GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-11-24 16:00:47
Windows 5.1.2600 Dodatek Service Pack 3
Harddisk1\DR1 -> \Device\Ide\IdeDeviceP3T1L0-19 WDC_WD5000AAKS-00D2B0 rev.12.01C02
Running: vri0q7o3.exe; Driver: C:\DOCUME~1\BigBlue\USTAWI~1\Temp\pgqyrpog.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwAdjustPrivilegesToken [0xB715079A]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwConnectPort [0xB714FD46]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateFile [0xB7150400]
SSDT TfSysMon.sys (ThreatFire System Monitor/PC Tools) ZwCreateKey [0xB9EBAC00]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateSection [0xB7152ABC]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateSymbolicLinkObject [0xB7152E3A]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateThread [0xB714F732]
SSDT TfSysMon.sys (ThreatFire System Monitor/PC Tools) ZwDeleteKey [0xB9EBAE60]
SSDT TfSysMon.sys (ThreatFire System Monitor/PC Tools) ZwDeleteValueKey [0xB9EBAF20]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwDuplicateObject [0xB714F538]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwEnumerateKey [0xB71516C6]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwEnumerateValueKey [0xB715191C]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwLoadDriver [0xB71524EE]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwMakeTemporaryObject [0xB715000E]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenFile [0xB71505DC]
SSDT TfSysMon.sys (ThreatFire System Monitor/PC Tools) ZwOpenKey [0xB9EBAAA0]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenProcess [0xB714F166]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenSection [0xB71502A8]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenThread [0xB714F36A]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwQueryKey [0xB7151B2A]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwQueryMultipleValueKey [0xB7151F7E]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwQueryValueKey [0xB7151D3C]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwRenameKey [0xB71514DE]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSetSecurityObject [0xB7150DB6]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSetSystemInformation [0xB71527DA]
SSDT TfSysMon.sys (ThreatFire System Monitor/PC Tools) ZwSetValueKey [0xB9EBB120]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwShutdownSystem [0xB714FF78]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSystemDebugControl [0xB7150194]
SSDT TfSysMon.sys (ThreatFire System Monitor/PC Tools) ZwTerminateProcess [0xB9EBD2D0]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwTerminateThread [0xB714F936]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Java\jre6\bin\jqs.exe[216] ntdll.dll!NtClose 7C90CFEE 2 Bytes JMP 1001D060
C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Java\jre6\bin\jqs.exe[216] ntdll.dll!NtClose + 3 7C90CFF1 2 Bytes [71, 93] {JNO 0xffffffffffffff95} .text C:\Program Files\Java\jre6\bin\jqs.exe[216] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Java\jre6\bin\jqs.exe[216] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [54, 71] .text C:\Program Files\Java\jre6\bin\jqs.exe[216] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BB20 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Java\jre6\bin\jqs.exe[216] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B800 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Java\jre6\bin\jqs.exe[216] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Java\jre6\bin\jqs.exe[216] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [6C, 71] .text C:\Program Files\Java\jre6\bin\jqs.exe[216] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10027DD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Java\jre6\bin\jqs.exe[216] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001D180 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Java\jre6\bin\jqs.exe[216] kernel32.dll!DeviceIoControl 7C801629 6 Bytes JMP 70DD000A .text C:\Program Files\Java\jre6\bin\jqs.exe[216] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 7110000A .text C:\Program Files\Java\jre6\bin\jqs.exe[216] kernel32.dll!VirtualProtectEx 7C801A61 6 Bytes JMP 7158000A .text C:\Program Files\Java\jre6\bin\jqs.exe[216] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 7104000A .text C:\Program Files\Java\jre6\bin\jqs.exe[216] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71A90001 .text C:\Program Files\Java\jre6\bin\jqs.exe[216] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 7193000A .text C:\Program 
Files\Java\jre6\bin\jqs.exe[216] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 7199000A .text C:\Program Files\Java\jre6\bin\jqs.exe[216] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 7196000A .text C:\Program Files\Java\jre6\bin\jqs.exe[216] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10024F10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Java\jre6\bin\jqs.exe[216] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025AA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Java\jre6\bin\jqs.exe[216] kernel32.dll!VirtualAlloc 7C809AF1 6 Bytes JMP 7107000A .text C:\Program Files\Java\jre6\bin\jqs.exe[216] kernel32.dll!MultiByteToWideChar 7C809C98 6 Bytes JMP 70B6000A .text C:\Program Files\Java\jre6\bin\jqs.exe[216] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 70F2000A .text C:\Program Files\Java\jre6\bin\jqs.exe[216] kernel32.dll!WideCharToMultiByte 7C80A174 6 Bytes JMP 7095000A .text C:\Program Files\Java\jre6\bin\jqs.exe[216] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 7146000A .text C:\Program Files\Java\jre6\bin\jqs.exe[216] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 7190000A .text C:\Program Files\Java\jre6\bin\jqs.exe[216] kernel32.dll!CreateMutexW 7C80E957 6 Bytes JMP 70BF000A .text C:\Program Files\Java\jre6\bin\jqs.exe[216] kernel32.dll!CreateMutexA 7C80E9DF 6 Bytes JMP 70C2000A .text C:\Program Files\Java\jre6\bin\jqs.exe[216] kernel32.dll!OpenMutexW 7C80EA35 6 Bytes JMP 70B9000A .text C:\Program Files\Java\jre6\bin\jqs.exe[216] kernel32.dll!OpenMutexA 7C80EABB 6 Bytes JMP 70BC000A .text C:\Program Files\Java\jre6\bin\jqs.exe[216] kernel32.dll!GetVolumeInformationW 7C80FA85 6 Bytes JMP 7140000A .text C:\Program Files\Java\jre6\bin\jqs.exe[216] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E] .text C:\Program Files\Java\jre6\bin\jqs.exe[216] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [AB, 71] .text C:\Program 
Files\Java\jre6\bin\jqs.exe[216] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 710A000A .text C:\Program Files\Java\jre6\bin\jqs.exe[216] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 7113000A .text C:\Program Files\Java\jre6\bin\jqs.exe[216] kernel32.dll!WriteFile 7C810E27 6 Bytes JMP 70D4000A .text C:\Program Files\Java\jre6\bin\jqs.exe[216] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 716A000A .text C:\Program Files\Java\jre6\bin\jqs.exe[216] kernel32.dll!MoveFileW 7C821261 6 Bytes JMP 708F000A .text C:\Program Files\Java\jre6\bin\jqs.exe[216] kernel32.dll!CreateDirectoryA 7C8217AC 6 Bytes JMP 70DA000A .text C:\Program Files\Java\jre6\bin\jqs.exe[216] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 7143000A .text C:\Program Files\Java\jre6\bin\jqs.exe[216] kernel32.dll!CopyFileExW 7C827B32 6 Bytes JMP 70E6000A .text C:\Program Files\Java\jre6\bin\jqs.exe[216] kernel32.dll!CopyFileA 7C8286EE 6 Bytes JMP 70EF000A .text C:\Program Files\Java\jre6\bin\jqs.exe[216] kernel32.dll!CopyFileW 7C82F87B 6 Bytes JMP 70EC000A .text C:\Program Files\Java\jre6\bin\jqs.exe[216] kernel32.dll!OpenProcess 7C8309E9 6 Bytes JMP 7086000A .text C:\Program Files\Java\jre6\bin\jqs.exe[216] kernel32.dll!DeleteFileA 7C831EDD 6 Bytes JMP 70A7000A .text C:\Program Files\Java\jre6\bin\jqs.exe[216] kernel32.dll!DeleteFileW 7C831F63 6 Bytes JMP 70A4000A .text C:\Program Files\Java\jre6\bin\jqs.exe[216] kernel32.dll!CreateDirectoryW 7C832402 6 Bytes JMP 70D7000A .text C:\Program Files\Java\jre6\bin\jqs.exe[216] kernel32.dll!MoveFileExW 7C83568B 6 Bytes JMP 7089000A .text C:\Program Files\Java\jre6\bin\jqs.exe[216] kernel32.dll!MoveFileA 7C835EBF 6 Bytes JMP 7092000A .text C:\Program Files\Java\jre6\bin\jqs.exe[216] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 7167000A .text C:\Program Files\Java\jre6\bin\jqs.exe[216] kernel32.dll!MoveFileExA 7C85E49B 6 Bytes JMP 708C000A .text C:\Program Files\Java\jre6\bin\jqs.exe[216] kernel32.dll!CopyFileExA 7C85F39C 6 Bytes JMP 70E9000A 
.text C:\Program Files\Java\jre6\bin\jqs.exe[216] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 7173000A .text C:\Program Files\Java\jre6\bin\jqs.exe[216] kernel32.dll!SetThreadContext 7C863C09 6 Bytes JMP 70D1000A .text C:\Program Files\Java\jre6\bin\jqs.exe[216] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 710D000A .text C:\Program Files\Java\jre6\bin\jqs.exe[216] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 6 Bytes JMP 7128000A .text C:\Program Files\Java\jre6\bin\jqs.exe[216] ADVAPI32.dll!RegQueryValueExW 77DC6FFF 6 Bytes JMP 7116000A .text C:\Program Files\Java\jre6\bin\jqs.exe[216] ADVAPI32.dll!RegCreateKeyExW 77DC776C 6 Bytes JMP 713A000A .text C:\Program Files\Java\jre6\bin\jqs.exe[216] ADVAPI32.dll!RegOpenKeyExA 77DC7852 6 Bytes JMP 712B000A .text C:\Program Files\Java\jre6\bin\jqs.exe[216] ADVAPI32.dll!RegOpenKeyW 77DC7946 6 Bytes JMP 712E000A .text C:\Program Files\Java\jre6\bin\jqs.exe[216] ADVAPI32.dll!OpenProcessToken 77DC798B 6 Bytes JMP 70CE000A .text C:\Program Files\Java\jre6\bin\jqs.exe[216] ADVAPI32.dll!RegQueryValueExA 77DC7ABB 6 Bytes JMP 7119000A .text C:\Program Files\Java\jre6\bin\jqs.exe[216] ADVAPI32.dll!RegSetValueExW 77DCD767 6 Bytes JMP 7122000A .text C:\Program Files\Java\jre6\bin\jqs.exe[216] ADVAPI32.dll!RegQueryValueW 77DCD87A 6 Bytes JMP 711C000A .text C:\Program Files\Java\jre6\bin\jqs.exe[216] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 6 Bytes JMP 713D000A .text C:\Program Files\Java\jre6\bin\jqs.exe[216] ADVAPI32.dll!RegSetValueExA 77DCEAE7 6 Bytes JMP 7125000A .text C:\Program Files\Java\jre6\bin\jqs.exe[216] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 6 Bytes JMP 7131000A .text C:\Program Files\Java\jre6\bin\jqs.exe[216] ADVAPI32.dll!AdjustTokenPrivileges 77DCF00C 6 Bytes JMP 70C5000A .text C:\Program Files\Java\jre6\bin\jqs.exe[216] ADVAPI32.dll!RegDeleteKeyA 77DD42A0 6 Bytes JMP 70A1000A .text C:\Program Files\Java\jre6\bin\jqs.exe[216] ADVAPI32.dll!RegDeleteKeyW 77DD559B 6 Bytes JMP 709E000A .text C:\Program 
Files\Java\jre6\bin\jqs.exe[216] ADVAPI32.dll!OpenSCManagerW 77DD6F55 6 Bytes JMP 70FE000A .text C:\Program Files\Java\jre6\bin\jqs.exe[216] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 5 Bytes JMP 10023A40 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Java\jre6\bin\jqs.exe[216] ADVAPI32.dll!OpenSCManagerA 77DE69AE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Java\jre6\bin\jqs.exe[216] ADVAPI32.dll!OpenSCManagerA + 4 77DE69B2 2 Bytes [00, 71] .text C:\Program Files\Java\jre6\bin\jqs.exe[216] ADVAPI32.dll!LookupPrivilegeValueW 77DEB8DF 6 Bytes JMP 70C8000A .text C:\Program Files\Java\jre6\bin\jqs.exe[216] ADVAPI32.dll!RegCreateKeyW 77DEBA55 6 Bytes JMP 7134000A .text C:\Program Files\Java\jre6\bin\jqs.exe[216] ADVAPI32.dll!RegQueryValueA 77DEBB8D 6 Bytes JMP 711F000A .text C:\Program Files\Java\jre6\bin\jqs.exe[216] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 6 Bytes JMP 7137000A .text C:\Program Files\Java\jre6\bin\jqs.exe[216] ADVAPI32.dll!LookupPrivilegeValueA 77DEC238 6 Bytes JMP 70CB000A .text C:\Program Files\Java\jre6\bin\jqs.exe[216] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 5 Bytes JMP 10024370 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Java\jre6\bin\jqs.exe[216] ADVAPI32.dll!LsaRemoveAccountRights 77E0AC91 6 Bytes JMP 719C000A .text C:\Program Files\Java\jre6\bin\jqs.exe[216] ADVAPI32.dll!CreateServiceA 77E27211 6 Bytes JMP 7152000A .text C:\Program Files\Java\jre6\bin\jqs.exe[216] ADVAPI32.dll!CreateServiceW 77E273A9 6 Bytes JMP 714F000A .text C:\Program Files\Java\jre6\bin\jqs.exe[216] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028BA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Java\jre6\bin\jqs.exe[216] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028970 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Java\jre6\bin\jqs.exe[216] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029CA0 
C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Java\jre6\bin\jqs.exe[216] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029BA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Java\jre6\bin\jqs.exe[216] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 718A000A .text C:\Program Files\Java\jre6\bin\jqs.exe[216] USER32.dll!SetWindowTextW 7E37960E 6 Bytes JMP 7098000A .text C:\Program Files\Java\jre6\bin\jqs.exe[216] USER32.dll!GetKeyState 7E379ED9 6 Bytes JMP 7164000A .text C:\Program Files\Java\jre6\bin\jqs.exe[216] USER32.dll!GetWindowTextW 7E37A5CD 6 Bytes JMP 70F8000A .text C:\Program Files\Java\jre6\bin\jqs.exe[216] USER32.dll!GetAsyncKeyState 7E37A78F 6 Bytes JMP 7161000A .text C:\Program Files\Java\jre6\bin\jqs.exe[216] USER32.dll!ShowWindow 7E37AF56 3 Bytes [FF, 25, 1E] .text C:\Program Files\Java\jre6\bin\jqs.exe[216] USER32.dll!ShowWindow + 4 7E37AF5A 2 Bytes [F4, 70] .text C:\Program Files\Java\jre6\bin\jqs.exe[216] USER32.dll!CreateWindowExW 7E37D0A3 6 Bytes JMP 70AA000A .text C:\Program Files\Java\jre6\bin\jqs.exe[216] USER32.dll!GetKeyboardState 7E37D226 3 Bytes [FF, 25, 1E] .text C:\Program Files\Java\jre6\bin\jqs.exe[216] USER32.dll!GetKeyboardState + 4 7E37D22A 2 Bytes [5D, 71] .text C:\Program Files\Java\jre6\bin\jqs.exe[216] USER32.dll!DrawTextW 7E37D7E2 6 Bytes JMP 70B0000A .text C:\Program Files\Java\jre6\bin\jqs.exe[216] USER32.dll!CreateWindowExA 7E37E4A9 6 Bytes JMP 70AD000A .text C:\Program Files\Java\jre6\bin\jqs.exe[216] USER32.dll!SetWindowTextA 7E37F56B 6 Bytes JMP 709B000A .text C:\Program Files\Java\jre6\bin\jqs.exe[216] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 718D000A .text C:\Program Files\Java\jre6\bin\jqs.exe[216] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 714C000A .text C:\Program Files\Java\jre6\bin\jqs.exe[216] USER32.dll!GetWindowTextA 7E38216B 6 Bytes JMP 70FB000A .text C:\Program Files\Java\jre6\bin\jqs.exe[216] USER32.dll!DrawTextA 
7E38C702 6 Bytes JMP 70B3000A .text C:\Program Files\Java\jre6\bin\jqs.exe[216] USER32.dll!DdeConnect 7E3A81C3 6 Bytes JMP 715B000A .text C:\Program Files\Java\jre6\bin\jqs.exe[216] USER32.dll!EndTask 7E3AA0A5 6 Bytes JMP 7170000A .text C:\Program Files\Java\jre6\bin\jqs.exe[216] USER32.dll!RegisterRawInputDevices 7E3BCE0E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Java\jre6\bin\jqs.exe[216] USER32.dll!RegisterRawInputDevices + 4 7E3BCE12 2 Bytes [48, 71] .text C:\Program Files\Java\jre6\bin\jqs.exe[216] SHELL32.dll!ShellExecuteExW 7CA098CB 6 Bytes JMP 7176000A .text C:\Program Files\Java\jre6\bin\jqs.exe[216] SHELL32.dll!Shell_NotifyIcon 7CA28BC6 6 Bytes JMP 70E3000A .text C:\Program Files\Java\jre6\bin\jqs.exe[216] SHELL32.dll!Shell_NotifyIconW 7CA2A537 6 Bytes JMP 70E0000A .text C:\Program Files\Java\jre6\bin\jqs.exe[216] SHELL32.dll!ShellExecuteEx 7CA40E45 6 Bytes JMP 7179000A .text C:\Program Files\Java\jre6\bin\jqs.exe[216] SHELL32.dll!ShellExecuteA 7CA41170 6 Bytes JMP 717F000A .text C:\Program Files\Java\jre6\bin\jqs.exe[216] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 717C000A .text C:\WINDOWS\system32\ctfmon.exe[260] ntdll.dll!NtClose 7C90CFEE 2 Bytes JMP 1001D060 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\ctfmon.exe[260] ntdll.dll!NtClose + 3 7C90CFF1 2 Bytes [71, 93] {JNO 0xffffffffffffff95} .text C:\WINDOWS\system32\ctfmon.exe[260] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\ctfmon.exe[260] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [5C, 71] .text C:\WINDOWS\system32\ctfmon.exe[260] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BB20 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\ctfmon.exe[260] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B800 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\ctfmon.exe[260] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes 
[FF, 25, 1E] .text C:\WINDOWS\system32\ctfmon.exe[260] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\ctfmon.exe[260] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10027DD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\ctfmon.exe[260] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001D180 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\ctfmon.exe[260] kernel32.dll!DeviceIoControl 7C801629 6 Bytes JMP 70E5000A .text C:\WINDOWS\system32\ctfmon.exe[260] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 7118000A .text C:\WINDOWS\system32\ctfmon.exe[260] kernel32.dll!VirtualProtectEx 7C801A61 6 Bytes JMP 7160000A .text C:\WINDOWS\system32\ctfmon.exe[260] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 710C000A .text C:\WINDOWS\system32\ctfmon.exe[260] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AB0001 .text C:\WINDOWS\system32\ctfmon.exe[260] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 719B000A .text C:\WINDOWS\system32\ctfmon.exe[260] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 71A1000A .text C:\WINDOWS\system32\ctfmon.exe[260] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 719E000A .text C:\WINDOWS\system32\ctfmon.exe[260] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10024F10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\ctfmon.exe[260] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025AA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\ctfmon.exe[260] kernel32.dll!VirtualAlloc 7C809AF1 6 Bytes JMP 710F000A .text C:\WINDOWS\system32\ctfmon.exe[260] kernel32.dll!MultiByteToWideChar 7C809C98 6 Bytes JMP 70BE000A .text C:\WINDOWS\system32\ctfmon.exe[260] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 70FA000A .text C:\WINDOWS\system32\ctfmon.exe[260] kernel32.dll!WideCharToMultiByte 7C80A174 6 Bytes JMP 709D000A .text 
C:\WINDOWS\system32\ctfmon.exe[260] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 714E000A .text C:\WINDOWS\system32\ctfmon.exe[260] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 7198000A .text C:\WINDOWS\system32\ctfmon.exe[260] kernel32.dll!CreateMutexW 7C80E957 6 Bytes JMP 70C7000A .text C:\WINDOWS\system32\ctfmon.exe[260] kernel32.dll!CreateMutexA 7C80E9DF 6 Bytes JMP 70CA000A .text C:\WINDOWS\system32\ctfmon.exe[260] kernel32.dll!OpenMutexW 7C80EA35 6 Bytes JMP 70C1000A .text C:\WINDOWS\system32\ctfmon.exe[260] kernel32.dll!OpenMutexA 7C80EABB 6 Bytes JMP 70C4000A .text C:\WINDOWS\system32\ctfmon.exe[260] kernel32.dll!GetVolumeInformationW 7C80FA85 6 Bytes JMP 7148000A .text C:\WINDOWS\system32\ctfmon.exe[260] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\ctfmon.exe[260] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [AD, 71] .text C:\WINDOWS\system32\ctfmon.exe[260] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 7112000A .text C:\WINDOWS\system32\ctfmon.exe[260] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 711B000A .text C:\WINDOWS\system32\ctfmon.exe[260] kernel32.dll!WriteFile 7C810E27 6 Bytes JMP 70DC000A .text C:\WINDOWS\system32\ctfmon.exe[260] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 7172000A .text C:\WINDOWS\system32\ctfmon.exe[260] kernel32.dll!MoveFileW 7C821261 6 Bytes JMP 7097000A .text C:\WINDOWS\system32\ctfmon.exe[260] kernel32.dll!CreateDirectoryA 7C8217AC 6 Bytes JMP 70E2000A .text C:\WINDOWS\system32\ctfmon.exe[260] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 714B000A .text C:\WINDOWS\system32\ctfmon.exe[260] kernel32.dll!CopyFileExW 7C827B32 6 Bytes JMP 70EE000A .text C:\WINDOWS\system32\ctfmon.exe[260] kernel32.dll!CopyFileA 7C8286EE 6 Bytes JMP 70F7000A .text C:\WINDOWS\system32\ctfmon.exe[260] kernel32.dll!CopyFileW 7C82F87B 6 Bytes JMP 70F4000A .text C:\WINDOWS\system32\ctfmon.exe[260] kernel32.dll!OpenProcess 7C8309E9 6 Bytes JMP 708E000A .text 
C:\WINDOWS\system32\ctfmon.exe[260] kernel32.dll!DeleteFileA 7C831EDD 6 Bytes JMP 70AF000A .text C:\WINDOWS\system32\ctfmon.exe[260] kernel32.dll!DeleteFileW 7C831F63 6 Bytes JMP 70AC000A .text C:\WINDOWS\system32\ctfmon.exe[260] kernel32.dll!CreateDirectoryW 7C832402 6 Bytes JMP 70DF000A .text C:\WINDOWS\system32\ctfmon.exe[260] kernel32.dll!MoveFileExW 7C83568B 6 Bytes JMP 7091000A .text C:\WINDOWS\system32\ctfmon.exe[260] kernel32.dll!MoveFileA 7C835EBF 6 Bytes JMP 709A000A .text C:\WINDOWS\system32\ctfmon.exe[260] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 716F000A .text C:\WINDOWS\system32\ctfmon.exe[260] kernel32.dll!MoveFileExA 7C85E49B 6 Bytes JMP 7094000A .text C:\WINDOWS\system32\ctfmon.exe[260] kernel32.dll!CopyFileExA 7C85F39C 6 Bytes JMP 70F1000A .text C:\WINDOWS\system32\ctfmon.exe[260] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\ctfmon.exe[260] kernel32.dll!SetThreadContext 7C863C09 6 Bytes JMP 70D9000A .text C:\WINDOWS\system32\ctfmon.exe[260] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 7115000A .text C:\WINDOWS\system32\ctfmon.exe[260] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 6 Bytes JMP 7130000A .text C:\WINDOWS\system32\ctfmon.exe[260] ADVAPI32.dll!RegQueryValueExW 77DC6FFF 6 Bytes JMP 711E000A .text C:\WINDOWS\system32\ctfmon.exe[260] ADVAPI32.dll!RegCreateKeyExW 77DC776C 6 Bytes JMP 7142000A .text C:\WINDOWS\system32\ctfmon.exe[260] ADVAPI32.dll!RegOpenKeyExA 77DC7852 6 Bytes JMP 7133000A .text C:\WINDOWS\system32\ctfmon.exe[260] ADVAPI32.dll!RegOpenKeyW 77DC7946 6 Bytes JMP 7136000A .text C:\WINDOWS\system32\ctfmon.exe[260] ADVAPI32.dll!OpenProcessToken 77DC798B 6 Bytes JMP 70D6000A .text C:\WINDOWS\system32\ctfmon.exe[260] ADVAPI32.dll!RegQueryValueExA 77DC7ABB 6 Bytes JMP 7121000A .text C:\WINDOWS\system32\ctfmon.exe[260] ADVAPI32.dll!RegSetValueExW 77DCD767 6 Bytes JMP 712A000A .text C:\WINDOWS\system32\ctfmon.exe[260] ADVAPI32.dll!RegQueryValueW 77DCD87A 6 Bytes JMP 7124000A .text 
C:\WINDOWS\system32\ctfmon.exe[260] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 6 Bytes JMP 7145000A .text C:\WINDOWS\system32\ctfmon.exe[260] ADVAPI32.dll!RegSetValueExA 77DCEAE7 6 Bytes JMP 712D000A .text C:\WINDOWS\system32\ctfmon.exe[260] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 6 Bytes JMP 7139000A .text C:\WINDOWS\system32\ctfmon.exe[260] ADVAPI32.dll!AdjustTokenPrivileges 77DCF00C 6 Bytes JMP 70CD000A .text C:\WINDOWS\system32\ctfmon.exe[260] ADVAPI32.dll!RegDeleteKeyA 77DD42A0 6 Bytes JMP 70A9000A .text C:\WINDOWS\system32\ctfmon.exe[260] ADVAPI32.dll!RegDeleteKeyW 77DD559B 6 Bytes JMP 70A6000A .text C:\WINDOWS\system32\ctfmon.exe[260] ADVAPI32.dll!OpenSCManagerW 77DD6F55 6 Bytes JMP 7106000A .text C:\WINDOWS\system32\ctfmon.exe[260] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 5 Bytes JMP 10023A40 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\ctfmon.exe[260] ADVAPI32.dll!OpenSCManagerA 77DE69AE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\ctfmon.exe[260] ADVAPI32.dll!OpenSCManagerA + 4 77DE69B2 2 Bytes [08, 71] .text C:\WINDOWS\system32\ctfmon.exe[260] ADVAPI32.dll!LookupPrivilegeValueW 77DEB8DF 6 Bytes JMP 70D0000A .text C:\WINDOWS\system32\ctfmon.exe[260] ADVAPI32.dll!RegCreateKeyW 77DEBA55 6 Bytes JMP 713C000A .text C:\WINDOWS\system32\ctfmon.exe[260] ADVAPI32.dll!RegQueryValueA 77DEBB8D 6 Bytes JMP 7127000A .text C:\WINDOWS\system32\ctfmon.exe[260] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 6 Bytes JMP 713F000A .text C:\WINDOWS\system32\ctfmon.exe[260] ADVAPI32.dll!LookupPrivilegeValueA 77DEC238 6 Bytes JMP 70D3000A .text C:\WINDOWS\system32\ctfmon.exe[260] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 5 Bytes JMP 10024370 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\ctfmon.exe[260] ADVAPI32.dll!LsaRemoveAccountRights 77E0AC91 6 Bytes JMP 71A7000A .text C:\WINDOWS\system32\ctfmon.exe[260] ADVAPI32.dll!CreateServiceA 77E27211 6 Bytes JMP 715A000A .text 
C:\WINDOWS\system32\ctfmon.exe[260] ADVAPI32.dll!CreateServiceW 77E273A9 6 Bytes JMP 7157000A .text C:\WINDOWS\system32\ctfmon.exe[260] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7192000A .text C:\WINDOWS\system32\ctfmon.exe[260] USER32.dll!SetWindowTextW 7E37960E 6 Bytes JMP 70A0000A .text C:\WINDOWS\system32\ctfmon.exe[260] USER32.dll!GetKeyState 7E379ED9 6 Bytes JMP 716C000A .text C:\WINDOWS\system32\ctfmon.exe[260] USER32.dll!GetWindowTextW 7E37A5CD 6 Bytes JMP 7100000A .text C:\WINDOWS\system32\ctfmon.exe[260] USER32.dll!GetAsyncKeyState 7E37A78F 6 Bytes JMP 7169000A .text C:\WINDOWS\system32\ctfmon.exe[260] USER32.dll!ShowWindow 7E37AF56 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\ctfmon.exe[260] USER32.dll!ShowWindow + 4 7E37AF5A 2 Bytes [FC, 70] .text C:\WINDOWS\system32\ctfmon.exe[260] USER32.dll!CreateWindowExW 7E37D0A3 6 Bytes JMP 70B2000A .text C:\WINDOWS\system32\ctfmon.exe[260] USER32.dll!GetKeyboardState 7E37D226 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\ctfmon.exe[260] USER32.dll!GetKeyboardState + 4 7E37D22A 2 Bytes [65, 71] .text C:\WINDOWS\system32\ctfmon.exe[260] USER32.dll!DrawTextW 7E37D7E2 6 Bytes JMP 70B8000A .text C:\WINDOWS\system32\ctfmon.exe[260] USER32.dll!CreateWindowExA 7E37E4A9 6 Bytes JMP 70B5000A .text C:\WINDOWS\system32\ctfmon.exe[260] USER32.dll!SetWindowTextA 7E37F56B 6 Bytes JMP 70A3000A .text C:\WINDOWS\system32\ctfmon.exe[260] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7195000A .text C:\WINDOWS\system32\ctfmon.exe[260] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7154000A .text C:\WINDOWS\system32\ctfmon.exe[260] USER32.dll!GetWindowTextA 7E38216B 6 Bytes JMP 7103000A .text C:\WINDOWS\system32\ctfmon.exe[260] USER32.dll!DrawTextA 7E38C702 6 Bytes JMP 70BB000A .text C:\WINDOWS\system32\ctfmon.exe[260] USER32.dll!DdeConnect 7E3A81C3 6 Bytes JMP 7163000A .text C:\WINDOWS\system32\ctfmon.exe[260] USER32.dll!EndTask 7E3AA0A5 6 Bytes JMP 7178000A .text C:\WINDOWS\system32\ctfmon.exe[260] 
USER32.dll!RegisterRawInputDevices 7E3BCE0E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\ctfmon.exe[260] USER32.dll!RegisterRawInputDevices + 4 7E3BCE12 2 Bytes [50, 71] .text C:\WINDOWS\system32\ctfmon.exe[260] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028BA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\ctfmon.exe[260] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028970 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\ctfmon.exe[260] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029CA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\ctfmon.exe[260] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029BA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\ctfmon.exe[260] SHELL32.dll!ShellExecuteExW 7CA098CB 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\ctfmon.exe[260] SHELL32.dll!Shell_NotifyIcon 7CA28BC6 6 Bytes JMP 70EB000A .text C:\WINDOWS\system32\ctfmon.exe[260] SHELL32.dll!Shell_NotifyIconW 7CA2A537 6 Bytes JMP 70E8000A .text C:\WINDOWS\system32\ctfmon.exe[260] SHELL32.dll!ShellExecuteEx 7CA40E45 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\ctfmon.exe[260] SHELL32.dll!ShellExecuteA 7CA41170 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\ctfmon.exe[260] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 7184000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] ntdll.dll!NtClose 7C90CFEE 2 Bytes JMP 1001D060 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] ntdll.dll!NtClose + 3 7C90CFF1 2 Bytes [71, 93] {JNO 0xffffffffffffff95} .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [5C, 71] .text C:\Program Files\Common 
Files\Ahead\lib\NMBgMonitor.exe[456] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BB20 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B800 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10027DD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001D180 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] kernel32.dll!DeviceIoControl 7C801629 6 Bytes JMP 70E5000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 7118000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] kernel32.dll!VirtualProtectEx 7C801A61 6 Bytes JMP 7160000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 710C000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AB0001 .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 719B000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 71A1000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 
719E000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10024F10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025AA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] kernel32.dll!VirtualAlloc 7C809AF1 6 Bytes JMP 710F000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] kernel32.dll!MultiByteToWideChar 7C809C98 6 Bytes JMP 70BE000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 70FA000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] kernel32.dll!WideCharToMultiByte 7C80A174 6 Bytes JMP 709D000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 714E000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 7198000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] kernel32.dll!CreateMutexW 7C80E957 6 Bytes JMP 70C7000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] kernel32.dll!CreateMutexA 7C80E9DF 6 Bytes JMP 70CA000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] kernel32.dll!OpenMutexW 7C80EA35 6 Bytes JMP 70C1000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] kernel32.dll!OpenMutexA 7C80EABB 6 Bytes JMP 70C4000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] kernel32.dll!GetVolumeInformationW 7C80FA85 6 Bytes JMP 7148000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] kernel32.dll!CreateRemoteThread + 4 
7C8104D0 2 Bytes [AD, 71] .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 7112000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 711B000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] kernel32.dll!WriteFile 7C810E27 6 Bytes JMP 70DC000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 7172000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] kernel32.dll!MoveFileW 7C821261 6 Bytes JMP 7097000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] kernel32.dll!CreateDirectoryA 7C8217AC 6 Bytes JMP 70E2000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 714B000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] kernel32.dll!CopyFileExW 7C827B32 6 Bytes JMP 70EE000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] kernel32.dll!CopyFileA 7C8286EE 6 Bytes JMP 70F7000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] kernel32.dll!CopyFileW 7C82F87B 6 Bytes JMP 70F4000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] kernel32.dll!OpenProcess 7C8309E9 6 Bytes JMP 708E000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] kernel32.dll!DeleteFileA 7C831EDD 6 Bytes JMP 70AF000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] kernel32.dll!DeleteFileW 7C831F63 6 Bytes JMP 70AC000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] kernel32.dll!CreateDirectoryW 7C832402 6 Bytes JMP 70DF000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] kernel32.dll!MoveFileExW 7C83568B 6 Bytes JMP 7091000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] kernel32.dll!MoveFileA 7C835EBF 6 Bytes JMP 709A000A .text 
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 716F000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] kernel32.dll!MoveFileExA 7C85E49B 6 Bytes JMP 7094000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] kernel32.dll!CopyFileExA 7C85F39C 6 Bytes JMP 70F1000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 717B000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] kernel32.dll!SetThreadContext 7C863C09 6 Bytes JMP 70D9000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 7115000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7192000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] USER32.dll!SetWindowTextW 7E37960E 6 Bytes JMP 70A0000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] USER32.dll!GetKeyState 7E379ED9 6 Bytes JMP 716C000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] USER32.dll!GetWindowTextW 7E37A5CD 6 Bytes JMP 7100000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] USER32.dll!GetAsyncKeyState 7E37A78F 6 Bytes JMP 7169000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] USER32.dll!ShowWindow 7E37AF56 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] USER32.dll!ShowWindow + 4 7E37AF5A 2 Bytes [FC, 70] .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] USER32.dll!CreateWindowExW 7E37D0A3 6 Bytes JMP 70B2000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] USER32.dll!GetKeyboardState 7E37D226 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] USER32.dll!GetKeyboardState + 4 7E37D22A 2 Bytes [65, 71] .text C:\Program 
Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] USER32.dll!DrawTextW 7E37D7E2 6 Bytes JMP 70B8000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] USER32.dll!CreateWindowExA 7E37E4A9 6 Bytes JMP 70B5000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] USER32.dll!SetWindowTextA 7E37F56B 6 Bytes JMP 70A3000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7195000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7154000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] USER32.dll!GetWindowTextA 7E38216B 6 Bytes JMP 7103000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] USER32.dll!DrawTextA 7E38C702 6 Bytes JMP 70BB000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] USER32.dll!DdeConnect 7E3A81C3 6 Bytes JMP 7163000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] USER32.dll!EndTask 7E3AA0A5 6 Bytes JMP 7178000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] USER32.dll!RegisterRawInputDevices 7E3BCE0E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] USER32.dll!RegisterRawInputDevices + 4 7E3BCE12 2 Bytes [50, 71] .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028BA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028970 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029CA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 
10029BA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 6 Bytes JMP 7130000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] ADVAPI32.dll!RegQueryValueExW 77DC6FFF 6 Bytes JMP 711E000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] ADVAPI32.dll!RegCreateKeyExW 77DC776C 6 Bytes JMP 7142000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] ADVAPI32.dll!RegOpenKeyExA 77DC7852 6 Bytes JMP 7133000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] ADVAPI32.dll!RegOpenKeyW 77DC7946 6 Bytes JMP 7136000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] ADVAPI32.dll!OpenProcessToken 77DC798B 6 Bytes JMP 70D6000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] ADVAPI32.dll!RegQueryValueExA 77DC7ABB 6 Bytes JMP 7121000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] ADVAPI32.dll!RegSetValueExW 77DCD767 6 Bytes JMP 712A000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] ADVAPI32.dll!RegQueryValueW 77DCD87A 6 Bytes JMP 7124000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 6 Bytes JMP 7145000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] ADVAPI32.dll!RegSetValueExA 77DCEAE7 6 Bytes JMP 712D000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 6 Bytes JMP 7139000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] ADVAPI32.dll!AdjustTokenPrivileges 77DCF00C 6 Bytes JMP 70CD000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] ADVAPI32.dll!RegDeleteKeyA 77DD42A0 6 Bytes JMP 70A9000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] ADVAPI32.dll!RegDeleteKeyW 77DD559B 6 Bytes JMP 70A6000A .text C:\Program Files\Common 
Files\Ahead\lib\NMBgMonitor.exe[456] ADVAPI32.dll!OpenSCManagerW 77DD6F55 6 Bytes JMP 7106000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 5 Bytes JMP 10023A40 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] ADVAPI32.dll!OpenSCManagerA 77DE69AE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] ADVAPI32.dll!OpenSCManagerA + 4 77DE69B2 2 Bytes [08, 71] .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] ADVAPI32.dll!LookupPrivilegeValueW 77DEB8DF 6 Bytes JMP 70D0000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] ADVAPI32.dll!RegCreateKeyW 77DEBA55 6 Bytes JMP 713C000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] ADVAPI32.dll!RegQueryValueA 77DEBB8D 6 Bytes JMP 7127000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 6 Bytes JMP 713F000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] ADVAPI32.dll!LookupPrivilegeValueA 77DEC238 6 Bytes JMP 70D3000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 5 Bytes JMP 10024370 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] ADVAPI32.dll!LsaRemoveAccountRights 77E0AC91 6 Bytes JMP 71A7000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] ADVAPI32.dll!CreateServiceA 77E27211 6 Bytes JMP 715A000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] ADVAPI32.dll!CreateServiceW 77E273A9 6 Bytes JMP 7157000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] SHELL32.dll!ShellExecuteExW 7CA098CB 6 Bytes JMP 717E000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] SHELL32.dll!Shell_NotifyIcon 7CA28BC6 6 Bytes 
JMP 70EB000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] SHELL32.dll!Shell_NotifyIconW 7CA2A537 6 Bytes JMP 70E8000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] SHELL32.dll!ShellExecuteEx 7CA40E45 6 Bytes JMP 7181000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] SHELL32.dll!ShellExecuteA 7CA41170 6 Bytes JMP 7187000A .text C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe[456] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 7184000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] ntdll.dll!NtClose 7C90CFEE 2 Bytes JMP 1001D060 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] ntdll.dll!NtClose + 3 7C90CFF1 2 Bytes [71, 93] {JNO 0xffffffffffffff95} .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [5C, 71] .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BB20 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B800 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10027DD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Common 
Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001D180 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] kernel32.dll!DeviceIoControl 7C801629 6 Bytes JMP 70E5000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 7118000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] kernel32.dll!VirtualProtectEx 7C801A61 6 Bytes JMP 7160000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 710C000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AB0001 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 719B000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 71A1000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 719E000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10024F10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025AA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] kernel32.dll!VirtualAlloc 7C809AF1 6 Bytes JMP 710F000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] kernel32.dll!MultiByteToWideChar 7C809C98 6 Bytes JMP 70BE000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 70FA000A .text C:\Program Files\Common 
Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] kernel32.dll!WideCharToMultiByte 7C80A174 6 Bytes JMP 709D000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 714E000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 7198000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] kernel32.dll!CreateMutexW 7C80E957 6 Bytes JMP 70C7000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] kernel32.dll!CreateMutexA 7C80E9DF 6 Bytes JMP 70CA000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] kernel32.dll!OpenMutexW 7C80EA35 6 Bytes JMP 70C1000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] kernel32.dll!OpenMutexA 7C80EABB 6 Bytes JMP 70C4000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] kernel32.dll!GetVolumeInformationW 7C80FA85 6 Bytes JMP 7148000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [AD, 71] .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 7112000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 711B000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] kernel32.dll!WriteFile 7C810E27 6 Bytes JMP 70DC000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 7172000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] kernel32.dll!MoveFileW 7C821261 6 Bytes JMP 7097000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] kernel32.dll!CreateDirectoryA 7C8217AC 6 Bytes 
JMP 70E2000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 714B000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] kernel32.dll!CopyFileExW 7C827B32 6 Bytes JMP 70EE000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] kernel32.dll!CopyFileA 7C8286EE 6 Bytes JMP 70F7000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] kernel32.dll!CopyFileW 7C82F87B 6 Bytes JMP 70F4000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] kernel32.dll!OpenProcess 7C8309E9 6 Bytes JMP 708E000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] kernel32.dll!DeleteFileA 7C831EDD 6 Bytes JMP 70AF000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] kernel32.dll!DeleteFileW 7C831F63 6 Bytes JMP 70AC000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] kernel32.dll!CreateDirectoryW 7C832402 6 Bytes JMP 70DF000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] kernel32.dll!MoveFileExW 7C83568B 6 Bytes JMP 7091000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] kernel32.dll!MoveFileA 7C835EBF 6 Bytes JMP 709A000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 716F000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] kernel32.dll!MoveFileExA 7C85E49B 6 Bytes JMP 7094000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] kernel32.dll!CopyFileExA 7C85F39C 6 Bytes JMP 70F1000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 717B000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] kernel32.dll!SetThreadContext 7C863C09 6 Bytes JMP 70D9000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] 
kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 7115000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 6 Bytes JMP 7130000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] ADVAPI32.dll!RegQueryValueExW 77DC6FFF 6 Bytes JMP 711E000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] ADVAPI32.dll!RegCreateKeyExW 77DC776C 6 Bytes JMP 7142000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] ADVAPI32.dll!RegOpenKeyExA 77DC7852 6 Bytes JMP 7133000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] ADVAPI32.dll!RegOpenKeyW 77DC7946 6 Bytes JMP 7136000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] ADVAPI32.dll!OpenProcessToken 77DC798B 6 Bytes JMP 70D6000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] ADVAPI32.dll!RegQueryValueExA 77DC7ABB 6 Bytes JMP 7121000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] ADVAPI32.dll!RegSetValueExW 77DCD767 6 Bytes JMP 712A000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] ADVAPI32.dll!RegQueryValueW 77DCD87A 6 Bytes JMP 7124000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 6 Bytes JMP 7145000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] ADVAPI32.dll!RegSetValueExA 77DCEAE7 6 Bytes JMP 712D000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 6 Bytes JMP 7139000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] ADVAPI32.dll!AdjustTokenPrivileges 77DCF00C 6 Bytes JMP 70CD000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] ADVAPI32.dll!RegDeleteKeyA 77DD42A0 6 Bytes JMP 70A9000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] ADVAPI32.dll!RegDeleteKeyW 77DD559B 6 Bytes JMP 70A6000A .text 
