GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2014-04-26 14:33:50 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Hitachi_HTS543232A7A384 rev.ES2OA60W 298,09GB Running: m57g1hli.exe; Driver: C:\Users\ASUS\AppData\Local\Temp\aftcqaoc.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff80002fb2000 16 bytes [8B, E3, 41, 5F, 41, 5E, 41, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 545 fffff80002fb2011 35 bytes {LEA ECX, [RSP+0x70]; CALL 0x3d64f} ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\winlogon.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077b71780 5 bytes JMP 0000000100271018 .text C:\Windows\system32\winlogon.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077b71cd0 5 bytes JMP 0000000100270018 .text C:\Windows\system32\winlogon.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077b71d80 5 bytes JMP 0000000100272018 .text C:\Windows\system32\winlogon.exe[604] C:\Windows\system32\kernel32.dll!OpenMutexA 00000000779027e0 5 bytes JMP 0000000100275018 .text C:\Windows\system32\winlogon.exe[604] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077911890 5 bytes JMP 0000000100276018 .text C:\Windows\system32\winlogon.exe[604] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 0000000077989090 5 bytes JMP 0000000100277018 .text C:\Windows\system32\winlogon.exe[604] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd9e5140 5 bytes JMP 000007ff7fb89018 .text C:\Windows\system32\winlogon.exe[604] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd9e8100 5 bytes JMP 000007ff7fb88018 .text C:\Windows\system32\winlogon.exe[604] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd9e9420 5 bytes JMP 000007ff7fb86018 .text C:\Windows\system32\winlogon.exe[604] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd9e9d80 5 bytes JMP 000007ff7fb8c018 .text C:\Windows\system32\winlogon.exe[604] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd9ec450 5 bytes JMP 000007ff7fb8d018 .text C:\Windows\system32\winlogon.exe[604] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd9f2af0 5 bytes JMP 000007ff7fb87018 .text C:\Windows\system32\winlogon.exe[604] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd9f5470 5 bytes JMP 000007ff7fb8a018 .text C:\Windows\system32\winlogon.exe[604] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefda14350 5 bytes JMP 000007ff7fb8b018 .text C:\Windows\system32\winlogon.exe[604] C:\Windows\system32\USER32.dll!SetWindowsHookExW 0000000077a2f874 5 bytes JMP 0000000100274018 .text C:\Windows\system32\winlogon.exe[604] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000077a48c20 5 bytes JMP 0000000100273018 .text C:\Windows\system32\winlogon.exe[604] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007feffb7642c 5 bytes JMP 000007ff7fb82018 .text C:\Windows\system32\winlogon.exe[604] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007feffb76484 5 bytes JMP 000007ff7fb81018 .text C:\Windows\system32\winlogon.exe[604] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007feffb76518 5 bytes JMP 000007ff7fb83018 .text C:\Windows\system32\winlogon.exe[604] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007feffb76c34 5 bytes JMP 000007ff7fb80018 .text C:\Windows\system32\winlogon.exe[604] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffb775e8 5 bytes JMP 000007ff7fb85018 .text C:\Windows\system32\winlogon.exe[604] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffb7790c 5 bytes JMP 000007ff7fb84018 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077b71780 5 bytes JMP 0000000100271018 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077b71cd0 5 bytes JMP 0000000100270018 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077b71d80 5 bytes JMP 0000000100272018 .text C:\Windows\system32\lsm.exe[648] C:\Windows\system32\kernel32.dll!OpenMutexA 00000000779027e0 5 bytes JMP 0000000100273018 .text C:\Windows\system32\lsm.exe[648] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077911890 5 bytes JMP 0000000100274018 .text C:\Windows\system32\lsm.exe[648] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 0000000077989090 5 bytes JMP 0000000100275018 .text C:\Windows\system32\lsm.exe[648] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd9e5140 5 bytes JMP 000007ff7fb89018 .text C:\Windows\system32\lsm.exe[648] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd9e8100 5 bytes JMP 000007ff7fb88018 .text C:\Windows\system32\lsm.exe[648] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd9e9420 5 bytes JMP 000007ff7fb86018 .text C:\Windows\system32\lsm.exe[648] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd9e9d80 5 bytes JMP 000007ff7fb8c018 .text C:\Windows\system32\lsm.exe[648] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd9ec450 5 bytes JMP 000007ff7fb8d018 .text C:\Windows\system32\lsm.exe[648] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd9f2af0 5 bytes JMP 000007ff7fb87018 .text C:\Windows\system32\lsm.exe[648] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd9f5470 5 bytes JMP 000007ff7fb8a018 .text C:\Windows\system32\lsm.exe[648] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefda14350 5 bytes JMP 000007ff7fb8b018 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007feffb7642c 5 bytes JMP 000007ff7fb82018 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007feffb76484 5 bytes JMP 000007ff7fb81018 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007feffb76518 5 bytes JMP 000007ff7fb83018 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007feffb76c34 5 bytes JMP 000007ff7fb80018 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffb775e8 5 bytes JMP 000007ff7fb85018 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffb7790c 5 bytes JMP 000007ff7fb84018 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077b71780 5 bytes JMP 0000000100301018 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077b71cd0 5 bytes JMP 0000000100300018 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077b71d80 5 bytes JMP 0000000100302018 .text C:\Windows\system32\svchost.exe[752] C:\Windows\system32\kernel32.dll!OpenMutexA 00000000779027e0 5 bytes JMP 0000000100305018 .text C:\Windows\system32\svchost.exe[752] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077911890 5 bytes JMP 0000000100306018 .text C:\Windows\system32\svchost.exe[752] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 0000000077989090 5 bytes JMP 0000000100307018 .text C:\Windows\system32\svchost.exe[752] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd9e5140 5 bytes JMP 000007ff7fb89018 .text C:\Windows\system32\svchost.exe[752] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd9e8100 5 bytes JMP 000007ff7fb88018 .text C:\Windows\system32\svchost.exe[752] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd9e9420 5 bytes JMP 000007ff7fb86018 .text C:\Windows\system32\svchost.exe[752] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd9e9d80 5 bytes JMP 000007ff7fb8c018 .text C:\Windows\system32\svchost.exe[752] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd9ec450 5 bytes JMP 000007ff7fb8d018 .text C:\Windows\system32\svchost.exe[752] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd9f2af0 5 bytes JMP 000007ff7fb87018 .text C:\Windows\system32\svchost.exe[752] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd9f5470 5 bytes JMP 000007ff7fb8a018 .text C:\Windows\system32\svchost.exe[752] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefda14350 5 bytes JMP 000007ff7fb8b018 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007feffb7642c 5 bytes JMP 000007ff7fb82018 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007feffb76484 5 bytes JMP 000007ff7fb81018 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007feffb76518 5 bytes JMP 000007ff7fb83018 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007feffb76c34 5 bytes JMP 000007ff7fb80018 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffb775e8 5 bytes JMP 000007ff7fb85018 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffb7790c 5 bytes JMP 000007ff7fb84018 .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077b71780 5 bytes JMP 00000001002c1018 .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077b71cd0 5 bytes JMP 00000001002c0018 .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077b71d80 5 bytes JMP 00000001002c2018 .text C:\Windows\system32\svchost.exe[836] C:\Windows\system32\kernel32.dll!OpenMutexA 00000000779027e0 5 bytes JMP 00000001002c5018 .text C:\Windows\system32\svchost.exe[836] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077911890 5 bytes JMP 00000001002c6018 .text C:\Windows\system32\svchost.exe[836] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 0000000077989090 5 bytes JMP 00000001002c7018 .text C:\Windows\system32\svchost.exe[836] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd9e5140 5 bytes JMP 000007ff7fb89018 .text C:\Windows\system32\svchost.exe[836] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd9e8100 5 bytes JMP 000007ff7fb88018 .text C:\Windows\system32\svchost.exe[836] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd9e9420 5 bytes JMP 000007ff7fb86018 .text C:\Windows\system32\svchost.exe[836] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd9e9d80 5 bytes JMP 000007ff7fb8c018 .text C:\Windows\system32\svchost.exe[836] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd9ec450 5 bytes JMP 000007ff7fb8d018 .text C:\Windows\system32\svchost.exe[836] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd9f2af0 5 bytes JMP 000007ff7fb87018 .text C:\Windows\system32\svchost.exe[836] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd9f5470 5 bytes JMP 000007ff7fb8a018 .text C:\Windows\system32\svchost.exe[836] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefda14350 5 bytes JMP 000007ff7fb8b018 .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007feffb7642c 5 bytes JMP 000007ff7fb82018 .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007feffb76484 5 bytes JMP 000007ff7fb81018 .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007feffb76518 5 bytes JMP 000007ff7fb83018 .