[1364] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd86aa90 5 bytes JMP 000007ff7e5dc018 .text C:\Windows\system32\taskhost.exe[1364] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd884320 5 bytes JMP 000007ff7e5db018 .text C:\Windows\system32\taskhost.exe[1364] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007fefe5c642c 5 bytes JMP 000007ff7e5d2018 .text C:\Windows\system32\taskhost.exe[1364] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe5c6484 5 bytes JMP 000007ff7e5d1018 .text C:\Windows\system32\taskhost.exe[1364] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefe5c6518 5 bytes JMP 000007ff7e5d3018 .text C:\Windows\system32\taskhost.exe[1364] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe5c6c34 5 bytes JMP 000007ff7e5d0018 .text C:\Windows\system32\taskhost.exe[1364] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe5c75e8 5 bytes JMP 000007ff7e5d5018 .text C:\Windows\system32\taskhost.exe[1364] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe5c790c 5 bytes JMP 000007ff7e5d4018 .text C:\Windows\system32\Dwm.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000777d17e0 5 bytes JMP 0000000101de1018 .text C:\Windows\system32\Dwm.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000777d1d30 5 bytes JMP 0000000101de0018 .text C:\Windows\system32\Dwm.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000777d1de0 5 bytes JMP 0000000101de2018 .text C:\Windows\system32\Dwm.exe[1408] C:\Windows\system32\kernel32.dll!OpenMutexA 0000000077562ce0 5 bytes JMP 0000000101de5018 .text C:\Windows\system32\Dwm.exe[1408] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000775723d0 5 bytes JMP 0000000101de6018 .text C:\Windows\system32\Dwm.exe[1408] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 00000000775e9150 5 bytes JMP 0000000101de7018 .text C:\Windows\system32\Dwm.exe[1408] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd855440 5 bytes JMP 000007ff7e5d9018 .text C:\Windows\system32\Dwm.exe[1408] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd8583d0 5 bytes JMP 000007ff7e5d8018 .text C:\Windows\system32\Dwm.exe[1408] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd858ae0 5 bytes JMP 000007ff7e5d6018 .text C:\Windows\system32\Dwm.exe[1408] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd85c030 5 bytes JMP 000007ff7e5dd018 .text C:\Windows\system32\Dwm.exe[1408] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd8629c0 5 bytes JMP 000007ff7e5d7018 .text C:\Windows\system32\Dwm.exe[1408] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd865340 5 bytes JMP 000007ff7e5da018 .text C:\Windows\system32\Dwm.exe[1408] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd86aa90 5 bytes JMP 000007ff7e5dc018 .text C:\Windows\system32\Dwm.exe[1408] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd884320 5 bytes JMP 000007ff7e5db018 .text C:\Windows\system32\Dwm.exe[1408] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007fefe5c642c 5 bytes JMP 000007ff7e5d2018 .text C:\Windows\system32\Dwm.exe[1408] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe5c6484 5 bytes JMP 000007ff7e5d1018 .text C:\Windows\system32\Dwm.exe[1408] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefe5c6518 5 bytes JMP 000007ff7e5d3018 .text C:\Windows\system32\Dwm.exe[1408] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe5c6c34 5 bytes JMP 000007ff7e5d0018 .text C:\Windows\system32\Dwm.exe[1408] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe5c75e8 5 bytes JMP 000007ff7e5d5018 .text C:\Windows\system32\Dwm.exe[1408] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe5c790c 5 bytes JMP 000007ff7e5d4018 .text C:\Windows\Explorer.EXE[1432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000777d17e0 5 bytes JMP 0000000103661018 .text C:\Windows\Explorer.EXE[1432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000777d1d30 5 bytes JMP 0000000103660018 .text C:\Windows\Explorer.EXE[1432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000777d1de0 5 bytes JMP 0000000103662018 .text C:\Windows\Explorer.EXE[1432] C:\Windows\system32\kernel32.dll!OpenMutexA 0000000077562ce0 5 bytes JMP 0000000103665018 .text C:\Windows\Explorer.EXE[1432] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000775723d0 5 bytes JMP 0000000103666018 .text C:\Windows\Explorer.EXE[1432] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 00000000775e9150 5 bytes JMP 0000000103667018 .text C:\Windows\Explorer.EXE[1432] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd855440 5 bytes JMP 000007ff7e5d9018 .text C:\Windows\Explorer.EXE[1432] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd8583d0 5 bytes JMP 000007ff7e5d8018 .text C:\Windows\Explorer.EXE[1432] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd858ae0 5 bytes JMP 000007ff7e5d6018 .text C:\Windows\Explorer.EXE[1432] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd85c030 5 bytes JMP 000007ff7e5dd018 .text C:\Windows\Explorer.EXE[1432] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd8629c0 5 bytes JMP 000007ff7e5d7018 .text C:\Windows\Explorer.EXE[1432] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd865340 5 bytes JMP 000007ff7e5da018 .text C:\Windows\Explorer.EXE[1432] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd86aa90 5 bytes JMP 000007ff7e5dc018 .text C:\Windows\Explorer.EXE[1432] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd884320 5 bytes JMP 000007ff7e5db018 .text C:\Windows\Explorer.EXE[1432] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007fefe5c642c 5 bytes JMP 000007ff7e5d2018 .text C:\Windows\Explorer.EXE[1432] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe5c6484 5 bytes JMP 000007ff7e5d1018 .text C:\Windows\Explorer.EXE[1432] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefe5c6518 5 bytes JMP 000007ff7e5d3018 .text C:\Windows\Explorer.EXE[1432] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe5c6c34 5 bytes JMP 000007ff7e5d0018 .text C:\Windows\Explorer.EXE[1432] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe5c75e8 5 bytes JMP 000007ff7e5d5018 .text C:\Windows\Explorer.EXE[1432] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe5c790c 5 bytes JMP 000007ff7e5d4018 .text C:\Windows\Explorer.EXE[1432] C:\Windows\system32\USER32.dll!SetWindowsHookExW 000000007768f874 5 bytes JMP 0000000103664018 .text C:\Windows\Explorer.EXE[1432] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00000000776a8c20 5 bytes JMP 0000000103663018 .text C:\Program Files (x86)\F-Secure\apps\CCF_Reputation\fsorsp.exe[1716] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076a61465 2 bytes [A6, 76] .text C:\Program Files (x86)\F-Secure\apps\CCF_Reputation\fsorsp.exe[1716] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076a614bb 2 bytes [A6, 76] .text ... * 2 .text C:\Program Files (x86)\PANDORA.TV\PanService\PandoraService.exe[1740] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 000000007797ffcc 5 bytes JMP 000000010329100c .text C:\Program Files (x86)\PANDORA.TV\PanService\PandoraService.exe[1740] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 00000000779807f4 5 bytes JMP 000000010329000c .text C:\Program Files (x86)\PANDORA.TV\PanService\PandoraService.exe[1740] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000779808fc 5 bytes JMP 000000010329200c .text C:\Program Files (x86)\PANDORA.TV\PanService\PandoraService.exe[1740] C:\Windows\syswow64\kernel32.dll!OpenMutexA 