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] ADVAPI32.dll!OpenSCManagerW 77DD6F55 6 Bytes JMP 7106000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 5 Bytes JMP 10023A40 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] ADVAPI32.dll!OpenSCManagerA 77DE69AE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] ADVAPI32.dll!OpenSCManagerA + 4 77DE69B2 2 Bytes [08, 71] .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] ADVAPI32.dll!LookupPrivilegeValueW 77DEB8DF 6 Bytes JMP 70D0000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] ADVAPI32.dll!RegCreateKeyW 77DEBA55 6 Bytes JMP 713C000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] ADVAPI32.dll!RegQueryValueA 77DEBB8D 6 Bytes JMP 7127000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 6 Bytes JMP 713F000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] ADVAPI32.dll!LookupPrivilegeValueA 77DEC238 6 Bytes JMP 70D3000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 5 Bytes JMP 10024370 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] ADVAPI32.dll!LsaRemoveAccountRights 77E0AC91 6 Bytes JMP 71A7000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] ADVAPI32.dll!CreateServiceA 77E27211 6 Bytes JMP 715A000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] ADVAPI32.dll!CreateServiceW 77E273A9 6 Bytes JMP 7157000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028BA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet 
Security/COMODO) .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028970 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029CA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029BA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7192000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] USER32.dll!SetWindowTextW 7E37960E 6 Bytes JMP 70A0000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] USER32.dll!GetKeyState 7E379ED9 6 Bytes JMP 716C000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] USER32.dll!GetWindowTextW 7E37A5CD 6 Bytes JMP 7100000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] USER32.dll!GetAsyncKeyState 7E37A78F 6 Bytes JMP 7169000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] USER32.dll!ShowWindow 7E37AF56 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] USER32.dll!ShowWindow + 4 7E37AF5A 2 Bytes [FC, 70] .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] USER32.dll!CreateWindowExW 7E37D0A3 6 Bytes JMP 70B2000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] USER32.dll!GetKeyboardState 7E37D226 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] USER32.dll!GetKeyboardState + 4 7E37D22A 2 Bytes [65, 71] .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] USER32.dll!DrawTextW 7E37D7E2 6 Bytes JMP 70B8000A .text C:\Program Files\Common 
Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] USER32.dll!CreateWindowExA 7E37E4A9 6 Bytes JMP 70B5000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] USER32.dll!SetWindowTextA 7E37F56B 6 Bytes JMP 70A3000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7195000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7154000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] USER32.dll!GetWindowTextA 7E38216B 6 Bytes JMP 7103000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] USER32.dll!DrawTextA 7E38C702 6 Bytes JMP 70BB000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] USER32.dll!DdeConnect 7E3A81C3 6 Bytes JMP 7163000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] USER32.dll!EndTask 7E3AA0A5 6 Bytes JMP 7178000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] USER32.dll!RegisterRawInputDevices 7E3BCE0E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] USER32.dll!RegisterRawInputDevices + 4 7E3BCE12 2 Bytes [50, 71] .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] SHELL32.dll!ShellExecuteExW 7CA098CB 6 Bytes JMP 717E000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] SHELL32.dll!Shell_NotifyIcon 7CA28BC6 6 Bytes JMP 70EB000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] SHELL32.dll!Shell_NotifyIconW 7CA2A537 6 Bytes JMP 70E8000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] SHELL32.dll!ShellExecuteEx 7CA40E45 6 Bytes JMP 7181000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] SHELL32.dll!ShellExecuteA 7CA41170 6 Bytes JMP 7187000A .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[804] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 
7184000A .text C:\WINDOWS\Explorer.EXE[872] ntdll.dll!NtClose 7C90CFEE 2 Bytes JMP 1001D060 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\Explorer.EXE[872] ntdll.dll!NtClose + 3 7C90CFF1 2 Bytes [71, 93] {JNO 0xffffffffffffff95} .text C:\WINDOWS\Explorer.EXE[872] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[872] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [59, 71] .text C:\WINDOWS\Explorer.EXE[872] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BB20 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\Explorer.EXE[872] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B800 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\Explorer.EXE[872] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[872] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\Explorer.EXE[872] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10027DD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\Explorer.EXE[872] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001D180 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\Explorer.EXE[872] kernel32.dll!DeviceIoControl 7C801629 6 Bytes JMP 70E2000A .text C:\WINDOWS\Explorer.EXE[872] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 7115000A .text C:\WINDOWS\Explorer.EXE[872] kernel32.dll!VirtualProtectEx 7C801A61 6 Bytes JMP 715D000A .text C:\WINDOWS\Explorer.EXE[872] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 7109000A .text C:\WINDOWS\Explorer.EXE[872] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AB0001 .text C:\WINDOWS\Explorer.EXE[872] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 719B000A .text C:\WINDOWS\Explorer.EXE[872] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 71A1000A .text C:\WINDOWS\Explorer.EXE[872] kernel32.dll!WriteProcessMemory 
7C802213 6 Bytes JMP 719E000A .text C:\WINDOWS\Explorer.EXE[872] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10024F10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\Explorer.EXE[872] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025AA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\Explorer.EXE[872] kernel32.dll!VirtualAlloc 7C809AF1 6 Bytes JMP 710C000A .text C:\WINDOWS\Explorer.EXE[872] kernel32.dll!MultiByteToWideChar 7C809C98 6 Bytes JMP 70B5000A .text C:\WINDOWS\Explorer.EXE[872] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 70F7000A .text C:\WINDOWS\Explorer.EXE[872] kernel32.dll!WideCharToMultiByte 7C80A174 6 Bytes JMP 7094000A .text C:\WINDOWS\Explorer.EXE[872] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 714B000A .text C:\WINDOWS\Explorer.EXE[872] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 7198000A .text C:\WINDOWS\Explorer.EXE[872] kernel32.dll!CreateMutexW 7C80E957 6 Bytes JMP 70BE000A .text C:\WINDOWS\Explorer.EXE[872] kernel32.dll!CreateMutexA 7C80E9DF 6 Bytes JMP 70C1000A .text C:\WINDOWS\Explorer.EXE[872] kernel32.dll!OpenMutexW 7C80EA35 6 Bytes JMP 70B8000A .text C:\WINDOWS\Explorer.EXE[872] kernel32.dll!OpenMutexA 7C80EABB 6 Bytes JMP 70BB000A .text C:\WINDOWS\Explorer.EXE[872] kernel32.dll!GetVolumeInformationW 7C80FA85 6 Bytes JMP 7145000A .text C:\WINDOWS\Explorer.EXE[872] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[872] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [AD, 71] .text C:\WINDOWS\Explorer.EXE[872] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 710F000A .text C:\WINDOWS\Explorer.EXE[872] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 7118000A .text C:\WINDOWS\Explorer.EXE[872] kernel32.dll!WriteFile 7C810E27 6 Bytes JMP 70D3000A .text C:\WINDOWS\Explorer.EXE[872] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 7172000A .text C:\WINDOWS\Explorer.EXE[872] kernel32.dll!MoveFileW 7C821261 6 
Bytes JMP 708E000A .text C:\WINDOWS\Explorer.EXE[872] kernel32.dll!CreateDirectoryA 7C8217AC 6 Bytes JMP 70D9000A .text C:\WINDOWS\Explorer.EXE[872] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 7148000A .text C:\WINDOWS\Explorer.EXE[872] kernel32.dll!CopyFileExW 7C827B32 6 Bytes JMP 70EB000A .text C:\WINDOWS\Explorer.EXE[872] kernel32.dll!CopyFileA 7C8286EE 6 Bytes JMP 70F4000A .text C:\WINDOWS\Explorer.EXE[872] kernel32.dll!CopyFileW 7C82F87B 6 Bytes JMP 70F1000A .text C:\WINDOWS\Explorer.EXE[872] kernel32.dll!OpenProcess 7C8309E9 6 Bytes JMP 7085000A .text C:\WINDOWS\Explorer.EXE[872] kernel32.dll!DeleteFileA 7C831EDD 6 Bytes JMP 70A6000A .text C:\WINDOWS\Explorer.EXE[872] kernel32.dll!DeleteFileW 7C831F63 6 Bytes JMP 70A3000A .text C:\WINDOWS\Explorer.EXE[872] kernel32.dll!CreateDirectoryW 7C832402 6 Bytes JMP 70D6000A .text C:\WINDOWS\Explorer.EXE[872] kernel32.dll!MoveFileExW 7C83568B 6 Bytes JMP 7088000A .text C:\WINDOWS\Explorer.EXE[872] kernel32.dll!MoveFileA 7C835EBF 6 Bytes JMP 7091000A .text C:\WINDOWS\Explorer.EXE[872] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 716F000A .text C:\WINDOWS\Explorer.EXE[872] kernel32.dll!MoveFileExA 7C85E49B 6 Bytes JMP 708B000A .text C:\WINDOWS\Explorer.EXE[872] kernel32.dll!CopyFileExA 7C85F39C 6 Bytes JMP 70EE000A .text C:\WINDOWS\Explorer.EXE[872] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 717B000A .text C:\WINDOWS\Explorer.EXE[872] kernel32.dll!SetThreadContext 7C863C09 6 Bytes JMP 70D0000A .text C:\WINDOWS\Explorer.EXE[872] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 7112000A .text C:\WINDOWS\Explorer.EXE[872] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 6 Bytes JMP 712D000A .text C:\WINDOWS\Explorer.EXE[872] ADVAPI32.dll!RegQueryValueExW 77DC6FFF 6 Bytes JMP 711B000A .text C:\WINDOWS\Explorer.EXE[872] ADVAPI32.dll!RegCreateKeyExW 77DC776C 6 Bytes JMP 713F000A .text C:\WINDOWS\Explorer.EXE[872] ADVAPI32.dll!RegOpenKeyExA 77DC7852 6 Bytes JMP 7130000A .text C:\WINDOWS\Explorer.EXE[872] 
ADVAPI32.dll!RegOpenKeyW 77DC7946 6 Bytes JMP 7133000A .text C:\WINDOWS\Explorer.EXE[872] ADVAPI32.dll!OpenProcessToken 77DC798B 6 Bytes JMP 70CD000A .text C:\WINDOWS\Explorer.EXE[872] ADVAPI32.dll!RegQueryValueExA 77DC7ABB 6 Bytes JMP 711E000A .text C:\WINDOWS\Explorer.EXE[872] ADVAPI32.dll!RegSetValueExW 77DCD767 6 Bytes JMP 7127000A .text C:\WINDOWS\Explorer.EXE[872] ADVAPI32.dll!RegQueryValueW 77DCD87A 6 Bytes JMP 7121000A .text C:\WINDOWS\Explorer.EXE[872] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 6 Bytes JMP 7142000A .text C:\WINDOWS\Explorer.EXE[872] ADVAPI32.dll!RegSetValueExA 77DCEAE7 6 Bytes JMP 712A000A .text C:\WINDOWS\Explorer.EXE[872] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 6 Bytes JMP 7136000A .text C:\WINDOWS\Explorer.EXE[872] ADVAPI32.dll!AdjustTokenPrivileges 77DCF00C 6 Bytes JMP 70C4000A .text C:\WINDOWS\Explorer.EXE[872] ADVAPI32.dll!RegDeleteKeyA 77DD42A0 6 Bytes JMP 70A0000A .text C:\WINDOWS\Explorer.EXE[872] ADVAPI32.dll!RegDeleteKeyW 77DD559B 6 Bytes JMP 709D000A .text C:\WINDOWS\Explorer.EXE[872] ADVAPI32.dll!OpenSCManagerW 77DD6F55 6 Bytes JMP 7103000A .text C:\WINDOWS\Explorer.EXE[872] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 5 Bytes JMP 10023A40 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\Explorer.EXE[872] ADVAPI32.dll!OpenSCManagerA 77DE69AE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[872] ADVAPI32.dll!OpenSCManagerA + 4 77DE69B2 2 Bytes [05, 71] .text C:\WINDOWS\Explorer.EXE[872] ADVAPI32.dll!LookupPrivilegeValueW 77DEB8DF 6 Bytes JMP 70C7000A .text C:\WINDOWS\Explorer.EXE[872] ADVAPI32.dll!RegCreateKeyW 77DEBA55 6 Bytes JMP 7139000A .text C:\WINDOWS\Explorer.EXE[872] ADVAPI32.dll!RegQueryValueA 77DEBB8D 6 Bytes JMP 7124000A .text C:\WINDOWS\Explorer.EXE[872] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 6 Bytes JMP 713C000A .text C:\WINDOWS\Explorer.EXE[872] ADVAPI32.dll!LookupPrivilegeValueA 77DEC238 6 Bytes JMP 70CA000A .text C:\WINDOWS\Explorer.EXE[872] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 5 Bytes 
JMP 10024370 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\Explorer.EXE[872] ADVAPI32.dll!LsaRemoveAccountRights 77E0AC91 6 Bytes JMP 71A7000A .text C:\WINDOWS\Explorer.EXE[872] ADVAPI32.dll!CreateServiceA 77E27211 6 Bytes JMP 7157000A .text C:\WINDOWS\Explorer.EXE[872] ADVAPI32.dll!CreateServiceW 77E273A9 6 Bytes JMP 7154000A .text C:\WINDOWS\Explorer.EXE[872] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028BA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\Explorer.EXE[872] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028970 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\Explorer.EXE[872] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029CA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\Explorer.EXE[872] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029BA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\Explorer.EXE[872] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7192000A .text C:\WINDOWS\Explorer.EXE[872] USER32.dll!SetWindowTextW 7E37960E 6 Bytes JMP 7097000A .text C:\WINDOWS\Explorer.EXE[872] USER32.dll!GetKeyState 7E379ED9 6 Bytes JMP 7169000A .text C:\WINDOWS\Explorer.EXE[872] USER32.dll!GetWindowTextW 7E37A5CD 6 Bytes JMP 70FD000A .text C:\WINDOWS\Explorer.EXE[872] USER32.dll!GetAsyncKeyState 7E37A78F 6 Bytes JMP 7166000A .text C:\WINDOWS\Explorer.EXE[872] USER32.dll!ShowWindow 7E37AF56 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[872] USER32.dll!ShowWindow + 4 7E37AF5A 2 Bytes [F9, 70] .text C:\WINDOWS\Explorer.EXE[872] USER32.dll!CreateWindowExW 7E37D0A3 6 Bytes JMP 70A9000A .text C:\WINDOWS\Explorer.EXE[872] USER32.dll!GetKeyboardState 7E37D226 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[872] USER32.dll!GetKeyboardState + 4 7E37D22A 2 Bytes [62, 71] .text C:\WINDOWS\Explorer.EXE[872] USER32.dll!DrawTextW 7E37D7E2 6 Bytes JMP 70AF000A .text C:\WINDOWS\Explorer.EXE[872] 
USER32.dll!CreateWindowExA 7E37E4A9 6 Bytes JMP 70AC000A .text C:\WINDOWS\Explorer.EXE[872] USER32.dll!SetWindowTextA 7E37F56B 6 Bytes JMP 709A000A .text C:\WINDOWS\Explorer.EXE[872] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7195000A .text C:\WINDOWS\Explorer.EXE[872] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7151000A .text C:\WINDOWS\Explorer.EXE[872] USER32.dll!GetWindowTextA 7E38216B 6 Bytes JMP 7100000A .text C:\WINDOWS\Explorer.EXE[872] USER32.dll!DrawTextA 7E38C702 6 Bytes JMP 70B2000A .text C:\WINDOWS\Explorer.EXE[872] USER32.dll!DdeConnect 7E3A81C3 6 Bytes JMP 7160000A .text C:\WINDOWS\Explorer.EXE[872] USER32.dll!EndTask 7E3AA0A5 6 Bytes JMP 7178000A .text C:\WINDOWS\Explorer.EXE[872] USER32.dll!RegisterRawInputDevices 7E3BCE0E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[872] USER32.dll!RegisterRawInputDevices + 4 7E3BCE12 2 Bytes [4D, 71] .text C:\WINDOWS\Explorer.EXE[872] WININET.dll!InternetOpenUrlA 3FD1F3AC 6 Bytes JMP 70DF000A .text C:\WINDOWS\Explorer.EXE[872] WININET.dll!InternetOpenUrlW 3FD66D6F 6 Bytes JMP 70DC000A .text C:\WINDOWS\Explorer.EXE[872] SHELL32.dll!ShellExecuteExW 7CA098CB 6 Bytes JMP 717E000A .text C:\WINDOWS\Explorer.EXE[872] SHELL32.dll!Shell_NotifyIcon 7CA28BC6 6 Bytes JMP 70E8000A .text C:\WINDOWS\Explorer.EXE[872] SHELL32.dll!Shell_NotifyIconW 7CA2A537 6 Bytes JMP 70E5000A .text C:\WINDOWS\Explorer.EXE[872] SHELL32.dll!ShellExecuteEx 7CA40E45 6 Bytes JMP 7181000A .text C:\WINDOWS\Explorer.EXE[872] SHELL32.dll!ShellExecuteA 7CA41170 6 Bytes JMP 7187000A .text C:\WINDOWS\Explorer.EXE[872] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\csrss.exe[892] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 10001450 C:\WINDOWS\system32\cmdcsr.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\csrss.exe[892] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 100017F0 C:\WINDOWS\system32\cmdcsr.dll (COMODO Internet Security/COMODO) .text 
C:\WINDOWS\system32\winlogon.exe[920] kernel32.dll!DeviceIoControl 7C801629 6 Bytes JMP 713C000A .text C:\WINDOWS\system32\winlogon.exe[920] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 716F000A .text C:\WINDOWS\system32\winlogon.exe[920] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 7163000A .text C:\WINDOWS\system32\winlogon.exe[920] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71A90001 .text C:\WINDOWS\system32\winlogon.exe[920] kernel32.dll!VirtualAlloc 7C809AF1 6 Bytes JMP 7166000A .text C:\WINDOWS\system32\winlogon.exe[920] kernel32.dll!MultiByteToWideChar 7C809C98 6 Bytes JMP 7115000A .text C:\WINDOWS\system32\winlogon.exe[920] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 7151000A .text C:\WINDOWS\system32\winlogon.exe[920] kernel32.dll!WideCharToMultiByte 7C80A174 6 Bytes JMP 70F4000A .text C:\WINDOWS\system32\winlogon.exe[920] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 71AE000A .text C:\WINDOWS\system32\winlogon.exe[920] kernel32.dll!CreateMutexW 7C80E957 6 Bytes JMP 711E000A .text C:\WINDOWS\system32\winlogon.exe[920] kernel32.dll!CreateMutexA 7C80E9DF 6 Bytes JMP 7121000A .text C:\WINDOWS\system32\winlogon.exe[920] kernel32.dll!OpenMutexW 7C80EA35 6 Bytes JMP 7118000A .text C:\WINDOWS\system32\winlogon.exe[920] kernel32.dll!OpenMutexA 7C80EABB 6 Bytes JMP 711B000A .text C:\WINDOWS\system32\winlogon.exe[920] kernel32.dll!GetVolumeInformationW 7C80FA85 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\winlogon.exe[920] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 7169000A .text C:\WINDOWS\system32\winlogon.exe[920] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 7172000A .text C:\WINDOWS\system32\winlogon.exe[920] kernel32.dll!WriteFile 7C810E27 6 Bytes JMP 7133000A .text C:\WINDOWS\system32\winlogon.exe[920] kernel32.dll!MoveFileW 7C821261 6 Bytes JMP 70EE000A .text C:\WINDOWS\system32\winlogon.exe[920] kernel32.dll!CreateDirectoryA 7C8217AC 6 Bytes JMP 7139000A .text C:\WINDOWS\system32\winlogon.exe[920] 
kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 71A2000A .text C:\WINDOWS\system32\winlogon.exe[920] kernel32.dll!CopyFileExW 7C827B32 6 Bytes JMP 7145000A .text C:\WINDOWS\system32\winlogon.exe[920] kernel32.dll!CopyFileA 7C8286EE 6 Bytes JMP 714E000A .text C:\WINDOWS\system32\winlogon.exe[920] kernel32.dll!CopyFileW 7C82F87B 6 Bytes JMP 714B000A .text C:\WINDOWS\system32\winlogon.exe[920] kernel32.dll!OpenProcess 7C8309E9 6 Bytes JMP 70E5000A .text C:\WINDOWS\system32\winlogon.exe[920] kernel32.dll!DeleteFileA 7C831EDD 6 Bytes JMP 7106000A .text C:\WINDOWS\system32\winlogon.exe[920] kernel32.dll!DeleteFileW 7C831F63 6 Bytes JMP 7103000A .text C:\WINDOWS\system32\winlogon.exe[920] kernel32.dll!CreateDirectoryW 7C832402 6 Bytes JMP 7136000A .text C:\WINDOWS\system32\winlogon.exe[920] kernel32.dll!MoveFileExW 7C83568B 6 Bytes JMP 70E8000A .text C:\WINDOWS\system32\winlogon.exe[920] kernel32.dll!MoveFileA 7C835EBF 6 Bytes JMP 70F1000A .text C:\WINDOWS\system32\winlogon.exe[920] kernel32.dll!MoveFileExA 7C85E49B 6 Bytes JMP 70EB000A .text C:\WINDOWS\system32\winlogon.exe[920] kernel32.dll!CopyFileExA 7C85F39C 6 Bytes JMP 7148000A .text C:\WINDOWS\system32\winlogon.exe[920] kernel32.dll!SetThreadContext 7C863C09 6 Bytes JMP 7130000A .text C:\WINDOWS\system32\winlogon.exe[920] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 716C000A .text C:\WINDOWS\system32\winlogon.exe[920] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\winlogon.exe[920] ADVAPI32.dll!RegQueryValueExW 77DC6FFF 6 Bytes JMP 7175000A .text C:\WINDOWS\system32\winlogon.exe[920] ADVAPI32.dll!RegCreateKeyExW 77DC776C 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\winlogon.exe[920] ADVAPI32.dll!RegOpenKeyExA 77DC7852 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\winlogon.exe[920] ADVAPI32.dll!RegOpenKeyW 77DC7946 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\winlogon.exe[920] ADVAPI32.dll!OpenProcessToken 77DC798B 6 Bytes JMP 712D000A .text 
C:\WINDOWS\system32\winlogon.exe[920] ADVAPI32.dll!RegQueryValueExA 77DC7ABB 6 Bytes JMP 7178000A .text C:\WINDOWS\system32\winlogon.exe[920] ADVAPI32.dll!RegSetValueExW 77DCD767 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\winlogon.exe[920] ADVAPI32.dll!RegQueryValueW 77DCD87A 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\winlogon.exe[920] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\winlogon.exe[920] ADVAPI32.dll!RegSetValueExA 77DCEAE7 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\winlogon.exe[920] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\winlogon.exe[920] ADVAPI32.dll!AdjustTokenPrivileges 77DCF00C 6 Bytes JMP 7124000A .text C:\WINDOWS\system32\winlogon.exe[920] ADVAPI32.dll!RegDeleteKeyA 77DD42A0 6 Bytes JMP 7100000A .text C:\WINDOWS\system32\winlogon.exe[920] ADVAPI32.dll!RegDeleteKeyW 77DD559B 6 Bytes JMP 70FD000A .text C:\WINDOWS\system32\winlogon.exe[920] ADVAPI32.dll!OpenSCManagerW 77DD6F55 6 Bytes JMP 715D000A .text C:\WINDOWS\system32\winlogon.exe[920] ADVAPI32.dll!OpenSCManagerA 77DE69AE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\winlogon.exe[920] ADVAPI32.dll!OpenSCManagerA + 4 77DE69B2 2 Bytes [5F, 71] .text C:\WINDOWS\system32\winlogon.exe[920] ADVAPI32.dll!LookupPrivilegeValueW 77DEB8DF 6 Bytes JMP 7127000A .text C:\WINDOWS\system32\winlogon.exe[920] ADVAPI32.dll!RegCreateKeyW 77DEBA55 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\winlogon.exe[920] ADVAPI32.dll!RegQueryValueA 77DEBB8D 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\winlogon.exe[920] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\winlogon.exe[920] ADVAPI32.dll!LookupPrivilegeValueA 77DEC238 6 Bytes JMP 712A000A .text C:\WINDOWS\system32\winlogon.exe[920] USER32.dll!SetWindowTextW 7E37960E 6 Bytes JMP 70F7000A .text C:\WINDOWS\system32\winlogon.exe[920] USER32.dll!GetWindowTextW 7E37A5CD 6 Bytes JMP 7157000A .text C:\WINDOWS\system32\winlogon.exe[920] 
USER32.dll!ShowWindow 7E37AF56 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\winlogon.exe[920] USER32.dll!ShowWindow + 4 7E37AF5A 2 Bytes [53, 71] .text C:\WINDOWS\system32\winlogon.exe[920] USER32.dll!CreateWindowExW 7E37D0A3 6 Bytes JMP 7109000A .text C:\WINDOWS\system32\winlogon.exe[920] USER32.dll!DrawTextW 7E37D7E2 6 Bytes JMP 710F000A .text C:\WINDOWS\system32\winlogon.exe[920] USER32.dll!CreateWindowExA 7E37E4A9 6 Bytes JMP 710C000A .text C:\WINDOWS\system32\winlogon.exe[920] USER32.dll!SetWindowTextA 7E37F56B 6 Bytes JMP 70FA000A .text C:\WINDOWS\system32\winlogon.exe[920] USER32.dll!GetWindowTextA 7E38216B 6 Bytes JMP 715A000A .text C:\WINDOWS\system32\winlogon.exe[920] USER32.dll!DrawTextA 7E38C702 6 Bytes JMP 7112000A .text C:\WINDOWS\system32\winlogon.exe[920] SHELL32.dll!Shell_NotifyIcon 7CA28BC6 6 Bytes JMP 7142000A .text C:\WINDOWS\system32\winlogon.exe[920] SHELL32.dll!Shell_NotifyIconW 7CA2A537 6 Bytes JMP 713F000A .text C:\WINDOWS\system32\services.exe[964] ntdll.dll!NtClose 7C90CFEE 2 Bytes JMP 1001D060 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\services.exe[964] ntdll.dll!NtClose + 3 7C90CFF1 2 Bytes [71, 93] {JNO 0xffffffffffffff95} .text C:\WINDOWS\system32\services.exe[964] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[964] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [5C, 71] .text C:\WINDOWS\system32\services.exe[964] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BB20 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\services.exe[964] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B800 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\services.exe[964] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[964] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [74, 71] {JZ 0x73} .text 
C:\WINDOWS\system32\services.exe[964] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10027DD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\services.exe[964] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001D180 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\services.exe[964] kernel32.dll!DeviceIoControl 7C801629 6 Bytes JMP 70E5000A .text C:\WINDOWS\system32\services.exe[964] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 7118000A .text C:\WINDOWS\system32\services.exe[964] kernel32.dll!VirtualProtectEx 7C801A61 6 Bytes JMP 7160000A .text C:\WINDOWS\system32\services.exe[964] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 710C000A .text C:\WINDOWS\system32\services.exe[964] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AB0001 .text C:\WINDOWS\system32\services.exe[964] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 719B000A .text C:\WINDOWS\system32\services.exe[964] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 71A1000A .text C:\WINDOWS\system32\services.exe[964] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 719E000A .text C:\WINDOWS\system32\services.exe[964] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10024F10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\services.exe[964] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025AA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\services.exe[964] kernel32.dll!VirtualAlloc 7C809AF1 6 Bytes JMP 710F000A .text C:\WINDOWS\system32\services.exe[964] kernel32.dll!MultiByteToWideChar 7C809C98 6 Bytes JMP 70BE000A .text C:\WINDOWS\system32\services.exe[964] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 70FA000A .text C:\WINDOWS\system32\services.exe[964] kernel32.dll!WideCharToMultiByte 7C80A174 6 Bytes JMP 709D000A .text C:\WINDOWS\system32\services.exe[964] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 714E000A 
.text C:\WINDOWS\system32\services.exe[964] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 7198000A .text C:\WINDOWS\system32\services.exe[964] kernel32.dll!CreateMutexW 7C80E957 6 Bytes JMP 70C7000A .text C:\WINDOWS\system32\services.exe[964] kernel32.dll!CreateMutexA 7C80E9DF 6 Bytes JMP 70CA000A .text C:\WINDOWS\system32\services.exe[964] kernel32.dll!OpenMutexW 7C80EA35 6 Bytes JMP 70C1000A .text C:\WINDOWS\system32\services.exe[964] kernel32.dll!OpenMutexA 7C80EABB 6 Bytes JMP 70C4000A .text C:\WINDOWS\system32\services.exe[964] kernel32.dll!GetVolumeInformationW 7C80FA85 6 Bytes JMP 7148000A .text C:\WINDOWS\system32\services.exe[964] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[964] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [AD, 71] .text C:\WINDOWS\system32\services.exe[964] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 7112000A .text C:\WINDOWS\system32\services.exe[964] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 711B000A .text C:\WINDOWS\system32\services.exe[964] kernel32.dll!WriteFile 7C810E27 6 Bytes JMP 70DC000A .text C:\WINDOWS\system32\services.exe[964] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 7172000A .text C:\WINDOWS\system32\services.exe[964] kernel32.dll!MoveFileW 7C821261 6 Bytes JMP 7097000A .text C:\WINDOWS\system32\services.exe[964] kernel32.dll!CreateDirectoryA 7C8217AC 6 Bytes JMP 70E2000A .text C:\WINDOWS\system32\services.exe[964] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 714B000A .text C:\WINDOWS\system32\services.exe[964] kernel32.dll!CopyFileExW 7C827B32 6 Bytes JMP 70EE000A .text C:\WINDOWS\system32\services.exe[964] kernel32.dll!CopyFileA 7C8286EE 6 Bytes JMP 70F7000A .text C:\WINDOWS\system32\services.exe[964] kernel32.dll!CopyFileW 7C82F87B 6 Bytes JMP 70F4000A .text C:\WINDOWS\system32\services.exe[964] kernel32.dll!OpenProcess 7C8309E9 6 Bytes JMP 708E000A .text C:\WINDOWS\system32\services.exe[964] kernel32.dll!DeleteFileA 7C831EDD 6 
Bytes JMP 70AF000A .text C:\WINDOWS\system32\services.exe[964] kernel32.dll!DeleteFileW 7C831F63 6 Bytes JMP 70AC000A .text C:\WINDOWS\system32\services.exe[964] kernel32.dll!CreateDirectoryW 7C832402 6 Bytes JMP 70DF000A .text C:\WINDOWS\system32\services.exe[964] kernel32.dll!MoveFileExW 7C83568B 6 Bytes JMP 7091000A .text C:\WINDOWS\system32\services.exe[964] kernel32.dll!MoveFileA 7C835EBF 6 Bytes JMP 709A000A .text C:\WINDOWS\system32\services.exe[964] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 716F000A .text C:\WINDOWS\system32\services.exe[964] kernel32.dll!MoveFileExA 7C85E49B 6 Bytes JMP 7094000A .text C:\WINDOWS\system32\services.exe[964] kernel32.dll!CopyFileExA 7C85F39C 6 Bytes JMP 70F1000A .text C:\WINDOWS\system32\services.exe[964] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\services.exe[964] kernel32.dll!SetThreadContext 7C863C09 6 Bytes JMP 70D9000A .text C:\WINDOWS\system32\services.exe[964] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 7115000A .text C:\WINDOWS\system32\services.exe[964] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 6 Bytes JMP 7130000A .text C:\WINDOWS\system32\services.exe[964] ADVAPI32.dll!RegQueryValueExW 77DC6FFF 6 Bytes JMP 711E000A .text C:\WINDOWS\system32\services.exe[964] ADVAPI32.dll!RegCreateKeyExW 77DC776C 6 Bytes JMP 7142000A .text C:\WINDOWS\system32\services.exe[964] ADVAPI32.dll!RegOpenKeyExA 77DC7852 6 Bytes JMP 7133000A .text C:\WINDOWS\system32\services.exe[964] ADVAPI32.dll!RegOpenKeyW 77DC7946 6 Bytes JMP 7136000A .text C:\WINDOWS\system32\services.exe[964] ADVAPI32.dll!OpenProcessToken 77DC798B 6 Bytes JMP 70D6000A .text C:\WINDOWS\system32\services.exe[964] ADVAPI32.dll!RegQueryValueExA 77DC7ABB 6 Bytes JMP 7121000A .text C:\WINDOWS\system32\services.exe[964] ADVAPI32.dll!RegSetValueExW 77DCD767 6 Bytes JMP 712A000A .text C:\WINDOWS\system32\services.exe[964] ADVAPI32.dll!RegQueryValueW 77DCD87A 6 Bytes JMP 7124000A .text C:\WINDOWS\system32\services.exe[964] 
ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 6 Bytes JMP 7145000A .text C:\WINDOWS\system32\services.exe[964] ADVAPI32.dll!RegSetValueExA 77DCEAE7 6 Bytes JMP 712D000A .text C:\WINDOWS\system32\services.exe[964] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 6 Bytes JMP 7139000A .text C:\WINDOWS\system32\services.exe[964] ADVAPI32.dll!AdjustTokenPrivileges 77DCF00C 6 Bytes JMP 70CD000A .text C:\WINDOWS\system32\services.exe[964] ADVAPI32.dll!RegDeleteKeyA 77DD42A0 6 Bytes JMP 70A9000A .text C:\WINDOWS\system32\services.exe[964] ADVAPI32.dll!RegDeleteKeyW 77DD559B 6 Bytes JMP 70A6000A .text C:\WINDOWS\system32\services.exe[964] ADVAPI32.dll!OpenSCManagerW 77DD6F55 6 Bytes JMP 7106000A .text C:\WINDOWS\system32\services.exe[964] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 5 Bytes JMP 10023A40 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\services.exe[964] ADVAPI32.dll!OpenSCManagerA 77DE69AE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[964] ADVAPI32.dll!OpenSCManagerA + 4 77DE69B2 2 Bytes [08, 71] .text C:\WINDOWS\system32\services.exe[964] ADVAPI32.dll!LookupPrivilegeValueW 77DEB8DF 6 Bytes JMP 70D0000A .text C:\WINDOWS\system32\services.exe[964] ADVAPI32.dll!RegCreateKeyW 77DEBA55 6 Bytes JMP 713C000A .text C:\WINDOWS\system32\services.exe[964] ADVAPI32.dll!RegQueryValueA 77DEBB8D 6 Bytes JMP 7127000A .text C:\WINDOWS\system32\services.exe[964] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 6 Bytes JMP 713F000A .text C:\WINDOWS\system32\services.exe[964] ADVAPI32.dll!LookupPrivilegeValueA 77DEC238 6 Bytes JMP 70D3000A .text C:\WINDOWS\system32\services.exe[964] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 5 Bytes JMP 10024370 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\services.exe[964] ADVAPI32.dll!LsaRemoveAccountRights 77E0AC91 6 Bytes JMP 71A7000A .text C:\WINDOWS\system32\services.exe[964] ADVAPI32.dll!CreateServiceA 77E27211 6 Bytes JMP 715A000A .text 
C:\WINDOWS\system32\services.exe[964] ADVAPI32.dll!CreateServiceW 77E273A9 6 Bytes JMP 7157000A .text C:\WINDOWS\system32\services.exe[964] RPCRT4.dll!RpcServerRegisterIfEx 77E8CD53 5 Bytes JMP 1001F040 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\services.exe[964] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7192000A .text C:\WINDOWS\system32\services.exe[964] USER32.dll!SetWindowTextW 7E37960E 6 Bytes JMP 70A0000A .text C:\WINDOWS\system32\services.exe[964] USER32.dll!GetKeyState 7E379ED9 6 Bytes JMP 716C000A .text C:\WINDOWS\system32\services.exe[964] USER32.dll!GetWindowTextW 7E37A5CD 6 Bytes JMP 7100000A .text C:\WINDOWS\system32\services.exe[964] USER32.dll!GetAsyncKeyState 7E37A78F 6 Bytes JMP 7169000A .text C:\WINDOWS\system32\services.exe[964] USER32.dll!ShowWindow 7E37AF56 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[964] USER32.dll!ShowWindow + 4 7E37AF5A 2 Bytes [FC, 70] .text C:\WINDOWS\system32\services.exe[964] USER32.dll!CreateWindowExW 7E37D0A3 6 Bytes JMP 70B2000A .text C:\WINDOWS\system32\services.exe[964] USER32.dll!GetKeyboardState 7E37D226 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[964] USER32.dll!GetKeyboardState + 4 7E37D22A 2 Bytes [65, 71] .text C:\WINDOWS\system32\services.exe[964] USER32.dll!DrawTextW 7E37D7E2 6 Bytes JMP 70B8000A .text C:\WINDOWS\system32\services.exe[964] USER32.dll!CreateWindowExA 7E37E4A9 6 Bytes JMP 70B5000A .text C:\WINDOWS\system32\services.exe[964] USER32.dll!SetWindowTextA 7E37F56B 6 Bytes JMP 70A3000A .text C:\WINDOWS\system32\services.exe[964] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7195000A .text C:\WINDOWS\system32\services.exe[964] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7154000A .text C:\WINDOWS\system32\services.exe[964] USER32.dll!GetWindowTextA 7E38216B 6 Bytes JMP 7103000A .text C:\WINDOWS\system32\services.exe[964] USER32.dll!DrawTextA 7E38C702 6 Bytes JMP 70BB000A .text 
C:\WINDOWS\system32\services.exe[964] USER32.dll!DdeConnect 7E3A81C3 6 Bytes JMP 7163000A .text C:\WINDOWS\system32\services.exe[964] USER32.dll!EndTask 7E3AA0A5 6 Bytes JMP 7178000A .text C:\WINDOWS\system32\services.exe[964] USER32.dll!RegisterRawInputDevices 7E3BCE0E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[964] USER32.dll!RegisterRawInputDevices + 4 7E3BCE12 2 Bytes [50, 71] .text C:\WINDOWS\system32\services.exe[964] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028BA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\services.exe[964] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028970 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\services.exe[964] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029CA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\services.exe[964] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029BA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\services.exe[964] SHELL32.dll!ShellExecuteExW 7CA098CB 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\services.exe[964] SHELL32.dll!Shell_NotifyIcon 7CA28BC6 6 Bytes JMP 70EB000A .text C:\WINDOWS\system32\services.exe[964] SHELL32.dll!Shell_NotifyIconW 7CA2A537 6 Bytes JMP 70E8000A .text C:\WINDOWS\system32\services.exe[964] SHELL32.dll!ShellExecuteEx 7CA40E45 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\services.exe[964] SHELL32.dll!ShellExecuteA 7CA41170 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\services.exe[964] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\lsass.exe[976] ntdll.dll!NtClose 7C90CFEE 2 Bytes JMP 1001D060 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\lsass.exe[976] ntdll.dll!NtClose + 3 7C90CFF1 2 Bytes [71, 93] {JNO 0xffffffffffffff95} .text C:\WINDOWS\system32\lsass.exe[976] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes 
[FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[976] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [5A, 71] .text C:\WINDOWS\system32\lsass.exe[976] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BB20 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\lsass.exe[976] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B800 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\lsass.exe[976] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[976] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [72, 71] {JB 0x73} .text C:\WINDOWS\system32\lsass.exe[976] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10027DD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\lsass.exe[976] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001D180 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\lsass.exe[976] kernel32.dll!DeviceIoControl 7C801629 6 Bytes JMP 70E3000A .text C:\WINDOWS\system32\lsass.exe[976] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 7116000A .text C:\WINDOWS\system32\lsass.exe[976] kernel32.dll!VirtualProtectEx 7C801A61 6 Bytes JMP 715E000A .text C:\WINDOWS\system32\lsass.exe[976] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 710A000A .text C:\WINDOWS\system32\lsass.exe[976] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71A90001 .text C:\WINDOWS\system32\lsass.exe[976] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\lsass.exe[976] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\lsass.exe[976] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\lsass.exe[976] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10024F10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\lsass.exe[976] 
kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025AA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\lsass.exe[976] kernel32.dll!VirtualAlloc 7C809AF1 6 Bytes JMP 710D000A .text C:\WINDOWS\system32\lsass.exe[976] kernel32.dll!MultiByteToWideChar 7C809C98 6 Bytes JMP 70BC000A .text C:\WINDOWS\system32\lsass.exe[976] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 70F8000A .text C:\WINDOWS\system32\lsass.exe[976] kernel32.dll!WideCharToMultiByte 7C80A174 6 Bytes JMP 709B000A .text C:\WINDOWS\system32\lsass.exe[976] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 714C000A .text C:\WINDOWS\system32\lsass.exe[976] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\lsass.exe[976] kernel32.dll!CreateMutexW 7C80E957 6 Bytes JMP 70C5000A .text C:\WINDOWS\system32\lsass.exe[976] kernel32.dll!CreateMutexA 7C80E9DF 6 Bytes JMP 70C8000A .text C:\WINDOWS\system32\lsass.exe[976] kernel32.dll!OpenMutexW 7C80EA35 6 Bytes JMP 70BF000A .text C:\WINDOWS\system32\lsass.exe[976] kernel32.dll!OpenMutexA 7C80EABB 6 Bytes JMP 70C2000A .text C:\WINDOWS\system32\lsass.exe[976] kernel32.dll!GetVolumeInformationW 7C80FA85 6 Bytes JMP 7146000A .text C:\WINDOWS\system32\lsass.exe[976] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[976] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [AB, 71] .text C:\WINDOWS\system32\lsass.exe[976] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 7110000A .text C:\WINDOWS\system32\lsass.exe[976] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 7119000A .text C:\WINDOWS\system32\lsass.exe[976] kernel32.dll!WriteFile 7C810E27 6 Bytes JMP 70DA000A .text C:\WINDOWS\system32\lsass.exe[976] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 7170000A .text C:\WINDOWS\system32\lsass.exe[976] kernel32.dll!MoveFileW 7C821261 6 Bytes JMP 7095000A .text C:\WINDOWS\system32\lsass.exe[976] kernel32.dll!CreateDirectoryA 7C8217AC 6 Bytes JMP 70E0000A 
.text C:\WINDOWS\system32\lsass.exe[976] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 7149000A .text C:\WINDOWS\system32\lsass.exe[976] kernel32.dll!CopyFileExW 7C827B32 6 Bytes JMP 70EC000A .text C:\WINDOWS\system32\lsass.exe[976] kernel32.dll!CopyFileA 7C8286EE 6 Bytes JMP 70F5000A .text C:\WINDOWS\system32\lsass.exe[976] kernel32.dll!CopyFileW 7C82F87B 6 Bytes JMP 70F2000A .text C:\WINDOWS\system32\lsass.exe[976] kernel32.dll!OpenProcess 7C8309E9 6 Bytes JMP 708C000A .text C:\WINDOWS\system32\lsass.exe[976] kernel32.dll!DeleteFileA 7C831EDD 6 Bytes JMP 70AD000A .text C:\WINDOWS\system32\lsass.exe[976] kernel32.dll!DeleteFileW 7C831F63 6 Bytes JMP 70AA000A .text C:\WINDOWS\system32\lsass.exe[976] kernel32.dll!CreateDirectoryW 7C832402 6 Bytes JMP 70DD000A .text C:\WINDOWS\system32\lsass.exe[976] kernel32.dll!MoveFileExW 7C83568B 6 Bytes JMP 708F000A .text C:\WINDOWS\system32\lsass.exe[976] kernel32.dll!MoveFileA 7C835EBF 6 Bytes JMP 7098000A .text C:\WINDOWS\system32\lsass.exe[976] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 716D000A .text C:\WINDOWS\system32\lsass.exe[976] kernel32.dll!MoveFileExA 7C85E49B 6 Bytes JMP 7092000A .text C:\WINDOWS\system32\lsass.exe[976] kernel32.dll!CopyFileExA 7C85F39C 6 Bytes JMP 70EF000A .text C:\WINDOWS\system32\lsass.exe[976] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 7179000A .text C:\WINDOWS\system32\lsass.exe[976] kernel32.dll!SetThreadContext 7C863C09 6 Bytes JMP 70D7000A .text C:\WINDOWS\system32\lsass.exe[976] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 7113000A .text C:\WINDOWS\system32\lsass.exe[976] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 6 Bytes JMP 712E000A .text C:\WINDOWS\system32\lsass.exe[976] ADVAPI32.dll!RegQueryValueExW 77DC6FFF 6 Bytes JMP 711C000A .text C:\WINDOWS\system32\lsass.exe[976] ADVAPI32.dll!RegCreateKeyExW 77DC776C 6 Bytes JMP 7140000A .text C:\WINDOWS\system32\lsass.exe[976] ADVAPI32.dll!RegOpenKeyExA 77DC7852 6 Bytes JMP 7131000A .text 
C:\WINDOWS\system32\lsass.exe[976] ADVAPI32.dll!RegOpenKeyW 77DC7946 6 Bytes JMP 7134000A .text C:\WINDOWS\system32\lsass.exe[976] ADVAPI32.dll!OpenProcessToken 77DC798B 6 Bytes JMP 70D4000A .text C:\WINDOWS\system32\lsass.exe[976] ADVAPI32.dll!RegQueryValueExA 77DC7ABB 6 Bytes JMP 711F000A .text C:\WINDOWS\system32\lsass.exe[976] ADVAPI32.dll!RegSetValueExW 77DCD767 6 Bytes JMP 7128000A .text C:\WINDOWS\system32\lsass.exe[976] ADVAPI32.dll!RegQueryValueW 77DCD87A 6 Bytes JMP 7122000A .text C:\WINDOWS\system32\lsass.exe[976] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 6 Bytes JMP 7143000A .text C:\WINDOWS\system32\lsass.exe[976] ADVAPI32.dll!RegSetValueExA 77DCEAE7 6 Bytes JMP 712B000A .text C:\WINDOWS\system32\lsass.exe[976] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 6 Bytes JMP 7137000A .text C:\WINDOWS\system32\lsass.exe[976] ADVAPI32.dll!AdjustTokenPrivileges 77DCF00C 6 Bytes JMP 70CB000A .text C:\WINDOWS\system32\lsass.exe[976] ADVAPI32.dll!RegDeleteKeyA 77DD42A0 6 Bytes JMP 70A7000A .text C:\WINDOWS\system32\lsass.exe[976] ADVAPI32.dll!RegDeleteKeyW 77DD559B 6 Bytes JMP 70A4000A .text C:\WINDOWS\system32\lsass.exe[976] ADVAPI32.dll!OpenSCManagerW 77DD6F55 6 Bytes JMP 7104000A .text C:\WINDOWS\system32\lsass.exe[976] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 5 Bytes JMP 10023A40 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\lsass.exe[976] ADVAPI32.dll!OpenSCManagerA 77DE69AE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[976] ADVAPI32.dll!OpenSCManagerA + 4 77DE69B2 2 Bytes [06, 71] .text C:\WINDOWS\system32\lsass.exe[976] ADVAPI32.dll!LookupPrivilegeValueW 77DEB8DF 6 Bytes JMP 70CE000A .text C:\WINDOWS\system32\lsass.exe[976] ADVAPI32.dll!RegCreateKeyW 77DEBA55 6 Bytes JMP 713A000A .text C:\WINDOWS\system32\lsass.exe[976] ADVAPI32.dll!RegQueryValueA 77DEBB8D 6 Bytes JMP 7125000A .text C:\WINDOWS\system32\lsass.exe[976] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 6 Bytes JMP 713D000A .text C:\WINDOWS\system32\lsass.exe[976] 
