GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-03-30 18:33:10 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1 ST1000DM003-1ER162 rev.CC45 931,51GB Running: dvjt3xvg.exe; Driver: C:\Users\Patrycja\AppData\Local\Temp\fwlyyfob.sys ---- User code sections - GMER 2.2 ---- .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 000000007762d880 5 bytes JMP 0000000000c81000 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 000000007762ddd0 5 bytes JMP 0000000000c80000 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007762de80 5 bytes JMP 0000000000c82000 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\system32\kernel32.dll!OpenMutexA 00000000774c27e0 5 bytes JMP 0000000000c85000 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000774d1890 5 bytes JMP 0000000000c86000 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 0000000077549140 4 bytes JMP 0000000000c87000 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd525030 5 bytes JMP 000007fe7e728000 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd5284d0 5 bytes JMP 000007fe7e727000 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd528b80 2 bytes JMP 000007fe7e725000 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW + 3 000007fefd528b83 2 bytes [1F, 81] .text C:\Windows\system32\winlogon.exe[584] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd529a00 5 bytes JMP 000007fe7e72b000 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd531930 5 bytes JMP 000007fe7e726000 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd5337a0 5 bytes JMP 000007fe7e729000 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd53a870 5 bytes JMP 000007fe7e723000 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd554130 5 bytes JMP 000007fe7e72a000 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00000000773cf864 5 bytes JMP 0000000000c84000 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00000000773e8c20 5 bytes JMP 0000000000c83000 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007fefe71642c 5 bytes JMP 000007fe7e724000 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe716484 5 bytes JMP 000007fe7e720000 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefe716518 5 bytes JMP 000007fe7e722000 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe716c34 5 bytes JMP 000007fe7e721000 .text C:\Windows\system32\lsm.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 000000007762d880 5 bytes JMP 0000000000111000 .text C:\Windows\system32\lsm.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 000000007762ddd0 5 bytes JMP 0000000000110000 .text C:\Windows\system32\lsm.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007762de80 5 bytes JMP 0000000000112000 .text C:\Windows\system32\lsm.exe[592] C:\Windows\system32\kernel32.dll!OpenMutexA 00000000774c27e0 5 bytes JMP 0000000000113000 .text C:\Windows\system32\lsm.exe[592] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000774d1890 5 bytes JMP 0000000000114000 .text C:\Windows\system32\lsm.exe[592] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 0000000077549140 5 bytes JMP 0000000000115000 .text C:\Windows\system32\lsm.exe[592] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd525030 5 bytes JMP 000007fe7e728000 .text C:\Windows\system32\lsm.exe[592] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd5284d0 5 bytes JMP 000007fe7e727000 .text C:\Windows\system32\lsm.exe[592] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd528b80 2 bytes JMP 000007fe7e725000 .text C:\Windows\system32\lsm.exe[592] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW + 3 000007fefd528b83 2 bytes [1F, 81] .text C:\Windows\system32\lsm.exe[592] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd529a00 5 bytes JMP 000007fe7e72b000 .text C:\Windows\system32\lsm.exe[592] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd531930 5 bytes JMP 000007fe7e726000 .text C:\Windows\system32\lsm.exe[592] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd5337a0 5 bytes JMP 000007fe7e729000 .text C:\Windows\system32\lsm.exe[592] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd53a870 5 bytes JMP 000007fe7e723000 .text C:\Windows\system32\lsm.exe[592] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd554130 5 bytes JMP 000007fe7e72a000 .text C:\Windows\system32\lsm.exe[592] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007fefe71642c 5 bytes JMP 000007fe7e724000 .text C:\Windows\system32\lsm.exe[592] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe716484 5 bytes JMP 000007fe7e720000 .text C:\Windows\system32\lsm.exe[592] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefe716518 5 bytes JMP 000007fe7e722000 .text C:\Windows\system32\lsm.exe[592] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe716c34 5 bytes JMP 000007fe7e721000 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 000000007762d880 5 bytes JMP 0000000000381000 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 000000007762ddd0 5 bytes JMP 0000000000380000 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007762de80 5 bytes JMP 0000000000382000 .text C:\Windows\system32\svchost.exe[716] C:\Windows\system32\kernel32.dll!OpenMutexA 00000000774c27e0 5 bytes JMP 0000000000385000 .text C:\Windows\system32\svchost.exe[716] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000774d1890 5 bytes JMP 0000000000386000 .text C:\Windows\system32\svchost.exe[716] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 0000000077549140 5 bytes JMP 0000000000387000 .text C:\Windows\system32\svchost.exe[716] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd525030 5 bytes JMP 000007fe7e728000 .text C:\Windows\system32\svchost.exe[716] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd5284d0 5 bytes JMP 000007fe7e727000 .text C:\Windows\system32\svchost.exe[716] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd528b80 2 bytes JMP 000007fe7e725000 .text C:\Windows\system32\svchost.exe[716] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW + 3 000007fefd528b83 2 bytes [1F, 81] .text C:\Windows\system32\svchost.exe[716] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd529a00 5 bytes JMP 000007fe7e72b000 .text C:\Windows\system32\svchost.exe[716] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd531930 5 bytes JMP 000007fe7e726000 .text C:\Windows\system32\svchost.exe[716] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd5337a0 5 bytes JMP 000007fe7e729000 .text C:\Windows\system32\svchost.exe[716] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd53a870 5 bytes JMP 000007fe7e723000 .text C:\Windows\system32\svchost.exe[716] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd554130 5 bytes JMP 000007fe7e72a000 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007fefe71642c 5 bytes JMP 000007fe7e724000 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe716484 5 bytes JMP 000007fe7e720000 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefe716518 5 bytes JMP 000007fe7e722000 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe716c34 5 bytes JMP 000007fe7e721000 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 000000007762d880 5 bytes JMP 0000000000531000 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 000000007762ddd0 5 bytes JMP 0000000000530000 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007762de80 5 bytes JMP 0000000000532000 .text C:\Windows\system32\svchost.exe[800] C:\Windows\system32\kernel32.dll!OpenMutexA 00000000774c27e0 5 bytes JMP 0000000000535000 .text C:\Windows\system32\svchost.exe[800] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000774d1890 5 bytes JMP 0000000000536000 .text C:\Windows\system32\svchost.exe[800] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 0000000077549140 5 bytes JMP 0000000000537000 .text C:\Windows\system32\svchost.exe[800] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd525030 5 bytes JMP 000007fe7e728000 .text C:\Windows\system32\svchost.exe[800] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd5284d0 5 bytes JMP 000007fe7e727000 .text C:\Windows\system32\svchost.exe[800] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd528b80 2 bytes JMP 000007fe7e725000 .text C:\Windows\system32\svchost.exe[800] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW + 3 000007fefd528b83 2 bytes [1F, 81] .text C:\Windows\system32\svchost.exe[800] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd529a00 5 bytes JMP 000007fe7e72b000 .text C:\Windows\system32\svchost.exe[800] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd531930 5 bytes JMP 000007fe7e726000 .text C:\Windows\system32\svchost.exe[800] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd5337a0 5 bytes JMP 000007fe7e729000 .text C:\Windows\system32\svchost.exe[800] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd53a870 5 bytes JMP 000007fe7e723000 .text C:\Windows\system32\svchost.exe[800] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd554130 5 bytes JMP 000007fe7e72a000 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007fefe71642c 5 bytes JMP 000007fe7e724000 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe716484 5 bytes JMP 000007fe7e720000 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefe716518 5 bytes JMP 000007fe7e722000 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe716c34 5 bytes JMP 000007fe7e721000 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\system32\kernel32.dll!OpenMutexA 00000000774c27e0 5 bytes JMP 00000000001a5000 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000774d1890 5 bytes JMP 00000000001a6000 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 0000000077549140 5 bytes JMP 00000000001a7000 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd525030 5 bytes JMP 000007fe7e728000 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd5284d0 5 bytes JMP 000007fe7e727000 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd528b80 2 bytes JMP 000007fe7e725000 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW + 3 000007fefd528b83 2 bytes [1F, 81] .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd529a00 5 bytes JMP 000007fe7e72b000 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd531930 5 bytes JMP 000007fe7e726000 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd5337a0 5 bytes JMP 000007fe7e729000 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd53a870 5 bytes JMP 000007fe7e723000 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd554130 5 bytes JMP 000007fe7e72a000 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007fefe71642c 5 bytes JMP 000007fe7e724000 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe716484 5 bytes JMP 000007fe7e720000 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefe716518 5 bytes JMP 000007fe7e722000 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe716c34 5 bytes JMP 000007fe7e721000 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 000000007762d880 5 bytes JMP 00000000002d1000 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 000000007762ddd0 5 bytes JMP 00000000002d0000 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007762de80 5 bytes JMP 00000000002d2000 .text C:\Windows\System32\svchost.exe[944] C:\Windows\system32\kernel32.dll!OpenMutexA 00000000774c27e0 5 bytes JMP 00000000002d5000 .text C:\Windows\System32\svchost.exe[944] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000774d1890 5 bytes JMP 00000000002d6000 .text C:\Windows\System32\svchost.exe[944] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 0000000077549140 5 bytes JMP 00000000002d7000 .text C:\Windows\System32\svchost.exe[944] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd525030 5 bytes JMP 000007fe7e728000 .text C:\Windows\System32\svchost.exe[944] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd5284d0 5 bytes JMP 000007fe7e727000 .text C:\Windows\System32\svchost.exe[944] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd528b80 2 bytes JMP 000007fe7e725000 .text C:\Windows\System32\svchost.exe[944] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW + 3 000007fefd528b83 2 bytes [1F, 81] .text C:\Windows\System32\svchost.exe[944] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd529a00 5 bytes JMP 000007fe7e72b000 .text C:\Windows\System32\svchost.exe[944] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd531930 5 bytes JMP 000007fe7e726000 .text C:\Windows\System32\svchost.exe[944] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd5337a0 5 bytes JMP 000007fe7e729000 .text C:\Windows\System32\svchost.exe[944] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd53a870 5 bytes JMP 000007fe7e723000 .text C:\Windows\System32\svchost.exe[944] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd554130 5 bytes JMP 000007fe7e72a000 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007fefe71642c 5 bytes JMP 000007fe7e724000 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe716484 5 bytes JMP 000007fe7e720000 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefe716518 5 bytes JMP 000007fe7e722000 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe716c34 5 bytes JMP 000007fe7e721000 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 000000007762d880 5 bytes JMP 0000000000d81000 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 000000007762ddd0 5 bytes JMP 0000000000d80000 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007762de80 5 bytes JMP 0000000000d82000 .text C:\Windows\System32\svchost.exe[984] C:\Windows\system32\kernel32.dll!OpenMutexA 00000000774c27e0 5 bytes JMP 0000000000d85000 .text C:\Windows\System32\svchost.exe[984] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000774d1890 5 bytes JMP 0000000000d86000 .text C:\Windows\System32\svchost.exe[984] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 0000000077549140 4 bytes JMP 0000000000d87000 .text C:\Windows\System32\svchost.exe[984] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd525030 5 bytes JMP 000007fe7e728000 .text C:\Windows\System32\svchost.exe[984] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd5284d0 5 bytes JMP 000007fe7e727000 .text C:\Windows\System32\svchost.exe[984] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd528b80 2 bytes JMP 000007fe7e725000 .text C:\Windows\System32\svchost.exe[984] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW + 3 000007fefd528b83 2 bytes [1F, 81] .text C:\Windows\System32\svchost.exe[984] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd529a00 5 bytes JMP 000007fe7e72b000 .text C:\Windows\System32\svchost.exe[984] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd531930 5 bytes JMP 000007fe7e726000 .text C:\Windows\System32\svchost.exe[984] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd5337a0 5 bytes JMP 000007fe7e729000 .text C:\Windows\System32\svchost.exe[984] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd53a870 5 bytes JMP 000007fe7e723000 .text C:\Windows\System32\svchost.exe[984] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd554130 5 bytes JMP 000007fe7e72a000 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007fefe71642c 