GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-04-28 21:55:26 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST950032 rev.0001 465,76GB Running: enicjnm2.exe; Driver: C:\Users\Admin\AppData\Local\Temp\fgddrpob.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAddBootEntry [0x93025A9C] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwAdjustPrivilegesToken [0x930DE9FE] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwAlpcConnectPort [0x930DEBF2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0x9302657A] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwConnectPort [0x930DDCAE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEvent [0x930325C4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEventPair [0x93032610] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateFile [0x930DE62C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0x930327AA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateMutant [0x93032532] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateSection [0x9317559A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSemaphore [0x9303257A] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateSymbolicLinkObject [0x930DF7B2] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateThread [0x930DD658] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateThreadEx [0x930DEE3C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateTimer [0x93032764] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0x93027368] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0x93025B02] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDuplicateObject [0x9302AB3C] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwLoadDriver [0x930DF1B8] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwMakeTemporaryObject [0x930DDF92] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwMapViewOfSection [0x9317567A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwModifyBootEntry [0x93025B68] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0x9302AF32] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0x93027E50] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEvent [0x930325EE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEventPair [0x93032632] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenFile [0x930DE824] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0x930327CE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenMutant [0x93032558] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenProcess [0x9302A436] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenSection [0x930DE246] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSemaphore [0x930325A2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenThread [0x9302A81E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenTimer [0x93032788] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0x9317541E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryObject [0x93027CC4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueueApcThreadEx [0x930279D2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0x93025BCE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootOptions [0x93025C34] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwSetContextThread [0x93175776] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwSetSystemInformation [0x930DF4B8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0x9302595A] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwShutdownSystem [0x930DDEFC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendProcess [0x93027532] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendThread [0x93027694] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwSystemDebugControl [0x930DE132] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwTerminateProcess [0x931754EC] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwTerminateThread [0x930DD85C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwVdmControl [0x93025C9A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwWriteVirtualMemory [0x930265D6] ---- Kernel code sections - GMER 2.1 ---- .text ntoskrnl.exe!ZwRollbackEnlistment + 1409 8384B9A5 1 Byte [06] .text ntoskrnl.exe!KiDispatchInterrupt + 5A2 8386B512 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntoskrnl.exe!KeRemoveQueueEx + 1393 83872988 4 Bytes [9C, 5A, 02, 93] .text ntoskrnl.exe!KeRemoveQueueEx + 139F 83872994 4 Bytes [FE, E9, 0D, 93] .text ntoskrnl.exe!KeRemoveQueueEx + 13C7 838729BC 4 Bytes [F2, EB, 0D, 93] {JMP 0x10; XCHG EBX, EAX} .text ntoskrnl.exe!KeRemoveQueueEx + 141B 83872A10 4 Bytes [7A, 65, 02, 93] .text ntoskrnl.exe!KeRemoveQueueEx + 145B 83872A50 4 Bytes [AE, DC, 0D, 93] .text ... PAGE ntoskrnl.exe!ZwReplyWaitReceivePortEx + 108 83A261B1 4 Bytes CALL 93028513 \SystemRoot\system32\drivers\aswSnx.sys PAGE ntoskrnl.exe!ZwAlpcSendWaitReceivePort + 122 83A62EED 4 Bytes CALL 93028529 \SystemRoot\system32\drivers\aswSnx.sys .text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x95407000, 0x2DEB7A, 0xE8000020] .text C:\Windows\system32\drivers\hardlock.sys section is writeable [0x9922E400, 0x7960C, 0xE8000020] .protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0x992D0420] C:\Windows\system32\drivers\hardlock.sys entry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0x992D0420] .protect˙˙˙˙hardlockunknown last code section [0x992D0200, 0x5049, 0xE0000020] C:\Windows\system32\drivers\hardlock.sys unknown last code section [0x992D0200, 0x5049, 0xE0000020] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\AUDIODG.EXE[460] ntdll.dll!NtAlpcSendWaitReceivePort 77265458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\AUDIODG.EXE[460] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7726545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\AUDIODG.EXE[460] ntdll.dll!NtClose 77265508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\AUDIODG.EXE[460] ntdll.dll!NtClose + 4 7726550C 2 Bytes [AE, 71] .text C:\Windows\system32\AUDIODG.EXE[460] ntdll.dll!LdrUnloadDll 7727C8DE 6 Bytes JMP 71A7001E .text C:\Windows\system32\AUDIODG.EXE[460] kernel32.dll!CreateProcessW 7737204D 6 Bytes JMP 719E001E .text C:\Windows\system32\AUDIODG.EXE[460] kernel32.dll!CreateProcessA 77372082 6 Bytes JMP 719B001E .text C:\Windows\system32\AUDIODG.EXE[460] kernel32.dll!CreateProcessAsUserW 773A5ABF 6 Bytes JMP 7192001E .text C:\Windows\system32\AUDIODG.EXE[460] kernel32.dll!GetBinaryTypeW + 70 773D6AAC 1 Byte [62] .text C:\Windows\system32\AUDIODG.EXE[460] USER32.dll!SetWindowsHookExW 767EE30C 6 Bytes JMP 7180001E .text C:\Windows\system32\AUDIODG.EXE[460] USER32.dll!SetWinEventHook 767F24DC 6 Bytes JMP 717D001E .text C:\Windows\system32\AUDIODG.EXE[460] USER32.dll!SetWindowsHookExA 76816D0C 6 Bytes JMP 7183001E .text C:\Windows\system32\AUDIODG.EXE[460] GDI32.dll!DeleteDC 771D6EAA 6 Bytes JMP 7186001E .text C:\Windows\system32\AUDIODG.EXE[460] GDI32.dll!GetPixel 771DC3D5 6 Bytes JMP 7189001E .text C:\Windows\system32\AUDIODG.EXE[460] GDI32.dll!CreateDCA 771DCCA9 6 Bytes JMP 718F001E .text C:\Windows\system32\AUDIODG.EXE[460] GDI32.dll!CreateDCW 771DCF79 6 Bytes JMP 718C001E .text C:\Windows\system32\AUDIODG.EXE[460] ADVAPI32.dll!CreateProcessAsUserA 76F72642 6 Bytes JMP 7198001E .text C:\Windows\system32\AUDIODG.EXE[460] ADVAPI32.dll!CreateProcessWithLogonW 76F75429 6 Bytes JMP 7195001E .text C:\Windows\system32\csrss.exe[532] ntdll.dll!NtAlpcSendWaitReceivePort 77265458 5 Bytes JMP 75292270 C:\Windows\system32\cmdcsr.dll .text C:\Windows\system32\csrss.exe[532] ntdll.dll!NtReplyWaitReceivePort 77266458 5 Bytes JMP 75291970 C:\Windows\system32\cmdcsr.dll .text C:\Windows\system32\csrss.exe[532] ntdll.dll!NtReplyWaitReceivePortEx 77266468 5 Bytes JMP 75291DF0 C:\Windows\system32\cmdcsr.dll .text C:\Windows\system32\csrss.exe[532] kernel32.dll!GetBinaryTypeW + 70 773D6AAC 1 Byte [62] .text C:\Windows\system32\wininit.exe[608] kernel32.dll!GetBinaryTypeW + 70 773D6AAC 1 Byte [62] .text C:\Windows\system32\csrss.exe[628] ntdll.dll!NtAlpcSendWaitReceivePort 77265458 5 Bytes JMP 75292270 C:\Windows\system32\cmdcsr.dll .text C:\Windows\system32\csrss.exe[628] ntdll.dll!NtReplyWaitReceivePort 77266458 5 Bytes JMP 75291970 C:\Windows\system32\cmdcsr.dll .text C:\Windows\system32\csrss.exe[628] ntdll.dll!NtReplyWaitReceivePortEx 77266468 5 Bytes JMP 75291DF0 C:\Windows\system32\cmdcsr.dll .text C:\Windows\system32\csrss.exe[628] kernel32.dll!GetBinaryTypeW + 70 773D6AAC 1 Byte [62] .text C:\Windows\system32\services.exe[676] services.exe 00A11608 4 Bytes [40, 5A, 01, 10] {INC EAX; POP EDX; ADD [EAX], EDX} .text C:\Windows\system32\services.exe[676] services.exe 00A11618 4 Bytes [20, 5E, 01, 10] .text C:\Windows\system32\services.exe[676] services.exe 00A11638 4 Bytes [A0, 57, 01, 10] .text C:\Windows\system32\services.exe[676] services.exe 00A11648 4 Bytes [40, 5C, 01, 10] {INC EAX; POP ESP; ADD [EAX], EDX} .text C:\Windows\system32\services.exe[676] ntdll.dll!NtAlpcSendWaitReceivePort 77265458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\services.exe[676] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7726545C 2 Bytes [74, 71] {JZ 0x73} .text C:\Windows\system32\services.exe[676] ntdll.dll!NtClose 77265508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\services.exe[676] ntdll.dll!NtClose + 4 7726550C 2 Bytes [AE, 71] .text C:\Windows\system32\services.exe[676] ntdll.dll!LdrUnloadDll 7727C8DE 6 Bytes JMP 71A7001E .text C:\Windows\system32\services.exe[676] kernel32.dll!CreateProcessW 7737204D 6 Bytes JMP 719E001E .text C:\Windows\system32\services.exe[676] kernel32.dll!CreateProcessA 77372082 6 Bytes JMP 719B001E .text C:\Windows\system32\services.exe[676] kernel32.dll!CreateProcessAsUserW 773A5ABF 6 Bytes JMP 7192001E .text C:\Windows\system32\services.exe[676] kernel32.dll!GetBinaryTypeW + 70 773D6AAC 1 Byte [62] .text C:\Windows\system32\services.exe[676] RPCRT4.dll!RpcServerRegisterIfEx 76C108A4 6 Bytes JMP 718F001E .text C:\Windows\system32\services.exe[676] USER32.dll!SetWindowsHookExW 767EE30C 6 Bytes JMP 717A001E .text C:\Windows\system32\services.exe[676] USER32.dll!SetWinEventHook 767F24DC 6 Bytes JMP 7177001E .text C:\Windows\system32\services.exe[676] USER32.dll!SetWindowsHookExA 76816D0C 6 Bytes JMP 717D001E .text C:\Windows\system32\services.exe[676] GDI32.dll!DeleteDC 771D6EAA 6 Bytes JMP 7183001E .text C:\Windows\system32\services.exe[676] GDI32.dll!GetPixel 771DC3D5 6 Bytes JMP 7186001E .text C:\Windows\system32\services.exe[676] GDI32.dll!CreateDCA 771DCCA9 6 Bytes JMP 718C001E .text C:\Windows\system32\services.exe[676] GDI32.dll!CreateDCW 771DCF79 6 Bytes JMP 7189001E .text C:\Windows\system32\services.exe[676] ADVAPI32.dll!CreateProcessAsUserA 76F72642 6 Bytes JMP 7198001E .text C:\Windows\system32\services.exe[676] ADVAPI32.dll!CreateProcessWithLogonW 76F75429 6 Bytes JMP 7195001E .text C:\Windows\system32\lsass.exe[692] ntdll.dll!NtAlpcSendWaitReceivePort 77265458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsass.exe[692] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7726545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\lsass.exe[692] ntdll.dll!NtClose 77265508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsass.exe[692] ntdll.dll!NtClose + 4 7726550C 2 Bytes [AE, 71] .text C:\Windows\system32\lsass.exe[692] ntdll.dll!LdrUnloadDll 7727C8DE 6 Bytes JMP 71A7001E .text C:\Windows\system32\lsass.exe[692] kernel32.dll!CreateProcessW 7737204D 6 Bytes JMP 719E001E .text C:\Windows\system32\lsass.exe[692] kernel32.dll!CreateProcessA 77372082 6 Bytes JMP 719B001E .text C:\Windows\system32\lsass.exe[692] kernel32.dll!CreateProcessAsUserW 773A5ABF 6 Bytes JMP 7192001E .text C:\Windows\system32\lsass.exe[692] kernel32.dll!GetBinaryTypeW + 70 773D6AAC 1 Byte [62] .text C:\Windows\system32\lsass.exe[692] USER32.dll!SetWindowsHookExW 767EE30C 6 Bytes JMP 7180001E .text C:\Windows\system32\lsass.exe[692] USER32.dll!SetWinEventHook 767F24DC 6 Bytes JMP 717D001E .text C:\Windows\system32\lsass.exe[692] USER32.dll!SetWindowsHookExA 76816D0C 6 Bytes JMP 7183001E .text C:\Windows\system32\lsass.exe[692] GDI32.dll!DeleteDC 771D6EAA 6 Bytes JMP 7186001E .text C:\Windows\system32\lsass.exe[692] GDI32.dll!GetPixel 771DC3D5 6 Bytes JMP 7189001E .text C:\Windows\system32\lsass.exe[692] GDI32.dll!CreateDCA 771DCCA9 6 Bytes JMP 718F001E .text C:\Windows\system32\lsass.exe[692] GDI32.dll!CreateDCW 771DCF79 6 Bytes JMP 718C001E .text C:\Windows\system32\lsass.exe[692] ADVAPI32.dll!CreateProcessAsUserA 76F72642 6 Bytes JMP 7198001E .text C:\Windows\system32\lsass.exe[692] ADVAPI32.dll!CreateProcessWithLogonW 76F75429 6 Bytes JMP 7195001E .text C:\Windows\system32\lsm.exe[700] ntdll.dll!NtAlpcSendWaitReceivePort 77265458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsm.exe[700] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7726545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\lsm.exe[700] ntdll.dll!NtClose 77265508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsm.exe[700] ntdll.dll!NtClose + 4 7726550C 2 Bytes [AE, 71] .text C:\Windows\system32\lsm.exe[700] ntdll.dll!LdrUnloadDll 7727C8DE 6 Bytes JMP 71A7001E .text C:\Windows\system32\lsm.exe[700] kernel32.dll!CreateProcessW 7737204D 6 Bytes JMP 719E001E .text C:\Windows\system32\lsm.exe[700] kernel32.dll!CreateProcessA 77372082 6 Bytes JMP 719B001E .text C:\Windows\system32\lsm.exe[700] kernel32.dll!CreateProcessAsUserW 773A5ABF 6 Bytes JMP 7192001E .text C:\Windows\system32\lsm.exe[700] kernel32.dll!GetBinaryTypeW + 70 773D6AAC 1 Byte [62] .text C:\Windows\system32\lsm.exe[700] USER32.dll!SetWindowsHookExW 767EE30C 6 Bytes JMP 7180001E .text C:\Windows\system32\lsm.exe[700] USER32.dll!SetWinEventHook 767F24DC 6 Bytes JMP 717D001E .text C:\Windows\system32\lsm.exe[700] USER32.dll!SetWindowsHookExA 76816D0C 6 Bytes JMP 7183001E .text C:\Windows\system32\lsm.exe[700] GDI32.dll!DeleteDC 771D6EAA 6 Bytes JMP 7186001E .text C:\Windows\system32\lsm.exe[700] GDI32.dll!GetPixel 771DC3D5 6 Bytes JMP 7189001E .text C:\Windows\system32\lsm.exe[700] GDI32.dll!CreateDCA 771DCCA9 6 Bytes JMP 718F001E .text C:\Windows\system32\lsm.exe[700] GDI32.dll!CreateDCW 771DCF79 6 Bytes JMP 718C001E .text C:\Windows\system32\lsm.exe[700] ADVAPI32.dll!CreateProcessAsUserA 76F72642 6 Bytes JMP 7198001E .text C:\Windows\system32\lsm.exe[700] ADVAPI32.dll!CreateProcessWithLogonW 76F75429 6 Bytes JMP 7195001E .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[768] ntdll.dll!NtAlpcSendWaitReceivePort 77265458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[768] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7726545C 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[768] ntdll.dll!NtClose 77265508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[768] ntdll.dll!NtClose + 4 7726550C 2 Bytes [AE, 71] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[768] ntdll.dll!LdrUnloadDll 7727C8DE 6 Bytes JMP 71A7001E .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[768] kernel32.dll!CreateProcessW 7737204D 6 Bytes JMP 719E001E .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[768] kernel32.dll!CreateProcessA 77372082 6 Bytes JMP 719B001E .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[768] kernel32.dll!CreateProcessAsUserW 773A5ABF 6 Bytes JMP 7192001E .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[768] kernel32.dll!GetBinaryTypeW + 70 773D6AAC 1 Byte [62] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[768] ADVAPI32.dll!CreateProcessAsUserA 76F72642 6 Bytes JMP 7198001E .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[768] ADVAPI32.dll!CreateProcessWithLogonW 76F75429 6 Bytes JMP 7195001E .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[768] GDI32.dll!DeleteDC 771D6EAA 6 Bytes JMP 7180001E .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[768] GDI32.dll!GetPixel 771DC3D5 6 Bytes JMP 7189001E .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[768] GDI32.dll!CreateDCA 771DCCA9 6 Bytes JMP 718F001E .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[768] GDI32.dll!CreateDCW 771DCF79 6 Bytes JMP 718C001E .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[768] USER32.dll!SetWindowsHookExW 767EE30C 6 Bytes JMP 717A001E .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[768] USER32.dll!SetWinEventHook 767F24DC 6 Bytes JMP 7177001E .