000000007697ec57 5 bytes JMP 000000010329c00c .text C:\Program Files (x86)\PANDORA.TV\PanService\PandoraService.exe[1740] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076983b7a 5 bytes JMP 000000010329e00c .text C:\Program Files (x86)\PANDORA.TV\PanService\PandoraService.exe[1740] C:\Windows\syswow64\kernel32.dll!CreateDirectoryExW 00000000769d85d9 5 bytes JMP 000000010329f00c .text C:\Program Files (x86)\PANDORA.TV\PanService\PandoraService.exe[1740] C:\Windows\syswow64\KERNELBASE.dll!GetFileSizeEx 000000007690ce45 5 bytes JMP 00000001032a200c .text C:\Program Files (x86)\PANDORA.TV\PanService\PandoraService.exe[1740] C:\Windows\syswow64\KERNELBASE.dll!GetFileSize 000000007690dfea 5 bytes JMP 00000001032a100c .text C:\Program Files (x86)\PANDORA.TV\PanService\PandoraService.exe[1740] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 000000007690ec98 5 bytes JMP 00000001032a300c .text C:\Program Files (x86)\PANDORA.TV\PanService\PandoraService.exe[1740] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexExW 0000000076910efc 5 bytes JMP 000000010329b00c .text C:\Program Files (x86)\PANDORA.TV\PanService\PandoraService.exe[1740] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000076911371 5 bytes JMP 000000010329d00c .text C:\Program Files (x86)\PANDORA.TV\PanService\PandoraService.exe[1740] C:\Windows\syswow64\KERNELBASE.dll!TerminateThread 0000000076913986 5 bytes JMP 00000001032a500c .text C:\Program Files (x86)\PANDORA.TV\PanService\PandoraService.exe[1740] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx 0000000076913e6b 2 bytes JMP 00000001032a400c .text C:\Program Files (x86)\PANDORA.TV\PanService\PandoraService.exe[1740] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx + 3 0000000076913e6e 2 bytes [99, 8C] .text C:\Program Files (x86)\PANDORA.TV\PanService\PandoraService.exe[1740] C:\Windows\syswow64\KERNELBASE.dll!CreateDirectoryW 000000007691923e 5 bytes JMP 00000001032a000c .text C:\Program Files (x86)\PANDORA.TV\PanService\PandoraService.exe[1740] C:\Windows\SysWOW64\sechost.dll!ControlService 00000000761c4d5c 5 bytes JMP 000000010329700c .text C:\Program Files (x86)\PANDORA.TV\PanService\PandoraService.exe[1740] C:\Windows\SysWOW64\sechost.dll!CloseServiceHandle 00000000761c4dc3 5 bytes JMP 000000010329800c .text C:\Program Files (x86)\PANDORA.TV\PanService\PandoraService.exe[1740] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000761c567c 5 bytes JMP 000000010329a00c .text C:\Program Files (x86)\PANDORA.TV\PanService\PandoraService.exe[1740] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000761c589f 5 bytes JMP 000000010329900c .text C:\Program Files (x86)\PANDORA.TV\PanService\PandoraService.exe[1740] C:\Windows\SysWOW64\sechost.dll!OpenServiceW 00000000761c714b 5 bytes JMP 000000010329600c .text C:\Program Files (x86)\PANDORA.TV\PanService\PandoraService.exe[1740] C:\Windows\SysWOW64\sechost.dll!OpenServiceA 00000000761c7245 5 bytes JMP 000000010329500c .text C:\Program Files (x86)\PANDORA.TV\PanService\PandoraService.exe[1740] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076ce7603 5 bytes JMP 000000010329400c .text C:\Program Files (x86)\PANDORA.TV\PanService\PandoraService.exe[1740] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076ce835c 5 bytes JMP 000000010329300c .text C:\Program Files (x86)\PANDORA.TV\PanService\PandoraService.exe[1740] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076a61465 2 bytes [A6, 76] .text C:\Program Files (x86)\PANDORA.TV\PanService\PandoraService.exe[1740] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076a614bb 2 bytes [A6, 76] .text ... * 2 .text C:\Windows\system32\svchost.exe[1876] C:\Windows\system32\kernel32.dll!OpenMutexA 0000000077562ce0 5 bytes JMP 0000000100495018 .text C:\Windows\system32\svchost.exe[1876] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000775723d0 5 bytes JMP 0000000100496018 .text C:\Windows\system32\svchost.exe[1876] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 00000000775e9150 5 bytes JMP 0000000100497018 .text C:\Windows\system32\svchost.exe[1876] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd855440 5 bytes JMP 000007ff7e5d9018 .text C:\Windows\system32\svchost.exe[1876] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd8583d0 5 bytes JMP 000007ff7e5d8018 .text C:\Windows\system32\svchost.exe[1876] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd858ae0 5 bytes JMP 000007ff7e5d6018 .text C:\Windows\system32\svchost.exe[1876] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd85c030 5 bytes JMP 000007ff7e5dd018 .text C:\Windows\system32\svchost.exe[1876] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd8629c0 5 bytes JMP 000007ff7e5d7018 .text C:\Windows\system32\svchost.exe[1876] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd865340 5 bytes JMP 000007ff7e5da018 .text C:\Windows\system32\svchost.exe[1876] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd86aa90 5 bytes JMP 000007ff7e5dc018 .text C:\Windows\system32\svchost.exe[1876] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd884320 5 bytes JMP 000007ff7e5db018 .text C:\Windows\system32\svchost.exe[1876] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007fefe5c642c 5 bytes JMP 000007ff7e5d2018 .text C:\Windows\system32\svchost.exe[1876] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe5c6484 5 bytes JMP 000007ff7e5d1018 .text C:\Windows\system32\svchost.exe[1876] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefe5c6518 5 bytes JMP 000007ff7e5d3018 .text C:\Windows\system32\svchost.exe[1876] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe5c6c34 5 bytes JMP 000007ff7e5d0018 .text C:\Windows\system32\svchost.exe[1876] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe5c75e8 5 bytes JMP 000007ff7e5d5018 .text C:\Windows\system32\svchost.exe[1876] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe5c790c 5 bytes JMP 000007ff7e5d4018 .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[1916] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 000000007797ffcc 5 bytes JMP 000000010014100c .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[1916] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 00000000779807f4 5 bytes JMP 000000010014000c .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[1916] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000779808fc 5 bytes JMP 000000010014200c .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[1916] C:\Windows\syswow64\kernel32.dll!OpenMutexA 000000007697ec57 5 bytes JMP 000000010014c00c .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[1916] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076983b7a 5 bytes JMP 000000010014e00c .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[1916] C:\Windows\syswow64\kernel32.dll!CreateDirectoryExW 00000000769d85d9 5 bytes JMP 000000010014f00c .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[1916] C:\Windows\syswow64\KERNELBASE.dll!GetFileSizeEx 000000007690ce45 5 bytes JMP 000000010015200c .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[1916] C:\Windows\syswow64\KERNELBASE.dll!GetFileSize 000000007690dfea 5 bytes JMP 000000010015100c .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[1916] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 000000007690ec98 5 bytes JMP 000000010015300c .