5 bytes JMP 000007fe7e724000 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe716484 5 bytes JMP 000007fe7e720000 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefe716518 5 bytes JMP 000007fe7e722000 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe716c34 5 bytes JMP 000007fe7e721000 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 000000007762d880 5 bytes JMP 0000000000151000 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 000000007762ddd0 5 bytes JMP 0000000000150000 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007762de80 5 bytes JMP 0000000000152000 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\system32\kernel32.dll!OpenMutexA 00000000774c27e0 5 bytes JMP 0000000000155000 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000774d1890 5 bytes JMP 0000000000156000 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 0000000077549140 5 bytes JMP 0000000000157000 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd525030 5 bytes JMP 000007fe7e728000 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd5284d0 5 bytes JMP 000007fe7e727000 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd528b80 2 bytes JMP 000007fe7e725000 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW + 3 000007fefd528b83 2 bytes [1F, 81] .text C:\Windows\system32\svchost.exe[1012] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd529a00 5 bytes JMP 000007fe7e72b000 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd531930 5 bytes JMP 000007fe7e726000 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd5337a0 5 bytes JMP 000007fe7e729000 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd53a870 5 bytes JMP 000007fe7e723000 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd554130 5 bytes JMP 000007fe7e72a000 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007fefe71642c 5 bytes JMP 000007fe7e724000 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe716484 5 bytes JMP 000007fe7e720000 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefe716518 5 bytes JMP 000007fe7e722000 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe716c34 5 bytes JMP 000007fe7e721000 .text C:\Windows\system32\svchost.exe[300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 000000007762d880 5 bytes JMP 0000000000d41000 .text C:\Windows\system32\svchost.exe[300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 000000007762ddd0 5 bytes JMP 0000000000d40000 .text C:\Windows\system32\svchost.exe[300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007762de80 5 bytes JMP 0000000000d42000 .text C:\Windows\system32\svchost.exe[300] C:\Windows\system32\kernel32.dll!OpenMutexA 00000000774c27e0 5 bytes JMP 0000000000d45000 .text C:\Windows\system32\svchost.exe[300] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000774d1890 5 bytes JMP 0000000000d46000 .text C:\Windows\system32\svchost.exe[300] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 0000000077549140 4 bytes JMP 0000000000d47000 .text C:\Windows\system32\svchost.exe[300] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd525030 5 bytes JMP 000007fe7e728000 .text C:\Windows\system32\svchost.exe[300] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd5284d0 5 bytes JMP 000007fe7e727000 .text C:\Windows\system32\svchost.exe[300] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd528b80 2 bytes JMP 000007fe7e725000 .text C:\Windows\system32\svchost.exe[300] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW + 3 000007fefd528b83 2 bytes [1F, 81] .text C:\Windows\system32\svchost.exe[300] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd529a00 5 bytes JMP 000007fe7e72b000 .text C:\Windows\system32\svchost.exe[300] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd531930 5 bytes JMP 000007fe7e726000 .text C:\Windows\system32\svchost.exe[300] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd5337a0 5 bytes JMP 000007fe7e729000 .text C:\Windows\system32\svchost.exe[300] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd53a870 5 bytes JMP 000007fe7e723000 .text C:\Windows\system32\svchost.exe[300] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd554130 5 bytes JMP 000007fe7e72a000 .text C:\Windows\system32\svchost.exe[300] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007fefe71642c 5 bytes JMP 000007fe7e724000 .text C:\Windows\system32\svchost.exe[300] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe716484 5 bytes JMP 000007fe7e720000 .text C:\Windows\system32\svchost.exe[300] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefe716518 5 bytes JMP 000007fe7e722000 .text C:\Windows\system32\svchost.exe[300] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe716c34 5 bytes JMP 000007fe7e721000 .text C:\Windows\system32\svchost.exe[660] C:\Windows\system32\kernel32.dll!OpenMutexA 00000000774c27e0 5 bytes JMP 0000000000195000 .text C:\Windows\system32\svchost.exe[660] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000774d1890 5 bytes JMP 0000000000196000 .text C:\Windows\system32\svchost.exe[660] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 0000000077549140 5 bytes JMP 0000000000197000 .text C:\Windows\system32\svchost.exe[660] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd525030 5 bytes JMP 000007fe7e728000 .text C:\Windows\system32\svchost.exe[660] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd5284d0 5 bytes JMP 000007fe7e727000 .text C:\Windows\system32\svchost.exe[660] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd528b80 2 bytes JMP 000007fe7e725000 .text C:\Windows\system32\svchost.exe[660] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW + 3 000007fefd528b83 2 bytes [1F, 81] .text C:\Windows\system32\svchost.exe[660] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd529a00 5 bytes JMP 000007fe7e72b000 .text C:\Windows\system32\svchost.exe[660] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd531930 5 bytes JMP 000007fe7e726000 .text C:\Windows\system32\svchost.exe[660] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd5337a0 5 bytes JMP 000007fe7e729000 .text C:\Windows\system32\svchost.exe[660] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd53a870 5 bytes JMP 000007fe7e723000 .text C:\Windows\system32\svchost.exe[660] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd554130 5 bytes JMP 000007fe7e72a000 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007fefe71642c 5 bytes JMP 000007fe7e724000 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe716484 5 bytes JMP 000007fe7e720000 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefe716518 5 bytes JMP 000007fe7e722000 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe716c34 5 bytes JMP 000007fe7e721000 .text C:\Program Files\Tablet\Pen\WTabletServiceCon.exe[1104] C:\Windows\system32\kernel32.dll!OpenMutexA 00000000774c27e0 5 bytes JMP 00000000000e5000 .text C:\Program Files\Tablet\Pen\WTabletServiceCon.exe[1104] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000774d1890 5 bytes JMP 00000000000e6000 .text C:\Program Files\Tablet\Pen\WTabletServiceCon.exe[1104] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 0000000077549140 5 bytes JMP 00000000000e7000 .text C:\Program Files\Tablet\Pen\WTabletServiceCon.exe[1104] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd525030 5 bytes JMP 000007fe7e728000 .text C:\Program Files\Tablet\Pen\WTabletServiceCon.exe[1104] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd5284d0 5 bytes JMP 000007fe7e727000 .text C:\Program Files\Tablet\Pen\WTabletServiceCon.exe[1104] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd528b80 2 bytes JMP 000007fe7e725000 .text C:\Program Files\Tablet\Pen\WTabletServiceCon.exe[1104] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW + 3 000007fefd528b83 2 bytes [1F, 81] .text C:\Program Files\Tablet\Pen\WTabletServiceCon.exe[1104] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd529a00 5 bytes JMP 000007fe7e72b000 .text C:\Program Files\Tablet\Pen\WTabletServiceCon.exe[1104] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd531930 5 bytes JMP 000007fe7e726000 .text C:\Program Files\Tablet\Pen\WTabletServiceCon.exe[1104] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd5337a0 5 bytes JMP 000007fe7e729000 .text C:\Program Files\Tablet\Pen\WTabletServiceCon.exe[1104] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd53a870 5 bytes JMP 000007fe7e723000 .text C:\Program Files\Tablet\Pen\WTabletServiceCon.exe[1104] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd554130 5 bytes JMP 000007fe7e72a000 .text C:\Program Files\Tablet\Pen\WTabletServiceCon.exe[1104] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007fefe71642c 5 bytes JMP 000007fe7e724000 .text C:\Program Files\Tablet\Pen\WTabletServiceCon.exe[1104] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe716484 5 bytes JMP 000007fe7e720000 .text C:\Program Files\Tablet\Pen\WTabletServiceCon.exe[1104] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefe716518 5 bytes JMP 000007fe7e722000 .text C:\Program Files\Tablet\Pen\WTabletServiceCon.exe[1104] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe716c34 5 bytes JMP 000007fe7e721000 .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 000000007762d880 5 bytes JMP 0000000000291000 .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 000000007762ddd0 5 bytes JMP 0000000000290000 .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007762de80 5 bytes JMP 0000000000292000 .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\system32\kernel32.dll!OpenMutexA 00000000774c27e0 5 bytes JMP 0000000000295000 .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000774d1890 5 bytes JMP 0000000000296000 .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 0000000077549140 5 bytes JMP 0000000000297000 .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd525030 5 bytes JMP 000007fe7e728000 .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd5284d0 5 bytes JMP 000007fe7e727000 .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd528b80 2 bytes JMP 000007fe7e725000 .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW + 3 000007fefd528b83 2 bytes [1F, 81] .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd529a00 5 bytes JMP 000007fe7e72b000 .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd531930 5 bytes JMP 000007fe7e726000 .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd5337a0 5 bytes JMP 000007fe7e729000 .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd53a870 5 bytes JMP 000007fe7e723000 .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd554130 5 bytes JMP 000007fe7e72a000 .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007fefe71642c 5 bytes JMP 000007fe7e724000 .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe716484 5 bytes JMP 000007fe7e720000 .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefe716518 5 bytes JMP 000007fe7e722000 .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe716c34 5 bytes JMP 000007fe7e721000 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 000000007762d880 5 bytes JMP 0000000000bc1000 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 000000007762ddd0 5 bytes JMP 0000000000bc0000 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007762de80 5 bytes JMP 0000000000bc2000 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\system32\kernel32.dll!OpenMutexA 00000000774c27e0 5 bytes JMP 0000000000bc5000 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000774d1890 5 bytes JMP 0000000000bc6000 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 0000000077549140 4 bytes JMP 0000000000bc7000 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd525030 5 bytes JMP 000007fe7e728000 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd5284d0 5 bytes JMP 000007fe7e727000 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd528b80 2 bytes JMP 000007fe7e725000 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW + 3 000007fefd528b83 2 bytes [1F, 81] .text C:\Windows\system32\svchost.exe[1176] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd529a00 5 bytes JMP 000007fe7e72b000 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd531930 5 bytes JMP 000007fe7e726000 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd5337a0 5 bytes JMP 000007fe7e729000 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd53a870 5 bytes JMP 000007fe7e723000 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd554130 5 bytes JMP 000007fe7e72a000 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007fefe71642c 5 bytes JMP 000007fe7e724000 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe716484 5 bytes JMP 000007fe7e720000 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefe716518 5 bytes JMP 000007fe7e722000 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe716c34 5 bytes JMP 000007fe7e721000 .text C:\Windows\system32\WLANExt.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 000000007762d880 5 bytes JMP 0000000000471000 .text C:\Windows\system32\WLANExt.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 000000007762ddd0 5 bytes JMP 0000000000470000 .text C:\Windows\system32\WLANExt.