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[768] USER32.dll!SetWindowsHookExA 76816D0C 6 Bytes JMP 717D001E .text C:\Windows\system32\svchost.exe[796] ntdll.dll!NtAlpcSendWaitReceivePort 77265458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[796] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7726545C 2 Bytes [77, 71] {JA 0x73} .text C:\Windows\system32\svchost.exe[796] ntdll.dll!NtClose 77265508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[796] ntdll.dll!NtClose + 4 7726550C 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[796] ntdll.dll!LdrUnloadDll 7727C8DE 6 Bytes JMP 71A7001E .text C:\Windows\system32\svchost.exe[796] kernel32.dll!CreateProcessW 7737204D 6 Bytes JMP 719E001E .text C:\Windows\system32\svchost.exe[796] kernel32.dll!CreateProcessA 77372082 6 Bytes JMP 719B001E .text C:\Windows\system32\svchost.exe[796] kernel32.dll!CreateProcessAsUserW 773A5ABF 6 Bytes JMP 7192001E .text C:\Windows\system32\svchost.exe[796] kernel32.dll!GetBinaryTypeW + 70 773D6AAC 1 Byte [62] .text C:\Windows\system32\svchost.exe[796] RPCRT4.dll!RpcServerRegisterIfEx 76C108A4 6 Bytes JMP 718F001E .text C:\Windows\system32\svchost.exe[796] USER32.dll!SetWindowsHookExW 767EE30C 6 Bytes JMP 717D001E .text C:\Windows\system32\svchost.exe[796] USER32.dll!SetWinEventHook 767F24DC 6 Bytes JMP 717A001E .text C:\Windows\system32\svchost.exe[796] USER32.dll!SetWindowsHookExA 76816D0C 6 Bytes JMP 7180001E .text C:\Windows\system32\svchost.exe[796] GDI32.dll!DeleteDC 771D6EAA 6 Bytes JMP 7183001E .text C:\Windows\system32\svchost.exe[796] GDI32.dll!GetPixel 771DC3D5 6 Bytes JMP 7186001E .text C:\Windows\system32\svchost.exe[796] GDI32.dll!CreateDCA 771DCCA9 6 Bytes JMP 718C001E .text C:\Windows\system32\svchost.exe[796] GDI32.dll!CreateDCW 771DCF79 6 Bytes JMP 7189001E .text C:\Windows\system32\svchost.exe[796] ADVAPI32.dll!CreateProcessAsUserA 76F72642 6 Bytes JMP 7198001E .text C:\Windows\system32\svchost.exe[796] ADVAPI32.dll!CreateProcessWithLogonW 76F75429 6 Bytes JMP 7195001E .text C:\Windows\system32\winlogon.exe[856] kernel32.dll!GetBinaryTypeW + 70 773D6AAC 1 Byte [62] .text C:\Windows\system32\svchost.exe[940] ntdll.dll!NtAlpcSendWaitReceivePort 77265458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[940] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7726545C 2 Bytes [77, 71] {JA 0x73} .text C:\Windows\system32\svchost.exe[940] ntdll.dll!NtClose 77265508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[940] ntdll.dll!NtClose + 4 7726550C 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[940] ntdll.dll!LdrUnloadDll 7727C8DE 6 Bytes JMP 71A7001E .text C:\Windows\system32\svchost.exe[940] kernel32.dll!CreateProcessW 7737204D 6 Bytes JMP 719E001E .text C:\Windows\system32\svchost.exe[940] kernel32.dll!CreateProcessA 77372082 6 Bytes JMP 719B001E .text C:\Windows\system32\svchost.exe[940] kernel32.dll!CreateProcessAsUserW 773A5ABF 6 Bytes JMP 7192001E .text C:\Windows\system32\svchost.exe[940] kernel32.dll!GetBinaryTypeW + 70 773D6AAC 1 Byte [62] .text C:\Windows\system32\svchost.exe[940] RPCRT4.dll!RpcServerRegisterIfEx 76C108A4 6 Bytes JMP 718F001E .text C:\Windows\system32\svchost.exe[940] USER32.dll!SetWindowsHookExW 767EE30C 6 Bytes JMP 717D001E .text C:\Windows\system32\svchost.exe[940] USER32.dll!SetWinEventHook 767F24DC 6 Bytes JMP 717A001E .text C:\Windows\system32\svchost.exe[940] USER32.dll!SetWindowsHookExA 76816D0C 6 Bytes JMP 7180001E .text C:\Windows\system32\svchost.exe[940] GDI32.dll!DeleteDC 771D6EAA 6 Bytes JMP 7183001E .text C:\Windows\system32\svchost.exe[940] GDI32.dll!GetPixel 771DC3D5 6 Bytes JMP 7186001E .text C:\Windows\system32\svchost.exe[940] GDI32.dll!CreateDCA 771DCCA9 6 Bytes JMP 718C001E .text C:\Windows\system32\svchost.exe[940] GDI32.dll!CreateDCW 771DCF79 6 Bytes JMP 7189001E .text C:\Windows\system32\svchost.exe[940] ADVAPI32.dll!CreateProcessAsUserA 76F72642 6 Bytes JMP 7198001E .text C:\Windows\system32\svchost.exe[940] ADVAPI32.dll!CreateProcessWithLogonW 76F75429 6 Bytes JMP 7195001E .text C:\Windows\system32\svchost.exe[940] rpcss.dll!CoGetComCatalog 747735EC 8 Bytes [80, 4F, 01, 10, 40, 4D, 01, ...] {OR BYTE [EDI+0x1], 0x10; INC EAX; DEC EBP; ADD [EAX], EDX} .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[984] ntdll.dll!NtAllocateVirtualMemory 77265318 5 Bytes JMP 00FD3760 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[984] ntdll.dll!NtCreateFile 77265608 5 Bytes JMP 0101D090 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[984] kernel32.dll!GetBinaryTypeW + 70 773D6AAC 1 Byte [62] .text C:\Windows\System32\svchost.exe[1068] ntdll.dll!NtAlpcSendWaitReceivePort 77265458 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1068] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7726545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\System32\svchost.exe[1068] ntdll.dll!NtClose 77265508 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1068] ntdll.dll!NtClose + 4 7726550C 2 Bytes [AE, 71] .text C:\Windows\System32\svchost.exe[1068] ntdll.dll!LdrUnloadDll 7727C8DE 6 Bytes JMP 71A7001E .text C:\Windows\System32\svchost.exe[1068] kernel32.dll!CreateProcessW 7737204D 6 Bytes JMP 719E001E .text C:\Windows\System32\svchost.exe[1068] kernel32.dll!CreateProcessA 77372082 6 Bytes JMP 719B001E .text C:\Windows\System32\svchost.exe[1068] kernel32.dll!CreateProcessAsUserW 773A5ABF 6 Bytes JMP 7192001E .text C:\Windows\System32\svchost.exe[1068] kernel32.dll!GetBinaryTypeW + 70 773D6AAC 1 Byte [62] .text C:\Windows\System32\svchost.exe[1068] USER32.dll!SetWindowsHookExW 767EE30C 6 Bytes JMP 7180001E .text C:\Windows\System32\svchost.exe[1068] USER32.dll!SetWinEventHook 767F24DC 6 Bytes JMP 717D001E .text C:\Windows\System32\svchost.exe[1068] USER32.dll!SetWindowsHookExA 76816D0C 6 Bytes JMP 7183001E .text C:\Windows\System32\svchost.exe[1068] GDI32.dll!DeleteDC 771D6EAA 6 Bytes JMP 7186001E .text C:\Windows\System32\svchost.exe[1068] GDI32.dll!GetPixel 771DC3D5 6 Bytes JMP 7189001E .text C:\Windows\System32\svchost.exe[1068] GDI32.dll!CreateDCA 771DCCA9 6 Bytes JMP 718F001E .text C:\Windows\System32\svchost.exe[1068] GDI32.dll!CreateDCW 771DCF79 6 Bytes JMP 718C001E .text C:\Windows\System32\svchost.exe[1068] ADVAPI32.dll!CreateProcessAsUserA 76F72642 6 Bytes JMP 7198001E .text C:\Windows\System32\svchost.exe[1068] ADVAPI32.dll!CreateProcessWithLogonW 76F75429 6 Bytes JMP 7195001E .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[1076] ntdll.dll!NtAlpcSendWaitReceivePort 77265458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[1076] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7726545C 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[1076] ntdll.dll!NtClose 77265508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[1076] ntdll.dll!NtClose + 4 7726550C 2 Bytes [AE, 71] .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[1076] ntdll.dll!LdrUnloadDll 7727C8DE 6 Bytes JMP 71A7001E .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[1076] kernel32.dll!CreateProcessW 7737204D 6 Bytes JMP 719E001E .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[1076] kernel32.dll!CreateProcessA 77372082 6 Bytes JMP 719B001E .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[1076] kernel32.dll!CreateProcessAsUserW 773A5ABF 6 Bytes JMP 7192001E .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[1076] kernel32.dll!GetBinaryTypeW + 70 773D6AAC 1 Byte [62] .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[1076] GDI32.dll!DeleteDC 771D6EAA 6 Bytes JMP 7180001E .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[1076] GDI32.dll!GetPixel 771DC3D5 6 Bytes JMP 7189001E .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[1076] GDI32.dll!CreateDCA 771DCCA9 6 Bytes JMP 718F001E .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[1076] GDI32.dll!CreateDCW 771DCF79 6 Bytes JMP 718C001E .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[1076] USER32.dll!SetWindowsHookExW 767EE30C 6 Bytes JMP 717A001E .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[1076] USER32.dll!SetWinEventHook 767F24DC 6 Bytes JMP 7177001E .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[1076] USER32.dll!SetWindowsHookExA 76816D0C 6 Bytes JMP 717D001E .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[1076] ADVAPI32.dll!CreateProcessAsUserA 76F72642 6 Bytes JMP 7198001E .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[1076] ADVAPI32.dll!CreateProcessWithLogonW 76F75429 6 Bytes JMP 7195001E .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[1100] ntdll.dll!NtAlpcSendWaitReceivePort 77265458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[1100] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7726545C 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[1100] ntdll.dll!NtClose 77265508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[1100] ntdll.dll!NtClose + 4 7726550C 2 Bytes [AE, 71] .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[1100] ntdll.dll!LdrUnloadDll 7727C8DE 6 Bytes JMP 71A7001E .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[1100] kernel32.dll!CreateProcessW 7737204D 6 Bytes JMP 719E001E .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[1100] kernel32.dll!CreateProcessA 77372082 6 Bytes JMP 719B001E .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[1100] kernel32.dll!CreateProcessAsUserW 773A5ABF 6 Bytes JMP 7192001E .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[1100] kernel32.dll!GetBinaryTypeW + 70 773D6AAC 1 Byte [62] .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[1100] USER32.dll!SetWindowsHookExW 767EE30C 6 Bytes JMP 717A001E .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[1100] USER32.dll!SetWinEventHook 767F24DC 6 Bytes JMP 7177001E .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[1100] USER32.dll!SetWindowsHookExA 76816D0C 6 Bytes JMP 717D001E .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[1100] GDI32.dll!DeleteDC 771D6EAA 6 Bytes JMP 7180001E .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[1100] GDI32.dll!GetPixel 771DC3D5 6 Bytes JMP 7189001E .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[1100] GDI32.dll!CreateDCA 771DCCA9 6 Bytes JMP 718F001E .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[1100] GDI32.dll!CreateDCW 771DCF79 6 Bytes JMP 718C001E .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[1100] ADVAPI32.dll!CreateProcessAsUserA 76F72642 6 Bytes JMP 7198001E .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[1100] ADVAPI32.dll!CreateProcessWithLogonW 76F75429 6 Bytes JMP 7195001E .text C:\Windows\system32\svchost.exe[1128] ntdll.dll!NtAlpcSendWaitReceivePort 77265458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1128] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7726545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\svchost.exe[1128] ntdll.dll!NtClose 77265508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1128] ntdll.dll!NtClose + 4 7726550C 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[1128] ntdll.dll!LdrUnloadDll 7727C8DE 6 Bytes JMP 71A7001E .text C:\Windows\system32\svchost.exe[1128] kernel32.dll!CreateProcessW 7737204D 6 Bytes JMP 719E001E .text C:\Windows\system32\svchost.exe[1128] kernel32.dll!CreateProcessA 77372082 6 Bytes JMP 719B001E .text C:\Windows\system32\svchost.exe[1128] kernel32.dll!CreateProcessAsUserW 773A5ABF 6 Bytes JMP 7192001E .text C:\Windows\system32\svchost.exe[1128] kernel32.dll!GetBinaryTypeW + 70 773D6AAC 1 Byte [62] .text C:\Windows\system32\svchost.exe[1128] USER32.dll!SetWindowsHookExW 767EE30C 6 Bytes JMP 7180001E .text C:\Windows\system32\svchost.exe[1128] USER32.dll!SetWinEventHook 767F24DC 6 Bytes JMP 717D001E .text C:\Windows\system32\svchost.exe[1128] USER32.dll!SetWindowsHookExA 76816D0C 6 Bytes JMP 7183001E .text C:\Windows\system32\svchost.exe[1128] GDI32.dll!DeleteDC 771D6EAA 6 Bytes JMP 7186001E .text C:\Windows\system32\svchost.exe[1128] GDI32.dll!GetPixel 771DC3D5 6 Bytes JMP 7189001E .text C:\Windows\system32\svchost.exe[1128] GDI32.dll!CreateDCA 771DCCA9 6 Bytes JMP 718F001E .text C:\Windows\system32\svchost.exe[1128] GDI32.dll!CreateDCW 771DCF79 6 Bytes JMP 718C001E .text C:\Windows\system32\svchost.exe[1128] ADVAPI32.dll!CreateProcessAsUserA 76F72642 6 Bytes JMP 7198001E .text C:\Windows\system32\svchost.exe[1128] ADVAPI32.dll!CreateProcessWithLogonW 76F75429 6 Bytes JMP 7195001E .text C:\Windows\system32\SearchIndexer.exe[1136] ntdll.dll!NtAlpcSendWaitReceivePort 77265458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\SearchIndexer.exe[1136] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7726545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\SearchIndexer.exe[1136] ntdll.dll!NtClose 77265508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\SearchIndexer.exe[1136] ntdll.dll!NtClose + 4 7726550C 2 Bytes [AE, 71] .text C:\Windows\system32\SearchIndexer.exe[1136] ntdll.dll!LdrUnloadDll 7727C8DE 6 Bytes JMP 71A7001E .text C:\Windows\system32\SearchIndexer.exe[1136] kernel32.dll!CreateProcessW 7737204D 6 Bytes JMP 719E001E .text C:\Windows\system32\SearchIndexer.exe[1136] kernel32.dll!CreateProcessA 77372082 6 Bytes JMP 719B001E .text C:\Windows\system32\SearchIndexer.exe[1136] kernel32.dll!CreateProcessAsUserW 773A5ABF 6 Bytes JMP 7192001E .text C:\Windows\system32\SearchIndexer.exe[1136] kernel32.dll!GetBinaryTypeW + 70 773D6AAC 1 Byte [62] .text C:\Windows\system32\SearchIndexer.exe[1136] ADVAPI32.dll!CreateProcessAsUserA 76F72642 6 Bytes JMP 7198001E .text C:\Windows\system32\SearchIndexer.exe[1136] ADVAPI32.dll!CreateProcessWithLogonW 76F75429 6 Bytes JMP 7195001E .text C:\Windows\system32\SearchIndexer.exe[1136] USER32.dll!SetWindowsHookExW 767EE30C 6 Bytes JMP 7180001E .text C:\Windows\system32\SearchIndexer.exe[1136] USER32.dll!SetWinEventHook 767F24DC 6 Bytes JMP 717D001E .text C:\Windows\system32\SearchIndexer.exe[1136] USER32.dll!SetWindowsHookExA 76816D0C 6 Bytes JMP 7183001E .text C:\Windows\system32\SearchIndexer.exe[1136] GDI32.dll!DeleteDC 771D6EAA 6 Bytes JMP 7186001E .text C:\Windows\system32\SearchIndexer.exe[1136] GDI32.dll!GetPixel 771DC3D5 6 Bytes JMP 7189001E .text C:\Windows\system32\SearchIndexer.exe[1136] GDI32.dll!CreateDCA 771DCCA9 6 Bytes JMP 718F001E .text C:\Windows\system32\SearchIndexer.exe[1136] GDI32.dll!CreateDCW 771DCF79 6 Bytes JMP 718C001E .text C:\Windows\system32\atiesrxx.exe[1192] ntdll.dll!NtAlpcSendWaitReceivePort 77265458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\atiesrxx.exe[1192] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7726545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\atiesrxx.exe[1192] ntdll.dll!NtClose 77265508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\atiesrxx.exe[1192] ntdll.dll!NtClose + 4 7726550C 2 Bytes [AE, 71] .text C:\Windows\system32\atiesrxx.exe[1192] ntdll.dll!LdrUnloadDll 7727C8DE 6 Bytes JMP 71A7001E .text C:\Windows\system32\atiesrxx.exe[1192] kernel32.dll!CreateProcessW 7737204D 6 Bytes JMP 719E001E .text C:\Windows\system32\atiesrxx.exe[1192] kernel32.dll!CreateProcessA 77372082 6 Bytes JMP 719B001E .text C:\Windows\system32\atiesrxx.exe[1192] kernel32.dll!CreateProcessAsUserW 773A5ABF 6 Bytes JMP 7192001E .text C:\Windows\system32\atiesrxx.exe[1192] kernel32.dll!GetBinaryTypeW + 70 773D6AAC 1 Byte [62] .text C:\Windows\system32\atiesrxx.exe[1192] USER32.dll!SetWindowsHookExW 767EE30C 6 Bytes JMP 7180001E .text C:\Windows\system32\atiesrxx.exe[1192] USER32.dll!SetWinEventHook 767F24DC 6 Bytes JMP 717D001E .text C:\Windows\system32\atiesrxx.exe[1192] USER32.dll!SetWindowsHookExA 76816D0C 6 Bytes JMP 7183001E .text C:\Windows\system32\atiesrxx.exe[1192] GDI32.dll!DeleteDC 771D6EAA 6 Bytes JMP 7186001E .text C:\Windows\system32\atiesrxx.exe[1192] GDI32.dll!GetPixel 771DC3D5 6 Bytes JMP 7189001E .text C:\Windows\system32\atiesrxx.exe[1192] GDI32.dll!CreateDCA 771DCCA9 6 Bytes JMP 718F001E .text C:\Windows\system32\atiesrxx.exe[1192] GDI32.dll!CreateDCW 771DCF79 6 Bytes JMP 718C001E .text C:\Windows\system32\atiesrxx.exe[1192] ADVAPI32.dll!CreateProcessAsUserA 76F72642 6 Bytes JMP 7198001E .text C:\Windows\system32\atiesrxx.exe[1192] ADVAPI32.dll!CreateProcessWithLogonW 76F75429 6 Bytes JMP 7195001E .text C:\Windows\System32\svchost.exe[1224] ntdll.dll!NtAlpcSendWaitReceivePort 77265458 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1224] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7726545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\System32\svchost.exe[1224] ntdll.dll!NtClose 77265508 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1224] ntdll.dll!NtClose + 4 7726550C 2 Bytes [AE, 71] .text C:\Windows\System32\svchost.exe[1224] ntdll.dll!LdrUnloadDll 7727C8DE 6 Bytes JMP 71A7001E .text C:\Windows\System32\svchost.exe[1224] kernel32.dll!CreateProcessW 7737204D 6 Bytes JMP 719E001E .text C:\Windows\System32\svchost.exe[1224] kernel32.dll!CreateProcessA 77372082 6 Bytes JMP 719B001E .text C:\Windows\System32\svchost.exe[1224] kernel32.dll!CreateProcessAsUserW 773A5ABF 6 Bytes JMP 7192001E .text C:\Windows\System32\svchost.exe[1224] kernel32.dll!GetBinaryTypeW + 70 773D6AAC 1 Byte [62] .text C:\Windows\System32\svchost.exe[1224] USER32.dll!SetWindowsHookExW 767EE30C 6 Bytes JMP 7180001E .text C:\Windows\System32\svchost.exe[1224] USER32.dll!SetWinEventHook 767F24DC 6 Bytes JMP 717D001E .text C:\Windows\System32\svchost.exe[1224] USER32.dll!SetWindowsHookExA 76816D0C 6 Bytes JMP 7183001E .text C:\Windows\System32\svchost.exe[1224] GDI32.dll!DeleteDC 771D6EAA 6 Bytes JMP 7186001E .text C:\Windows\System32\svchost.exe[1224] GDI32.dll!GetPixel 771DC3D5 6 Bytes JMP 7189001E .text C:\Windows\System32\svchost.exe[1224] GDI32.dll!CreateDCA 771DCCA9 6 Bytes JMP 718F001E .text C:\Windows\System32\svchost.exe[1224] GDI32.dll!CreateDCW 771DCF79 6 Bytes JMP 718C001E .text C:\Windows\System32\svchost.exe[1224] ADVAPI32.dll!CreateProcessAsUserA 76F72642 6 Bytes JMP 7198001E .text C:\Windows\System32\svchost.exe[1224] ADVAPI32.dll!CreateProcessWithLogonW 76F75429 6 Bytes JMP 7195001E .text C:\Windows\System32\svchost.exe[1264] ntdll.dll!NtAlpcSendWaitReceivePort 77265458 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1264] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7726545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\System32\svchost.exe[1264] ntdll.dll!NtClose 77265508 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1264] ntdll.dll!NtClose + 4 7726550C 2 Bytes [AE, 71] .text C:\Windows\System32\svchost.exe[1264] ntdll.dll!LdrUnloadDll 7727C8DE 6 Bytes JMP 71A7001E .text C:\Windows\System32\svchost.exe[1264] kernel32.dll!CreateProcessW 7737204D 6 Bytes JMP 719E001E .text C:\Windows\System32\svchost.exe[1264] kernel32.dll!CreateProcessA 77372082 6 Bytes JMP 719B001E .text