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007feffb76c34 5 bytes JMP 000007ff7fb80018 .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffb775e8 5 bytes JMP 000007ff7fb85018 .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffb7790c 5 bytes JMP 000007ff7fb84018 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077b71780 5 bytes JMP 0000000100d21018 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077b71cd0 5 bytes JMP 0000000100d20018 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077b71d80 5 bytes JMP 0000000100d22018 .text C:\Windows\System32\svchost.exe[948] C:\Windows\system32\kernel32.dll!OpenMutexA 00000000779027e0 5 bytes JMP 0000000100d25018 .text C:\Windows\System32\svchost.exe[948] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077911890 5 bytes JMP 0000000100d26018 .text C:\Windows\System32\svchost.exe[948] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 0000000077989090 4 bytes JMP 0000000100d27018 .text C:\Windows\System32\svchost.exe[948] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd9e5140 5 bytes JMP 000007ff7fb89018 .text C:\Windows\System32\svchost.exe[948] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd9e8100 5 bytes JMP 000007ff7fb88018 .text C:\Windows\System32\svchost.exe[948] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd9e9420 5 bytes JMP 000007ff7fb86018 .text C:\Windows\System32\svchost.exe[948] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd9e9d80 5 bytes JMP 000007ff7fb8c018 .text C:\Windows\System32\svchost.exe[948] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd9ec450 5 bytes JMP 000007ff7fb8d018 .text C:\Windows\System32\svchost.exe[948] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd9f2af0 5 bytes JMP 000007ff7fb87018 .text C:\Windows\System32\svchost.exe[948] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd9f5470 5 bytes JMP 000007ff7fb8a018 .text C:\Windows\System32\svchost.exe[948] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefda14350 5 bytes JMP 000007ff7fb8b018 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007feffb7642c 5 bytes JMP 000007ff7fb82018 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007feffb76484 5 bytes JMP 000007ff7fb81018 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007feffb76518 5 bytes JMP 000007ff7fb83018 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007feffb76c34 5 bytes JMP 000007ff7fb80018 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffb775e8 5 bytes JMP 000007ff7fb85018 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffb7790c 5 bytes JMP 000007ff7fb84018 .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077b71780 5 bytes JMP 0000000100e31018 .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077b71cd0 5 bytes JMP 0000000100e30018 .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077b71d80 5 bytes JMP 0000000100e32018 .text C:\Windows\System32\svchost.exe[1004] C:\Windows\system32\kernel32.dll!OpenMutexA 00000000779027e0 5 bytes JMP 0000000100e35018 .text C:\Windows\System32\svchost.exe[1004] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077911890 5 bytes JMP 0000000100e36018 .text C:\Windows\System32\svchost.exe[1004] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 0000000077989090 4 bytes JMP 0000000100e37018 .text C:\Windows\System32\svchost.exe[1004] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd9e5140 5 bytes JMP 000007ff7fb89018 .text C:\Windows\System32\svchost.exe[1004] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd9e8100 5 bytes JMP 000007ff7fb88018 .text C:\Windows\System32\svchost.exe[1004] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd9e9420 5 bytes JMP 000007ff7fb86018 .text C:\Windows\System32\svchost.exe[1004] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd9e9d80 5 bytes JMP 000007ff7fb8c018 .text C:\Windows\System32\svchost.exe[1004] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd9ec450 5 bytes JMP 000007ff7fb8d018 .text C:\Windows\System32\svchost.exe[1004] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd9f2af0 5 bytes JMP 000007ff7fb87018 .text C:\Windows\System32\svchost.exe[1004] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd9f5470 5 bytes JMP 000007ff7fb8a018 .text C:\Windows\System32\svchost.exe[1004] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefda14350 5 bytes JMP 000007ff7fb8b018 .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007feffb7642c 5 bytes JMP 000007ff7fb82018 .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007feffb76484 5 bytes JMP 000007ff7fb81018 .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007feffb76518 5 bytes JMP 000007ff7fb83018 .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007feffb76c34 5 bytes JMP 000007ff7fb80018 .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffb775e8 5 bytes JMP 000007ff7fb85018 .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffb7790c 5 bytes JMP 000007ff7fb84018 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077b71780 5 bytes JMP 0000000100b51018 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077b71cd0 5 bytes JMP 0000000100b50018 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077b71d80 5 bytes JMP 0000000100b52018 .text C:\Windows\system32\svchost.exe[124] C:\Windows\system32\kernel32.dll!OpenMutexA 00000000779027e0 5 bytes JMP 0000000100b55018 .text C:\Windows\system32\svchost.exe[124] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077911890 3 bytes JMP 0000000100b56018 .text C:\Windows\system32\svchost.exe[124] C:\Windows\system32\kernel32.dll!CopyFileExW + 4 0000000077911894 1 byte [89] .text C:\Windows\system32\svchost.exe[124] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 0000000077989090 4 bytes JMP 0000000100b57018 .text C:\Windows\system32\svchost.exe[124] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd9e5140 5 bytes JMP 000007ff7fb89018 .text C:\Windows\system32\svchost.exe[124] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd9e8100 5 bytes JMP 000007ff7fb88018 .text C:\Windows\system32\svchost.exe[124] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd9e9420 5 bytes JMP 000007ff7fb86018 .text C:\Windows\system32\svchost.exe[124] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd9e9d80 5 bytes JMP 000007ff7fb8c018 .text C:\Windows\system32\svchost.exe[124] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd9ec450 5 bytes JMP 000007ff7fb8d018 .text C:\Windows\system32\svchost.exe[124] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd9f2af0 5 bytes JMP 000007ff7fb87018 .text C:\Windows\system32\svchost.exe[124] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd9f5470 5 bytes JMP 000007ff7fb8a018 .text C:\Windows\system32\svchost.exe[124] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefda14350 5 bytes JMP 000007ff7fb8b018 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007feffb7642c 5 bytes JMP 000007ff7fb82018 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007feffb76484 5 bytes JMP 000007ff7fb81018 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007feffb76518 5 bytes JMP 000007ff7fb83018 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007feffb76c34 5 bytes JMP 000007ff7fb80018 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffb775e8 5 bytes JMP 000007ff7fb85018 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffb7790c 5 bytes JMP 000007ff7fb84018 .text C:\Windows\system32\svchost.exe[324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077b71780 5 bytes JMP 0000000100d61018 .text C:\Windows\system32\svchost.exe[324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077b71cd0 5 bytes JMP 0000000100d60018 .text C:\Windows\system32\svchost.exe[324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077b71d80 5 bytes JMP 0000000100d62018 .text C:\Windows\system32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077b71780 5 bytes JMP 0000000100c01018 .text C:\Windows\system32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077b71cd0 5 bytes JMP 0000000100c00018 .text C:\Windows\system32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077b71d80 5 bytes JMP 0000000100c02018 .text C:\Windows\system32\WLANExt.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077b71780 5 bytes JMP 0000000100481018 .text C:\Windows\system32\WLANExt.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077b71cd0 5 bytes JMP 0000000100480018 .text C:\Windows\system32\WLANExt.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077b71d80 5 bytes JMP 0000000100482018 .text C:\Windows\system32\WLANExt.exe[1032] C:\Windows\system32\kernel32.dll!OpenMutexA 00000000779027e0 5 bytes JMP 0000000100485018 .text C:\Windows\system32\WLANExt.exe[1032] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077911890 5 bytes JMP 0000000100486018 .text C:\Windows\system32\WLANExt.exe[1032] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 0000000077989090 5 bytes JMP 0000000100487018 .text C:\Windows\system32\WLANExt.exe[1032] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd9e5140 5 bytes JMP 000007ff7fb89018 .text C:\Windows\system32\WLANExt.exe[1032] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd9e8100 5 bytes JMP 000007ff7fb88018 .text C:\Windows\system32\WLANExt.exe[1032] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd9e9420 5 bytes JMP 000007ff7fb86018 .text C:\Windows\system32\WLANExt.exe[1032] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd9e9d80 5 bytes JMP 000007ff7fb8c018 .text C:\Windows\system32\WLANExt.exe[1032] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd9ec450 5 bytes JMP 000007ff7fb8d018 .text C:\Windows\system32\WLANExt.exe[1032] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd9f2af0 5 bytes JMP 000007ff7fb87018 .text C:\Windows\system32\WLANExt.exe[1032] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd9f5470 5 bytes JMP 000007ff7fb8a018 .text C:\Windows\system32\WLANExt.exe[1032] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefda14350 5 bytes JMP 000007ff7fb8b018 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1040] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077d1ffec 5 bytes JMP 000000010034100c .