ADVAPI32.dll!LookupPrivilegeValueA 77DEC238 6 Bytes JMP 70D1000A .text C:\WINDOWS\system32\lsass.exe[976] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 5 Bytes JMP 10024370 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\lsass.exe[976] ADVAPI32.dll!LsaRemoveAccountRights 77E0AC91 6 Bytes JMP 71A2000A .text C:\WINDOWS\system32\lsass.exe[976] ADVAPI32.dll!CreateServiceA 77E27211 6 Bytes JMP 7158000A .text C:\WINDOWS\system32\lsass.exe[976] ADVAPI32.dll!CreateServiceW 77E273A9 6 Bytes JMP 7155000A .text C:\WINDOWS\system32\lsass.exe[976] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\lsass.exe[976] USER32.dll!SetWindowTextW 7E37960E 6 Bytes JMP 709E000A .text C:\WINDOWS\system32\lsass.exe[976] USER32.dll!GetKeyState 7E379ED9 6 Bytes JMP 716A000A .text C:\WINDOWS\system32\lsass.exe[976] USER32.dll!GetWindowTextW 7E37A5CD 6 Bytes JMP 70FE000A .text C:\WINDOWS\system32\lsass.exe[976] USER32.dll!GetAsyncKeyState 7E37A78F 6 Bytes JMP 7167000A .text C:\WINDOWS\system32\lsass.exe[976] USER32.dll!ShowWindow 7E37AF56 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[976] USER32.dll!ShowWindow + 4 7E37AF5A 2 Bytes [FA, 70] .text C:\WINDOWS\system32\lsass.exe[976] USER32.dll!CreateWindowExW 7E37D0A3 6 Bytes JMP 70B0000A .text C:\WINDOWS\system32\lsass.exe[976] USER32.dll!GetKeyboardState 7E37D226 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[976] USER32.dll!GetKeyboardState + 4 7E37D22A 2 Bytes [63, 71] .text C:\WINDOWS\system32\lsass.exe[976] USER32.dll!DrawTextW 7E37D7E2 6 Bytes JMP 70B6000A .text C:\WINDOWS\system32\lsass.exe[976] USER32.dll!CreateWindowExA 7E37E4A9 6 Bytes JMP 70B3000A .text C:\WINDOWS\system32\lsass.exe[976] USER32.dll!SetWindowTextA 7E37F56B 6 Bytes JMP 70A1000A .text C:\WINDOWS\system32\lsass.exe[976] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\lsass.exe[976] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7152000A 
.text C:\WINDOWS\system32\lsass.exe[976] USER32.dll!GetWindowTextA 7E38216B 6 Bytes JMP 7101000A .text C:\WINDOWS\system32\lsass.exe[976] USER32.dll!DrawTextA 7E38C702 6 Bytes JMP 70B9000A .text C:\WINDOWS\system32\lsass.exe[976] USER32.dll!DdeConnect 7E3A81C3 6 Bytes JMP 7161000A .text C:\WINDOWS\system32\lsass.exe[976] USER32.dll!EndTask 7E3AA0A5 6 Bytes JMP 7176000A .text C:\WINDOWS\system32\lsass.exe[976] USER32.dll!RegisterRawInputDevices 7E3BCE0E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[976] USER32.dll!RegisterRawInputDevices + 4 7E3BCE12 2 Bytes [4E, 71] .text C:\WINDOWS\system32\lsass.exe[976] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028BA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\lsass.exe[976] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028970 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\lsass.exe[976] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029CA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\lsass.exe[976] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029BA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\lsass.exe[976] SHELL32.dll!ShellExecuteExW 7CA098CB 6 Bytes JMP 717C000A .text C:\WINDOWS\system32\lsass.exe[976] SHELL32.dll!Shell_NotifyIcon 7CA28BC6 6 Bytes JMP 70E9000A .text C:\WINDOWS\system32\lsass.exe[976] SHELL32.dll!Shell_NotifyIconW 7CA2A537 6 Bytes JMP 70E6000A .text C:\WINDOWS\system32\lsass.exe[976] SHELL32.dll!ShellExecuteEx 7CA40E45 6 Bytes JMP 717F000A .text C:\WINDOWS\system32\lsass.exe[976] SHELL32.dll!ShellExecuteA 7CA41170 6 Bytes JMP 7185000A .text C:\WINDOWS\system32\lsass.exe[976] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 7182000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] ntdll.dll!NtClose 7C90CFEE 2 Bytes JMP 1001D060 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program 
Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] ntdll.dll!NtClose + 3 7C90CFF1 2 Bytes [71, 93] {JNO 0xffffffffffffff95} .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E] .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [5C, 71] .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BB20 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B800 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E] .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10027DD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001D180 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] kernel32.dll!DeviceIoControl 7C801629 6 Bytes JMP 70E5000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 7118000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] kernel32.dll!VirtualProtectEx 7C801A61 6 Bytes JMP 7160000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 710C000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AB0001 .text C:\Program 
Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 719B000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 71A1000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 719E000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10024F10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025AA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] kernel32.dll!VirtualAlloc 7C809AF1 6 Bytes JMP 710F000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] kernel32.dll!MultiByteToWideChar 7C809C98 6 Bytes JMP 70BE000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 70FA000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] kernel32.dll!WideCharToMultiByte 7C80A174 6 Bytes JMP 709D000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 714E000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 7198000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] kernel32.dll!CreateMutexW 7C80E957 6 Bytes JMP 70C7000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] kernel32.dll!CreateMutexA 7C80E9DF 6 Bytes JMP 70CA000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] kernel32.dll!OpenMutexW 7C80EA35 6 Bytes JMP 70C1000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] kernel32.dll!OpenMutexA 7C80EABB 6 Bytes JMP 70C4000A .text C:\Program Files\COMODO\COMODO 
GeekBuddy\CLPSLS.exe[1156] kernel32.dll!GetVolumeInformationW 7C80FA85 6 Bytes JMP 7148000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E] .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [AD, 71] .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 7112000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 711B000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] kernel32.dll!WriteFile 7C810E27 6 Bytes JMP 70DC000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 7172000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] kernel32.dll!MoveFileW 7C821261 6 Bytes JMP 7097000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] kernel32.dll!CreateDirectoryA 7C8217AC 6 Bytes JMP 70E2000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 714B000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] kernel32.dll!CopyFileExW 7C827B32 6 Bytes JMP 70EE000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] kernel32.dll!CopyFileA 7C8286EE 6 Bytes JMP 70F7000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] kernel32.dll!CopyFileW 7C82F87B 6 Bytes JMP 70F4000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] kernel32.dll!OpenProcess 7C8309E9 6 Bytes JMP 708E000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] kernel32.dll!DeleteFileA 7C831EDD 6 Bytes JMP 70AF000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] kernel32.dll!DeleteFileW 7C831F63 6 Bytes JMP 70AC000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] kernel32.dll!CreateDirectoryW 
7C832402 6 Bytes JMP 70DF000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] kernel32.dll!MoveFileExW 7C83568B 6 Bytes JMP 7091000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] kernel32.dll!MoveFileA 7C835EBF 6 Bytes JMP 709A000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 716F000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] kernel32.dll!MoveFileExA 7C85E49B 6 Bytes JMP 7094000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] kernel32.dll!CopyFileExA 7C85F39C 6 Bytes JMP 70F1000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 717B000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] kernel32.dll!SetThreadContext 7C863C09 6 Bytes JMP 70D9000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 7115000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 6 Bytes JMP 7130000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] ADVAPI32.dll!RegQueryValueExW 77DC6FFF 6 Bytes JMP 711E000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] ADVAPI32.dll!RegCreateKeyExW 77DC776C 6 Bytes JMP 7142000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] ADVAPI32.dll!RegOpenKeyExA 77DC7852 6 Bytes JMP 7133000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] ADVAPI32.dll!RegOpenKeyW 77DC7946 6 Bytes JMP 7136000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] ADVAPI32.dll!OpenProcessToken 77DC798B 6 Bytes JMP 70D6000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] ADVAPI32.dll!RegQueryValueExA 77DC7ABB 6 Bytes JMP 7121000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] ADVAPI32.dll!RegSetValueExW 77DCD767 6 Bytes JMP 712A000A .text C:\Program 
Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] ADVAPI32.dll!RegQueryValueW 77DCD87A 6 Bytes JMP 7124000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 6 Bytes JMP 7145000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] ADVAPI32.dll!RegSetValueExA 77DCEAE7 6 Bytes JMP 712D000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 6 Bytes JMP 7139000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] ADVAPI32.dll!AdjustTokenPrivileges 77DCF00C 6 Bytes JMP 70CD000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] ADVAPI32.dll!RegDeleteKeyA 77DD42A0 6 Bytes JMP 70A9000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] ADVAPI32.dll!RegDeleteKeyW 77DD559B 6 Bytes JMP 70A6000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] ADVAPI32.dll!OpenSCManagerW 77DD6F55 6 Bytes JMP 7106000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 5 Bytes JMP 10023A40 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] ADVAPI32.dll!OpenSCManagerA 77DE69AE 3 Bytes [FF, 25, 1E] .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] ADVAPI32.dll!OpenSCManagerA + 4 77DE69B2 2 Bytes [08, 71] .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] ADVAPI32.dll!LookupPrivilegeValueW 77DEB8DF 6 Bytes JMP 70D0000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] ADVAPI32.dll!RegCreateKeyW 77DEBA55 6 Bytes JMP 713C000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] ADVAPI32.dll!RegQueryValueA 77DEBB8D 6 Bytes JMP 7127000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 6 Bytes JMP 713F000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] ADVAPI32.dll!LookupPrivilegeValueA 
77DEC238 6 Bytes JMP 70D3000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 5 Bytes JMP 10024370 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] ADVAPI32.dll!LsaRemoveAccountRights 77E0AC91 6 Bytes JMP 71A7000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] ADVAPI32.dll!CreateServiceA 77E27211 6 Bytes JMP 715A000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] ADVAPI32.dll!CreateServiceW 77E273A9 6 Bytes JMP 7157000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7192000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] USER32.dll!SetWindowTextW 7E37960E 6 Bytes JMP 70A0000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] USER32.dll!GetKeyState 7E379ED9 6 Bytes JMP 716C000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] USER32.dll!GetWindowTextW 7E37A5CD 6 Bytes JMP 7100000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] USER32.dll!GetAsyncKeyState 7E37A78F 6 Bytes JMP 7169000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] USER32.dll!ShowWindow 7E37AF56 3 Bytes [FF, 25, 1E] .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] USER32.dll!ShowWindow + 4 7E37AF5A 2 Bytes [FC, 70] .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] USER32.dll!CreateWindowExW 7E37D0A3 6 Bytes JMP 70B2000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] USER32.dll!GetKeyboardState 7E37D226 3 Bytes [FF, 25, 1E] .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] USER32.dll!GetKeyboardState + 4 7E37D22A 2 Bytes [65, 71] .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] USER32.dll!DrawTextW 7E37D7E2 6 Bytes JMP 70B8000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] 
USER32.dll!CreateWindowExA 7E37E4A9 6 Bytes JMP 70B5000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] USER32.dll!SetWindowTextA 7E37F56B 6 Bytes JMP 70A3000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7195000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7154000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] USER32.dll!GetWindowTextA 7E38216B 6 Bytes JMP 7103000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] USER32.dll!DrawTextA 7E38C702 6 Bytes JMP 70BB000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] USER32.dll!DdeConnect 7E3A81C3 6 Bytes JMP 7163000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] USER32.dll!EndTask 7E3AA0A5 6 Bytes JMP 7178000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] USER32.dll!RegisterRawInputDevices 7E3BCE0E 3 Bytes [FF, 25, 1E] .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] USER32.dll!RegisterRawInputDevices + 4 7E3BCE12 2 Bytes [50, 71] .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028BA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028970 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029CA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029BA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] SHELL32.dll!ShellExecuteExW 7CA098CB 6 Bytes JMP 717E000A .text C:\Program 
Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] SHELL32.dll!Shell_NotifyIcon 7CA28BC6 6 Bytes JMP 70EB000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] SHELL32.dll!Shell_NotifyIconW 7CA2A537 6 Bytes JMP 70E8000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] SHELL32.dll!ShellExecuteEx 7CA40E45 6 Bytes JMP 7181000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] SHELL32.dll!ShellExecuteA 7CA41170 6 Bytes JMP 7187000A .text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1156] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[1168] ntdll.dll!NtClose 7C90CFEE 2 Bytes JMP 1001D060 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1168] ntdll.dll!NtClose + 3 7C90CFF1 2 Bytes [71, 93] {JNO 0xffffffffffffff95} .text C:\WINDOWS\system32\svchost.exe[1168] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1168] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [5C, 71] .text C:\WINDOWS\system32\svchost.exe[1168] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BB20 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1168] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B800 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1168] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1168] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\svchost.exe[1168] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10027DD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1168] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001D180 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1168] 
kernel32.dll!DeviceIoControl 7C801629 6 Bytes JMP 70E5000A .text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 7118000A .text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!VirtualProtectEx 7C801A61 6 Bytes JMP 7160000A .text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 710C000A .text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AB0001 .text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 719B000A .text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 71A1000A .text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 719E000A .text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10024F10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025AA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!VirtualAlloc 7C809AF1 6 Bytes JMP 710F000A .text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!MultiByteToWideChar 7C809C98 6 Bytes JMP 70BE000A .text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 70FA000A .text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!WideCharToMultiByte 7C80A174 6 Bytes JMP 709D000A .text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 714E000A .text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 7198000A .text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!CreateMutexW 7C80E957 6 Bytes JMP 70C7000A .text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!CreateMutexA 7C80E9DF 6 Bytes JMP 70CA000A .text C:\WINDOWS\system32\svchost.exe[1168] 
kernel32.dll!OpenMutexW 7C80EA35 6 Bytes JMP 70C1000A .text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!OpenMutexA 7C80EABB 6 Bytes JMP 70C4000A .text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!GetVolumeInformationW 7C80FA85 6 Bytes JMP 7148000A .text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [AD, 71] .text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 7112000A .text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 711B000A .text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!WriteFile 7C810E27 6 Bytes JMP 70DC000A .text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 7172000A .text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!MoveFileW 7C821261 6 Bytes JMP 7097000A .text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!CreateDirectoryA 7C8217AC 6 Bytes JMP 70E2000A .text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 714B000A .text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!CopyFileExW 7C827B32 6 Bytes JMP 70EE000A .text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!CopyFileA 7C8286EE 6 Bytes JMP 70F7000A .text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!CopyFileW 7C82F87B 6 Bytes JMP 70F4000A .text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!OpenProcess 7C8309E9 6 Bytes JMP 708E000A .text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!DeleteFileA 7C831EDD 6 Bytes JMP 70AF000A .text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!DeleteFileW 7C831F63 6 Bytes JMP 70AC000A .text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!CreateDirectoryW 7C832402 6 Bytes JMP 70DF000A .text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!MoveFileExW 7C83568B 6 Bytes JMP 7091000A .text 
C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!MoveFileA 7C835EBF 6 Bytes JMP 709A000A .text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 716F000A .text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!MoveFileExA 7C85E49B 6 Bytes JMP 7094000A .text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!CopyFileExA 7C85F39C 6 Bytes JMP 70F1000A .text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!SetThreadContext 7C863C09 6 Bytes JMP 70D9000A .text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 7115000A .text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 6 Bytes JMP 7130000A .text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!RegQueryValueExW 77DC6FFF 6 Bytes JMP 711E000A .text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!RegCreateKeyExW 77DC776C 6 Bytes JMP 7142000A .text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!RegOpenKeyExA 77DC7852 6 Bytes JMP 7133000A .text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!RegOpenKeyW 77DC7946 6 Bytes JMP 7136000A .text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!OpenProcessToken 77DC798B 6 Bytes JMP 70D6000A .text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!RegQueryValueExA 77DC7ABB 6 Bytes JMP 7121000A .text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!RegSetValueExW 77DCD767 6 Bytes JMP 712A000A .text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!RegQueryValueW 77DCD87A 6 Bytes JMP 7124000A .text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 6 Bytes JMP 7145000A .text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!RegSetValueExA 77DCEAE7 6 Bytes JMP 712D000A .text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 6 Bytes JMP 7139000A .text C:\WINDOWS\system32\svchost.exe[1168] 
ADVAPI32.dll!AdjustTokenPrivileges 77DCF00C 6 Bytes JMP 70CD000A .text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!RegDeleteKeyA 77DD42A0 6 Bytes JMP 70A9000A .text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!RegDeleteKeyW 77DD559B 6 Bytes JMP 70A6000A .text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!OpenSCManagerW 77DD6F55 6 Bytes JMP 7106000A .text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 5 Bytes JMP 10023A40 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!OpenSCManagerA 77DE69AE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!OpenSCManagerA + 4 77DE69B2 2 Bytes [08, 71] .text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!LookupPrivilegeValueW 77DEB8DF 6 Bytes JMP 70D0000A .text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!RegCreateKeyW 77DEBA55 6 Bytes JMP 713C000A .text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!RegQueryValueA 77DEBB8D 6 Bytes JMP 7127000A .text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 6 Bytes JMP 713F000A .text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!LookupPrivilegeValueA 77DEC238 6 Bytes JMP 70D3000A .text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 5 Bytes JMP 10024370 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!LsaRemoveAccountRights 77E0AC91 6 Bytes JMP 71A7000A .text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!CreateServiceA 77E27211 6 Bytes JMP 715A000A .text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!CreateServiceW 77E273A9 6 Bytes JMP 7157000A .text C:\WINDOWS\system32\svchost.exe[1168] RPCRT4.dll!RpcServerRegisterIfEx 77E8CD53 5 Bytes JMP 1001F040 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1168] 
USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7192000A .text C:\WINDOWS\system32\svchost.exe[1168] USER32.dll!SetWindowTextW 7E37960E 6 Bytes JMP 70A0000A .text C:\WINDOWS\system32\svchost.exe[1168] USER32.dll!GetKeyState 7E379ED9 6 Bytes JMP 716C000A .text C:\WINDOWS\system32\svchost.exe[1168] USER32.dll!GetWindowTextW 7E37A5CD 6 Bytes JMP 7100000A .text C:\WINDOWS\system32\svchost.exe[1168] USER32.dll!GetAsyncKeyState 7E37A78F 6 Bytes JMP 7169000A .text C:\WINDOWS\system32\svchost.exe[1168] USER32.dll!ShowWindow 7E37AF56 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1168] USER32.dll!ShowWindow + 4 7E37AF5A 2 Bytes [FC, 70] .text C:\WINDOWS\system32\svchost.exe[1168] USER32.dll!CreateWindowExW 7E37D0A3 6 Bytes JMP 70B2000A .text C:\WINDOWS\system32\svchost.exe[1168] USER32.dll!GetKeyboardState 7E37D226 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1168] USER32.dll!GetKeyboardState + 4 7E37D22A 2 Bytes [65, 71] .text C:\WINDOWS\system32\svchost.exe[1168] USER32.dll!DrawTextW 7E37D7E2 6 Bytes JMP 70B8000A .text C:\WINDOWS\system32\svchost.exe[1168] USER32.dll!CreateWindowExA 7E37E4A9 6 Bytes JMP 70B5000A .text C:\WINDOWS\system32\svchost.exe[1168] USER32.dll!SetWindowTextA 7E37F56B 6 Bytes JMP 70A3000A .text C:\WINDOWS\system32\svchost.exe[1168] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7195000A .text C:\WINDOWS\system32\svchost.exe[1168] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7154000A .text C:\WINDOWS\system32\svchost.exe[1168] USER32.dll!GetWindowTextA 7E38216B 6 Bytes JMP 7103000A .text C:\WINDOWS\system32\svchost.exe[1168] USER32.dll!DrawTextA 7E38C702 6 Bytes JMP 70BB000A .text C:\WINDOWS\system32\svchost.exe[1168] USER32.dll!DdeConnect 7E3A81C3 6 Bytes JMP 7163000A .text C:\WINDOWS\system32\svchost.exe[1168] USER32.dll!EndTask 7E3AA0A5 6 Bytes JMP 7178000A .text C:\WINDOWS\system32\svchost.exe[1168] USER32.dll!RegisterRawInputDevices 7E3BCE0E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1168] 
USER32.dll!RegisterRawInputDevices + 4 7E3BCE12 2 Bytes [50, 71] .text C:\WINDOWS\system32\svchost.exe[1168] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028BA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1168] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028970 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1168] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029CA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1168] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029BA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1168] SHELL32.dll!ShellExecuteExW 7CA098CB 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\svchost.exe[1168] SHELL32.dll!Shell_NotifyIcon 7CA28BC6 6 Bytes JMP 70EB000A .text C:\WINDOWS\system32\svchost.exe[1168] SHELL32.dll!Shell_NotifyIconW 7CA2A537 6 Bytes JMP 70E8000A .text C:\WINDOWS\system32\svchost.exe[1168] SHELL32.dll!ShellExecuteEx 7CA40E45 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\svchost.exe[1168] SHELL32.dll!ShellExecuteA 7CA41170 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[1168] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[1216] ntdll.dll!NtClose 7C90CFEE 2 Bytes JMP 1001D060 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1216] ntdll.dll!NtClose + 3 7C90CFF1 2 Bytes [71, 93] {JNO 0xffffffffffffff95} .text C:\WINDOWS\system32\svchost.exe[1216] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1216] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [5C, 71] .text C:\WINDOWS\system32\svchost.exe[1216] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BB20 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1216] 
ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B800 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1216] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1216] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\svchost.exe[1216] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10027DD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1216] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001D180 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!DeviceIoControl 7C801629 6 Bytes JMP 70E5000A .text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 7118000A .text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!VirtualProtectEx 7C801A61 6 Bytes JMP 7160000A .text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 710C000A .text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AB0001 .text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 719B000A .text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 71A1000A .text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 719E000A .text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10024F10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025AA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!VirtualAlloc 7C809AF1 6 Bytes JMP 710F000A .text C:\WINDOWS\system32\svchost.exe[1216] 
kernel32.dll!MultiByteToWideChar 7C809C98 6 Bytes JMP 70BE000A .text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 70FA000A .text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!WideCharToMultiByte 7C80A174 6 Bytes JMP 709D000A .text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 714E000A .text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 7198000A .text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!CreateMutexW 7C80E957 6 Bytes JMP 70C7000A .text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!CreateMutexA 7C80E9DF 6 Bytes JMP 70CA000A .text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!OpenMutexW 7C80EA35 6 Bytes JMP 70C1000A .text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!OpenMutexA 7C80EABB 6 Bytes JMP 70C4000A .text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!GetVolumeInformationW 7C80FA85 6 Bytes JMP 7148000A .text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [AD, 71] .text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 7112000A .text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 711B000A .text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!WriteFile 7C810E27 6 Bytes JMP 70DC000A .text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 7172000A .text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!MoveFileW 7C821261 6 Bytes JMP 7097000A .text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!CreateDirectoryA 7C8217AC 6 Bytes JMP 70E2000A .text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 714B000A .text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!CopyFileExW 7C827B32 6 Bytes JMP 70EE000A 
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!CopyFileA 7C8286EE 6 Bytes JMP 70F7000A .text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!CopyFileW 7C82F87B 6 Bytes JMP 70F4000A .text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!OpenProcess 7C8309E9 6 Bytes JMP 708E000A .text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!DeleteFileA 7C831EDD 6 Bytes JMP 70AF000A .text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!DeleteFileW 7C831F63 6 Bytes JMP 70AC000A .text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!CreateDirectoryW 7C832402 6 Bytes JMP 70DF000A .text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!MoveFileExW 7C83568B 6 Bytes JMP 7091000A .text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!MoveFileA 7C835EBF 6 Bytes JMP 709A000A .text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 716F000A .text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!MoveFileExA 7C85E49B 6 Bytes JMP 7094000A .text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!CopyFileExA 7C85F39C 6 Bytes JMP 70F1000A .text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!SetThreadContext 7C863C09 6 Bytes JMP 70D9000A .text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 7115000A .text C:\WINDOWS\system32\svchost.exe[1216] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 6 Bytes JMP 7130000A .text C:\WINDOWS\system32\svchost.exe[1216] ADVAPI32.dll!RegQueryValueExW 77DC6FFF 6 Bytes JMP 711E000A .text C:\WINDOWS\system32\svchost.exe[1216] ADVAPI32.dll!RegCreateKeyExW 77DC776C 6 Bytes JMP 7142000A .text C:\WINDOWS\system32\svchost.exe[1216] ADVAPI32.dll!RegOpenKeyExA 77DC7852 6 Bytes JMP 7133000A .text C:\WINDOWS\system32\svchost.exe[1216] ADVAPI32.dll!RegOpenKeyW 77DC7946 6 Bytes JMP 7136000A .text C:\WINDOWS\system32\svchost.exe[1216] ADVAPI32.dll!OpenProcessToken 77DC798B 6 
Bytes JMP 70D6000A .text C:\WINDOWS\system32\svchost.exe[1216] ADVAPI32.dll!RegQueryValueExA 77DC7ABB 6 Bytes JMP 7121000A .text C:\WINDOWS\system32\svchost.exe[1216] ADVAPI32.dll!RegSetValueExW 77DCD767 6 Bytes JMP 712A000A .text C:\WINDOWS\system32\svchost.exe[1216] ADVAPI32.dll!RegQueryValueW 77DCD87A 6 Bytes JMP 7124000A .text C:\WINDOWS\system32\svchost.exe[1216] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 6 Bytes JMP 7145000A .text C:\WINDOWS\system32\svchost.exe[1216] ADVAPI32.dll!RegSetValueExA 77DCEAE7 6 Bytes JMP 712D000A .text C:\WINDOWS\system32\svchost.exe[1216] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 6 Bytes JMP 7139000A .text C:\WINDOWS\system32\svchost.exe[1216] ADVAPI32.dll!AdjustTokenPrivileges 77DCF00C 6 Bytes JMP 70CD000A .text C:\WINDOWS\system32\svchost.exe[1216] ADVAPI32.dll!RegDeleteKeyA 77DD42A0 6 Bytes JMP 70A9000A .text C:\WINDOWS\system32\svchost.exe[1216] ADVAPI32.dll!RegDeleteKeyW 77DD559B 6 Bytes JMP 70A6000A .text C:\WINDOWS\system32\svchost.exe[1216] ADVAPI32.dll!OpenSCManagerW 77DD6F55 6 Bytes JMP 7106000A .text C:\WINDOWS\system32\svchost.exe[1216] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 5 Bytes JMP 10023A40 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1216] ADVAPI32.dll!OpenSCManagerA 77DE69AE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1216] ADVAPI32.dll!OpenSCManagerA + 4 77DE69B2 2 Bytes [08, 71] .text C:\WINDOWS\system32\svchost.exe[1216] ADVAPI32.dll!LookupPrivilegeValueW 77DEB8DF 6 Bytes JMP 70D0000A .text C:\WINDOWS\system32\svchost.exe[1216] ADVAPI32.dll!RegCreateKeyW 77DEBA55 6 Bytes JMP 713C000A .text C:\WINDOWS\system32\svchost.exe[1216] ADVAPI32.dll!RegQueryValueA 77DEBB8D 6 Bytes JMP 7127000A .text C:\WINDOWS\system32\svchost.exe[1216] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 6 Bytes JMP 713F000A .text C:\WINDOWS\system32\svchost.exe[1216] ADVAPI32.dll!LookupPrivilegeValueA 77DEC238 6 Bytes JMP 70D3000A .text C:\WINDOWS\system32\svchost.exe[1216] 
ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 5 Bytes JMP 10024370 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1216] ADVAPI32.dll!LsaRemoveAccountRights 77E0AC91 6 Bytes JMP 71A7000A .text C:\WINDOWS\system32\svchost.exe[1216] ADVAPI32.dll!CreateServiceA 77E27211 6 Bytes JMP 715A000A .text C:\WINDOWS\system32\svchost.exe[1216] ADVAPI32.dll!CreateServiceW 77E273A9 6 Bytes JMP 7157000A .text C:\WINDOWS\system32\svchost.exe[1216] RPCRT4.dll!RpcServerRegisterIfEx 77E8CD53 5 Bytes JMP 1001F040 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1216] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7192000A .text C:\WINDOWS\system32\svchost.exe[1216] USER32.dll!SetWindowTextW 7E37960E 6 Bytes JMP 70A0000A .text C:\WINDOWS\system32\svchost.exe[1216] USER32.dll!GetKeyState 7E379ED9 6 Bytes JMP 716C000A .text C:\WINDOWS\system32\svchost.exe[1216] USER32.dll!GetWindowTextW 7E37A5CD 6 Bytes JMP 7100000A .text C:\WINDOWS\system32\svchost.exe[1216] USER32.dll!GetAsyncKeyState 7E37A78F 6 Bytes JMP 7169000A .text C:\WINDOWS\system32\svchost.exe[1216] USER32.dll!ShowWindow 7E37AF56 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1216] USER32.dll!ShowWindow + 4 7E37AF5A 2 Bytes [FC, 70] .text C:\WINDOWS\system32\svchost.exe[1216] USER32.dll!CreateWindowExW 7E37D0A3 6 Bytes JMP 70B2000A .text C:\WINDOWS\system32\svchost.exe[1216] USER32.dll!GetKeyboardState 7E37D226 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1216] USER32.dll!GetKeyboardState + 4 7E37D22A 2 Bytes [65, 71] .text C:\WINDOWS\system32\svchost.exe[1216] USER32.dll!DrawTextW 7E37D7E2 6 Bytes JMP 70B8000A .text C:\WINDOWS\system32\svchost.exe[1216] USER32.dll!CreateWindowExA 7E37E4A9 6 Bytes JMP 70B5000A .text C:\WINDOWS\system32\svchost.exe[1216] USER32.dll!SetWindowTextA 7E37F56B 6 Bytes JMP 70A3000A .text C:\WINDOWS\system32\svchost.exe[1216] USER32.dll!SetWindowsHookExA 7E381211 6 
Bytes JMP 7195000A .text C:\WINDOWS\system32\svchost.exe[1216] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7154000A .text C:\WINDOWS\system32\svchost.exe[1216] USER32.dll!GetWindowTextA 7E38216B 6 Bytes JMP 7103000A .text C:\WINDOWS\system32\svchost.exe[1216] USER32.dll!DrawTextA 7E38C702 6 Bytes JMP 70BB000A .text C:\WINDOWS\system32\svchost.exe[1216] USER32.dll!DdeConnect 7E3A81C3 6 Bytes JMP 7163000A .text C:\WINDOWS\system32\svchost.exe[1216] USER32.dll!EndTask 7E3AA0A5 6 Bytes JMP 7178000A .text C:\WINDOWS\system32\svchost.exe[1216] USER32.dll!RegisterRawInputDevices 7E3BCE0E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1216] USER32.dll!RegisterRawInputDevices + 4 7E3BCE12 2 Bytes [50, 71] .text C:\WINDOWS\system32\svchost.exe[1216] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028BA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1216] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028970 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1216] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029CA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1216] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029BA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1216] SHELL32.dll!ShellExecuteExW 7CA098CB 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\svchost.exe[1216] SHELL32.dll!Shell_NotifyIcon 7CA28BC6 6 Bytes JMP 70EB000A .text C:\WINDOWS\system32\svchost.exe[1216] SHELL32.dll!Shell_NotifyIconW 7CA2A537 6 Bytes JMP 70E8000A .text C:\WINDOWS\system32\svchost.exe[1216] SHELL32.dll!ShellExecuteEx 7CA40E45 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\svchost.exe[1216] SHELL32.dll!ShellExecuteA 7CA41170 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[1216] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 7184000A .text 
C:\WINDOWS\system32\svchost.exe[1216] rpcss.dll!WhichService 76A64234 8 Bytes JMP ED301001 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1248] ntdll.dll!NtAllocateVirtualMemory 7C90CF6E 5 Bytes JMP 00526240 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe (COMODO Internet Security/COMODO) .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1248] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 0053F8A0 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\svchost.exe[1272] ntdll.dll!NtClose 7C90CFEE 2 Bytes JMP 1001D060 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\svchost.exe[1272] ntdll.dll!NtClose + 3 7C90CFF1 2 Bytes [71, 93] {JNO 0xffffffffffffff95} .text C:\WINDOWS\System32\svchost.exe[1272] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\svchost.exe[1272] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [5B, 71] .text C:\WINDOWS\System32\svchost.exe[1272] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BB20 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\svchost.exe[1272] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B800 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\svchost.exe[1272] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\svchost.exe[1272] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [73, 71] {JAE 0x73} .text C:\WINDOWS\System32\svchost.exe[1272] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10027DD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\svchost.exe[1272] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001D180 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\svchost.exe[1272] kernel32.dll!DeviceIoControl 7C801629 6 Bytes JMP 
70E4000A .text C:\WINDOWS\System32\svchost.exe[1272] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 7117000A .text C:\WINDOWS\System32\svchost.exe[1272] kernel32.dll!VirtualProtectEx 7C801A61 6 Bytes JMP 715F000A .text C:\WINDOWS\System32\svchost.exe[1272] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 710B000A .text C:\WINDOWS\System32\svchost.exe[1272] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AB0001 .text C:\WINDOWS\System32\svchost.exe[1272] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 719A000A .text C:\WINDOWS\System32\svchost.exe[1272] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 71A0000A .text C:\WINDOWS\System32\svchost.exe[1272] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 719D000A .text C:\WINDOWS\System32\svchost.exe[1272] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10024F10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\svchost.exe[1272] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025AA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\svchost.exe[1272] kernel32.dll!VirtualAlloc 7C809AF1 6 Bytes JMP 710E000A .text C:\WINDOWS\System32\svchost.exe[1272] kernel32.dll!MultiByteToWideChar 7C809C98 6 Bytes JMP 70BD000A .text C:\WINDOWS\System32\svchost.exe[1272] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 70F9000A .text C:\WINDOWS\System32\svchost.exe[1272] kernel32.dll!WideCharToMultiByte 7C80A174 6 Bytes JMP 709C000A .text C:\WINDOWS\System32\svchost.exe[1272] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 714D000A .text C:\WINDOWS\System32\svchost.exe[1272] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 7197000A .text C:\WINDOWS\System32\svchost.exe[1272] kernel32.dll!CreateMutexW 7C80E957 6 Bytes JMP 70C6000A .text C:\WINDOWS\System32\svchost.exe[1272] kernel32.dll!CreateMutexA 7C80E9DF 6 Bytes JMP 70C9000A .text C:\WINDOWS\System32\svchost.exe[1272] kernel32.dll!OpenMutexW 7C80EA35 6 Bytes JMP 70C0000A .text 
C:\WINDOWS\System32\svchost.exe[1272] kernel32.dll!OpenMutexA 7C80EABB 6 Bytes JMP 70C3000A .text C:\WINDOWS\System32\svchost.exe[1272] kernel32.dll!GetVolumeInformationW 7C80FA85 6 Bytes JMP 7147000A .text C:\WINDOWS\System32\svchost.exe[1272] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\svchost.exe[1272] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [AD, 71] .text C:\WINDOWS\System32\svchost.exe[1272] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 7111000A .text C:\WINDOWS\System32\svchost.exe[1272] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 711A000A .text C:\WINDOWS\System32\svchost.exe[1272] kernel32.dll!WriteFile 7C810E27 6 Bytes JMP 70DB000A .text C:\WINDOWS\System32\svchost.exe[1272] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 7171000A .text C:\WINDOWS\System32\svchost.exe[1272] kernel32.dll!MoveFileW 7C821261 6 Bytes JMP 7096000A .text C:\WINDOWS\System32\svchost.exe[1272] kernel32.dll!CreateDirectoryA 7C8217AC 6 Bytes JMP 70E1000A .text C:\WINDOWS\System32\svchost.exe[1272] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 714A000A .text C:\WINDOWS\System32\svchost.exe[1272] kernel32.dll!CopyFileExW 7C827B32 6 Bytes JMP 70ED000A .text C:\WINDOWS\System32\svchost.exe[1272] kernel32.dll!CopyFileA 7C8286EE 6 Bytes JMP 70F6000A .text C:\WINDOWS\System32\svchost.exe[1272] kernel32.dll!CopyFileW 7C82F87B 6 Bytes JMP 70F3000A .text C:\WINDOWS\System32\svchost.exe[1272] kernel32.dll!OpenProcess 7C8309E9 6 Bytes JMP 708D000A .text C:\WINDOWS\System32\svchost.exe[1272] kernel32.dll!DeleteFileA 7C831EDD 6 Bytes JMP 70AE000A .text C:\WINDOWS\System32\svchost.exe[1272] kernel32.dll!DeleteFileW 7C831F63 6 Bytes JMP 70AB000A .text C:\WINDOWS\System32\svchost.exe[1272] kernel32.dll!CreateDirectoryW 7C832402 6 Bytes JMP 70DE000A .text C:\WINDOWS\System32\svchost.exe[1272] kernel32.dll!MoveFileExW 7C83568B 6 Bytes JMP 7090000A .text C:\WINDOWS\System32\svchost.exe[1272] kernel32.dll!MoveFileA 7C835EBF 6 Bytes 
JMP 7099000A .text C:\WINDOWS\System32\svchost.exe[1272] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 716E000A .text C:\WINDOWS\System32\svchost.exe[1272] kernel32.dll!MoveFileExA 7C85E49B 6 Bytes JMP 7093000A .text C:\WINDOWS\System32\svchost.exe[1272] kernel32.dll!CopyFileExA 7C85F39C 6 Bytes JMP 70F0000A .text C:\WINDOWS\System32\svchost.exe[1272] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 717A000A .text C:\WINDOWS\System32\svchost.exe[1272] kernel32.dll!SetThreadContext 7C863C09 6 Bytes JMP 70D8000A .text C:\WINDOWS\System32\svchost.exe[1272] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 7114000A .text C:\WINDOWS\System32\svchost.exe[1272] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 6 Bytes JMP 712F000A .text C:\WINDOWS\System32\svchost.exe[1272] ADVAPI32.dll!RegQueryValueExW 77DC6FFF 6 Bytes JMP 711D000A .text C:\WINDOWS\System32\svchost.exe[1272] ADVAPI32.dll!RegCreateKeyExW 77DC776C 6 Bytes JMP 7141000A .text C:\WINDOWS\System32\svchost.exe[1272] ADVAPI32.dll!RegOpenKeyExA 77DC7852 6 Bytes JMP 7132000A .text C:\WINDOWS\System32\svchost.exe[1272] ADVAPI32.dll!RegOpenKeyW 77DC7946 6 Bytes JMP 7135000A .text C:\WINDOWS\System32\svchost.exe[1272] ADVAPI32.dll!OpenProcessToken 77DC798B 6 Bytes JMP 70D5000A .text C:\WINDOWS\System32\svchost.exe[1272] ADVAPI32.dll!RegQueryValueExA 77DC7ABB 6 Bytes JMP 7120000A .text C:\WINDOWS\System32\svchost.exe[1272] ADVAPI32.dll!RegSetValueExW 77DCD767 6 Bytes JMP 7129000A .text C:\WINDOWS\System32\svchost.exe[1272] ADVAPI32.dll!RegQueryValueW 77DCD87A 6 Bytes JMP 7123000A .text C:\WINDOWS\System32\svchost.exe[1272] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 6 Bytes JMP 7144000A .text C:\WINDOWS\System32\svchost.exe[1272] ADVAPI32.dll!RegSetValueExA 77DCEAE7 6 Bytes JMP 712C000A .text C:\WINDOWS\System32\svchost.exe[1272] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 6 Bytes JMP 7138000A .text C:\WINDOWS\System32\svchost.exe[1272] ADVAPI32.dll!AdjustTokenPrivileges 77DCF00C 6 Bytes JMP 70CC000A .text 
C:\WINDOWS\System32\svchost.exe[1272] ADVAPI32.dll!RegDeleteKeyA 77DD42A0 6 Bytes JMP 70A8000A .text C:\WINDOWS\System32\svchost.exe[1272] ADVAPI32.dll!RegDeleteKeyW 77DD559B 6 Bytes JMP 70A5000A .text C:\WINDOWS\System32\svchost.exe[1272] ADVAPI32.dll!OpenSCManagerW 77DD6F55 6 Bytes JMP 7105000A .text C:\WINDOWS\System32\svchost.exe[1272] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 5 Bytes JMP 10023A40 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\svchost.exe[1272] ADVAPI32.dll!OpenSCManagerA 77DE69AE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\svchost.exe[1272] ADVAPI32.dll!OpenSCManagerA + 4 77DE69B2 2 Bytes [07, 71] .text C:\WINDOWS\System32\svchost.exe[1272] ADVAPI32.dll!LookupPrivilegeValueW 77DEB8DF 6 Bytes JMP 70CF000A .text C:\WINDOWS\System32\svchost.exe[1272] ADVAPI32.dll!RegCreateKeyW 77DEBA55 6 Bytes JMP 713B000A .text C:\WINDOWS\System32\svchost.exe[1272] ADVAPI32.dll!RegQueryValueA 77DEBB8D 6 Bytes JMP 7126000A .text C:\WINDOWS\System32\svchost.exe[1272] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 6 Bytes JMP 713E000A .text C:\WINDOWS\System32\svchost.exe[1272] ADVAPI32.dll!LookupPrivilegeValueA 77DEC238 6 Bytes JMP 70D2000A .text C:\WINDOWS\System32\svchost.exe[1272] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 5 Bytes JMP 10024370 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\svchost.exe[1272] ADVAPI32.dll!LsaRemoveAccountRights 77E0AC91 6 Bytes JMP 71A3000A .text C:\WINDOWS\System32\svchost.exe[1272] ADVAPI32.dll!CreateServiceA 77E27211 6 Bytes JMP 7159000A .text C:\WINDOWS\System32\svchost.exe[1272] ADVAPI32.dll!CreateServiceW 77E273A9 6 Bytes JMP 7156000A .text C:\WINDOWS\System32\svchost.exe[1272] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7191000A .text C:\WINDOWS\System32\svchost.exe[1272] USER32.dll!SetWindowTextW 7E37960E 6 Bytes JMP 709F000A .text C:\WINDOWS\System32\svchost.exe[1272] USER32.dll!GetKeyState 7E379ED9 6 Bytes JMP 716B000A .text 
