GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-08-07 13:17:13 Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 HITACHI_HTS541616J9SA00 rev.SB4IC7UP 149,05GB Running: 3luk3okm.exe; Driver: C:\DOCUME~1\Tata\USTAWI~1\Temp\kxtdapog.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwAdjustPrivilegesToken [0xA97D04D6] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwClose [0xA97D185A] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwConnectPort [0xA97CF786] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateFile [0xA97D0104] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateKey [0xA97D0E9E] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateSection [0xA97CFE96] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateSymbolicLinkObject [0xA97D285E] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateThread [0xA97CF130] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwDeleteKey [0xA97D06CA] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwDeleteValueKey [0xA97D0928] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwDuplicateObject [0xA97CEF1A] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwEnumerateKey [0xA97D1970] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwEnumerateValueKey [0xA97D1B84] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwLoadDriver [0xA97D2264] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwMakeTemporaryObject [0xA97CFA6A] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwNotifyChangeKey [0xA97D2B30] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwNotifyChangeMultipleKeys [0xA97D172E] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenFile [0xA97D02FC] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenKey [0xA97D0D8C] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenProcess [0xA97CEB20] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenSection [0xA97CFD1E] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenThread [0xA97CED38] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwQueryKey [0xA97D1CF6] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwQueryMultipleValueKey [0xA97D1FAA] SSDT \??\C:\WINDOWS\system32\drivers\avgtpx86.sys ZwQueryValueKey [0xF77CE1D6] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwRenameKey [0xA97D1484] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwSetSecurityObject [0xA97D0BB0] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwSetSystemInformation [0xA97D2564] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwSetValueKey [0xA97D11C0] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwShutdownSystem [0xA97CF9D4] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwSystemDebugControl [0xA97CFC0A] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwTerminateProcess [0xA97CF566] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwTerminateThread [0xA97CF334] ---- User code sections - GMER 2.1 ---- .text C:\WINDOWS\system32\svchost.exe[208] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[208] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\svchost.exe[208] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[208] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\svchost.exe[208] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[208] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\svchost.exe[208] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[208] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\system32\svchost.exe[208] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\svchost.exe[208] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\svchost.exe[208] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\svchost.exe[208] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\svchost.exe[208] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\svchost.exe[208] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[208] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\WINDOWS\system32\svchost.exe[208] RPCRT4.dll!RpcServerRegisterIfEx 77E8CD53 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\svchost.exe[208] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\svchost.exe[208] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\svchost.exe[208] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\svchost.exe[208] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[208] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[208] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[208] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\svchost.exe[224] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[224] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\svchost.exe[224] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[224] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\svchost.exe[224] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[224] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\svchost.exe[224] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[224] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\system32\svchost.exe[224] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\svchost.exe[224] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\svchost.exe[224] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\svchost.exe[224] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [C0, 46, 01, 10] {ROL BYTE [ESI+0x1], 0x10} .text C:\WINDOWS\system32\svchost.exe[224] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [50, 47, 01, 10] {PUSH EAX; INC EDI; ADD [EAX], EDX} .text C:\WINDOWS\system32\svchost.exe[224] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\svchost.exe[224] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\svchost.exe[224] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[224] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\WINDOWS\system32\svchost.exe[224] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\svchost.exe[224] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\svchost.exe[224] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\svchost.exe[224] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[224] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[224] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[224] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\Program Files\ThinkPad\Utilities\DOZESVC.EXE[236] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\ThinkPad\Utilities\DOZESVC.EXE[236] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\ThinkPad\Utilities\DOZESVC.EXE[236] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\ThinkPad\Utilities\DOZESVC.EXE[236] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\ThinkPad\Utilities\DOZESVC.EXE[236] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\ThinkPad\Utilities\DOZESVC.EXE[236] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\ThinkPad\Utilities\DOZESVC.EXE[236] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\Program Files\ThinkPad\Utilities\DOZESVC.EXE[236] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\Program Files\ThinkPad\Utilities\DOZESVC.EXE[236] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\ThinkPad\Utilities\DOZESVC.EXE[236] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\Program Files\ThinkPad\Utilities\DOZESVC.EXE[236] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\Program Files\ThinkPad\Utilities\DOZESVC.EXE[236] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [C0, 46, 01, 10] {ROL BYTE [ESI+0x1], 0x10} .text C:\Program Files\ThinkPad\Utilities\DOZESVC.EXE[236] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [50, 47, 01, 10] {PUSH EAX; INC EDI; ADD [EAX], EDX} .text C:\Program Files\ThinkPad\Utilities\DOZESVC.EXE[236] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\Program Files\ThinkPad\Utilities\DOZESVC.EXE[236] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\Program Files\ThinkPad\Utilities\DOZESVC.EXE[236] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\Program Files\ThinkPad\Utilities\DOZESVC.EXE[236] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\Program Files\ThinkPad\Utilities\DOZESVC.EXE[236] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A .text C:\Program Files\ThinkPad\Utilities\DOZESVC.EXE[236] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A .text C:\Program Files\ThinkPad\Utilities\DOZESVC.EXE[236] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A .text C:\Program Files\ThinkPad\Utilities\DOZESVC.EXE[236] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\Program Files\ThinkPad\Utilities\DOZESVC.EXE[236] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\Program Files\ThinkPad\Utilities\DOZESVC.EXE[236] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\Program Files\ThinkPad\Utilities\DOZESVC.EXE[236] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[284] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[284] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[284] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[284] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [73, 71] {JAE 0x73} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[284] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[284] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [70, 71] {JO 0x73} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[284] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[284] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A3, 71] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[284] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[284] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719B000A .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[284] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 7198000A .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[284] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [C0, 46, 37, 01] {ROL BYTE [ESI+0x37], 0x1} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[284] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [50, 47, 37, 01] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[284] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 718F000A .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[284] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7195000A .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[284] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[284] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [91, 71] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[284] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7180000A .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[284] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7183000A .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[284] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7189000A .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[284] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7186000A .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[284] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717A000A .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[284] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717D000A .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[284] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7177000A .text c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe[340] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe[340] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe[340] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe[340] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [77, 71] {JA 0x73} .text c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe[340] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe[340] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [74, 71] {JZ 0x73} .text c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe[340] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe[340] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe[340] KERNEL32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe[340] KERNEL32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe[340] KERNEL32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe[340] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A .text c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe[340] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A .text c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe[340] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A .text c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe[340] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe[340] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe[340] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe[340] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe[340] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [C0, 46, 01, 10] {ROL BYTE [ESI+0x1], 0x10} .text c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe[340] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [50, 47, 01, 10] {PUSH EAX; INC EDI; ADD [EAX], EDX} .text c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe[340] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe[340] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe[340] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe[340] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\Program Files\Java\jre7\bin\jqs.exe[568] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Java\jre7\bin\jqs.exe[568] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\Java\jre7\bin\jqs.exe[568] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Java\jre7\bin\jqs.exe[568] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\Java\jre7\bin\jqs.exe[568] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Java\jre7\bin\jqs.exe[568] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [71, 71] {JNO 0x73} .text C:\Program Files\Java\jre7\bin\jqs.exe[568] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\Program Files\Java\jre7\bin\jqs.exe[568] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\Program Files\Java\jre7\bin\jqs.exe[568] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\Java\jre7\bin\jqs.exe[568] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719C000A .text C:\Program Files\Java\jre7\bin\jqs.exe[568] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 7199000A .text C:\Program Files\Java\jre7\bin\jqs.exe[568] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [C0, 46, 01, 10] {ROL BYTE [ESI+0x1], 0x10} .text C:\Program Files\Java\jre7\bin\jqs.exe[568] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [50, 47, 01, 10] {PUSH EAX; INC EDI; ADD [EAX], EDX} .text C:\Program Files\Java\jre7\bin\jqs.exe[568] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7190000A .text C:\Program Files\Java\jre7\bin\jqs.exe[568] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7196000A .text C:\Program Files\Java\jre7\bin\jqs.exe[568] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\Program Files\Java\jre7\bin\jqs.exe[568] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [92, 71] .text C:\Program Files\Java\jre7\bin\jqs.exe[568] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7181000A .text C:\Program Files\Java\jre7\bin\jqs.exe[568] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7184000A .text C:\Program Files\Java\jre7\bin\jqs.exe[568] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718A000A .text C:\Program Files\Java\jre7\bin\jqs.exe[568] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7187000A .text C:\Program Files\Java\jre7\bin\jqs.exe[568] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717B000A .text C:\Program Files\Java\jre7\bin\jqs.exe[568] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717E000A .text C:\Program Files\Java\jre7\bin\jqs.exe[568] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7178000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[640] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[640] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[640] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[640] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[640] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[640] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[640] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[640] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[640] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[640] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[640] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[640] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [C0, 46, 01, 10] {ROL BYTE [ESI+0x1], 0x10} .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[640] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [50, 47, 01, 10] {PUSH EAX; INC EDI; ADD [EAX], EDX} .