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007762de80 5 bytes JMP 0000000000472000 .text C:\Windows\system32\WLANExt.exe[1444] C:\Windows\system32\kernel32.dll!OpenMutexA 00000000774c27e0 5 bytes JMP 0000000000475000 .text C:\Windows\system32\WLANExt.exe[1444] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000774d1890 5 bytes JMP 0000000000476000 .text C:\Windows\system32\WLANExt.exe[1444] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 0000000077549140 5 bytes JMP 0000000000477000 .text C:\Windows\system32\WLANExt.exe[1444] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd525030 5 bytes JMP 000007fe7e728000 .text C:\Windows\system32\WLANExt.exe[1444] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd5284d0 5 bytes JMP 000007fe7e727000 .text C:\Windows\system32\WLANExt.exe[1444] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd528b80 2 bytes JMP 000007fe7e725000 .text C:\Windows\system32\WLANExt.exe[1444] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW + 3 000007fefd528b83 2 bytes [1F, 81] .text C:\Windows\system32\WLANExt.exe[1444] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd529a00 5 bytes JMP 000007fe7e72b000 .text C:\Windows\system32\WLANExt.exe[1444] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd531930 5 bytes JMP 000007fe7e726000 .text C:\Windows\system32\WLANExt.exe[1444] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd5337a0 5 bytes JMP 000007fe7e729000 .text C:\Windows\system32\WLANExt.exe[1444] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd53a870 5 bytes JMP 000007fe7e723000 .text C:\Windows\system32\WLANExt.exe[1444] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd554130 5 bytes JMP 000007fe7e72a000 .text C:\Windows\system32\WLANExt.exe[1444] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007fefe71642c 5 bytes JMP 000007fe7e724000 .text C:\Windows\system32\WLANExt.exe[1444] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe716484 5 bytes JMP 000007fe7e720000 .text C:\Windows\system32\WLANExt.exe[1444] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefe716518 5 bytes JMP 000007fe7e722000 .text C:\Windows\system32\WLANExt.exe[1444] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe716c34 5 bytes JMP 000007fe7e721000 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 000000007762d880 5 bytes JMP 0000000000391000 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 000000007762ddd0 5 bytes JMP 0000000000390000 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007762de80 5 bytes JMP 0000000000392000 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\system32\kernel32.dll!OpenMutexA 00000000774c27e0 5 bytes JMP 0000000000395000 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000774d1890 5 bytes JMP 0000000000396000 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 0000000077549140 5 bytes JMP 0000000000397000 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd525030 5 bytes JMP 000007fe7e728000 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd5284d0 5 bytes JMP 000007fe7e727000 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd528b80 2 bytes JMP 000007fe7e725000 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW + 3 000007fefd528b83 2 bytes [1F, 81] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd529a00 5 bytes JMP 000007fe7e72b000 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd531930 5 bytes JMP 000007fe7e726000 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd5337a0 5 bytes JMP 000007fe7e729000 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd53a870 5 bytes JMP 000007fe7e723000 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd554130 5 bytes JMP 000007fe7e72a000 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007fefe71642c 5 bytes JMP 000007fe7e724000 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe716484 5 bytes JMP 000007fe7e720000 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefe716518 5 bytes JMP 000007fe7e722000 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe716c34 5 bytes JMP 000007fe7e721000 .text C:\Windows\System32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 000000007762d880 5 bytes JMP 0000000000c11000 .text C:\Windows\System32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 000000007762ddd0 5 bytes JMP 0000000000c10000 .text C:\Windows\System32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007762de80 5 bytes JMP 0000000000c12000 .text C:\Windows\System32\svchost.exe[1772] C:\Windows\system32\kernel32.dll!OpenMutexA 00000000774c27e0 5 bytes JMP 0000000000c15000 .text C:\Windows\System32\svchost.exe[1772] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000774d1890 5 bytes JMP 0000000000c16000 .text C:\Windows\System32\svchost.exe[1772] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 0000000077549140 4 bytes JMP 0000000000c17000 .text C:\Windows\System32\svchost.exe[1772] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd525030 5 bytes JMP 000007fe7e728000 .text C:\Windows\System32\svchost.exe[1772] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd5284d0 5 bytes JMP 000007fe7e727000 .text C:\Windows\System32\svchost.exe[1772] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd528b80 2 bytes JMP 000007fe7e725000 .text C:\Windows\System32\svchost.exe[1772] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW + 3 000007fefd528b83 2 bytes [1F, 81] .text C:\Windows\System32\svchost.exe[1772] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd529a00 5 bytes JMP 000007fe7e72b000 .text C:\Windows\System32\svchost.exe[1772] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd531930 5 bytes JMP 000007fe7e726000 .text C:\Windows\System32\svchost.exe[1772] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd5337a0 5 bytes JMP 000007fe7e729000 .text C:\Windows\System32\svchost.exe[1772] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd53a870 5 bytes JMP 000007fe7e723000 .text C:\Windows\System32\svchost.exe[1772] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd554130 5 bytes JMP 000007fe7e72a000 .text C:\Windows\System32\svchost.exe[1772] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007fefe71642c 5 bytes JMP 000007fe7e724000 .text C:\Windows\System32\svchost.exe[1772] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe716484 5 bytes JMP 000007fe7e720000 .text C:\Windows\System32\svchost.exe[1772] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefe716518 5 bytes JMP 000007fe7e722000 .text C:\Windows\System32\svchost.exe[1772] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe716c34 5 bytes JMP 000007fe7e721000 .text C:\Program Files (x86)\Pakiet Bezpieczeñstwa UPC\apps\CCF_Reputation\fsorsp.exe[1960] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000753b1401 2 bytes JMP 752cb233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Pakiet Bezpieczeñstwa UPC\apps\CCF_Reputation\fsorsp.exe[1960] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000753b1419 2 bytes JMP 752cb35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Pakiet Bezpieczeñstwa UPC\apps\CCF_Reputation\fsorsp.exe[1960] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000753b1431 2 bytes JMP 75349011 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Pakiet Bezpieczeñstwa UPC\apps\CCF_Reputation\fsorsp.exe[1960] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000753b144a 2 bytes CALL 752a48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Pakiet Bezpieczeñstwa UPC\apps\CCF_Reputation\fsorsp.exe[1960] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000753b14dd 2 bytes JMP 7534890a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Pakiet Bezpieczeñstwa UPC\apps\CCF_Reputation\fsorsp.exe[1960] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000753b14f5 2 bytes JMP 75348ae0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Pakiet Bezpieczeñstwa UPC\apps\CCF_Reputation\fsorsp.exe[1960] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000753b150d 2 bytes JMP 75348800 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Pakiet Bezpieczeñstwa UPC\apps\CCF_Reputation\fsorsp.exe[1960] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000753b1525 2 bytes JMP 75348bca C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Pakiet Bezpieczeñstwa UPC\apps\CCF_Reputation\fsorsp.exe[1960] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000753b153d 2 bytes JMP 752bfcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Pakiet Bezpieczeñstwa UPC\apps\CCF_Reputation\fsorsp.exe[1960] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000753b1555 2 bytes JMP 752c6907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Pakiet Bezpieczeñstwa UPC\apps\CCF_Reputation\fsorsp.exe[1960] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000753b156d 2 bytes JMP 753490c9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Pakiet Bezpieczeñstwa UPC\apps\CCF_Reputation\fsorsp.exe[1960] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000753b1585 2 bytes JMP 75348c2a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Pakiet Bezpieczeñstwa UPC\apps\CCF_Reputation\fsorsp.exe[1960] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000753b159d 2 bytes JMP 753487c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Pakiet Bezpieczeñstwa UPC\apps\CCF_Reputation\fsorsp.exe[1960] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000753b15b5 2 bytes JMP 752bfd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Pakiet Bezpieczeñstwa UPC\apps\CCF_Reputation\fsorsp.exe[1960] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000753b15cd 2 bytes JMP 752cb2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Pakiet Bezpieczeñstwa UPC\apps\CCF_Reputation\fsorsp.exe[1960] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000753b16b2 2 bytes JMP 75348f8c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Pakiet Bezpieczeñstwa UPC\apps\CCF_Reputation\fsorsp.exe[1960] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000753b16bd 2 bytes JMP 75348759 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Ralink\Common\RaRegistry.exe[2312] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 00000000777e008c 5 bytes JMP 00000000002d1000 .text C:\Program Files (x86)\Ralink\Common\RaRegistry.exe[2312] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 00000000777e08b4 5 bytes JMP 00000000002d0000 .text C:\Program Files (x86)\Ralink\Common\RaRegistry.exe[2312] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000777e09bc 5 bytes JMP 00000000002d2000 .text C:\Program Files (x86)\Ralink\Common\RaRegistry.exe[2312] C:\Windows\syswow64\kernel32.dll!OpenMutexA 00000000752bec57 5 bytes JMP 00000000002db000 .text C:\Program Files (x86)\Ralink\Common\RaRegistry.exe[2312] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000752c3b7a 5 bytes JMP 00000000002dd000 .text C:\Program Files (x86)\Ralink\Common\RaRegistry.exe[2312] C:\Windows\syswow64\kernel32.dll!CreateDirectoryExW 0000000075318ab1 2 bytes JMP 00000000002de000 .text C:\Program Files (x86)\Ralink\Common\RaRegistry.exe[2312] C:\Windows\syswow64\kernel32.dll!CreateDirectoryExW + 3 0000000075318ab4 2 bytes [FC, 8A] .text C:\Program Files (x86)\Ralink\Common\RaRegistry.exe[2312] C:\Windows\syswow64\KERNELBASE.dll!GetFileSizeEx 00000000770acf55 5 bytes JMP 00000000003e1000 .text C:\Program Files (x86)\Ralink\Common\RaRegistry.exe[2312] C:\Windows\syswow64\KERNELBASE.dll!GetFileSize 00000000770ae10b 5 bytes JMP 00000000003e0000 .text C:\Program Files (x86)\Ralink\Common\RaRegistry.exe[2312] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 00000000770aedb9 5 bytes JMP 00000000003e2000 .text C:\Program Files (x86)\Ralink\Common\RaRegistry.exe[2312] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexExW 00000000770b101e 5 bytes JMP 00000000002da000 .text C:\Program Files (x86)\Ralink\Common\RaRegistry.exe[2312] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 00000000770b1493 5 bytes JMP 00000000002dc000 .text C:\Program Files (x86)\Ralink\Common\RaRegistry.exe[2312] C:\Windows\syswow64\KERNELBASE.dll!TerminateThread 00000000770b3afb 5 bytes JMP 00000000002d8000 .text C:\Program Files (x86)\Ralink\Common\RaRegistry.exe[2312] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx 00000000770b3fe0 5 bytes JMP 00000000003e3000 .text C:\Program Files (x86)\Ralink\Common\RaRegistry.exe[2312] C:\Windows\syswow64\KERNELBASE.dll!CreateDirectoryW 00000000770b93b0 5 bytes JMP 00000000002df000 .text C:\Program Files (x86)\Ralink\Common\RaRegistry.exe[2312] C:\Windows\SysWOW64\sechost.dll!ControlService 0000000075174d5c 5 bytes JMP 00000000002d9000 .text C:\Program Files (x86)\Ralink\Common\RaRegistry.exe[2312] C:\Windows\SysWOW64\sechost.dll!CloseServiceHandle 0000000075174dc3 5 bytes JMP 00000000002d7000 .text C:\Program Files (x86)\Ralink\Common\RaRegistry.exe[2312] C:\Windows\SysWOW64\sechost.dll!OpenServiceW 000000007517714b 5 bytes JMP 00000000002d5000 .text C:\Program Files (x86)\Ralink\Common\RaRegistry.exe[2312] C:\Windows\SysWOW64\sechost.dll!OpenServiceA 0000000075177245 5 bytes JMP 00000000002d6000 .text C:\Program Files (x86)\Ralink\Common\RaRegistry.exe[2312] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000757d7613 5 bytes JMP 00000000002d4000 .text C:\Program Files (x86)\Ralink\Common\RaRegistry.exe[2312] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000757d836c 5 bytes JMP 00000000002d3000 .text C:\Program Files (x86)\Ralink\Common\RaRegistry.exe[2312] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000753b1401 2 bytes JMP 752cb233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Ralink\Common\RaRegistry.exe[2312] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000753b1419 2 bytes JMP 752cb35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Ralink\Common\RaRegistry.exe[2312] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000753b1431 2 bytes JMP 75349011 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Ralink\Common\RaRegistry.exe[2312] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000753b144a 2 bytes CALL 752a48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Ralink\Common\RaRegistry.exe[2312] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000753b14dd 2 bytes JMP 7534890a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Ralink\Common\RaRegistry.exe[2312] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000753b14f5 2 bytes JMP 75348ae0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Ralink\Common\RaRegistry.exe[2312] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000753b150d 2 bytes JMP 75348800 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Ralink\Common\RaRegistry.exe[2312] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000753b1525 2 bytes JMP 75348bca C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Ralink\Common\RaRegistry.exe[2312] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000753b153d 2 bytes JMP 752bfcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Ralink\Common\RaRegistry.exe[2312] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000753b1555 2 bytes JMP 752c6907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Ralink\Common\RaRegistry.exe[2312] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000753b156d 2 bytes JMP 753490c9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Ralink\Common\RaRegistry.exe[2312] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000753b1585 2 bytes JMP 75348c2a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Ralink\Common\RaRegistry.exe[2312] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000753b159d 2 bytes JMP 753487c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Ralink\Common\RaRegistry.exe[2312] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000753b15b5 2 bytes JMP 752bfd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Ralink\Common\RaRegistry.exe[2312] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000753b15cd 2 bytes JMP 752cb2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Ralink\Common\RaRegistry.exe[2312] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000753b16b2 2 bytes JMP 75348f8c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Ralink\Common\RaRegistry.exe[2312] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000753b16bd 2 bytes JMP 75348759 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\Dwm.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 000000007762d880 5 bytes JMP 0000000003911000 .text C:\Windows\system32\Dwm.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 000000007762ddd0 5 bytes JMP 0000000003910000 .text C:\Windows\system32\Dwm.