C:\WINDOWS\System32\svchost.exe[1272] USER32.dll!GetWindowTextW 7E37A5CD 6 Bytes JMP 70FF000A .text C:\WINDOWS\System32\svchost.exe[1272] USER32.dll!GetAsyncKeyState 7E37A78F 6 Bytes JMP 7168000A .text C:\WINDOWS\System32\svchost.exe[1272] USER32.dll!ShowWindow 7E37AF56 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\svchost.exe[1272] USER32.dll!ShowWindow + 4 7E37AF5A 2 Bytes [FB, 70] .text C:\WINDOWS\System32\svchost.exe[1272] USER32.dll!CreateWindowExW 7E37D0A3 6 Bytes JMP 70B1000A .text C:\WINDOWS\System32\svchost.exe[1272] USER32.dll!GetKeyboardState 7E37D226 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\svchost.exe[1272] USER32.dll!GetKeyboardState + 4 7E37D22A 2 Bytes [64, 71] .text C:\WINDOWS\System32\svchost.exe[1272] USER32.dll!DrawTextW 7E37D7E2 6 Bytes JMP 70B7000A .text C:\WINDOWS\System32\svchost.exe[1272] USER32.dll!CreateWindowExA 7E37E4A9 6 Bytes JMP 70B4000A .text C:\WINDOWS\System32\svchost.exe[1272] USER32.dll!SetWindowTextA 7E37F56B 6 Bytes JMP 70A2000A .text C:\WINDOWS\System32\svchost.exe[1272] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7194000A .text C:\WINDOWS\System32\svchost.exe[1272] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7153000A .text C:\WINDOWS\System32\svchost.exe[1272] USER32.dll!GetWindowTextA 7E38216B 6 Bytes JMP 7102000A .text C:\WINDOWS\System32\svchost.exe[1272] USER32.dll!DrawTextA 7E38C702 6 Bytes JMP 70BA000A .text C:\WINDOWS\System32\svchost.exe[1272] USER32.dll!DdeConnect 7E3A81C3 6 Bytes JMP 7162000A .text C:\WINDOWS\System32\svchost.exe[1272] USER32.dll!EndTask 7E3AA0A5 6 Bytes JMP 7177000A .text C:\WINDOWS\System32\svchost.exe[1272] USER32.dll!RegisterRawInputDevices 7E3BCE0E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\svchost.exe[1272] USER32.dll!RegisterRawInputDevices + 4 7E3BCE12 2 Bytes [4F, 71] .text C:\WINDOWS\System32\svchost.exe[1272] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028BA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\svchost.exe[1272] 
GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028970 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\svchost.exe[1272] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029CA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\svchost.exe[1272] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029BA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\svchost.exe[1272] SHELL32.dll!ShellExecuteExW 7CA098CB 6 Bytes JMP 717D000A .text C:\WINDOWS\System32\svchost.exe[1272] SHELL32.dll!Shell_NotifyIcon 7CA28BC6 6 Bytes JMP 70EA000A .text C:\WINDOWS\System32\svchost.exe[1272] SHELL32.dll!Shell_NotifyIconW 7CA2A537 6 Bytes JMP 70E7000A .text C:\WINDOWS\System32\svchost.exe[1272] SHELL32.dll!ShellExecuteEx 7CA40E45 6 Bytes JMP 7180000A .text C:\WINDOWS\System32\svchost.exe[1272] SHELL32.dll!ShellExecuteA 7CA41170 6 Bytes JMP 7186000A .text C:\WINDOWS\System32\svchost.exe[1272] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 7183000A .text C:\WINDOWS\system32\svchost.exe[1296] ntdll.dll!NtClose 7C90CFEE 2 Bytes JMP 1001D060 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1296] ntdll.dll!NtClose + 3 7C90CFF1 2 Bytes [71, 93] {JNO 0xffffffffffffff95} .text C:\WINDOWS\system32\svchost.exe[1296] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1296] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [51, 71] .text C:\WINDOWS\system32\svchost.exe[1296] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BB20 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1296] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B800 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1296] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E] .text 
C:\WINDOWS\system32\svchost.exe[1296] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [69, 71] .text C:\WINDOWS\system32\svchost.exe[1296] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10027DD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1296] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001D180 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!DeviceIoControl 7C801629 6 Bytes JMP 70D9000A .text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 710D000A .text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!VirtualProtectEx 7C801A61 6 Bytes JMP 7155000A .text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 7101000A .text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71A90001 .text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10024F10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025AA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!VirtualAlloc 7C809AF1 6 Bytes JMP 7104000A .text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!MultiByteToWideChar 7C809C98 6 Bytes JMP 70AC000A .text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 70EF000A .text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!WideCharToMultiByte 7C80A174 6 Bytes JMP 708B000A 
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 7143000A .text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CreateMutexW 7C80E957 6 Bytes JMP 70B5000A .text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CreateMutexA 7C80E9DF 6 Bytes JMP 70B8000A .text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!OpenMutexW 7C80EA35 6 Bytes JMP 70AF000A .text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!OpenMutexA 7C80EABB 6 Bytes JMP 70B2000A .text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!GetVolumeInformationW 7C80FA85 6 Bytes JMP 713D000A .text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [AB, 71] .text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 7107000A .text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 7110000A .text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!WriteFile 7C810E27 6 Bytes JMP 70CA000A .text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 7167000A .text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!MoveFileW 7C821261 6 Bytes JMP 7085000A .text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CreateDirectoryA 7C8217AC 6 Bytes JMP 70D0000A .text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 7140000A .text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CopyFileExW 7C827B32 6 Bytes JMP 70E3000A .text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CopyFileA 7C8286EE 6 Bytes JMP 70EC000A .text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CopyFileW 7C82F87B 6 Bytes JMP 70E9000A .text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!OpenProcess 7C8309E9 
6 Bytes JMP 707C000A .text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!DeleteFileA 7C831EDD 6 Bytes JMP 709D000A .text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!DeleteFileW 7C831F63 6 Bytes JMP 709A000A .text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CreateDirectoryW 7C832402 6 Bytes JMP 70CD000A .text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!MoveFileExW 7C83568B 6 Bytes JMP 707F000A .text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!MoveFileA 7C835EBF 6 Bytes JMP 7088000A .text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 7164000A .text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!MoveFileExA 7C85E49B 6 Bytes JMP 7082000A .text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CopyFileExA 7C85F39C 6 Bytes JMP 70E6000A .text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 7173000A .text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!SetThreadContext 7C863C09 6 Bytes JMP 70C7000A .text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 710A000A .text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 6 Bytes JMP 7125000A .text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegQueryValueExW 77DC6FFF 6 Bytes JMP 7113000A .text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegCreateKeyExW 77DC776C 6 Bytes JMP 7137000A .text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegOpenKeyExA 77DC7852 6 Bytes JMP 7128000A .text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegOpenKeyW 77DC7946 6 Bytes JMP 712B000A .text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!OpenProcessToken 77DC798B 6 Bytes JMP 70C4000A .text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegQueryValueExA 77DC7ABB 6 Bytes JMP 7116000A .text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegSetValueExW 77DCD767 6 Bytes JMP 711F000A .text C:\WINDOWS\system32\svchost.exe[1296] 
ADVAPI32.dll!RegQueryValueW 77DCD87A 6 Bytes JMP 7119000A .text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 6 Bytes JMP 713A000A .text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegSetValueExA 77DCEAE7 6 Bytes JMP 7122000A .text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 6 Bytes JMP 712E000A .text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!AdjustTokenPrivileges 77DCF00C 6 Bytes JMP 70BB000A .text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegDeleteKeyA 77DD42A0 6 Bytes JMP 7097000A .text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegDeleteKeyW 77DD559B 6 Bytes JMP 7094000A .text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!OpenSCManagerW 77DD6F55 6 Bytes JMP 70FB000A .text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 5 Bytes JMP 10023A40 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!OpenSCManagerA 77DE69AE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!OpenSCManagerA + 4 77DE69B2 2 Bytes [FD, 70] .text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!LookupPrivilegeValueW 77DEB8DF 6 Bytes JMP 70BE000A .text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegCreateKeyW 77DEBA55 6 Bytes JMP 7131000A .text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegQueryValueA 77DEBB8D 6 Bytes JMP 711C000A .text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 6 Bytes JMP 7134000A .text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!LookupPrivilegeValueA 77DEC238 6 Bytes JMP 70C1000A .text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 5 Bytes JMP 10024370 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!LsaRemoveAccountRights 77E0AC91 6 Bytes JMP 719C000A .text 
C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!CreateServiceA 77E27211 6 Bytes JMP 714F000A .text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!CreateServiceW 77E273A9 6 Bytes JMP 714C000A .text C:\WINDOWS\system32\svchost.exe[1296] RPCRT4.dll!RpcServerRegisterIfEx 77E8CD53 5 Bytes JMP 1001F040 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1296] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\svchost.exe[1296] USER32.dll!SetWindowTextW 7E37960E 6 Bytes JMP 708E000A .text C:\WINDOWS\system32\svchost.exe[1296] USER32.dll!GetKeyState 7E379ED9 6 Bytes JMP 7161000A .text C:\WINDOWS\system32\svchost.exe[1296] USER32.dll!GetWindowTextW 7E37A5CD 6 Bytes JMP 70F5000A .text C:\WINDOWS\system32\svchost.exe[1296] USER32.dll!GetAsyncKeyState 7E37A78F 6 Bytes JMP 715E000A .text C:\WINDOWS\system32\svchost.exe[1296] USER32.dll!ShowWindow 7E37AF56 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1296] USER32.dll!ShowWindow + 4 7E37AF5A 2 Bytes [F1, 70] .text C:\WINDOWS\system32\svchost.exe[1296] USER32.dll!CreateWindowExW 7E37D0A3 6 Bytes JMP 70A0000A .text C:\WINDOWS\system32\svchost.exe[1296] USER32.dll!GetKeyboardState 7E37D226 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1296] USER32.dll!GetKeyboardState + 4 7E37D22A 2 Bytes [5A, 71] .text C:\WINDOWS\system32\svchost.exe[1296] USER32.dll!DrawTextW 7E37D7E2 6 Bytes JMP 70A6000A .text C:\WINDOWS\system32\svchost.exe[1296] USER32.dll!CreateWindowExA 7E37E4A9 6 Bytes JMP 70A3000A .text C:\WINDOWS\system32\svchost.exe[1296] USER32.dll!SetWindowTextA 7E37F56B 6 Bytes JMP 7091000A .text C:\WINDOWS\system32\svchost.exe[1296] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[1296] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7149000A .text C:\WINDOWS\system32\svchost.exe[1296] USER32.dll!GetWindowTextA 7E38216B 6 Bytes JMP 70F8000A .text 
C:\WINDOWS\system32\svchost.exe[1296] USER32.dll!DrawTextA 7E38C702 6 Bytes JMP 70A9000A .text C:\WINDOWS\system32\svchost.exe[1296] USER32.dll!DdeConnect 7E3A81C3 6 Bytes JMP 7158000A .text C:\WINDOWS\system32\svchost.exe[1296] USER32.dll!EndTask 7E3AA0A5 6 Bytes JMP 7170000A .text C:\WINDOWS\system32\svchost.exe[1296] USER32.dll!RegisterRawInputDevices 7E3BCE0E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1296] USER32.dll!RegisterRawInputDevices + 4 7E3BCE12 2 Bytes [45, 71] .text C:\WINDOWS\system32\svchost.exe[1296] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028BA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1296] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028970 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1296] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029CA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1296] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029BA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1296] SHELL32.dll!ShellExecuteExW 7CA098CB 6 Bytes JMP 7176000A .text C:\WINDOWS\system32\svchost.exe[1296] SHELL32.dll!Shell_NotifyIcon 7CA28BC6 6 Bytes JMP 70DF000A .text C:\WINDOWS\system32\svchost.exe[1296] SHELL32.dll!Shell_NotifyIconW 7CA2A537 6 Bytes JMP 70DC000A .text C:\WINDOWS\system32\svchost.exe[1296] SHELL32.dll!ShellExecuteEx 7CA40E45 6 Bytes JMP 7179000A .text C:\WINDOWS\system32\svchost.exe[1296] SHELL32.dll!ShellExecuteA 7CA41170 6 Bytes JMP 717F000A .text C:\WINDOWS\system32\svchost.exe[1296] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 717C000A .text C:\WINDOWS\system32\svchost.exe[1296] WININET.dll!InternetOpenUrlA 3FD1F3AC 6 Bytes JMP 70D6000A .text C:\WINDOWS\system32\svchost.exe[1296] WININET.dll!InternetOpenUrlW 3FD66D6F 6 Bytes JMP 70D3000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] 
ntdll.dll!NtClose 7C90CFEE 2 Bytes JMP 1001D060 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\nvsvc32.exe[1420] ntdll.dll!NtClose + 3 7C90CFF1 2 Bytes [71, 93] {JNO 0xffffffffffffff95} .text C:\WINDOWS\system32\nvsvc32.exe[1420] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\nvsvc32.exe[1420] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [5C, 71] .text C:\WINDOWS\system32\nvsvc32.exe[1420] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BB20 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\nvsvc32.exe[1420] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B800 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\nvsvc32.exe[1420] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\nvsvc32.exe[1420] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\nvsvc32.exe[1420] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10027DD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\nvsvc32.exe[1420] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001D180 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\nvsvc32.exe[1420] kernel32.dll!DeviceIoControl 7C801629 6 Bytes JMP 70E5000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 7118000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] kernel32.dll!VirtualProtectEx 7C801A61 6 Bytes JMP 7160000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 710C000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AB0001 .text C:\WINDOWS\system32\nvsvc32.exe[1420] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 719B000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] kernel32.dll!TerminateProcess 
7C801E1A 6 Bytes JMP 71A1000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 719E000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10024F10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\nvsvc32.exe[1420] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025AA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\nvsvc32.exe[1420] kernel32.dll!VirtualAlloc 7C809AF1 6 Bytes JMP 710F000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] kernel32.dll!MultiByteToWideChar 7C809C98 6 Bytes JMP 70BE000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 70FA000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] kernel32.dll!WideCharToMultiByte 7C80A174 6 Bytes JMP 709D000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 714E000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 7198000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] kernel32.dll!CreateMutexW 7C80E957 6 Bytes JMP 70C7000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] kernel32.dll!CreateMutexA 7C80E9DF 6 Bytes JMP 70CA000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] kernel32.dll!OpenMutexW 7C80EA35 6 Bytes JMP 70C1000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] kernel32.dll!OpenMutexA 7C80EABB 6 Bytes JMP 70C4000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] kernel32.dll!GetVolumeInformationW 7C80FA85 6 Bytes JMP 7148000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\nvsvc32.exe[1420] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [AD, 71] .text C:\WINDOWS\system32\nvsvc32.exe[1420] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 7112000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 
711B000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] kernel32.dll!WriteFile 7C810E27 6 Bytes JMP 70DC000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 7172000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] kernel32.dll!MoveFileW 7C821261 6 Bytes JMP 7097000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] kernel32.dll!CreateDirectoryA 7C8217AC 6 Bytes JMP 70E2000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 714B000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] kernel32.dll!CopyFileExW 7C827B32 6 Bytes JMP 70EE000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] kernel32.dll!CopyFileA 7C8286EE 6 Bytes JMP 70F7000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] kernel32.dll!CopyFileW 7C82F87B 6 Bytes JMP 70F4000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] kernel32.dll!OpenProcess 7C8309E9 6 Bytes JMP 708E000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] kernel32.dll!DeleteFileA 7C831EDD 6 Bytes JMP 70AF000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] kernel32.dll!DeleteFileW 7C831F63 6 Bytes JMP 70AC000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] kernel32.dll!CreateDirectoryW 7C832402 6 Bytes JMP 70DF000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] kernel32.dll!MoveFileExW 7C83568B 6 Bytes JMP 7091000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] kernel32.dll!MoveFileA 7C835EBF 6 Bytes JMP 709A000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 716F000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] kernel32.dll!MoveFileExA 7C85E49B 6 Bytes JMP 7094000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] kernel32.dll!CopyFileExA 7C85F39C 6 Bytes JMP 70F1000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] kernel32.dll!SetThreadContext 7C863C09 6 Bytes JMP 70D9000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] kernel32.dll!CreateToolhelp32Snapshot 
7C865C7F 6 Bytes JMP 7115000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7192000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] USER32.dll!SetWindowTextW 7E37960E 6 Bytes JMP 70A0000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] USER32.dll!GetKeyState 7E379ED9 6 Bytes JMP 716C000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] USER32.dll!GetWindowTextW 7E37A5CD 6 Bytes JMP 7100000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] USER32.dll!GetAsyncKeyState 7E37A78F 6 Bytes JMP 7169000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] USER32.dll!ShowWindow 7E37AF56 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\nvsvc32.exe[1420] USER32.dll!ShowWindow + 4 7E37AF5A 2 Bytes [FC, 70] .text C:\WINDOWS\system32\nvsvc32.exe[1420] USER32.dll!CreateWindowExW 7E37D0A3 6 Bytes JMP 70B2000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] USER32.dll!GetKeyboardState 7E37D226 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\nvsvc32.exe[1420] USER32.dll!GetKeyboardState + 4 7E37D22A 2 Bytes [65, 71] .text C:\WINDOWS\system32\nvsvc32.exe[1420] USER32.dll!DrawTextW 7E37D7E2 6 Bytes JMP 70B8000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] USER32.dll!CreateWindowExA 7E37E4A9 6 Bytes JMP 70B5000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] USER32.dll!SetWindowTextA 7E37F56B 6 Bytes JMP 70A3000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7195000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7154000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] USER32.dll!GetWindowTextA 7E38216B 6 Bytes JMP 7103000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] USER32.dll!DrawTextA 7E38C702 6 Bytes JMP 70BB000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] USER32.dll!DdeConnect 7E3A81C3 6 Bytes JMP 7163000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] USER32.dll!EndTask 7E3AA0A5 6 Bytes JMP 7178000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] USER32.dll!RegisterRawInputDevices 
7E3BCE0E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\nvsvc32.exe[1420] USER32.dll!RegisterRawInputDevices + 4 7E3BCE12 2 Bytes [50, 71] .text C:\WINDOWS\system32\nvsvc32.exe[1420] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028BA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\nvsvc32.exe[1420] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028970 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\nvsvc32.exe[1420] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029CA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\nvsvc32.exe[1420] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029BA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\nvsvc32.exe[1420] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 6 Bytes JMP 7130000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] ADVAPI32.dll!RegQueryValueExW 77DC6FFF 6 Bytes JMP 711E000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] ADVAPI32.dll!RegCreateKeyExW 77DC776C 6 Bytes JMP 7142000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] ADVAPI32.dll!RegOpenKeyExA 77DC7852 6 Bytes JMP 7133000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] ADVAPI32.dll!RegOpenKeyW 77DC7946 6 Bytes JMP 7136000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] ADVAPI32.dll!OpenProcessToken 77DC798B 6 Bytes JMP 70D6000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] ADVAPI32.dll!RegQueryValueExA 77DC7ABB 6 Bytes JMP 7121000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] ADVAPI32.dll!RegSetValueExW 77DCD767 6 Bytes JMP 712A000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] ADVAPI32.dll!RegQueryValueW 77DCD87A 6 Bytes JMP 7124000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 6 Bytes JMP 7145000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] ADVAPI32.dll!RegSetValueExA 77DCEAE7 6 Bytes JMP 712D000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 6 Bytes JMP 
7139000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] ADVAPI32.dll!AdjustTokenPrivileges 77DCF00C 6 Bytes JMP 70CD000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] ADVAPI32.dll!RegDeleteKeyA 77DD42A0 6 Bytes JMP 70A9000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] ADVAPI32.dll!RegDeleteKeyW 77DD559B 6 Bytes JMP 70A6000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] ADVAPI32.dll!OpenSCManagerW 77DD6F55 6 Bytes JMP 7106000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 5 Bytes JMP 10023A40 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\nvsvc32.exe[1420] ADVAPI32.dll!OpenSCManagerA 77DE69AE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\nvsvc32.exe[1420] ADVAPI32.dll!OpenSCManagerA + 4 77DE69B2 2 Bytes [08, 71] .text C:\WINDOWS\system32\nvsvc32.exe[1420] ADVAPI32.dll!LookupPrivilegeValueW 77DEB8DF 6 Bytes JMP 70D0000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] ADVAPI32.dll!RegCreateKeyW 77DEBA55 6 Bytes JMP 713C000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] ADVAPI32.dll!RegQueryValueA 77DEBB8D 6 Bytes JMP 7127000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 6 Bytes JMP 713F000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] ADVAPI32.dll!LookupPrivilegeValueA 77DEC238 6 Bytes JMP 70D3000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 5 Bytes JMP 10024370 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\nvsvc32.exe[1420] ADVAPI32.dll!LsaRemoveAccountRights 77E0AC91 6 Bytes JMP 71A7000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] ADVAPI32.dll!CreateServiceA 77E27211 6 Bytes JMP 715A000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] ADVAPI32.dll!CreateServiceW 77E273A9 6 Bytes JMP 7157000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] SHELL32.dll!ShellExecuteExW 7CA098CB 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] SHELL32.dll!Shell_NotifyIcon 7CA28BC6 6 
Bytes JMP 70EB000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] SHELL32.dll!Shell_NotifyIconW 7CA2A537 6 Bytes JMP 70E8000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] SHELL32.dll!ShellExecuteEx 7CA40E45 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] SHELL32.dll!ShellExecuteA 7CA41170 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\nvsvc32.exe[1420] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 7184000A .text C:\WINDOWS\System32\svchost.exe[1436] ntdll.dll!NtClose 7C90CFEE 2 Bytes JMP 1001D060 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\svchost.exe[1436] ntdll.dll!NtClose + 3 7C90CFF1 2 Bytes [71, 93] {JNO 0xffffffffffffff95} .text C:\WINDOWS\System32\svchost.exe[1436] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\svchost.exe[1436] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [5B, 71] .text C:\WINDOWS\System32\svchost.exe[1436] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BB20 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\svchost.exe[1436] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B800 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\svchost.exe[1436] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\svchost.exe[1436] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [73, 71] {JAE 0x73} .text C:\WINDOWS\System32\svchost.exe[1436] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10027DD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\svchost.exe[1436] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001D180 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\svchost.exe[1436] kernel32.dll!DeviceIoControl 7C801629 6 Bytes JMP 70E4000A .text C:\WINDOWS\System32\svchost.exe[1436] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 7117000A .text 
C:\WINDOWS\System32\svchost.exe[1436] kernel32.dll!VirtualProtectEx 7C801A61 6 Bytes JMP 715F000A .text C:\WINDOWS\System32\svchost.exe[1436] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 710B000A .text C:\WINDOWS\System32\svchost.exe[1436] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AB0001 .text C:\WINDOWS\System32\svchost.exe[1436] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 719A000A .text C:\WINDOWS\System32\svchost.exe[1436] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 71A0000A .text C:\WINDOWS\System32\svchost.exe[1436] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 719D000A .text C:\WINDOWS\System32\svchost.exe[1436] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10024F10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\svchost.exe[1436] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025AA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\svchost.exe[1436] kernel32.dll!VirtualAlloc 7C809AF1 6 Bytes JMP 710E000A .text C:\WINDOWS\System32\svchost.exe[1436] kernel32.dll!MultiByteToWideChar 7C809C98 6 Bytes JMP 70BD000A .text C:\WINDOWS\System32\svchost.exe[1436] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 70F9000A .text C:\WINDOWS\System32\svchost.exe[1436] kernel32.dll!WideCharToMultiByte 7C80A174 6 Bytes JMP 709C000A .text C:\WINDOWS\System32\svchost.exe[1436] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 714D000A .text C:\WINDOWS\System32\svchost.exe[1436] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 7197000A .text C:\WINDOWS\System32\svchost.exe[1436] kernel32.dll!CreateMutexW 7C80E957 6 Bytes JMP 70C6000A .text C:\WINDOWS\System32\svchost.exe[1436] kernel32.dll!CreateMutexA 7C80E9DF 6 Bytes JMP 70C9000A .text C:\WINDOWS\System32\svchost.exe[1436] kernel32.dll!OpenMutexW 7C80EA35 6 Bytes JMP 70C0000A .text C:\WINDOWS\System32\svchost.exe[1436] kernel32.dll!OpenMutexA 7C80EABB 6 Bytes JMP 70C3000A .text 
C:\WINDOWS\System32\svchost.exe[1436] kernel32.dll!GetVolumeInformationW 7C80FA85 6 Bytes JMP 7147000A .text C:\WINDOWS\System32\svchost.exe[1436] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\svchost.exe[1436] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [AD, 71] .text C:\WINDOWS\System32\svchost.exe[1436] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 7111000A .text C:\WINDOWS\System32\svchost.exe[1436] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 711A000A .text C:\WINDOWS\System32\svchost.exe[1436] kernel32.dll!WriteFile 7C810E27 6 Bytes JMP 70DB000A .text C:\WINDOWS\System32\svchost.exe[1436] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 7171000A .text C:\WINDOWS\System32\svchost.exe[1436] kernel32.dll!MoveFileW 7C821261 6 Bytes JMP 7096000A .text C:\WINDOWS\System32\svchost.exe[1436] kernel32.dll!CreateDirectoryA 7C8217AC 6 Bytes JMP 70E1000A .text C:\WINDOWS\System32\svchost.exe[1436] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 714A000A .text C:\WINDOWS\System32\svchost.exe[1436] kernel32.dll!CopyFileExW 7C827B32 6 Bytes JMP 70ED000A .text C:\WINDOWS\System32\svchost.exe[1436] kernel32.dll!CopyFileA 7C8286EE 6 Bytes JMP 70F6000A .text C:\WINDOWS\System32\svchost.exe[1436] kernel32.dll!CopyFileW 7C82F87B 6 Bytes JMP 70F3000A .text C:\WINDOWS\System32\svchost.exe[1436] kernel32.dll!OpenProcess 7C8309E9 6 Bytes JMP 708D000A .text C:\WINDOWS\System32\svchost.exe[1436] kernel32.dll!DeleteFileA 7C831EDD 6 Bytes JMP 70AE000A .text C:\WINDOWS\System32\svchost.exe[1436] kernel32.dll!DeleteFileW 7C831F63 6 Bytes JMP 70AB000A .text C:\WINDOWS\System32\svchost.exe[1436] kernel32.dll!CreateDirectoryW 7C832402 6 Bytes JMP 70DE000A .text C:\WINDOWS\System32\svchost.exe[1436] kernel32.dll!MoveFileExW 7C83568B 6 Bytes JMP 7090000A .text C:\WINDOWS\System32\svchost.exe[1436] kernel32.dll!MoveFileA 7C835EBF 6 Bytes JMP 7099000A .text C:\WINDOWS\System32\svchost.exe[1436] kernel32.dll!DebugActiveProcess 7C85B0FB 
6 Bytes JMP 716E000A .text C:\WINDOWS\System32\svchost.exe[1436] kernel32.dll!MoveFileExA 7C85E49B 6 Bytes JMP 7093000A .text C:\WINDOWS\System32\svchost.exe[1436] kernel32.dll!CopyFileExA 7C85F39C 6 Bytes JMP 70F0000A .text C:\WINDOWS\System32\svchost.exe[1436] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 717A000A .text C:\WINDOWS\System32\svchost.exe[1436] kernel32.dll!SetThreadContext 7C863C09 6 Bytes JMP 70D8000A .text C:\WINDOWS\System32\svchost.exe[1436] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 7114000A .text C:\WINDOWS\System32\svchost.exe[1436] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 6 Bytes JMP 712F000A .text C:\WINDOWS\System32\svchost.exe[1436] ADVAPI32.dll!RegQueryValueExW 77DC6FFF 6 Bytes JMP 711D000A .text C:\WINDOWS\System32\svchost.exe[1436] ADVAPI32.dll!RegCreateKeyExW 77DC776C 6 Bytes JMP 7141000A .text C:\WINDOWS\System32\svchost.exe[1436] ADVAPI32.dll!RegOpenKeyExA 77DC7852 6 Bytes JMP 7132000A .text C:\WINDOWS\System32\svchost.exe[1436] ADVAPI32.dll!RegOpenKeyW 77DC7946 6 Bytes JMP 7135000A .text C:\WINDOWS\System32\svchost.exe[1436] ADVAPI32.dll!OpenProcessToken 77DC798B 6 Bytes JMP 70D5000A .text C:\WINDOWS\System32\svchost.exe[1436] ADVAPI32.dll!RegQueryValueExA 77DC7ABB 6 Bytes JMP 7120000A .text C:\WINDOWS\System32\svchost.exe[1436] ADVAPI32.dll!RegSetValueExW 77DCD767 6 Bytes JMP 7129000A .text C:\WINDOWS\System32\svchost.exe[1436] ADVAPI32.dll!RegQueryValueW 77DCD87A 6 Bytes JMP 7123000A .text C:\WINDOWS\System32\svchost.exe[1436] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 6 Bytes JMP 7144000A .text C:\WINDOWS\System32\svchost.exe[1436] ADVAPI32.dll!RegSetValueExA 77DCEAE7 6 Bytes JMP 712C000A .text C:\WINDOWS\System32\svchost.exe[1436] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 6 Bytes JMP 7138000A .text C:\WINDOWS\System32\svchost.exe[1436] ADVAPI32.dll!AdjustTokenPrivileges 77DCF00C 6 Bytes JMP 70CC000A .text C:\WINDOWS\System32\svchost.exe[1436] ADVAPI32.dll!RegDeleteKeyA 77DD42A0 6 Bytes JMP 70A8000A .text 
C:\WINDOWS\System32\svchost.exe[1436] ADVAPI32.dll!RegDeleteKeyW 77DD559B 6 Bytes JMP 70A5000A .text C:\WINDOWS\System32\svchost.exe[1436] ADVAPI32.dll!OpenSCManagerW 77DD6F55 6 Bytes JMP 7105000A .text C:\WINDOWS\System32\svchost.exe[1436] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 5 Bytes JMP 10023A40 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\svchost.exe[1436] ADVAPI32.dll!OpenSCManagerA 77DE69AE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\svchost.exe[1436] ADVAPI32.dll!OpenSCManagerA + 4 77DE69B2 2 Bytes [07, 71] .text C:\WINDOWS\System32\svchost.exe[1436] ADVAPI32.dll!LookupPrivilegeValueW 77DEB8DF 6 Bytes JMP 70CF000A .text C:\WINDOWS\System32\svchost.exe[1436] ADVAPI32.dll!RegCreateKeyW 77DEBA55 6 Bytes JMP 713B000A .text C:\WINDOWS\System32\svchost.exe[1436] ADVAPI32.dll!RegQueryValueA 77DEBB8D 6 Bytes JMP 7126000A .text C:\WINDOWS\System32\svchost.exe[1436] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 6 Bytes JMP 713E000A .text C:\WINDOWS\System32\svchost.exe[1436] ADVAPI32.dll!LookupPrivilegeValueA 77DEC238 6 Bytes JMP 70D2000A .text C:\WINDOWS\System32\svchost.exe[1436] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 5 Bytes JMP 10024370 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\svchost.exe[1436] ADVAPI32.dll!LsaRemoveAccountRights 77E0AC91 6 Bytes JMP 71A3000A .text C:\WINDOWS\System32\svchost.exe[1436] ADVAPI32.dll!CreateServiceA 77E27211 6 Bytes JMP 7159000A .text C:\WINDOWS\System32\svchost.exe[1436] ADVAPI32.dll!CreateServiceW 77E273A9 6 Bytes JMP 7156000A .text C:\WINDOWS\System32\svchost.exe[1436] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7191000A .text C:\WINDOWS\System32\svchost.exe[1436] USER32.dll!SetWindowTextW 7E37960E 6 Bytes JMP 709F000A .text C:\WINDOWS\System32\svchost.exe[1436] USER32.dll!GetKeyState 7E379ED9 6 Bytes JMP 716B000A .text C:\WINDOWS\System32\svchost.exe[1436] USER32.dll!GetWindowTextW 7E37A5CD 6 Bytes JMP 70FF000A .text 
C:\WINDOWS\System32\svchost.exe[1436] USER32.dll!GetAsyncKeyState 7E37A78F 6 Bytes JMP 7168000A .text C:\WINDOWS\System32\svchost.exe[1436] USER32.dll!ShowWindow 7E37AF56 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\svchost.exe[1436] USER32.dll!ShowWindow + 4 7E37AF5A 2 Bytes [FB, 70] .text C:\WINDOWS\System32\svchost.exe[1436] USER32.dll!CreateWindowExW 7E37D0A3 6 Bytes JMP 70B1000A .text C:\WINDOWS\System32\svchost.exe[1436] USER32.dll!GetKeyboardState 7E37D226 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\svchost.exe[1436] USER32.dll!GetKeyboardState + 4 7E37D22A 2 Bytes [64, 71] .text C:\WINDOWS\System32\svchost.exe[1436] USER32.dll!DrawTextW 7E37D7E2 6 Bytes JMP 70B7000A .text C:\WINDOWS\System32\svchost.exe[1436] USER32.dll!CreateWindowExA 7E37E4A9 6 Bytes JMP 70B4000A .text C:\WINDOWS\System32\svchost.exe[1436] USER32.dll!SetWindowTextA 7E37F56B 6 Bytes JMP 70A2000A .text C:\WINDOWS\System32\svchost.exe[1436] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7194000A .text C:\WINDOWS\System32\svchost.exe[1436] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7153000A .text C:\WINDOWS\System32\svchost.exe[1436] USER32.dll!GetWindowTextA 7E38216B 6 Bytes JMP 7102000A .text C:\WINDOWS\System32\svchost.exe[1436] USER32.dll!DrawTextA 7E38C702 6 Bytes JMP 70BA000A .text C:\WINDOWS\System32\svchost.exe[1436] USER32.dll!DdeConnect 7E3A81C3 6 Bytes JMP 7162000A .text C:\WINDOWS\System32\svchost.exe[1436] USER32.dll!EndTask 7E3AA0A5 6 Bytes JMP 7177000A .text C:\WINDOWS\System32\svchost.exe[1436] USER32.dll!RegisterRawInputDevices 7E3BCE0E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\svchost.exe[1436] USER32.dll!RegisterRawInputDevices + 4 7E3BCE12 2 Bytes [4F, 71] .text C:\WINDOWS\System32\svchost.exe[1436] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028BA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\svchost.exe[1436] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028970 C:\WINDOWS\system32\guard32.dll (COMODO Internet 
Security/COMODO) .text C:\WINDOWS\System32\svchost.exe[1436] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029CA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\svchost.exe[1436] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029BA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\System32\svchost.exe[1436] SHELL32.dll!ShellExecuteExW 7CA098CB 6 Bytes JMP 717D000A .text C:\WINDOWS\System32\svchost.exe[1436] SHELL32.dll!Shell_NotifyIcon 7CA28BC6 6 Bytes JMP 70EA000A .text C:\WINDOWS\System32\svchost.exe[1436] SHELL32.dll!Shell_NotifyIconW 7CA2A537 6 Bytes JMP 70E7000A .text C:\WINDOWS\System32\svchost.exe[1436] SHELL32.dll!ShellExecuteEx 7CA40E45 6 Bytes JMP 7180000A .text C:\WINDOWS\System32\svchost.exe[1436] SHELL32.dll!ShellExecuteA 7CA41170 6 Bytes JMP 7186000A .text C:\WINDOWS\System32\svchost.exe[1436] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 7183000A .text C:\WINDOWS\RTHDCPL.EXE[1496] ntdll.dll!NtClose 7C90CFEE 2 Bytes JMP 1001D060 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\RTHDCPL.EXE[1496] ntdll.dll!NtClose + 3 7C90CFF1 2 Bytes [71, 93] {JNO 0xffffffffffffff95} .text C:\WINDOWS\RTHDCPL.EXE[1496] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[1496] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [5A, 71] .text C:\WINDOWS\RTHDCPL.EXE[1496] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BB20 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\RTHDCPL.EXE[1496] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B800 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\RTHDCPL.EXE[1496] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[1496] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [72, 71] {JB 0x73} .text C:\WINDOWS\RTHDCPL.EXE[1496] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10027DD0 
C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\RTHDCPL.EXE[1496] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001D180 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\RTHDCPL.EXE[1496] kernel32.dll!DeviceIoControl 7C801629 6 Bytes JMP 70E3000A .text C:\WINDOWS\RTHDCPL.EXE[1496] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 7116000A .text C:\WINDOWS\RTHDCPL.EXE[1496] kernel32.dll!VirtualProtectEx 7C801A61 6 Bytes JMP 715E000A .text C:\WINDOWS\RTHDCPL.EXE[1496] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 710A000A .text C:\WINDOWS\RTHDCPL.EXE[1496] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71A90001 .text C:\WINDOWS\RTHDCPL.EXE[1496] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 7199000A .text C:\WINDOWS\RTHDCPL.EXE[1496] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 719F000A .text C:\WINDOWS\RTHDCPL.EXE[1496] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 719C000A .text C:\WINDOWS\RTHDCPL.EXE[1496] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10024F10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\RTHDCPL.EXE[1496] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025AA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\RTHDCPL.EXE[1496] kernel32.dll!VirtualAlloc 7C809AF1 6 Bytes JMP 710D000A .text C:\WINDOWS\RTHDCPL.EXE[1496] kernel32.dll!MultiByteToWideChar 7C809C98 6 Bytes JMP 70BC000A .text C:\WINDOWS\RTHDCPL.EXE[1496] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 70F8000A .text C:\WINDOWS\RTHDCPL.EXE[1496] kernel32.dll!WideCharToMultiByte 7C80A174 6 Bytes JMP 709B000A .text C:\WINDOWS\RTHDCPL.EXE[1496] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 714C000A .text C:\WINDOWS\RTHDCPL.EXE[1496] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 7196000A .text C:\WINDOWS\RTHDCPL.EXE[1496] kernel32.dll!CreateMutexW 7C80E957 6 Bytes JMP 70C5000A .text C:\WINDOWS\RTHDCPL.EXE[1496] 
kernel32.dll!CreateMutexA 7C80E9DF 6 Bytes JMP 70C8000A .text C:\WINDOWS\RTHDCPL.EXE[1496] kernel32.dll!OpenMutexW 7C80EA35 6 Bytes JMP 70BF000A .text C:\WINDOWS\RTHDCPL.EXE[1496] kernel32.dll!OpenMutexA 7C80EABB 6 Bytes JMP 70C2000A .text C:\WINDOWS\RTHDCPL.EXE[1496] kernel32.dll!GetVolumeInformationW 7C80FA85 6 Bytes JMP 7146000A .text C:\WINDOWS\RTHDCPL.EXE[1496] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[1496] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [AB, 71] .text C:\WINDOWS\RTHDCPL.EXE[1496] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 7110000A .text C:\WINDOWS\RTHDCPL.EXE[1496] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 7119000A .text C:\WINDOWS\RTHDCPL.EXE[1496] kernel32.dll!WriteFile 7C810E27 6 Bytes JMP 70DA000A .text C:\WINDOWS\RTHDCPL.EXE[1496] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 7170000A .text C:\WINDOWS\RTHDCPL.EXE[1496] kernel32.dll!MoveFileW 7C821261 6 Bytes JMP 7095000A .text C:\WINDOWS\RTHDCPL.EXE[1496] kernel32.dll!CreateDirectoryA 7C8217AC 6 Bytes JMP 70E0000A .text C:\WINDOWS\RTHDCPL.EXE[1496] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 7149000A .text C:\WINDOWS\RTHDCPL.EXE[1496] kernel32.dll!CopyFileExW 7C827B32 6 Bytes JMP 70EC000A .text C:\WINDOWS\RTHDCPL.EXE[1496] kernel32.dll!CopyFileA 7C8286EE 6 Bytes JMP 70F5000A .text C:\WINDOWS\RTHDCPL.EXE[1496] kernel32.dll!CopyFileW 7C82F87B 6 Bytes JMP 70F2000A .text C:\WINDOWS\RTHDCPL.EXE[1496] kernel32.dll!OpenProcess 7C8309E9 6 Bytes JMP 708C000A .text C:\WINDOWS\RTHDCPL.EXE[1496] kernel32.dll!DeleteFileA 7C831EDD 6 Bytes JMP 70AD000A .text C:\WINDOWS\RTHDCPL.EXE[1496] kernel32.dll!DeleteFileW 7C831F63 6 Bytes JMP 70AA000A .text C:\WINDOWS\RTHDCPL.EXE[1496] kernel32.dll!CreateDirectoryW 7C832402 6 Bytes JMP 70DD000A .text C:\WINDOWS\RTHDCPL.EXE[1496] kernel32.dll!MoveFileExW 7C83568B 6 Bytes JMP 708F000A .text C:\WINDOWS\RTHDCPL.EXE[1496] kernel32.dll!MoveFileA 7C835EBF 6 Bytes JMP 7098000A .text 
