GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-05-26 15:27:24 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2 SAMSUNG_HM251JJ rev.2AA00_00 232,89GB Running: lg5sgzrb.exe; Driver: C:\Users\Demo\AppData\Local\Temp\kwldipoc.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwAdjustPrivilegesToken [0x89F3D9FE] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwAlpcConnectPort [0x89F3DBF2] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwConnectPort [0x89F3CCAE] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreateFile [0x89F3D62C] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreateSection [0x89F3D3BE] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreateSymbolicLinkObject [0x89F3E7B2] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreateThread [0x89F3C658] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreateThreadEx [0x89F3DE3C] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwLoadDriver [0x89F3E1B8] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwMakeTemporaryObject [0x89F3CF92] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwOpenFile [0x89F3D824] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwOpenSection [0x89F3D246] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwSetSystemInformation [0x89F3E4B8] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwShutdownSystem [0x89F3CEFC] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwSystemDebugControl [0x89F3D132] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwTerminateProcess [0x89F3CA8E] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwTerminateThread [0x89F3C85C] ---- Kernel code sections - GMER 2.1 ---- .text ntoskrnl.exe!ZwRollbackEnlistment + 1409 830839A5 1 Byte [06] .text ntoskrnl.exe!KiDispatchInterrupt + 5A2 830A3512 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntoskrnl.exe!KeRemoveQueueEx + 139F 830AA994 4 Bytes [FE, D9, F3, 89] .text ntoskrnl.exe!KeRemoveQueueEx + 13C7 830AA9BC 4 Bytes [F2, DB, F3, 89] .text ntoskrnl.exe!KeRemoveQueueEx + 145B 830AAA50 4 Bytes [AE, CC, F3, 89] .text ntoskrnl.exe!KeRemoveQueueEx + 1477 830AAA6C 4 Bytes [2C, D6, F3, 89] .text ntoskrnl.exe!KeRemoveQueueEx + 14BF 830AAAB4 4 Bytes [BE, D3, F3, 89] .text ... .sptd1 C:\Windows\System32\Drivers\sptd.sys entry point in ".sptd1" section [0x896E4774] ---- User code sections - GMER 2.1 ---- .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[108] ntdll.dll!NtAlpcSendWaitReceivePort 76FE5458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[108] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76FE545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[108] ntdll.dll!NtClose 76FE5508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[108] ntdll.dll!NtClose + 4 76FE550C 2 Bytes [AE, 71] .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[108] ntdll.dll!LdrUnloadDll 76FFC8DE 6 Bytes JMP 71A8000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[108] kernel32.dll!CreateProcessW 7687204D 6 Bytes JMP 719F000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[108] kernel32.dll!CreateProcessA 76872082 6 Bytes JMP 719C000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[108] kernel32.dll!CreateProcessAsUserW 768A5ABF 6 Bytes JMP 7193000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[108] USER32.dll!SetWindowsHookExW 76AE210A 6 Bytes JMP 7181000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[108] USER32.dll!SetWinEventHook 76AE507E 6 Bytes JMP 717E000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[108] USER32.dll!SetWindowsHookExA 76B06DFA 6 Bytes JMP 7184000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[108] GDI32.dll!DeleteDC 76826EAA 6 Bytes JMP 7187000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[108] GDI32.dll!GetPixel 7682C3D5 6 Bytes JMP 718A000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[108] GDI32.dll!CreateDCA 7682CCA9 6 Bytes JMP 7190000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[108] GDI32.dll!CreateDCW 7682CF79 6 Bytes JMP 718D000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[108] ADVAPI32.dll!CreateProcessAsUserA 76F42642 6 Bytes JMP 7199000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[108] ADVAPI32.dll!CreateProcessWithLogonW 76F45429 6 Bytes JMP 7196000A .text C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE[364] ntdll.dll!NtAlpcSendWaitReceivePort 76FE5458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE[364] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76FE545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE[364] ntdll.dll!NtClose 76FE5508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE[364] ntdll.dll!NtClose + 4 76FE550C 2 Bytes [AE, 71] .text C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE[364] ntdll.dll!LdrUnloadDll 76FFC8DE 6 Bytes JMP 71A8000A .text C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE[364] kernel32.dll!CreateProcessW 7687204D 6 Bytes JMP 719F000A .text C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE[364] kernel32.dll!CreateProcessA 76872082 6 Bytes JMP 719C000A .text C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE[364] kernel32.dll!CreateProcessAsUserW 768A5ABF 6 Bytes JMP 7193000A .text C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE[364] GDI32.dll!DeleteDC 76826EAA 6 Bytes JMP 7187000A .text C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE[364] GDI32.dll!GetPixel 7682C3D5 6 Bytes JMP 718A000A .text C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE[364] GDI32.dll!CreateDCA 7682CCA9 6 Bytes JMP 7190000A .text C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE[364] GDI32.dll!CreateDCW 7682CF79 6 Bytes JMP 718D000A .text C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE[364] USER32.dll!SetWindowsHookExW 76AE210A 6 Bytes JMP 7181000A .text C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE[364] USER32.dll!SetWinEventHook 76AE507E 6 Bytes JMP 717E000A .text C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE[364] USER32.dll!SetWindowsHookExA 76B06DFA 6 Bytes JMP 7184000A .text C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE[364] ADVAPI32.dll!CreateProcessAsUserA 76F42642 6 Bytes JMP 7199000A .text C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE[364] ADVAPI32.dll!CreateProcessWithLogonW 76F45429 6 Bytes JMP 7196000A .text C:\Windows\system32\HPSIsvc.exe[412] ntdll.dll!NtAlpcSendWaitReceivePort 76FE5458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\HPSIsvc.exe[412] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76FE545C 2 Bytes [77, 71] {JA 0x73} .text C:\Windows\system32\HPSIsvc.exe[412] ntdll.dll!NtClose 76FE5508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\HPSIsvc.exe[412] ntdll.dll!NtClose + 4 76FE550C 2 Bytes [AE, 71] .text C:\Windows\system32\HPSIsvc.exe[412] ntdll.dll!LdrUnloadDll 76FFC8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\HPSIsvc.exe[412] kernel32.dll!CreateProcessW 7687204D 6 Bytes JMP 719F000A .text C:\Windows\system32\HPSIsvc.exe[412] kernel32.dll!CreateProcessA 76872082 6 Bytes JMP 719C000A .text C:\Windows\system32\HPSIsvc.exe[412] kernel32.dll!CreateProcessAsUserW 768A5ABF 6 Bytes JMP 7193000A .text C:\Windows\system32\HPSIsvc.exe[412] ADVAPI32.dll!CreateProcessAsUserA 76F42642 6 Bytes JMP 7199000A .text C:\Windows\system32\HPSIsvc.exe[412] ADVAPI32.dll!CreateProcessWithLogonW 76F45429 6 Bytes JMP 7196000A .text C:\Windows\system32\HPSIsvc.exe[412] GDI32.dll!DeleteDC 76826EAA 6 Bytes JMP 7187000A .text C:\Windows\system32\HPSIsvc.exe[412] GDI32.dll!GetPixel 7682C3D5 6 Bytes JMP 718A000A .text C:\Windows\system32\HPSIsvc.exe[412] GDI32.dll!CreateDCA 7682CCA9 6 Bytes JMP 7190000A .text C:\Windows\system32\HPSIsvc.exe[412] GDI32.dll!CreateDCW 7682CF79 6 Bytes JMP 718D000A .text C:\Windows\system32\HPSIsvc.exe[412] USER32.dll!SetWindowsHookExW 76AE210A 6 Bytes JMP 717E000A .text C:\Windows\system32\HPSIsvc.exe[412] USER32.dll!SetWinEventHook 76AE507E 6 Bytes JMP 717B000A .text C:\Windows\system32\HPSIsvc.exe[412] USER32.dll!SetWindowsHookExA 76B06DFA 6 Bytes JMP 7181000A .text C:\Windows\system32\csrss.exe[480] ntdll.dll!NtAlpcSendWaitReceivePort 76FE5458 5 Bytes JMP 75012270 C:\Windows\system32\cmdcsr.dll .text C:\Windows\system32\csrss.exe[480] ntdll.dll!NtReplyWaitReceivePort 76FE6458 5 Bytes JMP 75011970 C:\Windows\system32\cmdcsr.dll .text C:\Windows\system32\csrss.exe[480] ntdll.dll!NtReplyWaitReceivePortEx 76FE6468 5 Bytes JMP 75011DF0 C:\Windows\system32\cmdcsr.dll .text C:\Windows\system32\csrss.exe[556] ntdll.dll!NtAlpcSendWaitReceivePort 76FE5458 5 Bytes JMP 75012270 C:\Windows\system32\cmdcsr.dll .text C:\Windows\system32\csrss.exe[556] ntdll.dll!NtReplyWaitReceivePort 76FE6458 5 Bytes JMP 75011970 C:\Windows\system32\cmdcsr.dll .text C:\Windows\system32\csrss.exe[556] ntdll.dll!NtReplyWaitReceivePortEx 76FE6468 5 Bytes JMP 75011DF0 C:\Windows\system32\cmdcsr.dll .text C:\Windows\system32\services.exe[608] services.exe 00461608 4 Bytes [40, 5A, 01, 10] {INC EAX; POP EDX; ADD [EAX], EDX} .text C:\Windows\system32\services.exe[608] services.exe 00461618 4 Bytes [20, 5E, 01, 10] .text C:\Windows\system32\services.exe[608] services.exe 00461638 4 Bytes [A0, 57, 01, 10] .text C:\Windows\system32\services.exe[608] services.exe 00461648 4 Bytes [40, 5C, 01, 10] {INC EAX; POP ESP; ADD [EAX], EDX} .text C:\Windows\system32\services.exe[608] ntdll.dll!NtAlpcSendWaitReceivePort 76FE5458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\services.exe[608] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76FE545C 2 Bytes [74, 71] {JZ 0x73} .text C:\Windows\system32\services.exe[608] ntdll.dll!NtClose 76FE5508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\services.exe[608] ntdll.dll!NtClose + 4 76FE550C 2 Bytes [AE, 71] .text C:\Windows\system32\services.exe[608] ntdll.dll!LdrUnloadDll 76FFC8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\services.exe[608] kernel32.dll!CreateProcessW 7687204D 6 Bytes JMP 719F000A .text C:\Windows\system32\services.exe[608] kernel32.dll!CreateProcessA 76872082 6 Bytes JMP 719C000A .text C:\Windows\system32\services.exe[608] kernel32.dll!CreateProcessAsUserW 768A5ABF 6 Bytes JMP 7193000A .text C:\Windows\system32\services.exe[608] RPCRT4.dll!RpcServerRegisterIfEx 763208A4 6 Bytes JMP 7190000A .text C:\Windows\system32\services.exe[608] USER32.dll!SetWindowsHookExW 76AE210A 6 Bytes JMP 717B000A .text C:\Windows\system32\services.exe[608] USER32.dll!SetWinEventHook 76AE507E 6 Bytes JMP 7178000A .text C:\Windows\system32\services.exe[608] USER32.dll!SetWindowsHookExA 76B06DFA 6 Bytes JMP 717E000A .text C:\Windows\system32\services.exe[608] GDI32.dll!DeleteDC 76826EAA 6 Bytes JMP 7184000A .text C:\Windows\system32\services.exe[608] GDI32.dll!GetPixel 7682C3D5 6 Bytes JMP 7187000A .text C:\Windows\system32\services.exe[608] GDI32.dll!CreateDCA 7682CCA9 6 Bytes JMP 718D000A .text C:\Windows\system32\services.exe[608] GDI32.dll!CreateDCW 7682CF79 6 Bytes JMP 718A000A .text C:\Windows\system32\services.exe[608] ADVAPI32.dll!CreateProcessAsUserA 76F42642 6 Bytes JMP 7199000A .text C:\Windows\system32\services.exe[608] ADVAPI32.dll!CreateProcessWithLogonW 76F45429 6 Bytes JMP 7196000A .text C:\Windows\system32\lsass.exe[624] ntdll.dll!NtAlpcSendWaitReceivePort 76FE5458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsass.exe[624] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76FE545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\lsass.exe[624] ntdll.dll!NtClose 76FE5508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsass.exe[624] ntdll.dll!NtClose + 4 76FE550C 2 Bytes [AE, 71] .text C:\Windows\system32\lsass.exe[624] ntdll.dll!LdrUnloadDll 76FFC8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\lsass.exe[624] kernel32.dll!CreateProcessW 7687204D 6 Bytes JMP 719F000A .text C:\Windows\system32\lsass.exe[624] kernel32.dll!CreateProcessA 76872082 6 Bytes JMP 719C000A .text C:\Windows\system32\lsass.exe[624] kernel32.dll!CreateProcessAsUserW 768A5ABF 6 Bytes JMP 7193000A .text C:\Windows\system32\lsass.exe[624] USER32.dll!SetWindowsHookExW 76AE210A 6 Bytes JMP 7181000A .text C:\Windows\system32\lsass.exe[624] USER32.dll!SetWinEventHook 76AE507E 6 Bytes JMP 717E000A .text C:\Windows\system32\lsass.exe[624] USER32.dll!SetWindowsHookExA 76B06DFA 6 Bytes JMP 7184000A .text C:\Windows\system32\lsass.exe[624] GDI32.dll!DeleteDC 76826EAA 6 Bytes JMP 7187000A .text C:\Windows\system32\lsass.exe[624] GDI32.dll!GetPixel 7682C3D5 6 Bytes JMP 718A000A .text C:\Windows\system32\lsass.exe[624] GDI32.dll!CreateDCA 7682CCA9 6 Bytes JMP 7190000A .text C:\Windows\system32\lsass.exe[624] GDI32.dll!CreateDCW 7682CF79 6 Bytes JMP 718D000A .text C:\Windows\system32\lsass.exe[624] ADVAPI32.dll!CreateProcessAsUserA 76F42642 6 Bytes JMP 7199000A .text C:\Windows\system32\lsass.exe[624] ADVAPI32.dll!CreateProcessWithLogonW 76F45429 6 Bytes JMP 7196000A .text C:\Windows\system32\lsm.exe[632] ntdll.dll!NtAlpcSendWaitReceivePort 76FE5458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsm.exe[632] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76FE545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\lsm.exe[632] ntdll.dll!NtClose 76FE5508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsm.exe[632] ntdll.dll!NtClose + 4 76FE550C 2 Bytes [AE, 71] .text C:\Windows\system32\lsm.exe[632] ntdll.dll!LdrUnloadDll 76FFC8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\lsm.exe[632] kernel32.dll!CreateProcessW 7687204D 6 Bytes JMP 719F000A .text C:\Windows\system32\lsm.exe[632] kernel32.dll!CreateProcessA 76872082 6 Bytes JMP 719C000A .text C:\Windows\system32\lsm.exe[632] kernel32.dll!CreateProcessAsUserW 768A5ABF 6 Bytes JMP 7193000A .text C:\Windows\system32\lsm.exe[632] USER32.dll!SetWindowsHookExW 76AE210A 6 Bytes JMP 7181000A .text C:\Windows\system32\lsm.exe[632] USER32.dll!SetWinEventHook 76AE507E 6 Bytes JMP 717E000A .text C:\Windows\system32\lsm.exe[632] USER32.dll!SetWindowsHookExA 76B06DFA 6 Bytes JMP 7184000A .text C:\Windows\system32\lsm.exe[632] GDI32.dll!DeleteDC 76826EAA 6 Bytes JMP 7187000A .text C:\Windows\system32\lsm.exe[632] GDI32.dll!GetPixel 7682C3D5 6 Bytes JMP 718A000A .text C:\Windows\system32\lsm.exe[632] GDI32.dll!CreateDCA 7682CCA9 6 Bytes JMP 7190000A .text C:\Windows\system32\lsm.exe[632] GDI32.dll!CreateDCW 7682CF79 6 Bytes JMP 718D000A .text C:\Windows\system32\lsm.exe[632] ADVAPI32.dll!CreateProcessAsUserA 76F42642 6 Bytes JMP 7199000A .text C:\Windows\system32\lsm.exe[632] ADVAPI32.dll!CreateProcessWithLogonW 76F45429 6 Bytes JMP 7196000A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[752] ntdll.dll!NtAlpcSendWaitReceivePort 76FE5458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[752] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76FE545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[752] ntdll.dll!NtClose 76FE5508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[752] ntdll.dll!NtClose + 4 76FE550C 2 Bytes [AE, 71] .text C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[752] ntdll.dll!LdrUnloadDll 76FFC8DE 6 Bytes JMP 71A8000A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[752] kernel32.dll!CreateProcessW 7687204D 6 Bytes JMP 719F000A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[752] kernel32.dll!CreateProcessA 76872082 6 Bytes JMP 719C000A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[752] kernel32.dll!CreateProcessAsUserW 768A5ABF 6 Bytes JMP 