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1040] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077d20814 5 bytes JMP 000000010034000c .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1040] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077d2091c 5 bytes JMP 000000010034200c .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1040] C:\Windows\syswow64\kernel32.dll!OpenMutexA 00000000772dec3f 5 bytes JMP 000000010034c00c .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1040] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000772e3b62 5 bytes JMP 000000010034e00c .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1040] C:\Windows\syswow64\kernel32.dll!CreateDirectoryExW 00000000773389d1 5 bytes JMP 000000010034f00c .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1040] C:\Windows\syswow64\KERNELBASE.dll!GetFileSizeEx 00000000775ace45 5 bytes JMP 00000001003e200c .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1040] C:\Windows\syswow64\KERNELBASE.dll!GetFileSize 00000000775adfea 5 bytes JMP 00000001003e100c .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1040] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 00000000775aec98 5 bytes JMP 00000001003e300c .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1040] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexExW 00000000775b0efc 5 bytes JMP 000000010034b00c .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1040] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 00000000775b1371 5 bytes JMP 000000010034d00c .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1040] C:\Windows\syswow64\KERNELBASE.dll!TerminateThread 00000000775b3986 5 bytes JMP 00000001003e500c .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1040] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx 00000000775b3e6b 2 bytes JMP 00000001003e400c .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1040] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx + 3 00000000775b3e6e 2 bytes [E3, 88] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1040] C:\Windows\syswow64\KERNELBASE.dll!CreateDirectoryW 00000000775b923e 5 bytes JMP 00000001003e000c .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1040] C:\Windows\SysWOW64\sechost.dll!ControlService 0000000076cd4d5c 5 bytes JMP 000000010034700c .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1040] C:\Windows\SysWOW64\sechost.dll!CloseServiceHandle 0000000076cd4dc3 5 bytes JMP 000000010034800c .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1040] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000076cd567c 5 bytes JMP 000000010034a00c .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1040] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000076cd589f 5 bytes JMP 000000010034900c .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1040] C:\Windows\SysWOW64\sechost.dll!OpenServiceW 0000000076cd714b 5 bytes JMP 000000010034600c .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1040] C:\Windows\SysWOW64\sechost.dll!OpenServiceA 0000000076cd7245 5 bytes JMP 000000010034500c .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1040] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076747603 5 bytes JMP 000000010034400c .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1040] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007674835c 5 bytes JMP 000000010034300c .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1140] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077d1ffec 5 bytes JMP 000000010003100c .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1140] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077d20814 5 bytes JMP 000000010003000c .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1140] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077d2091c 5 bytes JMP 000000010003200c .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1140] C:\Windows\syswow64\kernel32.dll!OpenMutexA 00000000772dec3f 5 bytes JMP 000000010003a00c .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1140] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000772e3b62 5 bytes JMP 000000010003c00c .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1140] C:\Windows\syswow64\kernel32.dll!CreateDirectoryExW 00000000773389d1 5 bytes JMP 000000010003d00c .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077b71780 5 bytes JMP 0000000100c61018 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077b71cd0 5 bytes JMP 0000000100c60018 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077b71d80 5 bytes JMP 0000000100c62018 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077d1ffec 5 bytes JMP 00000001001a100c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077d20814 5 bytes JMP 00000001001a000c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077d2091c 5 bytes JMP 00000001001a200c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1472] C:\Windows\syswow64\kernel32.dll!OpenMutexA 00000000772dec3f 5 bytes JMP 00000001001ac00c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1472] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000772e3b62 5 bytes JMP 00000001001ae00c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1472] C:\Windows\syswow64\kernel32.dll!CreateDirectoryExW 00000000773389d1 5 bytes JMP 00000001001af00c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1472] C:\Windows\syswow64\KERNELBASE.dll!GetFileSizeEx 00000000775ace45 5 bytes JMP 000000010032200c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1472] C:\Windows\syswow64\KERNELBASE.dll!GetFileSize 00000000775adfea 5 bytes JMP 000000010032100c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1472] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 00000000775aec98 5 bytes JMP 000000010032300c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1472] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexExW 00000000775b0efc 5 bytes JMP 00000001001ab00c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1472] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 00000000775b1371 5 bytes JMP 00000001001ad00c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1472] C:\Windows\syswow64\KERNELBASE.dll!TerminateThread 00000000775b3986 5 bytes JMP 000000010032500c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1472] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx 00000000775b3e6b 2 bytes JMP 000000010032400c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1472] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx + 3 00000000775b3e6e 2 bytes [D7, 88] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1472] C:\Windows\syswow64\KERNELBASE.dll!CreateDirectoryW 00000000775b923e 5 bytes JMP 000000010032000c .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[1552] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077d1ffec 5 bytes JMP 00000001004b100c .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[1552] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077d20814 5 bytes JMP 00000001004b000c .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[1552] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077d2091c 5 bytes JMP 00000001004b200c .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[1552] C:\Windows\syswow64\kernel32.dll!OpenMutexA 00000000772dec3f 5 bytes JMP 00000001004bc00c .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[1552] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000772e3b62 5 bytes JMP 00000001004be00c .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[1552] C:\Windows\syswow64\kernel32.dll!CreateDirectoryExW 00000000773389d1 5 bytes JMP 00000001004bf00c .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[1552] C:\Windows\syswow64\KERNELBASE.dll!GetFileSizeEx 00000000775ace45 5 bytes JMP 000000010064200c .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[1552] C:\Windows\syswow64\KERNELBASE.dll!GetFileSize 00000000775adfea 5 bytes JMP 000000010064100c .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[1552] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 00000000775aec98 5 bytes JMP 000000010064300c .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[1552] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexExW 00000000775b0efc 5 bytes JMP 00000001004bb00c .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[1552] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 00000000775b1371 5 bytes JMP 00000001004bd00c .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[1552] C:\Windows\syswow64\KERNELBASE.dll!TerminateThread 00000000775b3986 5 bytes JMP 000000010064500c .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[1552] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx 00000000775b3e6b 2 bytes JMP 000000010064400c .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[1552] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx + 3 00000000775b3e6e 2 bytes [09, 89] .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[1552] C:\Windows\syswow64\KERNELBASE.dll!CreateDirectoryW 00000000775b923e 5 bytes JMP 000000010064000c .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[1552] C:\Windows\SysWOW64\sechost.dll!ControlService 0000000076cd4d5c 5 bytes JMP 00000001004b700c .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[1552] C:\Windows\SysWOW64\sechost.dll!CloseServiceHandle 0000000076cd4dc3 5 bytes JMP 00000001004b800c .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[1552] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000076cd567c 5 bytes JMP 00000001004ba00c .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[1552] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000076cd589f 5 bytes JMP 00000001004b900c .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[1552] C:\Windows\SysWOW64\sechost.dll!OpenServiceW 0000000076cd714b 5 bytes JMP 00000001004b600c .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[1552] C:\Windows\SysWOW64\sechost.dll!OpenServiceA 0000000076cd7245 5 bytes JMP 00000001004b500c .