GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-09-22 22:38:37 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST932032 rev.0303 298,09GB Running: abc.exe; Driver: C:\Users\Spid3r\AppData\Local\Temp\awroapog.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff800027b6000 45 bytes [00, 00, 22, 02, 4E, 76, 4C, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 575 fffff800027b602f 23 bytes [00, 00, 00, 00, 00, 00, 00, ...] .text C:\Windows\System32\win32k.sys!W32pServiceTable fffff96000104200 7 bytes [40, A3, F3, FF, 01, B5, F0] .text C:\Windows\System32\win32k.sys!W32pServiceTable + 8 fffff96000104208 3 bytes [C0, 06, 02] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077841360 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077841560 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077841b00 8 bytes JMP 000000016fff0148 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077841360 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077841560 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077841b00 8 bytes JMP 000000016fff0148 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077813b10 6 bytes {JMP QWORD [RIP+0x882c520]} .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778413a0 6 bytes {JMP QWORD [RIP+0x87dec90]} .text C:\Windows\system32\services.exe[720] 
C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077841570 6 bytes {JMP QWORD [RIP+0x8d9eac0]} .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778415e0 6 bytes {JMP QWORD [RIP+0x8e7ea50]} .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077841620 6 bytes {JMP QWORD [RIP+0x8e3ea10]} .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778416c0 6 bytes {JMP QWORD [RIP+0x8e9e970]} .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077841750 6 bytes {JMP QWORD [RIP+0x8e1e8e0]} .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077841790 6 bytes {JMP QWORD [RIP+0x8d1e8a0]} .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778417e0 6 bytes {JMP QWORD [RIP+0x8d3e850]} .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077841800 6 bytes {JMP QWORD [RIP+0x8e5e830]} .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778419f0 6 bytes {JMP QWORD [RIP+0x8f1e640]} .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077841b00 6 bytes {JMP QWORD [RIP+0x8cfe530]} .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077841bd0 6 bytes {JMP QWORD [RIP+0x8dbe460]} .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077841d20 6 bytes {JMP QWORD [RIP+0x8ebe310]} .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077841d30 6 bytes {JMP QWORD [RIP+0x8efe300]} .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778420a0 6 bytes {JMP QWORD [RIP+0x8dddf90]} .text 
C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077842130 6 bytes {JMP QWORD [RIP+0x8eddf00]} .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778429a0 6 bytes {JMP QWORD [RIP+0x8dfd690]} .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077842a20 6 bytes {JMP QWORD [RIP+0x8d5d610]} .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077842aa0 6 bytes {JMP QWORD [RIP+0x8d7d590]} .text C:\Windows\system32\services.exe[720] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000775d98e0 6 bytes {JMP QWORD [RIP+0x8ac6750]} .text C:\Windows\system32\services.exe[720] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000775f0650 6 bytes {JMP QWORD [RIP+0x8a6f9e0]} .text C:\Windows\system32\services.exe[720] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007766acf0 6 bytes {JMP QWORD [RIP+0x8a15340]} .text C:\Windows\system32\services.exe[720] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd959055 3 bytes [B5, 6F, 1A] .text C:\Windows\system32\services.exe[720] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9653c0 5 bytes [FF, 25, 70, AC, 1E] .text C:\Windows\system32\services.exe[720] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefda03e80 6 bytes {JMP QWORD [RIP+0x16c1b0]} .text C:\Windows\system32\services.exe[720] C:\Windows\system32\SspiCli.dll!EncryptMessage 000007fefd3f50a0 6 bytes {JMP QWORD [RIP+0x4af90]} .text C:\Windows\system32\services.exe[720] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 00000000776f6ef0 6 bytes {JMP QWORD [RIP+0x8ce9140]} .text C:\Windows\system32\services.exe[720] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00000000776f8184 6 bytes {JMP QWORD [RIP+0x8dc7eac]} .text C:\Windows\system32\services.exe[720] C:\Windows\system32\USER32.dll!SetParent 
00000000776f8530 6 bytes {JMP QWORD [RIP+0x8d07b00]} .text C:\Windows\system32\services.exe[720] C:\Windows\system32\USER32.dll!SetWindowLongA 00000000776f9bcc 6 bytes {JMP QWORD [RIP+0x8a66464]} .text C:\Windows\system32\services.exe[720] C:\Windows\system32\USER32.dll!PostMessageA 00000000776fa404 6 bytes {JMP QWORD [RIP+0x8aa5c2c]} .text C:\Windows\system32\services.exe[720] C:\Windows\system32\USER32.dll!EnableWindow 00000000776faaa0 6 bytes {JMP QWORD [RIP+0x8e05590]} .text C:\Windows\system32\services.exe[720] C:\Windows\system32\USER32.dll!MoveWindow 00000000776faad0 6 bytes {JMP QWORD [RIP+0x8d25560]} .text C:\Windows\system32\services.exe[720] C:\Windows\system32\USER32.dll!GetAsyncKeyState 00000000776fc720 6 bytes {JMP QWORD [RIP+0x8cc3910]} .text C:\Windows\system32\services.exe[720] C:\Windows\system32\USER32.dll!RegisterHotKey 00000000776fcd50 6 bytes {JMP QWORD [RIP+0x8da32e0]} .text C:\Windows\system32\services.exe[720] C:\Windows\system32\USER32.dll!PostThreadMessageA 00000000776fd2b0 6 bytes {JMP QWORD [RIP+0x8ae2d80]} .text C:\Windows\system32\services.exe[720] C:\Windows\system32\USER32.dll!SendMessageA 00000000776fd338 6 bytes {JMP QWORD [RIP+0x8b22cf8]} .text C:\Windows\system32\services.exe[720] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00000000776fdc40 6 bytes {JMP QWORD [RIP+0x8c023f0]} .text C:\Windows\system32\services.exe[720] C:\Windows\system32\USER32.dll!SystemParametersInfoW 00000000776ff510 6 bytes {JMP QWORD [RIP+0x8de0b20]} .text C:\Windows\system32\services.exe[720] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00000000776ff874 6 bytes {JMP QWORD [RIP+0x8a207bc]} .text C:\Windows\system32\services.exe[720] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 00000000776ffac0 6 bytes {JMP QWORD [RIP+0x8b80570]} .text C:\Windows\system32\services.exe[720] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000077700b74 6 bytes {JMP QWORD [RIP+0x8aff4bc]} .text C:\Windows\system32\services.exe[720] 
C:\Windows\system32\USER32.dll!SetWindowLongW 00000000777033b0 6 bytes {JMP QWORD [RIP+0x8a7cc80]} .text C:\Windows\system32\services.exe[720] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 0000000077704d4d 5 bytes {JMP QWORD [RIP+0x8a3b2e4]} .text C:\Windows\system32\services.exe[720] C:\Windows\system32\USER32.dll!GetKeyState 0000000077705010 6 bytes {JMP QWORD [RIP+0x8c9b020]} .text C:\Windows\system32\services.exe[720] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000077705438 6 bytes {JMP QWORD [RIP+0x8bbabf8]} .text C:\Windows\system32\services.exe[720] C:\Windows\system32\USER32.dll!SendMessageW 0000000077706b50 6 bytes {JMP QWORD [RIP+0x8b394e0]} .text C:\Windows\system32\services.exe[720] C:\Windows\system32\USER32.dll!PostMessageW 00000000777076e4 6 bytes {JMP QWORD [RIP+0x8ab894c]} .text C:\Windows\system32\services.exe[720] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 000000007770dd90 6 bytes {JMP QWORD [RIP+0x8c322a0]} .text C:\Windows\system32\services.exe[720] C:\Windows\system32\USER32.dll!GetClipboardData 000000007770e874 6 bytes {JMP QWORD [RIP+0x8d717bc]} .text C:\Windows\system32\services.exe[720] C:\Windows\system32\USER32.dll!SetClipboardViewer 000000007770f780 6 bytes {JMP QWORD [RIP+0x8d308b0]} .text C:\Windows\system32\services.exe[720] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000777128e4 6 bytes {JMP QWORD [RIP+0x8bcd74c]} .text C:\Windows\system32\services.exe[720] C:\Windows\system32\USER32.dll!mouse_event 0000000077713894 6 bytes {JMP QWORD [RIP+0x89cc79c]} .text C:\Windows\system32\services.exe[720] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000077718a10 6 bytes {JMP QWORD [RIP+0x8c67620]} .text C:\Windows\system32\services.exe[720] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000077718be0 6 bytes {JMP QWORD [RIP+0x8b47450]} .text C:\Windows\system32\services.exe[720] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000077718c20 6 bytes {JMP QWORD [RIP+0x89e7410]} .text 
C:\Windows\system32\services.exe[720] C:\Windows\system32\USER32.dll!SendInput 0000000077718cd0 6 bytes {JMP QWORD [RIP+0x8c47360]} .text C:\Windows\system32\services.exe[720] C:\Windows\system32\USER32.dll!BlockInput 000000007771ad60 6 bytes {JMP QWORD [RIP+0x8d452d0]} .text C:\Windows\system32\services.exe[720] C:\Windows\system32\USER32.dll!ExitWindowsEx 00000000777414e0 6 bytes {JMP QWORD [RIP+0x8ddeb50]} .text C:\Windows\system32\services.exe[720] C:\Windows\system32\USER32.dll!keybd_event 00000000777645a4 6 bytes {JMP QWORD [RIP+0x895ba8c]} .text C:\Windows\system32\services.exe[720] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 000000007776cc08 6 bytes {JMP QWORD [RIP+0x8bb3428]} .text C:\Windows\system32\services.exe[720] C:\Windows\system32\USER32.dll!SendMessageCallbackA 000000007776df18 6 bytes {JMP QWORD [RIP+0x8b32118]} .text C:\Windows\system32\services.exe[720] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff5d22cc 6 bytes JMP 0 .text C:\Windows\system32\services.exe[720] C:\Windows\system32\GDI32.dll!BitBlt 000007feff5d24c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\services.exe[720] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff5d5bf0 6 bytes {JMP QWORD [RIP+0x12a440]} .text C:\Windows\system32\services.exe[720] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff5d8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\services.exe[720] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff5d89d8 6 bytes {JMP QWORD [RIP+0x87658]} .text C:\Windows\system32\services.exe[720] C:\Windows\system32\GDI32.dll!GetPixel 000007feff5d9344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\services.exe[720] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff5db9f8 6 bytes {JMP QWORD [RIP+0x164638]} .text C:\Windows\system32\services.exe[720] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff5dc8e0 6 bytes {JMP QWORD [RIP+0x143750]} .text C:\Windows\system32\lsass.exe[736] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 
0000000077813b10 6 bytes {JMP QWORD [RIP+0x882c520]} .text C:\Windows\system32\lsass.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778413a0 6 bytes {JMP QWORD [RIP+0x87dec90]} .text C:\Windows\system32\lsass.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077841570 6 bytes {JMP QWORD [RIP+0x8d9eac0]} .text C:\Windows\system32\lsass.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778415e0 6 bytes {JMP QWORD [RIP+0x8e7ea50]} .text C:\Windows\system32\lsass.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077841620 6 bytes {JMP QWORD [RIP+0x8e3ea10]} .text C:\Windows\system32\lsass.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778416c0 6 bytes {JMP QWORD [RIP+0x8e9e970]} .text C:\Windows\system32\lsass.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077841750 6 bytes {JMP QWORD [RIP+0x8e1e8e0]} .text C:\Windows\system32\lsass.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077841790 6 bytes {JMP QWORD [RIP+0x8d1e8a0]} .text C:\Windows\system32\lsass.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778417e0 6 bytes {JMP QWORD [RIP+0x8d3e850]} .text C:\Windows\system32\lsass.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077841800 6 bytes {JMP QWORD [RIP+0x8e5e830]} .text C:\Windows\system32\lsass.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778419f0 6 bytes {JMP QWORD [RIP+0x8f1e640]} .text C:\Windows\system32\lsass.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077841b00 6 bytes {JMP QWORD [RIP+0x8cfe530]} .text C:\Windows\system32\lsass.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077841bd0 6 bytes {JMP QWORD [RIP+0x8dbe460]} .text C:\Windows\system32\lsass.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077841d20 6 bytes {JMP QWORD [RIP+0x8ebe310]} .text C:\Windows\system32\lsass.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077841d30 6 
bytes {JMP QWORD [RIP+0x8efe300]} .text C:\Windows\system32\lsass.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778420a0 6 bytes {JMP QWORD [RIP+0x8dddf90]} .text C:\Windows\system32\lsass.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077842130 6 bytes {JMP QWORD [RIP+0x8eddf00]} .text C:\Windows\system32\lsass.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778429a0 6 bytes {JMP QWORD [RIP+0x8dfd690]} .text C:\Windows\system32\lsass.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077842a20 6 bytes {JMP QWORD [RIP+0x8d5d610]} .text C:\Windows\system32\lsass.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077842aa0 6 bytes {JMP QWORD [RIP+0x8d7d590]} .text C:\Windows\system32\lsass.exe[736] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000775d98e0 6 bytes {JMP QWORD [RIP+0x8ac6750]} .text C:\Windows\system32\lsass.exe[736] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000775f0650 6 bytes {JMP QWORD [RIP+0x8a6f9e0]} .text C:\Windows\system32\lsass.exe[736] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007766acf0 6 bytes {JMP QWORD [RIP+0x8a15340]} .text C:\Windows\system32\lsass.exe[736] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd959055 3 bytes [B5, 6F, 1A] .text C:\Windows\system32\lsass.exe[736] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9653c0 5 bytes [FF, 25, 70, AC, 1E] .text C:\Windows\system32\lsass.exe[736] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff5d22cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\lsass.exe[736] C:\Windows\system32\GDI32.dll!BitBlt 000007feff5d24c0 6 bytes JMP 0 .text C:\Windows\system32\lsass.exe[736] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff5d5bf0 6 bytes {JMP QWORD [RIP+0x12a440]} .text C:\Windows\system32\lsass.exe[736] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff5d8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text 
C:\Windows\system32\lsass.exe[736] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff5d89d8 6 bytes {JMP QWORD [RIP+0x87658]} .text C:\Windows\system32\lsass.exe[736] C:\Windows\system32\GDI32.dll!GetPixel 000007feff5d9344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\lsass.exe[736] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff5db9f8 6 bytes {JMP QWORD [RIP+0x164638]} .text C:\Windows\system32\lsass.exe[736] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff5dc8e0 6 bytes {JMP QWORD [RIP+0x143750]} .text C:\Windows\system32\lsass.exe[736] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefeb1a6f0 6 bytes {JMP QWORD [RIP+0xb5940]} .text C:\Windows\system32\lsass.exe[736] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefeb40c10 6 bytes JMP 1f501f40 .text C:\Windows\system32\lsass.exe[736] C:\Windows\system32\SspiCli.dll!EncryptMessage 000007fefd3f50a0 6 bytes {JMP QWORD [RIP+0x5af90]} .text C:\Windows\system32\lsm.exe[744] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077813b10 6 bytes {JMP QWORD [RIP+0x882c520]} .text C:\Windows\system32\lsm.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778413a0 6 bytes {JMP QWORD [RIP+0x87dec90]} .text C:\Windows\system32\lsm.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077841570 6 bytes {JMP QWORD [RIP+0x8d9eac0]} .text C:\Windows\system32\lsm.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778415e0 6 bytes {JMP QWORD [RIP+0x8e7ea50]} .text C:\Windows\system32\lsm.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077841620 6 bytes {JMP QWORD [RIP+0x8e3ea10]} .text C:\Windows\system32\lsm.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778416c0 6 bytes {JMP QWORD [RIP+0x8e9e970]} .text C:\Windows\system32\lsm.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077841750 6 bytes {JMP QWORD [RIP+0x8e1e8e0]} .text C:\Windows\system32\lsm.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 
0000000077841790 6 bytes {JMP QWORD [RIP+0x8d1e8a0]} .text C:\Windows\system32\lsm.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778417e0 6 bytes {JMP QWORD [RIP+0x8d3e850]} .text C:\Windows\system32\lsm.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077841800 6 bytes {JMP QWORD [RIP+0x8e5e830]} .text C:\Windows\system32\lsm.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778419f0 6 bytes {JMP QWORD [RIP+0x8f1e640]} .text C:\Windows\system32\lsm.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077841b00 6 bytes {JMP QWORD [RIP+0x8cfe530]} .text C:\Windows\system32\lsm.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077841bd0 6 bytes {JMP QWORD [RIP+0x8dbe460]} .text C:\Windows\system32\lsm.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077841d20 6 bytes {JMP QWORD [RIP+0x8ebe310]} .text C:\Windows\system32\lsm.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077841d30 6 bytes {JMP QWORD [RIP+0x8efe300]} .text C:\Windows\system32\lsm.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778420a0 6 bytes {JMP QWORD [RIP+0x8dddf90]} .text C:\Windows\system32\lsm.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077842130 6 bytes {JMP QWORD [RIP+0x8eddf00]} .text C:\Windows\system32\lsm.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778429a0 6 bytes {JMP QWORD [RIP+0x8dfd690]} .text C:\Windows\system32\lsm.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077842a20 6 bytes {JMP QWORD [RIP+0x8d5d610]} .text C:\Windows\system32\lsm.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077842aa0 6 bytes {JMP QWORD [RIP+0x8d7d590]} .text C:\Windows\system32\lsm.exe[744] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd959055 3 bytes [B5, 6F, 1A] .text C:\Windows\system32\lsm.exe[744] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9653c0 
5 bytes [FF, 25, 70, AC, 1E] .text C:\Windows\system32\lsm.exe[744] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff5d22cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\lsm.exe[744] C:\Windows\system32\GDI32.dll!BitBlt 000007feff5d24c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\lsm.exe[744] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff5d5bf0 6 bytes {JMP QWORD [RIP+0x12a440]} .text C:\Windows\system32\lsm.exe[744] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff5d8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\lsm.exe[744] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff5d89d8 6 bytes {JMP QWORD [RIP+0x87658]} .text C:\Windows\system32\lsm.exe[744] C:\Windows\system32\GDI32.dll!GetPixel 000007feff5d9344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\lsm.exe[744] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff5db9f8 6 bytes JMP 0 .text C:\Windows\system32\lsm.exe[744] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff5dc8e0 6 bytes {JMP QWORD [RIP+0x143750]} .text C:\Windows\system32\lsm.exe[744] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 00000000010a50a0 6 bytes {JMP QWORD [RIP+0xfaf90]} .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077813b10 6 bytes {JMP QWORD [RIP+0x882c520]} .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778413a0 6 bytes {JMP QWORD [RIP+0x87dec90]} .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077841570 6 bytes {JMP QWORD [RIP+0x8d9eac0]} .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778415e0 6 bytes {JMP QWORD [RIP+0x8e7ea50]} .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077841620 6 bytes {JMP QWORD [RIP+0x8e3ea10]} .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778416c0 6 bytes 
{JMP QWORD [RIP+0x8e9e970]} .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077841750 6 bytes {JMP QWORD [RIP+0x8e1e8e0]} .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077841790 6 bytes {JMP QWORD [RIP+0x8d1e8a0]} .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778417e0 6 bytes {JMP QWORD [RIP+0x8d3e850]} .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077841800 6 bytes {JMP QWORD [RIP+0x8e5e830]} .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778419f0 6 bytes {JMP QWORD [RIP+0x8f1e640]} .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077841b00 6 bytes {JMP QWORD [RIP+0x8cfe530]} .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077841bd0 6 bytes {JMP QWORD [RIP+0x8dbe460]} .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077841d20 6 bytes {JMP QWORD [RIP+0x8ebe310]} .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077841d30 6 bytes {JMP QWORD [RIP+0x8efe300]} .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778420a0 6 bytes {JMP QWORD [RIP+0x8dddf90]} .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077842130 6 bytes {JMP QWORD [RIP+0x8eddf00]} .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778429a0 6 bytes {JMP QWORD [RIP+0x8dfd690]} .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077842a20 6 bytes {JMP QWORD [RIP+0x8d5d610]} .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 
0000000077842aa0 6 bytes {JMP QWORD [RIP+0x8d7d590]} .text C:\Windows\system32\svchost.exe[900] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd959055 3 bytes CALL d0000000 .text C:\Windows\system32\svchost.exe[900] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9653c0 5 bytes JMP 0 .text C:\Windows\system32\svchost.exe[900] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefda03e80 6 bytes JMP 4f10 .text C:\Windows\system32\svchost.exe[900] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff5d22cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\svchost.exe[900] C:\Windows\system32\GDI32.dll!BitBlt 000007feff5d24c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\svchost.exe[900] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff5d5bf0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[900] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff5d8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[900] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff5d89d8 6 bytes {JMP QWORD [RIP+0x87658]} .text C:\Windows\system32\svchost.exe[900] C:\Windows\system32\GDI32.dll!GetPixel 000007feff5d9344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\svchost.exe[900] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff5db9f8 6 bytes JMP 740073 .text C:\Windows\system32\svchost.exe[900] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff5dc8e0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[900] c:\windows\system32\SspiCli.dll!EncryptMessage 000007fefd3f50a0 6 bytes {JMP QWORD [RIP+0x4af90]} .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000779ef9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000779ef9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] 
C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000779efcb0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000779efcb4 2 bytes [F0, 70] .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000779efd64 3 bytes JMP 70dc000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000779efd68 2 bytes JMP 70dc000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000779efdc8 3 bytes JMP 70e2000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000779efdcc 2 bytes JMP 70e2000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000779efec0 3 bytes JMP 70d9000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000779efec4 2 bytes JMP 70d9000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000779effa4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000779effa8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000779f0004 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000779f0008 2 bytes [FC, 70] .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] 
C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000779f0084 3 bytes JMP 70fa000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000779f0088 2 bytes JMP 70fa000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000779f00b4 3 bytes JMP 70df000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000779f00b8 2 bytes JMP 70df000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000779f03b8 3 bytes JMP 70cd000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000779f03bc 2 bytes JMP 70cd000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779f0550 3 bytes JMP 7100000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000779f0554 2 bytes JMP 7100000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000779f0694 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000779f0698 2 bytes [ED, 70] .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000779f088c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000779f0890 2 bytes [D5, 70] .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] 
C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000779f08a4 3 bytes JMP 70d0000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000779f08a8 2 bytes JMP 70d0000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000779f0df4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000779f0df8 2 bytes [EA, 70] .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000779f0ed8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000779f0edc 2 bytes [D2, 70] .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000779f1be4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000779f1be8 2 bytes [E7, 70] .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000779f1cb4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000779f1cb8 2 bytes [F6, 70] .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000779f1d8c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000779f1d90 2 bytes [F3, 70] .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] 
C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a11287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076af103d 6 bytes {JMP QWORD [RIP+0x719b001e]} .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076af1072 6 bytes {JMP QWORD [RIP+0x7198001e]} .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076b1c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076d7f784 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076d82c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000770b58b3 6 bytes JMP 717e000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000770b5ea6 6 bytes JMP 7178000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000770b7bcc 6 bytes {JMP QWORD [RIP+0x718c001e]} .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000770bb895 6 bytes {JMP QWORD [RIP+0x716e001e]} .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000770bc332 6 bytes {JMP QWORD [RIP+0x7174001e]} .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000770bcbfb 6 bytes {JMP QWORD [RIP+0x7186001e]} .text C:\Program Files 
(x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000770be743 6 bytes {JMP QWORD [RIP+0x7189001e]} .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000770e4857 6 bytes {JMP QWORD [RIP+0x7171001e]} .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076888332 6 bytes JMP 715a000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076888bff 6 bytes JMP 714e000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000768890d3 6 bytes JMP 7109000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076889679 6 bytes {JMP QWORD [RIP+0x7147001e]} .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000768897d2 6 bytes {JMP QWORD [RIP+0x7141001e]} .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007688ee09 6 bytes {JMP QWORD [RIP+0x715f001e]} .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007688efc9 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007688efcd 2 bytes [0E, 71] .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000768912a5 6 bytes JMP 7154000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007689291f 6 bytes {JMP QWORD [RIP+0x7126001e]} 
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\syswow64\USER32.dll!SetParent 0000000076892d64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076892d68 2 bytes [1D, 71] .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076892da4 6 bytes {JMP QWORD [RIP+0x7105001e]} .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076893698 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007689369c 2 bytes [1A, 71] .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076893baa 6 bytes {JMP QWORD [RIP+0x7156001e]} .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076893c61 6 bytes {JMP QWORD [RIP+0x7150001e]} .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076896110 6 bytes {JMP QWORD [RIP+0x715c001e]} .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007689612e 6 bytes {JMP QWORD [RIP+0x714a001e]} .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076896c30 6 bytes {JMP QWORD [RIP+0x710b001e]} .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076897603 6 bytes {JMP QWORD [RIP+0x7162001e]} .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 
0000000076897668 6 bytes {JMP QWORD [RIP+0x7135001e]} .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000768976e0 6 bytes {JMP QWORD [RIP+0x713b001e]} .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007689781f 6 bytes {JMP QWORD [RIP+0x7144001e]} .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007689835c 6 bytes {JMP QWORD [RIP+0x7165001e]} .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007689c4b6 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007689c4ba 2 bytes [17, 71] .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000768ac112 6 bytes {JMP QWORD [RIP+0x7132001e]} .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000768ad0f5 6 bytes {JMP QWORD [RIP+0x712f001e]} .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000768aeb96 6 bytes {JMP QWORD [RIP+0x7123001e]} .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000768aec68 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000768aec6c 2 bytes [29, 71] .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\syswow64\USER32.dll!SendInput 00000000768aff4a 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\IObit\Advanced 
SystemCare 7\ASCService.exe[960] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000768aff4e 2 bytes [2C, 71] .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000768c9f1d 6 bytes {JMP QWORD [RIP+0x7111001e]} .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000768d1497 6 bytes {JMP QWORD [RIP+0x7102001e]} .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\syswow64\USER32.dll!mouse_event 00000000768e027b 6 bytes {JMP QWORD [RIP+0x7168001e]} .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\syswow64\USER32.dll!keybd_event 00000000768e02bf 6 bytes {JMP QWORD [RIP+0x716b001e]} .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000768e6cfc 6 bytes {JMP QWORD [RIP+0x713e001e]} .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000768e6d5d 6 bytes {JMP QWORD [RIP+0x7138001e]} .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\syswow64\USER32.dll!BlockInput 00000000768e7dd7 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000768e7ddb 2 bytes [14, 71] .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000768e88eb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000768e88ef 2 bytes [20, 71] .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076622642 6 bytes {JMP QWORD 
[RIP+0x7195001e]} .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076625429 6 bytes {JMP QWORD [RIP+0x7192001e]} .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000765d1465 2 bytes [5D, 76] .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[960] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000765d14bb 2 bytes [5D, 76] .text ... * 2 .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000779ef9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000779ef9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000779efcb0 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000779efcb4 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000779efd64 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000779efd68 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000779efdc8 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000779efdcc 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000779efec0 3 bytes JMP 70df000a .text 
C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000779efec4 2 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000779effa4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000779effa8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000779f0004 3 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000779f0008 2 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000779f0084 3 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000779f0088 2 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000779f00b4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000779f00b8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000779f03b8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000779f03bc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779f0550 3 bytes JMP 7106000a .text C:\Program Files (x86)\Common 
Files\COMODO\launcher_service.exe[108] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000779f0554 2 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000779f0694 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000779f0698 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000779f088c 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000779f0890 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000779f08a4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000779f08a8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000779f0df4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000779f0df8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000779f0ed8 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000779f0edc 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000779f1be4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Common 
Files\COMODO\launcher_service.exe[108] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000779f1be8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000779f1cb4 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000779f1cb8 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000779f1d8c 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000779f1d90 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a11287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076af103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076af1072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076b1c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076d7f784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076d82c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 00000000753e124e 6 bytes JMP 7181000a .text C:\Program Files (x86)\Common 
Files\COMODO\launcher_service.exe[108] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076622642 6 bytes JMP 7196000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076625429 6 bytes JMP 7193000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076888332 6 bytes JMP 7160000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076888bff 6 bytes JMP 7154000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000768890d3 6 bytes JMP 710f000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076889679 6 bytes JMP 714e000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000768897d2 6 bytes JMP 7148000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007688ee09 6 bytes JMP 7166000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007688efc9 3 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007688efcd 2 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000768912a5 6 bytes JMP 715a000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007689291f 6 bytes JMP 712d000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] 
C:\Windows\syswow64\USER32.dll!SetParent 0000000076892d64 3 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076892d68 2 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076892da4 6 bytes JMP 710c000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076893698 3 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007689369c 2 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076893baa 6 bytes JMP 715d000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076893c61 6 bytes JMP 7157000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076896110 6 bytes JMP 7163000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007689612e 6 bytes JMP 7151000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076896c30 6 bytes JMP 7112000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076897603 6 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076897668 6 bytes JMP 713c000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000768976e0 6 bytes JMP 7142000a 
.text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007689781f 6 bytes JMP 714b000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007689835c 6 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007689c4b6 3 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007689c4ba 2 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000768ac112 6 bytes JMP 7139000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000768ad0f5 6 bytes JMP 7136000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000768aeb96 6 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000768aec68 3 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000768aec6c 2 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\syswow64\USER32.dll!SendInput 00000000768aff4a 3 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000768aff4e 2 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000768c9f1d 6 bytes JMP 7118000a .text C:\Program Files (x86)\Common 
Files\COMODO\launcher_service.exe[108] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000768d1497 6 bytes JMP 7109000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\syswow64\USER32.dll!mouse_event 00000000768e027b 6 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\syswow64\USER32.dll!keybd_event 00000000768e02bf 6 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000768e6cfc 6 bytes JMP 7145000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000768e6d5d 6 bytes JMP 713f000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\syswow64\USER32.dll!BlockInput 00000000768e7dd7 3 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000768e7ddb 2 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000768e88eb 3 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000768e88ef 2 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000770b58b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000770b5ea6 6 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000770b7bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\syswow64\GDI32.dll!StretchBlt 
00000000770bb895 6 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000770bc332 6 bytes JMP 717b000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000770bcbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000770be743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000770e4857 6 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000765d1465 2 bytes [5D, 76] .text C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe[108] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000765d14bb 2 bytes [5D, 76] .text ... * 2 .text C:\Windows\system32\nvvsvc.exe[424] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077813b10 6 bytes {JMP QWORD [RIP+0x882c520]} .text C:\Windows\system32\nvvsvc.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778413a0 6 bytes {JMP QWORD [RIP+0x87dec90]} .text C:\Windows\system32\nvvsvc.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077841570 6 bytes {JMP QWORD [RIP+0x8d9eac0]} .text C:\Windows\system32\nvvsvc.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778415e0 6 bytes {JMP QWORD [RIP+0x8e7ea50]} .text C:\Windows\system32\nvvsvc.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077841620 6 bytes {JMP QWORD [RIP+0x8e3ea10]} .text C:\Windows\system32\nvvsvc.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778416c0 6 bytes {JMP QWORD [RIP+0x8e9e970]} .text C:\Windows\system32\nvvsvc.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077841750 6 bytes {JMP QWORD [RIP+0x8e1e8e0]} .text 
C:\Windows\system32\nvvsvc.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077841790 6 bytes {JMP QWORD [RIP+0x8d1e8a0]} .text C:\Windows\system32\nvvsvc.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778417e0 6 bytes {JMP QWORD [RIP+0x8d3e850]} .text C:\Windows\system32\nvvsvc.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077841800 6 bytes {JMP QWORD [RIP+0x8e5e830]} .text C:\Windows\system32\nvvsvc.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778419f0 6 bytes {JMP QWORD [RIP+0x8f1e640]} .text C:\Windows\system32\nvvsvc.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077841b00 6 bytes {JMP QWORD [RIP+0x8cfe530]} .text C:\Windows\system32\nvvsvc.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077841bd0 6 bytes {JMP QWORD [RIP+0x8dbe460]} .text C:\Windows\system32\nvvsvc.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077841d20 6 bytes {JMP QWORD [RIP+0x8ebe310]} .text C:\Windows\system32\nvvsvc.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077841d30 6 bytes {JMP QWORD [RIP+0x8efe300]} .text C:\Windows\system32\nvvsvc.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778420a0 6 bytes {JMP QWORD [RIP+0x8dddf90]} .text C:\Windows\system32\nvvsvc.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077842130 6 bytes {JMP QWORD [RIP+0x8eddf00]} .text C:\Windows\system32\nvvsvc.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778429a0 6 bytes {JMP QWORD [RIP+0x8dfd690]} .text C:\Windows\system32\nvvsvc.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077842a20 6 bytes {JMP QWORD [RIP+0x8d5d610]} .text C:\Windows\system32\nvvsvc.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077842aa0 6 bytes {JMP QWORD [RIP+0x8d7d590]} .text C:\Windows\system32\nvvsvc.exe[424] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000775d98e0 6 bytes {JMP QWORD 
[RIP+0x8ac6750]} .text C:\Windows\system32\nvvsvc.exe[424] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000775f0650 6 bytes {JMP QWORD [RIP+0x8a6f9e0]} .text C:\Windows\system32\nvvsvc.exe[424] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007766acf0 6 bytes {JMP QWORD [RIP+0x8a15340]} .text C:\Windows\system32\nvvsvc.exe[424] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd959055 3 bytes [B5, 6F, 1A] .text C:\Windows\system32\nvvsvc.exe[424] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9653c0 5 bytes JMP 0 .text C:\Windows\system32\nvvsvc.exe[424] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff5d22cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\nvvsvc.exe[424] C:\Windows\system32\GDI32.dll!BitBlt 000007feff5d24c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\nvvsvc.exe[424] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff5d5bf0 6 bytes {JMP QWORD [RIP+0x12a440]} .text C:\Windows\system32\nvvsvc.exe[424] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff5d8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\nvvsvc.exe[424] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff5d89d8 6 bytes {JMP QWORD [RIP+0x87658]} .text C:\Windows\system32\nvvsvc.exe[424] C:\Windows\system32\GDI32.dll!GetPixel 000007feff5d9344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\nvvsvc.exe[424] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff5db9f8 6 bytes {JMP QWORD [RIP+0x164638]} .text C:\Windows\system32\nvvsvc.exe[424] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff5dc8e0 6 bytes {JMP QWORD [RIP+0x143750]} .text C:\Windows\system32\svchost.exe[592] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077813b10 6 bytes {JMP QWORD [RIP+0x882c520]} .text C:\Windows\system32\svchost.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778413a0 6 bytes {JMP QWORD [RIP+0x87dec90]} .text C:\Windows\system32\svchost.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 
0000000077841570 6 bytes {JMP QWORD [RIP+0x8d9eac0]} .text C:\Windows\system32\svchost.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778415e0 6 bytes {JMP QWORD [RIP+0x8e7ea50]} .text C:\Windows\system32\svchost.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077841620 6 bytes {JMP QWORD [RIP+0x8e3ea10]} .text C:\Windows\system32\svchost.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778416c0 6 bytes {JMP QWORD [RIP+0x8e9e970]} .text C:\Windows\system32\svchost.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077841750 6 bytes {JMP QWORD [RIP+0x8e1e8e0]} .text C:\Windows\system32\svchost.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077841790 6 bytes {JMP QWORD [RIP+0x8d1e8a0]} .text C:\Windows\system32\svchost.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778417e0 6 bytes {JMP QWORD [RIP+0x8d3e850]} .text C:\Windows\system32\svchost.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077841800 6 bytes {JMP QWORD [RIP+0x8e5e830]} .text C:\Windows\system32\svchost.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778419f0 6 bytes {JMP QWORD [RIP+0x8f1e640]} .text C:\Windows\system32\svchost.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077841b00 6 bytes {JMP QWORD [RIP+0x8cfe530]} .text C:\Windows\system32\svchost.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077841bd0 6 bytes {JMP QWORD [RIP+0x8dbe460]} .text C:\Windows\system32\svchost.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077841d20 6 bytes {JMP QWORD [RIP+0x8ebe310]} .text C:\Windows\system32\svchost.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077841d30 6 bytes {JMP QWORD [RIP+0x8efe300]} .text C:\Windows\system32\svchost.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778420a0 6 bytes {JMP QWORD [RIP+0x8dddf90]} .text C:\Windows\system32\svchost.exe[592] 