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[640] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[640] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[640] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[640] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[640] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[640] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[640] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[640] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[640] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[640] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[640] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\Program Files\CDBurnerXP\NMSAccessU.exe[708] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\CDBurnerXP\NMSAccessU.exe[708] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\CDBurnerXP\NMSAccessU.exe[708] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\CDBurnerXP\NMSAccessU.exe[708] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\CDBurnerXP\NMSAccessU.exe[708] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\CDBurnerXP\NMSAccessU.exe[708] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\CDBurnerXP\NMSAccessU.exe[708] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\Program Files\CDBurnerXP\NMSAccessU.exe[708] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\Program Files\CDBurnerXP\NMSAccessU.exe[708] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\CDBurnerXP\NMSAccessU.exe[708] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\Program Files\CDBurnerXP\NMSAccessU.exe[708] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\Program Files\CDBurnerXP\NMSAccessU.exe[708] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [C0, 46, 01, 10] {ROL BYTE [ESI+0x1], 0x10} .text C:\Program Files\CDBurnerXP\NMSAccessU.exe[708] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [50, 47, 01, 10] {PUSH EAX; INC EDI; ADD [EAX], EDX} .text C:\Program Files\CDBurnerXP\NMSAccessU.exe[708] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\Program Files\CDBurnerXP\NMSAccessU.exe[708] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\Program Files\CDBurnerXP\NMSAccessU.exe[708] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\Program Files\CDBurnerXP\NMSAccessU.exe[708] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\Program Files\CDBurnerXP\NMSAccessU.exe[708] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\Program Files\CDBurnerXP\NMSAccessU.exe[708] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\Program Files\CDBurnerXP\NMSAccessU.exe[708] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\Program Files\CDBurnerXP\NMSAccessU.exe[708] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\Program Files\CDBurnerXP\NMSAccessU.exe[708] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A .text C:\Program Files\CDBurnerXP\NMSAccessU.exe[708] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A .text C:\Program Files\CDBurnerXP\NMSAccessU.exe[708] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\wscntfy.exe[724] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wscntfy.exe[724] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\wscntfy.exe[724] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wscntfy.exe[724] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\wscntfy.exe[724] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wscntfy.exe[724] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\wscntfy.exe[724] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wscntfy.exe[724] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\system32\wscntfy.exe[724] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\wscntfy.exe[724] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\wscntfy.exe[724] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\wscntfy.exe[724] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\wscntfy.exe[724] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\wscntfy.exe[724] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\wscntfy.exe[724] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\wscntfy.exe[724] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\wscntfy.exe[724] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\wscntfy.exe[724] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\wscntfy.exe[724] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\wscntfy.exe[724] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\wscntfy.exe[724] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wscntfy.exe[724] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\WINDOWS\system32\csrss.exe[756] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 100015D0 C:\WINDOWS\system32\cmdcsr.dll .text C:\WINDOWS\system32\csrss.exe[756] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 10001A50 C:\WINDOWS\system32\cmdcsr.dll .text C:\WINDOWS\system32\services.exe[828] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[828] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\services.exe[828] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[828] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\services.exe[828] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[828] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\services.exe[828] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[828] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\system32\services.exe[828] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\services.exe[828] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\services.exe[828] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\services.exe[828] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\services.exe[828] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\services.exe[828] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[828] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\WINDOWS\system32\services.exe[828] RPCRT4.dll!RpcServerRegisterIfEx 77E8CD53 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\services.exe[828] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\services.exe[828] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\services.exe[828] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\services.exe[828] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\services.exe[828] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\services.exe[828] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\services.exe[828] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\lsass.exe[840] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[840] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\lsass.exe[840] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[840] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [72, 71] {JB 0x73} .text C:\WINDOWS\system32\lsass.exe[840] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[840] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [6F, 71] .text C:\WINDOWS\system32\lsass.exe[840] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[840] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A2, 71] .text C:\WINDOWS\system32\lsass.exe[840] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AA0001 .text C:\WINDOWS\system32\lsass.exe[840] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719A000A .text C:\WINDOWS\system32\lsass.exe[840] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 7197000A .text C:\WINDOWS\system32\lsass.exe[840] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [C0, 46, 01, 10] {ROL BYTE [ESI+0x1], 0x10} .text C:\WINDOWS\system32\lsass.exe[840] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [50, 47, 01, 10] {PUSH EAX; INC EDI; ADD [EAX], EDX} .text C:\WINDOWS\system32\lsass.exe[840] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 718E000A .text C:\WINDOWS\system32\lsass.exe[840] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7194000A .text C:\WINDOWS\system32\lsass.exe[840] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[840] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [90, 71] .text C:\WINDOWS\system32\lsass.exe[840] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7179000A .text C:\WINDOWS\system32\lsass.exe[840] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717C000A .text C:\WINDOWS\system32\lsass.exe[840] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7176000A .text C:\WINDOWS\system32\lsass.exe[840] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 717F000A .text C:\WINDOWS\system32\lsass.exe[840] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7182000A .text C:\WINDOWS\system32\lsass.exe[840] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7188000A .text C:\WINDOWS\system32\lsass.exe[840] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7185000A .text C:\WINDOWS\system32\PrintCtrl.exe[976] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\PrintCtrl.exe[976] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\PrintCtrl.exe[976] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\PrintCtrl.exe[976] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\PrintCtrl.exe[976] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\PrintCtrl.exe[976] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\PrintCtrl.exe[976] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\PrintCtrl.exe[976] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\system32\PrintCtrl.exe[976] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\PrintCtrl.exe[976] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\PrintCtrl.exe[976] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\PrintCtrl.exe[976] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\PrintCtrl.exe[976] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\PrintCtrl.exe[976] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\PrintCtrl.exe[976] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\PrintCtrl.exe[976] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\PrintCtrl.exe[976] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\PrintCtrl.exe[976] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\PrintCtrl.exe[976] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [C0, 46, 01, 10] {ROL BYTE [ESI+0x1], 0x10} .text C:\WINDOWS\system32\PrintCtrl.exe[976] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [50, 47, 01, 10] {PUSH EAX; INC EDI; ADD [EAX], EDX} .text C:\WINDOWS\system32\PrintCtrl.exe[976] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\PrintCtrl.exe[976] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\PrintCtrl.exe[976] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\PrintCtrl.exe[976] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\WINDOWS\system32\ibmpmsvc.exe[992] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\ibmpmsvc.exe[992] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\ibmpmsvc.exe[992] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\ibmpmsvc.exe[992] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\ibmpmsvc.exe[992] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\ibmpmsvc.exe[992] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\ibmpmsvc.exe[992] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\ibmpmsvc.exe[992] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\system32\ibmpmsvc.exe[992] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\ibmpmsvc.exe[992] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\ibmpmsvc.exe[992] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\ibmpmsvc.exe[992] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [C0, 46, 01, 10] {ROL BYTE [ESI+0x1], 0x10} .text C:\WINDOWS\system32\ibmpmsvc.exe[992] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [50, 47, 01, 10] {PUSH EAX; INC EDI; ADD [EAX], EDX} .text C:\WINDOWS\system32\ibmpmsvc.exe[992] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\ibmpmsvc.exe[992] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\ibmpmsvc.exe[992] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\ibmpmsvc.exe[992] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\WINDOWS\system32\ibmpmsvc.exe[992] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\ibmpmsvc.exe[992] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\ibmpmsvc.exe[992] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\ibmpmsvc.exe[992] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\ibmpmsvc.exe[992] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\ibmpmsvc.exe[992] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\ibmpmsvc.exe[992] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\svchost.exe[1036] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1036] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\svchost.exe[1036] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1036] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\svchost.exe[1036] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1036] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\svchost.exe[1036] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1036] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\system32\svchost.exe[1036] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\svchost.exe[1036] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\svchost.exe[1036] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\svchost.exe[1036] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\svchost.exe[1036] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\svchost.exe[1036] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1036] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\WINDOWS\system32\svchost.exe[1036] RPCRT4.dll!RpcServerRegisterIfEx 77E8CD53 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\svchost.exe[1036] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\svchost.exe[1036] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\svchost.exe[1036] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\svchost.exe[1036] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[1036] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[1036] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[1036] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1060] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1060] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1060] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1060] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1060] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1060] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1060] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1060] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1060] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1060] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1060] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1060] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [C0, 46, 01, 10] {ROL BYTE [ESI+0x1], 0x10} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1060] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [50, 47, 01, 10] {PUSH EAX; INC EDI; ADD [EAX], EDX} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1060] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1060] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1060] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1060] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1060] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1060] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1060] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1060] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1060] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1060] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1060] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\svchost.exe[1100] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1100] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\svchost.exe[1100] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1100] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\svchost.exe[1100] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1100] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\svchost.exe[1100] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1100] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\WINDOWS\system32\svchost.exe[1100] RPCRT4.dll!RpcServerRegisterIfEx 77E8CD53 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\svchost.exe[1100] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\svchost.exe[1100] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\svchost.exe[1100] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\svchost.exe[1100] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[1100] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[1100] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[1100] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\svchost.exe[1100] rpcss.dll!WhichService 76A64234 8 Bytes [20, 30, 01, 10, E0, 2D, 01, ...] {AND [EAX], DH; ADD [EAX], EDX; LOOPNZ 0x33; ADD [EAX], EDX} .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1140] ntdll.dll!NtAllocateVirtualMemory 7C90CF6E 5 Bytes JMP 00401EF0 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1140] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 004452C0 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe .text C:\WINDOWS\system32\svchost.exe[1184] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1184] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\svchost.exe[1184] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1184] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\svchost.exe[1184] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1184] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\svchost.exe[1184] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1184] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\svchost.exe[1184] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\svchost.exe[1184] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\svchost.exe[1184] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1184] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\WINDOWS\system32\svchost.exe[1184] RPCRT4.dll!RpcServerRegisterIfEx 77E8CD53 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\svchost.exe[1184] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\svchost.exe[1184] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\svchost.exe[1184] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\svchost.exe[1184] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[1184] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[1184] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[1184] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\svchost.exe[1308] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1308] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\svchost.exe[1308] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1308] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\svchost.exe[1308] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1308] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\svchost.exe[1308] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1308] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\svchost.exe[1308] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [C0, 46, 01, 10] {ROL BYTE [ESI+0x1], 0x10} .text C:\WINDOWS\system32\svchost.exe[1308] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [50, 47, 01, 10] {PUSH EAX; INC EDI; ADD [EAX], EDX} .text