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007762de80 5 bytes JMP 0000000003912000 .text C:\Windows\system32\Dwm.exe[2424] C:\Windows\system32\kernel32.dll!OpenMutexA 00000000774c27e0 5 bytes JMP 0000000003915000 .text C:\Windows\system32\Dwm.exe[2424] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000774d1890 5 bytes JMP 0000000003916000 .text C:\Windows\system32\Dwm.exe[2424] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 0000000077549140 5 bytes JMP 0000000003917000 .text C:\Windows\system32\Dwm.exe[2424] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd525030 5 bytes JMP 000007fe7e728000 .text C:\Windows\system32\Dwm.exe[2424] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd5284d0 5 bytes JMP 000007fe7e727000 .text C:\Windows\system32\Dwm.exe[2424] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd528b80 2 bytes JMP 000007fe7e725000 .text C:\Windows\system32\Dwm.exe[2424] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW + 3 000007fefd528b83 2 bytes [1F, 81] .text C:\Windows\system32\Dwm.exe[2424] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd529a00 5 bytes JMP 000007fe7e72b000 .text C:\Windows\system32\Dwm.exe[2424] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd531930 5 bytes JMP 000007fe7e726000 .text C:\Windows\system32\Dwm.exe[2424] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd5337a0 5 bytes JMP 000007fe7e729000 .text C:\Windows\system32\Dwm.exe[2424] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd53a870 5 bytes JMP 000007fe7e723000 .text C:\Windows\system32\Dwm.exe[2424] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd554130 5 bytes JMP 000007fe7e72a000 .text C:\Windows\system32\Dwm.exe[2424] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007fefe71642c 5 bytes JMP 000007fe7e724000 .text C:\Windows\system32\Dwm.exe[2424] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe716484 5 bytes JMP 000007fe7e720000 .text C:\Windows\system32\Dwm.exe[2424] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefe716518 5 bytes JMP 000007fe7e722000 .text C:\Windows\system32\Dwm.exe[2424] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe716c34 5 bytes JMP 000007fe7e721000 .text C:\Windows\system32\taskhost.exe[2476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 000000007762d880 5 bytes JMP 0000000002231000 .text C:\Windows\system32\taskhost.exe[2476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 000000007762ddd0 5 bytes JMP 0000000002230000 .text C:\Windows\system32\taskhost.exe[2476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007762de80 5 bytes JMP 0000000002232000 .text C:\Windows\system32\taskhost.exe[2476] C:\Windows\system32\kernel32.dll!OpenMutexA 00000000774c27e0 5 bytes JMP 0000000002235000 .text C:\Windows\system32\taskhost.exe[2476] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000774d1890 5 bytes JMP 0000000002236000 .text C:\Windows\system32\taskhost.exe[2476] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 0000000077549140 5 bytes JMP 0000000002237000 .text C:\Windows\system32\taskhost.exe[2476] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd525030 5 bytes JMP 000007fe7e728000 .text C:\Windows\system32\taskhost.exe[2476] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd5284d0 5 bytes JMP 000007fe7e727000 .text C:\Windows\system32\taskhost.exe[2476] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd528b80 2 bytes JMP 000007fe7e725000 .text C:\Windows\system32\taskhost.exe[2476] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW + 3 000007fefd528b83 2 bytes [1F, 81] .text C:\Windows\system32\taskhost.exe[2476] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd529a00 5 bytes JMP 000007fe7e72b000 .text C:\Windows\system32\taskhost.exe[2476] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd531930 5 bytes JMP 000007fe7e726000 .text C:\Windows\system32\taskhost.exe[2476] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd5337a0 5 bytes JMP 000007fe7e729000 .text C:\Windows\system32\taskhost.exe[2476] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd53a870 5 bytes JMP 000007fe7e723000 .text C:\Windows\system32\taskhost.exe[2476] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd554130 5 bytes JMP 000007fe7e72a000 .text C:\Windows\system32\taskhost.exe[2476] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007fefe71642c 5 bytes JMP 000007fe7e724000 .text C:\Windows\system32\taskhost.exe[2476] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe716484 5 bytes JMP 000007fe7e720000 .text C:\Windows\system32\taskhost.exe[2476] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefe716518 5 bytes JMP 000007fe7e722000 .text C:\Windows\system32\taskhost.exe[2476] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe716c34 5 bytes JMP 000007fe7e721000 .text C:\Windows\Explorer.EXE[2580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 000000007762d880 5 bytes JMP 00000000056b1000 .text C:\Windows\Explorer.EXE[2580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 000000007762ddd0 5 bytes JMP 00000000056b0000 .text C:\Windows\Explorer.EXE[2580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007762de80 5 bytes JMP 00000000056b2000 .text C:\Windows\Explorer.EXE[2580] C:\Windows\system32\kernel32.dll!OpenMutexA 00000000774c27e0 5 bytes JMP 00000000056b5000 .text C:\Windows\Explorer.EXE[2580] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000774d1890 5 bytes JMP 00000000056b6000 .text C:\Windows\Explorer.EXE[2580] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 0000000077549140 5 bytes JMP 00000000056b7000 .text C:\Windows\Explorer.EXE[2580] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd525030 5 bytes JMP 000007fe7e728000 .text C:\Windows\Explorer.EXE[2580] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd5284d0 5 bytes JMP 000007fe7e727000 .text C:\Windows\Explorer.EXE[2580] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd528b80 2 bytes JMP 000007fe7e725000 .text C:\Windows\Explorer.EXE[2580] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW + 3 000007fefd528b83 2 bytes [1F, 81] .text C:\Windows\Explorer.EXE[2580] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd529a00 5 bytes JMP 000007fe7e72b000 .text C:\Windows\Explorer.EXE[2580] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd531930 5 bytes JMP 000007fe7e726000 .text C:\Windows\Explorer.EXE[2580] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd5337a0 5 bytes JMP 000007fe7e729000 .text C:\Windows\Explorer.EXE[2580] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd53a870 5 bytes JMP 000007fe7e723000 .text C:\Windows\Explorer.EXE[2580] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd554130 5 bytes JMP 000007fe7e72a000 .text C:\Windows\Explorer.EXE[2580] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007fefe71642c 5 bytes JMP 000007fe7e724000 .text C:\Windows\Explorer.EXE[2580] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe716484 5 bytes JMP 000007fe7e720000 .text C:\Windows\Explorer.EXE[2580] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefe716518 5 bytes JMP 000007fe7e722000 .text C:\Windows\Explorer.EXE[2580] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe716c34 5 bytes JMP 000007fe7e721000 .text C:\Windows\Explorer.EXE[2580] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00000000773cf864 5 bytes JMP 00000000056b4000 .text C:\Windows\Explorer.EXE[2580] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00000000773e8c20 5 bytes JMP 00000000056b3000 .text C:\Program Files (x86)\Ralink\Common\RaRegistry64.exe[2868] C:\Windows\system32\kernel32.dll!OpenMutexA 00000000774c27e0 5 bytes JMP 0000000000205000 .text C:\Program Files (x86)\Ralink\Common\RaRegistry64.exe[2868] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000774d1890 5 bytes JMP 0000000000206000 .text C:\Program Files (x86)\Ralink\Common\RaRegistry64.exe[2868] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 0000000077549140 5 bytes JMP 0000000000207000 .text C:\Program Files (x86)\Ralink\Common\RaRegistry64.exe[2868] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd525030 5 bytes JMP 000007fe7e728000 .text C:\Program Files (x86)\Ralink\Common\RaRegistry64.exe[2868] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd5284d0 5 bytes JMP 000007fe7e727000 .text C:\Program Files (x86)\Ralink\Common\RaRegistry64.exe[2868] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd528b80 2 bytes JMP 000007fe7e725000 .text C:\Program Files (x86)\Ralink\Common\RaRegistry64.exe[2868] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW + 3 000007fefd528b83 2 bytes [1F, 81] .text C:\Program Files (x86)\Ralink\Common\RaRegistry64.exe[2868] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd529a00 5 bytes JMP 000007fe7e72b000 .text C:\Program Files (x86)\Ralink\Common\RaRegistry64.exe[2868] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd531930 5 bytes JMP 000007fe7e726000 .text C:\Program Files (x86)\Ralink\Common\RaRegistry64.exe[2868] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd5337a0 5 bytes JMP 000007fe7e729000 .text C:\Program Files (x86)\Ralink\Common\RaRegistry64.exe[2868] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd53a870 5 bytes JMP 000007fe7e723000 .text C:\Program Files (x86)\Ralink\Common\RaRegistry64.exe[2868] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd554130 5 bytes JMP 000007fe7e72a000 .text C:\Program Files (x86)\Ralink\Common\RaRegistry64.exe[2868] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007fefe71642c 5 bytes JMP 000007fe7e724000 .text C:\Program Files (x86)\Ralink\Common\RaRegistry64.exe[2868] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe716484 5 bytes JMP 000007fe7e720000 .text C:\Program Files (x86)\Ralink\Common\RaRegistry64.exe[2868] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefe716518 5 bytes JMP 000007fe7e722000 .text C:\Program Files (x86)\Ralink\Common\RaRegistry64.exe[2868] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe716c34 5 bytes JMP 000007fe7e721000 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2920] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 00000000777e008c 5 bytes JMP 0000000000651000 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2920] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 00000000777e08b4 5 bytes JMP 0000000000650000 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2920] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000777e09bc 5 bytes JMP 0000000000652000 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2920] C:\Windows\syswow64\kernel32.dll!OpenMutexA 00000000752bec57 5 bytes JMP 000000000065b000 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2920] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000752c3b7a 5 bytes JMP 000000000065d000 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2920] C:\Windows\syswow64\kernel32.dll!CreateDirectoryExW 0000000075318ab1 2 bytes JMP 000000000065e000 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2920] C:\Windows\syswow64\kernel32.dll!CreateDirectoryExW + 3 0000000075318ab4 2 bytes [34, 8B] .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2920] C:\Windows\syswow64\KERNELBASE.dll!GetFileSizeEx 00000000770acf55 5 bytes JMP 0000000000661000 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2920] C:\Windows\syswow64\KERNELBASE.dll!GetFileSize 00000000770ae10b 5 bytes JMP 0000000000660000 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2920] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 00000000770aedb9 5 bytes JMP 0000000000662000 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2920] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexExW 00000000770b101e 5 bytes JMP 000000000065a000 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2920] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 00000000770b1493 5 bytes JMP 000000000065c000 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2920] C:\Windows\syswow64\KERNELBASE.dll!TerminateThread 00000000770b3afb 5 bytes JMP 0000000000658000 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2920] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx 00000000770b3fe0 5 bytes JMP 0000000000663000 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2920] C:\Windows\syswow64\KERNELBASE.dll!CreateDirectoryW 00000000770b93b0 5 bytes JMP 000000000065f000 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2920] C:\Windows\SysWOW64\sechost.dll!ControlService 0000000075174d5c 5 bytes JMP 0000000000659000 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2920] C:\Windows\SysWOW64\sechost.dll!CloseServiceHandle 0000000075174dc3 5 bytes JMP 0000000000657000 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2920] C:\Windows\SysWOW64\sechost.dll!OpenServiceW 000000007517714b 5 bytes JMP 0000000000655000 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2920] C:\Windows\SysWOW64\sechost.dll!OpenServiceA 0000000075177245 5 bytes JMP 0000000000656000 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2920] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17 00000000753b1401 2 bytes JMP 752cb233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2920] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17 00000000753b1419 2 bytes JMP 752cb35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2920] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17 00000000753b1431 2 bytes JMP 75349011 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2920] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42 00000000753b144a 2 bytes CALL 752a48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2920] C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17 00000000753b14dd 2 bytes JMP 7534890a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2920] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17 00000000753b14f5 2 bytes JMP 75348ae0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2920] C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17 00000000753b150d 2 bytes JMP 75348800 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2920] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17 00000000753b1525 2 bytes JMP 75348bca C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2920] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17 00000000753b153d 2 bytes JMP 752bfcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2920] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17 00000000753b1555 2 bytes JMP 752c6907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2920] C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17 00000000753b156d 2 bytes JMP 753490c9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2920] C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17 00000000753b1585 2 bytes JMP 75348c2a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2920] C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17 00000000753b159d 2 bytes JMP 753487c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2920] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17 00000000753b15b5 2 bytes JMP 752bfd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2920] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17 00000000753b15cd 2 bytes JMP 752cb2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2920] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20 00000000753b16b2 2 bytes JMP 75348f8c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2920] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31 