C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077842130 6 bytes {JMP QWORD [RIP+0x8eddf00]} .text C:\Windows\system32\svchost.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778429a0 6 bytes {JMP QWORD [RIP+0x8dfd690]} .text C:\Windows\system32\svchost.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077842a20 6 bytes {JMP QWORD [RIP+0x8d5d610]} .text C:\Windows\system32\svchost.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077842aa0 6 bytes {JMP QWORD [RIP+0x8d7d590]} .text C:\Windows\system32\svchost.exe[592] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000775d98e0 6 bytes {JMP QWORD [RIP+0x8ac6750]} .text C:\Windows\system32\svchost.exe[592] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000775f0650 6 bytes {JMP QWORD [RIP+0x8a6f9e0]} .text C:\Windows\system32\svchost.exe[592] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007766acf0 6 bytes {JMP QWORD [RIP+0x8a15340]} .text C:\Windows\system32\svchost.exe[592] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd959055 3 bytes CALL 0 .text C:\Windows\system32\svchost.exe[592] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9653c0 5 bytes JMP 0 .text C:\Windows\system32\svchost.exe[592] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefda03e80 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[592] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff5d22cc 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[592] C:\Windows\system32\GDI32.dll!BitBlt 000007feff5d24c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\svchost.exe[592] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff5d5bf0 6 bytes {JMP QWORD [RIP+0x12a440]} .text C:\Windows\system32\svchost.exe[592] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff5d8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[592] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff5d89d8 6 bytes 
{JMP QWORD [RIP+0x87658]} .text C:\Windows\system32\svchost.exe[592] C:\Windows\system32\GDI32.dll!GetPixel 000007feff5d9344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\svchost.exe[592] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff5db9f8 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[592] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff5dc8e0 6 bytes JMP a2a .text C:\Windows\system32\svchost.exe[592] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefeb1a6f0 6 bytes {JMP QWORD [RIP+0xb5940]} .text C:\Windows\system32\svchost.exe[592] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefeb40c10 6 bytes {JMP QWORD [RIP+0xaf420]} .text C:\Windows\system32\svchost.exe[592] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 000007fefd3f50a0 6 bytes {JMP QWORD [RIP+0x4af90]} .text C:\Windows\System32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077813b10 6 bytes {JMP QWORD [RIP+0x882c520]} .text C:\Windows\System32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778413a0 6 bytes {JMP QWORD [RIP+0x87dec90]} .text C:\Windows\System32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077841570 6 bytes {JMP QWORD [RIP+0x8d9eac0]} .text C:\Windows\System32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778415e0 6 bytes {JMP QWORD [RIP+0x8e7ea50]} .text C:\Windows\System32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077841620 6 bytes {JMP QWORD [RIP+0x8e3ea10]} .text C:\Windows\System32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778416c0 6 bytes {JMP QWORD [RIP+0x8e9e970]} .text C:\Windows\System32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077841750 6 bytes {JMP QWORD [RIP+0x8e1e8e0]} .text C:\Windows\System32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077841790 6 bytes {JMP QWORD [RIP+0x8d1e8a0]} .text 
C:\Windows\System32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778417e0 6 bytes {JMP QWORD [RIP+0x8d3e850]} .text C:\Windows\System32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077841800 6 bytes {JMP QWORD [RIP+0x8e5e830]} .text C:\Windows\System32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778419f0 6 bytes {JMP QWORD [RIP+0x8f1e640]} .text C:\Windows\System32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077841b00 6 bytes {JMP QWORD [RIP+0x8cfe530]} .text C:\Windows\System32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077841bd0 6 bytes {JMP QWORD [RIP+0x8dbe460]} .text C:\Windows\System32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077841d20 6 bytes {JMP QWORD [RIP+0x8ebe310]} .text C:\Windows\System32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077841d30 6 bytes {JMP QWORD [RIP+0x8efe300]} .text C:\Windows\System32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778420a0 6 bytes {JMP QWORD [RIP+0x8dddf90]} .text C:\Windows\System32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077842130 6 bytes {JMP QWORD [RIP+0x8eddf00]} .text C:\Windows\System32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778429a0 6 bytes {JMP QWORD [RIP+0x8dfd690]} .text C:\Windows\System32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077842a20 6 bytes {JMP QWORD [RIP+0x8d5d610]} .text C:\Windows\System32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077842aa0 6 bytes {JMP QWORD [RIP+0x8d7d590]} .text C:\Windows\System32\svchost.exe[1108] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000775d98e0 6 bytes {JMP QWORD [RIP+0x8ac6750]} .text C:\Windows\System32\svchost.exe[1108] C:\Windows\system32\kernel32.dll!CreateProcessW 
00000000775f0650 6 bytes {JMP QWORD [RIP+0x8a6f9e0]} .text C:\Windows\System32\svchost.exe[1108] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007766acf0 6 bytes {JMP QWORD [RIP+0x8a15340]} .text C:\Windows\System32\svchost.exe[1108] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd959055 3 bytes [B5, 6F, 1A] .text C:\Windows\System32\svchost.exe[1108] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9653c0 5 bytes [FF, 25, 70, AC, 1E] .text C:\Windows\System32\svchost.exe[1108] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff5d22cc 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[1108] C:\Windows\system32\GDI32.dll!BitBlt 000007feff5d24c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\System32\svchost.exe[1108] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff5d5bf0 6 bytes {JMP QWORD [RIP+0x12a440]} .text C:\Windows\System32\svchost.exe[1108] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff5d8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\System32\svchost.exe[1108] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff5d89d8 6 bytes {JMP QWORD [RIP+0x87658]} .text C:\Windows\System32\svchost.exe[1108] C:\Windows\system32\GDI32.dll!GetPixel 000007feff5d9344 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[1108] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff5db9f8 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[1108] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff5dc8e0 6 bytes JMP a2a .text C:\Windows\System32\svchost.exe[1108] C:\Windows\System32\SSPICLI.DLL!EncryptMessage 000007fefd3f50a0 6 bytes {JMP QWORD [RIP+0x4af90]} .text C:\Windows\System32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077813b10 6 bytes JMP 71ebc700 .text C:\Windows\System32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778413a0 6 bytes JMP c580 .text C:\Windows\System32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077841570 6 bytes JMP 330032 
.text C:\Windows\System32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778415e0 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077841620 6 bytes JMP 1 .text C:\Windows\System32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778416c0 6 bytes JMP 4c29389 .text C:\Windows\System32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077841750 6 bytes JMP 987a870 .text C:\Windows\System32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077841790 6 bytes JMP b8b7bb40 .text C:\Windows\System32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778417e0 6 bytes JMP c6f1c6f1 .text C:\Windows\System32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077841800 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778419f0 6 bytes JMP 8f1e628 .text C:\Windows\System32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077841b00 6 bytes JMP 9140fb9 .text C:\Windows\System32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077841bd0 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077841d20 6 bytes JMP 17d580 .text C:\Windows\System32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077841d30 6 bytes JMP 8fb6260 .text C:\Windows\System32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778420a0 6 bytes JMP 921eb40 .text C:\Windows\System32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077842130 6 bytes JMP 72fdc68 .text C:\Windows\System32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778429a0 6 bytes JMP 8fc5441 .text C:\Windows\System32\svchost.exe[1144] 
C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077842a20 6 bytes JMP 9880 .text C:\Windows\System32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077842aa0 6 bytes JMP 92112c9 .text C:\Windows\System32\svchost.exe[1144] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000775d98e0 6 bytes JMP 82d4a01 .text C:\Windows\System32\svchost.exe[1144] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000775f0650 6 bytes JMP 94fcc21 .text C:\Windows\System32\svchost.exe[1144] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007766acf0 6 bytes JMP 94fcc21 .text C:\Windows\System32\svchost.exe[1144] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd959055 3 bytes [B5, 6F, 1A] .text C:\Windows\System32\svchost.exe[1144] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9653c0 5 bytes [FF, 25, 70, AC, 1E] .text C:\Windows\System32\svchost.exe[1144] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff5d22cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\System32\svchost.exe[1144] C:\Windows\system32\GDI32.dll!BitBlt 000007feff5d24c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\System32\svchost.exe[1144] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff5d5bf0 6 bytes {JMP QWORD [RIP+0x12a440]} .text C:\Windows\System32\svchost.exe[1144] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff5d8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\System32\svchost.exe[1144] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff5d89d8 6 bytes JMP 43d9 .text C:\Windows\System32\svchost.exe[1144] C:\Windows\system32\GDI32.dll!GetPixel 000007feff5d9344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\System32\svchost.exe[1144] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff5db9f8 6 bytes {JMP QWORD [RIP+0x164638]} .text C:\Windows\System32\svchost.exe[1144] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff5dc8e0 6 bytes {JMP QWORD [RIP+0x143750]} .text C:\Windows\System32\svchost.exe[1144] 
C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefeb1a6f0 6 bytes {JMP QWORD [RIP+0xb5940]} .text C:\Windows\System32\svchost.exe[1144] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefeb40c10 6 bytes JMP 1f501f40 .text C:\Windows\System32\svchost.exe[1144] C:\Windows\System32\SspiCli.dll!EncryptMessage 000007fefd3f50a0 6 bytes {JMP QWORD [RIP+0x4af90]} .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077813b10 6 bytes {JMP QWORD [RIP+0x882c520]} .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778413a0 6 bytes {JMP QWORD [RIP+0x87dec90]} .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077841570 6 bytes {JMP QWORD [RIP+0x8d9eac0]} .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778415e0 6 bytes {JMP QWORD [RIP+0x8e7ea50]} .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077841620 6 bytes {JMP QWORD [RIP+0x8e3ea10]} .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778416c0 6 bytes {JMP QWORD [RIP+0x8e9e970]} .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077841750 6 bytes {JMP QWORD [RIP+0x8e1e8e0]} .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077841790 6 bytes {JMP QWORD [RIP+0x8d1e8a0]} .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778417e0 6 bytes {JMP QWORD [RIP+0x8d3e850]} .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077841800 6 bytes {JMP QWORD [RIP+0x8e5e830]} .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778419f0 6 bytes {JMP QWORD [RIP+0x8f1e640]} .text C:\Windows\system32\svchost.exe[1188] 
C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077841b00 6 bytes {JMP QWORD [RIP+0x8cfe530]} .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077841bd0 6 bytes {JMP QWORD [RIP+0x8dbe460]} .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077841d20 6 bytes {JMP QWORD [RIP+0x8ebe310]} .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077841d30 6 bytes {JMP QWORD [RIP+0x8efe300]} .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778420a0 6 bytes {JMP QWORD [RIP+0x8dddf90]} .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077842130 6 bytes {JMP QWORD [RIP+0x8eddf00]} .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778429a0 6 bytes {JMP QWORD [RIP+0x8dfd690]} .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077842a20 6 bytes {JMP QWORD [RIP+0x8d5d610]} .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077842aa0 6 bytes {JMP QWORD [RIP+0x8d7d590]} .text C:\Windows\system32\svchost.exe[1188] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000775d98e0 6 bytes {JMP QWORD [RIP+0x8ac6750]} .text C:\Windows\system32\svchost.exe[1188] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000775f0650 6 bytes {JMP QWORD [RIP+0x8a6f9e0]} .text C:\Windows\system32\svchost.exe[1188] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007766acf0 6 bytes {JMP QWORD [RIP+0x8a15340]} .text C:\Windows\system32\svchost.exe[1188] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd959055 3 bytes CALL 30003000 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9653c0 5 bytes JMP 0 
.text C:\Windows\system32\svchost.exe[1188] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff5d22cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\svchost.exe[1188] C:\Windows\system32\GDI32.dll!BitBlt 000007feff5d24c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\svchost.exe[1188] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff5d5bf0 6 bytes {JMP QWORD [RIP+0x12a440]} .text C:\Windows\system32\svchost.exe[1188] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff5d8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[1188] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff5d89d8 6 bytes {JMP QWORD [RIP+0x87658]} .text C:\Windows\system32\svchost.exe[1188] C:\Windows\system32\GDI32.dll!GetPixel 000007feff5d9344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\svchost.exe[1188] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff5db9f8 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff5dc8e0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 000007fefd3f50a0 6 bytes {JMP QWORD [RIP+0x4af90]} .text C:\Windows\system32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077813b10 6 bytes {JMP QWORD [RIP+0x882c520]} .text C:\Windows\system32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778413a0 6 bytes {JMP QWORD [RIP+0x87dec90]} .text C:\Windows\system32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077841570 6 bytes {JMP QWORD [RIP+0x8d9eac0]} .text C:\Windows\system32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778415e0 6 bytes {JMP QWORD [RIP+0x8e7ea50]} .text C:\Windows\system32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077841620 6 bytes {JMP QWORD [RIP+0x8e3ea10]} .text C:\Windows\system32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778416c0 6 bytes 
{JMP QWORD [RIP+0x8e9e970]} .text C:\Windows\system32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077841750 6 bytes {JMP QWORD [RIP+0x8e1e8e0]} .text C:\Windows\system32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077841790 6 bytes {JMP QWORD [RIP+0x8d1e8a0]} .text C:\Windows\system32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778417e0 6 bytes {JMP QWORD [RIP+0x8d3e850]} .text C:\Windows\system32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077841800 6 bytes {JMP QWORD [RIP+0x8e5e830]} .text C:\Windows\system32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778419f0 6 bytes {JMP QWORD [RIP+0x8f1e640]} .text C:\Windows\system32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077841b00 6 bytes {JMP QWORD [RIP+0x8cfe530]} .text C:\Windows\system32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077841bd0 6 bytes {JMP QWORD [RIP+0x8dbe460]} .text C:\Windows\system32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077841d20 6 bytes {JMP QWORD [RIP+0x8ebe310]} .text C:\Windows\system32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077841d30 6 bytes {JMP QWORD [RIP+0x8efe300]} .text C:\Windows\system32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778420a0 6 bytes {JMP QWORD [RIP+0x8dddf90]} .text C:\Windows\system32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077842130 6 bytes {JMP QWORD [RIP+0x8eddf00]} .text C:\Windows\system32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778429a0 6 bytes {JMP QWORD [RIP+0x8dfd690]} .text C:\Windows\system32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077842a20 6 bytes {JMP QWORD [RIP+0x8d5d610]} .text C:\Windows\system32\svchost.exe[1220] 
C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077842aa0 6 bytes {JMP QWORD [RIP+0x8d7d590]} .text C:\Windows\system32\svchost.exe[1220] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000775d98e0 6 bytes {JMP QWORD [RIP+0x8ac6750]} .text C:\Windows\system32\svchost.exe[1220] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000775f0650 6 bytes {JMP QWORD [RIP+0x8a6f9e0]} .text C:\Windows\system32\svchost.exe[1220] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007766acf0 6 bytes {JMP QWORD [RIP+0x8a15340]} .text C:\Windows\system32\svchost.exe[1220] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd959055 3 bytes [B5, 6F, 1A] .text C:\Windows\system32\svchost.exe[1220] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9653c0 5 bytes [FF, 25, 70, AC, 1E] .text C:\Windows\system32\svchost.exe[1220] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefda03e80 6 bytes JMP 300034 .text C:\Windows\system32\svchost.exe[1220] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff5d22cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\svchost.exe[1220] C:\Windows\system32\GDI32.dll!BitBlt 000007feff5d24c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\svchost.exe[1220] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff5d5bf0 6 bytes {JMP QWORD [RIP+0x12a440]} .text C:\Windows\system32\svchost.exe[1220] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff5d8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[1220] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff5d89d8 6 bytes {JMP QWORD [RIP+0x87658]} .text C:\Windows\system32\svchost.exe[1220] C:\Windows\system32\GDI32.dll!GetPixel 000007feff5d9344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\svchost.exe[1220] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff5db9f8 6 bytes JMP 2ba7 .text C:\Windows\system32\svchost.exe[1220] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff5dc8e0 6 bytes 
JMP 406 .text C:\Windows\system32\svchost.exe[1220] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefeb1a6f0 6 bytes {JMP QWORD [RIP+0xb5940]} .text C:\Windows\system32\svchost.exe[1220] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefeb40c10 6 bytes {JMP QWORD [RIP+0xaf420]} .text C:\Windows\system32\svchost.exe[1220] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 000007fefd3f50a0 6 bytes {JMP QWORD [RIP+0x4af90]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077813b10 6 bytes {JMP QWORD [RIP+0x882c520]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778413a0 6 bytes {JMP QWORD [RIP+0x87dec90]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077841570 6 bytes {JMP QWORD [RIP+0x8d9eac0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778415e0 6 bytes {JMP QWORD [RIP+0x8e7ea50]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077841620 6 bytes {JMP QWORD [RIP+0x8e3ea10]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778416c0 6 bytes {JMP QWORD [RIP+0x8e9e970]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077841750 6 bytes {JMP QWORD [RIP+0x8e1e8e0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077841790 6 bytes {JMP QWORD [RIP+0x8d1e8a0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778417e0 6 bytes {JMP QWORD [RIP+0x8d3e850]} .text C:\Program Files\NVIDIA 
Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077841800 6 bytes {JMP QWORD [RIP+0x8e5e830]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778419f0 6 bytes {JMP QWORD [RIP+0x8f1e640]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077841b00 6 bytes {JMP QWORD [RIP+0x8cfe530]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077841bd0 6 bytes {JMP QWORD [RIP+0x8dbe460]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077841d20 6 bytes {JMP QWORD [RIP+0x8ebe310]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077841d30 6 bytes {JMP QWORD [RIP+0x8efe300]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778420a0 6 bytes {JMP QWORD [RIP+0x8dddf90]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077842130 6 bytes {JMP QWORD [RIP+0x8eddf00]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778429a0 6 bytes {JMP QWORD [RIP+0x8dfd690]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077842a20 6 bytes {JMP QWORD [RIP+0x8d5d610]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077842aa0 6 bytes {JMP QWORD [RIP+0x8d7d590]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000775d98e0 6 
bytes {JMP QWORD [RIP+0x8ac6750]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000775f0650 6 bytes {JMP QWORD [RIP+0x8a6f9e0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007766acf0 6 bytes {JMP QWORD [RIP+0x8a15340]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd959055 3 bytes [B5, 6F, 1A] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9653c0 5 bytes [FF, 25, 70, AC, 1E] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff5d22cc 6 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\system32\GDI32.dll!BitBlt 000007feff5d24c0 6 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff5d5bf0 6 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff5d8398 6 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff5d89d8 6 bytes JMP 730079 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\system32\GDI32.dll!GetPixel 000007feff5d9344 6 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff5db9f8 6 bytes JMP 1185 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff5dc8e0 6 bytes JMP fd7273d4 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\system32\SspiCli.dll!EncryptMessage 000007fefd3f50a0 6 bytes {JMP QWORD 
[RIP+0x4af90]} .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077813b10 6 bytes {JMP QWORD [RIP+0x882c520]} .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778413a0 6 bytes {JMP QWORD [RIP+0x87dec90]} .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077841570 6 bytes {JMP QWORD [RIP+0x8d9eac0]} .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778415e0 6 bytes {JMP QWORD [RIP+0x8e7ea50]} .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077841620 6 bytes {JMP QWORD [RIP+0x8e3ea10]} .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778416c0 6 bytes {JMP QWORD [RIP+0x8e9e970]} .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077841750 6 bytes {JMP QWORD [RIP+0x8e1e8e0]} .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077841790 6 bytes {JMP QWORD [RIP+0x8d1e8a0]} .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778417e0 6 bytes {JMP QWORD [RIP+0x8d3e850]} .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077841800 6 bytes {JMP QWORD [RIP+0x8e5e830]} .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778419f0 6 bytes {JMP QWORD [RIP+0x8f1e640]} .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077841b00 6 bytes {JMP QWORD [RIP+0x8cfe530]} .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077841bd0 6 bytes {JMP QWORD [RIP+0x8dbe460]} .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077841d20 6 bytes {JMP QWORD 
[RIP+0x8ebe310]} .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077841d30 6 bytes {JMP QWORD [RIP+0x8efe300]} .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778420a0 6 bytes {JMP QWORD [RIP+0x8dddf90]} .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077842130 6 bytes {JMP QWORD [RIP+0x8eddf00]} .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778429a0 6 bytes {JMP QWORD [RIP+0x8dfd690]} .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077842a20 6 bytes {JMP QWORD [RIP+0x8d5d610]} .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077842aa0 6 bytes {JMP QWORD [RIP+0x8d7d590]} .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000775d98e0 6 bytes {JMP QWORD [RIP+0x8ac6750]} .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000775f0650 6 bytes {JMP QWORD [RIP+0x8a6f9e0]} .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007766acf0 6 bytes {JMP QWORD [RIP+0x8a15340]} .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd959055 3 bytes [B5, 6F, 1A] .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9653c0 5 bytes [FF, 25, 70, AC, 1E] .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff5d22cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\system32\GDI32.dll!BitBlt 000007feff5d24c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff5d5bf0 6 bytes {JMP QWORD 
[RIP+0x12a440]} .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff5d8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff5d89d8 6 bytes {JMP QWORD [RIP+0x87658]} .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\system32\GDI32.dll!GetPixel 000007feff5d9344 6 bytes JMP 0 .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff5db9f8 6 bytes {JMP QWORD [RIP+0x164638]} .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff5dc8e0 6 bytes {JMP QWORD [RIP+0x143750]} .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\system32\SspiCli.dll!EncryptMessage 000007fefd3f50a0 6 bytes {JMP QWORD [RIP+0x4af90]} .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077813b10 6 bytes {JMP QWORD [RIP+0x882c520]} .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778413a0 6 bytes {JMP QWORD [RIP+0x87dec90]} .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077841570 6 bytes {JMP QWORD [RIP+0x8d9eac0]} .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778415e0 6 bytes {JMP QWORD [RIP+0x8e7ea50]} .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077841620 6 bytes {JMP QWORD [RIP+0x8e3ea10]} .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778416c0 6 bytes {JMP QWORD [RIP+0x8e9e970]} .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077841750 6 bytes {JMP QWORD 
[RIP+0x8e1e8e0]} .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077841790 6 bytes {JMP QWORD [RIP+0x8d1e8a0]} .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778417e0 6 bytes {JMP QWORD [RIP+0x8d3e850]} .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077841800 6 bytes {JMP QWORD [RIP+0x8e5e830]} .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778419f0 6 bytes {JMP QWORD [RIP+0x8f1e640]} .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077841b00 6 bytes {JMP QWORD [RIP+0x8cfe530]} .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077841bd0 6 bytes {JMP QWORD [RIP+0x8dbe460]} .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077841d20 6 bytes {JMP QWORD [RIP+0x8ebe310]} .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077841d30 6 bytes {JMP QWORD [RIP+0x8efe300]} .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778420a0 6 bytes {JMP QWORD [RIP+0x8dddf90]} .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077842130 6 bytes {JMP QWORD [RIP+0x8eddf00]} .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778429a0 6 bytes {JMP QWORD [RIP+0x8dfd690]} .text C:\Program Files\ThinkVantage 
Fingerprint Software\upeksvr.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077842a20 6 bytes {JMP QWORD [RIP+0x8d5d610]} .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077842aa0 6 bytes {JMP QWORD [RIP+0x8d7d590]} .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[1468] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000775d98e0 6 bytes {JMP QWORD [RIP+0x8ac6750]} .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[1468] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000775f0650 6 bytes {JMP QWORD [RIP+0x8a6f9e0]} .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[1468] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007766acf0 6 bytes {JMP QWORD [RIP+0x8a15340]} .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[1468] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd959055 3 bytes [B5, 6F, 1A] .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[1468] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9653c0 5 bytes [FF, 25, 70, AC, 1E] .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[1468] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff5d22cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[1468] C:\Windows\system32\GDI32.dll!BitBlt 000007feff5d24c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[1468] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff5d5bf0 6 bytes JMP 0 .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[1468] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff5d8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[1468] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff5d89d8 6 bytes {JMP QWORD 
[RIP+0x87658]} .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[1468] C:\Windows\system32\GDI32.dll!GetPixel 000007feff5d9344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[1468] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff5db9f8 6 bytes JMP 1185 .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[1468] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff5dc8e0 6 bytes {JMP QWORD [RIP+0x143750]} .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[1468] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 000007fefd3f50a0 6 bytes {JMP QWORD [RIP+0x4af90]} .text C:\Windows\System32\WUDFHost.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077813b10 6 bytes {JMP QWORD [RIP+0x882c520]} .text C:\Windows\System32\WUDFHost.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778413a0 6 bytes {JMP QWORD [RIP+0x87dec90]} .text C:\Windows\System32\WUDFHost.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077841570 6 bytes {JMP QWORD [RIP+0x8d9eac0]} .text C:\Windows\System32\WUDFHost.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778415e0 6 bytes {JMP QWORD [RIP+0x8e7ea50]} .text C:\Windows\System32\WUDFHost.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077841620 6 bytes {JMP QWORD [RIP+0x8e3ea10]} .text C:\Windows\System32\WUDFHost.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778416c0 6 bytes {JMP QWORD [RIP+0x8e9e970]} .text C:\Windows\System32\WUDFHost.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077841750 6 bytes {JMP QWORD [RIP+0x8e1e8e0]} .text C:\Windows\System32\WUDFHost.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077841790 6 bytes {JMP QWORD [RIP+0x8d1e8a0]} .text C:\Windows\System32\WUDFHost.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778417e0 6 bytes {JMP QWORD [RIP+0x8d3e850]} .text 
C:\Windows\System32\WUDFHost.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077841800 6 bytes {JMP QWORD [RIP+0x8e5e830]} .text C:\Windows\System32\WUDFHost.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778419f0 6 bytes {JMP QWORD [RIP+0x8f1e640]} .text C:\Windows\System32\WUDFHost.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077841b00 6 bytes {JMP QWORD [RIP+0x8cfe530]} .text C:\Windows\System32\WUDFHost.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077841bd0 6 bytes {JMP QWORD [RIP+0x8dbe460]} .text C:\Windows\System32\WUDFHost.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077841d20 6 bytes {JMP QWORD [RIP+0x8ebe310]} .text C:\Windows\System32\WUDFHost.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077841d30 6 bytes {JMP QWORD [RIP+0x8efe300]} .text C:\Windows\System32\WUDFHost.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778420a0 6 bytes {JMP QWORD [RIP+0x8dddf90]} .text C:\Windows\System32\WUDFHost.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077842130 6 bytes {JMP QWORD [RIP+0x8eddf00]} .text C:\Windows\System32\WUDFHost.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778429a0 6 bytes {JMP QWORD [RIP+0x8dfd690]} .text C:\Windows\System32\WUDFHost.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077842a20 6 bytes {JMP QWORD [RIP+0x8d5d610]} .text C:\Windows\System32\WUDFHost.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077842aa0 6 bytes {JMP QWORD [RIP+0x8d7d590]} .text C:\Windows\System32\WUDFHost.exe[1524] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd959055 3 bytes [B5, 6F, 1A] .text C:\Windows\System32\WUDFHost.exe[1524] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9653c0 5 bytes [FF, 25, 70, AC, 1E] .text C:\Windows\System32\WUDFHost.exe[1524] C:\Windows\system32\GDI32.dll!DeleteDC 
000007feff5d22cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\System32\WUDFHost.exe[1524] C:\Windows\system32\GDI32.dll!BitBlt 000007feff5d24c0 6 bytes JMP 0 .text C:\Windows\System32\WUDFHost.exe[1524] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff5d5bf0 6 bytes {JMP QWORD [RIP+0x12a440]} .text C:\Windows\System32\WUDFHost.exe[1524] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff5d8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\System32\WUDFHost.exe[1524] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff5d89d8 6 bytes {JMP QWORD [RIP+0x87658]} .text C:\Windows\System32\WUDFHost.exe[1524] C:\Windows\system32\GDI32.dll!GetPixel 000007feff5d9344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\System32\WUDFHost.exe[1524] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff5db9f8 6 bytes {JMP QWORD [RIP+0x164638]} .text C:\Windows\System32\WUDFHost.exe[1524] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff5dc8e0 6 bytes {JMP QWORD [RIP+0x143750]} .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077813b10 6 bytes {JMP QWORD [RIP+0x882c520]} .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778413a0 6 bytes {JMP QWORD [RIP+0x87dec90]} .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077841570 6 bytes {JMP QWORD [RIP+0x8d9eac0]} .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778415e0 6 bytes {JMP QWORD [RIP+0x8e7ea50]} .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077841620 6 bytes {JMP QWORD [RIP+0x8e3ea10]} .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778416c0 6 bytes {JMP QWORD [RIP+0x8e9e970]} .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077841750 6 bytes {JMP QWORD [RIP+0x8e1e8e0]} .text 
C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077841790 6 bytes {JMP QWORD [RIP+0x8d1e8a0]} .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778417e0 6 bytes {JMP QWORD [RIP+0x8d3e850]} .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077841800 6 bytes {JMP QWORD [RIP+0x8e5e830]} .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778419f0 6 bytes {JMP QWORD [RIP+0x8f1e640]} .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077841b00 6 bytes {JMP QWORD [RIP+0x8cfe530]} .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077841bd0 6 bytes {JMP QWORD [RIP+0x8dbe460]} .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077841d20 6 bytes {JMP QWORD [RIP+0x8ebe310]} .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077841d30 6 bytes {JMP QWORD [RIP+0x8efe300]} .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778420a0 6 bytes {JMP QWORD [RIP+0x8dddf90]} .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077842130 6 bytes {JMP QWORD [RIP+0x8eddf00]} .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778429a0 6 bytes {JMP QWORD [RIP+0x8dfd690]} .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077842a20 6 bytes {JMP QWORD [RIP+0x8d5d610]} .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077842aa0 6 bytes {JMP QWORD [RIP+0x8d7d590]} .text C:\Windows\system32\svchost.exe[1772] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 
000007fefd959055 3 bytes [B5, 6F, 1A] .text C:\Windows\system32\svchost.exe[1772] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9653c0 5 bytes [FF, 25, 70, AC, 1E] .text C:\Windows\system32\svchost.exe[1772] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff5d22cc 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1772] C:\Windows\system32\GDI32.dll!BitBlt 000007feff5d24c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\svchost.exe[1772] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff5d5bf0 6 bytes {JMP QWORD [RIP+0x12a440]} .text C:\Windows\system32\svchost.exe[1772] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff5d8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[1772] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff5d89d8 6 bytes {JMP QWORD [RIP+0x87658]} .text C:\Windows\system32\svchost.exe[1772] C:\Windows\system32\GDI32.dll!GetPixel 000007feff5d9344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\svchost.exe[1772] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff5db9f8 6 bytes {JMP QWORD [RIP+0x164638]} .text C:\Windows\system32\svchost.exe[1772] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff5dc8e0 6 bytes {JMP QWORD [RIP+0x143750]} .text C:\Windows\system32\svchost.exe[1772] C:\Windows\system32\SspiCli.dll!EncryptMessage 000007fefd3f50a0 6 bytes {JMP QWORD [RIP+0x4af90]} .text C:\Windows\System32\spoolsv.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077813b10 6 bytes {JMP QWORD [RIP+0x882c520]} .text C:\Windows\System32\spoolsv.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778413a0 6 bytes {JMP QWORD [RIP+0x87dec90]} .text C:\Windows\System32\spoolsv.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077841570 6 bytes {JMP QWORD [RIP+0x8d9eac0]} .text C:\Windows\System32\spoolsv.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778415e0 6 bytes {JMP QWORD [RIP+0x8e7ea50]} .text C:\Windows\System32\spoolsv.exe[1892] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077841620 6 bytes {JMP QWORD [RIP+0x8e3ea10]} .text C:\Windows\System32\spoolsv.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778416c0 6 bytes {JMP QWORD [RIP+0x8e9e970]} .text C:\Windows\System32\spoolsv.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077841750 6 bytes {JMP QWORD [RIP+0x8e1e8e0]} .text C:\Windows\System32\spoolsv.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077841790 6 bytes {JMP QWORD [RIP+0x8d1e8a0]} .text C:\Windows\System32\spoolsv.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778417e0 6 bytes {JMP QWORD [RIP+0x8d3e850]} .text C:\Windows\System32\spoolsv.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077841800 6 bytes {JMP QWORD [RIP+0x8e5e830]} .text C:\Windows\System32\spoolsv.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778419f0 6 bytes {JMP QWORD [RIP+0x8f1e640]} .text C:\Windows\System32\spoolsv.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077841b00 6 bytes {JMP QWORD [RIP+0x8cfe530]} .text C:\Windows\System32\spoolsv.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077841bd0 6 bytes {JMP QWORD [RIP+0x8dbe460]} .text C:\Windows\System32\spoolsv.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077841d20 6 bytes {JMP QWORD [RIP+0x8ebe310]} .text C:\Windows\System32\spoolsv.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077841d30 6 bytes {JMP QWORD [RIP+0x8efe300]} .text C:\Windows\System32\spoolsv.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778420a0 6 bytes {JMP QWORD [RIP+0x8dddf90]} .text C:\Windows\System32\spoolsv.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077842130 6 bytes {JMP QWORD [RIP+0x8eddf00]} .text C:\Windows\System32\spoolsv.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778429a0 6 bytes {JMP QWORD [RIP+0x8dfd690]} .text 
C:\Windows\System32\spoolsv.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077842a20 6 bytes {JMP QWORD [RIP+0x8d5d610]} .text C:\Windows\System32\spoolsv.exe[1892] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077842aa0 6 bytes {JMP QWORD [RIP+0x8d7d590]} .text C:\Windows\System32\spoolsv.exe[1892] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd959055 3 bytes [B5, 6F, 1A] .text C:\Windows\System32\spoolsv.exe[1892] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9653c0 5 bytes [FF, 25, 70, AC, 1E] .text C:\Windows\System32\spoolsv.exe[1892] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff5d22cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\System32\spoolsv.exe[1892] C:\Windows\system32\GDI32.dll!BitBlt 000007feff5d24c0 6 bytes JMP 0 .text C:\Windows\System32\spoolsv.exe[1892] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff5d5bf0 6 bytes JMP 0 .text C:\Windows\System32\spoolsv.exe[1892] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff5d8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\System32\spoolsv.exe[1892] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff5d89d8 6 bytes {JMP QWORD [RIP+0x87658]} .text C:\Windows\System32\spoolsv.exe[1892] C:\Windows\system32\GDI32.dll!GetPixel 000007feff5d9344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\System32\spoolsv.exe[1892] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff5db9f8 6 bytes {JMP QWORD [RIP+0x164638]} .text C:\Windows\System32\spoolsv.exe[1892] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff5dc8e0 6 bytes JMP 74736c74 .text C:\Windows\System32\spoolsv.exe[1892] C:\Windows\System32\SSPICLI.DLL!EncryptMessage 000007fefd3f50a0 6 bytes {JMP QWORD [RIP+0x4af90]} .text C:\Windows\system32\svchost.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077813b10 6 bytes {JMP QWORD [RIP+0x882c520]} .text C:\Windows\system32\svchost.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778413a0 6 bytes {JMP QWORD 
[RIP+0x87dec90]} .text C:\Windows\system32\svchost.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077841570 6 bytes {JMP QWORD [RIP+0x8d9eac0]} .text C:\Windows\system32\svchost.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778415e0 6 bytes {JMP QWORD [RIP+0x8e7ea50]} .text C:\Windows\system32\svchost.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077841620 6 bytes {JMP QWORD [RIP+0x8e3ea10]} .text C:\Windows\system32\svchost.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778416c0 6 bytes {JMP QWORD [RIP+0x8e9e970]} .text C:\Windows\system32\svchost.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077841750 6 bytes {JMP QWORD [RIP+0x8e1e8e0]} .text C:\Windows\system32\svchost.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077841790 6 bytes {JMP QWORD [RIP+0x8d1e8a0]} .text C:\Windows\system32\svchost.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778417e0 6 bytes {JMP QWORD [RIP+0x8d3e850]} .text C:\Windows\system32\svchost.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077841800 6 bytes {JMP QWORD [RIP+0x8e5e830]} .text C:\Windows\system32\svchost.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778419f0 6 bytes {JMP QWORD [RIP+0x8f1e640]} .text C:\Windows\system32\svchost.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077841b00 6 bytes {JMP QWORD [RIP+0x8cfe530]} .text C:\Windows\system32\svchost.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077841bd0 6 bytes {JMP QWORD [RIP+0x8dbe460]} .text C:\Windows\system32\svchost.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077841d20 6 bytes {JMP QWORD [RIP+0x8ebe310]} .text C:\Windows\system32\svchost.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077841d30 6 bytes {JMP QWORD [RIP+0x8efe300]} .text C:\Windows\system32\svchost.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 
00000000778420a0 6 bytes {JMP QWORD [RIP+0x8dddf90]} .text C:\Windows\system32\svchost.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077842130 6 bytes {JMP QWORD [RIP+0x8eddf00]} .text C:\Windows\system32\svchost.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778429a0 6 bytes {JMP QWORD [RIP+0x8dfd690]} .text C:\Windows\system32\svchost.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077842a20 6 bytes {JMP QWORD [RIP+0x8d5d610]} .text C:\Windows\system32\svchost.exe[2016] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077842aa0 6 bytes {JMP QWORD [RIP+0x8d7d590]} .text C:\Windows\system32\svchost.exe[2016] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd959055 3 bytes [B5, 6F, 1A] .text C:\Windows\system32\svchost.exe[2016] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9653c0 5 bytes [FF, 25, 70, AC, 1E] .text C:\Windows\system32\svchost.exe[2016] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefda03e80 6 bytes {JMP QWORD [RIP+0x16c1b0]} .text C:\Windows\system32\svchost.exe[2016] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff5d22cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\svchost.exe[2016] C:\Windows\system32\GDI32.dll!BitBlt 000007feff5d24c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\svchost.exe[2016] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff5d5bf0 6 bytes {JMP QWORD [RIP+0x12a440]} .text C:\Windows\system32\svchost.exe[2016] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff5d8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[2016] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff5d89d8 6 bytes {JMP QWORD [RIP+0x87658]} .text C:\Windows\system32\svchost.exe[2016] C:\Windows\system32\GDI32.dll!GetPixel 000007feff5d9344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\svchost.exe[2016] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff5db9f8 6 bytes 