C:\WINDOWS\system32\svchost.exe[1308] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\svchost.exe[1308] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\svchost.exe[1308] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1308] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\WINDOWS\system32\svchost.exe[1308] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\svchost.exe[1308] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\svchost.exe[1308] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\svchost.exe[1308] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[1308] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[1308] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[1308] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\Documents and Settings\All Users\Dane aplikacji\Skype\Toolbars\Skype C2C Service\c2c_service.exe[1368] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\All Users\Dane aplikacji\Skype\Toolbars\Skype C2C Service\c2c_service.exe[1368] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Documents and Settings\All Users\Dane aplikacji\Skype\Toolbars\Skype C2C Service\c2c_service.exe[1368] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\All Users\Dane aplikacji\Skype\Toolbars\Skype C2C Service\c2c_service.exe[1368] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [74, 71] {JZ 0x73} .text C:\Documents and Settings\All Users\Dane aplikacji\Skype\Toolbars\Skype C2C Service\c2c_service.exe[1368] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\All Users\Dane aplikacji\Skype\Toolbars\Skype C2C Service\c2c_service.exe[1368] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [71, 71] {JNO 0x73} .text C:\Documents and Settings\All Users\Dane aplikacji\Skype\Toolbars\Skype C2C Service\c2c_service.exe[1368] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\All Users\Dane aplikacji\Skype\Toolbars\Skype C2C Service\c2c_service.exe[1368] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\Documents and Settings\All Users\Dane aplikacji\Skype\Toolbars\Skype C2C Service\c2c_service.exe[1368] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Documents and Settings\All Users\Dane aplikacji\Skype\Toolbars\Skype C2C Service\c2c_service.exe[1368] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719C000A .text C:\Documents and Settings\All Users\Dane aplikacji\Skype\Toolbars\Skype C2C Service\c2c_service.exe[1368] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 7199000A .text C:\Documents and Settings\All Users\Dane aplikacji\Skype\Toolbars\Skype C2C Service\c2c_service.exe[1368] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [C0, 46, 01, 10] {ROL BYTE [ESI+0x1], 0x10} .text C:\Documents and Settings\All Users\Dane aplikacji\Skype\Toolbars\Skype C2C Service\c2c_service.exe[1368] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [50, 47, 01, 10] {PUSH EAX; INC EDI; ADD [EAX], EDX} .text C:\Documents and Settings\All Users\Dane aplikacji\Skype\Toolbars\Skype C2C Service\c2c_service.exe[1368] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7190000A .text C:\Documents and Settings\All Users\Dane aplikacji\Skype\Toolbars\Skype C2C Service\c2c_service.exe[1368] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7196000A .text C:\Documents and Settings\All Users\Dane aplikacji\Skype\Toolbars\Skype C2C Service\c2c_service.exe[1368] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\All Users\Dane aplikacji\Skype\Toolbars\Skype C2C Service\c2c_service.exe[1368] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [92, 71] .text C:\Documents and Settings\All Users\Dane aplikacji\Skype\Toolbars\Skype C2C Service\c2c_service.exe[1368] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7181000A .text C:\Documents and Settings\All Users\Dane aplikacji\Skype\Toolbars\Skype C2C Service\c2c_service.exe[1368] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7184000A .text C:\Documents and Settings\All Users\Dane aplikacji\Skype\Toolbars\Skype C2C Service\c2c_service.exe[1368] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718A000A .text C:\Documents and Settings\All Users\Dane aplikacji\Skype\Toolbars\Skype C2C Service\c2c_service.exe[1368] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7187000A .text C:\Documents and Settings\All Users\Dane aplikacji\Skype\Toolbars\Skype C2C Service\c2c_service.exe[1368] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717B000A .text C:\Documents and Settings\All Users\Dane aplikacji\Skype\Toolbars\Skype C2C Service\c2c_service.exe[1368] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717E000A .text C:\Documents and Settings\All Users\Dane aplikacji\Skype\Toolbars\Skype C2C Service\c2c_service.exe[1368] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7178000A .text C:\Program Files\Intel\WiFi\bin\S24EvMon.exe[1544] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Intel\WiFi\bin\S24EvMon.exe[1544] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\Intel\WiFi\bin\S24EvMon.exe[1544] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Intel\WiFi\bin\S24EvMon.exe[1544] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\Intel\WiFi\bin\S24EvMon.exe[1544] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Intel\WiFi\bin\S24EvMon.exe[1544] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [71, 71] {JNO 0x73} .text C:\Program Files\Intel\WiFi\bin\S24EvMon.exe[1544] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\Program Files\Intel\WiFi\bin\S24EvMon.exe[1544] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\Program Files\Intel\WiFi\bin\S24EvMon.exe[1544] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\Intel\WiFi\bin\S24EvMon.exe[1544] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719C000A .text C:\Program Files\Intel\WiFi\bin\S24EvMon.exe[1544] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 7199000A .text C:\Program Files\Intel\WiFi\bin\S24EvMon.exe[1544] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [C0, 46, 03, 01] {ROL BYTE [ESI+0x3], 0x1} .text C:\Program Files\Intel\WiFi\bin\S24EvMon.exe[1544] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [50, 47, 03, 01] {PUSH EAX; INC EDI; ADD EAX, [ECX]} .text C:\Program Files\Intel\WiFi\bin\S24EvMon.exe[1544] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7190000A .text C:\Program Files\Intel\WiFi\bin\S24EvMon.exe[1544] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7196000A .text C:\Program Files\Intel\WiFi\bin\S24EvMon.exe[1544] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\Program Files\Intel\WiFi\bin\S24EvMon.exe[1544] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [92, 71] .text C:\Program Files\Intel\WiFi\bin\S24EvMon.exe[1544] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7181000A .text C:\Program Files\Intel\WiFi\bin\S24EvMon.exe[1544] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7184000A .text C:\Program Files\Intel\WiFi\bin\S24EvMon.exe[1544] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718A000A .text C:\Program Files\Intel\WiFi\bin\S24EvMon.exe[1544] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7187000A .text C:\Program Files\Intel\WiFi\bin\S24EvMon.exe[1544] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717B000A .text C:\Program Files\Intel\WiFi\bin\S24EvMon.exe[1544] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717E000A .text C:\Program Files\Intel\WiFi\bin\S24EvMon.exe[1544] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7178000A .text C:\WINDOWS\system32\svchost.exe[1612] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1612] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\svchost.exe[1612] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1612] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\svchost.exe[1612] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1612] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\svchost.exe[1612] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1612] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\system32\svchost.exe[1612] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\svchost.exe[1612] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\svchost.exe[1612] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\svchost.exe[1612] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [C0, 46, 01, 10] {ROL BYTE [ESI+0x1], 0x10} .text C:\WINDOWS\system32\svchost.exe[1612] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [50, 47, 01, 10] {PUSH EAX; INC EDI; ADD [EAX], EDX} .text C:\WINDOWS\system32\svchost.exe[1612] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\svchost.exe[1612] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\svchost.exe[1612] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1612] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\WINDOWS\system32\svchost.exe[1612] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\svchost.exe[1612] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\svchost.exe[1612] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\svchost.exe[1612] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[1612] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[1612] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[1612] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\svchost.exe[1644] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1644] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\svchost.exe[1644] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1644] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\svchost.exe[1644] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1644] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\svchost.exe[1644] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1644] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\system32\svchost.exe[1644] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\svchost.exe[1644] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\svchost.exe[1644] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\svchost.exe[1644] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [C0, 46, 01, 10] {ROL BYTE [ESI+0x1], 0x10} .text C:\WINDOWS\system32\svchost.exe[1644] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [50, 47, 01, 10] {PUSH EAX; INC EDI; ADD [EAX], EDX} .text C:\WINDOWS\system32\svchost.exe[1644] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\svchost.exe[1644] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\svchost.exe[1644] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1644] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\WINDOWS\system32\svchost.exe[1644] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\svchost.exe[1644] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\svchost.exe[1644] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\svchost.exe[1644] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[1644] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[1644] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[1644] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\spoolsv.exe[1880] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1880] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\spoolsv.exe[1880] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1880] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\spoolsv.exe[1880] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1880] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\spoolsv.exe[1880] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1880] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\system32\spoolsv.exe[1880] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\spoolsv.exe[1880] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\spoolsv.exe[1880] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\spoolsv.exe[1880] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [C0, 46, 01, 10] {ROL BYTE [ESI+0x1], 0x10} .text C:\WINDOWS\system32\spoolsv.exe[1880] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [50, 47, 01, 10] {PUSH EAX; INC EDI; ADD [EAX], EDX} .text C:\WINDOWS\system32\spoolsv.exe[1880] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\spoolsv.exe[1880] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\spoolsv.exe[1880] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1880] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\WINDOWS\system32\spoolsv.exe[1880] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\spoolsv.exe[1880] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\spoolsv.exe[1880] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\spoolsv.exe[1880] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\spoolsv.exe[1880] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\spoolsv.exe[1880] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\spoolsv.exe[1880] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A .text C:\WINDOWS\System32\SCardSvr.exe[1928] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\SCardSvr.exe[1928] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\System32\SCardSvr.exe[1928] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\SCardSvr.exe[1928] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\System32\SCardSvr.exe[1928] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\SCardSvr.exe[1928] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\System32\SCardSvr.exe[1928] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\SCardSvr.exe[1928] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\System32\SCardSvr.exe[1928] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\System32\SCardSvr.exe[1928] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\System32\SCardSvr.exe[1928] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\System32\SCardSvr.exe[1928] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A .text C:\WINDOWS\System32\SCardSvr.exe[1928] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A .text C:\WINDOWS\System32\SCardSvr.exe[1928] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A .text C:\WINDOWS\System32\SCardSvr.exe[1928] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\System32\SCardSvr.exe[1928] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\WINDOWS\System32\SCardSvr.exe[1928] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\WINDOWS\System32\SCardSvr.exe[1928] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\WINDOWS\System32\SCardSvr.exe[1928] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [C0, 46, 01, 10] {ROL BYTE [ESI+0x1], 0x10} .text C:\WINDOWS\System32\SCardSvr.exe[1928] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [50, 47, 01, 10] {PUSH EAX; INC EDI; ADD [EAX], EDX} .text C:\WINDOWS\System32\SCardSvr.exe[1928] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\WINDOWS\System32\SCardSvr.exe[1928] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\System32\SCardSvr.exe[1928] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\SCardSvr.exe[1928] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\WINDOWS\system32\svchost.exe[1976] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1976] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\svchost.exe[1976] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1976] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\svchost.exe[1976] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1976] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\svchost.exe[1976] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1976] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\system32\svchost.exe[1976] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\svchost.exe[1976] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\svchost.exe[1976] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\svchost.exe[1976] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [C0, 46, 01, 10] {ROL BYTE [ESI+0x1], 0x10} .text C:\WINDOWS\system32\svchost.exe[1976] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [50, 47, 01, 10] {PUSH EAX; INC EDI; ADD [EAX], EDX} .text C:\WINDOWS\system32\svchost.exe[1976] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\svchost.exe[1976] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\svchost.exe[1976] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1976] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\WINDOWS\system32\svchost.exe[1976] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\svchost.exe[1976] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\svchost.exe[1976] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\svchost.exe[1976] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[1976] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[1976] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[1976] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe[2008] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe[2008] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe[2008] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe[2008] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe[2008] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe[2008] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe[2008] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe[2008] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe[2008] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe[2008] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe[2008] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe[2008] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [C0, 46, 01, 10] {ROL BYTE [ESI+0x1], 0x10} .text C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe[2008] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [50, 47, 01, 10] {PUSH EAX; INC EDI; ADD [EAX], EDX} .text C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe[2008] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe[2008] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe[2008] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe[2008] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe[2008] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A .text C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe[2008] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A .text C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe[2008] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A .text