7193000A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[752] GDI32.dll!DeleteDC 76826EAA 6 Bytes JMP 7187000A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[752] GDI32.dll!GetPixel 7682C3D5 6 Bytes JMP 718A000A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[752] GDI32.dll!CreateDCA 7682CCA9 6 Bytes JMP 7190000A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[752] GDI32.dll!CreateDCW 7682CF79 6 Bytes JMP 718D000A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[752] USER32.dll!SetWindowsHookExW 76AE210A 6 Bytes JMP 7181000A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[752] USER32.dll!SetWinEventHook 76AE507E 6 Bytes JMP 717E000A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[752] USER32.dll!SetWindowsHookExA 76B06DFA 6 Bytes JMP 7184000A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[752] ADVAPI32.dll!CreateProcessAsUserA 76F42642 6 Bytes JMP 7199000A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[752] ADVAPI32.dll!CreateProcessWithLogonW 76F45429 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[792] ntdll.dll!NtAlpcSendWaitReceivePort 76FE5458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[792] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76FE545C 2 Bytes [77, 71] {JA 0x73} .text C:\Windows\system32\svchost.exe[792] ntdll.dll!NtClose 76FE5508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[792] ntdll.dll!NtClose + 4 76FE550C 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[792] ntdll.dll!LdrUnloadDll 76FFC8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[792] kernel32.dll!CreateProcessW 7687204D 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[792] kernel32.dll!CreateProcessA 76872082 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[792] kernel32.dll!CreateProcessAsUserW 768A5ABF 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[792] RPCRT4.dll!RpcServerRegisterIfEx 763208A4 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[792] USER32.dll!SetWindowsHookExW 76AE210A 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[792] USER32.dll!SetWinEventHook 76AE507E 6 Bytes JMP 717B000A .text C:\Windows\system32\svchost.exe[792] USER32.dll!SetWindowsHookExA 76B06DFA 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[792] GDI32.dll!DeleteDC 76826EAA 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[792] GDI32.dll!GetPixel 7682C3D5 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[792] GDI32.dll!CreateDCA 7682CCA9 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[792] GDI32.dll!CreateDCW 7682CF79 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[792] ADVAPI32.dll!CreateProcessAsUserA 76F42642 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[792] ADVAPI32.dll!CreateProcessWithLogonW 76F45429 6 Bytes JMP 7196000A .text C:\Windows\system32\nvvsvc.exe[852] ntdll.dll!NtAlpcSendWaitReceivePort 76FE5458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\nvvsvc.exe[852] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76FE545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\nvvsvc.exe[852] ntdll.dll!NtClose 76FE5508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\nvvsvc.exe[852] ntdll.dll!NtClose + 4 76FE550C 2 Bytes [AE, 71] .text C:\Windows\system32\nvvsvc.exe[852] ntdll.dll!LdrUnloadDll 76FFC8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\nvvsvc.exe[852] kernel32.dll!CreateProcessW 7687204D 6 Bytes JMP 719F000A .text C:\Windows\system32\nvvsvc.exe[852] kernel32.dll!CreateProcessA 76872082 6 Bytes JMP 719C000A .text C:\Windows\system32\nvvsvc.exe[852] kernel32.dll!CreateProcessAsUserW 768A5ABF 6 Bytes JMP 7193000A .text C:\Windows\system32\nvvsvc.exe[852] GDI32.dll!DeleteDC 76826EAA 6 Bytes JMP 7187000A .text C:\Windows\system32\nvvsvc.exe[852] GDI32.dll!GetPixel 7682C3D5 6 Bytes JMP 718A000A .text C:\Windows\system32\nvvsvc.exe[852] GDI32.dll!CreateDCA 7682CCA9 6 Bytes JMP 7190000A .text C:\Windows\system32\nvvsvc.exe[852] GDI32.dll!CreateDCW 7682CF79 6 Bytes JMP 718D000A .text C:\Windows\system32\nvvsvc.exe[852] USER32.dll!SetWindowsHookExW 76AE210A 6 Bytes JMP 7181000A .text C:\Windows\system32\nvvsvc.exe[852] USER32.dll!SetWinEventHook 76AE507E 6 Bytes JMP 717E000A .text C:\Windows\system32\nvvsvc.exe[852] USER32.dll!SetWindowsHookExA 76B06DFA 6 Bytes JMP 7184000A .text C:\Windows\system32\nvvsvc.exe[852] ADVAPI32.dll!CreateProcessAsUserA 76F42642 6 Bytes JMP 7199000A .text C:\Windows\system32\nvvsvc.exe[852] ADVAPI32.dll!CreateProcessWithLogonW 76F45429 6 Bytes JMP 7196000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[876] ntdll.dll!NtAlpcSendWaitReceivePort 76FE5458 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[876] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76FE545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[876] ntdll.dll!NtClose 76FE5508 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[876] ntdll.dll!NtClose + 4 76FE550C 2 Bytes [AE, 71] .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[876] ntdll.dll!LdrUnloadDll 76FFC8DE 6 Bytes JMP 71A8000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[876] kernel32.dll!CreateProcessW 7687204D 6 Bytes JMP 719F000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[876] kernel32.dll!CreateProcessA 76872082 6 Bytes JMP 719C000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[876] kernel32.dll!CreateProcessAsUserW 768A5ABF 6 Bytes JMP 7193000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[876] ADVAPI32.dll!CreateProcessAsUserA 76F42642 6 Bytes JMP 7199000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[876] ADVAPI32.dll!CreateProcessWithLogonW 76F45429 6 Bytes JMP 7196000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[876] GDI32.dll!DeleteDC 76826EAA 6 Bytes JMP 7187000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[876] GDI32.dll!GetPixel 7682C3D5 6 Bytes JMP 718A000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[876] GDI32.dll!CreateDCA 7682CCA9 6 Bytes JMP 7190000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[876] GDI32.dll!CreateDCW 7682CF79 6 Bytes JMP 718D000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[876] USER32.dll!SetWindowsHookExW 76AE210A 6 Bytes JMP 7181000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[876] USER32.dll!SetWinEventHook 76AE507E 6 Bytes JMP 717E000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[876] USER32.dll!SetWindowsHookExA 76B06DFA 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[920] ntdll.dll!NtAlpcSendWaitReceivePort 76FE5458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[920] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76FE545C 2 Bytes [77, 71] {JA 0x73} .text C:\Windows\system32\svchost.exe[920] ntdll.dll!NtClose 76FE5508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[920] ntdll.dll!NtClose + 4 76FE550C 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[920] ntdll.dll!LdrUnloadDll 76FFC8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[920] kernel32.dll!CreateProcessW 7687204D 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[920] kernel32.dll!CreateProcessA 76872082 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[920] kernel32.dll!CreateProcessAsUserW 768A5ABF 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[920] RPCRT4.dll!RpcServerRegisterIfEx 763208A4 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[920] USER32.dll!SetWindowsHookExW 76AE210A 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[920] USER32.dll!SetWinEventHook 76AE507E 6 Bytes JMP 717B000A .text C:\Windows\system32\svchost.exe[920] USER32.dll!SetWindowsHookExA 76B06DFA 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[920] GDI32.dll!DeleteDC 76826EAA 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[920] GDI32.dll!GetPixel 7682C3D5 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[920] GDI32.dll!CreateDCA 7682CCA9 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[920] GDI32.dll!CreateDCW 7682CF79 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[920] ADVAPI32.dll!CreateProcessAsUserA 76F42642 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[920] ADVAPI32.dll!CreateProcessWithLogonW 76F45429 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[920] rpcss.dll!CoGetComCatalog 744935EC 8 Bytes [80, 4F, 01, 10, 40, 4D, 01, ...] {OR BYTE [EDI+0x1], 0x10; INC EAX; DEC EBP; ADD [EAX], EDX} .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[976] ntdll.dll!NtAllocateVirtualMemory 76FE5318 5 Bytes JMP 01383760 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[976] ntdll.dll!NtCreateFile 76FE5608 5 Bytes JMP 013CD090 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe .text C:\Program Files\Internet Download Manager\IEMonitor.exe[1032] ntdll.dll!NtAlpcSendWaitReceivePort 76FE5458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Internet Download Manager\IEMonitor.exe[1032] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76FE545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Internet Download Manager\IEMonitor.exe[1032] ntdll.dll!NtClose 76FE5508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Internet Download Manager\IEMonitor.exe[1032] ntdll.dll!NtClose + 4 76FE550C 2 Bytes [AE, 71] .text C:\Program Files\Internet Download Manager\IEMonitor.exe[1032] ntdll.dll!LdrUnloadDll 76FFC8DE 6 Bytes JMP 71A8000A .text C:\Program Files\Internet Download Manager\IEMonitor.exe[1032] kernel32.dll!CreateProcessW 7687204D 6 Bytes JMP 719F000A .text C:\Program Files\Internet Download Manager\IEMonitor.exe[1032] kernel32.dll!CreateProcessA 76872082 6 Bytes JMP 719C000A .text C:\Program Files\Internet Download Manager\IEMonitor.exe[1032] kernel32.dll!CreateProcessAsUserW 768A5ABF 6 Bytes JMP 7193000A .text C:\Program Files\Internet Download Manager\IEMonitor.exe[1032] USER32.dll!SetWindowsHookExW 76AE210A 6 Bytes JMP 7181000A .text C:\Program Files\Internet Download Manager\IEMonitor.exe[1032] USER32.dll!SetWinEventHook 76AE507E 6 Bytes JMP 717E000A .text C:\Program Files\Internet Download Manager\IEMonitor.exe[1032] USER32.dll!SetWindowsHookExA 76B06DFA 6 Bytes JMP 7184000A .text C:\Program Files\Internet Download Manager\IEMonitor.exe[1032] GDI32.dll!DeleteDC 76826EAA 6 Bytes JMP 7187000A .text C:\Program Files\Internet Download Manager\IEMonitor.exe[1032] GDI32.dll!GetPixel 7682C3D5 6 Bytes JMP 718A000A .text C:\Program Files\Internet Download Manager\IEMonitor.exe[1032] GDI32.dll!CreateDCA 7682CCA9 6 Bytes JMP 7190000A .text C:\Program Files\Internet Download Manager\IEMonitor.exe[1032] GDI32.dll!CreateDCW 7682CF79 6 Bytes JMP 718D000A .text C:\Program Files\Internet Download Manager\IEMonitor.exe[1032] ADVAPI32.dll!CreateProcessAsUserA 76F42642 6 Bytes JMP 7199000A .text C:\Program Files\Internet Download Manager\IEMonitor.exe[1032] ADVAPI32.dll!CreateProcessWithLogonW 76F45429 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[1056] ntdll.dll!NtAlpcSendWaitReceivePort 76FE5458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1056] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76FE545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\svchost.exe[1056] ntdll.dll!NtClose 76FE5508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1056] ntdll.dll!NtClose + 4 76FE550C 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[1056] ntdll.dll!LdrUnloadDll 76FFC8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[1056] kernel32.dll!CreateProcessW 7687204D 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[1056] kernel32.dll!CreateProcessA 76872082 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[1056] kernel32.dll!CreateProcessAsUserW 768A5ABF 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[1056] USER32.dll!SetWindowsHookExW 76AE210A 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[1056] USER32.dll!SetWinEventHook 76AE507E 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[1056] USER32.dll!SetWindowsHookExA 76B06DFA 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[1056] GDI32.dll!DeleteDC 76826EAA 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[1056] GDI32.dll!GetPixel 7682C3D5 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[1056] GDI32.dll!CreateDCA 7682CCA9 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[1056] GDI32.dll!CreateDCW 7682CF79 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[1056] ADVAPI32.dll!CreateProcessAsUserA 76F42642 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[1056] ADVAPI32.dll!CreateProcessWithLogonW 76F45429 6 Bytes JMP 7196000A .text C:\Windows\System32\svchost.exe[1092] ntdll.dll!NtAlpcSendWaitReceivePort 76FE5458 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1092] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76FE545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\System32\svchost.exe[1092] ntdll.dll!NtClose 76FE5508 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1092] ntdll.dll!NtClose + 4 76FE550C 2 Bytes [AE, 71] .text C:\Windows\System32\svchost.exe[1092] ntdll.dll!LdrUnloadDll 76FFC8DE 6 Bytes JMP 71A8000A .text C:\Windows\System32\svchost.exe[1092] kernel32.dll!CreateProcessW 7687204D 6 Bytes JMP 719F000A .text C:\Windows\System32\svchost.exe[1092] kernel32.dll!CreateProcessA 76872082 6 Bytes JMP 719C000A .text C:\Windows\System32\svchost.exe[1092] kernel32.dll!CreateProcessAsUserW 768A5ABF 6 Bytes JMP 7193000A .text C:\Windows\System32\svchost.exe[1092] USER32.dll!SetWindowsHookExW 76AE210A 6 Bytes JMP 7181000A .text C:\Windows\System32\svchost.exe[1092] USER32.dll!SetWinEventHook 76AE507E 6 Bytes JMP 717E000A .text C:\Windows\System32\svchost.exe[1092] USER32.dll!SetWindowsHookExA 76B06DFA 6 Bytes JMP 7184000A .text C:\Windows\System32\svchost.exe[1092] GDI32.dll!DeleteDC 76826EAA 6 Bytes JMP 7187000A .text C:\Windows\System32\svchost.exe[1092] GDI32.dll!GetPixel 7682C3D5 6 Bytes JMP 718A000A .text C:\Windows\System32\svchost.exe[1092] GDI32.dll!CreateDCA 7682CCA9 6 Bytes JMP 7190000A .text C:\Windows\System32\svchost.exe[1092] GDI32.dll!CreateDCW 7682CF79 6 Bytes JMP 718D000A .text C:\Windows\System32\svchost.exe[1092] ADVAPI32.dll!CreateProcessAsUserA 76F42642 6 Bytes JMP 7199000A .text C:\Windows\System32\svchost.exe[1092] ADVAPI32.dll!CreateProcessWithLogonW 76F45429 6 Bytes JMP 7196000A .text C:\Windows\System32\svchost.exe[1132] ntdll.dll!NtAlpcSendWaitReceivePort 76FE5458 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1132] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76FE545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\System32\svchost.exe[1132] ntdll.dll!NtClose 76FE5508 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1132] ntdll.dll!NtClose + 4 76FE550C 2 Bytes [AE, 71] .text C:\Windows\System32\svchost.exe[1132] ntdll.dll!LdrUnloadDll 76FFC8DE 6 Bytes JMP 71A8000A .text C:\Windows\System32\svchost.exe[1132] kernel32.dll!CreateProcessW 7687204D 6 Bytes JMP 719F000A .text C:\Windows\System32\svchost.exe[1132] kernel32.dll!CreateProcessA 76872082 6 Bytes JMP 719C000A .text C:\Windows\System32\svchost.exe[1132] kernel32.dll!CreateProcessAsUserW 768A5ABF 6 Bytes JMP 7193000A .text C:\Windows\System32\svchost.exe[1132] USER32.dll!SetWindowsHookExW 76AE210A 6 Bytes JMP 7181000A .text C:\Windows\System32\svchost.exe[1132] USER32.dll!SetWinEventHook 76AE507E 6 Bytes JMP 717E000A .text C:\Windows\System32\svchost.exe[1132] USER32.dll!SetWindowsHookExA 76B06DFA 6 Bytes JMP 7184000A .text C:\Windows\System32\svchost.exe[1132] GDI32.dll!DeleteDC 76826EAA 6 Bytes JMP 