{JMP QWORD [RIP+0x164638]} .text C:\Windows\system32\svchost.exe[2016] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff5dc8e0 6 bytes {JMP QWORD [RIP+0x143750]} .text C:\Windows\system32\svchost.exe[2016] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefeb1a6f0 6 bytes {JMP QWORD [RIP+0xb5940]} .text C:\Windows\system32\svchost.exe[2016] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefeb40c10 6 bytes JMP 1f501f40 .text C:\Windows\system32\svchost.exe[2016] C:\Windows\system32\SspiCli.dll!EncryptMessage 000007fefd3f50a0 6 bytes {JMP QWORD [RIP+0x4af90]} .text C:\Windows\system32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077813b10 6 bytes {JMP QWORD [RIP+0x882c520]} .text C:\Windows\system32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778413a0 6 bytes {JMP QWORD [RIP+0x87dec90]} .text C:\Windows\system32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077841570 6 bytes {JMP QWORD [RIP+0x8d9eac0]} .text C:\Windows\system32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778415e0 6 bytes {JMP QWORD [RIP+0x8e7ea50]} .text C:\Windows\system32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077841620 6 bytes {JMP QWORD [RIP+0x8e3ea10]} .text C:\Windows\system32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778416c0 6 bytes {JMP QWORD [RIP+0x8e9e970]} .text C:\Windows\system32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077841750 6 bytes {JMP QWORD [RIP+0x8e1e8e0]} .text C:\Windows\system32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077841790 6 bytes {JMP QWORD [RIP+0x8d1e8a0]} .text C:\Windows\system32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778417e0 6 bytes {JMP QWORD [RIP+0x8d3e850]} .text C:\Windows\system32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077841800 6 bytes {JMP QWORD 
[RIP+0x8e5e830]} .text C:\Windows\system32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778419f0 6 bytes {JMP QWORD [RIP+0x8f1e640]} .text C:\Windows\system32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077841b00 6 bytes {JMP QWORD [RIP+0x8cfe530]} .text C:\Windows\system32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077841bd0 6 bytes {JMP QWORD [RIP+0x8dbe460]} .text C:\Windows\system32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077841d20 6 bytes {JMP QWORD [RIP+0x8ebe310]} .text C:\Windows\system32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077841d30 6 bytes {JMP QWORD [RIP+0x8efe300]} .text C:\Windows\system32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778420a0 6 bytes {JMP QWORD [RIP+0x8dddf90]} .text C:\Windows\system32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077842130 6 bytes {JMP QWORD [RIP+0x8eddf00]} .text C:\Windows\system32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778429a0 6 bytes {JMP QWORD [RIP+0x8dfd690]} .text C:\Windows\system32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077842a20 6 bytes {JMP QWORD [RIP+0x8d5d610]} .text C:\Windows\system32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077842aa0 6 bytes {JMP QWORD [RIP+0x8d7d590]} .text C:\Windows\system32\svchost.exe[1680] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000775d98e0 6 bytes {JMP QWORD [RIP+0x8ac6750]} .text C:\Windows\system32\svchost.exe[1680] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000775f0650 6 bytes {JMP QWORD [RIP+0x8a6f9e0]} .text C:\Windows\system32\svchost.exe[1680] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007766acf0 6 bytes {JMP QWORD [RIP+0x8a15340]} .text C:\Windows\system32\svchost.exe[1680] 
C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd959055 3 bytes [B5, 6F, 1A] .text C:\Windows\system32\svchost.exe[1680] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9653c0 5 bytes [FF, 25, 70, AC, 1E] .text C:\Windows\system32\svchost.exe[1680] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff5d22cc 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1680] C:\Windows\system32\GDI32.dll!BitBlt 000007feff5d24c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\svchost.exe[1680] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff5d5bf0 6 bytes {JMP QWORD [RIP+0x12a440]} .text C:\Windows\system32\svchost.exe[1680] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff5d8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[1680] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff5d89d8 6 bytes {JMP QWORD [RIP+0x87658]} .text C:\Windows\system32\svchost.exe[1680] C:\Windows\system32\GDI32.dll!GetPixel 000007feff5d9344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\svchost.exe[1680] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff5db9f8 6 bytes {JMP QWORD [RIP+0x164638]} .text C:\Windows\system32\svchost.exe[1680] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff5dc8e0 6 bytes JMP a2a .text C:\Windows\system32\svchost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077813b10 6 bytes {JMP QWORD [RIP+0x882c520]} .text C:\Windows\system32\svchost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778413a0 6 bytes {JMP QWORD [RIP+0x87dec90]} .text C:\Windows\system32\svchost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077841570 6 bytes {JMP QWORD [RIP+0x8d9eac0]} .text C:\Windows\system32\svchost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778415e0 6 bytes {JMP QWORD [RIP+0x8e7ea50]} .text C:\Windows\system32\svchost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077841620 6 bytes {JMP QWORD [RIP+0x8e3ea10]} .text 
C:\Windows\system32\svchost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778416c0 6 bytes {JMP QWORD [RIP+0x8e9e970]} .text C:\Windows\system32\svchost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077841750 6 bytes {JMP QWORD [RIP+0x8e1e8e0]} .text C:\Windows\system32\svchost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077841790 6 bytes {JMP QWORD [RIP+0x8d1e8a0]} .text C:\Windows\system32\svchost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778417e0 6 bytes {JMP QWORD [RIP+0x8d3e850]} .text C:\Windows\system32\svchost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077841800 6 bytes {JMP QWORD [RIP+0x8e5e830]} .text C:\Windows\system32\svchost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778419f0 6 bytes {JMP QWORD [RIP+0x8f1e640]} .text C:\Windows\system32\svchost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077841b00 6 bytes {JMP QWORD [RIP+0x8cfe530]} .text C:\Windows\system32\svchost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077841bd0 6 bytes {JMP QWORD [RIP+0x8dbe460]} .text C:\Windows\system32\svchost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077841d20 6 bytes {JMP QWORD [RIP+0x8ebe310]} .text C:\Windows\system32\svchost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077841d30 6 bytes {JMP QWORD [RIP+0x8efe300]} .text C:\Windows\system32\svchost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778420a0 6 bytes {JMP QWORD [RIP+0x8dddf90]} .text C:\Windows\system32\svchost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077842130 6 bytes {JMP QWORD [RIP+0x8eddf00]} .text C:\Windows\system32\svchost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778429a0 6 bytes {JMP QWORD [RIP+0x8dfd690]} .text C:\Windows\system32\svchost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077842a20 
6 bytes {JMP QWORD [RIP+0x8d5d610]} .text C:\Windows\system32\svchost.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077842aa0 6 bytes {JMP QWORD [RIP+0x8d7d590]} .text C:\Windows\system32\svchost.exe[2084] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd959055 3 bytes [B5, 6F, 1A] .text C:\Windows\system32\svchost.exe[2084] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9653c0 5 bytes [FF, 25, 70, AC, 1E] .text C:\Windows\system32\svchost.exe[2084] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff5d22cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\svchost.exe[2084] C:\Windows\system32\GDI32.dll!BitBlt 000007feff5d24c0 6 bytes JMP 4 .text C:\Windows\system32\svchost.exe[2084] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff5d5bf0 6 bytes {JMP QWORD [RIP+0x12a440]} .text C:\Windows\system32\svchost.exe[2084] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff5d8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[2084] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff5d89d8 6 bytes {JMP QWORD [RIP+0x87658]} .text C:\Windows\system32\svchost.exe[2084] C:\Windows\system32\GDI32.dll!GetPixel 000007feff5d9344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\svchost.exe[2084] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff5db9f8 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[2084] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff5dc8e0 6 bytes {JMP QWORD [RIP+0x143750]} .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000779ef9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000779ef9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000779efcb0 3 bytes JMP 70f7000a .text C:\Program Files 
(x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000779efcb4 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000779efd64 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000779efd68 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000779efdc8 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000779efdcc 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000779efec0 3 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000779efec4 2 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000779effa4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000779effa8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000779f0004 3 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000779f0008 2 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000779f0084 3 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 
4 00000000779f0088 2 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000779f00b4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000779f00b8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000779f03b8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000779f03bc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779f0550 3 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000779f0554 2 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000779f0694 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000779f0698 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000779f088c 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000779f0890 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000779f08a4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000779f08a8 2 bytes JMP 70d6000a .text C:\Program Files 
(x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000779f0df4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000779f0df8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000779f0ed8 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000779f0edc 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000779f1be4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000779f1be8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000779f1cb4 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000779f1cb8 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000779f1d8c 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000779f1d90 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a11287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076af103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] 
C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076af1072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076b1c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076d7f784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076d82c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076888332 6 bytes JMP 7160000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076888bff 6 bytes JMP 7154000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000768890d3 6 bytes JMP 710f000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076889679 6 bytes JMP 714e000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000768897d2 6 bytes JMP 7148000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007688ee09 6 bytes JMP 7166000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007688efc9 3 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007688efcd 2 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000768912a5 6 bytes 
JMP 715a000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007689291f 6 bytes JMP 712d000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\syswow64\USER32.dll!SetParent 0000000076892d64 3 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076892d68 2 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076892da4 6 bytes JMP 710c000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076893698 3 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007689369c 2 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076893baa 6 bytes JMP 715d000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076893c61 6 bytes JMP 7157000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076896110 6 bytes JMP 7163000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007689612e 6 bytes JMP 7151000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076896c30 6 bytes JMP 7112000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076897603 6 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] 
C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076897668 6 bytes JMP 713c000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000768976e0 6 bytes JMP 7142000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007689781f 6 bytes JMP 714b000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007689835c 6 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007689c4b6 3 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007689c4ba 2 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000768ac112 6 bytes JMP 7139000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000768ad0f5 6 bytes JMP 7136000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000768aeb96 6 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000768aec68 3 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000768aec6c 2 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\syswow64\USER32.dll!SendInput 00000000768aff4a 3 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000768aff4e 2 bytes JMP 7133000a 
.text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000768c9f1d 6 bytes JMP 7118000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000768d1497 6 bytes JMP 7109000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\syswow64\USER32.dll!mouse_event 00000000768e027b 6 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\syswow64\USER32.dll!keybd_event 00000000768e02bf 6 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000768e6cfc 6 bytes JMP 7145000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000768e6d5d 6 bytes JMP 713f000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\syswow64\USER32.dll!BlockInput 00000000768e7dd7 3 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000768e7ddb 2 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000768e88eb 3 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000768e88ef 2 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000770b58b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000770b5ea6 6 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\syswow64\GDI32.dll!CreateDCA 
00000000770b7bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000770bb895 6 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000770bc332 6 bytes JMP 717b000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000770bcbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000770be743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000770e4857 6 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076622642 6 bytes JMP 7196000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076625429 6 bytes JMP 7193000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 00000000753e124e 6 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000765d1465 2 bytes [5D, 76] .text C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2108] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000765d14bb 2 bytes [5D, 76] .text ... 
* 2 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077813b10 6 bytes {JMP QWORD [RIP+0x882c520]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778413a0 6 bytes {JMP QWORD [RIP+0x87dec90]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077841570 6 bytes {JMP QWORD [RIP+0x8d9eac0]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778415e0 6 bytes {JMP QWORD [RIP+0x8e7ea50]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077841620 6 bytes {JMP QWORD [RIP+0x8e3ea10]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778416c0 6 bytes {JMP QWORD [RIP+0x8e9e970]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077841750 6 bytes {JMP QWORD [RIP+0x8e1e8e0]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077841790 6 bytes {JMP QWORD [RIP+0x8d1e8a0]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778417e0 6 bytes {JMP QWORD [RIP+0x8d3e850]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077841800 6 bytes {JMP QWORD [RIP+0x8e5e830]} .text C:\Program 
Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778419f0 6 bytes {JMP QWORD [RIP+0x8f1e640]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077841b00 6 bytes {JMP QWORD [RIP+0x8cfe530]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077841bd0 6 bytes {JMP QWORD [RIP+0x8dbe460]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077841d20 6 bytes {JMP QWORD [RIP+0x8ebe310]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077841d30 6 bytes {JMP QWORD [RIP+0x8efe300]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778420a0 6 bytes {JMP QWORD [RIP+0x8dddf90]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077842130 6 bytes {JMP QWORD [RIP+0x8eddf00]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778429a0 6 bytes {JMP QWORD [RIP+0x8dfd690]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077842a20 6 bytes {JMP QWORD [RIP+0x8d5d610]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077842aa0 6 bytes {JMP QWORD 
[RIP+0x8d7d590]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2180] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd959055 3 bytes [B5, 6F, 1A] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2180] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9653c0 5 bytes [FF, 25, 70, AC, 1E] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2180] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff5d22cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2180] C:\Windows\system32\GDI32.dll!BitBlt 000007feff5d24c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2180] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff5d5bf0 6 bytes {JMP QWORD [RIP+0x12a440]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2180] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff5d8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2180] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff5d89d8 6 bytes {JMP QWORD [RIP+0x87658]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2180] C:\Windows\system32\GDI32.dll!GetPixel 000007feff5d9344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2180] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff5db9f8 6 bytes {JMP QWORD [RIP+0x164638]} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2180] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff5dc8e0 6 bytes {JMP QWORD [RIP+0x143750]} .text C:\Program Files (x86)\Malwarebytes 
Anti-Malware\mbamscheduler.exe[2308] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000779ef9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000779ef9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000779efcb0 3 bytes JMP 70c1000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000779efcb4 2 bytes JMP 70c1000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000779efd64 3 bytes JMP 70ac000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000779efd68 2 bytes JMP 70ac000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000779efdc8 3 bytes JMP 70b2000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000779efdcc 2 bytes JMP 70b2000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000779efec0 3 bytes JMP 70a9000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000779efec4 2 bytes JMP 70a9000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000779effa4 3 bytes JMP 70b5000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000779effa8 2 bytes JMP 70b5000a .text C:\Program Files (x86)\Malwarebytes 
Anti-Malware\mbamscheduler.exe[2308] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000779f0004 3 bytes JMP 70cd000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000779f0008 2 bytes JMP 70cd000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000779f0084 3 bytes JMP 70ca000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000779f0088 2 bytes JMP 70ca000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000779f00b4 3 bytes JMP 70af000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000779f00b8 2 bytes JMP 70af000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000779f03b8 3 bytes JMP 709d000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000779f03bc 2 bytes JMP 709d000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779f0550 3 bytes JMP 70d0000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000779f0554 2 bytes JMP 70d0000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000779f0694 3 bytes JMP 70be000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000779f0698 2 bytes JMP 70be000a .text C:\Program Files (x86)\Malwarebytes 
Anti-Malware\mbamscheduler.exe[2308] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000779f088c 3 bytes JMP 70a6000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000779f0890 2 bytes JMP 70a6000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000779f08a4 3 bytes JMP 70a0000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000779f08a8 2 bytes JMP 70a0000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000779f0df4 3 bytes JMP 70bb000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000779f0df8 2 bytes JMP 70bb000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000779f0ed8 3 bytes JMP 70a3000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000779f0edc 2 bytes JMP 70a3000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000779f1be4 3 bytes JMP 70b8000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000779f1be8 2 bytes JMP 70b8000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000779f1cb4 3 bytes JMP 70c7000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000779f1cb8 2 bytes JMP 70c7000a .text 
C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000779f1d8c 3 bytes JMP 70c4000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000779f1d90 2 bytes JMP 70c4000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a11287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076af103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076af1072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076b1c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076d7f784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076d82c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076622642 6 bytes JMP 7196000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076625429 6 bytes JMP 7193000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 00000000753e124e 6 bytes JMP 7181000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\syswow64\USER32.dll!SetWindowLongW 
0000000076888332 6 bytes JMP 712a000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076888bff 6 bytes JMP 711e000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000768890d3 6 bytes JMP 70d9000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076889679 6 bytes JMP 7118000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000768897d2 6 bytes JMP 7112000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007688ee09 6 bytes JMP 7130000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007688efc9 3 bytes JMP 70df000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007688efcd 2 bytes JMP 70df000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000768912a5 6 bytes JMP 7124000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007689291f 6 bytes JMP 70f7000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\syswow64\USER32.dll!SetParent 0000000076892d64 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076892d68 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076892da4 6 bytes JMP 70d6000a 
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076893698 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007689369c 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076893baa 6 bytes JMP 7127000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076893c61 6 bytes JMP 7121000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076896110 6 bytes JMP 712d000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007689612e 6 bytes JMP 711b000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076896c30 6 bytes JMP 70dc000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076897603 6 bytes JMP 7133000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076897668 6 bytes JMP 7106000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000768976e0 6 bytes JMP 710c000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007689781f 6 bytes JMP 7115000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007689835c 6 bytes JMP 7136000a .text C:\Program 
Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007689c4b6 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007689c4ba 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000768ac112 6 bytes JMP 7103000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000768ad0f5 6 bytes JMP 7100000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000768aeb96 6 bytes JMP 70f4000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000768aec68 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000768aec6c 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\syswow64\USER32.dll!SendInput 00000000768aff4a 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000768aff4e 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000768c9f1d 6 bytes JMP 70e2000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000768d1497 6 bytes JMP 70d3000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\syswow64\USER32.dll!mouse_event 00000000768e027b 6 bytes JMP 7139000a .text C:\Program Files 
(x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\syswow64\USER32.dll!keybd_event 00000000768e02bf 6 bytes JMP 713c000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000768e6cfc 6 bytes JMP 710f000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000768e6d5d 6 bytes JMP 7109000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\syswow64\USER32.dll!BlockInput 00000000768e7dd7 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000768e7ddb 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000768e88eb 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000768e88ef 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000770b58b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000770b5ea6 6 bytes JMP 717e000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000770b7bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000770bb895 6 bytes JMP 713f000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000770bc332 6 bytes JMP 7145000a .text C:\Program Files (x86)\Malwarebytes 
Anti-Malware\mbamscheduler.exe[2308] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000770bcbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000770be743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000770e4857 6 bytes JMP 7142000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000765d1465 2 bytes [5D, 76] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2308] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000765d14bb 2 bytes [5D, 76] .text ... * 2 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2400] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076af103d 6 bytes {JMP QWORD [RIP+0x719b001e]} .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2400] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076af1072 6 bytes {JMP QWORD [RIP+0x7198001e]} .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2400] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076b1c9b5 6 bytes {JMP QWORD [RIP+0x718f001e]} .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000779ef9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000779ef9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000779efcb0 3 bytes JMP 70ec000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000779efcb4 2 bytes JMP 70ec000a 
.text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000779efd64 3 bytes JMP 70d7000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000779efd68 2 bytes JMP 70d7000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000779efdc8 3 bytes JMP 70dd000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000779efdcc 2 bytes JMP 70dd000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000779efec0 3 bytes JMP 70d4000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000779efec4 2 bytes JMP 70d4000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000779effa4 3 bytes JMP 70e0000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000779effa8 2 bytes JMP 70e0000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000779f0004 3 bytes JMP 70f8000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000779f0008 2 bytes JMP 70f8000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000779f0084 3 bytes JMP 70f5000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] 
C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000779f0088 2 bytes JMP 70f5000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000779f00b4 3 bytes JMP 70da000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000779f00b8 2 bytes JMP 70da000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000779f03b8 3 bytes JMP 70c8000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000779f03bc 2 bytes JMP 70c8000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779f0550 3 bytes JMP 70fb000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000779f0554 2 bytes JMP 70fb000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000779f0694 3 bytes JMP 70e9000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000779f0698 2 bytes JMP 70e9000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000779f088c 3 bytes JMP 70d1000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000779f0890 2 bytes JMP 70d1000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000779f08a4 3 
bytes JMP 70cb000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000779f08a8 2 bytes JMP 70cb000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000779f0df4 3 bytes JMP 70e6000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000779f0df8 2 bytes JMP 70e6000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000779f0ed8 3 bytes JMP 70ce000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000779f0edc 2 bytes JMP 70ce000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000779f1be4 3 bytes JMP 70e3000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000779f1be8 2 bytes JMP 70e3000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000779f1cb4 3 bytes JMP 70f2000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000779f1cb8 2 bytes JMP 70f2000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000779f1d8c 3 bytes JMP 70ef000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000779f1d90 2 bytes JMP 70ef000a .text C:\Program Files (x86)\NVIDIA 
Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a11287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076af103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076af1072 6 bytes JMP 7199000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076b1c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076d7f784 6 bytes JMP 719f000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076d82c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076888332 6 bytes JMP 7160000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076888bff 6 bytes JMP 7154000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000768890d3 6 bytes JMP 7104000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076889679 6 bytes JMP 714e000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000768897d2 6 bytes JMP 7148000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] 
C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007688ee09 6 bytes JMP 7166000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007688efc9 3 bytes JMP 710a000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007688efcd 2 bytes JMP 710a000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000768912a5 6 bytes JMP 715a000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007689291f 6 bytes JMP 712d000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\syswow64\USER32.dll!SetParent 0000000076892d64 3 bytes JMP 7124000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076892d68 2 bytes JMP 7124000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076892da4 6 bytes JMP 7101000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076893698 3 bytes JMP 7121000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007689369c 2 bytes JMP 7121000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076893baa 6 bytes JMP 715d000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076893c61 6 bytes JMP 7157000a .text C:\Program Files (x86)\NVIDIA 
Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076896110 6 bytes JMP 7163000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007689612e 6 bytes JMP 7151000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076896c30 6 bytes JMP 7107000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076897603 6 bytes JMP 7169000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076897668 6 bytes JMP 713c000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000768976e0 6 bytes JMP 7142000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007689781f 6 bytes JMP 714b000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007689835c 6 bytes JMP 716c000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007689c4b6 3 bytes JMP 7113000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007689c4ba 2 bytes JMP 7113000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000768ac112 6 bytes JMP 7139000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] 
C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000768ad0f5 6 bytes JMP 7136000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000768aeb96 6 bytes JMP 712a000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000768aec68 3 bytes JMP 7130000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000768aec6c 2 bytes JMP 7130000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\syswow64\USER32.dll!SendInput 00000000768aff4a 3 bytes JMP 7133000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000768aff4e 2 bytes JMP 7133000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000768c9f1d 6 bytes JMP 710d000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000768d1497 6 bytes JMP 70fe000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\syswow64\USER32.dll!mouse_event 00000000768e027b 6 bytes JMP 716f000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\syswow64\USER32.dll!keybd_event 00000000768e02bf 6 bytes JMP 7172000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000768e6cfc 6 bytes JMP 7145000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000768e6d5d 6 bytes JMP 713f000a .text C:\Program Files 
(x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\syswow64\USER32.dll!BlockInput 00000000768e7dd7 3 bytes JMP 7110000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000768e7ddb 2 bytes JMP 7110000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000768e88eb 3 bytes JMP 7127000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000768e88ef 2 bytes JMP 7127000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000770b58b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000770b5ea6 6 bytes JMP 717e000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000770b7bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000770bb895 6 bytes JMP 7175000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000770bc332 6 bytes JMP 717b000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000770bcbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000770be743 6 bytes JMP 718a000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000770e4857 6 bytes JMP 7178000a .text C:\Program 
Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076622642 6 bytes JMP 7196000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076625429 6 bytes JMP 7193000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 00000000753e124e 6 bytes JMP 7181000a .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000765d1465 2 bytes [5D, 76] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2476] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000765d14bb 2 bytes [5D, 76] .text ... * 2 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077813b10 6 bytes {JMP QWORD [RIP+0x882c520]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778413a0 6 bytes {JMP QWORD [RIP+0x87dec90]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077841570 6 bytes {JMP QWORD [RIP+0x8d9eac0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778415e0 6 bytes {JMP QWORD [RIP+0x8e7ea50]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077841620 6 bytes {JMP QWORD [RIP+0x8e3ea10]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778416c0 6 bytes {JMP QWORD [RIP+0x8e9e970]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2588] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077841750 6 bytes {JMP QWORD [RIP+0x8e1e8e0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077841790 6 bytes {JMP QWORD [RIP+0x8d1e8a0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778417e0 6 bytes {JMP QWORD [RIP+0x8d3e850]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077841800 6 bytes {JMP QWORD [RIP+0x8e5e830]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778419f0 6 bytes {JMP QWORD [RIP+0x8f1e640]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077841b00 6 bytes {JMP QWORD [RIP+0x8cfe530]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077841bd0 6 bytes {JMP QWORD [RIP+0x8dbe460]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077841d20 6 bytes {JMP QWORD [RIP+0x8ebe310]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077841d30 6 bytes {JMP QWORD [RIP+0x8efe300]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778420a0 6 bytes {JMP QWORD [RIP+0x8dddf90]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077842130 6 bytes {JMP QWORD [RIP+0x8eddf00]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2588] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778429a0 6 bytes {JMP QWORD [RIP+0x8dfd690]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077842a20 6 bytes {JMP QWORD [RIP+0x8d5d610]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077842aa0 6 bytes {JMP QWORD [RIP+0x8d7d590]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2588] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000775d98e0 6 bytes {JMP QWORD [RIP+0x8ac6750]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2588] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000775f0650 6 bytes {JMP QWORD [RIP+0x8a6f9e0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2588] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007766acf0 6 bytes {JMP QWORD [RIP+0x8a15340]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2588] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd959055 3 bytes CALL 66667542 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2588] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9653c0 5 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2588] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff5d22cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2588] C:\Windows\system32\GDI32.dll!BitBlt 000007feff5d24c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2588] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff5d5bf0 6 bytes {JMP QWORD [RIP+0x12a440]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2588] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff5d8398 6 bytes {JMP QWORD 
[RIP+0xa7c98]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2588] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff5d89d8 6 bytes {JMP QWORD [RIP+0x87658]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2588] C:\Windows\system32\GDI32.dll!GetPixel 000007feff5d9344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2588] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff5db9f8 6 bytes JMP 164648 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2588] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff5dc8e0 6 bytes {JMP QWORD [RIP+0x143750]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2588] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefeb1a6f0 6 bytes {JMP QWORD [RIP+0xc5940]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2588] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefeb40c10 6 bytes {JMP QWORD [RIP+0xbf420]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2588] C:\Windows\system32\SspiCli.dll!EncryptMessage 000007fefd3f50a0 6 bytes {JMP QWORD [RIP+0x4af90]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077813b10 6 bytes {JMP QWORD [RIP+0x882c520]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778413a0 6 bytes {JMP QWORD [RIP+0x87dec90]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077841570 6 bytes {JMP QWORD [RIP+0x8d9eac0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778415e0 6 bytes {JMP QWORD [RIP+0x8e7ea50]} .text C:\Program Files\Common Files\Microsoft Shared\Windows 
Live\WLIDSVC.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077841620 6 bytes {JMP QWORD [RIP+0x8e3ea10]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778416c0 6 bytes {JMP QWORD [RIP+0x8e9e970]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077841750 6 bytes {JMP QWORD [RIP+0x8e1e8e0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077841790 6 bytes {JMP QWORD [RIP+0x8d1e8a0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778417e0 6 bytes {JMP QWORD [RIP+0x8d3e850]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077841800 6 bytes {JMP QWORD [RIP+0x8e5e830]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778419f0 6 bytes {JMP QWORD [RIP+0x8f1e640]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077841b00 6 bytes {JMP QWORD [RIP+0x8cfe530]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077841bd0 6 bytes {JMP QWORD [RIP+0x8dbe460]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077841d20 6 bytes {JMP QWORD [RIP+0x8ebe310]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077841d30 6 bytes {JMP QWORD [RIP+0x8efe300]} .text C:\Program 
Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778420a0 6 bytes {JMP QWORD [RIP+0x8dddf90]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077842130 6 bytes {JMP QWORD [RIP+0x8eddf00]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778429a0 6 bytes {JMP QWORD [RIP+0x8dfd690]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077842a20 6 bytes {JMP QWORD [RIP+0x8d5d610]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077842aa0 6 bytes {JMP QWORD [RIP+0x8d7d590]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd959055 3 bytes [B5, 6F, 1A] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9653c0 5 bytes [FF, 25, 70, AC, 1E] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefeb1a6f0 6 bytes {JMP QWORD [RIP+0xc5940]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefeb40c10 6 bytes JMP 1ca .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff5d22cc 6 bytes JMP 0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\system32\GDI32.dll!BitBlt 000007feff5d24c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Program 
Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff5d5bf0 6 bytes {JMP QWORD [RIP+0x12a440]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff5d8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff5d89d8 6 bytes {JMP QWORD [RIP+0x87658]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\system32\GDI32.dll!GetPixel 000007feff5d9344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff5db9f8 6 bytes {JMP QWORD [RIP+0x164638]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff5dc8e0 6 bytes {JMP QWORD [RIP+0x143750]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077813b10 6 bytes {JMP QWORD [RIP+0x882c520]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778413a0 6 bytes {JMP QWORD [RIP+0x87dec90]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077841570 6 bytes {JMP QWORD [RIP+0x8d9eac0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778415e0 6 bytes {JMP QWORD [RIP+0x8e7ea50]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077841620 6 bytes {JMP QWORD [RIP+0x8e3ea10]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2728] 