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077b71780 5 bytes JMP 00000001001e1018 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077b71cd0 5 bytes JMP 00000001001e0018 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077b71d80 5 bytes JMP 00000001001e2018 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1604] C:\Windows\system32\kernel32.dll!OpenMutexA 00000000779027e0 5 bytes JMP 00000001001e5018 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1604] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077911890 5 bytes JMP 00000001001e6018 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1604] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 0000000077989090 5 bytes JMP 00000001001e7018 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1604] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd9e5140 5 bytes JMP 000007ff7fb89018 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1604] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd9e8100 5 bytes JMP 000007ff7fb88018 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1604] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd9e9420 5 bytes JMP 000007ff7fb86018 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1604] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd9e9d80 5 bytes JMP 000007ff7fb8c018 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1604] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd9ec450 5 bytes JMP 000007ff7fb8d018 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1604] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd9f2af0 5 bytes JMP 000007ff7fb87018 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1604] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd9f5470 5 bytes JMP 000007ff7fb8a018 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1604] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefda14350 5 bytes JMP 000007ff7fb8b018 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1604] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007feffb7642c 5 bytes JMP 000007ff7fb82018 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1604] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007feffb76484 5 bytes JMP 000007ff7fb81018 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1604] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007feffb76518 5 bytes JMP 000007ff7fb83018 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1604] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007feffb76c34 5 bytes JMP 000007ff7fb80018 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1604] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffb775e8 5 bytes JMP 000007ff7fb85018 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1604] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffb7790c 5 bytes JMP 000007ff7fb84018 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[1644] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077d1ffec 5 bytes JMP 000000010076100c .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[1644] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077d20814 5 bytes JMP 000000010076000c .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[1644] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077d2091c 5 bytes JMP 000000010076200c .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[1644] C:\Windows\syswow64\kernel32.dll!OpenMutexA 00000000772dec3f 5 bytes JMP 000000010076c00c .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[1644] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000772e3b62 5 bytes JMP 000000010076e00c .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[1644] C:\Windows\syswow64\kernel32.dll!CreateDirectoryExW 00000000773389d1 5 bytes JMP 000000010076f00c .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[1644] C:\Windows\syswow64\KERNELBASE.dll!GetFileSizeEx 00000000775ace45 5 bytes JMP 000000010077200c .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[1644] C:\Windows\syswow64\KERNELBASE.dll!GetFileSize 00000000775adfea 5 bytes JMP 000000010077100c .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[1644] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 00000000775aec98 5 bytes JMP 000000010077300c .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[1644] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexExW 00000000775b0efc 5 bytes JMP 000000010076b00c .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[1644] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 00000000775b1371 5 bytes JMP 000000010076d00c .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[1644] C:\Windows\syswow64\KERNELBASE.dll!TerminateThread 00000000775b3986 5 bytes JMP 000000010077500c .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[1644] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx 00000000775b3e6b 2 bytes JMP 000000010077400c .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[1644] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx + 3 00000000775b3e6e 2 bytes [1C, 89] .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[1644] C:\Windows\syswow64\KERNELBASE.dll!CreateDirectoryW 00000000775b923e 5 bytes JMP 000000010077000c .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[1644] C:\Windows\SysWOW64\sechost.dll!ControlService 0000000076cd4d5c 5 bytes JMP 000000010076700c .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[1644] C:\Windows\SysWOW64\sechost.dll!CloseServiceHandle 0000000076cd4dc3 5 bytes JMP 000000010076800c .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[1644] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000076cd567c 5 bytes JMP 000000010076a00c .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[1644] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000076cd589f 5 bytes JMP 000000010076900c .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[1644] C:\Windows\SysWOW64\sechost.dll!OpenServiceW 0000000076cd714b 5 bytes JMP 000000010076600c .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[1644] C:\Windows\SysWOW64\sechost.dll!OpenServiceA 0000000076cd7245 5 bytes JMP 000000010076500c .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[1644] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076747603 5 bytes JMP 000000010076400c .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[1644] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007674835c 5 bytes JMP 000000010076300c .text C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077b71780 5 bytes JMP 0000000100131018 .text C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077b71cd0 5 bytes JMP 0000000100130018 .text C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077b71d80 5 bytes JMP 0000000100132018 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077b71780 5 bytes JMP 0000000100b71018 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077b71cd0 5 bytes JMP 0000000100b70018 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077b71d80 5 bytes JMP 0000000100b72018 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1736] C:\Windows\system32\kernel32.dll!OpenMutexA 00000000779027e0 5 bytes JMP 0000000100b75018 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1736] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077911890 5 bytes JMP 0000000100b76018 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1736] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 0000000077989090 4 bytes JMP 0000000100b77018 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1736] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd9e5140 5 bytes JMP 000007ff7fb89018 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1736] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd9e8100 5 bytes JMP 000007ff7fb88018 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1736] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd9e9420 5 bytes JMP 000007ff7fb86018 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1736] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd9e9d80 5 bytes JMP 000007ff7fb8c018 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1736] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd9ec450 5 bytes JMP 000007ff7fb8d018 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1736] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd9f2af0 5 bytes JMP 000007ff7fb87018 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1736] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd9f5470 5 bytes JMP 000007ff7fb8a018 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1736] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefda14350 5 bytes JMP 000007ff7fb8b018 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1736] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007feffb7642c 5 bytes JMP 000007ff7fb82018 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1736] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007feffb76484 5 bytes JMP 000007ff7fb81018 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1736] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007feffb76518 5 bytes JMP 000007ff7fb83018 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1736] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007feffb76c34 5 bytes JMP 000007ff7fb80018 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1736] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffb775e8 5 bytes JMP 000007ff7fb85018 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1736] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffb7790c 5 bytes JMP 000007ff7fb84018 .text C:\Program Files (x86)\PANDORA.TV\PanService\PandoraService.exe[1968] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077d1ffec 5 bytes JMP 0000000102f9100c .text C:\Program Files (x86)\PANDORA.TV\PanService\PandoraService.exe[1968] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077d20814 5 bytes JMP 0000000102f9000c .text C:\Program Files (x86)\PANDORA.TV\PanService\PandoraService.exe[1968] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077d2091c 5 bytes JMP 0000000102f9200c .text C:\Program Files (x86)\PANDORA.TV\PanService\PandoraService.exe[1968] C:\Windows\syswow64\kernel32.dll!OpenMutexA 00000000772dec3f 5 bytes JMP 0000000102f9c00c .text C:\Program Files (x86)\PANDORA.TV\PanService\PandoraService.exe[1968] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000772e3b62 5 bytes JMP 0000000102f9e00c .text C:\Program Files (x86)\PANDORA.TV\PanService\PandoraService.exe[1968] C:\Windows\syswow64\kernel32.dll!CreateDirectoryExW 00000000773389d1 5 bytes JMP 0000000102f9f00c .text C:\Program Files (x86)\PANDORA.TV\PanService\PandoraService.exe[1968] C:\Windows\syswow64\KERNELBASE.dll!GetFileSizeEx 00000000775ace45 5 bytes JMP 0000000102fa200c .text C:\Program Files (x86)\PANDORA.TV\PanService\PandoraService.exe[1968] C:\Windows\syswow64\KERNELBASE.dll!GetFileSize 00000000775adfea 5 bytes JMP 0000000102fa100c .text C:\Program Files (x86)\PANDORA.TV\PanService\PandoraService.exe[1968] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 00000000775aec98 5 bytes JMP 0000000102fa300c .text C:\Program Files (x86)\PANDORA.TV\PanService\PandoraService.exe[1968] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexExW 00000000775b0efc 5 bytes JMP 0000000102f9b00c .text C:\Program Files (x86)\PANDORA.TV\PanService\PandoraService.exe[1968] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 00000000775b1371 5 bytes JMP 0000000102f9d00c .text C:\Program Files (x86)\PANDORA.TV\PanService\PandoraService.exe[1968] C:\Windows\syswow64\KERNELBASE.dll!TerminateThread 00000000775b3986 5 bytes JMP 0000000102fa500c .text C:\Program Files (x86)\PANDORA.TV\PanService\PandoraService.exe[1968] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx 00000000775b3e6b 2 bytes JMP 0000000102fa400c .text C:\Program Files (x86)\PANDORA.TV\PanService\PandoraService.exe[1968] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx + 3 00000000775b3e6e 2 bytes [9F, 8B] .text C:\Program Files (x86)\PANDORA.TV\PanService\PandoraService.exe[1968] C:\Windows\syswow64\KERNELBASE.dll!CreateDirectoryW 00000000775b923e 5 bytes JMP 0000000102fa000c .text C:\Program Files (x86)\PANDORA.TV\PanService\PandoraService.exe[1968] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076747603 5 bytes JMP 0000000102f9400c .text C:\Program Files (x86)\PANDORA.TV\PanService\PandoraService.exe[1968] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007674835c 5 bytes JMP 0000000102f9300c .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077b71780 5 bytes JMP 00000001001e1018 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077b71cd0 5 bytes JMP 00000001001e0018 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077b71d80 5 bytes JMP 00000001001e2018 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1464] C:\Windows\system32\kernel32.dll!OpenMutexA 00000000779027e0 5 bytes JMP 00000001001e5018 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1464] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077911890 5 bytes JMP 00000001001e6018 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1464] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 0000000077989090 5 bytes JMP 00000001001e7018 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1464] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd9e5140 5 bytes JMP 000007ff7fb89018 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1464] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd9e8100 5 bytes JMP 000007ff7fb88018 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1464] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd9e9420 5 bytes JMP 000007ff7fb86018 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1464] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd9e9d80 5 bytes JMP 000007ff7fb8c018 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1464] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd9ec450 5 bytes JMP 000007ff7fb8d018 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1464] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd9f2af0 5 bytes JMP 000007ff7fb87018 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1464] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd9f5470 5 bytes JMP 000007ff7fb8a018 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1464] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefda14350 5 bytes JMP 000007ff7fb8b018 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077b71780 5 bytes JMP 00000001000b1018 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077b71cd0 5 bytes JMP 00000001000b0018 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077b71d80 5 bytes JMP 00000001000b2018 .text C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077d1ffec 5 bytes JMP 00000001000b100c .text C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077d20814 5 bytes JMP 00000001000b000c .text C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077d2091c 5 bytes JMP 00000001000b200c .text C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe[1356] C:\Windows\syswow64\kernel32.dll!OpenMutexA 00000000772dec3f 5 bytes JMP 00000001000bc00c .text C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe[1356] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000772e3b62 5 bytes JMP 00000001000be00c .text C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe[1356] C:\Windows\syswow64\kernel32.dll!CreateDirectoryExW 00000000773389d1 5 bytes JMP 00000001000bf00c .text C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe[1356] C:\Windows\syswow64\KERNELBASE.dll!GetFileSizeEx 00000000775ace45 5 bytes JMP 00000001000c200c .text C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe[1356] C:\Windows\syswow64\KERNELBASE.dll!GetFileSize 00000000775adfea 5 bytes JMP 00000001000c100c .text C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe[1356] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 00000000775aec98 5 bytes JMP 00000001000c300c .text C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe[1356] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexExW 00000000775b0efc 5 bytes JMP 00000001000bb00c .text C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe[1356] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 00000000775b1371 5 bytes JMP 00000001000bd00c .text C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe[1356] C:\Windows\syswow64\KERNELBASE.dll!TerminateThread 00000000775b3986 5 bytes JMP 00000001000c500c .text C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe[1356] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx 00000000775b3e6b 2 bytes JMP 00000001000c400c .text C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe[1356] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx + 3 00000000775b3e6e 2 bytes [B1, 88] .text C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe[1356] C:\Windows\syswow64\KERNELBASE.dll!CreateDirectoryW 00000000775b923e 5 bytes JMP 00000001000c000c .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[1344] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077d1ffec 5 bytes JMP 00000001005f100c .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[1344] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077d20814 5 bytes JMP 00000001005f000c .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[1344] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077d2091c 5 bytes JMP 00000001005f200c .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[1344] C:\Windows\syswow64\kernel32.dll!OpenMutexA 00000000772dec3f 5 bytes JMP 00000001005fc00c .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[1344] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000772e3b62 5 bytes JMP 00000001005fe00c .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[1344] C:\Windows\syswow64\kernel32.dll!CreateDirectoryExW 00000000773389d1 5 bytes JMP 00000001005ff00c .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[1344] C:\Windows\syswow64\KERNELBASE.dll!GetFileSizeEx 00000000775ace45 5 bytes JMP 00000001007c200c .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[1344] C:\Windows\syswow64\KERNELBASE.dll!GetFileSize 00000000775adfea 5 bytes JMP 00000001007c100c .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[1344] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 00000000775aec98 5 bytes JMP 00000001007c300c .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[1344] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexExW 00000000775b0efc 5 bytes JMP 00000001005fb00c .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[1344] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 00000000775b1371 5 bytes JMP 00000001005fd00c .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[1344] C:\Windows\syswow64\KERNELBASE.dll!TerminateThread 00000000775b3986 5 bytes JMP 00000001007c500c .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[1344] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx 00000000775b3e6b 2 bytes JMP 00000001007c400c .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[1344] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx + 3 00000000775b3e6e 2 bytes [21, 89] .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[1344] C:\Windows\syswow64\KERNELBASE.dll!CreateDirectoryW 00000000775b923e 5 bytes JMP 00000001007c000c .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[1344] C:\Windows\SysWOW64\sechost.dll!ControlService 0000000076cd4d5c 5 bytes JMP 00000001005f700c .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[1344] C:\Windows\SysWOW64\sechost.dll!CloseServiceHandle 0000000076cd4dc3 5 bytes JMP 00000001005f800c .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[1344] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000076cd567c 5 bytes JMP 00000001005fa00c .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[1344] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000076cd589f 5 bytes JMP 00000001005f900c .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[1344] C:\Windows\SysWOW64\sechost.dll!OpenServiceW 0000000076cd714b 5 bytes JMP 00000001005f600c .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[1344] C:\Windows\SysWOW64\sechost.dll!OpenServiceA 0000000076cd7245 5 bytes JMP 00000001005f500c .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[1344] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076747603 5 bytes JMP 00000001005f400c .