7187000A .text C:\Windows\System32\svchost.exe[1132] GDI32.dll!GetPixel 7682C3D5 6 Bytes JMP 718A000A .text C:\Windows\System32\svchost.exe[1132] GDI32.dll!CreateDCA 7682CCA9 6 Bytes JMP 7190000A .text C:\Windows\System32\svchost.exe[1132] GDI32.dll!CreateDCW 7682CF79 6 Bytes JMP 718D000A .text C:\Windows\System32\svchost.exe[1132] ADVAPI32.dll!CreateProcessAsUserA 76F42642 6 Bytes JMP 7199000A .text C:\Windows\System32\svchost.exe[1132] ADVAPI32.dll!CreateProcessWithLogonW 76F45429 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[1184] ntdll.dll!NtAlpcSendWaitReceivePort 76FE5458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1184] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76FE545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\svchost.exe[1184] ntdll.dll!NtClose 76FE5508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1184] ntdll.dll!NtClose + 4 76FE550C 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[1184] ntdll.dll!LdrUnloadDll 76FFC8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[1184] kernel32.dll!CreateProcessW 7687204D 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[1184] kernel32.dll!CreateProcessA 76872082 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[1184] kernel32.dll!CreateProcessAsUserW 768A5ABF 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[1184] USER32.dll!SetWindowsHookExW 76AE210A 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[1184] USER32.dll!SetWinEventHook 76AE507E 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[1184] USER32.dll!SetWindowsHookExA 76B06DFA 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[1184] GDI32.dll!DeleteDC 76826EAA 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[1184] GDI32.dll!GetPixel 7682C3D5 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[1184] GDI32.dll!CreateDCA 7682CCA9 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[1184] GDI32.dll!CreateDCW 7682CF79 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[1184] ADVAPI32.dll!CreateProcessAsUserA 76F42642 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[1184] ADVAPI32.dll!CreateProcessWithLogonW 76F45429 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[1228] ntdll.dll!NtAlpcSendWaitReceivePort 76FE5458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1228] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76FE545C 2 Bytes [77, 71] {JA 0x73} .text C:\Windows\system32\svchost.exe[1228] ntdll.dll!NtClose 76FE5508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1228] ntdll.dll!NtClose + 4 76FE550C 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[1228] ntdll.dll!LdrUnloadDll 76FFC8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[1228] kernel32.dll!CreateProcessW 7687204D 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[1228] kernel32.dll!CreateProcessA 76872082 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[1228] kernel32.dll!CreateProcessAsUserW 768A5ABF 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[1228] RPCRT4.dll!RpcServerRegisterIfEx 763208A4 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[1228] USER32.dll!SetWindowsHookExW 76AE210A 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[1228] USER32.dll!SetWinEventHook 76AE507E 6 Bytes JMP 717B000A .text C:\Windows\system32\svchost.exe[1228] USER32.dll!SetWindowsHookExA 76B06DFA 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[1228] GDI32.dll!DeleteDC 76826EAA 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[1228] GDI32.dll!GetPixel 7682C3D5 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[1228] GDI32.dll!CreateDCA 7682CCA9 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[1228] GDI32.dll!CreateDCW 7682CF79 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[1228] ADVAPI32.dll!CreateProcessAsUserA 76F42642 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[1228] ADVAPI32.dll!CreateProcessWithLogonW 76F45429 6 Bytes JMP 7196000A .text C:\Windows\system32\taskhost.exe[1448] ntdll.dll!NtAlpcSendWaitReceivePort 76FE5458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[1448] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76FE545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\taskhost.exe[1448] ntdll.dll!NtClose 76FE5508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[1448] ntdll.dll!NtClose + 4 76FE550C 2 Bytes [AE, 71] .text C:\Windows\system32\taskhost.exe[1448] ntdll.dll!LdrUnloadDll 76FFC8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\taskhost.exe[1448] kernel32.dll!CreateProcessW 7687204D 6 Bytes JMP 719F000A .text C:\Windows\system32\taskhost.exe[1448] kernel32.dll!CreateProcessA 76872082 6 Bytes JMP 719C000A .text C:\Windows\system32\taskhost.exe[1448] kernel32.dll!CreateProcessAsUserW 768A5ABF 6 Bytes JMP 7193000A .text C:\Windows\system32\taskhost.exe[1448] GDI32.dll!DeleteDC 76826EAA 6 Bytes JMP 7187000A .text C:\Windows\system32\taskhost.exe[1448] GDI32.dll!GetPixel 7682C3D5 6 Bytes JMP 718A000A .text C:\Windows\system32\taskhost.exe[1448] GDI32.dll!CreateDCA 7682CCA9 6 Bytes JMP 7190000A .text C:\Windows\system32\taskhost.exe[1448] GDI32.dll!CreateDCW 7682CF79 6 Bytes JMP 718D000A .text C:\Windows\system32\taskhost.exe[1448] USER32.dll!SetWindowsHookExW 76AE210A 6 Bytes JMP 7181000A .text C:\Windows\system32\taskhost.exe[1448] USER32.dll!SetWinEventHook 76AE507E 6 Bytes JMP 717E000A .text C:\Windows\system32\taskhost.exe[1448] USER32.dll!SetWindowsHookExA 76B06DFA 6 Bytes JMP 7184000A .text C:\Windows\system32\taskhost.exe[1448] ADVAPI32.dll!CreateProcessAsUserA 76F42642 6 Bytes JMP 7199000A .text C:\Windows\system32\taskhost.exe[1448] ADVAPI32.dll!CreateProcessWithLogonW 76F45429 6 Bytes JMP 7196000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1600] ntdll.dll!NtAlpcSendWaitReceivePort 76FE5458 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1600] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76FE545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1600] ntdll.dll!NtClose 76FE5508 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1600] ntdll.dll!NtClose + 4 76FE550C 2 Bytes [AE, 71] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1600] ntdll.dll!LdrUnloadDll 76FFC8DE 6 Bytes JMP 71A8000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1600] kernel32.dll!CreateProcessW 7687204D 6 Bytes JMP 719F000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1600] kernel32.dll!CreateProcessA 76872082 6 Bytes JMP 719C000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1600] kernel32.dll!CreateProcessAsUserW 768A5ABF 6 Bytes JMP 7193000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1600] GDI32.dll!DeleteDC 76826EAA 6 Bytes JMP 7187000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1600] GDI32.dll!GetPixel 7682C3D5 6 Bytes JMP 718A000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1600] GDI32.dll!CreateDCA 7682CCA9 6 Bytes JMP 7190000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1600] GDI32.dll!CreateDCW 7682CF79 6 Bytes JMP 718D000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1600] USER32.dll!SetWindowsHookExW 76AE210A 6 Bytes JMP 7181000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1600] USER32.dll!SetWinEventHook 76AE507E 6 Bytes JMP 717E000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1600] USER32.dll!SetWindowsHookExA 76B06DFA 6 Bytes JMP 7184000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1600] ADVAPI32.dll!CreateProcessAsUserA 76F42642 6 Bytes JMP 7199000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1600] ADVAPI32.dll!CreateProcessWithLogonW 76F45429 6 Bytes JMP 7196000A .text C:\Windows\system32\nvvsvc.exe[1608] ntdll.dll!NtAlpcSendWaitReceivePort 76FE5458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\nvvsvc.exe[1608] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76FE545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\nvvsvc.exe[1608] ntdll.dll!NtClose 76FE5508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\nvvsvc.exe[1608] ntdll.dll!NtClose + 4 76FE550C 2 Bytes [AE, 71] .text C:\Windows\system32\nvvsvc.exe[1608] ntdll.dll!LdrUnloadDll 76FFC8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\nvvsvc.exe[1608] kernel32.dll!CreateProcessW 7687204D 6 Bytes JMP 719F000A .text C:\Windows\system32\nvvsvc.exe[1608] kernel32.dll!CreateProcessA 76872082 6 Bytes JMP 719C000A .text C:\Windows\system32\nvvsvc.exe[1608] kernel32.dll!CreateProcessAsUserW 768A5ABF 6 Bytes JMP 7193000A .text C:\Windows\system32\nvvsvc.exe[1608] GDI32.dll!DeleteDC 76826EAA 6 Bytes JMP 7187000A .text C:\Windows\system32\nvvsvc.exe[1608] GDI32.dll!GetPixel 7682C3D5 6 Bytes JMP 718A000A .text C:\Windows\system32\nvvsvc.exe[1608] GDI32.dll!CreateDCA 7682CCA9 6 Bytes JMP 7190000A .text C:\Windows\system32\nvvsvc.exe[1608] GDI32.dll!CreateDCW 7682CF79 6 Bytes JMP 718D000A .text C:\Windows\system32\nvvsvc.exe[1608] USER32.dll!SetWindowsHookExW 76AE210A 6 Bytes JMP 7181000A .text C:\Windows\system32\nvvsvc.exe[1608] USER32.dll!SetWinEventHook 76AE507E 6 Bytes JMP 717E000A .text C:\Windows\system32\nvvsvc.exe[1608] USER32.dll!SetWindowsHookExA 76B06DFA 6 Bytes JMP 7184000A .text C:\Windows\system32\nvvsvc.exe[1608] ADVAPI32.dll!CreateProcessAsUserA 76F42642 6 Bytes JMP 7199000A .text C:\Windows\system32\nvvsvc.exe[1608] ADVAPI32.dll!CreateProcessWithLogonW 76F45429 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[1648] ntdll.dll!NtAlpcSendWaitReceivePort 76FE5458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1648] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76FE545C 2 Bytes [77, 71] {JA 0x73} .text C:\Windows\system32\svchost.exe[1648] ntdll.dll!NtClose 76FE5508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1648] ntdll.dll!NtClose + 4 76FE550C 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[1648] ntdll.dll!LdrUnloadDll 76FFC8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[1648] kernel32.dll!CreateProcessW 7687204D 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[1648] kernel32.dll!CreateProcessA 76872082 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[1648] kernel32.dll!CreateProcessAsUserW 768A5ABF 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[1648] RPCRT4.dll!RpcServerRegisterIfEx 763208A4 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[1648] USER32.dll!SetWindowsHookExW 76AE210A 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[1648] USER32.dll!SetWinEventHook 76AE507E 6 Bytes JMP 717B000A .text C:\Windows\system32\svchost.exe[1648] USER32.dll!SetWindowsHookExA 76B06DFA 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[1648] GDI32.dll!DeleteDC 76826EAA 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[1648] GDI32.dll!GetPixel 7682C3D5 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[1648] GDI32.dll!CreateDCA 7682CCA9 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[1648] GDI32.dll!CreateDCW 7682CF79 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[1648] ADVAPI32.dll!CreateProcessAsUserA 76F42642 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[1648] ADVAPI32.dll!CreateProcessWithLogonW 76F45429 6 Bytes JMP 7196000A .text C:\Windows\system32\Dwm.exe[1880] ntdll.dll!NtAlpcSendWaitReceivePort 76FE5458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[1880] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76FE545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\Dwm.exe[1880] ntdll.dll!NtClose 76FE5508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[1880] ntdll.dll!NtClose + 4 76FE550C 2 Bytes [AE, 71] .text C:\Windows\system32\Dwm.exe[1880] ntdll.dll!LdrUnloadDll 76FFC8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\Dwm.exe[1880] kernel32.dll!CreateProcessW 7687204D 6 Bytes JMP 719F000A .text C:\Windows\system32\Dwm.exe[1880] kernel32.dll!CreateProcessA 76872082 6 Bytes JMP 719C000A .text C:\Windows\system32\Dwm.exe[1880] kernel32.dll!CreateProcessAsUserW 768A5ABF 6 Bytes JMP 7193000A .text C:\Windows\system32\Dwm.exe[1880] GDI32.dll!DeleteDC 76826EAA 6 Bytes JMP 7187000A .text C:\Windows\system32\Dwm.exe[1880] GDI32.dll!GetPixel 7682C3D5 6 Bytes JMP 718A000A .text C:\Windows\system32\Dwm.exe[1880] GDI32.dll!CreateDCA 7682CCA9 6 Bytes JMP 7190000A .text C:\Windows\system32\Dwm.exe[1880] GDI32.dll!CreateDCW 7682CF79 6 Bytes JMP 718D000A .text C:\Windows\system32\Dwm.exe[1880] USER32.dll!SetWindowsHookExW 76AE210A 6 Bytes JMP 7181000A .text C:\Windows\system32\Dwm.exe[1880] USER32.dll!SetWinEventHook 76AE507E 6 Bytes JMP 717E000A .text C:\Windows\system32\Dwm.exe[1880] USER32.dll!SetWindowsHookExA 76B06DFA 6 Bytes JMP 7184000A .text C:\Windows\system32\Dwm.exe[1880] ADVAPI32.dll!CreateProcessAsUserA 76F42642 6 Bytes JMP 7199000A .text C:\Windows\system32\Dwm.exe[1880] ADVAPI32.dll!CreateProcessWithLogonW 76F45429 6 Bytes JMP 7196000A .text C:\Windows\Explorer.EXE[1904] ntdll.dll!NtAlpcSendWaitReceivePort 76FE5458 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[1904] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76FE545C 2 Bytes [77, 71] {JA 0x73} .text C:\Windows\Explorer.EXE[1904] ntdll.dll!NtClose 76FE5508 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[1904] ntdll.dll!NtClose + 4 76FE550C 2 Bytes [AE, 71] .text C:\Windows\Explorer.EXE[1904] ntdll.dll!LdrUnloadDll 76FFC8DE 6 Bytes JMP 71A8000A .text C:\Windows\Explorer.EXE[1904] kernel32.dll!CreateProcessW 7687204D 6 Bytes JMP 719F000A .text C:\Windows\Explorer.EXE[1904] kernel32.dll!CreateProcessA 76872082 6 Bytes JMP 719C000A .text C:\Windows\Explorer.EXE[1904] kernel32.dll!CreateProcessAsUserW 768A5ABF 6 Bytes JMP 7193000A .text C:\Windows\Explorer.EXE[1904] ADVAPI32.dll!CreateProcessAsUserA 76F42642 6 Bytes JMP 7199000A .text C:\Windows\Explorer.EXE[1904] ADVAPI32.dll!CreateProcessWithLogonW 76F45429 6 Bytes JMP 7196000A .text C:\Windows\Explorer.EXE[1904] GDI32.dll!DeleteDC 76826EAA 6 Bytes JMP 7187000A .text C:\Windows\Explorer.EXE[1904] GDI32.dll!GetPixel 7682C3D5 6 Bytes JMP 718A000A .text C:\Windows\Explorer.EXE[1904] GDI32.dll!CreateDCA 7682CCA9 6 Bytes JMP 7190000A .text C:\Windows\Explorer.EXE[1904] GDI32.dll!CreateDCW 7682CF79 6 Bytes JMP 718D000A .text C:\Windows\Explorer.EXE[1904] USER32.dll!SetWindowsHookExW 76AE210A 6 Bytes JMP 717E000A .text C:\Windows\Explorer.EXE[1904] USER32.dll!SetWinEventHook 76AE507E 6 Bytes JMP 717B000A .text C:\Windows\Explorer.EXE[1904] USER32.dll!SetWindowsHookExA 76B06DFA 6 Bytes JMP 7181000A .text C:\Windows\System32\spoolsv.exe[1928] ntdll.dll!NtAlpcSendWaitReceivePort 76FE5458 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\spoolsv.exe[1928] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76FE545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\System32\spoolsv.exe[1928] ntdll.dll!NtClose 76FE5508 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\spoolsv.exe[1928] ntdll.dll!NtClose + 4 76FE550C 2 Bytes [AE, 71] .text C:\Windows\System32\spoolsv.exe[1928] ntdll.dll!LdrUnloadDll 76FFC8DE 6 Bytes JMP 71A8000A .text C:\Windows\System32\spoolsv.exe[1928] kernel32.dll!CreateProcessW 7687204D 6 Bytes JMP 719F000A .text C:\Windows\System32\spoolsv.exe[1928] kernel32.dll!CreateProcessA 76872082 6 Bytes JMP 719C000A .text C:\Windows\System32\spoolsv.exe[1928] kernel32.dll!CreateProcessAsUserW 768A5ABF 6 Bytes JMP 7193000A .text C:\Windows\System32\spoolsv.exe[1928] USER32.dll!SetWindowsHookExW 76AE210A 6 Bytes JMP 7181000A .text C:\Windows\System32\spoolsv.exe[1928] USER32.dll!SetWinEventHook 76AE507E 6 Bytes JMP 