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[1916] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexExW 0000000076910efc 5 bytes JMP 000000010014b00c .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[1916] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000076911371 5 bytes JMP 000000010014d00c .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[1916] C:\Windows\syswow64\KERNELBASE.dll!TerminateThread 0000000076913986 5 bytes JMP 000000010015500c .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[1916] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx 0000000076913e6b 2 bytes JMP 000000010015400c .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[1916] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx + 3 0000000076913e6e 2 bytes [84, 89] .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[1916] C:\Windows\syswow64\KERNELBASE.dll!CreateDirectoryW 000000007691923e 5 bytes JMP 000000010015000c .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[1916] C:\Windows\SysWOW64\sechost.dll!ControlService 00000000761c4d5c 5 bytes JMP 000000010014700c .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[1916] C:\Windows\SysWOW64\sechost.dll!CloseServiceHandle 00000000761c4dc3 5 bytes JMP 000000010014800c .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[1916] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000761c567c 5 bytes JMP 000000010014a00c .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[1916] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000761c589f 5 bytes JMP 000000010014900c .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[1916] C:\Windows\SysWOW64\sechost.dll!OpenServiceW 00000000761c714b 5 bytes JMP 000000010014600c .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[1916] C:\Windows\SysWOW64\sechost.dll!OpenServiceA 00000000761c7245 5 bytes JMP 000000010014500c .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[1916] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076ce7603 5 bytes JMP 000000010014400c .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[1916] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076ce835c 5 bytes JMP 000000010014300c .text C:\Windows\System32\igfxtray.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000777d17e0 5 bytes JMP 0000000100481018 .text C:\Windows\System32\igfxtray.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000777d1d30 5 bytes JMP 0000000100480018 .text C:\Windows\System32\igfxtray.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000777d1de0 5 bytes JMP 0000000100482018 .text C:\Windows\System32\igfxtray.exe[2004] C:\Windows\system32\kernel32.dll!OpenMutexA 0000000077562ce0 5 bytes JMP 0000000100485018 .text C:\Windows\System32\igfxtray.exe[2004] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000775723d0 5 bytes JMP 0000000100486018 .text C:\Windows\System32\igfxtray.exe[2004] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 00000000775e9150 5 bytes JMP 0000000100487018 .text C:\Windows\System32\igfxtray.exe[2004] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd855440 5 bytes JMP 000007ff7e5d9018 .text C:\Windows\System32\igfxtray.exe[2004] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd8583d0 5 bytes JMP 000007ff7e5d8018 .text C:\Windows\System32\igfxtray.exe[2004] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd858ae0 5 bytes JMP 000007ff7e5d6018 .text C:\Windows\System32\igfxtray.exe[2004] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd85c030 5 bytes JMP 000007ff7e5dd018 .text C:\Windows\System32\igfxtray.exe[2004] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd8629c0 5 bytes JMP 000007ff7e5d7018 .text C:\Windows\System32\igfxtray.exe[2004] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd865340 5 bytes JMP 000007ff7e5da018 .text C:\Windows\System32\igfxtray.exe[2004] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd86aa90 5 bytes JMP 000007ff7e5dc018 .text C:\Windows\System32\igfxtray.exe[2004] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd884320 5 bytes JMP 000007ff7e5db018 .text C:\Windows\System32\igfxtray.exe[2004] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007fefe5c642c 5 bytes JMP 000007ff7e5d2018 .text C:\Windows\System32\igfxtray.exe[2004] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe5c6484 5 bytes JMP 000007ff7e5d1018 .text C:\Windows\System32\igfxtray.exe[2004] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefe5c6518 5 bytes JMP 000007ff7e5d3018 .text C:\Windows\System32\igfxtray.exe[2004] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe5c6c34 5 bytes JMP 000007ff7e5d0018 .text C:\Windows\System32\igfxtray.exe[2004] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe5c75e8 5 bytes JMP 000007ff7e5d5018 .text C:\Windows\System32\igfxtray.exe[2004] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe5c790c 5 bytes JMP 000007ff7e5d4018 .text C:\Windows\System32\hkcmd.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000777d17e0 5 bytes JMP 0000000101cc1018 .text C:\Windows\System32\hkcmd.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000777d1d30 5 bytes JMP 0000000101cc0018 .text C:\Windows\System32\hkcmd.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000777d1de0 5 bytes JMP 0000000101cc2018 .text C:\Windows\System32\hkcmd.exe[2032] C:\Windows\system32\kernel32.dll!OpenMutexA 0000000077562ce0 5 bytes JMP 0000000101cc5018 .text C:\Windows\System32\hkcmd.exe[2032] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000775723d0 5 bytes JMP 0000000101cc6018 .text C:\Windows\System32\hkcmd.exe[2032] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 00000000775e9150 5 bytes JMP 0000000101cc7018 .text C:\Windows\System32\hkcmd.exe[2032] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd855440 5 bytes JMP 000007ff7e5d9018 .text C:\Windows\System32\hkcmd.exe[2032] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd8583d0 5 bytes JMP 000007ff7e5d8018 .text C:\Windows\System32\hkcmd.exe[2032] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd858ae0 5 bytes JMP 000007ff7e5d6018 .text C:\Windows\System32\hkcmd.exe[2032] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd85c030 5 bytes JMP 000007ff7e5dd018 .text C:\Windows\System32\hkcmd.exe[2032] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd8629c0 5 bytes JMP 000007ff7e5d7018 .text C:\Windows\System32\hkcmd.exe[2032] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd865340 5 bytes JMP 000007ff7e5da018 .text C:\Windows\System32\hkcmd.exe[2032] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd86aa90 5 bytes JMP 000007ff7e5dc018 .text C:\Windows\System32\hkcmd.exe[2032] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd884320 5 bytes JMP 000007ff7e5db018 .text C:\Windows\System32\hkcmd.exe[2032] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007fefe5c642c 5 bytes JMP 000007ff7e5d2018 .text C:\Windows\System32\hkcmd.exe[2032] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe5c6484 5 bytes JMP 000007ff7e5d1018 .text C:\Windows\System32\hkcmd.exe[2032] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefe5c6518 5 bytes JMP 000007ff7e5d3018 .text C:\Windows\System32\hkcmd.exe[2032] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe5c6c34 5 bytes JMP 000007ff7e5d0018 .text C:\Windows\System32\hkcmd.exe[2032] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe5c75e8 5 bytes JMP 000007ff7e5d5018 .text C:\Windows\System32\hkcmd.exe[2032] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe5c790c 5 bytes JMP 000007ff7e5d4018 .text C:\Windows\System32\igfxpers.