C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe[2008] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe[2008] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe[2008] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe[2008] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[2020] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[2020] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[2020] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[2020] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[2020] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[2020] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[2020] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[2020] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[2020] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[2020] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[2020] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[2020] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [C0, 46, 01, 10] {ROL BYTE [ESI+0x1], 0x10} .text C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[2020] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [50, 47, 01, 10] {PUSH EAX; INC EDI; ADD [EAX], EDX} .text C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[2020] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[2020] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[2020] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[2020] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[2020] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A .text C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[2020] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A .text C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[2020] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A .text C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[2020] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[2020] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[2020] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[2020] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\IPSSVC.EXE[2036] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\IPSSVC.EXE[2036] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\IPSSVC.EXE[2036] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\IPSSVC.EXE[2036] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\IPSSVC.EXE[2036] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\IPSSVC.EXE[2036] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\IPSSVC.EXE[2036] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\IPSSVC.EXE[2036] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\system32\IPSSVC.EXE[2036] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\IPSSVC.EXE[2036] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\IPSSVC.EXE[2036] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\IPSSVC.EXE[2036] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\IPSSVC.EXE[2036] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\IPSSVC.EXE[2036] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\IPSSVC.EXE[2036] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\IPSSVC.EXE[2036] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\IPSSVC.EXE[2036] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\IPSSVC.EXE[2036] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\IPSSVC.EXE[2036] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [C0, 46, 91, 00] {ROL BYTE [ESI-0x6f], 0x0} .text C:\WINDOWS\system32\IPSSVC.EXE[2036] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [50, 47, 91, 00] .text C:\WINDOWS\system32\IPSSVC.EXE[2036] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\IPSSVC.EXE[2036] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\IPSSVC.EXE[2036] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\IPSSVC.EXE[2036] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\WINDOWS\vsnpstd.exe[2092] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\vsnpstd.exe[2092] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\vsnpstd.exe[2092] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\vsnpstd.exe[2092] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\vsnpstd.exe[2092] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\vsnpstd.exe[2092] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\vsnpstd.exe[2092] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\vsnpstd.exe[2092] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\vsnpstd.exe[2092] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\vsnpstd.exe[2092] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\vsnpstd.exe[2092] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\vsnpstd.exe[2092] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\vsnpstd.exe[2092] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\WINDOWS\vsnpstd.exe[2092] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\WINDOWS\vsnpstd.exe[2092] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\WINDOWS\vsnpstd.exe[2092] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A .text C:\WINDOWS\vsnpstd.exe[2092] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A .text C:\WINDOWS\vsnpstd.exe[2092] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A .text C:\WINDOWS\vsnpstd.exe[2092] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\WINDOWS\vsnpstd.exe[2092] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\vsnpstd.exe[2092] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\vsnpstd.exe[2092] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\Program Files\LENOVO\HOTKEY\tposdsvc.exe[2112] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\LENOVO\HOTKEY\tposdsvc.exe[2112] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\LENOVO\HOTKEY\tposdsvc.exe[2112] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\LENOVO\HOTKEY\tposdsvc.exe[2112] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\LENOVO\HOTKEY\tposdsvc.exe[2112] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\LENOVO\HOTKEY\tposdsvc.exe[2112] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\LENOVO\HOTKEY\tposdsvc.exe[2112] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\Program Files\LENOVO\HOTKEY\tposdsvc.exe[2112] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\Program Files\LENOVO\HOTKEY\tposdsvc.exe[2112] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\LENOVO\HOTKEY\tposdsvc.exe[2112] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\Program Files\LENOVO\HOTKEY\tposdsvc.exe[2112] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\Program Files\LENOVO\HOTKEY\tposdsvc.exe[2112] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [C0, 46, 01, 10] {ROL BYTE [ESI+0x1], 0x10} .text C:\Program Files\LENOVO\HOTKEY\tposdsvc.exe[2112] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [50, 47, 01, 10] {PUSH EAX; INC EDI; ADD [EAX], EDX} .text C:\Program Files\LENOVO\HOTKEY\tposdsvc.exe[2112] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\Program Files\LENOVO\HOTKEY\tposdsvc.exe[2112] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\Program Files\LENOVO\HOTKEY\tposdsvc.exe[2112] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\Program Files\LENOVO\HOTKEY\tposdsvc.exe[2112] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\Program Files\LENOVO\HOTKEY\tposdsvc.exe[2112] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A .text C:\Program Files\LENOVO\HOTKEY\tposdsvc.exe[2112] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A .text C:\Program Files\LENOVO\HOTKEY\tposdsvc.exe[2112] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A .text C:\Program Files\LENOVO\HOTKEY\tposdsvc.exe[2112] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\Program Files\LENOVO\HOTKEY\tposdsvc.exe[2112] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\Program Files\LENOVO\HOTKEY\tposdsvc.exe[2112] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\Program Files\LENOVO\HOTKEY\tposdsvc.exe[2112] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\Program Files\AVG Secure Search\vprot.exe[2124] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVG Secure Search\vprot.exe[2124] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\AVG Secure Search\vprot.exe[2124] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVG Secure Search\vprot.exe[2124] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\AVG Secure Search\vprot.exe[2124] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVG Secure Search\vprot.exe[2124] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\AVG Secure Search\vprot.exe[2124] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVG Secure Search\vprot.exe[2124] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\Program Files\AVG Secure Search\vprot.exe[2124] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\AVG Secure Search\vprot.exe[2124] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\Program Files\AVG Secure Search\vprot.exe[2124] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\Program Files\AVG Secure Search\vprot.exe[2124] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\Program Files\AVG Secure Search\vprot.exe[2124] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\Program Files\AVG Secure Search\vprot.exe[2124] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\Program Files\AVG Secure Search\vprot.exe[2124] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\Program Files\AVG Secure Search\vprot.exe[2124] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A .text C:\Program Files\AVG Secure Search\vprot.exe[2124] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A .text C:\Program Files\AVG Secure Search\vprot.exe[2124] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A .text C:\Program Files\AVG Secure Search\vprot.exe[2124] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\Program Files\AVG Secure Search\vprot.exe[2124] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\Program Files\AVG Secure Search\vprot.exe[2124] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVG Secure Search\vprot.exe[2124] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\WINDOWS\Explorer.EXE[2244] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[2244] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\Explorer.EXE[2244] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[2244] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\Explorer.EXE[2244] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[2244] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\Explorer.EXE[2244] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[2244] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\Explorer.EXE[2244] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\Explorer.EXE[2244] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\Explorer.EXE[2244] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\Explorer.EXE[2244] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [C0, 46, 01, 10] {ROL BYTE [ESI+0x1], 0x10} .text C:\WINDOWS\Explorer.EXE[2244] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [50, 47, 01, 10] {PUSH EAX; INC EDI; ADD [EAX], EDX} .text C:\WINDOWS\Explorer.EXE[2244] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\WINDOWS\Explorer.EXE[2244] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\Explorer.EXE[2244] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[2244] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\WINDOWS\Explorer.EXE[2244] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\Explorer.EXE[2244] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\WINDOWS\Explorer.EXE[2244] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\WINDOWS\Explorer.EXE[2244] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\WINDOWS\Explorer.EXE[2244] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A .text C:\WINDOWS\Explorer.EXE[2244] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A .text C:\WINDOWS\Explorer.EXE[2244] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A .text C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe[2248] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe[2248] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe[2248] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe[2248] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [71, 71] {JNO 0x73} .text C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe[2248] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe[2248] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [6E, 71] .text C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe[2248] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe[2248] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe[2248] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe[2248] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe[2248] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe[2248] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe[2248] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe[2248] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe[2248] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe[2248] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7178000A .text C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe[2248] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717B000A .text C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe[2248] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7175000A .text C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe[2248] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 717E000A .text C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe[2248] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe[2248] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe[2248] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\Program Files\Lenovo\Zoom\TpScrex.exe[2260] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Lenovo\Zoom\TpScrex.exe[2260] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\Lenovo\Zoom\TpScrex.exe[2260] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Lenovo\Zoom\TpScrex.exe[2260] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\Lenovo\Zoom\TpScrex.exe[2260] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Lenovo\Zoom\TpScrex.exe[2260] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\Lenovo\Zoom\TpScrex.exe[2260] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\Program Files\Lenovo\Zoom\TpScrex.exe[2260] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\Program Files\Lenovo\Zoom\TpScrex.exe[2260] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\Lenovo\Zoom\TpScrex.exe[2260] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\Program Files\Lenovo\Zoom\TpScrex.exe[2260] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\Program Files\Lenovo\Zoom\TpScrex.exe[2260] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\Program Files\Lenovo\Zoom\TpScrex.exe[2260] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\Program Files\Lenovo\Zoom\TpScrex.exe[2260] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\Program Files\Lenovo\Zoom\TpScrex.exe[2260] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\Program Files\Lenovo\Zoom\TpScrex.exe[2260] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A .text C:\Program Files\Lenovo\Zoom\TpScrex.exe[2260] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A .text C:\Program Files\Lenovo\Zoom\TpScrex.exe[2260] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A .text C:\Program Files\Lenovo\Zoom\TpScrex.exe[2260] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\Program Files\Lenovo\Zoom\TpScrex.exe[2260] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\Program Files\Lenovo\Zoom\TpScrex.exe[2260] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\Program Files\Lenovo\Zoom\TpScrex.exe[2260] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\svchost.exe[2292] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[2292] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\svchost.exe[2292] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[2292] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\svchost.exe[2292] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[2292] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\svchost.exe[2292] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[2292] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\system32\svchost.exe[2292] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\svchost.exe[2292] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\svchost.exe[2292] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\svchost.exe[2292] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [C0, 46, 01, 10] {ROL BYTE [ESI+0x1], 0x10} .text C:\WINDOWS\system32\svchost.exe[2292] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [50, 47, 01, 10] {PUSH EAX; INC EDI; ADD [EAX], EDX} .text