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[1344] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007674835c 5 bytes JMP 00000001005f300c .text C:\Windows\system32\wbem\unsecapp.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077b71780 5 bytes JMP 00000001002a1018 .text C:\Windows\system32\wbem\unsecapp.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077b71cd0 5 bytes JMP 00000001002a0018 .text C:\Windows\system32\wbem\unsecapp.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077b71d80 5 bytes JMP 00000001002a2018 .text C:\Windows\system32\wbem\unsecapp.exe[2716] C:\Windows\system32\kernel32.dll!OpenMutexA 00000000779027e0 5 bytes JMP 00000001002a5018 .text C:\Windows\system32\wbem\unsecapp.exe[2716] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077911890 5 bytes JMP 00000001002a6018 .text C:\Windows\system32\wbem\unsecapp.exe[2716] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 0000000077989090 5 bytes JMP 00000001002a7018 .text C:\Windows\system32\wbem\unsecapp.exe[2716] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd9e5140 5 bytes JMP 000007ff7fb89018 .text C:\Windows\system32\wbem\unsecapp.exe[2716] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd9e8100 5 bytes JMP 000007ff7fb88018 .text C:\Windows\system32\wbem\unsecapp.exe[2716] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd9e9420 5 bytes JMP 000007ff7fb86018 .text C:\Windows\system32\wbem\unsecapp.exe[2716] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd9e9d80 5 bytes JMP 000007ff7fb8c018 .text C:\Windows\system32\wbem\unsecapp.exe[2716] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd9ec450 5 bytes JMP 000007ff7fb8d018 .text C:\Windows\system32\wbem\unsecapp.exe[2716] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd9f2af0 5 bytes JMP 000007ff7fb87018 .text C:\Windows\system32\wbem\unsecapp.exe[2716] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd9f5470 5 bytes JMP 000007ff7fb8a018 .text C:\Windows\system32\wbem\unsecapp.exe[2716] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefda14350 5 bytes JMP 000007ff7fb8b018 .text C:\Windows\system32\taskeng.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077b71780 5 bytes JMP 0000000100121018 .text C:\Windows\system32\taskeng.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077b71cd0 5 bytes JMP 0000000100120018 .text C:\Windows\system32\taskeng.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077b71d80 5 bytes JMP 0000000100122018 .text C:\Windows\system32\taskeng.exe[3788] C:\Windows\system32\kernel32.dll!OpenMutexA 00000000779027e0 5 bytes JMP 0000000100125018 .text C:\Windows\system32\taskeng.exe[3788] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077911890 5 bytes JMP 0000000100126018 .text C:\Windows\system32\taskeng.exe[3788] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 0000000077989090 5 bytes JMP 0000000100127018 .text C:\Windows\system32\taskeng.exe[3788] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd9e5140 5 bytes JMP 000007ff7fb89018 .text C:\Windows\system32\taskeng.exe[3788] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd9e8100 5 bytes JMP 000007ff7fb88018 .text C:\Windows\system32\taskeng.exe[3788] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd9e9420 5 bytes JMP 000007ff7fb86018 .text C:\Windows\system32\taskeng.exe[3788] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd9e9d80 5 bytes JMP 000007ff7fb8c018 .text C:\Windows\system32\taskeng.exe[3788] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd9ec450 5 bytes JMP 000007ff7fb8d018 .text C:\Windows\system32\taskeng.exe[3788] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd9f2af0 5 bytes JMP 000007ff7fb87018 .text C:\Windows\system32\taskeng.exe[3788] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd9f5470 5 bytes JMP 000007ff7fb8a018 .text C:\Windows\system32\taskeng.exe[3788] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefda14350 5 bytes JMP 000007ff7fb8b018 .text C:\Windows\system32\taskeng.exe[3788] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007feffb7642c 5 bytes JMP 000007ff7fb82018 .text C:\Windows\system32\taskeng.exe[3788] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007feffb76484 5 bytes JMP 000007ff7fb81018 .text C:\Windows\system32\taskeng.exe[3788] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007feffb76518 5 bytes JMP 000007ff7fb83018 .text C:\Windows\system32\taskeng.exe[3788] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007feffb76c34 5 bytes JMP 000007ff7fb80018 .text C:\Windows\system32\taskeng.exe[3788] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffb775e8 5 bytes JMP 000007ff7fb85018 .text C:\Windows\system32\taskeng.exe[3788] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffb7790c 5 bytes JMP 000007ff7fb84018 .text C:\Windows\system32\Dwm.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077b71780 5 bytes JMP 0000000100211018 .text C:\Windows\system32\Dwm.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077b71cd0 5 bytes JMP 0000000100210018 .text C:\Windows\system32\Dwm.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077b71d80 5 bytes JMP 0000000100212018 .text C:\Windows\system32\Dwm.exe[3924] C:\Windows\system32\kernel32.dll!OpenMutexA 00000000779027e0 5 bytes JMP 0000000100215018 .text C:\Windows\system32\Dwm.exe[3924] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077911890 5 bytes JMP 0000000100216018 .text C:\Windows\system32\Dwm.exe[3924] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 0000000077989090 5 bytes JMP 0000000100217018 .text C:\Windows\system32\Dwm.exe[3924] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd9e5140 5 bytes JMP 000007ff7fb89018 .text C:\Windows\system32\Dwm.exe[3924] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd9e8100 5 bytes JMP 000007ff7fb88018 .text C:\Windows\system32\Dwm.exe[3924] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd9e9420 5 bytes JMP 000007ff7fb86018 .text C:\Windows\system32\Dwm.exe[3924] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd9e9d80 5 bytes JMP 000007ff7fb8c018 .text C:\Windows\system32\Dwm.exe[3924] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd9ec450 5 bytes JMP 000007ff7fb8d018 .text C:\Windows\system32\Dwm.exe[3924] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd9f2af0 5 bytes JMP 000007ff7fb87018 .text C:\Windows\system32\Dwm.exe[3924] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd9f5470 5 bytes JMP 000007ff7fb8a018 .text C:\Windows\system32\Dwm.exe[3924] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefda14350 5 bytes JMP 000007ff7fb8b018 .text C:\Windows\system32\Dwm.exe[3924] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007feffb7642c 5 bytes JMP 000007ff7fb82018 .text C:\Windows\system32\Dwm.exe[3924] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007feffb76484 5 bytes JMP 000007ff7fb81018 .text C:\Windows\system32\Dwm.exe[3924] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007feffb76518 5 bytes JMP 000007ff7fb83018 .text C:\Windows\system32\Dwm.exe[3924] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007feffb76c34 5 bytes JMP 000007ff7fb80018 .text C:\Windows\system32\Dwm.exe[3924] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffb775e8 5 bytes JMP 000007ff7fb85018 .text C:\Windows\system32\Dwm.exe[3924] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffb7790c 5 bytes JMP 000007ff7fb84018 .text C:\Windows\Explorer.EXE[3952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077b71780 5 bytes JMP 0000000100211018 .text C:\Windows\Explorer.EXE[3952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077b71cd0 5 bytes JMP 0000000100210018 .text C:\Windows\Explorer.EXE[3952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077b71d80 5 bytes JMP 0000000100212018 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4028] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077d1ffec 5 bytes JMP 000000010026100c .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4028] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077d20814 5 bytes JMP 000000010026000c .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4028] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077d2091c 5 bytes JMP 000000010026200c .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4028] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076d61465 2 bytes [D6, 76] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[4028] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076d614bb 2 bytes [D6, 76] .text ... * 2 .text C:\Windows\system32\taskeng.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077b71780 5 bytes JMP 0000000100191018 .text C:\Windows\system32\taskeng.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077b71cd0 5 bytes JMP 0000000100190018 .text C:\Windows\system32\taskeng.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077b71d80 5 bytes JMP 0000000100192018 .text C:\Windows\system32\taskeng.exe[1284] C:\Windows\system32\kernel32.dll!OpenMutexA 00000000779027e0 5 bytes JMP 0000000100195018 .text C:\Windows\system32\taskeng.exe[1284] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077911890 5 bytes JMP 0000000100196018 .text C:\Windows\system32\taskeng.exe[1284] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 0000000077989090 5 bytes JMP 0000000100197018 .text C:\Windows\system32\taskeng.exe[1284] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd9e5140 5 bytes JMP 000007ff7fb89018 .text C:\Windows\system32\taskeng.exe[1284] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd9e8100 5 bytes JMP 000007ff7fb88018 .text C:\Windows\system32\taskeng.exe[1284] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd9e9420 5 bytes JMP 000007ff7fb86018 .text C:\Windows\system32\taskeng.exe[1284] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd9e9d80 5 bytes JMP 000007ff7fb8c018 .text C:\Windows\system32\taskeng.exe[1284] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd9ec450 5 bytes JMP 000007ff7fb8d018 .text C:\Windows\system32\taskeng.exe[1284] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd9f2af0 5 bytes JMP 000007ff7fb87018 .text C:\Windows\system32\taskeng.exe[1284] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd9f5470 5 bytes JMP 000007ff7fb8a018 .text C:\Windows\system32\taskeng.exe[1284] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefda14350 5 bytes JMP 000007ff7fb8b018 .text C:\Windows\system32\taskeng.exe[1284] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007feffb7642c 5 bytes JMP 000007ff7fb82018 .text C:\Windows\system32\taskeng.exe[1284] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007feffb76484 5 bytes JMP 000007ff7fb81018 .text C:\Windows\system32\taskeng.exe[1284] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007feffb76518 5 bytes JMP 000007ff7fb83018 .text C:\Windows\system32\taskeng.exe[1284] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007feffb76c34 5 bytes JMP 000007ff7fb80018 .text C:\Windows\system32\taskeng.exe[1284] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffb775e8 5 bytes JMP 000007ff7fb85018 .text C:\Windows\system32\taskeng.exe[1284] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffb7790c 5 bytes JMP 000007ff7fb84018 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077d1ffec 5 bytes JMP 000000010024100c .