GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-09-15 00:18:43 Windows 6.0.6002 Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 WDC_WD32 rev.11.0 298,09GB Running: gmer.exe; Driver: C:\Users\bolo\AppData\Local\Temp\kgldqpog.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwAdjustPrivilegesToken [0x90C1B4EA] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwAlpcConnectPort [0x90C1B6DE] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwConnectPort [0x90C1A79A] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreateFile [0x90C1B118] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreateSection [0x90C1AEAA] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreateSymbolicLinkObject [0x90C1C29E] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreateThread [0x90C1A144] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwLoadDriver [0x90C1BCA4] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwMakeTemporaryObject [0x90C1AA7E] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwOpenFile [0x90C1B310] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwOpenSection [0x90C1AD32] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwSetSystemInformation [0x90C1BFA4] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwShutdownSystem [0x90C1A9E8] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwSystemDebugControl [0x90C1AC1E] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwTerminateProcess [0x90C1A57A] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwTerminateThread [0x90C1A348] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreateThreadEx [0x90C1B928] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!KeSetEvent + 119 82CEA764 4 Bytes [EA, B4, C1, 90] .text ntkrnlpa.exe!KeSetEvent + 13D 82CEA788 4 Bytes [DE, B6, C1, 90] .text ntkrnlpa.exe!KeSetEvent + 1C1 82CEA80C 4 Bytes [9A, A7, C1, 90] .text ntkrnlpa.exe!KeSetEvent + 1D9 82CEA824 4 Bytes [18, B1, C1, 90] .text ntkrnlpa.exe!KeSetEvent + 215 82CEA860 4 Bytes [AA, AE, C1, 90] .text ... ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\taskmgr.exe[312] ntdll.dll!LdrUnloadDll 7785B680 6 Bytes JMP 71A8000A .text C:\Windows\system32\taskmgr.exe[312] ntdll.dll!NtAlpcSendWaitReceivePort 77884104 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskmgr.exe[312] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77884108 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\taskmgr.exe[312] ntdll.dll!NtClose 778841A4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskmgr.exe[312] ntdll.dll!NtClose + 4 778841A8 2 Bytes [AE, 71] .text C:\Windows\system32\taskmgr.exe[312] kernel32.dll!CreateProcessW 775F1BF3 6 Bytes JMP 719F000A .text C:\Windows\system32\taskmgr.exe[312] kernel32.dll!CreateProcessA 775F1C28 6 Bytes JMP 719C000A .text C:\Windows\system32\taskmgr.exe[312] kernel32.dll!LoadLibraryExW + 173 776193DF 4 Bytes JMP 71AC000A .text C:\Windows\system32\taskmgr.exe[312] ADVAPI32.dll!CreateProcessAsUserA 7738CEB9 6 Bytes JMP 7199000A .text C:\Windows\system32\taskmgr.exe[312] ADVAPI32.dll!CreateProcessAsUserW 773A1EE9 6 Bytes JMP 7193000A .text C:\Windows\system32\taskmgr.exe[312] ADVAPI32.dll!CreateProcessWithLogonW 773E80C1 6 Bytes JMP 7196000A .text C:\Windows\system32\taskmgr.exe[312] GDI32.dll!DeleteDC 75EE68CD 6 Bytes JMP 7187000A .text C:\Windows\system32\taskmgr.exe[312] GDI32.dll!CreateDCW 75EEA91D 6 Bytes JMP 718D000A .text C:\Windows\system32\taskmgr.exe[312] GDI32.dll!CreateDCA 75EEAA49 6 Bytes JMP 7190000A .text C:\Windows\system32\taskmgr.exe[312] GDI32.dll!GetPixel 75EEBE90 6 Bytes JMP 718A000A .text C:\Windows\system32\taskmgr.exe[312] USER32.dll!SetWindowsHookExA 76266322 6 Bytes JMP 7184000A .text C:\Windows\system32\taskmgr.exe[312] USER32.dll!SetWindowsHookExW 762687AD 6 Bytes JMP 7181000A .text C:\Windows\system32\taskmgr.exe[312] USER32.dll!SetWinEventHook 76269F3A 6 Bytes JMP 717E000A .text C:\Windows\System32\spoolsv.exe[316] ntdll.dll!LdrUnloadDll 7785B680 6 Bytes JMP 71A8000A .text C:\Windows\System32\spoolsv.exe[316] ntdll.dll!NtAlpcSendWaitReceivePort 77884104 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\spoolsv.exe[316] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77884108 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\System32\spoolsv.exe[316] ntdll.dll!NtClose 778841A4 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\spoolsv.exe[316] ntdll.dll!NtClose + 4 778841A8 2 Bytes [AE, 71] .text C:\Windows\System32\spoolsv.exe[316] kernel32.dll!CreateProcessW 775F1BF3 6 Bytes JMP 719F000A .text C:\Windows\System32\spoolsv.exe[316] kernel32.dll!CreateProcessA 775F1C28 6 Bytes JMP 719C000A .text C:\Windows\System32\spoolsv.exe[316] kernel32.dll!LoadLibraryExW + 173 776193DF 4 Bytes JMP 71AC000A .text C:\Windows\System32\spoolsv.exe[316] ADVAPI32.dll!CreateProcessAsUserA 7738CEB9 6 Bytes JMP 7199000A .text C:\Windows\System32\spoolsv.exe[316] ADVAPI32.dll!CreateProcessAsUserW 773A1EE9 6 Bytes JMP 7193000A .text C:\Windows\System32\spoolsv.exe[316] ADVAPI32.dll!CreateProcessWithLogonW 773E80C1 6 Bytes JMP 7196000A .text C:\Windows\System32\spoolsv.exe[316] USER32.dll!SetWindowsHookExA 76266322 6 Bytes JMP 7184000A .text C:\Windows\System32\spoolsv.exe[316] USER32.dll!SetWindowsHookExW 762687AD 6 Bytes JMP 7181000A .text C:\Windows\System32\spoolsv.exe[316] USER32.dll!SetWinEventHook 76269F3A 6 Bytes JMP 717E000A .text C:\Windows\System32\spoolsv.exe[316] GDI32.dll!DeleteDC 75EE68CD 6 Bytes JMP 7187000A .text C:\Windows\System32\spoolsv.exe[316] GDI32.dll!CreateDCW 75EEA91D 6 Bytes JMP 718D000A .text C:\Windows\System32\spoolsv.exe[316] GDI32.dll!CreateDCA 75EEAA49 6 Bytes JMP 7190000A .text C:\Windows\System32\spoolsv.exe[316] GDI32.dll!GetPixel 75EEBE90 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[340] ntdll.dll!LdrUnloadDll 7785B680 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[340] ntdll.dll!NtAlpcSendWaitReceivePort 77884104 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[340] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77884108 2 Bytes [77, 71] {JA 0x73} .text C:\Windows\system32\svchost.exe[340] ntdll.dll!NtClose 778841A4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[340] ntdll.dll!NtClose + 4 778841A8 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[340] kernel32.dll!CreateProcessW 775F1BF3 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[340] kernel32.dll!CreateProcessA 775F1C28 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[340] kernel32.dll!LoadLibraryExW + 173 776193DF 4 Bytes JMP 71AC000A .text C:\Windows\system32\svchost.exe[340] ADVAPI32.dll!CreateProcessAsUserA 7738CEB9 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[340] ADVAPI32.dll!CreateProcessAsUserW 773A1EE9 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[340] ADVAPI32.dll!CreateProcessWithLogonW 773E80C1 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[340] RPCRT4.dll!RpcServerRegisterIfEx 75F57A2C 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[340] USER32.dll!SetWindowsHookExA 76266322 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[340] USER32.dll!SetWindowsHookExW 762687AD 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[340] USER32.dll!SetWinEventHook 76269F3A 6 Bytes JMP 717B000A .text C:\Windows\system32\svchost.exe[340] GDI32.dll!DeleteDC 75EE68CD 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[340] GDI32.dll!CreateDCW 75EEA91D 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[340] GDI32.dll!CreateDCA 75EEAA49 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[340] GDI32.dll!GetPixel 75EEBE90 6 Bytes JMP 7187000A .text C:\Windows\system32\WLANExt.exe[516] ntdll.dll!LdrUnloadDll 7785B680 6 Bytes JMP 71A8000A .text C:\Windows\system32\WLANExt.exe[516] ntdll.dll!NtAlpcSendWaitReceivePort 77884104 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\WLANExt.exe[516] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77884108 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\WLANExt.exe[516] ntdll.dll!NtClose 778841A4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\WLANExt.exe[516] ntdll.dll!NtClose + 4 778841A8 2 Bytes [AE, 71] .text C:\Windows\system32\WLANExt.exe[516] kernel32.dll!CreateProcessW 775F1BF3 6 Bytes JMP 719F000A .text C:\Windows\system32\WLANExt.exe[516] kernel32.dll!CreateProcessA 775F1C28 6 Bytes JMP 719C000A .text C:\Windows\system32\WLANExt.exe[516] kernel32.dll!LoadLibraryExW + 173 776193DF 4 Bytes JMP 71AC000A .text C:\Windows\system32\WLANExt.exe[516] ADVAPI32.dll!CreateProcessAsUserA 7738CEB9 6 Bytes JMP 7199000A .text C:\Windows\system32\WLANExt.exe[516] ADVAPI32.dll!CreateProcessAsUserW 773A1EE9 6 Bytes JMP 7193000A .text C:\Windows\system32\WLANExt.exe[516] ADVAPI32.dll!CreateProcessWithLogonW 773E80C1 6 Bytes JMP 7196000A .text C:\Windows\system32\WLANExt.exe[516] USER32.dll!SetWindowsHookExA 76266322 6 Bytes JMP 7184000A .text C:\Windows\system32\WLANExt.exe[516] USER32.dll!SetWindowsHookExW 762687AD 6 Bytes JMP 7181000A .text C:\Windows\system32\WLANExt.exe[516] USER32.dll!SetWinEventHook 76269F3A 6 Bytes JMP 717E000A .text C:\Windows\system32\WLANExt.exe[516] GDI32.dll!DeleteDC 75EE68CD 6 Bytes JMP 7187000A .text C:\Windows\system32\WLANExt.exe[516] GDI32.dll!CreateDCW 75EEA91D 6 Bytes JMP 718D000A .text C:\Windows\system32\WLANExt.exe[516] GDI32.dll!CreateDCA 75EEAA49 6 Bytes JMP 7190000A .text C:\Windows\system32\WLANExt.exe[516] GDI32.dll!GetPixel 75EEBE90 6 Bytes JMP 718A000A .text C:\Windows\system32\csrss.exe[636] ntdll.dll!NtAlpcSendWaitReceivePort 77884104 5 Bytes JMP 75E11ED0 C:\Windows\system32\cmdcsr.dll .text C:\Windows\system32\csrss.exe[636] ntdll.dll!NtReplyWaitReceivePort 77884F94 5 Bytes JMP 75E115D0 C:\Windows\system32\cmdcsr.dll .text C:\Windows\system32\csrss.exe[636] ntdll.dll!NtReplyWaitReceivePortEx 77884FA4 5 Bytes JMP 75E11A50 C:\Windows\system32\cmdcsr.dll .text C:\Windows\system32\wininit.exe[692] ntdll.dll!LdrUnloadDll 7785B680 6 Bytes JMP 71A8000A .text C:\Windows\system32\wininit.exe[692] ntdll.dll!NtAlpcSendWaitReceivePort 77884104 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\wininit.exe[692] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77884108 2 Bytes [11, 71] .text C:\Windows\system32\wininit.exe[692] ntdll.dll!NtClose 778841A4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\wininit.exe[692] ntdll.dll!NtClose + 4 778841A8 2 Bytes [AE, 71] .text C:\Windows\system32\wininit.exe[692] kernel32.dll!CreateProcessW 775F1BF3 6 Bytes JMP 719F000A .text C:\Windows\system32\wininit.exe[692] kernel32.dll!CreateProcessA 775F1C28 6 Bytes JMP 719C000A .text C:\Windows\system32\wininit.exe[692] kernel32.dll!LoadLibraryExW + 173 776193DF 4 Bytes JMP 71AC000A .text C:\Windows\system32\wininit.exe[692] ADVAPI32.dll!CreateProcessAsUserA 7738CEB9 6 Bytes JMP 7199000A .text C:\Windows\system32\wininit.exe[692] ADVAPI32.dll!CreateProcessAsUserW 773A1EE9 6 Bytes JMP 7193000A .text C:\Windows\system32\wininit.exe[692] ADVAPI32.dll!CreateProcessWithLogonW 773E80C1 6 Bytes JMP 7196000A .text C:\Windows\system32\wininit.exe[692] USER32.dll!RegisterRawInputDevices 76266161 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\wininit.exe[692] USER32.dll!RegisterRawInputDevices + 4 76266165 2 Bytes [32, 71] .text C:\Windows\system32\wininit.exe[692] USER32.dll!SetWindowsHookExA 76266322 6 Bytes JMP 7172000A .text C:\Windows\system32\wininit.exe[692] USER32.dll!SystemParametersInfoA 762682E1 6 Bytes JMP 711E000A .text C:\Windows\system32\wininit.exe[692] USER32.dll!GetAsyncKeyState 7626863C 6 Bytes JMP 7136000A .text C:\Windows\system32\wininit.exe[692] USER32.dll!SetWindowsHookExW 762687AD 6 Bytes JMP 716F000A .text C:\Windows\system32\wininit.exe[692] USER32.dll!SendNotifyMessageW 762693D6 6 Bytes JMP 7148000A .text C:\Windows\system32\wininit.exe[692] USER32.dll!MoveWindow 7626989F 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\wininit.exe[692] USER32.dll!MoveWindow + 4 762698A3 2 Bytes [2C, 71] {SUB AL, 0x71} .text C:\Windows\system32\wininit.exe[692] USER32.dll!SetWinEventHook 76269F3A 6 Bytes JMP 716C000A .text C:\Windows\system32\wininit.exe[692] USER32.dll!SetParent 7626A2AA 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\wininit.exe[692] USER32.dll!SetParent + 4 7626A2AE 2 Bytes [2F, 71] .text C:\Windows\system32\wininit.exe[692] USER32.dll!PostThreadMessageA 7626BD34 6 Bytes JMP 7163000A .text C:\Windows\system32\wininit.exe[692] USER32.dll!GetKeyboardState 7626BD7D 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\wininit.exe[692] USER32.dll!GetKeyboardState + 4 7626BD81 2 Bytes [3B, 71] .text C:\Windows\system32\wininit.exe[692] USER32.dll!RegisterHotKey 7626BDA5 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\wininit.exe[692] USER32.dll!RegisterHotKey + 4 7626BDA9 2 Bytes [20, 71] .text C:\Windows\system32\wininit.exe[692] USER32.dll!EnableWindow 7626CD8B 6 Bytes JMP 7118000A .text C:\Windows\system32\wininit.exe[692] USER32.dll!PostMessageA 7626F8F8 6 Bytes JMP 7169000A .text C:\Windows\system32\wininit.exe[692] USER32.dll!SendMessageA 7626F956 6 Bytes JMP 715D000A .text C:\Windows\system32\wininit.exe[692] USER32.dll!SendMessageTimeoutW 7627352D 6 Bytes JMP 7154000A .text C:\Windows\system32\wininit.exe[692] USER32.dll!SendMessageCallbackW 76274570 6 Bytes JMP 714E000A .text C:\Windows\system32\wininit.exe[692] USER32.dll!PostThreadMessageW 76277C8E 6 Bytes JMP 7160000A .text C:\Windows\system32\wininit.exe[692] USER32.dll!GetKeyState 76278CB1 6 Bytes JMP 7139000A .text C:\Windows\system32\wininit.exe[692] USER32.dll!PostMessageW 7627A175 6 Bytes JMP 7166000A .text C:\Windows\system32\wininit.exe[692] USER32.dll!SendMessageW 76280AED 6 Bytes JMP 715A000A .text C:\Windows\system32\wininit.exe[692] USER32.dll!SystemParametersInfoW 762811D8 6 Bytes JMP 711B000A .text C:\Windows\system32\wininit.exe[692] USER32.dll!SendDlgItemMessageA 7628275B 6 Bytes JMP 7145000A .text C:\Windows\system32\wininit.exe[692] USER32.dll!SetClipboardViewer 7628BA2D 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\wininit.exe[692] USER32.dll!SetClipboardViewer + 4 7628BA31 2 Bytes [29, 71] .text C:\Windows\system32\wininit.exe[692] USER32.dll!SendNotifyMessageA 7628DFCF 6 Bytes JMP 714B000A .text C:\Windows\system32\wininit.exe[692] USER32.dll!BlockInput 7628FF0A 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\wininit.exe[692] USER32.dll!BlockInput + 4 7628FF0E 2 Bytes [26, 71] .text C:\Windows\system32\wininit.exe[692] USER32.dll!SendMessageTimeoutA 76290006 6 Bytes JMP 7157000A .text C:\Windows\system32\wininit.exe[692] USER32.dll!mouse_event 7629044E 6 Bytes JMP 7175000A .text C:\Windows\system32\wininit.exe[692] USER32.dll!SendDlgItemMessageW 76290E38 6 Bytes JMP 7142000A .text C:\Windows\system32\wininit.exe[692] USER32.dll!SendInput 76292F75 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\wininit.exe[692] USER32.dll!SendInput + 4 76292F79 2 Bytes [3E, 71] .text C:\Windows\system32\wininit.exe[692] USER32.dll!GetClipboardData 762A715A 6 Bytes JMP 7124000A .text C:\Windows\system32\wininit.exe[692] USER32.dll!ExitWindowsEx 762AB7C3 6 Bytes JMP 7115000A .text C:\Windows\system32\wininit.exe[692] USER32.dll!keybd_event 762BD972 6 Bytes JMP 7178000A .text C:\Windows\system32\wininit.exe[692] USER32.dll!SendMessageCallbackA 762C2CA7 6 Bytes JMP 7151000A .text C:\Windows\system32\wininit.exe[692] GDI32.dll!DeleteDC 75EE68CD 6 Bytes JMP 7187000A .text C:\Windows\system32\wininit.exe[692] GDI32.dll!BitBlt 75EE70A6 6 Bytes JMP 7184000A .text C:\Windows\system32\wininit.exe[692] GDI32.dll!StretchBlt 75EE93D6 6 Bytes JMP 717B000A .text C:\Windows\system32\wininit.exe[692] GDI32.dll!CreateDCW 75EEA91D 6 Bytes JMP 718D000A .text C:\Windows\system32\wininit.exe[692] GDI32.dll!CreateDCA 75EEAA49 6 Bytes JMP 7190000A .text C:\Windows\system32\wininit.exe[692] GDI32.dll!GetPixel 75EEBE90 6 Bytes JMP 718A000A .text C:\Windows\system32\wininit.exe[692] GDI32.dll!MaskBlt 75EEC5CB 6 Bytes JMP 7181000A .text C:\Windows\system32\wininit.exe[692] GDI32.dll!PlgBlt 75EFEB50 6 Bytes JMP 717E000A .text C:\Windows\system32\csrss.exe[704] ntdll.dll!NtAlpcSendWaitReceivePort 77884104 5 Bytes JMP 75E11ED0 C:\Windows\system32\cmdcsr.dll .text C:\Windows\system32\csrss.exe[704] ntdll.dll!NtReplyWaitReceivePort 77884F94 5 Bytes JMP 75E115D0 C:\Windows\system32\cmdcsr.dll .text C:\Windows\system32\csrss.exe[704] ntdll.dll!NtReplyWaitReceivePortEx 77884FA4 5 Bytes JMP 75E11A50 C:\Windows\system32\cmdcsr.dll .text C:\Windows\system32\services.exe[740] services.exe 00731628 4 Bytes [80, 36, 01, 10] .text C:\Windows\system32\services.exe[740] services.exe 00731638 4 Bytes [60, 3A, 01, 10] .text C:\Windows\system32\services.exe[740] services.exe 00731658 4 Bytes [E0, 33, 01, 10] {LOOPNZ 0x35; ADD [EAX], EDX} .text C:\Windows\system32\services.exe[740] services.exe 00731668 4 Bytes [80, 38, 01, 10] .text C:\Windows\system32\services.exe[740] ntdll.dll!LdrUnloadDll 7785B680 6 Bytes JMP 71A8000A .text C:\Windows\system32\services.exe[740] ntdll.dll!NtAlpcSendWaitReceivePort 77884104 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\services.exe[740] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77884108 2 Bytes [77, 71] {JA 0x73} .text C:\Windows\system32\services.exe[740] ntdll.dll!NtClose 778841A4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\services.exe[740] ntdll.dll!NtClose + 4 778841A8 2 Bytes [AE, 71] .text C:\Windows\system32\services.exe[740] kernel32.dll!CreateProcessW 775F1BF3 6 Bytes JMP 719F000A .text C:\Windows\system32\services.exe[740] kernel32.dll!CreateProcessA 775F1C28 6 Bytes JMP 719C000A .text C:\Windows\system32\services.exe[740] kernel32.dll!LoadLibraryExW + 173 776193DF 4 Bytes JMP 71AC000A .text C:\Windows\system32\services.exe[740] ADVAPI32.dll!CreateProcessAsUserA 7738CEB9 6 Bytes JMP 7199000A .text C:\Windows\system32\services.exe[740] ADVAPI32.dll!CreateProcessAsUserW 773A1EE9 6 Bytes JMP 7193000A .text C:\Windows\system32\services.exe[740] ADVAPI32.dll!CreateProcessWithLogonW 773E80C1 6 Bytes JMP 7196000A .text C:\Windows\system32\services.exe[740] RPCRT4.dll!RpcServerRegisterIfEx 75F57A2C 6 Bytes JMP 7190000A .text C:\Windows\system32\services.exe[740] USER32.dll!SetWindowsHookExA 76266322 6 Bytes JMP 7181000A .text C:\Windows\system32\services.exe[740] USER32.dll!SetWindowsHookExW 762687AD 6 Bytes JMP 717E000A .text C:\Windows\system32\services.exe[740] USER32.dll!SetWinEventHook 76269F3A 6 Bytes JMP 717B000A .text C:\Windows\system32\services.exe[740] GDI32.dll!DeleteDC 75EE68CD 6 Bytes JMP 7184000A .text C:\Windows\system32\services.exe[740] GDI32.dll!CreateDCW 75EEA91D 6 Bytes JMP 718A000A .text C:\Windows\system32\services.exe[740] GDI32.dll!CreateDCA 75EEAA49 6 Bytes JMP 718D000A .text C:\Windows\system32\services.exe[740] GDI32.dll!GetPixel 75EEBE90 6 Bytes JMP 7187000A .text C:\Windows\system32\lsass.exe[756] ntdll.dll!LdrUnloadDll 7785B680 6 Bytes JMP 71A8000A .text C:\Windows\system32\lsass.exe[756] ntdll.dll!NtAlpcSendWaitReceivePort 77884104 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsass.exe[756] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77884108 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\lsass.exe[756] ntdll.dll!NtClose 778841A4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsass.exe[756] ntdll.dll!NtClose + 4 778841A8 2 Bytes [AE, 71] .text C:\Windows\system32\lsass.exe[756] kernel32.dll!CreateProcessW 775F1BF3 6 Bytes JMP 719F000A .text C:\Windows\system32\lsass.exe[756] kernel32.dll!CreateProcessA 775F1C28 6 Bytes JMP 719C000A .text C:\Windows\system32\lsass.exe[756] kernel32.dll!LoadLibraryExW + 173 776193DF 4 Bytes JMP 71AC000A .text C:\Windows\system32\lsass.exe[756] ADVAPI32.dll!CreateProcessAsUserA 7738CEB9 6 Bytes JMP 7199000A .text C:\Windows\system32\lsass.exe[756] ADVAPI32.dll!CreateProcessAsUserW 773A1EE9 6 Bytes JMP 7193000A .text C:\Windows\system32\lsass.exe[756] ADVAPI32.dll!CreateProcessWithLogonW 773E80C1 6 Bytes JMP 7196000A .text C:\Windows\system32\lsass.exe[756] USER32.dll!SetWindowsHookExA 76266322 6 Bytes JMP 7184000A .text C:\Windows\system32\lsass.exe[756] USER32.dll!SetWindowsHookExW 762687AD 6 Bytes JMP 7181000A .text C:\Windows\system32\lsass.exe[756] USER32.dll!SetWinEventHook 76269F3A 6 Bytes JMP 717E000A .text C:\Windows\system32\lsass.exe[756] GDI32.dll!DeleteDC 75EE68CD 6 Bytes JMP 7187000A .text C:\Windows\system32\lsass.exe[756] GDI32.dll!CreateDCW 75EEA91D 6 Bytes JMP 718D000A .text C:\Windows\system32\lsass.exe[756] GDI32.dll!CreateDCA 75EEAA49 6 Bytes JMP 7190000A .text C:\Windows\system32\lsass.exe[756] GDI32.dll!GetPixel 