C:\WINDOWS\system32\svchost.exe[2292] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\svchost.exe[2292] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\svchost.exe[2292] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[2292] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\WINDOWS\system32\svchost.exe[2292] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\svchost.exe[2292] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\svchost.exe[2292] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\svchost.exe[2292] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[2292] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[2292] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[2292] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2332] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2332] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2332] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2332] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2332] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2332] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2332] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2332] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2332] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2332] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2332] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2332] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2332] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2332] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2332] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2332] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2332] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2332] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2332] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2332] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2332] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2332] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\PrintDisp.exe[2384] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\PrintDisp.exe[2384] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\PrintDisp.exe[2384] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\PrintDisp.exe[2384] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\PrintDisp.exe[2384] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\PrintDisp.exe[2384] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\PrintDisp.exe[2384] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\PrintDisp.exe[2384] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\system32\PrintDisp.exe[2384] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\PrintDisp.exe[2384] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\PrintDisp.exe[2384] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\PrintDisp.exe[2384] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\PrintDisp.exe[2384] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\PrintDisp.exe[2384] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\PrintDisp.exe[2384] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\WINDOWS\system32\PrintDisp.exe[2384] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\PrintDisp.exe[2384] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\PrintDisp.exe[2384] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\PrintDisp.exe[2384] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\PrintDisp.exe[2384] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\PrintDisp.exe[2384] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\PrintDisp.exe[2384] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A .text C:\Program Files\Apoint2K\Apntex.exe[2444] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Apoint2K\Apntex.exe[2444] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\Apoint2K\Apntex.exe[2444] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Apoint2K\Apntex.exe[2444] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\Apoint2K\Apntex.exe[2444] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Apoint2K\Apntex.exe[2444] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\Apoint2K\Apntex.exe[2444] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\Program Files\Apoint2K\Apntex.exe[2444] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\Program Files\Apoint2K\Apntex.exe[2444] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\Apoint2K\Apntex.exe[2444] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\Program Files\Apoint2K\Apntex.exe[2444] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\Program Files\Apoint2K\Apntex.exe[2444] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A .text C:\Program Files\Apoint2K\Apntex.exe[2444] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A .text C:\Program Files\Apoint2K\Apntex.exe[2444] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A .text C:\Program Files\Apoint2K\Apntex.exe[2444] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\Program Files\Apoint2K\Apntex.exe[2444] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\Program Files\Apoint2K\Apntex.exe[2444] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\Program Files\Apoint2K\Apntex.exe[2444] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\Program Files\Apoint2K\Apntex.exe[2444] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\Program Files\Apoint2K\Apntex.exe[2444] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\Program Files\Apoint2K\Apntex.exe[2444] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\Program Files\Apoint2K\Apntex.exe[2444] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\Program Files\Brother\ControlCenter3\brccMCtl.exe[2592] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Brother\ControlCenter3\brccMCtl.exe[2592] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\Brother\ControlCenter3\brccMCtl.exe[2592] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Brother\ControlCenter3\brccMCtl.exe[2592] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\Brother\ControlCenter3\brccMCtl.exe[2592] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Brother\ControlCenter3\brccMCtl.exe[2592] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\Brother\ControlCenter3\brccMCtl.exe[2592] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\Program Files\Brother\ControlCenter3\brccMCtl.exe[2592] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\Program Files\Brother\ControlCenter3\brccMCtl.exe[2592] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\Brother\ControlCenter3\brccMCtl.exe[2592] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\Program Files\Brother\ControlCenter3\brccMCtl.exe[2592] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\Program Files\Brother\ControlCenter3\brccMCtl.exe[2592] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\Program Files\Brother\ControlCenter3\brccMCtl.exe[2592] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\Program Files\Brother\ControlCenter3\brccMCtl.exe[2592] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\Program Files\Brother\ControlCenter3\brccMCtl.exe[2592] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\Program Files\Brother\ControlCenter3\brccMCtl.exe[2592] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A .text C:\Program Files\Brother\ControlCenter3\brccMCtl.exe[2592] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A .text C:\Program Files\Brother\ControlCenter3\brccMCtl.exe[2592] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A .text C:\Program Files\Brother\ControlCenter3\brccMCtl.exe[2592] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [C0, 46, 01, 10] {ROL BYTE [ESI+0x1], 0x10} .text C:\Program Files\Brother\ControlCenter3\brccMCtl.exe[2592] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [50, 47, 01, 10] {PUSH EAX; INC EDI; ADD [EAX], EDX} .text C:\Program Files\Brother\ControlCenter3\brccMCtl.exe[2592] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\Program Files\Brother\ControlCenter3\brccMCtl.exe[2592] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\Program Files\Brother\ControlCenter3\brccMCtl.exe[2592] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\Program Files\Brother\ControlCenter3\brccMCtl.exe[2592] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\Program Files\Lenovo\System Update\SUService.exe[2624] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Lenovo\System Update\SUService.exe[2624] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\Lenovo\System Update\SUService.exe[2624] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Lenovo\System Update\SUService.exe[2624] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\Lenovo\System Update\SUService.exe[2624] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Lenovo\System Update\SUService.exe[2624] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\Lenovo\System Update\SUService.exe[2624] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\Program Files\Lenovo\System Update\SUService.exe[2624] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\Program Files\Lenovo\System Update\SUService.exe[2624] KERNEL32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\Lenovo\System Update\SUService.exe[2624] KERNEL32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\Program Files\Lenovo\System Update\SUService.exe[2624] KERNEL32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\Program Files\Lenovo\System Update\SUService.exe[2624] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A .text C:\Program Files\Lenovo\System Update\SUService.exe[2624] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A .text C:\Program Files\Lenovo\System Update\SUService.exe[2624] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A .text C:\Program Files\Lenovo\System Update\SUService.exe[2624] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\Program Files\Lenovo\System Update\SUService.exe[2624] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\Program Files\Lenovo\System Update\SUService.exe[2624] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\Program Files\Lenovo\System Update\SUService.exe[2624] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\Program Files\Lenovo\System Update\SUService.exe[2624] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [C0, 46, 01, 10] {ROL BYTE [ESI+0x1], 0x10} .text C:\Program Files\Lenovo\System Update\SUService.exe[2624] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [50, 47, 01, 10] {PUSH EAX; INC EDI; ADD [EAX], EDX} .text C:\Program Files\Lenovo\System Update\SUService.exe[2624] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\Program Files\Lenovo\System Update\SUService.exe[2624] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\Program Files\Lenovo\System Update\SUService.exe[2624] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\Program Files\Lenovo\System Update\SUService.exe[2624] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\WINDOWS\System32\alg.exe[2684] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\alg.exe[2684] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\System32\alg.exe[2684] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\alg.exe[2684] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [6F, 71] .text C:\WINDOWS\System32\alg.exe[2684] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\alg.exe[2684] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [6C, 71] .text C:\WINDOWS\System32\alg.exe[2684] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\alg.exe[2684] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A3, 71] .text C:\WINDOWS\System32\alg.exe[2684] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\System32\alg.exe[2684] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 7197000A .text C:\WINDOWS\System32\alg.exe[2684] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 7194000A .text C:\WINDOWS\System32\alg.exe[2684] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7176000A .text C:\WINDOWS\System32\alg.exe[2684] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7179000A .text C:\WINDOWS\System32\alg.exe[2684] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7173000A .text C:\WINDOWS\System32\alg.exe[2684] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 717C000A .text C:\WINDOWS\System32\alg.exe[2684] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 717F000A .text C:\WINDOWS\System32\alg.exe[2684] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7185000A .text C:\WINDOWS\System32\alg.exe[2684] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7182000A .text C:\WINDOWS\System32\alg.exe[2684] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [C0, 46, 01, 10] {ROL BYTE [ESI+0x1], 0x10} .text C:\WINDOWS\System32\alg.exe[2684] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [50, 47, 01, 10] {PUSH EAX; INC EDI; ADD [EAX], EDX} .text C:\WINDOWS\System32\alg.exe[2684] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 718B000A .text C:\WINDOWS\System32\alg.exe[2684] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7191000A .text C:\WINDOWS\System32\alg.exe[2684] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\alg.exe[2684] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [8D, 71] .text C:\WINDOWS\system32\rundll32.exe[2740] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\rundll32.exe[2740] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\rundll32.exe[2740] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\rundll32.exe[2740] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\rundll32.exe[2740] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\rundll32.exe[2740] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\rundll32.exe[2740] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\rundll32.exe[2740] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\system32\rundll32.exe[2740] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\rundll32.exe[2740] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\rundll32.exe[2740] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\rundll32.exe[2740] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\rundll32.exe[2740] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\rundll32.exe[2740] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\rundll32.exe[2740] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\rundll32.exe[2740] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\rundll32.exe[2740] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\rundll32.exe[2740] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\rundll32.exe[2740] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\rundll32.exe[2740] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\rundll32.exe[2740] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\rundll32.exe[2740] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe[2828] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe[2828] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe[2828] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe[2828] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe[2828] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe[2828] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe[2828] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe[2828] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe[2828] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe[2828] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe[2828] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe[2828] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A .text C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe[2828] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A .text C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe[2828] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A .text C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe[2828] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe[2828] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe[2828] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe[2828] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe[2828] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [C0, 46, 01, 10] {ROL BYTE [ESI+0x1], 0x10} .text C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe[2828] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [50, 47, 01, 10] {PUSH EAX; INC EDI; ADD [EAX], EDX} .text C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe[2828] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe[2828] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe[2828] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe[2828] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2864] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2864] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2864] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2864] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2864] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2864] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [71, 71] {JNO 0x73} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2864] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2864] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2864] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2864] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2864] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2864] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2864] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2864] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2864] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [92, 71] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2864] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2864] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2864] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7178000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2864] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2864] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2864] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2864] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\wbem\unsecapp.exe[2868] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\unsecapp.exe[2868] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\wbem\unsecapp.exe[2868] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\unsecapp.exe[2868] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\wbem\unsecapp.exe[2868] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\unsecapp.exe[2868] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\wbem\unsecapp.exe[2868] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\unsecapp.exe[2868] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\system32\wbem\unsecapp.exe[2868] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\wbem\unsecapp.exe[2868] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\wbem\unsecapp.exe[2868] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\wbem\unsecapp.exe[2868] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\wbem\unsecapp.exe[2868] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\wbem\unsecapp.exe[2868] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\unsecapp.exe[2868] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\WINDOWS\system32\wbem\unsecapp.exe[2868] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\wbem\unsecapp.exe[2868] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\wbem\unsecapp.exe[2868] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\wbem\unsecapp.exe[2868] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\wbem\unsecapp.exe[2868] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\wbem\unsecapp.exe[2868] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\wbem\unsecapp.exe[2868] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A .text