C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778416c0 6 bytes {JMP QWORD [RIP+0x8e9e970]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077841750 6 bytes {JMP QWORD [RIP+0x8e1e8e0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077841790 6 bytes {JMP QWORD [RIP+0x8d1e8a0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778417e0 6 bytes {JMP QWORD [RIP+0x8d3e850]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077841800 6 bytes {JMP QWORD [RIP+0x8e5e830]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778419f0 6 bytes {JMP QWORD [RIP+0x8f1e640]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077841b00 6 bytes {JMP QWORD [RIP+0x8cfe530]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077841bd0 6 bytes {JMP QWORD [RIP+0x8dbe460]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077841d20 6 bytes {JMP QWORD [RIP+0x8ebe310]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077841d30 6 bytes {JMP QWORD [RIP+0x8efe300]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778420a0 6 bytes {JMP QWORD [RIP+0x8dddf90]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2728] 
C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077842130 6 bytes {JMP QWORD [RIP+0x8eddf00]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778429a0 6 bytes {JMP QWORD [RIP+0x8dfd690]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077842a20 6 bytes {JMP QWORD [RIP+0x8d5d610]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077842aa0 6 bytes {JMP QWORD [RIP+0x8d7d590]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2728] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000775d98e0 6 bytes {JMP QWORD [RIP+0x8ac6750]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2728] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000775f0650 6 bytes {JMP QWORD [RIP+0x8a6f9e0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2728] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007766acf0 6 bytes {JMP QWORD [RIP+0x8a15340]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2728] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd959055 3 bytes [B5, 6F, 1A] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2728] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9653c0 5 bytes [FF, 25, 70, AC, 1E] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2728] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff5d22cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2728] C:\Windows\system32\GDI32.dll!BitBlt 000007feff5d24c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2728] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff5d5bf0 6 
bytes {JMP QWORD [RIP+0x12a440]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2728] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff5d8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2728] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff5d89d8 6 bytes {JMP QWORD [RIP+0x87658]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2728] C:\Windows\system32\GDI32.dll!GetPixel 000007feff5d9344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2728] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff5db9f8 6 bytes {JMP QWORD [RIP+0x164638]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2728] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff5dc8e0 6 bytes {JMP QWORD [RIP+0x143750]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2728] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefeb1a6f0 6 bytes {JMP QWORD [RIP+0xc5940]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2728] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefeb40c10 6 bytes {JMP QWORD [RIP+0xbf420]} .text C:\Windows\system32\conhost.exe[2736] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd959055 3 bytes [B5, 6F, 1A] .text C:\Windows\system32\conhost.exe[2736] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9653c0 5 bytes [FF, 25, 70, AC, 1E] .text C:\Windows\system32\conhost.exe[2736] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff5d22cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\conhost.exe[2736] C:\Windows\system32\GDI32.dll!BitBlt 000007feff5d24c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\conhost.exe[2736] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff5d5bf0 6 bytes {JMP QWORD [RIP+0x12a440]} .text C:\Windows\system32\conhost.exe[2736] 
C:\Windows\system32\GDI32.dll!CreateDCW 000007feff5d8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\conhost.exe[2736] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff5d89d8 6 bytes {JMP QWORD [RIP+0x87658]} .text C:\Windows\system32\conhost.exe[2736] C:\Windows\system32\GDI32.dll!GetPixel 000007feff5d9344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\conhost.exe[2736] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff5db9f8 6 bytes {JMP QWORD [RIP+0x164638]} .text C:\Windows\system32\conhost.exe[2736] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff5dc8e0 6 bytes {JMP QWORD [RIP+0x143750]} .text C:\Windows\system32\svchost.exe[2980] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd959055 3 bytes [B5, 6F, 1A] .text C:\Windows\system32\svchost.exe[2980] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9653c0 5 bytes [FF, 25, 70, AC, 1E] .text C:\Windows\system32\svchost.exe[2980] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff5d22cc 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[2980] C:\Windows\system32\GDI32.dll!BitBlt 000007feff5d24c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\svchost.exe[2980] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff5d5bf0 6 bytes {JMP QWORD [RIP+0x12a440]} .text C:\Windows\system32\svchost.exe[2980] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff5d8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[2980] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff5d89d8 6 bytes {JMP QWORD [RIP+0x87658]} .text C:\Windows\system32\svchost.exe[2980] C:\Windows\system32\GDI32.dll!GetPixel 000007feff5d9344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\svchost.exe[2980] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff5db9f8 6 bytes {JMP QWORD [RIP+0x164638]} .text C:\Windows\system32\svchost.exe[2980] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff5dc8e0 6 bytes {JMP QWORD [RIP+0x143750]} .text 
C:\Windows\system32\svchost.exe[2980] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 000007fefd3f50a0 6 bytes {JMP QWORD [RIP+0x4af90]} .text C:\Windows\system32\taskhost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077813b10 6 bytes {JMP QWORD [RIP+0x882c520]} .text C:\Windows\system32\taskhost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778413a0 6 bytes {JMP QWORD [RIP+0x87dec90]} .text C:\Windows\system32\taskhost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077841570 6 bytes {JMP QWORD [RIP+0x8d9eac0]} .text C:\Windows\system32\taskhost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778415e0 6 bytes {JMP QWORD [RIP+0x8e7ea50]} .text C:\Windows\system32\taskhost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077841620 6 bytes {JMP QWORD [RIP+0x8e3ea10]} .text C:\Windows\system32\taskhost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778416c0 6 bytes {JMP QWORD [RIP+0x8e9e970]} .text C:\Windows\system32\taskhost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077841750 6 bytes {JMP QWORD [RIP+0x8e1e8e0]} .text C:\Windows\system32\taskhost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077841790 6 bytes {JMP QWORD [RIP+0x8d1e8a0]} .text C:\Windows\system32\taskhost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778417e0 6 bytes {JMP QWORD [RIP+0x8d3e850]} .text C:\Windows\system32\taskhost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077841800 6 bytes {JMP QWORD [RIP+0x8e5e830]} .text C:\Windows\system32\taskhost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778419f0 6 bytes {JMP QWORD [RIP+0x8f1e640]} .text C:\Windows\system32\taskhost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077841b00 6 bytes {JMP QWORD [RIP+0x8cfe530]} .text C:\Windows\system32\taskhost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077841bd0 6 bytes {JMP QWORD 
[RIP+0x8dbe460]} .text C:\Windows\system32\taskhost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077841d20 6 bytes {JMP QWORD [RIP+0x8ebe310]} .text C:\Windows\system32\taskhost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077841d30 6 bytes {JMP QWORD [RIP+0x8efe300]} .text C:\Windows\system32\taskhost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778420a0 6 bytes {JMP QWORD [RIP+0x8dddf90]} .text C:\Windows\system32\taskhost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077842130 6 bytes {JMP QWORD [RIP+0x8eddf00]} .text C:\Windows\system32\taskhost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778429a0 6 bytes {JMP QWORD [RIP+0x8dfd690]} .text C:\Windows\system32\taskhost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077842a20 6 bytes {JMP QWORD [RIP+0x8d5d610]} .text C:\Windows\system32\taskhost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077842aa0 6 bytes {JMP QWORD [RIP+0x8d7d590]} .text C:\Windows\system32\taskhost.exe[1492] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd959055 3 bytes [B5, 6F, 1A] .text C:\Windows\system32\taskhost.exe[1492] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9653c0 5 bytes [FF, 25, 70, AC, 1E] .text C:\Windows\system32\taskhost.exe[1492] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff5d22cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\taskhost.exe[1492] C:\Windows\system32\GDI32.dll!BitBlt 000007feff5d24c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\taskhost.exe[1492] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff5d5bf0 6 bytes {JMP QWORD [RIP+0x12a440]} .text C:\Windows\system32\taskhost.exe[1492] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff5d8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\taskhost.exe[1492] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff5d89d8 6 bytes 
{JMP QWORD [RIP+0x87658]} .text C:\Windows\system32\taskhost.exe[1492] C:\Windows\system32\GDI32.dll!GetPixel 000007feff5d9344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\taskhost.exe[1492] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff5db9f8 6 bytes {JMP QWORD [RIP+0x164638]} .text C:\Windows\system32\taskhost.exe[1492] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff5dc8e0 6 bytes JMP 0 .text C:\Windows\system32\taskhost.exe[1492] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefeb1a6f0 6 bytes {JMP QWORD [RIP+0xb5940]} .text C:\Windows\system32\taskhost.exe[1492] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefeb40c10 6 bytes {JMP QWORD [RIP+0xaf420]} .text C:\Windows\system32\taskhost.exe[1492] C:\Windows\system32\SspiCli.dll!EncryptMessage 000007fefd3f50a0 6 bytes {JMP QWORD [RIP+0x4af90]} .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000779ef9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000779ef9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000779efcb0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000779efcb4 2 bytes [05, 70] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000779efd64 3 bytes JMP 6ff1000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000779efd68 2 bytes JMP 6ff1000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000779efdc8 3 bytes JMP 6ff7000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2548] 
C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000779efdcc 2 bytes JMP 6ff7000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000779efec0 3 bytes JMP 6fee000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000779efec4 2 bytes JMP 6fee000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000779effa4 3 bytes JMP 6ffa000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000779effa8 2 bytes JMP 6ffa000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000779f0004 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000779f0008 2 bytes [11, 70] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000779f0084 3 bytes JMP 700f000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000779f0088 2 bytes JMP 700f000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000779f00b4 3 bytes JMP 6ff4000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000779f00b8 2 bytes JMP 6ff4000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000779f03b8 3 bytes JMP 6fe2000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000779f03bc 2 bytes JMP 6fe2000a .text C:\Program Files 
(x86)\Malwarebytes Anti-Malware\mbam.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779f0550 3 bytes JMP 7015000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000779f0554 2 bytes JMP 7015000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000779f0694 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000779f0698 2 bytes [02, 70] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000779f088c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000779f0890 2 bytes [EA, 6F] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000779f08a4 3 bytes JMP 6fe5000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000779f08a8 2 bytes JMP 6fe5000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000779f0df4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000779f0df8 2 bytes [FF, 6F] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000779f0ed8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000779f0edc 2 bytes [E7, 6F] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2548] 
C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000779f1be4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000779f1be8 2 bytes [FC, 6F] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000779f1cb4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000779f1cb8 2 bytes [0B, 70] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000779f1d8c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2548] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000779f1d90 2 bytes [08, 70] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2548] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a11287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2548] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076af103d 6 bytes {JMP QWORD [RIP+0x719b001e]} .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2548] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076af1072 6 bytes {JMP QWORD [RIP+0x7198001e]} .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2548] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076b1c9b5 6 bytes {JMP QWORD [RIP+0x718f001e]} .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2548] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076622642 6 bytes {JMP QWORD [RIP+0x7195001e]} .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2548] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076625429 6 bytes {JMP QWORD [RIP+0x7192001e]} .text C:\Windows\Explorer.EXE[2052] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 
0000000077813b10 6 bytes {JMP QWORD [RIP+0x882c520]} .text C:\Windows\Explorer.EXE[2052] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778413a0 6 bytes {JMP QWORD [RIP+0x87dec90]} .text C:\Windows\Explorer.EXE[2052] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077841570 6 bytes {JMP QWORD [RIP+0x8d9eac0]} .text C:\Windows\Explorer.EXE[2052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778415e0 6 bytes {JMP QWORD [RIP+0x8e7ea50]} .text C:\Windows\Explorer.EXE[2052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077841620 6 bytes {JMP QWORD [RIP+0x8e3ea10]} .text C:\Windows\Explorer.EXE[2052] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778416c0 6 bytes {JMP QWORD [RIP+0x8e9e970]} .text C:\Windows\Explorer.EXE[2052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077841750 6 bytes {JMP QWORD [RIP+0x8e1e8e0]} .text C:\Windows\Explorer.EXE[2052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077841790 6 bytes {JMP QWORD [RIP+0x8d1e8a0]} .text C:\Windows\Explorer.EXE[2052] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778417e0 6 bytes {JMP QWORD [RIP+0x8d3e850]} .text C:\Windows\Explorer.EXE[2052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077841800 6 bytes {JMP QWORD [RIP+0x8e5e830]} .text C:\Windows\Explorer.EXE[2052] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778419f0 6 bytes {JMP QWORD [RIP+0x8f1e640]} .text C:\Windows\Explorer.EXE[2052] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077841b00 6 bytes {JMP QWORD [RIP+0x8cfe530]} .text C:\Windows\Explorer.EXE[2052] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077841bd0 6 bytes {JMP QWORD [RIP+0x8dbe460]} .text C:\Windows\Explorer.EXE[2052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077841d20 6 bytes {JMP QWORD [RIP+0x8ebe310]} .text C:\Windows\Explorer.EXE[2052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077841d30 6 bytes {JMP QWORD [RIP+0x8efe300]} .text C:\Windows\Explorer.EXE[2052] 
C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778420a0 6 bytes {JMP QWORD [RIP+0x8dddf90]} .text C:\Windows\Explorer.EXE[2052] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077842130 6 bytes {JMP QWORD [RIP+0x8eddf00]} .text C:\Windows\Explorer.EXE[2052] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778429a0 6 bytes {JMP QWORD [RIP+0x8dfd690]} .text C:\Windows\Explorer.EXE[2052] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077842a20 6 bytes {JMP QWORD [RIP+0x8d5d610]} .text C:\Windows\Explorer.EXE[2052] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077842aa0 6 bytes {JMP QWORD [RIP+0x8d7d590]} .text C:\Windows\Explorer.EXE[2052] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000775d98e0 6 bytes {JMP QWORD [RIP+0x8ac6750]} .text C:\Windows\Explorer.EXE[2052] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000775f0650 6 bytes {JMP QWORD [RIP+0x8a6f9e0]} .text C:\Windows\Explorer.EXE[2052] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007766acf0 6 bytes {JMP QWORD [RIP+0x8a15340]} .text C:\Windows\Explorer.EXE[2052] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd959055 3 bytes [B5, 6F, 1A] .text C:\Windows\Explorer.EXE[2052] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9653c0 5 bytes [FF, 25, 70, AC, 1E] .text C:\Windows\Explorer.EXE[2052] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff5d22cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\Explorer.EXE[2052] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff5d5bf0 6 bytes {JMP QWORD [RIP+0x12a440]} .text C:\Windows\Explorer.EXE[2052] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff5d8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\Explorer.EXE[2052] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff5d89d8 6 bytes JMP 43d9 .text C:\Windows\Explorer.EXE[2052] C:\Windows\system32\GDI32.dll!GetPixel 000007feff5d9344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\Explorer.EXE[2052] 
C:\Windows\system32\GDI32.dll!StretchBlt 000007feff5db9f8 6 bytes {JMP QWORD [RIP+0x164638]} .text C:\Windows\Explorer.EXE[2052] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff5dc8e0 6 bytes {JMP QWORD [RIP+0x143750]} .text C:\Windows\Explorer.EXE[2052] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 000007fefd3f50a0 6 bytes {JMP QWORD [RIP+0x4af90]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000779ef9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000779ef9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000779efcb0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000779efcb4 2 bytes {JMP 0x72} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000779efd64 3 bytes JMP 70d7000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000779efd68 2 bytes JMP 70d7000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000779efdc8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000779efdcc 2 bytes [DC, 70] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000779efec0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000779efec4 2 bytes [D3, 70] .text 
C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000779effa4 3 bytes JMP 70e0000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000779effa8 2 bytes JMP 70e0000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000779f0004 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000779f0008 2 bytes [F7, 70] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000779f0084 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000779f0088 2 bytes [F4, 70] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000779f00b4 3 bytes JMP 70da000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000779f00b8 2 bytes JMP 70da000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000779f03b8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000779f03bc 2 bytes [C7, 70] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779f0550 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000779f0554 2 bytes [FA, 70] .text 
C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000779f0694 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000779f0698 2 bytes [E8, 70] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000779f088c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000779f0890 2 bytes [D0, 70] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000779f08a4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000779f08a8 2 bytes [CA, 70] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000779f0df4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000779f0df8 2 bytes [E5, 70] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000779f0ed8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000779f0edc 2 bytes [CD, 70] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000779f1be4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000779f1be8 2 bytes [E2, 
70] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000779f1cb4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000779f1cb8 2 bytes [F1, 70] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000779f1d8c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000779f1d90 2 bytes [EE, 70] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a11287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076af103d 6 bytes {JMP QWORD [RIP+0x719b001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076af1072 6 bytes {JMP QWORD [RIP+0x7198001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076b1c9b5 6 bytes {JMP QWORD [RIP+0x718f001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076d7f784 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076d82c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076888332 6 bytes {JMP QWORD [RIP+0x715f001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update 
Core\NvBackend.exe[3528] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076888bff 6 bytes {JMP QWORD [RIP+0x7153001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000768890d3 6 bytes {JMP QWORD [RIP+0x7103001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076889679 6 bytes {JMP QWORD [RIP+0x714d001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000768897d2 6 bytes {JMP QWORD [RIP+0x7147001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007688ee09 6 bytes {JMP QWORD [RIP+0x7165001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007688efc9 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007688efcd 2 bytes [09, 71] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000768912a5 6 bytes {JMP QWORD [RIP+0x7159001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007689291f 6 bytes {JMP QWORD [RIP+0x712c001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\syswow64\USER32.dll!SetParent 0000000076892d64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076892d68 2 bytes [23, 71] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\syswow64\USER32.dll!EnableWindow 
0000000076892da4 6 bytes {JMP QWORD [RIP+0x7100001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076893698 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007689369c 2 bytes [20, 71] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076893baa 6 bytes {JMP QWORD [RIP+0x715c001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076893c61 6 bytes {JMP QWORD [RIP+0x7156001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076896110 6 bytes {JMP QWORD [RIP+0x7162001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007689612e 6 bytes {JMP QWORD [RIP+0x7150001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076896c30 6 bytes {JMP QWORD [RIP+0x7106001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076897603 6 bytes {JMP QWORD [RIP+0x7168001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076897668 6 bytes {JMP QWORD [RIP+0x713b001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000768976e0 6 bytes {JMP QWORD [RIP+0x7141001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007689781f 6 bytes {JMP 
QWORD [RIP+0x714a001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007689835c 6 bytes {JMP QWORD [RIP+0x716b001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007689c4b6 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007689c4ba 2 bytes [12, 71] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000768ac112 6 bytes {JMP QWORD [RIP+0x7138001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000768ad0f5 6 bytes {JMP QWORD [RIP+0x7135001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000768aeb96 6 bytes {JMP QWORD [RIP+0x7129001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000768aec68 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000768aec6c 2 bytes [2F, 71] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\syswow64\USER32.dll!SendInput 00000000768aff4a 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000768aff4e 2 bytes [32, 71] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000768c9f1d 6 bytes {JMP QWORD [RIP+0x710c001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update 
Core\NvBackend.exe[3528] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000768d1497 6 bytes {JMP QWORD [RIP+0x70fd001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\syswow64\USER32.dll!mouse_event 00000000768e027b 6 bytes {JMP QWORD [RIP+0x716e001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\syswow64\USER32.dll!keybd_event 00000000768e02bf 6 bytes {JMP QWORD [RIP+0x7171001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000768e6cfc 6 bytes {JMP QWORD [RIP+0x7144001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000768e6d5d 6 bytes {JMP QWORD [RIP+0x713e001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\syswow64\USER32.dll!BlockInput 00000000768e7dd7 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000768e7ddb 2 bytes [0F, 71] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000768e88eb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000768e88ef 2 bytes [26, 71] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000770b58b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000770b5ea6 6 bytes {JMP QWORD [RIP+0x717d001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000770b7bcc 6 bytes JMP 718d000a 
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000770bb895 6 bytes {JMP QWORD [RIP+0x7174001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000770bc332 6 bytes {JMP QWORD [RIP+0x717a001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000770bcbfb 6 bytes {JMP QWORD [RIP+0x7186001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000770be743 6 bytes {JMP QWORD [RIP+0x7189001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000770e4857 6 bytes {JMP QWORD [RIP+0x7177001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076622642 6 bytes {JMP QWORD [RIP+0x7195001e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076625429 6 bytes {JMP QWORD [RIP+0x7192001e]} .text C:\Windows\explorer.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077813b10 6 bytes JMP fe1a1f30 .text C:\Windows\explorer.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778413a0 6 bytes JMP 0 .text C:\Windows\explorer.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077841570 6 bytes {JMP QWORD [RIP+0x8d9eac0]} .text C:\Windows\explorer.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778415e0 6 bytes {JMP QWORD [RIP+0x8e7ea50]} .text C:\Windows\explorer.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077841620 6 bytes {JMP QWORD [RIP+0x8e3ea10]} .text C:\Windows\explorer.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778416c0 6 bytes {JMP QWORD 
[RIP+0x8e9e970]} .text C:\Windows\explorer.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077841750 6 bytes {JMP QWORD [RIP+0x8e1e8e0]} .text C:\Windows\explorer.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077841790 6 bytes {JMP QWORD [RIP+0x8d1e8a0]} .text C:\Windows\explorer.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778417e0 6 bytes JMP 0 .text C:\Windows\explorer.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077841800 6 bytes {JMP QWORD [RIP+0x8e5e830]} .text C:\Windows\explorer.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778419f0 6 bytes {JMP QWORD [RIP+0x8f1e640]} .text C:\Windows\explorer.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077841b00 6 bytes {JMP QWORD [RIP+0x8cfe530]} .text C:\Windows\explorer.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077841bd0 6 bytes {JMP QWORD [RIP+0x8dbe460]} .text C:\Windows\explorer.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077841d20 6 bytes {JMP QWORD [RIP+0x8ebe310]} .text C:\Windows\explorer.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077841d30 6 bytes {JMP QWORD [RIP+0x8efe300]} .text C:\Windows\explorer.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778420a0 6 bytes {JMP QWORD [RIP+0x8dddf90]} .text C:\Windows\explorer.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077842130 6 bytes {JMP QWORD [RIP+0x8eddf00]} .text C:\Windows\explorer.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778429a0 6 bytes {JMP QWORD [RIP+0x8dfd690]} .text C:\Windows\explorer.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077842a20 6 bytes {JMP QWORD [RIP+0x8d5d610]} .text C:\Windows\explorer.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077842aa0 6 bytes {JMP QWORD [RIP+0x8d7d590]} .text C:\Windows\explorer.exe[3568] 
C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000775d98e0 6 bytes {JMP QWORD [RIP+0x8ac6750]} .text C:\Windows\explorer.exe[3568] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000775f0650 6 bytes {JMP QWORD [RIP+0x8a6f9e0]} .text C:\Windows\explorer.exe[3568] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007766acf0 6 bytes {JMP QWORD [RIP+0x8a15340]} .text C:\Windows\explorer.exe[3568] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd959055 3 bytes [B5, 6F, 1A] .text C:\Windows\explorer.exe[3568] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9653c0 5 bytes [FF, 25, 70, AC, 1E] .text C:\Windows\explorer.exe[3568] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff5d22cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\explorer.exe[3568] C:\Windows\system32\GDI32.dll!BitBlt 000007feff5d24c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\explorer.exe[3568] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff5d5bf0 6 bytes {JMP QWORD [RIP+0x12a440]} .text C:\Windows\explorer.exe[3568] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff5d8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\explorer.exe[3568] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff5d89d8 6 bytes JMP 43d9 .text C:\Windows\explorer.exe[3568] C:\Windows\system32\GDI32.dll!GetPixel 000007feff5d9344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\explorer.exe[3568] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff5db9f8 6 bytes {JMP QWORD [RIP+0x164638]} .text C:\Windows\explorer.exe[3568] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff5dc8e0 6 bytes {JMP QWORD [RIP+0x143750]} .text C:\Windows\explorer.exe[3568] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 00000000776f6ef0 6 bytes {JMP QWORD [RIP+0x8ce9140]} .text C:\Windows\explorer.exe[3568] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00000000776f8184 6 bytes {JMP QWORD [RIP+0x8dc7eac]} .text C:\Windows\explorer.exe[3568] 
C:\Windows\system32\USER32.dll!SetParent 00000000776f8530 6 bytes {JMP QWORD [RIP+0x8d07b00]} .text C:\Windows\explorer.exe[3568] C:\Windows\system32\USER32.dll!SetWindowLongA 00000000776f9bcc 6 bytes {JMP QWORD [RIP+0x8a66464]} .text C:\Windows\explorer.exe[3568] C:\Windows\system32\USER32.dll!PostMessageA 00000000776fa404 6 bytes {JMP QWORD [RIP+0x8aa5c2c]} .text C:\Windows\explorer.exe[3568] C:\Windows\system32\USER32.dll!EnableWindow 00000000776faaa0 6 bytes {JMP QWORD [RIP+0x8e05590]} .text C:\Windows\explorer.exe[3568] C:\Windows\system32\USER32.dll!MoveWindow 00000000776faad0 6 bytes {JMP QWORD [RIP+0x8d25560]} .text C:\Windows\explorer.exe[3568] C:\Windows\system32\USER32.dll!GetAsyncKeyState 00000000776fc720 6 bytes {JMP QWORD [RIP+0x8cc3910]} .text C:\Windows\explorer.exe[3568] C:\Windows\system32\USER32.dll!RegisterHotKey 00000000776fcd50 6 bytes {JMP QWORD [RIP+0x8da32e0]} .text C:\Windows\explorer.exe[3568] C:\Windows\system32\USER32.dll!PostThreadMessageA 00000000776fd2b0 6 bytes {JMP QWORD [RIP+0x8ae2d80]} .text C:\Windows\explorer.exe[3568] C:\Windows\system32\USER32.dll!SendMessageA 00000000776fd338 6 bytes JMP 0 .text C:\Windows\explorer.exe[3568] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00000000776fdc40 6 bytes {JMP QWORD [RIP+0x8c023f0]} .text C:\Windows\explorer.exe[3568] C:\Windows\system32\USER32.dll!SystemParametersInfoW 00000000776ff510 6 bytes {JMP QWORD [RIP+0x8de0b20]} .text C:\Windows\explorer.exe[3568] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00000000776ff874 6 bytes {JMP QWORD [RIP+0x8a207bc]} .text C:\Windows\explorer.exe[3568] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 00000000776ffac0 6 bytes {JMP QWORD [RIP+0x8b80570]} .text C:\Windows\explorer.exe[3568] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000077700b74 6 bytes {JMP QWORD [RIP+0x8aff4bc]} .text C:\Windows\explorer.exe[3568] C:\Windows\system32\USER32.dll!SetWindowLongW 00000000777033b0 6 bytes {JMP QWORD [RIP+0x8a7cc80]} .text 
C:\Windows\explorer.exe[3568] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 0000000077704d4d 5 bytes {JMP QWORD [RIP+0x8a3b2e4]} .text C:\Windows\explorer.exe[3568] C:\Windows\system32\USER32.dll!GetKeyState 0000000077705010 6 bytes {JMP QWORD [RIP+0x8c9b020]} .text C:\Windows\explorer.exe[3568] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000077705438 6 bytes {JMP QWORD [RIP+0x8bbabf8]} .text C:\Windows\explorer.exe[3568] C:\Windows\system32\USER32.dll!SendMessageW 0000000077706b50 6 bytes JMP 0 .text C:\Windows\explorer.exe[3568] C:\Windows\system32\USER32.dll!PostMessageW 00000000777076e4 6 bytes {JMP QWORD [RIP+0x8ab894c]} .text C:\Windows\explorer.exe[3568] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 000000007770dd90 6 bytes {JMP QWORD [RIP+0x8c322a0]} .text C:\Windows\explorer.exe[3568] C:\Windows\system32\USER32.dll!GetClipboardData 000000007770e874 6 bytes {JMP QWORD [RIP+0x8d717bc]} .text C:\Windows\explorer.exe[3568] C:\Windows\system32\USER32.dll!SetClipboardViewer 000000007770f780 6 bytes JMP 0 .text C:\Windows\explorer.exe[3568] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000777128e4 6 bytes {JMP QWORD [RIP+0x8bcd74c]} .text C:\Windows\explorer.exe[3568] C:\Windows\system32\USER32.dll!mouse_event 0000000077713894 6 bytes {JMP QWORD [RIP+0x89cc79c]} .text C:\Windows\explorer.exe[3568] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000077718a10 6 bytes {JMP QWORD [RIP+0x8c67620]} .text C:\Windows\explorer.exe[3568] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000077718be0 6 bytes {JMP QWORD [RIP+0x8b47450]} .text C:\Windows\explorer.exe[3568] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000077718c20 6 bytes {JMP QWORD [RIP+0x89e7410]} .text C:\Windows\explorer.exe[3568] C:\Windows\system32\USER32.dll!SendInput 0000000077718cd0 6 bytes {JMP QWORD [RIP+0x8c47360]} .text C:\Windows\explorer.exe[3568] C:\Windows\system32\USER32.dll!BlockInput 000000007771ad60 6 bytes JMP 0 .text 
C:\Windows\explorer.exe[3568] C:\Windows\system32\USER32.dll!ExitWindowsEx 00000000777414e0 6 bytes {JMP QWORD [RIP+0x8ddeb50]} .text C:\Windows\explorer.exe[3568] C:\Windows\system32\USER32.dll!keybd_event 00000000777645a4 6 bytes {JMP QWORD [RIP+0x895ba8c]} .text C:\Windows\explorer.exe[3568] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 000000007776cc08 6 bytes {JMP QWORD [RIP+0x8bb3428]} .text C:\Windows\explorer.exe[3568] C:\Windows\system32\USER32.dll!SendMessageCallbackA 000000007776df18 6 bytes JMP 0 .text C:\Windows\explorer.exe[3568] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 000007fefd3f50a0 6 bytes {JMP QWORD [RIP+0x4af90]} .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000779ef9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000779ef9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000779efcb0 3 bytes JMP 70eb000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000779efcb4 2 bytes JMP 70eb000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000779efd64 3 bytes JMP 70d6000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000779efd68 2 bytes JMP 70d6000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000779efdc8 3 bytes JMP 70dc000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000779efdcc 2 bytes JMP 70dc000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] 
C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000779efec0 3 bytes JMP 70d3000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000779efec4 2 bytes JMP 70d3000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000779effa4 3 bytes JMP 70df000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000779effa8 2 bytes JMP 70df000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000779f0004 3 bytes JMP 70f7000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000779f0008 2 bytes JMP 70f7000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000779f0084 3 bytes JMP 70f4000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000779f0088 2 bytes JMP 70f4000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000779f00b4 3 bytes JMP 70d9000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000779f00b8 2 bytes JMP 70d9000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000779f03b8 3 bytes JMP 70c7000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000779f03bc 2 bytes JMP 70c7000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] 
C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779f0550 3 bytes JMP 70fa000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000779f0554 2 bytes JMP 70fa000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000779f0694 3 bytes JMP 70e8000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000779f0698 2 bytes JMP 70e8000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000779f088c 3 bytes JMP 70d0000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000779f0890 2 bytes JMP 70d0000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000779f08a4 3 bytes JMP 70ca000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000779f08a8 2 bytes JMP 70ca000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000779f0df4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000779f0df8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000779f0ed8 3 bytes JMP 70cd000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000779f0edc 2 bytes JMP 70cd000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] 
C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000779f1be4 3 bytes JMP 70e2000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000779f1be8 2 bytes JMP 70e2000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000779f1cb4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000779f1cb8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000779f1d8c 3 bytes JMP 70ee000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000779f1d90 2 bytes JMP 70ee000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a11287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076af103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076af1072 6 bytes JMP 7199000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076b1c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076d7f784 6 bytes JMP 719f000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076d82c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] 
C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000770b58b3 6 bytes JMP 717e000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000770b5ea6 6 bytes JMP 7178000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000770b7bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000770bb895 6 bytes JMP 716f000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000770bc332 6 bytes JMP 7175000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000770bcbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000770be743 6 bytes JMP 718a000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000770e4857 6 bytes JMP 7172000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076888332 6 bytes JMP 715a000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076888bff 6 bytes JMP 714e000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000768890d3 6 bytes JMP 7103000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076889679 6 bytes JMP 7148000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000768897d2 6 bytes JMP 7142000a .text C:\Program Files (x86)\IObit\Advanced 
SystemCare 7\ASCTray.exe[3604] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007688ee09 6 bytes JMP 7160000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007688efc9 3 bytes JMP 7109000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007688efcd 2 bytes JMP 7109000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000768912a5 6 bytes JMP 7154000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007689291f 6 bytes JMP 7127000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\syswow64\USER32.dll!SetParent 0000000076892d64 3 bytes JMP 7118000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076892d68 2 bytes JMP 7118000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076892da4 6 bytes JMP 7100000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076893698 3 bytes JMP 7115000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007689369c 2 bytes JMP 7115000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076893baa 6 bytes JMP 7157000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076893c61 6 bytes JMP 7151000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076896110 6 bytes 
JMP 715d000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007689612e 6 bytes JMP 714b000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076896c30 6 bytes JMP 7106000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076897603 6 bytes JMP 7163000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076897668 6 bytes JMP 7136000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000768976e0 6 bytes JMP 713c000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007689781f 6 bytes JMP 7145000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007689835c 6 bytes JMP 7166000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007689c4b6 3 bytes JMP 7112000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007689c4ba 2 bytes JMP 7112000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000768ac112 6 bytes JMP 7133000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000768ad0f5 6 bytes JMP 7130000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000768aeb96 6 bytes JMP 711e000a .text C:\Program Files 
(x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000768aec68 3 bytes JMP 712a000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000768aec6c 2 bytes JMP 712a000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\syswow64\USER32.dll!SendInput 00000000768aff4a 3 bytes JMP 712d000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000768aff4e 2 bytes JMP 712d000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000768c9f1d 6 bytes JMP 710c000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000768d1497 6 bytes JMP 70fd000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\syswow64\USER32.dll!mouse_event 00000000768e027b 6 bytes JMP 7169000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\syswow64\USER32.dll!keybd_event 00000000768e02bf 6 bytes JMP 716c000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000768e6cfc 6 bytes JMP 713f000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000768e6d5d 6 bytes JMP 7139000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\syswow64\USER32.dll!BlockInput 00000000768e7dd7 3 bytes JMP 710f000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000768e7ddb 2 bytes JMP 710f000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] 
C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000768e88eb 3 bytes JMP 711b000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000768e88ef 2 bytes JMP 711b000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076622642 6 bytes JMP 7196000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076625429 6 bytes JMP 7193000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 00000000753e124e 6 bytes JMP 717b000a .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000765d1465 2 bytes [5D, 76] .text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe[3604] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000765d14bb 2 bytes [5D, 76] .text ... 