C:\Windows\System32\svchost.exe[1264] kernel32.dll!CreateProcessAsUserW 773A5ABF 6 Bytes JMP 7192001E .text C:\Windows\System32\svchost.exe[1264] kernel32.dll!GetBinaryTypeW + 70 773D6AAC 1 Byte [62] .text C:\Windows\System32\svchost.exe[1264] USER32.dll!SetWindowsHookExW 767EE30C 6 Bytes JMP 7180001E .text C:\Windows\System32\svchost.exe[1264] USER32.dll!SetWinEventHook 767F24DC 6 Bytes JMP 717D001E .text C:\Windows\System32\svchost.exe[1264] USER32.dll!SetWindowsHookExA 76816D0C 6 Bytes JMP 7183001E .text C:\Windows\System32\svchost.exe[1264] GDI32.dll!DeleteDC 771D6EAA 6 Bytes JMP 7186001E .text C:\Windows\System32\svchost.exe[1264] GDI32.dll!GetPixel 771DC3D5 6 Bytes JMP 7189001E .text C:\Windows\System32\svchost.exe[1264] GDI32.dll!CreateDCA 771DCCA9 6 Bytes JMP 718F001E .text C:\Windows\System32\svchost.exe[1264] GDI32.dll!CreateDCW 771DCF79 6 Bytes JMP 718C001E .text C:\Windows\System32\svchost.exe[1264] ADVAPI32.dll!CreateProcessAsUserA 76F72642 6 Bytes JMP 7198001E .text C:\Windows\System32\svchost.exe[1264] ADVAPI32.dll!CreateProcessWithLogonW 76F75429 6 Bytes JMP 7195001E .text C:\Windows\system32\svchost.exe[1316] ntdll.dll!NtAlpcSendWaitReceivePort 77265458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1316] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7726545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\svchost.exe[1316] ntdll.dll!NtClose 77265508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1316] ntdll.dll!NtClose + 4 7726550C 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[1316] ntdll.dll!LdrUnloadDll 7727C8DE 6 Bytes JMP 71A7001E .text C:\Windows\system32\svchost.exe[1316] kernel32.dll!CreateProcessW 7737204D 6 Bytes JMP 719E001E .text C:\Windows\system32\svchost.exe[1316] kernel32.dll!CreateProcessA 77372082 6 Bytes JMP 719B001E .text C:\Windows\system32\svchost.exe[1316] kernel32.dll!CreateProcessAsUserW 773A5ABF 6 Bytes JMP 7192001E .text C:\Windows\system32\svchost.exe[1316] kernel32.dll!GetBinaryTypeW + 70 773D6AAC 1 Byte [62] .text C:\Windows\system32\svchost.exe[1316] USER32.dll!SetWindowsHookExW 767EE30C 6 Bytes JMP 7180001E .text C:\Windows\system32\svchost.exe[1316] USER32.dll!SetWinEventHook 767F24DC 6 Bytes JMP 717D001E .text C:\Windows\system32\svchost.exe[1316] USER32.dll!SetWindowsHookExA 76816D0C 6 Bytes JMP 7183001E .text C:\Windows\system32\svchost.exe[1316] GDI32.dll!DeleteDC 771D6EAA 6 Bytes JMP 7186001E .text C:\Windows\system32\svchost.exe[1316] GDI32.dll!GetPixel 771DC3D5 6 Bytes JMP 7189001E .text C:\Windows\system32\svchost.exe[1316] GDI32.dll!CreateDCA 771DCCA9 6 Bytes JMP 718F001E .text C:\Windows\system32\svchost.exe[1316] GDI32.dll!CreateDCW 771DCF79 6 Bytes JMP 718C001E .text C:\Windows\system32\svchost.exe[1316] ADVAPI32.dll!CreateProcessAsUserA 76F72642 6 Bytes JMP 7198001E .text C:\Windows\system32\svchost.exe[1316] ADVAPI32.dll!CreateProcessWithLogonW 76F75429 6 Bytes JMP 7195001E .text C:\Program Files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1344] ntdll.dll!NtAlpcSendWaitReceivePort 77265458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1344] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7726545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1344] ntdll.dll!NtClose 77265508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1344] ntdll.dll!NtClose + 4 7726550C 2 Bytes [AE, 71] .text C:\Program Files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1344] ntdll.dll!LdrUnloadDll 7727C8DE 6 Bytes JMP 71A7001E .text C:\Program Files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1344] kernel32.dll!CreateProcessW 7737204D 6 Bytes JMP 719E001E .text C:\Program Files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1344] kernel32.dll!CreateProcessA 77372082 6 Bytes JMP 719B001E .text C:\Program Files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1344] kernel32.dll!CreateProcessAsUserW 773A5ABF 6 Bytes JMP 7192001E .text C:\Program Files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1344] kernel32.dll!GetBinaryTypeW + 70 773D6AAC 1 Byte [62] .text C:\Program Files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1344] USER32.dll!SetWindowsHookExW 767EE30C 6 Bytes JMP 7180001E .text C:\Program Files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1344] USER32.dll!SetWinEventHook 767F24DC 6 Bytes JMP 717D001E .text C:\Program Files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1344] USER32.dll!SetWindowsHookExA 76816D0C 6 Bytes JMP 7183001E .text C:\Program Files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1344] GDI32.dll!DeleteDC 771D6EAA 6 Bytes JMP 7186001E .text C:\Program Files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1344] GDI32.dll!GetPixel 771DC3D5 6 Bytes JMP 7189001E .text C:\Program Files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1344] GDI32.dll!CreateDCA 771DCCA9 6 Bytes JMP 718F001E .text C:\Program Files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1344] GDI32.dll!CreateDCW 771DCF79 6 Bytes JMP 718C001E .text C:\Program Files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1344] ADVAPI32.dll!CreateProcessAsUserA 76F72642 6 Bytes JMP 7198001E .text C:\Program Files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1344] ADVAPI32.dll!CreateProcessWithLogonW 76F75429 6 Bytes JMP 7195001E .text C:\Windows\system32\svchost.exe[1348] ntdll.dll!NtAlpcSendWaitReceivePort 77265458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1348] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7726545C 2 Bytes [77, 71] {JA 0x73} .text C:\Windows\system32\svchost.exe[1348] ntdll.dll!NtClose 77265508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1348] ntdll.dll!NtClose + 4 7726550C 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[1348] ntdll.dll!LdrUnloadDll 7727C8DE 6 Bytes JMP 71A7001E .text C:\Windows\system32\svchost.exe[1348] kernel32.dll!CreateProcessW 7737204D 6 Bytes JMP 719E001E .text C:\Windows\system32\svchost.exe[1348] kernel32.dll!CreateProcessA 77372082 6 Bytes JMP 719B001E .text C:\Windows\system32\svchost.exe[1348] kernel32.dll!CreateProcessAsUserW 773A5ABF 6 Bytes JMP 7192001E .text C:\Windows\system32\svchost.exe[1348] kernel32.dll!GetBinaryTypeW + 70 773D6AAC 1 Byte [62] .text C:\Windows\system32\svchost.exe[1348] RPCRT4.dll!RpcServerRegisterIfEx 76C108A4 6 Bytes JMP 718F001E .text C:\Windows\system32\svchost.exe[1348] USER32.dll!SetWindowsHookExW 767EE30C 6 Bytes JMP 717D001E .text C:\Windows\system32\svchost.exe[1348] USER32.dll!SetWinEventHook 767F24DC 6 Bytes JMP 717A001E .text C:\Windows\system32\svchost.exe[1348] USER32.dll!SetWindowsHookExA 76816D0C 6 Bytes JMP 7180001E .text C:\Windows\system32\svchost.exe[1348] GDI32.dll!DeleteDC 771D6EAA 6 Bytes JMP 7183001E .text C:\Windows\system32\svchost.exe[1348] GDI32.dll!GetPixel 771DC3D5 6 Bytes JMP 7186001E .text C:\Windows\system32\svchost.exe[1348] GDI32.dll!CreateDCA 771DCCA9 6 Bytes JMP 718C001E .text C:\Windows\system32\svchost.exe[1348] GDI32.dll!CreateDCW 771DCF79 6 Bytes JMP 7189001E .text C:\Windows\system32\svchost.exe[1348] ADVAPI32.dll!CreateProcessAsUserA 76F72642 6 Bytes JMP 7198001E .text C:\Windows\system32\svchost.exe[1348] ADVAPI32.dll!CreateProcessWithLogonW 76F75429 6 Bytes JMP 7195001E .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1448] ntdll.dll!NtAlpcSendWaitReceivePort 77265458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1448] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7726545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1448] ntdll.dll!NtClose 77265508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1448] ntdll.dll!NtClose + 4 7726550C 2 Bytes [AE, 71] .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1448] ntdll.dll!LdrUnloadDll 7727C8DE 6 Bytes JMP 71A7001E .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1448] kernel32.dll!CreateProcessW 7737204D 6 Bytes JMP 719E001E .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1448] kernel32.dll!CreateProcessA 77372082 6 Bytes JMP 719B001E .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1448] kernel32.dll!CreateProcessAsUserW 773A5ABF 6 Bytes JMP 7192001E .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1448] kernel32.dll!GetBinaryTypeW + 70 773D6AAC 1 Byte [62] .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1448] USER32.dll!SetWindowsHookExW 767EE30C 6 Bytes JMP 7180001E .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1448] USER32.dll!SetWinEventHook 767F24DC 6 Bytes JMP 717D001E .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1448] USER32.dll!SetWindowsHookExA 76816D0C 6 Bytes JMP 7183001E .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1448] GDI32.dll!DeleteDC 771D6EAA 6 Bytes JMP 7186001E .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1448] GDI32.dll!GetPixel 771DC3D5 6 Bytes JMP 7189001E .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1448] GDI32.dll!CreateDCA 771DCCA9 6 Bytes JMP 718F001E .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1448] GDI32.dll!CreateDCW 771DCF79 6 Bytes JMP 718C001E .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1448] ADVAPI32.dll!CreateProcessAsUserA 76F72642 6 Bytes JMP 7198001E .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1448] ADVAPI32.dll!CreateProcessWithLogonW 76F75429 6 Bytes JMP 7195001E .text C:\Windows\System32\svchost.exe[1496] ntdll.dll!NtAlpcSendWaitReceivePort 77265458 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1496] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7726545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\System32\svchost.exe[1496] ntdll.dll!NtClose 77265508 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1496] ntdll.dll!NtClose + 4 7726550C 2 Bytes [AE, 71] .text C:\Windows\System32\svchost.exe[1496] ntdll.dll!LdrUnloadDll 7727C8DE 6 Bytes JMP 71A7001E .text C:\Windows\System32\svchost.exe[1496] kernel32.dll!CreateProcessW 7737204D 6 Bytes JMP 719E001E .text C:\Windows\System32\svchost.exe[1496] kernel32.dll!CreateProcessA 77372082 6 Bytes JMP 719B001E .text C:\Windows\System32\svchost.exe[1496] kernel32.dll!CreateProcessAsUserW 773A5ABF 6 Bytes JMP 7192001E .text C:\Windows\System32\svchost.exe[1496] kernel32.dll!GetBinaryTypeW + 70 773D6AAC 1 Byte [62] .text C:\Windows\System32\svchost.exe[1496] USER32.dll!SetWindowsHookExW 767EE30C 6 Bytes JMP 7180001E .text C:\Windows\System32\svchost.exe[1496] USER32.dll!SetWinEventHook 767F24DC 6 Bytes JMP 717D001E .text C:\Windows\System32\svchost.exe[1496] USER32.dll!SetWindowsHookExA 76816D0C 6 Bytes JMP 7183001E .text C:\Windows\System32\svchost.exe[1496] GDI32.dll!DeleteDC 771D6EAA 6 Bytes JMP 7186001E .text C:\Windows\System32\svchost.exe[1496] GDI32.dll!GetPixel 771DC3D5 6 Bytes JMP 7189001E .text C:\Windows\System32\svchost.exe[1496] GDI32.dll!CreateDCA 771DCCA9 6 Bytes JMP 718F001E .text C:\Windows\System32\svchost.exe[1496] GDI32.dll!CreateDCW 771DCF79 6 Bytes JMP 718C001E .text C:\Windows\System32\svchost.exe[1496] ADVAPI32.dll!CreateProcessAsUserA 76F72642 6 Bytes JMP 7198001E .text C:\Windows\System32\svchost.exe[1496] ADVAPI32.dll!CreateProcessWithLogonW 76F75429 6 Bytes JMP 7195001E .text C:\Program Files\GE Fanuc\Proficy Common\M4 Common Licensing\CCFLIC0.exe[1524] ntdll.dll!NtAlpcSendWaitReceivePort 77265458 3 Bytes [FF, 25, 1E] .text C:\Program Files\GE Fanuc\Proficy Common\M4 Common Licensing\CCFLIC0.exe[1524] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7726545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\GE Fanuc\Proficy Common\M4 Common Licensing\CCFLIC0.exe[1524] ntdll.dll!NtClose 77265508 3 Bytes [FF, 25, 1E] .text C:\Program Files\GE Fanuc\Proficy Common\M4 Common Licensing\CCFLIC0.exe[1524] ntdll.dll!NtClose + 4 7726550C 2 Bytes [AE, 71] .text C:\Program Files\GE Fanuc\Proficy Common\M4 Common Licensing\CCFLIC0.exe[1524] ntdll.dll!LdrUnloadDll 7727C8DE 6 Bytes JMP 71A7001E .text C:\Program Files\GE Fanuc\Proficy Common\M4 Common Licensing\CCFLIC0.exe[1524] kernel32.dll!CreateProcessW 7737204D 6 Bytes JMP 719E001E .text C:\Program Files\GE Fanuc\Proficy Common\M4 Common Licensing\CCFLIC0.exe[1524] kernel32.dll!CreateProcessA 77372082 6 Bytes JMP 719B001E .text C:\Program Files\GE Fanuc\Proficy Common\M4 Common Licensing\CCFLIC0.exe[1524] kernel32.dll!CreateProcessAsUserW 773A5ABF 6 Bytes JMP 7192001E .text C:\Program Files\GE Fanuc\Proficy Common\M4 Common Licensing\CCFLIC0.exe[1524] kernel32.dll!GetBinaryTypeW + 70 773D6AAC 1 Byte [62] .text C:\Program Files\GE Fanuc\Proficy Common\M4 Common Licensing\CCFLIC0.exe[1524] GDI32.dll!DeleteDC 771D6EAA 6 Bytes JMP 7186001E .text C:\Program Files\GE Fanuc\Proficy Common\M4 Common Licensing\CCFLIC0.exe[1524] GDI32.dll!GetPixel 771DC3D5 6 Bytes JMP 7189001E .text C:\Program Files\GE Fanuc\Proficy Common\M4 Common Licensing\CCFLIC0.exe[1524] GDI32.dll!CreateDCA 771DCCA9 6 Bytes JMP 718F001E .text C:\Program Files\GE Fanuc\Proficy Common\M4 Common Licensing\CCFLIC0.exe[1524] GDI32.dll!CreateDCW 771DCF79 6 Bytes JMP 718C001E .text C:\Program Files\GE Fanuc\Proficy Common\M4 Common Licensing\CCFLIC0.exe[1524] USER32.dll!SetWindowsHookExW 767EE30C 6 Bytes JMP 7180001E .text C:\Program Files\GE Fanuc\Proficy Common\M4 Common Licensing\CCFLIC0.exe[1524] USER32.dll!SetWinEventHook 767F24DC 6 Bytes JMP 717D001E .text C:\Program Files\GE Fanuc\Proficy Common\M4 Common Licensing\CCFLIC0.exe[1524] USER32.dll!SetWindowsHookExA 76816D0C 6 Bytes JMP 7183001E .text C:\Program Files\GE Fanuc\Proficy Common\M4 Common Licensing\CCFLIC0.exe[1524] ADVAPI32.dll!CreateProcessAsUserA 76F72642 6 Bytes JMP 7198001E .text C:\Program Files\GE Fanuc\Proficy Common\M4 Common Licensing\CCFLIC0.exe[1524] ADVAPI32.dll!CreateProcessWithLogonW 76F75429 6 Bytes JMP 7195001E .text C:\Windows\system32\atieclxx.exe[1560] ntdll.dll!NtAlpcSendWaitReceivePort 77265458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\atieclxx.exe[1560] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7726545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\atieclxx.exe[1560] ntdll.dll!NtClose 77265508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\atieclxx.exe[1560] ntdll.dll!NtClose + 4 7726550C 2 Bytes [AE, 71] .text C:\Windows\system32\atieclxx.exe[1560] ntdll.dll!LdrUnloadDll 7727C8DE 6 Bytes JMP 71A7001E .text C:\Windows\system32\atieclxx.exe[1560] kernel32.dll!CreateProcessW 7737204D 6 Bytes JMP 719E001E .text C:\Windows\system32\atieclxx.exe[1560] kernel32.dll!CreateProcessA 77372082 6 Bytes JMP 719B001E .text C:\Windows\system32\atieclxx.exe[1560] kernel32.dll!CreateProcessAsUserW 773A5ABF 6 Bytes JMP 7192001E .text C:\Windows\system32\atieclxx.exe[1560] kernel32.dll!GetBinaryTypeW + 70 773D6AAC 1 Byte [62] .text C:\Windows\system32\atieclxx.exe[1560] USER32.dll!SetWindowsHookExW 767EE30C 6 Bytes JMP 7180001E .text C:\Windows\system32\atieclxx.exe[1560] USER32.dll!SetWinEventHook 767F24DC 6 Bytes JMP 717D001E .text C:\Windows\system32\atieclxx.exe[1560] USER32.dll!SetWindowsHookExA 76816D0C 6 Bytes JMP 7183001E .text C:\Windows\system32\atieclxx.exe[1560] GDI32.dll!DeleteDC 771D6EAA 6 Bytes JMP 7186001E .text C:\Windows\system32\atieclxx.exe[1560] GDI32.dll!GetPixel 771DC3D5 6 Bytes JMP 7189001E .text C:\Windows\system32\atieclxx.exe[1560] GDI32.dll!CreateDCA 771DCCA9 6 Bytes JMP 718F001E .text C:\Windows\system32\atieclxx.exe[1560] GDI32.dll!CreateDCW 771DCF79 6 Bytes JMP 718C001E .text C:\Windows\system32\atieclxx.exe[1560] ADVAPI32.dll!CreateProcessAsUserA 76F72642 6 Bytes JMP 7198001E .text C:\Windows\system32\atieclxx.exe[1560] ADVAPI32.dll!CreateProcessWithLogonW 76F75429 6 Bytes JMP 7195001E .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1676] ntdll.dll!NtAlpcSendWaitReceivePort 77265458 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1676] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7726545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1676] ntdll.dll!NtClose 77265508 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1676] ntdll.dll!NtClose + 4 7726550C 2 Bytes [AE, 71] .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1676] ntdll.dll!LdrUnloadDll 7727C8DE 6 Bytes JMP 71A7001E .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1676] kernel32.dll!CreateProcessW 7737204D 6 Bytes JMP 719E001E .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1676] kernel32.dll!CreateProcessA 77372082 6 Bytes JMP 719B001E .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1676] kernel32.dll!CreateProcessAsUserW 773A5ABF 6 Bytes JMP 7192001E .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1676] kernel32.dll!SetUnhandledExceptionFilter 773BF5AB 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1676] kernel32.dll!GetBinaryTypeW + 70 773D6AAC 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1676] ADVAPI32.dll!CreateProcessAsUserA 76F72642 6 Bytes JMP 7198001E .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1676] ADVAPI32.dll!CreateProcessWithLogonW 76F75429 6 Bytes JMP 7195001E .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1676] USER32.dll!SetWindowsHookExW 767EE30C 6 Bytes JMP 7180001E .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1676] USER32.dll!SetWinEventHook 767F24DC 6 Bytes JMP 717D001E .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1676] USER32.dll!SetWindowsHookExA 76816D0C 6 Bytes JMP 7183001E .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1676] GDI32.dll!DeleteDC 771D6EAA 6 Bytes JMP 7186001E .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1676] GDI32.dll!GetPixel 771DC3D5 6 Bytes JMP 7189001E .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1676] GDI32.dll!CreateDCA 771DCCA9 6 Bytes JMP 718F001E .