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000777d17e0 5 bytes JMP 0000000101df1018 .text C:\Windows\System32\igfxpers.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000777d1d30 5 bytes JMP 0000000101df0018 .text C:\Windows\System32\igfxpers.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000777d1de0 5 bytes JMP 0000000101df2018 .text C:\Windows\System32\igfxpers.exe[1228] C:\Windows\system32\kernel32.dll!OpenMutexA 0000000077562ce0 5 bytes JMP 0000000101df5018 .text C:\Windows\System32\igfxpers.exe[1228] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000775723d0 5 bytes JMP 0000000101df6018 .text C:\Windows\System32\igfxpers.exe[1228] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 00000000775e9150 5 bytes JMP 0000000101df7018 .text C:\Windows\System32\igfxpers.exe[1228] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd855440 5 bytes JMP 000007ff7e5d9018 .text C:\Windows\System32\igfxpers.exe[1228] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd8583d0 5 bytes JMP 000007ff7e5d8018 .text C:\Windows\System32\igfxpers.exe[1228] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd858ae0 5 bytes JMP 000007ff7e5d6018 .text C:\Windows\System32\igfxpers.exe[1228] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd85c030 5 bytes JMP 000007ff7e5dd018 .text C:\Windows\System32\igfxpers.exe[1228] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd8629c0 5 bytes JMP 000007ff7e5d7018 .text C:\Windows\System32\igfxpers.exe[1228] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd865340 5 bytes JMP 000007ff7e5da018 .text C:\Windows\System32\igfxpers.exe[1228] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd86aa90 5 bytes JMP 000007ff7e5dc018 .text C:\Windows\System32\igfxpers.exe[1228] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd884320 5 bytes JMP 000007ff7e5db018 .text C:\Windows\System32\igfxpers.exe[1228] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007fefe5c642c 5 bytes JMP 000007ff7e5d2018 .text C:\Windows\System32\igfxpers.exe[1228] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe5c6484 5 bytes JMP 000007ff7e5d1018 .text C:\Windows\System32\igfxpers.exe[1228] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefe5c6518 5 bytes JMP 000007ff7e5d3018 .text C:\Windows\System32\igfxpers.exe[1228] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe5c6c34 5 bytes JMP 000007ff7e5d0018 .text C:\Windows\System32\igfxpers.exe[1228] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe5c75e8 5 bytes JMP 000007ff7e5d5018 .text C:\Windows\System32\igfxpers.exe[1228] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe5c790c 5 bytes JMP 000007ff7e5d4018 .text C:\Windows\System32\hale.exe[1264] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 000000007797ffcc 5 bytes JMP 0000000102ac100c .text C:\Windows\System32\hale.exe[1264] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 00000000779807f4 5 bytes JMP 0000000102ac000c .text C:\Windows\System32\hale.exe[1264] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000779808fc 5 bytes JMP 0000000102ac200c .text C:\Windows\System32\hale.exe[1264] C:\Windows\syswow64\kernel32.dll!OpenMutexA 000000007697ec57 5 bytes JMP 0000000102acc00c .text C:\Windows\System32\hale.exe[1264] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076983b7a 5 bytes JMP 0000000102ace00c .text C:\Windows\System32\hale.exe[1264] C:\Windows\syswow64\kernel32.dll!CreateDirectoryExW 00000000769d85d9 5 bytes JMP 0000000102acf00c .text C:\Windows\System32\hale.exe[1264] C:\Windows\syswow64\KERNELBASE.dll!GetFileSizeEx 000000007690ce45 5 bytes JMP 0000000102ad200c .text C:\Windows\System32\hale.exe[1264] C:\Windows\syswow64\KERNELBASE.dll!GetFileSize 000000007690dfea 5 bytes JMP 0000000102ad100c .text C:\Windows\System32\hale.exe[1264] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 000000007690ec98 5 bytes JMP 0000000102ad300c .text C:\Windows\System32\hale.exe[1264] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexExW 0000000076910efc 5 bytes JMP 0000000102acb00c .text C:\Windows\System32\hale.exe[1264] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000076911371 5 bytes JMP 0000000102acd00c .text C:\Windows\System32\hale.exe[1264] C:\Windows\syswow64\KERNELBASE.dll!TerminateThread 0000000076913986 5 bytes JMP 0000000102ad500c .text C:\Windows\System32\hale.exe[1264] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx 0000000076913e6b 2 bytes JMP 0000000102ad400c .text C:\Windows\System32\hale.exe[1264] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx + 3 0000000076913e6e 2 bytes [1C, 8C] .text C:\Windows\System32\hale.exe[1264] C:\Windows\syswow64\KERNELBASE.dll!CreateDirectoryW 000000007691923e 5 bytes JMP 0000000102ad000c .text C:\Windows\System32\hale.exe[1264] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076ce7603 5 bytes JMP 0000000102ac400c .text C:\Windows\System32\hale.exe[1264] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076ce835c 5 bytes JMP 0000000102ac300c .text C:\Windows\System32\hale.exe[1264] C:\Windows\SysWOW64\sechost.dll!ControlService 00000000761c4d5c 5 bytes JMP 0000000102ac700c .text C:\Windows\System32\hale.exe[1264] C:\Windows\SysWOW64\sechost.dll!CloseServiceHandle 00000000761c4dc3 5 bytes JMP 0000000102ac800c .text C:\Windows\System32\hale.exe[1264] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000761c567c 5 bytes JMP 0000000102aca00c .text C:\Windows\System32\hale.exe[1264] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000761c589f 5 bytes JMP 0000000102ac900c .text C:\Windows\System32\hale.exe[1264] C:\Windows\SysWOW64\sechost.dll!OpenServiceW 00000000761c714b 5 bytes JMP 0000000102ac600c .text C:\Windows\System32\hale.exe[1264] C:\Windows\SysWOW64\sechost.dll!OpenServiceA 00000000761c7245 5 bytes JMP 0000000102ac500c .text C:\Windows\System32\hale.exe[1264] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076a61465 2 bytes [A6, 76] .text C:\Windows\System32\hale.exe[1264] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076a614bb 2 bytes [A6, 76] .text ... * 2 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000777d17e0 5 bytes JMP 0000000101c21018 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000777d1d30 5 bytes JMP 0000000101c20018 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000777d1de0 5 bytes JMP 0000000101c22018 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1360] C:\Windows\system32\kernel32.dll!OpenMutexA 0000000077562ce0 5 bytes JMP 0000000101c25018 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1360] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000775723d0 5 bytes JMP 0000000101c26018 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1360] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 00000000775e9150 5 bytes JMP 0000000101c27018 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1360] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd855440 5 bytes JMP 000007ff7e5d9018 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1360] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd8583d0 5 bytes JMP 000007ff7e5d8018 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1360] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd858ae0 