75EEBE90 6 Bytes JMP 718A000A .text C:\Windows\system32\lsm.exe[768] ntdll.dll!LdrUnloadDll 7785B680 6 Bytes JMP 71A8000A .text C:\Windows\system32\lsm.exe[768] ntdll.dll!NtAlpcSendWaitReceivePort 77884104 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsm.exe[768] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77884108 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\lsm.exe[768] ntdll.dll!NtClose 778841A4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsm.exe[768] ntdll.dll!NtClose + 4 778841A8 2 Bytes [AE, 71] .text C:\Windows\system32\lsm.exe[768] kernel32.dll!CreateProcessW 775F1BF3 6 Bytes JMP 719F000A .text C:\Windows\system32\lsm.exe[768] kernel32.dll!CreateProcessA 775F1C28 6 Bytes JMP 719C000A .text C:\Windows\system32\lsm.exe[768] kernel32.dll!LoadLibraryExW + 173 776193DF 4 Bytes JMP 71AC000A .text C:\Windows\system32\lsm.exe[768] ADVAPI32.dll!CreateProcessAsUserA 7738CEB9 6 Bytes JMP 7199000A .text C:\Windows\system32\lsm.exe[768] ADVAPI32.dll!CreateProcessAsUserW 773A1EE9 6 Bytes JMP 7193000A .text C:\Windows\system32\lsm.exe[768] ADVAPI32.dll!CreateProcessWithLogonW 773E80C1 6 Bytes JMP 7196000A .text C:\Windows\system32\lsm.exe[768] USER32.dll!SetWindowsHookExA 76266322 6 Bytes JMP 7184000A .text C:\Windows\system32\lsm.exe[768] USER32.dll!SetWindowsHookExW 762687AD 6 Bytes JMP 7181000A .text C:\Windows\system32\lsm.exe[768] USER32.dll!SetWinEventHook 76269F3A 6 Bytes JMP 717E000A .text C:\Windows\system32\lsm.exe[768] GDI32.dll!DeleteDC 75EE68CD 6 Bytes JMP 7187000A .text C:\Windows\system32\lsm.exe[768] GDI32.dll!CreateDCW 75EEA91D 6 Bytes JMP 718D000A .text C:\Windows\system32\lsm.exe[768] GDI32.dll!CreateDCA 75EEAA49 6 Bytes JMP 7190000A .text C:\Windows\system32\lsm.exe[768] GDI32.dll!GetPixel 75EEBE90 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[956] ntdll.dll!LdrUnloadDll 7785B680 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[956] ntdll.dll!NtAlpcSendWaitReceivePort 77884104 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[956] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77884108 2 Bytes [77, 71] {JA 0x73} .text C:\Windows\system32\svchost.exe[956] ntdll.dll!NtClose 778841A4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[956] ntdll.dll!NtClose + 4 778841A8 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[956] kernel32.dll!CreateProcessW 775F1BF3 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[956] kernel32.dll!CreateProcessA 775F1C28 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[956] kernel32.dll!LoadLibraryExW + 173 776193DF 4 Bytes JMP 71AC000A .text C:\Windows\system32\svchost.exe[956] ADVAPI32.dll!CreateProcessAsUserA 7738CEB9 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[956] ADVAPI32.dll!CreateProcessAsUserW 773A1EE9 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[956] ADVAPI32.dll!CreateProcessWithLogonW 773E80C1 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[956] RPCRT4.dll!RpcServerRegisterIfEx 75F57A2C 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[956] USER32.dll!SetWindowsHookExA 76266322 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[956] USER32.dll!SetWindowsHookExW 762687AD 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[956] USER32.dll!SetWinEventHook 76269F3A 6 Bytes JMP 717B000A .text C:\Windows\system32\svchost.exe[956] GDI32.dll!DeleteDC 75EE68CD 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[956] GDI32.dll!CreateDCW 75EEA91D 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[956] GDI32.dll!CreateDCA 75EEAA49 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[956] GDI32.dll!GetPixel 75EEBE90 6 Bytes JMP 7187000A .text C:\Windows\system32\nvvsvc.exe[1000] ntdll.dll!LdrUnloadDll 7785B680 6 Bytes JMP 71A8000A .text C:\Windows\system32\nvvsvc.exe[1000] ntdll.dll!NtAlpcSendWaitReceivePort 77884104 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\nvvsvc.exe[1000] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77884108 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\nvvsvc.exe[1000] ntdll.dll!NtClose 778841A4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\nvvsvc.exe[1000] ntdll.dll!NtClose + 4 778841A8 2 Bytes [AE, 71] .text C:\Windows\system32\nvvsvc.exe[1000] kernel32.dll!CreateProcessW 775F1BF3 6 Bytes JMP 719F000A .text C:\Windows\system32\nvvsvc.exe[1000] kernel32.dll!CreateProcessA 775F1C28 6 Bytes JMP 719C000A .text C:\Windows\system32\nvvsvc.exe[1000] kernel32.dll!LoadLibraryExW + 173 776193DF 4 Bytes JMP 71AC000A .text C:\Windows\system32\nvvsvc.exe[1000] ADVAPI32.dll!CreateProcessAsUserA 7738CEB9 6 Bytes JMP 7199000A .text C:\Windows\system32\nvvsvc.exe[1000] ADVAPI32.dll!CreateProcessAsUserW 773A1EE9 6 Bytes JMP 7193000A .text C:\Windows\system32\nvvsvc.exe[1000] ADVAPI32.dll!CreateProcessWithLogonW 773E80C1 6 Bytes JMP 7196000A .text C:\Windows\system32\nvvsvc.exe[1000] GDI32.dll!DeleteDC 75EE68CD 6 Bytes JMP 7187000A .text C:\Windows\system32\nvvsvc.exe[1000] GDI32.dll!CreateDCW 75EEA91D 6 Bytes JMP 718D000A .text C:\Windows\system32\nvvsvc.exe[1000] GDI32.dll!CreateDCA 75EEAA49 6 Bytes JMP 7190000A .text C:\Windows\system32\nvvsvc.exe[1000] GDI32.dll!GetPixel 75EEBE90 6 Bytes JMP 718A000A .text C:\Windows\system32\nvvsvc.exe[1000] USER32.dll!SetWindowsHookExA 76266322 6 Bytes JMP 7184000A .text C:\Windows\system32\nvvsvc.exe[1000] USER32.dll!SetWindowsHookExW 762687AD 6 Bytes JMP 7181000A .text C:\Windows\system32\nvvsvc.exe[1000] USER32.dll!SetWinEventHook 76269F3A 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[1032] ntdll.dll!LdrUnloadDll 7785B680 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[1032] ntdll.dll!NtAlpcSendWaitReceivePort 77884104 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1032] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77884108 2 Bytes [77, 71] {JA 0x73} .text C:\Windows\system32\svchost.exe[1032] ntdll.dll!NtClose 778841A4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1032] ntdll.dll!NtClose + 4 778841A8 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[1032] kernel32.dll!CreateProcessW 775F1BF3 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[1032] kernel32.dll!CreateProcessA 775F1C28 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[1032] kernel32.dll!LoadLibraryExW + 173 776193DF 4 Bytes JMP 71AC000A .text C:\Windows\system32\svchost.exe[1032] ADVAPI32.dll!CreateProcessAsUserA 7738CEB9 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[1032] ADVAPI32.dll!CreateProcessAsUserW 773A1EE9 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[1032] ADVAPI32.dll!CreateProcessWithLogonW 773E80C1 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[1032] RPCRT4.dll!RpcServerRegisterIfEx 75F57A2C 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[1032] USER32.dll!SetWindowsHookExA 76266322 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[1032] USER32.dll!SetWindowsHookExW 762687AD 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[1032] USER32.dll!SetWinEventHook 76269F3A 6 Bytes JMP 717B000A .text C:\Windows\system32\svchost.exe[1032] GDI32.dll!DeleteDC 75EE68CD 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[1032] GDI32.dll!CreateDCW 75EEA91D 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[1032] GDI32.dll!CreateDCA 75EEAA49 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[1032] GDI32.dll!GetPixel 75EEBE90 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[1032] rpcss.dll!WhichService 750E3F84 8 Bytes [20, 30, 01, 10, E0, 2D, 01, ...] {AND [EAX], DH; ADD [EAX], EDX; LOOPNZ 0x33; ADD [EAX], EDX} .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1068] ntdll.dll!NtAllocateVirtualMemory 77883FC4 5 Bytes JMP 01081E70 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1068] ntdll.dll!NtCreateFile 77884264 5 Bytes JMP 010C53F0 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe .text C:\Windows\system32\svchost.exe[1152] ntdll.dll!LdrUnloadDll 7785B680 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[1152] ntdll.dll!NtAlpcSendWaitReceivePort 77884104 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1152] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77884108 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\svchost.exe[1152] ntdll.dll!NtClose 778841A4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1152] ntdll.dll!NtClose + 4 778841A8 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[1152] kernel32.dll!CreateProcessW 775F1BF3 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[1152] kernel32.dll!CreateProcessA 775F1C28 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[1152] kernel32.dll!LoadLibraryExW + 173 776193DF 4 Bytes JMP 71AC000A .text C:\Windows\system32\svchost.exe[1152] ADVAPI32.dll!CreateProcessAsUserA 7738CEB9 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[1152] ADVAPI32.dll!CreateProcessAsUserW 773A1EE9 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[1152] ADVAPI32.dll!CreateProcessWithLogonW 773E80C1 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[1152] USER32.dll!SetWindowsHookExA 76266322 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[1152] USER32.dll!SetWindowsHookExW 762687AD 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[1152] USER32.dll!SetWinEventHook 76269F3A 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[1152] GDI32.dll!DeleteDC 75EE68CD 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[1152] GDI32.dll!CreateDCW 75EEA91D 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[1152] GDI32.dll!CreateDCA 75EEAA49 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[1152] GDI32.dll!GetPixel 75EEBE90 6 Bytes JMP 718A000A .text C:\Windows\ehome\ehtray.exe[1212] ntdll.dll!LdrUnloadDll 7785B680 6 Bytes JMP 71A8000A .text C:\Windows\ehome\ehtray.exe[1212] ntdll.dll!NtAlpcSendWaitReceivePort 77884104 3 Bytes [FF, 25, 1E] .text C:\Windows\ehome\ehtray.exe[1212] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77884108 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\ehome\ehtray.exe[1212] ntdll.dll!NtClose 778841A4 3 Bytes [FF, 25, 1E] .text C:\Windows\ehome\ehtray.exe[1212] ntdll.dll!NtClose + 4 778841A8 2 Bytes [AE, 71] .text C:\Windows\ehome\ehtray.exe[1212] kernel32.dll!CreateProcessW 775F1BF3 6 Bytes JMP 719F000A .text C:\Windows\ehome\ehtray.exe[1212] kernel32.dll!CreateProcessA 775F1C28 6 Bytes JMP 719C000A .text C:\Windows\ehome\ehtray.exe[1212] kernel32.dll!LoadLibraryExW + 173 776193DF 4 Bytes JMP 71AC000A .text C:\Windows\ehome\ehtray.exe[1212] ADVAPI32.dll!CreateProcessAsUserA 7738CEB9 6 Bytes JMP 7199000A .text C:\Windows\ehome\ehtray.exe[1212] ADVAPI32.dll!CreateProcessAsUserW 773A1EE9 6 Bytes JMP 7193000A .text C:\Windows\ehome\ehtray.exe[1212] ADVAPI32.dll!CreateProcessWithLogonW 773E80C1 6 Bytes JMP 7196000A .text C:\Windows\ehome\ehtray.exe[1212] USER32.dll!SetWindowsHookExA 76266322 6 Bytes JMP 7184000A .text C:\Windows\ehome\ehtray.exe[1212] USER32.dll!SetWindowsHookExW 762687AD 6 Bytes JMP 7181000A .text C:\Windows\ehome\ehtray.exe[1212] USER32.dll!SetWinEventHook 76269F3A 6 Bytes JMP 717E000A .text C:\Windows\ehome\ehtray.exe[1212] GDI32.dll!DeleteDC 75EE68CD 6 Bytes JMP 7187000A .text C:\Windows\ehome\ehtray.exe[1212] GDI32.dll!CreateDCW 75EEA91D 6 Bytes JMP 718D000A .text C:\Windows\ehome\ehtray.exe[1212] GDI32.dll!CreateDCA 75EEAA49 6 Bytes JMP 7190000A .text C:\Windows\ehome\ehtray.exe[1212] GDI32.dll!GetPixel 75EEBE90 6 Bytes JMP 718A000A .text C:\Program Files\Windows Media Player\wmpnscfg.exe[1216] ntdll.dll!LdrUnloadDll 7785B680 6 Bytes JMP 71A8000A .text C:\Program Files\Windows Media Player\wmpnscfg.exe[1216] ntdll.dll!NtAlpcSendWaitReceivePort 77884104 3 Bytes [FF, 25, 1E] .text C:\Program Files\Windows Media Player\wmpnscfg.exe[1216] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77884108 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Windows Media Player\wmpnscfg.exe[1216] ntdll.dll!NtClose 778841A4 3 Bytes [FF, 25, 1E] .text C:\Program Files\Windows Media Player\wmpnscfg.exe[1216] ntdll.dll!NtClose + 4 778841A8 2 Bytes [AE, 71] .text C:\Program Files\Windows Media Player\wmpnscfg.exe[1216] kernel32.dll!CreateProcessW 775F1BF3 6 Bytes JMP 719F000A .text C:\Program Files\Windows Media Player\wmpnscfg.exe[1216] kernel32.dll!CreateProcessA 775F1C28 6 Bytes JMP 719C000A .text C:\Program Files\Windows Media Player\wmpnscfg.exe[1216] kernel32.dll!LoadLibraryExW + 173 776193DF 4 Bytes JMP 71AC000A .text C:\Program Files\Windows Media Player\wmpnscfg.exe[1216] ADVAPI32.dll!CreateProcessAsUserA 7738CEB9 6 Bytes JMP 7199000A .text C:\Program Files\Windows Media Player\wmpnscfg.exe[1216] ADVAPI32.dll!CreateProcessAsUserW 773A1EE9 6 Bytes JMP 7193000A .text C:\Program Files\Windows Media Player\wmpnscfg.exe[1216] ADVAPI32.dll!CreateProcessWithLogonW 773E80C1 6 Bytes JMP 7196000A .text C:\Program Files\Windows Media Player\wmpnscfg.exe[1216] GDI32.dll!DeleteDC 75EE68CD 6 Bytes JMP 7187000A .text C:\Program Files\Windows Media Player\wmpnscfg.exe[1216] GDI32.dll!CreateDCW 75EEA91D 6 Bytes JMP 718D000A .text C:\Program Files\Windows Media Player\wmpnscfg.exe[1216] GDI32.dll!CreateDCA 75EEAA49 6 Bytes JMP 7190000A .text C:\Program Files\Windows Media Player\wmpnscfg.exe[1216] GDI32.dll!GetPixel 75EEBE90 6 Bytes JMP 718A000A .text C:\Program Files\Windows Media Player\wmpnscfg.exe[1216] USER32.dll!SetWindowsHookExA 76266322 6 Bytes JMP 7184000A .text C:\Program Files\Windows Media Player\wmpnscfg.exe[1216] USER32.dll!SetWindowsHookExW 762687AD 6 Bytes JMP 7181000A .text C:\Program Files\Windows Media Player\wmpnscfg.exe[1216] USER32.dll!SetWinEventHook 76269F3A 6 Bytes JMP 717E000A .text C:\Windows\System32\svchost.exe[1236] ntdll.dll!LdrUnloadDll 7785B680 6 Bytes JMP 71A8000A .text C:\Windows\System32\svchost.exe[1236] ntdll.dll!NtAlpcSendWaitReceivePort 77884104 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1236] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77884108 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\System32\svchost.exe[1236] ntdll.dll!NtClose 778841A4 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1236] ntdll.dll!NtClose + 4 778841A8 2 Bytes [AE, 71] .text C:\Windows\System32\svchost.exe[1236] kernel32.dll!CreateProcessW 775F1BF3 6 Bytes JMP 719F000A .text C:\Windows\System32\svchost.exe[1236] kernel32.dll!CreateProcessA 775F1C28 6 Bytes JMP 719C000A .text C:\Windows\System32\svchost.exe[1236] kernel32.dll!LoadLibraryExW + 173 776193DF 4 Bytes JMP 71AC000A .text C:\Windows\System32\svchost.exe[1236] ADVAPI32.dll!CreateProcessAsUserA 7738CEB9 6 Bytes JMP 7199000A .text C:\Windows\System32\svchost.exe[1236] ADVAPI32.dll!CreateProcessAsUserW 773A1EE9 6 Bytes JMP 7193000A .text C:\Windows\System32\svchost.exe[1236] ADVAPI32.dll!CreateProcessWithLogonW 773E80C1 6 Bytes JMP 7196000A .text C:\Windows\System32\svchost.exe[1236] USER32.dll!SetWindowsHookExA 76266322 6 Bytes JMP 7184000A .text C:\Windows\System32\svchost.exe[1236] USER32.dll!SetWindowsHookExW 762687AD 6 Bytes JMP 7181000A .text C:\Windows\System32\svchost.exe[1236] USER32.dll!SetWinEventHook 76269F3A 6 Bytes JMP 717E000A .text C:\Windows\System32\svchost.exe[1236] GDI32.dll!DeleteDC 75EE68CD 6 Bytes JMP 7187000A .text C:\Windows\System32\svchost.exe[1236] GDI32.dll!CreateDCW 75EEA91D 6 Bytes JMP 718D000A .text C:\Windows\System32\svchost.exe[1236] GDI32.dll!CreateDCA 75EEAA49 6 Bytes JMP 7190000A .text C:\Windows\System32\svchost.exe[1236] GDI32.dll!GetPixel 75EEBE90 6 Bytes JMP 718A000A .text C:\Windows\System32\svchost.exe[1260] ntdll.dll!LdrUnloadDll 7785B680 6 Bytes JMP 71A8000A .text C:\Windows\System32\svchost.exe[1260] ntdll.dll!NtAlpcSendWaitReceivePort 77884104 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1260] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77884108 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\System32\svchost.exe[1260] ntdll.dll!NtClose 778841A4 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1260] ntdll.dll!NtClose + 4 778841A8 2 Bytes [AE, 71] .text C:\Windows\System32\svchost.exe[1260] kernel32.dll!CreateProcessW 775F1BF3 6 Bytes JMP 719F000A .text C:\Windows\System32\svchost.exe[1260] kernel32.dll!CreateProcessA 775F1C28 6 Bytes JMP 719C000A .text C:\Windows\System32\svchost.exe[1260] kernel32.dll!LoadLibraryExW + 173 776193DF 4 Bytes JMP 71AC000A .text C:\Windows\System32\svchost.exe[1260] ADVAPI32.dll!CreateProcessAsUserA 7738CEB9 6 Bytes JMP 7199000A .text C:\Windows\System32\svchost.exe[1260] ADVAPI32.dll!CreateProcessAsUserW 773A1EE9 6 Bytes JMP 7193000A .text C:\Windows\System32\svchost.exe[1260] ADVAPI32.dll!CreateProcessWithLogonW 773E80C1 6 Bytes JMP 7196000A .text C:\Windows\System32\svchost.exe[1260] USER32.dll!SetWindowsHookExA 76266322 6 Bytes JMP 7184000A .text C:\Windows\System32\svchost.exe[1260] USER32.dll!SetWindowsHookExW 762687AD 6 Bytes JMP 7181000A .text C:\Windows\System32\svchost.exe[1260] USER32.dll!SetWinEventHook 76269F3A 6 Bytes JMP 717E000A .text C:\Windows\System32\svchost.exe[1260] GDI32.dll!DeleteDC 75EE68CD 6 Bytes JMP 7187000A .text C:\Windows\System32\svchost.exe[1260] GDI32.dll!CreateDCW 75EEA91D 6 Bytes JMP 718D000A .text C:\Windows\System32\svchost.exe[1260] GDI32.dll!CreateDCA 75EEAA49 6 Bytes JMP 7190000A .text C:\Windows\System32\svchost.exe[1260] GDI32.dll!GetPixel 75EEBE90 6 Bytes JMP 718A000A .text C:\Windows\system32\wbem\unsecapp.exe[1272] ntdll.dll!LdrUnloadDll 7785B680 6 Bytes JMP 71A8000A .text C:\Windows\system32\wbem\unsecapp.exe[1272] ntdll.dll!NtAlpcSendWaitReceivePort 77884104 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\wbem\unsecapp.exe[1272] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77884108 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\wbem\unsecapp.exe[1272] ntdll.dll!NtClose 778841A4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\wbem\unsecapp.exe[1272] ntdll.dll!NtClose + 4 778841A8 2 Bytes [AE, 71] .text C:\Windows\system32\wbem\unsecapp.exe[1272] kernel32.dll!CreateProcessW 775F1BF3 6 Bytes JMP 719F000A .text C:\Windows\system32\wbem\unsecapp.exe[1272] kernel32.dll!CreateProcessA 775F1C28 6 Bytes JMP 719C000A .text C:\Windows\system32\wbem\unsecapp.exe[1272] kernel32.dll!LoadLibraryExW + 173 776193DF 4 Bytes JMP 71AC000A .text C:\Windows\system32\wbem\unsecapp.exe[1272] ADVAPI32.dll!CreateProcessAsUserA 7738CEB9 6 Bytes JMP 7199000A .text C:\Windows\system32\wbem\unsecapp.exe[1272] ADVAPI32.dll!CreateProcessAsUserW 773A1EE9 6 Bytes JMP 7193000A .text C:\Windows\system32\wbem\unsecapp.exe[1272] ADVAPI32.dll!CreateProcessWithLogonW 773E80C1 6 Bytes JMP 7196000A .text C:\Windows\system32\wbem\unsecapp.exe[1272] GDI32.dll!DeleteDC 75EE68CD 6 Bytes JMP 7187000A .text C:\Windows\system32\wbem\unsecapp.exe[1272] GDI32.dll!CreateDCW 75EEA91D 6 Bytes JMP 718D000A .text C:\Windows\system32\wbem\unsecapp.exe[1272] GDI32.dll!CreateDCA 75EEAA49 6 Bytes JMP 7190000A .text C:\Windows\system32\wbem\unsecapp.exe[1272] GDI32.dll!GetPixel 75EEBE90 6 Bytes JMP 718A000A .text C:\Windows\system32\wbem\unsecapp.exe[1272] USER32.dll!SetWindowsHookExA 76266322 6 Bytes JMP 7184000A .text C:\Windows\system32\wbem\unsecapp.exe[1272] USER32.dll!SetWindowsHookExW 762687AD 6 Bytes JMP 7181000A .text C:\Windows\system32\wbem\unsecapp.exe[1272] USER32.dll!SetWinEventHook 76269F3A 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[1316] ntdll.dll!LdrUnloadDll 7785B680 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[1316] ntdll.dll!NtAlpcSendWaitReceivePort 77884104 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1316] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77884108 2 Bytes [77, 71] {JA 0x73} .text C:\Windows\system32\svchost.exe[1316] ntdll.dll!NtClose 778841A4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1316] ntdll.dll!NtClose + 4 778841A8 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[1316] kernel32.dll!CreateProcessW 775F1BF3 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[1316] kernel32.dll!CreateProcessA 775F1C28 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[1316] kernel32.dll!LoadLibraryExW + 173 776193DF 4 Bytes JMP 71AC000A .text C:\Windows\system32\svchost.exe[1316] ADVAPI32.dll!CreateProcessAsUserA 7738CEB9 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[1316] ADVAPI32.dll!CreateProcessAsUserW 773A1EE9 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[1316] ADVAPI32.dll!CreateProcessWithLogonW 773E80C1 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[1316] RPCRT4.dll!RpcServerRegisterIfEx 75F57A2C 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[1316] USER32.dll!SetWindowsHookExA 