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1676] GDI32.dll!CreateDCW 771DCF79 6 Bytes JMP 718C001E .text C:\Windows\Intellution\iLicenseSvc.exe[1688] ntdll.dll!NtAlpcSendWaitReceivePort 77265458 3 Bytes [FF, 25, 1E] .text C:\Windows\Intellution\iLicenseSvc.exe[1688] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7726545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\Intellution\iLicenseSvc.exe[1688] ntdll.dll!NtClose 77265508 3 Bytes [FF, 25, 1E] .text C:\Windows\Intellution\iLicenseSvc.exe[1688] ntdll.dll!NtClose + 4 7726550C 2 Bytes [AE, 71] .text C:\Windows\Intellution\iLicenseSvc.exe[1688] ntdll.dll!LdrUnloadDll 7727C8DE 6 Bytes JMP 71A7001E .text C:\Windows\Intellution\iLicenseSvc.exe[1688] kernel32.dll!CreateProcessW 7737204D 6 Bytes JMP 719E001E .text C:\Windows\Intellution\iLicenseSvc.exe[1688] kernel32.dll!CreateProcessA 77372082 6 Bytes JMP 719B001E .text C:\Windows\Intellution\iLicenseSvc.exe[1688] kernel32.dll!CreateProcessAsUserW 773A5ABF 6 Bytes JMP 7192001E .text C:\Windows\Intellution\iLicenseSvc.exe[1688] kernel32.dll!GetBinaryTypeW + 70 773D6AAC 1 Byte [62] .text C:\Windows\Intellution\iLicenseSvc.exe[1688] ADVAPI32.dll!CreateProcessAsUserA 76F72642 6 Bytes JMP 7198001E .text C:\Windows\Intellution\iLicenseSvc.exe[1688] ADVAPI32.dll!CreateProcessWithLogonW 76F75429 6 Bytes JMP 7195001E .text C:\Windows\Intellution\iLicenseSvc.exe[1688] USER32.dll!SetWindowsHookExW 767EE30C 6 Bytes JMP 7180001E .text C:\Windows\Intellution\iLicenseSvc.exe[1688] USER32.dll!SetWinEventHook 767F24DC 6 Bytes JMP 717D001E .text C:\Windows\Intellution\iLicenseSvc.exe[1688] USER32.dll!SetWindowsHookExA 76816D0C 6 Bytes JMP 7183001E .text C:\Windows\Intellution\iLicenseSvc.exe[1688] GDI32.dll!DeleteDC 771D6EAA 6 Bytes JMP 7186001E .text C:\Windows\Intellution\iLicenseSvc.exe[1688] GDI32.dll!GetPixel 771DC3D5 6 Bytes JMP 7189001E .text C:\Windows\Intellution\iLicenseSvc.exe[1688] GDI32.dll!CreateDCA 771DCCA9 6 Bytes JMP 718F001E .text C:\Windows\Intellution\iLicenseSvc.exe[1688] GDI32.dll!CreateDCW 771DCF79 6 Bytes JMP 718C001E .text C:\Windows\system32\svchost.exe[1736] ntdll.dll!NtAlpcSendWaitReceivePort 77265458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1736] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7726545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\svchost.exe[1736] ntdll.dll!NtClose 77265508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1736] ntdll.dll!NtClose + 4 7726550C 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[1736] ntdll.dll!LdrUnloadDll 7727C8DE 6 Bytes JMP 71A7001E .text C:\Windows\system32\svchost.exe[1736] kernel32.dll!CreateProcessW 7737204D 6 Bytes JMP 719E001E .text C:\Windows\system32\svchost.exe[1736] kernel32.dll!CreateProcessA 77372082 6 Bytes JMP 719B001E .text C:\Windows\system32\svchost.exe[1736] kernel32.dll!CreateProcessAsUserW 773A5ABF 6 Bytes JMP 7192001E .text C:\Windows\system32\svchost.exe[1736] kernel32.dll!GetBinaryTypeW + 70 773D6AAC 1 Byte [62] .text C:\Windows\system32\svchost.exe[1736] USER32.dll!SetWindowsHookExW 767EE30C 6 Bytes JMP 7180001E .text C:\Windows\system32\svchost.exe[1736] USER32.dll!SetWinEventHook 767F24DC 6 Bytes JMP 717D001E .text C:\Windows\system32\svchost.exe[1736] USER32.dll!SetWindowsHookExA 76816D0C 6 Bytes JMP 7183001E .text C:\Windows\system32\svchost.exe[1736] GDI32.dll!DeleteDC 771D6EAA 6 Bytes JMP 7186001E .text C:\Windows\system32\svchost.exe[1736] GDI32.dll!GetPixel 771DC3D5 6 Bytes JMP 7189001E .text C:\Windows\system32\svchost.exe[1736] GDI32.dll!CreateDCA 771DCCA9 6 Bytes JMP 718F001E .text C:\Windows\system32\svchost.exe[1736] GDI32.dll!CreateDCW 771DCF79 6 Bytes JMP 718C001E .text C:\Windows\system32\svchost.exe[1736] ADVAPI32.dll!CreateProcessAsUserA 76F72642 6 Bytes JMP 7198001E .text C:\Windows\system32\svchost.exe[1736] ADVAPI32.dll!CreateProcessWithLogonW 76F75429 6 Bytes JMP 7195001E .text C:\Windows\System32\spoolsv.exe[1908] ntdll.dll!NtAlpcSendWaitReceivePort 77265458 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\spoolsv.exe[1908] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7726545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\System32\spoolsv.exe[1908] ntdll.dll!NtClose 77265508 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\spoolsv.exe[1908] ntdll.dll!NtClose + 4 7726550C 2 Bytes [AE, 71] .text C:\Windows\System32\spoolsv.exe[1908] ntdll.dll!LdrUnloadDll 7727C8DE 6 Bytes JMP 71A7001E .text C:\Windows\System32\spoolsv.exe[1908] kernel32.dll!CreateProcessW 7737204D 6 Bytes JMP 719E001E .text C:\Windows\System32\spoolsv.exe[1908] kernel32.dll!CreateProcessA 77372082 6 Bytes JMP 719B001E .text C:\Windows\System32\spoolsv.exe[1908] kernel32.dll!CreateProcessAsUserW 773A5ABF 6 Bytes JMP 7192001E .text C:\Windows\System32\spoolsv.exe[1908] kernel32.dll!GetBinaryTypeW + 70 773D6AAC 1 Byte [62] .text C:\Windows\System32\spoolsv.exe[1908] USER32.dll!SetWindowsHookExW 767EE30C 6 Bytes JMP 7180001E .text C:\Windows\System32\spoolsv.exe[1908] USER32.dll!SetWinEventHook 767F24DC 6 Bytes JMP 717D001E .text C:\Windows\System32\spoolsv.exe[1908] USER32.dll!SetWindowsHookExA 76816D0C 6 Bytes JMP 7183001E .text C:\Windows\System32\spoolsv.exe[1908] GDI32.dll!DeleteDC 771D6EAA 6 Bytes JMP 7186001E .text C:\Windows\System32\spoolsv.exe[1908] GDI32.dll!GetPixel 771DC3D5 6 Bytes JMP 7189001E .text C:\Windows\System32\spoolsv.exe[1908] GDI32.dll!CreateDCA 771DCCA9 6 Bytes JMP 718F001E .text C:\Windows\System32\spoolsv.exe[1908] GDI32.dll!CreateDCW 771DCF79 6 Bytes JMP 718C001E .text C:\Windows\System32\spoolsv.exe[1908] ADVAPI32.dll!CreateProcessAsUserA 76F72642 6 Bytes JMP 7198001E .text C:\Windows\System32\spoolsv.exe[1908] ADVAPI32.dll!CreateProcessWithLogonW 76F75429 6 Bytes JMP 7195001E .text C:\Windows\system32\svchost.exe[1952] ntdll.dll!NtAlpcSendWaitReceivePort 77265458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1952] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7726545C 2 Bytes [77, 71] {JA 0x73} .text C:\Windows\system32\svchost.exe[1952] ntdll.dll!NtClose 77265508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1952] ntdll.dll!NtClose + 4 7726550C 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[1952] ntdll.dll!LdrUnloadDll 7727C8DE 6 Bytes JMP 71A7001E .text C:\Windows\system32\svchost.exe[1952] kernel32.dll!CreateProcessW 7737204D 6 Bytes JMP 719E001E .text C:\Windows\system32\svchost.exe[1952] kernel32.dll!CreateProcessA 77372082 6 Bytes JMP 719B001E .text C:\Windows\system32\svchost.exe[1952] kernel32.dll!CreateProcessAsUserW 773A5ABF 6 Bytes JMP 7192001E .text C:\Windows\system32\svchost.exe[1952] kernel32.dll!GetBinaryTypeW + 70 773D6AAC 1 Byte [62] .text C:\Windows\system32\svchost.exe[1952] RPCRT4.dll!RpcServerRegisterIfEx 76C108A4 6 Bytes JMP 718F001E .text C:\Windows\system32\svchost.exe[1952] USER32.dll!SetWindowsHookExW 767EE30C 6 Bytes JMP 717D001E .text C:\Windows\system32\svchost.exe[1952] USER32.dll!SetWinEventHook 767F24DC 6 Bytes JMP 717A001E .text C:\Windows\system32\svchost.exe[1952] USER32.dll!SetWindowsHookExA 76816D0C 6 Bytes JMP 7180001E .text C:\Windows\system32\svchost.exe[1952] GDI32.dll!DeleteDC 771D6EAA 6 Bytes JMP 7183001E .text C:\Windows\system32\svchost.exe[1952] GDI32.dll!GetPixel 771DC3D5 6 Bytes JMP 7186001E .text C:\Windows\system32\svchost.exe[1952] GDI32.dll!CreateDCA 771DCCA9 6 Bytes JMP 718C001E .text C:\Windows\system32\svchost.exe[1952] GDI32.dll!CreateDCW 771DCF79 6 Bytes JMP 7189001E .text C:\Windows\system32\svchost.exe[1952] ADVAPI32.dll!CreateProcessAsUserA 76F72642 6 Bytes JMP 7198001E .text C:\Windows\system32\svchost.exe[1952] ADVAPI32.dll!CreateProcessWithLogonW 76F75429 6 Bytes JMP 7195001E .text C:\Windows\System32\svchost.exe[2100] ntdll.dll!NtAlpcSendWaitReceivePort 77265458 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[2100] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7726545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\System32\svchost.exe[2100] ntdll.dll!NtClose 77265508 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[2100] ntdll.dll!NtClose + 4 7726550C 2 Bytes [AE, 71] .text C:\Windows\System32\svchost.exe[2100] ntdll.dll!LdrUnloadDll 7727C8DE 6 Bytes JMP 71A7001E .text C:\Windows\System32\svchost.exe[2100] kernel32.dll!CreateProcessW 7737204D 6 Bytes JMP 719E001E .text C:\Windows\System32\svchost.exe[2100] kernel32.dll!CreateProcessA 77372082 6 Bytes JMP 719B001E .text C:\Windows\System32\svchost.exe[2100] kernel32.dll!CreateProcessAsUserW 773A5ABF 6 Bytes JMP 7192001E .text C:\Windows\System32\svchost.exe[2100] kernel32.dll!GetBinaryTypeW + 70 773D6AAC 1 Byte [62] .text C:\Windows\System32\svchost.exe[2100] USER32.dll!SetWindowsHookExW 767EE30C 6 Bytes JMP 7180001E .text C:\Windows\System32\svchost.exe[2100] USER32.dll!SetWinEventHook 767F24DC 6 Bytes JMP 717D001E .text C:\Windows\System32\svchost.exe[2100] USER32.dll!SetWindowsHookExA 76816D0C 6 Bytes JMP 7183001E .text C:\Windows\System32\svchost.exe[2100] GDI32.dll!DeleteDC 771D6EAA 6 Bytes JMP 7186001E .text C:\Windows\System32\svchost.exe[2100] GDI32.dll!GetPixel 771DC3D5 6 Bytes JMP 7189001E .text C:\Windows\System32\svchost.exe[2100] GDI32.dll!CreateDCA 771DCCA9 6 Bytes JMP 718F001E .text C:\Windows\System32\svchost.exe[2100] GDI32.dll!CreateDCW 771DCF79 6 Bytes JMP 718C001E .text C:\Windows\System32\svchost.exe[2100] ADVAPI32.dll!CreateProcessAsUserA 76F72642 6 Bytes JMP 7198001E .text C:\Windows\System32\svchost.exe[2100] ADVAPI32.dll!CreateProcessWithLogonW 76F75429 6 Bytes JMP 7195001E .text C:\Windows\System32\svchost.exe[2220] ntdll.dll!NtAlpcSendWaitReceivePort 77265458 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[2220] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7726545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\System32\svchost.exe[2220] ntdll.dll!NtClose 77265508 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[2220] ntdll.dll!NtClose + 4 7726550C 2 Bytes [AE, 71] .text C:\Windows\System32\svchost.exe[2220] ntdll.dll!LdrUnloadDll 7727C8DE 6 Bytes JMP 71A7001E .text C:\Windows\System32\svchost.exe[2220] kernel32.dll!CreateProcessW 7737204D 6 Bytes JMP 719E001E .text C:\Windows\System32\svchost.exe[2220] kernel32.dll!CreateProcessA 77372082 6 Bytes JMP 719B001E .text C:\Windows\System32\svchost.exe[2220] kernel32.dll!CreateProcessAsUserW 773A5ABF 6 Bytes JMP 7192001E .text C:\Windows\System32\svchost.exe[2220] kernel32.dll!GetBinaryTypeW + 70 773D6AAC 1 Byte [62] .text C:\Windows\System32\svchost.exe[2220] USER32.dll!SetWindowsHookExW 767EE30C 6 Bytes JMP 7180001E .text C:\Windows\System32\svchost.exe[2220] USER32.dll!SetWinEventHook 767F24DC 6 Bytes JMP 717D001E .text C:\Windows\System32\svchost.exe[2220] USER32.dll!SetWindowsHookExA 76816D0C 6 Bytes JMP 7183001E .text C:\Windows\System32\svchost.exe[2220] GDI32.dll!DeleteDC 771D6EAA 6 Bytes JMP 7186001E .text C:\Windows\System32\svchost.exe[2220] GDI32.dll!GetPixel 771DC3D5 6 Bytes JMP 7189001E .text C:\Windows\System32\svchost.exe[2220] GDI32.dll!CreateDCA 771DCCA9 6 Bytes JMP 718F001E .text C:\Windows\System32\svchost.exe[2220] GDI32.dll!CreateDCW 771DCF79 6 Bytes JMP 718C001E .text C:\Windows\System32\svchost.exe[2220] ADVAPI32.dll!CreateProcessAsUserA 76F72642 6 Bytes JMP 7198001E .text C:\Windows\System32\svchost.exe[2220] ADVAPI32.dll!CreateProcessWithLogonW 76F75429 6 Bytes JMP 7195001E .text C:\Windows\system32\svchost.exe[2268] ntdll.dll!NtAlpcSendWaitReceivePort 77265458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[2268] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7726545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\svchost.exe[2268] ntdll.dll!NtClose 77265508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[2268] ntdll.dll!NtClose + 4 7726550C 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[2268] ntdll.dll!LdrUnloadDll 7727C8DE 6 Bytes JMP 71A7001E .text C:\Windows\system32\svchost.exe[2268] kernel32.dll!CreateProcessW 7737204D 6 Bytes JMP 719E001E .text C:\Windows\system32\svchost.exe[2268] kernel32.dll!CreateProcessA 77372082 6 Bytes JMP 719B001E .text C:\Windows\system32\svchost.exe[2268] kernel32.dll!CreateProcessAsUserW 773A5ABF 6 Bytes JMP 7192001E .text C:\Windows\system32\svchost.exe[2268] kernel32.dll!GetBinaryTypeW + 70 773D6AAC 1 Byte [62] .text C:\Windows\system32\svchost.exe[2268] USER32.dll!SetWindowsHookExW 767EE30C 6 Bytes JMP 7180001E .text C:\Windows\system32\svchost.exe[2268] USER32.dll!SetWinEventHook 767F24DC 6 Bytes JMP 717D001E .text C:\Windows\system32\svchost.exe[2268] USER32.dll!SetWindowsHookExA 76816D0C 6 Bytes JMP 7183001E .text C:\Windows\system32\svchost.exe[2268] GDI32.dll!DeleteDC 771D6EAA 6 Bytes JMP 7186001E .text C:\Windows\system32\svchost.exe[2268] GDI32.dll!GetPixel 771DC3D5 6 Bytes JMP 7189001E .text C:\Windows\system32\svchost.exe[2268] GDI32.dll!CreateDCA 771DCCA9 6 Bytes JMP 718F001E .text C:\Windows\system32\svchost.exe[2268] GDI32.dll!CreateDCW 771DCF79 6 Bytes JMP 718C001E .text C:\Windows\system32\svchost.exe[2268] ADVAPI32.dll!CreateProcessAsUserA 76F72642 6 Bytes JMP 7198001E .text C:\Windows\system32\svchost.exe[2268] ADVAPI32.dll!CreateProcessWithLogonW 76F75429 6 Bytes JMP 7195001E .text C:\Windows\system32\svchost.exe[2296] ntdll.dll!NtAlpcSendWaitReceivePort 77265458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[2296] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7726545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\svchost.exe[2296] ntdll.dll!NtClose 77265508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[2296] ntdll.dll!NtClose + 4 7726550C 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[2296] ntdll.dll!LdrUnloadDll 7727C8DE 6 Bytes JMP 71A7001E .text C:\Windows\system32\svchost.exe[2296] kernel32.dll!CreateProcessW 7737204D 6 Bytes JMP 719E001E .text C:\Windows\system32\svchost.exe[2296] kernel32.dll!CreateProcessA 77372082 6 Bytes JMP 719B001E .text C:\Windows\system32\svchost.exe[2296] kernel32.dll!CreateProcessAsUserW 773A5ABF 6 Bytes JMP 7192001E .text C:\Windows\system32\svchost.exe[2296] kernel32.dll!GetBinaryTypeW + 70 773D6AAC 1 Byte [62] .text C:\Windows\system32\svchost.exe[2296] USER32.dll!SetWindowsHookExW 767EE30C 6 Bytes JMP 7180001E .text C:\Windows\system32\svchost.exe[2296] USER32.dll!SetWinEventHook 767F24DC 6 Bytes JMP 717D001E .text C:\Windows\system32\svchost.exe[2296] USER32.dll!SetWindowsHookExA 76816D0C 6 Bytes JMP 7183001E .text C:\Windows\system32\svchost.exe[2296] GDI32.dll!DeleteDC 771D6EAA 6 Bytes JMP 7186001E .text C:\Windows\system32\svchost.exe[2296] GDI32.dll!GetPixel 771DC3D5 6 Bytes JMP 7189001E .text C:\Windows\system32\svchost.exe[2296] GDI32.dll!CreateDCA 771DCCA9 6 Bytes JMP 718F001E .text C:\Windows\system32\svchost.exe[2296] GDI32.dll!CreateDCW 771DCF79 6 Bytes JMP 718C001E .text C:\Windows\system32\svchost.exe[2296] ADVAPI32.dll!CreateProcessAsUserA 76F72642 6 Bytes JMP 7198001E .text C:\Windows\system32\svchost.exe[2296] ADVAPI32.dll!CreateProcessWithLogonW 76F75429 6 Bytes JMP 7195001E .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2368] ntdll.dll!NtAlpcSendWaitReceivePort 77265458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2368] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7726545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2368] ntdll.dll!NtClose 77265508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2368] ntdll.dll!NtClose + 4 7726550C 2 Bytes [AE, 71] .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2368] ntdll.dll!LdrUnloadDll 7727C8DE 6 Bytes JMP 71A7001E .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2368] kernel32.dll!CreateProcessW 7737204D 6 Bytes JMP 719E001E .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2368] kernel32.dll!CreateProcessA 77372082 6 Bytes JMP 719B001E .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2368] kernel32.dll!CreateProcessAsUserW 773A5ABF 6 Bytes JMP 7192001E .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2368] kernel32.dll!GetBinaryTypeW + 70 773D6AAC 1 Byte [62] .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2368] USER32.dll!SetWindowsHookExW 767EE30C 6 Bytes JMP 7180001E .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2368] USER32.dll!SetWinEventHook 767F24DC 6 Bytes JMP 717D001E .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2368] USER32.dll!SetWindowsHookExA 76816D0C 6 Bytes JMP 7183001E .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2368] GDI32.dll!DeleteDC 771D6EAA 6 Bytes JMP 7186001E .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2368] GDI32.dll!GetPixel 771DC3D5 6 Bytes JMP 7189001E .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2368] GDI32.dll!CreateDCA 771DCCA9 6 Bytes JMP 718F001E .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2368] GDI32.dll!CreateDCW 771DCF79 6 Bytes JMP 718C001E .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2368] ADVAPI32.dll!CreateProcessAsUserA 76F72642 6 Bytes JMP 7198001E .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2368] ADVAPI32.dll!CreateProcessWithLogonW 76F75429 6 Bytes JMP 7195001E .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2428] ntdll.dll!NtAlpcSendWaitReceivePort 77265458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2428] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7726545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2428] ntdll.dll!NtClose 77265508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2428] ntdll.dll!NtClose + 4 7726550C 2 Bytes [AE, 71] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2428] ntdll.dll!LdrUnloadDll 7727C8DE 6 Bytes JMP 71A7001E .