00000000753b16bd 2 bytes JMP 75348759 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2920] C:\Windows\syswow64\user32.dll!SetWindowsHookExW 00000000757d7613 5 bytes JMP 0000000000654000 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2920] C:\Windows\syswow64\user32.dll!SetWindowsHookExA 00000000757d836c 5 bytes JMP 0000000000653000 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 000000007762d880 5 bytes JMP 0000000000451000 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 000000007762ddd0 5 bytes JMP 0000000000450000 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007762de80 5 bytes JMP 0000000000452000 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3028] C:\Windows\system32\kernel32.dll!OpenMutexA 00000000774c27e0 5 bytes JMP 0000000000455000 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3028] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000774d1890 5 bytes JMP 0000000000456000 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3028] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 0000000077549140 5 bytes JMP 0000000000457000 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3028] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd525030 5 bytes JMP 000007fe7e728000 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3028] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd5284d0 5 bytes JMP 000007fe7e727000 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3028] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd528b80 2 bytes JMP 000007fe7e725000 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3028] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW + 3 000007fefd528b83 2 bytes [1F, 81] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3028] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd529a00 5 bytes JMP 000007fe7e72b000 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3028] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd531930 5 bytes JMP 000007fe7e726000 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3028] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd5337a0 5 bytes JMP 000007fe7e729000 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3028] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd53a870 5 bytes JMP 000007fe7e723000 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3028] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd554130 5 bytes JMP 000007fe7e72a000 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3028] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007fefe71642c 5 bytes JMP 000007fe7e724000 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3028] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe716484 5 bytes JMP 000007fe7e720000 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3028] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefe716518 5 bytes JMP 000007fe7e722000 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[3028] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe716c34 5 bytes JMP 000007fe7e721000 .text C:\Windows\system32\svchost.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 000000007762d880 5 bytes JMP 0000000000151000 .text C:\Windows\system32\svchost.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 000000007762ddd0 5 bytes JMP 0000000000150000 .text C:\Windows\system32\svchost.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007762de80 5 bytes JMP 0000000000152000 .text C:\Windows\system32\svchost.exe[148] C:\Windows\system32\kernel32.dll!OpenMutexA 00000000774c27e0 5 bytes JMP 0000000000155000 .text C:\Windows\system32\svchost.exe[148] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000774d1890 5 bytes JMP 0000000000156000 .text C:\Windows\system32\svchost.exe[148] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 0000000077549140 5 bytes JMP 0000000000157000 .text C:\Windows\system32\svchost.exe[148] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd525030 5 bytes JMP 000007fe7e728000 .text C:\Windows\system32\svchost.exe[148] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd5284d0 5 bytes JMP 000007fe7e727000 .text C:\Windows\system32\svchost.exe[148] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd528b80 2 bytes JMP 000007fe7e725000 .text C:\Windows\system32\svchost.exe[148] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW + 3 000007fefd528b83 2 bytes [1F, 81] .text C:\Windows\system32\svchost.exe[148] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd529a00 5 bytes JMP 000007fe7e72b000 .text C:\Windows\system32\svchost.exe[148] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd531930 5 bytes JMP 000007fe7e726000 .text C:\Windows\system32\svchost.exe[148] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd5337a0 5 bytes JMP 000007fe7e729000 .text C:\Windows\system32\svchost.exe[148] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd53a870 5 bytes JMP 000007fe7e723000 .text C:\Windows\system32\svchost.exe[148] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd554130 5 bytes JMP 000007fe7e72a000 .text C:\Windows\system32\svchost.exe[148] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007fefe71642c 5 bytes JMP 000007fe7e724000 .text C:\Windows\system32\svchost.exe[148] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe716484 5 bytes JMP 000007fe7e720000 .text C:\Windows\system32\svchost.exe[148] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefe716518 5 bytes JMP 000007fe7e722000 .text C:\Windows\system32\svchost.exe[148] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe716c34 5 bytes JMP 000007fe7e721000 .text C:\Program Files\Tablet\Pen\Pen_TabletUser.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 000000007762d880 5 bytes JMP 0000000000121000 .text C:\Program Files\Tablet\Pen\Pen_TabletUser.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 000000007762ddd0 5 bytes JMP 0000000000120000 .text C:\Program Files\Tablet\Pen\Pen_TabletUser.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007762de80 5 bytes JMP 0000000000122000 .text C:\Program Files\Tablet\Pen\Pen_TabletUser.exe[2640] C:\Windows\system32\kernel32.dll!OpenMutexA 00000000774c27e0 5 bytes JMP 0000000000125000 .text C:\Program Files\Tablet\Pen\Pen_TabletUser.exe[2640] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000774d1890 5 bytes JMP 0000000000126000 .text C:\Program Files\Tablet\Pen\Pen_TabletUser.exe[2640] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 0000000077549140 5 bytes JMP 0000000000127000 .text C:\Program Files\Tablet\Pen\Pen_TabletUser.exe[2640] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd525030 5 bytes JMP 000007fe7e728000 .text C:\Program Files\Tablet\Pen\Pen_TabletUser.exe[2640] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd5284d0 5 bytes JMP 000007fe7e727000 .text C:\Program Files\Tablet\Pen\Pen_TabletUser.exe[2640] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd528b80 2 bytes JMP 000007fe7e725000 .text C:\Program Files\Tablet\Pen\Pen_TabletUser.exe[2640] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW + 3 000007fefd528b83 2 bytes [1F, 81] .text C:\Program Files\Tablet\Pen\Pen_TabletUser.exe[2640] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd529a00 5 bytes JMP 000007fe7e72b000 .text C:\Program Files\Tablet\Pen\Pen_TabletUser.exe[2640] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd531930 5 bytes JMP 000007fe7e726000 .text C:\Program Files\Tablet\Pen\Pen_TabletUser.exe[2640] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd5337a0 5 bytes JMP 000007fe7e729000 .text C:\Program Files\Tablet\Pen\Pen_TabletUser.exe[2640] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd53a870 5 bytes JMP 000007fe7e723000 .text C:\Program Files\Tablet\Pen\Pen_TabletUser.exe[2640] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd554130 5 bytes JMP 000007fe7e72a000 .text C:\Program Files\Tablet\Pen\Pen_TabletUser.exe[2640] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007fefe71642c 5 bytes JMP 000007fe7e724000 .text C:\Program Files\Tablet\Pen\Pen_TabletUser.exe[2640] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe716484 5 bytes JMP 000007fe7e720000 .text C:\Program Files\Tablet\Pen\Pen_TabletUser.exe[2640] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefe716518 5 bytes JMP 000007fe7e722000 .text C:\Program Files\Tablet\Pen\Pen_TabletUser.exe[2640] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe716c34 5 bytes JMP 000007fe7e721000 .text C:\Program Files\Tablet\Pen\WacomHost.exe[2752] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 00000000777e008c 5 bytes JMP 0000000000451000 .text C:\Program Files\Tablet\Pen\WacomHost.exe[2752] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 00000000777e08b4 5 bytes JMP 0000000000450000 .text C:\Program Files\Tablet\Pen\WacomHost.exe[2752] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000777e09bc 5 bytes JMP 0000000000452000 .text C:\Program Files\Tablet\Pen\WacomHost.exe[2752] C:\Windows\syswow64\kernel32.dll!OpenMutexA 00000000752bec57 5 bytes JMP 000000000045b000 .text C:\Program Files\Tablet\Pen\WacomHost.exe[2752] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000752c3b7a 5 bytes JMP 000000000045d000 .text C:\Program Files\Tablet\Pen\WacomHost.exe[2752] C:\Windows\syswow64\kernel32.dll!CreateDirectoryExW 0000000075318ab1 2 bytes JMP 000000000045e000 .text C:\Program Files\Tablet\Pen\WacomHost.exe[2752] C:\Windows\syswow64\kernel32.dll!CreateDirectoryExW + 3 0000000075318ab4 2 bytes [14, 8B] .text C:\Program Files\Tablet\Pen\WacomHost.exe[2752] C:\Windows\syswow64\KERNELBASE.dll!GetFileSizeEx 00000000770acf55 5 bytes JMP 0000000000461000 .text C:\Program Files\Tablet\Pen\WacomHost.exe[2752] C:\Windows\syswow64\KERNELBASE.dll!GetFileSize 00000000770ae10b 5 bytes JMP 0000000000460000 .text C:\Program Files\Tablet\Pen\WacomHost.exe[2752] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 00000000770aedb9 5 bytes JMP 0000000000462000 .text C:\Program Files\Tablet\Pen\WacomHost.exe[2752] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexExW 00000000770b101e 5 bytes JMP 000000000045a000 .text C:\Program Files\Tablet\Pen\WacomHost.exe[2752] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 00000000770b1493 5 bytes JMP 000000000045c000 .text C:\Program Files\Tablet\Pen\WacomHost.exe[2752] C:\Windows\syswow64\KERNELBASE.dll!TerminateThread 00000000770b3afb 5 bytes JMP 0000000000458000 .text C:\Program Files\Tablet\Pen\WacomHost.exe[2752] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx 00000000770b3fe0 5 bytes JMP 0000000000463000 .text C:\Program Files\Tablet\Pen\WacomHost.exe[2752] C:\Windows\syswow64\KERNELBASE.dll!CreateDirectoryW 00000000770b93b0 5 bytes JMP 000000000045f000 .text C:\Program Files\Tablet\Pen\WacomHost.exe[2752] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000757d7613 5 bytes JMP 0000000000454000 .text C:\Program Files\Tablet\Pen\WacomHost.exe[2752] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000757d836c 5 bytes JMP 0000000000453000 .text C:\Program Files\Tablet\Pen\WacomHost.exe[2752] C:\Windows\SysWOW64\sechost.dll!ControlService 0000000075174d5c 5 bytes JMP 0000000000459000 .text C:\Program Files\Tablet\Pen\WacomHost.exe[2752] C:\Windows\SysWOW64\sechost.dll!CloseServiceHandle 0000000075174dc3 5 bytes JMP 0000000000457000 .text C:\Program Files\Tablet\Pen\WacomHost.exe[2752] C:\Windows\SysWOW64\sechost.dll!OpenServiceW 000000007517714b 5 bytes JMP 0000000000455000 .text C:\Program Files\Tablet\Pen\WacomHost.exe[2752] C:\Windows\SysWOW64\sechost.dll!OpenServiceA 0000000075177245 5 bytes JMP 0000000000456000 .text C:\Program Files\Tablet\Pen\WacomHost.exe[2752] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000753b1401 2 bytes JMP 752cb233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Tablet\Pen\WacomHost.exe[2752] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000753b1419 2 bytes JMP 752cb35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Tablet\Pen\WacomHost.exe[2752] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000753b1431 2 bytes JMP 75349011 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Tablet\Pen\WacomHost.exe[2752] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000753b144a 2 bytes CALL 752a48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files\Tablet\Pen\WacomHost.exe[2752] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000753b14dd 2 bytes JMP 7534890a C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Tablet\Pen\WacomHost.exe[2752] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000753b14f5 2 bytes JMP 75348ae0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Tablet\Pen\WacomHost.exe[2752] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000753b150d 2 bytes JMP 75348800 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Tablet\Pen\WacomHost.exe[2752] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000753b1525 2 bytes JMP 75348bca C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Tablet\Pen\WacomHost.exe[2752] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000753b153d 2 bytes JMP 752bfcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Tablet\Pen\WacomHost.exe[2752] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000753b1555 2 bytes JMP 752c6907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Tablet\Pen\WacomHost.exe[2752] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000753b156d 2 bytes JMP 753490c9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Tablet\Pen\WacomHost.exe[2752] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000753b1585 2 bytes JMP 75348c2a C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Tablet\Pen\WacomHost.exe[2752] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000753b159d 2 bytes JMP 753487c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Tablet\Pen\WacomHost.exe[2752] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000753b15b5 2 bytes JMP 752bfd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Tablet\Pen\WacomHost.exe[2752] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000753b15cd 2 bytes JMP 752cb2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Tablet\Pen\WacomHost.exe[2752] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000753b16b2 2 bytes JMP 75348f8c C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Tablet\Pen\WacomHost.exe[2752] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000753b16bd 2 bytes JMP 75348759 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Tablet\Pen\Pen_Tablet.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 000000007762d880 5 bytes JMP 0000000002af1000 .text C:\Program Files\Tablet\Pen\Pen_Tablet.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 000000007762ddd0 5 bytes JMP 0000000002af0000 .text C:\Program Files\Tablet\Pen\Pen_Tablet.