5 bytes JMP 000007ff7e5d6018 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1360] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd85c030 5 bytes JMP 000007ff7e5dd018 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1360] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd8629c0 5 bytes JMP 000007ff7e5d7018 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1360] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd865340 5 bytes JMP 000007ff7e5da018 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1360] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd86aa90 5 bytes JMP 000007ff7e5dc018 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1360] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd884320 5 bytes JMP 000007ff7e5db018 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1360] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007fefe5c642c 5 bytes JMP 000007ff7e5d2018 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1360] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe5c6484 5 bytes JMP 000007ff7e5d1018 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1360] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefe5c6518 5 bytes JMP 000007ff7e5d3018 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1360] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe5c6c34 5 bytes JMP 000007ff7e5d0018 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1360] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe5c75e8 5 bytes JMP 000007ff7e5d5018 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1360] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe5c790c 5 bytes JMP 000007ff7e5d4018 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000777d17e0 5 bytes JMP 0000000100801018 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000777d1d30 5 bytes JMP 0000000100800018 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000777d1de0 5 bytes JMP 0000000100802018 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1312] C:\Windows\system32\kernel32.dll!OpenMutexA 0000000077562ce0 5 bytes JMP 0000000100805018 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1312] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000775723d0 5 bytes JMP 0000000100806018 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1312] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 00000000775e9150 4 bytes JMP 0000000100807018 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1312] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd855440 5 bytes JMP 000007ff7e5d9018 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1312] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd8583d0 5 bytes JMP 000007ff7e5d8018 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1312] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd858ae0 5 bytes JMP 000007ff7e5d6018 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1312] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd85c030 5 bytes JMP 000007ff7e5dd018 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1312] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd8629c0 5 bytes JMP 000007ff7e5d7018 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1312] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd865340 5 bytes JMP 000007ff7e5da018 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1312] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd86aa90 5 bytes JMP 000007ff7e5dc018 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1312] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd884320 5 bytes JMP 000007ff7e5db018 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1312] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007fefe5c642c 5 bytes JMP 000007ff7e5d2018 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1312] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe5c6484 5 bytes JMP 000007ff7e5d1018 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1312] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefe5c6518 5 bytes JMP 000007ff7e5d3018 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1312] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe5c6c34 5 bytes JMP 000007ff7e5d0018 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1312] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe5c75e8 5 bytes JMP 000007ff7e5d5018 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1312] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe5c790c 5 bytes JMP 000007ff7e5d4018 .text C:\Windows\WindowsMobile\wmdc.exe[376] C:\Windows\system32\kernel32.dll!OpenMutexA 0000000077562ce0 5 bytes JMP 0000000101b95018 .text C:\Windows\WindowsMobile\wmdc.exe[376] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000775723d0 5 bytes JMP 0000000101b96018 .text C:\Windows\WindowsMobile\wmdc.exe[376] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 00000000775e9150 5 bytes JMP 0000000101b97018 .text C:\Windows\WindowsMobile\wmdc.exe[376] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd855440 5 bytes JMP 000007ff7e5d9018 .text C:\Windows\WindowsMobile\wmdc.exe[376] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd8583d0 5 bytes JMP 000007ff7e5d8018 .text C:\Windows\WindowsMobile\wmdc.exe[376] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd858ae0 5 bytes JMP 000007ff7e5d6018 .text C:\Windows\WindowsMobile\wmdc.exe[376] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd85c030 5 bytes JMP 000007ff7e5dd018 .text C:\Windows\WindowsMobile\wmdc.exe[376] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd8629c0 5 bytes JMP 000007ff7e5d7018 .text C:\Windows\WindowsMobile\wmdc.exe[376] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd865340 5 bytes JMP 000007ff7e5da018 .text C:\Windows\WindowsMobile\wmdc.exe[376] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd86aa90 5 bytes JMP 000007ff7e5dc018 .text C:\Windows\WindowsMobile\wmdc.exe[376] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd884320 5 bytes JMP 000007ff7e5db018 .text C:\Windows\WindowsMobile\wmdc.exe[376] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007fefe5c642c 5 bytes JMP 000007ff7e5d2018 .text C:\Windows\WindowsMobile\wmdc.exe[376] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe5c6484 5 bytes JMP 000007ff7e5d1018 .text C:\Windows\WindowsMobile\wmdc.exe[376] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefe5c6518 5 bytes JMP 000007ff7e5d3018 .text C:\Windows\WindowsMobile\wmdc.exe[376] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe5c6c34 5 bytes JMP 000007ff7e5d0018 .text C:\Windows\WindowsMobile\wmdc.exe[376] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe5c75e8 5 bytes JMP 000007ff7e5d5018 .text C:\Windows\WindowsMobile\wmdc.exe[376] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe5c790c 5 bytes JMP 000007ff7e5d4018 .text C:\Windows\SysWOW64\cmd.exe[828] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 000000007797ffcc 5 bytes JMP 000000010029100c .text C:\Windows\SysWOW64\cmd.exe[828] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 00000000779807f4 5 bytes JMP 000000010029000c .text C:\Windows\SysWOW64\cmd.exe[828] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000779808fc 5 bytes JMP 000000010029200c .text C:\Windows\SysWOW64\cmd.exe[828] C:\Windows\syswow64\kernel32.dll!OpenMutexA 000000007697ec57 