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2428] kernel32.dll!CreateProcessW 7737204D 6 Bytes JMP 719E001E .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2428] kernel32.dll!CreateProcessA 77372082 6 Bytes JMP 719B001E .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2428] kernel32.dll!CreateProcessAsUserW 773A5ABF 6 Bytes JMP 7192001E .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2428] kernel32.dll!GetBinaryTypeW + 70 773D6AAC 1 Byte [62] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2428] ADVAPI32.dll!CreateProcessAsUserA 76F72642 6 Bytes JMP 7198001E .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2428] ADVAPI32.dll!CreateProcessWithLogonW 76F75429 6 Bytes JMP 7195001E .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2428] GDI32.dll!DeleteDC 771D6EAA 6 Bytes JMP 7186001E .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2428] GDI32.dll!GetPixel 771DC3D5 6 Bytes JMP 7189001E .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2428] GDI32.dll!CreateDCA 771DCCA9 6 Bytes JMP 718F001E .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2428] GDI32.dll!CreateDCW 771DCF79 6 Bytes JMP 718C001E .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2428] USER32.dll!SetWindowsHookExW 767EE30C 6 Bytes JMP 7180001E .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2428] USER32.dll!SetWinEventHook 767F24DC 6 Bytes JMP 717D001E .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2428] USER32.dll!SetWindowsHookExA 76816D0C 6 Bytes JMP 7183001E .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[2524] ntdll.dll!NtAlpcSendWaitReceivePort 77265458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[2524] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7726545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[2524] ntdll.dll!NtClose 77265508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[2524] ntdll.dll!NtClose + 4 7726550C 2 Bytes [AE, 71] .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[2524] ntdll.dll!LdrUnloadDll 7727C8DE 6 Bytes JMP 71A7001E .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[2524] kernel32.dll!CreateProcessW 7737204D 6 Bytes JMP 719E001E .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[2524] kernel32.dll!CreateProcessA 77372082 6 Bytes JMP 719B001E .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[2524] kernel32.dll!CreateProcessAsUserW 773A5ABF 6 Bytes JMP 7192001E .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[2524] kernel32.dll!GetBinaryTypeW + 70 773D6AAC 1 Byte [62] .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[2524] USER32.dll!SetWindowsHookExW 767EE30C 6 Bytes JMP 7180001E .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[2524] USER32.dll!SetWinEventHook 767F24DC 6 Bytes JMP 717D001E .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[2524] USER32.dll!SetWindowsHookExA 76816D0C 6 Bytes JMP 7183001E .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[2524] GDI32.dll!DeleteDC 771D6EAA 6 Bytes JMP 7186001E .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[2524] GDI32.dll!GetPixel 771DC3D5 6 Bytes JMP 7189001E .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[2524] GDI32.dll!CreateDCA 771DCCA9 6 Bytes JMP 718F001E .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[2524] GDI32.dll!CreateDCW 771DCF79 6 Bytes JMP 718C001E .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[2524] ADVAPI32.dll!CreateProcessAsUserA 76F72642 6 Bytes JMP 7198001E .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[2524] ADVAPI32.dll!CreateProcessWithLogonW 76F75429 6 Bytes JMP 7195001E .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2628] ntdll.dll!NtAlpcSendWaitReceivePort 77265458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2628] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7726545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2628] ntdll.dll!NtClose 77265508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2628] ntdll.dll!NtClose + 4 7726550C 2 Bytes [AE, 71] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2628] ntdll.dll!LdrUnloadDll 7727C8DE 6 Bytes JMP 71A7001E .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2628] kernel32.dll!CreateProcessW 7737204D 6 Bytes JMP 719E001E .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2628] kernel32.dll!CreateProcessA 77372082 6 Bytes JMP 719B001E .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2628] kernel32.dll!CreateProcessAsUserW 773A5ABF 6 Bytes JMP 7192001E .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2628] kernel32.dll!GetBinaryTypeW + 70 773D6AAC 1 Byte [62] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2628] ADVAPI32.dll!CreateProcessAsUserA 76F72642 6 Bytes JMP 7198001E .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2628] ADVAPI32.dll!CreateProcessWithLogonW 76F75429 6 Bytes JMP 7195001E .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2628] USER32.dll!SetWindowsHookExW 767EE30C 6 Bytes JMP 7180001E .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2628] USER32.dll!SetWinEventHook 767F24DC 6 Bytes JMP 717D001E .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2628] USER32.dll!SetWindowsHookExA 76816D0C 6 Bytes JMP 7183001E .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2628] GDI32.dll!DeleteDC 771D6EAA 6 Bytes JMP 7186001E .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2628] GDI32.dll!GetPixel 771DC3D5 6 Bytes JMP 7189001E .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2628] GDI32.dll!CreateDCA 771DCCA9 6 Bytes JMP 718F001E .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2628] GDI32.dll!CreateDCW 771DCF79 6 Bytes JMP 718C001E .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2928] ntdll.dll!NtAlpcSendWaitReceivePort 77265458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2928] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7726545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2928] ntdll.dll!NtClose 77265508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2928] ntdll.dll!NtClose + 4 7726550C 2 Bytes [AE, 71] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2928] ntdll.dll!LdrUnloadDll 7727C8DE 6 Bytes JMP 71A7001E .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2928] kernel32.dll!CreateProcessW 7737204D 6 Bytes JMP 719E001E .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2928] kernel32.dll!CreateProcessA 77372082 6 Bytes JMP 719B001E .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2928] kernel32.dll!CreateProcessAsUserW 773A5ABF 6 Bytes JMP 7192001E .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2928] kernel32.dll!GetBinaryTypeW + 70 773D6AAC 1 Byte [62] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2928] USER32.dll!SetWindowsHookExW 767EE30C 6 Bytes JMP 7180001E .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2928] USER32.dll!SetWinEventHook 767F24DC 6 Bytes JMP 717D001E .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2928] USER32.dll!SetWindowsHookExA 76816D0C 6 Bytes JMP 7183001E .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2928] GDI32.dll!DeleteDC 771D6EAA 6 Bytes JMP 7186001E .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2928] GDI32.dll!GetPixel 771DC3D5 6 Bytes JMP 7189001E .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2928] GDI32.dll!CreateDCA 771DCCA9 6 Bytes JMP 718F001E .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2928] GDI32.dll!CreateDCW 771DCF79 6 Bytes JMP 718C001E .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2928] ADVAPI32.dll!CreateProcessAsUserA 76F72642 6 Bytes JMP 7198001E .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2928] ADVAPI32.dll!CreateProcessWithLogonW 76F75429 6 Bytes JMP 7195001E .text C:\Windows\system32\svchost.exe[2936] ntdll.dll!NtAlpcSendWaitReceivePort 77265458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[2936] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7726545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\svchost.exe[2936] ntdll.dll!NtClose 77265508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[2936] ntdll.dll!NtClose + 4 7726550C 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[2936] ntdll.dll!LdrUnloadDll 7727C8DE 6 Bytes JMP 71A7001E .text C:\Windows\system32\svchost.exe[2936] kernel32.dll!CreateProcessW 7737204D 6 Bytes JMP 719E001E .text C:\Windows\system32\svchost.exe[2936] kernel32.dll!CreateProcessA 77372082 6 Bytes JMP 719B001E .text C:\Windows\system32\svchost.exe[2936] kernel32.dll!CreateProcessAsUserW 773A5ABF 6 Bytes JMP 7192001E .text C:\Windows\system32\svchost.exe[2936] kernel32.dll!GetBinaryTypeW + 70 773D6AAC 1 Byte [62] .text C:\Windows\system32\svchost.exe[2936] USER32.dll!SetWindowsHookExW 767EE30C 6 Bytes JMP 7180001E .text C:\Windows\system32\svchost.exe[2936] USER32.dll!SetWinEventHook 767F24DC 6 Bytes JMP 717D001E .text C:\Windows\system32\svchost.exe[2936] USER32.dll!SetWindowsHookExA 76816D0C 6 Bytes JMP 7183001E .text C:\Windows\system32\svchost.exe[2936] GDI32.dll!DeleteDC 771D6EAA 6 Bytes JMP 7186001E .text C:\Windows\system32\svchost.exe[2936] GDI32.dll!GetPixel 771DC3D5 6 Bytes JMP 7189001E .text C:\Windows\system32\svchost.exe[2936] GDI32.dll!CreateDCA 771DCCA9 6 Bytes JMP 718F001E .text C:\Windows\system32\svchost.exe[2936] GDI32.dll!CreateDCW 771DCF79 6 Bytes JMP 718C001E .text C:\Windows\system32\svchost.exe[2936] ADVAPI32.dll!CreateProcessAsUserA 76F72642 6 Bytes JMP 7198001E .text C:\Windows\system32\svchost.exe[2936] ADVAPI32.dll!CreateProcessWithLogonW 76F75429 6 Bytes JMP 7195001E .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3044] ntdll.dll!NtAlpcSendWaitReceivePort 77265458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3044] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7726545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3044] ntdll.dll!NtClose 77265508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3044] ntdll.dll!NtClose + 4 7726550C 2 Bytes [AE, 71] .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3044] ntdll.dll!LdrUnloadDll 7727C8DE 6 Bytes JMP 71A7001E .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3044] kernel32.dll!CreateProcessW 7737204D 6 Bytes JMP 719E001E .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3044] kernel32.dll!CreateProcessA 77372082 6 Bytes JMP 719B001E .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3044] kernel32.dll!CreateProcessAsUserW 773A5ABF 6 Bytes JMP 7192001E .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3044] kernel32.dll!GetBinaryTypeW + 70 773D6AAC 1 Byte [62] .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3044] USER32.dll!SetWindowsHookExW 767EE30C 6 Bytes JMP 7180001E .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3044] USER32.dll!SetWinEventHook 767F24DC 6 Bytes JMP 717D001E .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3044] USER32.dll!SetWindowsHookExA 76816D0C 6 Bytes JMP 7183001E .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3044] GDI32.dll!DeleteDC 771D6EAA 6 Bytes JMP 7186001E .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3044] GDI32.dll!GetPixel 771DC3D5 6 Bytes JMP 7189001E .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3044] GDI32.dll!CreateDCA 771DCCA9 6 Bytes JMP 718F001E .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3044] GDI32.dll!CreateDCW 771DCF79 6 Bytes JMP 718C001E .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3044] advapi32.DLL!CreateProcessAsUserA 76F72642 6 Bytes JMP 7198001E .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3044] advapi32.DLL!CreateProcessWithLogonW 76F75429 6 Bytes JMP 7195001E .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3068] ntdll.dll!NtAlpcSendWaitReceivePort 77265458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3068] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7726545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3068] ntdll.dll!NtClose 77265508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3068] ntdll.dll!NtClose + 4 7726550C 2 Bytes [AE, 71] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3068] ntdll.dll!LdrUnloadDll 7727C8DE 6 Bytes JMP 71A7001E .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3068] kernel32.dll!CreateProcessW 7737204D 6 Bytes JMP 719E001E .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3068] kernel32.dll!CreateProcessA 77372082 6 Bytes JMP 719B001E .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3068] kernel32.dll!CreateProcessAsUserW 773A5ABF 6 Bytes JMP 7192001E .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3068] kernel32.dll!GetBinaryTypeW + 70 773D6AAC 1 Byte [62] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3068] USER32.dll!SetWindowsHookExW 767EE30C 6 Bytes JMP 7180001E .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3068] USER32.dll!SetWinEventHook 767F24DC 6 Bytes JMP 717D001E .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3068] USER32.dll!SetWindowsHookExA 76816D0C 6 Bytes JMP 7183001E .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3068] GDI32.dll!DeleteDC 771D6EAA 6 Bytes JMP 7186001E .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3068] GDI32.dll!GetPixel 771DC3D5 6 Bytes JMP 7189001E .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3068] GDI32.dll!CreateDCA 771DCCA9 6 Bytes JMP 718F001E .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3068] GDI32.dll!CreateDCW 771DCF79 6 Bytes JMP 718C001E .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3068] ADVAPI32.dll!CreateProcessAsUserA 76F72642 6 Bytes JMP 7198001E .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3068] ADVAPI32.dll!CreateProcessWithLogonW 76F75429 6 Bytes JMP 7195001E .text C:\Windows\system32\taskeng.exe[3128] ntdll.dll!NtAlpcSendWaitReceivePort 77265458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskeng.exe[3128] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7726545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\taskeng.exe[3128] ntdll.dll!NtClose 77265508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskeng.exe[3128] ntdll.dll!NtClose + 4 7726550C 2 Bytes [AE, 71] .text C:\Windows\system32\taskeng.exe[3128] ntdll.dll!LdrUnloadDll 7727C8DE 6 Bytes JMP 71A7001E .text C:\Windows\system32\taskeng.exe[3128] kernel32.dll!CreateProcessW 7737204D 6 Bytes JMP 719E001E .text C:\Windows\system32\taskeng.exe[3128] kernel32.dll!CreateProcessA 77372082 6 Bytes JMP 719B001E .text C:\Windows\system32\taskeng.exe[3128] kernel32.dll!CreateProcessAsUserW 773A5ABF 6 Bytes JMP 7192001E .text C:\Windows\system32\taskeng.exe[3128] kernel32.dll!GetBinaryTypeW + 70 773D6AAC 1 Byte [62] .text C:\Windows\system32\taskeng.exe[3128] USER32.dll!SetWindowsHookExW 767EE30C 6 Bytes JMP 7180001E .text C:\Windows\system32\taskeng.exe[3128] USER32.dll!SetWinEventHook 767F24DC 6 Bytes JMP 717D001E .text C:\Windows\system32\taskeng.exe[3128] USER32.dll!SetWindowsHookExA 76816D0C 6 Bytes JMP 7183001E .text C:\Windows\system32\taskeng.exe[3128] GDI32.dll!DeleteDC 771D6EAA 6 Bytes JMP 7186001E .text C:\Windows\system32\taskeng.exe[3128] GDI32.dll!GetPixel 771DC3D5 6 Bytes JMP 7189001E .text C:\Windows\system32\taskeng.exe[3128] GDI32.dll!CreateDCA 771DCCA9 6 Bytes JMP 718F001E .text C:\Windows\system32\taskeng.exe[3128] GDI32.dll!CreateDCW 771DCF79 6 Bytes JMP 718C001E .text C:\Windows\system32\taskeng.exe[3128] ADVAPI32.dll!CreateProcessAsUserA 76F72642 6 Bytes JMP 7198001E .text C:\Windows\system32\taskeng.exe[3128] ADVAPI32.dll!CreateProcessWithLogonW 76F75429 6 Bytes JMP 7195001E .text C:\Windows\system32\svchost.exe[3264] ntdll.dll!NtAlpcSendWaitReceivePort 77265458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3264] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7726545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\svchost.exe[3264] ntdll.dll!NtClose 77265508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3264] ntdll.dll!NtClose + 4 7726550C 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[3264] ntdll.dll!LdrUnloadDll 7727C8DE 6 Bytes JMP 71A7001E .text C:\Windows\system32\svchost.exe[3264] kernel32.dll!CreateProcessW 7737204D 6 Bytes JMP 719E001E .text C:\Windows\system32\svchost.exe[3264] kernel32.dll!CreateProcessA 77372082 6 Bytes JMP 719B001E .text C:\Windows\system32\svchost.exe[3264] kernel32.dll!CreateProcessAsUserW 773A5ABF 6 Bytes JMP 7192001E .text C:\Windows\system32\svchost.exe[3264] kernel32.dll!GetBinaryTypeW + 70 773D6AAC 1 Byte [62] .text C:\Windows\system32\svchost.exe[3264] USER32.dll!SetWindowsHookExW 767EE30C 6 Bytes JMP 7180001E .text C:\Windows\system32\svchost.exe[3264] USER32.dll!SetWinEventHook 767F24DC 6 Bytes JMP 717D001E .text C:\Windows\system32\svchost.exe[3264] USER32.dll!SetWindowsHookExA 76816D0C 6 Bytes JMP 7183001E .text C:\Windows\system32\svchost.exe[3264] GDI32.dll!DeleteDC 771D6EAA 6 Bytes JMP 7186001E .text C:\Windows\system32\svchost.exe[3264] GDI32.dll!GetPixel 771DC3D5 6 Bytes JMP 7189001E .text C:\Windows\system32\svchost.exe[3264] GDI32.dll!CreateDCA 771DCCA9 6 Bytes JMP 718F001E .text C:\Windows\system32\svchost.exe[3264] GDI32.dll!CreateDCW 771DCF79 6 Bytes JMP 718C001E .text C:\Windows\system32\svchost.exe[3264] ADVAPI32.dll!CreateProcessAsUserA 76F72642 6 Bytes JMP 7198001E .text C:\Windows\system32\svchost.exe[3264] ADVAPI32.dll!CreateProcessWithLogonW 76F75429 6 Bytes JMP 7195001E .text C:\Windows\system32\taskhost.exe[3356] ntdll.dll!NtAlpcSendWaitReceivePort 77265458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[3356] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7726545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\taskhost.exe[3356] ntdll.dll!NtClose 