C:\WINDOWS\RTHDCPL.EXE[1496] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 716D000A .text C:\WINDOWS\RTHDCPL.EXE[1496] kernel32.dll!MoveFileExA 7C85E49B 6 Bytes JMP 7092000A .text C:\WINDOWS\RTHDCPL.EXE[1496] kernel32.dll!CopyFileExA 7C85F39C 6 Bytes JMP 70EF000A .text C:\WINDOWS\RTHDCPL.EXE[1496] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 7179000A .text C:\WINDOWS\RTHDCPL.EXE[1496] kernel32.dll!SetThreadContext 7C863C09 6 Bytes JMP 70D7000A .text C:\WINDOWS\RTHDCPL.EXE[1496] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 7113000A .text C:\WINDOWS\RTHDCPL.EXE[1496] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 6 Bytes JMP 712E000A .text C:\WINDOWS\RTHDCPL.EXE[1496] ADVAPI32.dll!RegQueryValueExW 77DC6FFF 6 Bytes JMP 711C000A .text C:\WINDOWS\RTHDCPL.EXE[1496] ADVAPI32.dll!RegCreateKeyExW 77DC776C 6 Bytes JMP 7140000A .text C:\WINDOWS\RTHDCPL.EXE[1496] ADVAPI32.dll!RegOpenKeyExA 77DC7852 6 Bytes JMP 7131000A .text C:\WINDOWS\RTHDCPL.EXE[1496] ADVAPI32.dll!RegOpenKeyW 77DC7946 6 Bytes JMP 7134000A .text C:\WINDOWS\RTHDCPL.EXE[1496] ADVAPI32.dll!OpenProcessToken 77DC798B 6 Bytes JMP 70D4000A .text C:\WINDOWS\RTHDCPL.EXE[1496] ADVAPI32.dll!RegQueryValueExA 77DC7ABB 6 Bytes JMP 711F000A .text C:\WINDOWS\RTHDCPL.EXE[1496] ADVAPI32.dll!RegSetValueExW 77DCD767 6 Bytes JMP 7128000A .text C:\WINDOWS\RTHDCPL.EXE[1496] ADVAPI32.dll!RegQueryValueW 77DCD87A 6 Bytes JMP 7122000A .text C:\WINDOWS\RTHDCPL.EXE[1496] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 6 Bytes JMP 7143000A .text C:\WINDOWS\RTHDCPL.EXE[1496] ADVAPI32.dll!RegSetValueExA 77DCEAE7 6 Bytes JMP 712B000A .text C:\WINDOWS\RTHDCPL.EXE[1496] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 6 Bytes JMP 7137000A .text C:\WINDOWS\RTHDCPL.EXE[1496] ADVAPI32.dll!AdjustTokenPrivileges 77DCF00C 6 Bytes JMP 70CB000A .text C:\WINDOWS\RTHDCPL.EXE[1496] ADVAPI32.dll!RegDeleteKeyA 77DD42A0 6 Bytes JMP 70A7000A .text C:\WINDOWS\RTHDCPL.EXE[1496] ADVAPI32.dll!RegDeleteKeyW 77DD559B 6 Bytes JMP 70A4000A .text C:\WINDOWS\RTHDCPL.EXE[1496] 
ADVAPI32.dll!OpenSCManagerW 77DD6F55 6 Bytes JMP 7104000A .text C:\WINDOWS\RTHDCPL.EXE[1496] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 5 Bytes JMP 10023A40 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\RTHDCPL.EXE[1496] ADVAPI32.dll!OpenSCManagerA 77DE69AE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[1496] ADVAPI32.dll!OpenSCManagerA + 4 77DE69B2 2 Bytes [06, 71] .text C:\WINDOWS\RTHDCPL.EXE[1496] ADVAPI32.dll!LookupPrivilegeValueW 77DEB8DF 6 Bytes JMP 70CE000A .text C:\WINDOWS\RTHDCPL.EXE[1496] ADVAPI32.dll!RegCreateKeyW 77DEBA55 6 Bytes JMP 713A000A .text C:\WINDOWS\RTHDCPL.EXE[1496] ADVAPI32.dll!RegQueryValueA 77DEBB8D 6 Bytes JMP 7125000A .text C:\WINDOWS\RTHDCPL.EXE[1496] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 6 Bytes JMP 713D000A .text C:\WINDOWS\RTHDCPL.EXE[1496] ADVAPI32.dll!LookupPrivilegeValueA 77DEC238 6 Bytes JMP 70D1000A .text C:\WINDOWS\RTHDCPL.EXE[1496] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 5 Bytes JMP 10024370 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\RTHDCPL.EXE[1496] ADVAPI32.dll!LsaRemoveAccountRights 77E0AC91 6 Bytes JMP 71A2000A .text C:\WINDOWS\RTHDCPL.EXE[1496] ADVAPI32.dll!CreateServiceA 77E27211 6 Bytes JMP 7158000A .text C:\WINDOWS\RTHDCPL.EXE[1496] ADVAPI32.dll!CreateServiceW 77E273A9 6 Bytes JMP 7155000A .text C:\WINDOWS\RTHDCPL.EXE[1496] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028BA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\RTHDCPL.EXE[1496] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028970 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\RTHDCPL.EXE[1496] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029CA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\RTHDCPL.EXE[1496] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029BA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\RTHDCPL.EXE[1496] 
USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7190000A .text C:\WINDOWS\RTHDCPL.EXE[1496] USER32.dll!SetWindowTextW 7E37960E 6 Bytes JMP 709E000A .text C:\WINDOWS\RTHDCPL.EXE[1496] USER32.dll!GetKeyState 7E379ED9 6 Bytes JMP 716A000A .text C:\WINDOWS\RTHDCPL.EXE[1496] USER32.dll!GetWindowTextW 7E37A5CD 6 Bytes JMP 70FE000A .text C:\WINDOWS\RTHDCPL.EXE[1496] USER32.dll!GetAsyncKeyState 7E37A78F 6 Bytes JMP 7167000A .text C:\WINDOWS\RTHDCPL.EXE[1496] USER32.dll!ShowWindow 7E37AF56 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[1496] USER32.dll!ShowWindow + 4 7E37AF5A 2 Bytes [FA, 70] .text C:\WINDOWS\RTHDCPL.EXE[1496] USER32.dll!CreateWindowExW 7E37D0A3 6 Bytes JMP 70B0000A .text C:\WINDOWS\RTHDCPL.EXE[1496] USER32.dll!GetKeyboardState 7E37D226 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[1496] USER32.dll!GetKeyboardState + 4 7E37D22A 2 Bytes [63, 71] .text C:\WINDOWS\RTHDCPL.EXE[1496] USER32.dll!DrawTextW 7E37D7E2 6 Bytes JMP 70B6000A .text C:\WINDOWS\RTHDCPL.EXE[1496] USER32.dll!CreateWindowExA 7E37E4A9 6 Bytes JMP 70B3000A .text C:\WINDOWS\RTHDCPL.EXE[1496] USER32.dll!SetWindowTextA 7E37F56B 6 Bytes JMP 70A1000A .text C:\WINDOWS\RTHDCPL.EXE[1496] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7193000A .text C:\WINDOWS\RTHDCPL.EXE[1496] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7152000A .text C:\WINDOWS\RTHDCPL.EXE[1496] USER32.dll!GetWindowTextA 7E38216B 6 Bytes JMP 7101000A .text C:\WINDOWS\RTHDCPL.EXE[1496] USER32.dll!DrawTextA 7E38C702 6 Bytes JMP 70B9000A .text C:\WINDOWS\RTHDCPL.EXE[1496] USER32.dll!DdeConnect 7E3A81C3 6 Bytes JMP 7161000A .text C:\WINDOWS\RTHDCPL.EXE[1496] USER32.dll!EndTask 7E3AA0A5 6 Bytes JMP 7176000A .text C:\WINDOWS\RTHDCPL.EXE[1496] USER32.dll!RegisterRawInputDevices 7E3BCE0E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[1496] USER32.dll!RegisterRawInputDevices + 4 7E3BCE12 2 Bytes [4E, 71] .text C:\WINDOWS\RTHDCPL.EXE[1496] SHELL32.dll!ShellExecuteExW 7CA098CB 6 Bytes JMP 717C000A .text 
C:\WINDOWS\RTHDCPL.EXE[1496] SHELL32.dll!Shell_NotifyIcon 7CA28BC6 6 Bytes JMP 70E9000A .text C:\WINDOWS\RTHDCPL.EXE[1496] SHELL32.dll!Shell_NotifyIconW 7CA2A537 6 Bytes JMP 70E6000A .text C:\WINDOWS\RTHDCPL.EXE[1496] SHELL32.dll!ShellExecuteEx 7CA40E45 6 Bytes JMP 717F000A .text C:\WINDOWS\RTHDCPL.EXE[1496] SHELL32.dll!ShellExecuteA 7CA41170 6 Bytes JMP 7185000A .text C:\WINDOWS\RTHDCPL.EXE[1496] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 7182000A .text C:\WINDOWS\system32\svchost.exe[1556] ntdll.dll!NtClose 7C90CFEE 2 Bytes JMP 1001D060 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1556] ntdll.dll!NtClose + 3 7C90CFF1 2 Bytes [71, 93] {JNO 0xffffffffffffff95} .text C:\WINDOWS\system32\svchost.exe[1556] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1556] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [57, 71] .text C:\WINDOWS\system32\svchost.exe[1556] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BB20 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1556] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B800 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1556] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1556] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [6F, 71] .text C:\WINDOWS\system32\svchost.exe[1556] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10027DD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1556] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001D180 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!DeviceIoControl 7C801629 6 Bytes JMP 70E0000A .text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 
7113000A .text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!VirtualProtectEx 7C801A61 6 Bytes JMP 715B000A .text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 7107000A .text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AB0001 .text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10024F10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025AA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!VirtualAlloc 7C809AF1 6 Bytes JMP 710A000A .text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!MultiByteToWideChar 7C809C98 6 Bytes JMP 70B9000A .text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 70F5000A .text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!WideCharToMultiByte 7C80A174 6 Bytes JMP 7098000A .text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 7149000A .text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!CreateMutexW 7C80E957 6 Bytes JMP 70C2000A .text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!CreateMutexA 7C80E9DF 6 Bytes JMP 70C5000A .text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!OpenMutexW 7C80EA35 6 Bytes JMP 70BC000A .text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!OpenMutexA 7C80EABB 6 Bytes JMP 70BF000A .text 
C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!GetVolumeInformationW 7C80FA85 6 Bytes JMP 7143000A .text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [AD, 71] .text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 710D000A .text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 7116000A .text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!WriteFile 7C810E27 6 Bytes JMP 70D7000A .text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 716D000A .text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!MoveFileW 7C821261 6 Bytes JMP 7092000A .text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!CreateDirectoryA 7C8217AC 6 Bytes JMP 70DD000A .text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 7146000A .text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!CopyFileExW 7C827B32 6 Bytes JMP 70E9000A .text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!CopyFileA 7C8286EE 6 Bytes JMP 70F2000A .text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!CopyFileW 7C82F87B 6 Bytes JMP 70EF000A .text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!OpenProcess 7C8309E9 6 Bytes JMP 7089000A .text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!DeleteFileA 7C831EDD 6 Bytes JMP 70AA000A .text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!DeleteFileW 7C831F63 6 Bytes JMP 70A7000A .text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!CreateDirectoryW 7C832402 6 Bytes JMP 70DA000A .text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!MoveFileExW 7C83568B 6 Bytes JMP 708C000A .text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!MoveFileA 7C835EBF 6 Bytes JMP 7095000A .text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!DebugActiveProcess 7C85B0FB 
6 Bytes JMP 716A000A .text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!MoveFileExA 7C85E49B 6 Bytes JMP 708F000A .text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!CopyFileExA 7C85F39C 6 Bytes JMP 70EC000A .text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 7176000A .text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!SetThreadContext 7C863C09 6 Bytes JMP 70D4000A .text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 7110000A .text C:\WINDOWS\system32\svchost.exe[1556] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 6 Bytes JMP 712B000A .text C:\WINDOWS\system32\svchost.exe[1556] ADVAPI32.dll!RegQueryValueExW 77DC6FFF 6 Bytes JMP 7119000A .text C:\WINDOWS\system32\svchost.exe[1556] ADVAPI32.dll!RegCreateKeyExW 77DC776C 6 Bytes JMP 713D000A .text C:\WINDOWS\system32\svchost.exe[1556] ADVAPI32.dll!RegOpenKeyExA 77DC7852 6 Bytes JMP 712E000A .text C:\WINDOWS\system32\svchost.exe[1556] ADVAPI32.dll!RegOpenKeyW 77DC7946 6 Bytes JMP 7131000A .text C:\WINDOWS\system32\svchost.exe[1556] ADVAPI32.dll!OpenProcessToken 77DC798B 6 Bytes JMP 70D1000A .text C:\WINDOWS\system32\svchost.exe[1556] ADVAPI32.dll!RegQueryValueExA 77DC7ABB 6 Bytes JMP 711C000A .text C:\WINDOWS\system32\svchost.exe[1556] ADVAPI32.dll!RegSetValueExW 77DCD767 6 Bytes JMP 7125000A .text C:\WINDOWS\system32\svchost.exe[1556] ADVAPI32.dll!RegQueryValueW 77DCD87A 6 Bytes JMP 711F000A .text C:\WINDOWS\system32\svchost.exe[1556] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 6 Bytes JMP 7140000A .text C:\WINDOWS\system32\svchost.exe[1556] ADVAPI32.dll!RegSetValueExA 77DCEAE7 6 Bytes JMP 7128000A .text C:\WINDOWS\system32\svchost.exe[1556] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 6 Bytes JMP 7134000A .text C:\WINDOWS\system32\svchost.exe[1556] ADVAPI32.dll!AdjustTokenPrivileges 77DCF00C 6 Bytes JMP 70C8000A .text C:\WINDOWS\system32\svchost.exe[1556] ADVAPI32.dll!RegDeleteKeyA 77DD42A0 6 Bytes JMP 70A4000A .text 
C:\WINDOWS\system32\svchost.exe[1556] ADVAPI32.dll!RegDeleteKeyW 77DD559B 6 Bytes JMP 70A1000A .text C:\WINDOWS\system32\svchost.exe[1556] ADVAPI32.dll!OpenSCManagerW 77DD6F55 6 Bytes JMP 7101000A .text C:\WINDOWS\system32\svchost.exe[1556] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 5 Bytes JMP 10023A40 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1556] ADVAPI32.dll!OpenSCManagerA 77DE69AE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1556] ADVAPI32.dll!OpenSCManagerA + 4 77DE69B2 2 Bytes [03, 71] .text C:\WINDOWS\system32\svchost.exe[1556] ADVAPI32.dll!LookupPrivilegeValueW 77DEB8DF 6 Bytes JMP 70CB000A .text C:\WINDOWS\system32\svchost.exe[1556] ADVAPI32.dll!RegCreateKeyW 77DEBA55 6 Bytes JMP 7137000A .text C:\WINDOWS\system32\svchost.exe[1556] ADVAPI32.dll!RegQueryValueA 77DEBB8D 6 Bytes JMP 7122000A .text C:\WINDOWS\system32\svchost.exe[1556] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 6 Bytes JMP 713A000A .text C:\WINDOWS\system32\svchost.exe[1556] ADVAPI32.dll!LookupPrivilegeValueA 77DEC238 6 Bytes JMP 70CE000A .text C:\WINDOWS\system32\svchost.exe[1556] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 5 Bytes JMP 10024370 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1556] ADVAPI32.dll!LsaRemoveAccountRights 77E0AC91 6 Bytes JMP 71A7000A .text C:\WINDOWS\system32\svchost.exe[1556] ADVAPI32.dll!CreateServiceA 77E27211 6 Bytes JMP 7155000A .text C:\WINDOWS\system32\svchost.exe[1556] ADVAPI32.dll!CreateServiceW 77E273A9 6 Bytes JMP 7152000A .text C:\WINDOWS\system32\svchost.exe[1556] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[1556] USER32.dll!SetWindowTextW 7E37960E 6 Bytes JMP 709B000A .text C:\WINDOWS\system32\svchost.exe[1556] USER32.dll!GetKeyState 7E379ED9 6 Bytes JMP 7167000A .text C:\WINDOWS\system32\svchost.exe[1556] USER32.dll!GetWindowTextW 7E37A5CD 6 Bytes JMP 70FB000A .text 
C:\WINDOWS\system32\svchost.exe[1556] USER32.dll!GetAsyncKeyState 7E37A78F 6 Bytes JMP 7164000A .text C:\WINDOWS\system32\svchost.exe[1556] USER32.dll!ShowWindow 7E37AF56 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1556] USER32.dll!ShowWindow + 4 7E37AF5A 2 Bytes [F7, 70] .text C:\WINDOWS\system32\svchost.exe[1556] USER32.dll!CreateWindowExW 7E37D0A3 6 Bytes JMP 70AD000A .text C:\WINDOWS\system32\svchost.exe[1556] USER32.dll!GetKeyboardState 7E37D226 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1556] USER32.dll!GetKeyboardState + 4 7E37D22A 2 Bytes [60, 71] .text C:\WINDOWS\system32\svchost.exe[1556] USER32.dll!DrawTextW 7E37D7E2 6 Bytes JMP 70B3000A .text C:\WINDOWS\system32\svchost.exe[1556] USER32.dll!CreateWindowExA 7E37E4A9 6 Bytes JMP 70B0000A .text C:\WINDOWS\system32\svchost.exe[1556] USER32.dll!SetWindowTextA 7E37F56B 6 Bytes JMP 709E000A .text C:\WINDOWS\system32\svchost.exe[1556] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\svchost.exe[1556] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 714F000A .text C:\WINDOWS\system32\svchost.exe[1556] USER32.dll!GetWindowTextA 7E38216B 6 Bytes JMP 70FE000A .text C:\WINDOWS\system32\svchost.exe[1556] USER32.dll!DrawTextA 7E38C702 6 Bytes JMP 70B6000A .text C:\WINDOWS\system32\svchost.exe[1556] USER32.dll!DdeConnect 7E3A81C3 6 Bytes JMP 715E000A .text C:\WINDOWS\system32\svchost.exe[1556] USER32.dll!EndTask 7E3AA0A5 6 Bytes JMP 7173000A .text C:\WINDOWS\system32\svchost.exe[1556] USER32.dll!RegisterRawInputDevices 7E3BCE0E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1556] USER32.dll!RegisterRawInputDevices + 4 7E3BCE12 2 Bytes [4B, 71] .text C:\WINDOWS\system32\svchost.exe[1556] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028BA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1556] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028970 C:\WINDOWS\system32\guard32.dll (COMODO Internet 
Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1556] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029CA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1556] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029BA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1556] SHELL32.dll!ShellExecuteExW 7CA098CB 6 Bytes JMP 7179000A .text C:\WINDOWS\system32\svchost.exe[1556] SHELL32.dll!Shell_NotifyIcon 7CA28BC6 6 Bytes JMP 70E6000A .text C:\WINDOWS\system32\svchost.exe[1556] SHELL32.dll!Shell_NotifyIconW 7CA2A537 6 Bytes JMP 70E3000A .text C:\WINDOWS\system32\svchost.exe[1556] SHELL32.dll!ShellExecuteEx 7CA40E45 6 Bytes JMP 717C000A .text C:\WINDOWS\system32\svchost.exe[1556] SHELL32.dll!ShellExecuteA 7CA41170 6 Bytes JMP 7182000A .text C:\WINDOWS\system32\svchost.exe[1556] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 717F000A .text C:\WINDOWS\system32\svchost.exe[1576] ntdll.dll!NtClose 7C90CFEE 2 Bytes JMP 1001D060 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1576] ntdll.dll!NtClose + 3 7C90CFF1 2 Bytes [71, 93] {JNO 0xffffffffffffff95} .text C:\WINDOWS\system32\svchost.exe[1576] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1576] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [5C, 71] .text C:\WINDOWS\system32\svchost.exe[1576] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BB20 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1576] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B800 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1576] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1576] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [74, 71] {JZ 0x73} .text 
C:\WINDOWS\system32\svchost.exe[1576] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10027DD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1576] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001D180 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!DeviceIoControl 7C801629 6 Bytes JMP 70E5000A .text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 7118000A .text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!VirtualProtectEx 7C801A61 6 Bytes JMP 7160000A .text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 710C000A .text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AB0001 .text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 719B000A .text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 71A1000A .text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 719E000A .text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10024F10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025AA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!VirtualAlloc 7C809AF1 6 Bytes JMP 710F000A .text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!MultiByteToWideChar 7C809C98 6 Bytes JMP 70BE000A .text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 70FA000A .text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!WideCharToMultiByte 7C80A174 6 Bytes JMP 709D000A .text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 714E000A 
.text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 7198000A .text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!CreateMutexW 7C80E957 6 Bytes JMP 70C7000A .text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!CreateMutexA 7C80E9DF 6 Bytes JMP 70CA000A .text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!OpenMutexW 7C80EA35 6 Bytes JMP 70C1000A .text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!OpenMutexA 7C80EABB 6 Bytes JMP 70C4000A .text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!GetVolumeInformationW 7C80FA85 6 Bytes JMP 7148000A .text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [AD, 71] .text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 7112000A .text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 711B000A .text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!WriteFile 7C810E27 6 Bytes JMP 70DC000A .text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 7172000A .text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!MoveFileW 7C821261 6 Bytes JMP 7097000A .text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!CreateDirectoryA 7C8217AC 6 Bytes JMP 70E2000A .text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 714B000A .text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!CopyFileExW 7C827B32 6 Bytes JMP 70EE000A .text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!CopyFileA 7C8286EE 6 Bytes JMP 70F7000A .text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!CopyFileW 7C82F87B 6 Bytes JMP 70F4000A .text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!OpenProcess 7C8309E9 6 Bytes JMP 708E000A .text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!DeleteFileA 7C831EDD 6 
Bytes JMP 70AF000A .text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!DeleteFileW 7C831F63 6 Bytes JMP 70AC000A .text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!CreateDirectoryW 7C832402 6 Bytes JMP 70DF000A .text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!MoveFileExW 7C83568B 6 Bytes JMP 7091000A .text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!MoveFileA 7C835EBF 6 Bytes JMP 709A000A .text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 716F000A .text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!MoveFileExA 7C85E49B 6 Bytes JMP 7094000A .text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!CopyFileExA 7C85F39C 6 Bytes JMP 70F1000A .text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!SetThreadContext 7C863C09 6 Bytes JMP 70D9000A .text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 7115000A .text C:\WINDOWS\system32\svchost.exe[1576] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 6 Bytes JMP 7130000A .text C:\WINDOWS\system32\svchost.exe[1576] ADVAPI32.dll!RegQueryValueExW 77DC6FFF 6 Bytes JMP 711E000A .text C:\WINDOWS\system32\svchost.exe[1576] ADVAPI32.dll!RegCreateKeyExW 77DC776C 6 Bytes JMP 7142000A .text C:\WINDOWS\system32\svchost.exe[1576] ADVAPI32.dll!RegOpenKeyExA 77DC7852 6 Bytes JMP 7133000A .text C:\WINDOWS\system32\svchost.exe[1576] ADVAPI32.dll!RegOpenKeyW 77DC7946 6 Bytes JMP 7136000A .text C:\WINDOWS\system32\svchost.exe[1576] ADVAPI32.dll!OpenProcessToken 77DC798B 6 Bytes JMP 70D6000A .text C:\WINDOWS\system32\svchost.exe[1576] ADVAPI32.dll!RegQueryValueExA 77DC7ABB 6 Bytes JMP 7121000A .text C:\WINDOWS\system32\svchost.exe[1576] ADVAPI32.dll!RegSetValueExW 77DCD767 6 Bytes JMP 712A000A .text C:\WINDOWS\system32\svchost.exe[1576] ADVAPI32.dll!RegQueryValueW 77DCD87A 6 Bytes JMP 7124000A .text C:\WINDOWS\system32\svchost.exe[1576] 
ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 6 Bytes JMP 7145000A .text C:\WINDOWS\system32\svchost.exe[1576] ADVAPI32.dll!RegSetValueExA 77DCEAE7 6 Bytes JMP 712D000A .text C:\WINDOWS\system32\svchost.exe[1576] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 6 Bytes JMP 7139000A .text C:\WINDOWS\system32\svchost.exe[1576] ADVAPI32.dll!AdjustTokenPrivileges 77DCF00C 6 Bytes JMP 70CD000A .text C:\WINDOWS\system32\svchost.exe[1576] ADVAPI32.dll!RegDeleteKeyA 77DD42A0 6 Bytes JMP 70A9000A .text C:\WINDOWS\system32\svchost.exe[1576] ADVAPI32.dll!RegDeleteKeyW 77DD559B 6 Bytes JMP 70A6000A .text C:\WINDOWS\system32\svchost.exe[1576] ADVAPI32.dll!OpenSCManagerW 77DD6F55 6 Bytes JMP 7106000A .text C:\WINDOWS\system32\svchost.exe[1576] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 5 Bytes JMP 10023A40 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1576] ADVAPI32.dll!OpenSCManagerA 77DE69AE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1576] ADVAPI32.dll!OpenSCManagerA + 4 77DE69B2 2 Bytes [08, 71] .text C:\WINDOWS\system32\svchost.exe[1576] ADVAPI32.dll!LookupPrivilegeValueW 77DEB8DF 6 Bytes JMP 70D0000A .text C:\WINDOWS\system32\svchost.exe[1576] ADVAPI32.dll!RegCreateKeyW 77DEBA55 6 Bytes JMP 713C000A .text C:\WINDOWS\system32\svchost.exe[1576] ADVAPI32.dll!RegQueryValueA 77DEBB8D 6 Bytes JMP 7127000A .text C:\WINDOWS\system32\svchost.exe[1576] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 6 Bytes JMP 713F000A .text C:\WINDOWS\system32\svchost.exe[1576] ADVAPI32.dll!LookupPrivilegeValueA 77DEC238 6 Bytes JMP 70D3000A .text C:\WINDOWS\system32\svchost.exe[1576] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 5 Bytes JMP 10024370 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1576] ADVAPI32.dll!LsaRemoveAccountRights 77E0AC91 6 Bytes JMP 71A7000A .text C:\WINDOWS\system32\svchost.exe[1576] ADVAPI32.dll!CreateServiceA 77E27211 6 Bytes JMP 715A000A .text 
C:\WINDOWS\system32\svchost.exe[1576] ADVAPI32.dll!CreateServiceW 77E273A9 6 Bytes JMP 7157000A .text C:\WINDOWS\system32\svchost.exe[1576] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7192000A .text C:\WINDOWS\system32\svchost.exe[1576] USER32.dll!SetWindowTextW 7E37960E 6 Bytes JMP 70A0000A .text C:\WINDOWS\system32\svchost.exe[1576] USER32.dll!GetKeyState 7E379ED9 6 Bytes JMP 716C000A .text C:\WINDOWS\system32\svchost.exe[1576] USER32.dll!GetWindowTextW 7E37A5CD 6 Bytes JMP 7100000A .text C:\WINDOWS\system32\svchost.exe[1576] USER32.dll!GetAsyncKeyState 7E37A78F 6 Bytes JMP 7169000A .text C:\WINDOWS\system32\svchost.exe[1576] USER32.dll!ShowWindow 7E37AF56 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1576] USER32.dll!ShowWindow + 4 7E37AF5A 2 Bytes [FC, 70] .text C:\WINDOWS\system32\svchost.exe[1576] USER32.dll!CreateWindowExW 7E37D0A3 6 Bytes JMP 70B2000A .text C:\WINDOWS\system32\svchost.exe[1576] USER32.dll!GetKeyboardState 7E37D226 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1576] USER32.dll!GetKeyboardState + 4 7E37D22A 2 Bytes [65, 71] .text C:\WINDOWS\system32\svchost.exe[1576] USER32.dll!DrawTextW 7E37D7E2 6 Bytes JMP 70B8000A .text C:\WINDOWS\system32\svchost.exe[1576] USER32.dll!CreateWindowExA 7E37E4A9 6 Bytes JMP 70B5000A .text C:\WINDOWS\system32\svchost.exe[1576] USER32.dll!SetWindowTextA 7E37F56B 6 Bytes JMP 70A3000A .text C:\WINDOWS\system32\svchost.exe[1576] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7195000A .text C:\WINDOWS\system32\svchost.exe[1576] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7154000A .text C:\WINDOWS\system32\svchost.exe[1576] USER32.dll!GetWindowTextA 7E38216B 6 Bytes JMP 7103000A .text C:\WINDOWS\system32\svchost.exe[1576] USER32.dll!DrawTextA 7E38C702 6 Bytes JMP 70BB000A .text C:\WINDOWS\system32\svchost.exe[1576] USER32.dll!DdeConnect 7E3A81C3 6 Bytes JMP 7163000A .text C:\WINDOWS\system32\svchost.exe[1576] USER32.dll!EndTask 7E3AA0A5 6 Bytes JMP 7178000A .text 
C:\WINDOWS\system32\svchost.exe[1576] USER32.dll!RegisterRawInputDevices 7E3BCE0E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1576] USER32.dll!RegisterRawInputDevices + 4 7E3BCE12 2 Bytes [50, 71] .text C:\WINDOWS\system32\svchost.exe[1576] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028BA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1576] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028970 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1576] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029CA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1576] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029BA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1576] SHELL32.dll!ShellExecuteExW 7CA098CB 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\svchost.exe[1576] SHELL32.dll!Shell_NotifyIcon 7CA28BC6 6 Bytes JMP 70EB000A .text C:\WINDOWS\system32\svchost.exe[1576] SHELL32.dll!Shell_NotifyIconW 7CA2A537 6 Bytes JMP 70E8000A .text C:\WINDOWS\system32\svchost.exe[1576] SHELL32.dll!ShellExecuteEx 7CA40E45 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\svchost.exe[1576] SHELL32.dll!ShellExecuteA 7CA41170 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[1576] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[1600] ntdll.dll!NtClose 7C90CFEE 2 Bytes JMP 1001D060 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1600] ntdll.dll!NtClose + 3 7C90CFF1 2 Bytes [71, 93] {JNO 0xffffffffffffff95} .text C:\WINDOWS\system32\svchost.exe[1600] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1600] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [5C, 71] .text C:\WINDOWS\system32\svchost.exe[1600] 
ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BB20 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1600] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B800 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1600] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1600] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\svchost.exe[1600] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10027DD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1600] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001D180 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1600] kernel32.dll!DeviceIoControl 7C801629 6 Bytes JMP 70E5000A .text C:\WINDOWS\system32\svchost.exe[1600] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 7118000A .text C:\WINDOWS\system32\svchost.exe[1600] kernel32.dll!VirtualProtectEx 7C801A61 6 Bytes JMP 7160000A .text C:\WINDOWS\system32\svchost.exe[1600] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 710C000A .text C:\WINDOWS\system32\svchost.exe[1600] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AB0001 .text C:\WINDOWS\system32\svchost.exe[1600] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 719B000A .text C:\WINDOWS\system32\svchost.exe[1600] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 71A1000A .text C:\WINDOWS\system32\svchost.exe[1600] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 719E000A .text C:\WINDOWS\system32\svchost.exe[1600] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10024F10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1600] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025AA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet 
Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1600] kernel32.dll!VirtualAlloc 7C809AF1 6 Bytes JMP 710F000A .text C:\WINDOWS\system32\svchost.exe[1600] kernel32.dll!MultiByteToWideChar 7C809C98 6 Bytes JMP 70B8000A .text C:\WINDOWS\system32\svchost.exe[1600] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 70FA000A .text C:\WINDOWS\system32\svchost.exe[1600] kernel32.dll!WideCharToMultiByte 7C80A174 6 Bytes JMP 7097000A .text C:\WINDOWS\system32\svchost.exe[1600] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 714E000A .text C:\WINDOWS\system32\svchost.exe[1600] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 7198000A .text C:\WINDOWS\system32\svchost.exe[1600] kernel32.dll!CreateMutexW 7C80E957 6 Bytes JMP 70C1000A .text C:\WINDOWS\system32\svchost.exe[1600] kernel32.dll!CreateMutexA 7C80E9DF 6 Bytes JMP 70C4000A .text C:\WINDOWS\system32\svchost.exe[1600] kernel32.dll!OpenMutexW 7C80EA35 6 Bytes JMP 70BB000A .text C:\WINDOWS\system32\svchost.exe[1600] kernel32.dll!OpenMutexA 7C80EABB 6 Bytes JMP 70BE000A .text C:\WINDOWS\system32\svchost.exe[1600] kernel32.dll!GetVolumeInformationW 7C80FA85 6 Bytes JMP 7148000A .text C:\WINDOWS\system32\svchost.exe[1600] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1600] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [AD, 71] .text C:\WINDOWS\system32\svchost.exe[1600] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 7112000A .text C:\WINDOWS\system32\svchost.exe[1600] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 711B000A .text C:\WINDOWS\system32\svchost.exe[1600] kernel32.dll!WriteFile 7C810E27 6 Bytes JMP 70D6000A .text C:\WINDOWS\system32\svchost.exe[1600] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 7172000A .text C:\WINDOWS\system32\svchost.exe[1600] kernel32.dll!MoveFileW 7C821261 6 Bytes JMP 7091000A .text C:\WINDOWS\system32\svchost.exe[1600] kernel32.dll!CreateDirectoryA 7C8217AC 6 Bytes JMP 70DC000A .text C:\WINDOWS\system32\svchost.exe[1600] 
kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 714B000A .text C:\WINDOWS\system32\svchost.exe[1600] kernel32.dll!CopyFileExW 7C827B32 6 Bytes JMP 70EE000A .text C:\WINDOWS\system32\svchost.exe[1600] kernel32.dll!CopyFileA 7C8286EE 6 Bytes JMP 70F7000A .text C:\WINDOWS\system32\svchost.exe[1600] kernel32.dll!CopyFileW 7C82F87B 6 Bytes JMP 70F4000A .text C:\WINDOWS\system32\svchost.exe[1600] kernel32.dll!OpenProcess 7C8309E9 6 Bytes JMP 7088000A .text C:\WINDOWS\system32\svchost.exe[1600] kernel32.dll!DeleteFileA 7C831EDD 6 Bytes JMP 70A9000A .text C:\WINDOWS\system32\svchost.exe[1600] kernel32.dll!DeleteFileW 7C831F63 6 Bytes JMP 70A6000A .text C:\WINDOWS\system32\svchost.exe[1600] kernel32.dll!CreateDirectoryW 7C832402 6 Bytes JMP 70D9000A .text C:\WINDOWS\system32\svchost.exe[1600] kernel32.dll!MoveFileExW 7C83568B 6 Bytes JMP 708B000A .text C:\WINDOWS\system32\svchost.exe[1600] kernel32.dll!MoveFileA 7C835EBF 6 Bytes JMP 7094000A .text C:\WINDOWS\system32\svchost.exe[1600] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 716F000A .text C:\WINDOWS\system32\svchost.exe[1600] kernel32.dll!MoveFileExA 7C85E49B 6 Bytes JMP 708E000A .text C:\WINDOWS\system32\svchost.exe[1600] kernel32.dll!CopyFileExA 7C85F39C 6 Bytes JMP 70F1000A .text C:\WINDOWS\system32\svchost.exe[1600] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\svchost.exe[1600] kernel32.dll!SetThreadContext 7C863C09 6 Bytes JMP 70D3000A .text C:\WINDOWS\system32\svchost.exe[1600] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 7115000A .text C:\WINDOWS\system32\svchost.exe[1600] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 6 Bytes JMP 7130000A .text C:\WINDOWS\system32\svchost.exe[1600] ADVAPI32.dll!RegQueryValueExW 77DC6FFF 6 Bytes JMP 711E000A .text C:\WINDOWS\system32\svchost.exe[1600] ADVAPI32.dll!RegCreateKeyExW 77DC776C 6 Bytes JMP 7142000A .text C:\WINDOWS\system32\svchost.exe[1600] ADVAPI32.dll!RegOpenKeyExA 77DC7852 6 Bytes JMP 7133000A .text 
C:\WINDOWS\system32\svchost.exe[1600] ADVAPI32.dll!RegOpenKeyW 77DC7946 6 Bytes JMP 7136000A .text C:\WINDOWS\system32\svchost.exe[1600] ADVAPI32.dll!OpenProcessToken 77DC798B 6 Bytes JMP 70D0000A .text C:\WINDOWS\system32\svchost.exe[1600] ADVAPI32.dll!RegQueryValueExA 77DC7ABB 6 Bytes JMP 7121000A .text C:\WINDOWS\system32\svchost.exe[1600] ADVAPI32.dll!RegSetValueExW 77DCD767 6 Bytes JMP 712A000A .text C:\WINDOWS\system32\svchost.exe[1600] ADVAPI32.dll!RegQueryValueW 77DCD87A 6 Bytes JMP 7124000A .text C:\WINDOWS\system32\svchost.exe[1600] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 6 Bytes JMP 7145000A .text C:\WINDOWS\system32\svchost.exe[1600] ADVAPI32.dll!RegSetValueExA 77DCEAE7 6 Bytes JMP 712D000A .text C:\WINDOWS\system32\svchost.exe[1600] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 6 Bytes JMP 7139000A .text C:\WINDOWS\system32\svchost.exe[1600] ADVAPI32.dll!AdjustTokenPrivileges 77DCF00C 6 Bytes JMP 70C7000A .text C:\WINDOWS\system32\svchost.exe[1600] ADVAPI32.dll!RegDeleteKeyA 77DD42A0 6 Bytes JMP 70A3000A .text C:\WINDOWS\system32\svchost.exe[1600] ADVAPI32.dll!RegDeleteKeyW 77DD559B 6 Bytes JMP 70A0000A .text C:\WINDOWS\system32\svchost.exe[1600] ADVAPI32.dll!OpenSCManagerW 77DD6F55 6 Bytes JMP 7106000A .text C:\WINDOWS\system32\svchost.exe[1600] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 5 Bytes JMP 10023A40 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1600] ADVAPI32.dll!OpenSCManagerA 77DE69AE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1600] ADVAPI32.dll!OpenSCManagerA + 4 77DE69B2 2 Bytes [08, 71] .text C:\WINDOWS\system32\svchost.exe[1600] ADVAPI32.dll!LookupPrivilegeValueW 77DEB8DF 6 Bytes JMP 70CA000A .text C:\WINDOWS\system32\svchost.exe[1600] ADVAPI32.dll!RegCreateKeyW 77DEBA55 6 Bytes JMP 713C000A .text C:\WINDOWS\system32\svchost.exe[1600] ADVAPI32.dll!RegQueryValueA 77DEBB8D 6 Bytes JMP 7127000A .text C:\WINDOWS\system32\svchost.exe[1600] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 6 Bytes 
JMP 713F000A .text C:\WINDOWS\system32\svchost.exe[1600] ADVAPI32.dll!LookupPrivilegeValueA 77DEC238 6 Bytes JMP 70CD000A .text C:\WINDOWS\system32\svchost.exe[1600] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 5 Bytes JMP 10024370 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1600] ADVAPI32.dll!LsaRemoveAccountRights 77E0AC91 6 Bytes JMP 71A7000A .text C:\WINDOWS\system32\svchost.exe[1600] ADVAPI32.dll!CreateServiceA 77E27211 6 Bytes JMP 715A000A .text C:\WINDOWS\system32\svchost.exe[1600] ADVAPI32.dll!CreateServiceW 77E273A9 6 Bytes JMP 7157000A .text C:\WINDOWS\system32\svchost.exe[1600] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7192000A .text C:\WINDOWS\system32\svchost.exe[1600] USER32.dll!SetWindowTextW 7E37960E 6 Bytes JMP 709A000A .text C:\WINDOWS\system32\svchost.exe[1600] USER32.dll!GetKeyState 7E379ED9 6 Bytes JMP 716C000A .text C:\WINDOWS\system32\svchost.exe[1600] USER32.dll!GetWindowTextW 7E37A5CD 6 Bytes JMP 7100000A .text C:\WINDOWS\system32\svchost.exe[1600] USER32.dll!GetAsyncKeyState 7E37A78F 6 Bytes JMP 7169000A .text C:\WINDOWS\system32\svchost.exe[1600] USER32.dll!ShowWindow 7E37AF56 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1600] USER32.dll!ShowWindow + 4 7E37AF5A 2 Bytes [FC, 70] .text C:\WINDOWS\system32\svchost.exe[1600] USER32.dll!CreateWindowExW 7E37D0A3 6 Bytes JMP 70AC000A .text C:\WINDOWS\system32\svchost.exe[1600] USER32.dll!GetKeyboardState 7E37D226 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1600] USER32.dll!GetKeyboardState + 4 7E37D22A 2 Bytes [65, 71] .text C:\WINDOWS\system32\svchost.exe[1600] USER32.dll!DrawTextW 7E37D7E2 6 Bytes JMP 70B2000A .text C:\WINDOWS\system32\svchost.exe[1600] USER32.dll!CreateWindowExA 7E37E4A9 6 Bytes JMP 70AF000A .text C:\WINDOWS\system32\svchost.exe[1600] USER32.dll!SetWindowTextA 7E37F56B 6 Bytes JMP 709D000A .text C:\WINDOWS\system32\svchost.exe[1600] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 
7195000A .text C:\WINDOWS\system32\svchost.exe[1600] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7154000A .text C:\WINDOWS\system32\svchost.exe[1600] USER32.dll!GetWindowTextA 7E38216B 6 Bytes JMP 7103000A .text C:\WINDOWS\system32\svchost.exe[1600] USER32.dll!DrawTextA 7E38C702 6 Bytes JMP 70B5000A .text C:\WINDOWS\system32\svchost.exe[1600] USER32.dll!DdeConnect 7E3A81C3 6 Bytes JMP 7163000A .text C:\WINDOWS\system32\svchost.exe[1600] USER32.dll!EndTask 7E3AA0A5 6 Bytes JMP 7178000A .text C:\WINDOWS\system32\svchost.exe[1600] USER32.dll!RegisterRawInputDevices 7E3BCE0E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1600] USER32.dll!RegisterRawInputDevices + 4 7E3BCE12 2 Bytes [50, 71] .text C:\WINDOWS\system32\svchost.exe[1600] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028BA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1600] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028970 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1600] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029CA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1600] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029BA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1600] SHELL32.dll!ShellExecuteExW 7CA098CB 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\svchost.exe[1600] SHELL32.dll!Shell_NotifyIcon 7CA28BC6 6 Bytes JMP 70EB000A .text C:\WINDOWS\system32\svchost.exe[1600] SHELL32.dll!Shell_NotifyIconW 7CA2A537 6 Bytes JMP 70E8000A .text C:\WINDOWS\system32\svchost.exe[1600] SHELL32.dll!ShellExecuteEx 7CA40E45 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\svchost.exe[1600] SHELL32.dll!ShellExecuteA 7CA41170 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[1600] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 7184000A .text 
C:\WINDOWS\system32\svchost.exe[1600] WININET.dll!InternetOpenUrlA 3FD1F3AC 6 Bytes JMP 70E2000A .text C:\WINDOWS\system32\svchost.exe[1600] WININET.dll!InternetOpenUrlW 3FD66D6F 6 Bytes JMP 70DF000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] ntdll.dll!NtClose 7C90CFEE 2 Bytes JMP 1001D060 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] ntdll.dll!NtClose + 3 7C90CFF1 2 Bytes [71, 93] {JNO 0xffffffffffffff95} .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [5C, 71] .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BB20 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B800 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10027DD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001D180 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] kernel32.dll!DeviceIoControl 7C801629 6 Bytes JMP 70E5000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 7118000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] kernel32.dll!VirtualProtectEx 7C801A61 6 Bytes JMP 7160000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 710C000A .text 
C:\WINDOWS\system32\RUNDLL32.EXE[1612] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AB0001 .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 719B000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 71A1000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 719E000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10024F10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025AA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] kernel32.dll!VirtualAlloc 7C809AF1 6 Bytes JMP 710F000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] kernel32.dll!MultiByteToWideChar 7C809C98 6 Bytes JMP 70BE000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 70FA000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] kernel32.dll!WideCharToMultiByte 7C80A174 6 Bytes JMP 709D000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 714E000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 7198000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] kernel32.dll!CreateMutexW 7C80E957 6 Bytes JMP 70C7000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] kernel32.dll!CreateMutexA 7C80E9DF 6 Bytes JMP 70CA000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] kernel32.dll!OpenMutexW 7C80EA35 6 Bytes JMP 70C1000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] kernel32.dll!OpenMutexA 7C80EABB 6 Bytes JMP 70C4000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] kernel32.dll!GetVolumeInformationW 7C80FA85 6 Bytes JMP 7148000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E] .text 
C:\WINDOWS\system32\RUNDLL32.EXE[1612] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [AD, 71] .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 7112000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 711B000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] kernel32.dll!WriteFile 7C810E27 6 Bytes JMP 70DC000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 7172000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] kernel32.dll!MoveFileW 7C821261 6 Bytes JMP 7097000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] kernel32.dll!CreateDirectoryA 7C8217AC 6 Bytes JMP 70E2000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 714B000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] kernel32.dll!CopyFileExW 7C827B32 6 Bytes JMP 70EE000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] kernel32.dll!CopyFileA 7C8286EE 6 Bytes JMP 70F7000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] kernel32.dll!CopyFileW 7C82F87B 6 Bytes JMP 70F4000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] kernel32.dll!OpenProcess 7C8309E9 6 Bytes JMP 708E000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] kernel32.dll!DeleteFileA 7C831EDD 6 Bytes JMP 70AF000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] kernel32.dll!DeleteFileW 7C831F63 6 Bytes JMP 70AC000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] kernel32.dll!CreateDirectoryW 7C832402 6 Bytes JMP 70DF000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] kernel32.dll!MoveFileExW 7C83568B 6 Bytes JMP 7091000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] kernel32.dll!MoveFileA 7C835EBF 6 Bytes JMP 709A000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 716F000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] kernel32.dll!MoveFileExA 7C85E49B 6 Bytes JMP 7094000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] kernel32.dll!CopyFileExA 