* 2 .text C:\Users\Spid3r\AppData\Roaming\uTorrent\uTorrent.exe[3636] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000779ef9e0 3 bytes JMP 71af000a .text C:\Users\Spid3r\AppData\Roaming\uTorrent\uTorrent.exe[3636] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000779ef9e4 2 bytes JMP 71af000a .text C:\Users\Spid3r\AppData\Roaming\uTorrent\uTorrent.exe[3636] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000779efcb0 3 bytes [FF, 25, 1E] .text C:\Users\Spid3r\AppData\Roaming\uTorrent\uTorrent.exe[3636] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000779efcb4 2 bytes [F0, 70] .text C:\Users\Spid3r\AppData\Roaming\uTorrent\uTorrent.exe[3636] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000779efd64 3 bytes [FF, 25, 1E] .text C:\Users\Spid3r\AppData\Roaming\uTorrent\uTorrent.exe[3636] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000779efd68 2 bytes [DB, 70] .text C:\Users\Spid3r\AppData\Roaming\uTorrent\uTorrent.exe[3636] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000779efdc8 3 bytes [FF, 25, 1E] .text C:\Users\Spid3r\AppData\Roaming\uTorrent\uTorrent.exe[3636] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000779efdcc 2 bytes [E1, 70] .text C:\Users\Spid3r\AppData\Roaming\uTorrent\uTorrent.exe[3636] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000779efec0 3 bytes [FF, 25, 1E] .text C:\Users\Spid3r\AppData\Roaming\uTorrent\uTorrent.exe[3636] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000779efec4 2 bytes [D8, 70] .text C:\Users\Spid3r\AppData\Roaming\uTorrent\uTorrent.exe[3636] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000779effa4 3 bytes [FF, 25, 1E] .text C:\Users\Spid3r\AppData\Roaming\uTorrent\uTorrent.exe[3636] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000779effa8 2 bytes [E4, 70] .text C:\Users\Spid3r\AppData\Roaming\uTorrent\uTorrent.exe[3636] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000779f0004 3 bytes [FF, 25, 1E] .text 
C:\Users\Spid3r\AppData\Roaming\uTorrent\uTorrent.exe[3636] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000779f0008 2 bytes [FC, 70] .text C:\Users\Spid3r\AppData\Roaming\uTorrent\uTorrent.exe[3636] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000779f0084 3 bytes JMP 70fa000a .text C:\Users\Spid3r\AppData\Roaming\uTorrent\uTorrent.exe[3636] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000779f0088 2 bytes JMP 70fa000a .text C:\Users\Spid3r\AppData\Roaming\uTorrent\uTorrent.exe[3636] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000779f00b4 3 bytes JMP 70df000a .text C:\Users\Spid3r\AppData\Roaming\uTorrent\uTorrent.exe[3636] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000779f00b8 2 bytes JMP 70df000a .text C:\Users\Spid3r\AppData\Roaming\uTorrent\uTorrent.exe[3636] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000779f03b8 3 bytes JMP 70cd000a .text C:\Users\Spid3r\AppData\Roaming\uTorrent\uTorrent.exe[3636] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000779f03bc 2 bytes JMP 70cd000a .text C:\Users\Spid3r\AppData\Roaming\uTorrent\uTorrent.exe[3636] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779f0550 3 bytes JMP 7100000a .text C:\Users\Spid3r\AppData\Roaming\uTorrent\uTorrent.exe[3636] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000779f0554 2 bytes JMP 7100000a .text C:\Users\Spid3r\AppData\Roaming\uTorrent\uTorrent.exe[3636] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000779f0694 3 bytes [FF, 25, 1E] .text C:\Users\Spid3r\AppData\Roaming\uTorrent\uTorrent.exe[3636] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000779f0698 2 bytes [ED, 70] .text C:\Users\Spid3r\AppData\Roaming\uTorrent\uTorrent.exe[3636] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000779f088c 3 bytes [FF, 25, 1E] .text C:\Users\Spid3r\AppData\Roaming\uTorrent\uTorrent.exe[3636] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000779f0890 2 bytes [D5, 70] 
.text C:\Users\Spid3r\AppData\Roaming\uTorrent\uTorrent.exe[3636] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000779f08a4 3 bytes JMP 70d0000a .text C:\Users\Spid3r\AppData\Roaming\uTorrent\uTorrent.exe[3636] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000779f08a8 2 bytes JMP 70d0000a .text C:\Users\Spid3r\AppData\Roaming\uTorrent\uTorrent.exe[3636] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000779f0df4 3 bytes [FF, 25, 1E] .text C:\Users\Spid3r\AppData\Roaming\uTorrent\uTorrent.exe[3636] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000779f0df8 2 bytes [EA, 70] .text C:\Users\Spid3r\AppData\Roaming\uTorrent\uTorrent.exe[3636] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000779f0ed8 3 bytes [FF, 25, 1E] .text C:\Users\Spid3r\AppData\Roaming\uTorrent\uTorrent.exe[3636] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000779f0edc 2 bytes [D2, 70] .text C:\Users\Spid3r\AppData\Roaming\uTorrent\uTorrent.exe[3636] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000779f1be4 3 bytes [FF, 25, 1E] .text C:\Users\Spid3r\AppData\Roaming\uTorrent\uTorrent.exe[3636] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000779f1be8 2 bytes [E7, 70] .text C:\Users\Spid3r\AppData\Roaming\uTorrent\uTorrent.exe[3636] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000779f1cb4 3 bytes [FF, 25, 1E] .text C:\Users\Spid3r\AppData\Roaming\uTorrent\uTorrent.exe[3636] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000779f1cb8 2 bytes [F6, 70] .text C:\Users\Spid3r\AppData\Roaming\uTorrent\uTorrent.exe[3636] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000779f1d8c 3 bytes [FF, 25, 1E] .text C:\Users\Spid3r\AppData\Roaming\uTorrent\uTorrent.exe[3636] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000779f1d90 2 bytes [F3, 70] .text C:\Users\Spid3r\AppData\Roaming\uTorrent\uTorrent.exe[3636] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a11287 6 bytes {JMP QWORD 
[RIP+0x71a7001e]} .text C:\Users\Spid3r\AppData\Roaming\uTorrent\uTorrent.exe[3636] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076af103d 6 bytes {JMP QWORD [RIP+0x719b001e]} .text C:\Users\Spid3r\AppData\Roaming\uTorrent\uTorrent.exe[3636] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076af1072 6 bytes {JMP QWORD [RIP+0x7198001e]} .text C:\Users\Spid3r\AppData\Roaming\uTorrent\uTorrent.exe[3636] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076b1c9b5 6 bytes {JMP QWORD [RIP+0x718f001e]} .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[3768] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000779ef9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[3768] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000779ef9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[3768] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000779efcb0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[3768] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000779efcb4 2 bytes [E5, 70] .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[3768] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000779efd64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[3768] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000779efd68 2 bytes [D0, 70] .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[3768] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000779efdc8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[3768] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000779efdcc 2 bytes [D6, 70] .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[3768] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000779efec0 3 
bytes [FF, 25, 1E] .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[3768] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000779efec4 2 bytes [CD, 70] .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[3768] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000779effa4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[3768] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000779effa8 2 bytes [D9, 70] .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[3768] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000779f0004 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[3768] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000779f0008 2 bytes [F1, 70] .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[3768] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000779f0084 3 bytes JMP 70ef000a .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[3768] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000779f0088 2 bytes JMP 70ef000a .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[3768] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000779f00b4 3 bytes JMP 70d4000a .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[3768] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000779f00b8 2 bytes JMP 70d4000a .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[3768] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000779f03b8 3 bytes JMP 70c2000a .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[3768] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000779f03bc 2 bytes JMP 70c2000a .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[3768] 
C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779f0550 3 bytes JMP 70f5000a .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[3768] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000779f0554 2 bytes JMP 70f5000a .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[3768] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000779f0694 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[3768] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000779f0698 2 bytes [E2, 70] .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[3768] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000779f088c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[3768] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000779f0890 2 bytes [CA, 70] .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[3768] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000779f08a4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[3768] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000779f08a8 2 bytes [C4, 70] .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[3768] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000779f0df4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[3768] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000779f0df8 2 bytes [DF, 70] .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[3768] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000779f0ed8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[3768] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000779f0edc 2 bytes [C7, 70] .text C:\Program Files 
(x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[3768] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000779f1be4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[3768] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000779f1be8 2 bytes [DC, 70] .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[3768] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000779f1cb4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[3768] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000779f1cb8 2 bytes {JMP 0x72} .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[3768] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000779f1d8c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[3768] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000779f1d90 2 bytes [E8, 70] .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[3768] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a11287 6 bytes {JMP QWORD [RIP+0x71a7001e]} .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[3768] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076af103d 6 bytes {JMP QWORD [RIP+0x719b001e]} .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[3768] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076af1072 6 bytes {JMP QWORD [RIP+0x7198001e]} .text C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[3768] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076b1c9b5 6 bytes {JMP QWORD [RIP+0x718f001e]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077813b10 6 bytes {JMP QWORD [RIP+0x882c520]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3876] 
C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778413a0 6 bytes {JMP QWORD [RIP+0x87dec90]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077841570 6 bytes {JMP QWORD [RIP+0x8d9eac0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778415e0 6 bytes {JMP QWORD [RIP+0x8e7ea50]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077841620 6 bytes {JMP QWORD [RIP+0x8e3ea10]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778416c0 6 bytes {JMP QWORD [RIP+0x8e9e970]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077841750 6 bytes {JMP QWORD [RIP+0x8e1e8e0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077841790 6 bytes {JMP QWORD [RIP+0x8d1e8a0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778417e0 6 bytes {JMP QWORD [RIP+0x8d3e850]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077841800 6 bytes {JMP QWORD [RIP+0x8e5e830]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778419f0 6 bytes {JMP QWORD [RIP+0x8f1e640]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077841b00 6 bytes {JMP QWORD [RIP+0x8cfe530]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077841bd0 6 bytes 
{JMP QWORD [RIP+0x8dbe460]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077841d20 6 bytes {JMP QWORD [RIP+0x8ebe310]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077841d30 6 bytes {JMP QWORD [RIP+0x8efe300]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778420a0 6 bytes {JMP QWORD [RIP+0x8dddf90]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077842130 6 bytes {JMP QWORD [RIP+0x8eddf00]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778429a0 6 bytes {JMP QWORD [RIP+0x8dfd690]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077842a20 6 bytes {JMP QWORD [RIP+0x8d5d610]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077842aa0 6 bytes {JMP QWORD [RIP+0x8d7d590]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3876] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000775d98e0 6 bytes {JMP QWORD [RIP+0x8ac6750]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3876] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000775f0650 6 bytes {JMP QWORD [RIP+0x8a6f9e0]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3876] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007766acf0 6 bytes {JMP QWORD [RIP+0x8a15340]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3876] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd959055 3 bytes CALL 3000000 .text 
C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3876] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9653c0 5 bytes JMP 2 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3876] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff5d22cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3876] C:\Windows\system32\GDI32.dll!BitBlt 000007feff5d24c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3876] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff5d5bf0 6 bytes {JMP QWORD [RIP+0x12a440]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3876] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff5d8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3876] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff5d89d8 6 bytes {JMP QWORD [RIP+0x87658]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3876] C:\Windows\system32\GDI32.dll!GetPixel 000007feff5d9344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3876] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff5db9f8 6 bytes {JMP QWORD [RIP+0x164638]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3876] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff5dc8e0 6 bytes {JMP QWORD [RIP+0x143750]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3876] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 000007fefd3f50a0 6 bytes {JMP QWORD [RIP+0x4af90]} .text C:\Windows\system32\taskeng.exe[3728] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077813b10 6 bytes {JMP QWORD [RIP+0x882c520]} .text C:\Windows\system32\taskeng.exe[3728] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778413a0 6 bytes {JMP QWORD [RIP+0x87dec90]} .text C:\Windows\system32\taskeng.exe[3728] 
C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077841570 6 bytes {JMP QWORD [RIP+0x8d9eac0]} .text C:\Windows\system32\taskeng.exe[3728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778415e0 6 bytes {JMP QWORD [RIP+0x8e7ea50]} .text C:\Windows\system32\taskeng.exe[3728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077841620 6 bytes {JMP QWORD [RIP+0x8e3ea10]} .text C:\Windows\system32\taskeng.exe[3728] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778416c0 6 bytes {JMP QWORD [RIP+0x8e9e970]} .text C:\Windows\system32\taskeng.exe[3728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077841750 6 bytes {JMP QWORD [RIP+0x8e1e8e0]} .text C:\Windows\system32\taskeng.exe[3728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077841790 6 bytes {JMP QWORD [RIP+0x8d1e8a0]} .text C:\Windows\system32\taskeng.exe[3728] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778417e0 6 bytes {JMP QWORD [RIP+0x8d3e850]} .text C:\Windows\system32\taskeng.exe[3728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077841800 6 bytes {JMP QWORD [RIP+0x8e5e830]} .text C:\Windows\system32\taskeng.exe[3728] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778419f0 6 bytes {JMP QWORD [RIP+0x8f1e640]} .text C:\Windows\system32\taskeng.exe[3728] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077841b00 6 bytes {JMP QWORD [RIP+0x8cfe530]} .text C:\Windows\system32\taskeng.exe[3728] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077841bd0 6 bytes {JMP QWORD [RIP+0x8dbe460]} .text C:\Windows\system32\taskeng.exe[3728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077841d20 6 bytes {JMP QWORD [RIP+0x8ebe310]} .text C:\Windows\system32\taskeng.exe[3728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077841d30 6 bytes {JMP QWORD [RIP+0x8efe300]} .text C:\Windows\system32\taskeng.exe[3728] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778420a0 6 bytes {JMP QWORD [RIP+0x8dddf90]} .text 
C:\Windows\system32\taskeng.exe[3728] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077842130 6 bytes {JMP QWORD [RIP+0x8eddf00]} .text C:\Windows\system32\taskeng.exe[3728] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778429a0 6 bytes {JMP QWORD [RIP+0x8dfd690]} .text C:\Windows\system32\taskeng.exe[3728] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077842a20 6 bytes {JMP QWORD [RIP+0x8d5d610]} .text C:\Windows\system32\taskeng.exe[3728] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077842aa0 6 bytes {JMP QWORD [RIP+0x8d7d590]} .text C:\Windows\system32\taskeng.exe[3728] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd959055 3 bytes CALL 0 .text C:\Windows\system32\taskeng.exe[3728] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9653c0 5 bytes [FF, 25, 70, AC, 1E] .text C:\Windows\system32\taskeng.exe[3728] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff5d22cc 6 bytes JMP 0 .text C:\Windows\system32\taskeng.exe[3728] C:\Windows\system32\GDI32.dll!BitBlt 000007feff5d24c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\taskeng.exe[3728] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff5d5bf0 6 bytes {JMP QWORD [RIP+0x12a440]} .text C:\Windows\system32\taskeng.exe[3728] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff5d8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\taskeng.exe[3728] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff5d89d8 6 bytes {JMP QWORD [RIP+0x87658]} .text C:\Windows\system32\taskeng.exe[3728] C:\Windows\system32\GDI32.dll!GetPixel 000007feff5d9344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\taskeng.exe[3728] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff5db9f8 6 bytes {JMP QWORD [RIP+0x164638]} .text C:\Windows\system32\taskeng.exe[3728] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff5dc8e0 6 bytes JMP a2a .text C:\Windows\system32\taskeng.exe[3728] C:\Windows\system32\SspiCli.dll!EncryptMessage 
000007fefd3f50a0 6 bytes {JMP QWORD [RIP+0x4af90]} .text C:\Windows\system32\conhost.exe[3896] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd959055 3 bytes [B5, 6F, 1A] .text C:\Windows\system32\conhost.exe[3896] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9653c0 5 bytes JMP 0 .text C:\Windows\system32\conhost.exe[3896] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff5d22cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\conhost.exe[3896] C:\Windows\system32\GDI32.dll!BitBlt 000007feff5d24c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\conhost.exe[3896] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff5d5bf0 6 bytes {JMP QWORD [RIP+0x12a440]} .text C:\Windows\system32\conhost.exe[3896] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff5d8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\conhost.exe[3896] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff5d89d8 6 bytes {JMP QWORD [RIP+0x87658]} .text C:\Windows\system32\conhost.exe[3896] C:\Windows\system32\GDI32.dll!GetPixel 000007feff5d9344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\conhost.exe[3896] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff5db9f8 6 bytes {JMP QWORD [RIP+0x164638]} .text C:\Windows\system32\conhost.exe[3896] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff5dc8e0 6 bytes {JMP QWORD [RIP+0x143750]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077813b10 6 bytes {JMP QWORD [RIP+0x882c520]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778413a0 6 bytes {JMP QWORD [RIP+0x87dec90]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077841570 6 bytes {JMP QWORD [RIP+0x8d9eac0]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 
00000000778415e0 6 bytes {JMP QWORD [RIP+0x8e7ea50]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077841620 6 bytes {JMP QWORD [RIP+0x8e3ea10]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778416c0 6 bytes {JMP QWORD [RIP+0x8e9e970]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077841750 6 bytes {JMP QWORD [RIP+0x8e1e8e0]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077841790 6 bytes {JMP QWORD [RIP+0x8d1e8a0]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778417e0 6 bytes {JMP QWORD [RIP+0x8d3e850]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077841800 6 bytes {JMP QWORD [RIP+0x8e5e830]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778419f0 6 bytes {JMP QWORD [RIP+0x8f1e640]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077841b00 6 bytes {JMP QWORD [RIP+0x8cfe530]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077841bd0 6 bytes {JMP QWORD [RIP+0x8dbe460]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077841d20 6 bytes {JMP QWORD [RIP+0x8ebe310]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077841d30 6 bytes {JMP QWORD [RIP+0x8efe300]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778420a0 6 bytes {JMP 
QWORD [RIP+0x8dddf90]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077842130 6 bytes {JMP QWORD [RIP+0x8eddf00]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778429a0 6 bytes {JMP QWORD [RIP+0x8dfd690]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077842a20 6 bytes {JMP QWORD [RIP+0x8d5d610]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077842aa0 6 bytes {JMP QWORD [RIP+0x8d7d590]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[1044] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000775d98e0 6 bytes {JMP QWORD [RIP+0x8ac6750]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[1044] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000775f0650 6 bytes {JMP QWORD [RIP+0x8a6f9e0]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[1044] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007766acf0 6 bytes {JMP QWORD [RIP+0x8a15340]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[1044] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd959055 3 bytes [B5, 6F, 1A] .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[1044] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9653c0 5 bytes [FF, 25, 70, AC, 1E] .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[1044] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff5d22cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[1044] C:\Windows\system32\GDI32.dll!BitBlt 000007feff5d24c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[1044] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff5d5bf0 6 bytes JMP 0 .text C:\Program 
Files\COMODO\GeekBuddy\unit_manager.exe[1044] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff5d8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[1044] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff5d89d8 6 bytes {JMP QWORD [RIP+0x87658]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[1044] C:\Windows\system32\GDI32.dll!GetPixel 000007feff5d9344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[1044] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff5db9f8 6 bytes JMP 1185 .text C:\Program Files\COMODO\GeekBuddy\unit_manager.exe[1044] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff5dc8e0 6 bytes {JMP QWORD [RIP+0x143750]} .text C:\Program Files (x86)\IObit\Smart Defrag 3\SmartDefrag.exe[4332] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000779ef9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\IObit\Smart Defrag 3\SmartDefrag.exe[4332] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000779ef9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\IObit\Smart Defrag 3\SmartDefrag.exe[4332] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000779efcb0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\IObit\Smart Defrag 3\SmartDefrag.exe[4332] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000779efcb4 2 bytes [F0, 70] .text C:\Program Files (x86)\IObit\Smart Defrag 3\SmartDefrag.exe[4332] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000779efd64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\IObit\Smart Defrag 3\SmartDefrag.exe[4332] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000779efd68 2 bytes [DB, 70] .text C:\Program Files (x86)\IObit\Smart Defrag 3\SmartDefrag.exe[4332] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000779efdc8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\IObit\Smart Defrag 3\SmartDefrag.exe[4332] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000779efdcc 2 bytes [E1, 70] .text C:\Program Files 
(x86)\IObit\Smart Defrag 3\SmartDefrag.exe[4332] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000779efec0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\IObit\Smart Defrag 3\SmartDefrag.exe[4332] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000779efec4 2 bytes [D8, 70] .text C:\Program Files (x86)\IObit\Smart Defrag 3\SmartDefrag.exe[4332] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000779effa4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\IObit\Smart Defrag 3\SmartDefrag.exe[4332] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000779effa8 2 bytes [E4, 70] .text C:\Program Files (x86)\IObit\Smart Defrag 3\SmartDefrag.exe[4332] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000779f0004 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\IObit\Smart Defrag 3\SmartDefrag.exe[4332] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000779f0008 2 bytes [FC, 70] .text C:\Program Files (x86)\IObit\Smart Defrag 3\SmartDefrag.exe[4332] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000779f0084 3 bytes JMP 70fa000a .text C:\Program Files (x86)\IObit\Smart Defrag 3\SmartDefrag.exe[4332] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000779f0088 2 bytes JMP 70fa000a .text C:\Program Files (x86)\IObit\Smart Defrag 3\SmartDefrag.exe[4332] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000779f00b4 3 bytes JMP 70df000a .text C:\Program Files (x86)\IObit\Smart Defrag 3\SmartDefrag.exe[4332] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000779f00b8 2 bytes JMP 70df000a .text C:\Program Files (x86)\IObit\Smart Defrag 3\SmartDefrag.exe[4332] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000779f03b8 3 bytes JMP 70cd000a .text C:\Program Files (x86)\IObit\Smart Defrag 3\SmartDefrag.exe[4332] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000779f03bc 2 bytes JMP 70cd000a .text C:\Program Files (x86)\IObit\Smart Defrag 3\SmartDefrag.exe[4332] 
C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779f0550 3 bytes JMP 7100000a .text C:\Program Files (x86)\IObit\Smart Defrag 3\SmartDefrag.exe[4332] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000779f0554 2 bytes JMP 7100000a .text C:\Program Files (x86)\IObit\Smart Defrag 3\SmartDefrag.exe[4332] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000779f0694 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\IObit\Smart Defrag 3\SmartDefrag.exe[4332] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000779f0698 2 bytes [ED, 70] .text C:\Program Files (x86)\IObit\Smart Defrag 3\SmartDefrag.exe[4332] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000779f088c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\IObit\Smart Defrag 3\SmartDefrag.exe[4332] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000779f0890 2 bytes [D5, 70] .text C:\Program Files (x86)\IObit\Smart Defrag 3\SmartDefrag.exe[4332] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000779f08a4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\IObit\Smart Defrag 3\SmartDefrag.exe[4332] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000779f08a8 2 bytes [CF, 70] .text C:\Program Files (x86)\IObit\Smart Defrag 3\SmartDefrag.exe[4332] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000779f0df4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\IObit\Smart Defrag 3\SmartDefrag.exe[4332] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000779f0df8 2 bytes [EA, 70] .text C:\Program Files (x86)\IObit\Smart Defrag 3\SmartDefrag.exe[4332] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000779f0ed8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\IObit\Smart Defrag 3\SmartDefrag.exe[4332] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000779f0edc 2 bytes [D2, 70] .text C:\Program Files (x86)\IObit\Smart Defrag 3\SmartDefrag.exe[4332] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000779f1be4 3 bytes 
[FF, 25, 1E] .text C:\Program Files (x86)\IObit\Smart Defrag 3\SmartDefrag.exe[4332] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000779f1be8 2 bytes [E7, 70] .text C:\Program Files (x86)\IObit\Smart Defrag 3\SmartDefrag.exe[4332] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000779f1cb4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\IObit\Smart Defrag 3\SmartDefrag.exe[4332] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000779f1cb8 2 bytes [F6, 70] .text C:\Program Files (x86)\IObit\Smart Defrag 3\SmartDefrag.exe[4332] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000779f1d8c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\IObit\Smart Defrag 3\SmartDefrag.exe[4332] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000779f1d90 2 bytes [F3, 70] .text C:\Program Files (x86)\IObit\Smart Defrag 3\SmartDefrag.exe[4332] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a11287 6 bytes {JMP QWORD [RIP+0x71a7001e]} .text C:\Program Files (x86)\IObit\Smart Defrag 3\SmartDefrag.exe[4332] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076af103d 6 bytes {JMP QWORD [RIP+0x719b001e]} .text C:\Program Files (x86)\IObit\Smart Defrag 3\SmartDefrag.exe[4332] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076af1072 6 bytes {JMP QWORD [RIP+0x7198001e]} .text C:\Program Files (x86)\IObit\Smart Defrag 3\SmartDefrag.exe[4332] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076b1c9b5 6 bytes {JMP QWORD [RIP+0x718f001e]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[4776] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077813b10 6 bytes {JMP QWORD [RIP+0x882c520]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[4776] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778413a0 6 bytes JMP 244c894c .text C:\Program Files\COMODO\GeekBuddy\unit.exe[4776] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077841570 6 bytes {JMP QWORD [RIP+0x8d9eac0]} .text C:\Program 
Files\COMODO\GeekBuddy\unit.exe[4776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778415e0 6 bytes {JMP QWORD [RIP+0x8e7ea50]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[4776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077841620 6 bytes {JMP QWORD [RIP+0x8e3ea10]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[4776] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778416c0 6 bytes {JMP QWORD [RIP+0x8e9e970]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[4776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077841750 6 bytes {JMP QWORD [RIP+0x8e1e8e0]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[4776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077841790 6 bytes {JMP QWORD [RIP+0x8d1e8a0]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[4776] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778417e0 6 bytes {JMP QWORD [RIP+0x8d3e850]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[4776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077841800 6 bytes {JMP QWORD [RIP+0x8e5e830]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[4776] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778419f0 6 bytes {JMP QWORD [RIP+0x8f1e640]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[4776] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077841b00 6 bytes {JMP QWORD [RIP+0x8cfe530]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[4776] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077841bd0 6 bytes {JMP QWORD [RIP+0x8dbe460]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[4776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077841d20 6 bytes JMP 8e39b40 C:\Program Files\COMODO\GeekBuddy\QtScript4.dll .text C:\Program Files\COMODO\GeekBuddy\unit.exe[4776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077841d30 6 bytes JMP 8ec9e68 C:\Program Files\COMODO\GeekBuddy\QtScript4.dll .text C:\Program Files\COMODO\GeekBuddy\unit.exe[4776] 
C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778420a0 6 bytes {JMP QWORD [RIP+0x8dddf90]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[4776] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077842130 6 bytes {JMP QWORD [RIP+0x8eddf00]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[4776] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778429a0 6 bytes {JMP QWORD [RIP+0x8dfd690]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[4776] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077842a20 6 bytes {JMP QWORD [RIP+0x8d5d610]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[4776] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077842aa0 6 bytes {JMP QWORD [RIP+0x8d7d590]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[4776] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000775d98e0 6 bytes {JMP QWORD [RIP+0x8ac6750]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[4776] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000775f0650 6 bytes {JMP QWORD [RIP+0x8a6f9e0]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[4776] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007766acf0 6 bytes {JMP QWORD [RIP+0x8a15340]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[4776] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd959055 3 bytes [B5, 6F, 1A] .text C:\Program Files\COMODO\GeekBuddy\unit.exe[4776] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9653c0 5 bytes [FF, 25, 70, AC, 1E] .text C:\Program Files\COMODO\GeekBuddy\unit.exe[4776] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff5d22cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[4776] C:\Windows\system32\GDI32.dll!BitBlt 000007feff5d24c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[4776] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff5d5bf0 6 bytes JMP fd950000 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[4776] 
C:\Windows\system32\GDI32.dll!CreateDCW 000007feff5d8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[4776] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff5d89d8 6 bytes {JMP QWORD [RIP+0x87658]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[4776] C:\Windows\system32\GDI32.dll!GetPixel 000007feff5d9344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[4776] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff5db9f8 6 bytes JMP 1185 .text C:\Program Files\COMODO\GeekBuddy\unit.exe[4776] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff5dc8e0 6 bytes {JMP QWORD [RIP+0x143750]} .text C:\Program Files\COMODO\GeekBuddy\unit.exe[4776] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 000007fefd3f50a0 6 bytes {JMP QWORD [RIP+0x4af90]} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000779ef9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000779ef9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000779efcb0 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000779efcb4 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000779efd64 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000779efd68 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] 
C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000779efdc8 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000779efdcc 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000779efec0 3 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000779efec4 2 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000779effa4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000779effa8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000779f0004 3 bytes JMP 7103000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000779f0008 2 bytes JMP 7103000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000779f0084 3 bytes JMP 7100000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000779f0088 2 bytes JMP 7100000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000779f00b4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage 
Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000779f00b8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000779f03b8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000779f03bc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779f0550 3 bytes JMP 7106000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000779f0554 2 bytes JMP 7106000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000779f0694 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000779f0698 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000779f088c 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000779f0890 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000779f08a4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000779f08a8 2 bytes JMP 70d6000a .text 
C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000779f0df4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000779f0df8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000779f0ed8 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000779f0edc 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000779f1be4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000779f1be8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000779f1cb4 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000779f1cb8 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000779f1d8c 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000779f1d90 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 
0000000077a11287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\syswow64\KERNEL32.dll!CreateProcessW 0000000076af103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\syswow64\KERNEL32.dll!CreateProcessA 0000000076af1072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\syswow64\KERNEL32.dll!CreateProcessAsUserW 0000000076b1c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076d7f784 6 bytes JMP 719f000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076d82c9e 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076888332 6 bytes JMP 7160000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076888bff 6 bytes JMP 7154000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000768890d3 6 bytes JMP 710f000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076889679 6 bytes JMP 714e000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000768897d2 6 bytes JMP 7148000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] 
C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007688ee09 6 bytes JMP 7166000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007688efc9 3 bytes JMP 7115000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007688efcd 2 bytes JMP 7115000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000768912a5 6 bytes JMP 715a000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007689291f 6 bytes JMP 712d000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\syswow64\USER32.dll!SetParent 0000000076892d64 3 bytes JMP 7124000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076892d68 2 bytes JMP 7124000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076892da4 6 bytes JMP 710c000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076893698 3 bytes JMP 7121000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007689369c 2 bytes JMP 7121000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076893baa 6 bytes JMP 715d000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] 
C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076893c61 6 bytes JMP 7157000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076896110 6 bytes JMP 7163000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007689612e 6 bytes JMP 7151000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076896c30 6 bytes JMP 7112000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076897603 6 bytes JMP 7169000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076897668 6 bytes JMP 713c000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000768976e0 6 bytes JMP 7142000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007689781f 6 bytes JMP 714b000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007689835c 6 bytes JMP 716c000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007689c4b6 3 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007689c4ba 2 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage 
Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000768ac112 6 bytes JMP 7139000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000768ad0f5 6 bytes JMP 7136000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000768aeb96 6 bytes JMP 712a000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000768aec68 3 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000768aec6c 2 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\syswow64\USER32.dll!SendInput 00000000768aff4a 3 bytes JMP 7133000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000768aff4e 2 bytes JMP 7133000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000768c9f1d 6 bytes JMP 7118000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000768d1497 6 bytes JMP 7109000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\syswow64\USER32.dll!mouse_event 00000000768e027b 6 bytes JMP 716f000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\syswow64\USER32.dll!keybd_event 00000000768e02bf 6 bytes JMP 7172000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage 
Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000768e6cfc 6 bytes JMP 7145000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000768e6d5d 6 bytes JMP 713f000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\syswow64\USER32.dll!BlockInput 00000000768e7dd7 3 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000768e7ddb 2 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000768e88eb 3 bytes JMP 7127000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000768e88ef 2 bytes JMP 7127000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000770b58b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000770b5ea6 6 bytes JMP 717e000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000770b7bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000770bb895 6 bytes JMP 7175000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000770bc332 6 bytes JMP 717b000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage 
Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000770bcbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000770be743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000770e4857 6 bytes JMP 7178000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076622642 6 bytes JMP 7196000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076625429 6 bytes JMP 7193000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 00000000753e124e 6 bytes JMP 7181000a .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000765d1465 2 bytes [5D, 76] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2808] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000765d14bb 2 bytes [5D, 76] .text ... 
* 2 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5824] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077813b10 6 bytes {JMP QWORD [RIP+0x882c520]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5824] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778413a0 6 bytes {JMP QWORD [RIP+0x87dec90]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5824] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077841570 6 bytes {JMP QWORD [RIP+0x8d9eac0]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778415e0 6 bytes {JMP QWORD [RIP+0x8e7ea50]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077841620 6 bytes {JMP QWORD [RIP+0x8e3ea10]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5824] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778416c0 6 bytes {JMP QWORD [RIP+0x8e9e970]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077841750 6 bytes {JMP QWORD [RIP+0x8e1e8e0]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077841790 6 bytes {JMP QWORD [RIP+0x8d1e8a0]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5824] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778417e0 6 bytes {JMP QWORD [RIP+0x8d3e850]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077841800 6 bytes {JMP QWORD [RIP+0x8e5e830]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5824] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778419f0 6 bytes {JMP QWORD [RIP+0x8f1e640]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5824] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077841b00 6 bytes {JMP QWORD [RIP+0x8cfe530]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5824] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 
0000000077841bd0 6 bytes {JMP QWORD [RIP+0x8dbe460]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077841d20 6 bytes {JMP QWORD [RIP+0x8ebe310]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077841d30 6 bytes {JMP QWORD [RIP+0x8efe300]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5824] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778420a0 6 bytes {JMP QWORD [RIP+0x8dddf90]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5824] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077842130 6 bytes {JMP QWORD [RIP+0x8eddf00]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5824] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778429a0 6 bytes {JMP QWORD [RIP+0x8dfd690]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5824] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077842a20 6 bytes {JMP QWORD [RIP+0x8d5d610]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5824] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077842aa0 6 bytes {JMP QWORD [RIP+0x8d7d590]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5824] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000775d98e0 6 bytes {JMP QWORD [RIP+0x8ac6750]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5824] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000775f0650 6 bytes {JMP QWORD [RIP+0x8a6f9e0]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5824] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007766acf0 6 bytes {JMP QWORD [RIP+0x8a15340]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5824] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd959055 3 bytes [B5, 6F, 1A] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5824] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9653c0 5 bytes [FF, 25, 70, AC, 1E] .text C:\Program 
Files\Synaptics\SynTP\SynTPEnh.exe[5824] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff5d22cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5824] C:\Windows\system32\GDI32.dll!BitBlt 000007feff5d24c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5824] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff5d5bf0 6 bytes JMP 12a4a8 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5824] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff5d8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5824] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff5d89d8 6 bytes {JMP QWORD [RIP+0x87658]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5824] C:\Windows\system32\GDI32.dll!GetPixel 000007feff5d9344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5824] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff5db9f8 6 bytes JMP 1185 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5824] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff5dc8e0 6 bytes {JMP QWORD [RIP+0x143750]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5824] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefeb1a6f0 6 bytes {JMP QWORD [RIP+0xb5940]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5824] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefeb40c10 6 bytes {JMP QWORD [RIP+0xaf420]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5824] C:\Windows\system32\SspiCli.dll!EncryptMessage 000007fefd3f50a0 6 bytes {JMP QWORD [RIP+0xbaf90]} .text C:\Program Files\Nightly\firefox.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077813b10 6 bytes {JMP QWORD [RIP+0x882c520]} .text C:\Program Files\Nightly\firefox.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077817ac0 13 bytes {MOV R11, 0x7fefa6e2614; JMP R11} .text C:\Program Files\Nightly\firefox.exe[2032] 
C:\Windows\SYSTEM32\ntdll.dll!NtReadFile 0000000077841310 13 bytes {MOV R11, 0x7fee4d225ec; JMP R11} .text C:\Program Files\Nightly\firefox.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077841330 13 bytes {MOV R11, 0x7fee4d2279c; JMP R11} .text C:\Program Files\Nightly\firefox.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778413a0 6 bytes JMP 48000001 .text C:\Program Files\Nightly\firefox.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFileGather 0000000077841460 13 bytes {MOV R11, 0x7fee4d22874; JMP R11} .text C:\Program Files\Nightly\firefox.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077841570 6 bytes JMP 0 .text C:\Program Files\Nightly\firefox.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtReadFileScatter 0000000077841590 13 bytes {MOV R11, 0x7fee4d226c4; JMP R11} .text C:\Program Files\Nightly\firefox.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778415e0 6 bytes JMP 2b2b2b2b .text C:\Program Files\Nightly\firefox.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077841620 6 bytes JMP 0 .text C:\Program Files\Nightly\firefox.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778416c0 6 bytes JMP 2b2b2b2b .text C:\Program Files\Nightly\firefox.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077841750 6 bytes JMP a01c3e8 .text C:\Program Files\Nightly\firefox.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtFlushBuffersFile 0000000077841760 13 bytes {MOV R11, 0x7fee4d2294c; JMP R11} .text C:\Program Files\Nightly\firefox.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077841790 6 bytes JMP af0080 .text C:\Program Files\Nightly\firefox.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778417e0 6 bytes JMP 8d3ec58 .text C:\Program Files\Nightly\firefox.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077841800 6 bytes JMP 2b2b2b2b .text C:\Program Files\Nightly\firefox.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 
00000000778419f0 6 bytes JMP 2b2b2b2b .text C:\Program Files\Nightly\firefox.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077841b00 6 bytes {JMP QWORD [RIP+0x8cfe530]} .text C:\Program Files\Nightly\firefox.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077841bd0 6 bytes JMP 0 .text C:\Program Files\Nightly\firefox.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077841d20 6 bytes JMP 2b2b2b2b .text C:\Program Files\Nightly\firefox.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077841d30 6 bytes JMP 2b2b2b2b .text C:\Program Files\Nightly\firefox.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778420a0 6 bytes JMP 5a5a5a5a .text C:\Program Files\Nightly\firefox.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077842130 6 bytes JMP 2b2b2b2b .text C:\Program Files\Nightly\firefox.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 0000000077842410 13 bytes {MOV R11, 0x7fee4d22f94; JMP R11} .text C:\Program Files\Nightly\firefox.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778429a0 6 bytes JMP b494caa5 .text C:\Program Files\Nightly\firefox.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077842a20 6 bytes JMP 60080 .text C:\Program Files\Nightly\firefox.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077842aa0 6 bytes JMP 8d7d620 .text C:\Program Files\Nightly\firefox.exe[2032] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000775d98e0 6 bytes {JMP QWORD [RIP+0x8ac6750]} .text C:\Program Files\Nightly\firefox.exe[2032] C:\Windows\system32\kernel32.dll!SetUnhandledExceptionFilter 00000000775e9040 13 bytes {MOV R11, 0x7fee6269950; JMP R11} .text C:\Program Files\Nightly\firefox.exe[2032] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000775f0650 6 bytes {JMP QWORD [RIP+0x8a6f9e0]} .text C:\Program Files\Nightly\firefox.exe[2032] 
C:\Windows\system32\kernel32.dll!CreateProcessA 000000007766acf0 6 bytes {JMP QWORD [RIP+0x8a15340]} .text C:\Program Files\Nightly\firefox.exe[2032] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd959055 3 bytes [B5, 6F, 1A] .text C:\Program Files\Nightly\firefox.exe[2032] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9653c0 5 bytes [FF, 25, 70, AC, 1E] .text C:\Program Files\Nightly\firefox.exe[2032] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff5d22cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Program Files\Nightly\firefox.exe[2032] C:\Windows\system32\GDI32.dll!BitBlt 000007feff5d24c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Program Files\Nightly\firefox.exe[2032] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff5d5bf0 6 bytes {JMP QWORD [RIP+0x12a440]} .text C:\Program Files\Nightly\firefox.exe[2032] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff5d8398 6 bytes JMP 7310 .text C:\Program Files\Nightly\firefox.exe[2032] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff5d89d8 6 bytes JMP 43d9 .text C:\Program Files\Nightly\firefox.exe[2032] C:\Windows\system32\GDI32.dll!GetPixel 000007feff5d9344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Program Files\Nightly\firefox.exe[2032] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff5db9f8 6 bytes {JMP QWORD [RIP+0x164638]} .text C:\Program Files\Nightly\firefox.exe[2032] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff5dc8e0 6 bytes {JMP QWORD [RIP+0x143750]} .text C:\Program Files\Nightly\firefox.exe[2032] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefeb1a6f0 6 bytes {JMP QWORD [RIP+0xb5940]} .text C:\Program Files\Nightly\firefox.exe[2032] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefeb40c10 6 bytes JMP 1f501f40 .text C:\Program Files\Nightly\firefox.exe[2032] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 000007fefd3f50a0 6 bytes {JMP QWORD [RIP+0x4af90]} .text C:\Windows\system32\AUDIODG.EXE[5952] 
C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077813b10 6 bytes {JMP QWORD [RIP+0x882c520]} .text C:\Windows\system32\AUDIODG.EXE[5952] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778413a0 6 bytes {JMP QWORD [RIP+0x87dec90]} .text C:\Windows\system32\AUDIODG.EXE[5952] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077841570 6 bytes {JMP QWORD [RIP+0x8d9eac0]} .text C:\Windows\system32\AUDIODG.EXE[5952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778415e0 6 bytes {JMP QWORD [RIP+0x8e7ea50]} .text C:\Windows\system32\AUDIODG.EXE[5952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077841620 6 bytes {JMP QWORD [RIP+0x8e3ea10]} .text C:\Windows\system32\AUDIODG.EXE[5952] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778416c0 6 bytes {JMP QWORD [RIP+0x8e9e970]} .text C:\Windows\system32\AUDIODG.EXE[5952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077841750 6 bytes {JMP QWORD [RIP+0x8e1e8e0]} .text C:\Windows\system32\AUDIODG.EXE[5952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077841790 6 bytes {JMP QWORD [RIP+0x8d1e8a0]} .text C:\Windows\system32\AUDIODG.EXE[5952] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778417e0 6 bytes {JMP QWORD [RIP+0x8d3e850]} .text C:\Windows\system32\AUDIODG.EXE[5952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077841800 6 bytes {JMP QWORD [RIP+0x8e5e830]} .text C:\Windows\system32\AUDIODG.EXE[5952] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778419f0 6 bytes {JMP QWORD [RIP+0x8f1e640]} .text C:\Windows\system32\AUDIODG.EXE[5952] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077841b00 6 bytes {JMP QWORD [RIP+0x8cfe530]} .text C:\Windows\system32\AUDIODG.EXE[5952] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077841bd0 6 bytes {JMP QWORD [RIP+0x8dbe460]} .text C:\Windows\system32\AUDIODG.EXE[5952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077841d20 6 bytes {JMP QWORD [RIP+0x8ebe310]} .text 
C:\Windows\system32\AUDIODG.EXE[5952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077841d30 6 bytes {JMP QWORD [RIP+0x8efe300]} .text C:\Windows\system32\AUDIODG.EXE[5952] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778420a0 6 bytes {JMP QWORD [RIP+0x8dddf90]} .text C:\Windows\system32\AUDIODG.EXE[5952] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077842130 6 bytes {JMP QWORD [RIP+0x8eddf00]} .text C:\Windows\system32\AUDIODG.EXE[5952] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778429a0 6 bytes {JMP QWORD [RIP+0x8dfd690]} .text C:\Windows\system32\AUDIODG.EXE[5952] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077842a20 6 bytes {JMP QWORD [RIP+0x8d5d610]} .text C:\Windows\system32\AUDIODG.EXE[5952] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077842aa0 6 bytes {JMP QWORD [RIP+0x8d7d590]} .text C:\Windows\system32\AUDIODG.EXE[5952] C:\Windows\System32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd959055 3 bytes CALL 0 .text C:\Windows\system32\AUDIODG.EXE[5952] C:\Windows\System32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9653c0 5 bytes [FF, 25, 70, AC, 1E] .text C:\Windows\system32\AUDIODG.EXE[5952] C:\Windows\System32\GDI32.dll!DeleteDC 000007feff5d22cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\AUDIODG.EXE[5952] C:\Windows\System32\GDI32.dll!BitBlt 000007feff5d24c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\AUDIODG.EXE[5952] C:\Windows\System32\GDI32.dll!MaskBlt 000007feff5d5bf0 6 bytes JMP 0 .text C:\Windows\system32\AUDIODG.EXE[5952] C:\Windows\System32\GDI32.dll!CreateDCW 000007feff5d8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\AUDIODG.EXE[5952] C:\Windows\System32\GDI32.dll!CreateDCA 000007feff5d89d8 6 bytes {JMP QWORD [RIP+0x87658]} .text C:\Windows\system32\AUDIODG.EXE[5952] C:\Windows\System32\GDI32.dll!GetPixel 000007feff5d9344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\AUDIODG.EXE[5952] 
C:\Windows\System32\GDI32.dll!StretchBlt 000007feff5db9f8 6 bytes JMP 0 .text C:\Windows\system32\AUDIODG.EXE[5952] C:\Windows\System32\GDI32.dll!PlgBlt 000007feff5dc8e0 6 bytes JMP 0 .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000779ef9e0 3 bytes JMP 71af000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 00000000779ef9e4 2 bytes JMP 71af000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000779efcb0 3 bytes JMP 70f7000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 00000000779efcb4 2 bytes JMP 70f7000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000779efd64 3 bytes JMP 70e2000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000779efd68 2 bytes JMP 70e2000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000779efdc8 3 bytes JMP 70e8000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 00000000779efdcc 2 bytes JMP 70e8000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000779efec0 3 bytes JMP 70df000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 00000000779efec4 2 bytes JMP 70df000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000779effa4 3 bytes JMP 70eb000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 00000000779effa8 2 bytes JMP 70eb000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000779f0004 3 bytes JMP 7103000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 00000000779f0008 2 bytes JMP 7103000a .text 
C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 00000000779f0084 3 bytes JMP 7100000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 00000000779f0088 2 bytes JMP 7100000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000779f00b4 3 bytes JMP 70e5000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000779f00b8 2 bytes JMP 70e5000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000779f03b8 3 bytes JMP 70d3000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000779f03bc 2 bytes JMP 70d3000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779f0550 3 bytes JMP 7106000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000779f0554 2 bytes JMP 7106000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 00000000779f0694 3 bytes JMP 70f4000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 00000000779f0698 2 bytes JMP 70f4000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 00000000779f088c 3 bytes JMP 70dc000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 00000000779f0890 2 bytes JMP 70dc000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000779f08a4 3 bytes JMP 70d6000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000779f08a8 2 bytes JMP 70d6000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000779f0df4 3 bytes JMP 70f1000a .text 
C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 00000000779f0df8 2 bytes JMP 70f1000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 00000000779f0ed8 3 bytes JMP 70d9000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 00000000779f0edc 2 bytes JMP 70d9000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000779f1be4 3 bytes JMP 70ee000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 00000000779f1be8 2 bytes JMP 70ee000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 00000000779f1cb4 3 bytes JMP 70fd000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 00000000779f1cb8 2 bytes JMP 70fd000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000779f1d8c 3 bytes JMP 70fa000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 00000000779f1d90 2 bytes JMP 70fa000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a11287 6 bytes JMP 71a8000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076af103d 6 bytes JMP 719c000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076af1072 6 bytes JMP 7199000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076b1c9b5 6 bytes JMP 7190000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076d7f784 6 bytes JMP 719f000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076d82c9e 4 bytes CALL 
71ac0000 .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076888332 6 bytes JMP 7160000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076888bff 6 bytes JMP 7154000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000768890d3 6 bytes JMP 710f000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076889679 6 bytes JMP 714e000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000768897d2 6 bytes JMP 7148000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007688ee09 6 bytes JMP 7166000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007688efc9 3 bytes JMP 7115000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007688efcd 2 bytes JMP 7115000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000768912a5 6 bytes JMP 715a000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007689291f 6 bytes JMP 712d000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\syswow64\USER32.dll!SetParent 0000000076892d64 3 bytes JMP 7124000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076892d68 2 bytes JMP 7124000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076892da4 6 bytes JMP 710c000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076893698 3 bytes JMP 7121000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007689369c 2 bytes JMP 7121000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] 
C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076893baa 6 bytes JMP 715d000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076893c61 6 bytes JMP 7157000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076896110 6 bytes JMP 7163000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007689612e 6 bytes JMP 7151000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076896c30 6 bytes JMP 7112000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076897603 6 bytes JMP 7169000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076897668 6 bytes JMP 713c000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000768976e0 6 bytes JMP 7142000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007689781f 6 bytes JMP 714b000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007689835c 6 bytes JMP 716c000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007689c4b6 3 bytes JMP 711e000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007689c4ba 2 bytes JMP 711e000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 00000000768ac112 6 bytes JMP 7139000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 00000000768ad0f5 6 bytes JMP 7136000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000768aeb96 6 bytes JMP 712a000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] 
C:\Windows\syswow64\USER32.dll!GetKeyboardState 00000000768aec68 3 bytes JMP 7130000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 00000000768aec6c 2 bytes JMP 7130000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\syswow64\USER32.dll!SendInput 00000000768aff4a 3 bytes JMP 7133000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\syswow64\USER32.dll!SendInput + 4 00000000768aff4e 2 bytes JMP 7133000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\syswow64\USER32.dll!GetClipboardData 00000000768c9f1d 6 bytes JMP 7118000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 00000000768d1497 6 bytes JMP 7109000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\syswow64\USER32.dll!mouse_event 00000000768e027b 6 bytes JMP 716f000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\syswow64\USER32.dll!keybd_event 00000000768e02bf 6 bytes JMP 7172000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 00000000768e6cfc 6 bytes JMP 7145000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 00000000768e6d5d 6 bytes JMP 713f000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\syswow64\USER32.dll!BlockInput 00000000768e7dd7 3 bytes JMP 711b000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\syswow64\USER32.dll!BlockInput + 4 00000000768e7ddb 2 bytes JMP 711b000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000768e88eb 3 bytes JMP 7127000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000768e88ef 2 bytes JMP 7127000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000770b58b3 6 bytes JMP 7184000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000770b5ea6 6 bytes 
JMP 717e000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000770b7bcc 6 bytes JMP 718d000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000770bb895 6 bytes JMP 7175000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000770bc332 6 bytes JMP 717b000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000770bcbfb 6 bytes JMP 7187000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000770be743 6 bytes JMP 718a000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000770e4857 6 bytes JMP 7178000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076622642 6 bytes JMP 7196000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076625429 6 bytes JMP 7193000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 00000000753e124e 6 bytes JMP 7181000a .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000765d1465 2 bytes [5D, 76] .text C:\Users\Spid3r\Desktop\abc.exe[6168] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000765d14bb 2 bytes [5D, 76] .text ... 