77265508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[3356] ntdll.dll!NtClose + 4 7726550C 2 Bytes [AE, 71] .text C:\Windows\system32\taskhost.exe[3356] ntdll.dll!LdrUnloadDll 7727C8DE 6 Bytes JMP 71A7001E .text C:\Windows\system32\taskhost.exe[3356] kernel32.dll!CreateProcessW 7737204D 6 Bytes JMP 719E001E .text C:\Windows\system32\taskhost.exe[3356] kernel32.dll!CreateProcessA 77372082 6 Bytes JMP 719B001E .text C:\Windows\system32\taskhost.exe[3356] kernel32.dll!CreateProcessAsUserW 773A5ABF 6 Bytes JMP 7192001E .text C:\Windows\system32\taskhost.exe[3356] kernel32.dll!GetBinaryTypeW + 70 773D6AAC 1 Byte [62] .text C:\Windows\system32\taskhost.exe[3356] GDI32.dll!DeleteDC 771D6EAA 6 Bytes JMP 7186001E .text C:\Windows\system32\taskhost.exe[3356] GDI32.dll!GetPixel 771DC3D5 6 Bytes JMP 7189001E .text C:\Windows\system32\taskhost.exe[3356] GDI32.dll!CreateDCA 771DCCA9 6 Bytes JMP 718F001E .text C:\Windows\system32\taskhost.exe[3356] GDI32.dll!CreateDCW 771DCF79 6 Bytes JMP 718C001E .text C:\Windows\system32\taskhost.exe[3356] USER32.dll!SetWindowsHookExW 767EE30C 6 Bytes JMP 7180001E .text C:\Windows\system32\taskhost.exe[3356] USER32.dll!SetWinEventHook 767F24DC 6 Bytes JMP 717D001E .text C:\Windows\system32\taskhost.exe[3356] USER32.dll!SetWindowsHookExA 76816D0C 6 Bytes JMP 7183001E .text C:\Windows\system32\taskhost.exe[3356] ADVAPI32.dll!CreateProcessAsUserA 76F72642 6 Bytes JMP 7198001E .text C:\Windows\system32\taskhost.exe[3356] ADVAPI32.dll!CreateProcessWithLogonW 76F75429 6 Bytes JMP 7195001E .text C:\Windows\system32\Dwm.exe[3376] ntdll.dll!NtAlpcSendWaitReceivePort 77265458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[3376] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7726545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\Dwm.exe[3376] ntdll.dll!NtClose 77265508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[3376] ntdll.dll!NtClose + 4 7726550C 2 Bytes [AE, 71] .text C:\Windows\system32\Dwm.exe[3376] ntdll.dll!LdrUnloadDll 7727C8DE 6 Bytes JMP 71A7001E .text C:\Windows\system32\Dwm.exe[3376] kernel32.dll!CreateProcessW 7737204D 6 Bytes JMP 719E001E .text C:\Windows\system32\Dwm.exe[3376] kernel32.dll!CreateProcessA 77372082 6 Bytes JMP 719B001E .text C:\Windows\system32\Dwm.exe[3376] kernel32.dll!CreateProcessAsUserW 773A5ABF 6 Bytes JMP 7192001E .text C:\Windows\system32\Dwm.exe[3376] kernel32.dll!GetBinaryTypeW + 70 773D6AAC 1 Byte [62] .text C:\Windows\system32\Dwm.exe[3376] GDI32.dll!DeleteDC 771D6EAA 6 Bytes JMP 7186001E .text C:\Windows\system32\Dwm.exe[3376] GDI32.dll!GetPixel 771DC3D5 6 Bytes JMP 7189001E .text C:\Windows\system32\Dwm.exe[3376] GDI32.dll!CreateDCA 771DCCA9 6 Bytes JMP 718F001E .text C:\Windows\system32\Dwm.exe[3376] GDI32.dll!CreateDCW 771DCF79 6 Bytes JMP 718C001E .text C:\Windows\system32\Dwm.exe[3376] USER32.dll!SetWindowsHookExW 767EE30C 6 Bytes JMP 7180001E .text C:\Windows\system32\Dwm.exe[3376] USER32.dll!SetWinEventHook 767F24DC 6 Bytes JMP 717D001E .text C:\Windows\system32\Dwm.exe[3376] USER32.dll!SetWindowsHookExA 76816D0C 6 Bytes JMP 7183001E .text C:\Windows\system32\Dwm.exe[3376] ADVAPI32.dll!CreateProcessAsUserA 76F72642 6 Bytes JMP 7198001E .text C:\Windows\system32\Dwm.exe[3376] ADVAPI32.dll!CreateProcessWithLogonW 76F75429 6 Bytes JMP 7195001E .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3420] ntdll.dll!NtAllocateVirtualMemory 77265318 5 Bytes JMP 00DD11F0 C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3420] ntdll.dll!NtCreateFile 77265608 5 Bytes JMP 00DD1000 C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3420] kernel32.dll!GetBinaryTypeW + 70 773D6AAC 1 Byte [62] .text C:\Windows\Explorer.EXE[3496] ntdll.dll!NtAlpcSendWaitReceivePort 77265458 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[3496] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7726545C 2 Bytes [77, 71] {JA 0x73} .text C:\Windows\Explorer.EXE[3496] ntdll.dll!NtClose 77265508 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[3496] ntdll.dll!NtClose + 4 7726550C 2 Bytes [AE, 71] .text C:\Windows\Explorer.EXE[3496] ntdll.dll!LdrUnloadDll 7727C8DE 6 Bytes JMP 71A7001E .text C:\Windows\Explorer.EXE[3496] kernel32.dll!CreateProcessW 7737204D 6 Bytes JMP 719E001E .text C:\Windows\Explorer.EXE[3496] kernel32.dll!CreateProcessA 77372082 6 Bytes JMP 719B001E .text C:\Windows\Explorer.EXE[3496] kernel32.dll!CreateProcessAsUserW 773A5ABF 6 Bytes JMP 7192001E .text C:\Windows\Explorer.EXE[3496] kernel32.dll!GetBinaryTypeW + 70 773D6AAC 1 Byte [62] .text C:\Windows\Explorer.EXE[3496] ADVAPI32.dll!CreateProcessAsUserA 76F72642 6 Bytes JMP 7198001E .text C:\Windows\Explorer.EXE[3496] ADVAPI32.dll!CreateProcessWithLogonW 76F75429 6 Bytes JMP 7195001E .text C:\Windows\Explorer.EXE[3496] GDI32.dll!DeleteDC 771D6EAA 6 Bytes JMP 7186001E .text C:\Windows\Explorer.EXE[3496] GDI32.dll!GetPixel 771DC3D5 6 Bytes JMP 7189001E .text C:\Windows\Explorer.EXE[3496] GDI32.dll!CreateDCA 771DCCA9 6 Bytes JMP 718F001E .text C:\Windows\Explorer.EXE[3496] GDI32.dll!CreateDCW 771DCF79 6 Bytes JMP 718C001E .text C:\Windows\Explorer.EXE[3496] USER32.dll!SetWindowsHookExW 767EE30C 6 Bytes JMP 717D001E .text C:\Windows\Explorer.EXE[3496] USER32.dll!SetWinEventHook 767F24DC 6 Bytes JMP 717A001E .text C:\Windows\Explorer.EXE[3496] USER32.dll!SetWindowsHookExA 76816D0C 6 Bytes JMP 7180001E .text C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe[3688] ntdll.dll!NtAlpcSendWaitReceivePort 77265458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe[3688] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7726545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe[3688] ntdll.dll!NtClose 77265508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe[3688] ntdll.dll!NtClose + 4 7726550C 2 Bytes [AE, 71] .text C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe[3688] ntdll.dll!LdrUnloadDll 7727C8DE 6 Bytes JMP 71A7001E .text C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe[3688] kernel32.dll!CreateProcessW 7737204D 6 Bytes JMP 719E001E .text C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe[3688] kernel32.dll!CreateProcessA 77372082 6 Bytes JMP 719B001E .text C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe[3688] kernel32.dll!CreateProcessAsUserW 773A5ABF 6 Bytes JMP 7192001E .text C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe[3688] kernel32.dll!GetBinaryTypeW + 70 773D6AAC 1 Byte [62] .text C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe[3688] USER32.dll!SetWindowsHookExW 767EE30C 6 Bytes JMP 7180001E .text C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe[3688] USER32.dll!SetWinEventHook 767F24DC 6 Bytes JMP 717D001E .text C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe[3688] USER32.dll!SetWindowsHookExA 76816D0C 6 Bytes JMP 7183001E .text C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe[3688] GDI32.dll!DeleteDC 771D6EAA 6 Bytes JMP 7186001E .text C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe[3688] GDI32.dll!GetPixel 771DC3D5 6 Bytes JMP 7189001E .text C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe[3688] GDI32.dll!CreateDCA 771DCCA9 6 Bytes JMP 718F001E .text C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe[3688] GDI32.dll!CreateDCW 771DCF79 6 Bytes JMP 718C001E .text C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe[3688] ADVAPI32.dll!CreateProcessAsUserA 76F72642 6 Bytes JMP 7198001E .text C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe[3688] ADVAPI32.dll!CreateProcessWithLogonW 76F75429 6 Bytes JMP 7195001E .text C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe[3728] ntdll.dll!NtAlpcSendWaitReceivePort 77265458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe[3728] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7726545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe[3728] ntdll.dll!NtClose 77265508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe[3728] ntdll.dll!NtClose + 4 7726550C 2 Bytes [AE, 71] .text C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe[3728] ntdll.dll!LdrUnloadDll 7727C8DE 6 Bytes JMP 71A7001E .text C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe[3728] kernel32.dll!CreateProcessW 7737204D 6 Bytes JMP 719E001E .text C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe[3728] kernel32.dll!CreateProcessA 77372082 6 Bytes JMP 719B001E .text C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe[3728] kernel32.dll!CreateProcessAsUserW 773A5ABF 6 Bytes JMP 7192001E .text C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe[3728] kernel32.dll!GetBinaryTypeW + 70 773D6AAC 1 Byte [62] .text C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe[3728] USER32.dll!SetWindowsHookExW 767EE30C 6 Bytes JMP 7180001E .text C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe[3728] USER32.dll!SetWinEventHook 767F24DC 6 Bytes JMP 717D001E .text C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe[3728] USER32.dll!SetWindowsHookExA 76816D0C 6 Bytes JMP 7183001E .text C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe[3728] GDI32.dll!DeleteDC 771D6EAA 6 Bytes JMP 7186001E .text C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe[3728] GDI32.dll!GetPixel 771DC3D5 6 Bytes JMP 7189001E .text C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe[3728] GDI32.dll!CreateDCA 771DCCA9 6 Bytes JMP 718F001E .text C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe[3728] GDI32.dll!CreateDCW 771DCF79 6 Bytes JMP 718C001E .text C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe[3728] ADVAPI32.dll!CreateProcessAsUserA 76F72642 6 Bytes JMP 7198001E .text C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe[3728] ADVAPI32.dll!CreateProcessWithLogonW 76F75429 6 Bytes JMP 7195001E .text C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[4024] ntdll.dll!NtAlpcSendWaitReceivePort 77265458 3 Bytes [FF, 25, 1E] .text C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[4024] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7726545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[4024] ntdll.dll!NtClose 77265508 3 Bytes [FF, 25, 1E] .text C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[4024] ntdll.dll!NtClose + 4 7726550C 2 Bytes [AE, 71] .text C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[4024] ntdll.dll!LdrUnloadDll 7727C8DE 6 Bytes JMP 71A7001E .text C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[4024] KERNEL32.dll!CreateProcessW 7737204D 6 Bytes JMP 719E001E .text C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[4024] KERNEL32.dll!CreateProcessA 77372082 6 Bytes JMP 719B001E .text C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[4024] KERNEL32.dll!CreateProcessAsUserW 773A5ABF 6 Bytes JMP 7192001E .text C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[4024] KERNEL32.dll!GetBinaryTypeW + 70 773D6AAC 1 Byte [62] .text C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[4024] USER32.dll!SetWindowsHookExW 767EE30C 6 Bytes JMP 7180001E .text C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[4024] USER32.dll!SetWinEventHook 767F24DC 6 Bytes JMP 717D001E .text C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[4024] USER32.dll!SetWindowsHookExA 76816D0C 6 Bytes JMP 7183001E .text C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[4024] GDI32.dll!DeleteDC 771D6EAA 6 Bytes JMP 7186001E .text C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[4024] GDI32.dll!GetPixel 771DC3D5 6 Bytes JMP 7189001E .text C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[4024] GDI32.dll!CreateDCA 771DCCA9 6 Bytes JMP 718F001E .text C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[4024] GDI32.dll!CreateDCW 771DCF79 6 Bytes JMP 718C001E .text C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[4024] ADVAPI32.dll!CreateProcessAsUserA 76F72642 6 Bytes JMP 7198001E .text C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[4024] ADVAPI32.dll!CreateProcessWithLogonW 76F75429 6 Bytes JMP 7195001E .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4100] ntdll.dll!NtAlpcSendWaitReceivePort 77265458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4100] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7726545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4100] ntdll.dll!NtClose 77265508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4100] ntdll.dll!NtClose + 4 7726550C 2 Bytes [AE, 71] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4100] ntdll.dll!LdrUnloadDll 7727C8DE 6 Bytes JMP 71A7001E .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4100] kernel32.dll!CreateProcessW 7737204D 6 Bytes JMP 719E001E .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4100] kernel32.dll!CreateProcessA 77372082 6 Bytes JMP 719B001E .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4100] kernel32.dll!CreateProcessAsUserW 773A5ABF 6 Bytes JMP 7192001E .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4100] kernel32.dll!GetBinaryTypeW + 70 773D6AAC 1 Byte [62] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4100] ADVAPI32.dll!CreateProcessAsUserA 76F72642 6 Bytes JMP 7198001E .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4100] ADVAPI32.dll!CreateProcessWithLogonW 76F75429 6 Bytes JMP 7195001E .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4100] USER32.dll!SetWindowsHookExW 767EE30C 6 Bytes JMP 7180001E .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4100] USER32.dll!SetWinEventHook 767F24DC 6 Bytes JMP 717D001E .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4100] USER32.dll!SetWindowsHookExA 76816D0C 6 Bytes JMP 7183001E .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4100] GDI32.dll!DeleteDC 771D6EAA 6 Bytes JMP 7186001E .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4100] GDI32.dll!GetPixel 771DC3D5 6 Bytes JMP 7189001E .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4100] GDI32.dll!CreateDCA 771DCCA9 6 Bytes JMP 718F001E .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4100] GDI32.dll!CreateDCW 771DCF79 6 Bytes JMP 718C001E .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4296] ntdll.dll!NtAlpcSendWaitReceivePort 77265458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4296] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7726545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4296] ntdll.dll!NtClose 77265508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4296] ntdll.dll!NtClose + 4 7726550C 2 Bytes [AE, 71] .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4296] ntdll.dll!LdrUnloadDll 7727C8DE 6 Bytes JMP 71A7001E .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4296] kernel32.dll!CreateProcessW 7737204D 6 Bytes JMP 719E001E .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4296] kernel32.dll!CreateProcessA 77372082 6 Bytes JMP 719B001E .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4296] kernel32.dll!CreateProcessAsUserW 773A5ABF 6 Bytes JMP 7192001E .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4296] kernel32.dll!GetBinaryTypeW + 70 773D6AAC 1 Byte [62] .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4296] USER32.dll!SetWindowsHookExW 767EE30C 6 Bytes JMP 7180001E .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4296] USER32.dll!SetWinEventHook 767F24DC 6 Bytes JMP 717D001E .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4296] USER32.dll!SetWindowsHookExA 76816D0C 6 Bytes JMP 7183001E .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4296] GDI32.dll!DeleteDC 771D6EAA 6 Bytes JMP 7186001E .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4296] GDI32.dll!GetPixel 771DC3D5 6 Bytes JMP 7189001E .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4296] GDI32.dll!CreateDCA 771DCCA9 6 Bytes JMP 718F001E .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4296] GDI32.dll!CreateDCW 771DCF79 6 Bytes JMP 718C001E .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4296] ADVAPI32.dll!CreateProcessAsUserA 76F72642 6 Bytes JMP 7198001E .