76266322 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[1316] USER32.dll!SetWindowsHookExW 762687AD 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[1316] USER32.dll!SetWinEventHook 76269F3A 6 Bytes JMP 717B000A .text C:\Windows\system32\svchost.exe[1316] GDI32.dll!DeleteDC 75EE68CD 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[1316] GDI32.dll!CreateDCW 75EEA91D 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[1316] GDI32.dll!CreateDCA 75EEAA49 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[1316] GDI32.dll!GetPixel 75EEBE90 6 Bytes JMP 7187000A .text C:\Windows\system32\wbem\wmiprvse.exe[1328] ntdll.dll!LdrUnloadDll 7785B680 6 Bytes JMP 71A8000A .text C:\Windows\system32\wbem\wmiprvse.exe[1328] ntdll.dll!NtAlpcSendWaitReceivePort 77884104 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\wbem\wmiprvse.exe[1328] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77884108 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\wbem\wmiprvse.exe[1328] ntdll.dll!NtClose 778841A4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\wbem\wmiprvse.exe[1328] ntdll.dll!NtClose + 4 778841A8 2 Bytes [AE, 71] .text C:\Windows\system32\wbem\wmiprvse.exe[1328] kernel32.dll!CreateProcessW 775F1BF3 6 Bytes JMP 719F000A .text C:\Windows\system32\wbem\wmiprvse.exe[1328] kernel32.dll!CreateProcessA 775F1C28 6 Bytes JMP 719C000A .text C:\Windows\system32\wbem\wmiprvse.exe[1328] kernel32.dll!LoadLibraryExW + 173 776193DF 4 Bytes JMP 71AC000A .text C:\Windows\system32\wbem\wmiprvse.exe[1328] ADVAPI32.dll!CreateProcessAsUserA 7738CEB9 6 Bytes JMP 7199000A .text C:\Windows\system32\wbem\wmiprvse.exe[1328] ADVAPI32.dll!CreateProcessAsUserW 773A1EE9 6 Bytes JMP 7193000A .text C:\Windows\system32\wbem\wmiprvse.exe[1328] ADVAPI32.dll!CreateProcessWithLogonW 773E80C1 6 Bytes JMP 7196000A .text C:\Windows\system32\wbem\wmiprvse.exe[1328] USER32.dll!SetWindowsHookExA 76266322 6 Bytes JMP 7184000A .text C:\Windows\system32\wbem\wmiprvse.exe[1328] USER32.dll!SetWindowsHookExW 762687AD 6 Bytes JMP 7181000A .text C:\Windows\system32\wbem\wmiprvse.exe[1328] USER32.dll!SetWinEventHook 76269F3A 6 Bytes JMP 717E000A .text C:\Windows\system32\wbem\wmiprvse.exe[1328] GDI32.dll!DeleteDC 75EE68CD 6 Bytes JMP 7187000A .text C:\Windows\system32\wbem\wmiprvse.exe[1328] GDI32.dll!CreateDCW 75EEA91D 6 Bytes JMP 718D000A .text C:\Windows\system32\wbem\wmiprvse.exe[1328] GDI32.dll!CreateDCA 75EEAA49 6 Bytes JMP 7190000A .text C:\Windows\system32\wbem\wmiprvse.exe[1328] GDI32.dll!GetPixel 75EEBE90 6 Bytes JMP 718A000A .text C:\Windows\system32\AUDIODG.EXE[1396] ntdll.dll!LdrUnloadDll 7785B680 6 Bytes JMP 71A7001E .text C:\Windows\system32\AUDIODG.EXE[1396] ntdll.dll!NtAlpcSendWaitReceivePort 77884104 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\AUDIODG.EXE[1396] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77884108 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\AUDIODG.EXE[1396] ntdll.dll!NtClose 778841A4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\AUDIODG.EXE[1396] ntdll.dll!NtClose + 4 778841A8 2 Bytes [AE, 71] .text C:\Windows\system32\AUDIODG.EXE[1396] kernel32.dll!CreateProcessW 775F1BF3 6 Bytes JMP 719E001E .text C:\Windows\system32\AUDIODG.EXE[1396] kernel32.dll!CreateProcessA 775F1C28 6 Bytes JMP 719B001E .text C:\Windows\system32\AUDIODG.EXE[1396] kernel32.dll!LoadLibraryExW + 173 776193DF 4 Bytes JMP 71AC000A .text C:\Windows\system32\AUDIODG.EXE[1396] ADVAPI32.dll!CreateProcessAsUserA 7738CEB9 6 Bytes JMP 7198001E .text C:\Windows\system32\AUDIODG.EXE[1396] ADVAPI32.dll!CreateProcessAsUserW 773A1EE9 6 Bytes JMP 7192001E .text C:\Windows\system32\AUDIODG.EXE[1396] ADVAPI32.dll!CreateProcessWithLogonW 773E80C1 6 Bytes JMP 7195001E .text C:\Windows\system32\AUDIODG.EXE[1396] GDI32.dll!DeleteDC 75EE68CD 6 Bytes JMP 7186001E .text C:\Windows\system32\AUDIODG.EXE[1396] GDI32.dll!CreateDCW 75EEA91D 6 Bytes JMP 718C001E .text C:\Windows\system32\AUDIODG.EXE[1396] GDI32.dll!CreateDCA 75EEAA49 6 Bytes JMP 718F001E .text C:\Windows\system32\AUDIODG.EXE[1396] GDI32.dll!GetPixel 75EEBE90 6 Bytes JMP 7189001E .text C:\Windows\system32\AUDIODG.EXE[1396] USER32.dll!SetWindowsHookExA 76266322 6 Bytes JMP 7183001E .text C:\Windows\system32\AUDIODG.EXE[1396] USER32.dll!SetWindowsHookExW 762687AD 6 Bytes JMP 7180001E .text C:\Windows\system32\AUDIODG.EXE[1396] USER32.dll!SetWinEventHook 76269F3A 6 Bytes JMP 717D001E .text C:\Windows\system32\svchost.exe[1420] ntdll.dll!LdrUnloadDll 7785B680 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[1420] ntdll.dll!NtAlpcSendWaitReceivePort 77884104 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1420] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77884108 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\svchost.exe[1420] ntdll.dll!NtClose 778841A4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1420] ntdll.dll!NtClose + 4 778841A8 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[1420] kernel32.dll!CreateProcessW 775F1BF3 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[1420] kernel32.dll!CreateProcessA 775F1C28 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[1420] kernel32.dll!LoadLibraryExW + 173 776193DF 4 Bytes JMP 71AC000A .text C:\Windows\system32\svchost.exe[1420] ADVAPI32.dll!CreateProcessAsUserA 7738CEB9 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[1420] ADVAPI32.dll!CreateProcessAsUserW 773A1EE9 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[1420] ADVAPI32.dll!CreateProcessWithLogonW 773E80C1 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[1420] USER32.dll!SetWindowsHookExA 76266322 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[1420] USER32.dll!SetWindowsHookExW 762687AD 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[1420] USER32.dll!SetWinEventHook 76269F3A 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[1420] GDI32.dll!DeleteDC 75EE68CD 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[1420] GDI32.dll!CreateDCW 75EEA91D 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[1420] GDI32.dll!CreateDCA 75EEAA49 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[1420] GDI32.dll!GetPixel 75EEBE90 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[1476] ntdll.dll!LdrUnloadDll 7785B680 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[1476] ntdll.dll!NtAlpcSendWaitReceivePort 77884104 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1476] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77884108 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\svchost.exe[1476] ntdll.dll!NtClose 778841A4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1476] ntdll.dll!NtClose + 4 778841A8 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[1476] kernel32.dll!CreateProcessW 775F1BF3 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[1476] kernel32.dll!CreateProcessA 775F1C28 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[1476] kernel32.dll!LoadLibraryExW + 173 776193DF 4 Bytes JMP 71AC000A .text C:\Windows\system32\svchost.exe[1476] ADVAPI32.dll!CreateProcessAsUserA 7738CEB9 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[1476] ADVAPI32.dll!CreateProcessAsUserW 773A1EE9 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[1476] ADVAPI32.dll!CreateProcessWithLogonW 773E80C1 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[1476] USER32.dll!SetWindowsHookExA 76266322 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[1476] USER32.dll!SetWindowsHookExW 762687AD 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[1476] USER32.dll!SetWinEventHook 76269F3A 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[1476] GDI32.dll!DeleteDC 75EE68CD 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[1476] GDI32.dll!CreateDCW 75EEA91D 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[1476] GDI32.dll!CreateDCA 75EEAA49 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[1476] GDI32.dll!GetPixel 75EEBE90 6 Bytes JMP 718A000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1568] ntdll.dll!LdrUnloadDll 7785B680 6 Bytes JMP 71A8000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1568] ntdll.dll!NtAlpcSendWaitReceivePort 77884104 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1568] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77884108 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1568] ntdll.dll!NtClose 778841A4 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1568] ntdll.dll!NtClose + 4 778841A8 2 Bytes [AE, 71] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1568] kernel32.dll!CreateProcessW 775F1BF3 6 Bytes JMP 719F000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1568] kernel32.dll!CreateProcessA 775F1C28 6 Bytes JMP 719C000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1568] kernel32.dll!LoadLibraryExW + 173 776193DF 4 Bytes JMP 71AC000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1568] ADVAPI32.dll!CreateProcessAsUserA 7738CEB9 6 Bytes JMP 7199000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1568] ADVAPI32.dll!CreateProcessAsUserW 773A1EE9 6 Bytes JMP 7193000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1568] ADVAPI32.dll!CreateProcessWithLogonW 773E80C1 6 Bytes JMP 7196000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1568] GDI32.dll!DeleteDC 75EE68CD 6 Bytes JMP 7187000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1568] GDI32.dll!CreateDCW 75EEA91D 6 Bytes JMP 718D000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1568] GDI32.dll!CreateDCA 75EEAA49 6 Bytes JMP 7190000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1568] GDI32.dll!GetPixel 75EEBE90 6 Bytes JMP 718A000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1568] USER32.dll!SetWindowsHookExA 76266322 6 Bytes JMP 7184000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1568] USER32.dll!SetWindowsHookExW 762687AD 6 Bytes JMP 7181000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1568] USER32.dll!SetWinEventHook 76269F3A 6 Bytes JMP 717E000A .text C:\Windows\system32\nvvsvc.exe[1584] ntdll.dll!LdrUnloadDll 7785B680 6 Bytes JMP 71A8000A .text C:\Windows\system32\nvvsvc.exe[1584] ntdll.dll!NtAlpcSendWaitReceivePort 77884104 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\nvvsvc.exe[1584] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77884108 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\nvvsvc.exe[1584] ntdll.dll!NtClose 778841A4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\nvvsvc.exe[1584] ntdll.dll!NtClose + 4 778841A8 2 Bytes [AE, 71] .text C:\Windows\system32\nvvsvc.exe[1584] kernel32.dll!CreateProcessW 775F1BF3 6 Bytes JMP 719F000A .text C:\Windows\system32\nvvsvc.exe[1584] kernel32.dll!CreateProcessA 775F1C28 6 Bytes JMP 719C000A .text C:\Windows\system32\nvvsvc.exe[1584] kernel32.dll!LoadLibraryExW + 173 776193DF 4 Bytes JMP 71AC000A .text C:\Windows\system32\nvvsvc.exe[1584] ADVAPI32.dll!CreateProcessAsUserA 7738CEB9 6 Bytes JMP 7199000A .text C:\Windows\system32\nvvsvc.exe[1584] ADVAPI32.dll!CreateProcessAsUserW 773A1EE9 6 Bytes JMP 7193000A .text C:\Windows\system32\nvvsvc.exe[1584] ADVAPI32.dll!CreateProcessWithLogonW 773E80C1 6 Bytes JMP 7196000A .text C:\Windows\system32\nvvsvc.exe[1584] GDI32.dll!DeleteDC 75EE68CD 6 Bytes JMP 7187000A .text C:\Windows\system32\nvvsvc.exe[1584] GDI32.dll!CreateDCW 75EEA91D 6 Bytes JMP 718D000A .text C:\Windows\system32\nvvsvc.exe[1584] GDI32.dll!CreateDCA 75EEAA49 6 Bytes JMP 7190000A .text C:\Windows\system32\nvvsvc.exe[1584] GDI32.dll!GetPixel 75EEBE90 6 Bytes JMP 718A000A .text C:\Windows\system32\nvvsvc.exe[1584] USER32.dll!SetWindowsHookExA 76266322 6 Bytes JMP 7184000A .text C:\Windows\system32\nvvsvc.exe[1584] USER32.dll!SetWindowsHookExW 762687AD 6 Bytes JMP 7181000A .text C:\Windows\system32\nvvsvc.exe[1584] USER32.dll!SetWinEventHook 76269F3A 6 Bytes JMP 717E000A .text C:\Windows\system32\Dwm.exe[1692] ntdll.dll!LdrUnloadDll 7785B680 6 Bytes JMP 71A8000A .text C:\Windows\system32\Dwm.exe[1692] ntdll.dll!NtAlpcSendWaitReceivePort 77884104 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[1692] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77884108 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\Dwm.exe[1692] ntdll.dll!NtClose 778841A4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[1692] ntdll.dll!NtClose + 4 778841A8 2 Bytes [AE, 71] .text C:\Windows\system32\Dwm.exe[1692] kernel32.dll!CreateProcessW 775F1BF3 6 Bytes JMP 719F000A .text C:\Windows\system32\Dwm.exe[1692] kernel32.dll!CreateProcessA 775F1C28 6 Bytes JMP 719C000A .text C:\Windows\system32\Dwm.exe[1692] kernel32.dll!LoadLibraryExW + 173 776193DF 4 Bytes JMP 71AC000A .text C:\Windows\system32\Dwm.exe[1692] ADVAPI32.dll!CreateProcessAsUserA 7738CEB9 6 Bytes JMP 7199000A .text C:\Windows\system32\Dwm.exe[1692] ADVAPI32.dll!CreateProcessAsUserW 773A1EE9 6 Bytes JMP 7193000A .text C:\Windows\system32\Dwm.exe[1692] ADVAPI32.dll!CreateProcessWithLogonW 773E80C1 6 Bytes JMP 7196000A .text C:\Windows\system32\Dwm.exe[1692] GDI32.dll!DeleteDC 75EE68CD 6 Bytes JMP 7187000A .text C:\Windows\system32\Dwm.exe[1692] GDI32.dll!CreateDCW 75EEA91D 6 Bytes JMP 718D000A .text C:\Windows\system32\Dwm.exe[1692] GDI32.dll!CreateDCA 75EEAA49 6 Bytes JMP 7190000A .text C:\Windows\system32\Dwm.exe[1692] GDI32.dll!GetPixel 75EEBE90 6 Bytes JMP 718A000A .text C:\Windows\system32\Dwm.exe[1692] USER32.dll!SetWindowsHookExA 76266322 6 Bytes JMP 7184000A .text C:\Windows\system32\Dwm.exe[1692] USER32.dll!SetWindowsHookExW 762687AD 6 Bytes JMP 7181000A .text C:\Windows\system32\Dwm.exe[1692] USER32.dll!SetWinEventHook 76269F3A 6 Bytes JMP 717E000A .text C:\Windows\system32\SearchFilterHost.exe[1768] ntdll.dll!LdrUnloadDll 7785B680 6 Bytes JMP 71A8000A .text C:\Windows\system32\SearchFilterHost.exe[1768] ntdll.dll!NtAlpcSendWaitReceivePort 77884104 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\SearchFilterHost.exe[1768] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77884108 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\SearchFilterHost.exe[1768] ntdll.dll!NtClose 778841A4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\SearchFilterHost.exe[1768] ntdll.dll!NtClose + 4 778841A8 2 Bytes [AE, 71] .text C:\Windows\system32\SearchFilterHost.exe[1768] kernel32.dll!CreateProcessW 775F1BF3 6 Bytes JMP 719F000A .text C:\Windows\system32\SearchFilterHost.exe[1768] kernel32.dll!CreateProcessA 775F1C28 6 Bytes JMP 719C000A .text C:\Windows\system32\SearchFilterHost.exe[1768] kernel32.dll!LoadLibraryExW + 173 776193DF 4 Bytes JMP 71AC000A .text C:\Windows\system32\SearchFilterHost.exe[1768] ADVAPI32.dll!CreateProcessAsUserA 7738CEB9 6 Bytes JMP 7199000A .text C:\Windows\system32\SearchFilterHost.exe[1768] ADVAPI32.dll!CreateProcessAsUserW 773A1EE9 6 Bytes JMP 7193000A .text C:\Windows\system32\SearchFilterHost.exe[1768] ADVAPI32.dll!CreateProcessWithLogonW 773E80C1 6 Bytes JMP 7196000A .text C:\Windows\system32\SearchFilterHost.exe[1768] USER32.dll!SetWindowsHookExA 76266322 6 Bytes JMP 7184000A .text C:\Windows\system32\SearchFilterHost.exe[1768] USER32.dll!SetWindowsHookExW 762687AD 6 Bytes JMP 7181000A .text C:\Windows\system32\SearchFilterHost.exe[1768] USER32.dll!SetWinEventHook 76269F3A 6 Bytes JMP 717E000A .text C:\Windows\system32\SearchFilterHost.exe[1768] GDI32.dll!DeleteDC 75EE68CD 6 Bytes JMP 7187000A .text C:\Windows\system32\SearchFilterHost.exe[1768] GDI32.dll!CreateDCW 75EEA91D 6 Bytes JMP 718D000A .text C:\Windows\system32\SearchFilterHost.exe[1768] GDI32.dll!CreateDCA 75EEAA49 6 Bytes JMP 7190000A .text C:\Windows\system32\SearchFilterHost.exe[1768] GDI32.dll!GetPixel 75EEBE90 6 Bytes JMP 718A000A .text C:\Windows\RtHDVCpl.exe[1812] ntdll.dll!LdrUnloadDll 7785B680 6 Bytes JMP 71A8000A .text C:\Windows\RtHDVCpl.exe[1812] ntdll.dll!NtAlpcSendWaitReceivePort 77884104 3 Bytes [FF, 25, 1E] .text C:\Windows\RtHDVCpl.exe[1812] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77884108 2 Bytes [74, 71] {JZ 0x73} .text C:\Windows\RtHDVCpl.exe[1812] ntdll.dll!NtClose 778841A4 3 Bytes [FF, 25, 1E] .text C:\Windows\RtHDVCpl.exe[1812] ntdll.dll!NtClose + 4 778841A8 2 Bytes [AE, 71] .text C:\Windows\RtHDVCpl.exe[1812] kernel32.dll!CreateProcessW 775F1BF3 6 Bytes JMP 719F000A .text C:\Windows\RtHDVCpl.exe[1812] kernel32.dll!CreateProcessA 775F1C28 6 Bytes JMP 719C000A .text C:\Windows\RtHDVCpl.exe[1812] kernel32.dll!LoadLibraryExW + 173 776193DF 4 Bytes JMP 71AC000A .text C:\Windows\RtHDVCpl.exe[1812] ADVAPI32.dll!CreateProcessAsUserA 7738CEB9 6 Bytes JMP 7199000A .text C:\Windows\RtHDVCpl.exe[1812] ADVAPI32.dll!CreateProcessAsUserW 773A1EE9 6 Bytes JMP 7193000A .text C:\Windows\RtHDVCpl.exe[1812] ADVAPI32.dll!CreateProcessWithLogonW 773E80C1 6 Bytes JMP 7196000A .text C:\Windows\RtHDVCpl.exe[1812] GDI32.dll!DeleteDC 75EE68CD 6 Bytes JMP 7181000A .text C:\Windows\RtHDVCpl.exe[1812] GDI32.dll!CreateDCW 75EEA91D 6 Bytes JMP 718D000A .text C:\Windows\RtHDVCpl.exe[1812] GDI32.dll!CreateDCA 75EEAA49 6 Bytes JMP 7190000A .text C:\Windows\RtHDVCpl.exe[1812] GDI32.dll!GetPixel 75EEBE90 6 Bytes JMP 718A000A .text C:\Windows\RtHDVCpl.exe[1812] USER32.dll!SetWindowsHookExA 76266322 6 Bytes JMP 717E000A .text C:\Windows\RtHDVCpl.exe[1812] USER32.dll!SetWindowsHookExW 762687AD 6 Bytes JMP 717B000A .text C:\Windows\RtHDVCpl.exe[1812] USER32.dll!SetWinEventHook 76269F3A 6 Bytes JMP 7178000A .text C:\Windows\system32\vfsFPService.exe[1836] ntdll.dll!LdrUnloadDll 7785B680 6 Bytes JMP 71A8000A .text C:\Windows\system32\vfsFPService.exe[1836] ntdll.dll!NtAlpcSendWaitReceivePort 77884104 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\vfsFPService.exe[1836] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77884108 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\vfsFPService.exe[1836] ntdll.dll!NtClose 778841A4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\vfsFPService.exe[1836] ntdll.dll!NtClose + 4 778841A8 2 Bytes [AE, 71] .text C:\Windows\system32\vfsFPService.exe[1836] kernel32.dll!CreateProcessW 775F1BF3 6 Bytes JMP 719F000A .text C:\Windows\system32\vfsFPService.exe[1836] kernel32.dll!CreateProcessA 775F1C28 6 Bytes JMP 719C000A .text C:\Windows\system32\vfsFPService.exe[1836] kernel32.dll!LoadLibraryExW + 173 776193DF 4 Bytes JMP 71AC000A .text C:\Windows\system32\vfsFPService.exe[1836] GDI32.dll!DeleteDC 75EE68CD 6 Bytes JMP 7187000A .text C:\Windows\system32\vfsFPService.exe[1836] GDI32.dll!CreateDCW 75EEA91D 6 Bytes JMP 718D000A .text C:\Windows\system32\vfsFPService.exe[1836] GDI32.dll!CreateDCA 75EEAA49 6 Bytes JMP 7190000A .text C:\Windows\system32\vfsFPService.exe[1836] GDI32.dll!GetPixel 75EEBE90 6 Bytes JMP 718A000A .text C:\Windows\system32\vfsFPService.exe[1836] USER32.dll!SetWindowsHookExA 76266322 6 Bytes JMP 7184000A .text C:\Windows\system32\vfsFPService.exe[1836] USER32.dll!SetWindowsHookExW 762687AD 6 Bytes JMP 7181000A .text C:\Windows\system32\vfsFPService.exe[1836] USER32.dll!SetWinEventHook 76269F3A 6 Bytes JMP 717E000A .text C:\Windows\system32\vfsFPService.exe[1836] ADVAPI32.dll!CreateProcessAsUserA 7738CEB9 6 Bytes JMP 7199000A .text C:\Windows\system32\vfsFPService.exe[1836] ADVAPI32.dll!CreateProcessAsUserW 773A1EE9 6 Bytes JMP 7193000A .text C:\Windows\system32\vfsFPService.exe[1836] ADVAPI32.dll!CreateProcessWithLogonW 773E80C1 6 Bytes JMP 7196000A .text C:\Windows\Explorer.EXE[1888] ntdll.dll!LdrUnloadDll 7785B680 6 Bytes JMP 71A8000A .text C:\Windows\Explorer.EXE[1888] ntdll.dll!NtAlpcSendWaitReceivePort 77884104 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[1888] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77884108 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\Explorer.EXE[1888] ntdll.dll!NtClose 778841A4 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[1888] ntdll.dll!NtClose + 4 778841A8 2 Bytes [AE, 71] .text C:\Windows\Explorer.EXE[1888] kernel32.dll!CreateProcessW 775F1BF3 6 Bytes JMP 719F000A .text C:\Windows\Explorer.EXE[1888] kernel32.dll!CreateProcessA 775F1C28 6 Bytes JMP 719C000A .text C:\Windows\Explorer.EXE[1888] kernel32.dll!LoadLibraryExW + 173 776193DF 4 Bytes JMP 71AC000A .text C:\Windows\Explorer.EXE[1888] ADVAPI32.dll!CreateProcessAsUserA 7738CEB9 6 Bytes JMP 7199000A .text C:\Windows\Explorer.EXE[1888] ADVAPI32.dll!CreateProcessAsUserW 773A1EE9 6 Bytes JMP 7193000A .text C:\Windows\Explorer.EXE[1888] ADVAPI32.dll!CreateProcessWithLogonW 773E80C1 6 Bytes JMP 7196000A .text C:\Windows\Explorer.EXE[1888] GDI32.dll!DeleteDC 75EE68CD 6 Bytes JMP 7187000A .text C:\Windows\Explorer.EXE[1888] GDI32.dll!CreateDCW 75EEA91D 6 Bytes JMP 718D000A .text