717E000A .text C:\Windows\System32\spoolsv.exe[1928] USER32.dll!SetWindowsHookExA 76B06DFA 6 Bytes JMP 7184000A .text C:\Windows\System32\spoolsv.exe[1928] GDI32.dll!DeleteDC 76826EAA 6 Bytes JMP 7187000A .text C:\Windows\System32\spoolsv.exe[1928] GDI32.dll!GetPixel 7682C3D5 6 Bytes JMP 718A000A .text C:\Windows\System32\spoolsv.exe[1928] GDI32.dll!CreateDCA 7682CCA9 6 Bytes JMP 7190000A .text C:\Windows\System32\spoolsv.exe[1928] GDI32.dll!CreateDCW 7682CF79 6 Bytes JMP 718D000A .text C:\Windows\System32\spoolsv.exe[1928] ADVAPI32.dll!CreateProcessAsUserA 76F42642 6 Bytes JMP 7199000A .text C:\Windows\System32\spoolsv.exe[1928] ADVAPI32.dll!CreateProcessWithLogonW 76F45429 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[2040] ntdll.dll!NtAlpcSendWaitReceivePort 76FE5458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[2040] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76FE545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\svchost.exe[2040] ntdll.dll!NtClose 76FE5508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[2040] ntdll.dll!NtClose + 4 76FE550C 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[2040] ntdll.dll!LdrUnloadDll 76FFC8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[2040] kernel32.dll!CreateProcessW 7687204D 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[2040] kernel32.dll!CreateProcessA 76872082 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[2040] kernel32.dll!CreateProcessAsUserW 768A5ABF 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[2040] USER32.dll!SetWindowsHookExW 76AE210A 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[2040] USER32.dll!SetWinEventHook 76AE507E 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[2040] USER32.dll!SetWindowsHookExA 76B06DFA 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[2040] GDI32.dll!DeleteDC 76826EAA 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[2040] GDI32.dll!GetPixel 7682C3D5 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[2040] GDI32.dll!CreateDCA 7682CCA9 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[2040] GDI32.dll!CreateDCW 7682CF79 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[2040] ADVAPI32.dll!CreateProcessAsUserA 76F42642 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[2040] ADVAPI32.dll!CreateProcessWithLogonW 76F45429 6 Bytes JMP 7196000A .text C:\Program Files\Google\Update\1.3.24.7\GoogleCrashHandler.exe[2148] ntdll.dll!NtAlpcSendWaitReceivePort 76FE5458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Google\Update\1.3.24.7\GoogleCrashHandler.exe[2148] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76FE545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Google\Update\1.3.24.7\GoogleCrashHandler.exe[2148] ntdll.dll!NtClose 76FE5508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Google\Update\1.3.24.7\GoogleCrashHandler.exe[2148] ntdll.dll!NtClose + 4 76FE550C 2 Bytes [AE, 71] .text C:\Program Files\Google\Update\1.3.24.7\GoogleCrashHandler.exe[2148] ntdll.dll!LdrUnloadDll 76FFC8DE 6 Bytes JMP 71A8000A .text C:\Program Files\Google\Update\1.3.24.7\GoogleCrashHandler.exe[2148] kernel32.dll!CreateProcessW 7687204D 6 Bytes JMP 719F000A .text C:\Program Files\Google\Update\1.3.24.7\GoogleCrashHandler.exe[2148] kernel32.dll!CreateProcessA 76872082 6 Bytes JMP 719C000A .text C:\Program Files\Google\Update\1.3.24.7\GoogleCrashHandler.exe[2148] kernel32.dll!CreateProcessAsUserW 768A5ABF 6 Bytes JMP 7193000A .text C:\Program Files\Google\Update\1.3.24.7\GoogleCrashHandler.exe[2148] ADVAPI32.dll!CreateProcessAsUserA 76F42642 6 Bytes JMP 7199000A .text C:\Program Files\Google\Update\1.3.24.7\GoogleCrashHandler.exe[2148] ADVAPI32.dll!CreateProcessWithLogonW 76F45429 6 Bytes JMP 7196000A .text C:\Program Files\Google\Update\1.3.24.7\GoogleCrashHandler.exe[2148] GDI32.dll!DeleteDC 76826EAA 6 Bytes JMP 7187000A .text C:\Program Files\Google\Update\1.3.24.7\GoogleCrashHandler.exe[2148] GDI32.dll!GetPixel 7682C3D5 6 Bytes JMP 718A000A .text C:\Program Files\Google\Update\1.3.24.7\GoogleCrashHandler.exe[2148] GDI32.dll!CreateDCA 7682CCA9 6 Bytes JMP 7190000A .text C:\Program Files\Google\Update\1.3.24.7\GoogleCrashHandler.exe[2148] GDI32.dll!CreateDCW 7682CF79 6 Bytes JMP 718D000A .text C:\Program Files\Google\Update\1.3.24.7\GoogleCrashHandler.exe[2148] USER32.dll!SetWindowsHookExW 76AE210A 6 Bytes JMP 7181000A .text C:\Program Files\Google\Update\1.3.24.7\GoogleCrashHandler.exe[2148] USER32.dll!SetWinEventHook 76AE507E 6 Bytes JMP 717E000A .text C:\Program Files\Google\Update\1.3.24.7\GoogleCrashHandler.exe[2148] USER32.dll!SetWindowsHookExA 76B06DFA 6 Bytes JMP 7184000A .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[2276] ntdll.dll!NtAlpcSendWaitReceivePort 76FE5458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[2276] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76FE545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[2276] ntdll.dll!NtClose 76FE5508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[2276] ntdll.dll!NtClose + 4 76FE550C 2 Bytes [AE, 71] .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[2276] ntdll.dll!LdrUnloadDll 76FFC8DE 6 Bytes JMP 71A8000A .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[2276] kernel32.dll!CreateProcessW 7687204D 6 Bytes JMP 719F000A .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[2276] kernel32.dll!CreateProcessA 76872082 6 Bytes JMP 719C000A .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[2276] kernel32.dll!CreateProcessAsUserW 768A5ABF 6 Bytes JMP 7193000A .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[2276] USER32.dll!SetWindowsHookExW 76AE210A 6 Bytes JMP 7181000A .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[2276] USER32.dll!SetWinEventHook 76AE507E 6 Bytes JMP 717E000A .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[2276] USER32.dll!SetWindowsHookExA 76B06DFA 6 Bytes JMP 7184000A .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[2276] GDI32.dll!DeleteDC 76826EAA 6 Bytes JMP 7187000A .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[2276] GDI32.dll!GetPixel 7682C3D5 6 Bytes JMP 718A000A .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[2276] GDI32.dll!CreateDCA 7682CCA9 6 Bytes JMP 7190000A .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[2276] GDI32.dll!CreateDCW 7682CF79 6 Bytes JMP 718D000A .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[2276] ADVAPI32.dll!CreateProcessAsUserA 76F42642 6 Bytes JMP 7199000A .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[2276] ADVAPI32.dll!CreateProcessWithLogonW 76F45429 6 Bytes JMP 7196000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[2352] ntdll.dll!NtAlpcSendWaitReceivePort 76FE5458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2352] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76FE545C 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\Google\Chrome\Application\chrome.exe[2352] ntdll.dll!NtClose 76FE5508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2352] ntdll.dll!NtClose + 4 76FE550C 2 Bytes [AE, 71] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2352] ntdll.dll!NtMapViewOfSection + 6 76FE5C6E 4 Bytes [18, 10, B5, 67] {SBB [EAX], DL; MOV CH, 0x67} .text C:\Program Files\Google\Chrome\Application\chrome.exe[2352] ntdll.dll!NtMapViewOfSection + B 76FE5C73 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2352] ntdll.dll!LdrUnloadDll 76FFC8DE 6 Bytes JMP 71A8000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[2352] kernel32.dll!CreateProcessW 7687204D 6 Bytes JMP 719F000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[2352] kernel32.dll!CreateProcessA 76872082 6 Bytes JMP 719C000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[2352] kernel32.dll!CreateProcessAsUserW 768A5ABF 6 Bytes JMP 7193000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[2352] ADVAPI32.dll!CreateProcessAsUserA 76F42642 6 Bytes JMP 7199000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[2352] ADVAPI32.dll!CreateProcessWithLogonW 76F45429 6 Bytes JMP 7196000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[2352] USER32.dll!SetWindowsHookExW 76AE210A 6 Bytes JMP 717E000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[2352] USER32.dll!SetWinEventHook 76AE507E 6 Bytes JMP 717B000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[2352] USER32.dll!SetWindowsHookExA 76B06DFA 6 Bytes JMP 7181000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[2352] GDI32.dll!DeleteDC 76826EAA 6 Bytes JMP 7187000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[2352] GDI32.dll!GetPixel 7682C3D5 6 Bytes JMP 718A000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[2352] GDI32.dll!CreateDCA 7682CCA9 6 Bytes JMP 7190000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[2352] GDI32.dll!CreateDCW 7682CF79 6 Bytes JMP 718D000A .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[2400] ntdll.dll!NtAllocateVirtualMemory 76FE5318 5 Bytes JMP 00C911F0 C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[2400] ntdll.dll!NtCreateFile 76FE5608 5 Bytes JMP 00C91000 C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe .text C:\Program Files\Google\Chrome\Application\chrome.exe[2528] ntdll.dll!NtAlpcSendWaitReceivePort 76FE5458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2528] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76FE545C 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\Google\Chrome\Application\chrome.exe[2528] ntdll.dll!NtClose 76FE5508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2528] ntdll.dll!NtClose + 4 76FE550C 2 Bytes [AE, 71] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2528] ntdll.dll!NtCreateFile + 6 76FE560E 4 Bytes [28, 48, 4A, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2528] ntdll.dll!NtCreateFile + B 76FE5613 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2528] ntdll.dll!NtMapViewOfSection + 6 76FE5C6E 4 Bytes [28, 4B, 4A, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2528] ntdll.dll!NtMapViewOfSection + B 76FE5C73 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2528] ntdll.dll!NtOpenFile + 6 76FE5D1E 4 Bytes [68, 48, 4A, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2528] ntdll.dll!NtOpenFile + B 76FE5D23 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2528] ntdll.dll!NtOpenProcess + 6 76FE5DCE 4 Bytes [A8, 49, 4A, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2528] ntdll.dll!NtOpenProcess + B 76FE5DD3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2528] ntdll.dll!NtOpenProcessToken + 6 76FE5DDE 4 Bytes CALL 75FEA82C C:\Windows\system32\SHELL32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[2528] ntdll.dll!NtOpenProcessToken + B 76FE5DE3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2528] ntdll.dll!NtOpenProcessTokenEx + 6 76FE5DEE 4 Bytes [A8, 4A, 4A, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2528] ntdll.dll!NtOpenProcessTokenEx + B 76FE5DF3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2528] ntdll.dll!NtOpenThread + 6 76FE5E4E 4 Bytes [68, 49, 4A, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2528] ntdll.dll!NtOpenThread + B 76FE5E53 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2528] ntdll.dll!NtOpenThreadToken + 6 76FE5E5E 4 Bytes [68, 4A, 4A, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2528] ntdll.dll!NtOpenThreadToken + B 76FE5E63 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2528] ntdll.dll!NtOpenThreadTokenEx + 6 76FE5E6E 4 Bytes CALL 75FEA8BD C:\Windows\system32\SHELL32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[2528] ntdll.dll!NtOpenThreadTokenEx + B 76FE5E73 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2528] ntdll.dll!NtQueryAttributesFile + 6 76FE5F7E 4 Bytes [A8, 48, 4A, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2528] ntdll.dll!NtQueryAttributesFile + B 76FE5F83 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2528] ntdll.dll!NtQueryFullAttributesFile + 6 76FE602E 4 Bytes CALL 75FEAA7B C:\Windows\system32\SHELL32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[2528] ntdll.dll!NtQueryFullAttributesFile + B 76FE6033 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2528] ntdll.dll!NtSetInformationFile + 6 76FE667E 4 Bytes [28, 49, 4A, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2528] ntdll.dll!NtSetInformationFile + B 76FE6683 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2528] ntdll.dll!NtSetInformationThread + 6 76FE66DE 4 Bytes [28, 4A, 4A, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2528] ntdll.dll!NtSetInformationThread + B 76FE66E3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2528] ntdll.dll!NtTerminateProcess 76FE6908 5 Bytes JMP 0090F202 C:\Program Files\Google\Chrome\Application\chrome.exe .text C:\Program Files\Google\Chrome\Application\chrome.exe[2528] ntdll.dll!NtUnmapViewOfSection + 6 76FE69FE 4 Bytes [68, 4B, 4A, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2528] ntdll.dll!NtUnmapViewOfSection + B 76FE6A03 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2528] ntdll.dll!LdrUnloadDll 76FFC8DE 6 Bytes JMP 71A8000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[2528] kernel32.dll!CreateProcessW 7687204D 6 Bytes JMP 719F000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[2528] kernel32.dll!CreateProcessA 76872082 6 Bytes JMP 719C000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[2528] kernel32.dll!CreateProcessAsUserW 768A5ABF 6 Bytes JMP 7193000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[2528] ADVAPI32.dll!CreateProcessAsUserA 76F42642 6 Bytes JMP 7199000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[2528] ADVAPI32.dll!CreateProcessWithLogonW 76F45429 6 Bytes JMP 7196000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[2528] USER32.dll!SetWindowsHookExW 76AE210A 6 Bytes JMP 717E000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[2528] USER32.dll!SetWinEventHook 76AE507E 6 Bytes JMP 717B000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[2528] USER32.dll!SetWindowsHookExA 76B06DFA 6 Bytes JMP 7181000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[2528] GDI32.dll!DeleteDC 76826EAA 6 Bytes JMP 7187000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[2528] GDI32.dll!GetPixel 7682C3D5 6 Bytes JMP 718A000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[2528] GDI32.dll!CreateDCA 7682CCA9 6 Bytes JMP 7190000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[2528] GDI32.dll!CreateDCW 7682CF79 6 Bytes JMP 718D000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[2740] ntdll.dll!NtAlpcSendWaitReceivePort 76FE5458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2740] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76FE545C 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\Google\Chrome\Application\chrome.exe[2740] ntdll.dll!NtClose 76FE5508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2740] ntdll.dll!NtClose + 4 76FE550C 2 Bytes [AE, 71] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2740] ntdll.dll!NtCreateFile + 6 76FE560E 4 Bytes [28, 08, 19, 00] {SUB [EAX], CL; SBB [EAX], EAX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[2740] ntdll.dll!NtCreateFile + B 76FE5613 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2740] ntdll.dll!NtMapViewOfSection + 6 76FE5C6E 4 Bytes [28, 0B, 19, 00] {SUB [EBX], CL; SBB [EAX], EAX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[2740] ntdll.dll!NtMapViewOfSection + B 76FE5C73 