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4296] ADVAPI32.dll!CreateProcessWithLogonW 76F75429 6 Bytes JMP 7195001E .text C:\Windows\WindowsMobile\wmdc.exe[4368] ntdll.dll!NtAlpcSendWaitReceivePort 77265458 3 Bytes [FF, 25, 1E] .text C:\Windows\WindowsMobile\wmdc.exe[4368] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7726545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\WindowsMobile\wmdc.exe[4368] ntdll.dll!NtClose 77265508 3 Bytes [FF, 25, 1E] .text C:\Windows\WindowsMobile\wmdc.exe[4368] ntdll.dll!NtClose + 4 7726550C 2 Bytes [AE, 71] .text C:\Windows\WindowsMobile\wmdc.exe[4368] ntdll.dll!LdrUnloadDll 7727C8DE 6 Bytes JMP 71A7001E .text C:\Windows\WindowsMobile\wmdc.exe[4368] kernel32.dll!CreateProcessW 7737204D 6 Bytes JMP 719E001E .text C:\Windows\WindowsMobile\wmdc.exe[4368] kernel32.dll!CreateProcessA 77372082 6 Bytes JMP 719B001E .text C:\Windows\WindowsMobile\wmdc.exe[4368] kernel32.dll!CreateProcessAsUserW 773A5ABF 6 Bytes JMP 7192001E .text C:\Windows\WindowsMobile\wmdc.exe[4368] kernel32.dll!GetBinaryTypeW + 70 773D6AAC 1 Byte [62] .text C:\Windows\WindowsMobile\wmdc.exe[4368] ADVAPI32.dll!CreateProcessAsUserA 76F72642 6 Bytes JMP 7198001E .text C:\Windows\WindowsMobile\wmdc.exe[4368] ADVAPI32.dll!CreateProcessWithLogonW 76F75429 6 Bytes JMP 7195001E .text C:\Windows\WindowsMobile\wmdc.exe[4368] GDI32.dll!DeleteDC 771D6EAA 6 Bytes JMP 7186001E .text C:\Windows\WindowsMobile\wmdc.exe[4368] GDI32.dll!GetPixel 771DC3D5 6 Bytes JMP 7189001E .text C:\Windows\WindowsMobile\wmdc.exe[4368] GDI32.dll!CreateDCA 771DCCA9 6 Bytes JMP 718F001E .text C:\Windows\WindowsMobile\wmdc.exe[4368] GDI32.dll!CreateDCW 771DCF79 6 Bytes JMP 718C001E .text C:\Windows\WindowsMobile\wmdc.exe[4368] USER32.dll!SetWindowsHookExW 767EE30C 6 Bytes JMP 7180001E .text C:\Windows\WindowsMobile\wmdc.exe[4368] USER32.dll!SetWinEventHook 767F24DC 6 Bytes JMP 717D001E .text C:\Windows\WindowsMobile\wmdc.exe[4368] USER32.dll!SetWindowsHookExA 76816D0C 6 Bytes JMP 7183001E .text C:\Program Files\HP\HP Software Update\hpwuschd2.exe[4396] ntdll.dll!NtAlpcSendWaitReceivePort 77265458 3 Bytes [FF, 25, 1E] .text C:\Program Files\HP\HP Software Update\hpwuschd2.exe[4396] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7726545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\HP\HP Software Update\hpwuschd2.exe[4396] ntdll.dll!NtClose 77265508 3 Bytes [FF, 25, 1E] .text C:\Program Files\HP\HP Software Update\hpwuschd2.exe[4396] ntdll.dll!NtClose + 4 7726550C 2 Bytes [AE, 71] .text C:\Program Files\HP\HP Software Update\hpwuschd2.exe[4396] ntdll.dll!LdrUnloadDll 7727C8DE 6 Bytes JMP 71A7001E .text C:\Program Files\HP\HP Software Update\hpwuschd2.exe[4396] kernel32.dll!CreateProcessW 7737204D 6 Bytes JMP 719E001E .text C:\Program Files\HP\HP Software Update\hpwuschd2.exe[4396] kernel32.dll!CreateProcessA 77372082 6 Bytes JMP 719B001E .text C:\Program Files\HP\HP Software Update\hpwuschd2.exe[4396] kernel32.dll!CreateProcessAsUserW 773A5ABF 6 Bytes JMP 7192001E .text C:\Program Files\HP\HP Software Update\hpwuschd2.exe[4396] kernel32.dll!GetBinaryTypeW + 70 773D6AAC 1 Byte [62] .text C:\Program Files\HP\HP Software Update\hpwuschd2.exe[4396] USER32.dll!SetWindowsHookExW 767EE30C 6 Bytes JMP 7180001E .text C:\Program Files\HP\HP Software Update\hpwuschd2.exe[4396] USER32.dll!SetWinEventHook 767F24DC 6 Bytes JMP 717D001E .text C:\Program Files\HP\HP Software Update\hpwuschd2.exe[4396] USER32.dll!SetWindowsHookExA 76816D0C 6 Bytes JMP 7183001E .text C:\Program Files\HP\HP Software Update\hpwuschd2.exe[4396] GDI32.dll!DeleteDC 771D6EAA 6 Bytes JMP 7186001E .text C:\Program Files\HP\HP Software Update\hpwuschd2.exe[4396] GDI32.dll!GetPixel 771DC3D5 6 Bytes JMP 7189001E .text C:\Program Files\HP\HP Software Update\hpwuschd2.exe[4396] GDI32.dll!CreateDCA 771DCCA9 6 Bytes JMP 718F001E .text C:\Program Files\HP\HP Software Update\hpwuschd2.exe[4396] GDI32.dll!CreateDCW 771DCF79 6 Bytes JMP 718C001E .text C:\Program Files\HP\HP Software Update\hpwuschd2.exe[4396] ADVAPI32.dll!CreateProcessAsUserA 76F72642 6 Bytes JMP 7198001E .text C:\Program Files\HP\HP Software Update\hpwuschd2.exe[4396] ADVAPI32.dll!CreateProcessWithLogonW 76F75429 6 Bytes JMP 7195001E .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4788] ntdll.dll!NtAlpcSendWaitReceivePort 77265458 3 Bytes [FF, 25, 1E] .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4788] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7726545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4788] ntdll.dll!NtClose 77265508 3 Bytes [FF, 25, 1E] .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4788] ntdll.dll!NtClose + 4 7726550C 2 Bytes [AE, 71] .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4788] ntdll.dll!LdrUnloadDll 7727C8DE 6 Bytes JMP 71A7001E .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4788] KERNEL32.dll!CreateProcessW 7737204D 6 Bytes JMP 719E001E .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4788] KERNEL32.dll!CreateProcessA 77372082 6 Bytes JMP 719B001E .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4788] KERNEL32.dll!CreateProcessAsUserW 773A5ABF 6 Bytes JMP 7192001E .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4788] KERNEL32.dll!GetBinaryTypeW + 70 773D6AAC 1 Byte [62] .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4788] USER32.dll!SetWindowsHookExW 767EE30C 6 Bytes JMP 7180001E .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4788] USER32.dll!SetWinEventHook 767F24DC 6 Bytes JMP 717D001E .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4788] USER32.dll!SetWindowsHookExA 76816D0C 6 Bytes JMP 7183001E .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4788] GDI32.dll!DeleteDC 771D6EAA 6 Bytes JMP 7186001E .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4788] GDI32.dll!GetPixel 771DC3D5 6 Bytes JMP 7189001E .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4788] GDI32.dll!CreateDCA 771DCCA9 6 Bytes JMP 718F001E .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4788] GDI32.dll!CreateDCW 771DCF79 6 Bytes JMP 718C001E .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4788] ADVAPI32.dll!CreateProcessAsUserA 76F72642 6 Bytes JMP 7198001E .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4788] ADVAPI32.dll!CreateProcessWithLogonW 76F75429 6 Bytes JMP 7195001E .text C:\Windows\System32\svchost.exe[4796] ntdll.dll!NtAlpcSendWaitReceivePort 77265458 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[4796] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7726545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\System32\svchost.exe[4796] ntdll.dll!NtClose 77265508 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[4796] ntdll.dll!NtClose + 4 7726550C 2 Bytes [AE, 71] .text C:\Windows\System32\svchost.exe[4796] ntdll.dll!LdrUnloadDll 7727C8DE 6 Bytes JMP 71A7001E .text C:\Windows\System32\svchost.exe[4796] kernel32.dll!CreateProcessW 7737204D 6 Bytes JMP 719E001E .text C:\Windows\System32\svchost.exe[4796] kernel32.dll!CreateProcessA 77372082 6 Bytes JMP 719B001E .text C:\Windows\System32\svchost.exe[4796] kernel32.dll!CreateProcessAsUserW 773A5ABF 6 Bytes JMP 7192001E .text C:\Windows\System32\svchost.exe[4796] kernel32.dll!GetBinaryTypeW + 70 773D6AAC 1 Byte [62] .text C:\Windows\System32\svchost.exe[4796] USER32.dll!SetWindowsHookExW 767EE30C 6 Bytes JMP 7180001E .text C:\Windows\System32\svchost.exe[4796] USER32.dll!SetWinEventHook 767F24DC 6 Bytes JMP 717D001E .text C:\Windows\System32\svchost.exe[4796] USER32.dll!SetWindowsHookExA 76816D0C 6 Bytes JMP 7183001E .text C:\Windows\System32\svchost.exe[4796] GDI32.dll!DeleteDC 771D6EAA 6 Bytes JMP 7186001E .text C:\Windows\System32\svchost.exe[4796] GDI32.dll!GetPixel 771DC3D5 6 Bytes JMP 7189001E .text C:\Windows\System32\svchost.exe[4796] GDI32.dll!CreateDCA 771DCCA9 6 Bytes JMP 718F001E .text C:\Windows\System32\svchost.exe[4796] GDI32.dll!CreateDCW 771DCF79 6 Bytes JMP 718C001E .text C:\Windows\System32\svchost.exe[4796] ADVAPI32.dll!CreateProcessAsUserA 76F72642 6 Bytes JMP 7198001E .text C:\Windows\System32\svchost.exe[4796] ADVAPI32.dll!CreateProcessWithLogonW 76F75429 6 Bytes JMP 7195001E .text C:\Windows\system32\svchost.exe[4976] ntdll.dll!NtAlpcSendWaitReceivePort 77265458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[4976] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7726545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\svchost.exe[4976] ntdll.dll!NtClose 77265508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[4976] ntdll.dll!NtClose + 4 7726550C 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[4976] ntdll.dll!LdrUnloadDll 7727C8DE 6 Bytes JMP 71A7001E .text C:\Windows\system32\svchost.exe[4976] kernel32.dll!CreateProcessW 7737204D 6 Bytes JMP 719E001E .text C:\Windows\system32\svchost.exe[4976] kernel32.dll!CreateProcessA 77372082 6 Bytes JMP 719B001E .text C:\Windows\system32\svchost.exe[4976] kernel32.dll!CreateProcessAsUserW 773A5ABF 6 Bytes JMP 7192001E .text C:\Windows\system32\svchost.exe[4976] kernel32.dll!GetBinaryTypeW + 70 773D6AAC 1 Byte [62] .text C:\Windows\system32\svchost.exe[4976] USER32.dll!SetWindowsHookExW 767EE30C 6 Bytes JMP 7180001E .text C:\Windows\system32\svchost.exe[4976] USER32.dll!SetWinEventHook 767F24DC 6 Bytes JMP 717D001E .text C:\Windows\system32\svchost.exe[4976] USER32.dll!SetWindowsHookExA 76816D0C 6 Bytes JMP 7183001E .text C:\Windows\system32\svchost.exe[4976] GDI32.dll!DeleteDC 771D6EAA 6 Bytes JMP 7186001E .text C:\Windows\system32\svchost.exe[4976] GDI32.dll!GetPixel 771DC3D5 6 Bytes JMP 7189001E .text C:\Windows\system32\svchost.exe[4976] GDI32.dll!CreateDCA 771DCCA9 6 Bytes JMP 718F001E .text C:\Windows\system32\svchost.exe[4976] GDI32.dll!CreateDCW 771DCF79 6 Bytes JMP 718C001E .text C:\Windows\system32\svchost.exe[4976] ADVAPI32.dll!CreateProcessAsUserA 76F72642 6 Bytes JMP 7198001E .text C:\Windows\system32\svchost.exe[4976] ADVAPI32.dll!CreateProcessWithLogonW 76F75429 6 Bytes JMP 7195001E .text C:\Windows\System32\WUDFHost.exe[5084] ntdll.dll!NtAlpcSendWaitReceivePort 77265458 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\WUDFHost.exe[5084] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7726545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\System32\WUDFHost.exe[5084] ntdll.dll!NtClose 77265508 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\WUDFHost.exe[5084] ntdll.dll!NtClose + 4 7726550C 2 Bytes [AE, 71] .text C:\Windows\System32\WUDFHost.exe[5084] ntdll.dll!LdrUnloadDll 7727C8DE 6 Bytes JMP 71A7001E .text C:\Windows\System32\WUDFHost.exe[5084] kernel32.dll!CreateProcessW 7737204D 6 Bytes JMP 719E001E .text C:\Windows\System32\WUDFHost.exe[5084] kernel32.dll!CreateProcessA 77372082 6 Bytes JMP 719B001E .text C:\Windows\System32\WUDFHost.exe[5084] kernel32.dll!CreateProcessAsUserW 773A5ABF 6 Bytes JMP 7192001E .text C:\Windows\System32\WUDFHost.exe[5084] kernel32.dll!GetBinaryTypeW + 70 773D6AAC 1 Byte [62] .text C:\Windows\System32\WUDFHost.exe[5084] ADVAPI32.dll!CreateProcessAsUserA 76F72642 6 Bytes JMP 7198001E .text C:\Windows\System32\WUDFHost.exe[5084] ADVAPI32.dll!CreateProcessWithLogonW 76F75429 6 Bytes JMP 7195001E .text C:\Windows\System32\WUDFHost.exe[5084] USER32.dll!SetWindowsHookExW 767EE30C 6 Bytes JMP 7180001E .text C:\Windows\System32\WUDFHost.exe[5084] USER32.dll!SetWinEventHook 767F24DC 6 Bytes JMP 717D001E .text C:\Windows\System32\WUDFHost.exe[5084] USER32.dll!SetWindowsHookExA 76816D0C 6 Bytes JMP 7183001E .text C:\Windows\System32\WUDFHost.exe[5084] GDI32.dll!DeleteDC 771D6EAA 6 Bytes JMP 7186001E .text C:\Windows\System32\WUDFHost.exe[5084] GDI32.dll!GetPixel 771DC3D5 6 Bytes JMP 7189001E .text C:\Windows\System32\WUDFHost.exe[5084] GDI32.dll!CreateDCA 771DCCA9 6 Bytes JMP 718F001E .text C:\Windows\System32\WUDFHost.exe[5084] GDI32.dll!CreateDCW 771DCF79 6 Bytes JMP 718C001E .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5292] ntdll.dll!NtAlpcSendWaitReceivePort 77265458 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5292] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7726545C 2 Bytes [71, 71] {JNO 0x73} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5292] ntdll.dll!NtClose 77265508 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5292] ntdll.dll!NtClose + 4 7726550C 2 Bytes [AE, 71] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5292] ntdll.dll!LdrUnloadDll 7727C8DE 6 Bytes JMP 71A7001E .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5292] kernel32.dll!CreateProcessW 7737204D 6 Bytes JMP 719E001E .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5292] kernel32.dll!CreateProcessA 77372082 6 Bytes JMP 719B001E .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5292] kernel32.dll!CreateProcessAsUserW 773A5ABF 6 Bytes JMP 7192001E .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5292] kernel32.dll!SetUnhandledExceptionFilter 773BF5AB 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5292] kernel32.dll!GetBinaryTypeW + 70 773D6AAC 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5292] GDI32.dll!DeleteDC 771D6EAA 6 Bytes JMP 7180001E .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5292] GDI32.dll!GetPixel 771DC3D5 6 Bytes JMP 7189001E .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5292] GDI32.dll!CreateDCA 771DCCA9 6 Bytes JMP 718F001E .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5292] GDI32.dll!CreateDCW 771DCF79 6 Bytes JMP 718C001E .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5292] USER32.dll!SetWindowsHookExW 767EE30C 6 Bytes JMP 7177001E .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5292] USER32.dll!SetWinEventHook 767F24DC 6 Bytes JMP 7174001E .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5292] USER32.dll!SetWindowsHookExA 76816D0C 6 Bytes JMP 717A001E .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5292] advapi32.DLL!CreateProcessAsUserA 76F72642 6 Bytes JMP 7198001E .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5292] advapi32.DLL!CreateProcessWithLogonW 76F75429 6 Bytes JMP 7195001E .text C:\Program Files\Windows Sidebar\sidebar.exe[5344] ntdll.dll!NtAlpcSendWaitReceivePort 77265458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Windows Sidebar\sidebar.exe[5344] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7726545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Windows Sidebar\sidebar.exe[5344] ntdll.dll!NtClose 77265508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Windows Sidebar\sidebar.exe[5344] ntdll.dll!NtClose + 4 7726550C 2 Bytes [AE, 71] .text C:\Program Files\Windows Sidebar\sidebar.exe[5344] ntdll.dll!LdrUnloadDll 7727C8DE 6 Bytes JMP 71A7001E .text C:\Program Files\Windows Sidebar\sidebar.exe[5344] kernel32.dll!CreateProcessW 7737204D 6 Bytes JMP 719E001E .text C:\Program Files\Windows Sidebar\sidebar.exe[5344] kernel32.dll!CreateProcessA 77372082 6 Bytes JMP 719B001E .text C:\Program Files\Windows Sidebar\sidebar.exe[5344] kernel32.dll!CreateProcessAsUserW 773A5ABF 6 Bytes JMP 7192001E .text C:\Program Files\Windows Sidebar\sidebar.exe[5344] kernel32.dll!GetBinaryTypeW + 70 773D6AAC 1 Byte [62] .text C:\Program Files\Windows Sidebar\sidebar.exe[5344] ADVAPI32.dll!CreateProcessAsUserA 76F72642 6 Bytes JMP 7198001E .text C:\Program Files\Windows Sidebar\sidebar.exe[5344] ADVAPI32.dll!CreateProcessWithLogonW 76F75429 6 Bytes JMP 7195001E .text C:\Program Files\Windows Sidebar\sidebar.exe[5344] GDI32.dll!DeleteDC 771D6EAA 6 Bytes JMP 7186001E .text C:\Program Files\Windows Sidebar\sidebar.exe[5344] GDI32.dll!GetPixel 771DC3D5 6 Bytes JMP 7189001E .text C:\Program Files\Windows Sidebar\sidebar.exe[5344] GDI32.dll!CreateDCA 771DCCA9 6 Bytes JMP 718F001E .text C:\Program Files\Windows Sidebar\sidebar.exe[5344] GDI32.dll!CreateDCW 771DCF79 6 Bytes JMP 718C001E .text C:\Program Files\Windows Sidebar\sidebar.exe[5344] USER32.dll!SetWindowsHookExW 767EE30C 6 Bytes JMP 7180001E .text C:\Program Files\Windows Sidebar\sidebar.exe[5344] USER32.dll!SetWinEventHook 767F24DC 6 Bytes JMP 717D001E .text C:\Program Files\Windows Sidebar\sidebar.exe[5344] USER32.dll!SetWindowsHookExA 76816D0C 6 Bytes JMP 7183001E .text C:\Windows\system32\DllHost.exe[5392] ntdll.dll!NtAlpcSendWaitReceivePort 77265458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\DllHost.exe[5392] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7726545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\DllHost.exe[5392] ntdll.dll!NtClose 77265508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\DllHost.exe[5392] ntdll.dll!NtClose + 4 7726550C 2 Bytes [AE, 71] .text C:\Windows\system32\DllHost.exe[5392] ntdll.dll!LdrUnloadDll 7727C8DE 6 Bytes JMP 71A7001E .text C:\Windows\system32\DllHost.exe[5392] kernel32.dll!CreateProcessW 7737204D 6 Bytes JMP 719E001E .text C:\Windows\system32\DllHost.exe[5392] kernel32.dll!CreateProcessA 77372082 6 Bytes JMP 719B001E .text C:\Windows\system32\DllHost.exe[5392] kernel32.dll!CreateProcessAsUserW 773A5ABF 6 Bytes JMP 7192001E .text C:\Windows\system32\DllHost.exe[5392] kernel32.dll!GetBinaryTypeW + 70 773D6AAC 1 Byte [62] .text C:\Windows\system32\DllHost.exe[5392] GDI32.dll!DeleteDC 771D6EAA 6 Bytes JMP 7186001E .text C:\Windows\system32\DllHost.exe[5392] GDI32.dll!GetPixel 771DC3D5 6 Bytes JMP 7189001E .text C:\Windows\system32\DllHost.exe[5392] GDI32.dll!CreateDCA 771DCCA9 6 Bytes JMP 718F001E .text C:\Windows\system32\DllHost.exe[5392] GDI32.dll!CreateDCW 771DCF79 6 Bytes JMP 718C001E .text C:\Windows\system32\DllHost.exe[5392] USER32.dll!SetWindowsHookExW 767EE30C 6 Bytes JMP 7180001E .text C:\Windows\system32\DllHost.exe[5392] USER32.dll!SetWinEventHook 767F24DC 6 Bytes JMP 717D001E .text C:\Windows\system32\DllHost.exe[5392] USER32.dll!SetWindowsHookExA 76816D0C 6 Bytes JMP 7183001E .text C:\Windows\system32\DllHost.exe[5392] ADVAPI32.dll!CreateProcessAsUserA 76F72642 6 Bytes JMP 7198001E .text C:\Windows\system32\DllHost.exe[5392] ADVAPI32.dll!CreateProcessWithLogonW 76F75429 6 Bytes JMP 7195001E .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5584] ntdll.dll!NtAlpcSendWaitReceivePort 77265458 3 Bytes [FF, 25, 1E] .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5584] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7726545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5584] ntdll.dll!NtClose 77265508 3 Bytes [FF, 25, 1E] .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5584] ntdll.dll!NtClose + 4 7726550C 2 Bytes [AE, 71] .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5584] ntdll.dll!LdrUnloadDll 7727C8DE 6 Bytes JMP 71A7001E .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5584] KERNEL32.dll!CreateProcessW 7737204D 6 Bytes JMP 719E001E .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5584] KERNEL32.dll!CreateProcessA 77372082 6 Bytes JMP 719B001E .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5584] KERNEL32.dll!CreateProcessAsUserW 773A5ABF 6 Bytes JMP 7192001E .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5584] KERNEL32.dll!GetBinaryTypeW + 70 773D6AAC 1 Byte [62] .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5584] USER32.dll!SetWindowsHookExW 767EE30C 6 Bytes JMP 7180001E .