C:\Windows\Explorer.EXE[1888] GDI32.dll!CreateDCA 75EEAA49 6 Bytes JMP 7190000A .text C:\Windows\Explorer.EXE[1888] GDI32.dll!GetPixel 75EEBE90 6 Bytes JMP 718A000A .text C:\Windows\Explorer.EXE[1888] USER32.dll!SetWindowsHookExA 76266322 6 Bytes JMP 7184000A .text C:\Windows\Explorer.EXE[1888] USER32.dll!SetWindowsHookExW 762687AD 6 Bytes JMP 7181000A .text C:\Windows\Explorer.EXE[1888] USER32.dll!SetWinEventHook 76269F3A 6 Bytes JMP 717E000A .text C:\Windows\system32\taskeng.exe[2064] ntdll.dll!LdrUnloadDll 7785B680 6 Bytes JMP 71A8000A .text C:\Windows\system32\taskeng.exe[2064] ntdll.dll!NtAlpcSendWaitReceivePort 77884104 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskeng.exe[2064] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77884108 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\taskeng.exe[2064] ntdll.dll!NtClose 778841A4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskeng.exe[2064] ntdll.dll!NtClose + 4 778841A8 2 Bytes [AE, 71] .text C:\Windows\system32\taskeng.exe[2064] kernel32.dll!CreateProcessW 775F1BF3 6 Bytes JMP 719F000A .text C:\Windows\system32\taskeng.exe[2064] kernel32.dll!CreateProcessA 775F1C28 6 Bytes JMP 719C000A .text C:\Windows\system32\taskeng.exe[2064] kernel32.dll!LoadLibraryExW + 173 776193DF 4 Bytes JMP 71AC000A .text C:\Windows\system32\taskeng.exe[2064] ADVAPI32.dll!CreateProcessAsUserA 7738CEB9 6 Bytes JMP 7199000A .text C:\Windows\system32\taskeng.exe[2064] ADVAPI32.dll!CreateProcessAsUserW 773A1EE9 6 Bytes JMP 7193000A .text C:\Windows\system32\taskeng.exe[2064] ADVAPI32.dll!CreateProcessWithLogonW 773E80C1 6 Bytes JMP 7196000A .text C:\Windows\system32\taskeng.exe[2064] USER32.dll!SetWindowsHookExA 76266322 6 Bytes JMP 7184000A .text C:\Windows\system32\taskeng.exe[2064] USER32.dll!SetWindowsHookExW 762687AD 6 Bytes JMP 7181000A .text C:\Windows\system32\taskeng.exe[2064] USER32.dll!SetWinEventHook 76269F3A 6 Bytes JMP 717E000A .text C:\Windows\system32\taskeng.exe[2064] GDI32.dll!DeleteDC 75EE68CD 6 Bytes JMP 7187000A .text C:\Windows\system32\taskeng.exe[2064] GDI32.dll!CreateDCW 75EEA91D 6 Bytes JMP 718D000A .text C:\Windows\system32\taskeng.exe[2064] GDI32.dll!CreateDCA 75EEAA49 6 Bytes JMP 7190000A .text C:\Windows\system32\taskeng.exe[2064] GDI32.dll!GetPixel 75EEBE90 6 Bytes JMP 718A000A .text C:\Windows\system32\taskeng.exe[2192] ntdll.dll!LdrUnloadDll 7785B680 6 Bytes JMP 71A8000A .text C:\Windows\system32\taskeng.exe[2192] ntdll.dll!NtAlpcSendWaitReceivePort 77884104 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskeng.exe[2192] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77884108 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\taskeng.exe[2192] ntdll.dll!NtClose 778841A4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskeng.exe[2192] ntdll.dll!NtClose + 4 778841A8 2 Bytes [AE, 71] .text C:\Windows\system32\taskeng.exe[2192] kernel32.dll!CreateProcessW 775F1BF3 6 Bytes JMP 719F000A .text C:\Windows\system32\taskeng.exe[2192] kernel32.dll!CreateProcessA 775F1C28 6 Bytes JMP 719C000A .text C:\Windows\system32\taskeng.exe[2192] kernel32.dll!LoadLibraryExW + 173 776193DF 4 Bytes JMP 71AC000A .text C:\Windows\system32\taskeng.exe[2192] ADVAPI32.dll!CreateProcessAsUserA 7738CEB9 6 Bytes JMP 7199000A .text C:\Windows\system32\taskeng.exe[2192] ADVAPI32.dll!CreateProcessAsUserW 773A1EE9 6 Bytes JMP 7193000A .text C:\Windows\system32\taskeng.exe[2192] ADVAPI32.dll!CreateProcessWithLogonW 773E80C1 6 Bytes JMP 7196000A .text C:\Windows\system32\taskeng.exe[2192] USER32.dll!SetWindowsHookExA 76266322 6 Bytes JMP 7184000A .text C:\Windows\system32\taskeng.exe[2192] USER32.dll!SetWindowsHookExW 762687AD 6 Bytes JMP 7181000A .text C:\Windows\system32\taskeng.exe[2192] USER32.dll!SetWinEventHook 76269F3A 6 Bytes JMP 717E000A .text C:\Windows\system32\taskeng.exe[2192] GDI32.dll!DeleteDC 75EE68CD 6 Bytes JMP 7187000A .text C:\Windows\system32\taskeng.exe[2192] GDI32.dll!CreateDCW 75EEA91D 6 Bytes JMP 718D000A .text C:\Windows\system32\taskeng.exe[2192] GDI32.dll!CreateDCA 75EEAA49 6 Bytes JMP 7190000A .text C:\Windows\system32\taskeng.exe[2192] GDI32.dll!GetPixel 75EEBE90 6 Bytes JMP 718A000A .text C:\Windows\system32\SearchProtocolHost.exe[2204] ntdll.dll!LdrUnloadDll 7785B680 6 Bytes JMP 71A8000A .text C:\Windows\system32\SearchProtocolHost.exe[2204] ntdll.dll!NtAlpcSendWaitReceivePort 77884104 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\SearchProtocolHost.exe[2204] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77884108 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\SearchProtocolHost.exe[2204] ntdll.dll!NtClose 778841A4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\SearchProtocolHost.exe[2204] ntdll.dll!NtClose + 4 778841A8 2 Bytes [AE, 71] .text C:\Windows\system32\SearchProtocolHost.exe[2204] kernel32.dll!CreateProcessW 775F1BF3 6 Bytes JMP 719F000A .text C:\Windows\system32\SearchProtocolHost.exe[2204] kernel32.dll!CreateProcessA 775F1C28 6 Bytes JMP 719C000A .text C:\Windows\system32\SearchProtocolHost.exe[2204] kernel32.dll!LoadLibraryExW + 173 776193DF 4 Bytes JMP 71AC000A .text C:\Windows\system32\SearchProtocolHost.exe[2204] ADVAPI32.dll!CreateProcessAsUserA 7738CEB9 6 Bytes JMP 7199000A .text C:\Windows\system32\SearchProtocolHost.exe[2204] ADVAPI32.dll!CreateProcessAsUserW 773A1EE9 6 Bytes JMP 7193000A .text C:\Windows\system32\SearchProtocolHost.exe[2204] ADVAPI32.dll!CreateProcessWithLogonW 773E80C1 6 Bytes JMP 7196000A .text C:\Windows\system32\SearchProtocolHost.exe[2204] USER32.dll!SetWindowsHookExA 76266322 6 Bytes JMP 7184000A .text C:\Windows\system32\SearchProtocolHost.exe[2204] USER32.dll!SetWindowsHookExW 762687AD 6 Bytes JMP 7181000A .text C:\Windows\system32\SearchProtocolHost.exe[2204] USER32.dll!SetWinEventHook 76269F3A 6 Bytes JMP 717E000A .text C:\Windows\system32\SearchProtocolHost.exe[2204] GDI32.dll!DeleteDC 75EE68CD 6 Bytes JMP 7187000A .text C:\Windows\system32\SearchProtocolHost.exe[2204] GDI32.dll!CreateDCW 75EEA91D 6 Bytes JMP 718D000A .text C:\Windows\system32\SearchProtocolHost.exe[2204] GDI32.dll!CreateDCA 75EEAA49 6 Bytes JMP 7190000A .text C:\Windows\system32\SearchProtocolHost.exe[2204] GDI32.dll!GetPixel 75EEBE90 6 Bytes JMP 718A000A .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2320] ntdll.dll!LdrUnloadDll 7785B680 6 Bytes JMP 71A8000A .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2320] ntdll.dll!NtAlpcSendWaitReceivePort 77884104 3 Bytes [FF, 25, 1E] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2320] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77884108 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2320] ntdll.dll!NtClose 778841A4 3 Bytes [FF, 25, 1E] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2320] ntdll.dll!NtClose + 4 778841A8 2 Bytes [AE, 71] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2320] kernel32.dll!CreateProcessW 775F1BF3 6 Bytes JMP 719F000A .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2320] kernel32.dll!CreateProcessA 775F1C28 6 Bytes JMP 719C000A .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2320] kernel32.dll!LoadLibraryExW + 173 776193DF 4 Bytes JMP 71AC000A .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2320] USER32.dll!SetWindowsHookExA 76266322 6 Bytes JMP 7184000A .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2320] USER32.dll!SetWindowsHookExW 762687AD 6 Bytes JMP 7181000A .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2320] USER32.dll!SetWinEventHook 76269F3A 6 Bytes JMP 717E000A .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2320] GDI32.dll!DeleteDC 75EE68CD 6 Bytes JMP 7187000A .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2320] GDI32.dll!CreateDCW 75EEA91D 6 Bytes JMP 718D000A .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2320] GDI32.dll!CreateDCA 75EEAA49 6 Bytes JMP 7190000A .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2320] GDI32.dll!GetPixel 75EEBE90 6 Bytes JMP 718A000A .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2320] ADVAPI32.dll!CreateProcessAsUserA 7738CEB9 6 Bytes JMP 7199000A .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2320] ADVAPI32.dll!CreateProcessAsUserW 773A1EE9 6 Bytes JMP 7193000A .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2320] ADVAPI32.dll!CreateProcessWithLogonW 773E80C1 6 Bytes JMP 7196000A .text C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe[2328] ntdll.dll!LdrUnloadDll 7785B680 6 Bytes JMP 71A8000A .text C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe[2328] ntdll.dll!NtAlpcSendWaitReceivePort 77884104 3 Bytes [FF, 25, 1E] .text C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe[2328] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77884108 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe[2328] ntdll.dll!NtClose 778841A4 3 Bytes [FF, 25, 1E] .text C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe[2328] ntdll.dll!NtClose + 4 778841A8 2 Bytes [AE, 71] .text C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe[2328] KERNEL32.dll!CreateProcessW 775F1BF3 6 Bytes JMP 719F000A .text C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe[2328] KERNEL32.dll!CreateProcessA 775F1C28 6 Bytes JMP 719C000A .text C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe[2328] KERNEL32.dll!LoadLibraryExW + 173 776193DF 4 Bytes JMP 71AC000A .text C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe[2328] USER32.dll!SetWindowsHookExA 76266322 6 Bytes JMP 7184000A .text C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe[2328] USER32.dll!SetWindowsHookExW 762687AD 6 Bytes JMP 7181000A .text C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe[2328] USER32.dll!SetWinEventHook 76269F3A 6 Bytes JMP 717E000A .text C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe[2328] GDI32.dll!DeleteDC 75EE68CD 6 Bytes JMP 7187000A .text C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe[2328] GDI32.dll!CreateDCW 75EEA91D 6 Bytes JMP 718D000A .text C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe[2328] GDI32.dll!CreateDCA 75EEAA49 6 Bytes JMP 7190000A .text C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe[2328] GDI32.dll!GetPixel 75EEBE90 6 Bytes JMP 718A000A .text C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe[2328] ADVAPI32.dll!CreateProcessAsUserA 7738CEB9 6 Bytes JMP 7199000A .text C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe[2328] ADVAPI32.dll!CreateProcessAsUserW 773A1EE9 6 Bytes JMP 7193000A .text C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe[2328] ADVAPI32.dll!CreateProcessWithLogonW 773E80C1 6 Bytes JMP 7196000A .text C:\Windows\system32\wbem\unsecapp.exe[2348] ntdll.dll!LdrUnloadDll 7785B680 6 Bytes JMP 71A8000A .text C:\Windows\system32\wbem\unsecapp.exe[2348] ntdll.dll!NtAlpcSendWaitReceivePort 77884104 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\wbem\unsecapp.exe[2348] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77884108 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\wbem\unsecapp.exe[2348] ntdll.dll!NtClose 778841A4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\wbem\unsecapp.exe[2348] ntdll.dll!NtClose + 4 778841A8 2 Bytes [AE, 71] .text C:\Windows\system32\wbem\unsecapp.exe[2348] kernel32.dll!CreateProcessW 775F1BF3 6 Bytes JMP 719F000A .text C:\Windows\system32\wbem\unsecapp.exe[2348] kernel32.dll!CreateProcessA 775F1C28 6 Bytes JMP 719C000A .text C:\Windows\system32\wbem\unsecapp.exe[2348] kernel32.dll!LoadLibraryExW + 173 776193DF 4 Bytes JMP 71AC000A .text C:\Windows\system32\wbem\unsecapp.exe[2348] ADVAPI32.dll!CreateProcessAsUserA 7738CEB9 6 Bytes JMP 7199000A .text C:\Windows\system32\wbem\unsecapp.exe[2348] ADVAPI32.dll!CreateProcessAsUserW 773A1EE9 6 Bytes JMP 7193000A .text C:\Windows\system32\wbem\unsecapp.exe[2348] ADVAPI32.dll!CreateProcessWithLogonW 773E80C1 6 Bytes JMP 7196000A .text C:\Windows\system32\wbem\unsecapp.exe[2348] GDI32.dll!DeleteDC 75EE68CD 6 Bytes JMP 7187000A .text C:\Windows\system32\wbem\unsecapp.exe[2348] GDI32.dll!CreateDCW 75EEA91D 6 Bytes JMP 718D000A .text C:\Windows\system32\wbem\unsecapp.exe[2348] GDI32.dll!CreateDCA 75EEAA49 6 Bytes JMP 7190000A .text C:\Windows\system32\wbem\unsecapp.exe[2348] GDI32.dll!GetPixel 75EEBE90 6 Bytes JMP 718A000A .text C:\Windows\system32\wbem\unsecapp.exe[2348] USER32.dll!SetWindowsHookExA 76266322 6 Bytes JMP 7184000A .text C:\Windows\system32\wbem\unsecapp.exe[2348] USER32.dll!SetWindowsHookExW 762687AD 6 Bytes JMP 7181000A .text C:\Windows\system32\wbem\unsecapp.exe[2348] USER32.dll!SetWinEventHook 76269F3A 6 Bytes JMP 717E000A .text C:\Program Files\Acer\Empowering Technology\eAudio\eAudio.exe[2352] ntdll.dll!LdrUnloadDll 7785B680 6 Bytes JMP 71A8000A .text C:\Program Files\Acer\Empowering Technology\eAudio\eAudio.exe[2352] ntdll.dll!NtAlpcSendWaitReceivePort 77884104 3 Bytes [FF, 25, 1E] .text C:\Program Files\Acer\Empowering Technology\eAudio\eAudio.exe[2352] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77884108 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Acer\Empowering Technology\eAudio\eAudio.exe[2352] ntdll.dll!NtClose 778841A4 3 Bytes [FF, 25, 1E] .text C:\Program Files\Acer\Empowering Technology\eAudio\eAudio.exe[2352] ntdll.dll!NtClose + 4 778841A8 2 Bytes [AE, 71] .text C:\Program Files\Acer\Empowering Technology\eAudio\eAudio.exe[2352] kernel32.dll!CreateProcessW 775F1BF3 6 Bytes JMP 719F000A .text C:\Program Files\Acer\Empowering Technology\eAudio\eAudio.exe[2352] kernel32.dll!CreateProcessA 775F1C28 6 Bytes JMP 719C000A .text C:\Program Files\Acer\Empowering Technology\eAudio\eAudio.exe[2352] kernel32.dll!LoadLibraryExW + 173 776193DF 4 Bytes JMP 71AC000A .text C:\Program Files\Acer\Empowering Technology\eAudio\eAudio.exe[2352] USER32.dll!SetWindowsHookExA 76266322 6 Bytes JMP 7184000A .text C:\Program Files\Acer\Empowering Technology\eAudio\eAudio.exe[2352] USER32.dll!SetWindowsHookExW 762687AD 6 Bytes JMP 7181000A .text C:\Program Files\Acer\Empowering Technology\eAudio\eAudio.exe[2352] USER32.dll!SetWinEventHook 76269F3A 6 Bytes JMP 717E000A .text C:\Program Files\Acer\Empowering Technology\eAudio\eAudio.exe[2352] GDI32.dll!DeleteDC 75EE68CD 6 Bytes JMP 7187000A .text C:\Program Files\Acer\Empowering Technology\eAudio\eAudio.exe[2352] GDI32.dll!CreateDCW 75EEA91D 6 Bytes JMP 718D000A .text C:\Program Files\Acer\Empowering Technology\eAudio\eAudio.exe[2352] GDI32.dll!CreateDCA 75EEAA49 6 Bytes JMP 7190000A .text C:\Program Files\Acer\Empowering Technology\eAudio\eAudio.exe[2352] GDI32.dll!GetPixel 75EEBE90 6 Bytes JMP 718A000A .text C:\Program Files\Acer\Empowering Technology\eAudio\eAudio.exe[2352] ADVAPI32.dll!CreateProcessAsUserA 7738CEB9 6 Bytes JMP 7199000A .text C:\Program Files\Acer\Empowering Technology\eAudio\eAudio.exe[2352] ADVAPI32.dll!CreateProcessAsUserW 773A1EE9 6 Bytes JMP 7193000A .text C:\Program Files\Acer\Empowering Technology\eAudio\eAudio.exe[2352] ADVAPI32.dll!CreateProcessWithLogonW 773E80C1 6 Bytes JMP 7196000A .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2392] ntdll.dll!LdrUnloadDll 7785B680 6 Bytes JMP 71A8000A .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2392] ntdll.dll!NtAlpcSendWaitReceivePort 77884104 3 Bytes [FF, 25, 1E] .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2392] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77884108 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2392] ntdll.dll!NtClose 778841A4 3 Bytes [FF, 25, 1E] .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2392] ntdll.dll!NtClose + 4 778841A8 2 Bytes [AE, 71] .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2392] kernel32.dll!CreateProcessW 775F1BF3 6 Bytes JMP 719F000A .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2392] kernel32.dll!CreateProcessA 775F1C28 6 Bytes JMP 719C000A .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2392] kernel32.dll!LoadLibraryExW + 173 776193DF 4 Bytes JMP 71AC000A .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2392] USER32.dll!SetWindowsHookExA 76266322 6 Bytes JMP 7184000A .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2392] USER32.dll!SetWindowsHookExW 762687AD 6 Bytes JMP 7181000A .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2392] USER32.dll!SetWinEventHook 76269F3A 6 Bytes JMP 717E000A .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2392] GDI32.dll!DeleteDC 75EE68CD 6 Bytes JMP 7187000A .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2392] GDI32.dll!CreateDCW 75EEA91D 6 Bytes JMP 718D000A .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2392] GDI32.dll!CreateDCA 75EEAA49 6 Bytes JMP 7190000A .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2392] GDI32.dll!GetPixel 75EEBE90 6 Bytes JMP 718A000A .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2392] ADVAPI32.dll!CreateProcessAsUserA 7738CEB9 6 Bytes JMP 7199000A .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2392] ADVAPI32.dll!CreateProcessAsUserW 773A1EE9 6 Bytes JMP 7193000A .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2392] ADVAPI32.dll!CreateProcessWithLogonW 773E80C1 6 Bytes JMP 7196000A .text C:\Program Files\Skype\Phone\Skype.exe[2400] ntdll.dll!LdrUnloadDll 7785B680 6 Bytes JMP 71A8000A .text C:\Program Files\Skype\Phone\Skype.exe[2400] ntdll.dll!NtAlpcSendWaitReceivePort 77884104 3 Bytes [FF, 25, 1E] .text C:\Program Files\Skype\Phone\Skype.exe[2400] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77884108 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Skype\Phone\Skype.exe[2400] ntdll.dll!NtClose 778841A4 3 Bytes [FF, 25, 1E] .text C:\Program Files\Skype\Phone\Skype.exe[2400] ntdll.dll!NtClose + 4 778841A8 2 Bytes [AE, 71] .text C:\Program Files\Skype\Phone\Skype.exe[2400] kernel32.dll!CreateProcessW 775F1BF3 6 Bytes JMP 719F000A .text C:\Program Files\Skype\Phone\Skype.exe[2400] kernel32.dll!CreateProcessA 775F1C28 6 Bytes JMP 719C000A .text C:\Program Files\Skype\Phone\Skype.exe[2400] kernel32.dll!LoadLibraryExW + 173 776193DF 4 Bytes JMP 71AC000A .text C:\Program Files\Skype\Phone\Skype.exe[2400] USER32.dll!SetWindowsHookExA 76266322 6 Bytes JMP 7184000A .text C:\Program Files\Skype\Phone\Skype.exe[2400] USER32.dll!SetWindowsHookExW 762687AD 6 Bytes JMP 7181000A .text C:\Program Files\Skype\Phone\Skype.exe[2400] USER32.dll!SetWinEventHook 76269F3A 6 Bytes JMP 717E000A .text C:\Program Files\Skype\Phone\Skype.exe[2400] GDI32.dll!DeleteDC 75EE68CD 6 Bytes JMP 7187000A .text C:\Program Files\Skype\Phone\Skype.exe[2400] GDI32.dll!CreateDCW 75EEA91D 6 Bytes JMP 718D000A .text C:\Program Files\Skype\Phone\Skype.exe[2400] GDI32.dll!CreateDCA 75EEAA49 6 Bytes JMP 7190000A .text C:\Program Files\Skype\Phone\Skype.exe[2400] GDI32.dll!GetPixel 75EEBE90 6 Bytes JMP 718A000A .text C:\Program Files\Skype\Phone\Skype.exe[2400] ADVAPI32.dll!CreateProcessAsUserA 7738CEB9 6 Bytes JMP 7199000A .text C:\Program Files\Skype\Phone\Skype.exe[2400] ADVAPI32.dll!CreateProcessAsUserW 773A1EE9 6 Bytes JMP 7193000A .text C:\Program Files\Skype\Phone\Skype.exe[2400] ADVAPI32.dll!CreateProcessWithLogonW 773E80C1 6 Bytes JMP 7196000A .text C:\Program Files\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2488] ntdll.dll!LdrUnloadDll 7785B680 6 Bytes JMP 71A8000A .text C:\Program Files\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2488] ntdll.dll!NtAlpcSendWaitReceivePort 77884104 3 Bytes [FF, 25, 1E] .text C:\Program Files\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2488] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77884108 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2488] ntdll.dll!NtClose 778841A4 3 Bytes [FF, 25, 1E] .text C:\Program Files\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2488] ntdll.dll!NtClose + 4 778841A8 2 Bytes [AE, 71] .text C:\Program Files\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2488] kernel32.dll!CreateProcessW 775F1BF3 6 Bytes JMP 719F000A .text C:\Program Files\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2488] kernel32.dll!CreateProcessA 775F1C28 6 Bytes JMP 719C000A .text C:\Program Files\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2488] kernel32.dll!LoadLibraryExW + 173 776193DF 4 Bytes JMP 71AC000A .text C:\Program Files\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2488] GDI32.dll!DeleteDC 75EE68CD 6 Bytes JMP 7187000A .text C:\Program Files\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2488] GDI32.dll!CreateDCW 75EEA91D 6 Bytes JMP 718D000A .text C:\Program Files\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2488] GDI32.dll!CreateDCA 75EEAA49 6 Bytes JMP 7190000A .text C:\Program Files\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2488] GDI32.dll!GetPixel 75EEBE90 6 Bytes JMP 718A000A .text C:\Program Files\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2488] USER32.dll!SetWindowsHookExA 76266322 6 Bytes JMP 7184000A .text C:\Program Files\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2488] USER32.dll!SetWindowsHookExW 762687AD 6 Bytes JMP 7181000A .text C:\Program Files\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2488] USER32.dll!SetWinEventHook 76269F3A 6 Bytes JMP 717E000A .text C:\Program Files\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2488] ADVAPI32.dll!CreateProcessAsUserA 7738CEB9 6 Bytes JMP 7199000A .text C:\Program Files\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2488] ADVAPI32.dll!CreateProcessAsUserW 773A1EE9 6 Bytes JMP 7193000A .text C:\Program Files\Nuance\PDF Viewer Plus\pdfPro5Hook.exe[2488] ADVAPI32.dll!CreateProcessWithLogonW 773E80C1 6 Bytes JMP 7196000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2928] ntdll.dll!LdrUnloadDll 7785B680 6 Bytes JMP 71A8000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2928] ntdll.dll!NtAlpcSendWaitReceivePort 77884104 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2928] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77884108 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2928] ntdll.dll!NtClose 778841A4 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2928] ntdll.dll!NtClose + 4 778841A8 2 Bytes [AE, 71] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2928] kernel32.dll!CreateProcessW 775F1BF3 6 Bytes JMP 719F000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2928] kernel32.dll!CreateProcessA 775F1C28 6 Bytes JMP 719C000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2928] kernel32.dll!LoadLibraryExW + 173 776193DF 4 Bytes JMP 71AC000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2928] ADVAPI32.dll!CreateProcessAsUserA 7738CEB9 6 Bytes JMP 7199000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2928] ADVAPI32.dll!CreateProcessAsUserW 773A1EE9 6 Bytes JMP 7193000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2928] ADVAPI32.dll!CreateProcessWithLogonW 773E80C1 6 Bytes JMP 7196000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2928] GDI32.dll!DeleteDC 75EE68CD 6 Bytes JMP 7187000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2928] GDI32.dll!CreateDCW 75EEA91D 6 Bytes JMP 718D000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2928] GDI32.dll!CreateDCA 75EEAA49 6 Bytes JMP 7190000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2928] GDI32.dll!GetPixel 75EEBE90 6 Bytes JMP 718A000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2928] USER32.dll!SetWindowsHookExA 76266322 6 Bytes JMP 7184000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2928] USER32.dll!SetWindowsHookExW 762687AD 6 Bytes JMP 7181000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2928] USER32.dll!SetWinEventHook 76269F3A 6 Bytes JMP 717E000A .