5 bytes JMP 000000010029c00c .text C:\Windows\SysWOW64\cmd.exe[828] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076983b7a 5 bytes JMP 000000010029e00c .text C:\Windows\SysWOW64\cmd.exe[828] C:\Windows\syswow64\kernel32.dll!CreateDirectoryExW 00000000769d85d9 5 bytes JMP 000000010029f00c .text C:\Windows\SysWOW64\cmd.exe[828] C:\Windows\syswow64\KERNELBASE.dll!GetFileSizeEx 000000007690ce45 5 bytes JMP 00000001002a200c .text C:\Windows\SysWOW64\cmd.exe[828] C:\Windows\syswow64\KERNELBASE.dll!GetFileSize 000000007690dfea 5 bytes JMP 00000001002a100c .text C:\Windows\SysWOW64\cmd.exe[828] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 000000007690ec98 5 bytes JMP 00000001002a300c .text C:\Windows\SysWOW64\cmd.exe[828] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexExW 0000000076910efc 5 bytes JMP 000000010029b00c .text C:\Windows\SysWOW64\cmd.exe[828] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000076911371 5 bytes JMP 000000010029d00c .text C:\Windows\SysWOW64\cmd.exe[828] C:\Windows\syswow64\KERNELBASE.dll!TerminateThread 0000000076913986 5 bytes JMP 00000001002a500c .text C:\Windows\SysWOW64\cmd.exe[828] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx 0000000076913e6b 2 bytes JMP 00000001002a400c .text C:\Windows\SysWOW64\cmd.exe[828] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx + 3 0000000076913e6e 2 bytes [99, 89] .text C:\Windows\SysWOW64\cmd.exe[828] C:\Windows\syswow64\KERNELBASE.dll!CreateDirectoryW 000000007691923e 5 bytes JMP 00000001002a000c .text C:\Windows\SysWOW64\cmd.exe[828] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076ce7603 5 bytes JMP 000000010029400c .text C:\Windows\SysWOW64\cmd.exe[828] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076ce835c 5 bytes JMP 000000010029300c .text C:\Windows\SysWOW64\cmd.exe[828] C:\Windows\SysWOW64\sechost.dll!ControlService 00000000761c4d5c 5 bytes JMP 000000010029700c .text C:\Windows\SysWOW64\cmd.exe[828] C:\Windows\SysWOW64\sechost.dll!CloseServiceHandle 00000000761c4dc3 5 bytes JMP 000000010029800c .text C:\Windows\SysWOW64\cmd.exe[828] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000761c567c 5 bytes JMP 000000010029a00c .text C:\Windows\SysWOW64\cmd.exe[828] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000761c589f 5 bytes JMP 000000010029900c .text C:\Windows\SysWOW64\cmd.exe[828] C:\Windows\SysWOW64\sechost.dll!OpenServiceW 00000000761c714b 5 bytes JMP 000000010029600c .text C:\Windows\SysWOW64\cmd.exe[828] C:\Windows\SysWOW64\sechost.dll!OpenServiceA 00000000761c7245 5 bytes JMP 000000010029500c .text C:\Windows\SysWOW64\cmd.exe[828] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076a61465 2 bytes [A6, 76] .text C:\Windows\SysWOW64\cmd.exe[828] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076a614bb 2 bytes [A6, 76] .text ... * 2 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2340] C:\Windows\system32\kernel32.dll!OpenMutexA 0000000077562ce0 5 bytes JMP 0000000100225018 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2340] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000775723d0 5 bytes JMP 0000000100226018 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2340] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 00000000775e9150 5 bytes JMP 0000000100227018 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2340] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd855440 5 bytes JMP 000007ff7e5d9018 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2340] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd8583d0 5 bytes JMP 000007ff7e5d8018 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2340] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd858ae0 5 bytes JMP 000007ff7e5d6018 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2340] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd85c030 5 bytes JMP 000007ff7e5dd018 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2340] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd8629c0 5 bytes JMP 000007ff7e5d7018 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2340] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd865340 5 bytes JMP 000007ff7e5da018 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2340] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd86aa90 5 bytes JMP 000007ff7e5dc018 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2340] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd884320 5 bytes JMP 000007ff7e5db018 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2340] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007fefe5c642c 5 bytes JMP 000007ff7e5d2018 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2340] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe5c6484 5 bytes JMP 000007ff7e5d1018 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2340] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefe5c6518 5 bytes JMP 000007ff7e5d3018 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2340] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe5c6c34 5 bytes JMP 000007ff7e5d0018 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2340] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe5c75e8 5 bytes JMP 000007ff7e5d5018 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2340] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe5c790c 5 bytes JMP 000007ff7e5d4018 .text C:\Windows\system32\cmd.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000777d17e0 5 bytes JMP 0000000100131018 .text C:\Windows\system32\cmd.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000777d1d30 5 bytes JMP 0000000100130018 .text C:\Windows\system32\cmd.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000777d1de0 5 bytes JMP 0000000100132018 .text C:\Windows\system32\cmd.exe[2412] C:\Windows\system32\kernel32.dll!OpenMutexA 0000000077562ce0 5 bytes JMP 0000000100135018 .text C:\Windows\system32\cmd.exe[2412] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000775723d0 5 bytes JMP 0000000100136018 .text C:\Windows\system32\cmd.exe[2412] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 00000000775e9150 5 bytes JMP 0000000100137018 .text C:\Windows\system32\cmd.exe[2412] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd855440 5 bytes JMP 000007ff7e5d9018 .text C:\Windows\system32\cmd.exe[2412] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd8583d0 5 bytes JMP 000007ff7e5d8018 .text C:\Windows\system32\cmd.exe[2412] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd858ae0 5 bytes JMP 000007ff7e5d6018 .text C:\Windows\system32\cmd.exe[2412] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd85c030 5 bytes JMP 000007ff7e5dd018 .text C:\Windows\system32\cmd.exe[2412] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd8629c0 5 bytes JMP 000007ff7e5d7018 .text C:\Windows\system32\cmd.exe[2412] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd865340 5 bytes JMP 000007ff7e5da018 .text C:\Windows\system32\cmd.exe[2412] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd86aa90 5 bytes JMP 000007ff7e5dc018 .text C:\Windows\system32\cmd.exe[2412] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd884320 5 bytes JMP 000007ff7e5db018 .text C:\Windows\system32\cmd.exe[2412] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007fefe5c642c 5 bytes JMP 000007ff7e5d2018 .text