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2740] ntdll.dll!NtOpenFile + 6 76FE5D1E 4 Bytes [68, 08, 19, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2740] ntdll.dll!NtOpenFile + B 76FE5D23 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2740] ntdll.dll!NtOpenProcess + 6 76FE5DCE 4 Bytes [A8, 09, 19, 00] {TEST AL, 0x9; SBB [EAX], EAX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[2740] ntdll.dll!NtOpenProcess + B 76FE5DD3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2740] ntdll.dll!NtOpenProcessToken + 6 76FE5DDE 4 Bytes CALL 75FE76EC C:\Windows\system32\SHELL32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[2740] ntdll.dll!NtOpenProcessToken + B 76FE5DE3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2740] ntdll.dll!NtOpenProcessTokenEx + 6 76FE5DEE 4 Bytes [A8, 0A, 19, 00] {TEST AL, 0xa; SBB [EAX], EAX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[2740] ntdll.dll!NtOpenProcessTokenEx + B 76FE5DF3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2740] ntdll.dll!NtOpenThread + 6 76FE5E4E 4 Bytes [68, 09, 19, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2740] ntdll.dll!NtOpenThread + B 76FE5E53 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2740] ntdll.dll!NtOpenThreadToken + 6 76FE5E5E 4 Bytes [68, 0A, 19, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2740] ntdll.dll!NtOpenThreadToken + B 76FE5E63 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2740] ntdll.dll!NtOpenThreadTokenEx + 6 76FE5E6E 4 Bytes CALL 75FE777D C:\Windows\system32\SHELL32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[2740] ntdll.dll!NtOpenThreadTokenEx + B 76FE5E73 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2740] ntdll.dll!NtQueryAttributesFile + 6 76FE5F7E 4 Bytes [A8, 08, 19, 00] {TEST AL, 0x8; SBB [EAX], EAX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[2740] ntdll.dll!NtQueryAttributesFile + B 76FE5F83 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2740] ntdll.dll!NtQueryFullAttributesFile + 6 76FE602E 4 Bytes CALL 75FE793B C:\Windows\system32\SHELL32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[2740] ntdll.dll!NtQueryFullAttributesFile + B 76FE6033 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2740] ntdll.dll!NtSetInformationFile + 6 76FE667E 4 Bytes [28, 09, 19, 00] {SUB [ECX], CL; SBB [EAX], EAX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[2740] ntdll.dll!NtSetInformationFile + B 76FE6683 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2740] ntdll.dll!NtSetInformationThread + 6 76FE66DE 4 Bytes [28, 0A, 19, 00] {SUB [EDX], CL; SBB [EAX], EAX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[2740] ntdll.dll!NtSetInformationThread + B 76FE66E3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2740] ntdll.dll!NtTerminateProcess 76FE6908 5 Bytes JMP 0090F202 C:\Program Files\Google\Chrome\Application\chrome.exe .text C:\Program Files\Google\Chrome\Application\chrome.exe[2740] ntdll.dll!NtUnmapViewOfSection + 6 76FE69FE 4 Bytes [68, 0B, 19, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2740] ntdll.dll!NtUnmapViewOfSection + B 76FE6A03 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2740] ntdll.dll!LdrUnloadDll 76FFC8DE 6 Bytes JMP 71A8000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[2740] kernel32.dll!CreateProcessW 7687204D 6 Bytes JMP 719F000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[2740] kernel32.dll!CreateProcessA 76872082 6 Bytes JMP 719C000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[2740] kernel32.dll!CreateProcessAsUserW 768A5ABF 6 Bytes JMP 7193000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[2740] ADVAPI32.dll!CreateProcessAsUserA 76F42642 6 Bytes JMP 7199000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[2740] ADVAPI32.dll!CreateProcessWithLogonW 76F45429 6 Bytes JMP 7196000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[2740] USER32.dll!SetWindowsHookExW 76AE210A 6 Bytes JMP 717E000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[2740] USER32.dll!SetWinEventHook 76AE507E 6 Bytes JMP 717B000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[2740] USER32.dll!SetWindowsHookExA 76B06DFA 6 Bytes JMP 7181000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[2740] GDI32.dll!DeleteDC 76826EAA 6 Bytes JMP 7187000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[2740] GDI32.dll!GetPixel 7682C3D5 6 Bytes JMP 718A000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[2740] GDI32.dll!CreateDCA 7682CCA9 6 Bytes JMP 7190000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[2740] GDI32.dll!CreateDCW 7682CF79 6 Bytes JMP 718D000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtAlpcSendWaitReceivePort 76FE5458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76FE545C 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtClose 76FE5508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtClose + 4 76FE550C 2 Bytes [AE, 71] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtCreateFile + 6 76FE560E 4 Bytes [28, 88, 6C, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtCreateFile + B 76FE5613 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtMapViewOfSection + 6 76FE5C6E 4 Bytes [28, 8B, 6C, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtMapViewOfSection + B 76FE5C73 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtOpenFile + 6 76FE5D1E 4 Bytes [68, 88, 6C, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtOpenFile + B 76FE5D23 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtOpenProcess + 6 76FE5DCE 4 Bytes [A8, 89, 6C, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtOpenProcess + B 76FE5DD3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtOpenProcessToken + 6 76FE5DDE 4 Bytes CALL 75FECA6C C:\Windows\system32\SHELL32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtOpenProcessToken + B 76FE5DE3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtOpenProcessTokenEx + 6 76FE5DEE 4 Bytes [A8, 8A, 6C, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtOpenProcessTokenEx + B 76FE5DF3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtOpenThread + 6 76FE5E4E 4 Bytes [68, 89, 6C, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtOpenThread + B 76FE5E53 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtOpenThreadToken + 6 76FE5E5E 4 Bytes [68, 8A, 6C, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtOpenThreadToken + B 76FE5E63 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtOpenThreadTokenEx + 6 76FE5E6E 4 Bytes CALL 75FECAFD C:\Windows\system32\SHELL32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtOpenThreadTokenEx + B 76FE5E73 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtQueryAttributesFile + 6 76FE5F7E 4 Bytes [A8, 88, 6C, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtQueryAttributesFile + B 76FE5F83 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtQueryFullAttributesFile + 6 76FE602E 4 Bytes CALL 75FECCBB C:\Windows\system32\SHELL32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtQueryFullAttributesFile + B 76FE6033 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtSetInformationFile + 6 76FE667E 4 Bytes [28, 89, 6C, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtSetInformationFile + B 76FE6683 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtSetInformationThread + 6 76FE66DE 4 Bytes [28, 8A, 6C, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtSetInformationThread + B 76FE66E3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtTerminateProcess 76FE6908 5 Bytes JMP 0090F202 C:\Program Files\Google\Chrome\Application\chrome.exe .text C:\Program Files\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtUnmapViewOfSection + 6 76FE69FE 4 Bytes [68, 8B, 6C, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!NtUnmapViewOfSection + B 76FE6A03 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2748] ntdll.dll!LdrUnloadDll 76FFC8DE 6 Bytes JMP 71A8000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[2748] kernel32.dll!CreateProcessW 7687204D 6 Bytes JMP 719F000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[2748] kernel32.dll!CreateProcessA 76872082 6 Bytes JMP 719C000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[2748] kernel32.dll!CreateProcessAsUserW 768A5ABF 6 Bytes JMP 7193000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[2748] ADVAPI32.dll!CreateProcessAsUserA 76F42642 6 Bytes JMP 7199000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[2748] ADVAPI32.dll!CreateProcessWithLogonW 76F45429 6 Bytes JMP 7196000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[2748] USER32.dll!SetWindowsHookExW 76AE210A 6 Bytes JMP 717E000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[2748] USER32.dll!SetWinEventHook 76AE507E 6 Bytes JMP 717B000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[2748] USER32.dll!SetWindowsHookExA 76B06DFA 6 Bytes JMP 7181000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[2748] GDI32.dll!DeleteDC 76826EAA 6 Bytes JMP 7187000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[2748] GDI32.dll!GetPixel 7682C3D5 6 Bytes JMP 718A000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[2748] GDI32.dll!CreateDCA 7682CCA9 6 Bytes JMP 7190000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[2748] GDI32.dll!CreateDCW 7682CF79 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[2796] ntdll.dll!NtAlpcSendWaitReceivePort 76FE5458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[2796] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76FE545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\svchost.exe[2796] ntdll.dll!NtClose 76FE5508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[2796] ntdll.dll!NtClose + 4 76FE550C 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[2796] ntdll.dll!LdrUnloadDll 76FFC8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[2796] kernel32.dll!CreateProcessW 7687204D 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[2796] kernel32.dll!CreateProcessA 76872082 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[2796] kernel32.dll!CreateProcessAsUserW 768A5ABF 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[2796] USER32.dll!SetWindowsHookExW 76AE210A 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[2796] USER32.dll!SetWinEventHook 76AE507E 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[2796] USER32.dll!SetWindowsHookExA 76B06DFA 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[2796] GDI32.dll!DeleteDC 76826EAA 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[2796] GDI32.dll!GetPixel 7682C3D5 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[2796] GDI32.dll!CreateDCA 7682CCA9 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[2796] GDI32.dll!CreateDCW 7682CF79 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[2796] ADVAPI32.dll!CreateProcessAsUserA 76F42642 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[2796] ADVAPI32.dll!CreateProcessWithLogonW 76F45429 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[2896] ntdll.dll!NtAlpcSendWaitReceivePort 76FE5458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[2896] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76FE545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\svchost.exe[2896] ntdll.dll!NtClose 76FE5508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[2896] ntdll.dll!NtClose + 4 76FE550C 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[2896] ntdll.dll!LdrUnloadDll 76FFC8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[2896] kernel32.dll!CreateProcessW 7687204D 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[2896] kernel32.dll!CreateProcessA 76872082 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[2896] kernel32.dll!CreateProcessAsUserW 768A5ABF 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[2896] USER32.dll!SetWindowsHookExW 76AE210A 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[2896] USER32.dll!SetWinEventHook 76AE507E 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[2896] USER32.dll!SetWindowsHookExA 76B06DFA 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[2896] GDI32.dll!DeleteDC 76826EAA 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[2896] GDI32.dll!GetPixel 7682C3D5 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[2896] GDI32.dll!CreateDCA 7682CCA9 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[2896] GDI32.dll!CreateDCW 7682CF79 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[2896] ADVAPI32.dll!CreateProcessAsUserA 76F42642 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[2896] ADVAPI32.dll!CreateProcessWithLogonW 76F45429 6 Bytes JMP 7196000A .text C:\Program Files\Smart Battery\SMBTray.exe[3280] ntdll.dll!NtAlpcSendWaitReceivePort 76FE5458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Smart Battery\SMBTray.exe[3280] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76FE545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Smart Battery\SMBTray.exe[3280] ntdll.dll!NtClose 76FE5508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Smart Battery\SMBTray.exe[3280] ntdll.dll!NtClose + 4 76FE550C 2 Bytes [AE, 71] .text C:\Program Files\Smart Battery\SMBTray.exe[3280] ntdll.dll!LdrUnloadDll 76FFC8DE 6 Bytes JMP 71A8000A .text C:\Program Files\Smart Battery\SMBTray.exe[3280] kernel32.dll!CreateProcessW 7687204D 6 Bytes JMP 719F000A .text C:\Program Files\Smart Battery\SMBTray.exe[3280] kernel32.dll!CreateProcessA 76872082 6 Bytes JMP 719C000A .text C:\Program Files\Smart Battery\SMBTray.exe[3280] kernel32.dll!CreateProcessAsUserW 768A5ABF 6 Bytes JMP 7193000A .text C:\Program Files\Smart Battery\SMBTray.exe[3280] USER32.dll!SetWindowsHookExW 76AE210A 6 Bytes JMP 7181000A .text C:\Program Files\Smart Battery\SMBTray.exe[3280] USER32.dll!SetWinEventHook 76AE507E 6 Bytes JMP 717E000A .text C:\Program Files\Smart Battery\SMBTray.exe[3280] USER32.dll!SetWindowsHookExA 76B06DFA 6 Bytes JMP 7184000A .text C:\Program Files\Smart Battery\SMBTray.exe[3280] GDI32.dll!DeleteDC 76826EAA 6 Bytes JMP 7187000A .text C:\Program Files\Smart Battery\SMBTray.exe[3280] GDI32.dll!GetPixel 7682C3D5 6 Bytes JMP 718A000A .text C:\Program Files\Smart Battery\SMBTray.exe[3280] GDI32.dll!CreateDCA 7682CCA9 6 Bytes JMP 7190000A .text C:\Program Files\Smart Battery\SMBTray.exe[3280] GDI32.dll!CreateDCW 7682CF79 6 Bytes JMP 718D000A .text C:\Program Files\Smart Battery\SMBTray.exe[3280] ADVAPI32.dll!CreateProcessAsUserA 76F42642 6 Bytes JMP 7199000A .text C:\Program Files\Smart Battery\SMBTray.exe[3280] ADVAPI32.dll!CreateProcessWithLogonW 76F45429 6 Bytes JMP 7196000A .text C:\Program Files\Wireless Select Switch\WLSS.exe[3352] ntdll.dll!NtAlpcSendWaitReceivePort 76FE5458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Wireless Select Switch\WLSS.exe[3352] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76FE545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Wireless Select Switch\WLSS.exe[3352] ntdll.dll!NtClose 76FE5508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Wireless Select Switch\WLSS.exe[3352] ntdll.dll!NtClose + 4 76FE550C 2 Bytes [AE, 71] .text C:\Program Files\Wireless Select Switch\WLSS.exe[3352] ntdll.dll!LdrUnloadDll 76FFC8DE 6 Bytes JMP 71A8000A .text C:\Program Files\Wireless Select Switch\WLSS.exe[3352] kernel32.dll!CreateProcessW 7687204D 6 Bytes JMP 719F000A .text C:\Program Files\Wireless Select Switch\WLSS.exe[3352] kernel32.dll!CreateProcessA 76872082 6 Bytes JMP 719C000A .text C:\Program Files\Wireless Select Switch\WLSS.exe[3352] kernel32.dll!CreateProcessAsUserW 768A5ABF 6 Bytes JMP 7193000A .text C:\Program Files\Wireless Select Switch\WLSS.exe[3352] USER32.dll!SetWindowsHookExW 76AE210A 6 Bytes JMP 7181000A .text C:\Program Files\Wireless Select Switch\WLSS.exe[3352] USER32.dll!SetWinEventHook 76AE507E 6 Bytes JMP 717E000A .text C:\Program Files\Wireless Select Switch\WLSS.exe[3352] USER32.dll!SetWindowsHookExA 76B06DFA 6 Bytes JMP 7184000A .text C:\Program Files\Wireless Select Switch\WLSS.exe[3352] GDI32.dll!DeleteDC 76826EAA 6 Bytes JMP 7187000A .text C:\Program Files\Wireless Select Switch\WLSS.exe[3352] GDI32.dll!GetPixel 7682C3D5 6 Bytes JMP 718A000A .text C:\Program Files\Wireless Select Switch\WLSS.exe[3352] GDI32.dll!CreateDCA 7682CCA9 6 Bytes JMP 7190000A .text C:\Program Files\Wireless Select Switch\WLSS.exe[3352] GDI32.dll!CreateDCW 7682CF79 6 Bytes JMP 718D000A .text C:\Program Files\Wireless Select Switch\WLSS.exe[3352] ADVAPI32.dll!CreateProcessAsUserA 76F42642 6 Bytes JMP 7199000A .text C:\Program Files\Wireless Select Switch\WLSS.exe[3352] ADVAPI32.dll!CreateProcessWithLogonW 76F45429 6 Bytes JMP 7196000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3360] ntdll.dll!NtAlpcSendWaitReceivePort 76FE5458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3360] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76FE545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3360] ntdll.dll!NtClose 76FE5508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3360] ntdll.dll!NtClose + 4 76FE550C 2 Bytes [AE, 71] .