* 2 ---- Devices - GMER 2.1 ---- Device \Driver\eugvmc \Device\CCEKrnl fffff8800c02365c ---- Processes - GMER 2.1 ---- Library C:\ProgramData\Microsoft\Secure\Icons\SecureIconsProvider.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [2052] (Secure overlay library/Microsoft)(2014-09-06 19:35:18) 000007fef66b0000 Library C:\ProgramData\Microsoft\Secure\Icons\IconsCacheHelper.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [2052] 000007fef0bf0000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy@Num 23 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\0@UID {AFB0F8A0-6393-4FBD-A0DD-E3178D72CAC6} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\0@Filename C:\Users\Spid3r\Desktop\abc.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\0@DeviceName C:\Users\Spid3r\Desktop\abc.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\0@LastID 2 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\0\Rules\0@UID {739DD997-DFAE-49EF-AD05-15BEA6E5E054} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\0\Rules\0@ID 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\1@UID {4F5D3FAD-8077-4C6A-9940-4C8511255592} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\1@Filename E:\!!!!Najwa?niejsze pliki\!Do optymalizacji\Clean-up Tools\GMER 2.1.19357.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\1@DeviceName E:\!!!!Najwa?niejsze pliki\!Do optymalizacji\Clean-up Tools\GMER 2.1.19357.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\1\Rules\0@UID {B6DCD950-932D-493C-A228-B44F7CB2CAFE} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\1\Rules\0@Action 6 Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\10@UID {F1170294-6E3C-4D23-8A15-5A28C2D14730} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\10@Filename C:\Program Files\COMODO\GeekBuddy\unit.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\10@DeviceName C:\Program Files\COMODO\GeekBuddy\unit.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\10@LastID 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\10\Rules\0@UID {883851C7-2DC0-453C-817B-EE961E3AAC61} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\10\Rules\0@ID 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\11@UID {A9FA461F-1A60-48FC-B4A0-B445BE157C70} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\11@Filename C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\11@DeviceName C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\11\Rules\0@UID {EE38C66C-4426-4A13-BA29-DC46235CF09C} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\12@UID {2A7BB183-8719-4C81-944A-029E0CF4601A} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\12@Filename C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\12@DeviceName C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\12\Rules\0@UID {75D56FEA-7C01-4B48-89B6-A0FCB602D360} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\13@UID 
{75D0C9E3-EA02-4319-9EC4-6BECDD91A4EA} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\13@Filename C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\13@DeviceName C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\13\Rules\0@UID {62AC87A1-25B5-4E97-83C2-8AA97DAC553A} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\14@UID {E7417DC1-A1C9-4CAB-BD6A-CDD61C8F6925} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\14@Filename C:\ProgramData\Comodo Downloader\cis\download\installs\3000\xml_binaries\privdog\privdog.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\14@DeviceName C:\ProgramData\Comodo Downloader\cis\download\installs\3000\xml_binaries\privdog\privdog.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\14\Rules\0@UID {0CC047F0-5040-4F40-A050-DF8B9FEA5B85} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\15@UID {6AEEF1AA-841C-44C9-953B-7B1AF3EE2A66} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\15@Flags 2 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\15@Filename C:\Windows\explorer.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\15@DeviceName C:\Windows\explorer.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\15@LastID 2 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\15@TreatAs Blokowana aplikacja Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\15\Rules@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\16@UID 
{034BCD9C-9F20-4BAA-AC4D-9C9711E76466} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\16@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\16@Filename C:\Program Files\NVIDIA Corporation\Display\nvtray.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\16@DeviceName C:\Program Files\NVIDIA Corporation\Display\nvtray.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\16@LastID 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\16@TreatAs Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\16\Rules@Num 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\16\Rules\0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\16\Rules\0@UID {053F8033-7458-4734-9B0E-9E03943270B2} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\16\Rules\0@Days 127 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\16\Rules\0@StartHour 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\16\Rules\0@StartMinute 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\16\Rules\0@StopHour 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\16\Rules\0@StopMinute 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\16\Rules\0@ID 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\16\Rules\0@Protocol 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\16\Rules\0@Action 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\16\Rules\0@Direction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\16\Rules\0@Description Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\16\Rules\0@IPProto 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\16\Rules\0\DestinationIP Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\16\Rules\0\DestinationIP@Type 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\16\Rules\0\DestinationIP@Name Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\16\Rules\0\DestinationIP\Address Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\16\Rules\0\DestinationIP\Address@Type 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\16\Rules\0\DestinationIP\Address\MAC Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\16\Rules\0\DestinationIP\Address\MAC@AddrType 8 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\16\Rules\0\DestinationIP\Address\MAC@MAC 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\16\Rules\0\SourceIP Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\16\Rules\0\SourceIP@Type 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\16\Rules\0\SourceIP@Name Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\16\Rules\0\SourceIP\Address Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\16\Rules\0\SourceIP\Address@Type 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\16\Rules\0\SourceIP\Address\MAC Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\16\Rules\0\SourceIP\Address\MAC@AddrType 8 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\16\Rules\0\SourceIP\Address\MAC@MAC 0x00 0x00 0x00 0x00 ... 
Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\17@UID {BBC23523-76C2-46B5-97B0-47DB74D2493D} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\17@Filename C:\Users\Spid3r\AppData\Roaming\uTorrent\uTorrent.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\17@DeviceName C:\Users\Spid3r\AppData\Roaming\uTorrent\uTorrent.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\17@LastID 2 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\17\Rules@Num 2 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\17\Rules\0@UID {34284C42-4C1B-4B8E-BD38-156AD29B77CE} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\17\Rules\0@ID 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\17\Rules\0@Direction 2 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\17\Rules\1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\17\Rules\1@UID {3DA555B2-CFEA-4E01-B394-CDC2B94FBF7A} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\17\Rules\1@Days 127 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\17\Rules\1@StartHour 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\17\Rules\1@StartMinute 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\17\Rules\1@StopHour 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\17\Rules\1@StopMinute 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\17\Rules\1@ID 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\17\Rules\1@Protocol 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\17\Rules\1@Action 2 Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\17\Rules\1@Direction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\17\Rules\1@Description Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\17\Rules\1@IPProto 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\17\Rules\1\DestinationIP Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\17\Rules\1\DestinationIP@Type 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\17\Rules\1\DestinationIP@Name Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\17\Rules\1\DestinationIP\Address Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\17\Rules\1\DestinationIP\Address@Type 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\17\Rules\1\DestinationIP\Address\MAC Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\17\Rules\1\DestinationIP\Address\MAC@AddrType 8 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\17\Rules\1\DestinationIP\Address\MAC@MAC 0x00 0x00 0x00 0x00 ... 
Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\17\Rules\1\SourceIP Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\17\Rules\1\SourceIP@Type 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\17\Rules\1\SourceIP@Name Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\17\Rules\1\SourceIP\Address Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\17\Rules\1\SourceIP\Address@Type 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\17\Rules\1\SourceIP\Address\MAC Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\17\Rules\1\SourceIP\Address\MAC@AddrType 8 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\17\Rules\1\SourceIP\Address\MAC@MAC 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\18@UID {2B47B710-06F5-43CA-B2E5-3861F3065FFD} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\18@Filename C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\18@DeviceName C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\18@LastID 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\18\Rules@Num 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\18\Rules\0@UID {B4500508-AEE3-4B4F-8E51-F9CEC74203CF} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\18\Rules\0@ID 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\18\Rules\0@Direction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19@UID 
{24F41E75-DF36-4CEB-A368-FEE3070034E9} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19@Filename System Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19@DeviceName System Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19@LastID 5 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules@Num 6 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\0@UID {8B8B2F64-F038-45B4-9EAF-134AD023B079} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\0@ID 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\0@Description Zezwól na wychodzące połączenia od Systemu, jeżeli odbiorca znajduje się w [Dom #3] Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\0\DestinationIP@Type 20 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\0\DestinationIP@Name Dom #3 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\1@UID {78B0FAE2-B783-4EA1-896A-AB3CF2440BF9} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\1@Days 127 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\1@StartHour 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\1@StartMinute 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\1@StopHour 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\1@StopMinute 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\1@ID 3 Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\1@Protocol 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\1@Action 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\1@Direction 2 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\1@Description Zezwól na przychodzące połączenia do Systemu, jeżeli nadawca znajduje się w [Dom #3] Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\1@IPProto 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\1\DestinationIP Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\1\DestinationIP@Type 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\1\DestinationIP@Name Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\1\DestinationIP\Address Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\1\DestinationIP\Address@Type 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\1\DestinationIP\Address\MAC Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\1\DestinationIP\Address\MAC@AddrType 8 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\1\DestinationIP\Address\MAC@MAC 0x00 0x00 0x00 0x00 ... 
Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\1\SourceIP Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\1\SourceIP@Type 20 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\1\SourceIP@Name Dom #3 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\1\SourceIP\Address Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\1\SourceIP\Address@Type 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\1\SourceIP\Address\MAC Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\1\SourceIP\Address\MAC@AddrType 8 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\1\SourceIP\Address\MAC@MAC 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\2 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\2@UID {984C2ACD-B5CE-4EC0-82E0-C7826FA92944} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\2@Days 127 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\2@StartHour 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\2@StartMinute 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\2@StopHour 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\2@StopMinute 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\2@ID 2 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\2@Protocol 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\2@Action 1 Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\2@Direction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\2@Description Zezwól na wychodzące połączenia od Systemu, jeżeli odbiorca znajduje się w [Dom #2] Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\2@IPProto 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\2\DestinationIP Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\2\DestinationIP@Type 20 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\2\DestinationIP@Name Dom #2 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\2\DestinationIP\Address Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\2\DestinationIP\Address@Type 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\2\DestinationIP\Address\MAC Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\2\DestinationIP\Address\MAC@AddrType 8 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\2\DestinationIP\Address\MAC@MAC 0x00 0x00 0x00 0x00 ... 
Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\2\SourceIP Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\2\SourceIP@Type 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\2\SourceIP@Name Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\2\SourceIP\Address Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\2\SourceIP\Address@Type 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\2\SourceIP\Address\MAC Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\2\SourceIP\Address\MAC@AddrType 8 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\2\SourceIP\Address\MAC@MAC 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\3 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\3@UID {C3D1DF88-5047-47E5-A8B5-FA10220413A9} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\3@Days 127 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\3@StartHour 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\3@StartMinute 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\3@StopHour 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\3@StopMinute 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\3@ID 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\3@Protocol 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\3@Action 1 Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\3@Direction 2 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\3@Description Zezwól na przychodzące połączenia do Systemu, jeżeli nadawca znajduje się w [Dom #2] Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\3@IPProto 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\3\DestinationIP Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\3\DestinationIP@Type 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\3\DestinationIP@Name Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\3\DestinationIP\Address Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\3\DestinationIP\Address@Type 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\3\DestinationIP\Address\MAC Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\3\DestinationIP\Address\MAC@AddrType 8 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\3\DestinationIP\Address\MAC@MAC 0x00 0x00 0x00 0x00 ... 
Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\3\SourceIP Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\3\SourceIP@Type 20 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\3\SourceIP@Name Dom #2 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\3\SourceIP\Address Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\3\SourceIP\Address@Type 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\3\SourceIP\Address\MAC Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\3\SourceIP\Address\MAC@AddrType 8 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\3\SourceIP\Address\MAC@MAC 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\4@UID {278015B9-FA07-4BB6-B408-EF4C348FE816} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\4@Days 127 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\4@StartHour 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\4@StartMinute 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\4@StopHour 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\4@StopMinute 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\4@ID 25512 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\4@Protocol 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\4@Action 1 Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\4@Direction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\4@Description Zezwól na wychodzące połączenia od Systemu, jeżeli odbiorca znajduje się w [Dom #1] Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\4@IPProto 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\4\DestinationIP Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\4\DestinationIP@Type 20 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\4\DestinationIP@Name Dom #1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\4\DestinationIP\Address Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\4\DestinationIP\Address@Type 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\4\DestinationIP\Address\MAC Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\4\DestinationIP\Address\MAC@AddrType 8 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\4\DestinationIP\Address\MAC@MAC 0x00 0x00 0x00 0x00 ... 
Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\4\SourceIP Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\4\SourceIP@Type 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\4\SourceIP@Name Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\4\SourceIP\Address Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\4\SourceIP\Address@Type 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\4\SourceIP\Address\MAC Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\4\SourceIP\Address\MAC@AddrType 8 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\4\SourceIP\Address\MAC@MAC 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\5 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\5@UID {3B3CE91E-08C4-4918-BF7E-78CB0C1CEE84} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\5@Days 127 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\5@StartHour 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\5@StartMinute 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\5@StopHour 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\5@StopMinute 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\5@ID 25512 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\5@Protocol 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\5@Action 1 Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\5@Direction 2 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\5@Description Zezwól na przychodzące połączenia do Systemu, jeżeli nadawca znajduje się w [Dom #1] Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\5@IPProto 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\5\DestinationIP Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\5\DestinationIP@Type 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\5\DestinationIP@Name Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\5\DestinationIP\Address Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\5\DestinationIP\Address@Type 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\5\DestinationIP\Address\MAC Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\5\DestinationIP\Address\MAC@AddrType 8 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\5\DestinationIP\Address\MAC@MAC 0x00 0x00 0x00 0x00 ... 
Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\5\SourceIP Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\5\SourceIP@Type 20 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\5\SourceIP@Name Dom #1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\5\SourceIP\Address Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\5\SourceIP\Address@Type 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\5\SourceIP\Address\MAC Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\5\SourceIP\Address\MAC@AddrType 8 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\19\Rules\5\SourceIP\Address\MAC@MAC 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\2@UID {95263607-2398-4D4E-B54A-E729F4C4D37A} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\2@Filename C:\Users\Spid3r\Desktop\Nowy folder\FRST x64.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\2@DeviceName C:\Users\Spid3r\Desktop\Nowy folder\FRST x64.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\2\Rules\0@UID {6A729528-5FB7-412F-BCD6-82BEDCB0DC21} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\2\Rules\0@Action 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\20@UID {24DF266A-3D21-4C66-975C-61C73F8E947F} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\20@Flags 3 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\20@DeviceName COMODO Internet Security Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\20@LastID 
1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\20@TreatAs Tylko wychodzące Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\20\Rules@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\21@UID {8D11056A-CF60-4B09-9C3B-8EA6A55AE342} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\21@Flags 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\21@DeviceName Aplikacje Windows Update Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\21@TreatAs Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\21\Rules@Num 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\21\Rules\0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\21\Rules\0@UID {A549396D-00FA-45F9-957D-2D1F181D1F4C} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\21\Rules\0@Days 127 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\21\Rules\0@StartHour 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\21\Rules\0@StartMinute 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\21\Rules\0@StopHour 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\21\Rules\0@StopMinute 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\21\Rules\0@ID 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\21\Rules\0@Protocol 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\21\Rules\0@Action 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\21\Rules\0@Direction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\21\Rules\0@Description Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\21\Rules\0@IPProto 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\21\Rules\0\DestinationIP Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\21\Rules\0\DestinationIP@Type 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\21\Rules\0\DestinationIP@Name Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\21\Rules\0\DestinationIP\Address Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\21\Rules\0\DestinationIP\Address@Type 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\21\Rules\0\DestinationIP\Address\MAC Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\21\Rules\0\DestinationIP\Address\MAC@AddrType 8 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\21\Rules\0\DestinationIP\Address\MAC@MAC 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\21\Rules\0\SourceIP Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\21\Rules\0\SourceIP@Type 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\21\Rules\0\SourceIP@Name Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\21\Rules\0\SourceIP\Address Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\21\Rules\0\SourceIP\Address@Type 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\21\Rules\0\SourceIP\Address\MAC Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\21\Rules\0\SourceIP\Address\MAC@AddrType 8 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\21\Rules\0\SourceIP\Address\MAC@MAC 0x00 0x00 0x00 0x00 ... 
Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\22@UID {FA4FBF44-C125-4662-BC51-BF2DF82BAC8A} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\22@DeviceName Systemowe aplikacje Windows Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\22\Rules\0@UID {66A7DAC7-155A-413A-827E-FB53374808FE} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\3@UID {E41696DC-03B5-4B91-BCFE-449719E6CAD5} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\3@Filename E:\!!!!Najwa?niejsze pliki\!Do optymalizacji\Clean-up Tools\AdwCleaner v3.310.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\3@DeviceName E:\!!!!Najwa?niejsze pliki\!Do optymalizacji\Clean-up Tools\AdwCleaner v3.310.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\3@LastID 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\3\Rules\0@UID {7F28DCD0-A835-45B6-9FA6-E82762F69A8E} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\3\Rules\0@ID 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\4@UID {EA979A65-9A8D-457E-AE16-D7C3C7704ED1} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\4@Filename C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\4@DeviceName C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\4\Rules\0@UID {12D704EF-1951-476D-9CEA-E6A7CB625691} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\5@UID {755867D8-EAF3-4B4D-B9A2-B47476920E09} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\5@Flags 2 Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\5@Filename C:\Program Files\Microsoft Office\Office15\WINWORD.EXE Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\5@DeviceName C:\Program Files\Microsoft Office\Office15\WINWORD.EXE Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\5@TreatAs Blokowana aplikacja Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\5\Rules@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\6@UID {E0A0CE58-60CE-4B31-A221-B1521A022774} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\6@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\6@Filename C:\Program Files\COMODO\GeekBuddy\unit_manager.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\6@DeviceName C:\Program Files\COMODO\GeekBuddy\unit_manager.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\6@TreatAs Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\6\Rules@Num 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\6\Rules\0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\6\Rules\0@UID {E4CA2799-4C27-4715-B7E1-95BE0D888F94} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\6\Rules\0@Days 127 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\6\Rules\0@StartHour 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\6\Rules\0@StartMinute 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\6\Rules\0@StopHour 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\6\Rules\0@StopMinute 0 Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\6\Rules\0@ID 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\6\Rules\0@Protocol 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\6\Rules\0@Action 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\6\Rules\0@Direction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\6\Rules\0@Description Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\6\Rules\0@IPProto 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\6\Rules\0\DestinationIP Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\6\Rules\0\DestinationIP@Type 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\6\Rules\0\DestinationIP@Name Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\6\Rules\0\DestinationIP\Address Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\6\Rules\0\DestinationIP\Address@Type 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\6\Rules\0\DestinationIP\Address\MAC Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\6\Rules\0\DestinationIP\Address\MAC@AddrType 8 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\6\Rules\0\DestinationIP\Address\MAC@MAC 0x00 0x00 0x00 0x00 ... 
Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\6\Rules\0\SourceIP Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\6\Rules\0\SourceIP@Type 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\6\Rules\0\SourceIP@Name Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\6\Rules\0\SourceIP\Address Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\6\Rules\0\SourceIP\Address@Type 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\6\Rules\0\SourceIP\Address\MAC Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\6\Rules\0\SourceIP\Address\MAC@AddrType 8 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\6\Rules\0\SourceIP\Address\MAC@MAC 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\7@UID {7762B09D-4D50-427B-8C3A-CC21C3E26DE6} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\7@Flags 2 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\7@Filename C:\Program Files\Greenshot\Greenshot.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\7@DeviceName C:\Program Files\Greenshot\Greenshot.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\7@TreatAs Blokowana aplikacja Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\7\Rules@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\8@UID {0BDDD6FC-0732-4DDD-855B-6E3FB9AB8602} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\8@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\8@Filename C:\Program Files\Nightly\plugin-container.exe Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\8@DeviceName C:\Program Files\Nightly\plugin-container.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\8@LastID 2 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\8@TreatAs Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\8\Rules@Num 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\8\Rules\0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\8\Rules\0@UID {8241BC07-AE79-41BD-9B43-83C248743D71} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\8\Rules\0@Days 127 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\8\Rules\0@StartHour 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\8\Rules\0@StartMinute 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\8\Rules\0@StopHour 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\8\Rules\0@StopMinute 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\8\Rules\0@ID 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\8\Rules\0@Protocol 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\8\Rules\0@Action 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\8\Rules\0@Direction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\8\Rules\0@Description Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\8\Rules\0@IPProto 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\8\Rules\0\DestinationIP Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\8\Rules\0\DestinationIP@Type 4 Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\8\Rules\0\DestinationIP@Name Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\8\Rules\0\DestinationIP\Address Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\8\Rules\0\DestinationIP\Address@Type 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\8\Rules\0\DestinationIP\Address\MAC Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\8\Rules\0\DestinationIP\Address\MAC@AddrType 8 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\8\Rules\0\DestinationIP\Address\MAC@MAC 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\8\Rules\0\SourceIP Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\8\Rules\0\SourceIP@Type 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\8\Rules\0\SourceIP@Name Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\8\Rules\0\SourceIP\Address Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\8\Rules\0\SourceIP\Address@Type 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\8\Rules\0\SourceIP\Address\MAC Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\8\Rules\0\SourceIP\Address\MAC@AddrType 8 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\8\Rules\0\SourceIP\Address\MAC@MAC 0x00 0x00 0x00 0x00 ... 
Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\9@UID {E6FD2CBE-BDC1-4473-AB8D-9BBDF3C83744} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\9@Filename C:\Program Files\Nightly\firefox.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\9@DeviceName C:\Program Files\Nightly\firefox.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\Firewall\Policy\9\Rules\0@UID {B50A71FF-4826-4FBA-B9BF-9B6CFA97707B} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy@Num 50 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\0@UID {276AF249-8E88-4CB3-B5D3-9DE5453C82AA} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\0@Filename C:\Windows\System32\taskhost.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\0@DeviceName C:\Windows\System32\taskhost.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\0\Rules\0\Allowed\0@UID {B1D207C4-5201-4F62-B50C-7042508DE4CD} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\0\Rules\0\Allowed\0@Filename *\Software\Microsoft\Cryptography\* Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\0\Rules\0\Allowed\0@DeviceName *\Software\Microsoft\Cryptography\* Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\1@UID {7E5B4C96-5B0F-4522-BB6F-CF14B9C49AC6} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\1@Flags 2 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\1@Filename C:\Users\Spid3r\Desktop\abc.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\1@DeviceName C:\Users\Spid3r\Desktop\abc.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\1@TreatAs Zaufana aplikacja Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\1\Rules@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\10@UID {73D04105-B1E6-4971-AB44-C25462A3113C} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\10@Flags 8 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\10@Filename C:\Users\Spid3r\AppData\Local\Mozilla\updates\A3710B8EBB50CD3\updates\0\updater.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\10@DeviceName C:\Users\Spid3r\AppData\Local\Mozilla\updates\A3710B8EBB50CD3\updates\0\updater.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\10\Rules@Num 2 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\10\Rules\0@Flags 16 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\10\Rules\0\Allowed@Num 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\10\Rules\0\Allowed\0@UID {7C61E978-5D4A-4884-93D0-A32ADF922706} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\10\Rules\0\Allowed\0@Filename C:\Program Files\Nightly\firefox.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\10\Rules\0\Allowed\0@DeviceName C:\Program Files\Nightly\firefox.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\10\Rules\0\Allowed\1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\10\Rules\0\Allowed\1@UID {0D6E6C7C-A36B-4D75-8FDC-FA0643CF84C3} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\10\Rules\0\Allowed\1@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\10\Rules\0\Allowed\1@Filename C:\Program Files\Nightly\xul.dll Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\10\Rules\0\Allowed\1@DeviceName C:\Program Files\Nightly\xul.dll Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\10\Rules\0\Allowed\2 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\10\Rules\0\Allowed\2@UID {F15435DC-C04C-4C16-A78C-F78A0E9032D3} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\10\Rules\0\Allowed\2@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\10\Rules\0\Allowed\2@Filename C:\Program Files\Nightly\xul.dll.moz-backup Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\10\Rules\0\Allowed\2@DeviceName C:\Program Files\Nightly\xul.dll.moz-backup Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\10\Rules\0\Allowed\3 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\10\Rules\0\Allowed\3@UID {167583CE-FCF7-4924-B64C-196B98FD58E6} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\10\Rules\0\Allowed\3@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\10\Rules\0\Allowed\3@Filename C:\Program Files\Nightly\webapprt-stub.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\10\Rules\0\Allowed\3@DeviceName C:\Program Files\Nightly\webapprt-stub.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\10\Rules\1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\10\Rules\1@Flags 2 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\10\Rules\1@DefaultAction 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\10\Rules\1\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\10\Rules\1\Allowed@Num 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\10\Rules\1\Allowed\0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\10\Rules\1\Allowed\0@UID 
{D4905946-BEA4-4F79-A6FC-BF8D0D195F0C} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\10\Rules\1\Allowed\0@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\10\Rules\1\Allowed\0@Filename C:\Users\Spid3r\AppData\Local\Mozilla\updates\A3710B8EBB50CD3\updates\0\updater.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\10\Rules\1\Allowed\0@DeviceName C:\Users\Spid3r\AppData\Local\Mozilla\updates\A3710B8EBB50CD3\updates\0\updater.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\10\Rules\1\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\10\Rules\1\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\11@UID {DF5CD941-CF71-4DBB-9A0D-47C07A3F3D3B} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\11@Filename C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\11@DeviceName C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\11\Rules\0\Allowed\0@UID {B4A18E91-96EC-49C5-8EF6-87EF50872B65} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\11\Rules\0\Allowed\0@Filename HKLM\SYSTEM\ControlSet???\Services\* Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\11\Rules\0\Allowed\0@DeviceName HKLM\SYSTEM\ControlSet???\Services\* Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\12@UID {2BC408AB-2BD3-4A06-8C35-F7CCA3B85687} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\12@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\12@Filename C:\Program Files (x86)\IObit\Smart Defrag 3\SmartDefrag.exe Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\12@DeviceName C:\Program Files (x86)\IObit\Smart Defrag 3\SmartDefrag.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\12\Rules@Num 12 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\12\Rules\0@Flags 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\12\Rules\0@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\12\Rules\0\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\12\Rules\1@Flags 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\12\Rules\1@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\12\Rules\1\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\12\Rules\10 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\12\Rules\10@Flags 512 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\12\Rules\10@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\12\Rules\10\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\12\Rules\10\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\12\Rules\10\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\12\Rules\10\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\12\Rules\11 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\12\Rules\11@Flags 2097152 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\12\Rules\11@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\12\Rules\11\Allowed Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\12\Rules\11\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\12\Rules\11\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\12\Rules\11\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\12\Rules\2 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\12\Rules\2@Flags 1024 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\12\Rules\2@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\12\Rules\2\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\12\Rules\2\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\12\Rules\2\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\12\Rules\2\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\12\Rules\3 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\12\Rules\3@Flags 2048 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\12\Rules\3@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\12\Rules\3\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\12\Rules\3\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\12\Rules\3\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\12\Rules\3\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\12\Rules\4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\12\Rules\4@Flags 4096 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\12\Rules\4@DefaultAction 1 Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\12\Rules\4\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\12\Rules\4\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\12\Rules\4\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\12\Rules\4\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\12\Rules\5 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\12\Rules\5@Flags 32 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\12\Rules\5@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\12\Rules\5\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\12\Rules\5\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\12\Rules\5\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\12\Rules\5\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\12\Rules\6 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\12\Rules\6@Flags 64 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\12\Rules\6@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\12\Rules\6\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\12\Rules\6\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\12\Rules\6\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\12\Rules\6\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\12\Rules\7 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\12\Rules\7@Flags 128 Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\12\Rules\7@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\12\Rules\7\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\12\Rules\7\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\12\Rules\7\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\12\Rules\7\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\12\Rules\8 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\12\Rules\8@Flags 256 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\12\Rules\8@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\12\Rules\8\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\12\Rules\8\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\12\Rules\8\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\12\Rules\8\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\12\Rules\9 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\12\Rules\9@Flags 65536 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\12\Rules\9@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\12\Rules\9\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\12\Rules\9\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\12\Rules\9\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\12\Rules\9\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\13@UID {1746A994-17F6-4B8C-AE22-180E18583F10} Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\13@Filename C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\13@DeviceName C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\13\Rules\0\Allowed\0@UID {29BD6C0E-07C4-4FFF-89BA-B7DA3C6DA8CB} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\13\Rules\0\Allowed\0@Filename *\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections* Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\13\Rules\0\Allowed\0@DeviceName *\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections* Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\14@UID {AB198D87-9157-4BA6-9839-10AA8C126909} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\14@Filename C:\Program Files\Easersoft\ExtremeCopy\ExtremeCopy.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\14@DeviceName C:\Program Files\Easersoft\ExtremeCopy\ExtremeCopy.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\14\Rules@Num 13 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\14\Rules\0@Flags 2097152 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\14\Rules\1@Flags 512 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\14\Rules\10@Flags 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\14\Rules\11@Flags 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\14\Rules\12 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\14\Rules\12@Flags 16 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\14\Rules\12@DefaultAction 4 Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\14\Rules\12\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\14\Rules\12\Allowed@Num 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\14\Rules\12\Allowed\0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\14\Rules\12\Allowed\0@UID {4C488C12-C688-44FD-9B47-6117E804BBBC} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\14\Rules\12\Allowed\0@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\14\Rules\12\Allowed\0@Filename *.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\14\Rules\12\Allowed\0@DeviceName *.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\14\Rules\12\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\14\Rules\12\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\14\Rules\2@Flags 65536 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\14\Rules\3@Flags 256 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\14\Rules\4@Flags 128 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\14\Rules\5@Flags 64 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\14\Rules\6@Flags 32 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\14\Rules\7@Flags 4096 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\14\Rules\8@Flags 2048 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\14\Rules\9@Flags 1024 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15@UID {42F80B01-E2C4-4EF4-BF0B-6F7B44918538} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15@Filename C:\Program Files\Microsoft 
Office\Office15\WINWORD.EXE Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15@DeviceName C:\Program Files\Microsoft Office\Office15\WINWORD.EXE Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules@Num 13 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\0\Allowed@Num 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\0\Allowed\0@UID {DA10CF28-0124-4DEF-BF63-50876780DD22} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\0\Allowed\0@Filename HKLM\SYSTEM\ControlSet???\Services\* Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\0\Allowed\0@DeviceName HKLM\SYSTEM\ControlSet???\Services\* Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\0\Allowed\1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\0\Allowed\1@UID {436892B9-673D-40F7-A52A-400681C6FFD3} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\0\Allowed\1@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\0\Allowed\1@Filename HKLM\SYSTEM\ControlSet???\Control\* Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\0\Allowed\1@DeviceName HKLM\SYSTEM\ControlSet???\Control\* Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\0\Allowed\2 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\0\Allowed\2@UID {2F6C1BCD-A035-4DF2-81F8-671A3FFC2355} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\0\Allowed\2@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\0\Allowed\2@Filename *\Software\Microsoft\SystemCertificates\* Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\0\Allowed\2@DeviceName *\Software\Microsoft\SystemCertificates\* Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\0\Allowed\3 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\0\Allowed\3@UID {4FB1B74A-8837-4D83-BAB4-877C4C5592F1} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\0\Allowed\3@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\0\Allowed\3@Filename *\SOFTWARE\Policies\* Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\0\Allowed\3@DeviceName *\SOFTWARE\Policies\* Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\1@Flags 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\1@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\1\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\1\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\1\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\1\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\10 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\10@Flags 65536 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\10@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\10\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\10\Allowed@Num 0 Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\10\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\10\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\11 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\11@Flags 512 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\11@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\11\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\11\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\11\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\11\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\12 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\12@Flags 2097152 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\12@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\12\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\12\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\12\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\12\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\2 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\2@Flags 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\2@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\2\Allowed Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\2\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\2\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\2\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\3 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\3@Flags 1024 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\3@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\3\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\3\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\3\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\3\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\4@Flags 2048 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\4@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\4\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\4\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\4\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\4\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\5 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\5@Flags 4096 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\5@DefaultAction 1 Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\5\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\5\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\5\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\5\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\6 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\6@Flags 32 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\6@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\6\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\6\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\6\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\6\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\7 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\7@Flags 64 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\7@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\7\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\7\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\7\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\7\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\8 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\8@Flags 128 Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\8@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\8\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\8\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\8\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\8\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\9 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\9@Flags 256 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\9@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\9\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\9\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\9\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\15\Rules\9\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\16@UID {F966289E-312F-4E71-A690-ACAF96237468} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\16@Filename C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\16@DeviceName C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\16\Rules@Num 14 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\16\Rules\0@Flags 16 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\16\Rules\0@DefaultAction 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\16\Rules\0\Allowed@Num 1 
Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\16\Rules\0\Allowed\0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\16\Rules\0\Allowed\0@UID {79BA004E-2661-41E4-A5AC-C39F88499DF9} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\16\Rules\0\Allowed\0@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\16\Rules\0\Allowed\0@Filename *.sys Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\16\Rules\0\Allowed\0@DeviceName *.sys Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\16\Rules\1@Flags 2097152 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\16\Rules\10@Flags 1024 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\16\Rules\11@Flags 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\16\Rules\12@Flags 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\16\Rules\12@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\16\Rules\12\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\16\Rules\13 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\16\Rules\13@Flags 8 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\16\Rules\13@DefaultAction 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\16\Rules\13\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\16\Rules\13\Allowed@Num 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\16\Rules\13\Allowed\0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\16\Rules\13\Allowed\0@UID {9B2ACB0E-1E01-44EF-B3D2-1FFC32D69821} Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\16\Rules\13\Allowed\0@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\16\Rules\13\Allowed\0@Filename HKLM\SYSTEM\ControlSet???\Services\* Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\16\Rules\13\Allowed\0@DeviceName HKLM\SYSTEM\ControlSet???\Services\* Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\16\Rules\13\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\16\Rules\13\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\16\Rules\2@Flags 512 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\16\Rules\3@Flags 65536 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\16\Rules\4@Flags 256 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\16\Rules\5@Flags 128 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\16\Rules\6@Flags 64 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\16\Rules\7@Flags 32 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\16\Rules\8@Flags 4096 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\16\Rules\9@Flags 2048 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\17@UID {F0366E27-580B-4D0A-ADCE-7C83429A0A8F} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\17@Filename C:\Users\Spid3r\Desktop\Nowy folder\OTL.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\17@DeviceName C:\Users\Spid3r\Desktop\Nowy folder\OTL.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\17\Rules@Num 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\17\Rules\0\Allowed@Num 1 Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\17\Rules\0\Allowed\0@UID {958A0402-FD68-4BF6-9F78-8B58425E4E7A} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\18@UID {A0192D4A-4231-417E-9C7D-945EA00FF4FB} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\18@Filename C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\18@DeviceName C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\18\Rules@Num 12 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\18\Rules\0@Flags 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\18\Rules\0@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\18\Rules\0\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\18\Rules\1@Flags 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\18\Rules\10@Flags 512 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\18\Rules\11@Flags 2097152 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\18\Rules\2@Flags 1024 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\18\Rules\3@Flags 2048 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\18\Rules\4@Flags 4096 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\18\Rules\5@Flags 32 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\18\Rules\7@Flags 128 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\18\Rules\8@Flags 256 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\18\Rules\9@Flags 65536 Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19@UID {714C065E-3730-4558-8525-99C7A98C1C6A} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19@Filename C:\Program Files\Nightly\plugin-container.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19@DeviceName C:\Program Files\Nightly\plugin-container.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules@Num 13 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\0\Allowed@Num 2 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\0\Allowed\0@UID {78816248-911D-48D7-987E-73C1979641D7} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\0\Allowed\1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\0\Allowed\1@UID {1C46C617-43E6-46E0-80A1-474609F4DB03} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\0\Allowed\1@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\0\Allowed\1@Filename HKLM\SYSTEM\ControlSet???\Control\* Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\0\Allowed\1@DeviceName HKLM\SYSTEM\ControlSet???\Control\* Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\1@Flags 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\1@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\1\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\1\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\1\Blocked Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\1\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\10 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\10@Flags 65536 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\10@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\10\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\10\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\10\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\10\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\11 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\11@Flags 512 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\11@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\11\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\11\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\11\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\11\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\12 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\12@Flags 2097152 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\12@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\12\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\12\Allowed@Num 0 Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\12\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\12\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\2 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\2@Flags 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\2@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\2\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\2\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\2\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\2\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\3 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\3@Flags 1024 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\3@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\3\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\3\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\3\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\3\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\4@Flags 2048 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\4@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\4\Allowed Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\4\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\4\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\4\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\5 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\5@Flags 4096 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\5@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\5\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\5\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\5\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\5\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\6 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\6@Flags 32 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\6@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\6\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\6\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\6\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\6\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\7 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\7@Flags 64 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\7@DefaultAction 1 Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\7\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\7\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\7\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\7\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\8 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\8@Flags 128 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\8@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\8\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\8\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\8\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\8\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\9 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\9@Flags 256 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\9@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\9\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\9\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\9\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\19\Rules\9\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2@UID {62F58D7E-0CE6-457B-A8AA-F787D408F80C} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2@Filename 
C:\Windows\SysWOW64\WerFault.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2@DeviceName C:\Windows\SysWOW64\WerFault.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules@Num 12 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules\0@Flags 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules\0@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules\0\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules\1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules\1@Flags 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules\1@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules\1\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules\1\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules\1\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules\1\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules\10 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules\10@Flags 512 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules\10@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules\10\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules\10\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules\10\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules\10\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules\11 
Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules\11@Flags 2097152 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules\11@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules\11\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules\11\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules\11\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules\11\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules\2 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules\2@Flags 1024 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules\2@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules\2\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules\2\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules\2\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules\2\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules\3 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules\3@Flags 2048 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules\3@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules\3\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules\3\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules\3\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules\3\Blocked@Num 0 Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules\4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules\4@Flags 4096 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules\4@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules\4\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules\4\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules\4\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules\4\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules\5 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules\5@Flags 32 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules\5@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules\5\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules\5\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules\5\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules\5\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules\6 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules\6@Flags 64 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules\6@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules\6\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules\6\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules\6\Blocked Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules\6\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules\7 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules\7@Flags 128 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules\7@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules\7\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules\7\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules\7\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules\7\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules\8 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules\8@Flags 256 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules\8@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules\8\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules\8\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules\8\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules\8\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules\9 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules\9@Flags 65536 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules\9@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules\9\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules\9\Allowed@Num 0 Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules\9\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules\9\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\20@UID {75ADE06D-365C-4C7A-BDF1-B0379C14BFC5} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\20@Filename C:\Program Files\Nightly\firefox.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\20@DeviceName C:\Program Files\Nightly\firefox.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\20\Rules@Num 15 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\20\Rules\0@Flags 16 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\20\Rules\0@DefaultAction 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\20\Rules\0\Allowed@Num 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\20\Rules\0\Allowed\0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\20\Rules\0\Allowed\0@UID {34BD769E-6B5B-4F4E-9CEA-E4465615B35C} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\20\Rules\0\Allowed\0@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\20\Rules\0\Allowed\0@Filename C:\Users\Spid3r\AppData\Local\Mozilla\updates\A3710B8EBB50CD3\updates\0\updater.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\20\Rules\0\Allowed\0@DeviceName C:\Users\Spid3r\AppData\Local\Mozilla\updates\A3710B8EBB50CD3\updates\0\updater.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\20\Rules\1@Flags 2 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\20\Rules\1@DefaultAction 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\20\Rules\1\Allowed@Num 3 Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\20\Rules\1\Allowed\0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\20\Rules\1\Allowed\0@UID {A081EB2E-5DE9-4A6E-A7B1-AD6963312920} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\20\Rules\1\Allowed\0@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\20\Rules\1\Allowed\0@Filename C:\Program Files\Nightly\plugin-container.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\20\Rules\1\Allowed\0@DeviceName C:\Program Files\Nightly\plugin-container.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\20\Rules\1\Allowed\1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\20\Rules\1\Allowed\1@UID {AED45E17-4156-4F49-9D22-F19D31467297} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\20\Rules\1\Allowed\1@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\20\Rules\1\Allowed\1@Filename C:\Users\Spid3r\AppData\Roaming\Mozilla\Firefox\Profiles\yt4pry3v.default-1410900132026\FlashGot.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\20\Rules\1\Allowed\1@DeviceName C:\Users\Spid3r\AppData\Roaming\Mozilla\Firefox\Profiles\yt4pry3v.default-1410900132026\FlashGot.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\20\Rules\1\Allowed\2 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\20\Rules\1\Allowed\2@UID {93039243-D8BC-434E-964E-08A0D52D8F3A} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\20\Rules\1\Allowed\2@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\20\Rules\1\Allowed\2@Filename C:\Users\Spid3r\AppData\Local\Mozilla\updates\A3710B8EBB50CD3\updates\0\updater.exe Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\20\Rules\1\Allowed\2@DeviceName C:\Users\Spid3r\AppData\Local\Mozilla\updates\A3710B8EBB50CD3\updates\0\updater.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\20\Rules\10@Flags 2048 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\20\Rules\11@Flags 1024 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\20\Rules\12 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\20\Rules\12@Flags 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\20\Rules\12@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\20\Rules\12\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\20\Rules\12\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\20\Rules\12\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\20\Rules\12\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\20\Rules\13 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\20\Rules\13@Flags 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\20\Rules\13@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\20\Rules\13\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\20\Rules\13\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\20\Rules\13\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\20\Rules\13\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\20\Rules\14 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\20\Rules\14@Flags 8 Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\20\Rules\14@DefaultAction 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\20\Rules\14\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\20\Rules\14\Allowed@Num 3 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\20\Rules\14\Allowed\0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\20\Rules\14\Allowed\0@UID {5D7CAB48-068F-4D84-97E8-3C55719FDFB7} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\20\Rules\14\Allowed\0@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\20\Rules\14\Allowed\0@Filename HKLM\SYSTEM\ControlSet???\Services\* Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\20\Rules\14\Allowed\0@DeviceName HKLM\SYSTEM\ControlSet???\Services\* Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\20\Rules\14\Allowed\1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\20\Rules\14\Allowed\1@UID {87D53682-73DA-46E2-8079-EF10CDC178B7} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\20\Rules\14\Allowed\1@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\20\Rules\14\Allowed\1@Filename *\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections* Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\20\Rules\14\Allowed\1@DeviceName *\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections* Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\20\Rules\14\Allowed\2 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\20\Rules\14\Allowed\2@UID {5C762237-FDE5-4CD6-8ADC-0DB137E80112} Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\20\Rules\14\Allowed\2@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\20\Rules\14\Allowed\2@Filename *\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Proxy* Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\20\Rules\14\Allowed\2@DeviceName *\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Proxy* Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\20\Rules\14\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\20\Rules\14\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\20\Rules\2@Flags 2097152 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\20\Rules\3@Flags 512 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\20\Rules\4@Flags 65536 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\20\Rules\5@Flags 256 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\20\Rules\6@Flags 128 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\20\Rules\7@Flags 64 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\20\Rules\8@Flags 32 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\20\Rules\9@Flags 4096 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\21@UID {7A6C8362-105D-49AB-BCD4-B43957CFAF21} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\21@Filename C:\Program Files\Greenshot\Greenshot.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\21@DeviceName C:\Program Files\Greenshot\Greenshot.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\21\Rules@Num 14 Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\21\Rules\0\Allowed@Num 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\21\Rules\0\Allowed\0@UID {3035FB54-0616-4793-A5A1-CD1EC9EF9E0B} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\21\Rules\1@Flags 2097152 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\21\Rules\10@Flags 1024 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\21\Rules\11@Flags 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\21\Rules\12@Flags 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\21\Rules\13 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\21\Rules\13@Flags 2 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\21\Rules\13@DefaultAction 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\21\Rules\13\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\21\Rules\13\Allowed@Num 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\21\Rules\13\Allowed\0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\21\Rules\13\Allowed\0@UID {AD058D20-A648-4C1F-90F0-D24ADD07CA28} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\21\Rules\13\Allowed\0@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\21\Rules\13\Allowed\0@Filename C:\Program Files\Greenshot\Plugins\GreenshotOCRPlugin\GreenshotOCRCommand.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\21\Rules\13\Allowed\0@DeviceName C:\Program Files\Greenshot\Plugins\GreenshotOCRPlugin\GreenshotOCRCommand.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\21\Rules\13\Blocked Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\21\Rules\13\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\21\Rules\2@Flags 512 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\21\Rules\3@Flags 65536 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\21\Rules\4@Flags 256 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\21\Rules\5@Flags 128 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\21\Rules\6@Flags 64 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\21\Rules\7@Flags 32 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\21\Rules\8@Flags 4096 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\21\Rules\9@Flags 2048 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\22@UID {512492F5-C878-4D19-A347-FCBCD8764D84} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\22@Filename C:\Users\Spid3r\AppData\Roaming\uTorrent\uTorrent.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\22@DeviceName C:\Users\Spid3r\AppData\Roaming\uTorrent\uTorrent.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\22\Rules@Num 14 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\22\Rules\0@Flags 8 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\22\Rules\0\Allowed@Num 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\22\Rules\0\Allowed\0@UID {587AC701-6DC6-4DEB-BDC8-D718AC8B46E4} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\22\Rules\0\Allowed\0@Filename *\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections* Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\22\Rules\0\Allowed\0@DeviceName *\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections* Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\22\Rules\0\Allowed\1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\22\Rules\0\Allowed\1@UID {AAB2DF81-C50E-4325-BD09-FE1112418697} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\22\Rules\0\Allowed\1@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\22\Rules\0\Allowed\1@Filename HKLM\SYSTEM\ControlSet???\Control\* Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\22\Rules\0\Allowed\1@DeviceName HKLM\SYSTEM\ControlSet???\Control\* Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\22\Rules\0\Allowed\2 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\22\Rules\0\Allowed\2@UID {1D449BAD-4028-42BC-A457-5E48F8F318D2} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\22\Rules\0\Allowed\2@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\22\Rules\0\Allowed\2@Filename *\Software\Microsoft\Windows\CurrentVersion\Run* Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\22\Rules\0\Allowed\2@DeviceName *\Software\Microsoft\Windows\CurrentVersion\Run* Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\22\Rules\0\Allowed\3 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\22\Rules\0\Allowed\3@UID {EDC4EAB5-EFF9-4665-A654-4DD099BDD642} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\22\Rules\0\Allowed\3@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\22\Rules\0\Allowed\3@Filename HKLM\SYSTEM\ControlSet???\Services\* Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\22\Rules\0\Allowed\3@DeviceName HKLM\SYSTEM\ControlSet???\Services\* Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\22\Rules\1@Flags 16 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\22\Rules\1\Allowed@Num 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\22\Rules\1\Allowed\0@UID {96B6267C-356A-41F2-BC7C-B97755CC082A} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\22\Rules\1\Allowed\0@Filename *.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\22\Rules\1\Allowed\0@DeviceName *.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\22\Rules\10@Flags 256 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\22\Rules\11@Flags 65536 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\22\Rules\12@Flags 512 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\22\Rules\13@Flags 2097152 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\22\Rules\2@Flags 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\22\Rules\3@Flags 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\22\Rules\4@Flags 1024 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\22\Rules\5@Flags 2048 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\22\Rules\6@Flags 4096 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\22\Rules\7@Flags 32 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\22\Rules\8@Flags 64 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\22\Rules\9@Flags 128 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\23@UID 
{8F394770-C8F8-4096-AD09-6ACB76B20C5C} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\23@Filename C:\Program Files\Synaptics\SynTP\SynTPEnh.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\23@DeviceName C:\Program Files\Synaptics\SynTP\SynTPEnh.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\23\Rules@Num 13 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\23\Rules\0@Flags 2097152 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\23\Rules\0@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\23\Rules\0\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\23\Rules\1@Flags 512 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\23\Rules\10@Flags 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\23\Rules\11@Flags 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\23\Rules\12@Flags 2 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\23\Rules\12@DefaultAction 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\23\Rules\12\Allowed@Num 2 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\23\Rules\12\Allowed\0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\23\Rules\12\Allowed\0@UID {9D0B9045-4108-4D37-8E0F-F247D2174502} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\23\Rules\12\Allowed\0@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\23\Rules\12\Allowed\0@Filename C:\Program Files\Synaptics\SynTP\SynTPEnh.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\23\Rules\12\Allowed\0@DeviceName C:\Program Files\Synaptics\SynTP\SynTPEnh.exe Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\23\Rules\12\Allowed\1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\23\Rules\12\Allowed\1@UID {A5F2242D-F541-45F1-B08F-4A711659499C} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\23\Rules\12\Allowed\1@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\23\Rules\12\Allowed\1@Filename C:\Program Files\Synaptics\SynTP\SynTPHelper.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\23\Rules\12\Allowed\1@DeviceName C:\Program Files\Synaptics\SynTP\SynTPHelper.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\23\Rules\2@Flags 65536 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\23\Rules\3@Flags 256 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\23\Rules\4@Flags 128 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\23\Rules\5@Flags 64 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\23\Rules\6@Flags 32 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\23\Rules\7@Flags 4096 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\23\Rules\8@Flags 2048 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\23\Rules\9@Flags 1024 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\24@UID {F761561D-BD17-453D-9EC3-D0336A5296BA} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\24@Filename C:\Program Files (x86)\Launch Manager\QtZgAcer.EXE Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\24@DeviceName C:\Program Files (x86)\Launch Manager\QtZgAcer.EXE Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\24\Rules@Num 13 Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\24\Rules\0@Flags 2097152 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\24\Rules\0@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\24\Rules\0\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\24\Rules\1@Flags 512 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\24\Rules\1@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\24\Rules\1\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\24\Rules\10@Flags 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\24\Rules\11@Flags 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\24\Rules\12@Flags 8 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\24\Rules\12@DefaultAction 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\24\Rules\12\Allowed@Num 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\24\Rules\12\Allowed\0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\24\Rules\12\Allowed\0@UID {AB989D54-F012-4E04-A67F-4D4D7862EA1D} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\24\Rules\12\Allowed\0@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\24\Rules\12\Allowed\0@Filename *\SOFTWARE\Classes\*\shell* Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\24\Rules\12\Allowed\0@DeviceName *\SOFTWARE\Classes\*\shell* Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\24\Rules\2@Flags 65536 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\24\Rules\3@Flags 256 Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\24\Rules\4@Flags 128 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\24\Rules\5@Flags 64 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\24\Rules\6@Flags 32 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\24\Rules\7@Flags 4096 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\24\Rules\8@Flags 2048 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\24\Rules\9@Flags 1024 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\25@UID {E088B8CC-3AF8-42FC-8076-EEA0CDDCDA51} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\25@Filename C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\25@DeviceName C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\25\Rules@Num 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\25\Rules\0@Flags 8 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\25\Rules\0@DefaultAction 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\25\Rules\0\Allowed@Num 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\25\Rules\0\Allowed\0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\25\Rules\0\Allowed\0@UID {D13784CB-E734-4ED4-98E8-491A9EF793AF} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\25\Rules\0\Allowed\0@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\25\Rules\0\Allowed\0@Filename HKUS\*\Control Panel* Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\25\Rules\0\Allowed\0@DeviceName HKUS\*\Control Panel* Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\26@UID {7D2BCD8C-17F1-40BA-AA32-6A0BFDED1053} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\26@Filename C:\Windows\System32\sppsvc.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\26@DeviceName C:\Windows\System32\sppsvc.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\26\Rules@Num 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\26\Rules\0@Flags 16 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\26\Rules\0@DefaultAction 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\26\Rules\0\Allowed@Num 2 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\26\Rules\0\Allowed\0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\26\Rules\0\Allowed\0@UID {9B5A4E05-6E22-4043-8F54-6E0AD7172066} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\26\Rules\0\Allowed\0@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\26\Rules\0\Allowed\0@Filename C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\26\Rules\0\Allowed\0@DeviceName C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\26\Rules\0\Allowed\1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\26\Rules\0\Allowed\1@UID {56D93F57-2B29-4B90-869D-4D93B9E7873E} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\26\Rules\0\Allowed\1@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\26\Rules\0\Allowed\1@Filename 
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\26\Rules\0\Allowed\1@DeviceName C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\27@UID {5FC13022-725F-43BC-B6A5-EA74DCD34ED1} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\27@Filename C:\Program Files (x86)\IObit\Advanced SystemCare 7\DelayLoad.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\27@DeviceName C:\Program Files (x86)\IObit\Advanced SystemCare 7\DelayLoad.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\27\Rules\0@Flags 2 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\27\Rules\0\Allowed@Num 2 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\27\Rules\0\Allowed\0@UID {D29541A3-918C-47F7-BEFB-535BEF2309B7} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\27\Rules\0\Allowed\0@Filename C:\Program Files (x86)\Launch Manager\QtZgAcer.EXE Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\27\Rules\0\Allowed\0@DeviceName C:\Program Files (x86)\Launch Manager\QtZgAcer.EXE Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\27\Rules\0\Allowed\1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\27\Rules\0\Allowed\1@UID {824785B6-7AEF-47F1-86AB-4ED845DE243B} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\27\Rules\0\Allowed\1@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\27\Rules\0\Allowed\1@Filename C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\27\Rules\0\Allowed\1@DeviceName C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\28@UID {7C99FA2C-7187-4DED-8B3D-95FF3EC9E5FA} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\28@Filename C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\28@DeviceName C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\28\Rules@Num 2 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\28\Rules\0\Allowed\0@UID {75EABAE9-81B5-4CC0-9B46-2CD29FC20361} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\28\Rules\0\Allowed\0@Filename C:\Windows\TEMP\ASCService.madExcept\ Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\28\Rules\0\Allowed\0@DeviceName C:\Windows\TEMP\ASCService.madExcept\ Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\28\Rules\0\Allowed\1@UID {BEF868F0-53F0-4877-ACEF-D6D17465ED5B} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\28\Rules\0\Allowed\1@Filename C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\IObit\Advanced SystemCare V7\License.log Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\28\Rules\0\Allowed\1@DeviceName C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\IObit\Advanced SystemCare V7\License.log Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\28\Rules\1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\28\Rules\1@Flags 2 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\28\Rules\1@DefaultAction 4 Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\28\Rules\1\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\28\Rules\1\Allowed@Num 2 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\28\Rules\1\Allowed\0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\28\Rules\1\Allowed\0@UID {1EFCACEC-91E0-4187-8254-F77E68838AD0} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\28\Rules\1\Allowed\0@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\28\Rules\1\Allowed\0@Filename C:\Program Files (x86)\IObit\Advanced SystemCare 7\DelayLoad.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\28\Rules\1\Allowed\0@DeviceName C:\Program Files (x86)\IObit\Advanced SystemCare 7\DelayLoad.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\28\Rules\1\Allowed\1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\28\Rules\1\Allowed\1@UID {261090A8-381C-420F-8794-3DBEF5266DA4} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\28\Rules\1\Allowed\1@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\28\Rules\1\Allowed\1@Filename C:\Program Files (x86)\IObit\Advanced SystemCare 7\Homepage.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\28\Rules\1\Allowed\1@DeviceName C:\Program Files (x86)\IObit\Advanced SystemCare 7\Homepage.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\28\Rules\1\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\28\Rules\1\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\29@UID {EF954ACD-AB2C-4E4C-89AF-01C4B06489F8} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\29@Filename C:\Program 
Files\COMODO\GeekBuddy\unit.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\29@DeviceName C:\Program Files\COMODO\GeekBuddy\unit.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\29\Rules@Num 2 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\29\Rules\0@Flags 8 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\29\Rules\0\Allowed@Num 3 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\29\Rules\0\Allowed\0@UID {02DE07E4-6B67-4B6D-BD77-6891BF7375B9} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\29\Rules\0\Allowed\0@Filename *\Software\Microsoft\SystemCertificates\* Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\29\Rules\0\Allowed\0@DeviceName *\Software\Microsoft\SystemCertificates\* Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\29\Rules\0\Allowed\1@UID {3006ECEE-2B7C-42AE-9071-AD5CB411D91F} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\29\Rules\0\Allowed\1@Filename *\SOFTWARE\Policies\* Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\29\Rules\0\Allowed\1@DeviceName *\SOFTWARE\Policies\* Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\29\Rules\0\Allowed\2 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\29\Rules\0\Allowed\2@UID {DB4F2763-9FBD-46A9-AD55-43065C20CD3D} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\29\Rules\0\Allowed\2@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\29\Rules\0\Allowed\2@Filename HKLM\SYSTEM\ControlSet???\Services\* Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\29\Rules\0\Allowed\2@DeviceName HKLM\SYSTEM\ControlSet???\Services\* Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\29\Rules\1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\29\Rules\1@Flags 16 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\29\Rules\1@DefaultAction 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\29\Rules\1\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\29\Rules\1\Allowed@Num 3 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\29\Rules\1\Allowed\0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\29\Rules\1\Allowed\0@UID {082142F6-7725-4584-8412-6A1DB3754B3D} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\29\Rules\1\Allowed\0@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\29\Rules\1\Allowed\0@Filename C:\Windows\system32\config\systemprofile\AppData\LocalLow\COMODO\CertSentry\issuers.sst Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\29\Rules\1\Allowed\0@DeviceName C:\Windows\system32\config\systemprofile\AppData\LocalLow\COMODO\CertSentry\issuers.sst Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\29\Rules\1\Allowed\1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\29\Rules\1\Allowed\1@UID {6E0DCFFB-A526-4CBA-91F2-7A904D5E0BC1} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\29\Rules\1\Allowed\1@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\29\Rules\1\Allowed\1@Filename C:\Windows\system32\config\systemprofile\AppData\LocalLow\COMODO\CertSentry\subjects.sst Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\29\Rules\1\Allowed\1@DeviceName C:\Windows\system32\config\systemprofile\AppData\LocalLow\COMODO\CertSentry\subjects.sst Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\29\Rules\1\Allowed\2 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\29\Rules\1\Allowed\2@UID {9E1DC8C4-1B0C-4920-900B-067787AC5C0B} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\29\Rules\1\Allowed\2@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\29\Rules\1\Allowed\2@Filename C:\ProgramData\comodo\lps4\lps-ca\vt.db-journal Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\29\Rules\1\Allowed\2@DeviceName C:\ProgramData\comodo\lps4\lps-ca\vt.db-journal Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\29\Rules\1\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\29\Rules\1\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3@UID {A7341785-C8BD-4815-AA89-D508B97721BD} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3@Filename C:\Windows\System32\conhost.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3@DeviceName C:\Windows\System32\conhost.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3@TreatAs Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules@Num 12 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\0@Flags 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\0@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\0\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\0\Allowed@Num 0 Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\0\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\0\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\1@Flags 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\1@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\1\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\1\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\1\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\1\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\10 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\10@Flags 512 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\10@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\10\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\10\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\10\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\10\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\11 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\11@Flags 2097152 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\11@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\11\Allowed Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\11\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\11\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\11\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\2 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\2@Flags 1024 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\2@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\2\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\2\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\2\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\2\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\3 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\3@Flags 2048 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\3@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\3\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\3\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\3\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\3\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\4@Flags 4096 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\4@DefaultAction 1 Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\4\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\4\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\4\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\4\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\5 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\5@Flags 32 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\5@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\5\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\5\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\5\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\5\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\6 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\6@Flags 64 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\6@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\6\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\6\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\6\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\6\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\7 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\7@Flags 128 Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\7@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\7\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\7\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\7\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\7\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\8 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\8@Flags 256 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\8@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\8\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\8\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\8\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\8\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\9 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\9@Flags 65536 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\9@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\9\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\9\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\9\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\3\Rules\9\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\30@UID {86CDDF52-E0A9-4D86-A2A7-EFB1E15C59A0} Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\30@Filename C:\Windows\System32\notepad.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\30@DeviceName C:\Windows\System32\notepad.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\30\Rules@Num 12 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\30\Rules\0@Flags 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\30\Rules\0@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\30\Rules\0\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\30\Rules\1@Flags 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\30\Rules\1@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\30\Rules\1\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\30\Rules\10 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\30\Rules\10@Flags 512 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\30\Rules\10@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\30\Rules\10\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\30\Rules\10\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\30\Rules\10\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\30\Rules\10\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\30\Rules\11 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\30\Rules\11@Flags 2097152 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\30\Rules\11@DefaultAction 1 Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\30\Rules\11\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\30\Rules\11\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\30\Rules\11\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\30\Rules\11\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\30\Rules\2 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\30\Rules\2@Flags 1024 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\30\Rules\2@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\30\Rules\2\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\30\Rules\2\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\30\Rules\2\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\30\Rules\2\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\30\Rules\3 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\30\Rules\3@Flags 2048 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\30\Rules\3@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\30\Rules\3\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\30\Rules\3\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\30\Rules\3\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\30\Rules\3\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\30\Rules\4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\30\Rules\4@Flags 4096 Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\30\Rules\4@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\30\Rules\4\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\30\Rules\4\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\30\Rules\4\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\30\Rules\4\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\30\Rules\5 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\30\Rules\5@Flags 32 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\30\Rules\5@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\30\Rules\5\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\30\Rules\5\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\30\Rules\5\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\30\Rules\5\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\30\Rules\6 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\30\Rules\6@Flags 64 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\30\Rules\6@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\30\Rules\6\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\30\Rules\6\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\30\Rules\6\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\30\Rules\6\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\30\Rules\7 Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\30\Rules\7@Flags 128 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\30\Rules\7@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\30\Rules\7\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\30\Rules\7\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\30\Rules\7\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\30\Rules\7\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\30\Rules\8 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\30\Rules\8@Flags 256 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\30\Rules\8@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\30\Rules\8\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\30\Rules\8\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\30\Rules\8\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\30\Rules\8\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\30\Rules\9 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\30\Rules\9@Flags 65536 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\30\Rules\9@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\30\Rules\9\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\30\Rules\9\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\30\Rules\9\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\30\Rules\9\Blocked@Num 0 Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\31@UID {2C73310A-7584-46BC-9B0A-6204D43E6E5E} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\31@Filename C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\finalizesetup.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\31@DeviceName C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\finalizesetup.