7C85F39C 6 Bytes JMP 70F1000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] kernel32.dll!SetThreadContext 7C863C09 6 Bytes JMP 70D9000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 7115000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028BA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028970 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029CA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029BA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7192000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] USER32.dll!SetWindowTextW 7E37960E 6 Bytes JMP 70A0000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] USER32.dll!GetKeyState 7E379ED9 6 Bytes JMP 716C000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] USER32.dll!GetWindowTextW 7E37A5CD 6 Bytes JMP 7100000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] USER32.dll!GetAsyncKeyState 7E37A78F 6 Bytes JMP 7169000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] USER32.dll!ShowWindow 7E37AF56 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] USER32.dll!ShowWindow + 4 7E37AF5A 2 Bytes [FC, 70] .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] USER32.dll!CreateWindowExW 7E37D0A3 6 Bytes JMP 70B2000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] USER32.dll!GetKeyboardState 7E37D226 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] USER32.dll!GetKeyboardState + 4 7E37D22A 2 Bytes [65, 71] 
.text C:\WINDOWS\system32\RUNDLL32.EXE[1612] USER32.dll!DrawTextW 7E37D7E2 6 Bytes JMP 70B8000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] USER32.dll!CreateWindowExA 7E37E4A9 6 Bytes JMP 70B5000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] USER32.dll!SetWindowTextA 7E37F56B 6 Bytes JMP 70A3000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7195000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7154000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] USER32.dll!GetWindowTextA 7E38216B 6 Bytes JMP 7103000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] USER32.dll!DrawTextA 7E38C702 6 Bytes JMP 70BB000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] USER32.dll!DdeConnect 7E3A81C3 6 Bytes JMP 7163000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] USER32.dll!EndTask 7E3AA0A5 6 Bytes JMP 7178000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] USER32.dll!RegisterRawInputDevices 7E3BCE0E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] USER32.dll!RegisterRawInputDevices + 4 7E3BCE12 2 Bytes [50, 71] .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 6 Bytes JMP 7130000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] ADVAPI32.dll!RegQueryValueExW 77DC6FFF 6 Bytes JMP 711E000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] ADVAPI32.dll!RegCreateKeyExW 77DC776C 6 Bytes JMP 7142000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] ADVAPI32.dll!RegOpenKeyExA 77DC7852 6 Bytes JMP 7133000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] ADVAPI32.dll!RegOpenKeyW 77DC7946 6 Bytes JMP 7136000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] ADVAPI32.dll!OpenProcessToken 77DC798B 6 Bytes JMP 70D6000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] ADVAPI32.dll!RegQueryValueExA 77DC7ABB 6 Bytes JMP 7121000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] ADVAPI32.dll!RegSetValueExW 77DCD767 6 Bytes JMP 712A000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] 
ADVAPI32.dll!RegQueryValueW 77DCD87A 6 Bytes JMP 7124000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 6 Bytes JMP 7145000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] ADVAPI32.dll!RegSetValueExA 77DCEAE7 6 Bytes JMP 712D000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 6 Bytes JMP 7139000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] ADVAPI32.dll!AdjustTokenPrivileges 77DCF00C 6 Bytes JMP 70CD000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] ADVAPI32.dll!RegDeleteKeyA 77DD42A0 6 Bytes JMP 70A9000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] ADVAPI32.dll!RegDeleteKeyW 77DD559B 6 Bytes JMP 70A6000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] ADVAPI32.dll!OpenSCManagerW 77DD6F55 6 Bytes JMP 7106000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 5 Bytes JMP 10023A40 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] ADVAPI32.dll!OpenSCManagerA 77DE69AE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] ADVAPI32.dll!OpenSCManagerA + 4 77DE69B2 2 Bytes [08, 71] .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] ADVAPI32.dll!LookupPrivilegeValueW 77DEB8DF 6 Bytes JMP 70D0000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] ADVAPI32.dll!RegCreateKeyW 77DEBA55 6 Bytes JMP 713C000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] ADVAPI32.dll!RegQueryValueA 77DEBB8D 6 Bytes JMP 7127000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 6 Bytes JMP 713F000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] ADVAPI32.dll!LookupPrivilegeValueA 77DEC238 6 Bytes JMP 70D3000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 5 Bytes JMP 10024370 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] ADVAPI32.dll!LsaRemoveAccountRights 77E0AC91 6 Bytes JMP 71A7000A .text 
C:\WINDOWS\system32\RUNDLL32.EXE[1612] ADVAPI32.dll!CreateServiceA 77E27211 6 Bytes JMP 715A000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] ADVAPI32.dll!CreateServiceW 77E273A9 6 Bytes JMP 7157000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] SHELL32.dll!ShellExecuteExW 7CA098CB 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] SHELL32.dll!Shell_NotifyIcon 7CA28BC6 6 Bytes JMP 70EB000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] SHELL32.dll!Shell_NotifyIconW 7CA2A537 6 Bytes JMP 70E8000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] SHELL32.dll!ShellExecuteEx 7CA40E45 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] SHELL32.dll!ShellExecuteA 7CA41170 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\RUNDLL32.EXE[1612] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 7184000A .text C:\Program Files\ThreatFire\TFTray.exe[1620] ntdll.dll!NtClose 7C90CFEE 2 Bytes JMP 0095D060 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\ThreatFire\TFTray.exe[1620] ntdll.dll!NtClose + 3 7C90CFF1 2 Bytes [05, 84] .text C:\Program Files\ThreatFire\TFTray.exe[1620] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 0096BB20 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\ThreatFire\TFTray.exe[1620] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 0096B800 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\ThreatFire\TFTray.exe[1620] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00967DD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\ThreatFire\TFTray.exe[1620] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0095D180 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\ThreatFire\TFTray.exe[1620] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00964F10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program 
Files\ThreatFire\TFTray.exe[1620] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00965AA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\ThreatFire\TFTray.exe[1620] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 5 Bytes JMP 00963A40 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\ThreatFire\TFTray.exe[1620] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 5 Bytes JMP 00964370 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\ThreatFire\TFTray.exe[1620] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 00968BA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\ThreatFire\TFTray.exe[1620] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 00968970 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\ThreatFire\TFTray.exe[1620] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 00969CA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\ThreatFire\TFTray.exe[1620] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 00969BA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] ntdll.dll!NtClose 7C90CFEE 2 Bytes JMP 1001D060 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] ntdll.dll!NtClose + 3 7C90CFF1 2 Bytes [71, 93] {JNO 0xffffffffffffff95} .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [5C, 71] .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BB20 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program 
Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B800 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10027DD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001D180 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] kernel32.dll!DeviceIoControl 7C801629 6 Bytes JMP 70E5000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 7118000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] kernel32.dll!VirtualProtectEx 7C801A61 6 Bytes JMP 7160000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 710C000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AB0001 .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 719B000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 71A1000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 719E000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] kernel32.dll!CreateProcessW 
7C802336 5 Bytes JMP 10024F10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025AA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] kernel32.dll!VirtualAlloc 7C809AF1 6 Bytes JMP 710F000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] kernel32.dll!MultiByteToWideChar 7C809C98 6 Bytes JMP 70B8000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 70FA000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] kernel32.dll!WideCharToMultiByte 7C80A174 6 Bytes JMP 7097000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 714E000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 7198000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] kernel32.dll!CreateMutexW 7C80E957 6 Bytes JMP 70C1000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] kernel32.dll!CreateMutexA 7C80E9DF 6 Bytes JMP 70C4000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] kernel32.dll!OpenMutexW 7C80EA35 6 Bytes JMP 70BB000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] kernel32.dll!OpenMutexA 7C80EABB 6 Bytes JMP 70BE000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] kernel32.dll!GetVolumeInformationW 7C80FA85 6 Bytes JMP 7148000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E] .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [AD, 
71] .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 7112000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 711B000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] kernel32.dll!WriteFile 7C810E27 6 Bytes JMP 70D6000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 7172000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] kernel32.dll!MoveFileW 7C821261 6 Bytes JMP 7091000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] kernel32.dll!CreateDirectoryA 7C8217AC 6 Bytes JMP 70DC000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 714B000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] kernel32.dll!CopyFileExW 7C827B32 6 Bytes JMP 70EE000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] kernel32.dll!CopyFileA 7C8286EE 6 Bytes JMP 70F7000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] kernel32.dll!CopyFileW 7C82F87B 6 Bytes JMP 70F4000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] kernel32.dll!OpenProcess 7C8309E9 6 Bytes JMP 7088000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] kernel32.dll!DeleteFileA 7C831EDD 6 Bytes JMP 70A9000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] kernel32.dll!DeleteFileW 7C831F63 6 Bytes JMP 70A6000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] kernel32.dll!CreateDirectoryW 7C832402 6 Bytes JMP 70D9000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] kernel32.dll!MoveFileExW 7C83568B 6 Bytes JMP 708B000A .text C:\Program Files\Microsoft 
Office\Office12\GrooveMonitor.exe[1632] kernel32.dll!MoveFileA 7C835EBF 6 Bytes JMP 7094000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 716F000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] kernel32.dll!MoveFileExA 7C85E49B 6 Bytes JMP 708E000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] kernel32.dll!CopyFileExA 7C85F39C 6 Bytes JMP 70F1000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 717B000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] kernel32.dll!SetThreadContext 7C863C09 6 Bytes JMP 70D3000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 7115000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7192000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] USER32.dll!SetWindowTextW 7E37960E 6 Bytes JMP 709A000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] USER32.dll!GetKeyState 7E379ED9 6 Bytes JMP 716C000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] USER32.dll!GetWindowTextW 7E37A5CD 6 Bytes JMP 7100000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] USER32.dll!GetAsyncKeyState 7E37A78F 6 Bytes JMP 7169000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] USER32.dll!ShowWindow 7E37AF56 3 Bytes [FF, 25, 1E] .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] USER32.dll!ShowWindow + 4 7E37AF5A 2 Bytes [FC, 70] .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] USER32.dll!CreateWindowExW 7E37D0A3 6 Bytes JMP 70AC000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] 
USER32.dll!GetKeyboardState 7E37D226 3 Bytes [FF, 25, 1E] .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] USER32.dll!GetKeyboardState + 4 7E37D22A 2 Bytes [65, 71] .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] USER32.dll!DrawTextW 7E37D7E2 6 Bytes JMP 70B2000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] USER32.dll!CreateWindowExA 7E37E4A9 6 Bytes JMP 70AF000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] USER32.dll!SetWindowTextA 7E37F56B 6 Bytes JMP 709D000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7195000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7154000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] USER32.dll!GetWindowTextA 7E38216B 6 Bytes JMP 7103000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] USER32.dll!DrawTextA 7E38C702 6 Bytes JMP 70B5000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] USER32.dll!DdeConnect 7E3A81C3 6 Bytes JMP 7163000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] USER32.dll!EndTask 7E3AA0A5 6 Bytes JMP 7178000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] USER32.dll!RegisterRawInputDevices 7E3BCE0E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] USER32.dll!RegisterRawInputDevices + 4 7E3BCE12 2 Bytes [50, 71] .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028BA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028970 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text 
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029CA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029BA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] SHELL32.dll!ShellExecuteExW 7CA098CB 6 Bytes JMP 717E000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] SHELL32.dll!Shell_NotifyIcon 7CA28BC6 6 Bytes JMP 70EB000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] SHELL32.dll!Shell_NotifyIconW 7CA2A537 6 Bytes JMP 70E8000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] SHELL32.dll!ShellExecuteEx 7CA40E45 6 Bytes JMP 7181000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] SHELL32.dll!ShellExecuteA 7CA41170 6 Bytes JMP 7187000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 7184000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 6 Bytes JMP 7130000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] ADVAPI32.dll!RegQueryValueExW 77DC6FFF 6 Bytes JMP 711E000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] ADVAPI32.dll!RegCreateKeyExW 77DC776C 6 Bytes JMP 7142000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] ADVAPI32.dll!RegOpenKeyExA 77DC7852 6 Bytes JMP 7133000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] ADVAPI32.dll!RegOpenKeyW 77DC7946 6 Bytes JMP 7136000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] ADVAPI32.dll!OpenProcessToken 77DC798B 6 Bytes JMP 70D0000A .text C:\Program Files\Microsoft 
Office\Office12\GrooveMonitor.exe[1632] ADVAPI32.dll!RegQueryValueExA 77DC7ABB 6 Bytes JMP 7121000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] ADVAPI32.dll!RegSetValueExW 77DCD767 6 Bytes JMP 712A000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] ADVAPI32.dll!RegQueryValueW 77DCD87A 6 Bytes JMP 7124000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 6 Bytes JMP 7145000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] ADVAPI32.dll!RegSetValueExA 77DCEAE7 6 Bytes JMP 712D000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 6 Bytes JMP 7139000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] ADVAPI32.dll!AdjustTokenPrivileges 77DCF00C 6 Bytes JMP 70C7000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] ADVAPI32.dll!RegDeleteKeyA 77DD42A0 6 Bytes JMP 70A3000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] ADVAPI32.dll!RegDeleteKeyW 77DD559B 6 Bytes JMP 70A0000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] ADVAPI32.dll!OpenSCManagerW 77DD6F55 6 Bytes JMP 7106000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 5 Bytes JMP 10023A40 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] ADVAPI32.dll!OpenSCManagerA 77DE69AE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] ADVAPI32.dll!OpenSCManagerA + 4 77DE69B2 2 Bytes [08, 71] .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] ADVAPI32.dll!LookupPrivilegeValueW 77DEB8DF 6 Bytes JMP 70CA000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] ADVAPI32.dll!RegCreateKeyW 77DEBA55 6 
Bytes JMP 713C000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] ADVAPI32.dll!RegQueryValueA 77DEBB8D 6 Bytes JMP 7127000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 6 Bytes JMP 713F000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] ADVAPI32.dll!LookupPrivilegeValueA 77DEC238 6 Bytes JMP 70CD000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 5 Bytes JMP 10024370 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] ADVAPI32.dll!LsaRemoveAccountRights 77E0AC91 6 Bytes JMP 71A7000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] ADVAPI32.dll!CreateServiceA 77E27211 6 Bytes JMP 715A000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] ADVAPI32.dll!CreateServiceW 77E273A9 6 Bytes JMP 7157000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] WININET.dll!InternetOpenUrlA 3FD1F3AC 6 Bytes JMP 70E2000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1632] WININET.dll!InternetOpenUrlW 3FD66D6F 6 Bytes JMP 70DF000A .text C:\WINDOWS\system32\svchost.exe[1696] ntdll.dll!NtClose 7C90CFEE 2 Bytes JMP 1001D060 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1696] ntdll.dll!NtClose + 3 7C90CFF1 2 Bytes [71, 93] {JNO 0xffffffffffffff95} .text C:\WINDOWS\system32\svchost.exe[1696] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1696] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [5C, 71] .text C:\WINDOWS\system32\svchost.exe[1696] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BB20 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1696] 
ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B800 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1696] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1696] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\svchost.exe[1696] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10027DD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1696] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001D180 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!DeviceIoControl 7C801629 6 Bytes JMP 70E5000A .text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 7118000A .text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!VirtualProtectEx 7C801A61 6 Bytes JMP 7160000A .text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 710C000A .text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AB0001 .text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 719B000A .text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 71A1000A .text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 719E000A .text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10024F10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025AA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!VirtualAlloc 7C809AF1 6 Bytes JMP 710F000A .text C:\WINDOWS\system32\svchost.exe[1696] 
kernel32.dll!MultiByteToWideChar 7C809C98 6 Bytes JMP 70BE000A .text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 70FA000A .text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!WideCharToMultiByte 7C80A174 6 Bytes JMP 709D000A .text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 714E000A .text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 7198000A .text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!CreateMutexW 7C80E957 6 Bytes JMP 70C7000A .text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!CreateMutexA 7C80E9DF 6 Bytes JMP 70CA000A .text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!OpenMutexW 7C80EA35 6 Bytes JMP 70C1000A .text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!OpenMutexA 7C80EABB 6 Bytes JMP 70C4000A .text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!GetVolumeInformationW 7C80FA85 6 Bytes JMP 7148000A .text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [AD, 71] .text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 7112000A .text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 711B000A .text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!WriteFile 7C810E27 6 Bytes JMP 70DC000A .text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 7172000A .text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!MoveFileW 7C821261 6 Bytes JMP 7097000A .text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!CreateDirectoryA 7C8217AC 6 Bytes JMP 70E2000A .text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 714B000A .text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!CopyFileExW 7C827B32 6 Bytes JMP 70EE000A 
.text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!CopyFileA 7C8286EE 6 Bytes JMP 70F7000A .text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!CopyFileW 7C82F87B 6 Bytes JMP 70F4000A .text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!OpenProcess 7C8309E9 6 Bytes JMP 708E000A .text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!DeleteFileA 7C831EDD 6 Bytes JMP 70AF000A .text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!DeleteFileW 7C831F63 6 Bytes JMP 70AC000A .text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!CreateDirectoryW 7C832402 6 Bytes JMP 70DF000A .text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!MoveFileExW 7C83568B 6 Bytes JMP 7091000A .text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!MoveFileA 7C835EBF 6 Bytes JMP 709A000A .text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 716F000A .text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!MoveFileExA 7C85E49B 6 Bytes JMP 7094000A .text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!CopyFileExA 7C85F39C 6 Bytes JMP 70F1000A .text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!SetThreadContext 7C863C09 6 Bytes JMP 70D9000A .text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 7115000A .text C:\WINDOWS\system32\svchost.exe[1696] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 6 Bytes JMP 7130000A .text C:\WINDOWS\system32\svchost.exe[1696] ADVAPI32.dll!RegQueryValueExW 77DC6FFF 6 Bytes JMP 711E000A .text C:\WINDOWS\system32\svchost.exe[1696] ADVAPI32.dll!RegCreateKeyExW 77DC776C 6 Bytes JMP 7142000A .text C:\WINDOWS\system32\svchost.exe[1696] ADVAPI32.dll!RegOpenKeyExA 77DC7852 6 Bytes JMP 7133000A .text C:\WINDOWS\system32\svchost.exe[1696] ADVAPI32.dll!RegOpenKeyW 77DC7946 6 Bytes JMP 7136000A .text C:\WINDOWS\system32\svchost.exe[1696] ADVAPI32.dll!OpenProcessToken 77DC798B 6 
Bytes JMP 70D6000A .text C:\WINDOWS\system32\svchost.exe[1696] ADVAPI32.dll!RegQueryValueExA 77DC7ABB 6 Bytes JMP 7121000A .text C:\WINDOWS\system32\svchost.exe[1696] ADVAPI32.dll!RegSetValueExW 77DCD767 6 Bytes JMP 712A000A .text C:\WINDOWS\system32\svchost.exe[1696] ADVAPI32.dll!RegQueryValueW 77DCD87A 6 Bytes JMP 7124000A .text C:\WINDOWS\system32\svchost.exe[1696] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 6 Bytes JMP 7145000A .text C:\WINDOWS\system32\svchost.exe[1696] ADVAPI32.dll!RegSetValueExA 77DCEAE7 6 Bytes JMP 712D000A .text C:\WINDOWS\system32\svchost.exe[1696] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 6 Bytes JMP 7139000A .text C:\WINDOWS\system32\svchost.exe[1696] ADVAPI32.dll!AdjustTokenPrivileges 77DCF00C 6 Bytes JMP 70CD000A .text C:\WINDOWS\system32\svchost.exe[1696] ADVAPI32.dll!RegDeleteKeyA 77DD42A0 6 Bytes JMP 70A9000A .text C:\WINDOWS\system32\svchost.exe[1696] ADVAPI32.dll!RegDeleteKeyW 77DD559B 6 Bytes JMP 70A6000A .text C:\WINDOWS\system32\svchost.exe[1696] ADVAPI32.dll!OpenSCManagerW 77DD6F55 6 Bytes JMP 7106000A .text C:\WINDOWS\system32\svchost.exe[1696] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 5 Bytes JMP 10023A40 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1696] ADVAPI32.dll!OpenSCManagerA 77DE69AE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1696] ADVAPI32.dll!OpenSCManagerA + 4 77DE69B2 2 Bytes [08, 71] .text C:\WINDOWS\system32\svchost.exe[1696] ADVAPI32.dll!LookupPrivilegeValueW 77DEB8DF 6 Bytes JMP 70D0000A .text C:\WINDOWS\system32\svchost.exe[1696] ADVAPI32.dll!RegCreateKeyW 77DEBA55 6 Bytes JMP 713C000A .text C:\WINDOWS\system32\svchost.exe[1696] ADVAPI32.dll!RegQueryValueA 77DEBB8D 6 Bytes JMP 7127000A .text C:\WINDOWS\system32\svchost.exe[1696] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 6 Bytes JMP 713F000A .text C:\WINDOWS\system32\svchost.exe[1696] ADVAPI32.dll!LookupPrivilegeValueA 77DEC238 6 Bytes JMP 70D3000A .text C:\WINDOWS\system32\svchost.exe[1696] 
ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 5 Bytes JMP 10024370 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1696] ADVAPI32.dll!LsaRemoveAccountRights 77E0AC91 6 Bytes JMP 71A7000A .text C:\WINDOWS\system32\svchost.exe[1696] ADVAPI32.dll!CreateServiceA 77E27211 6 Bytes JMP 715A000A .text C:\WINDOWS\system32\svchost.exe[1696] ADVAPI32.dll!CreateServiceW 77E273A9 6 Bytes JMP 7157000A .text C:\WINDOWS\system32\svchost.exe[1696] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7192000A .text C:\WINDOWS\system32\svchost.exe[1696] USER32.dll!SetWindowTextW 7E37960E 6 Bytes JMP 70A0000A .text C:\WINDOWS\system32\svchost.exe[1696] USER32.dll!GetKeyState 7E379ED9 6 Bytes JMP 716C000A .text C:\WINDOWS\system32\svchost.exe[1696] USER32.dll!GetWindowTextW 7E37A5CD 6 Bytes JMP 7100000A .text C:\WINDOWS\system32\svchost.exe[1696] USER32.dll!GetAsyncKeyState 7E37A78F 6 Bytes JMP 7169000A .text C:\WINDOWS\system32\svchost.exe[1696] USER32.dll!ShowWindow 7E37AF56 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1696] USER32.dll!ShowWindow + 4 7E37AF5A 2 Bytes [FC, 70] .text C:\WINDOWS\system32\svchost.exe[1696] USER32.dll!CreateWindowExW 7E37D0A3 6 Bytes JMP 70B2000A .text C:\WINDOWS\system32\svchost.exe[1696] USER32.dll!GetKeyboardState 7E37D226 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1696] USER32.dll!GetKeyboardState + 4 7E37D22A 2 Bytes [65, 71] .text C:\WINDOWS\system32\svchost.exe[1696] USER32.dll!DrawTextW 7E37D7E2 6 Bytes JMP 70B8000A .text C:\WINDOWS\system32\svchost.exe[1696] USER32.dll!CreateWindowExA 7E37E4A9 6 Bytes JMP 70B5000A .text C:\WINDOWS\system32\svchost.exe[1696] USER32.dll!SetWindowTextA 7E37F56B 6 Bytes JMP 70A3000A .text C:\WINDOWS\system32\svchost.exe[1696] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7195000A .text C:\WINDOWS\system32\svchost.exe[1696] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7154000A .text C:\WINDOWS\system32\svchost.exe[1696] 
USER32.dll!GetWindowTextA 7E38216B 6 Bytes JMP 7103000A .text C:\WINDOWS\system32\svchost.exe[1696] USER32.dll!DrawTextA 7E38C702 6 Bytes JMP 70BB000A .text C:\WINDOWS\system32\svchost.exe[1696] USER32.dll!DdeConnect 7E3A81C3 6 Bytes JMP 7163000A .text C:\WINDOWS\system32\svchost.exe[1696] USER32.dll!EndTask 7E3AA0A5 6 Bytes JMP 7178000A .text C:\WINDOWS\system32\svchost.exe[1696] USER32.dll!RegisterRawInputDevices 7E3BCE0E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1696] USER32.dll!RegisterRawInputDevices + 4 7E3BCE12 2 Bytes [50, 71] .text C:\WINDOWS\system32\svchost.exe[1696] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028BA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1696] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028970 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1696] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029CA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1696] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029BA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\svchost.exe[1696] SHELL32.dll!ShellExecuteExW 7CA098CB 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\svchost.exe[1696] SHELL32.dll!Shell_NotifyIcon 7CA28BC6 6 Bytes JMP 70EB000A .text C:\WINDOWS\system32\svchost.exe[1696] SHELL32.dll!Shell_NotifyIconW 7CA2A537 6 Bytes JMP 70E8000A .text C:\WINDOWS\system32\svchost.exe[1696] SHELL32.dll!ShellExecuteEx 7CA40E45 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\svchost.exe[1696] SHELL32.dll!ShellExecuteA 7CA41170 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[1696] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\spoolsv.exe[1780] ntdll.dll!NtClose 7C90CFEE 2 Bytes JMP 1001D060 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text 
C:\WINDOWS\system32\spoolsv.exe[1780] ntdll.dll!NtClose + 3 7C90CFF1 2 Bytes [71, 93] {JNO 0xffffffffffffff95} .text C:\WINDOWS\system32\spoolsv.exe[1780] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1780] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [58, 71] .text C:\WINDOWS\system32\spoolsv.exe[1780] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BB20 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\spoolsv.exe[1780] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B800 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\spoolsv.exe[1780] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1780] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [70, 71] {JO 0x73} .text C:\WINDOWS\system32\spoolsv.exe[1780] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10027DD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\spoolsv.exe[1780] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001D180 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\spoolsv.exe[1780] kernel32.dll!DeviceIoControl 7C801629 6 Bytes JMP 70E1000A .text C:\WINDOWS\system32\spoolsv.exe[1780] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 7114000A .text C:\WINDOWS\system32\spoolsv.exe[1780] kernel32.dll!VirtualProtectEx 7C801A61 6 Bytes JMP 715C000A .text C:\WINDOWS\system32\spoolsv.exe[1780] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 7108000A .text C:\WINDOWS\system32\spoolsv.exe[1780] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AB0001 .text C:\WINDOWS\system32\spoolsv.exe[1780] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 7197000A .text C:\WINDOWS\system32\spoolsv.exe[1780] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 719D000A .text C:\WINDOWS\system32\spoolsv.exe[1780] kernel32.dll!WriteProcessMemory 7C802213 6 
Bytes JMP 719A000A .text C:\WINDOWS\system32\spoolsv.exe[1780] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10024F10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\spoolsv.exe[1780] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025AA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\spoolsv.exe[1780] kernel32.dll!VirtualAlloc 7C809AF1 6 Bytes JMP 710B000A .text C:\WINDOWS\system32\spoolsv.exe[1780] kernel32.dll!MultiByteToWideChar 7C809C98 6 Bytes JMP 70BA000A .text C:\WINDOWS\system32\spoolsv.exe[1780] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 70F6000A .text C:\WINDOWS\system32\spoolsv.exe[1780] kernel32.dll!WideCharToMultiByte 7C80A174 6 Bytes JMP 7099000A .text C:\WINDOWS\system32\spoolsv.exe[1780] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 714A000A .text C:\WINDOWS\system32\spoolsv.exe[1780] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 7194000A .text C:\WINDOWS\system32\spoolsv.exe[1780] kernel32.dll!CreateMutexW 7C80E957 6 Bytes JMP 70C3000A .text C:\WINDOWS\system32\spoolsv.exe[1780] kernel32.dll!CreateMutexA 7C80E9DF 6 Bytes JMP 70C6000A .text C:\WINDOWS\system32\spoolsv.exe[1780] kernel32.dll!OpenMutexW 7C80EA35 6 Bytes JMP 70BD000A .text C:\WINDOWS\system32\spoolsv.exe[1780] kernel32.dll!OpenMutexA 7C80EABB 6 Bytes JMP 70C0000A .text C:\WINDOWS\system32\spoolsv.exe[1780] kernel32.dll!GetVolumeInformationW 7C80FA85 6 Bytes JMP 7144000A .text C:\WINDOWS\system32\spoolsv.exe[1780] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1780] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [AD, 71] .text C:\WINDOWS\system32\spoolsv.exe[1780] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 710E000A .text C:\WINDOWS\system32\spoolsv.exe[1780] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 7117000A .text C:\WINDOWS\system32\spoolsv.exe[1780] kernel32.dll!WriteFile 7C810E27 6 Bytes JMP 70D8000A .text 
C:\WINDOWS\system32\spoolsv.exe[1780] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 716E000A .text C:\WINDOWS\system32\spoolsv.exe[1780] kernel32.dll!MoveFileW 7C821261 6 Bytes JMP 7093000A .text C:\WINDOWS\system32\spoolsv.exe[1780] kernel32.dll!CreateDirectoryA 7C8217AC 6 Bytes JMP 70DE000A .text C:\WINDOWS\system32\spoolsv.exe[1780] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 7147000A .text C:\WINDOWS\system32\spoolsv.exe[1780] kernel32.dll!CopyFileExW 7C827B32 6 Bytes JMP 70EA000A .text C:\WINDOWS\system32\spoolsv.exe[1780] kernel32.dll!CopyFileA 7C8286EE 6 Bytes JMP 70F3000A .text C:\WINDOWS\system32\spoolsv.exe[1780] kernel32.dll!CopyFileW 7C82F87B 6 Bytes JMP 70F0000A .text C:\WINDOWS\system32\spoolsv.exe[1780] kernel32.dll!OpenProcess 7C8309E9 6 Bytes JMP 708A000A .text C:\WINDOWS\system32\spoolsv.exe[1780] kernel32.dll!DeleteFileA 7C831EDD 6 Bytes JMP 70AB000A .text C:\WINDOWS\system32\spoolsv.exe[1780] kernel32.dll!DeleteFileW 7C831F63 6 Bytes JMP 70A8000A .text C:\WINDOWS\system32\spoolsv.exe[1780] kernel32.dll!CreateDirectoryW 7C832402 6 Bytes JMP 70DB000A .text C:\WINDOWS\system32\spoolsv.exe[1780] kernel32.dll!MoveFileExW 7C83568B 6 Bytes JMP 708D000A .text C:\WINDOWS\system32\spoolsv.exe[1780] kernel32.dll!MoveFileA 7C835EBF 6 Bytes JMP 7096000A .text C:\WINDOWS\system32\spoolsv.exe[1780] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 716B000A .text C:\WINDOWS\system32\spoolsv.exe[1780] kernel32.dll!MoveFileExA 7C85E49B 6 Bytes JMP 7090000A .text C:\WINDOWS\system32\spoolsv.exe[1780] kernel32.dll!CopyFileExA 7C85F39C 4 Bytes JMP EC001E25 .text C:\WINDOWS\system32\spoolsv.exe[1780] kernel32.dll!CopyFileExA + 5 7C85F3A1 1 Byte [70] .text C:\WINDOWS\system32\spoolsv.exe[1780] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 7177000A .text C:\WINDOWS\system32\spoolsv.exe[1780] kernel32.dll!SetThreadContext 7C863C09 6 Bytes JMP 70D5000A .text C:\WINDOWS\system32\spoolsv.exe[1780] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 
7111000A .text C:\WINDOWS\system32\spoolsv.exe[1780] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 6 Bytes JMP 712C000A .text C:\WINDOWS\system32\spoolsv.exe[1780] ADVAPI32.dll!RegQueryValueExW 77DC6FFF 6 Bytes JMP 711A000A .text C:\WINDOWS\system32\spoolsv.exe[1780] ADVAPI32.dll!RegCreateKeyExW 77DC776C 6 Bytes JMP 713E000A .text C:\WINDOWS\system32\spoolsv.exe[1780] ADVAPI32.dll!RegOpenKeyExA 77DC7852 6 Bytes JMP 712F000A .text C:\WINDOWS\system32\spoolsv.exe[1780] ADVAPI32.dll!RegOpenKeyW 77DC7946 6 Bytes JMP 7132000A .text C:\WINDOWS\system32\spoolsv.exe[1780] ADVAPI32.dll!OpenProcessToken 77DC798B 6 Bytes JMP 70D2000A .text C:\WINDOWS\system32\spoolsv.exe[1780] ADVAPI32.dll!RegQueryValueExA 77DC7ABB 6 Bytes JMP 711D000A .text C:\WINDOWS\system32\spoolsv.exe[1780] ADVAPI32.dll!RegSetValueExW 77DCD767 6 Bytes JMP 7126000A .text C:\WINDOWS\system32\spoolsv.exe[1780] ADVAPI32.dll!RegQueryValueW 77DCD87A 6 Bytes JMP 7120000A .text C:\WINDOWS\system32\spoolsv.exe[1780] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 6 Bytes JMP 7141000A .text C:\WINDOWS\system32\spoolsv.exe[1780] ADVAPI32.dll!RegSetValueExA 77DCEAE7 6 Bytes JMP 7129000A .text C:\WINDOWS\system32\spoolsv.exe[1780] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 6 Bytes JMP 7135000A .text C:\WINDOWS\system32\spoolsv.exe[1780] ADVAPI32.dll!AdjustTokenPrivileges 77DCF00C 6 Bytes JMP 70C9000A .text C:\WINDOWS\system32\spoolsv.exe[1780] ADVAPI32.dll!RegDeleteKeyA 77DD42A0 6 Bytes JMP 70A5000A .text C:\WINDOWS\system32\spoolsv.exe[1780] ADVAPI32.dll!RegDeleteKeyW 77DD559B 6 Bytes JMP 70A2000A .text C:\WINDOWS\system32\spoolsv.exe[1780] ADVAPI32.dll!OpenSCManagerW 77DD6F55 6 Bytes JMP 7102000A .text C:\WINDOWS\system32\spoolsv.exe[1780] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 5 Bytes JMP 10023A40 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\spoolsv.exe[1780] ADVAPI32.dll!OpenSCManagerA 77DE69AE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1780] ADVAPI32.dll!OpenSCManagerA + 4 
77DE69B2 2 Bytes [04, 71] {ADD AL, 0x71} .text C:\WINDOWS\system32\spoolsv.exe[1780] ADVAPI32.dll!LookupPrivilegeValueW 77DEB8DF 6 Bytes JMP 70CC000A .text C:\WINDOWS\system32\spoolsv.exe[1780] ADVAPI32.dll!RegCreateKeyW 77DEBA55 6 Bytes JMP 7138000A .text C:\WINDOWS\system32\spoolsv.exe[1780] ADVAPI32.dll!RegQueryValueA 77DEBB8D 6 Bytes JMP 7123000A .text C:\WINDOWS\system32\spoolsv.exe[1780] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 6 Bytes JMP 713B000A .text C:\WINDOWS\system32\spoolsv.exe[1780] ADVAPI32.dll!LookupPrivilegeValueA 77DEC238 6 Bytes JMP 70CF000A .text C:\WINDOWS\system32\spoolsv.exe[1780] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 5 Bytes JMP 10024370 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\spoolsv.exe[1780] ADVAPI32.dll!LsaRemoveAccountRights 77E0AC91 6 Bytes JMP 71A7000A .text C:\WINDOWS\system32\spoolsv.exe[1780] ADVAPI32.dll!CreateServiceA 77E27211 6 Bytes JMP 7156000A .text C:\WINDOWS\system32\spoolsv.exe[1780] ADVAPI32.dll!CreateServiceW 77E273A9 6 Bytes JMP 7153000A .text C:\WINDOWS\system32\spoolsv.exe[1780] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028BA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\spoolsv.exe[1780] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028970 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\spoolsv.exe[1780] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029CA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\spoolsv.exe[1780] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029BA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\spoolsv.exe[1780] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 718E000A .text C:\WINDOWS\system32\spoolsv.exe[1780] USER32.dll!SetWindowTextW 7E37960E 6 Bytes JMP 709C000A .text C:\WINDOWS\system32\spoolsv.exe[1780] USER32.dll!GetKeyState 7E379ED9 6 Bytes JMP 7168000A .text 
C:\WINDOWS\system32\spoolsv.exe[1780] USER32.dll!GetWindowTextW 7E37A5CD 6 Bytes JMP 70FC000A .text C:\WINDOWS\system32\spoolsv.exe[1780] USER32.dll!GetAsyncKeyState 7E37A78F 6 Bytes JMP 7165000A .text C:\WINDOWS\system32\spoolsv.exe[1780] USER32.dll!ShowWindow 7E37AF56 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1780] USER32.dll!ShowWindow + 4 7E37AF5A 2 Bytes [F8, 70] .text C:\WINDOWS\system32\spoolsv.exe[1780] USER32.dll!CreateWindowExW 7E37D0A3 6 Bytes JMP 70AE000A .text C:\WINDOWS\system32\spoolsv.exe[1780] USER32.dll!GetKeyboardState 7E37D226 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1780] USER32.dll!GetKeyboardState + 4 7E37D22A 2 Bytes [61, 71] .text C:\WINDOWS\system32\spoolsv.exe[1780] USER32.dll!DrawTextW 7E37D7E2 6 Bytes JMP 70B4000A .text C:\WINDOWS\system32\spoolsv.exe[1780] USER32.dll!CreateWindowExA 7E37E4A9 6 Bytes JMP 70B1000A .text C:\WINDOWS\system32\spoolsv.exe[1780] USER32.dll!SetWindowTextA 7E37F56B 6 Bytes JMP 709F000A .text C:\WINDOWS\system32\spoolsv.exe[1780] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7191000A .text C:\WINDOWS\system32\spoolsv.exe[1780] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7150000A .text C:\WINDOWS\system32\spoolsv.exe[1780] USER32.dll!GetWindowTextA 7E38216B 6 Bytes JMP 70FF000A .text C:\WINDOWS\system32\spoolsv.exe[1780] USER32.dll!DrawTextA 7E38C702 6 Bytes JMP 70B7000A .text C:\WINDOWS\system32\spoolsv.exe[1780] USER32.dll!DdeConnect 7E3A81C3 6 Bytes JMP 715F000A .text C:\WINDOWS\system32\spoolsv.exe[1780] USER32.dll!EndTask 7E3AA0A5 6 Bytes JMP 7174000A .text C:\WINDOWS\system32\spoolsv.exe[1780] USER32.dll!RegisterRawInputDevices 7E3BCE0E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1780] USER32.dll!RegisterRawInputDevices + 4 7E3BCE12 2 Bytes [4C, 71] .text C:\WINDOWS\system32\spoolsv.exe[1780] SHELL32.dll!ShellExecuteExW 7CA098CB 6 Bytes JMP 717A000A .text C:\WINDOWS\system32\spoolsv.exe[1780] SHELL32.dll!Shell_NotifyIcon 7CA28BC6 6 Bytes JMP 70E7000A 
.text C:\WINDOWS\system32\spoolsv.exe[1780] SHELL32.dll!Shell_NotifyIconW 7CA2A537 6 Bytes JMP 70E4000A .text C:\WINDOWS\system32\spoolsv.exe[1780] SHELL32.dll!ShellExecuteEx 7CA40E45 6 Bytes JMP 717D000A .text C:\WINDOWS\system32\spoolsv.exe[1780] SHELL32.dll!ShellExecuteA 7CA41170 6 Bytes JMP 7183000A .text C:\WINDOWS\system32\spoolsv.exe[1780] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 7180000A .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] ntdll.dll!NtClose 7C90CFEE 2 Bytes JMP 1001D060 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] ntdll.dll!NtClose + 3 7C90CFF1 2 Bytes [71, 93] {JNO 0xffffffffffffff95} .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [5C, 71] .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BB20 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B800 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [74, 71] {JZ 0x73} .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10027DD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001D180 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Documents 
and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] kernel32.dll!DeviceIoControl 7C801629 6 Bytes JMP 70E5000A .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 7118000A .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] kernel32.dll!VirtualProtectEx 7C801A61 6 Bytes JMP 7160000A .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 710C000A .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AB0001 .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 719B000A .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 71A1000A .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 719E000A .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10024F10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025AA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] kernel32.dll!VirtualAlloc 7C809AF1 6 Bytes JMP 710F000A .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] kernel32.dll!MultiByteToWideChar 7C809C98 6 Bytes JMP 70BE000A .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 70FA000A .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] kernel32.dll!WideCharToMultiByte 7C80A174 6 Bytes JMP 709D000A .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 714E000A .text 