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077d20814 5 bytes JMP 000000010024000c .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3384] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077d2091c 5 bytes JMP 000000010024200c .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3384] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076d61465 2 bytes [D6, 76] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3384] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076d614bb 2 bytes [D6, 76] .text ... * 2 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3408] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077d1ffec 5 bytes JMP 000000010024100c .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3408] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077d20814 5 bytes JMP 000000010024000c .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3408] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077d2091c 5 bytes JMP 000000010024200c .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3408] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076d61465 2 bytes [D6, 76] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3408] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076d614bb 2 bytes [D6, 76] .text ... * 2 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[3432] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077d1ffec 5 bytes JMP 000000010026100c .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[3432] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077d20814 5 bytes JMP 000000010026000c .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[3432] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077d2091c 5 bytes JMP 000000010026200c .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[3432] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076d61465 2 bytes [D6, 76] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[3432] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076d614bb 2 bytes [D6, 76] .text ... * 2 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077b71780 5 bytes JMP 00000001001e1018 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077b71cd0 5 bytes JMP 00000001001e0018 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077b71d80 5 bytes JMP 00000001001e2018 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077b71780 5 bytes JMP 0000000100331018 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077b71cd0 5 bytes JMP 0000000100330018 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077b71d80 5 bytes JMP 0000000100332018 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077b71780 5 bytes JMP 0000000100711018 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077b71cd0 5 bytes JMP 0000000100710018 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077b71d80 5 bytes JMP 0000000100712018 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077b71780 5 bytes JMP 0000000100271018 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077b71cd0 5 bytes JMP 0000000100270018 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077b71d80 5 bytes JMP 0000000100272018 .text C:\Windows\System32\rundll32.exe[3460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077b71780 5 bytes JMP 0000000100211018 .text C:\Windows\System32\rundll32.exe[3460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077b71cd0 5 bytes JMP 0000000100210018 .text C:\Windows\System32\rundll32.exe[3460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077b71d80 5 bytes JMP 0000000100212018 .text C:\Windows\System32\hkcmd.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077b71780 5 bytes JMP 00000001001f1018 .text C:\Windows\System32\hkcmd.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077b71cd0 5 bytes JMP 00000001001f0018 .text C:\Windows\System32\hkcmd.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077b71d80 5 bytes JMP 00000001001f2018 .text C:\Windows\System32\igfxpers.exe[208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077b71780 5 bytes JMP 0000000100321018 .text C:\Windows\System32\igfxpers.exe[208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077b71cd0 5 bytes JMP 0000000100320018 .text C:\Windows\System32\igfxpers.exe[208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077b71d80 5 bytes JMP 0000000100322018 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077b71780 5 bytes JMP 00000001004e1018 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077b71cd0 5 bytes JMP 00000001004e0018 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[1708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077b71d80 5 bytes JMP 00000001004e2018 .text C:\Program Files\Windows Sidebar\sidebar.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077b71780 5 bytes JMP 00000001003a1018 .text C:\Program Files\Windows Sidebar\sidebar.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077b71cd0 5 bytes JMP 00000001003a0018 .text C:\Program Files\Windows Sidebar\sidebar.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077b71d80 5 bytes JMP 00000001003a2018 .text C:\Users\ASUS\AppData\Local\GG\Application\gghub.exe[4088] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077d1ffec 5 bytes JMP 000000010014100c .text C:\Users\ASUS\AppData\Local\GG\Application\gghub.exe[4088] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077d20814 5 bytes JMP 000000010014000c .text C:\Users\ASUS\AppData\Local\GG\Application\gghub.exe[4088] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077d2091c 5 bytes JMP 000000010014200c .text C:\Users\ASUS\AppData\Local\GG\Application\gghub.exe[4088] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076d61465 2 bytes [D6, 76] .text C:\Users\ASUS\AppData\Local\GG\Application\gghub.exe[4088] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076d614bb 2 bytes [D6, 76] .text ... * 2 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077d1ffec 5 bytes JMP 000000010002100c .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077d20814 5 bytes JMP 000000010002000c .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077d2091c 5 bytes JMP 000000010002200c .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2184] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076d61465 2 bytes [D6, 76] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2184] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076d614bb 2 bytes [D6, 76] .text ... * 2 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077d1ffec 5 bytes JMP 000000010026100c .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077d20814 5 bytes JMP 000000010026000c .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077d2091c 5 bytes JMP 000000010026200c .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4296] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076d61465 2 bytes [D6, 76] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4296] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076d614bb 2 bytes [D6, 76] .text ... * 2 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4336] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077d1ffec 5 bytes JMP 000000010024100c .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4336] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077d20814 5 bytes JMP 000000010024000c .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4336] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077d2091c 5 bytes JMP 000000010024200c .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4336] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076d61465 2 bytes [D6, 76] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4336] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076d614bb 2 bytes [D6, 76] .text ... * 2 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4568] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077d1ffec 5 bytes JMP 00000001001e100c .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4568] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077d20814 5 bytes JMP 00000001001e000c .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4568] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077d2091c 5 bytes JMP 00000001001e200c .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4568] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076d61465 2 bytes [D6, 76] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4568] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076d614bb 2 bytes [D6, 76] .text ... * 2 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4604] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076d61465 2 bytes [D6, 76] .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4604] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076d614bb 2 bytes [D6, 76] .text ... * 2 .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[4768] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077d1ffec 5 bytes JMP 00000001003c100c .