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\31\Rules@Num 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\31\Rules\0\Allowed@Num 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\31\Rules\0\Allowed\0@UID {855E6D0A-101D-451A-A67F-59A8D1EC5EB7} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\31\Rules\0\Allowed\0@Filename HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ComodoFSDragon Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\31\Rules\0\Allowed\0@DeviceName HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ComodoFSDragon Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\32@UID {9843AA41-7FF6-499F-A4CE-3FF06BF70C50} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\32@Filename C:\Program Files (x86)\Internet Explorer\ielowutil.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\32@DeviceName C:\Program Files (x86)\Internet Explorer\ielowutil.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\32\Rules@Num 13 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\32\Rules\0@Flags 8 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\32\Rules\0@DefaultAction 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\32\Rules\0\Allowed@Num 1 Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\32\Rules\0\Allowed\0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\32\Rules\0\Allowed\0@UID {68A928D4-2ECD-463D-A1C1-EE2AA09EB77D} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\32\Rules\0\Allowed\0@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\32\Rules\0\Allowed\0@Filename HKLM\SYSTEM\ControlSet???\Services\* Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\32\Rules\0\Allowed\0@DeviceName HKLM\SYSTEM\ControlSet???\Services\* Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\32\Rules\1@Flags 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\32\Rules\10@Flags 65536 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\32\Rules\11@Flags 512 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\32\Rules\12 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\32\Rules\12@Flags 2097152 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\32\Rules\12@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\32\Rules\12\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\32\Rules\12\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\32\Rules\12\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\32\Rules\12\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\32\Rules\2@Flags 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\32\Rules\3@Flags 1024 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\32\Rules\4@Flags 2048 Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\32\Rules\5@Flags 4096 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\32\Rules\6@Flags 32 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\32\Rules\7@Flags 64 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\32\Rules\8@Flags 128 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\32\Rules\9@Flags 256 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33@UID {1C14A724-65CE-4567-9EC0-36A9AB833A12} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33@Filename C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33@DeviceName C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules@Num 14 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\0@Flags 2 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\0\Allowed\0@UID {1004FC54-75F3-487D-9F89-3F0417261128} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\0\Allowed\0@Filename C:\Program Files (x86)\Internet Explorer\ielowutil.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\0\Allowed\0@DeviceName C:\Program Files (x86)\Internet Explorer\ielowutil.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\1@Flags 2097152 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\1@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\1\Allowed Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\1\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\1\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\1\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\10 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\10@Flags 1024 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\10@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\10\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\10\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\10\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\10\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\11 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\11@Flags 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\11@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\11\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\11\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\11\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\11\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\12 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\12@Flags 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\12@DefaultAction 1 Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\12\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\12\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\12\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\12\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\13 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\13@Flags 8 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\13@DefaultAction 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\13\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\13\Allowed@Num 3 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\13\Allowed\0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\13\Allowed\0@UID {8CFCFD08-45EA-4D99-9A5A-E801DBF1E2DC} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\13\Allowed\0@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\13\Allowed\0@Filename *\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections* Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\13\Allowed\0@DeviceName *\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections* Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\13\Allowed\1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\13\Allowed\1@UID {446CAE70-40C8-4726-9ED4-AD6418A631C6} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\13\Allowed\1@Flags 0 Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\13\Allowed\1@Filename *\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Proxy* Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\13\Allowed\1@DeviceName *\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Proxy* Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\13\Allowed\2 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\13\Allowed\2@UID {9509AFCA-3559-48BF-A776-4379E1587E25} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\13\Allowed\2@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\13\Allowed\2@Filename HKLM\SYSTEM\ControlSet???\Services\* Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\13\Allowed\2@DeviceName HKLM\SYSTEM\ControlSet???\Services\* Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\13\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\13\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\2 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\2@Flags 512 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\2@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\2\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\2\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\2\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\2\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\3 Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\3@Flags 65536 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\3@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\3\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\3\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\3\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\3\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\4@Flags 256 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\4@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\4\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\4\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\4\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\4\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\5 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\5@Flags 128 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\5@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\5\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\5\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\5\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\5\Blocked@Num 0 Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\6 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\6@Flags 64 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\6@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\6\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\6\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\6\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\6\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\7 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\7@Flags 32 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\7@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\7\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\7\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\7\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\7\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\8 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\8@Flags 4096 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\8@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\8\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\8\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\8\Blocked Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\8\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\9 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\9@Flags 2048 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\9@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\9\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\9\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\9\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\33\Rules\9\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34@UID {043E1A91-40D4-4100-B95F-EDFC4969A4B0} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34@Filename C:\ProgramData\Comodo Downloader\cis\download\installs\3000\xml_binaries\privdog\privdog.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34@DeviceName C:\ProgramData\Comodo Downloader\cis\download\installs\3000\xml_binaries\privdog\privdog.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules@Num 15 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\0@Flags 16 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\0\Allowed@Num 2 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\0\Allowed\0@UID {47B726C1-604D-44C6-A42C-9B2C3DFC5E49} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\0\Allowed\0@Filename *.dll Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\0\Allowed\0@DeviceName *.dll Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\0\Allowed\1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\0\Allowed\1@UID {626CCBA9-E418-4324-91FE-F9DA47D893C1} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\0\Allowed\1@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\0\Allowed\1@Filename *.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\0\Allowed\1@DeviceName *.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\1@Flags 2 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\1@DefaultAction 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\1\Allowed@Num 6 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\1\Allowed\0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\1\Allowed\0@UID {CDC0601C-84CB-4B67-BAFA-816C961B735B} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\1\Allowed\0@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\1\Allowed\0@Filename C:\Program Files (x86)\AdTrustMedia\PrivDog\UninstallTrustedAds.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\1\Allowed\0@DeviceName C:\Program Files (x86)\AdTrustMedia\PrivDog\UninstallTrustedAds.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\1\Allowed\1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\1\Allowed\1@UID {780D3BCC-7F21-4FDB-A091-E9AB80DA4C4E} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\1\Allowed\1@Flags 0 Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\1\Allowed\1@Filename C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\magpie.dll Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\1\Allowed\1@DeviceName C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\magpie.dll Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\1\Allowed\2 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\1\Allowed\2@UID {DB7C47FB-CB16-4EC5-BE16-D5D8A7FA600F} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\1\Allowed\2@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\1\Allowed\2@Filename C:\Windows\SysWOW64\regsvr32.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\1\Allowed\2@DeviceName C:\Windows\SysWOW64\regsvr32.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\1\Allowed\3 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\1\Allowed\3@UID {0C01787B-3CB4-4322-9E2E-B7C00988D6C8} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\1\Allowed\3@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\1\Allowed\3@Filename C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\scriptservice.dll Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\1\Allowed\3@DeviceName C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\scriptservice.dll Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\1\Allowed\4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\1\Allowed\4@UID {A2D543E9-1CE1-42CE-932F-3A92FE63116C} Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\1\Allowed\4@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\1\Allowed\4@Filename C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\1\Allowed\4@DeviceName C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\1\Allowed\5 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\1\Allowed\5@UID {F57B873F-780A-4C75-A015-0A52559B6074} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\1\Allowed\5@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\1\Allowed\5@Filename C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedads.dll Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\1\Allowed\5@DeviceName C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedads.dll Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\10@Flags 2048 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\11@Flags 1024 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\12@Flags 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\13 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\13@Flags 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\13@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\13\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\13\Allowed@Num 0 Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\13\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\13\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\14 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\14@Flags 8 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\14@DefaultAction 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\14\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\14\Allowed@Num 3 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\14\Allowed\0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\14\Allowed\0@UID {E10C551C-078A-40CA-933A-73871A6ECDB7} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\14\Allowed\0@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\14\Allowed\0@Filename *\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections* Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\14\Allowed\0@DeviceName *\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections* Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\14\Allowed\1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\14\Allowed\1@UID {1697FE96-75CC-4CDA-BC6C-618AE11E8DE7} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\14\Allowed\1@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\14\Allowed\1@Filename *\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Proxy* Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\14\Allowed\1@DeviceName *\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Proxy* Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\14\Allowed\2 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\14\Allowed\2@UID {90003298-5BC8-4C83-8563-0D2180577B83} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\14\Allowed\2@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\14\Allowed\2@Filename HKLM\SYSTEM\ControlSet???\Services\* Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\14\Allowed\2@DeviceName HKLM\SYSTEM\ControlSet???\Services\* Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\14\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\14\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\2@Flags 2097152 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\3@Flags 512 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\4@Flags 65536 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\5@Flags 256 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\6@Flags 128 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\8@Flags 32 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\34\Rules\9@Flags 4096 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\35@UID {D0D46B75-BD62-4BC2-B9B5-39CC29D5692A} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\35@Filename C:\Windows\System32\regsvr32.exe Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\35@DeviceName C:\Windows\System32\regsvr32.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\35\Rules@Num 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\35\Rules\0@Flags 8 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\35\Rules\0\Allowed@Num 3 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\35\Rules\0\Allowed\0@UID {58289A48-05F0-443B-9A5E-DF940C0E4DAB} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\35\Rules\0\Allowed\0@Filename *\SOFTWARE\Classes\AppID* Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\35\Rules\0\Allowed\0@DeviceName *\SOFTWARE\Classes\AppID* Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\35\Rules\0\Allowed\1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\35\Rules\0\Allowed\1@UID {1DECCF5C-AC8E-42E2-976C-1450AE46F21B} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\35\Rules\0\Allowed\1@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\35\Rules\0\Allowed\1@Filename *\SOFTWARE\Classes\CLSID* Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\35\Rules\0\Allowed\1@DeviceName *\SOFTWARE\Classes\CLSID* Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\35\Rules\0\Allowed\2 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\35\Rules\0\Allowed\2@UID {D3E038E0-EB9C-480F-AF52-9C87B47D13F4} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\35\Rules\0\Allowed\2@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\35\Rules\0\Allowed\2@Filename HKLM\Software\Classes\Interface\* Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\35\Rules\0\Allowed\2@DeviceName HKLM\Software\Classes\Interface\* Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\36@UID {B597E06E-056A-49A3-84B6-79CB8B1228E3} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\36@Filename C:\Program Files\COMODO\GeekBuddy\unit_manager.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\36@DeviceName C:\Program Files\COMODO\GeekBuddy\unit_manager.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\36\Rules@Num 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\36\Rules\0@Flags 8 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\36\Rules\0\Allowed@Num 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\36\Rules\0\Allowed\0@UID {93E7574C-E0BE-4EA5-A6AE-B96F9AD566A3} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\36\Rules\0\Allowed\0@Filename HKLM\SYSTEM\ControlSet???\Services\* Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\36\Rules\0\Allowed\0@DeviceName HKLM\SYSTEM\ControlSet???\Services\* Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37@UID {55FF9BEB-FC4B-4D80-AADE-07374B44D1DE} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37@Filename C:\Windows\servicing\TrustedInstaller.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37@DeviceName C:\Windows\servicing\TrustedInstaller.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules@Num 14 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\0@Flags 2097152 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\0@DefaultAction 1 Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\0\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\1@Flags 512 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\1@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\1\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\1\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\1\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\1\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\10 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\10@Flags 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\10@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\10\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\10\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\10\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\10\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\11 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\11@Flags 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\11@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\11\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\11\Allowed@Num 0 Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\11\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\11\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\12 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\12@Flags 8 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\12@DefaultAction 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\12\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\12\Allowed@Num 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\12\Allowed\0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\12\Allowed\0@UID {F00AFD88-F072-4A2B-8AC8-CD21347BA21B} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\12\Allowed\0@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\12\Allowed\0@Filename HKLM\SYSTEM\ControlSet???\Control\* Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\12\Allowed\0@DeviceName HKLM\SYSTEM\ControlSet???\Control\* Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\12\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\12\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\13 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\13@Flags 16 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\13@DefaultAction 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\13\Allowed Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\13\Allowed@Num 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\13\Allowed\0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\13\Allowed\0@UID {31416380-A4A3-483F-9FEC-B80675343EEF} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\13\Allowed\0@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\13\Allowed\0@Filename C:\Windows\WinSxS\ManifestCache\a786a517e28d5687_blobs.bin Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\13\Allowed\0@DeviceName C:\Windows\WinSxS\ManifestCache\a786a517e28d5687_blobs.bin Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\13\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\13\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\2 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\2@Flags 65536 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\2@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\2\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\2\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\2\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\2\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\3 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\3@Flags 256 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\3@DefaultAction 1 Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\3\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\3\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\3\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\3\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\4@Flags 128 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\4@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\4\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\4\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\4\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\4\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\5 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\5@Flags 64 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\5@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\5\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\5\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\5\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\5\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\6 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\6@Flags 32 Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\6@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\6\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\6\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\6\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\6\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\7 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\7@Flags 4096 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\7@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\7\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\7\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\7\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\7\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\8 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\8@Flags 2048 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\8@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\8\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\8\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\8\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\8\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\9 Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\9@Flags 1024 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\9@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\9\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\9\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\9\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\37\Rules\9\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38@UID {DBA7F3ED-1EA8-49BF-8B9F-01F7D47958B6} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38@Filename C:\Windows\SysWOW64\dllhost.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38@DeviceName C:\Windows\SysWOW64\dllhost.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38\Rules@Num 12 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38\Rules\0@Flags 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38\Rules\0@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38\Rules\0\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38\Rules\1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38\Rules\1@Flags 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38\Rules\1@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38\Rules\1\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38\Rules\1\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38\Rules\1\Blocked Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38\Rules\1\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38\Rules\10 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38\Rules\10@Flags 512 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38\Rules\10@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38\Rules\10\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38\Rules\10\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38\Rules\10\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38\Rules\10\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38\Rules\11 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38\Rules\11@Flags 2097152 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38\Rules\11@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38\Rules\11\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38\Rules\11\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38\Rules\11\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38\Rules\11\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38\Rules\2 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38\Rules\2@Flags 1024 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38\Rules\2@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38\Rules\2\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38\Rules\2\Allowed@Num 0 Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38\Rules\2\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38\Rules\2\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38\Rules\3 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38\Rules\3@Flags 2048 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38\Rules\3@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38\Rules\3\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38\Rules\3\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38\Rules\3\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38\Rules\3\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38\Rules\4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38\Rules\4@Flags 4096 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38\Rules\4@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38\Rules\4\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38\Rules\4\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38\Rules\4\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38\Rules\4\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38\Rules\5 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38\Rules\5@Flags 32 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38\Rules\5@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38\Rules\5\Allowed Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38\Rules\5\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38\Rules\5\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38\Rules\5\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38\Rules\6 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38\Rules\6@Flags 64 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38\Rules\6@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38\Rules\6\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38\Rules\6\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38\Rules\6\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38\Rules\6\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38\Rules\7 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38\Rules\7@Flags 128 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38\Rules\7@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38\Rules\7\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38\Rules\7\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38\Rules\7\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38\Rules\7\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38\Rules\8 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38\Rules\8@Flags 256 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38\Rules\8@DefaultAction 1 Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38\Rules\8\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38\Rules\8\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38\Rules\8\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38\Rules\8\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38\Rules\9 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38\Rules\9@Flags 65536 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38\Rules\9@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38\Rules\9\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38\Rules\9\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38\Rules\9\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\38\Rules\9\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\39@UID {F8A1EF2B-480B-4CD9-9206-A5EDF749796B} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\39@Filename C:\Windows\System32\taskeng.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\39@DeviceName C:\Windows\System32\taskeng.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\39\Rules@Num 13 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\39\Rules\0@Flags 2 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\39\Rules\0@DefaultAction 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\39\Rules\0\Allowed@Num 3 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\39\Rules\0\Allowed\0 Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\39\Rules\0\Allowed\0@UID {EF889701-1DA5-4B86-9321-11279F99FF7F} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\39\Rules\0\Allowed\0@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\39\Rules\0\Allowed\0@Filename C:\Program Files\Microsoft Office\Office15\msoia.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\39\Rules\0\Allowed\0@DeviceName C:\Program Files\Microsoft Office\Office15\msoia.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\39\Rules\0\Allowed\1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\39\Rules\0\Allowed\1@UID {EF12DCDF-86FB-4EA1-9001-99FC494F3879} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\39\Rules\0\Allowed\1@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\39\Rules\0\Allowed\1@Filename C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\39\Rules\0\Allowed\1@DeviceName C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\39\Rules\0\Allowed\2 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\39\Rules\0\Allowed\2@UID {3A865A7B-3F52-48B9-8B3D-AEE1D27ABC48} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\39\Rules\0\Allowed\2@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\39\Rules\0\Allowed\2@Filename C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\39\Rules\0\Allowed\2@DeviceName C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\39\Rules\1@Flags 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\39\Rules\10@Flags 65536 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\39\Rules\11@Flags 512 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\39\Rules\12@Flags 2097152 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\39\Rules\12@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\39\Rules\12\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\39\Rules\2@Flags 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\39\Rules\3@Flags 1024 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\39\Rules\4@Flags 2048 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\39\Rules\5@Flags 4096 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\39\Rules\7@Flags 64 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\39\Rules\8@Flags 128 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\39\Rules\9@Flags 256 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\4@UID {FEE6939A-B798-4E7A-8004-925BB384625B} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\4@Filename E:\!!!!Najwa?niejsze pliki\!Do optymalizacji\Clean-up Tools\GMER 2.1.19357.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\4@DeviceName E:\!!!!Najwa?niejsze pliki\!Do optymalizacji\Clean-up Tools\GMER 2.1.19357.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\4\Rules@Num 15 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\4\Rules\0@Flags 2 Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\4\Rules\0@DefaultAction 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\4\Rules\0\Allowed@Num 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\4\Rules\0\Allowed\0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\4\Rules\0\Allowed\0@UID {54730D0D-57DC-4078-AA22-A1CAF385FEDA} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\4\Rules\0\Allowed\0@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\4\Rules\0\Allowed\0@Filename C:\Windows\SysWOW64\WerFault.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\4\Rules\0\Allowed\0@DeviceName C:\Windows\SysWOW64\WerFault.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\4\Rules\1@Flags 2097152 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\4\Rules\10@Flags 4096 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\4\Rules\11@Flags 2048 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\4\Rules\12 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\4\Rules\12@Flags 1024 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\4\Rules\12@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\4\Rules\12\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\4\Rules\12\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\4\Rules\12\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\4\Rules\12\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\4\Rules\13 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\4\Rules\13@Flags 4 Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\4\Rules\13@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\4\Rules\13\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\4\Rules\13\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\4\Rules\13\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\4\Rules\13\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\4\Rules\14 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\4\Rules\14@Flags 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\4\Rules\14@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\4\Rules\14\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\4\Rules\14\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\4\Rules\14\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\4\Rules\14\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\4\Rules\2@Flags 512 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\4\Rules\3@Flags 65536 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\4\Rules\4@Flags 8 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\4\Rules\5@Flags 16 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\4\Rules\6@Flags 256 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\4\Rules\8@Flags 64 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\4\Rules\9@Flags 32 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\40@UID {B0FBB7CC-8373-473A-A092-4C242EC42581} Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\40@Filename C:\Windows\System32\dllhost.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\40@DeviceName C:\Windows\System32\dllhost.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\40\Rules@Num 13 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\40\Rules\0@Flags 2097152 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\40\Rules\1@Flags 512 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\40\Rules\10@Flags 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\40\Rules\11@Flags 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\40\Rules\12 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\40\Rules\12@Flags 8 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\40\Rules\12@DefaultAction 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\40\Rules\12\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\40\Rules\12\Allowed@Num 2 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\40\Rules\12\Allowed\0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\40\Rules\12\Allowed\0@UID {90EA0B23-765F-4A1D-83C4-E759F2359813} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\40\Rules\12\Allowed\0@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\40\Rules\12\Allowed\0@Filename *\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections* Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\40\Rules\12\Allowed\0@DeviceName *\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections* Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\40\Rules\12\Allowed\1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\40\Rules\12\Allowed\1@UID {64A4C4E2-5E1F-4717-873F-C1ACB796AD5D} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\40\Rules\12\Allowed\1@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\40\Rules\12\Allowed\1@Filename HKLM\SYSTEM\ControlSet???\Services\* Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\40\Rules\12\Allowed\1@DeviceName HKLM\SYSTEM\ControlSet???\Services\* Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\40\Rules\12\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\40\Rules\12\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\40\Rules\2@Flags 65536 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\40\Rules\3@Flags 256 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\40\Rules\4@Flags 128 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\40\Rules\5@Flags 64 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\40\Rules\6@Flags 32 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\40\Rules\7@Flags 4096 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\40\Rules\8@Flags 2048 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\40\Rules\9@Flags 1024 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\41@UID {309E3B8F-D4FF-407A-84C3-DB38684D23C4} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\41@Filename C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\41@DeviceName 
C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\41\Rules@Num 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\41\Rules\0@Flags 8 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\41\Rules\0\Allowed@Num 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\41\Rules\0\Allowed\0@UID {92556E23-B1A7-44D1-B436-E49531D0824D} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\41\Rules\0\Allowed\0@Filename HKLM\SYSTEM\ControlSet???\Services\* Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\41\Rules\0\Allowed\0@DeviceName HKLM\SYSTEM\ControlSet???\Services\* Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\42@UID {0870FDA0-D6FB-4D07-AC33-708CB0EA044C} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\42@Filename C:\Program Files\NVIDIA Corporation\Display\nvtray.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\42@DeviceName C:\Program Files\NVIDIA Corporation\Display\nvtray.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\42\Rules\12\Allowed@Num 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\42\Rules\12\Allowed\0@UID {17D54E2A-01B4-4641-9A6D-4AC72E96B2C9} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\42\Rules\12\Allowed\0@Filename HKLM\SYSTEM\ControlSet???\Services\* Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\42\Rules\12\Allowed\0@DeviceName HKLM\SYSTEM\ControlSet???\Services\* Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\43@UID {5CB0778E-DD20-43E7-96B1-57562C3518DE} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\43@Filename C:\Program Files\NVIDIA 
Corporation\Display\nvxdsync.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\43@DeviceName C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\43\Rules\0@Flags 2 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\43\Rules\0\Allowed\0@UID {8CBD952E-4007-4BBD-A9F8-90D76AB6B0E8} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\43\Rules\0\Allowed\0@Filename C:\Program Files\NVIDIA Corporation\Display\nvtray.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\43\Rules\0\Allowed\0@DeviceName C:\Program Files\NVIDIA Corporation\Display\nvtray.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\44@UID {EC3041E5-1F7D-4206-989F-580454E4F22F} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\44@Filename C:\Program Files (x86)\IObit\Advanced SystemCare 7\Monitor.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\44@DeviceName C:\Program Files (x86)\IObit\Advanced SystemCare 7\Monitor.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\44\Rules@Num 12 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\44\Rules\0@Flags 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\44\Rules\1@Flags 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\44\Rules\10@Flags 512 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\44\Rules\11@Flags 2097152 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\44\Rules\2@Flags 1024 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\44\Rules\3@Flags 2048 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\44\Rules\4@Flags 4096 Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\44\Rules\5@Flags 32 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\44\Rules\6@Flags 64 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\44\Rules\7@Flags 128 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\44\Rules\8@Flags 256 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\44\Rules\9@Flags 65536 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\45@UID {D8BB81BF-82CE-4D25-A77E-4BFC97C565DD} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\45@Flags 3 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\45@DeviceName Systemowe aplikacje Windows Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\45@TreatAs Aplikacja systemu Windows Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\45\Rules@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\46@UID {E20272F6-EB6C-4816-84EB-FC1C971B8388} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\46@Flags 2 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\46@Filename %windir%\explorer.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\46@DeviceName C:\Windows\explorer.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\46@TreatAs Aplikacja systemu Windows Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\46\Rules@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\47@UID {BF8F6D19-2225-471F-A56E-99B35D293ECC} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\47@Flags 9 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\47@DeviceName Aplikacje Windows Update Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\47@TreatAs Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48@UID {464EC53D-57DD-45B5-AF36-25F768D301F6} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48@Flags 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48@DeviceName COMODO Internet Security Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48@TreatAs Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Protections@Num 2 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Protections\0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Protections\0@Flags 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Protections\0\Exceptions Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Protections\0\Exceptions@Num 5 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Protections\0\Exceptions\0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Protections\0\Exceptions\0@UID {3632D0C4-EECB-473B-A319-6E3466677D4D} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Protections\0\Exceptions\0@Flags 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Protections\0\Exceptions\0@DeviceName Systemowe aplikacje Windows Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Protections\0\Exceptions\1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Protections\0\Exceptions\1@UID {FB5E0B75-430F-41CB-BE32-779336666ADC} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Protections\0\Exceptions\1@Flags 0 Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Protections\0\Exceptions\1@Filename C:\Program Files\COMODO\COMODO Internet Security\* Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Protections\0\Exceptions\1@DeviceName C:\Program Files\COMODO\COMODO Internet Security\* Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Protections\0\Exceptions\2 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Protections\0\Exceptions\2@UID {25A70E1C-CB6A-4CAB-A79C-E2905E7FA721} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Protections\0\Exceptions\2@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Protections\0\Exceptions\2@Filename %windir%\system32\msiexec.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Protections\0\Exceptions\2@DeviceName C:\Windows\system32\msiexec.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Protections\0\Exceptions\3 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Protections\0\Exceptions\3@UID {1A65BD62-E56C-4490-8D16-3A0795A7EEDF} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Protections\0\Exceptions\3@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Protections\0\Exceptions\3@Filename %windir%\explorer.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Protections\0\Exceptions\3@DeviceName C:\Windows\explorer.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Protections\0\Exceptions\4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Protections\0\Exceptions\4@UID {A659A3B6-CC96-425E-A486-EB5824FA3A17} Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Protections\0\Exceptions\4@Condition Platform==x64 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Protections\0\Exceptions\4@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Protections\0\Exceptions\4@Filename %windir%\SysWOW64\msiexec.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Protections\0\Exceptions\4@DeviceName C:\Windows\SysWOW64\msiexec.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Protections\1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Protections\1@Flags 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Protections\1\Exceptions Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Protections\1\Exceptions@Num 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Protections\1\Exceptions\0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Protections\1\Exceptions\0@UID {90D63AB2-CD84-4246-BA81-728B2007EB8E} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Protections\1\Exceptions\0@Flags 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Protections\1\Exceptions\0@DeviceName Systemowe aplikacje Windows Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Protections\1\Exceptions\1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Protections\1\Exceptions\1@UID {8EC3779D-0D8A-4877-BB03-C32F268E22DB} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Protections\1\Exceptions\1@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Protections\1\Exceptions\1@Filename C:\Program Files\COMODO\COMODO Internet 
Security\* Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Protections\1\Exceptions\1@DeviceName C:\Program Files\COMODO\COMODO Internet Security\* Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Protections\1\Exceptions\2 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Protections\1\Exceptions\2@UID {5F278254-E4A2-4024-8C45-1CDD0DE2BD22} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Protections\1\Exceptions\2@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Protections\1\Exceptions\2@Filename %windir%\system32\msiexec.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Protections\1\Exceptions\2@DeviceName C:\Windows\system32\msiexec.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Protections\1\Exceptions\3 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Protections\1\Exceptions\3@UID {E004E1EE-CB3E-4834-AC06-F0A33899EA4D} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Protections\1\Exceptions\3@Condition Platform==x64 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Protections\1\Exceptions\3@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Protections\1\Exceptions\3@Filename %windir%\SysWOW64\msiexec.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Protections\1\Exceptions\3@DeviceName C:\Windows\SysWOW64\msiexec.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules@Num 13 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\0@Flags 1 Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\0@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\0\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\0\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\0\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\0\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\1@Flags 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\1@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\1\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\1\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\1\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\1\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\10 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\10@Flags 8 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\10@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\10\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\10\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\10\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\10\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\11 Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\11@Flags 65536 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\11@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\11\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\11\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\11\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\11\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\12 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\12@Flags 512 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\12@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\12\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\12\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\12\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\12\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\2 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\2@Flags 1024 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\2@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\2\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\2\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\2\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\2\Blocked@Num 0 Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\3 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\3@Flags 2048 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\3@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\3\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\3\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\3\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\3\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\4@Flags 4096 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\4@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\4\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\4\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\4\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\4\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\5 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\5@Flags 32 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\5@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\5\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\5\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\5\Blocked Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\5\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\6 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\6@Flags 64 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\6@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\6\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\6\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\6\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\6\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\7 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\7@Flags 128 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\7@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\7\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\7\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\7\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\7\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\8 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\8@Flags 256 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\8@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\8\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\8\Allowed@Num 0 Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\8\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\8\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\9 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\9@Flags 16 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\9@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\9\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\9\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\9\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\48\Rules\9\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49@UID {7EE319E2-2A20-4808-8B9B-0E2B2C0857C4} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49@Flags 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49@DeviceName Wszystkie aplikacje Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules@Num 6 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\0@Flags 2 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\0@DefaultAction 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\0\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\0\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\0\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\0\Blocked@Num 1 Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\0\Blocked\0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\0\Blocked\0@UID {386F35A6-CAF7-4FAA-9834-249073E57F09} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\0\Blocked\0@Condition Os==Vista || Os==Win7 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\0\Blocked\0@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\0\Blocked\0@Filename ?:\$Recycle.Bin\* Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\0\Blocked\0@DeviceName ?:\$Recycle.Bin\* Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\1@Flags 16 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\1@DefaultAction 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\1\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\1\Allowed@Num 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\1\Allowed\0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\1\Allowed\0@UID {99556C37-F5D6-4BB4-8FF3-436416F55CA5} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\1\Allowed\0@Flags 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\1\Allowed\0@DeviceName Pliki tymczasowe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\1\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\1\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\2 Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\2@Flags 8 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\2@DefaultAction 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\2\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\2\Allowed@Num 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\2\Allowed\0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\2\Allowed\0@UID {FB1F18F2-7F3E-4A1D-997C-6367A057DC7B} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\2\Allowed\0@Flags 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\2\Allowed\0@DeviceName Klucze tymczasowe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\2\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\2\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\3 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\3@Flags 2048 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\3@DefaultAction 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\3\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\3\Allowed@Num 8 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\3\Allowed\0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\3\Allowed\0@UID {6F3E9CF9-DC82-4E8A-80FF-977E6FB4AF5F} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\3\Allowed\0@Flags 0 Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\3\Allowed\0@Filename %windir%\system32\msctf.dll Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\3\Allowed\0@DeviceName C:\Windows\system32\msctf.dll Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\3\Allowed\1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\3\Allowed\1@UID {67BFEF20-B462-4808-A11B-DAC8CA6B17AC} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\3\Allowed\1@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\3\Allowed\1@Filename %windir%\system32\shell32.dll Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\3\Allowed\1@DeviceName C:\Windows\system32\shell32.dll Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\3\Allowed\2 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\3\Allowed\2@UID {EBAC2E3F-003B-422F-8331-8765101B5A7C} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\3\Allowed\2@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\3\Allowed\2@Filename %windir%\system32\browseui.dll Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\3\Allowed\2@DeviceName C:\Windows\system32\browseui.dll Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\3\Allowed\3 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\3\Allowed\3@UID {948D397E-4E3A-4BD3-B9CF-1206C407044A} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\3\Allowed\3@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\3\Allowed\3@Filename %windir%\system32\ieframe.dll 
Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\3\Allowed\3@DeviceName C:\Windows\system32\ieframe.dll Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\3\Allowed\4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\3\Allowed\4@UID {B3BC1BE3-54DC-4B87-A3D0-AC779DE1B95C} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\3\Allowed\4@Condition Platform==x64 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\3\Allowed\4@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\3\Allowed\4@Filename %windir%\SysWOW64\msctf.dll Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\3\Allowed\4@DeviceName C:\Windows\SysWOW64\msctf.dll Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\3\Allowed\5 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\3\Allowed\5@UID {AE2A65FD-113B-4487-9FC3-F697774A9130} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\3\Allowed\5@Condition Platform==x64 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\3\Allowed\5@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\3\Allowed\5@Filename %windir%\SysWOW64\shell32.dll Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\3\Allowed\5@DeviceName C:\Windows\SysWOW64\shell32.dll Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\3\Allowed\6 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\3\Allowed\6@UID {0C38728C-5E93-4E66-BBDC-9DBB33A010C1} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\3\Allowed\6@Condition Platform==x64 Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\3\Allowed\6@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\3\Allowed\6@Filename %windir%\SysWOW64\browseui.dll Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\3\Allowed\6@DeviceName C:\Windows\SysWOW64\browseui.dll Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\3\Allowed\7 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\3\Allowed\7@UID {3D17C4E5-72A3-4365-A9B1-877147FD4B2E} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\3\Allowed\7@Condition Platform==x64 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\3\Allowed\7@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\3\Allowed\7@Filename %windir%\SysWOW64\ieframe.dll Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\3\Allowed\7@DeviceName C:\Windows\SysWOW64\ieframe.dll Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\3\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\3\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\4@Flags 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\4@DefaultAction 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\4\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\4\Allowed@Num 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\4\Allowed\0 Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\4\Allowed\0@UID {B9D15C26-2C23-4197-8E93-7F6A61771E35} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\4\Allowed\0@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\4\Allowed\0@Filename %windir%\system32\ctfmon.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\4\Allowed\0@DeviceName C:\Windows\system32\ctfmon.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\4\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\4\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\5 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\5@Flags 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\5@DefaultAction 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\5\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\5\Allowed@Num 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\5\Allowed\0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\5\Allowed\0@UID {3F50C469-8260-4B2D-A6BA-ED87AC7D988C} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\5\Allowed\0@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\5\Allowed\0@Filename * Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\5\Allowed\0@DeviceName * Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\5\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\49\Rules\5\Blocked@Num 0 Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\5@UID {3A2A25A7-FA80-4A4A-BD93-919D23CA38DF} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\5@Flags 8 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\5@Filename C:\Users\Spid3r\Desktop\Nowy folder\FRST x64.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\5@DeviceName C:\Users\Spid3r\Desktop\Nowy folder\FRST x64.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\5\Rules@Num 15 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\5\Rules\0@Flags 2 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\5\Rules\0@DefaultAction 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\5\Rules\0\Blocked@Num 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\5\Rules\0\Blocked\0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\5\Rules\0\Blocked\0@UID {C115C71C-24AB-4AC2-93A7-D7DB4B56DC16} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\5\Rules\0\Blocked\0@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\5\Rules\0\Blocked\0@Filename C:\Windows\ERUNT.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\5\Rules\0\Blocked\0@DeviceName C:\Windows\ERUNT.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\5\Rules\1@Flags 2097152 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\5\Rules\10@Flags 4096 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\5\Rules\11@Flags 2048 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\5\Rules\12 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\5\Rules\12@Flags 1024 Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\5\Rules\12@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\5\Rules\12\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\5\Rules\12\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\5\Rules\12\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\5\Rules\12\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\5\Rules\13 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\5\Rules\13@Flags 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\5\Rules\13@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\5\Rules\13\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\5\Rules\13\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\5\Rules\13\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\5\Rules\13\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\5\Rules\14 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\5\Rules\14@Flags 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\5\Rules\14@DefaultAction 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\5\Rules\14\Allowed Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\5\Rules\14\Allowed@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\5\Rules\14\Blocked Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\5\Rules\14\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\5\Rules\2@Flags 512 Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\5\Rules\3@Flags 65536 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\5\Rules\4@Flags 8 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\5\Rules\5@Flags 16 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\5\Rules\6@Flags 256 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\5\Rules\8@Flags 64 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\5\Rules\9@Flags 32 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\6@UID {1DC20C16-8DD4-4444-8F22-89AA96BCDC10} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\6@Filename E:\!!!!Najwa?niejsze pliki\!Do optymalizacji\Clean-up Tools\AdwCleaner v3.310.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\6@DeviceName E:\!!!!Najwa?niejsze pliki\!Do optymalizacji\Clean-up Tools\AdwCleaner v3.310.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\6\Rules@Num 14 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\6\Rules\0@Flags 8 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\6\Rules\0\Allowed@Num 3 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\6\Rules\0\Allowed\0@UID {8770861F-7841-408E-827F-8AB4E298ECA2} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\6\Rules\0\Allowed\0@Filename *\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections* Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\6\Rules\0\Allowed\0@DeviceName *\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections* Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\6\Rules\0\Allowed\1 Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\6\Rules\0\Allowed\1@UID {522753BB-A126-4BE8-BDD5-5A027AAC88CB} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\6\Rules\0\Allowed\1@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\6\Rules\0\Allowed\1@Filename *\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Proxy* Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\6\Rules\0\Allowed\1@DeviceName *\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Proxy* Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\6\Rules\0\Allowed\2 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\6\Rules\0\Allowed\2@UID {C8A2420F-CA25-4462-8A17-3D06A0A5594D} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\6\Rules\0\Allowed\2@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\6\Rules\0\Allowed\2@Filename HKLM\SYSTEM\ControlSet???\Services\* Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\6\Rules\0\Allowed\2@DeviceName HKLM\SYSTEM\ControlSet???\Services\* Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\6\Rules\1@Flags 2 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\6\Rules\1@DefaultAction 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\6\Rules\1\Allowed@Num 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\6\Rules\1\Allowed\0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\6\Rules\1\Allowed\0@UID {6393016F-59D9-4B52-8EA3-BDCDED42DB17} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\6\Rules\1\Allowed\0@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\6\Rules\1\Allowed\0@Filename E:\!!!!Najwa?niejsze 
pliki\!Do optymalizacji\Clean-up Tools\AdwCleaner v3.310.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\6\Rules\1\Allowed\0@DeviceName E:\!!!!Najwa?niejsze pliki\!Do optymalizacji\Clean-up Tools\AdwCleaner v3.310.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\6\Rules\10@Flags 256 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\6\Rules\11@Flags 65536 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\6\Rules\12@Flags 512 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\6\Rules\13@Flags 2097152 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\6\Rules\2@Flags 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\6\Rules\3@Flags 4 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\6\Rules\4@Flags 1024 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\6\Rules\5@Flags 2048 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\6\Rules\6@Flags 4096 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\6\Rules\7@Flags 32 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\6\Rules\9@Flags 128 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\7@UID {168F3AA2-F2F2-40AB-9B32-0D3F3D2F92C2} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\7@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\7@Filename C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\7@DeviceName C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\7\Rules@Num 1 Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\7\Rules\0@Flags 16 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\7\Rules\0\Allowed@Num 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\7\Rules\0\Allowed\0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\7\Rules\0\Allowed\0@UID {CFD8C278-3F01-4D1E-8487-FD2611E4D7D6} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\7\Rules\0\Allowed\0@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\7\Rules\0\Allowed\0@Filename C:\Windows\system32\config\systemprofile\AppData\Roaming\microsoft\IdentityCRL\production\temp\sqmdata01.sqm Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\7\Rules\0\Allowed\0@DeviceName C:\Windows\system32\config\systemprofile\AppData\Roaming\microsoft\IdentityCRL\production\temp\sqmdata01.sqm Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\7\Rules\0\Blocked@Num 0 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\8@UID {9DFBE9E6-E3E1-48C5-86CD-363697782459} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\8@Filename C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\8@DeviceName C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\8\Rules@Num 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\8\Rules\0\Allowed@Num 1 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\8\Rules\0\Allowed\0@UID {929B15EC-6B31-40DE-BE3D-4E1C0705A44E} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\8\Rules\0\Allowed\0@Filename HKLM\SYSTEM\ControlSet???\Services\* Reg 
HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\8\Rules\0\Allowed\0@DeviceName HKLM\SYSTEM\ControlSet???\Services\* Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\9@UID {7EAB5F5C-2E24-475C-B5DA-B386D05B3070} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\9@Filename C:\Program Files\Nightly\uninstall\helper.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\9@DeviceName C:\Program Files\Nightly\uninstall\helper.exe Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\9\Rules\0@Flags 8 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\9\Rules\0\Allowed\0@UID {7AF93F5A-D502-4CC5-A6EF-B2AC63F2567B} Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\9\Rules\0\Allowed\0@Filename *\SOFTWARE\Classes\*\DefaultIcon* Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\CisConfigs\0\HIPS\Policy\9\Rules\0\Allowed\0@DeviceName *\SOFTWARE\Classes\*\DefaultIcon* Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... 
Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch@Epoch 140157 Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch2@Epoch 82701 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{1427378F-01E4-4954-85B7-81DA3A1AA628}@LeaseObtainedTime 1411415498 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{1427378F-01E4-4954-85B7-81DA3A1AA628}@T1 1411417298 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{1427378F-01E4-4954-85B7-81DA3A1AA628}@T2 1411418648 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{1427378F-01E4-4954-85B7-81DA3A1AA628}@LeaseTerminatesTime 1411419098 Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Cam@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Firewall Pro@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... ---- EOF - GMER 2.1 ----