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5584] USER32.dll!SetWinEventHook 767F24DC 6 Bytes JMP 717D001E .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5584] USER32.dll!SetWindowsHookExA 76816D0C 6 Bytes JMP 7183001E .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5584] GDI32.dll!DeleteDC 771D6EAA 6 Bytes JMP 7186001E .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5584] GDI32.dll!GetPixel 771DC3D5 6 Bytes JMP 7189001E .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5584] GDI32.dll!CreateDCA 771DCCA9 6 Bytes JMP 718F001E .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5584] GDI32.dll!CreateDCW 771DCF79 6 Bytes JMP 718C001E .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5584] ADVAPI32.dll!CreateProcessAsUserA 76F72642 6 Bytes JMP 7198001E .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5584] ADVAPI32.dll!CreateProcessWithLogonW 76F75429 6 Bytes JMP 7195001E .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[5620] ntdll.dll!NtAlpcSendWaitReceivePort 77265458 3 Bytes [FF, 25, 1E] .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[5620] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7726545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[5620] ntdll.dll!NtClose 77265508 3 Bytes [FF, 25, 1E] .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[5620] ntdll.dll!NtClose + 4 7726550C 2 Bytes [AE, 71] .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[5620] ntdll.dll!LdrUnloadDll 7727C8DE 6 Bytes JMP 71A7001E .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[5620] kernel32.dll!CreateProcessW 7737204D 6 Bytes JMP 719E001E .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[5620] kernel32.dll!CreateProcessA 77372082 6 Bytes JMP 719B001E .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[5620] kernel32.dll!CreateProcessAsUserW 773A5ABF 6 Bytes JMP 7192001E .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[5620] kernel32.dll!GetBinaryTypeW + 70 773D6AAC 1 Byte [62] .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[5620] ADVAPI32.dll!CreateProcessAsUserA 76F72642 6 Bytes JMP 7198001E .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[5620] ADVAPI32.dll!CreateProcessWithLogonW 76F75429 6 Bytes JMP 7195001E .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[5620] GDI32.dll!DeleteDC 771D6EAA 6 Bytes JMP 7186001E .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[5620] GDI32.dll!GetPixel 771DC3D5 6 Bytes JMP 7189001E .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[5620] GDI32.dll!CreateDCA 771DCCA9 6 Bytes JMP 718F001E .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[5620] GDI32.dll!CreateDCW 771DCF79 6 Bytes JMP 718C001E .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[5620] USER32.dll!SetWindowsHookExW 767EE30C 6 Bytes JMP 7180001E .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[5620] USER32.dll!SetWinEventHook 767F24DC 6 Bytes JMP 717D001E .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[5620] USER32.dll!SetWindowsHookExA 76816D0C 6 Bytes JMP 7183001E .text C:\Program Files\PC Connectivity Solution\ServiceLayer.exe[5832] ntdll.dll!NtAlpcSendWaitReceivePort 77265458 3 Bytes [FF, 25, 1E] .text C:\Program Files\PC Connectivity Solution\ServiceLayer.exe[5832] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7726545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\PC Connectivity Solution\ServiceLayer.exe[5832] ntdll.dll!NtClose 77265508 3 Bytes [FF, 25, 1E] .text C:\Program Files\PC Connectivity Solution\ServiceLayer.exe[5832] ntdll.dll!NtClose + 4 7726550C 2 Bytes [AE, 71] .text C:\Program Files\PC Connectivity Solution\ServiceLayer.exe[5832] ntdll.dll!LdrUnloadDll 7727C8DE 6 Bytes JMP 71A7001E .text C:\Program Files\PC Connectivity Solution\ServiceLayer.exe[5832] kernel32.dll!CreateProcessW 7737204D 6 Bytes JMP 719E001E .text C:\Program Files\PC Connectivity Solution\ServiceLayer.exe[5832] kernel32.dll!CreateProcessA 77372082 6 Bytes JMP 719B001E .text C:\Program Files\PC Connectivity Solution\ServiceLayer.exe[5832] kernel32.dll!CreateProcessAsUserW 773A5ABF 6 Bytes JMP 7192001E .text C:\Program Files\PC Connectivity Solution\ServiceLayer.exe[5832] kernel32.dll!GetBinaryTypeW + 70 773D6AAC 1 Byte [62] .text C:\Program Files\PC Connectivity Solution\ServiceLayer.exe[5832] ADVAPI32.dll!CreateProcessAsUserA 76F72642 6 Bytes JMP 7198001E .text C:\Program Files\PC Connectivity Solution\ServiceLayer.exe[5832] ADVAPI32.dll!CreateProcessWithLogonW 76F75429 6 Bytes JMP 7195001E .text C:\Program Files\PC Connectivity Solution\ServiceLayer.exe[5832] GDI32.dll!DeleteDC 771D6EAA 6 Bytes JMP 7186001E .text C:\Program Files\PC Connectivity Solution\ServiceLayer.exe[5832] GDI32.dll!GetPixel 771DC3D5 6 Bytes JMP 7189001E .text C:\Program Files\PC Connectivity Solution\ServiceLayer.exe[5832] GDI32.dll!CreateDCA 771DCCA9 6 Bytes JMP 718F001E .text C:\Program Files\PC Connectivity Solution\ServiceLayer.exe[5832] GDI32.dll!CreateDCW 771DCF79 6 Bytes JMP 718C001E .text C:\Program Files\PC Connectivity Solution\ServiceLayer.exe[5832] USER32.dll!SetWindowsHookExW 767EE30C 6 Bytes JMP 7180001E .text C:\Program Files\PC Connectivity Solution\ServiceLayer.exe[5832] USER32.dll!SetWinEventHook 767F24DC 6 Bytes JMP 717D001E .text C:\Program Files\PC Connectivity Solution\ServiceLayer.exe[5832] USER32.dll!SetWindowsHookExA 76816D0C 6 Bytes JMP 7183001E .text C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe[5952] ntdll.dll!NtAlpcSendWaitReceivePort 77265458 3 Bytes [FF, 25, 1E] .text C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe[5952] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7726545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe[5952] ntdll.dll!NtClose 77265508 3 Bytes [FF, 25, 1E] .text C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe[5952] ntdll.dll!NtClose + 4 7726550C 2 Bytes [AE, 71] .text C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe[5952] ntdll.dll!LdrUnloadDll 7727C8DE 6 Bytes JMP 71A7001E .text C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe[5952] kernel32.dll!CreateProcessW 7737204D 6 Bytes JMP 719E001E .text C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe[5952] kernel32.dll!CreateProcessA 77372082 6 Bytes JMP 719B001E .text C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe[5952] kernel32.dll!CreateProcessAsUserW 773A5ABF 6 Bytes JMP 7192001E .text C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe[5952] kernel32.dll!GetBinaryTypeW + 70 773D6AAC 1 Byte [62] .text C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe[5952] ADVAPI32.dll!CreateProcessAsUserA 76F72642 6 Bytes JMP 7198001E .text C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe[5952] ADVAPI32.dll!CreateProcessWithLogonW 76F75429 6 Bytes JMP 7195001E .text C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe[5952] GDI32.dll!DeleteDC 771D6EAA 6 Bytes JMP 7186001E .text C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe[5952] GDI32.dll!GetPixel 771DC3D5 6 Bytes JMP 7189001E .text C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe[5952] GDI32.dll!CreateDCA 771DCCA9 6 Bytes JMP 718F001E .text C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe[5952] GDI32.dll!CreateDCW 771DCF79 6 Bytes JMP 718C001E .text C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe[5952] USER32.dll!SetWindowsHookExW 767EE30C 6 Bytes JMP 7180001E .text C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe[5952] USER32.dll!SetWinEventHook 767F24DC 6 Bytes JMP 717D001E .text C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe[5952] USER32.dll!SetWindowsHookExA 76816D0C 6 Bytes JMP 7183001E .text C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[5980] ntdll.dll!NtAlpcSendWaitReceivePort 77265458 3 Bytes [FF, 25, 1E] .text C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[5980] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7726545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[5980] ntdll.dll!NtClose 77265508 3 Bytes [FF, 25, 1E] .text C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[5980] ntdll.dll!NtClose + 4 7726550C 2 Bytes [AE, 71] .text C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[5980] ntdll.dll!LdrUnloadDll 7727C8DE 6 Bytes JMP 71A7001E .text C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[5980] kernel32.dll!CreateProcessW 7737204D 6 Bytes JMP 719E001E .text C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[5980] kernel32.dll!CreateProcessA 77372082 6 Bytes JMP 719B001E .text C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[5980] kernel32.dll!CreateProcessAsUserW 773A5ABF 6 Bytes JMP 7192001E .text C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[5980] kernel32.dll!GetBinaryTypeW + 70 773D6AAC 1 Byte [62] .text C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[5980] GDI32.dll!DeleteDC 771D6EAA 6 Bytes JMP 7186001E .text C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[5980] GDI32.dll!GetPixel 771DC3D5 6 Bytes JMP 7189001E .text C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[5980] GDI32.dll!CreateDCA 771DCCA9 6 Bytes JMP 718F001E .text C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[5980] GDI32.dll!CreateDCW 771DCF79 6 Bytes JMP 718C001E .text C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[5980] USER32.dll!SetWindowsHookExW 767EE30C 6 Bytes JMP 7180001E .text C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[5980] USER32.dll!SetWinEventHook 767F24DC 6 Bytes JMP 717D001E .text C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[5980] USER32.dll!SetWindowsHookExA 76816D0C 6 Bytes JMP 7183001E .text C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[5980] ADVAPI32.dll!CreateProcessAsUserA 76F72642 6 Bytes JMP 7198001E .text C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[5980] ADVAPI32.dll!CreateProcessWithLogonW 76F75429 6 Bytes JMP 7195001E .text C:\Users\Admin\Desktop\enicjnm2.exe[6068] ntdll.dll!NtAlpcSendWaitReceivePort 77265458 3 Bytes [FF, 25, 1E] .text C:\Users\Admin\Desktop\enicjnm2.exe[6068] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7726545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Users\Admin\Desktop\enicjnm2.exe[6068] ntdll.dll!NtClose 77265508 3 Bytes [FF, 25, 1E] .text C:\Users\Admin\Desktop\enicjnm2.exe[6068] ntdll.dll!NtClose + 4 7726550C 2 Bytes [AE, 71] .text C:\Users\Admin\Desktop\enicjnm2.exe[6068] ntdll.dll!LdrUnloadDll 7727C8DE 6 Bytes JMP 71A8000A .text C:\Users\Admin\Desktop\enicjnm2.exe[6068] kernel32.dll!CreateProcessW 7737204D 6 Bytes JMP 719F000A .text C:\Users\Admin\Desktop\enicjnm2.exe[6068] kernel32.dll!CreateProcessA 77372082 6 Bytes JMP 719C000A .text C:\Users\Admin\Desktop\enicjnm2.exe[6068] kernel32.dll!CreateProcessAsUserW 773A5ABF 6 Bytes JMP 7193000A .text C:\Users\Admin\Desktop\enicjnm2.exe[6068] kernel32.dll!GetBinaryTypeW + 70 773D6AAC 1 Byte [62] .text C:\Users\Admin\Desktop\enicjnm2.exe[6068] USER32.dll!SetWindowsHookExW 767EE30C 6 Bytes JMP 7181000A .text C:\Users\Admin\Desktop\enicjnm2.exe[6068] USER32.dll!SetWinEventHook 767F24DC 6 Bytes JMP 717E000A .text C:\Users\Admin\Desktop\enicjnm2.exe[6068] USER32.dll!SetWindowsHookExA 76816D0C 6 Bytes JMP 7184000A .text C:\Users\Admin\Desktop\enicjnm2.exe[6068] GDI32.dll!DeleteDC 771D6EAA 6 Bytes JMP 7187000A .text C:\Users\Admin\Desktop\enicjnm2.exe[6068] GDI32.dll!GetPixel 771DC3D5 6 Bytes JMP 718A000A .text C:\Users\Admin\Desktop\enicjnm2.exe[6068] GDI32.dll!CreateDCA 771DCCA9 6 Bytes JMP 7190000A .text C:\Users\Admin\Desktop\enicjnm2.exe[6068] GDI32.dll!CreateDCW 771DCF79 6 Bytes JMP 718D000A .text C:\Users\Admin\Desktop\enicjnm2.exe[6068] ADVAPI32.dll!CreateProcessAsUserA 76F72642 6 Bytes JMP 7199000A .text C:\Users\Admin\Desktop\enicjnm2.exe[6068] ADVAPI32.dll!CreateProcessWithLogonW 76F75429 6 Bytes JMP 7196000A .text C:\Windows\System32\svchost.exe[6132] ntdll.dll!NtAlpcSendWaitReceivePort 77265458 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[6132] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7726545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\System32\svchost.exe[6132] ntdll.dll!NtClose 77265508 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[6132] ntdll.dll!NtClose + 4 7726550C 2 Bytes [AE, 71] .text C:\Windows\System32\svchost.exe[6132] ntdll.dll!LdrUnloadDll 7727C8DE 6 Bytes JMP 71A7001E .text C:\Windows\System32\svchost.exe[6132] kernel32.dll!CreateProcessW 7737204D 6 Bytes JMP 719E001E .text C:\Windows\System32\svchost.exe[6132] kernel32.dll!CreateProcessA 77372082 6 Bytes JMP 719B001E .text C:\Windows\System32\svchost.exe[6132] kernel32.dll!CreateProcessAsUserW 773A5ABF 6 Bytes JMP 7192001E .text C:\Windows\System32\svchost.exe[6132] kernel32.dll!GetBinaryTypeW + 70 773D6AAC 1 Byte [62] .text C:\Windows\System32\svchost.exe[6132] USER32.dll!SetWindowsHookExW 767EE30C 6 Bytes JMP 7180001E .text C:\Windows\System32\svchost.exe[6132] USER32.dll!SetWinEventHook 767F24DC 6 Bytes JMP 717D001E .text C:\Windows\System32\svchost.exe[6132] USER32.dll!SetWindowsHookExA 76816D0C 6 Bytes JMP 7183001E .text C:\Windows\System32\svchost.exe[6132] GDI32.dll!DeleteDC 771D6EAA 6 Bytes JMP 7186001E .text C:\Windows\System32\svchost.exe[6132] GDI32.dll!GetPixel 771DC3D5 6 Bytes JMP 7189001E .text C:\Windows\System32\svchost.exe[6132] GDI32.dll!CreateDCA 771DCCA9 6 Bytes JMP 718F001E .text C:\Windows\System32\svchost.exe[6132] GDI32.dll!CreateDCW 771DCF79 6 Bytes JMP 718C001E .text C:\Windows\System32\svchost.exe[6132] ADVAPI32.dll!CreateProcessAsUserA 76F72642 6 Bytes JMP 7198001E .text C:\Windows\System32\svchost.exe[6132] ADVAPI32.dll!CreateProcessWithLogonW 76F75429 6 Bytes JMP 7195001E ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0c6076dcebb6 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0c6076dcebb6@002668337cce 0xD9 0xC4 0x36 0x5C ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0c6076dcebb6@001237636253 0x3A 0x93 0xCE 0x6C ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0c6076dcebb6@60d0a9532b51 0x48 0xC9 0xC2 0xC6 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0c6076dcebb6@10f9ee32238e 0xB3 0x53 0xC4 0x6C ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0c6076dcebb6@d0dfc7572b86 0xE9 0x80 0xE0 0xE6 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0c6076dcebb6@905f2e9f4dfb 0xD0 0xED 0xCF 0x96 ... Reg HKLM\SYSTEM\CurrentControlSet\services\cmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\cmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\cmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch@Epoch 51145 Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch2@Epoch 24746 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xD8 0x53 0xEC 0xF9 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0c6076dcebb6 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0c6076dcebb6@002668337cce 0xD9 0xC4 0x36 0x5C ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0c6076dcebb6@001237636253 0x3A 0x93 0xCE 0x6C ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0c6076dcebb6@60d0a9532b51 0x48 0xC9 0xC2 0xC6 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0c6076dcebb6@10f9ee32238e 0xB3 0x53 0xC4 0x6C ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0c6076dcebb6@d0dfc7572b86 0xE9 0x80 0xE0 0xE6 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0c6076dcebb6@905f2e9f4dfb 0xD0 0xED 0xCF 0x96 ... Reg HKLM\SYSTEM\ControlSet002\services\cmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\cmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\cmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xD8 0x53 0xEC 0xF9 ... Reg HKLM\SYSTEM\Software\COMODO\Cam@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Firewall Pro@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... ---- Files - GMER 2.1 ---- File C:\System Volume Information\LightningSand.CFD 57736 bytes File C:\System Volume Information\MountPointManagerRemoteDatabase 0 bytes File C:\System Volume Information\SPP 0 bytes File C:\System Volume Information\SPP\OnlineMetadataCache 0 bytes File C:\System Volume Information\SPP\OnlineMetadataCache\{41f3bb7a-c89a-4c76-a7ef-1ffb759f7b3a}_OnDiskSnapshotProp 19840 bytes File C:\System Volume Information\SPP\SppCbsHiveStore 0 bytes File C:\System Volume Information\SPP\SppGroupCache 0 bytes File C:\System Volume Information\Syscache.hve 31981568 bytes File C:\System Volume Information\Syscache.hve.LOG1 262144 bytes File C:\System Volume Information\Syscache.hve.LOG2 0 bytes File C:\System Volume Information\Windows Backup 0 bytes File C:\System Volume Information\Windows Backup\Catalogs 0 bytes File C:\System Volume Information\Windows Backup\Catalogs\GlobalCatalog.wbcat 6391604 bytes File C:\System Volume Information\Windows Backup\Catalogs\GlobalCatalogCopy.wbcat 6391212 bytes File C:\System Volume Information\Windows Backup\Catalogs\GlobalCatalogLock.dat 0 bytes File C:\System Volume Information\Windows Backup\Staging 0 bytes File C:\System Volume Information\Windows Backup\TEMPHIVE 0 bytes File C:\System Volume Information\WindowsImageBackup 0 bytes File C:\System Volume Information\WindowsImageBackup\SPPMetadataCache 0 bytes File C:\System Volume Information\tracking.log 71680 bytes File C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl 72 bytes File C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl 72 bytes File C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl 72 bytes File C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl 72 bytes File C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession7.etl 0 bytes File C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTUBPM.etl 72 bytes ---- EOF - GMER 2.1 ----