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[4768] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077d20814 5 bytes JMP 00000001003c000c .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[4768] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077d2091c 5 bytes JMP 00000001003c200c .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[4768] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076d61465 2 bytes [D6, 76] .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[4768] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076d614bb 2 bytes [D6, 76] .text ... * 2 .text C:\Windows\system32\wbem\unsecapp.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077b71780 5 bytes JMP 00000001000f1018 .text C:\Windows\system32\wbem\unsecapp.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077b71cd0 5 bytes JMP 00000001000f0018 .text C:\Windows\system32\wbem\unsecapp.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077b71d80 5 bytes JMP 00000001000f2018 .text C:\Windows\system32\wbem\unsecapp.exe[4900] C:\Windows\system32\kernel32.dll!OpenMutexA 00000000779027e0 5 bytes JMP 00000001000f5018 .text C:\Windows\system32\wbem\unsecapp.exe[4900] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077911890 5 bytes JMP 00000001000f6018 .text C:\Windows\system32\wbem\unsecapp.exe[4900] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 0000000077989090 5 bytes JMP 00000001000f7018 .text C:\Windows\system32\wbem\unsecapp.exe[4900] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd9e5140 5 bytes JMP 000007ff7fb89018 .text C:\Windows\system32\wbem\unsecapp.exe[4900] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd9e8100 5 bytes JMP 000007ff7fb88018 .text C:\Windows\system32\wbem\unsecapp.exe[4900] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd9e9420 5 bytes JMP 000007ff7fb86018 .text C:\Windows\system32\wbem\unsecapp.exe[4900] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd9e9d80 5 bytes JMP 000007ff7fb8c018 .text C:\Windows\system32\wbem\unsecapp.exe[4900] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd9ec450 5 bytes JMP 000007ff7fb8d018 .text C:\Windows\system32\wbem\unsecapp.exe[4900] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd9f2af0 5 bytes JMP 000007ff7fb87018 .text C:\Windows\system32\wbem\unsecapp.exe[4900] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd9f5470 5 bytes JMP 000007ff7fb8a018 .text C:\Windows\system32\wbem\unsecapp.exe[4900] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefda14350 5 bytes JMP 000007ff7fb8b018 .text C:\Windows\system32\wbem\unsecapp.exe[4900] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007feffb7642c 5 bytes JMP 000007ff7fb82018 .text C:\Windows\system32\wbem\unsecapp.exe[4900] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007feffb76484 5 bytes JMP 000007ff7fb81018 .text C:\Windows\system32\wbem\unsecapp.exe[4900] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007feffb76518 5 bytes JMP 000007ff7fb83018 .text C:\Windows\system32\wbem\unsecapp.exe[4900] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007feffb76c34 5 bytes JMP 000007ff7fb80018 .text C:\Windows\system32\wbem\unsecapp.exe[4900] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffb775e8 5 bytes JMP 000007ff7fb85018 .text C:\Windows\system32\wbem\unsecapp.exe[4900] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffb7790c 5 bytes JMP 000007ff7fb84018 .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[1596] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077d1ffec 5 bytes JMP 000000010027100c .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[1596] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077d20814 5 bytes JMP 000000010027000c .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[1596] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077d2091c 5 bytes JMP 000000010027200c .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[1596] C:\Windows\syswow64\kernel32.dll!OpenMutexA 00000000772dec3f 5 bytes JMP 000000010027c00c .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[1596] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000772e3b62 5 bytes JMP 000000010027e00c .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[1596] C:\Windows\syswow64\kernel32.dll!CreateDirectoryExW 00000000773389d1 5 bytes JMP 000000010027f00c .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[1596] C:\Windows\syswow64\KERNELBASE.dll!GetFileSizeEx 00000000775ace45 5 bytes JMP 000000010029200c .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[1596] C:\Windows\syswow64\KERNELBASE.dll!GetFileSize 00000000775adfea 5 bytes JMP 000000010029100c .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[1596] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 00000000775aec98 5 bytes JMP 000000010029300c .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[1596] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexExW 00000000775b0efc 5 bytes JMP 000000010027b00c .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[1596] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 00000000775b1371 5 bytes JMP 000000010027d00c .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[1596] C:\Windows\syswow64\KERNELBASE.dll!TerminateThread 00000000775b3986 5 bytes JMP 000000010029500c .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[1596] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx 00000000775b3e6b 2 bytes JMP 000000010029400c .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[1596] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx + 3 00000000775b3e6e 2 bytes [CE, 88] .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[1596] C:\Windows\syswow64\KERNELBASE.dll!CreateDirectoryW 00000000775b923e 5 bytes JMP 000000010029000c .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[1596] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076747603 5 bytes JMP 000000010027400c .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[1596] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007674835c 5 bytes JMP 000000010027300c .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[1596] C:\Windows\SysWOW64\sechost.dll!ControlService 0000000076cd4d5c 5 bytes JMP 000000010027700c .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[1596] C:\Windows\SysWOW64\sechost.dll!CloseServiceHandle 0000000076cd4dc3 5 bytes JMP 000000010027800c .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[1596] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000076cd567c 5 bytes JMP 000000010027a00c .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[1596] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000076cd589f 5 bytes JMP 000000010027900c .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[1596] C:\Windows\SysWOW64\sechost.dll!OpenServiceW 0000000076cd714b 5 bytes JMP 000000010027600c .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[1596] C:\Windows\SysWOW64\sechost.dll!OpenServiceA 0000000076cd7245 5 bytes JMP 000000010027500c .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[1596] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076d61465 2 bytes [D6, 76] .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[1596] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076d614bb 2 bytes [D6, 76] .text ... * 2 .text C:\Program Files (x86)\WinRAR\WinRAR.exe[6376] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077d1ffec 5 bytes JMP 000000010009100c .text C:\Program Files (x86)\WinRAR\WinRAR.exe[6376] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077d20814 5 bytes JMP 000000010009000c .text C:\Program Files (x86)\WinRAR\WinRAR.exe[6376] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077d2091c 5 bytes JMP 000000010009200c .text C:\Program Files (x86)\WinRAR\WinRAR.exe[6376] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076d61465 2 bytes [D6, 76] .text C:\Program Files (x86)\WinRAR\WinRAR.exe[6376] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076d614bb 2 bytes [D6, 76] .text ... * 2 ? C:\Windows\system32\mssprxy.dll [6376] entry point in ".rdata" section 00000000731c71e6 .text C:\Users\ASUS\AppData\Local\Temp\Rar$EXa0.530\m57g1hli.exe[6632] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077d1ffec 5 bytes JMP 000000010002100c .text C:\Users\ASUS\AppData\Local\Temp\Rar$EXa0.530\m57g1hli.exe[6632] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077d20814 5 bytes JMP 000000010002000c .text C:\Users\ASUS\AppData\Local\Temp\Rar$EXa0.530\m57g1hli.exe[6632] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077d2091c 5 bytes JMP 000000010002200c .text C:\Users\ASUS\AppData\Local\Temp\Rar$EXa0.530\m57g1hli.exe[6632] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076d61465 2 bytes [D6, 76] .text C:\Users\ASUS\AppData\Local\Temp\Rar$EXa0.530\m57g1hli.exe[6632] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076d614bb 2 bytes [D6, 76] .text ... * 2 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{BEBB9458-F948-4DE7-A2AF-E5E8D5FFAD6A}\Connection@Name isatap.{F8B53D2D-109C-43F8-81D2-98B67F4AF375} Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Bind \Device\{56D9215E-F93D-483E-943C-EBCD0B64DE0C}?\Device\{BEBB9458-F948-4DE7-A2AF-E5E8D5FFAD6A}?\Device\{8BF4CBA0-185F-43F5-AD45-F94798748510}?\Device\{0B229721-D9F5-45DF-85E3-E1CC7E13B1EC}? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Route "{56D9215E-F93D-483E-943C-EBCD0B64DE0C}"?"{BEBB9458-F948-4DE7-A2AF-E5E8D5FFAD6A}"?"{8BF4CBA0-185F-43F5-AD45-F94798748510}"?"{0B229721-D9F5-45DF-85E3-E1CC7E13B1EC}"? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Export \Device\TCPIP6TUNNEL_{56D9215E-F93D-483E-943C-EBCD0B64DE0C}?\Device\TCPIP6TUNNEL_{BEBB9458-F948-4DE7-A2AF-E5E8D5FFAD6A}?\Device\TCPIP6TUNNEL_{8BF4CBA0-185F-43F5-AD45-F94798748510}?\Device\TCPIP6TUNNEL_{0B229721-D9F5-45DF-85E3-E1CC7E13B1EC}? Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{BEBB9458-F948-4DE7-A2AF-E5E8D5FFAD6A}@InterfaceName isatap.{F8B53D2D-109C-43F8-81D2-98B67F4AF375} Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{BEBB9458-F948-4DE7-A2AF-E5E8D5FFAD6A}@ReusableType 0 Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch@Epoch 27977 ---- EOF - GMER 2.1 ----