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3360] ntdll.dll!LdrUnloadDll 76FFC8DE 6 Bytes JMP 71A8000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3360] kernel32.dll!CreateProcessW 7687204D 6 Bytes JMP 719F000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3360] kernel32.dll!CreateProcessA 76872082 6 Bytes JMP 719C000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3360] kernel32.dll!CreateProcessAsUserW 768A5ABF 6 Bytes JMP 7193000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3360] USER32.dll!SetWindowsHookExW 76AE210A 6 Bytes JMP 7181000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3360] USER32.dll!SetWinEventHook 76AE507E 6 Bytes JMP 717E000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3360] USER32.dll!SetWindowsHookExA 76B06DFA 6 Bytes JMP 7184000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3360] GDI32.dll!DeleteDC 76826EAA 6 Bytes JMP 7187000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3360] GDI32.dll!GetPixel 7682C3D5 6 Bytes JMP 718A000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3360] GDI32.dll!CreateDCA 7682CCA9 6 Bytes JMP 7190000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3360] GDI32.dll!CreateDCW 7682CF79 6 Bytes JMP 718D000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3360] advapi32.DLL!CreateProcessAsUserA 76F42642 6 Bytes JMP 7199000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3360] advapi32.DLL!CreateProcessWithLogonW 76F45429 6 Bytes JMP 7196000A .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3400] ntdll.dll!NtAlpcSendWaitReceivePort 76FE5458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3400] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76FE545C 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3400] ntdll.dll!NtClose 76FE5508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3400] ntdll.dll!NtClose + 4 76FE550C 2 Bytes [AE, 71] .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3400] ntdll.dll!LdrUnloadDll 76FFC8DE 6 Bytes JMP 71A8000A .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3400] kernel32.dll!CreateProcessW 7687204D 6 Bytes JMP 719F000A .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3400] kernel32.dll!CreateProcessA 76872082 6 Bytes JMP 719C000A .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3400] kernel32.dll!CreateProcessAsUserW 768A5ABF 6 Bytes JMP 7193000A .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3400] USER32.dll!SetWindowsHookExW 76AE210A 6 Bytes JMP 717B000A .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3400] USER32.dll!SetWinEventHook 76AE507E 6 Bytes JMP 7178000A .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3400] USER32.dll!SetWindowsHookExA 76B06DFA 6 Bytes JMP 717E000A .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3400] GDI32.dll!DeleteDC 76826EAA 6 Bytes JMP 7181000A .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3400] GDI32.dll!GetPixel 7682C3D5 6 Bytes JMP 718A000A .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3400] GDI32.dll!CreateDCA 7682CCA9 6 Bytes JMP 7190000A .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3400] GDI32.dll!CreateDCW 7682CF79 6 Bytes JMP 718D000A .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3400] ADVAPI32.dll!CreateProcessAsUserA 76F42642 6 Bytes JMP 7199000A .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3400] ADVAPI32.dll!CreateProcessWithLogonW 76F45429 6 Bytes JMP 7196000A .text C:\Program Files\Canon\Solution Menu EX\CNSEMAIN.EXE[3548] ntdll.dll!NtAlpcSendWaitReceivePort 76FE5458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Canon\Solution Menu EX\CNSEMAIN.EXE[3548] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76FE545C 2 Bytes [5A, 71] .text C:\Program Files\Canon\Solution Menu EX\CNSEMAIN.EXE[3548] ntdll.dll!NtClose 76FE5508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Canon\Solution Menu EX\CNSEMAIN.EXE[3548] ntdll.dll!NtClose + 4 76FE550C 2 Bytes [AE, 71] .text C:\Program Files\Canon\Solution Menu EX\CNSEMAIN.EXE[3548] ntdll.dll!LdrUnloadDll 76FFC8DE 6 Bytes JMP 71A8000A .text C:\Program Files\Canon\Solution Menu EX\CNSEMAIN.EXE[3548] kernel32.dll!CreateProcessW 7687204D 6 Bytes JMP 7185000A .text C:\Program Files\Canon\Solution Menu EX\CNSEMAIN.EXE[3548] kernel32.dll!CreateProcessA 76872082 6 Bytes JMP 7182000A .text C:\Program Files\Canon\Solution Menu EX\CNSEMAIN.EXE[3548] kernel32.dll!CreateProcessAsUserW 768A5ABF 6 Bytes JMP 7179000A .text C:\Program Files\Canon\Solution Menu EX\CNSEMAIN.EXE[3548] GDI32.dll!DeleteDC 76826EAA 6 Bytes JMP 7167000A .text C:\Program Files\Canon\Solution Menu EX\CNSEMAIN.EXE[3548] GDI32.dll!GetPixel 7682C3D5 6 Bytes JMP 7170000A .text C:\Program Files\Canon\Solution Menu EX\CNSEMAIN.EXE[3548] GDI32.dll!CreateDCA 7682CCA9 6 Bytes JMP 7176000A .text C:\Program Files\Canon\Solution Menu EX\CNSEMAIN.EXE[3548] GDI32.dll!CreateDCW 7682CF79 6 Bytes JMP 7173000A .text C:\Program Files\Canon\Solution Menu EX\CNSEMAIN.EXE[3548] USER32.dll!SetWindowsHookExW 76AE210A 6 Bytes JMP 7161000A .text C:\Program Files\Canon\Solution Menu EX\CNSEMAIN.EXE[3548] USER32.dll!SetWinEventHook 76AE507E 6 Bytes JMP 715E000A .text C:\Program Files\Canon\Solution Menu EX\CNSEMAIN.EXE[3548] USER32.dll!SetWindowsHookExA 76B06DFA 6 Bytes JMP 7164000A .text C:\Program Files\Canon\Solution Menu EX\CNSEMAIN.EXE[3548] ADVAPI32.dll!CreateProcessAsUserA 76F42642 6 Bytes JMP 717F000A .text C:\Program Files\Canon\Solution Menu EX\CNSEMAIN.EXE[3548] ADVAPI32.dll!CreateProcessWithLogonW 76F45429 6 Bytes JMP 717C000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3576] ntdll.dll!NtAlpcSendWaitReceivePort 76FE5458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3576] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76FE545C 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3576] ntdll.dll!NtClose 76FE5508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3576] ntdll.dll!NtClose + 4 76FE550C 2 Bytes [AE, 71] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3576] ntdll.dll!LdrUnloadDll 76FFC8DE 6 Bytes JMP 71A8000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3576] kernel32.dll!CreateProcessW 7687204D 6 Bytes JMP 719F000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3576] kernel32.dll!CreateProcessA 76872082 6 Bytes JMP 719C000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3576] kernel32.dll!CreateProcessAsUserW 768A5ABF 6 Bytes JMP 7193000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3576] ADVAPI32.dll!CreateProcessAsUserA 76F42642 6 Bytes JMP 7199000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3576] ADVAPI32.dll!CreateProcessWithLogonW 76F45429 6 Bytes JMP 7196000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3576] GDI32.dll!DeleteDC 76826EAA 6 Bytes JMP 7181000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3576] GDI32.dll!GetPixel 7682C3D5 6 Bytes JMP 718A000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3576] GDI32.dll!CreateDCA 7682CCA9 6 Bytes JMP 7190000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3576] GDI32.dll!CreateDCW 7682CF79 6 Bytes JMP 718D000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3576] USER32.dll!SetWindowsHookExW 76AE210A 6 Bytes JMP 717B000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3576] USER32.dll!SetWinEventHook 76AE507E 6 Bytes JMP 7178000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3576] USER32.dll!SetWindowsHookExA 76B06DFA 6 Bytes JMP 717E000A .text C:\Program Files\Internet Download Manager\IDMan.exe[3668] ntdll.dll!NtAlpcSendWaitReceivePort 76FE5458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Internet Download Manager\IDMan.exe[3668] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76FE545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Internet Download Manager\IDMan.exe[3668] ntdll.dll!NtClose 76FE5508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Internet Download Manager\IDMan.exe[3668] ntdll.dll!NtClose + 4 76FE550C 2 Bytes [AE, 71] .text C:\Program Files\Internet Download Manager\IDMan.exe[3668] ntdll.dll!LdrUnloadDll 76FFC8DE 6 Bytes JMP 71A8000A .text C:\Program Files\Internet Download Manager\IDMan.exe[3668] kernel32.dll!CreateProcessW 7687204D 6 Bytes JMP 719F000A .text C:\Program Files\Internet Download Manager\IDMan.exe[3668] kernel32.dll!CreateProcessA 76872082 6 Bytes JMP 719C000A .text C:\Program Files\Internet Download Manager\IDMan.exe[3668] kernel32.dll!CreateProcessAsUserW 768A5ABF 6 Bytes JMP 7193000A .text C:\Program Files\Internet Download Manager\IDMan.exe[3668] USER32.dll!SetWindowsHookExW 76AE210A 6 Bytes JMP 7181000A .text C:\Program Files\Internet Download Manager\IDMan.exe[3668] USER32.dll!SetWinEventHook 76AE507E 6 Bytes JMP 717E000A .text C:\Program Files\Internet Download Manager\IDMan.exe[3668] USER32.dll!SetWindowsHookExA 76B06DFA 6 Bytes JMP 7184000A .text C:\Program Files\Internet Download Manager\IDMan.exe[3668] GDI32.dll!DeleteDC 76826EAA 6 Bytes JMP 7187000A .text C:\Program Files\Internet Download Manager\IDMan.exe[3668] GDI32.dll!GetPixel 7682C3D5 6 Bytes JMP 718A000A .text C:\Program Files\Internet Download Manager\IDMan.exe[3668] GDI32.dll!CreateDCA 7682CCA9 6 Bytes JMP 7190000A .text C:\Program Files\Internet Download Manager\IDMan.exe[3668] GDI32.dll!CreateDCW 7682CF79 6 Bytes JMP 718D000A .text C:\Program Files\Internet Download Manager\IDMan.exe[3668] ADVAPI32.dll!CreateProcessAsUserA 76F42642 6 Bytes JMP 7199000A .text C:\Program Files\Internet Download Manager\IDMan.exe[3668] ADVAPI32.dll!CreateProcessWithLogonW 76F45429 6 Bytes JMP 7196000A .text C:\Users\Demo\AppData\Local\FluxSoftware\Flux\flux.exe[3716] ntdll.dll!NtAlpcSendWaitReceivePort 76FE5458 3 Bytes [FF, 25, 1E] .text C:\Users\Demo\AppData\Local\FluxSoftware\Flux\flux.exe[3716] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76FE545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Users\Demo\AppData\Local\FluxSoftware\Flux\flux.exe[3716] ntdll.dll!NtClose 76FE5508 3 Bytes [FF, 25, 1E] .text C:\Users\Demo\AppData\Local\FluxSoftware\Flux\flux.exe[3716] ntdll.dll!NtClose + 4 76FE550C 2 Bytes [AE, 71] .text C:\Users\Demo\AppData\Local\FluxSoftware\Flux\flux.exe[3716] ntdll.dll!LdrUnloadDll 76FFC8DE 6 Bytes JMP 71A8000A .text C:\Users\Demo\AppData\Local\FluxSoftware\Flux\flux.exe[3716] kernel32.dll!CreateProcessW 7687204D 6 Bytes JMP 719F000A .text C:\Users\Demo\AppData\Local\FluxSoftware\Flux\flux.exe[3716] kernel32.dll!CreateProcessA 76872082 6 Bytes JMP 719C000A .text C:\Users\Demo\AppData\Local\FluxSoftware\Flux\flux.exe[3716] kernel32.dll!CreateProcessAsUserW 768A5ABF 6 Bytes JMP 7193000A .text C:\Users\Demo\AppData\Local\FluxSoftware\Flux\flux.exe[3716] USER32.dll!SetWindowsHookExW 76AE210A 6 Bytes JMP 7181000A .text C:\Users\Demo\AppData\Local\FluxSoftware\Flux\flux.exe[3716] USER32.dll!SetWinEventHook 76AE507E 6 Bytes JMP 717E000A .text C:\Users\Demo\AppData\Local\FluxSoftware\Flux\flux.exe[3716] USER32.dll!SetWindowsHookExA 76B06DFA 6 Bytes JMP 7184000A .text C:\Users\Demo\AppData\Local\FluxSoftware\Flux\flux.exe[3716] GDI32.dll!DeleteDC 76826EAA 6 Bytes JMP 7187000A .text C:\Users\Demo\AppData\Local\FluxSoftware\Flux\flux.exe[3716] GDI32.dll!GetPixel 7682C3D5 6 Bytes JMP 718A000A .text C:\Users\Demo\AppData\Local\FluxSoftware\Flux\flux.exe[3716] GDI32.dll!CreateDCA 7682CCA9 6 Bytes JMP 7190000A .text C:\Users\Demo\AppData\Local\FluxSoftware\Flux\flux.exe[3716] GDI32.dll!CreateDCW 7682CF79 6 Bytes JMP 718D000A .text C:\Users\Demo\AppData\Local\FluxSoftware\Flux\flux.exe[3716] ADVAPI32.dll!CreateProcessAsUserA 76F42642 6 Bytes JMP 7199000A .text C:\Users\Demo\AppData\Local\FluxSoftware\Flux\flux.exe[3716] ADVAPI32.dll!CreateProcessWithLogonW 76F45429 6 Bytes JMP 7196000A .text C:\Program Files\Skype\Phone\Skype.exe[3760] ntdll.dll!NtAlpcSendWaitReceivePort 76FE5458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Skype\Phone\Skype.exe[3760] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76FE545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Skype\Phone\Skype.exe[3760] ntdll.dll!NtClose 76FE5508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Skype\Phone\Skype.exe[3760] ntdll.dll!NtClose + 4 76FE550C 2 Bytes [AE, 71] .text C:\Program Files\Skype\Phone\Skype.exe[3760] ntdll.dll!LdrUnloadDll 76FFC8DE 6 Bytes JMP 71A8000A .text C:\Program Files\Skype\Phone\Skype.exe[3760] kernel32.dll!CreateProcessW 7687204D 6 Bytes JMP 719F000A .text C:\Program Files\Skype\Phone\Skype.exe[3760] kernel32.dll!CreateProcessA 76872082 6 Bytes JMP 719C000A .text C:\Program Files\Skype\Phone\Skype.exe[3760] kernel32.dll!CreateProcessAsUserW 768A5ABF 6 Bytes JMP 7193000A .text C:\Program Files\Skype\Phone\Skype.exe[3760] USER32.dll!SetWindowsHookExW 76AE210A 6 Bytes JMP 7181000A .text C:\Program Files\Skype\Phone\Skype.exe[3760] USER32.dll!SetWinEventHook 76AE507E 6 Bytes JMP 717E000A .text C:\Program Files\Skype\Phone\Skype.exe[3760] USER32.dll!SetWindowsHookExA 76B06DFA 6 Bytes JMP 7184000A .text C:\Program Files\Skype\Phone\Skype.exe[3760] GDI32.dll!DeleteDC 76826EAA 6 Bytes JMP 7187000A .text C:\Program Files\Skype\Phone\Skype.exe[3760] GDI32.dll!GetPixel 7682C3D5 6 Bytes JMP 718A000A .text C:\Program Files\Skype\Phone\Skype.exe[3760] GDI32.dll!CreateDCA 7682CCA9 6 Bytes JMP 7190000A .text C:\Program Files\Skype\Phone\Skype.exe[3760] GDI32.dll!CreateDCW 7682CF79 6 Bytes JMP 718D000A .text C:\Program Files\Skype\Phone\Skype.exe[3760] ADVAPI32.dll!CreateProcessAsUserA 76F42642 6 Bytes JMP 7199000A .text C:\Program Files\Skype\Phone\Skype.exe[3760] ADVAPI32.dll!CreateProcessWithLogonW 76F45429 6 Bytes JMP 7196000A .text C:\Users\Demo\AppData\Roaming\uTorrent\uTorrent.exe[3784] ntdll.dll!NtAlpcSendWaitReceivePort 76FE5458 3 Bytes [FF, 25, 1E] .text C:\Users\Demo\AppData\Roaming\uTorrent\uTorrent.exe[3784] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76FE545C 