C:\Windows\system32\cmd.exe[2412] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe5c6484 5 bytes JMP 000007ff7e5d1018 .text C:\Windows\system32\cmd.exe[2412] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefe5c6518 5 bytes JMP 000007ff7e5d3018 .text C:\Windows\system32\cmd.exe[2412] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe5c6c34 5 bytes JMP 000007ff7e5d0018 .text C:\Windows\system32\cmd.exe[2412] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe5c75e8 5 bytes JMP 000007ff7e5d5018 .text C:\Windows\system32\cmd.exe[2412] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe5c790c 5 bytes JMP 000007ff7e5d4018 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 000000007797ffcc 5 bytes JMP 00000001005c100c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 00000000779807f4 5 bytes JMP 00000001005c000c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000779808fc 5 bytes JMP 00000001005c200c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2424] C:\Windows\syswow64\kernel32.dll!OpenMutexA 000000007697ec57 5 bytes JMP 00000001005cc00c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2424] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076983b7a 5 bytes JMP 00000001005ce00c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2424] C:\Windows\syswow64\kernel32.dll!CreateDirectoryExW 00000000769d85d9 5 bytes JMP 00000001005cf00c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2424] C:\Windows\syswow64\KERNELBASE.dll!GetFileSizeEx 000000007690ce45 5 bytes JMP 00000001005d200c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2424] C:\Windows\syswow64\KERNELBASE.dll!GetFileSize 000000007690dfea 5 bytes JMP 00000001005d100c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2424] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 000000007690ec98 5 bytes JMP 00000001005d300c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2424] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexExW 0000000076910efc 5 bytes JMP 00000001005cb00c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2424] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000076911371 5 bytes JMP 00000001005cd00c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2424] C:\Windows\syswow64\KERNELBASE.dll!TerminateThread 0000000076913986 5 bytes JMP 00000001005d500c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2424] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx 0000000076913e6b 2 bytes JMP 00000001005d400c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2424] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx + 3 0000000076913e6e 2 bytes [CC, 89] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2424] C:\Windows\syswow64\KERNELBASE.dll!CreateDirectoryW 000000007691923e 5 bytes JMP 00000001005d000c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2424] C:\Windows\SysWOW64\sechost.dll!ControlService 00000000761c4d5c 5 bytes JMP 00000001005c700c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2424] C:\Windows\SysWOW64\sechost.dll!CloseServiceHandle 00000000761c4dc3 5 bytes JMP 00000001005c800c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2424] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000761c567c 5 bytes JMP 00000001005ca00c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2424] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000761c589f 5 bytes JMP 00000001005c900c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2424] C:\Windows\SysWOW64\sechost.dll!OpenServiceW 00000000761c714b 5 bytes JMP 00000001005c600c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2424] C:\Windows\SysWOW64\sechost.dll!OpenServiceA 00000000761c7245 5 bytes JMP 00000001005c500c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2424] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076ce7603 5 bytes JMP 00000001005c400c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2424] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076ce835c 5 bytes JMP 00000001005c300c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2424] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076a61465 2 bytes [A6, 76] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2424] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076a614bb 2 bytes [A6, 76] .text ... * 2 .text C:\Windows\system32\svchost.exe[2872] C:\Windows\system32\kernel32.dll!OpenMutexA 0000000077562ce0 5 bytes JMP 0000000100165018 .text C:\Windows\system32\svchost.exe[2872] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000775723d0 5 bytes JMP 0000000100166018 .text C:\Windows\system32\svchost.exe[2872] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 00000000775e9150 5 bytes JMP 0000000100167018 .text C:\Windows\system32\svchost.exe[2872] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd855440 5 bytes JMP 000007ff7e5d9018 .text C:\Windows\system32\svchost.exe[2872] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd8583d0 5 bytes JMP 000007ff7e5d8018 .text C:\Windows\system32\svchost.exe[2872] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd858ae0 5 bytes JMP 000007ff7e5d6018 .text C:\Windows\system32\svchost.exe[2872] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd85c030 5 bytes JMP 000007ff7e5dd018 .text C:\Windows\system32\svchost.exe[2872] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd8629c0 5 bytes JMP 000007ff7e5d7018 .text C:\Windows\system32\svchost.exe[2872] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd865340 5 bytes JMP 000007ff7e5da018 .text C:\Windows\system32\svchost.exe[2872] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd86aa90 5 bytes JMP 000007ff7e5dc018 .text C:\Windows\system32\svchost.exe[2872] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd884320 5 bytes JMP 000007ff7e5db018 .text C:\Windows\system32\svchost.exe[2872] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007fefe5c642c 5 bytes JMP 000007ff7e5d2018 .text C:\Windows\system32\svchost.exe[2872] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe5c6484 5 bytes JMP 000007ff7e5d1018 .text C:\Windows\system32\svchost.exe[2872] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefe5c6518 5 bytes JMP 000007ff7e5d3018 .text C:\Windows\system32\svchost.exe[2872] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe5c6c34 5 bytes JMP 000007ff7e5d0018 .text C:\Windows\system32\svchost.exe[2872] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe5c75e8 5 bytes JMP 000007ff7e5d5018 .text C:\Windows\system32\svchost.exe[2872] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe5c790c 5 bytes JMP 000007ff7e5d4018 .text C:\Windows\system32\svchost.exe[2600] C:\Windows\system32\kernel32.dll!OpenMutexA 0000000077562ce0 5 bytes JMP 0000000100265018 .text C:\Windows\system32\svchost.exe[2600] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000775723d0 5 bytes JMP 0000000100266018 .text C:\Windows\system32\svchost.exe[2600] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 00000000775e9150 5 bytes JMP 0000000100267018 .text C:\Windows\system32\svchost.exe[2600] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd855440 5 bytes JMP 000007ff7e5d9018 .text C:\Windows\system32\svchost.exe[2600] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd8583d0 5 bytes JMP 000007ff7e5d8018 .text C:\Windows\system32\svchost.exe[2600] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd858ae0 5 bytes JMP 000007ff7e5d6018 .text C:\Windows\system32\svchost.exe[2600] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd85c030 5 bytes JMP 000007ff7e5dd018 .text C:\Windows\system32\svchost.exe[2600] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd8629c0 5 bytes JMP 000007ff7e5d7018 .text C:\Windows\system32\svchost.exe[2600] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd865340 5 bytes JMP 000007ff7e5da018 .text C:\Windows\system32\svchost.exe[2600] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd86aa90 5 bytes JMP 000007ff7e5dc018 .text C:\Windows\system32\svchost.exe[2600] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd884320 5 bytes JMP 000007ff7e5db018 .