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007762de80 5 bytes JMP 0000000002af2000 .text C:\Program Files\Tablet\Pen\Pen_Tablet.exe[1832] C:\Windows\system32\kernel32.dll!OpenMutexA 00000000774c27e0 5 bytes JMP 0000000002af5000 .text C:\Program Files\Tablet\Pen\Pen_Tablet.exe[1832] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000774d1890 5 bytes JMP 0000000002af6000 .text C:\Program Files\Tablet\Pen\Pen_Tablet.exe[1832] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 0000000077549140 5 bytes JMP 0000000002af7000 .text C:\Program Files\Tablet\Pen\Pen_Tablet.exe[1832] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd525030 5 bytes JMP 000007fe7e728000 .text C:\Program Files\Tablet\Pen\Pen_Tablet.exe[1832] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd5284d0 5 bytes JMP 000007fe7e727000 .text C:\Program Files\Tablet\Pen\Pen_Tablet.exe[1832] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd528b80 2 bytes JMP 000007fe7e725000 .text C:\Program Files\Tablet\Pen\Pen_Tablet.exe[1832] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW + 3 000007fefd528b83 2 bytes [1F, 81] .text C:\Program Files\Tablet\Pen\Pen_Tablet.exe[1832] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd529a00 5 bytes JMP 000007fe7e72b000 .text C:\Program Files\Tablet\Pen\Pen_Tablet.exe[1832] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd531930 5 bytes JMP 000007fe7e726000 .text C:\Program Files\Tablet\Pen\Pen_Tablet.exe[1832] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd5337a0 5 bytes JMP 000007fe7e729000 .text C:\Program Files\Tablet\Pen\Pen_Tablet.exe[1832] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd53a870 5 bytes JMP 000007fe7e723000 .text C:\Program Files\Tablet\Pen\Pen_Tablet.exe[1832] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd554130 5 bytes JMP 000007fe7e72a000 .text C:\Program Files\Tablet\Pen\Pen_Tablet.exe[1832] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007fefe71642c 5 bytes JMP 000007fe7e724000 .text C:\Program Files\Tablet\Pen\Pen_Tablet.exe[1832] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe716484 5 bytes JMP 000007fe7e720000 .text C:\Program Files\Tablet\Pen\Pen_Tablet.exe[1832] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefe716518 5 bytes JMP 000007fe7e722000 .text C:\Program Files\Tablet\Pen\Pen_Tablet.exe[1832] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe716c34 5 bytes JMP 000007fe7e721000 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 000000007762d880 5 bytes JMP 0000000000681000 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 000000007762ddd0 5 bytes JMP 0000000000680000 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007762de80 5 bytes JMP 0000000000682000 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2204] C:\Windows\system32\kernel32.dll!OpenMutexA 00000000774c27e0 5 bytes JMP 0000000000685000 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2204] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000774d1890 5 bytes JMP 0000000000686000 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2204] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 0000000077549140 4 bytes JMP 0000000000687000 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2204] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd525030 5 bytes JMP 000007fe7e728000 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2204] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd5284d0 5 bytes JMP 000007fe7e727000 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2204] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd528b80 2 bytes JMP 000007fe7e725000 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2204] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW + 3 000007fefd528b83 2 bytes [1F, 81] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2204] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd529a00 5 bytes JMP 000007fe7e72b000 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2204] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd531930 5 bytes JMP 000007fe7e726000 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2204] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd5337a0 5 bytes JMP 000007fe7e729000 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2204] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd53a870 5 bytes JMP 000007fe7e723000 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2204] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd554130 5 bytes JMP 000007fe7e72a000 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2204] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007fefe71642c 5 bytes JMP 000007fe7e724000 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2204] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe716484 5 bytes JMP 000007fe7e720000 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2204] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefe716518 5 bytes JMP 000007fe7e722000 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2204] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe716c34 5 bytes JMP 000007fe7e721000 .text C:\Program Files\Tablet\Pen\Pen_TouchUser.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 000000007762d880 5 bytes JMP 00000000005f1000 .text C:\Program Files\Tablet\Pen\Pen_TouchUser.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 000000007762ddd0 5 bytes JMP 00000000005f0000 .text C:\Program Files\Tablet\Pen\Pen_TouchUser.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007762de80 5 bytes JMP 00000000005f2000 .text C:\Program Files\Tablet\Pen\Pen_TouchUser.exe[2632] C:\Windows\system32\kernel32.dll!OpenMutexA 00000000774c27e0 5 bytes JMP 00000000005f5000 .text C:\Program Files\Tablet\Pen\Pen_TouchUser.exe[2632] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000774d1890 5 bytes JMP 00000000005f6000 .text C:\Program Files\Tablet\Pen\Pen_TouchUser.exe[2632] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 0000000077549140 4 bytes JMP 00000000005f7000 .text C:\Program Files\Tablet\Pen\Pen_TouchUser.exe[2632] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd525030 5 bytes JMP 000007fe7e728000 .text C:\Program Files\Tablet\Pen\Pen_TouchUser.exe[2632] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd5284d0 5 bytes JMP 000007fe7e727000 .text C:\Program Files\Tablet\Pen\Pen_TouchUser.exe[2632] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd528b80 2 bytes JMP 000007fe7e725000 .text C:\Program Files\Tablet\Pen\Pen_TouchUser.exe[2632] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW + 3 000007fefd528b83 2 bytes [1F, 81] .text C:\Program Files\Tablet\Pen\Pen_TouchUser.exe[2632] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd529a00 5 bytes JMP 000007fe7e72b000 .text C:\Program Files\Tablet\Pen\Pen_TouchUser.exe[2632] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd531930 5 bytes JMP 000007fe7e726000 .text C:\Program Files\Tablet\Pen\Pen_TouchUser.exe[2632] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd5337a0 5 bytes JMP 000007fe7e729000 .text C:\Program Files\Tablet\Pen\Pen_TouchUser.exe[2632] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd53a870 5 bytes JMP 000007fe7e723000 .text C:\Program Files\Tablet\Pen\Pen_TouchUser.exe[2632] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd554130 5 bytes JMP 000007fe7e72a000 .text C:\Program Files\Tablet\Pen\Pen_TouchUser.exe[2632] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007fefe71642c 5 bytes JMP 000007fe7e724000 .text C:\Program Files\Tablet\Pen\Pen_TouchUser.exe[2632] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe716484 5 bytes JMP 000007fe7e720000 .text C:\Program Files\Tablet\Pen\Pen_TouchUser.exe[2632] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefe716518 5 bytes JMP 000007fe7e722000 .text C:\Program Files\Tablet\Pen\Pen_TouchUser.exe[2632] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe716c34 5 bytes JMP 000007fe7e721000 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2760] C:\Windows\system32\kernel32.dll!OpenMutexA 00000000774c27e0 5 bytes JMP 0000000000075000 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2760] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000774d1890 5 bytes JMP 0000000000076000 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2760] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 0000000077549140 5 bytes JMP 0000000000077000 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2760] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd525030 5 bytes JMP 000007fe7e728000 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2760] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd5284d0 5 bytes JMP 000007fe7e727000 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2760] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd528b80 2 bytes JMP 000007fe7e725000 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2760] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW + 3 000007fefd528b83 2 bytes [1F, 81] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2760] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd529a00 5 bytes JMP 000007fe7e72b000 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2760] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd531930 5 bytes JMP 000007fe7e726000 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2760] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd5337a0 5 bytes JMP 000007fe7e729000 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2760] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd53a870 5 bytes JMP 000007fe7e723000 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2760] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd554130 5 bytes JMP 000007fe7e72a000 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2760] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007fefe71642c 5 bytes JMP 000007fe7e724000 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2760] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe716484 5 bytes JMP 000007fe7e720000 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2760] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefe716518 5 bytes JMP 000007fe7e722000 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2760] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe716c34 5 bytes JMP 000007fe7e721000 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 000000007762d880 5 bytes JMP 00000000022b1000 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 000000007762ddd0 5 bytes JMP 00000000022b0000 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007762de80 5 bytes JMP 00000000022b2000 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3468] C:\Windows\system32\kernel32.dll!OpenMutexA 00000000774c27e0 5 bytes JMP 00000000022b5000 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3468] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000774d1890 5 bytes JMP 00000000022b6000 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3468] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 0000000077549140 5 bytes JMP 00000000022b7000 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3468] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd525030 5 bytes JMP 000007fe7e728000 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3468] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd5284d0 5 bytes JMP 000007fe7e727000 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3468] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd528b80 2 bytes JMP 000007fe7e725000 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3468] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW + 3 000007fefd528b83 2 bytes [1F, 81] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3468] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd529a00 5 bytes JMP 000007fe7e72b000 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3468] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd531930 5 bytes JMP 000007fe7e726000 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3468] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd5337a0 5 bytes JMP 000007fe7e729000 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3468] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd53a870 5 bytes JMP 000007fe7e723000 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3468] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd554130 5 bytes JMP 000007fe7e72a000 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3468] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007fefe71642c 5 bytes JMP 000007fe7e724000 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3468] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe716484 5 bytes JMP 000007fe7e720000 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3468] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefe716518 5 bytes JMP 000007fe7e722000 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3468] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe716c34 5 bytes JMP 000007fe7e721000 .text C:\Program Files (x86)\Ralink\Common\RaUI.exe[3872] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 00000000777e008c 5 bytes JMP 0000000003ab1000 .text C:\Program Files (x86)\Ralink\Common\RaUI.exe[3872] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 00000000777e08b4 5 bytes JMP 0000000003ab0000 .text C:\Program Files (x86)\Ralink\Common\RaUI.exe[3872] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000777e09bc 5 bytes JMP 0000000003ab2000 .text C:\Program Files (x86)\Ralink\Common\RaUI.exe[3872] C:\Windows\syswow64\kernel32.dll!OpenMutexA 00000000752bec57 5 bytes JMP 0000000003abb000 .text C:\Program Files (x86)\Ralink\Common\RaUI.exe[3872] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000752c3b7a 5 bytes JMP 0000000003abd000 .text C:\Program Files (x86)\Ralink\Common\RaUI.exe[3872] C:\Windows\syswow64\kernel32.dll!CreateDirectoryExW 0000000075318ab1 2 bytes JMP 0000000003abe000 .text C:\Program Files (x86)\Ralink\Common\RaUI.exe[3872] C:\Windows\syswow64\kernel32.dll!CreateDirectoryExW + 3 0000000075318ab4 2 bytes [7A, 8E] .text C:\Program Files (x86)\Ralink\Common\RaUI.exe[3872] C:\Windows\syswow64\KERNELBASE.dll!GetFileSizeEx 00000000770acf55 5 bytes JMP 0000000003ba1000 .text C:\Program Files (x86)\Ralink\Common\RaUI.exe[3872] C:\Windows\syswow64\KERNELBASE.dll!GetFileSize 00000000770ae10b 5 bytes JMP 0000000003ba0000 .text C:\Program Files (x86)\Ralink\Common\RaUI.exe[3872] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 00000000770aedb9 5 bytes JMP 0000000003ba2000 .text C:\Program Files (x86)\Ralink\Common\RaUI.exe[3872] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexExW 00000000770b101e 5 bytes JMP 0000000003aba000 .text C:\Program Files (x86)\Ralink\Common\RaUI.exe[3872] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 00000000770b1493 5 bytes JMP 0000000003abc000 .text C:\Program Files (x86)\Ralink\Common\RaUI.exe[3872] C:\Windows\syswow64\KERNELBASE.dll!TerminateThread 00000000770b3afb 5 bytes JMP 0000000003ab8000 .text C:\Program Files (x86)\Ralink\Common\RaUI.exe[3872] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx 00000000770b3fe0 5 bytes JMP 0000000003ba3000 .text C:\Program Files (x86)\Ralink\Common\RaUI.exe[3872] C:\Windows\syswow64\KERNELBASE.dll!CreateDirectoryW 