2 Bytes [74, 71] {JZ 0x73} .text C:\Users\Demo\AppData\Roaming\uTorrent\uTorrent.exe[3784] ntdll.dll!NtClose 76FE5508 3 Bytes [FF, 25, 1E] .text C:\Users\Demo\AppData\Roaming\uTorrent\uTorrent.exe[3784] ntdll.dll!NtClose + 4 76FE550C 2 Bytes [AE, 71] .text C:\Users\Demo\AppData\Roaming\uTorrent\uTorrent.exe[3784] ntdll.dll!LdrUnloadDll 76FFC8DE 6 Bytes JMP 71A8000A .text C:\Users\Demo\AppData\Roaming\uTorrent\uTorrent.exe[3784] kernel32.dll!CreateProcessW 7687204D 6 Bytes JMP 719F000A .text C:\Users\Demo\AppData\Roaming\uTorrent\uTorrent.exe[3784] kernel32.dll!CreateProcessA 76872082 6 Bytes JMP 719C000A .text C:\Users\Demo\AppData\Roaming\uTorrent\uTorrent.exe[3784] kernel32.dll!CreateProcessAsUserW 768A5ABF 6 Bytes JMP 7193000A .text C:\Users\Demo\AppData\Roaming\uTorrent\uTorrent.exe[3784] ADVAPI32.dll!CreateProcessAsUserA 76F42642 6 Bytes JMP 7199000A .text C:\Users\Demo\AppData\Roaming\uTorrent\uTorrent.exe[3784] ADVAPI32.dll!CreateProcessWithLogonW 76F45429 6 Bytes JMP 7196000A .text C:\Users\Demo\AppData\Roaming\uTorrent\uTorrent.exe[3784] GDI32.dll!DeleteDC 76826EAA 6 Bytes JMP 7181000A .text C:\Users\Demo\AppData\Roaming\uTorrent\uTorrent.exe[3784] GDI32.dll!GetPixel 7682C3D5 6 Bytes JMP 718A000A .text C:\Users\Demo\AppData\Roaming\uTorrent\uTorrent.exe[3784] GDI32.dll!CreateDCA 7682CCA9 6 Bytes JMP 7190000A .text C:\Users\Demo\AppData\Roaming\uTorrent\uTorrent.exe[3784] GDI32.dll!CreateDCW 7682CF79 6 Bytes JMP 718D000A .text C:\Users\Demo\AppData\Roaming\uTorrent\uTorrent.exe[3784] USER32.dll!SetWindowsHookExW 76AE210A 6 Bytes JMP 717B000A .text C:\Users\Demo\AppData\Roaming\uTorrent\uTorrent.exe[3784] USER32.dll!SetWinEventHook 76AE507E 6 Bytes JMP 7178000A .text C:\Users\Demo\AppData\Roaming\uTorrent\uTorrent.exe[3784] USER32.dll!SetWindowsHookExA 76B06DFA 6 Bytes JMP 717E000A .text C:\Windows\System32\C2MP\TrayMenu.exe[3828] ntdll.dll!NtAlpcSendWaitReceivePort 76FE5458 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\C2MP\TrayMenu.exe[3828] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76FE545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\System32\C2MP\TrayMenu.exe[3828] ntdll.dll!NtClose 76FE5508 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\C2MP\TrayMenu.exe[3828] ntdll.dll!NtClose + 4 76FE550C 2 Bytes [AE, 71] .text C:\Windows\System32\C2MP\TrayMenu.exe[3828] ntdll.dll!LdrUnloadDll 76FFC8DE 6 Bytes JMP 71A8000A .text C:\Windows\System32\C2MP\TrayMenu.exe[3828] kernel32.dll!CreateProcessW 7687204D 6 Bytes JMP 719F000A .text C:\Windows\System32\C2MP\TrayMenu.exe[3828] kernel32.dll!CreateProcessA 76872082 6 Bytes JMP 719C000A .text C:\Windows\System32\C2MP\TrayMenu.exe[3828] kernel32.dll!CreateProcessAsUserW 768A5ABF 6 Bytes JMP 7193000A .text C:\Windows\System32\C2MP\TrayMenu.exe[3828] USER32.dll!SetWindowsHookExW 76AE210A 6 Bytes JMP 7181000A .text C:\Windows\System32\C2MP\TrayMenu.exe[3828] USER32.dll!SetWinEventHook 76AE507E 6 Bytes JMP 717E000A .text C:\Windows\System32\C2MP\TrayMenu.exe[3828] USER32.dll!SetWindowsHookExA 76B06DFA 6 Bytes JMP 7184000A .text C:\Windows\System32\C2MP\TrayMenu.exe[3828] GDI32.dll!DeleteDC 76826EAA 6 Bytes JMP 7187000A .text C:\Windows\System32\C2MP\TrayMenu.exe[3828] GDI32.dll!GetPixel 7682C3D5 6 Bytes JMP 718A000A .text C:\Windows\System32\C2MP\TrayMenu.exe[3828] GDI32.dll!CreateDCA 7682CCA9 6 Bytes JMP 7190000A .text C:\Windows\System32\C2MP\TrayMenu.exe[3828] GDI32.dll!CreateDCW 7682CF79 6 Bytes JMP 718D000A .text C:\Windows\System32\C2MP\TrayMenu.exe[3828] ADVAPI32.dll!CreateProcessAsUserA 76F42642 6 Bytes JMP 7199000A .text C:\Windows\System32\C2MP\TrayMenu.exe[3828] ADVAPI32.dll!CreateProcessWithLogonW 76F45429 6 Bytes JMP 7196000A .text C:\Windows\System32\C2MP\UpdateChecker.exe[3840] ntdll.dll!NtAlpcSendWaitReceivePort 76FE5458 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\C2MP\UpdateChecker.exe[3840] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76FE545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\System32\C2MP\UpdateChecker.exe[3840] ntdll.dll!NtClose 76FE5508 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\C2MP\UpdateChecker.exe[3840] ntdll.dll!NtClose + 4 76FE550C 2 Bytes [AE, 71] .text C:\Windows\System32\C2MP\UpdateChecker.exe[3840] ntdll.dll!LdrUnloadDll 76FFC8DE 6 Bytes JMP 71A8000A .text C:\Windows\System32\C2MP\UpdateChecker.exe[3840] kernel32.dll!CreateProcessW 7687204D 6 Bytes JMP 719F000A .text C:\Windows\System32\C2MP\UpdateChecker.exe[3840] kernel32.dll!CreateProcessA 76872082 6 Bytes JMP 719C000A .text C:\Windows\System32\C2MP\UpdateChecker.exe[3840] kernel32.dll!CreateProcessAsUserW 768A5ABF 6 Bytes JMP 7193000A .text C:\Windows\System32\C2MP\UpdateChecker.exe[3840] USER32.dll!SetWindowsHookExW 76AE210A 6 Bytes JMP 7181000A .text C:\Windows\System32\C2MP\UpdateChecker.exe[3840] USER32.dll!SetWinEventHook 76AE507E 6 Bytes JMP 717E000A .text C:\Windows\System32\C2MP\UpdateChecker.exe[3840] USER32.dll!SetWindowsHookExA 76B06DFA 6 Bytes JMP 7184000A .text C:\Windows\System32\C2MP\UpdateChecker.exe[3840] GDI32.dll!DeleteDC 76826EAA 6 Bytes JMP 7187000A .text C:\Windows\System32\C2MP\UpdateChecker.exe[3840] GDI32.dll!GetPixel 7682C3D5 6 Bytes JMP 718A000A .text C:\Windows\System32\C2MP\UpdateChecker.exe[3840] GDI32.dll!CreateDCA 7682CCA9 6 Bytes JMP 7190000A .text C:\Windows\System32\C2MP\UpdateChecker.exe[3840] GDI32.dll!CreateDCW 7682CF79 6 Bytes JMP 718D000A .text C:\Windows\System32\C2MP\UpdateChecker.exe[3840] ADVAPI32.dll!CreateProcessAsUserA 76F42642 6 Bytes JMP 7199000A .text C:\Windows\System32\C2MP\UpdateChecker.exe[3840] ADVAPI32.dll!CreateProcessWithLogonW 76F45429 6 Bytes JMP 7196000A .text C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe[3864] ntdll.dll!NtAlpcSendWaitReceivePort 76FE5458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe[3864] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76FE545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe[3864] ntdll.dll!NtClose 76FE5508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe[3864] ntdll.dll!NtClose + 4 76FE550C 2 Bytes [AE, 71] .text C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe[3864] ntdll.dll!LdrUnloadDll 76FFC8DE 6 Bytes JMP 71A8000A .text C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe[3864] kernel32.dll!CreateProcessW 7687204D 6 Bytes JMP 719F000A .text C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe[3864] kernel32.dll!CreateProcessA 76872082 6 Bytes JMP 719C000A .text C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe[3864] kernel32.dll!CreateProcessAsUserW 768A5ABF 6 Bytes JMP 7193000A .text C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe[3864] GDI32.dll!DeleteDC 76826EAA 6 Bytes JMP 7187000A .text C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe[3864] GDI32.dll!GetPixel 7682C3D5 6 Bytes JMP 718A000A .text C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe[3864] GDI32.dll!CreateDCA 7682CCA9 6 Bytes JMP 7190000A .text C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe[3864] GDI32.dll!CreateDCW 7682CF79 6 Bytes JMP 718D000A .text C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe[3864] USER32.dll!SetWindowsHookExW 76AE210A 6 Bytes JMP 7181000A .text C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe[3864] USER32.dll!SetWinEventHook 76AE507E 6 Bytes JMP 717E000A .text C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe[3864] USER32.dll!SetWindowsHookExA 76B06DFA 6 Bytes JMP 7184000A .text C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe[3864] ADVAPI32.dll!CreateProcessAsUserA 76F42642 6 Bytes JMP 7199000A .text C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe[3864] ADVAPI32.dll!CreateProcessWithLogonW 76F45429 6 Bytes JMP 7196000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[3900] ntdll.dll!NtAlpcSendWaitReceivePort 76FE5458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3900] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76FE545C 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\Google\Chrome\Application\chrome.exe[3900] ntdll.dll!NtClose 76FE5508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3900] ntdll.dll!NtClose + 4 76FE550C 2 Bytes [AE, 71] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3900] ntdll.dll!NtCreateFile + 6 76FE560E 4 Bytes [28, 98, DA, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3900] ntdll.dll!NtCreateFile + B 76FE5613 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3900] ntdll.dll!NtMapViewOfSection + 6 76FE5C6E 4 Bytes [28, 9B, DA, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3900] ntdll.dll!NtMapViewOfSection + B 76FE5C73 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3900] ntdll.dll!NtOpenFile + 6 76FE5D1E 4 Bytes [68, 98, DA, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3900] ntdll.dll!NtOpenFile + B 76FE5D23 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3900] ntdll.dll!NtOpenProcess + 6 76FE5DCE 4 Bytes [A8, 99, DA, 00] {TEST AL, 0x99; FIADD DWORD [EAX]} .text C:\Program Files\Google\Chrome\Application\chrome.exe[3900] ntdll.dll!NtOpenProcess + B 76FE5DD3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3900] ntdll.dll!NtOpenProcessToken + 6 76FE5DDE 4 Bytes CALL 75FF387C C:\Windows\system32\SHELL32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[3900] ntdll.dll!NtOpenProcessToken + B 76FE5DE3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3900] ntdll.dll!NtOpenProcessTokenEx + 6 76FE5DEE 4 Bytes [A8, 9A, DA, 00] {TEST AL, 0x9a; FIADD DWORD [EAX]} .text C:\Program Files\Google\Chrome\Application\chrome.exe[3900] ntdll.dll!NtOpenProcessTokenEx + B 76FE5DF3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3900] ntdll.dll!NtOpenThread + 6 76FE5E4E 4 Bytes [68, 99, DA, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3900] ntdll.dll!NtOpenThread + B 76FE5E53 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3900] ntdll.dll!NtOpenThreadToken + 6 76FE5E5E 4 Bytes [68, 9A, DA, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3900] ntdll.dll!NtOpenThreadToken + B 76FE5E63 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3900] ntdll.dll!NtOpenThreadTokenEx + 6 76FE5E6E 4 Bytes CALL 75FF390D C:\Windows\system32\SHELL32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[3900] ntdll.dll!NtOpenThreadTokenEx + B 76FE5E73 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3900] ntdll.dll!NtQueryAttributesFile + 6 76FE5F7E 4 Bytes [A8, 98, DA, 00] {TEST AL, 0x98; FIADD DWORD [EAX]} .text C:\Program Files\Google\Chrome\Application\chrome.exe[3900] ntdll.dll!NtQueryAttributesFile + B 76FE5F83 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3900] ntdll.dll!NtQueryFullAttributesFile + 6 76FE602E 4 Bytes CALL 75FF3ACB C:\Windows\system32\SHELL32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[3900] ntdll.dll!NtQueryFullAttributesFile + B 76FE6033 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3900] ntdll.dll!NtSetInformationFile + 6 76FE667E 4 Bytes [28, 99, DA, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3900] ntdll.dll!NtSetInformationFile + B 76FE6683 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3900] ntdll.dll!NtSetInformationThread + 6 76FE66DE 4 Bytes [28, 9A, DA, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3900] ntdll.dll!NtSetInformationThread + B 76FE66E3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3900] ntdll.dll!NtTerminateProcess 76FE6908 5 Bytes JMP 0090F202 C:\Program Files\Google\Chrome\Application\chrome.exe .text C:\Program Files\Google\Chrome\Application\chrome.exe[3900] ntdll.dll!NtUnmapViewOfSection + 6 76FE69FE 4 Bytes [68, 9B, DA, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3900] ntdll.dll!NtUnmapViewOfSection + B 76FE6A03 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3900] ntdll.dll!LdrUnloadDll 76FFC8DE 6 Bytes JMP 71A8000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[3900] kernel32.dll!CreateProcessW 7687204D 6 Bytes JMP 719F000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[3900] kernel32.dll!CreateProcessA 76872082 6 Bytes JMP 719C000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[3900] kernel32.dll!CreateProcessAsUserW 768A5ABF 6 Bytes JMP 7193000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[3900] ADVAPI32.dll!CreateProcessAsUserA 76F42642 6 Bytes JMP 7199000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[3900] ADVAPI32.dll!CreateProcessWithLogonW 76F45429 6 Bytes JMP 7196000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[3900] USER32.dll!SetWindowsHookExW 76AE210A 6 Bytes JMP 717E000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[3900] USER32.dll!SetWinEventHook 76AE507E 6 Bytes JMP 717B000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[3900] USER32.dll!SetWindowsHookExA 76B06DFA 6 Bytes JMP 7181000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[3900] GDI32.dll!DeleteDC 76826EAA 6 Bytes JMP 7187000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[3900] GDI32.dll!GetPixel 7682C3D5 6 Bytes JMP 718A000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[3900] GDI32.dll!CreateDCA 7682CCA9 6 Bytes JMP 7190000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[3900] GDI32.dll!CreateDCW 7682CF79 6 Bytes JMP 718D000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[4128] ntdll.dll!NtAlpcSendWaitReceivePort 76FE5458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4128] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76FE545C 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\Google\Chrome\Application\chrome.exe[4128] ntdll.dll!NtClose 76FE5508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4128] ntdll.dll!NtClose + 4 76FE550C 2 Bytes [AE, 71] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4128] ntdll.dll!NtCreateFile + 6 76FE560E 4 Bytes [28, 50, B1, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4128] ntdll.dll!NtCreateFile + B 76FE5613 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4128] ntdll.dll!NtMapViewOfSection + 6 76FE5C6E 4 Bytes [28, 53, B1, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4128] ntdll.dll!NtMapViewOfSection + B 76FE5C73 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4128] ntdll.dll!NtOpenFile + 6 76FE5D1E 4 Bytes [68, 50, B1, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4128] ntdll.dll!NtOpenFile + B 76FE5D23 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4128] ntdll.dll!NtOpenProcess + 6 76FE5DCE 4 Bytes [A8, 51, B1, 00] {TEST AL, 0x51; MOV CL, 0x0} .text C:\Program Files\Google\Chrome\Application\chrome.exe[4128] ntdll.dll!NtOpenProcess + B 76FE5DD3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4128] ntdll.dll!NtOpenProcessToken + 6 76FE5DDE 4 Bytes CALL 75FF0F34 C:\Windows\system32\SHELL32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[4128] ntdll.dll!NtOpenProcessToken + B 76FE5DE3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4128] ntdll.dll!NtOpenProcessTokenEx + 6 76FE5DEE 4 Bytes [A8, 52, B1, 00] {TEST AL, 0x52; MOV CL, 0x0} .text C:\Program Files\Google\Chrome\Application\chrome.exe[4128] ntdll.dll!NtOpenProcessTokenEx + B 76FE5DF3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4128] ntdll.dll!NtOpenThread + 6 76FE5E4E 4 Bytes [68, 51, B1, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4128] ntdll.dll!NtOpenThread + B 76FE5E53 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4128] ntdll.dll!NtOpenThreadToken + 6 76FE5E5E 4 Bytes [68, 