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[2936] ntdll.dll!LdrUnloadDll 7785B680 6 Bytes JMP 71A8000A .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[2936] ntdll.dll!NtAlpcSendWaitReceivePort 77884104 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[2936] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77884108 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[2936] ntdll.dll!NtClose 778841A4 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[2936] ntdll.dll!NtClose + 4 778841A8 2 Bytes [AE, 71] .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[2936] kernel32.dll!CreateProcessW 775F1BF3 6 Bytes JMP 719F000A .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[2936] kernel32.dll!CreateProcessA 775F1C28 6 Bytes JMP 719C000A .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[2936] kernel32.dll!LoadLibraryExW + 173 776193DF 4 Bytes JMP 71AC000A .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[2936] GDI32.dll!DeleteDC 75EE68CD 6 Bytes JMP 7187000A .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[2936] GDI32.dll!CreateDCW 75EEA91D 6 Bytes JMP 718D000A .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[2936] GDI32.dll!CreateDCA 75EEAA49 6 Bytes JMP 7190000A .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[2936] GDI32.dll!GetPixel 75EEBE90 6 Bytes JMP 718A000A .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[2936] USER32.dll!SetWindowsHookExA 76266322 6 Bytes JMP 7184000A .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[2936] USER32.dll!SetWindowsHookExW 762687AD 6 Bytes JMP 7181000A .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[2936] USER32.dll!SetWinEventHook 76269F3A 6 Bytes JMP 717E000A .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[2936] ADVAPI32.dll!CreateProcessAsUserA 7738CEB9 6 Bytes JMP 7199000A .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[2936] ADVAPI32.dll!CreateProcessAsUserW 773A1EE9 6 Bytes JMP 7193000A .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[2936] ADVAPI32.dll!CreateProcessWithLogonW 773E80C1 6 Bytes JMP 7196000A .text C:\Program Files\Browny02\Brother\BrStMonW.exe[2940] ntdll.dll!LdrUnloadDll 7785B680 6 Bytes JMP 71A8000A .text C:\Program Files\Browny02\Brother\BrStMonW.exe[2940] ntdll.dll!NtAlpcSendWaitReceivePort 77884104 3 Bytes [FF, 25, 1E] .text C:\Program Files\Browny02\Brother\BrStMonW.exe[2940] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77884108 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Browny02\Brother\BrStMonW.exe[2940] ntdll.dll!NtClose 778841A4 3 Bytes [FF, 25, 1E] .text C:\Program Files\Browny02\Brother\BrStMonW.exe[2940] ntdll.dll!NtClose + 4 778841A8 2 Bytes [AE, 71] .text C:\Program Files\Browny02\Brother\BrStMonW.exe[2940] kernel32.dll!CreateProcessW 775F1BF3 6 Bytes JMP 719F000A .text C:\Program Files\Browny02\Brother\BrStMonW.exe[2940] kernel32.dll!CreateProcessA 775F1C28 6 Bytes JMP 719C000A .text C:\Program Files\Browny02\Brother\BrStMonW.exe[2940] kernel32.dll!LoadLibraryExW + 173 776193DF 4 Bytes JMP 71AC000A .text C:\Program Files\Browny02\Brother\BrStMonW.exe[2940] USER32.dll!SetWindowsHookExA 76266322 6 Bytes JMP 7184000A .text C:\Program Files\Browny02\Brother\BrStMonW.exe[2940] USER32.dll!SetWindowsHookExW 762687AD 6 Bytes JMP 7181000A .text C:\Program Files\Browny02\Brother\BrStMonW.exe[2940] USER32.dll!SetWinEventHook 76269F3A 6 Bytes JMP 717E000A .text C:\Program Files\Browny02\Brother\BrStMonW.exe[2940] GDI32.dll!DeleteDC 75EE68CD 6 Bytes JMP 7187000A .text C:\Program Files\Browny02\Brother\BrStMonW.exe[2940] GDI32.dll!CreateDCW 75EEA91D 6 Bytes JMP 718D000A .text C:\Program Files\Browny02\Brother\BrStMonW.exe[2940] GDI32.dll!CreateDCA 75EEAA49 6 Bytes JMP 7190000A .text C:\Program Files\Browny02\Brother\BrStMonW.exe[2940] GDI32.dll!GetPixel 75EEBE90 6 Bytes JMP 718A000A .text C:\Program Files\Browny02\Brother\BrStMonW.exe[2940] ADVAPI32.dll!CreateProcessAsUserA 7738CEB9 6 Bytes JMP 7199000A .text C:\Program Files\Browny02\Brother\BrStMonW.exe[2940] ADVAPI32.dll!CreateProcessAsUserW 773A1EE9 6 Bytes JMP 7193000A .text C:\Program Files\Browny02\Brother\BrStMonW.exe[2940] ADVAPI32.dll!CreateProcessWithLogonW 773E80C1 6 Bytes JMP 7196000A .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[2984] ntdll.dll!LdrUnloadDll 7785B680 6 Bytes JMP 71A8000A .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[2984] ntdll.dll!NtAlpcSendWaitReceivePort 77884104 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[2984] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77884108 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[2984] ntdll.dll!NtClose 778841A4 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[2984] ntdll.dll!NtClose + 4 778841A8 2 Bytes [AE, 71] .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[2984] kernel32.dll!CreateProcessW 775F1BF3 6 Bytes JMP 719F000A .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[2984] kernel32.dll!CreateProcessA 775F1C28 6 Bytes JMP 719C000A .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[2984] kernel32.dll!LoadLibraryExW + 173 776193DF 4 Bytes JMP 71AC000A .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[2984] GDI32.dll!DeleteDC 75EE68CD 6 Bytes JMP 7187000A .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[2984] GDI32.dll!CreateDCW 75EEA91D 6 Bytes JMP 718D000A .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[2984] GDI32.dll!CreateDCA 75EEAA49 6 Bytes JMP 7190000A .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[2984] GDI32.dll!GetPixel 75EEBE90 6 Bytes JMP 718A000A .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[2984] USER32.dll!SetWindowsHookExA 76266322 6 Bytes JMP 7184000A .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[2984] USER32.dll!SetWindowsHookExW 762687AD 6 Bytes JMP 7181000A .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[2984] USER32.dll!SetWinEventHook 76269F3A 6 Bytes JMP 717E000A .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[2984] ADVAPI32.dll!CreateProcessAsUserA 7738CEB9 6 Bytes JMP 7199000A .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[2984] ADVAPI32.dll!CreateProcessAsUserW 773A1EE9 6 Bytes JMP 7193000A .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[2984] ADVAPI32.dll!CreateProcessWithLogonW 773E80C1 6 Bytes JMP 7196000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[3000] ntdll.dll!LdrUnloadDll 7785B680 6 Bytes JMP 71A8000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[3000] ntdll.dll!NtAlpcSendWaitReceivePort 77884104 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[3000] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77884108 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[3000] ntdll.dll!NtClose 778841A4 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[3000] ntdll.dll!NtClose + 4 778841A8 2 Bytes [AE, 71] .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[3000] kernel32.dll!CreateProcessW 775F1BF3 6 Bytes JMP 719F000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[3000] kernel32.dll!CreateProcessA 775F1C28 6 Bytes JMP 719C000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[3000] kernel32.dll!LoadLibraryExW + 173 776193DF 4 Bytes JMP 71AC000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[3000] USER32.dll!SetWindowsHookExA 76266322 6 Bytes JMP 7184000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[3000] USER32.dll!SetWindowsHookExW 762687AD 6 Bytes JMP 7181000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[3000] USER32.dll!SetWinEventHook 76269F3A 6 Bytes JMP 717E000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[3000] GDI32.dll!DeleteDC 75EE68CD 6 Bytes JMP 7187000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[3000] GDI32.dll!CreateDCW 75EEA91D 6 Bytes JMP 718D000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[3000] GDI32.dll!CreateDCA 75EEAA49 6 Bytes JMP 7190000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[3000] GDI32.dll!GetPixel 75EEBE90 6 Bytes JMP 718A000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[3000] ADVAPI32.dll!CreateProcessAsUserA 7738CEB9 6 Bytes JMP 7199000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[3000] ADVAPI32.dll!CreateProcessAsUserW 773A1EE9 6 Bytes JMP 7193000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[3000] ADVAPI32.dll!CreateProcessWithLogonW 773E80C1 6 Bytes JMP 7196000A .text C:\Windows\system32\agrsmsvc.exe[3016] ntdll.dll!LdrUnloadDll 7785B680 6 Bytes JMP 71A8000A .text C:\Windows\system32\agrsmsvc.exe[3016] ntdll.dll!NtAlpcSendWaitReceivePort 77884104 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\agrsmsvc.exe[3016] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77884108 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\agrsmsvc.exe[3016] ntdll.dll!NtClose 778841A4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\agrsmsvc.exe[3016] ntdll.dll!NtClose + 4 778841A8 2 Bytes [AE, 71] .text C:\Windows\system32\agrsmsvc.exe[3016] kernel32.dll!CreateProcessW 775F1BF3 6 Bytes JMP 719F000A .text C:\Windows\system32\agrsmsvc.exe[3016] kernel32.dll!CreateProcessA 775F1C28 6 Bytes JMP 719C000A .text C:\Windows\system32\agrsmsvc.exe[3016] kernel32.dll!LoadLibraryExW + 173 776193DF 4 Bytes JMP 71AC000A .text C:\Windows\system32\agrsmsvc.exe[3016] ADVAPI32.dll!CreateProcessAsUserA 7738CEB9 6 Bytes JMP 7199000A .text C:\Windows\system32\agrsmsvc.exe[3016] ADVAPI32.dll!CreateProcessAsUserW 773A1EE9 6 Bytes JMP 7193000A .text C:\Windows\system32\agrsmsvc.exe[3016] ADVAPI32.dll!CreateProcessWithLogonW 773E80C1 6 Bytes JMP 7196000A .text C:\Windows\system32\agrsmsvc.exe[3016] USER32.dll!SetWindowsHookExA 76266322 6 Bytes JMP 7184000A .text C:\Windows\system32\agrsmsvc.exe[3016] USER32.dll!SetWindowsHookExW 762687AD 6 Bytes JMP 7181000A .text C:\Windows\system32\agrsmsvc.exe[3016] USER32.dll!SetWinEventHook 76269F3A 6 Bytes JMP 717E000A .text C:\Windows\system32\agrsmsvc.exe[3016] GDI32.dll!DeleteDC 75EE68CD 6 Bytes JMP 7187000A .text C:\Windows\system32\agrsmsvc.exe[3016] GDI32.dll!CreateDCW 75EEA91D 6 Bytes JMP 718D000A .text C:\Windows\system32\agrsmsvc.exe[3016] GDI32.dll!CreateDCA 75EEAA49 6 Bytes JMP 7190000A .text C:\Windows\system32\agrsmsvc.exe[3016] GDI32.dll!GetPixel 75EEBE90 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[3044] ntdll.dll!LdrUnloadDll 7785B680 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[3044] ntdll.dll!NtAlpcSendWaitReceivePort 77884104 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3044] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77884108 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\svchost.exe[3044] ntdll.dll!NtClose 778841A4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3044] ntdll.dll!NtClose + 4 778841A8 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[3044] kernel32.dll!CreateProcessW 775F1BF3 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[3044] kernel32.dll!CreateProcessA 775F1C28 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[3044] kernel32.dll!LoadLibraryExW + 173 776193DF 4 Bytes JMP 71AC000A .text C:\Windows\system32\svchost.exe[3044] ADVAPI32.dll!CreateProcessAsUserA 7738CEB9 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[3044] ADVAPI32.dll!CreateProcessAsUserW 773A1EE9 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[3044] ADVAPI32.dll!CreateProcessWithLogonW 773E80C1 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[3044] USER32.dll!SetWindowsHookExA 76266322 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[3044] USER32.dll!SetWindowsHookExW 762687AD 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[3044] USER32.dll!SetWinEventHook 76269F3A 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[3044] GDI32.dll!DeleteDC 75EE68CD 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[3044] GDI32.dll!CreateDCW 75EEA91D 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[3044] GDI32.dll!CreateDCA 75EEAA49 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[3044] GDI32.dll!GetPixel 75EEBE90 6 Bytes JMP 718A000A .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[3068] ntdll.dll!LdrUnloadDll 7785B680 6 Bytes JMP 71A8000A .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[3068] ntdll.dll!NtAlpcSendWaitReceivePort 77884104 3 Bytes [FF, 25, 1E] .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[3068] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77884108 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[3068] ntdll.dll!NtClose 778841A4 3 Bytes [FF, 25, 1E] .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[3068] ntdll.dll!NtClose + 4 778841A8 2 Bytes [AE, 71] .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[3068] kernel32.dll!CreateProcessW 775F1BF3 6 Bytes JMP 719F000A .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[3068] kernel32.dll!CreateProcessA 775F1C28 6 Bytes JMP 719C000A .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[3068] kernel32.dll!LoadLibraryExW + 173 776193DF 4 Bytes JMP 71AC000A .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[3068] ADVAPI32.dll!CreateProcessAsUserA 7738CEB9 6 Bytes JMP 7199000A .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[3068] ADVAPI32.dll!CreateProcessAsUserW 773A1EE9 6 Bytes JMP 7193000A .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[3068] ADVAPI32.dll!CreateProcessWithLogonW 773E80C1 6 Bytes JMP 7196000A .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[3068] GDI32.dll!DeleteDC 75EE68CD 6 Bytes JMP 7181000A .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[3068] GDI32.dll!CreateDCW 75EEA91D 6 Bytes JMP 718D000A .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[3068] GDI32.dll!CreateDCA 75EEAA49 6 Bytes JMP 7190000A .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[3068] GDI32.dll!GetPixel 75EEBE90 6 Bytes JMP 718A000A .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[3068] USER32.dll!SetWindowsHookExA 76266322 6 Bytes JMP 717E000A .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[3068] USER32.dll!SetWindowsHookExW 762687AD 6 Bytes JMP 717B000A .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[3068] USER32.dll!SetWinEventHook 76269F3A 6 Bytes JMP 7178000A .text C:\Program Files\Acer\Empowering Technology\Service\ETService.exe[3168] ntdll.dll!LdrUnloadDll 7785B680 6 Bytes JMP 71A8000A .text C:\Program Files\Acer\Empowering Technology\Service\ETService.exe[3168] ntdll.dll!NtAlpcSendWaitReceivePort 77884104 3 Bytes [FF, 25, 1E] .text C:\Program Files\Acer\Empowering Technology\Service\ETService.exe[3168] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77884108 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Acer\Empowering Technology\Service\ETService.exe[3168] ntdll.dll!NtClose 778841A4 3 Bytes [FF, 25, 1E] .text C:\Program Files\Acer\Empowering Technology\Service\ETService.exe[3168] ntdll.dll!NtClose + 4 778841A8 2 Bytes [AE, 71] .text C:\Program Files\Acer\Empowering Technology\Service\ETService.exe[3168] KERNEL32.dll!CreateProcessW 775F1BF3 6 Bytes JMP 719F000A .text C:\Program Files\Acer\Empowering Technology\Service\ETService.exe[3168] KERNEL32.dll!CreateProcessA 775F1C28 6 Bytes JMP 719C000A .text C:\Program Files\Acer\Empowering Technology\Service\ETService.exe[3168] KERNEL32.dll!LoadLibraryExW + 173 776193DF 4 Bytes JMP 71AC000A .text C:\Program Files\Acer\Empowering Technology\Service\ETService.exe[3168] USER32.dll!SetWindowsHookExA 76266322 6 Bytes JMP 7184000A .text C:\Program Files\Acer\Empowering Technology\Service\ETService.exe[3168] USER32.dll!SetWindowsHookExW 762687AD 6 Bytes JMP 7181000A .text C:\Program Files\Acer\Empowering Technology\Service\ETService.exe[3168] USER32.dll!SetWinEventHook 76269F3A 6 Bytes JMP 717E000A .text C:\Program Files\Acer\Empowering Technology\Service\ETService.exe[3168] GDI32.dll!DeleteDC 75EE68CD 6 Bytes JMP 7187000A .text C:\Program Files\Acer\Empowering Technology\Service\ETService.exe[3168] GDI32.dll!CreateDCW 75EEA91D 6 Bytes JMP 718D000A .text C:\Program Files\Acer\Empowering Technology\Service\ETService.exe[3168] GDI32.dll!CreateDCA 75EEAA49 6 Bytes JMP 7190000A .text C:\Program Files\Acer\Empowering Technology\Service\ETService.exe[3168] GDI32.dll!GetPixel 75EEBE90 6 Bytes JMP 718A000A .text C:\Program Files\Acer\Empowering Technology\Service\ETService.exe[3168] ADVAPI32.dll!CreateProcessAsUserA 7738CEB9 6 Bytes JMP 7199000A .text C:\Program Files\Acer\Empowering Technology\Service\ETService.exe[3168] ADVAPI32.dll!CreateProcessAsUserW 773A1EE9 6 Bytes JMP 7193000A .text C:\Program Files\Acer\Empowering Technology\Service\ETService.exe[3168] ADVAPI32.dll!CreateProcessWithLogonW 773E80C1 6 Bytes JMP 7196000A .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[3208] ntdll.dll!LdrUnloadDll 7785B680 6 Bytes JMP 71A8000A .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[3208] ntdll.dll!NtAlpcSendWaitReceivePort 77884104 3 Bytes [FF, 25, 1E] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[3208] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77884108 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[3208] ntdll.dll!NtClose 778841A4 3 Bytes [FF, 25, 1E] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[3208] ntdll.dll!NtClose + 4 778841A8 2 Bytes [AE, 71] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[3208] kernel32.dll!CreateProcessW 775F1BF3 6 Bytes JMP 719F000A .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[3208] kernel32.dll!CreateProcessA 775F1C28 6 Bytes JMP 719C000A .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[3208] kernel32.dll!LoadLibraryExW + 173 776193DF 4 Bytes JMP 71AC000A .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[3208] ADVAPI32.dll!CreateProcessAsUserA 7738CEB9 6 Bytes JMP 7199000A .