00000000770b93b0 5 bytes JMP 0000000003abf000 .text C:\Program Files (x86)\Ralink\Common\RaUI.exe[3872] C:\Windows\SysWOW64\sechost.dll!ControlService 0000000075174d5c 5 bytes JMP 0000000003ab9000 .text C:\Program Files (x86)\Ralink\Common\RaUI.exe[3872] C:\Windows\SysWOW64\sechost.dll!CloseServiceHandle 0000000075174dc3 5 bytes JMP 0000000003ab7000 .text C:\Program Files (x86)\Ralink\Common\RaUI.exe[3872] C:\Windows\SysWOW64\sechost.dll!OpenServiceW 000000007517714b 5 bytes JMP 0000000003ab5000 .text C:\Program Files (x86)\Ralink\Common\RaUI.exe[3872] C:\Windows\SysWOW64\sechost.dll!OpenServiceA 0000000075177245 5 bytes JMP 0000000003ab6000 .text C:\Program Files (x86)\Ralink\Common\RaUI.exe[3872] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000757d7613 5 bytes JMP 0000000003ab4000 .text C:\Program Files (x86)\Ralink\Common\RaUI.exe[3872] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000757d836c 5 bytes JMP 0000000003ab3000 .text C:\Program Files (x86)\Ralink\Common\RaUI.exe[3872] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000753b1401 2 bytes JMP 752cb233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Ralink\Common\RaUI.exe[3872] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000753b1419 2 bytes JMP 752cb35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Ralink\Common\RaUI.exe[3872] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000753b1431 2 bytes JMP 75349011 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Ralink\Common\RaUI.exe[3872] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000753b144a 2 bytes CALL 752a48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Ralink\Common\RaUI.exe[3872] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000753b14dd 2 bytes JMP 7534890a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Ralink\Common\RaUI.exe[3872] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000753b14f5 2 bytes JMP 75348ae0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Ralink\Common\RaUI.exe[3872] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000753b150d 2 bytes JMP 75348800 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Ralink\Common\RaUI.exe[3872] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000753b1525 2 bytes JMP 75348bca C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Ralink\Common\RaUI.exe[3872] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000753b153d 2 bytes JMP 752bfcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Ralink\Common\RaUI.exe[3872] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000753b1555 2 bytes JMP 752c6907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Ralink\Common\RaUI.exe[3872] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000753b156d 2 bytes JMP 753490c9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Ralink\Common\RaUI.exe[3872] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000753b1585 2 bytes JMP 75348c2a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Ralink\Common\RaUI.exe[3872] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000753b159d 2 bytes JMP 753487c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Ralink\Common\RaUI.exe[3872] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000753b15b5 2 bytes JMP 752bfd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Ralink\Common\RaUI.exe[3872] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000753b15cd 2 bytes JMP 752cb2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Ralink\Common\RaUI.exe[3872] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000753b16b2 2 bytes JMP 75348f8c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Ralink\Common\RaUI.exe[3872] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000753b16bd 2 bytes JMP 75348759 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Bamboo Dock\BambooCore.exe[2612] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 00000000777e008c 5 bytes JMP 0000000000271000 .text C:\Program Files (x86)\Bamboo Dock\BambooCore.exe[2612] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 00000000777e08b4 5 bytes JMP 0000000000270000 .text C:\Program Files (x86)\Bamboo Dock\BambooCore.exe[2612] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000777e09bc 5 bytes JMP 0000000000272000 .text C:\Program Files (x86)\Bamboo Dock\BambooCore.exe[2612] C:\Windows\syswow64\kernel32.dll!OpenMutexA 00000000752bec57 5 bytes JMP 000000000027b000 .text C:\Program Files (x86)\Bamboo Dock\BambooCore.exe[2612] C:\Windows\syswow64\kernel32.dll!CopyFileExW 00000000752c3b7a 5 bytes JMP 000000000027d000 .text C:\Program Files (x86)\Bamboo Dock\BambooCore.exe[2612] C:\Windows\syswow64\kernel32.dll!CreateDirectoryExW 0000000075318ab1 2 bytes JMP 000000000027e000 .text C:\Program Files (x86)\Bamboo Dock\BambooCore.exe[2612] C:\Windows\syswow64\kernel32.dll!CreateDirectoryExW + 3 0000000075318ab4 2 bytes [F6, 8A] .text C:\Program Files (x86)\Bamboo Dock\BambooCore.exe[2612] C:\Windows\syswow64\KERNELBASE.dll!GetFileSizeEx 00000000770acf55 5 bytes JMP 0000000000281000 .text C:\Program Files (x86)\Bamboo Dock\BambooCore.exe[2612] C:\Windows\syswow64\KERNELBASE.dll!GetFileSize 00000000770ae10b 5 bytes JMP 0000000000280000 .text C:\Program Files (x86)\Bamboo Dock\BambooCore.exe[2612] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 00000000770aedb9 5 bytes JMP 0000000000282000 .text C:\Program Files (x86)\Bamboo Dock\BambooCore.exe[2612] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexExW 00000000770b101e 5 bytes JMP 000000000027a000 .text C:\Program Files (x86)\Bamboo Dock\BambooCore.exe[2612] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 00000000770b1493 5 bytes JMP 000000000027c000 .text C:\Program Files (x86)\Bamboo Dock\BambooCore.exe[2612] C:\Windows\syswow64\KERNELBASE.dll!TerminateThread 00000000770b3afb 5 bytes JMP 0000000000278000 .text C:\Program Files (x86)\Bamboo Dock\BambooCore.exe[2612] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx 00000000770b3fe0 5 bytes JMP 0000000000283000 .text C:\Program Files (x86)\Bamboo Dock\BambooCore.exe[2612] C:\Windows\syswow64\KERNELBASE.dll!CreateDirectoryW 00000000770b93b0 5 bytes JMP 000000000027f000 .text C:\Program Files (x86)\Bamboo Dock\BambooCore.exe[2612] C:\Windows\SysWOW64\sechost.dll!ControlService 0000000075174d5c 5 bytes JMP 0000000000279000 .text C:\Program Files (x86)\Bamboo Dock\BambooCore.exe[2612] C:\Windows\SysWOW64\sechost.dll!CloseServiceHandle 0000000075174dc3 5 bytes JMP 0000000000277000 .text C:\Program Files (x86)\Bamboo Dock\BambooCore.exe[2612] C:\Windows\SysWOW64\sechost.dll!OpenServiceW 000000007517714b 5 bytes JMP 0000000000275000 .text C:\Program Files (x86)\Bamboo Dock\BambooCore.exe[2612] C:\Windows\SysWOW64\sechost.dll!OpenServiceA 0000000075177245 5 bytes JMP 0000000000276000 .text C:\Program Files (x86)\Bamboo Dock\BambooCore.exe[2612] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000757d7613 5 bytes JMP 0000000000274000 .text C:\Program Files (x86)\Bamboo Dock\BambooCore.exe[2612] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000757d836c 5 bytes JMP 0000000000273000 .text C:\Program Files (x86)\Bamboo Dock\BambooCore.exe[2612] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000753b1401 2 bytes JMP 752cb233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Bamboo Dock\BambooCore.exe[2612] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000753b1419 2 bytes JMP 752cb35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Bamboo Dock\BambooCore.exe[2612] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000753b1431 2 bytes JMP 75349011 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Bamboo Dock\BambooCore.exe[2612] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000753b144a 2 bytes CALL 752a48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Bamboo Dock\BambooCore.exe[2612] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000753b14dd 2 bytes JMP 7534890a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Bamboo Dock\BambooCore.exe[2612] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000753b14f5 2 bytes JMP 75348ae0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Bamboo Dock\BambooCore.exe[2612] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000753b150d 2 bytes JMP 75348800 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Bamboo Dock\BambooCore.exe[2612] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000753b1525 2 bytes JMP 75348bca C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Bamboo Dock\BambooCore.exe[2612] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000753b153d 2 bytes JMP 752bfcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Bamboo Dock\BambooCore.exe[2612] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000753b1555 2 bytes JMP 752c6907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Bamboo Dock\BambooCore.exe[2612] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000753b156d 2 bytes JMP 753490c9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Bamboo Dock\BambooCore.exe[2612] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000753b1585 2 bytes JMP 75348c2a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Bamboo Dock\BambooCore.exe[2612] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000753b159d 2 bytes JMP 753487c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Bamboo Dock\BambooCore.exe[2612] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000753b15b5 2 bytes JMP 752bfd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Bamboo Dock\BambooCore.exe[2612] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000753b15cd 2 bytes JMP 752cb2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Bamboo Dock\BambooCore.exe[2612] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000753b16b2 2 bytes JMP 75348f8c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Bamboo Dock\BambooCore.exe[2612] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000753b16bd 2 bytes JMP 75348759 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\svchost.exe[3240] C:\Windows\system32\kernel32.dll!OpenMutexA 00000000774c27e0 5 bytes JMP 00000000003a5000 .text C:\Windows\system32\svchost.exe[3240] C:\Windows\system32\kernel32.dll!CopyFileExW 00000000774d1890 5 bytes JMP 00000000003a6000 .text C:\Windows\system32\svchost.exe[3240] C:\Windows\system32\kernel32.dll!CreateDirectoryExW 0000000077549140 5 bytes JMP 00000000003a7000 .text C:\Windows\system32\svchost.exe[3240] C:\Windows\system32\KERNELBASE.dll!GetFileSize 000007fefd525030 5 bytes JMP 000007fe7e728000 .text C:\Windows\system32\svchost.exe[3240] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd5284d0 5 bytes JMP 000007fe7e727000 .text C:\Windows\system32\svchost.exe[3240] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW 000007fefd528b80 2 bytes JMP 000007fe7e725000 .text C:\Windows\system32\svchost.exe[3240] C:\Windows\system32\KERNELBASE.dll!CreateMutexExW + 3 000007fefd528b83 2 bytes [1F, 81] .text C:\Windows\system32\svchost.exe[3240] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefd529a00 5 bytes JMP 000007fe7e72b000 .text C:\Windows\system32\svchost.exe[3240] C:\Windows\system32\KERNELBASE.dll!OpenMutexW 000007fefd531930 5 bytes JMP 000007fe7e726000 .text C:\Windows\system32\svchost.exe[3240] C:\Windows\system32\KERNELBASE.dll!GetFileSizeEx 000007fefd5337a0 5 bytes JMP 000007fe7e729000 .text C:\Windows\system32\svchost.exe[3240] C:\Windows\system32\KERNELBASE.dll!TerminateThread 000007fefd53a870 5 bytes JMP 000007fe7e723000 .text C:\Windows\system32\svchost.exe[3240] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd554130 5 bytes JMP 000007fe7e72a000 .text C:\Windows\system32\svchost.exe[3240] C:\Windows\SYSTEM32\sechost.dll!ControlService 000007fefe71642c 5 bytes JMP 000007fe7e724000 .text C:\Windows\system32\svchost.exe[3240] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefe716484 5 bytes JMP 000007fe7e720000 .text C:\Windows\system32\svchost.exe[3240] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefe716518 5 bytes JMP 000007fe7e722000 .text C:\Windows\system32\svchost.exe[3240] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefe716c34 5 bytes JMP 000007fe7e721000 .text C:\Windows\system32\notepad.exe[5016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 000000007762d880 5 bytes JMP 0000000000411000 .text C:\Windows\system32\notepad.exe[5016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 000000007762ddd0 5 bytes JMP 0000000000410000 .text C:\Windows\system32\notepad.exe[5016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007762de80 5 bytes JMP 0000000000412000 .text C:\Program Files\Internet Explorer\iexplore.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 000000007762d880 5 bytes JMP 0000000000411000 .text C:\Program Files\Internet Explorer\iexplore.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 000000007762ddd0 5 bytes JMP 0000000000410000 .text C:\Program Files\Internet Explorer\iexplore.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007762de80 5 bytes JMP 0000000000412000 .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5572] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 00000000777e008c 5 bytes JMP 0000000000121000 .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5572] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 00000000777e08b4 5 bytes JMP 0000000000120000 .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5572] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000777e09bc 5 bytes JMP 0000000000122000 .