52, B1, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4128] ntdll.dll!NtOpenThreadToken + B 76FE5E63 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4128] ntdll.dll!NtOpenThreadTokenEx + 6 76FE5E6E 4 Bytes CALL 75FF0FC5 C:\Windows\system32\SHELL32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[4128] ntdll.dll!NtOpenThreadTokenEx + B 76FE5E73 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4128] ntdll.dll!NtQueryAttributesFile + 6 76FE5F7E 4 Bytes [A8, 50, B1, 00] {TEST AL, 0x50; MOV CL, 0x0} .text C:\Program Files\Google\Chrome\Application\chrome.exe[4128] ntdll.dll!NtQueryAttributesFile + B 76FE5F83 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4128] ntdll.dll!NtQueryFullAttributesFile + 6 76FE602E 4 Bytes CALL 75FF1183 C:\Windows\system32\SHELL32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[4128] ntdll.dll!NtQueryFullAttributesFile + B 76FE6033 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4128] ntdll.dll!NtSetInformationFile + 6 76FE667E 4 Bytes [28, 51, B1, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4128] ntdll.dll!NtSetInformationFile + B 76FE6683 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4128] ntdll.dll!NtSetInformationThread + 6 76FE66DE 4 Bytes [28, 52, B1, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4128] ntdll.dll!NtSetInformationThread + B 76FE66E3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4128] ntdll.dll!NtTerminateProcess 76FE6908 5 Bytes JMP 0090F202 C:\Program Files\Google\Chrome\Application\chrome.exe .text C:\Program Files\Google\Chrome\Application\chrome.exe[4128] ntdll.dll!NtUnmapViewOfSection + 6 76FE69FE 4 Bytes [68, 53, B1, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4128] ntdll.dll!NtUnmapViewOfSection + B 76FE6A03 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4128] ntdll.dll!LdrUnloadDll 76FFC8DE 6 Bytes JMP 71A8000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[4128] kernel32.dll!CreateProcessW 7687204D 6 Bytes JMP 719F000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[4128] kernel32.dll!CreateProcessA 76872082 6 Bytes JMP 719C000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[4128] kernel32.dll!CreateProcessAsUserW 768A5ABF 6 Bytes JMP 7193000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[4128] ADVAPI32.dll!CreateProcessAsUserA 76F42642 6 Bytes JMP 7199000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[4128] ADVAPI32.dll!CreateProcessWithLogonW 76F45429 6 Bytes JMP 7196000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[4128] USER32.dll!SetWindowsHookExW 76AE210A 6 Bytes JMP 717E000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[4128] USER32.dll!SetWinEventHook 76AE507E 6 Bytes JMP 717B000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[4128] USER32.dll!SetWindowsHookExA 76B06DFA 6 Bytes JMP 7181000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[4128] GDI32.dll!DeleteDC 76826EAA 6 Bytes JMP 7187000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[4128] GDI32.dll!GetPixel 7682C3D5 6 Bytes JMP 718A000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[4128] GDI32.dll!CreateDCA 7682CCA9 6 Bytes JMP 7190000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[4128] GDI32.dll!CreateDCW 7682CF79 6 Bytes JMP 718D000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[4148] ntdll.dll!NtAlpcSendWaitReceivePort 76FE5458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4148] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76FE545C 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\Google\Chrome\Application\chrome.exe[4148] ntdll.dll!NtClose 76FE5508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4148] ntdll.dll!NtClose + 4 76FE550C 2 Bytes [AE, 71] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4148] ntdll.dll!NtTerminateProcess 76FE6908 5 Bytes JMP 0090F202 C:\Program Files\Google\Chrome\Application\chrome.exe .text C:\Program Files\Google\Chrome\Application\chrome.exe[4148] ntdll.dll!LdrUnloadDll 76FFC8DE 6 Bytes JMP 71A8000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[4148] kernel32.dll!CreateProcessW 7687204D 6 Bytes JMP 719F000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[4148] kernel32.dll!CreateProcessA 76872082 6 Bytes JMP 719C000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[4148] kernel32.dll!CreateProcessAsUserW 768A5ABF 6 Bytes JMP 7193000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[4148] ADVAPI32.dll!CreateProcessAsUserA 76F42642 6 Bytes JMP 7199000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[4148] ADVAPI32.dll!CreateProcessWithLogonW 76F45429 6 Bytes JMP 7196000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[4148] USER32.dll!SetWindowsHookExW 76AE210A 6 Bytes JMP 717E000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[4148] USER32.dll!SetWinEventHook 76AE507E 6 Bytes JMP 717B000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[4148] USER32.dll!SetWindowsHookExA 76B06DFA 6 Bytes JMP 7181000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[4148] GDI32.dll!DeleteDC 76826EAA 6 Bytes JMP 7187000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[4148] GDI32.dll!GetPixel 7682C3D5 6 Bytes JMP 718A000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[4148] GDI32.dll!CreateDCA 7682CCA9 6 Bytes JMP 7190000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[4148] GDI32.dll!CreateDCW 7682CF79 6 Bytes JMP 718D000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5028] ntdll.dll!NtAlpcSendWaitReceivePort 76FE5458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5028] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76FE545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5028] ntdll.dll!NtClose 76FE5508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5028] ntdll.dll!NtClose + 4 76FE550C 2 Bytes [AE, 71] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5028] ntdll.dll!LdrUnloadDll 76FFC8DE 6 Bytes JMP 71A8000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5028] kernel32.dll!CreateProcessW 7687204D 6 Bytes JMP 719F000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5028] kernel32.dll!CreateProcessA 76872082 6 Bytes JMP 719C000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5028] kernel32.dll!CreateProcessAsUserW 768A5ABF 6 Bytes JMP 7193000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5028] ADVAPI32.dll!CreateProcessAsUserA 76F42642 6 Bytes JMP 7199000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5028] ADVAPI32.dll!CreateProcessWithLogonW 76F45429 6 Bytes JMP 7196000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5028] USER32.dll!SetWindowsHookExW 76AE210A 6 Bytes JMP 7181000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5028] USER32.dll!SetWinEventHook 76AE507E 6 Bytes JMP 717E000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5028] USER32.dll!SetWindowsHookExA 76B06DFA 6 Bytes JMP 7184000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5028] GDI32.dll!DeleteDC 76826EAA 6 Bytes JMP 7187000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5028] GDI32.dll!GetPixel 7682C3D5 6 Bytes JMP 718A000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5028] GDI32.dll!CreateDCA 7682CCA9 6 Bytes JMP 7190000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5028] GDI32.dll!CreateDCW 7682CF79 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[5048] ntdll.dll!NtAlpcSendWaitReceivePort 76FE5458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[5048] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76FE545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\svchost.exe[5048] ntdll.dll!NtClose 76FE5508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[5048] ntdll.dll!NtClose + 4 76FE550C 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[5048] ntdll.dll!LdrUnloadDll 76FFC8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[5048] kernel32.dll!CreateProcessW 7687204D 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[5048] kernel32.dll!CreateProcessA 76872082 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[5048] kernel32.dll!CreateProcessAsUserW 768A5ABF 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[5048] USER32.dll!SetWindowsHookExW 76AE210A 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[5048] USER32.dll!SetWinEventHook 76AE507E 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[5048] USER32.dll!SetWindowsHookExA 76B06DFA 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[5048] GDI32.dll!DeleteDC 76826EAA 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[5048] GDI32.dll!GetPixel 7682C3D5 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[5048] GDI32.dll!CreateDCA 7682CCA9 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[5048] GDI32.dll!CreateDCW 7682CF79 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[5048] ADVAPI32.dll!CreateProcessAsUserA 76F42642 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[5048] ADVAPI32.dll!CreateProcessWithLogonW 76F45429 6 Bytes JMP 7196000A .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[5156] ntdll.dll!NtAllocateVirtualMemory 76FE5318 5 Bytes JMP 010A4FE0 C:\Program Files\COMODO\COMODO Internet Security\cis.exe .text C:\Users\Demo\Downloads\Programs\lg5sgzrb.exe[6044] ntdll.dll!NtAlpcSendWaitReceivePort 76FE5458 3 Bytes [FF, 25, 1E] .text C:\Users\Demo\Downloads\Programs\lg5sgzrb.exe[6044] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76FE545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Users\Demo\Downloads\Programs\lg5sgzrb.exe[6044] ntdll.dll!NtClose 76FE5508 3 Bytes [FF, 25, 1E] .text C:\Users\Demo\Downloads\Programs\lg5sgzrb.exe[6044] ntdll.dll!NtClose + 4 76FE550C 2 Bytes [AE, 71] .text C:\Users\Demo\Downloads\Programs\lg5sgzrb.exe[6044] ntdll.dll!LdrUnloadDll 76FFC8DE 6 Bytes JMP 71A8000A .text C:\Users\Demo\Downloads\Programs\lg5sgzrb.exe[6044] kernel32.dll!CreateProcessW 7687204D 6 Bytes JMP 719F000A .text C:\Users\Demo\Downloads\Programs\lg5sgzrb.exe[6044] kernel32.dll!CreateProcessA 76872082 6 Bytes JMP 719C000A .text C:\Users\Demo\Downloads\Programs\lg5sgzrb.exe[6044] kernel32.dll!CreateProcessAsUserW 768A5ABF 6 Bytes JMP 7193000A .text C:\Users\Demo\Downloads\Programs\lg5sgzrb.exe[6044] USER32.dll!SetWindowsHookExW 76AE210A 6 Bytes JMP 7181000A .text C:\Users\Demo\Downloads\Programs\lg5sgzrb.exe[6044] USER32.dll!SetWinEventHook 76AE507E 6 Bytes JMP 717E000A .text C:\Users\Demo\Downloads\Programs\lg5sgzrb.exe[6044] USER32.dll!SetWindowsHookExA 76B06DFA 6 Bytes JMP 7184000A .text C:\Users\Demo\Downloads\Programs\lg5sgzrb.exe[6044] GDI32.dll!DeleteDC 76826EAA 6 Bytes JMP 7187000A .text C:\Users\Demo\Downloads\Programs\lg5sgzrb.exe[6044] GDI32.dll!GetPixel 7682C3D5 6 Bytes JMP 718A000A .text C:\Users\Demo\Downloads\Programs\lg5sgzrb.exe[6044] GDI32.dll!CreateDCA 7682CCA9 6 Bytes JMP 7190000A .text C:\Users\Demo\Downloads\Programs\lg5sgzrb.exe[6044] GDI32.dll!CreateDCW 7682CF79 6 Bytes JMP 718D000A .text C:\Users\Demo\Downloads\Programs\lg5sgzrb.exe[6044] ADVAPI32.dll!CreateProcessAsUserA 76F42642 6 Bytes JMP 7199000A .text C:\Users\Demo\Downloads\Programs\lg5sgzrb.exe[6044] ADVAPI32.dll!CreateProcessWithLogonW 76F45429 6 Bytes JMP 7196000A ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\Explorer.EXE[1904] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73DC24CB] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[1904] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73DA562E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[1904] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73DA56EC] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[1904] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73DC2546] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[1904] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73DB85AA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[1904] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73DB4D5E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[1904] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73DB5105] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[1904] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73DB51DA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[1904] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [73DB6707] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[1904] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73DB8301] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[1904] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73DB8850] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[1904] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73DB90B1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[1904] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73DBE254] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[1904] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73DB4C90] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll ---- Devices - GMER 2.1 ---- Device \FileSystem\Ntfs \Ntfs 850631F8 Device \Driver\NetBT \Device\NetBT_Tcpip_{479D6DD2-6475-4F77-AD3C-99FFFD5ADB1F} 861291F8 Device \Driver\usbuhci \Device\USBPDO-0 8633F1F8 Device \Driver\usbuhci \Device\USBPDO-1 8633F1F8 Device \Driver\usbehci \Device\USBPDO-2 863AC440 Device \Driver\usbuhci \Device\USBPDO-3 8633F1F8 Device \Driver\usbuhci \Device\USBPDO-4 8633F1F8 AttachedDevice \Driver\tdx \Device\Tcp cmdhlp.sys Device \Driver\usbuhci \Device\USBPDO-5 8633F1F8 Device \Driver\usbehci \Device\USBPDO-6 863AC440 Device \Driver\NetBT \Device\NetBT_Tcpip_{7B287F5B-F5F6-4374-A489-B97A4D0B4FDD} 861291F8 Device \Driver\cdrom \Device\CdRom0 860251F8 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 850611F8 Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-2 850611F8 Device \Driver\atapi \Device\Ide\IdePort0 850611F8 Device \Driver\atapi \Device\Ide\IdePort1 850611F8 Device \Driver\atapi \Device\Ide\IdePort2 850611F8 Device \Driver\atapi \Device\Ide\IdePort3 850611F8 Device \Driver\NetBT \Device\NetBT_Tcpip_{59F66987-09AD-4448-B933-F278E654D77A} 861291F8 Device \Driver\NetBT \Device\NetBt_Wins_Export 861291F8 AttachedDevice \Driver\tdx \Device\Udp cmdhlp.sys AttachedDevice \Driver\tdx \Device\RawIp cmdhlp.sys Device \Driver\usbuhci \Device\USBFDO-0 8633F1F8 Device \Driver\usbuhci \Device\USBFDO-1 8633F1F8 Device \Driver\usbehci \Device\USBFDO-2 863AC440 Device \Driver\usbuhci \Device\USBFDO-3 8633F1F8 Device \Driver\usbuhci \Device\USBFDO-4 8633F1F8 Device \Driver\usbuhci \Device\USBFDO-5 8633F1F8 Device \Driver\usbehci \Device\USBFDO-6 863AC440 ---- Trace I/O - GMER 2.1 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x850611f8]<< 850611f8 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85e787c8] 85e787c8 Trace 3 CLASSPNP.SYS[89eb359e] -> nt!IofCallDriver -> [0x85dae918] 85dae918 Trace 5 ACPI.sys[897093d4] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-2[0x85d94908] 85d94908 Trace \Driver\atapi[0x85d84eb8] -> IRP_MJ_CREATE -> 0x850611f8 850611f8 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\cmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\cmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\cmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\cmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\cmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\cmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Cam@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Firewall Pro@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... ---- EOF - GMER 2.1 ----