C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe[2892] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe[2892] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe[2892] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe[2892] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe[2892] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe[2892] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe[2892] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe[2892] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe[2892] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe[2892] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe[2892] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe[2892] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A .text C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe[2892] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A .text C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe[2892] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A .text C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe[2892] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe[2892] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe[2892] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe[2892] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe[2892] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe[2892] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe[2892] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe[2892] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\WINDOWS\system32\TpKmpSVC.exe[2920] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\TpKmpSVC.exe[2920] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\TpKmpSVC.exe[2920] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\TpKmpSVC.exe[2920] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\TpKmpSVC.exe[2920] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\TpKmpSVC.exe[2920] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\TpKmpSVC.exe[2920] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\TpKmpSVC.exe[2920] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\system32\TpKmpSVC.exe[2920] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\TpKmpSVC.exe[2920] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\TpKmpSVC.exe[2920] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\TpKmpSVC.exe[2920] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\TpKmpSVC.exe[2920] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\TpKmpSVC.exe[2920] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\TpKmpSVC.exe[2920] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\TpKmpSVC.exe[2920] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\TpKmpSVC.exe[2920] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\TpKmpSVC.exe[2920] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\TpKmpSVC.exe[2920] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [C0, 46, 01, 10] {ROL BYTE [ESI+0x1], 0x10} .text C:\WINDOWS\system32\TpKmpSVC.exe[2920] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [50, 47, 01, 10] {PUSH EAX; INC EDI; ADD [EAX], EDX} .text C:\WINDOWS\system32\TpKmpSVC.exe[2920] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\TpKmpSVC.exe[2920] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\TpKmpSVC.exe[2920] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\TpKmpSVC.exe[2920] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe[2940] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe[2940] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe[2940] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe[2940] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe[2940] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe[2940] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe[2940] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe[2940] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe[2940] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe[2940] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe[2940] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe[2940] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [C0, 46, 01, 10] {ROL BYTE [ESI+0x1], 0x10} .text C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe[2940] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [50, 47, 01, 10] {PUSH EAX; INC EDI; ADD [EAX], EDX} .text C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe[2940] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe[2940] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe[2940] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe[2940] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe[2940] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe[2940] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe[2940] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe[2940] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe[2940] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A .text C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe[2940] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A .text C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe[2940] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A .text F:\3luk3okm.exe[3048] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text F:\3luk3okm.exe[3048] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text F:\3luk3okm.exe[3048] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text F:\3luk3okm.exe[3048] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [77, 71] {JA 0x73} .text F:\3luk3okm.exe[3048] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text F:\3luk3okm.exe[3048] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [74, 71] {JZ 0x73} .text F:\3luk3okm.exe[3048] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text F:\3luk3okm.exe[3048] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text F:\3luk3okm.exe[3048] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text F:\3luk3okm.exe[3048] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text F:\3luk3okm.exe[3048] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text F:\3luk3okm.exe[3048] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A .text F:\3luk3okm.exe[3048] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A .text F:\3luk3okm.exe[3048] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A .text F:\3luk3okm.exe[3048] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text F:\3luk3okm.exe[3048] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text F:\3luk3okm.exe[3048] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text F:\3luk3okm.exe[3048] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text F:\3luk3okm.exe[3048] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [C0, 46, 01, 10] {ROL BYTE [ESI+0x1], 0x10} .text F:\3luk3okm.exe[3048] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [50, 47, 01, 10] {PUSH EAX; INC EDI; ADD [EAX], EDX} .text F:\3luk3okm.exe[3048] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text F:\3luk3okm.exe[3048] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text F:\3luk3okm.exe[3048] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text F:\3luk3okm.exe[3048] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3100] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3100] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3100] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3100] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3100] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3100] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [71, 71] {JNO 0x73} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3100] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3100] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3100] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3100] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3100] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3100] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3100] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3100] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3100] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [92, 71] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3100] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3100] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3100] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7178000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3100] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3100] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3100] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3100] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7187000A .text C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe[3128] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe[3128] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe[3128] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe[3128] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe[3128] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe[3128] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe[3128] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe[3128] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe[3128] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe[3128] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe[3128] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe[3128] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [C0, 46, D9, 00] {ROL BYTE [ESI-0x27], 0x0} .text C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe[3128] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [50, 47, D9, 00] {PUSH EAX; INC EDI; FLD DWORD [EAX]} .text C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe[3128] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe[3128] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe[3128] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe[3128] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe[3128] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe[3128] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe[3128] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe[3128] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe[3128] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A .text C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe[3128] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A .text C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe[3128] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3168] ntdll.dll!NtAllocateVirtualMemory 7C90CF6E 5 Bytes JMP 00401200 C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3168] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00401000 C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe .text C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe[3172] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe[3172] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe[3172] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe[3172] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe[3172] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe[3172] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe[3172] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe[3172] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe[3172] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe[3172] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe[3172] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe[3172] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [C0, 46, 01, 10] {ROL BYTE [ESI+0x1], 0x10} .text C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe[3172] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [50, 47, 01, 10] {PUSH EAX; INC EDI; ADD [EAX], EDX} .text C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe[3172] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe[3172] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe[3172] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe[3172] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe[3172] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe[3172] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe[3172] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe[3172] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe[3172] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A .text C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe[3172] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A .text C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe[3172] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.4.0\ToolbarUpdater.exe[3272] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.4.0\ToolbarUpdater.exe[3272] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.4.0\ToolbarUpdater.exe[3272] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.4.0\ToolbarUpdater.exe[3272] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.4.0\ToolbarUpdater.exe[3272] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.4.0\ToolbarUpdater.exe[3272] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.4.0\ToolbarUpdater.exe[3272] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.4.0\ToolbarUpdater.exe[3272] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.4.0\ToolbarUpdater.exe[3272] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.4.0\ToolbarUpdater.exe[3272] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.4.0\ToolbarUpdater.exe[3272] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.4.0\ToolbarUpdater.exe[3272] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.4.0\ToolbarUpdater.exe[3272] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.4.0\ToolbarUpdater.exe[3272] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.4.0\ToolbarUpdater.exe[3272] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.4.0\ToolbarUpdater.exe[3272] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.4.0\ToolbarUpdater.exe[3272] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.4.0\ToolbarUpdater.exe[3272] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.4.0\ToolbarUpdater.exe[3272] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [C0, 46, 01, 10] {ROL BYTE [ESI+0x1], 0x10} .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.4.0\ToolbarUpdater.exe[3272] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [50, 47, 01, 10] {PUSH EAX; INC EDI; ADD [EAX], EDX} .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.4.0\ToolbarUpdater.exe[3272] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.4.0\ToolbarUpdater.exe[3272] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.4.0\ToolbarUpdater.exe[3272] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.4.0\ToolbarUpdater.exe[3272] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.4.0\loggingserver.exe[3396] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.4.0\loggingserver.exe[3396] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.4.0\loggingserver.exe[3396] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.4.0\loggingserver.exe[3396] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.4.0\loggingserver.exe[3396] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.4.0\loggingserver.exe[3396] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [71, 71] {JNO 0x73} .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.4.0\loggingserver.exe[3396] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.4.0\loggingserver.exe[3396] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.4.0\loggingserver.exe[3396] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.4.0\loggingserver.exe[3396] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719C000A .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.4.0\loggingserver.exe[3396] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 7199000A .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.4.0\loggingserver.exe[3396] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7190000A .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.4.0\loggingserver.exe[3396] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7196000A .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.4.0\loggingserver.exe[3396] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.4.0\loggingserver.exe[3396] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [92, 71] .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.4.0\loggingserver.exe[3396] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717B000A .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.4.0\loggingserver.exe[3396] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717E000A .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.4.0\loggingserver.exe[3396] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7178000A .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.4.0\loggingserver.exe[3396] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7181000A .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.4.0\loggingserver.exe[3396] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7184000A .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.4.0\loggingserver.exe[3396] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718A000A .