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[3208] ADVAPI32.dll!CreateProcessAsUserW 773A1EE9 6 Bytes JMP 7193000A .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[3208] ADVAPI32.dll!CreateProcessWithLogonW 773E80C1 6 Bytes JMP 7196000A .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[3208] GDI32.dll!DeleteDC 75EE68CD 6 Bytes JMP 7187000A .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[3208] GDI32.dll!CreateDCW 75EEA91D 6 Bytes JMP 718D000A .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[3208] GDI32.dll!CreateDCA 75EEAA49 6 Bytes JMP 7190000A .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[3208] GDI32.dll!GetPixel 75EEBE90 6 Bytes JMP 718A000A .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[3208] USER32.dll!SetWindowsHookExA 76266322 6 Bytes JMP 7184000A .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[3208] USER32.dll!SetWindowsHookExW 762687AD 6 Bytes JMP 7181000A .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[3208] USER32.dll!SetWinEventHook 76269F3A 6 Bytes JMP 717E000A .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3252] ntdll.dll!LdrUnloadDll 7785B680 6 Bytes JMP 71A8000A .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3252] ntdll.dll!NtAlpcSendWaitReceivePort 77884104 3 Bytes [FF, 25, 1E] .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3252] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77884108 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3252] ntdll.dll!NtClose 778841A4 3 Bytes [FF, 25, 1E] .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3252] ntdll.dll!NtClose + 4 778841A8 2 Bytes [AE, 71] .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3252] kernel32.dll!CreateProcessW 775F1BF3 6 Bytes JMP 719F000A .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3252] kernel32.dll!CreateProcessA 775F1C28 6 Bytes JMP 719C000A .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3252] kernel32.dll!LoadLibraryExW + 173 776193DF 4 Bytes JMP 71AC000A .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3252] USER32.dll!SetWindowsHookExA 76266322 6 Bytes JMP 7184000A .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3252] USER32.dll!SetWindowsHookExW 762687AD 6 Bytes JMP 7181000A .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3252] USER32.dll!SetWinEventHook 76269F3A 6 Bytes JMP 717E000A .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3252] GDI32.dll!DeleteDC 75EE68CD 6 Bytes JMP 7187000A .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3252] GDI32.dll!CreateDCW 75EEA91D 6 Bytes JMP 718D000A .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3252] GDI32.dll!CreateDCA 75EEAA49 6 Bytes JMP 7190000A .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3252] GDI32.dll!GetPixel 75EEBE90 6 Bytes JMP 718A000A .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3252] ADVAPI32.dll!CreateProcessAsUserA 7738CEB9 6 Bytes JMP 7199000A .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3252] ADVAPI32.dll!CreateProcessAsUserW 773A1EE9 6 Bytes JMP 7193000A .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3252] ADVAPI32.dll!CreateProcessWithLogonW 773E80C1 6 Bytes JMP 7196000A .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[3308] ntdll.dll!LdrUnloadDll 7785B680 6 Bytes JMP 71A8000A .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[3308] ntdll.dll!NtAlpcSendWaitReceivePort 77884104 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[3308] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77884108 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[3308] ntdll.dll!NtClose 778841A4 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[3308] ntdll.dll!NtClose + 4 778841A8 2 Bytes [AE, 71] .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[3308] kernel32.dll!CreateProcessW 775F1BF3 6 Bytes JMP 719F000A .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[3308] kernel32.dll!CreateProcessA 775F1C28 6 Bytes JMP 719C000A .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[3308] kernel32.dll!LoadLibraryExW + 173 776193DF 4 Bytes JMP 71AC000A .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[3308] GDI32.dll!DeleteDC 75EE68CD 6 Bytes JMP 7187000A .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[3308] GDI32.dll!CreateDCW 75EEA91D 6 Bytes JMP 718D000A .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[3308] GDI32.dll!CreateDCA 75EEAA49 6 Bytes JMP 7190000A .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[3308] GDI32.dll!GetPixel 75EEBE90 6 Bytes JMP 718A000A .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[3308] USER32.dll!SetWindowsHookExA 76266322 6 Bytes JMP 7184000A .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[3308] USER32.dll!SetWindowsHookExW 762687AD 6 Bytes JMP 7181000A .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[3308] USER32.dll!SetWinEventHook 76269F3A 6 Bytes JMP 717E000A .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[3308] ADVAPI32.dll!CreateProcessAsUserA 7738CEB9 6 Bytes JMP 7199000A .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[3308] ADVAPI32.dll!CreateProcessAsUserW 773A1EE9 6 Bytes JMP 7193000A .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[3308] ADVAPI32.dll!CreateProcessWithLogonW 773E80C1 6 Bytes JMP 7196000A .text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[3340] ntdll.dll!LdrUnloadDll 7785B680 6 Bytes JMP 71A8000A .text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[3340] ntdll.dll!NtAlpcSendWaitReceivePort 77884104 3 Bytes [FF, 25, 1E] .text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[3340] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77884108 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[3340] ntdll.dll!NtClose 778841A4 3 Bytes [FF, 25, 1E] .text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[3340] ntdll.dll!NtClose + 4 778841A8 2 Bytes [AE, 71] .text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[3340] kernel32.dll!CreateProcessW 775F1BF3 6 Bytes JMP 719F000A .text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[3340] kernel32.dll!CreateProcessA 775F1C28 6 Bytes JMP 719C000A .text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[3340] kernel32.dll!LoadLibraryExW + 173 776193DF 4 Bytes JMP 71AC000A .text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[3340] ADVAPI32.dll!CreateProcessAsUserA 7738CEB9 6 Bytes JMP 7199000A .text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[3340] ADVAPI32.dll!CreateProcessAsUserW 773A1EE9 6 Bytes JMP 7193000A .text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[3340] ADVAPI32.dll!CreateProcessWithLogonW 773E80C1 6 Bytes JMP 7196000A .text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[3340] USER32.dll!SetWindowsHookExA 76266322 6 Bytes JMP 7184000A .text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[3340] USER32.dll!SetWindowsHookExW 762687AD 6 Bytes JMP 7181000A .text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[3340] USER32.dll!SetWinEventHook 76269F3A 6 Bytes JMP 717E000A .text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[3340] GDI32.dll!DeleteDC 75EE68CD 6 Bytes JMP 7187000A .text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[3340] GDI32.dll!CreateDCW 75EEA91D 6 Bytes JMP 718D000A .text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[3340] GDI32.dll!CreateDCA 75EEAA49 6 Bytes JMP 7190000A .text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[3340] GDI32.dll!GetPixel 75EEBE90 6 Bytes JMP 718A000A .text C:\Acer\Mobility Center\MobilityService.exe[3400] ntdll.dll!LdrUnloadDll 7785B680 6 Bytes JMP 71A8000A .text C:\Acer\Mobility Center\MobilityService.exe[3400] ntdll.dll!NtAlpcSendWaitReceivePort 77884104 3 Bytes [FF, 25, 1E] .text C:\Acer\Mobility Center\MobilityService.exe[3400] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77884108 2 Bytes [7A, 71] {JP 0x73} .text C:\Acer\Mobility Center\MobilityService.exe[3400] ntdll.dll!NtClose 778841A4 3 Bytes [FF, 25, 1E] .text C:\Acer\Mobility Center\MobilityService.exe[3400] ntdll.dll!NtClose + 4 778841A8 2 Bytes [AE, 71] .text C:\Acer\Mobility Center\MobilityService.exe[3400] KERNEL32.dll!CreateProcessW 775F1BF3 6 Bytes JMP 719F000A .text C:\Acer\Mobility Center\MobilityService.exe[3400] KERNEL32.dll!CreateProcessA 775F1C28 6 Bytes JMP 719C000A .text C:\Acer\Mobility Center\MobilityService.exe[3400] KERNEL32.dll!LoadLibraryExW + 173 776193DF 4 Bytes JMP 71AC000A .text C:\Acer\Mobility Center\MobilityService.exe[3400] ADVAPI32.dll!CreateProcessAsUserA 7738CEB9 6 Bytes JMP 7199000A .text C:\Acer\Mobility Center\MobilityService.exe[3400] ADVAPI32.dll!CreateProcessAsUserW 773A1EE9 6 Bytes JMP 7193000A .text C:\Acer\Mobility Center\MobilityService.exe[3400] ADVAPI32.dll!CreateProcessWithLogonW 773E80C1 6 Bytes JMP 7196000A .text C:\Acer\Mobility Center\MobilityService.exe[3400] USER32.dll!SetWindowsHookExA 76266322 6 Bytes JMP 7184000A .text C:\Acer\Mobility Center\MobilityService.exe[3400] USER32.dll!SetWindowsHookExW 762687AD 6 Bytes JMP 7181000A .text C:\Acer\Mobility Center\MobilityService.exe[3400] USER32.dll!SetWinEventHook 76269F3A 6 Bytes JMP 717E000A .text C:\Acer\Mobility Center\MobilityService.exe[3400] GDI32.dll!DeleteDC 75EE68CD 6 Bytes JMP 7187000A .text C:\Acer\Mobility Center\MobilityService.exe[3400] GDI32.dll!CreateDCW 75EEA91D 6 Bytes JMP 718D000A .text C:\Acer\Mobility Center\MobilityService.exe[3400] GDI32.dll!CreateDCA 75EEAA49 6 Bytes JMP 7190000A .text C:\Acer\Mobility Center\MobilityService.exe[3400] GDI32.dll!GetPixel 75EEBE90 6 Bytes JMP 718A000A .text C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe[3452] ntdll.dll!LdrUnloadDll 7785B680 6 Bytes JMP 71A8000A .text C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe[3452] ntdll.dll!NtAlpcSendWaitReceivePort 77884104 3 Bytes [FF, 25, 1E] .text C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe[3452] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77884108 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe[3452] ntdll.dll!NtClose 778841A4 3 Bytes [FF, 25, 1E] .text C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe[3452] ntdll.dll!NtClose + 4 778841A8 2 Bytes [AE, 71] .text C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe[3452] kernel32.dll!CreateProcessW 775F1BF3 6 Bytes JMP 719F000A .text C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe[3452] kernel32.dll!CreateProcessA 775F1C28 6 Bytes JMP 719C000A .text C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe[3452] kernel32.dll!LoadLibraryExW + 173 776193DF 4 Bytes JMP 71AC000A .text C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe[3452] GDI32.dll!DeleteDC 75EE68CD 6 Bytes JMP 7187000A .text C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe[3452] GDI32.dll!CreateDCW 75EEA91D 6 Bytes JMP 718D000A .text C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe[3452] GDI32.dll!CreateDCA 75EEAA49 6 Bytes JMP 7190000A .text C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe[3452] GDI32.dll!GetPixel 75EEBE90 6 Bytes JMP 718A000A .text C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe[3452] USER32.dll!SetWindowsHookExA 76266322 6 Bytes JMP 7184000A .text C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe[3452] USER32.dll!SetWindowsHookExW 762687AD 6 Bytes JMP 7181000A .text C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe[3452] USER32.dll!SetWinEventHook 76269F3A 6 Bytes JMP 717E000A .text C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe[3452] ADVAPI32.dll!CreateProcessAsUserA 7738CEB9 6 Bytes JMP 7199000A .text C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe[3452] ADVAPI32.dll!CreateProcessAsUserW 773A1EE9 6 Bytes JMP 7193000A .text C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe[3452] ADVAPI32.dll!CreateProcessWithLogonW 773E80C1 6 Bytes JMP 7196000A .text C:\Program Files\Nuance\PaperPort\PDFProFiltSrvPP.exe[3496] ntdll.dll!LdrUnloadDll 7785B680 6 Bytes JMP 71A8000A .text C:\Program Files\Nuance\PaperPort\PDFProFiltSrvPP.exe[3496] ntdll.dll!NtAlpcSendWaitReceivePort 77884104 3 Bytes [FF, 25, 1E] .text C:\Program Files\Nuance\PaperPort\PDFProFiltSrvPP.exe[3496] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77884108 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Nuance\PaperPort\PDFProFiltSrvPP.exe[3496] ntdll.dll!NtClose 778841A4 3 Bytes [FF, 25, 1E] .text C:\Program Files\Nuance\PaperPort\PDFProFiltSrvPP.exe[3496] ntdll.dll!NtClose + 4 778841A8 2 Bytes [AE, 71] .text C:\Program Files\Nuance\PaperPort\PDFProFiltSrvPP.exe[3496] kernel32.dll!CreateProcessW 775F1BF3 6 Bytes JMP 719F000A .text C:\Program Files\Nuance\PaperPort\PDFProFiltSrvPP.exe[3496] kernel32.dll!CreateProcessA 775F1C28 6 Bytes JMP 719C000A .text C:\Program Files\Nuance\PaperPort\PDFProFiltSrvPP.exe[3496] kernel32.dll!LoadLibraryExW + 173 776193DF 4 Bytes JMP 71AC000A .text C:\Program Files\Nuance\PaperPort\PDFProFiltSrvPP.exe[3496] USER32.dll!SetWindowsHookExA 76266322 6 Bytes JMP 7184000A .text C:\Program Files\Nuance\PaperPort\PDFProFiltSrvPP.exe[3496] USER32.dll!SetWindowsHookExW 762687AD 6 Bytes JMP 7181000A .text C:\Program Files\Nuance\PaperPort\PDFProFiltSrvPP.exe[3496] USER32.dll!SetWinEventHook 76269F3A 6 Bytes JMP 717E000A .text C:\Program Files\Nuance\PaperPort\PDFProFiltSrvPP.exe[3496] GDI32.dll!DeleteDC 75EE68CD 6 Bytes JMP 7187000A .text C:\Program Files\Nuance\PaperPort\PDFProFiltSrvPP.exe[3496] GDI32.dll!CreateDCW 75EEA91D 6 Bytes JMP 718D000A .text C:\Program Files\Nuance\PaperPort\PDFProFiltSrvPP.exe[3496] GDI32.dll!CreateDCA 75EEAA49 6 Bytes JMP 7190000A .text C:\Program Files\Nuance\PaperPort\PDFProFiltSrvPP.exe[3496] GDI32.dll!GetPixel 75EEBE90 6 Bytes JMP 718A000A .text C:\Program Files\Nuance\PaperPort\PDFProFiltSrvPP.exe[3496] ADVAPI32.dll!CreateProcessAsUserA 7738CEB9 6 Bytes JMP 7199000A .text C:\Program Files\Nuance\PaperPort\PDFProFiltSrvPP.exe[3496] ADVAPI32.dll!CreateProcessAsUserW 773A1EE9 6 Bytes JMP 7193000A .text C:\Program Files\Nuance\PaperPort\PDFProFiltSrvPP.exe[3496] ADVAPI32.dll!CreateProcessWithLogonW 773E80C1 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[3528] ntdll.dll!LdrUnloadDll 7785B680 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[3528] ntdll.dll!NtAlpcSendWaitReceivePort 77884104 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3528] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77884108 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\svchost.exe[3528] ntdll.dll!NtClose 778841A4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3528] ntdll.dll!NtClose + 4 778841A8 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[3528] kernel32.dll!CreateProcessW 775F1BF3 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[3528] kernel32.dll!CreateProcessA 775F1C28 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[3528] kernel32.dll!LoadLibraryExW + 173 776193DF 4 Bytes JMP 71AC000A .text C:\Windows\system32\svchost.exe[3528] ADVAPI32.dll!CreateProcessAsUserA 7738CEB9 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[3528] ADVAPI32.dll!CreateProcessAsUserW 773A1EE9 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[3528] ADVAPI32.dll!CreateProcessWithLogonW 773E80C1 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[3528] USER32.dll!SetWindowsHookExA 76266322 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[3528] USER32.dll!SetWindowsHookExW 762687AD 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[3528] USER32.dll!SetWinEventHook 76269F3A 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[3528] GDI32.dll!DeleteDC 75EE68CD 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[3528] GDI32.dll!CreateDCW 75EEA91D 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[3528] GDI32.dll!CreateDCA 75EEAA49 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[3528] GDI32.dll!GetPixel 75EEBE90 6 Bytes JMP 718A000A .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3560] ntdll.dll!LdrUnloadDll 7785B680 6 Bytes JMP 71A8000A .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3560] ntdll.dll!NtAlpcSendWaitReceivePort 77884104 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3560] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77884108 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3560] ntdll.dll!NtClose 778841A4 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3560] ntdll.dll!NtClose + 4 778841A8 2 Bytes [AE, 71] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3560] kernel32.dll!CreateProcessW 775F1BF3 6 Bytes JMP 719F000A .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3560] kernel32.dll!CreateProcessA 775F1C28 6 Bytes JMP 719C000A .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3560] kernel32.dll!LoadLibraryExW + 173 776193DF 4 Bytes JMP 71AC000A .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3560] ADVAPI32.dll!CreateProcessAsUserA 7738CEB9 6 Bytes JMP 7199000A .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3560] ADVAPI32.dll!CreateProcessAsUserW 773A1EE9 6 Bytes JMP 7193000A .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3560] ADVAPI32.dll!CreateProcessWithLogonW 773E80C1 6 Bytes JMP 7196000A .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3560] GDI32.dll!DeleteDC 75EE68CD 6 Bytes JMP 7187000A .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3560] GDI32.dll!CreateDCW 75EEA91D 6 Bytes JMP 718D000A .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3560] GDI32.dll!CreateDCA 75EEAA49 6 Bytes JMP 7190000A .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3560] GDI32.dll!GetPixel 75EEBE90 6 Bytes JMP 718A000A .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3560] USER32.dll!SetWindowsHookExA 76266322 6 Bytes JMP 7184000A .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3560] USER32.dll!SetWindowsHookExW 762687AD 6 Bytes JMP 7181000A .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3560] USER32.dll!SetWinEventHook 76269F3A 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[3604] ntdll.dll!LdrUnloadDll 7785B680 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[3604] ntdll.dll!NtAlpcSendWaitReceivePort 77884104 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3604] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77884108 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\svchost.exe[3604] ntdll.dll!NtClose 778841A4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3604] ntdll.dll!NtClose + 4 778841A8 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[3604] kernel32.dll!CreateProcessW 775F1BF3 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[3604] kernel32.dll!CreateProcessA 775F1C28 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[3604] kernel32.dll!LoadLibraryExW + 173 776193DF 4 Bytes JMP 71AC000A .text C:\Windows\system32\svchost.exe[3604] ADVAPI32.dll!CreateProcessAsUserA 7738CEB9 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[3604] ADVAPI32.dll!CreateProcessAsUserW 773A1EE9 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[3604] ADVAPI32.dll!CreateProcessWithLogonW 773E80C1 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[3604] USER32.dll!SetWindowsHookExA 76266322 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[3604] USER32.dll!SetWindowsHookExW 762687AD 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[3604] USER32.dll!SetWinEventHook 76269F3A 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[3604] GDI32.dll!DeleteDC 75EE68CD 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[3604] GDI32.dll!CreateDCW 75EEA91D 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[3604] GDI32.dll!CreateDCA 75EEAA49 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[3604] GDI32.dll!GetPixel 75EEBE90 6 Bytes JMP 718A000A .text C:\Program Files\TeamViewer\Version8\TeamViewer_Service.exe[3640] ntdll.dll!LdrUnloadDll 7785B680 6 Bytes JMP 71A8000A .text C:\Program Files\TeamViewer\Version8\TeamViewer_Service.exe[3640] ntdll.dll!NtAlpcSendWaitReceivePort 77884104 3 Bytes [FF, 25, 1E] .text C:\Program Files\TeamViewer\Version8\TeamViewer_Service.exe[3640] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77884108 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\TeamViewer\Version8\TeamViewer_Service.exe[3640] ntdll.dll!NtClose 778841A4 3 Bytes [FF, 25, 1E] .text C:\Program Files\TeamViewer\Version8\TeamViewer_Service.exe[3640] ntdll.dll!NtClose + 4 778841A8 2 Bytes [AE, 71] .text C:\Program Files\TeamViewer\Version8\TeamViewer_Service.exe[3640] kernel32.dll!CreateProcessW 775F1BF3 6 Bytes JMP 719F000A .text C:\Program Files\TeamViewer\Version8\TeamViewer_Service.exe[3640] kernel32.dll!CreateProcessA 775F1C28 6 Bytes JMP 719C000A .text C:\Program Files\TeamViewer\Version8\TeamViewer_Service.exe[3640] kernel32.dll!LoadLibraryExW + 173 776193DF 4 Bytes JMP 71AC000A .text C:\Program Files\TeamViewer\Version8\TeamViewer_Service.exe[3640] ADVAPI32.dll!CreateProcessAsUserA 7738CEB9 6 Bytes JMP 7199000A .text C:\Program Files\TeamViewer\Version8\TeamViewer_Service.exe[3640] ADVAPI32.dll!CreateProcessAsUserW 773A1EE9 6 Bytes JMP 7193000A .text C:\Program Files\TeamViewer\Version8\TeamViewer_Service.exe[3640] ADVAPI32.dll!CreateProcessWithLogonW 773E80C1 6 Bytes JMP 7196000A .text C:\Program Files\TeamViewer\Version8\TeamViewer_Service.exe[3640] USER32.dll!SetWindowsHookExA 76266322 6 Bytes JMP 7184000A .text C:\Program Files\TeamViewer\Version8\TeamViewer_Service.exe[3640] USER32.dll!SetWindowsHookExW 762687AD 6 Bytes JMP 7181000A .text C:\Program Files\TeamViewer\Version8\TeamViewer_Service.exe[3640] USER32.dll!SetWinEventHook 76269F3A 6 Bytes JMP 717E000A .text C:\Program Files\TeamViewer\Version8\TeamViewer_Service.exe[3640] GDI32.dll!DeleteDC 75EE68CD 6 Bytes JMP 7187000A .text C:\Program Files\TeamViewer\Version8\TeamViewer_Service.exe[3640] GDI32.dll!CreateDCW 75EEA91D 6 Bytes JMP 718D000A .text C:\Program Files\TeamViewer\Version8\TeamViewer_Service.exe[3640] GDI32.dll!CreateDCA 75EEAA49 6 Bytes JMP 7190000A .text C:\Program Files\TeamViewer\Version8\TeamViewer_Service.exe[3640] GDI32.dll!GetPixel 75EEBE90 6 Bytes JMP 718A000A .