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5572] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000753b1401 2 bytes JMP 752cb233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5572] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000753b1419 2 bytes JMP 752cb35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5572] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000753b1431 2 bytes JMP 75349011 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5572] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000753b144a 2 bytes CALL 752a48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5572] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000753b14dd 2 bytes JMP 7534890a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5572] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000753b14f5 2 bytes JMP 75348ae0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5572] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000753b150d 2 bytes JMP 75348800 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5572] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000753b1525 2 bytes JMP 75348bca C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5572] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000753b153d 2 bytes JMP 752bfcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5572] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000753b1555 2 bytes JMP 752c6907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5572] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000753b156d 2 bytes JMP 753490c9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5572] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000753b1585 2 bytes JMP 75348c2a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5572] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000753b159d 2 bytes JMP 753487c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5572] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000753b15b5 2 bytes JMP 752bfd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5572] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000753b15cd 2 bytes JMP 752cb2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5572] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000753b16b2 2 bytes JMP 75348f8c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5572] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000753b16bd 2 bytes JMP 75348759 C:\Windows\syswow64\kernel32.dll .text D:\Program Files (x86)\Pobrane\dvjt3xvg.exe[2252] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 00000000777e008c 5 bytes JMP 0000000000021000 .text D:\Program Files (x86)\Pobrane\dvjt3xvg.exe[2252] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 00000000777e08b4 5 bytes JMP 0000000000020000 .text D:\Program Files (x86)\Pobrane\dvjt3xvg.exe[2252] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000777e09bc 5 bytes JMP 0000000000022000 .text D:\Program Files (x86)\Pobrane\dvjt3xvg.exe[2252] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000753b1401 2 bytes JMP 752cb233 C:\Windows\syswow64\kernel32.dll .text D:\Program Files (x86)\Pobrane\dvjt3xvg.exe[2252] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000753b1419 2 bytes JMP 752cb35e C:\Windows\syswow64\kernel32.dll .text D:\Program Files (x86)\Pobrane\dvjt3xvg.exe[2252] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000753b1431 2 bytes JMP 75349011 C:\Windows\syswow64\kernel32.dll .text D:\Program Files (x86)\Pobrane\dvjt3xvg.exe[2252] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000753b144a 2 bytes CALL 752a48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text D:\Program Files (x86)\Pobrane\dvjt3xvg.exe[2252] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000753b14dd 2 bytes JMP 7534890a C:\Windows\syswow64\kernel32.dll .text D:\Program Files (x86)\Pobrane\dvjt3xvg.exe[2252] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000753b14f5 2 bytes JMP 75348ae0 C:\Windows\syswow64\kernel32.dll .text D:\Program Files (x86)\Pobrane\dvjt3xvg.exe[2252] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000753b150d 2 bytes JMP 75348800 C:\Windows\syswow64\kernel32.dll .text D:\Program Files (x86)\Pobrane\dvjt3xvg.exe[2252] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000753b1525 2 bytes JMP 75348bca C:\Windows\syswow64\kernel32.dll .text D:\Program Files (x86)\Pobrane\dvjt3xvg.exe[2252] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000753b153d 2 bytes JMP 752bfcc0 C:\Windows\syswow64\kernel32.dll .text D:\Program Files (x86)\Pobrane\dvjt3xvg.exe[2252] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000753b1555 2 bytes JMP 752c6907 C:\Windows\syswow64\kernel32.dll .text D:\Program Files (x86)\Pobrane\dvjt3xvg.exe[2252] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000753b156d 2 bytes JMP 753490c9 C:\Windows\syswow64\kernel32.dll .text D:\Program Files (x86)\Pobrane\dvjt3xvg.exe[2252] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000753b1585 2 bytes JMP 75348c2a C:\Windows\syswow64\kernel32.dll .text D:\Program Files (x86)\Pobrane\dvjt3xvg.exe[2252] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000753b159d 2 bytes JMP 753487c4 C:\Windows\syswow64\kernel32.dll .text D:\Program Files (x86)\Pobrane\dvjt3xvg.exe[2252] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000753b15b5 2 bytes JMP 752bfd59 C:\Windows\syswow64\kernel32.dll .text D:\Program Files (x86)\Pobrane\dvjt3xvg.exe[2252] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000753b15cd 2 bytes JMP 752cb2f4 C:\Windows\syswow64\kernel32.dll .text D:\Program Files (x86)\Pobrane\dvjt3xvg.exe[2252] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000753b16b2 2 bytes JMP 75348f8c C:\Windows\syswow64\kernel32.dll .text D:\Program Files (x86)\Pobrane\dvjt3xvg.exe[2252] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000753b16bd 2 bytes JMP 75348759 C:\Windows\syswow64\kernel32.dll ---- User IAT/EAT - GMER 2.2 ---- IAT C:\Program Files\Internet Explorer\iexplore.exe[5140] @ C:\Program Files\Internet Explorer\iexplore.exe[KERNEL32.dll!GetProcAddress] [7feee3d1c40] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5140] @ C:\Windows\system32\USER32.dll[KERNEL32.dll!GetProcAddress] [7feee3d1c40] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5140] @ C:\Windows\system32\GDI32.dll[KERNEL32.dll!GetProcAddress] [7feee3d1c40] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5140] @ C:\Windows\system32\advapi32.DLL[KERNEL32.dll!GetProcAddress] [7feee3d1c40] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5140] @ C:\Windows\system32\shell32.DLL[USER32.dll!MessageBoxW] [7feee416840] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5140] @ C:\Windows\system32\shell32.DLL[USER32.dll!DialogBoxParamW] [7feee4162b0] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5140] @ C:\Windows\system32\shell32.DLL[USER32.dll!MessageBoxIndirectW] [7feee3f0750] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5140] @ C:\Windows\system32\shell32.DLL[USER32.dll!EnableWindow] [7feee3def00] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5140] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!GetProcAddress] [7feee3d1c40] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5140] @ C:\Windows\system32\SHLWAPI.dll[USER32.dll!DialogBoxParamW] [7feee4162b0] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5140] @ C:\Windows\system32\SHLWAPI.dll[USER32.dll!DialogBoxParamA] [7feee4161b0] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5140] @ C:\Windows\system32\SHLWAPI.dll[USER32.dll!MessageBoxW] [7feee416840] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5140] @ C:\Windows\system32\iertutil.dll[KERNEL32.dll!GetProcAddress] [7feee3d1c40] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5140] @ C:\Windows\system32\version.DLL[KERNEL32.dll!GetProcAddress] [7feee3d1c40] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5140] @ C:\Windows\system32\IMM32.DLL[KERNEL32.dll!GetProcAddress] [7feee3d1c40] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5140] @ C:\Windows\system32\MSCTF.dll[KERNEL32.dll!GetProcAddress] [7feee3d1c40] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5140] @ C:\Windows\system32\IEFRAME.dll[KERNEL32.dll!GetProcAddress] [7feee3d1c40] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5140] @ C:\Windows\system32\IEFRAME.dll[USER32.dll!EnableWindow] [7feee3def00] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5140] @ C:\Windows\system32\IEFRAME.dll[USER32.dll!DialogBoxParamW] [7feee4162b0] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5140] @ C:\Windows\system32\IEFRAME.dll[USER32.dll!MessageBoxW] [7feee416840] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5140] @ C:\Windows\system32\IEFRAME.dll[USER32.dll!MessageBoxIndirectW] [7feee3f0750] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5140] @ C:\Windows\system32\ole32.dll[USER32.dll!EnableWindow] [7feee3def00] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5140] @ C:\Windows\system32\ole32.dll[USER32.dll!DialogBoxParamW] [7feee4162b0] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5140] @ C:\Windows\system32\ole32.dll[USER32.dll!MessageBoxW] [7feee416840] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5140] @ C:\Windows\system32\OLEAUT32.dll[KERNEL32.dll!GetProcAddress] [7feee3d1c40] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5140] @ C:\Windows\system32\OLEAUT32.dll[USER32.dll!EnableWindow] [7feee3def00] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5140] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757\comctl32.dll[USER32.dll!EnableWindow] [7feee3def00] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5140] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757\comctl32.dll[USER32.dll!DialogBoxIndirectParamW] [7feee4160d0] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5140] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757\comctl32.dll[KERNEL32.dll!GetProcAddress] [7feee3d1c40] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5140] @ C:\Windows\system32\comdlg32.dll[USER32.dll!EnableWindow] [7feee3def00] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5140] @ C:\Windows\system32\comdlg32.dll[USER32.dll!DialogBoxIndirectParamW] [7feee4160d0] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5140] @ C:\Windows\system32\comdlg32.dll[USER32.dll!MessageBoxW] [7feee416840] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5140] @ C:\Windows\system32\comdlg32.dll[COMCTL32.dll!PropertySheetW] [7feee416f30] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5140] @ C:\Windows\system32\comdlg32.dll[KERNEL32.dll!GetProcAddress] [7feee3d1c40] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5140] @ C:\Windows\system32\uxtheme.dll[KERNEL32.dll!GetProcAddress] [7feee3d1c40] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5140] @ C:\Windows\system32\urlmon.dll[KERNEL32.dll!GetProcAddress] [7feee3d1c40] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5140] @ C:\Windows\system32\urlmon.dll[USER32.dll!EnableWindow] [7feee3def00] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5140] @ C:\Windows\system32\urlmon.dll[USER32.dll!DialogBoxParamW] [7feee4162b0] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5140] @ C:\Windows\system32\WININET.dll[KERNEL32.dll!GetProcAddress] [7feee3d1c40] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5140] @ C:\Windows\system32\dwmapi.dll[KERNEL32.dll!GetProcAddress] [7feee3d1c40] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5140] @ C:\Windows\system32\Secur32.dll[KERNEL32.dll!GetProcAddress] [7feee3d1c40] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5140] @ C:\Windows\system32\CLBCatQ.DLL[USER32.dll!DialogBoxParamW] [7feee4162b0] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5140] @ C:\Windows\system32\CLBCatQ.DLL[KERNEL32.dll!GetProcAddress] [7feee3d1c40] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5140] @ C:\Windows\System32\netprofm.dll[KERNEL32.dll!GetProcAddress] [7feee3d1c40] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5140] @ C:\Windows\System32\nlaapi.dll[KERNEL32.dll!GetProcAddress] [7feee3d1c40] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5140] @ C:\Windows\system32\rsaenh.dll[KERNEL32.dll!GetProcAddress] [7feee3d1c40] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5140] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL[KERNEL32.dll!GetProcAddress] [7feee3d1c40] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5140] @ C:\Program Files\Internet Explorer\ieproxy.dll[KERNEL32.dll!GetProcAddress] [7feee3d1c40] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5140] @ C:\Windows\System32\fwpuclnt.dll[KERNEL32.dll!GetProcAddress] [7feee3d1c40] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5140] @ C:\Windows\system32\apphelp.dll[KERNEL32.dll!GetProcAddress] [7feee3d1c40] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5140] @ C:\Windows\system32\CRYPT32.dll[KERNEL32.dll!GetProcAddress] [7feee3d1c40] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5140] @ C:\Windows\system32\IEUI.dll[KERNEL32.dll!GetProcAddress] [7feee3d1c40] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5140] @ C:\Windows\system32\windowscodecs.dll[KERNEL32.dll!GetProcAddress] [7feee3d1c40] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5140] @ C:\Windows\system32\oleacc.dll[KERNEL32.dll!GetProcAddress] [7feee3d1c40] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5140] @ C:\Windows\system32\explorerframe.dll[KERNEL32.dll!GetProcAddress] [7feee3d1c40] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5140] @ C:\Windows\system32\explorerframe.dll[USER32.dll!EnableWindow] [7feee3def00] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5140] @ C:\Windows\system32\DUser.dll[KERNEL32.dll!GetProcAddress] [7feee3d1c40] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5140] @ C:\Windows\system32\DUI70.dll[USER32.dll!EnableWindow] [7feee3def00] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5140] @ C:\Windows\system32\DUI70.dll[KERNEL32.dll!GetProcAddress] [7feee3d1c40] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5140] @ C:\Windows\system32\MLANG.dll[KERNEL32.dll!GetProcAddress] [7feee3d1c40] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5140] @ C:\Windows\system32\PROPSYS.dll[KERNEL32.dll!GetProcAddress] [7feee3d1c40] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5140] @ C:\Windows\system32\SETUPAPI.dll[KERNEL32.dll!GetProcAddress] [7feee3d1c40] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5140] @ C:\Windows\system32\SETUPAPI.dll[USER32.dll!DialogBoxParamW] [7feee4162b0] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5140] @ C:\Windows\system32\SETUPAPI.dll[USER32.dll!EnableWindow] [7feee3def00] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5140] @ C:\Windows\system32\SETUPAPI.dll[USER32.dll!MessageBoxW] [7feee416840] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5140] @ C:\Windows\system32\CFGMGR32.dll[KERNEL32.dll!GetProcAddress] [7feee3d1c40] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5140] @ C:\Windows\system32\ntmarta.dll[KERNEL32.dll!GetProcAddress] [7feee3d1c40] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5140] @ C:\Windows\system32\WLDAP32.dll[KERNEL32.dll!GetProcAddress] [7feee3d1c40] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5140] @ C:\Windows\system32\dxgi.dll[KERNEL32.dll!GetProcAddress] [7feee3d1c40] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5140] @ C:\Windows\system32\WINTRUST.dll[KERNEL32.dll!GetProcAddress] [7feee3d1c40] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5140] @ C:\Windows\System32\ieapfltr.dll[KERNEL32.dll!GetProcAddress] [7feee3d1c40] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5140] @ C:\Program Files\Windows Defender\MpOav.dll[KERNEL32.dll!GetProcAddress] [7feee3d1c40] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5140] @ C:\Windows\system32\MPR.dll[KERNEL32.dll!GetProcAddress] [7feee3d1c40] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5140] @ C:\Windows\system32\credssp.dll[KERNEL32.dll!GetProcAddress] [7feee3d1c40] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5140] @ C:\Windows\system32\schannel.DLL[KERNEL32.dll!GetProcAddress] [7feee3d1c40] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5140] @ C:\Windows\system32\bcrypt.dll[KERNEL32.dll!GetProcAddress] [7feee3d1c40] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5140] @ C:\Windows\system32\cryptnet.dll[KERNEL32.dll!GetProcAddress] [7feee3d1c40] C:\Program Files\Internet Explorer\IEShims.dll ---- EOF - GMER 2.2 ----