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.4.0\loggingserver.exe[3396] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\TpShocks.exe[3480] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\TpShocks.exe[3480] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\TpShocks.exe[3480] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\TpShocks.exe[3480] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\TpShocks.exe[3480] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\TpShocks.exe[3480] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\TpShocks.exe[3480] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\TpShocks.exe[3480] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\system32\TpShocks.exe[3480] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\TpShocks.exe[3480] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\TpShocks.exe[3480] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\TpShocks.exe[3480] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\TpShocks.exe[3480] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\TpShocks.exe[3480] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\TpShocks.exe[3480] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\WINDOWS\system32\TpShocks.exe[3480] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\TpShocks.exe[3480] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\TpShocks.exe[3480] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\TpShocks.exe[3480] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\TpShocks.exe[3480] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\TpShocks.exe[3480] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\TpShocks.exe[3480] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\ctfmon.exe[3576] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\ctfmon.exe[3576] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\ctfmon.exe[3576] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\ctfmon.exe[3576] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\ctfmon.exe[3576] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\ctfmon.exe[3576] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\ctfmon.exe[3576] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\ctfmon.exe[3576] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\system32\ctfmon.exe[3576] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\ctfmon.exe[3576] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\ctfmon.exe[3576] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\ctfmon.exe[3576] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\ctfmon.exe[3576] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\ctfmon.exe[3576] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\ctfmon.exe[3576] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\WINDOWS\system32\ctfmon.exe[3576] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\ctfmon.exe[3576] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\ctfmon.exe[3576] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\ctfmon.exe[3576] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\ctfmon.exe[3576] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\ctfmon.exe[3576] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\ctfmon.exe[3576] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\igfxtray.exe[3664] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\igfxtray.exe[3664] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\igfxtray.exe[3664] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\igfxtray.exe[3664] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\igfxtray.exe[3664] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\igfxtray.exe[3664] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\igfxtray.exe[3664] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\igfxtray.exe[3664] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\system32\igfxtray.exe[3664] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\igfxtray.exe[3664] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\igfxtray.exe[3664] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\igfxtray.exe[3664] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\igfxtray.exe[3664] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\igfxtray.exe[3664] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\igfxtray.exe[3664] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\igfxtray.exe[3664] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\igfxtray.exe[3664] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\igfxtray.exe[3664] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\igfxtray.exe[3664] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\igfxtray.exe[3664] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\igfxtray.exe[3664] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\igfxtray.exe[3664] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\WINDOWS\system32\hkcmd.exe[3680] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\hkcmd.exe[3680] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\hkcmd.exe[3680] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\hkcmd.exe[3680] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\hkcmd.exe[3680] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\hkcmd.exe[3680] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\hkcmd.exe[3680] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\hkcmd.exe[3680] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\system32\hkcmd.exe[3680] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\hkcmd.exe[3680] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\hkcmd.exe[3680] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\hkcmd.exe[3680] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\hkcmd.exe[3680] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\hkcmd.exe[3680] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\hkcmd.exe[3680] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\hkcmd.exe[3680] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\hkcmd.exe[3680] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\hkcmd.exe[3680] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\hkcmd.exe[3680] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\hkcmd.exe[3680] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\hkcmd.exe[3680] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\hkcmd.exe[3680] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\WINDOWS\system32\igfxpers.exe[3688] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\igfxpers.exe[3688] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\igfxpers.exe[3688] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\igfxpers.exe[3688] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\igfxpers.exe[3688] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\igfxpers.exe[3688] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\igfxpers.exe[3688] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\igfxpers.exe[3688] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\system32\igfxpers.exe[3688] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\igfxpers.exe[3688] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\igfxpers.exe[3688] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\igfxpers.exe[3688] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\igfxpers.exe[3688] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\igfxpers.exe[3688] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\igfxpers.exe[3688] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\igfxpers.exe[3688] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\igfxpers.exe[3688] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\igfxpers.exe[3688] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\igfxpers.exe[3688] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\igfxpers.exe[3688] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\igfxpers.exe[3688] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\igfxpers.exe[3688] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\Program Files\Apoint2K\Apoint.exe[3712] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Apoint2K\Apoint.exe[3712] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\Apoint2K\Apoint.exe[3712] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Apoint2K\Apoint.exe[3712] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\Apoint2K\Apoint.exe[3712] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Apoint2K\Apoint.exe[3712] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\Apoint2K\Apoint.exe[3712] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\Program Files\Apoint2K\Apoint.exe[3712] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\Program Files\Apoint2K\Apoint.exe[3712] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\Apoint2K\Apoint.exe[3712] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\Program Files\Apoint2K\Apoint.exe[3712] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\Program Files\Apoint2K\Apoint.exe[3712] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A .text C:\Program Files\Apoint2K\Apoint.exe[3712] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A .text C:\Program Files\Apoint2K\Apoint.exe[3712] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A .text C:\Program Files\Apoint2K\Apoint.exe[3712] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\Program Files\Apoint2K\Apoint.exe[3712] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\Program Files\Apoint2K\Apoint.exe[3712] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\Program Files\Apoint2K\Apoint.exe[3712] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\Program Files\Apoint2K\Apoint.exe[3712] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\Program Files\Apoint2K\Apoint.exe[3712] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\Program Files\Apoint2K\Apoint.exe[3712] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\Program Files\Apoint2K\Apoint.exe[3712] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\Program Files\Lenovo\VIRTSCRL\virtscrl.exe[3720] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Lenovo\VIRTSCRL\virtscrl.exe[3720] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\Lenovo\VIRTSCRL\virtscrl.exe[3720] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Lenovo\VIRTSCRL\virtscrl.exe[3720] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\Lenovo\VIRTSCRL\virtscrl.exe[3720] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Lenovo\VIRTSCRL\virtscrl.exe[3720] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\Lenovo\VIRTSCRL\virtscrl.exe[3720] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\Program Files\Lenovo\VIRTSCRL\virtscrl.exe[3720] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\Program Files\Lenovo\VIRTSCRL\virtscrl.exe[3720] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\Lenovo\VIRTSCRL\virtscrl.exe[3720] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\Program Files\Lenovo\VIRTSCRL\virtscrl.exe[3720] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\Program Files\Lenovo\VIRTSCRL\virtscrl.exe[3720] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\Program Files\Lenovo\VIRTSCRL\virtscrl.exe[3720] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\Program Files\Lenovo\VIRTSCRL\virtscrl.exe[3720] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\Program Files\Lenovo\VIRTSCRL\virtscrl.exe[3720] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\Program Files\Lenovo\VIRTSCRL\virtscrl.exe[3720] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A .text C:\Program Files\Lenovo\VIRTSCRL\virtscrl.exe[3720] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A .text C:\Program Files\Lenovo\VIRTSCRL\virtscrl.exe[3720] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A .text C:\Program Files\Lenovo\VIRTSCRL\virtscrl.exe[3720] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\Program Files\Lenovo\VIRTSCRL\virtscrl.exe[3720] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\Program Files\Lenovo\VIRTSCRL\virtscrl.exe[3720] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\Program Files\Lenovo\VIRTSCRL\virtscrl.exe[3720] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\rundll32.exe[3732] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\rundll32.exe[3732] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\rundll32.exe[3732] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\rundll32.exe[3732] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\rundll32.exe[3732] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\rundll32.exe[3732] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\rundll32.exe[3732] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\rundll32.exe[3732] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\system32\rundll32.exe[3732] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\rundll32.exe[3732] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\rundll32.exe[3732] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\rundll32.exe[3732] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\rundll32.exe[3732] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\rundll32.exe[3732] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\rundll32.exe[3732] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\rundll32.exe[3732] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\rundll32.exe[3732] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\rundll32.exe[3732] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\rundll32.exe[3732] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [C0, 46, 01, 10] {ROL BYTE [ESI+0x1], 0x10} .text C:\WINDOWS\system32\rundll32.exe[3732] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [50, 47, 01, 10] {PUSH EAX; INC EDI; ADD [EAX], EDX} .text C:\WINDOWS\system32\rundll32.exe[3732] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\rundll32.exe[3732] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\rundll32.exe[3732] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\rundll32.exe[3732] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe[3740] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe[3740] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe[3740] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe[3740] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe[3740] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe[3740] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe[3740] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe[3740] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe[3740] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe[3740] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe[3740] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe[3740] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A .text C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe[3740] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A .text C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe[3740] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A .text C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe[3740] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe[3740] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe[3740] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe[3740] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe[3740] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe[3740] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe[3740] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe[3740] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe[3760] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe[3760] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe[3760] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe[3760] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe[3760] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe[3760] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe[3760] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe[3760] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe[3760] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe[3760] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe[3760] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe[3760] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [C0, 46, 01, 10] {ROL BYTE [ESI+0x1], 0x10} .text C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe[3760] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [50, 47, 01, 10] {PUSH EAX; INC EDI; ADD [EAX], EDX} .text C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe[3760] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe[3760] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe[3760] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe[3760] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe[3760] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A .text C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe[3760] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A .text C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe[3760] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A .text C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe[3760] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe[3760] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe[3760] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe[3760] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe[3768] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe[3768] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe[3768] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe[3768] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [77, 71] {JA 0x73} .text C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe[3768] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe[3768] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [74, 71] {JZ 0x73} .text C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe[3768] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe[3768] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe[3768] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe[3768] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe[3768] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe[3768] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe[3768] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe[3768] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe[3768] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe[3768] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe[3768] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe[3768] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe[3768] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe[3768] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A .text C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe[3768] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A .text