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[3652] ntdll.dll!LdrUnloadDll 7785B680 6 Bytes JMP 71A8000A .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[3652] ntdll.dll!NtAlpcSendWaitReceivePort 77884104 3 Bytes [FF, 25, 1E] .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[3652] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77884108 2 Bytes [7A, 71] {JP 0x73} .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[3652] ntdll.dll!NtClose 778841A4 3 Bytes [FF, 25, 1E] .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[3652] ntdll.dll!NtClose + 4 778841A8 2 Bytes [AE, 71] .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[3652] kernel32.dll!CreateProcessW 775F1BF3 6 Bytes JMP 719F000A .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[3652] kernel32.dll!CreateProcessA 775F1C28 6 Bytes JMP 719C000A .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[3652] kernel32.dll!LoadLibraryExW + 173 776193DF 4 Bytes JMP 71AC000A .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[3652] USER32.dll!SetWindowsHookExA 76266322 6 Bytes JMP 7184000A .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[3652] USER32.dll!SetWindowsHookExW 762687AD 6 Bytes JMP 7181000A .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[3652] USER32.dll!SetWinEventHook 76269F3A 6 Bytes JMP 717E000A .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[3652] GDI32.dll!DeleteDC 75EE68CD 6 Bytes JMP 7187000A .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[3652] GDI32.dll!CreateDCW 75EEA91D 6 Bytes JMP 718D000A .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[3652] GDI32.dll!CreateDCA 75EEAA49 6 Bytes JMP 7190000A .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[3652] GDI32.dll!GetPixel 75EEBE90 6 Bytes JMP 718A000A .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[3652] ADVAPI32.dll!CreateProcessAsUserA 7738CEB9 6 Bytes JMP 7199000A .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[3652] ADVAPI32.dll!CreateProcessAsUserW 773A1EE9 6 Bytes JMP 7193000A .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[3652] ADVAPI32.dll!CreateProcessWithLogonW 773E80C1 6 Bytes JMP 7196000A .text C:\Windows\WindowsMobile\wmdc.exe[3696] ntdll.dll!LdrUnloadDll 7785B680 6 Bytes JMP 71A8000A .text C:\Windows\WindowsMobile\wmdc.exe[3696] ntdll.dll!NtAlpcSendWaitReceivePort 77884104 3 Bytes [FF, 25, 1E] .text C:\Windows\WindowsMobile\wmdc.exe[3696] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77884108 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\WindowsMobile\wmdc.exe[3696] ntdll.dll!NtClose 778841A4 3 Bytes [FF, 25, 1E] .text C:\Windows\WindowsMobile\wmdc.exe[3696] ntdll.dll!NtClose + 4 778841A8 2 Bytes [AE, 71] .text C:\Windows\WindowsMobile\wmdc.exe[3696] kernel32.dll!CreateProcessW 775F1BF3 6 Bytes JMP 719F000A .text C:\Windows\WindowsMobile\wmdc.exe[3696] kernel32.dll!CreateProcessA 775F1C28 6 Bytes JMP 719C000A .text C:\Windows\WindowsMobile\wmdc.exe[3696] kernel32.dll!LoadLibraryExW + 173 776193DF 4 Bytes JMP 71AC000A .text C:\Windows\WindowsMobile\wmdc.exe[3696] ADVAPI32.dll!CreateProcessAsUserA 7738CEB9 6 Bytes JMP 7199000A .text C:\Windows\WindowsMobile\wmdc.exe[3696] ADVAPI32.dll!CreateProcessAsUserW 773A1EE9 6 Bytes JMP 7193000A .text C:\Windows\WindowsMobile\wmdc.exe[3696] ADVAPI32.dll!CreateProcessWithLogonW 773E80C1 6 Bytes JMP 7196000A .text C:\Windows\WindowsMobile\wmdc.exe[3696] GDI32.dll!DeleteDC 75EE68CD 6 Bytes JMP 7187000A .text C:\Windows\WindowsMobile\wmdc.exe[3696] GDI32.dll!CreateDCW 75EEA91D 6 Bytes JMP 718D000A .text C:\Windows\WindowsMobile\wmdc.exe[3696] GDI32.dll!CreateDCA 75EEAA49 6 Bytes JMP 7190000A .text C:\Windows\WindowsMobile\wmdc.exe[3696] GDI32.dll!GetPixel 75EEBE90 6 Bytes JMP 718A000A .text C:\Windows\WindowsMobile\wmdc.exe[3696] USER32.dll!SetWindowsHookExA 76266322 6 Bytes JMP 7184000A .text C:\Windows\WindowsMobile\wmdc.exe[3696] USER32.dll!SetWindowsHookExW 762687AD 6 Bytes JMP 7181000A .text C:\Windows\WindowsMobile\wmdc.exe[3696] USER32.dll!SetWinEventHook 76269F3A 6 Bytes JMP 717E000A .text C:\Program Files\Launch Manager\LManager.exe[3712] ntdll.dll!LdrUnloadDll 7785B680 6 Bytes JMP 71A8000A .text C:\Program Files\Launch Manager\LManager.exe[3712] ntdll.dll!NtAlpcSendWaitReceivePort 77884104 3 Bytes [FF, 25, 1E] .text C:\Program Files\Launch Manager\LManager.exe[3712] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77884108 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Launch Manager\LManager.exe[3712] ntdll.dll!NtClose 778841A4 3 Bytes [FF, 25, 1E] .text C:\Program Files\Launch Manager\LManager.exe[3712] ntdll.dll!NtClose + 4 778841A8 2 Bytes [AE, 71] .text C:\Program Files\Launch Manager\LManager.exe[3712] kernel32.dll!CreateProcessW 775F1BF3 6 Bytes JMP 719F000A .text C:\Program Files\Launch Manager\LManager.exe[3712] kernel32.dll!CreateProcessA 775F1C28 6 Bytes JMP 719C000A .text C:\Program Files\Launch Manager\LManager.exe[3712] kernel32.dll!LoadLibraryExW + 173 776193DF 4 Bytes JMP 71AC000A .text C:\Program Files\Launch Manager\LManager.exe[3712] USER32.dll!SetWindowsHookExA 76266322 6 Bytes JMP 7184000A .text C:\Program Files\Launch Manager\LManager.exe[3712] USER32.dll!SetWindowsHookExW 762687AD 6 Bytes JMP 7181000A .text C:\Program Files\Launch Manager\LManager.exe[3712] USER32.dll!SetWinEventHook 76269F3A 6 Bytes JMP 717E000A .text C:\Program Files\Launch Manager\LManager.exe[3712] GDI32.dll!DeleteDC 75EE68CD 6 Bytes JMP 7187000A .text C:\Program Files\Launch Manager\LManager.exe[3712] GDI32.dll!CreateDCW 75EEA91D 6 Bytes JMP 718D000A .text C:\Program Files\Launch Manager\LManager.exe[3712] GDI32.dll!CreateDCA 75EEAA49 6 Bytes JMP 7190000A .text C:\Program Files\Launch Manager\LManager.exe[3712] GDI32.dll!GetPixel 75EEBE90 6 Bytes JMP 718A000A .text C:\Program Files\Launch Manager\LManager.exe[3712] ADVAPI32.dll!CreateProcessAsUserA 7738CEB9 6 Bytes JMP 7199000A .text C:\Program Files\Launch Manager\LManager.exe[3712] ADVAPI32.dll!CreateProcessAsUserW 773A1EE9 6 Bytes JMP 7193000A .text C:\Program Files\Launch Manager\LManager.exe[3712] ADVAPI32.dll!CreateProcessWithLogonW 773E80C1 6 Bytes JMP 7196000A .text C:\Windows\System32\svchost.exe[3756] ntdll.dll!LdrUnloadDll 7785B680 6 Bytes JMP 71A8000A .text C:\Windows\System32\svchost.exe[3756] ntdll.dll!NtAlpcSendWaitReceivePort 77884104 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[3756] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77884108 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\System32\svchost.exe[3756] ntdll.dll!NtClose 778841A4 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[3756] ntdll.dll!NtClose + 4 778841A8 2 Bytes [AE, 71] .text C:\Windows\System32\svchost.exe[3756] kernel32.dll!CreateProcessW 775F1BF3 6 Bytes JMP 719F000A .text C:\Windows\System32\svchost.exe[3756] kernel32.dll!CreateProcessA 775F1C28 6 Bytes JMP 719C000A .text C:\Windows\System32\svchost.exe[3756] kernel32.dll!LoadLibraryExW + 173 776193DF 4 Bytes JMP 71AC000A .text C:\Windows\System32\svchost.exe[3756] ADVAPI32.dll!CreateProcessAsUserA 7738CEB9 6 Bytes JMP 7199000A .text C:\Windows\System32\svchost.exe[3756] ADVAPI32.dll!CreateProcessAsUserW 773A1EE9 6 Bytes JMP 7193000A .text C:\Windows\System32\svchost.exe[3756] ADVAPI32.dll!CreateProcessWithLogonW 773E80C1 6 Bytes JMP 7196000A .text C:\Windows\System32\svchost.exe[3756] USER32.dll!SetWindowsHookExA 76266322 6 Bytes JMP 7184000A .text C:\Windows\System32\svchost.exe[3756] USER32.dll!SetWindowsHookExW 762687AD 6 Bytes JMP 7181000A .text C:\Windows\System32\svchost.exe[3756] USER32.dll!SetWinEventHook 76269F3A 6 Bytes JMP 717E000A .text C:\Windows\System32\svchost.exe[3756] GDI32.dll!DeleteDC 75EE68CD 6 Bytes JMP 7187000A .text C:\Windows\System32\svchost.exe[3756] GDI32.dll!CreateDCW 75EEA91D 6 Bytes JMP 718D000A .text C:\Windows\System32\svchost.exe[3756] GDI32.dll!CreateDCA 75EEAA49 6 Bytes JMP 7190000A .text C:\Windows\System32\svchost.exe[3756] GDI32.dll!GetPixel 75EEBE90 6 Bytes JMP 718A000A .text C:\Program Files\Nuance\PaperPort\pptd40nt.exe[3792] ntdll.dll!LdrUnloadDll 7785B680 6 Bytes JMP 71A8000A .text C:\Program Files\Nuance\PaperPort\pptd40nt.exe[3792] ntdll.dll!NtAlpcSendWaitReceivePort 77884104 3 Bytes [FF, 25, 1E] .text C:\Program Files\Nuance\PaperPort\pptd40nt.exe[3792] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77884108 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Nuance\PaperPort\pptd40nt.exe[3792] ntdll.dll!NtClose 778841A4 3 Bytes [FF, 25, 1E] .text C:\Program Files\Nuance\PaperPort\pptd40nt.exe[3792] ntdll.dll!NtClose + 4 778841A8 2 Bytes [AE, 71] .text C:\Program Files\Nuance\PaperPort\pptd40nt.exe[3792] kernel32.dll!CreateProcessW 775F1BF3 6 Bytes JMP 719F000A .text C:\Program Files\Nuance\PaperPort\pptd40nt.exe[3792] kernel32.dll!CreateProcessA 775F1C28 6 Bytes JMP 719C000A .text C:\Program Files\Nuance\PaperPort\pptd40nt.exe[3792] kernel32.dll!LoadLibraryExW + 173 776193DF 4 Bytes JMP 71AC000A .text C:\Program Files\Nuance\PaperPort\pptd40nt.exe[3792] USER32.dll!SetWindowsHookExA 76266322 6 Bytes JMP 7184000A .text C:\Program Files\Nuance\PaperPort\pptd40nt.exe[3792] USER32.dll!SetWindowsHookExW 762687AD 6 Bytes JMP 7181000A .text C:\Program Files\Nuance\PaperPort\pptd40nt.exe[3792] USER32.dll!SetWinEventHook 76269F3A 6 Bytes JMP 717E000A .text C:\Program Files\Nuance\PaperPort\pptd40nt.exe[3792] GDI32.dll!DeleteDC 75EE68CD 6 Bytes JMP 7187000A .text C:\Program Files\Nuance\PaperPort\pptd40nt.exe[3792] GDI32.dll!CreateDCW 75EEA91D 6 Bytes JMP 718D000A .text C:\Program Files\Nuance\PaperPort\pptd40nt.exe[3792] GDI32.dll!CreateDCA 75EEAA49 6 Bytes JMP 7190000A .text C:\Program Files\Nuance\PaperPort\pptd40nt.exe[3792] GDI32.dll!GetPixel 75EEBE90 6 Bytes JMP 718A000A .text C:\Program Files\Nuance\PaperPort\pptd40nt.exe[3792] ADVAPI32.dll!CreateProcessAsUserA 7738CEB9 6 Bytes JMP 7199000A .text C:\Program Files\Nuance\PaperPort\pptd40nt.exe[3792] ADVAPI32.dll!CreateProcessAsUserW 773A1EE9 6 Bytes JMP 7193000A .text C:\Program Files\Nuance\PaperPort\pptd40nt.exe[3792] ADVAPI32.dll!CreateProcessWithLogonW 773E80C1 6 Bytes JMP 7196000A .text C:\Windows\system32\SearchIndexer.exe[3800] ntdll.dll!LdrUnloadDll 7785B680 6 Bytes JMP 71A8000A .text C:\Windows\system32\SearchIndexer.exe[3800] ntdll.dll!NtAlpcSendWaitReceivePort 77884104 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\SearchIndexer.exe[3800] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77884108 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\SearchIndexer.exe[3800] ntdll.dll!NtClose 778841A4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\SearchIndexer.exe[3800] ntdll.dll!NtClose + 4 778841A8 2 Bytes [AE, 71] .text C:\Windows\system32\SearchIndexer.exe[3800] kernel32.dll!CreateProcessW 775F1BF3 6 Bytes JMP 719F000A .text C:\Windows\system32\SearchIndexer.exe[3800] kernel32.dll!CreateProcessA 775F1C28 6 Bytes JMP 719C000A .text C:\Windows\system32\SearchIndexer.exe[3800] kernel32.dll!LoadLibraryExW + 173 776193DF 4 Bytes JMP 71AC000A .text C:\Windows\system32\SearchIndexer.exe[3800] ADVAPI32.dll!CreateProcessAsUserA 7738CEB9 6 Bytes JMP 7199000A .text C:\Windows\system32\SearchIndexer.exe[3800] ADVAPI32.dll!CreateProcessAsUserW 773A1EE9 6 Bytes JMP 7193000A .text C:\Windows\system32\SearchIndexer.exe[3800] ADVAPI32.dll!CreateProcessWithLogonW 773E80C1 6 Bytes JMP 7196000A .text C:\Windows\system32\SearchIndexer.exe[3800] USER32.dll!SetWindowsHookExA 76266322 6 Bytes JMP 7184000A .text C:\Windows\system32\SearchIndexer.exe[3800] USER32.dll!SetWindowsHookExW 762687AD 6 Bytes JMP 7181000A .text C:\Windows\system32\SearchIndexer.exe[3800] USER32.dll!SetWinEventHook 76269F3A 6 Bytes JMP 717E000A .text C:\Windows\system32\SearchIndexer.exe[3800] GDI32.dll!DeleteDC 75EE68CD 6 Bytes JMP 7187000A .text C:\Windows\system32\SearchIndexer.exe[3800] GDI32.dll!CreateDCW 75EEA91D 6 Bytes JMP 718D000A .text C:\Windows\system32\SearchIndexer.exe[3800] GDI32.dll!CreateDCA 75EEAA49 6 Bytes JMP 7190000A .text C:\Windows\system32\SearchIndexer.exe[3800] GDI32.dll!GetPixel 75EEBE90 6 Bytes JMP 718A000A .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4136] ntdll.dll!LdrUnloadDll 7785B680 6 Bytes JMP 71A8000A .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4136] ntdll.dll!NtAlpcSendWaitReceivePort 77884104 3 Bytes [FF, 25, 1E] .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4136] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77884108 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4136] ntdll.dll!NtClose 778841A4 3 Bytes [FF, 25, 1E] .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4136] ntdll.dll!NtClose + 4 778841A8 2 Bytes [AE, 71] .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4136] kernel32.dll!CreateProcessW 775F1BF3 6 Bytes JMP 719F000A .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4136] kernel32.dll!CreateProcessA 775F1C28 6 Bytes JMP 719C000A .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4136] kernel32.dll!LoadLibraryExW + 173 776193DF 4 Bytes JMP 71AC000A .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4136] ADVAPI32.dll!CreateProcessAsUserA 7738CEB9 6 Bytes JMP 7199000A .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4136] ADVAPI32.dll!CreateProcessAsUserW 773A1EE9 6 Bytes JMP 7193000A .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4136] ADVAPI32.dll!CreateProcessWithLogonW 773E80C1 6 Bytes JMP 7196000A .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4136] GDI32.dll!DeleteDC 75EE68CD 6 Bytes JMP 7187000A .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4136] GDI32.dll!CreateDCW 75EEA91D 6 Bytes JMP 718D000A .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4136] GDI32.dll!CreateDCA 75EEAA49 6 Bytes JMP 7190000A .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4136] GDI32.dll!GetPixel 75EEBE90 6 Bytes JMP 718A000A .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4136] USER32.dll!SetWindowsHookExA 76266322 6 Bytes JMP 7184000A .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4136] USER32.dll!SetWindowsHookExW 762687AD 6 Bytes JMP 7181000A .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4136] USER32.dll!SetWinEventHook 76269F3A 6 Bytes JMP 717E000A .text C:\Program Files\ArcSoft\TotalMedia 3.5\TMMonitor.exe[4152] ntdll.dll!LdrUnloadDll 7785B680 6 Bytes JMP 71A8000A .text C:\Program Files\ArcSoft\TotalMedia 3.5\TMMonitor.exe[4152] ntdll.dll!NtAlpcSendWaitReceivePort 77884104 3 Bytes [FF, 25, 1E] .text C:\Program Files\ArcSoft\TotalMedia 3.5\TMMonitor.exe[4152] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77884108 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\ArcSoft\TotalMedia 3.5\TMMonitor.exe[4152] ntdll.dll!NtClose 778841A4 3 Bytes [FF, 25, 1E] .text C:\Program Files\ArcSoft\TotalMedia 3.5\TMMonitor.exe[4152] ntdll.dll!NtClose + 4 778841A8 2 Bytes [AE, 71] .text C:\Program Files\ArcSoft\TotalMedia 3.5\TMMonitor.exe[4152] kernel32.dll!CreateProcessW 775F1BF3 6 Bytes JMP 719F000A .text C:\Program Files\ArcSoft\TotalMedia 3.5\TMMonitor.exe[4152] kernel32.dll!CreateProcessA 775F1C28 6 Bytes JMP 719C000A .text C:\Program Files\ArcSoft\TotalMedia 3.5\TMMonitor.exe[4152] kernel32.dll!LoadLibraryExW + 173 776193DF 4 Bytes JMP 71AC000A .text C:\Program Files\ArcSoft\TotalMedia 3.5\TMMonitor.exe[4152] USER32.dll!SetWindowsHookExA 76266322 6 Bytes JMP 7184000A .text C:\Program Files\ArcSoft\TotalMedia 3.5\TMMonitor.exe[4152] USER32.dll!SetWindowsHookExW 762687AD 6 Bytes JMP 7181000A .text C:\Program Files\ArcSoft\TotalMedia 3.5\TMMonitor.exe[4152] USER32.dll!SetWinEventHook 76269F3A 6 Bytes JMP 717E000A .text C:\Program Files\ArcSoft\TotalMedia 3.5\TMMonitor.exe[4152] GDI32.dll!DeleteDC 75EE68CD 6 Bytes JMP 7187000A .text C:\Program Files\ArcSoft\TotalMedia 3.5\TMMonitor.exe[4152] GDI32.dll!CreateDCW 75EEA91D 6 Bytes JMP 718D000A .text C:\Program Files\ArcSoft\TotalMedia 3.5\TMMonitor.exe[4152] GDI32.dll!CreateDCA 75EEAA49 6 Bytes JMP 7190000A .text C:\Program Files\ArcSoft\TotalMedia 3.5\TMMonitor.exe[4152] GDI32.dll!GetPixel 75EEBE90 6 Bytes JMP 718A000A .text C:\Program Files\ArcSoft\TotalMedia 3.5\TMMonitor.exe[4152] ADVAPI32.dll!CreateProcessAsUserA 7738CEB9 6 Bytes JMP 7199000A .text C:\Program Files\ArcSoft\TotalMedia 3.5\TMMonitor.exe[4152] ADVAPI32.dll!CreateProcessAsUserW 773A1EE9 6 Bytes JMP 7193000A .text C:\Program Files\ArcSoft\TotalMedia 3.5\TMMonitor.exe[4152] ADVAPI32.dll!CreateProcessWithLogonW 773E80C1 6 Bytes JMP 7196000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4332] ntdll.dll!LdrUnloadDll 7785B680 6 Bytes JMP 71A8000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4332] ntdll.dll!NtAlpcSendWaitReceivePort 77884104 3 Bytes [FF, 25, 1E] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4332] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77884108 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4332] ntdll.dll!NtClose 778841A4 3 Bytes [FF, 25, 1E] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4332] ntdll.dll!NtClose + 4 778841A8 2 Bytes [AE, 71] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4332] kernel32.dll!CreateProcessW 775F1BF3 6 Bytes JMP 719F000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4332] kernel32.dll!CreateProcessA 775F1C28 6 Bytes JMP 719C000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4332] kernel32.dll!LoadLibraryExW + 173 776193DF 4 Bytes JMP 71AC000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4332] ADVAPI32.dll!CreateProcessAsUserA 7738CEB9 6 Bytes JMP 7199000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4332] ADVAPI32.dll!CreateProcessAsUserW 773A1EE9 6 Bytes JMP 7193000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4332] ADVAPI32.dll!CreateProcessWithLogonW 773E80C1 6 Bytes JMP 7196000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4332] USER32.dll!SetWindowsHookExA 76266322 6 Bytes JMP 7184000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4332] USER32.dll!SetWindowsHookExW 762687AD 6 Bytes JMP 7181000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4332] USER32.dll!SetWinEventHook 76269F3A 6 Bytes JMP 717E000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4332] GDI32.dll!DeleteDC 75EE68CD 6 Bytes JMP 7187000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4332] GDI32.dll!CreateDCW 75EEA91D 6 Bytes JMP 718D000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4332] GDI32.dll!CreateDCA 75EEAA49 6 Bytes JMP 7190000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4332] GDI32.dll!GetPixel 75EEBE90 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[4544] ntdll.dll!LdrUnloadDll 7785B680 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[4544] ntdll.dll!NtAlpcSendWaitReceivePort 77884104 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[4544] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77884108 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\svchost.exe[4544] ntdll.dll!NtClose 778841A4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[4544] ntdll.dll!NtClose + 4 778841A8 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[4544] kernel32.dll!CreateProcessW 775F1BF3 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[4544] kernel32.dll!CreateProcessA 