C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 7198000A .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] kernel32.dll!CreateMutexW 7C80E957 6 Bytes JMP 70C7000A .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] kernel32.dll!CreateMutexA 7C80E9DF 6 Bytes JMP 70CA000A .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] kernel32.dll!OpenMutexW 7C80EA35 6 Bytes JMP 70C1000A .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] kernel32.dll!OpenMutexA 7C80EABB 6 Bytes JMP 70C4000A .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] kernel32.dll!GetVolumeInformationW 7C80FA85 6 Bytes JMP 7148000A .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [AD, 71] .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 7112000A .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 711B000A .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] kernel32.dll!WriteFile 7C810E27 6 Bytes JMP 70DC000A .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 7172000A .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] kernel32.dll!MoveFileW 7C821261 6 Bytes JMP 7097000A .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] kernel32.dll!CreateDirectoryA 7C8217AC 6 Bytes JMP 70E2000A .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 714B000A .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] kernel32.dll!CopyFileExW 7C827B32 6 Bytes JMP 70EE000A .text C:\Documents and 
Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] kernel32.dll!CopyFileA 7C8286EE 6 Bytes JMP 70F7000A .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] kernel32.dll!CopyFileW 7C82F87B 6 Bytes JMP 70F4000A .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] kernel32.dll!OpenProcess 7C8309E9 6 Bytes JMP 708E000A .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] kernel32.dll!DeleteFileA 7C831EDD 6 Bytes JMP 70AF000A .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] kernel32.dll!DeleteFileW 7C831F63 6 Bytes JMP 70AC000A .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] kernel32.dll!CreateDirectoryW 7C832402 6 Bytes JMP 70DF000A .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] kernel32.dll!MoveFileExW 7C83568B 6 Bytes JMP 7091000A .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] kernel32.dll!MoveFileA 7C835EBF 6 Bytes JMP 709A000A .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 716F000A .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] kernel32.dll!MoveFileExA 7C85E49B 6 Bytes JMP 7094000A .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] kernel32.dll!CopyFileExA 7C85F39C 6 Bytes JMP 70F1000A .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 717B000A .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] kernel32.dll!SetThreadContext 7C863C09 6 Bytes JMP 70D9000A .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 7115000A .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7192000A .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] USER32.dll!SetWindowTextW 7E37960E 6 Bytes JMP 70A0000A .text C:\Documents and 
Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] USER32.dll!GetKeyState 7E379ED9 6 Bytes JMP 716C000A .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] USER32.dll!GetWindowTextW 7E37A5CD 6 Bytes JMP 7100000A .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] USER32.dll!GetAsyncKeyState 7E37A78F 6 Bytes JMP 7169000A .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] USER32.dll!ShowWindow 7E37AF56 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] USER32.dll!ShowWindow + 4 7E37AF5A 2 Bytes [FC, 70] .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] USER32.dll!CreateWindowExW 7E37D0A3 6 Bytes JMP 70B2000A .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] USER32.dll!GetKeyboardState 7E37D226 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] USER32.dll!GetKeyboardState + 4 7E37D22A 2 Bytes [65, 71] .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] USER32.dll!DrawTextW 7E37D7E2 6 Bytes JMP 70B8000A .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] USER32.dll!CreateWindowExA 7E37E4A9 6 Bytes JMP 70B5000A .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] USER32.dll!SetWindowTextA 7E37F56B 6 Bytes JMP 70A3000A .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7195000A .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7154000A .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] USER32.dll!GetWindowTextA 7E38216B 6 Bytes JMP 7103000A .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] USER32.dll!DrawTextA 7E38C702 6 Bytes JMP 70BB000A .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] USER32.dll!DdeConnect 7E3A81C3 6 Bytes JMP 7163000A .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] 
USER32.dll!EndTask 7E3AA0A5 6 Bytes JMP 7178000A .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] USER32.dll!RegisterRawInputDevices 7E3BCE0E 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] USER32.dll!RegisterRawInputDevices + 4 7E3BCE12 2 Bytes [50, 71] .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028BA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028970 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029CA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029BA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 6 Bytes JMP 7130000A .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] ADVAPI32.dll!RegQueryValueExW 77DC6FFF 6 Bytes JMP 711E000A .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] ADVAPI32.dll!RegCreateKeyExW 77DC776C 6 Bytes JMP 7142000A .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] ADVAPI32.dll!RegOpenKeyExA 77DC7852 6 Bytes JMP 7133000A .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] ADVAPI32.dll!RegOpenKeyW 77DC7946 6 Bytes JMP 7136000A .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] ADVAPI32.dll!OpenProcessToken 77DC798B 6 Bytes JMP 70D6000A .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] ADVAPI32.dll!RegQueryValueExA 77DC7ABB 6 Bytes JMP 7121000A .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] 
ADVAPI32.dll!RegSetValueExW 77DCD767 6 Bytes JMP 712A000A .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] ADVAPI32.dll!RegQueryValueW 77DCD87A 6 Bytes JMP 7124000A .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 6 Bytes JMP 7145000A .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] ADVAPI32.dll!RegSetValueExA 77DCEAE7 6 Bytes JMP 712D000A .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 6 Bytes JMP 7139000A .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] ADVAPI32.dll!AdjustTokenPrivileges 77DCF00C 6 Bytes JMP 70CD000A .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] ADVAPI32.dll!RegDeleteKeyA 77DD42A0 6 Bytes JMP 70A9000A .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] ADVAPI32.dll!RegDeleteKeyW 77DD559B 6 Bytes JMP 70A6000A .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] ADVAPI32.dll!OpenSCManagerW 77DD6F55 6 Bytes JMP 7106000A .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 5 Bytes JMP 10023A40 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] ADVAPI32.dll!OpenSCManagerA 77DE69AE 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] ADVAPI32.dll!OpenSCManagerA + 4 77DE69B2 2 Bytes [08, 71] .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] ADVAPI32.dll!LookupPrivilegeValueW 77DEB8DF 6 Bytes JMP 70D0000A .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] ADVAPI32.dll!RegCreateKeyW 77DEBA55 6 Bytes JMP 713C000A .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] ADVAPI32.dll!RegQueryValueA 77DEBB8D 6 Bytes JMP 7127000A .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 6 Bytes JMP 713F000A 
.text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] ADVAPI32.dll!LookupPrivilegeValueA 77DEC238 6 Bytes JMP 70D3000A .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 5 Bytes JMP 10024370 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] ADVAPI32.dll!LsaRemoveAccountRights 77E0AC91 6 Bytes JMP 71A7000A .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] ADVAPI32.dll!CreateServiceA 77E27211 6 Bytes JMP 715A000A .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] ADVAPI32.dll!CreateServiceW 77E273A9 6 Bytes JMP 7157000A .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] SHELL32.dll!ShellExecuteExW 7CA098CB 6 Bytes JMP 717E000A .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] SHELL32.dll!Shell_NotifyIcon 7CA28BC6 6 Bytes JMP 70EB000A .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] SHELL32.dll!Shell_NotifyIconW 7CA2A537 6 Bytes JMP 70E8000A .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] SHELL32.dll!ShellExecuteEx 7CA40E45 6 Bytes JMP 7181000A .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] SHELL32.dll!ShellExecuteA 7CA41170 6 Bytes JMP 7187000A .text C:\Documents and Settings\BigBlue\Pulpit\vri0q7o3.exe[1836] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 7184000A .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] ntdll.dll!NtClose 7C90CFEE 2 Bytes JMP 1001D060 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] ntdll.dll!NtClose + 3 7C90CFF1 2 Bytes [71, 93] {JNO 0xffffffffffffff95} .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E] .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] ntdll.dll!NtLoadDriver + 4 
7C90D472 2 Bytes [5C, 71] .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BB20 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B800 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E] .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10027DD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001D180 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] kernel32.dll!DeviceIoControl 7C801629 6 Bytes JMP 70E5000A .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 7118000A .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] kernel32.dll!VirtualProtectEx 7C801A61 6 Bytes JMP 7160000A .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 710C000A .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AB0001 .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 719B000A .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 71A1000A .text C:\Program 
Files\VMware\VMware Workstation\vmware-tray.exe[1932] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 719E000A .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10024F10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025AA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] kernel32.dll!VirtualAlloc 7C809AF1 6 Bytes JMP 710F000A .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] kernel32.dll!MultiByteToWideChar 7C809C98 6 Bytes JMP 70BE000A .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 70FA000A .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] kernel32.dll!WideCharToMultiByte 7C80A174 6 Bytes JMP 709D000A .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 714E000A .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 7198000A .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] kernel32.dll!CreateMutexW 7C80E957 6 Bytes JMP 70C7000A .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] kernel32.dll!CreateMutexA 7C80E9DF 6 Bytes JMP 70CA000A .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] kernel32.dll!OpenMutexW 7C80EA35 6 Bytes JMP 70C1000A .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] kernel32.dll!OpenMutexA 7C80EABB 6 Bytes JMP 70C4000A .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] kernel32.dll!GetVolumeInformationW 7C80FA85 6 Bytes JMP 7148000A .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] 
kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E] .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [AD, 71] .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 7112000A .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 711B000A .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] kernel32.dll!WriteFile 7C810E27 6 Bytes JMP 70DC000A .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 7172000A .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] kernel32.dll!MoveFileW 7C821261 6 Bytes JMP 7097000A .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] kernel32.dll!CreateDirectoryA 7C8217AC 6 Bytes JMP 70E2000A .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 714B000A .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] kernel32.dll!CopyFileExW 7C827B32 6 Bytes JMP 70EE000A .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] kernel32.dll!CopyFileA 7C8286EE 6 Bytes JMP 70F7000A .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] kernel32.dll!CopyFileW 7C82F87B 6 Bytes JMP 70F4000A .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] kernel32.dll!OpenProcess 7C8309E9 6 Bytes JMP 708E000A .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] kernel32.dll!DeleteFileA 7C831EDD 6 Bytes JMP 70AF000A .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] kernel32.dll!DeleteFileW 7C831F63 6 Bytes JMP 70AC000A .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] kernel32.dll!CreateDirectoryW 7C832402 6 Bytes JMP 70DF000A .text C:\Program 
Files\VMware\VMware Workstation\vmware-tray.exe[1932] kernel32.dll!MoveFileExW 7C83568B 6 Bytes JMP 7091000A .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] kernel32.dll!MoveFileA 7C835EBF 6 Bytes JMP 709A000A .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 716F000A .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] kernel32.dll!MoveFileExA 7C85E49B 6 Bytes JMP 7094000A .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] kernel32.dll!CopyFileExA 7C85F39C 6 Bytes JMP 70F1000A .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 717B000A .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] kernel32.dll!SetThreadContext 7C863C09 6 Bytes JMP 70D9000A .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 7115000A .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7192000A .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] USER32.dll!SetWindowTextW 7E37960E 6 Bytes JMP 70A0000A .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] USER32.dll!GetKeyState 7E379ED9 6 Bytes JMP 716C000A .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] USER32.dll!GetWindowTextW 7E37A5CD 6 Bytes JMP 7100000A .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] USER32.dll!GetAsyncKeyState 7E37A78F 6 Bytes JMP 7169000A .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] USER32.dll!ShowWindow 7E37AF56 3 Bytes [FF, 25, 1E] .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] USER32.dll!ShowWindow + 4 7E37AF5A 2 Bytes [FC, 70] .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] USER32.dll!CreateWindowExW 7E37D0A3 
6 Bytes JMP 70B2000A .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] USER32.dll!GetKeyboardState 7E37D226 3 Bytes [FF, 25, 1E] .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] USER32.dll!GetKeyboardState + 4 7E37D22A 2 Bytes [65, 71] .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] USER32.dll!DrawTextW 7E37D7E2 6 Bytes JMP 70B8000A .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] USER32.dll!CreateWindowExA 7E37E4A9 6 Bytes JMP 70B5000A .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] USER32.dll!SetWindowTextA 7E37F56B 6 Bytes JMP 70A3000A .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7195000A .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7154000A .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] USER32.dll!GetWindowTextA 7E38216B 6 Bytes JMP 7103000A .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] USER32.dll!DrawTextA 7E38C702 6 Bytes JMP 70BB000A .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] USER32.dll!DdeConnect 7E3A81C3 6 Bytes JMP 7163000A .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] USER32.dll!EndTask 7E3AA0A5 6 Bytes JMP 7178000A .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] USER32.dll!RegisterRawInputDevices 7E3BCE0E 3 Bytes [FF, 25, 1E] .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] USER32.dll!RegisterRawInputDevices + 4 7E3BCE12 2 Bytes [50, 71] .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028BA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028970 
C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029CA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029BA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 6 Bytes JMP 7130000A .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] ADVAPI32.dll!RegQueryValueExW 77DC6FFF 6 Bytes JMP 711E000A .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] ADVAPI32.dll!RegCreateKeyExW 77DC776C 6 Bytes JMP 7142000A .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] ADVAPI32.dll!RegOpenKeyExA 77DC7852 6 Bytes JMP 7133000A .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] ADVAPI32.dll!RegOpenKeyW 77DC7946 6 Bytes JMP 7136000A .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] ADVAPI32.dll!OpenProcessToken 77DC798B 6 Bytes JMP 70D6000A .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] ADVAPI32.dll!RegQueryValueExA 77DC7ABB 6 Bytes JMP 7121000A .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] ADVAPI32.dll!RegSetValueExW 77DCD767 6 Bytes JMP 712A000A .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] ADVAPI32.dll!RegQueryValueW 77DCD87A 6 Bytes JMP 7124000A .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 6 Bytes JMP 7145000A .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] ADVAPI32.dll!RegSetValueExA 77DCEAE7 6 Bytes JMP 712D000A .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 6 Bytes JMP 7139000A .text 
C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] ADVAPI32.dll!AdjustTokenPrivileges 77DCF00C 6 Bytes JMP 70CD000A .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] ADVAPI32.dll!RegDeleteKeyA 77DD42A0 6 Bytes JMP 70A9000A .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] ADVAPI32.dll!RegDeleteKeyW 77DD559B 6 Bytes JMP 70A6000A .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] ADVAPI32.dll!OpenSCManagerW 77DD6F55 6 Bytes JMP 7106000A .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 5 Bytes JMP 10023A40 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] ADVAPI32.dll!OpenSCManagerA 77DE69AE 3 Bytes [FF, 25, 1E] .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] ADVAPI32.dll!OpenSCManagerA + 4 77DE69B2 2 Bytes [08, 71] .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] ADVAPI32.dll!LookupPrivilegeValueW 77DEB8DF 6 Bytes JMP 70D0000A .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] ADVAPI32.dll!RegCreateKeyW 77DEBA55 6 Bytes JMP 713C000A .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] ADVAPI32.dll!RegQueryValueA 77DEBB8D 6 Bytes JMP 7127000A .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 6 Bytes JMP 713F000A .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] ADVAPI32.dll!LookupPrivilegeValueA 77DEC238 6 Bytes JMP 70D3000A .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 5 Bytes JMP 10024370 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] ADVAPI32.dll!LsaRemoveAccountRights 77E0AC91 6 Bytes JMP 71A7000A .text C:\Program 
Files\VMware\VMware Workstation\vmware-tray.exe[1932] ADVAPI32.dll!CreateServiceA 77E27211 6 Bytes JMP 715A000A .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] ADVAPI32.dll!CreateServiceW 77E273A9 6 Bytes JMP 7157000A .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] SHELL32.dll!ShellExecuteExW 7CA098CB 6 Bytes JMP 717E000A .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] SHELL32.dll!Shell_NotifyIcon 7CA28BC6 6 Bytes JMP 70EB000A .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] SHELL32.dll!Shell_NotifyIconW 7CA2A537 6 Bytes JMP 70E8000A .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] SHELL32.dll!ShellExecuteEx 7CA40E45 6 Bytes JMP 7181000A .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] SHELL32.dll!ShellExecuteA 7CA41170 6 Bytes JMP 7187000A .text C:\Program Files\VMware\VMware Workstation\vmware-tray.exe[1932] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 7184000A .text C:\Program Files\ThreatFire\TFService.exe[2068] ntdll.dll!NtClose 7C90CFEE 2 Bytes JMP 0090D060 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\ThreatFire\TFService.exe[2068] ntdll.dll!NtClose + 4 7C90CFF2 1 Byte [84] .text C:\Program Files\ThreatFire\TFService.exe[2068] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes JMP 0091BB20 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\ThreatFire\TFService.exe[2068] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 1 Byte [84] .text C:\Program Files\ThreatFire\TFService.exe[2068] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes JMP 0091B800 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\ThreatFire\TFService.exe[2068] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 1 Byte [84] .text C:\Program Files\ThreatFire\TFService.exe[2068] ntdll.dll!LdrLoadDll 7C91632D 3 Bytes JMP 00917DD0 
C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\ThreatFire\TFService.exe[2068] ntdll.dll!LdrLoadDll + 4 7C916331 1 Byte [84] .text C:\Program Files\ThreatFire\TFService.exe[2068] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0090D180 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\ThreatFire\TFService.exe[2068] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00914F10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\ThreatFire\TFService.exe[2068] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00915AA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\ThreatFire\TFService.exe[2068] kernel32.dll!CreateRemoteThread + 174 7C810640 4 Bytes JMP 71AF0000 .text C:\Program Files\ThreatFire\TFService.exe[2068] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 00918BA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\ThreatFire\TFService.exe[2068] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 00918970 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\ThreatFire\TFService.exe[2068] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 00919CA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\ThreatFire\TFService.exe[2068] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 00919BA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\ThreatFire\TFService.exe[2068] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 5 Bytes JMP 00913A40 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\ThreatFire\TFService.exe[2068] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 5 Bytes JMP 00914370 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] ntdll.dll!NtClose 7C90CFEE 2 Bytes JMP 1001D060 
C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] ntdll.dll!NtClose + 3 7C90CFF1 2 Bytes [71, 93] {JNO 0xffffffffffffff95} .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [5C, 71] .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BB20 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B800 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10027DD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001D180 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] kernel32.dll!DeviceIoControl 7C801629 6 Bytes JMP 70E5000A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 7118000A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] kernel32.dll!VirtualProtectEx 7C801A61 6 Bytes JMP 7160000A .text C:\Program 
Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 710C000A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AB0001 .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 719B000A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 71A1000A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 719E000A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10024F10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025AA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] kernel32.dll!VirtualAlloc 7C809AF1 6 Bytes JMP 710F000A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] kernel32.dll!MultiByteToWideChar 7C809C98 6 Bytes JMP 70BE000A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 70FA000A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] kernel32.dll!WideCharToMultiByte 7C80A174 6 Bytes JMP 709D000A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 714E000A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 7198000A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] 
kernel32.dll!CreateMutexW 7C80E957 6 Bytes JMP 70C7000A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] kernel32.dll!CreateMutexA 7C80E9DF 6 Bytes JMP 70CA000A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] kernel32.dll!OpenMutexW 7C80EA35 6 Bytes JMP 70C1000A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] kernel32.dll!OpenMutexA 7C80EABB 6 Bytes JMP 70C4000A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] kernel32.dll!GetVolumeInformationW 7C80FA85 6 Bytes JMP 7148000A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [AD, 71] .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 7112000A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 711B000A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] kernel32.dll!WriteFile 7C810E27 6 Bytes JMP 70DC000A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 7172000A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] kernel32.dll!MoveFileW 7C821261 6 Bytes JMP 7097000A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] kernel32.dll!CreateDirectoryA 7C8217AC 6 Bytes JMP 70E2000A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 714B000A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] kernel32.dll!CopyFileExW 7C827B32 6 Bytes JMP 70EE000A .text C:\Program Files\Common 
Files\VMware\USB\vmware-usbarbitrator.exe[2096] kernel32.dll!CopyFileA 7C8286EE 6 Bytes JMP 70F7000A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] kernel32.dll!CopyFileW 7C82F87B 6 Bytes JMP 70F4000A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] kernel32.dll!OpenProcess 7C8309E9 6 Bytes JMP 708E000A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] kernel32.dll!DeleteFileA 7C831EDD 6 Bytes JMP 70AF000A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] kernel32.dll!DeleteFileW 7C831F63 6 Bytes JMP 70AC000A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] kernel32.dll!CreateDirectoryW 7C832402 6 Bytes JMP 70DF000A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] kernel32.dll!MoveFileExW 7C83568B 6 Bytes JMP 7091000A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] kernel32.dll!MoveFileA 7C835EBF 6 Bytes JMP 709A000A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 716F000A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] kernel32.dll!MoveFileExA 7C85E49B 6 Bytes JMP 7094000A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] kernel32.dll!CopyFileExA 7C85F39C 6 Bytes JMP 70F1000A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 717B000A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] kernel32.dll!SetThreadContext 7C863C09 6 Bytes JMP 70D9000A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 7115000A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7192000A .text 
C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] USER32.dll!SetWindowTextW 7E37960E 6 Bytes JMP 70A0000A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] USER32.dll!GetKeyState 7E379ED9 6 Bytes JMP 716C000A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] USER32.dll!GetWindowTextW 7E37A5CD 6 Bytes JMP 7100000A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] USER32.dll!GetAsyncKeyState 7E37A78F 6 Bytes JMP 7169000A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] USER32.dll!ShowWindow 7E37AF56 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] USER32.dll!ShowWindow + 4 7E37AF5A 2 Bytes [FC, 70] .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] USER32.dll!CreateWindowExW 7E37D0A3 6 Bytes JMP 70B2000A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] USER32.dll!GetKeyboardState 7E37D226 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] USER32.dll!GetKeyboardState + 4 7E37D22A 2 Bytes [65, 71] .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] USER32.dll!DrawTextW 7E37D7E2 6 Bytes JMP 70B8000A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] USER32.dll!CreateWindowExA 7E37E4A9 6 Bytes JMP 70B5000A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] USER32.dll!SetWindowTextA 7E37F56B 6 Bytes JMP 70A3000A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7195000A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7154000A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] USER32.dll!GetWindowTextA 7E38216B 6 Bytes JMP 7103000A 
.text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] USER32.dll!DrawTextA 7E38C702 6 Bytes JMP 70BB000A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] USER32.dll!DdeConnect 7E3A81C3 6 Bytes JMP 7163000A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] USER32.dll!EndTask 7E3AA0A5 6 Bytes JMP 7178000A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] USER32.dll!RegisterRawInputDevices 7E3BCE0E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] USER32.dll!RegisterRawInputDevices + 4 7E3BCE12 2 Bytes [50, 71] .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028BA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028970 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029CA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029BA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 6 Bytes JMP 7130000A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] ADVAPI32.dll!RegQueryValueExW 77DC6FFF 6 Bytes JMP 711E000A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] ADVAPI32.dll!RegCreateKeyExW 77DC776C 6 Bytes JMP 7142000A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] ADVAPI32.dll!RegOpenKeyExA 77DC7852 6 Bytes JMP 7133000A .text 
C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] ADVAPI32.dll!RegOpenKeyW 77DC7946 6 Bytes JMP 7136000A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] ADVAPI32.dll!OpenProcessToken 77DC798B 6 Bytes JMP 70D6000A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] ADVAPI32.dll!RegQueryValueExA 77DC7ABB 6 Bytes JMP 7121000A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] ADVAPI32.dll!RegSetValueExW 77DCD767 6 Bytes JMP 712A000A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] ADVAPI32.dll!RegQueryValueW 77DCD87A 6 Bytes JMP 7124000A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 6 Bytes JMP 7145000A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] ADVAPI32.dll!RegSetValueExA 77DCEAE7 6 Bytes JMP 712D000A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 6 Bytes JMP 7139000A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] ADVAPI32.dll!AdjustTokenPrivileges 77DCF00C 6 Bytes JMP 70CD000A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] ADVAPI32.dll!RegDeleteKeyA 77DD42A0 6 Bytes JMP 70A9000A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] ADVAPI32.dll!RegDeleteKeyW 77DD559B 6 Bytes JMP 70A6000A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] ADVAPI32.dll!OpenSCManagerW 77DD6F55 6 Bytes JMP 7106000A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 5 Bytes JMP 10023A40 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] ADVAPI32.dll!OpenSCManagerA 77DE69AE 3 Bytes [FF, 25, 1E] .text C:\Program 
Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] ADVAPI32.dll!OpenSCManagerA + 4 77DE69B2 2 Bytes [08, 71] .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] ADVAPI32.dll!LookupPrivilegeValueW 77DEB8DF 6 Bytes JMP 70D0000A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] ADVAPI32.dll!RegCreateKeyW 77DEBA55 6 Bytes JMP 713C000A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] ADVAPI32.dll!RegQueryValueA 77DEBB8D 6 Bytes JMP 7127000A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 6 Bytes JMP 713F000A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] ADVAPI32.dll!LookupPrivilegeValueA 77DEC238 6 Bytes JMP 70D3000A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 5 Bytes JMP 10024370 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] ADVAPI32.dll!LsaRemoveAccountRights 77E0AC91 6 Bytes JMP 71A7000A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] ADVAPI32.dll!CreateServiceA 77E27211 6 Bytes JMP 715A000A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] ADVAPI32.dll!CreateServiceW 77E273A9 6 Bytes JMP 7157000A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] SHELL32.dll!ShellExecuteExW 7CA098CB 6 Bytes JMP 717E000A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] SHELL32.dll!Shell_NotifyIcon 7CA28BC6 6 Bytes JMP 70EB000A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] SHELL32.dll!Shell_NotifyIconW 7CA2A537 6 Bytes JMP 70E8000A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] SHELL32.dll!ShellExecuteEx 7CA40E45 6 Bytes JMP 7181000A .text C:\Program 
Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] SHELL32.dll!ShellExecuteA 7CA41170 6 Bytes JMP 7187000A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2096] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\vmnat.exe[2144] ntdll.dll!NtClose 7C90CFEE 2 Bytes JMP 1001D060 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\vmnat.exe[2144] ntdll.dll!NtClose + 3 7C90CFF1 2 Bytes [71, 93] {JNO 0xffffffffffffff95} .text C:\WINDOWS\system32\vmnat.exe[2144] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\vmnat.exe[2144] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [57, 71] .text C:\WINDOWS\system32\vmnat.exe[2144] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BB20 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\vmnat.exe[2144] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B800 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\vmnat.exe[2144] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\vmnat.exe[2144] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [6F, 71] .text C:\WINDOWS\system32\vmnat.exe[2144] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10027DD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\vmnat.exe[2144] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001D180 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\vmnat.exe[2144] kernel32.dll!DeviceIoControl 7C801629 6 Bytes JMP 70E0000A .text C:\WINDOWS\system32\vmnat.exe[2144] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 7113000A .text C:\WINDOWS\system32\vmnat.exe[2144] kernel32.dll!VirtualProtectEx 7C801A61 6 Bytes JMP 715B000A .text C:\WINDOWS\system32\vmnat.exe[2144] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 7107000A .text 
C:\WINDOWS\system32\vmnat.exe[2144] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AB0001 .text C:\WINDOWS\system32\vmnat.exe[2144] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\vmnat.exe[2144] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\vmnat.exe[2144] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\vmnat.exe[2144] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10024F10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\vmnat.exe[2144] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025AA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\vmnat.exe[2144] kernel32.dll!VirtualAlloc 7C809AF1 6 Bytes JMP 710A000A .text C:\WINDOWS\system32\vmnat.exe[2144] kernel32.dll!MultiByteToWideChar 7C809C98 6 Bytes JMP 70B9000A .text C:\WINDOWS\system32\vmnat.exe[2144] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 70F5000A .text C:\WINDOWS\system32\vmnat.exe[2144] kernel32.dll!WideCharToMultiByte 7C80A174 6 Bytes JMP 7098000A .text C:\WINDOWS\system32\vmnat.exe[2144] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 7149000A .text C:\WINDOWS\system32\vmnat.exe[2144] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\vmnat.exe[2144] kernel32.dll!CreateMutexW 7C80E957 6 Bytes JMP 70C2000A .text C:\WINDOWS\system32\vmnat.exe[2144] kernel32.dll!CreateMutexA 7C80E9DF 6 Bytes JMP 70C5000A .text C:\WINDOWS\system32\vmnat.exe[2144] kernel32.dll!OpenMutexW 7C80EA35 6 Bytes JMP 70BC000A .text C:\WINDOWS\system32\vmnat.exe[2144] kernel32.dll!OpenMutexA 7C80EABB 6 Bytes JMP 70BF000A .text C:\WINDOWS\system32\vmnat.exe[2144] kernel32.dll!GetVolumeInformationW 7C80FA85 6 Bytes JMP 7143000A .text C:\WINDOWS\system32\vmnat.exe[2144] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\vmnat.exe[2144] 
kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [AD, 71] .text C:\WINDOWS\system32\vmnat.exe[2144] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 710D000A .text C:\WINDOWS\system32\vmnat.exe[2144] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 7116000A .text C:\WINDOWS\system32\vmnat.exe[2144] kernel32.dll!WriteFile 7C810E27 6 Bytes JMP 70D7000A .text C:\WINDOWS\system32\vmnat.exe[2144] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 716D000A .text C:\WINDOWS\system32\vmnat.exe[2144] kernel32.dll!MoveFileW 7C821261 6 Bytes JMP 7092000A .text C:\WINDOWS\system32\vmnat.exe[2144] kernel32.dll!CreateDirectoryA 7C8217AC 6 Bytes JMP 70DD000A .text C:\WINDOWS\system32\vmnat.exe[2144] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 7146000A .text C:\WINDOWS\system32\vmnat.exe[2144] kernel32.dll!CopyFileExW 7C827B32 6 Bytes JMP 70E9000A .text C:\WINDOWS\system32\vmnat.exe[2144] kernel32.dll!CopyFileA 7C8286EE 6 Bytes JMP 70F2000A .text C:\WINDOWS\system32\vmnat.exe[2144] kernel32.dll!CopyFileW 7C82F87B 6 Bytes JMP 70EF000A .text C:\WINDOWS\system32\vmnat.exe[2144] kernel32.dll!OpenProcess 7C8309E9 6 Bytes JMP 7089000A .text C:\WINDOWS\system32\vmnat.exe[2144] kernel32.dll!DeleteFileA 7C831EDD 6 Bytes JMP 70AA000A .text C:\WINDOWS\system32\vmnat.exe[2144] kernel32.dll!DeleteFileW 7C831F63 6 Bytes JMP 70A7000A .text C:\WINDOWS\system32\vmnat.exe[2144] kernel32.dll!CreateDirectoryW 7C832402 6 Bytes JMP 70DA000A .text C:\WINDOWS\system32\vmnat.exe[2144] kernel32.dll!MoveFileExW 7C83568B 6 Bytes JMP 708C000A .text C:\WINDOWS\system32\vmnat.exe[2144] kernel32.dll!MoveFileA 7C835EBF 6 Bytes JMP 7095000A .text C:\WINDOWS\system32\vmnat.exe[2144] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 716A000A .text C:\WINDOWS\system32\vmnat.exe[2144] kernel32.dll!MoveFileExA 7C85E49B 6 Bytes JMP 708F000A .text C:\WINDOWS\system32\vmnat.exe[2144] kernel32.dll!CopyFileExA 7C85F39C 6 Bytes JMP 70EC000A .text C:\WINDOWS\system32\vmnat.exe[2144] kernel32.dll!WinExec 7C86250D 
6 Bytes JMP 7176000A .text C:\WINDOWS\system32\vmnat.exe[2144] kernel32.dll!SetThreadContext 7C863C09 6 Bytes JMP 70D4000A .text C:\WINDOWS\system32\vmnat.exe[2144] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 7110000A .text C:\WINDOWS\system32\vmnat.exe[2144] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\vmnat.exe[2144] USER32.dll!SetWindowTextW 7E37960E 6 Bytes JMP 709B000A .text C:\WINDOWS\system32\vmnat.exe[2144] USER32.dll!GetKeyState 7E379ED9 6 Bytes JMP 7167000A .text C:\WINDOWS\system32\vmnat.exe[2144] USER32.dll!GetWindowTextW 7E37A5CD 6 Bytes JMP 70FB000A .text C:\WINDOWS\system32\vmnat.exe[2144] USER32.dll!GetAsyncKeyState 7E37A78F 6 Bytes JMP 7164000A .text C:\WINDOWS\system32\vmnat.exe[2144] USER32.dll!ShowWindow 7E37AF56 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\vmnat.exe[2144] USER32.dll!ShowWindow + 4 7E37AF5A 2 Bytes [F7, 70] .text C:\WINDOWS\system32\vmnat.exe[2144] USER32.dll!CreateWindowExW 7E37D0A3 6 Bytes JMP 70AD000A .text C:\WINDOWS\system32\vmnat.exe[2144] USER32.dll!GetKeyboardState 7E37D226 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\vmnat.exe[2144] USER32.dll!GetKeyboardState + 4 7E37D22A 2 Bytes [60, 71] .text C:\WINDOWS\system32\vmnat.exe[2144] USER32.dll!DrawTextW 7E37D7E2 6 Bytes JMP 70B3000A .text C:\WINDOWS\system32\vmnat.exe[2144] USER32.dll!CreateWindowExA 7E37E4A9 6 Bytes JMP 70B0000A .text C:\WINDOWS\system32\vmnat.exe[2144] USER32.dll!SetWindowTextA 7E37F56B 6 Bytes JMP 709E000A .text C:\WINDOWS\system32\vmnat.exe[2144] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\vmnat.exe[2144] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 714F000A .text C:\WINDOWS\system32\vmnat.exe[2144] USER32.dll!GetWindowTextA 7E38216B 6 Bytes JMP 70FE000A .text C:\WINDOWS\system32\vmnat.exe[2144] USER32.dll!DrawTextA 7E38C702 6 Bytes JMP 70B6000A .text C:\WINDOWS\system32\vmnat.exe[2144] USER32.dll!DdeConnect 7E3A81C3 6 Bytes JMP 715E000A .text 
C:\WINDOWS\system32\vmnat.exe[2144] USER32.dll!EndTask 7E3AA0A5 6 Bytes JMP 7173000A .text C:\WINDOWS\system32\vmnat.exe[2144] USER32.dll!RegisterRawInputDevices 7E3BCE0E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\vmnat.exe[2144] USER32.dll!RegisterRawInputDevices + 4 7E3BCE12 2 Bytes [4B, 71] .text C:\WINDOWS\system32\vmnat.exe[2144] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028BA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\vmnat.exe[2144] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028970 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\vmnat.exe[2144] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029CA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\vmnat.exe[2144] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029BA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\vmnat.exe[2144] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 6 Bytes JMP 712B000A .text C:\WINDOWS\system32\vmnat.exe[2144] ADVAPI32.dll!RegQueryValueExW 77DC6FFF 6 Bytes JMP 7119000A .text C:\WINDOWS\system32\vmnat.exe[2144] ADVAPI32.dll!RegCreateKeyExW 77DC776C 6 Bytes JMP 713D000A .text C:\WINDOWS\system32\vmnat.exe[2144] ADVAPI32.dll!RegOpenKeyExA 77DC7852 6 Bytes JMP 712E000A .text C:\WINDOWS\system32\vmnat.exe[2144] ADVAPI32.dll!RegOpenKeyW 77DC7946 6 Bytes JMP 7131000A .text C:\WINDOWS\system32\vmnat.exe[2144] ADVAPI32.dll!OpenProcessToken 77DC798B 6 Bytes JMP 70D1000A .text C:\WINDOWS\system32\vmnat.exe[2144] ADVAPI32.dll!RegQueryValueExA 77DC7ABB 6 Bytes JMP 711C000A .text C:\WINDOWS\system32\vmnat.exe[2144] ADVAPI32.dll!RegSetValueExW 77DCD767 6 Bytes JMP 7125000A .text C:\WINDOWS\system32\vmnat.exe[2144] ADVAPI32.dll!RegQueryValueW 77DCD87A 6 Bytes JMP 711F000A .text C:\WINDOWS\system32\vmnat.exe[2144] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 6 Bytes JMP 7140000A .text C:\WINDOWS\system32\vmnat.exe[2144] 
ADVAPI32.dll!RegSetValueExA 77DCEAE7 6 Bytes JMP 7128000A .text C:\WINDOWS\system32\vmnat.exe[2144] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 6 Bytes JMP 7134000A .text C:\WINDOWS\system32\vmnat.exe[2144] ADVAPI32.dll!AdjustTokenPrivileges 77DCF00C 6 Bytes JMP 70C8000A .text C:\WINDOWS\system32\vmnat.exe[2144] ADVAPI32.dll!RegDeleteKeyA 77DD42A0 6 Bytes JMP 70A4000A .text C:\WINDOWS\system32\vmnat.exe[2144] ADVAPI32.dll!RegDeleteKeyW 77DD559B 6 Bytes JMP 70A1000A .text C:\WINDOWS\system32\vmnat.exe[2144] ADVAPI32.dll!OpenSCManagerW 77DD6F55 6 Bytes JMP 7101000A .text C:\WINDOWS\system32\vmnat.exe[2144] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 5 Bytes JMP 10023A40 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\vmnat.exe[2144] ADVAPI32.dll!OpenSCManagerA 77DE69AE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\vmnat.exe[2144] ADVAPI32.dll!OpenSCManagerA + 4 77DE69B2 2 Bytes [03, 71] .text C:\WINDOWS\system32\vmnat.exe[2144] ADVAPI32.dll!LookupPrivilegeValueW 77DEB8DF 6 Bytes JMP 70CB000A .text C:\WINDOWS\system32\vmnat.exe[2144] ADVAPI32.dll!RegCreateKeyW 77DEBA55 6 Bytes JMP 7137000A .text C:\WINDOWS\system32\vmnat.exe[2144] ADVAPI32.dll!RegQueryValueA 77DEBB8D 6 Bytes JMP 7122000A .text C:\WINDOWS\system32\vmnat.exe[2144] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 6 Bytes JMP 713A000A .text C:\WINDOWS\system32\vmnat.exe[2144] ADVAPI32.dll!LookupPrivilegeValueA 77DEC238 6 Bytes JMP 70CE000A .text C:\WINDOWS\system32\vmnat.exe[2144] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 5 Bytes JMP 10024370 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\vmnat.exe[2144] ADVAPI32.dll!LsaRemoveAccountRights 77E0AC91 6 Bytes JMP 71A7000A .text C:\WINDOWS\system32\vmnat.exe[2144] ADVAPI32.dll!CreateServiceA 77E27211 6 Bytes JMP 7155000A .text C:\WINDOWS\system32\vmnat.exe[2144] ADVAPI32.dll!CreateServiceW 77E273A9 6 Bytes JMP 7152000A .text C:\WINDOWS\system32\vmnat.exe[2144] SHELL32.dll!ShellExecuteExW 