C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe[3768] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\igfxsrvc.exe[3776] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\igfxsrvc.exe[3776] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\igfxsrvc.exe[3776] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\igfxsrvc.exe[3776] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\igfxsrvc.exe[3776] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\igfxsrvc.exe[3776] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\igfxsrvc.exe[3776] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\igfxsrvc.exe[3776] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\system32\igfxsrvc.exe[3776] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\igfxsrvc.exe[3776] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\igfxsrvc.exe[3776] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\igfxsrvc.exe[3776] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\igfxsrvc.exe[3776] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\igfxsrvc.exe[3776] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\igfxsrvc.exe[3776] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\igfxsrvc.exe[3776] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\igfxsrvc.exe[3776] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\igfxsrvc.exe[3776] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\igfxsrvc.exe[3776] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\igfxsrvc.exe[3776] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\igfxsrvc.exe[3776] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\igfxsrvc.exe[3776] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe[3816] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe[3816] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe[3816] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe[3816] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [77, 71] {JA 0x73} .text C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe[3816] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe[3816] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [74, 71] {JZ 0x73} .text C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe[3816] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe[3816] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe[3816] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe[3816] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe[3816] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe[3816] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe[3816] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe[3816] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe[3816] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe[3816] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe[3816] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe[3816] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe[3816] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe[3816] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A .text C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe[3816] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A .text C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe[3816] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A .text C:\PROGRA~1\THINKV~2\PrdCtr\LPMLCHK.exe[3848] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\PROGRA~1\THINKV~2\PrdCtr\LPMLCHK.exe[3848] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\PROGRA~1\THINKV~2\PrdCtr\LPMLCHK.exe[3848] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\PROGRA~1\THINKV~2\PrdCtr\LPMLCHK.exe[3848] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [73, 71] {JAE 0x73} .text C:\PROGRA~1\THINKV~2\PrdCtr\LPMLCHK.exe[3848] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\PROGRA~1\THINKV~2\PrdCtr\LPMLCHK.exe[3848] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [70, 71] {JO 0x73} .text C:\PROGRA~1\THINKV~2\PrdCtr\LPMLCHK.exe[3848] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\PROGRA~1\THINKV~2\PrdCtr\LPMLCHK.exe[3848] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A3, 71] .text C:\PROGRA~1\THINKV~2\PrdCtr\LPMLCHK.exe[3848] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\PROGRA~1\THINKV~2\PrdCtr\LPMLCHK.exe[3848] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719B000A .text C:\PROGRA~1\THINKV~2\PrdCtr\LPMLCHK.exe[3848] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 7198000A .text C:\PROGRA~1\THINKV~2\PrdCtr\LPMLCHK.exe[3848] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717A000A .text C:\PROGRA~1\THINKV~2\PrdCtr\LPMLCHK.exe[3848] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717D000A .text C:\PROGRA~1\THINKV~2\PrdCtr\LPMLCHK.exe[3848] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7177000A .text C:\PROGRA~1\THINKV~2\PrdCtr\LPMLCHK.exe[3848] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7180000A .text C:\PROGRA~1\THINKV~2\PrdCtr\LPMLCHK.exe[3848] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7183000A .text C:\PROGRA~1\THINKV~2\PrdCtr\LPMLCHK.exe[3848] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7189000A .text C:\PROGRA~1\THINKV~2\PrdCtr\LPMLCHK.exe[3848] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7186000A .text C:\PROGRA~1\THINKV~2\PrdCtr\LPMLCHK.exe[3848] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 718F000A .text C:\PROGRA~1\THINKV~2\PrdCtr\LPMLCHK.exe[3848] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7195000A .text C:\PROGRA~1\THINKV~2\PrdCtr\LPMLCHK.exe[3848] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\PROGRA~1\THINKV~2\PrdCtr\LPMLCHK.exe[3848] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [91, 71] .text C:\PROGRA~1\Eraser\Eraser.exe[3872] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\PROGRA~1\Eraser\Eraser.exe[3872] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\PROGRA~1\Eraser\Eraser.exe[3872] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\PROGRA~1\Eraser\Eraser.exe[3872] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [77, 71] {JA 0x73} .text C:\PROGRA~1\Eraser\Eraser.exe[3872] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\PROGRA~1\Eraser\Eraser.exe[3872] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [74, 71] {JZ 0x73} .text C:\PROGRA~1\Eraser\Eraser.exe[3872] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\PROGRA~1\Eraser\Eraser.exe[3872] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\PROGRA~1\Eraser\Eraser.exe[3872] KERNEL32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\PROGRA~1\Eraser\Eraser.exe[3872] KERNEL32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\PROGRA~1\Eraser\Eraser.exe[3872] KERNEL32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\PROGRA~1\Eraser\Eraser.exe[3872] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A .text C:\PROGRA~1\Eraser\Eraser.exe[3872] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A .text C:\PROGRA~1\Eraser\Eraser.exe[3872] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A .text C:\PROGRA~1\Eraser\Eraser.exe[3872] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\PROGRA~1\Eraser\Eraser.exe[3872] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\PROGRA~1\Eraser\Eraser.exe[3872] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\PROGRA~1\Eraser\Eraser.exe[3872] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\PROGRA~1\Eraser\Eraser.exe[3872] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\PROGRA~1\Eraser\Eraser.exe[3872] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\PROGRA~1\Eraser\Eraser.exe[3872] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\PROGRA~1\Eraser\Eraser.exe[3872] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe[3904] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe[3904] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe[3904] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe[3904] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe[3904] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe[3904] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe[3904] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe[3904] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe[3904] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe[3904] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe[3904] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe[3904] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A .text C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe[3904] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A .text C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe[3904] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A .text C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe[3904] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe[3904] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe[3904] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe[3904] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe[3904] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe[3904] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe[3904] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe[3904] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\Program Files\Apoint2K\ApMsgFwd.exe[3920] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Apoint2K\ApMsgFwd.exe[3920] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\Apoint2K\ApMsgFwd.exe[3920] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Apoint2K\ApMsgFwd.exe[3920] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\Apoint2K\ApMsgFwd.exe[3920] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Apoint2K\ApMsgFwd.exe[3920] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\Apoint2K\ApMsgFwd.exe[3920] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\Program Files\Apoint2K\ApMsgFwd.exe[3920] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\Program Files\Apoint2K\ApMsgFwd.exe[3920] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\Apoint2K\ApMsgFwd.exe[3920] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\Program Files\Apoint2K\ApMsgFwd.exe[3920] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\Program Files\Apoint2K\ApMsgFwd.exe[3920] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\Program Files\Apoint2K\ApMsgFwd.exe[3920] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\Program Files\Apoint2K\ApMsgFwd.exe[3920] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\Program Files\Apoint2K\ApMsgFwd.exe[3920] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\Program Files\Apoint2K\ApMsgFwd.exe[3920] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\Program Files\Apoint2K\ApMsgFwd.exe[3920] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\Program Files\Apoint2K\ApMsgFwd.exe[3920] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\Program Files\Apoint2K\ApMsgFwd.exe[3920] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\Program Files\Apoint2K\ApMsgFwd.exe[3920] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A .text C:\Program Files\Apoint2K\ApMsgFwd.exe[3920] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A .text C:\Program Files\Apoint2K\ApMsgFwd.exe[3920] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\igfxext.exe[3984] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\igfxext.exe[3984] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\igfxext.exe[3984] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\igfxext.exe[3984] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\igfxext.exe[3984] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\igfxext.exe[3984] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\igfxext.exe[3984] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\igfxext.exe[3984] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\system32\igfxext.exe[3984] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\igfxext.exe[3984] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\igfxext.exe[3984] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\igfxext.exe[3984] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\igfxext.exe[3984] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\igfxext.exe[3984] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\igfxext.exe[3984] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\igfxext.exe[3984] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\igfxext.exe[3984] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\igfxext.exe[3984] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\igfxext.exe[3984] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\igfxext.exe[3984] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\igfxext.exe[3984] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\igfxext.exe[3984] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe[4004] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe[4004] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe[4004] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe[4004] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe[4004] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe[4004] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe[4004] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe[4004] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe[4004] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe[4004] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe[4004] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe[4004] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A .text C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe[4004] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A .text C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe[4004] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A .text C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe[4004] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe[4004] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe[4004] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe[4004] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe[4004] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe[4004] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe[4004] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe[4004] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\PROGRA~1\ThinkPad\UTILIT~1\SCHTASK.exe[4020] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\PROGRA~1\ThinkPad\UTILIT~1\SCHTASK.exe[4020] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\PROGRA~1\ThinkPad\UTILIT~1\SCHTASK.exe[4020] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\PROGRA~1\ThinkPad\UTILIT~1\SCHTASK.exe[4020] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [77, 71] {JA 0x73} .text C:\PROGRA~1\ThinkPad\UTILIT~1\SCHTASK.exe[4020] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\PROGRA~1\ThinkPad\UTILIT~1\SCHTASK.exe[4020] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [74, 71] {JZ 0x73} .text C:\PROGRA~1\ThinkPad\UTILIT~1\SCHTASK.exe[4020] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\PROGRA~1\ThinkPad\UTILIT~1\SCHTASK.exe[4020] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\PROGRA~1\ThinkPad\UTILIT~1\SCHTASK.exe[4020] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\PROGRA~1\ThinkPad\UTILIT~1\SCHTASK.exe[4020] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\PROGRA~1\ThinkPad\UTILIT~1\SCHTASK.exe[4020] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\PROGRA~1\ThinkPad\UTILIT~1\SCHTASK.exe[4020] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A .text C:\PROGRA~1\ThinkPad\UTILIT~1\SCHTASK.exe[4020] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A .text C:\PROGRA~1\ThinkPad\UTILIT~1\SCHTASK.exe[4020] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A .text C:\PROGRA~1\ThinkPad\UTILIT~1\SCHTASK.exe[4020] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\PROGRA~1\ThinkPad\UTILIT~1\SCHTASK.exe[4020] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\PROGRA~1\ThinkPad\UTILIT~1\SCHTASK.exe[4020] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\PROGRA~1\ThinkPad\UTILIT~1\SCHTASK.exe[4020] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\PROGRA~1\ThinkPad\UTILIT~1\SCHTASK.exe[4020] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\PROGRA~1\ThinkPad\UTILIT~1\SCHTASK.exe[4020] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\PROGRA~1\ThinkPad\UTILIT~1\SCHTASK.exe[4020] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\PROGRA~1\ThinkPad\UTILIT~1\SCHTASK.exe[4020] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[4044] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[4044] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[4044] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[4044] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[4044] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[4044] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[4044] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[4044] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[4044] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[4044] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[4044] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[4044] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A .text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[4044] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A .text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[4044] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A .text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[4044] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[4044] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[4044] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[4044] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[4044] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[4044] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[4044] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[4044] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] ---- Devices - GMER 2.1 ---- Device Ntfs.sys Device Fastfat.SYS AttachedDevice \Driver\Tcpip \Device\Ip cmdhlp.sys AttachedDevice \Driver\Tcpip \Device\Tcp cmdhlp.sys AttachedDevice \Driver\Tcpip \Device\Udp cmdhlp.sys AttachedDevice \Driver\Tcpip \Device\RawIp cmdhlp.sys Device mrxsmb.sys AttachedDevice fltmgr.sys ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\003091404102 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\003091404102@001842e83baf 0xF6 0xFF 0x30 0x65 ... Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\003091404102 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\003091404102@001842e83baf 0xF6 0xFF 0x30 0x65 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher@TracesProcessed 61 Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher@TracesSuccessful 28 ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----