775F1C28 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[4544] kernel32.dll!LoadLibraryExW + 173 776193DF 4 Bytes JMP 71AC000A .text C:\Windows\system32\svchost.exe[4544] ADVAPI32.dll!CreateProcessAsUserA 7738CEB9 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[4544] ADVAPI32.dll!CreateProcessAsUserW 773A1EE9 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[4544] ADVAPI32.dll!CreateProcessWithLogonW 773E80C1 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[4544] USER32.dll!SetWindowsHookExA 76266322 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[4544] USER32.dll!SetWindowsHookExW 762687AD 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[4544] USER32.dll!SetWinEventHook 76269F3A 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[4544] GDI32.dll!DeleteDC 75EE68CD 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[4544] GDI32.dll!CreateDCW 75EEA91D 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[4544] GDI32.dll!CreateDCA 75EEAA49 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[4544] GDI32.dll!GetPixel 75EEBE90 6 Bytes JMP 718A000A .text D:\totalcmd\TOTALCMD.EXE[4848] ntdll.dll!LdrUnloadDll 7785B680 6 Bytes JMP 71A8000A .text D:\totalcmd\TOTALCMD.EXE[4848] ntdll.dll!NtAlpcSendWaitReceivePort 77884104 3 Bytes [FF, 25, 1E] .text D:\totalcmd\TOTALCMD.EXE[4848] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77884108 2 Bytes [7A, 71] {JP 0x73} .text D:\totalcmd\TOTALCMD.EXE[4848] ntdll.dll!NtClose 778841A4 3 Bytes [FF, 25, 1E] .text D:\totalcmd\TOTALCMD.EXE[4848] ntdll.dll!NtClose + 4 778841A8 2 Bytes [AE, 71] .text D:\totalcmd\TOTALCMD.EXE[4848] kernel32.dll!CreateProcessW 775F1BF3 6 Bytes JMP 719F000A .text D:\totalcmd\TOTALCMD.EXE[4848] kernel32.dll!CreateProcessA 775F1C28 6 Bytes JMP 719C000A .text D:\totalcmd\TOTALCMD.EXE[4848] kernel32.dll!LoadLibraryExW + 173 776193DF 4 Bytes JMP 71AC000A .text D:\totalcmd\TOTALCMD.EXE[4848] user32.dll!SetWindowsHookExA 76266322 6 Bytes JMP 7184000A .text D:\totalcmd\TOTALCMD.EXE[4848] user32.dll!SetWindowsHookExW 762687AD 6 Bytes JMP 7181000A .text D:\totalcmd\TOTALCMD.EXE[4848] user32.dll!SetWinEventHook 76269F3A 6 Bytes JMP 717E000A .text D:\totalcmd\TOTALCMD.EXE[4848] GDI32.dll!DeleteDC 75EE68CD 6 Bytes JMP 7187000A .text D:\totalcmd\TOTALCMD.EXE[4848] GDI32.dll!CreateDCW 75EEA91D 6 Bytes JMP 718D000A .text D:\totalcmd\TOTALCMD.EXE[4848] GDI32.dll!CreateDCA 75EEAA49 6 Bytes JMP 7190000A .text D:\totalcmd\TOTALCMD.EXE[4848] GDI32.dll!GetPixel 75EEBE90 6 Bytes JMP 718A000A .text D:\totalcmd\TOTALCMD.EXE[4848] ADVAPI32.dll!CreateProcessAsUserA 7738CEB9 6 Bytes JMP 7199000A .text D:\totalcmd\TOTALCMD.EXE[4848] ADVAPI32.dll!CreateProcessAsUserW 773A1EE9 6 Bytes JMP 7193000A .text D:\totalcmd\TOTALCMD.EXE[4848] ADVAPI32.dll!CreateProcessWithLogonW 773E80C1 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[4900] ntdll.dll!LdrUnloadDll 7785B680 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[4900] ntdll.dll!NtAlpcSendWaitReceivePort 77884104 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[4900] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77884108 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\svchost.exe[4900] ntdll.dll!NtClose 778841A4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[4900] ntdll.dll!NtClose + 4 778841A8 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[4900] kernel32.dll!CreateProcessW 775F1BF3 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[4900] kernel32.dll!CreateProcessA 775F1C28 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[4900] kernel32.dll!LoadLibraryExW + 173 776193DF 4 Bytes JMP 71AC000A .text C:\Windows\system32\svchost.exe[4900] ADVAPI32.dll!CreateProcessAsUserA 7738CEB9 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[4900] ADVAPI32.dll!CreateProcessAsUserW 773A1EE9 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[4900] ADVAPI32.dll!CreateProcessWithLogonW 773E80C1 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[4900] USER32.dll!SetWindowsHookExA 76266322 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[4900] USER32.dll!SetWindowsHookExW 762687AD 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[4900] USER32.dll!SetWinEventHook 76269F3A 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[4900] GDI32.dll!DeleteDC 75EE68CD 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[4900] GDI32.dll!CreateDCW 75EEA91D 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[4900] GDI32.dll!CreateDCA 75EEAA49 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[4900] GDI32.dll!GetPixel 75EEBE90 6 Bytes JMP 718A000A .text C:\Windows\ehome\ehmsas.exe[5028] ntdll.dll!LdrUnloadDll 7785B680 6 Bytes JMP 71A8000A .text C:\Windows\ehome\ehmsas.exe[5028] ntdll.dll!NtAlpcSendWaitReceivePort 77884104 3 Bytes [FF, 25, 1E] .text C:\Windows\ehome\ehmsas.exe[5028] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77884108 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\ehome\ehmsas.exe[5028] ntdll.dll!NtClose 778841A4 3 Bytes [FF, 25, 1E] .text C:\Windows\ehome\ehmsas.exe[5028] ntdll.dll!NtClose + 4 778841A8 2 Bytes [AE, 71] .text C:\Windows\ehome\ehmsas.exe[5028] kernel32.dll!CreateProcessW 775F1BF3 6 Bytes JMP 719F000A .text C:\Windows\ehome\ehmsas.exe[5028] kernel32.dll!CreateProcessA 775F1C28 6 Bytes JMP 719C000A .text C:\Windows\ehome\ehmsas.exe[5028] kernel32.dll!LoadLibraryExW + 173 776193DF 4 Bytes JMP 71AC000A .text C:\Windows\ehome\ehmsas.exe[5028] ADVAPI32.dll!CreateProcessAsUserA 7738CEB9 6 Bytes JMP 7199000A .text C:\Windows\ehome\ehmsas.exe[5028] ADVAPI32.dll!CreateProcessAsUserW 773A1EE9 6 Bytes JMP 7193000A .text C:\Windows\ehome\ehmsas.exe[5028] ADVAPI32.dll!CreateProcessWithLogonW 773E80C1 6 Bytes JMP 7196000A .text C:\Windows\ehome\ehmsas.exe[5028] USER32.dll!SetWindowsHookExA 76266322 6 Bytes JMP 7184000A .text C:\Windows\ehome\ehmsas.exe[5028] USER32.dll!SetWindowsHookExW 762687AD 6 Bytes JMP 7181000A .text C:\Windows\ehome\ehmsas.exe[5028] USER32.dll!SetWinEventHook 76269F3A 6 Bytes JMP 717E000A .text C:\Windows\ehome\ehmsas.exe[5028] GDI32.dll!DeleteDC 75EE68CD 6 Bytes JMP 7187000A .text C:\Windows\ehome\ehmsas.exe[5028] GDI32.dll!CreateDCW 75EEA91D 6 Bytes JMP 718D000A .text C:\Windows\ehome\ehmsas.exe[5028] GDI32.dll!CreateDCA 75EEAA49 6 Bytes JMP 7190000A .text C:\Windows\ehome\ehmsas.exe[5028] GDI32.dll!GetPixel 75EEBE90 6 Bytes JMP 718A000A .text C:\Users\bolo\AppData\Local\Temp\_tc\gmer.exe[5320] ntdll.dll!LdrUnloadDll 7785B680 6 Bytes JMP 71A8000A .text C:\Users\bolo\AppData\Local\Temp\_tc\gmer.exe[5320] ntdll.dll!NtAlpcSendWaitReceivePort 77884104 3 Bytes [FF, 25, 1E] .text C:\Users\bolo\AppData\Local\Temp\_tc\gmer.exe[5320] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77884108 2 Bytes [7A, 71] {JP 0x73} .text C:\Users\bolo\AppData\Local\Temp\_tc\gmer.exe[5320] ntdll.dll!NtClose 778841A4 3 Bytes [FF, 25, 1E] .text C:\Users\bolo\AppData\Local\Temp\_tc\gmer.exe[5320] ntdll.dll!NtClose + 4 778841A8 2 Bytes [AE, 71] .text C:\Users\bolo\AppData\Local\Temp\_tc\gmer.exe[5320] kernel32.dll!CreateProcessW 775F1BF3 6 Bytes JMP 719F000A .text C:\Users\bolo\AppData\Local\Temp\_tc\gmer.exe[5320] kernel32.dll!CreateProcessA 775F1C28 6 Bytes JMP 719C000A .text C:\Users\bolo\AppData\Local\Temp\_tc\gmer.exe[5320] kernel32.dll!LoadLibraryExW + 173 776193DF 4 Bytes JMP 71AC000A .text C:\Users\bolo\AppData\Local\Temp\_tc\gmer.exe[5320] USER32.dll!SetWindowsHookExA 76266322 6 Bytes JMP 7184000A .text C:\Users\bolo\AppData\Local\Temp\_tc\gmer.exe[5320] USER32.dll!SetWindowsHookExW 762687AD 6 Bytes JMP 7181000A .text C:\Users\bolo\AppData\Local\Temp\_tc\gmer.exe[5320] USER32.dll!SetWinEventHook 76269F3A 6 Bytes JMP 717E000A .text C:\Users\bolo\AppData\Local\Temp\_tc\gmer.exe[5320] GDI32.dll!DeleteDC 75EE68CD 6 Bytes JMP 7187000A .text C:\Users\bolo\AppData\Local\Temp\_tc\gmer.exe[5320] GDI32.dll!CreateDCW 75EEA91D 6 Bytes JMP 718D000A .text C:\Users\bolo\AppData\Local\Temp\_tc\gmer.exe[5320] GDI32.dll!CreateDCA 75EEAA49 6 Bytes JMP 7190000A .text C:\Users\bolo\AppData\Local\Temp\_tc\gmer.exe[5320] GDI32.dll!GetPixel 75EEBE90 6 Bytes JMP 718A000A .text C:\Users\bolo\AppData\Local\Temp\_tc\gmer.exe[5320] ADVAPI32.dll!CreateProcessAsUserA 7738CEB9 6 Bytes JMP 7199000A .text C:\Users\bolo\AppData\Local\Temp\_tc\gmer.exe[5320] ADVAPI32.dll!CreateProcessAsUserW 773A1EE9 6 Bytes JMP 7193000A .text C:\Users\bolo\AppData\Local\Temp\_tc\gmer.exe[5320] ADVAPI32.dll!CreateProcessWithLogonW 773E80C1 6 Bytes JMP 7196000A .text C:\Program Files\Browny02\BrYNSvc.exe[5344] ntdll.dll!LdrUnloadDll 7785B680 6 Bytes JMP 71A8000A .text C:\Program Files\Browny02\BrYNSvc.exe[5344] ntdll.dll!NtAlpcSendWaitReceivePort 77884104 3 Bytes [FF, 25, 1E] .text C:\Program Files\Browny02\BrYNSvc.exe[5344] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77884108 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Browny02\BrYNSvc.exe[5344] ntdll.dll!NtClose 778841A4 3 Bytes [FF, 25, 1E] .text C:\Program Files\Browny02\BrYNSvc.exe[5344] ntdll.dll!NtClose + 4 778841A8 2 Bytes [AE, 71] .text C:\Program Files\Browny02\BrYNSvc.exe[5344] kernel32.dll!CreateProcessW 775F1BF3 6 Bytes JMP 719F000A .text C:\Program Files\Browny02\BrYNSvc.exe[5344] kernel32.dll!CreateProcessA 775F1C28 6 Bytes JMP 719C000A .text C:\Program Files\Browny02\BrYNSvc.exe[5344] kernel32.dll!LoadLibraryExW + 173 776193DF 4 Bytes JMP 71AC000A .text C:\Program Files\Browny02\BrYNSvc.exe[5344] USER32.dll!SetWindowsHookExA 76266322 6 Bytes JMP 7184000A .text C:\Program Files\Browny02\BrYNSvc.exe[5344] USER32.dll!SetWindowsHookExW 762687AD 6 Bytes JMP 7181000A .text C:\Program Files\Browny02\BrYNSvc.exe[5344] USER32.dll!SetWinEventHook 76269F3A 6 Bytes JMP 717E000A .text C:\Program Files\Browny02\BrYNSvc.exe[5344] GDI32.dll!DeleteDC 75EE68CD 6 Bytes JMP 7187000A .text C:\Program Files\Browny02\BrYNSvc.exe[5344] GDI32.dll!CreateDCW 75EEA91D 6 Bytes JMP 718D000A .text C:\Program Files\Browny02\BrYNSvc.exe[5344] GDI32.dll!CreateDCA 75EEAA49 6 Bytes JMP 7190000A .text C:\Program Files\Browny02\BrYNSvc.exe[5344] GDI32.dll!GetPixel 75EEBE90 6 Bytes JMP 718A000A .text C:\Program Files\Browny02\BrYNSvc.exe[5344] ADVAPI32.dll!CreateProcessAsUserA 7738CEB9 6 Bytes JMP 7199000A .text C:\Program Files\Browny02\BrYNSvc.exe[5344] ADVAPI32.dll!CreateProcessAsUserW 773A1EE9 6 Bytes JMP 7193000A .text C:\Program Files\Browny02\BrYNSvc.exe[5344] ADVAPI32.dll!CreateProcessWithLogonW 773E80C1 6 Bytes JMP 7196000A .text C:\Users\bolo\AppData\Local\Temp\RtkBtMnt.exe[5616] ntdll.dll!LdrUnloadDll 7785B680 6 Bytes JMP 71A8000A .text C:\Users\bolo\AppData\Local\Temp\RtkBtMnt.exe[5616] ntdll.dll!NtAlpcSendWaitReceivePort 77884104 3 Bytes [FF, 25, 1E] .text C:\Users\bolo\AppData\Local\Temp\RtkBtMnt.exe[5616] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77884108 2 Bytes [7A, 71] {JP 0x73} .text C:\Users\bolo\AppData\Local\Temp\RtkBtMnt.exe[5616] ntdll.dll!NtClose 778841A4 3 Bytes [FF, 25, 1E] .text C:\Users\bolo\AppData\Local\Temp\RtkBtMnt.exe[5616] ntdll.dll!NtClose + 4 778841A8 2 Bytes [AE, 71] .text C:\Users\bolo\AppData\Local\Temp\RtkBtMnt.exe[5616] kernel32.dll!CreateProcessW 775F1BF3 6 Bytes JMP 719F000A .text C:\Users\bolo\AppData\Local\Temp\RtkBtMnt.exe[5616] kernel32.dll!CreateProcessA 775F1C28 6 Bytes JMP 719C000A .text C:\Users\bolo\AppData\Local\Temp\RtkBtMnt.exe[5616] kernel32.dll!LoadLibraryExW + 173 776193DF 4 Bytes JMP 71AC000A .text C:\Users\bolo\AppData\Local\Temp\RtkBtMnt.exe[5616] ADVAPI32.dll!CreateProcessAsUserA 7738CEB9 6 Bytes JMP 7199000A .text C:\Users\bolo\AppData\Local\Temp\RtkBtMnt.exe[5616] ADVAPI32.dll!CreateProcessAsUserW 773A1EE9 6 Bytes JMP 7193000A .text C:\Users\bolo\AppData\Local\Temp\RtkBtMnt.exe[5616] ADVAPI32.dll!CreateProcessWithLogonW 773E80C1 6 Bytes JMP 7196000A .text C:\Users\bolo\AppData\Local\Temp\RtkBtMnt.exe[5616] GDI32.dll!DeleteDC 75EE68CD 6 Bytes JMP 7187000A .text C:\Users\bolo\AppData\Local\Temp\RtkBtMnt.exe[5616] GDI32.dll!CreateDCW 75EEA91D 6 Bytes JMP 718D000A .text C:\Users\bolo\AppData\Local\Temp\RtkBtMnt.exe[5616] GDI32.dll!CreateDCA 75EEAA49 6 Bytes JMP 7190000A .text C:\Users\bolo\AppData\Local\Temp\RtkBtMnt.exe[5616] GDI32.dll!GetPixel 75EEBE90 6 Bytes JMP 718A000A .text C:\Users\bolo\AppData\Local\Temp\RtkBtMnt.exe[5616] USER32.dll!SetWindowsHookExA 76266322 6 Bytes JMP 7184000A .text C:\Users\bolo\AppData\Local\Temp\RtkBtMnt.exe[5616] USER32.dll!SetWindowsHookExW 762687AD 6 Bytes JMP 7181000A .text C:\Users\bolo\AppData\Local\Temp\RtkBtMnt.exe[5616] USER32.dll!SetWinEventHook 76269F3A 6 Bytes JMP 717E000A .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[5856] ntdll.dll!LdrUnloadDll 7785B680 6 Bytes JMP 71A8000A .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[5856] ntdll.dll!NtAlpcSendWaitReceivePort 77884104 3 Bytes [FF, 25, 1E] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[5856] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77884108 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[5856] ntdll.dll!NtClose 778841A4 3 Bytes [FF, 25, 1E] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[5856] ntdll.dll!NtClose + 4 778841A8 2 Bytes [AE, 71] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[5856] kernel32.dll!CreateProcessW 775F1BF3 6 Bytes JMP 719F000A .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[5856] kernel32.dll!CreateProcessA 775F1C28 6 Bytes JMP 719C000A .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[5856] kernel32.dll!LoadLibraryExW + 173 776193DF 4 Bytes JMP 71AC000A .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[5856] USER32.dll!SetWindowsHookExA 76266322 6 Bytes JMP 7184000A .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[5856] USER32.dll!SetWindowsHookExW 762687AD 6 Bytes JMP 7181000A .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[5856] USER32.dll!SetWinEventHook 76269F3A 6 Bytes JMP 717E000A .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[5856] GDI32.dll!DeleteDC 75EE68CD 6 Bytes JMP 7187000A .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[5856] GDI32.dll!CreateDCW 75EEA91D 6 Bytes JMP 718D000A .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[5856] GDI32.dll!CreateDCA 75EEAA49 6 Bytes JMP 7190000A .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[5856] GDI32.dll!GetPixel 75EEBE90 6 Bytes JMP 718A000A .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[5856] ADVAPI32.dll!CreateProcessAsUserA 7738CEB9 6 Bytes JMP 7199000A .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[5856] ADVAPI32.dll!CreateProcessAsUserW 773A1EE9 6 Bytes JMP 7193000A .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[5856] ADVAPI32.dll!CreateProcessWithLogonW 773E80C1 6 Bytes JMP 7196000A .text C:\Program Files\Mozilla Firefox\firefox.exe[6028] ntdll.dll!LdrLoadDll 77849378 5 Bytes JMP 634FF140 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[6028] ntdll.dll!LdrUnloadDll 7785B680 6 Bytes JMP 71A8000A .text C:\Program Files\Mozilla Firefox\firefox.exe[6028] ntdll.dll!NtAlpcSendWaitReceivePort 77884104 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\firefox.exe[6028] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77884108 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Mozilla Firefox\firefox.exe[6028] ntdll.dll!NtClose 778841A4 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\firefox.exe[6028] ntdll.dll!NtClose + 4 778841A8 2 Bytes [AE, 71] .text C:\Program Files\Mozilla Firefox\firefox.exe[6028] kernel32.dll!CreateProcessW 775F1BF3 6 Bytes JMP 719F000A .text C:\Program Files\Mozilla Firefox\firefox.exe[6028] kernel32.dll!CreateProcessA 775F1C28 6 Bytes JMP 719C000A .text C:\Program Files\Mozilla Firefox\firefox.exe[6028] kernel32.dll!LoadLibraryExW + 173 776193DF 4 Bytes JMP 71AC000A .text C:\Program Files\Mozilla Firefox\firefox.exe[6028] kernel32.dll!HeapSetInformation + 26 7761A8B0 7 Bytes JMP 63502942 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[6028] kernel32.dll!LockResource + C 77636ACB 7 Bytes JMP 63B1FDD2 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[6028] kernel32.dll!VirtualAllocEx + 54 7763AF50 7 Bytes JMP 63B1FDF5 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[6028] USER32.dll!SetWindowsHookExA 76266322 6 Bytes JMP 7184000A .text C:\Program Files\Mozilla Firefox\firefox.exe[6028] USER32.dll!SetWindowsHookExW 762687AD 6 Bytes JMP 7181000A .text C:\Program Files\Mozilla Firefox\firefox.exe[6028] USER32.dll!SetWinEventHook 76269F3A 6 Bytes JMP 717E000A .text C:\Program Files\Mozilla Firefox\firefox.exe[6028] GDI32.dll!DeleteDC 75EE68CD 6 Bytes JMP 7187000A .text C:\Program Files\Mozilla Firefox\firefox.exe[6028] GDI32.dll!SetStretchBltMode + 256 75EE745C 7 Bytes JMP 63B1FD53 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[6028] GDI32.dll!CreateDCW 75EEA91D 6 Bytes JMP 718D000A .text C:\Program Files\Mozilla Firefox\firefox.exe[6028] GDI32.dll!CreateDCA 75EEAA49 6 Bytes JMP 7190000A .text C:\Program Files\Mozilla Firefox\firefox.exe[6028] GDI32.dll!GetPixel 75EEBE90 6 Bytes JMP 718A000A .text C:\Program Files\Mozilla Firefox\firefox.exe[6028] ADVAPI32.dll!CreateProcessAsUserA 7738CEB9 6 Bytes JMP 7199000A .text C:\Program Files\Mozilla Firefox\firefox.exe[6028] ADVAPI32.dll!CreateProcessAsUserW 773A1EE9 6 Bytes JMP 7193000A .text C:\Program Files\Mozilla Firefox\firefox.exe[6028] ADVAPI32.dll!CreateProcessWithLogonW 773E80C1 6 Bytes JMP 7196000A ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\Explorer.EXE[1888] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [748B7817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll IAT C:\Windows\Explorer.EXE[1888] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [748FB4F1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll IAT C:\Windows\Explorer.EXE[1888] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [748BBB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll IAT C:\Windows\Explorer.EXE[1888] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [748AF695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll IAT C:\Windows\Explorer.EXE[1888] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [748B75E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll IAT C:\Windows\Explorer.EXE[1888] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [748AE7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll IAT C:\Windows\Explorer.EXE[1888] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [748E73F5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll IAT C:\Windows\Explorer.EXE[1888] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [748BDA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll IAT C:\Windows\Explorer.EXE[1888] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [748AFFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll IAT C:\Windows\Explorer.EXE[1888] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [748AFF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll IAT C:\Windows\Explorer.EXE[1888] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [748A71CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll IAT C:\Windows\Explorer.EXE[1888] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [7493CB00] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll IAT C:\Windows\Explorer.EXE[1888] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [748DC8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll IAT C:\Windows\Explorer.EXE[1888] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [748AD968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll IAT C:\Windows\Explorer.EXE[1888] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [748A6853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll IAT C:\Windows\Explorer.EXE[1888] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [748A687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll IAT C:\Windows\Explorer.EXE[1888] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [748B2AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys AttachedDevice \Driver\tdx \Device\Tcp cmdhlp.sys AttachedDevice \Driver\tdx \Device\Udp cmdhlp.sys AttachedDevice \Driver\tdx \Device\RawIp cmdhlp.sys ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\BthPort\Parameters\Keys\00234ee9bec2 Reg HKLM\SYSTEM\CurrentControlSet\Services\BthPort\Parameters\Keys\00234ee9bec2@6c0e0d743fe1 0x07 0xC9 0x49 0x26 ... Reg HKLM\SYSTEM\ControlSet003\Services\BthPort\Parameters\Keys\00234ee9bec2 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\BthPort\Parameters\Keys\00234ee9bec2@6c0e0d743fe1 0x07 0xC9 0x49 0x26 ... ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----