7CA098CB 6 Bytes JMP 7179000A .text C:\WINDOWS\system32\vmnat.exe[2144] SHELL32.dll!Shell_NotifyIcon 7CA28BC6 6 Bytes JMP 70E6000A .text C:\WINDOWS\system32\vmnat.exe[2144] SHELL32.dll!Shell_NotifyIconW 7CA2A537 6 Bytes JMP 70E3000A .text C:\WINDOWS\system32\vmnat.exe[2144] SHELL32.dll!ShellExecuteEx 7CA40E45 6 Bytes JMP 717C000A .text C:\WINDOWS\system32\vmnat.exe[2144] SHELL32.dll!ShellExecuteA 7CA41170 6 Bytes JMP 7182000A .text C:\WINDOWS\system32\vmnat.exe[2144] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 717F000A .text C:\WINDOWS\system32\vmnetdhcp.exe[2192] ntdll.dll!NtClose 7C90CFEE 2 Bytes JMP 1001D060 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\vmnetdhcp.exe[2192] ntdll.dll!NtClose + 3 7C90CFF1 2 Bytes [71, 93] {JNO 0xffffffffffffff95} .text C:\WINDOWS\system32\vmnetdhcp.exe[2192] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BB20 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\vmnetdhcp.exe[2192] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B800 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\vmnetdhcp.exe[2192] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10027DD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\vmnetdhcp.exe[2192] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001D180 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\vmnetdhcp.exe[2192] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10024F10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\vmnetdhcp.exe[2192] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025AA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\vmnetdhcp.exe[2192] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028BA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text 
C:\WINDOWS\system32\vmnetdhcp.exe[2192] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028970 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\vmnetdhcp.exe[2192] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029CA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\vmnetdhcp.exe[2192] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029BA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\vmnetdhcp.exe[2192] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 5 Bytes JMP 10023A40 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\vmnetdhcp.exe[2192] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 5 Bytes JMP 10024370 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\VMware\VMware Workstation\vmware-authd.exe[2360] ntdll.dll!NtClose 7C90CFEE 2 Bytes JMP 007FD060 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\VMware\VMware Workstation\vmware-authd.exe[2360] ntdll.dll!NtClose + 3 7C90CFF1 2 Bytes [EF, 83] .text C:\Program Files\VMware\VMware Workstation\vmware-authd.exe[2360] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 0080BB20 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\VMware\VMware Workstation\vmware-authd.exe[2360] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 0080B800 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\VMware\VMware Workstation\vmware-authd.exe[2360] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00807DD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\VMware\VMware Workstation\vmware-authd.exe[2360] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 007FD180 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\VMware\VMware Workstation\vmware-authd.exe[2360] 
kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00804F10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\VMware\VMware Workstation\vmware-authd.exe[2360] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00805AA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\VMware\VMware Workstation\vmware-authd.exe[2360] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 5 Bytes JMP 00803A40 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\VMware\VMware Workstation\vmware-authd.exe[2360] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 5 Bytes JMP 00804370 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\VMware\VMware Workstation\vmware-authd.exe[2360] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 00808BA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\VMware\VMware Workstation\vmware-authd.exe[2360] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 00808970 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\VMware\VMware Workstation\vmware-authd.exe[2360] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 00809CA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\VMware\VMware Workstation\vmware-authd.exe[2360] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 00809BA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] ntdll.dll!NtClose 7C90CFEE 2 Bytes JMP 1001D060 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] ntdll.dll!NtClose + 3 7C90CFF1 2 Bytes [71, 93] {JNO 0xffffffffffffff95} .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [5C, 71] .text 
C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BB20 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B800 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10027DD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001D180 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] kernel32.dll!DeviceIoControl 7C801629 6 Bytes JMP 70E5000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 7118000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] kernel32.dll!VirtualProtectEx 7C801A61 6 Bytes JMP 7160000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 710C000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AB0001 .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 719B000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 71A1000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 719E000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10024F10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text 
C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025AA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] kernel32.dll!VirtualAlloc 7C809AF1 6 Bytes JMP 710F000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] kernel32.dll!MultiByteToWideChar 7C809C98 6 Bytes JMP 70BE000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 70FA000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] kernel32.dll!WideCharToMultiByte 7C80A174 6 Bytes JMP 709D000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 714E000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 7198000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] kernel32.dll!CreateMutexW 7C80E957 6 Bytes JMP 70C7000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] kernel32.dll!CreateMutexA 7C80E9DF 6 Bytes JMP 70CA000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] kernel32.dll!OpenMutexW 7C80EA35 6 Bytes JMP 70C1000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] kernel32.dll!OpenMutexA 7C80EABB 6 Bytes JMP 70C4000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] kernel32.dll!GetVolumeInformationW 7C80FA85 6 Bytes JMP 7148000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [AD, 71] .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 7112000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 711B000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] kernel32.dll!WriteFile 7C810E27 6 Bytes JMP 70DC000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 
7172000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] kernel32.dll!MoveFileW 7C821261 6 Bytes JMP 7097000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] kernel32.dll!CreateDirectoryA 7C8217AC 6 Bytes JMP 70E2000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 714B000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] kernel32.dll!CopyFileExW 7C827B32 6 Bytes JMP 70EE000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] kernel32.dll!CopyFileA 7C8286EE 6 Bytes JMP 70F7000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] kernel32.dll!CopyFileW 7C82F87B 6 Bytes JMP 70F4000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] kernel32.dll!OpenProcess 7C8309E9 6 Bytes JMP 708E000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] kernel32.dll!DeleteFileA 7C831EDD 6 Bytes JMP 70AF000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] kernel32.dll!DeleteFileW 7C831F63 6 Bytes JMP 70AC000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] kernel32.dll!CreateDirectoryW 7C832402 6 Bytes JMP 70DF000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] kernel32.dll!MoveFileExW 7C83568B 6 Bytes JMP 7091000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] kernel32.dll!MoveFileA 7C835EBF 6 Bytes JMP 709A000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 716F000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] kernel32.dll!MoveFileExA 7C85E49B 6 Bytes JMP 7094000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] kernel32.dll!CopyFileExA 7C85F39C 6 Bytes JMP 70F1000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] kernel32.dll!SetThreadContext 7C863C09 6 Bytes JMP 70D9000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 7115000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] 
ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 6 Bytes JMP 7130000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] ADVAPI32.dll!RegQueryValueExW 77DC6FFF 6 Bytes JMP 711E000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] ADVAPI32.dll!RegCreateKeyExW 77DC776C 6 Bytes JMP 7142000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] ADVAPI32.dll!RegOpenKeyExA 77DC7852 6 Bytes JMP 7133000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] ADVAPI32.dll!RegOpenKeyW 77DC7946 6 Bytes JMP 7136000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] ADVAPI32.dll!OpenProcessToken 77DC798B 6 Bytes JMP 70D6000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] ADVAPI32.dll!RegQueryValueExA 77DC7ABB 6 Bytes JMP 7121000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] ADVAPI32.dll!RegSetValueExW 77DCD767 6 Bytes JMP 712A000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] ADVAPI32.dll!RegQueryValueW 77DCD87A 6 Bytes JMP 7124000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 6 Bytes JMP 7145000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] ADVAPI32.dll!RegSetValueExA 77DCEAE7 6 Bytes JMP 712D000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 6 Bytes JMP 7139000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] ADVAPI32.dll!AdjustTokenPrivileges 77DCF00C 6 Bytes JMP 70CD000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] ADVAPI32.dll!RegDeleteKeyA 77DD42A0 6 Bytes JMP 70A9000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] ADVAPI32.dll!RegDeleteKeyW 77DD559B 6 Bytes JMP 70A6000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] ADVAPI32.dll!OpenSCManagerW 77DD6F55 6 Bytes JMP 7106000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 5 Bytes JMP 10023A40 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] ADVAPI32.dll!OpenSCManagerA 77DE69AE 3 Bytes [FF, 25, 1E] .text 
C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] ADVAPI32.dll!OpenSCManagerA + 4 77DE69B2 2 Bytes [08, 71] .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] ADVAPI32.dll!LookupPrivilegeValueW 77DEB8DF 6 Bytes JMP 70D0000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] ADVAPI32.dll!RegCreateKeyW 77DEBA55 6 Bytes JMP 713C000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] ADVAPI32.dll!RegQueryValueA 77DEBB8D 6 Bytes JMP 7127000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 6 Bytes JMP 713F000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] ADVAPI32.dll!LookupPrivilegeValueA 77DEC238 6 Bytes JMP 70D3000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 5 Bytes JMP 10024370 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] ADVAPI32.dll!LsaRemoveAccountRights 77E0AC91 6 Bytes JMP 71A7000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] ADVAPI32.dll!CreateServiceA 77E27211 6 Bytes JMP 715A000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] ADVAPI32.dll!CreateServiceW 77E273A9 6 Bytes JMP 7157000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7192000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] USER32.dll!SetWindowTextW 7E37960E 6 Bytes JMP 70A0000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] USER32.dll!GetKeyState 7E379ED9 6 Bytes JMP 716C000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] USER32.dll!GetWindowTextW 7E37A5CD 6 Bytes JMP 7100000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] USER32.dll!GetAsyncKeyState 7E37A78F 6 Bytes JMP 7169000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] USER32.dll!ShowWindow 7E37AF56 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] USER32.dll!ShowWindow + 4 7E37AF5A 2 Bytes [FC, 70] .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] USER32.dll!CreateWindowExW 7E37D0A3 6 Bytes JMP 
70B2000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] USER32.dll!GetKeyboardState 7E37D226 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] USER32.dll!GetKeyboardState + 4 7E37D22A 2 Bytes [65, 71] .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] USER32.dll!DrawTextW 7E37D7E2 6 Bytes JMP 70B8000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] USER32.dll!CreateWindowExA 7E37E4A9 6 Bytes JMP 70B5000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] USER32.dll!SetWindowTextA 7E37F56B 6 Bytes JMP 70A3000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7195000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7154000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] USER32.dll!GetWindowTextA 7E38216B 6 Bytes JMP 7103000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] USER32.dll!DrawTextA 7E38C702 6 Bytes JMP 70BB000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] USER32.dll!DdeConnect 7E3A81C3 6 Bytes JMP 7163000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] USER32.dll!EndTask 7E3AA0A5 6 Bytes JMP 7178000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] USER32.dll!RegisterRawInputDevices 7E3BCE0E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] USER32.dll!RegisterRawInputDevices + 4 7E3BCE12 2 Bytes [50, 71] .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028BA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028970 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029CA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029BA0 
C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] SHELL32.dll!ShellExecuteExW 7CA098CB 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] SHELL32.dll!Shell_NotifyIcon 7CA28BC6 6 Bytes JMP 70EB000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] SHELL32.dll!Shell_NotifyIconW 7CA2A537 6 Bytes JMP 70E8000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] SHELL32.dll!ShellExecuteEx 7CA40E45 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] SHELL32.dll!ShellExecuteA 7CA41170 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3760] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 7184000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] ntdll.dll!NtAllocateVirtualMemory 7C90CF6E 5 Bytes JMP 1002AD40 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] ntdll.dll!NtClose 7C90CFEE 2 Bytes JMP 1001D060 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] ntdll.dll!NtClose + 3 7C90CFF1 2 Bytes [71, 93] {JNO 0xffffffffffffff95} .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 1002AD00 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 1002ADC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 1002ADA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] ntdll.dll!NtDeleteFile 7C90D23E 5 Bytes JMP 1002AD60 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] ntdll.dll!NtFreeVirtualMemory 
7C90D38E 5 Bytes JMP 1002A3D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] ntdll.dll!NtLoadDriver 7C90D46E 5 Bytes JMP 1002AD20 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes JMP 1002ACE0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 1002A380 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BB20 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B800 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 1002ACA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [71, 71] {JNO 0x73} .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] ntdll.dll!NtUnloadDriver 7C90DEBE 5 Bytes JMP 1002ACC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 1002AD80 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 7 Bytes JMP 1002A690 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program 
Files\Mozilla Firefox\firefox.exe[4024] ntdll.dll!RtlAllocateHeap 7C9100C4 5 Bytes JMP 1002A420 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10027DD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001D180 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] ntdll.dll!LdrGetProcedureAddress 7C917CF0 5 Bytes JMP 1002AC80 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] kernel32.dll!DeviceIoControl 7C801629 6 Bytes JMP 70D9000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 1002ABC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] kernel32.dll!VirtualProtectEx 7C801A61 6 Bytes JMP 715D000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 1002A960 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] kernel32.dll!LoadLibraryExW 7C801AF5 7 Bytes JMP 1002AC00 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 1002AC20 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 1002A9C0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 71A1000A .text C:\Program Files\Mozilla 
Firefox\firefox.exe[4024] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 719E000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10024F10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025AA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] kernel32.dll!VirtualAlloc 7C809AF1 6 Bytes JMP 7108000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] kernel32.dll!MultiByteToWideChar 7C809C98 6 Bytes JMP 70B2000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 70F2000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] kernel32.dll!WideCharToMultiByte 7C80A174 6 Bytes JMP 708F000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 1002AC60 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 1002A9A0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] kernel32.dll!GetModuleHandleA 7C80B741 5 Bytes JMP 1002AA00 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] kernel32.dll!GetModuleHandleW 7C80E4DD 5 Bytes JMP 1002A9E0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] kernel32.dll!CreateMutexW 7C80E957 6 Bytes JMP 70BB000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] kernel32.dll!CreateMutexA 7C80E9DF 6 Bytes JMP 70BE000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] kernel32.dll!OpenMutexW 7C80EA35 6 Bytes JMP 70B5000A .text C:\Program 
Files\Mozilla Firefox\firefox.exe[4024] kernel32.dll!OpenMutexA 7C80EABB 6 Bytes JMP 70B8000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] kernel32.dll!GetVolumeInformationW 7C80FA85 6 Bytes JMP 7143000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [AD, 71] .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 710B000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 1002ABA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] kernel32.dll!WriteFile 7C810E27 6 Bytes JMP 70D0000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 716F000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 1002AA60 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 1002AAE0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] kernel32.dll!CreateDirectoryA 7C8217AC 6 Bytes JMP 70D6000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] kernel32.dll!OpenFile 7C821982 5 Bytes JMP 1002ABE0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 7146000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 1002AB20 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] 
kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 1002AB80 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 1002AB60 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] kernel32.dll!OpenProcess 7C8309E9 6 Bytes JMP 707C000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] kernel32.dll!DeleteFileA 7C831EDD 5 Bytes JMP 1002AA40 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 1002AA20 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] kernel32.dll!CreateDirectoryW 7C832402 6 Bytes JMP 70D3000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] kernel32.dll!MoveFileExW 7C83568B 5 Bytes JMP 1002AAA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 1002AB00 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] kernel32.dll!MoveFileWithProgressA 7C835EDE 5 Bytes JMP 1002AA80 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 716C000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] kernel32.dll!MoveFileExA 7C85E49B 5 Bytes JMP 1002AAC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] kernel32.dll!CopyFileExA 7C85F39C 5 Bytes JMP 1002AB40 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 
1002A980 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] kernel32.dll!LoadModule 7C86261E 5 Bytes JMP 1002AC40 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] kernel32.dll!SetThreadContext 7C863C09 6 Bytes JMP 70CD000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 710E000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7190000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] USER32.dll!SetWindowTextW 7E37960E 6 Bytes JMP 7092000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] USER32.dll!GetKeyState 7E379ED9 6 Bytes JMP 7169000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] USER32.dll!GetWindowTextW 7E37A5CD 6 Bytes JMP 70F8000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] USER32.dll!GetAsyncKeyState 7E37A78F 6 Bytes JMP 7166000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] USER32.dll!ShowWindow 7E37AF56 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] USER32.dll!ShowWindow + 4 7E37AF5A 2 Bytes [F4, 70] .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] USER32.dll!CreateWindowExW 7E37D0A3 6 Bytes JMP 70A6000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] USER32.dll!GetKeyboardState 7E37D226 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] USER32.dll!GetKeyboardState + 4 7E37D22A 2 Bytes [62, 71] .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] USER32.dll!DrawTextW 7E37D7E2 6 Bytes JMP 70AC000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] USER32.dll!CreateWindowExA 7E37E4A9 6 Bytes JMP 70A9000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] USER32.dll!SetWindowTextA 7E37F56B 6 Bytes JMP 7095000A .text C:\Program Files\Mozilla 
Firefox\firefox.exe[4024] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7193000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7150000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] USER32.dll!GetWindowTextA 7E38216B 6 Bytes JMP 70FB000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] USER32.dll!DrawTextA 7E38C702 6 Bytes JMP 70AF000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] USER32.dll!DdeConnect 7E3A81C3 6 Bytes JMP 7160000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] USER32.dll!EndTask 7E3AA0A5 6 Bytes JMP 7175000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] USER32.dll!RegisterRawInputDevices 7E3BCE0E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] USER32.dll!RegisterRawInputDevices + 4 7E3BCE12 2 Bytes [4C, 71] .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028BA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028970 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029CA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029BA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 6 Bytes JMP 712B000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] ADVAPI32.dll!RegQueryValueExW 77DC6FFF 6 Bytes JMP 7119000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] ADVAPI32.dll!RegCreateKeyExW 77DC776C 6 Bytes JMP 713D000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] ADVAPI32.dll!RegOpenKeyExA 
77DC7852 6 Bytes JMP 712E000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] ADVAPI32.dll!RegOpenKeyW 77DC7946 6 Bytes JMP 7131000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] ADVAPI32.dll!OpenProcessToken 77DC798B 6 Bytes JMP 70CA000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] ADVAPI32.dll!RegQueryValueExA 77DC7ABB 6 Bytes JMP 711C000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] ADVAPI32.dll!RegSetValueExW 77DCD767 6 Bytes JMP 7125000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] ADVAPI32.dll!RegQueryValueW 77DCD87A 6 Bytes JMP 711F000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 6 Bytes JMP 7140000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] ADVAPI32.dll!RegSetValueExA 77DCEAE7 6 Bytes JMP 7128000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 6 Bytes JMP 7134000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] ADVAPI32.dll!AdjustTokenPrivileges 77DCF00C 6 Bytes JMP 70C1000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] ADVAPI32.dll!RegDeleteKeyA 77DD42A0 6 Bytes JMP 709B000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] ADVAPI32.dll!RegDeleteKeyW 77DD559B 6 Bytes JMP 7098000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] ADVAPI32.dll!OpenSCManagerW 77DD6F55 6 Bytes JMP 70FE000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 5 Bytes JMP 10023A40 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] ADVAPI32.dll!OpenSCManagerA 77DE69AE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] ADVAPI32.dll!OpenSCManagerA + 4 77DE69B2 2 Bytes [00, 71] .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] ADVAPI32.dll!LookupPrivilegeValueW 77DEB8DF 6 Bytes JMP 70C4000A .text C:\Program Files\Mozilla 
Firefox\firefox.exe[4024] ADVAPI32.dll!RegCreateKeyW 77DEBA55 6 Bytes JMP 7137000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] ADVAPI32.dll!RegQueryValueA 77DEBB8D 6 Bytes JMP 7122000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 6 Bytes JMP 713A000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] ADVAPI32.dll!LookupPrivilegeValueA 77DEC238 6 Bytes JMP 70C7000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 5 Bytes JMP 10024370 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] ADVAPI32.dll!LsaRemoveAccountRights 77E0AC91 6 Bytes JMP 71A7000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] ADVAPI32.dll!CreateServiceA 77E27211 6 Bytes JMP 7156000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] ADVAPI32.dll!CreateServiceW 77E273A9 6 Bytes JMP 7153000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] SHELL32.dll!ShellExecuteExW 7CA098CB 6 Bytes JMP 717C000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] SHELL32.dll!Shell_NotifyIcon 7CA28BC6 6 Bytes JMP 70DF000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] SHELL32.dll!Shell_NotifyIconW 7CA2A537 6 Bytes JMP 70DC000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] SHELL32.dll!ShellExecuteEx 7CA40E45 6 Bytes JMP 717F000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] SHELL32.dll!ShellExecuteA 7CA41170 6 Bytes JMP 7185000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4024] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 7182000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] ntdll.dll!NtClose 7C90CFEE 2 Bytes JMP 1001D060 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] ntdll.dll!NtClose + 3 7C90CFF1 2 Bytes [71, 93] {JNO 0xffffffffffffff95} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] 
ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [5C, 71] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BB20 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B800 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10027DD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001D180 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] kernel32.dll!DeviceIoControl 7C801629 6 Bytes JMP 70E5000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 7118000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] kernel32.dll!VirtualProtectEx 7C801A61 6 Bytes JMP 7160000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 710C000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AB0001 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 719B000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 71A1000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 719E000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] 
kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10024F10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025AA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] kernel32.dll!VirtualAlloc 7C809AF1 6 Bytes JMP 710F000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] kernel32.dll!MultiByteToWideChar 7C809C98 6 Bytes JMP 70BE000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 70FA000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] kernel32.dll!WideCharToMultiByte 7C80A174 6 Bytes JMP 709D000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 714E000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 7198000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] kernel32.dll!CreateMutexW 7C80E957 6 Bytes JMP 70C7000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] kernel32.dll!CreateMutexA 7C80E9DF 6 Bytes JMP 70CA000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] kernel32.dll!OpenMutexW 7C80EA35 6 Bytes JMP 70C1000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] kernel32.dll!OpenMutexA 7C80EABB 6 Bytes JMP 70C4000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] kernel32.dll!GetVolumeInformationW 7C80FA85 6 Bytes JMP 7148000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [AD, 71] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 7112000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 711B000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] kernel32.dll!WriteFile 
7C810E27 6 Bytes JMP 70DC000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 7172000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] kernel32.dll!MoveFileW 7C821261 6 Bytes JMP 7097000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] kernel32.dll!CreateDirectoryA 7C8217AC 6 Bytes JMP 70E2000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 714B000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] kernel32.dll!CopyFileExW 7C827B32 6 Bytes JMP 70EE000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] kernel32.dll!CopyFileA 7C8286EE 6 Bytes JMP 70F7000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] kernel32.dll!CopyFileW 7C82F87B 6 Bytes JMP 70F4000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] kernel32.dll!OpenProcess 7C8309E9 6 Bytes JMP 708E000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] kernel32.dll!DeleteFileA 7C831EDD 6 Bytes JMP 70AF000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] kernel32.dll!DeleteFileW 7C831F63 6 Bytes JMP 70AC000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] kernel32.dll!CreateDirectoryW 7C832402 6 Bytes JMP 70DF000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] kernel32.dll!MoveFileExW 7C83568B 6 Bytes JMP 7091000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] kernel32.dll!MoveFileA 7C835EBF 6 Bytes JMP 709A000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 716F000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] kernel32.dll!MoveFileExA 7C85E49B 6 Bytes JMP 7094000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] kernel32.dll!CopyFileExA 7C85F39C 6 Bytes JMP 70F1000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] kernel32.dll!SetThreadContext 7C863C09 6 Bytes JMP 70D9000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] 
kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 7115000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 6 Bytes JMP 7130000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] ADVAPI32.dll!RegQueryValueExW 77DC6FFF 6 Bytes JMP 711E000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] ADVAPI32.dll!RegCreateKeyExW 77DC776C 6 Bytes JMP 7142000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] ADVAPI32.dll!RegOpenKeyExA 77DC7852 6 Bytes JMP 7133000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] ADVAPI32.dll!RegOpenKeyW 77DC7946 6 Bytes JMP 7136000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] ADVAPI32.dll!OpenProcessToken 77DC798B 6 Bytes JMP 70D6000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] ADVAPI32.dll!RegQueryValueExA 77DC7ABB 6 Bytes JMP 7121000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] ADVAPI32.dll!RegSetValueExW 77DCD767 6 Bytes JMP 712A000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] ADVAPI32.dll!RegQueryValueW 77DCD87A 6 Bytes JMP 7124000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 6 Bytes JMP 7145000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] ADVAPI32.dll!RegSetValueExA 77DCEAE7 6 Bytes JMP 712D000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 6 Bytes JMP 7139000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] ADVAPI32.dll!AdjustTokenPrivileges 77DCF00C 6 Bytes JMP 70CD000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] ADVAPI32.dll!RegDeleteKeyA 77DD42A0 6 Bytes JMP 70A9000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] ADVAPI32.dll!RegDeleteKeyW 77DD559B 6 Bytes JMP 70A6000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] ADVAPI32.dll!OpenSCManagerW 77DD6F55 6 Bytes JMP 7106000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 5 Bytes JMP 10023A40 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text 
C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] ADVAPI32.dll!OpenSCManagerA 77DE69AE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] ADVAPI32.dll!OpenSCManagerA + 4 77DE69B2 2 Bytes [08, 71] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] ADVAPI32.dll!LookupPrivilegeValueW 77DEB8DF 6 Bytes JMP 70D0000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] ADVAPI32.dll!RegCreateKeyW 77DEBA55 6 Bytes JMP 713C000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] ADVAPI32.dll!RegQueryValueA 77DEBB8D 6 Bytes JMP 7127000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 6 Bytes JMP 713F000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] ADVAPI32.dll!LookupPrivilegeValueA 77DEC238 6 Bytes JMP 70D3000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 5 Bytes JMP 10024370 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] ADVAPI32.dll!LsaRemoveAccountRights 77E0AC91 6 Bytes JMP 71A7000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] ADVAPI32.dll!CreateServiceA 77E27211 6 Bytes JMP 715A000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] ADVAPI32.dll!CreateServiceW 77E273A9 6 Bytes JMP 7157000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7192000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] USER32.dll!SetWindowTextW 7E37960E 6 Bytes JMP 70A0000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] USER32.dll!GetKeyState 7E379ED9 6 Bytes JMP 716C000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] USER32.dll!GetWindowTextW 7E37A5CD 6 Bytes JMP 7100000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] USER32.dll!GetAsyncKeyState 7E37A78F 6 Bytes JMP 7169000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] USER32.dll!ShowWindow 7E37AF56 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] USER32.dll!ShowWindow + 4 7E37AF5A 2 
Bytes [FC, 70] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] USER32.dll!CreateWindowExW 7E37D0A3 6 Bytes JMP 70B2000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] USER32.dll!GetKeyboardState 7E37D226 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] USER32.dll!GetKeyboardState + 4 7E37D22A 2 Bytes [65, 71] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] USER32.dll!DrawTextW 7E37D7E2 6 Bytes JMP 70B8000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] USER32.dll!CreateWindowExA 7E37E4A9 6 Bytes JMP 70B5000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] USER32.dll!SetWindowTextA 7E37F56B 6 Bytes JMP 70A3000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7195000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7154000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] USER32.dll!GetWindowTextA 7E38216B 6 Bytes JMP 7103000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] USER32.dll!DrawTextA 7E38C702 6 Bytes JMP 70BB000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] USER32.dll!DdeConnect 7E3A81C3 6 Bytes JMP 7163000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] USER32.dll!EndTask 7E3AA0A5 6 Bytes JMP 7178000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] USER32.dll!RegisterRawInputDevices 7E3BCE0E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] USER32.dll!RegisterRawInputDevices + 4 7E3BCE12 2 Bytes [50, 71] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028BA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028970 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029CA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet 
Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029BA0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] SHELL32.dll!ShellExecuteExW 7CA098CB 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] SHELL32.dll!Shell_NotifyIcon 7CA28BC6 6 Bytes JMP 70EB000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] SHELL32.dll!Shell_NotifyIconW 7CA2A537 6 Bytes JMP 70E8000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] SHELL32.dll!ShellExecuteEx 7CA40E45 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] SHELL32.dll!ShellExecuteA 7CA41170 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4092] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 7184000A ---- Kernel IAT/EAT - GMER 1.0.15 ---- IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [B9DFB750] inspect.sys (COMODO Internet Security Firewall Driver/COMODO) IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [B9DFB820] inspect.sys (COMODO Internet Security Firewall Driver/COMODO) IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] [B9DFB7F0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO) IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [B9DFB7B0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO) IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [B9DFB7B0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO) IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [B9DFB820] inspect.sys (COMODO Internet Security Firewall Driver/COMODO) IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [B9DFB750] inspect.sys (COMODO Internet Security Firewall Driver/COMODO) IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [B9DFB7F0] inspect.sys 
(COMODO Internet Security Firewall Driver/COMODO) IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [B9DFB7F0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO) IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [B9DFB7B0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO) IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [B9DFB820] inspect.sys (COMODO Internet Security Firewall Driver/COMODO) IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [B9DFB750] inspect.sys (COMODO Internet Security Firewall Driver/COMODO) IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [B9DFB7B0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO) IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [B9DFB7F0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO) IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [B9DFB750] inspect.sys (COMODO Internet Security Firewall Driver/COMODO) IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [B9DFB820] inspect.sys (COMODO Internet Security Firewall Driver/COMODO) IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [B9DFB750] inspect.sys (COMODO Internet Security Firewall Driver/COMODO) IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [B9DFB820] inspect.sys (COMODO Internet Security Firewall Driver/COMODO) IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [B9DFB7B0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO) IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [B9DFB7F0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO) IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [B9DFB7B0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO) IAT 
\SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [B9DFB820] inspect.sys (COMODO Internet Security Firewall Driver/COMODO) IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [B9DFB750] inspect.sys (COMODO Internet Security Firewall Driver/COMODO) IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [B9DFB7B0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO) IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [B9DFB7F0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO) IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [B9DFB750] inspect.sys (COMODO Internet Security Firewall Driver/COMODO) IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [B9DFB820] inspect.sys (COMODO Internet Security Firewall Driver/COMODO) ---- User IAT/EAT - GMER 1.0.15 ---- IAT C:\WINDOWS\Explorer.EXE[872] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [02AA2F20] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.) IAT C:\WINDOWS\Explorer.EXE[872] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [02AA2C90] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.) IAT C:\WINDOWS\Explorer.EXE[872] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [02AA2CF0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.) IAT C:\WINDOWS\Explorer.EXE[872] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [02AA2CC0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.) ---- Devices - GMER 1.0.15 ---- AttachedDevice \FileSystem\Ntfs \Ntfs TfFsMon.sys (ThreatFire Filesystem Monitor/PC Tools) AttachedDevice \Driver\Tcpip \Device\Ip cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO) Device \Driver\usbuhci \Device\USBPDO-0 hcmon.sys (VMware USB monitor/VMware, Inc.) 
Device \Driver\usbuhci \Device\USBPDO-1 hcmon.sys (VMware USB monitor/VMware, Inc.) Device \Driver\usbuhci \Device\USBPDO-2 hcmon.sys (VMware USB monitor/VMware, Inc.) Device \Driver\usbuhci \Device\USBPDO-3 hcmon.sys (VMware USB monitor/VMware, Inc.) Device \Driver\usbehci \Device\USBPDO-4 hcmon.sys (VMware USB monitor/VMware, Inc.) AttachedDevice \Driver\Tcpip \Device\Tcp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO) Device \Driver\usbhub \Device\USBPDO-5 hcmon.sys (VMware USB monitor/VMware, Inc.) Device \Driver\usbhub \Device\USBPDO-6 hcmon.sys (VMware USB monitor/VMware, Inc.) Device \Driver\usbhub \Device\00000076 hcmon.sys (VMware USB monitor/VMware, Inc.) Device \Driver\usbhub \Device\00000077 hcmon.sys (VMware USB monitor/VMware, Inc.) Device \Driver\usbhub \Device\00000078 hcmon.sys (VMware USB monitor/VMware, Inc.) Device \Driver\usbhub \Device\00000079 hcmon.sys (VMware USB monitor/VMware, Inc.) AttachedDevice \Driver\Tcpip \Device\Udp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO) AttachedDevice \Driver\Tcpip \Device\RawIp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO) Device \Driver\usbuhci \Device\USBFDO-0 hcmon.sys (VMware USB monitor/VMware, Inc.) Device \Driver\usbuhci \Device\USBFDO-1 hcmon.sys (VMware USB monitor/VMware, Inc.) Device \Driver\usbhub \Device\0000007a hcmon.sys (VMware USB monitor/VMware, Inc.) Device \Driver\usbuhci \Device\USBFDO-2 hcmon.sys (VMware USB monitor/VMware, Inc.) Device \Driver\usbuhci \Device\USBFDO-3 hcmon.sys (VMware USB monitor/VMware, Inc.) Device \Driver\usbehci \Device\USBFDO-4 hcmon.sys (VMware USB monitor/VMware, Inc.) 
AttachedDevice \FileSystem\Fastfat \Fat TfFsMon.sys (ThreatFire Filesystem Monitor/PC Tools) ---- Files - GMER 1.0.15 ---- File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\14DD6F8C-4760-4488-9A76-CAB294BE95A0.data 25600 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\14DD6F8C-4760-4488-9A76-CAB294BE95A0.data.info 204 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\555616CC-F4A1-475E-BE6A-2B36F6191A8A.data 180224 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\555616CC-F4A1-475E-BE6A-2B36F6191A8A.data.info 218 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\Temp 0 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\Temp\baseupd 0 bytes ---- EOF - GMER 1.0.15 ----