GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-12-29 21:11:43
Windows 6.0.6002 Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD32 rev.11.0 298,09GB
Running: venishkc.exe; Driver: C:\Users\sandoz\AppData\Local\Temp\uwldypob.sys

---- Kernel code sections - GMER 2.1 ----

.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8FC0A340, 0x3FC377, 0xE8000020]
.text C:\Windows\system32\DRIVERS\atksgt.sys section is writeable [0xA6F0A300, 0x3AF78, 0xE8000020]
.text C:\Windows\system32\DRIVERS\lirsgt.sys section is writeable [0xA6F4D300, 0x1BCE, 0xE8000020]

---- User code sections - GMER 2.1 ----

.text C:\Windows\system32\cmd.exe[304] ntdll.dll!NtCreateEvent 77A841A0 5 Bytes JMP 002420B5
.text C:\Windows\system32\cmd.exe[304] ntdll.dll!NtCreateFile 77A841C0 5 Bytes JMP 002421B7
.text C:\Windows\system32\cmd.exe[304] ntdll.dll!NtCreateIoCompletion 77A841D0 5 Bytes JMP 0024222F
.text C:\Windows\system32\cmd.exe[304] ntdll.dll!NtCreateKey 77A84200 5 Bytes JMP 00242239
.text C:\Windows\system32\cmd.exe[304] ntdll.dll!NtCreateMutant 77A84230 5 Bytes JMP 00242103
.text C:\Windows\system32\cmd.exe[304] ntdll.dll!NtCreateNamedPipeFile 77A84240 5 Bytes JMP 002421F5
.text C:\Windows\system32\cmd.exe[304] ntdll.dll!NtCreateSection 77A842B0 5 Bytes JMP 00242176
.text C:\Windows\system32\cmd.exe[304] ntdll.dll!NtCreateSemaphore 77A842C0 5 Bytes JMP 00242128
.text C:\Windows\system32\cmd.exe[304] ntdll.dll!NtCreateThread 77A842E0 5 Bytes JMP 0024228F
.text C:\Windows\system32\cmd.exe[304] ntdll.dll!NtCreateTimer 77A842F0 5 Bytes JMP 00242151
.text C:\Windows\system32\cmd.exe[304] ntdll.dll!NtDeleteFile 77A845A0 5 Bytes JMP 00242211
.text C:\Windows\system32\cmd.exe[304] ntdll.dll!NtOpenDirectoryObject 77A84970 5 Bytes JMP 0024209A
.text C:\Windows\system32\cmd.exe[304] ntdll.dll!NtOpenEvent 77A84980 5 Bytes JMP 002420C3
.text C:\Windows\system32\cmd.exe[304] ntdll.dll!NtOpenFile 77A849A0 5 Bytes JMP 00242203
.text C:\Windows\system32\cmd.exe[304] ntdll.dll!NtOpenIoCompletion 77A849B0 5 Bytes JMP 00242247
.text C:\Windows\system32\cmd.exe[304] ntdll.dll!NtOpenKey 77A849D0 5 Bytes JMP 00242247
.text C:\Windows\system32\cmd.exe[304] ntdll.dll!NtOpenMutant 77A849F0 5 Bytes JMP 0024210D
.text C:\Windows\system32\cmd.exe[304] ntdll.dll!NtOpenSection 77A84A50 5 Bytes JMP 0024219C
.text C:\Windows\system32\cmd.exe[304] ntdll.dll!NtOpenSemaphore 77A84A60 5 Bytes JMP 00242136
.text C:\Windows\system32\cmd.exe[304] ntdll.dll!NtOpenSymbolicLinkObject 77A84A80 5 Bytes JMP 0024207F
.text C:\Windows\system32\cmd.exe[304] ntdll.dll!NtOpenTimer 77A84AC0 5 Bytes JMP 0024215B
.text C:\Windows\system32\cmd.exe[304] ntdll.dll!NtQueryAttributesFile 77A84B40 5 Bytes JMP 0024221B
.text C:\Windows\system32\cmd.exe[304] ntdll.dll!NtQueryFullAttributesFile 77A84BF0 5 Bytes JMP 00242225
.text C:\Windows\system32\cmd.exe[304] ntdll.dll!NtCreateKeyedEvent 77A85480 5 Bytes JMP 002420DE
.text C:\Windows\system32\cmd.exe[304] ntdll.dll!NtOpenKeyedEvent 77A85490 5 Bytes JMP 002420E8
.text C:\Windows\system32\cmd.exe[304] kernel32.dll!CreateProcessW 76481BF3 5 Bytes JMP 002422EE
.text C:\Windows\system32\cmd.exe[304] kernel32.dll!CreateProcessInternalW 764A5477 5 Bytes JMP 0024230E
.text C:\Windows\system32\cmd.exe[304] kernel32.dll!CompareStringA 764C79B3 5 Bytes JMP 00036C22
.text C:\Windows\system32\cmd.exe[304] kernel32.dll!CreateThread 764CCBEE 5 Bytes JMP 00036C40
.text C:\Windows\system32\cmd.exe[304] USER32.dll!OpenDesktopW 776FB681 5 Bytes JMP 0024232E
.text C:\Windows\system32\cmd.exe[304] USER32.dll!PostMessageA 776FF8F8 5 Bytes JMP 00036BF4
.text C:\Windows\system32\cmd.exe[304] USER32.dll!GetForegroundWindow 777032C4 5 Bytes JMP 00036BDE
.text C:\Windows\system32\cmd.exe[304] USER32.dll!SetFocus 77703684 5 Bytes JMP 00036BE8
.text C:\Windows\system32\cmd.exe[304] USER32.dll!GetFocus 77710B40 5 Bytes JMP 00036BE3
.text C:\Windows\system32\cmd.exe[304] USER32.dll!GetCursorPos 77710B88 5 Bytes JMP 00036C0E
.text C:\Windows\system32\cmd.exe[304] USER32.dll!DialogBoxParamW 777210B0 5 Bytes JMP 00036C1A
.text C:\Windows\system32\cmd.exe[304] USER32.dll!DialogBoxIndirectParamW 77722EF5 5 Bytes JMP 00036C1A
.text C:\Windows\system32\cmd.exe[304] USER32.dll!DialogBoxParamA 77738152 5 Bytes JMP 00036C1A
.text C:\Windows\system32\cmd.exe[304] USER32.dll!DialogBoxIndirectParamA 7773847D 5 Bytes JMP 00036C1A
.text C:\Windows\system32\cmd.exe[304] ole32.dll!CoCreateInstance 76389E4E 5 Bytes JMP 00036BD5
.text C:\Windows\system32\cmd.exe[304] SHLWAPI.dll!GetAcceptLanguagesW 776114B3 5 Bytes JMP 000373FA
.text C:\Windows\system32\cmd.exe[304] SHLWAPI.dll!GetAcceptLanguagesA 77643AFC 5 Bytes JMP 000373E8
.text C:\Windows\system32\cmd.exe[304] secur32.dll!FreeCredentialsHandle 75F73598 5 Bytes JMP 00242365
.text C:\Windows\system32\cmd.exe[304] secur32.dll!AcquireCredentialsHandleA 75F78A43 5 Bytes JMP 00242340
.text C:\Windows\system32\dllhost.exe[704] ntdll.dll!NtCreateEvent 77A841A0 5 Bytes JMP 003A3635
.text C:\Windows\system32\dllhost.exe[704] ntdll.dll!NtCreateFile 77A841C0 5 Bytes JMP 003A3737
.text C:\Windows\system32\dllhost.exe[704] ntdll.dll!NtCreateIoCompletion 77A841D0 5 Bytes JMP 003A37AF
.text C:\Windows\system32\dllhost.exe[704] ntdll.dll!NtCreateKey 77A84200 5 Bytes JMP 003A37B9
.text C:\Windows\system32\dllhost.exe[704] ntdll.dll!NtCreateMutant 77A84230 5 Bytes JMP 003A3683
.text C:\Windows\system32\dllhost.exe[704] ntdll.dll!NtCreateNamedPipeFile 77A84240 5 Bytes JMP 003A3775
.text C:\Windows\system32\dllhost.exe[704] ntdll.dll!NtCreateSection 77A842B0 5 Bytes JMP 003A36F6
.text C:\Windows\system32\dllhost.exe[704] ntdll.dll!NtCreateSemaphore 77A842C0 5 Bytes JMP 003A36A8
.text C:\Windows\system32\dllhost.exe[704] ntdll.dll!NtCreateThread 77A842E0 5 Bytes JMP 003A380F
.text C:\Windows\system32\dllhost.exe[704] ntdll.dll!NtCreateTimer 77A842F0 5 Bytes JMP 003A36D1
.text C:\Windows\system32\dllhost.exe[704] ntdll.dll!NtDeleteFile 77A845A0 5 Bytes JMP 003A3791
.text C:\Windows\system32\dllhost.exe[704] ntdll.dll!NtOpenDirectoryObject 77A84970 5 Bytes JMP 003A361A
.text C:\Windows\system32\dllhost.exe[704] ntdll.dll!NtOpenEvent 77A84980 5 Bytes JMP 003A3643
.text C:\Windows\system32\dllhost.exe[704] ntdll.dll!NtOpenFile 77A849A0 5 Bytes JMP 003A3783
.text C:\Windows\system32\dllhost.exe[704] ntdll.dll!NtOpenIoCompletion 77A849B0 5 Bytes JMP 003A37C7
.text C:\Windows\system32\dllhost.exe[704] ntdll.dll!NtOpenKey 77A849D0 5 Bytes JMP 003A37C7
.text C:\Windows\system32\dllhost.exe[704] ntdll.dll!NtOpenMutant 77A849F0 5 Bytes JMP 003A368D
.text C:\Windows\system32\dllhost.exe[704] ntdll.dll!NtOpenSection 77A84A50 5 Bytes JMP 003A371C
.text C:\Windows\system32\dllhost.exe[704] ntdll.dll!NtOpenSemaphore 77A84A60 5 Bytes JMP 003A36B6
.text C:\Windows\system32\dllhost.exe[704] ntdll.dll!NtOpenSymbolicLinkObject 77A84A80 5 Bytes JMP 003A35FF
.text C:\Windows\system32\dllhost.exe[704] ntdll.dll!NtOpenTimer 77A84AC0 5 Bytes JMP 003A36DB
.text C:\Windows\system32\dllhost.exe[704] ntdll.dll!NtQueryAttributesFile 77A84B40 5 Bytes JMP 003A379B
.text C:\Windows\system32\dllhost.exe[704] ntdll.dll!NtQueryFullAttributesFile 77A84BF0 5 Bytes JMP 003A37A5
.text C:\Windows\system32\dllhost.exe[704] ntdll.dll!NtCreateKeyedEvent 77A85480 5 Bytes JMP 003A365E
.text C:\Windows\system32\dllhost.exe[704] ntdll.dll!NtOpenKeyedEvent 77A85490 5 Bytes JMP 003A3668
.text C:\Windows\system32\dllhost.exe[704] kernel32.dll!CreateProcessW 76481BF3 5 Bytes JMP 003A386E
.text C:\Windows\system32\dllhost.exe[704] kernel32.dll!CreateProcessInternalW 764A5477 5 Bytes JMP 003A388E
.text C:\Windows\system32\dllhost.exe[704] kernel32.dll!CompareStringA 764C79B3 5 Bytes JMP 000B61A2
.text C:\Windows\system32\dllhost.exe[704] kernel32.dll!CreateThread 764CCBEE 5 Bytes JMP 000B61C0
.text C:\Windows\system32\dllhost.exe[704] ole32.dll!CoCreateInstance 76389E4E 5 Bytes JMP 000B6155
.text C:\Windows\system32\dllhost.exe[704] USER32.dll!OpenDesktopW 776FB681 5 Bytes JMP 003A38AE
.text C:\Windows\system32\dllhost.exe[704] USER32.dll!PostMessageA 776FF8F8 5 Bytes JMP 000B6174
.text C:\Windows\system32\dllhost.exe[704] USER32.dll!GetForegroundWindow 777032C4 5 Bytes JMP 000B615E
.text C:\Windows\system32\dllhost.exe[704] USER32.dll!SetFocus 77703684 5 Bytes JMP 000B6168
.text C:\Windows\system32\dllhost.exe[704] USER32.dll!GetFocus 77710B40 5 Bytes JMP 000B6163
.text C:\Windows\system32\dllhost.exe[704] USER32.dll!GetCursorPos 77710B88 5 Bytes JMP 000B618E
.text C:\Windows\system32\dllhost.exe[704] USER32.dll!DialogBoxParamW 777210B0 5 Bytes JMP 000B619A
.text C:\Windows\system32\dllhost.exe[704] USER32.dll!DialogBoxIndirectParamW 77722EF5 5 Bytes JMP 000B619A
.text C:\Windows\system32\dllhost.exe[704] USER32.dll!DialogBoxParamA 77738152 5 Bytes JMP 000B619A
.text C:\Windows\system32\dllhost.exe[704] USER32.dll!DialogBoxIndirectParamA 7773847D 5 Bytes JMP 000B619A
.text C:\Windows\system32\dllhost.exe[704] SHLWAPI.dll!GetAcceptLanguagesW 776114B3 5 Bytes JMP 000B697A
.text C:\Windows\system32\dllhost.exe[704] SHLWAPI.dll!GetAcceptLanguagesA 77643AFC 5 Bytes JMP 000B6968
.text C:\Windows\system32\dllhost.exe[704] secur32.dll!FreeCredentialsHandle 75F73598 5 Bytes JMP 003A38E5
.text C:\Windows\system32\dllhost.exe[704] secur32.dll!AcquireCredentialsHandleA 75F78A43 5 Bytes JMP 003A38C0
.text C:\Windows\system32\cmd.exe[4204] ntdll.dll!NtCreateEvent 77A841A0 5 Bytes JMP 00294455
.text C:\Windows\system32\cmd.exe[4204] ntdll.dll!NtCreateFile 77A841C0 5 Bytes JMP 00294557
.text C:\Windows\system32\cmd.exe[4204] ntdll.dll!NtCreateIoCompletion 77A841D0 5 Bytes JMP 002945CF
.text C:\Windows\system32\cmd.exe[4204] ntdll.dll!NtCreateKey 77A84200 5 Bytes JMP 002945D9
.text C:\Windows\system32\cmd.exe[4204] ntdll.dll!NtCreateMutant 77A84230 5 Bytes JMP 002944A3
.text C:\Windows\system32\cmd.exe[4204] ntdll.dll!NtCreateNamedPipeFile 77A84240 5 Bytes JMP 00294595
.text C:\Windows\system32\cmd.exe[4204] ntdll.dll!NtCreateSection 77A842B0 5 Bytes JMP 00294516
.text C:\Windows\system32\cmd.exe[4204] ntdll.dll!NtCreateSemaphore 77A842C0 5 Bytes JMP 002944C8
.text C:\Windows\system32\cmd.exe[4204] ntdll.dll!NtCreateThread 77A842E0 5 Bytes JMP 0029462F
.text C:\Windows\system32\cmd.exe[4204] ntdll.dll!NtCreateTimer 77A842F0 5 Bytes JMP 002944F1
.text C:\Windows\system32\cmd.exe[4204] ntdll.dll!NtDeleteFile 77A845A0 2 Bytes JMP 002945B1
.text C:\Windows\system32\cmd.exe[4204] ntdll.dll!NtDeleteFile + 3 77A845A3 2 Bytes [81, 88]
.text C:\Windows\system32\cmd.exe[4204] ntdll.dll!NtOpenDirectoryObject 77A84970 5 Bytes JMP 0029443A
.text C:\Windows\system32\cmd.exe[4204] ntdll.dll!NtOpenEvent 77A84980 5 Bytes JMP 00294463
.text C:\Windows\system32\cmd.exe[4204] ntdll.dll!NtOpenFile 77A849A0 5 Bytes JMP 002945A3
.text C:\Windows\system32\cmd.exe[4204] ntdll.dll!NtOpenIoCompletion 77A849B0 5 Bytes JMP 002945E7
.text C:\Windows\system32\cmd.exe[4204] ntdll.dll!NtOpenKey 77A849D0 5 Bytes JMP 002945E7
.text C:\Windows\system32\cmd.exe[4204] ntdll.dll!NtOpenMutant 77A849F0 5 Bytes JMP 002944AD
.text C:\Windows\system32\cmd.exe[4204] ntdll.dll!NtOpenSection 77A84A50 5 Bytes JMP 0029453C
.text C:\Windows\system32\cmd.exe[4204] ntdll.dll!NtOpenSemaphore 77A84A60 5 Bytes JMP 002944D6
.text C:\Windows\system32\cmd.exe[4204] ntdll.dll!NtOpenSymbolicLinkObject 77A84A80 5 Bytes JMP 0029441F
.text C:\Windows\system32\cmd.exe[4204] ntdll.dll!NtOpenTimer 77A84AC0 5 Bytes JMP 002944FB
.text C:\Windows\system32\cmd.exe[4204] ntdll.dll!NtQueryAttributesFile 77A84B40 5 Bytes JMP 002945BB
.text C:\Windows\system32\cmd.exe[4204] ntdll.dll!NtQueryFullAttributesFile 77A84BF0 5 Bytes JMP 002945C5
.text C:\Windows\system32\cmd.exe[4204] ntdll.dll!NtCreateKeyedEvent 77A85480 5 Bytes JMP 0029447E
.text C:\Windows\system32\cmd.exe[4204] ntdll.dll!NtOpenKeyedEvent 77A85490 5 Bytes JMP 00294488
.text C:\Windows\system32\cmd.exe[4204] kernel32.dll!CreateProcessW 76481BF3 5 Bytes JMP 0029468E
.text C:\Windows\system32\cmd.exe[4204] kernel32.dll!CreateProcessInternalW 764A5477 5 Bytes JMP 002946AE
.text C:\Windows\system32\cmd.exe[4204] kernel32.dll!CompareStringA 764C79B3 5 Bytes JMP 00105FA2
.text C:\Windows\system32\cmd.exe[4204] kernel32.dll!CreateThread 764CCBEE 5 Bytes JMP 00105FC0
.text C:\Windows\system32\cmd.exe[4204] USER32.dll!OpenDesktopW 776FB681 5 Bytes JMP 002946CE
.text C:\Windows\system32\cmd.exe[4204] USER32.dll!PostMessageA 776FF8F8 5 Bytes JMP 00105F74
.text C:\Windows\system32\cmd.exe[4204] USER32.dll!GetForegroundWindow 777032C4 5 Bytes JMP 00105F5E
.text C:\Windows\system32\cmd.exe[4204] USER32.dll!SetFocus 77703684 5 Bytes JMP 00105F68
.text C:\Windows\system32\cmd.exe[4204] USER32.dll!GetFocus 77710B40 5 Bytes JMP 00105F63
.text C:\Windows\system32\cmd.exe[4204] USER32.dll!GetCursorPos 77710B88 5 Bytes JMP 00105F8E
.text C:\Windows\system32\cmd.exe[4204] USER32.dll!DialogBoxParamW 777210B0 5 Bytes JMP 00105F9A
.text C:\Windows\system32\cmd.exe[4204] USER32.dll!DialogBoxIndirectParamW 77722EF5 5 Bytes JMP 00105F9A
.text C:\Windows\system32\cmd.exe[4204] USER32.dll!DialogBoxParamA 77738152 5 Bytes JMP 00105F9A
.text C:\Windows\system32\cmd.exe[4204] USER32.dll!DialogBoxIndirectParamA 7773847D 5 Bytes JMP 00105F9A
.text C:\Windows\system32\cmd.exe[4204] ole32.dll!CoCreateInstance 76389E4E 5 Bytes JMP 00105F55
.text C:\Windows\system32\cmd.exe[4204] WS2_32.dll!GetAddrInfoW 76583D12 5 Bytes JMP 001067A5
.text C:\Windows\system32\cmd.exe[4204] WS2_32.dll!GetAddrInfoExW 7659288D 5 Bytes JMP 001067BD
.text C:\Windows\system32\cmd.exe[4204] SHLWAPI.dll!GetAcceptLanguagesW 776114B3 5 Bytes JMP 0010677A
.text C:\Windows\system32\cmd.exe[4204] SHLWAPI.dll!GetAcceptLanguagesA 77643AFC 5 Bytes JMP 00106768
.text C:\Windows\system32\cmd.exe[4204] secur32.dll!FreeCredentialsHandle 75F73598 5 Bytes JMP 00294705
.text C:\Windows\system32\cmd.exe[4204] secur32.dll!AcquireCredentialsHandleA 75F78A43 5 Bytes JMP 002946E0
.text C:\Windows\system32\msiexec.exe[4396] ntdll.dll!NtCreateEvent 77A841A0 5 Bytes JMP 0044B995
.text C:\Windows\system32\msiexec.exe[4396] ntdll.dll!NtCreateFile 77A841C0 5 Bytes JMP 0044BA97
.text C:\Windows\system32\msiexec.exe[4396] ntdll.dll!NtCreateIoCompletion 77A841D0 5 Bytes JMP 0044BB0F
.text C:\Windows\system32\msiexec.exe[4396] ntdll.dll!NtCreateKey 77A84200 5 Bytes JMP 0044BB19
.text C:\Windows\system32\msiexec.exe[4396] ntdll.dll!NtCreateMutant 77A84230 5 Bytes JMP 0044B9E3
.text C:\Windows\system32\msiexec.exe[4396] ntdll.dll!NtCreateNamedPipeFile 77A84240 5 Bytes JMP 0044BAD5
.text C:\Windows\system32\msiexec.exe[4396] ntdll.dll!NtCreateSection 77A842B0 5 Bytes JMP 0044BA56
.text C:\Windows\system32\msiexec.exe[4396] ntdll.dll!NtCreateSemaphore 77A842C0 5 Bytes JMP 0044BA08
.text C:\Windows\system32\msiexec.exe[4396] ntdll.dll!NtCreateThread 77A842E0 5 Bytes JMP 0044BB6F
.text C:\Windows\system32\msiexec.exe[4396] ntdll.dll!NtCreateTimer 77A842F0 5 Bytes JMP 0044BA31
.text C:\Windows\system32\msiexec.exe[4396] ntdll.dll!NtDeleteFile 77A845A0 5 Bytes JMP 0044BAF1
.text C:\Windows\system32\msiexec.exe[4396] ntdll.dll!NtOpenDirectoryObject 77A84970 5 Bytes JMP 0044B97A
.text C:\Windows\system32\msiexec.exe[4396] ntdll.dll!NtOpenEvent 77A84980 5 Bytes JMP 0044B9A3
.text C:\Windows\system32\msiexec.exe[4396] ntdll.dll!NtOpenFile 77A849A0 5 Bytes JMP 0044BAE3
.text C:\Windows\system32\msiexec.exe[4396] ntdll.dll!NtOpenIoCompletion 77A849B0 5 Bytes JMP 0044BB27
.text C:\Windows\system32\msiexec.exe[4396] ntdll.dll!NtOpenKey 77A849D0 5 Bytes JMP 0044BB27
.text C:\Windows\system32\msiexec.exe[4396] ntdll.dll!NtOpenMutant 77A849F0 5 Bytes JMP 0044B9ED
.text C:\Windows\system32\msiexec.exe[4396] ntdll.dll!NtOpenSection 77A84A50 5 Bytes JMP 0044BA7C
.text C:\Windows\system32\msiexec.exe[4396] ntdll.dll!NtOpenSemaphore 77A84A60 5 Bytes JMP 0044BA16
.text C:\Windows\system32\msiexec.exe[4396] ntdll.dll!NtOpenSymbolicLinkObject 77A84A80 5 Bytes JMP 0044B95F
.text C:\Windows\system32\msiexec.exe[4396] ntdll.dll!NtOpenTimer 77A84AC0 5 Bytes JMP 0044BA3B
.text C:\Windows\system32\msiexec.exe[4396] ntdll.dll!NtQueryAttributesFile 77A84B40 5 Bytes JMP 0044BAFB
.text C:\Windows\system32\msiexec.exe[4396] ntdll.dll!NtQueryFullAttributesFile 77A84BF0 5 Bytes JMP 0044BB05
.text C:\Windows\system32\msiexec.exe[4396] ntdll.dll!NtCreateKeyedEvent 77A85480 5 Bytes JMP 0044B9BE
.text C:\Windows\system32\msiexec.exe[4396] ntdll.dll!NtOpenKeyedEvent 77A85490 5 Bytes JMP 0044B9C8
.text C:\Windows\system32\msiexec.exe[4396] kernel32.dll!CreateProcessW 76481BF3 5 Bytes JMP 0044BBCE
.text C:\Windows\system32\msiexec.exe[4396] kernel32.dll!CreateProcessInternalW 764A5477 5 Bytes JMP 0044BBEE
.text C:\Windows\system32\msiexec.exe[4396] kernel32.dll!CompareStringA 764C79B3 5 Bytes JMP 000C5422
.text C:\Windows\system32\msiexec.exe[4396] kernel32.dll!CreateThread 764CCBEE 5 Bytes JMP 000C5440
.text C:\Windows\system32\msiexec.exe[4396] USER32.dll!OpenDesktopW 776FB681 5 Bytes JMP 0044BC0E
.text C:\Windows\system32\msiexec.exe[4396] USER32.dll!PostMessageA 776FF8F8 5 Bytes JMP 000C53F4
.text C:\Windows\system32\msiexec.exe[4396] USER32.dll!GetForegroundWindow 777032C4 5 Bytes JMP 000C53DE
.text C:\Windows\system32\msiexec.exe[4396] USER32.dll!SetFocus 77703684 5 Bytes JMP 000C53E8
.text C:\Windows\system32\msiexec.exe[4396] USER32.dll!GetFocus 77710B40 5 Bytes JMP 000C53E3
.text C:\Windows\system32\msiexec.exe[4396] USER32.dll!GetCursorPos 77710B88 5 Bytes JMP 000C540E
.text C:\Windows\system32\msiexec.exe[4396] USER32.dll!DialogBoxParamW 777210B0 5 Bytes JMP 000C541A
.text C:\Windows\system32\msiexec.exe[4396] USER32.dll!DialogBoxIndirectParamW 77722EF5 5 Bytes JMP 000C541A
.text C:\Windows\system32\msiexec.exe[4396] USER32.dll!DialogBoxParamA 77738152 5 Bytes JMP 000C541A
.text C:\Windows\system32\msiexec.exe[4396] USER32.dll!DialogBoxIndirectParamA 7773847D 5 Bytes JMP 000C541A
.text C:\Windows\system32\msiexec.exe[4396] ole32.dll!CoCreateInstance 76389E4E 5 Bytes JMP 000C53D5
.text C:\Windows\system32\msiexec.exe[4396] SHLWAPI.dll!GetAcceptLanguagesW 776114B3 5 Bytes JMP 000C5BFA
.text C:\Windows\system32\msiexec.exe[4396] SHLWAPI.dll!GetAcceptLanguagesA 77643AFC 5 Bytes JMP 000C5BE8
.text C:\Windows\system32\msiexec.exe[4396] Secur32.dll!FreeCredentialsHandle 75F73598 5 Bytes JMP 0044BC45
.text C:\Windows\system32\msiexec.exe[4396] Secur32.dll!AcquireCredentialsHandleA 75F78A43 5 Bytes JMP 0044BC20
.text C:\Windows\system32\msiexec.exe[4396] WS2_32.dll!GetAddrInfoW 76583D12 5 Bytes JMP 000C5C25
.text C:\Windows\system32\msiexec.exe[4396] WS2_32.dll!GetAddrInfoExW 7659288D 5 Bytes JMP 000C5C3D
.text C:\Windows\system32\cmd.exe[4584] ntdll.dll!NtCreateEvent 77A841A0 5 Bytes JMP 00721C15
.text C:\Windows\system32\cmd.exe[4584] ntdll.dll!NtCreateFile 77A841C0 5 Bytes JMP 00721D17
.text C:\Windows\system32\cmd.exe[4584] ntdll.dll!NtCreateIoCompletion 77A841D0 5 Bytes JMP 00721D8F
.text C:\Windows\system32\cmd.exe[4584] ntdll.dll!NtCreateKey 77A84200 5 Bytes JMP 00721D99
.text C:\Windows\system32\cmd.exe[4584] ntdll.dll!NtCreateMutant 77A84230 5 Bytes JMP 00721C63
.text C:\Windows\system32\cmd.exe[4584] ntdll.dll!NtCreateNamedPipeFile 77A84240 5 Bytes JMP 00721D55
.text C:\Windows\system32\cmd.exe[4584] ntdll.dll!NtCreateSection 77A842B0 5 Bytes JMP 00721CD6
.text C:\Windows\system32\cmd.exe[4584] ntdll.dll!NtCreateSemaphore 77A842C0 5 Bytes JMP 00721C88
.text C:\Windows\system32\cmd.exe[4584] ntdll.dll!NtCreateThread 77A842E0 5 Bytes JMP 00721DEF
.text C:\Windows\system32\cmd.exe[4584] ntdll.dll!NtCreateTimer 77A842F0 5 Bytes JMP 00721CB1
.text C:\Windows\system32\cmd.exe[4584] ntdll.dll!NtDeleteFile 77A845A0 5 Bytes JMP 00721D71
.text C:\Windows\system32\cmd.exe[4584] ntdll.dll!NtOpenDirectoryObject 77A84970 5 Bytes JMP 00721BFA
.text C:\Windows\system32\cmd.exe[4584] ntdll.dll!NtOpenEvent 77A84980 5 Bytes JMP 00721C23
.text C:\Windows\system32\cmd.exe[4584] ntdll.dll!NtOpenFile 77A849A0 5 Bytes JMP 00721D63
.text C:\Windows\system32\cmd.exe[4584] ntdll.dll!NtOpenIoCompletion 77A849B0 5 Bytes JMP 00721DA7
.text C:\Windows\system32\cmd.exe[4584] ntdll.dll!NtOpenKey 77A849D0 5 Bytes JMP 00721DA7
.text C:\Windows\system32\cmd.exe[4584] ntdll.dll!NtOpenMutant 77A849F0 5 Bytes JMP 00721C6D
.text C:\Windows\system32\cmd.exe[4584] ntdll.dll!NtOpenSection 77A84A50 5 Bytes JMP 00721CFC
.text C:\Windows\system32\cmd.exe[4584] ntdll.dll!NtOpenSemaphore 77A84A60 5 Bytes JMP 00721C96
.text C:\Windows\system32\cmd.exe[4584] ntdll.dll!NtOpenSymbolicLinkObject 77A84A80 5 Bytes JMP 00721BDF
.text C:\Windows\system32\cmd.exe[4584] ntdll.dll!NtOpenTimer 77A84AC0 5 Bytes JMP 00721CBB
.text C:\Windows\system32\cmd.exe[4584] ntdll.dll!NtQueryAttributesFile 77A84B40 5 Bytes JMP 00721D7B
.text C:\Windows\system32\cmd.exe[4584] ntdll.dll!NtQueryFullAttributesFile 77A84BF0 5 Bytes JMP 00721D85
.text C:\Windows\system32\cmd.exe[4584] ntdll.dll!NtCreateKeyedEvent 77A85480 5 Bytes JMP 00721C3E
.text C:\Windows\system32\cmd.exe[4584] ntdll.dll!NtOpenKeyedEvent 77A85490 5 Bytes JMP 00721C48
.text C:\Windows\system32\cmd.exe[4584] kernel32.dll!CreateProcessW 76481BF3 5 Bytes JMP 00721E4E
.text C:\Windows\system32\cmd.exe[4584] kernel32.dll!CreateProcessInternalW 764A5477 5 Bytes JMP 00721E6E
.text C:\Windows\system32\cmd.exe[4584] kernel32.dll!CompareStringA 764C79B3 5 Bytes JMP 000F5BE2
.text C:\Windows\system32\cmd.exe[4584] kernel32.dll!CreateThread 764CCBEE 5 Bytes JMP 000F5C00
.text C:\Windows\system32\cmd.exe[4584] USER32.dll!OpenDesktopW 776FB681 5 Bytes JMP 00721E8E
.text C:\Windows\system32\cmd.exe[4584] USER32.dll!PostMessageA 776FF8F8 5 Bytes JMP 000F5BB4
.text C:\Windows\system32\cmd.exe[4584] USER32.dll!GetForegroundWindow 777032C4 5 Bytes JMP 000F5B9E
.text C:\Windows\system32\cmd.exe[4584] USER32.dll!SetFocus 77703684 5 Bytes JMP 000F5BA8
.text C:\Windows\system32\cmd.exe[4584] USER32.dll!GetFocus 77710B40 5 Bytes JMP 000F5BA3
.text C:\Windows\system32\cmd.exe[4584] USER32.dll!GetCursorPos 77710B88 5 Bytes JMP 000F5BCE
.text C:\Windows\system32\cmd.exe[4584] USER32.dll!DialogBoxParamW 777210B0 5 Bytes JMP 000F5BDA
.text C:\Windows\system32\cmd.exe[4584] USER32.dll!DialogBoxIndirectParamW 77722EF5 5 Bytes JMP 000F5BDA
.text C:\Windows\system32\cmd.exe[4584] USER32.dll!DialogBoxParamA 77738152 5 Bytes JMP 000F5BDA
.text C:\Windows\system32\cmd.exe[4584] USER32.dll!DialogBoxIndirectParamA 7773847D 5 Bytes JMP 000F5BDA
.text C:\Windows\system32\cmd.exe[4584] ole32.dll!CoCreateInstance 76389E4E 5 Bytes JMP 000F5B95
.text C:\Windows\system32\cmd.exe[4584] WS2_32.dll!GetAddrInfoW 76583D12 5 Bytes JMP 000F63E5
.text C:\Windows\system32\cmd.exe[4584] WS2_32.dll!GetAddrInfoExW 7659288D 5 Bytes JMP 000F63FD
.text C:\Windows\system32\cmd.exe[4584] SHLWAPI.dll!GetAcceptLanguagesW 776114B3 5 Bytes JMP 000F63BA
.text C:\Windows\system32\cmd.exe[4584] SHLWAPI.dll!GetAcceptLanguagesA 77643AFC 5 Bytes JMP 000F63A8
.text C:\Windows\system32\cmd.exe[4584] secur32.dll!FreeCredentialsHandle 75F73598 5 Bytes JMP 00721EC5
.text C:\Windows\system32\cmd.exe[4584] secur32.dll!AcquireCredentialsHandleA 75F78A43 5 Bytes JMP 00721EA0
.text C:\Windows\explorer.exe[4816] ntdll.dll!NtCreateEvent 77A841A0 5 Bytes JMP 008B21B5
.text C:\Windows\explorer.exe[4816] ntdll.dll!NtCreateFile 77A841C0 5 Bytes JMP 008B22B7
.text C:\Windows\explorer.exe[4816] ntdll.dll!NtCreateIoCompletion 77A841D0 5 Bytes JMP 008B232F
.text C:\Windows\explorer.exe[4816] ntdll.dll!NtCreateKey 77A84200 5 Bytes JMP 008B2339
.text C:\Windows\explorer.exe[4816] ntdll.dll!NtCreateMutant 77A84230 5 Bytes JMP 008B2203
.text C:\Windows\explorer.exe[4816] ntdll.dll!NtCreateNamedPipeFile 77A84240 5 Bytes JMP 008B22F5
.text C:\Windows\explorer.exe[4816] ntdll.dll!NtCreateSection 77A842B0 5 Bytes JMP 008B2276
.text C:\Windows\explorer.exe[4816] ntdll.dll!NtCreateSemaphore 77A842C0 5 Bytes JMP 008B2228
.text C:\Windows\explorer.exe[4816] ntdll.dll!NtCreateThread 77A842E0 5 Bytes JMP 008B238F
.text C:\Windows\explorer.exe[4816] ntdll.dll!NtCreateTimer 77A842F0 5 Bytes JMP 008B2251
.text C:\Windows\explorer.exe[4816] ntdll.dll!NtDeleteFile 77A845A0 5 Bytes JMP 008B2311
.text C:\Windows\explorer.exe[4816] ntdll.dll!NtOpenDirectoryObject 77A84970 5 Bytes JMP 008B219A
.text C:\Windows\explorer.exe[4816] ntdll.dll!NtOpenEvent 77A84980 5 Bytes JMP 008B21C3
.text C:\Windows\explorer.exe[4816] ntdll.dll!NtOpenFile 77A849A0 5 Bytes JMP 008B2303
.text C:\Windows\explorer.exe[4816] ntdll.dll!NtOpenIoCompletion 77A849B0 5 Bytes JMP 008B2347
.text C:\Windows\explorer.exe[4816] ntdll.dll!NtOpenKey 77A849D0 5 Bytes JMP 008B2347
.text C:\Windows\explorer.exe[4816] ntdll.dll!NtOpenMutant 77A849F0 5 Bytes JMP 008B220D
.text C:\Windows\explorer.exe[4816] ntdll.dll!NtOpenSection 77A84A50 5 Bytes JMP 008B229C
.text C:\Windows\explorer.exe[4816] ntdll.dll!NtOpenSemaphore 77A84A60 5 Bytes JMP 008B2236
.text C:\Windows\explorer.exe[4816] ntdll.dll!NtOpenSymbolicLinkObject 77A84A80 5 Bytes JMP 008B217F
.text C:\Windows\explorer.exe[4816] ntdll.dll!NtOpenTimer 77A84AC0 5 Bytes JMP 008B225B
.text C:\Windows\explorer.exe[4816] ntdll.dll!NtQueryAttributesFile 77A84B40 5 Bytes JMP 008B231B
.text C:\Windows\explorer.exe[4816] ntdll.dll!NtQueryFullAttributesFile 77A84BF0 5 Bytes JMP 008B2325
.text C:\Windows\explorer.exe[4816] ntdll.dll!NtCreateKeyedEvent 77A85480 5 Bytes JMP 008B21DE
.text C:\Windows\explorer.exe[4816] ntdll.dll!NtOpenKeyedEvent 77A85490 5 Bytes JMP 008B21E8
.text C:\Windows\explorer.exe[4816] kernel32.dll!CreateProcessW 76481BF3 5 Bytes JMP 008B23EE
.text C:\Windows\explorer.exe[4816] kernel32.dll!CreateProcessInternalW 764A5477 5 Bytes JMP 008B240E
.text C:\Windows\explorer.exe[4816] kernel32.dll!CompareStringA 764C79B3 5 Bytes JMP 000B4FA2
.text C:\Windows\explorer.exe[4816] kernel32.dll!CreateThread 764CCBEE 5 Bytes JMP 000B4FC0
.text C:\Windows\explorer.exe[4816] USER32.dll!OpenDesktopW 776FB681 5 Bytes JMP 008B242E
.text C:\Windows\explorer.exe[4816] USER32.dll!PostMessageA 776FF8F8 5 Bytes JMP 000B4F74
.text C:\Windows\explorer.exe[4816] USER32.dll!GetForegroundWindow 777032C4 5 Bytes JMP 000B4F5E
.text C:\Windows\explorer.exe[4816] USER32.dll!SetFocus 77703684 5 Bytes JMP 000B4F68
.text C:\Windows\explorer.exe[4816] USER32.dll!GetFocus 77710B40 5 Bytes JMP 000B4F63
.text C:\Windows\explorer.exe[4816] USER32.dll!GetCursorPos 77710B88 5 Bytes JMP 000B4F8E
.text C:\Windows\explorer.exe[4816] USER32.dll!DialogBoxParamW 777210B0 5 Bytes JMP 000B4F9A
.text C:\Windows\explorer.exe[4816] USER32.dll!DialogBoxIndirectParamW 77722EF5 5 Bytes JMP 000B4F9A
.text C:\Windows\explorer.exe[4816] USER32.dll!DialogBoxParamA 77738152 5 Bytes JMP 000B4F9A
.text C:\Windows\explorer.exe[4816] USER32.dll!DialogBoxIndirectParamA 7773847D 5 Bytes JMP 000B4F9A
.text C:\Windows\explorer.exe[4816] SHLWAPI.dll!GetAcceptLanguagesW 776114B3 5 Bytes JMP 000B577A
.text C:\Windows\explorer.exe[4816] SHLWAPI.dll!GetAcceptLanguagesA 77643AFC 5 Bytes JMP 000B5768
.text C:\Windows\explorer.exe[4816] ole32.dll!CoCreateInstance 76389E4E 5 Bytes JMP 000B4F55
.text C:\Windows\explorer.exe[4816] WS2_32.dll!GetAddrInfoW 76583D12 5 Bytes JMP 000B57A5
.text C:\Windows\explorer.exe[4816] WS2_32.dll!GetAddrInfoExW 7659288D 5 Bytes JMP 000B57BD
.text C:\Windows\explorer.exe[4816] secur32.dll!FreeCredentialsHandle 75F73598 5 Bytes JMP 008B2465
.text C:\Windows\explorer.exe[4816] secur32.dll!AcquireCredentialsHandleA 75F78A43 5 Bytes JMP 008B2440
.text C:\Windows\system32\msiexec.exe[5492] ntdll.dll!NtCreateEvent 77A841A0 5 Bytes JMP 00556BF5
.text C:\Windows\system32\msiexec.exe[5492] ntdll.dll!NtCreateFile 77A841C0 5 Bytes JMP 00556CF7
.text C:\Windows\system32\msiexec.exe[5492] ntdll.dll!NtCreateIoCompletion 77A841D0 5 Bytes JMP 00556D6F
.text C:\Windows\system32\msiexec.exe[5492] ntdll.dll!NtCreateKey 77A84200 5 Bytes JMP 00556D79
.text C:\Windows\system32\msiexec.exe[5492] ntdll.dll!NtCreateMutant 77A84230 5 Bytes JMP 00556C43
.text C:\Windows\system32\msiexec.exe[5492] ntdll.dll!NtCreateNamedPipeFile 77A84240 5 Bytes JMP 00556D35
.text C:\Windows\system32\msiexec.exe[5492] ntdll.dll!NtCreateSection 77A842B0 5 Bytes JMP 00556CB6
.text C:\Windows\system32\msiexec.exe[5492] ntdll.dll!NtCreateSemaphore 77A842C0 5 Bytes JMP 00556C68
.text C:\Windows\system32\msiexec.exe[5492] ntdll.dll!NtCreateThread 77A842E0 5 Bytes JMP 00556DCF
.text C:\Windows\system32\msiexec.exe[5492] ntdll.dll!NtCreateTimer 77A842F0 5 Bytes JMP 00556C91
.text C:\Windows\system32\msiexec.exe[5492] ntdll.dll!NtDeleteFile 77A845A0 5 Bytes JMP 00556D51
.text C:\Windows\system32\msiexec.exe[5492] ntdll.dll!NtOpenDirectoryObject 77A84970 5 Bytes JMP 00556BDA
.text C:\Windows\system32\msiexec.exe[5492] ntdll.dll!NtOpenEvent 77A84980 5 Bytes JMP 00556C03
.text C:\Windows\system32\msiexec.exe[5492] ntdll.dll!NtOpenFile 77A849A0 5 Bytes JMP 00556D43
.text C:\Windows\system32\msiexec.exe[5492] ntdll.dll!NtOpenIoCompletion 77A849B0 5 Bytes JMP 00556D87
.text C:\Windows\system32\msiexec.exe[5492] ntdll.dll!NtOpenKey 77A849D0 5 Bytes JMP 00556D87
.text C:\Windows\system32\msiexec.exe[5492] ntdll.dll!NtOpenMutant 77A849F0 5 Bytes JMP 00556C4D
.text C:\Windows\system32\msiexec.exe[5492] ntdll.dll!NtOpenSection 77A84A50 5 Bytes JMP 00556CDC
.text C:\Windows\system32\msiexec.exe[5492] ntdll.dll!NtOpenSemaphore 77A84A60 5 Bytes JMP 00556C76
.text C:\Windows\system32\msiexec.exe[5492] ntdll.dll!NtOpenSymbolicLinkObject 77A84A80 5 Bytes JMP 00556BBF
.text C:\Windows\system32\msiexec.exe[5492] ntdll.dll!NtOpenTimer 77A84AC0 5 Bytes JMP 00556C9B
.text C:\Windows\system32\msiexec.exe[5492] ntdll.dll!NtQueryAttributesFile 77A84B40 5 Bytes JMP 00556D5B
.text C:\Windows\system32\msiexec.exe[5492] ntdll.dll!NtQueryFullAttributesFile 77A84BF0 5 Bytes JMP 00556D65
.text C:\Windows\system32\msiexec.exe[5492] ntdll.dll!NtCreateKeyedEvent 77A85480 5 Bytes JMP 00556C1E
.text C:\Windows\system32\msiexec.exe[5492] ntdll.dll!NtOpenKeyedEvent 77A85490 5 Bytes JMP 00556C28
.text C:\Windows\system32\msiexec.exe[5492] kernel32.dll!CreateProcessW 76481BF3 5 Bytes JMP 00556E2E
.text C:\Windows\system32\msiexec.exe[5492] kernel32.dll!CreateProcessInternalW 764A5477 5 Bytes JMP 00556E4E
.text C:\Windows\system32\msiexec.exe[5492] kernel32.dll!CompareStringA 764C79B3 5 Bytes JMP 000C66E2
.text C:\Windows\system32\msiexec.exe[5492] kernel32.dll!CreateThread 764CCBEE 5 Bytes JMP 000C6700
.text C:\Windows\system32\msiexec.exe[5492] USER32.dll!OpenDesktopW 776FB681 5 Bytes JMP 00556E6E
.text C:\Windows\system32\msiexec.exe[5492] USER32.dll!PostMessageA 776FF8F8 5 Bytes JMP 000C66B4
.text C:\Windows\system32\msiexec.exe[5492] USER32.dll!GetForegroundWindow 777032C4 5 Bytes JMP 000C669E
.text C:\Windows\system32\msiexec.exe[5492] USER32.dll!SetFocus 77703684 5 Bytes JMP 000C66A8
.text C:\Windows\system32\msiexec.exe[5492] USER32.dll!GetFocus 77710B40 5 Bytes JMP 000C66A3
.text C:\Windows\system32\msiexec.exe[5492] USER32.dll!GetCursorPos 77710B88 5 Bytes JMP 000C66CE
.text C:\Windows\system32\msiexec.exe[5492] USER32.dll!DialogBoxParamW 777210B0 5 Bytes JMP 000C66DA
.text C:\Windows\system32\msiexec.exe[5492] USER32.dll!DialogBoxIndirectParamW 77722EF5 5 Bytes JMP 000C66DA
.text C:\Windows\system32\msiexec.exe[5492] USER32.dll!DialogBoxParamA 77738152 5 Bytes JMP 000C66DA
.text C:\Windows\system32\msiexec.exe[5492] USER32.dll!DialogBoxIndirectParamA 7773847D 5 Bytes JMP 000C66DA
.text C:\Windows\system32\msiexec.exe[5492] ole32.dll!CoCreateInstance 76389E4E 5 Bytes JMP 000C6695
.text C:\Windows\system32\msiexec.exe[5492] SHLWAPI.dll!GetAcceptLanguagesW 776114B3 5 Bytes JMP 000C6EBA
.text C:\Windows\system32\msiexec.exe[5492] SHLWAPI.dll!GetAcceptLanguagesA 77643AFC 5 Bytes JMP 000C6EA8
.text C:\Windows\system32\msiexec.exe[5492] Secur32.dll!FreeCredentialsHandle 75F73598 5 Bytes JMP 00556EA5
.text C:\Windows\system32\msiexec.exe[5492] Secur32.dll!AcquireCredentialsHandleA 75F78A43 5 Bytes JMP 00556E80
.text C:\Windows\system32\msiexec.exe[5492] WS2_32.dll!GetAddrInfoW 76583D12 5 Bytes JMP 000C6EE5
.text C:\Windows\system32\msiexec.exe[5492] WS2_32.dll!GetAddrInfoExW 7659288D 5 Bytes JMP 000C6EFD
.text C:\Windows\notepad.exe[5600] ntdll.dll!NtCreateEvent 77A841A0 5 Bytes JMP 001CC475
.text C:\Windows\notepad.exe[5600] ntdll.dll!NtCreateFile 77A841C0 5 Bytes JMP 001CC577
.text C:\Windows\notepad.exe[5600] ntdll.dll!NtCreateIoCompletion 77A841D0 5 Bytes JMP 001CC5EF
.text C:\Windows\notepad.exe[5600] ntdll.dll!NtCreateKey 77A84200 5 Bytes JMP 001CC5F9
.text C:\Windows\notepad.exe[5600] ntdll.dll!NtCreateMutant 77A84230 5 Bytes JMP 001CC4C3
.text C:\Windows\notepad.exe[5600] ntdll.dll!NtCreateNamedPipeFile 77A84240 5 Bytes JMP 001CC5B5
.text C:\Windows\notepad.exe[5600] ntdll.dll!NtCreateSection 77A842B0 5 Bytes JMP 001CC536
.text C:\Windows\notepad.exe[5600] ntdll.dll!NtCreateSemaphore 77A842C0 5 Bytes JMP 001CC4E8
.text C:\Windows\notepad.exe[5600] ntdll.dll!NtCreateThread 77A842E0 5 Bytes JMP 001CC64F
.text C:\Windows\notepad.exe[5600] ntdll.dll!NtCreateTimer 77A842F0 5 Bytes JMP 001CC511
.text C:\Windows\notepad.exe[5600] ntdll.dll!NtDeleteFile 77A845A0 5 Bytes JMP 001CC5D1
.text C:\Windows\notepad.exe[5600] ntdll.dll!NtOpenDirectoryObject 77A84970 5 Bytes JMP 001CC45A
.text C:\Windows\notepad.exe[5600] ntdll.dll!NtOpenEvent 77A84980 5 Bytes JMP 001CC483
.text C:\Windows\notepad.exe[5600] ntdll.dll!NtOpenFile 77A849A0 5 Bytes JMP 001CC5C3
.text C:\Windows\notepad.exe[5600] ntdll.dll!NtOpenIoCompletion 77A849B0 5 Bytes JMP 001CC607
.text C:\Windows\notepad.exe[5600] ntdll.dll!NtOpenKey 77A849D0 5 Bytes JMP 001CC607
.text C:\Windows\notepad.exe[5600] ntdll.dll!NtOpenMutant 77A849F0 5 Bytes JMP 001CC4CD
.text C:\Windows\notepad.exe[5600] ntdll.dll!NtOpenSection 77A84A50 5 Bytes JMP 001CC55C
.text C:\Windows\notepad.exe[5600] ntdll.dll!NtOpenSemaphore 77A84A60 5 Bytes JMP 001CC4F6
.text C:\Windows\notepad.exe[5600] ntdll.dll!NtOpenSymbolicLinkObject 77A84A80 5 Bytes JMP 001CC43F
.text C:\Windows\notepad.exe[5600] ntdll.dll!NtOpenTimer 77A84AC0 5 Bytes JMP 001CC51B
.text C:\Windows\notepad.exe[5600] ntdll.dll!NtQueryAttributesFile 77A84B40 5 Bytes JMP 001CC5DB
.text C:\Windows\notepad.exe[5600] ntdll.dll!NtQueryFullAttributesFile 77A84BF0 5 Bytes JMP 001CC5E5
.text C:\Windows\notepad.exe[5600] ntdll.dll!NtCreateKeyedEvent 77A85480 5 Bytes JMP 001CC49E
.text C:\Windows\notepad.exe[5600] ntdll.dll!NtOpenKeyedEvent 77A85490 5 Bytes JMP 001CC4A8
.text C:\Windows\notepad.exe[5600] kernel32.dll!CreateProcessW 76481BF3 5 Bytes JMP 001CC6AE
.text C:\Windows\notepad.exe[5600] kernel32.dll!CreateProcessInternalW 764A5477 5 Bytes JMP 001CC6CE
.text C:\Windows\notepad.exe[5600] kernel32.dll!CompareStringA 764C79B3 5 Bytes JMP 000B6EA2
.text C:\Windows\notepad.exe[5600] kernel32.dll!CreateThread 764CCBEE 5 Bytes JMP 000B6EC0
.text C:\Windows\notepad.exe[5600] USER32.dll!OpenDesktopW 776FB681 5 Bytes JMP 001CC6EE
.text C:\Windows\notepad.exe[5600] USER32.dll!PostMessageA 776FF8F8 5 Bytes JMP 000B6E74
.text C:\Windows\notepad.exe[5600] USER32.dll!GetForegroundWindow 777032C4 5 Bytes JMP 000B6E5E
.text C:\Windows\notepad.exe[5600] USER32.dll!SetFocus 77703684 5 Bytes JMP 000B6E68
.text C:\Windows\notepad.exe[5600] USER32.dll!GetFocus 77710B40 5 Bytes JMP 000B6E63
.text C:\Windows\notepad.exe[5600] USER32.dll!GetCursorPos 77710B88 5 Bytes JMP 000B6E8E
.text C:\Windows\notepad.exe[5600] USER32.dll!DialogBoxParamW 777210B0 5 Bytes JMP 000B6E9A
.text C:\Windows\notepad.exe[5600] USER32.dll!DialogBoxIndirectParamW 77722EF5 5 Bytes JMP 000B6E9A
.text C:\Windows\notepad.exe[5600] USER32.dll!DialogBoxParamA 77738152 5 Bytes JMP 000B6E9A
.text C:\Windows\notepad.exe[5600] USER32.dll!DialogBoxIndirectParamA 7773847D 5 Bytes JMP 000B6E9A
.text C:\Windows\notepad.exe[5600] SHLWAPI.dll!GetAcceptLanguagesW 776114B3 5 Bytes JMP 000B767A
.text C:\Windows\notepad.exe[5600] SHLWAPI.dll!GetAcceptLanguagesA 77643AFC 5 Bytes JMP 000B7668
.text C:\Windows\notepad.exe[5600] ole32.dll!CoCreateInstance 76389E4E 5 Bytes JMP 000B6E55
.text C:\Windows\notepad.exe[5600] WS2_32.dll!GetAddrInfoW 76583D12 5 Bytes JMP 000B76A5
.text C:\Windows\notepad.exe[5600] WS2_32.dll!GetAddrInfoExW 7659288D 5 Bytes JMP 000B76BD
.text C:\Windows\notepad.exe[5600] secur32.dll!FreeCredentialsHandle 75F73598 5 Bytes JMP 001CC725
.text C:\Windows\notepad.exe[5600] secur32.dll!AcquireCredentialsHandleA 75F78A43 5 Bytes JMP 001CC700
.text C:\Windows\system32\msiexec.exe[5756] ntdll.dll!NtCreateEvent 77A841A0 5 Bytes JMP 0037BF95
.text C:\Windows\system32\msiexec.exe[5756] ntdll.dll!NtCreateFile 77A841C0 5 Bytes JMP 0037C097
.text C:\Windows\system32\msiexec.exe[5756] ntdll.dll!NtCreateIoCompletion 77A841D0 5 Bytes JMP 0037C10F
.text C:\Windows\system32\msiexec.exe[5756] ntdll.dll!NtCreateKey 77A84200 5 Bytes JMP 0037C119
.text C:\Windows\system32\msiexec.exe[5756] ntdll.dll!NtCreateMutant 77A84230 5 Bytes JMP 0037BFE3
.text C:\Windows\system32\msiexec.exe[5756] ntdll.dll!NtCreateNamedPipeFile 77A84240 5 Bytes JMP 0037C0D5
.text C:\Windows\system32\msiexec.exe[5756] ntdll.dll!NtCreateSection 77A842B0 5 Bytes JMP 0037C056
.text C:\Windows\system32\msiexec.exe[5756] ntdll.dll!NtCreateSemaphore 77A842C0 5 Bytes JMP 0037C008
.text C:\Windows\system32\msiexec.exe[5756] ntdll.dll!NtCreateThread 77A842E0 5 Bytes JMP 0037C16F
.text C:\Windows\system32\msiexec.exe[5756] ntdll.dll!NtCreateTimer 77A842F0 5 Bytes JMP 0037C031
.text C:\Windows\system32\msiexec.exe[5756] ntdll.dll!NtDeleteFile 77A845A0 5 Bytes JMP 0037C0F1
.text C:\Windows\system32\msiexec.exe[5756] ntdll.dll!NtOpenDirectoryObject 77A84970 5 Bytes JMP 0037BF7A
.text C:\Windows\system32\msiexec.exe[5756] ntdll.dll!NtOpenEvent 77A84980 5 Bytes JMP 0037BFA3
.text C:\Windows\system32\msiexec.exe[5756] ntdll.dll!NtOpenFile 77A849A0 5 Bytes JMP 0037C0E3
.text C:\Windows\system32\msiexec.exe[5756] ntdll.dll!NtOpenIoCompletion 77A849B0 5 Bytes JMP 0037C127
.text
C:\Windows\system32\msiexec.exe[5756] ntdll.dll!NtOpenKey 77A849D0 5 Bytes JMP 0037C127 .text C:\Windows\system32\msiexec.exe[5756] ntdll.dll!NtOpenMutant 77A849F0 5 Bytes JMP 0037BFED .text C:\Windows\system32\msiexec.exe[5756] ntdll.dll!NtOpenSection 77A84A50 5 Bytes JMP 0037C07C .text C:\Windows\system32\msiexec.exe[5756] ntdll.dll!NtOpenSemaphore 77A84A60 5 Bytes JMP 0037C016 .text C:\Windows\system32\msiexec.exe[5756] ntdll.dll!NtOpenSymbolicLinkObject 77A84A80 5 Bytes JMP 0037BF5F .text C:\Windows\system32\msiexec.exe[5756] ntdll.dll!NtOpenTimer 77A84AC0 5 Bytes JMP 0037C03B .text C:\Windows\system32\msiexec.exe[5756] ntdll.dll!NtQueryAttributesFile 77A84B40 5 Bytes JMP 0037C0FB .text C:\Windows\system32\msiexec.exe[5756] ntdll.dll!NtQueryFullAttributesFile 77A84BF0 5 Bytes JMP 0037C105 .text C:\Windows\system32\msiexec.exe[5756] ntdll.dll!NtCreateKeyedEvent 77A85480 5 Bytes JMP 0037BFBE .text C:\Windows\system32\msiexec.exe[5756] ntdll.dll!NtOpenKeyedEvent 77A85490 5 Bytes JMP 0037BFC8 .text C:\Windows\system32\msiexec.exe[5756] kernel32.dll!CreateProcessW 76481BF3 5 Bytes JMP 0037C1CE .text C:\Windows\system32\msiexec.exe[5756] kernel32.dll!CreateProcessInternalW 764A5477 5 Bytes JMP 0037C1EE .text C:\Windows\system32\msiexec.exe[5756] kernel32.dll!CompareStringA 764C79B3 5 Bytes JMP 000C52A2 .text C:\Windows\system32\msiexec.exe[5756] kernel32.dll!CreateThread 764CCBEE 5 Bytes JMP 000C52C0 .text C:\Windows\system32\msiexec.exe[5756] USER32.dll!OpenDesktopW 776FB681 5 Bytes JMP 0037C20E .text C:\Windows\system32\msiexec.exe[5756] USER32.dll!PostMessageA 776FF8F8 5 Bytes JMP 000C5274 .text C:\Windows\system32\msiexec.exe[5756] USER32.dll!GetForegroundWindow 777032C4 5 Bytes JMP 000C525E .text C:\Windows\system32\msiexec.exe[5756] USER32.dll!SetFocus 77703684 5 Bytes JMP 000C5268 .text C:\Windows\system32\msiexec.exe[5756] USER32.dll!GetFocus 77710B40 5 Bytes JMP 000C5263 .text C:\Windows\system32\msiexec.exe[5756] USER32.dll!GetCursorPos 77710B88 5 Bytes JMP 
000C528E .text C:\Windows\system32\msiexec.exe[5756] USER32.dll!DialogBoxParamW 777210B0 5 Bytes JMP 000C529A .text C:\Windows\system32\msiexec.exe[5756] USER32.dll!DialogBoxIndirectParamW 77722EF5 5 Bytes JMP 000C529A .text C:\Windows\system32\msiexec.exe[5756] USER32.dll!DialogBoxParamA 77738152 5 Bytes JMP 000C529A .text C:\Windows\system32\msiexec.exe[5756] USER32.dll!DialogBoxIndirectParamA 7773847D 5 Bytes JMP 000C529A .text C:\Windows\system32\msiexec.exe[5756] ole32.dll!CoCreateInstance 76389E4E 5 Bytes JMP 000C5255 .text C:\Windows\system32\msiexec.exe[5756] SHLWAPI.dll!GetAcceptLanguagesW 776114B3 5 Bytes JMP 000C5A7A .text C:\Windows\system32\msiexec.exe[5756] SHLWAPI.dll!GetAcceptLanguagesA 77643AFC 5 Bytes JMP 000C5A68 .text C:\Windows\system32\msiexec.exe[5756] Secur32.dll!FreeCredentialsHandle 75F73598 5 Bytes JMP 0037C245 .text C:\Windows\system32\msiexec.exe[5756] Secur32.dll!AcquireCredentialsHandleA 75F78A43 5 Bytes JMP 0037C220 .text C:\Windows\system32\msiexec.exe[5756] WS2_32.dll!GetAddrInfoW 76583D12 5 Bytes JMP 000C5AA5 .text C:\Windows\system32\msiexec.exe[5756] WS2_32.dll!GetAddrInfoExW 7659288D 5 Bytes JMP 000C5ABD .text C:\Windows\system32\msiexec.exe[5768] ntdll.dll!NtCreateEvent 77A841A0 5 Bytes JMP 0055DE55 .text C:\Windows\system32\msiexec.exe[5768] ntdll.dll!NtCreateFile 77A841C0 5 Bytes JMP 0055DF57 .text C:\Windows\system32\msiexec.exe[5768] ntdll.dll!NtCreateIoCompletion 77A841D0 5 Bytes JMP 0055DFCF .text C:\Windows\system32\msiexec.exe[5768] ntdll.dll!NtCreateKey 77A84200 5 Bytes JMP 0055DFD9 .text C:\Windows\system32\msiexec.exe[5768] ntdll.dll!NtCreateMutant 77A84230 5 Bytes JMP 0055DEA3 .text C:\Windows\system32\msiexec.exe[5768] ntdll.dll!NtCreateNamedPipeFile 77A84240 5 Bytes JMP 0055DF95 .text C:\Windows\system32\msiexec.exe[5768] ntdll.dll!NtCreateSection 77A842B0 5 Bytes JMP 0055DF16 .text C:\Windows\system32\msiexec.exe[5768] ntdll.dll!NtCreateSemaphore 77A842C0 5 Bytes JMP 0055DEC8 .text 
C:\Windows\system32\msiexec.exe[5768] ntdll.dll!NtCreateThread 77A842E0 5 Bytes JMP 0055E02F .text C:\Windows\system32\msiexec.exe[5768] ntdll.dll!NtCreateTimer 77A842F0 5 Bytes JMP 0055DEF1 .text C:\Windows\system32\msiexec.exe[5768] ntdll.dll!NtDeleteFile 77A845A0 5 Bytes JMP 0055DFB1 .text C:\Windows\system32\msiexec.exe[5768] ntdll.dll!NtOpenDirectoryObject 77A84970 5 Bytes JMP 0055DE3A .text C:\Windows\system32\msiexec.exe[5768] ntdll.dll!NtOpenEvent 77A84980 5 Bytes JMP 0055DE63 .text C:\Windows\system32\msiexec.exe[5768] ntdll.dll!NtOpenFile 77A849A0 5 Bytes JMP 0055DFA3 .text C:\Windows\system32\msiexec.exe[5768] ntdll.dll!NtOpenIoCompletion 77A849B0 5 Bytes JMP 0055DFE7 .text C:\Windows\system32\msiexec.exe[5768] ntdll.dll!NtOpenKey 77A849D0 5 Bytes JMP 0055DFE7 .text C:\Windows\system32\msiexec.exe[5768] ntdll.dll!NtOpenMutant 77A849F0 5 Bytes JMP 0055DEAD .text C:\Windows\system32\msiexec.exe[5768] ntdll.dll!NtOpenSection 77A84A50 5 Bytes JMP 0055DF3C .text C:\Windows\system32\msiexec.exe[5768] ntdll.dll!NtOpenSemaphore 77A84A60 5 Bytes JMP 0055DED6 .text C:\Windows\system32\msiexec.exe[5768] ntdll.dll!NtOpenSymbolicLinkObject 77A84A80 5 Bytes JMP 0055DE1F .text C:\Windows\system32\msiexec.exe[5768] ntdll.dll!NtOpenTimer 77A84AC0 5 Bytes JMP 0055DEFB .text C:\Windows\system32\msiexec.exe[5768] ntdll.dll!NtQueryAttributesFile 77A84B40 5 Bytes JMP 0055DFBB .text C:\Windows\system32\msiexec.exe[5768] ntdll.dll!NtQueryFullAttributesFile 77A84BF0 5 Bytes JMP 0055DFC5 .text C:\Windows\system32\msiexec.exe[5768] ntdll.dll!NtCreateKeyedEvent 77A85480 5 Bytes JMP 0055DE7E .text C:\Windows\system32\msiexec.exe[5768] ntdll.dll!NtOpenKeyedEvent 77A85490 5 Bytes JMP 0055DE88 .text C:\Windows\system32\msiexec.exe[5768] kernel32.dll!CreateProcessW 76481BF3 5 Bytes JMP 0055E08E .text C:\Windows\system32\msiexec.exe[5768] kernel32.dll!CreateProcessInternalW 764A5477 5 Bytes JMP 0055E0AE .text C:\Windows\system32\msiexec.exe[5768] kernel32.dll!CompareStringA 764C79B3 5 
Bytes JMP 00116722 .text C:\Windows\system32\msiexec.exe[5768] kernel32.dll!CreateThread 764CCBEE 5 Bytes JMP 00116740 .text C:\Windows\system32\msiexec.exe[5768] USER32.dll!OpenDesktopW 776FB681 5 Bytes JMP 0055E0CE .text C:\Windows\system32\msiexec.exe[5768] USER32.dll!PostMessageA 776FF8F8 5 Bytes JMP 001166F4 .text C:\Windows\system32\msiexec.exe[5768] USER32.dll!GetForegroundWindow 777032C4 5 Bytes JMP 001166DE .text C:\Windows\system32\msiexec.exe[5768] USER32.dll!SetFocus 77703684 5 Bytes JMP 001166E8 .text C:\Windows\system32\msiexec.exe[5768] USER32.dll!GetFocus 77710B40 5 Bytes JMP 001166E3 .text C:\Windows\system32\msiexec.exe[5768] USER32.dll!GetCursorPos 77710B88 5 Bytes JMP 0011670E .text C:\Windows\system32\msiexec.exe[5768] USER32.dll!DialogBoxParamW 777210B0 5 Bytes JMP 0011671A .text C:\Windows\system32\msiexec.exe[5768] USER32.dll!DialogBoxIndirectParamW 77722EF5 5 Bytes JMP 0011671A .text C:\Windows\system32\msiexec.exe[5768] USER32.dll!DialogBoxParamA 77738152 5 Bytes JMP 0011671A .text C:\Windows\system32\msiexec.exe[5768] USER32.dll!DialogBoxIndirectParamA 7773847D 5 Bytes JMP 0011671A .text C:\Windows\system32\msiexec.exe[5768] ole32.dll!CoCreateInstance 76389E4E 5 Bytes JMP 001166D5 .text C:\Windows\system32\msiexec.exe[5768] SHLWAPI.dll!GetAcceptLanguagesW 776114B3 5 Bytes JMP 00116EFA .text C:\Windows\system32\msiexec.exe[5768] SHLWAPI.dll!GetAcceptLanguagesA 77643AFC 5 Bytes JMP 00116EE8 .text C:\Windows\system32\msiexec.exe[5768] Secur32.dll!FreeCredentialsHandle 75F73598 5 Bytes JMP 0055E105 .text C:\Windows\system32\msiexec.exe[5768] Secur32.dll!AcquireCredentialsHandleA 75F78A43 5 Bytes JMP 0055E0E0 .text C:\Windows\system32\msiexec.exe[5768] WS2_32.dll!GetAddrInfoW 76583D12 5 Bytes JMP 00116F25 .text C:\Windows\system32\msiexec.exe[5768] WS2_32.dll!GetAddrInfoExW 7659288D 5 Bytes JMP 00116F3D .text C:\Windows\system32\PresentationHost.exe[5856] ntdll.dll!NtCreateEvent 77A841A0 5 Bytes JMP 0020B695 .text 
C:\Windows\system32\PresentationHost.exe[5856] ntdll.dll!NtCreateFile 77A841C0 5 Bytes JMP 0020B797 .text C:\Windows\system32\PresentationHost.exe[5856] ntdll.dll!NtCreateIoCompletion 77A841D0 5 Bytes JMP 0020B80F .text C:\Windows\system32\PresentationHost.exe[5856] ntdll.dll!NtCreateKey 77A84200 5 Bytes JMP 0020B819 .text C:\Windows\system32\PresentationHost.exe[5856] ntdll.dll!NtCreateMutant 77A84230 5 Bytes JMP 0020B6E3 .text C:\Windows\system32\PresentationHost.exe[5856] ntdll.dll!NtCreateNamedPipeFile 77A84240 5 Bytes JMP 0020B7D5 .text C:\Windows\system32\PresentationHost.exe[5856] ntdll.dll!NtCreateSection 77A842B0 5 Bytes JMP 0020B756 .text C:\Windows\system32\PresentationHost.exe[5856] ntdll.dll!NtCreateSemaphore 77A842C0 5 Bytes JMP 0020B708 .text C:\Windows\system32\PresentationHost.exe[5856] ntdll.dll!NtCreateThread 77A842E0 5 Bytes JMP 0020B86F .text C:\Windows\system32\PresentationHost.exe[5856] ntdll.dll!NtCreateTimer 77A842F0 5 Bytes JMP 0020B731 .text C:\Windows\system32\PresentationHost.exe[5856] ntdll.dll!NtDeleteFile 77A845A0 5 Bytes JMP 0020B7F1 .text C:\Windows\system32\PresentationHost.exe[5856] ntdll.dll!NtOpenDirectoryObject 77A84970 5 Bytes JMP 0020B67A .text C:\Windows\system32\PresentationHost.exe[5856] ntdll.dll!NtOpenEvent 77A84980 5 Bytes JMP 0020B6A3 .text C:\Windows\system32\PresentationHost.exe[5856] ntdll.dll!NtOpenFile 77A849A0 5 Bytes JMP 0020B7E3 .text C:\Windows\system32\PresentationHost.exe[5856] ntdll.dll!NtOpenIoCompletion 77A849B0 5 Bytes JMP 0020B827 .text C:\Windows\system32\PresentationHost.exe[5856] ntdll.dll!NtOpenKey 77A849D0 5 Bytes JMP 0020B827 .text C:\Windows\system32\PresentationHost.exe[5856] ntdll.dll!NtOpenMutant 77A849F0 5 Bytes JMP 0020B6ED .text C:\Windows\system32\PresentationHost.exe[5856] ntdll.dll!NtOpenSection 77A84A50 5 Bytes JMP 0020B77C .text C:\Windows\system32\PresentationHost.exe[5856] ntdll.dll!NtOpenSemaphore 77A84A60 5 Bytes JMP 0020B716 .text C:\Windows\system32\PresentationHost.exe[5856] 
ntdll.dll!NtOpenSymbolicLinkObject 77A84A80 5 Bytes JMP 0020B65F .text C:\Windows\system32\PresentationHost.exe[5856] ntdll.dll!NtOpenTimer 77A84AC0 5 Bytes JMP 0020B73B .text C:\Windows\system32\PresentationHost.exe[5856] ntdll.dll!NtQueryAttributesFile 77A84B40 5 Bytes JMP 0020B7FB .text C:\Windows\system32\PresentationHost.exe[5856] ntdll.dll!NtQueryFullAttributesFile 77A84BF0 5 Bytes JMP 0020B805 .text C:\Windows\system32\PresentationHost.exe[5856] ntdll.dll!NtCreateKeyedEvent 77A85480 5 Bytes JMP 0020B6BE .text C:\Windows\system32\PresentationHost.exe[5856] ntdll.dll!NtOpenKeyedEvent 77A85490 5 Bytes JMP 0020B6C8 .text C:\Windows\system32\PresentationHost.exe[5856] kernel32.dll!CreateProcessW 76481BF3 5 Bytes JMP 0020B8CE .text C:\Windows\system32\PresentationHost.exe[5856] kernel32.dll!CreateProcessInternalW 764A5477 5 Bytes JMP 0020B8EE .text C:\Windows\system32\PresentationHost.exe[5856] kernel32.dll!CompareStringA 764C79B3 5 Bytes JMP 000B5722 .text C:\Windows\system32\PresentationHost.exe[5856] kernel32.dll!CreateThread 764CCBEE 5 Bytes JMP 000B5740 .text C:\Windows\system32\PresentationHost.exe[5856] USER32.dll!OpenDesktopW 776FB681 5 Bytes JMP 0020B90E .text C:\Windows\system32\PresentationHost.exe[5856] USER32.dll!PostMessageA 776FF8F8 5 Bytes JMP 000B56F4 .text C:\Windows\system32\PresentationHost.exe[5856] USER32.dll!GetForegroundWindow 777032C4 5 Bytes JMP 000B56DE .text C:\Windows\system32\PresentationHost.exe[5856] USER32.dll!SetFocus 77703684 5 Bytes JMP 000B56E8 .text C:\Windows\system32\PresentationHost.exe[5856] USER32.dll!GetFocus 77710B40 5 Bytes JMP 000B56E3 .text C:\Windows\system32\PresentationHost.exe[5856] USER32.dll!GetCursorPos 77710B88 5 Bytes JMP 000B570E .text C:\Windows\system32\PresentationHost.exe[5856] USER32.dll!DialogBoxParamW 777210B0 5 Bytes JMP 000B571A .text C:\Windows\system32\PresentationHost.exe[5856] USER32.dll!DialogBoxIndirectParamW 77722EF5 5 Bytes JMP 000B571A .text C:\Windows\system32\PresentationHost.exe[5856] 
USER32.dll!DialogBoxParamA 77738152 5 Bytes JMP 000B571A .text C:\Windows\system32\PresentationHost.exe[5856] USER32.dll!DialogBoxIndirectParamA 7773847D 5 Bytes JMP 000B571A .text C:\Windows\system32\PresentationHost.exe[5856] ole32.dll!CoCreateInstance 76389E4E 5 Bytes JMP 000B56D5 .text C:\Windows\system32\PresentationHost.exe[5856] SHLWAPI.dll!GetAcceptLanguagesW 776114B3 5 Bytes JMP 000B5EFA .text C:\Windows\system32\PresentationHost.exe[5856] SHLWAPI.dll!GetAcceptLanguagesA 77643AFC 5 Bytes JMP 000B5EE8 .text C:\Windows\system32\PresentationHost.exe[5856] WS2_32.dll!GetAddrInfoW 76583D12 5 Bytes JMP 000B5F25 .text C:\Windows\system32\PresentationHost.exe[5856] WS2_32.dll!GetAddrInfoExW 7659288D 5 Bytes JMP 000B5F3D .text C:\Windows\system32\PresentationHost.exe[5856] secur32.dll!FreeCredentialsHandle 75F73598 5 Bytes JMP 0020B945 .text C:\Windows\system32\PresentationHost.exe[5856] secur32.dll!AcquireCredentialsHandleA 75F78A43 5 Bytes JMP 0020B920 ---- Devices - GMER 2.1 ---- AttachedDevice \FileSystem\Ntfs \Ntfs tvtumon.sys AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0c6076d89f08 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0c6076d89f08@002668a444e1 0xC5 0x1A 0x14 0x79 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 20283 Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0c6076d89f08 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0c6076d89f08@002668a444e1 0xC5 0x1A 0x14 0x79 ... 
---- Files - GMER 2.1 ---- File C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS02F28.log 131072 bytes File C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS02F29.log 131072 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\NQAMV6VY\gw[1].js 6157 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\NQAMV6VY\g_-_150x100_-_s_69040x20151222152054_0[1].jpg 5232 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\NQAMV6VY\g_-_150x100_-_s_69093x20151223153659_0[1].jpg 3647 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\NQAMV6VY\g_-_150x100_-_s_69138x20151228140938_0[1].jpg 4867 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\NQAMV6VY\g_-_39x39_-_s_13091x20130323112441_0[1].png 1584 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\NQAMV6VY\g_-_39x39_-_s_21590x20111230132007_0[1].png 1638 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\NQAMV6VY\data_pollster_pl[1].js 0 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\NQAMV6VY\index300x250[1].htm 51874 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\NQAMV6VY\pinit_fg_en_rect_gray_28[1].png 1422 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\NQAMV6VY\background_gradient[1] 453 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\NQAMV6VY\si[1].htm 0 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\NQAMV6VY\imgThrobberGrey_30x30[1].gif 2373 bytes File 
C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\NQAMV6VY\ad[1].js 2 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\NQAMV6VY\ad[2].js 2 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\NQAMV6VY\rek_www_wp_pl[1].js 20818 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\NQAMV6VY\36[1].js 3993 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\CZUTH0NB\ga-audiences[2].htm 376 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\4DLQ9O2F\outstream[1].js 3565 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\4DLQ9O2F\diggerwidget[1].htm 2311 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5542XRPR\wicket-event[1].js 3811 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5542XRPR\tooltip[1].js 16474 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\V48A0RHO\wirtualna_polska_3300x300[1].jpg 40485 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XT0JFAPH\page[1].htm 131072 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XT0JFAPH\9d3a0031-ce91-48c7-b796-f76a55fe9afd[1].jpg 47438 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XT0JFAPH\log_pinterest_com[1] 0 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\CMBSE32N\monitoridentification[1].js 5645 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\CMBSE32N\favorites[1].png 421 bytes File 
C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\AO3MT190\r[1].gif 42 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\AO3MT190\pixel[1].gif 43 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\AO3MT190\000[1].jpg 5060 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\I1SFAUYR\sep2[1].png 934 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\I1SFAUYR\jquery.min[2].js 93435 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\I1SFAUYR\1[1].js 3428 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\I1SFAUYR\VoJzaLlQJmcAAAr7gqYAAABS%26644[1].gif 35 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\I1SFAUYR\xd_arbiter[3].htm 33319 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\I1SFAUYR\12973530854936150058[1].jpg 49223 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\CQNJI790\uid_5b70b00c09e49e3466cfd70f51598b5b1451325376689_width_960_height_540_play_0_pos_0_gs_0[1].jpg 0 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\CQNJI790\uid_9e17c5ee78211433e4715ba8f39f2c901451324844856_width_960_height_540_play_0_pos_0_gs_0[1].jpg 0 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\CQNJI790\icon_arrow_small_right[1].gif 0 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\CQNJI790\content_px[1].png 0 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\CQNJI790\adx[2] 0 bytes File 
C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\CQNJI790\adx[3] 0 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\CQNJI790\ad[1].js 0 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\CQNJI790\ad[2].js 0 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\CQNJI790\ad[3].js 0 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\CQNJI790\ad[4].js 0 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\CQNJI790\ad[5].js 0 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\CQNJI790\ad[6].js 0 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\CQNJI790\ad[7].js 0 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\CQNJI790\ad[8].js 0 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\CQNJI790\20[1].png 0 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\CQNJI790\145103212011339774272[1].jpg 0 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\CQNJI790\145138042511359974363[1].jpg 0 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\CQNJI790\05_02[1].jpg 15671 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\CQNJI790\0[2].js 0 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\CQNJI790\fm[2].js 0 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\CQNJI790\push[2].htm 0 bytes File 
C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\CQNJI790\empty[1].gif 0 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\CQNJI790\j2u2i1aexy0atlamh4qeregt0yq[1].css 39521 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\CQNJI790\cse[1].htm 18 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\CQNJI790\$(KGrHqV,!oEFHgy17YO6BR9nEIF)jw~~60_59[1].jpg 72575 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\CQNJI790\$_59[1].jpg 273807 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\CQNJI790\$_59[2].jpg 53919 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\CQNJI790\$_59[3].jpg 178527 bytes File C:\Users\sandoz\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low\33KTNOLG\demoty_cid[1].xml 28 bytes File C:\Windows\winsxs\x86_microsoft-windows-rpc-local_31bf3856ad364e35_6.0.6002.18882_none_b58ca71542799766\rpcrt4.dll (size mismatch) 784896/783360 bytes executable File C:\Windows\winsxs\x86_microsoft-windows-themeui_31bf3856ad364e35_6.0.6002.18888_none_8696a02d18e1094c\themeui.dll (size mismatch) 615424/615936 bytes executable File C:\Windows\winsxs\x86_microsoft-windows-ntdll_31bf3856ad364e35_6.0.6002.18881_none_5a67e5f5f993dac6\ntdll.dll (size mismatch) 1205064/1205168 bytes executable File C:\Windows\winsxs\x86_microsoft-windows-t..nalservices-drivers_31bf3856ad364e35_6.0.6002.18868_none_52fdc1d7f3c9f23d\tssecsrv.sys (size mismatch) 23552/24064 bytes executable ---- EOF - GMER 2.1 ----
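The user-mode section above is long but repetitive: the same ntdll/kernel32/USER32/ole32/SHLWAPI/Secur32/WS2_32 exports carry a 5-byte inline JMP in msiexec.exe, notepad.exe and PresentationHost.exe alike, and in each process several exports (NtOpenIoCompletion and NtOpenKey, the four DialogBox* variants) jump to one shared target. That pattern is what a system-wide user-mode hooking layer looks like; the log alone does not say who installed it. GMER appends the owning module path after the JMP target when it can resolve it, and none of the hook lines here carry one, so the trampolines are unattributed memory and have to be resolved in a live process before the hooks are written off as security software or treated as malware. The following triage script is an added example for this page, not GMER's code and not part of the scan output; it parses the line shapes GMER used above (hook, AttachedDevice, size-mismatch and plain File lines) and derives those observations mechanically. The sample input consists of lines copied from this page; the file-size fields are used only as GMER printed them, without assuming how GMER measured them.

```python
"""Triage helper for GMER 2.1 scan output.

Added example for this page; not GMER's code and not part of the log above.
It parses the line shapes GMER used in that log and summarises what is
checked first: which module!export pairs are hooked in every process,
exports of one process whose JMPs share a target, the 64 KB regions the
trampolines sit in, and files GMER flagged with a size mismatch.
"""
import re
from collections import defaultdict

HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+(?P<module>[^!\s]+)!(?P<export>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<nbytes>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]{8})"
    r"(?:\s+(?P<target_module>\S.*?))?\s*$"  # GMER appends the owning module when it resolves it
)
DEVICE_RE = re.compile(r"^AttachedDevice\s+(?P<stack>\S+)\s+(?P<device>\S+)\s+(?P<driver>\S+)$")
SIZE_RE = re.compile(r"^File\s+(?P<path>.+?)\s+\(size mismatch\)\s+(?P<size_a>\d+)/(?P<size_b>\d+)\s+bytes")
FILE_RE = re.compile(r"^File\s+(?P<path>.+?)\s+(?P<size>\d+)\s+bytes$")

# Sample input: lines copied from the scan output on this page.
SAMPLE = r"""
.text C:\Windows\notepad.exe[5600] ntdll.dll!NtCreateFile 77A841C0 5 Bytes JMP 001CC577
.text C:\Windows\notepad.exe[5600] ntdll.dll!NtOpenIoCompletion 77A849B0 5 Bytes JMP 001CC607
.text C:\Windows\notepad.exe[5600] ntdll.dll!NtOpenKey 77A849D0 5 Bytes JMP 001CC607
.text C:\Windows\notepad.exe[5600] kernel32.dll!CreateThread 764CCBEE 5 Bytes JMP 000B6EC0
.text C:\Windows\system32\msiexec.exe[5756] ntdll.dll!NtCreateFile 77A841C0 5 Bytes JMP 0037C097
.text C:\Windows\system32\msiexec.exe[5756] ntdll.dll!NtOpenIoCompletion 77A849B0 5 Bytes JMP 0037C127
.text C:\Windows\system32\msiexec.exe[5756] ntdll.dll!NtOpenKey 77A849D0 5 Bytes JMP 0037C127
.text C:\Windows\system32\msiexec.exe[5756] kernel32.dll!CreateThread 764CCBEE 5 Bytes JMP 000C52C0
.text C:\Windows\system32\msiexec.exe[5756] USER32.dll!DialogBoxParamW 777210B0 5 Bytes JMP 000C529A
.text C:\Windows\system32\msiexec.exe[5756] USER32.dll!DialogBoxParamA 77738152 5 Bytes JMP 000C529A
AttachedDevice \FileSystem\Ntfs \Ntfs tvtumon.sys
File C:\Windows\winsxs\x86_microsoft-windows-rpc-local_31bf3856ad364e35_6.0.6002.18882_none_b58ca71542799766\rpcrt4.dll (size mismatch) 784896/783360 bytes executable
File C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS02F28.log 131072 bytes
"""


def parse(text):
    """Split GMER output into typed findings; lines of any other shape go to 'other'."""
    out = {"hooks": [], "devices": [], "size_mismatches": [], "files": [], "other": []}
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if (m := HOOK_RE.match(line)):
            out["hooks"].append({
                "image": m["image"], "pid": int(m["pid"]), "module": m["module"],
                "export": m["export"], "addr": int(m["addr"], 16), "nbytes": int(m["nbytes"]),
                "target": int(m["target"], 16),
                "target_module": m["target_module"],  # None: target not attributed to an image
            })
        elif (m := DEVICE_RE.match(line)):
            out["devices"].append(m.groupdict())
        elif (m := SIZE_RE.match(line)):
            a, b = int(m["size_a"]), int(m["size_b"])
            out["size_mismatches"].append({"path": m["path"], "size_a": a, "size_b": b, "delta": abs(a - b)})
        elif (m := FILE_RE.match(line)):
            out["files"].append({"path": m["path"], "size": int(m["size"])})
        else:
            out["other"].append(line)
    return out


def common_hooks(hooks):
    """module!export pairs hooked in every process GMER listed."""
    per_pid = defaultdict(set)
    for h in hooks:
        per_pid[h["pid"]].add((h["module"], h["export"]))
    return set.intersection(*per_pid.values()) if per_pid else set()


def aliased_targets(hooks):
    """pid -> {target: [exports]} for targets that several exports of one process JMP to."""
    by_pid = defaultdict(lambda: defaultdict(list))
    for h in hooks:
        by_pid[h["pid"]][h["target"]].append(h["export"])
    return {pid: {t: e for t, e in m.items() if len(e) > 1} for pid, m in by_pid.items()}


def target_regions(hooks, shift=16):
    """pid -> sorted (target >> shift); shift=16 groups trampolines into 64 KB regions."""
    regs = defaultdict(set)
    for h in hooks:
        regs[h["pid"]].add(h["target"] >> shift)
    return {pid: sorted(r) for pid, r in regs.items()}


def analyze(text):
    f = parse(text)
    hooks = f["hooks"]
    return {
        "findings": f,
        "common_hooks": common_hooks(hooks),
        "aliased": aliased_targets(hooks),
        "regions": target_regions(hooks),
        "unattributed": sum(h["target_module"] is None for h in hooks),
        "patch_sizes": sorted({h["nbytes"] for h in hooks}),
    }


if __name__ == "__main__":
    r = analyze(SAMPLE)
    print(f"{len(r['findings']['hooks'])} hooks, {r['unattributed']} unattributed, patch sizes {r['patch_sizes']}")
    print("hooked in every process:", sorted(r["common_hooks"]))
    print("shared trampolines:", {pid: {f"{t:08X}": e for t, e in m.items()} for pid, m in r["aliased"].items()})
    print("trampoline regions:", {pid: [f"{x << 16:08X}" for x in regs] for pid, regs in r["regions"].items()})
    for s in r["findings"]["size_mismatches"]:
        print(f"size mismatch {s['size_a']}/{s['size_b']} (delta {s['delta']}): {s['path']}")
```

Run against the full log rather than the sample, the script reports every process sharing the same hook set, two 64 KB trampoline regions per process (one for the ntdll/CreateProcess/Secur32 group, one for the USER32/ole32/SHLWAPI/WS2_32 group), and the four winsxs executables whose two size figures differ. Those are the items to resolve next: map each trampoline region to the module that owns it in a running process, and compare the winsxs copies against a known-good Windows 6.0.6002 installation before drawing conclusions.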