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007fefe5c642c 5 bytes JMP 000007ff7e5d2018 .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe5c6484 5 bytes JMP 000007ff7e5d1018 .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefe5c6518 5 bytes JMP 000007ff7e5d3018 .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe5c6c34 5 bytes JMP 000007ff7e5d0018 .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe5c75e8 5 bytes JMP 000007ff7e5d5018 .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe5c790c 5 bytes JMP 000007ff7e5d4018 .text C:\Windows\system32\svchost.exe[2620] C:\Windows\system32\kernel32.dll!OpenMutexA 0000000077562ce0 5 bytes JMP 0000000100115018 .text C:\Windows\system32\svchost.exe[2620] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000775723d0 5 bytes JMP 0000000100116018 .text C:\Windows\system32\svchost.exe[2620] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 00000000775e9150 5 bytes JMP 0000000100117018 .text C:\Windows\system32\svchost.exe[2620] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd855440 5 bytes JMP 000007ff7e5d9018 .text C:\Windows\system32\svchost.exe[2620] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd8583d0 5 bytes JMP 000007ff7e5d8018 .text C:\Windows\system32\svchost.exe[2620] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd858ae0 5 bytes JMP 000007ff7e5d6018 .text C:\Windows\system32\svchost.exe[2620] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd85c030 5 bytes JMP 000007ff7e5dd018 .text C:\Windows\system32\svchost.exe[2620] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd8629c0 5 bytes JMP 000007ff7e5d7018 .text C:\Windows\system32\svchost.exe[2620] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd865340 5 bytes JMP 000007ff7e5da018 .text C:\Windows\system32\svchost.exe[2620] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd86aa90 5 bytes JMP 000007ff7e5dc018 .text C:\Windows\system32\svchost.exe[2620] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd884320 5 bytes JMP 000007ff7e5db018 .text C:\Windows\system32\svchost.exe[2620] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007fefe5c642c 5 bytes JMP 000007ff7e5d2018 .text C:\Windows\system32\svchost.exe[2620] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe5c6484 5 bytes JMP 000007ff7e5d1018 .text C:\Windows\system32\svchost.exe[2620] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefe5c6518 5 bytes JMP 000007ff7e5d3018 .text C:\Windows\system32\svchost.exe[2620] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe5c6c34 5 bytes JMP 000007ff7e5d0018 .text C:\Windows\system32\svchost.exe[2620] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe5c75e8 5 bytes JMP 000007ff7e5d5018 .text C:\Windows\system32\svchost.exe[2620] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe5c790c 5 bytes JMP 000007ff7e5d4018 .text C:\Program Files (x86)\PANDORA.TV\PanService\PanProcess.exe[2292] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076a61465 2 bytes [A6, 76] .text C:\Program Files (x86)\PANDORA.TV\PanService\PanProcess.exe[2292] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076a614bb 2 bytes [A6, 76] .text ... * 2 .text C:\Windows\system32\AUDIODG.EXE[1992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000777d17e0 5 bytes JMP 00000001000f1018 .text C:\Windows\system32\AUDIODG.EXE[1992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000777d1d30 5 bytes JMP 00000001000f0018 .text C:\Windows\system32\AUDIODG.EXE[1992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000777d1de0 5 bytes JMP 00000001000f2018 .text C:\Windows\system32\AUDIODG.EXE[1992] C:\Windows\system32\kernel32.dll!OpenMutexA 0000000077562ce0 5 bytes JMP 00000001000f5018 .text C:\Windows\system32\AUDIODG.EXE[1992] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000775723d0 5 bytes JMP 00000001000f6018 .text C:\Windows\system32\AUDIODG.EXE[1992] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 00000000775e9150 5 bytes JMP 00000001000f7018 .text C:\Windows\system32\AUDIODG.EXE[1992] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd855440 5 bytes JMP 000007ff7e5d9018 .text C:\Windows\system32\AUDIODG.EXE[1992] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd8583d0 5 bytes JMP 000007ff7e5d8018 .text C:\Windows\system32\AUDIODG.EXE[1992] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd858ae0 5 bytes JMP 000007ff7e5d6018 .text C:\Windows\system32\AUDIODG.EXE[1992] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd85c030 5 bytes JMP 000007ff7e5dd018 .text C:\Windows\system32\AUDIODG.EXE[1992] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd8629c0 5 bytes JMP 000007ff7e5d7018 .text C:\Windows\system32\AUDIODG.EXE[1992] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd865340 5 bytes JMP 000007ff7e5da018 .text C:\Windows\system32\AUDIODG.EXE[1992] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd86aa90 5 bytes JMP 000007ff7e5dc018 .text C:\Windows\system32\AUDIODG.EXE[1992] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd884320 5 bytes JMP 000007ff7e5db018 .text C:\Windows\system32\AUDIODG.EXE[1992] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007fefe5c642c 5 bytes JMP 000007ff7e5d2018 .text C:\Windows\system32\AUDIODG.EXE[1992] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe5c6484 5 bytes JMP 000007ff7e5d1018 .text C:\Windows\system32\AUDIODG.EXE[1992] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefe5c6518 5 bytes JMP 000007ff7e5d3018 .text C:\Windows\system32\AUDIODG.EXE[1992] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe5c6c34 5 bytes JMP 000007ff7e5d0018 .text C:\Windows\system32\AUDIODG.EXE[1992] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe5c75e8 5 bytes JMP 000007ff7e5d5018 .text C:\Windows\system32\AUDIODG.EXE[1992] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe5c790c 5 bytes JMP 000007ff7e5d4018 .text G:\6.PROGRAMY\ODZYSKIWANIE-RECOVERY\xto3i9ef.exe[1428] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 000000007797ffcc 5 bytes JMP 000000010002100c .text G:\6.PROGRAMY\ODZYSKIWANIE-RECOVERY\xto3i9ef.exe[1428] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 00000000779807f4 5 bytes JMP 000000010002000c .text G:\6.PROGRAMY\ODZYSKIWANIE-RECOVERY\xto3i9ef.exe[1428] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000779808fc 5 bytes JMP 000000010002200c .text G:\6.PROGRAMY\ODZYSKIWANIE-RECOVERY\xto3i9ef.exe[1428] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076a61465 2 bytes [A6, 76] .text G:\6.PROGRAMY\ODZYSKIWANIE-RECOVERY\xto3i9ef.exe[1428] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076a614bb 2 bytes [A6, 76] .text ... * 2 ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----